/[smecontribs]/rpms/smeserver-openswan/contribs8/smeserver-openswan-add-debug-key.patch
ViewVC logotype

Contents of /rpms/smeserver-openswan/contribs8/smeserver-openswan-add-debug-key.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Thu Mar 24 15:54:56 2016 UTC (8 years, 8 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-openswan-0_6-5_el5_sme, smeserver-openswan-0_6-6_el5_sme, smeserver-openswan-0_6-7_el5_sme, HEAD
Error occurred while calculating annotation data.
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.6-5.sme
- Add debug db key to /etc/ipsec.conf
- Remove setting public/private keys as they won't affect unless templates are re-expanded
- Set xfrm_larval_drop drop correctly
- minor formatting

1 diff -ruN smeserver-openswan-0.6.old/createlinks smeserver-openswan/createlinks
2 --- smeserver-openswan-0.6.old/createlinks 2016-03-24 16:42:09.758000614 +0100
3 +++ smeserver-openswan/createlinks 2016-03-24 16:25:13.000000000 +0100
4 @@ -13,6 +13,8 @@
5 /etc/ipsec.d/ipsec.conf
6 /etc/ipsec.d/ipsec.secrets
7 /etc/rc.d/init.d/masq
8 + /etc/syctl.conf
9 +
10 ))
11 {
12 templates2events("$_", qw(
13 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug
14 --- smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
15 +++ smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 16:25:13.000000000 +0100
16 @@ -0,0 +1 @@
17 +none
18 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update
19 --- smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:42:09.758000614 +0100
20 +++ smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:25:13.000000000 +0100
21 @@ -44,12 +44,19 @@
22
23 # Do we check if it is already stopped ?
24 # For now we stop it regardless
25 -
26 +
27 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
28
29 # First set ipsec access to private which disables firewall rule
30 # Is this the correct syntax - what about die ?
31 - $configDB->set_prop( $dbKey, 'access', 'private' );
32 + # This is problematic as masq templates are already expanded and may be wrong
33 +
34 + # Make sure access = private
35 + # No point in this unless we expand the masq template again
36 +
37 + #unless ( $ipsec_access eq 'private' ) {
38 + # $configDB->set_prop( $dbKey, 'access', 'private' );
39 + #}
40
41 my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
42 die("Ipsec Error - Unable to launch ipsec stop : $!\n")
43 @@ -57,7 +64,7 @@
44 if not defined $myStopConnection;
45 die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
46
47 - print "Ipsec Information - Enable Reverse Path Filtering";
48 + print "Ipsec Information - reset redirects";
49 resetRedirects();
50
51 exit 0;
52 @@ -68,9 +75,11 @@
53 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
54
55 # Make sure access = public
56 - unless ( $ipsec_access eq 'public' ) {
57 - $configDB->set_prop( $dbKey, 'access', 'public' );
58 - }
59 + # No point in this unless we expand the masq template again
60 +
61 + #unless ( $ipsec_access eq 'public' ) {
62 + # $configDB->set_prop( $dbKey, 'access', 'public' );
63 + #}
64
65 my $status = (`ps ax | grep -v grep | grep pluto`);
66
67 @@ -96,7 +105,6 @@
68 my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
69
70 # Lets check the last state and if it doesn't exist set it disabled
71 -
72 if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
73 my $previpsecstatus = "disabled";
74 $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
75 @@ -108,7 +116,6 @@
76 print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
77
78 # Lets reread secrets anyway
79 -
80 print "Ipsec Information - Restart - ReReading Secrets\n";
81 my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
82
83 @@ -122,19 +129,19 @@
84 && ( $ipsecstatus eq "enabled" ) ) {
85
86 # Restart
87 -
88 print "Ipsec Information - Restarting connection - $ipsecprop\n";
89
90 # Have to use system here as replace usually returns 1280
91 + # Replace just rereads the config and does --delete --add
92 system("/usr/sbin/ipsec auto --replace $ipsecprop");
93 print "Ipsec Information - Restart system - replace return code: $?\n";
94
95 - # If connection -= start then....
96 + # If connection = start then bring it up
97 if ( $connection eq 'start' ) {
98 print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
99
100 + # If it is start rather than add we try and force it to come up
101 startConnection($ipsecprop);
102 -
103 print "Ipsec Information - En - En auto --up\n";
104 print "Ipsec Information - Restart system - up return code: $?\n";
105 }
106 @@ -149,24 +156,21 @@
107 && ( $ipsecstatus eq "disabled" ) ) {
108
109 # Stop
110 -
111 print "Ipsec Information - Stop connection - $ipsecprop\n";
112 -
113 stopConnection($ipsecprop);
114
115 # Set Previous status
116 changeState( $dbKey, $ipsecstatus );
117 }
118
119 + # If status was disabled and now enabled then start it
120 elsif ( ( $previpsecstatus eq "disabled" )
121 && ( $ipsecstatus eq "enabled" ) ) {
122
123 # Start
124 - # Set Previous status
125 -
126 print "Enabling connection $ipsecprop\n";
127
128 - # Have to use system here as replace usually return 1280
129 + # Have to use system here as replace usually returns 1280 and not 0
130 system("/usr/sbin/ipsec auto --replace $ipsecprop");
131 print "Ipsec Information - Restart system - return code: $?\n";
132
133 @@ -183,25 +187,24 @@
134 #or die "exec failed!";
135 }
136
137 + # Set Previous status
138 changeState( $ipsecprop, $ipsecstatus );
139 }
140
141 + # If status was enabled and now disabled then stop it
142 elsif ( ( $previpsecstatus eq "enabled" )
143 && ( $ipsecstatus eq "disabled" ) ) {
144
145 # Stop and remove - do we need to ?
146 -
147 print "Ipsec Information - Stopping connection $ipsecprop\n ";
148 stopConnection($ipsecprop);
149
150 # Set Previous status
151 changeState( $ipsecprop, $ipsecstatus );
152 -
153 }
154
155 + # Should never be here as it means the statuses are other than enabled or disabled
156 else {
157 -
158 - # Can't be here as it means the statuses are other than enabled or disabled
159 print "Ipsec Error - Something went wrong with ipsec connection status\n";
160 }
161
162 @@ -212,15 +215,14 @@
163 # If it isn't running then start it up
164 # Auto connections start themselves. Added connections wait
165 else {
166 -
167 print "Ipsec Information - Disable Reverse Path Filtering\n";
168 -
169 setRedirects();
170
171 # Make sure access = public
172 unless ( $ipsec_access eq 'public' ) {
173 $configDB->set_prop( $dbKey, 'access', 'public' );
174 }
175 +
176 print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
177 my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
178 die("Ipsec Error - Unable to launch ipsec start : $!\n ")
179 @@ -258,13 +260,12 @@
180
181 # Big warning - this is a potential security issue
182 # Make sure you read and understand what happens !
183 -
184 # If I knew which specific interfaces to change we could reduce the lines here
185 system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
186 or die("Ipsec Error - A problem occurred with sysctl: $?");
187 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
188 or die("Ipsec Error - A problem occurred with sysctl: $?");
189 -
190 +
191 system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
192 or die("Ipsec Error - A problem occurred with sysctl: $?");
193 system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
194 @@ -280,14 +281,15 @@
195 or die("Ipsec Error - A problem occurred with sysctl: $?");
196
197 # On v8 this is set to 0 so we would need
198 - system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
199 + system("/sbin/sysctl -w net.core.xfrm_larval_drop=0") == 0 or die("A problem occurred with sysctl: $?");
200
201 }
202
203 sub resetRedirects {
204
205 - # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
206 - # This should reset back to defaults
207 + # /etc/syctl.conf is expanded on ipsec-update
208 + # This should reload the file - if ipsec is disabled it should reset to defaults
209 + # If ipsec is enabled it should disable rp_filtering
210 system("/sbin/sysctl -p") == 0
211 or die("Ipsec Error - A problem occurred with sysctl: $?");
212 }
213 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
214 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:42:09.759000614 +0100
215 +++ smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:25:13.000000000 +0100
216 @@ -23,12 +23,13 @@
217 my $dbKey = 'ipsec';
218
219 # Generic setup file
220 -
221 + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
222 +
223 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
224
225 $OUT .= "config setup\n";
226 $OUT .= " protostack=netkey\n";
227 - $OUT .= " #plutodebug=none\n";
228 + $OUT .= " plutodebug=$debugstatus\n";
229 $OUT .= " #klipsdebug=none\n";
230 $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
231 $OUT .= " dumpdir=/var/run/pluto/\n";
232 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
233 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
234 +++ smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-23 19:38:56.000000000 +0100
235 @@ -0,0 +1,30 @@
236 +{
237 +# Set up sysctl.conf for ipsec
238 +# need a check on release version as v8 needs
239 +# net.core.xfrm_larval_drop = 1
240 +# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
241 +
242 +use strict;
243 +use warnings;
244 +use esmith::ConfigDB;
245 +
246 +my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
247 +
248 + if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
249 +
250 + $OUT .= <<CONFIG_END
251 +# Ipsec overrides
252 +net.ipv4.conf.all.rp_filter = 0
253 +net.ipv4.conf.all.send_redirects = 0
254 +net.ipv4.conf.default.accept_redirects = 0
255 +net.ipv4.conf.default.rp_filter = 0
256 +net.ipv4.conf.default.send_redirects = 0
257 +net.ipv4.conf.dummy0.rp_filter = 0
258 +net.ipv4.conf.eth0.rp_filter = 0
259 +net.ipv4.conf.eth1.rp_filter = 0
260 +net.ipv4.conf.lo.rp_filter = 0
261 +net.core.xfrm_larval_drop = 1
262 +
263 +CONFIG_END
264 + }
265 +}

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed