/[smecontribs]/rpms/smeserver-libreswan/contribs9/smeserver-libreswan-move-logfile.patch
ViewVC logotype

Contents of /rpms/smeserver-libreswan/contribs9/smeserver-libreswan-move-logfile.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Tue Mar 22 17:28:08 2016 UTC (8 years, 8 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-20_el6_sme, smeserver-libreswan-0_5-18_el6_sme, smeserver-libreswan-0_5-19_el6_sme, smeserver-libreswan-0_5-26_el6_sme, smeserver-libreswan-0_5-23_el6_sme, smeserver-libreswan-0_5-22_el6_sme, smeserver-libreswan-0_5-31_el6_sme, smeserver-libreswan-0_5-33_el6_sme, smeserver-libreswan-0_5-25_el6_sme, smeserver-libreswan-0_5-17_el6_sme, smeserver-libreswan-0_5-30_el6_sme, smeserver-libreswan-0_5-32_el6_sme, smeserver-libreswan-0_5-28_el6_sme, smeserver-libreswan-0_5-27_el6_sme, smeserver-libreswan-0_5-24_el6_sme, smeserver-libreswan-0_5-29_el6_sme, smeserver-libreswan-0_5-34_el6_sme, HEAD
* Tue Mar 22 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-17.sme
- Move pluto.log to /var/log/pluto
- bump libreswan requires version to 3.16
- regenerate masq template on ipsec-update
- change wiki location page
- add sysctl.conf template
- modify masq templates for ipsec status enabled/disabled
- only load ipsec.conf rather than *.conf to avoid loading v6neighbor-hole.conf

1 diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks
2 --- smeserver-libreswan-0.5.old/createlinks 2016-02-17 14:19:42.000000000 +0100
3 +++ smeserver-libreswan-0.5/createlinks 2016-03-22 18:26:42.624000613 +0100
4 @@ -12,6 +12,7 @@
5 /etc/ipsec.secrets
6 /etc/ipsec.d/ipsec.conf
7 /etc/ipsec.d/ipsec.secrets
8 + /etc/rc.d/init.d/masq
9 ))
10 {
11 templates2events("$_", qw(
12 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
13 --- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-02-17 14:19:42.000000000 +0100
14 +++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-22 18:26:42.623000615 +0100
15 @@ -43,7 +43,7 @@
16 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
17
18 # Do we check if it is already stopped ?
19 - # For now we stop it regradless
20 + # For now we stop it regardless
21
22 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
23
24 @@ -264,16 +264,11 @@
25 or die("Ipsec Error - A problem occurred with sysctl: $?");
26 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
27 or die("Ipsec Error - A problem occurred with sysctl: $?");
28 -
29 - # I don;t beleive these are required
30 - # system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
31 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
32 - # system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
33 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
34 - # system("/sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0") == 0
35 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
36 - # system("/sbin/sysctl -w net.ipv4.conf.eth1.accept_redirects=0") == 0
37 - # or die("Ipsec Error - A problem occurred with sysctl: $?");
38 +
39 + system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
40 + or die("Ipsec Error - A problem occurred with sysctl: $?");
41 + system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
42 + or die("Ipsec Error - A problem occurred with sysctl: $?");
43
44 system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
45 or die("Ipsec Error - A problem occurred with sysctl: $?");
46 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
47 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-02-17 14:19:42.000000000 +0100
48 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-22 18:26:42.624000613 +0100
49 @@ -30,7 +30,7 @@
50 $OUT .= " protostack=netkey\n";
51 $OUT .= " #plutodebug=none\n";
52 $OUT .= " #klipsdebug=none\n";
53 - $OUT .= " plutostderrlog=/var/log/pluto.log\n";
54 + $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
55 $OUT .= " dumpdir=/var/run/pluto/\n";
56 $OUT .= " nat_traversal=yes\n";
57
58 @@ -66,7 +66,7 @@
59 chop($virtual_private);
60 $OUT .= "$virtual_private\n";
61 $OUT .= "\n";
62 - $OUT .= "include /etc/ipsec.d/*.conf\n";
63 + $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
64
65 # End else
66 }
67 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
68 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-02-17 14:19:42.000000000 +0100
69 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-03-22 18:26:42.623000615 +0100
70 @@ -1,4 +1,4 @@
71 -/var/log/pluto.log \{
72 +/var/log/pluto/pluto.log \{
73 missingok
74 notifempty
75 compress
76 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
77 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:25.223000613 +0100
78 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:42.624000613 +0100
79 @@ -1,9 +1,16 @@
80 +# Required PostRouting for VPN
81 +
82 {
83 - my $ipsec_access = $ipsec{access} || '';
84 + my $ipsec_status = $ipsec{status} || '';
85 +
86 +# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
87
88 - if ( $ipsec_access eq 'public' ) {
89 + if ( $ipsec_status eq 'enabled' ) {
90 $OUT .= " # Do not NAT VPN traffic\n";
91 - $OUT .=
92 -" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
93 + $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
94 + }
95 +
96 + else {
97 + $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
98 }
99 }
100 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
101 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:25.223000613 +0100
102 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:42.623000615 +0100
103 @@ -1,14 +1,18 @@
104 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
105
106 {
107 -my $ipsec_access = $ipsec{access} || '';
108 + my $ipsec_status = $ipsec{status} || '';
109
110 -if ($ipsec_access eq 'public') {
111 +# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
112
113 - $OUT .= " /sbin/iptables --new-chain esp-in\n";
114 - $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
115 - $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
116 - $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
117 - $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
118 - }
119 + if ( $ipsec_status eq 'enabled' ) {
120 + $OUT .= " /sbin/iptables --new-chain esp-in\n";
121 + $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
122 + $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
123 + $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
124 + $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
125 + }
126 + else {
127 + $OUT .= " # 56AllowESP disabled\n";
128 + }
129 }
130 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
131 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:25.241000615 +0100
132 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:42.623000615 +0100
133 @@ -1,12 +1,16 @@
134 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
135 +
136 {
137 - my $ipsec_access = $ipsec{access} || '';
138 - my $ipsec_status = $ipsec{status};
139 - if ( $ipsec_access eq 'public' ) {
140 -
141 - my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
142 + my $ipsec_status = $ipsec{status} || '';
143 +
144 +# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
145
146 + if ( $ipsec_status eq 'enabled' ) {
147 + my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
148 $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
149 $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
150 }
151 + else {
152 + $OUT .= " # 90adjustESP disabled\n";
153 + }
154 }
155 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
156 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
157 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-22 18:26:42.624000613 +0100
158 @@ -0,0 +1,29 @@
159 +{
160 +# Set up sysctl.conf for ipsec
161 +# need a check on release version as v8 needs
162 +# net.core.xfrm_larval_drop = 1
163 +# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
164 +
165 +use strict;
166 +use warnings;
167 +use esmith::ConfigDB;
168 +
169 +my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
170 +
171 + if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
172 +
173 + $OUT .= <<CONFIG_END
174 +# Ipsec overrides
175 +net.ipv4.conf.all.rp_filter = 0
176 +net.ipv4.conf.all.send_redirects = 0
177 +net.ipv4.conf.default.accept_redirects = 0
178 +net.ipv4.conf.default.rp_filter = 0
179 +net.ipv4.conf.default.send_redirects = 0
180 +net.ipv4.conf.dummy0.rp_filter = 0
181 +net.ipv4.conf.eth0.rp_filter = 0
182 +net.ipv4.conf.eth1.rp_filter = 0
183 +net.ipv4.conf.lo.rp_filter = 0
184 +
185 +CONFIG_END
186 + }
187 +}

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed