


Revision 1.1 - (hide annotations) (download)
Thu Mar 24 15:54:56 2016 UTC (8 years, 8 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-openswan-0_6-5_el5_sme, smeserver-openswan-0_6-6_el5_sme, smeserver-openswan-0_6-7_el5_sme, HEAD
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.6-5.sme
- Add debug db key to /etc/ipsec.conf
- Remove setting the access key to public/private, as it has no effect unless the masq templates are re-expanded
- Set xfrm_larval_drop correctly
- minor formatting

1 reetspetit 1.1 diff -ruN smeserver-openswan-0.6.old/createlinks smeserver-openswan/createlinks
2     --- smeserver-openswan-0.6.old/createlinks 2016-03-24 16:42:09.758000614 +0100
3     +++ smeserver-openswan/createlinks 2016-03-24 16:25:13.000000000 +0100
4     @@ -13,6 +13,8 @@
5     /etc/ipsec.d/ipsec.conf
6     /etc/ipsec.d/ipsec.secrets
7     /etc/rc.d/init.d/masq
8     + /etc/syctl.conf
9     +
10     ))
11     {
12     templates2events("$_", qw(
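Review bot: The path added at the new `+ /etc/syctl.conf` line is misspelled, so templates2events registers a template for a file that has no template directory while the `templates/etc/sysctl.conf/z-ipsec-modifications` fragment this patch adds is never expanded by the event. In that case the `sysctl -p` in resetRedirects reloads whatever stale /etc/sysctl.conf is on disk, and the rp_filter/redirect overrides never follow the ipsec status. Change the line to ` /etc/sysctl.conf`. The enclosing foreach and its qw() list begin before this hunk.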
13     diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug
14     --- smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
15     +++ smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 16:25:13.000000000 +0100
16     @@ -0,0 +1 @@
17     +none
18     diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update
19     --- smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:42:09.758000614 +0100
20     +++ smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:25:13.000000000 +0100
21     @@ -44,12 +44,19 @@
22    
23     # Do we check if it is already stopped ?
24     # For now we stop it regardless
25     -
26     +
27     print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
28    
29     # First set ipsec access to private which disables firewall rule
30     # Is this the correct syntax - what about die ?
31     - $configDB->set_prop( $dbKey, 'access', 'private' );
32     + # This is problematic as masq templates are already expanded and may be wrong
33     +
34     + # Make sure access = private
35     + # No point in this unless we expand the masq template again
36     +
37     + #unless ( $ipsec_access eq 'private' ) {
38     + # $configDB->set_prop( $dbKey, 'access', 'private' );
39     + #}
40    
41     my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
42     die("Ipsec Error - Unable to launch ipsec stop : $!\n")
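Review bot: With the `set_prop( $dbKey, 'access', 'private' )` call commented out on the disable path, `access` stays `public` once ipsec has ever been enabled (the start path, outside this hunk, still sets it), so the firewall rule that the comment above says is keyed on `access` remains open after pluto is stopped. If the worry is that the masq template has already been expanded by the time this action runs, keep the db update and re-expand masq afterwards rather than dropping it: `$configDB->set_prop( $dbKey, 'access', 'private' );` followed by `system('/sbin/e-smith/expand-template', '/etc/rc.d/init.d/masq') == 0 or die(...)` and a masq restart — confirm the expand-template path and restart command for this platform. Three lines of commented-out code under two explanatory comments are also harder to read than one comment stating the decision. The enclosing if/else block starts before this hunk.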
43     @@ -57,7 +64,7 @@
44     if not defined $myStopConnection;
45     die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
46    
47     - print "Ipsec Information - Enable Reverse Path Filtering";
48     + print "Ipsec Information - reset redirects";
49     resetRedirects();
50    
51     exit 0;
52     @@ -68,9 +75,11 @@
53     if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
54    
55     # Make sure access = public
56     - unless ( $ipsec_access eq 'public' ) {
57     - $configDB->set_prop( $dbKey, 'access', 'public' );
58     - }
59     + # No point in this unless we expand the masq template again
60     +
61     + #unless ( $ipsec_access eq 'public' ) {
62     + # $configDB->set_prop( $dbKey, 'access', 'public' );
63     + #}
64    
65     my $status = (`ps ax | grep -v grep | grep pluto`);
66    
67     @@ -96,7 +105,6 @@
68     my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
69    
70     # Lets check the last state and if it doesn't exist set it disabled
71     -
72     if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
73     my $previpsecstatus = "disabled";
74     $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
75     @@ -108,7 +116,6 @@
76     print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
77    
78     # Lets reread secrets anyway
79     -
80     print "Ipsec Information - Restart - ReReading Secrets\n";
81     my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
82    
83     @@ -122,19 +129,19 @@
84     && ( $ipsecstatus eq "enabled" ) ) {
85    
86     # Restart
87     -
88     print "Ipsec Information - Restarting connection - $ipsecprop\n";
89    
90     # Have to use system here as replace usually returns 1280
91     + # Replace just rereads the config and does --delete --add
92     system("/usr/sbin/ipsec auto --replace $ipsecprop");
93     print "Ipsec Information - Restart system - replace return code: $?\n";
94    
95     - # If connection -= start then....
96     + # If connection = start then bring it up
97     if ( $connection eq 'start' ) {
98     print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
99    
100     + # If it is start rather than add we try and force it to come up
101     startConnection($ipsecprop);
102     -
103     print "Ipsec Information - En - En auto --up\n";
104     print "Ipsec Information - Restart system - up return code: $?\n";
105     }
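Review bot: `$ipsecprop` (a db key name) is interpolated into a shell string at `system("/usr/sbin/ipsec auto --replace $ipsecprop")`, so any shell metacharacter in a connection name reaches /bin/sh; the list form `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop)` bypasses the shell and still sets `$?`. The new comment "Replace just rereads the config and does --delete --add" is useful, but the print on the next line reports `$?` raw; `$? >> 8` is the exit status a reader expects. The enclosing if branch starts before this hunk.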
106     @@ -149,24 +156,21 @@
107     && ( $ipsecstatus eq "disabled" ) ) {
108    
109     # Stop
110     -
111     print "Ipsec Information - Stop connection - $ipsecprop\n";
112     -
113     stopConnection($ipsecprop);
114    
115     # Set Previous status
116     changeState( $dbKey, $ipsecstatus );
117     }
118    
119     + # If status was disabled and now enabled then start it
120     elsif ( ( $previpsecstatus eq "disabled" )
121     && ( $ipsecstatus eq "enabled" ) ) {
122    
123     # Start
124     - # Set Previous status
125     -
126     print "Enabling connection $ipsecprop\n";
127    
128     - # Have to use system here as replace usually return 1280
129     + # Have to use system here as replace usually returns 1280 and not 0
130     system("/usr/sbin/ipsec auto --replace $ipsecprop");
131     print "Ipsec Information - Restart system - return code: $?\n";
132    
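Review bot: The reworded comment `# Have to use system here as replace usually returns 1280 and not 0` still leaves the reader guessing: 1280 is `$?` carrying exit status 5 (`1280 >> 8`), and qx() would set `$?` the same way, so system() is not chosen because of the return value but because the output is not needed. Suggest `# --replace has been observed to exit with status 5 ($? == 1280) even when the connection is replaced; inspect $? >> 8 rather than treating non-zero as fatal` — and, as elsewhere, the list form `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop)` keeps the connection name out of the shell. The enclosing elsif branch continues past this hunk.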
133     @@ -183,25 +187,24 @@
134     #or die "exec failed!";
135     }
136    
137     + # Set Previous status
138     changeState( $ipsecprop, $ipsecstatus );
139     }
140    
141     + # If status was enabled and now disabled then stop it
142     elsif ( ( $previpsecstatus eq "enabled" )
143     && ( $ipsecstatus eq "disabled" ) ) {
144    
145     # Stop and remove - do we need to ?
146     -
147     print "Ipsec Information - Stopping connection $ipsecprop\n ";
148     stopConnection($ipsecprop);
149    
150     # Set Previous status
151     changeState( $ipsecprop, $ipsecstatus );
152     -
153     }
154    
155     + # Should never be here as it means the statuses are other than enabled or disabled
156     else {
157     -
158     - # Can't be here as it means the statuses are other than enabled or disabled
159     print "Ipsec Error - Something went wrong with ipsec connection status\n";
160     }
161    
162     @@ -212,15 +215,14 @@
163     # If it isn't running then start it up
164     # Auto connections start themselves. Added connections wait
165     else {
166     -
167     print "Ipsec Information - Disable Reverse Path Filtering\n";
168     -
169     setRedirects();
170    
171     # Make sure access = public
172     unless ( $ipsec_access eq 'public' ) {
173     $configDB->set_prop( $dbKey, 'access', 'public' );
174     }
175     +
176     print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
177     my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
178     die("Ipsec Error - Unable to launch ipsec start : $!\n ")
179     @@ -258,13 +260,12 @@
180    
181     # Big warning - this is a potential security issue
182     # Make sure you read and understand what happens !
183     -
184     # If I knew which specific interfaces to change we could reduce the lines here
185     system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
186     or die("Ipsec Error - A problem occurred with sysctl: $?");
187     system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
188     or die("Ipsec Error - A problem occurred with sysctl: $?");
189     -
190     +
191     system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
192     or die("Ipsec Error - A problem occurred with sysctl: $?");
193     system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
194     @@ -280,14 +281,15 @@
195     or die("Ipsec Error - A problem occurred with sysctl: $?");
196    
197     # On v8 this is set to 0 so we would need
198     - system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
199     + system("/sbin/sysctl -w net.core.xfrm_larval_drop=0") == 0 or die("A problem occurred with sysctl: $?");
200    
201     }
202    
203     sub resetRedirects {
204    
205     - # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
206     - # This should reset back to defaults
207     + # /etc/syctl.conf is expanded on ipsec-update
208     + # This should reload the file - if ipsec is disabled it should reset to defaults
209     + # If ipsec is enabled it should disable rp_filtering
210     system("/sbin/sysctl -p") == 0
211     or die("Ipsec Error - A problem occurred with sysctl: $?");
212     }
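Review bot: setRedirects now writes `net.core.xfrm_larval_drop=0` while the `z-ipsec-modifications` template added by this same patch writes `net.core.xfrm_larval_drop = 1`, and resetRedirects follows with `sysctl -p`, so the effective value depends on which sub ran last; settle on one value and let the template own it, with the action calling `sysctl -p` after expansion instead of re-issuing the sysctl. The comment above the changed line, `# On v8 this is set to 0 so we would need`, now contradicts the value written and should state the intended value and why. The new resetRedirects comment also repeats the typo `/etc/syctl.conf` for `/etc/sysctl.conf`. Both subs extend outside this hunk.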
213     diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
214     --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:42:09.759000614 +0100
215     +++ smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:25:13.000000000 +0100
216     @@ -23,12 +23,13 @@
217     my $dbKey = 'ipsec';
218    
219     # Generic setup file
220     -
221     + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
222     +
223     # A standard config is included in the RPM but we need to generate a new one so we can modify settings
224    
225     $OUT .= "config setup\n";
226     $OUT .= " protostack=netkey\n";
227     - $OUT .= " #plutodebug=none\n";
228     + $OUT .= " plutodebug=$debugstatus\n";
229     $OUT .= " #klipsdebug=none\n";
230     $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
231     $OUT .= " dumpdir=/var/run/pluto/\n";
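Review bot: `$debugstatus` goes straight into `plutodebug=$debugstatus` without validation, so a db value containing whitespace, a newline or a `#` would alter or inject config lines; constrain it to the word list pluto accepts, e.g. `$debugstatus = 'none' unless $debugstatus =~ /\A\w+(?: \w+)*\z/;` before the `$OUT .=`. A comment next to the line should also warn that some debug classes write sensitive material to /var/log/pluto/pluto.log (openswan documents a `private` class for key material — confirm on this build), which is why the default stays `none` and the log file's permissions matter. The enclosing template block starts and ends outside this hunk.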
232     diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
233     --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
234     +++ smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-23 19:38:56.000000000 +0100
235     @@ -0,0 +1,30 @@
236     +{
237     +# Set up sysctl.conf for ipsec
238     +# need a check on release version as v8 needs
239     +# net.core.xfrm_larval_drop = 1
240     +# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
241     +
242     +use strict;
243     +use warnings;
244     +use esmith::ConfigDB;
245     +
246     +my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
247     +
248     + if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
249     +
250     + $OUT .= <<CONFIG_END
251     +# Ipsec overrides
252     +net.ipv4.conf.all.rp_filter = 0
253     +net.ipv4.conf.all.send_redirects = 0
254     +net.ipv4.conf.default.accept_redirects = 0
255     +net.ipv4.conf.default.rp_filter = 0
256     +net.ipv4.conf.default.send_redirects = 0
257     +net.ipv4.conf.dummy0.rp_filter = 0
258     +net.ipv4.conf.eth0.rp_filter = 0
259     +net.ipv4.conf.eth1.rp_filter = 0
260     +net.ipv4.conf.lo.rp_filter = 0
261     +net.core.xfrm_larval_drop = 1
262     +
263     +CONFIG_END
264     + }
265     +}
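Review bot: The template sets `rp_filter = 0` on `all`, `default` and a hard-coded eth0/eth1/lo/dummy0, which removes source-address spoofing protection on the external interface as well and silently does nothing on hosts whose interfaces have other names; derive the interface list from the configuration db and, on kernels that support loose mode (not EL5's 2.6.18, if I recall correctly — hence the ReleaseVersion check the TODO at the top asks for), prefer `rp_filter = 2` over `0`. It also writes only `net.ipv4.conf.default.accept_redirects = 0`, whereas setRedirects in ipsec-update sets `all.accept_redirects` too, so `sysctl -p` and the action leave different states; add `net.ipv4.conf.all.accept_redirects = 0`. `get_prop( 'ipsec', 'status' )` should be guarded with `|| ''` because `use warnings` is on and a missing key would warn on every expansion.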
