
Contents of /rpms/smeserver-openswan/contribs8/smeserver-openswan-add-debug-key.patch



Revision 1.1 - (show annotations) (download)
Thu Mar 24 15:54:56 2016 UTC (8 years, 1 month ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-openswan-0_6-5_el5_sme, smeserver-openswan-0_6-6_el5_sme, smeserver-openswan-0_6-7_el5_sme, HEAD
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.6-5.sme
- Add debug db key to /etc/ipsec.conf
- Remove setting the access public/private db property, as it has no effect unless the masq templates are re-expanded afterwards
- Set xfrm_larval_drop drop correctly
- minor formatting

1 diff -ruN smeserver-openswan-0.6.old/createlinks smeserver-openswan/createlinks
2 --- smeserver-openswan-0.6.old/createlinks 2016-03-24 16:42:09.758000614 +0100
3 +++ smeserver-openswan/createlinks 2016-03-24 16:25:13.000000000 +0100
4 @@ -13,6 +13,8 @@
5 /etc/ipsec.d/ipsec.conf
6 /etc/ipsec.d/ipsec.secrets
7 /etc/rc.d/init.d/masq
8 + /etc/syctl.conf
9 +
10 ))
11 {
12 templates2events("$_", qw(
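Review bot: The template path added to the templates2events list is misspelled: `/etc/syctl.conf` should be `/etc/sysctl.conf`. As written, the templates/etc/sysctl.conf/z-ipsec-modifications fragment that this same patch adds is never expanded by the ipsec-update event, so the `sysctl -p` in resetRedirects reloads whatever /etc/sysctl.conf already contained and the rp_filter/redirect overrides never follow the ipsec status. The stray empty `+` line inside the qw() list is harmless but can be dropped. The enclosing statement starts before the hunk.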
13 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug
14 --- smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
15 +++ smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 16:25:13.000000000 +0100
16 @@ -0,0 +1 @@
17 +none
18 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update
19 --- smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:42:09.758000614 +0100
20 +++ smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:25:13.000000000 +0100
21 @@ -44,12 +44,19 @@
22
23 # Do we check if it is already stopped ?
24 # For now we stop it regardless
25 -
26 +
27 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
28
29 # First set ipsec access to private which disables firewall rule
30 # Is this the correct syntax - what about die ?
31 - $configDB->set_prop( $dbKey, 'access', 'private' );
32 + # This is problematic as masq templates are already expanded and may be wrong
33 +
34 + # Make sure access = private
35 + # No point in this unless we expand the masq template again
36 +
37 + #unless ( $ipsec_access eq 'private' ) {
38 + # $configDB->set_prop( $dbKey, 'access', 'private' );
39 + #}
40
41 my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
42 die("Ipsec Error - Unable to launch ipsec stop : $!\n")
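Review bot: Commenting out `$configDB->set_prop( $dbKey, 'access', 'private' )` in the disable path leaves the ipsec `access` property at `public` once the service has ever been enabled (the start branch later in this file still sets it to public), so the firewall opening that the masq template derives from `access` stays in place after IPsec is stopped. If the problem is ordering — the masq template has already been expanded by the time this action runs — the fix is to keep setting the property and then re-expand and reload masq from this action (the old resetRedirects comment shows `expand-template` being used that way), or to have whatever sets `status` also set `access` before the event fires, rather than to drop the reset altogether. At minimum the comment should say who is now responsible, e.g. `# access is no longer changed here: the code that sets status must also set access before ipsec-update runs, or the masq rule will not follow it`. The enclosing `if` block starts before the hunk.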
43 @@ -57,7 +64,7 @@
44 if not defined $myStopConnection;
45 die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
46
47 - print "Ipsec Information - Enable Reverse Path Filtering";
48 + print "Ipsec Information - reset redirects";
49 resetRedirects();
50
51 exit 0;
52 @@ -68,9 +75,11 @@
53 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
54
55 # Make sure access = public
56 - unless ( $ipsec_access eq 'public' ) {
57 - $configDB->set_prop( $dbKey, 'access', 'public' );
58 - }
59 + # No point in this unless we expand the masq template again
60 +
61 + #unless ( $ipsec_access eq 'public' ) {
62 + # $configDB->set_prop( $dbKey, 'access', 'public' );
63 + #}
64
65 my $status = (`ps ax | grep -v grep | grep pluto`);
66
67 @@ -96,7 +105,6 @@
68 my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
69
70 # Lets check the last state and if it doesn't exist set it disabled
71 -
72 if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
73 my $previpsecstatus = "disabled";
74 $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
75 @@ -108,7 +116,6 @@
76 print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
77
78 # Lets reread secrets anyway
79 -
80 print "Ipsec Information - Restart - ReReading Secrets\n";
81 my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
82
83 @@ -122,19 +129,19 @@
84 && ( $ipsecstatus eq "enabled" ) ) {
85
86 # Restart
87 -
88 print "Ipsec Information - Restarting connection - $ipsecprop\n";
89
90 # Have to use system here as replace usually returns 1280
91 + # Replace just rereads the config and does --delete --add
92 system("/usr/sbin/ipsec auto --replace $ipsecprop");
93 print "Ipsec Information - Restart system - replace return code: $?\n";
94
95 - # If connection -= start then....
96 + # If connection = start then bring it up
97 if ( $connection eq 'start' ) {
98 print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
99
100 + # If it is start rather than add we try and force it to come up
101 startConnection($ipsecprop);
102 -
103 print "Ipsec Information - En - En auto --up\n";
104 print "Ipsec Information - Restart system - up return code: $?\n";
105 }
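Review bot: The `--replace` call that the new comment documents interpolates the connection name into a single shell string, `system("/usr/sbin/ipsec auto --replace $ipsecprop")`; `$ipsecprop` is a key read from the ipsec db, so a name containing whitespace or shell metacharacters would be split or interpreted by the shell. The list form avoids the shell and is a drop-in change: `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop);` (the identical call in the next hunk should get the same treatment). The comment about 1280 would be clearer as `# $? is the raw wait status; 1280 is exit status 5 ($? >> 8), which the comment says --replace normally returns`, and since `$?` is only printed, a real failure of --replace is not detected before startConnection is attempted. The enclosing if/elsif chain starts before the hunk.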
106 @@ -149,24 +156,21 @@
107 && ( $ipsecstatus eq "disabled" ) ) {
108
109 # Stop
110 -
111 print "Ipsec Information - Stop connection - $ipsecprop\n";
112 -
113 stopConnection($ipsecprop);
114
115 # Set Previous status
116 changeState( $dbKey, $ipsecstatus );
117 }
118
119 + # If status was disabled and now enabled then start it
120 elsif ( ( $previpsecstatus eq "disabled" )
121 && ( $ipsecstatus eq "enabled" ) ) {
122
123 # Start
124 - # Set Previous status
125 -
126 print "Enabling connection $ipsecprop\n";
127
128 - # Have to use system here as replace usually return 1280
129 + # Have to use system here as replace usually returns 1280 and not 0
130 system("/usr/sbin/ipsec auto --replace $ipsecprop");
131 print "Ipsec Information - Restart system - return code: $?\n";
132
133 @@ -183,25 +187,24 @@
134 #or die "exec failed!";
135 }
136
137 + # Set Previous status
138 changeState( $ipsecprop, $ipsecstatus );
139 }
140
141 + # If status was enabled and now disabled then stop it
142 elsif ( ( $previpsecstatus eq "enabled" )
143 && ( $ipsecstatus eq "disabled" ) ) {
144
145 # Stop and remove - do we need to ?
146 -
147 print "Ipsec Information - Stopping connection $ipsecprop\n ";
148 stopConnection($ipsecprop);
149
150 # Set Previous status
151 changeState( $ipsecprop, $ipsecstatus );
152 -
153 }
154
155 + # Should never be here as it means the statuses are other than enabled or disabled
156 else {
157 -
158 - # Can't be here as it means the statuses are other than enabled or disabled
159 print "Ipsec Error - Something went wrong with ipsec connection status\n";
160 }
161
162 @@ -212,15 +215,14 @@
163 # If it isn't running then start it up
164 # Auto connections start themselves. Added connections wait
165 else {
166 -
167 print "Ipsec Information - Disable Reverse Path Filtering\n";
168 -
169 setRedirects();
170
171 # Make sure access = public
172 unless ( $ipsec_access eq 'public' ) {
173 $configDB->set_prop( $dbKey, 'access', 'public' );
174 }
175 +
176 print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
177 my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
178 die("Ipsec Error - Unable to launch ipsec start : $!\n ")
179 @@ -258,13 +260,12 @@
180
181 # Big warning - this is a potential security issue
182 # Make sure you read and understand what happens !
183 -
184 # If I knew which specific interfaces to change we could reduce the lines here
185 system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
186 or die("Ipsec Error - A problem occurred with sysctl: $?");
187 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
188 or die("Ipsec Error - A problem occurred with sysctl: $?");
189 -
190 +
191 system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
192 or die("Ipsec Error - A problem occurred with sysctl: $?");
193 system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
194 @@ -280,14 +281,15 @@
195 or die("Ipsec Error - A problem occurred with sysctl: $?");
196
197 # On v8 this is set to 0 so we would need
198 - system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
199 + system("/sbin/sysctl -w net.core.xfrm_larval_drop=0") == 0 or die("A problem occurred with sysctl: $?");
200
201 }
202
203 sub resetRedirects {
204
205 - # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
206 - # This should reset back to defaults
207 + # /etc/syctl.conf is expanded on ipsec-update
208 + # This should reload the file - if ipsec is disabled it should reset to defaults
209 + # If ipsec is enabled it should disable rp_filtering
210 system("/sbin/sysctl -p") == 0
211 or die("Ipsec Error - A problem occurred with sysctl: $?");
212 }
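Review bot: `setRedirects` now writes `net.core.xfrm_larval_drop=0` while the new z-ipsec-modifications sysctl.conf fragment writes `net.core.xfrm_larval_drop = 1` whenever ipsec is enabled, so the effective value depends on whether `sysctl -w` here or `sysctl -p` in resetRedirects ran last; the comment above it (`# On v8 this is set to 0 so we would need`) is left unfinished and does not say which value is intended. Pick one value, drive it from the release check the template comment mentions, and set it in one place. The new resetRedirects comment also repeats the `syctl` typo, and `sysctl -p` only restores the expected state if /etc/sysctl.conf was actually re-expanded by this event, which is worth stating: `# relies on /etc/sysctl.conf being re-expanded on ipsec-update (see createlinks)`.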
213 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
214 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:42:09.759000614 +0100
215 +++ smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:25:13.000000000 +0100
216 @@ -23,12 +23,13 @@
217 my $dbKey = 'ipsec';
218
219 # Generic setup file
220 -
221 + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
222 +
223 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
224
225 $OUT .= "config setup\n";
226 $OUT .= " protostack=netkey\n";
227 - $OUT .= " #plutodebug=none\n";
228 + $OUT .= " plutodebug=$debugstatus\n";
229 $OUT .= " #klipsdebug=none\n";
230 $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
231 $OUT .= " dumpdir=/var/run/pluto/\n";
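Review bot: `plutodebug=$debugstatus` writes the `ipsec/debug` db value into ipsec.conf unvalidated, so any value that is not a plutodebug keyword list yields a config pluto rejects, and a value containing a newline would inject further directives into the file. Validate it before use, e.g. after the existing `|| 'none'` default add `$debugstatus = 'none' unless $debugstatus =~ /\A[a-z]+(?:\s+[a-z]+)*\z/;` (or tighten to the exact openswan keyword list to reject typos). A comment is also warranted that debug classes such as `private` are documented as logging keying material to the plutostderrlog configured two lines below, so `debug` should be returned to `none` once troubleshooting is done. The enclosing template block starts before the hunk.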
232 diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
233 --- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
234 +++ smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-23 19:38:56.000000000 +0100
235 @@ -0,0 +1,30 @@
236 +{
237 +# Set up sysctl.conf for ipsec
238 +# need a check on release version as v8 needs
239 +# net.core.xfrm_larval_drop = 1
240 +# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
241 +
242 +use strict;
243 +use warnings;
244 +use esmith::ConfigDB;
245 +
246 +my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
247 +
248 + if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
249 +
250 + $OUT .= <<CONFIG_END
251 +# Ipsec overrides
252 +net.ipv4.conf.all.rp_filter = 0
253 +net.ipv4.conf.all.send_redirects = 0
254 +net.ipv4.conf.default.accept_redirects = 0
255 +net.ipv4.conf.default.rp_filter = 0
256 +net.ipv4.conf.default.send_redirects = 0
257 +net.ipv4.conf.dummy0.rp_filter = 0
258 +net.ipv4.conf.eth0.rp_filter = 0
259 +net.ipv4.conf.eth1.rp_filter = 0
260 +net.ipv4.conf.lo.rp_filter = 0
261 +net.core.xfrm_larval_drop = 1
262 +
263 +CONFIG_END
264 + }
265 +}
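Review bot: The fragment omits `net.ipv4.conf.all.accept_redirects = 0`, which setRedirects in ipsec-update does set, so a `sysctl -p` reload while ipsec is enabled restores the other overrides but leaves `all.accept_redirects` at whatever the base sysctl.conf says. The per-interface `rp_filter` lines hard-code `dummy0`, `eth0` and `eth1`; on a host missing one of them `sysctl -p` reports an unknown key and, depending on the procps version, may exit non-zero and trip the `or die` in resetRedirects, so generating these lines from the interfaces actually configured would be safer. A comment that `all`/`default` `rp_filter = 0` disables source-address spoofing protection host-wide (the "big warning" in ipsec-update) and that loose mode (`rp_filter = 2`) is not available on the el5 kernel would make the trade-off explicit to the next maintainer. The unconditional `xfrm_larval_drop = 1` also contradicts the 0 now written by setRedirects; the release check sketched in the header comment should decide it in one place.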
