smeserver-openswan/contribs8/smeserver-openswan-add-debug-key.patch

diff -ruN smeserver-openswan-0.6.old/createlinks smeserver-openswan/createlinks
--- smeserver-openswan-0.6.old/createlinks      2016-03-24 16:42:09.758000614 +0100
+++ smeserver-openswan/createlinks      2016-03-24 16:25:13.000000000 +0100
@@ -13,6 +13,8 @@
        /etc/ipsec.d/ipsec.conf
        /etc/ipsec.d/ipsec.secrets
        /etc/rc.d/init.d/masq
+       /etc/syctl.conf
+       
     ))
 {
     templates2events("$_", qw(
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug
--- smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug   1970-01-01 01:00:00.000000000 +0100
+++ smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug   2016-03-24 16:25:13.000000000 +0100
@@ -0,0 +1 @@
+none
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update
--- smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update     2016-03-24 16:42:09.758000614 +0100
+++ smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update     2016-03-24 16:25:13.000000000 +0100
@@ -44,12 +44,19 @@
 
     # Do we check if it is already stopped ?
     # For now we stop it regardless
-        
+
     print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
 
     # First set ipsec access to private which disables firewall rule
     # Is this the correct syntax - what about die ?
-    $configDB->set_prop( $dbKey, 'access', 'private' );
+    # This is problematic as masq templates are already expanded and may be wrong
+
+    # Make sure access = private
+    # No point in this unless we expand the masq template again
+    
+    #unless ( $ipsec_access eq 'private' ) {
+    #    $configDB->set_prop( $dbKey, 'access', 'private' );
+    #}
 
     my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
     die("Ipsec Error - Unable to launch ipsec stop : $!\n")
@@ -57,7 +64,7 @@
       if not defined $myStopConnection;
     die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
 
-    print "Ipsec Information - Enable Reverse Path Filtering";
+    print "Ipsec Information - reset redirects";
     resetRedirects();
 
     exit 0;
@@ -68,9 +75,11 @@
 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
 
     # Make sure access = public
-    unless ( $ipsec_access eq 'public' ) {
-        $configDB->set_prop( $dbKey, 'access', 'public' );
-    }
+    # No point in this unless we expand the masq template again
+    
+    #unless ( $ipsec_access eq 'public' ) {
+    #    $configDB->set_prop( $dbKey, 'access', 'public' );
+    #}
 
     my $status = (`ps ax | grep -v grep | grep pluto`);
 
@@ -96,7 +105,6 @@
             my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
 
             # Lets check the last state and if it doesn't exist set it disabled
-
             if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
                 my $previpsecstatus = "disabled";
                 $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
@@ -108,7 +116,6 @@
             print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
 
             # Lets reread secrets anyway
-
             print "Ipsec Information - Restart - ReReading Secrets\n";
             my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
 
@@ -122,19 +129,19 @@
                  && ( $ipsecstatus eq "enabled" ) ) {
 
                 # Restart
-
                 print "Ipsec Information - Restarting connection - $ipsecprop\n";
 
                 # Have to use system here as replace usually returns 1280
+                # Replace just rereads the config and does --delete --add
                 system("/usr/sbin/ipsec auto --replace $ipsecprop");
                 print "Ipsec Information - Restart system - replace return code: $?\n";
 
-                # If connection -= start then....
+                # If connection = start then bring it up
                 if ( $connection eq 'start' ) {
                     print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
 
+                    # If it is start rather than add we try and force it to come up
                     startConnection($ipsecprop);
-
                     print "Ipsec Information - En - En auto --up\n";
                     print "Ipsec Information - Restart system - up return code: $?\n";
                 }
@@ -149,24 +156,21 @@
                     && ( $ipsecstatus eq "disabled" ) ) {
 
                 # Stop
-
                 print "Ipsec Information - Stop connection - $ipsecprop\n";
-
                 stopConnection($ipsecprop);
 
                 # Set Previous status
                 changeState( $dbKey, $ipsecstatus );
             }
 
+            # If status was disabled and now enabled then start it
             elsif (    ( $previpsecstatus eq "disabled" )
                     && ( $ipsecstatus eq "enabled" ) ) {
 
                 # Start
-                # Set Previous status
-
                 print "Enabling connection $ipsecprop\n";
 
-                # Have to use system here as replace usually return 1280
+                # Have to use system here as replace usually returns 1280 and not 0
                 system("/usr/sbin/ipsec auto --replace $ipsecprop");
                 print "Ipsec Information - Restart system - return code: $?\n";
 
@@ -183,25 +187,24 @@
                     #or die "exec failed!";
                 }
 
+                # Set Previous status
                 changeState( $ipsecprop, $ipsecstatus );
             }
 
+            # If status was enabled and now disabled then stop it
             elsif (    ( $previpsecstatus eq "enabled" )
                     && ( $ipsecstatus eq "disabled" ) ) {
 
                 # Stop and remove - do we need to  ?
-
                 print "Ipsec Information - Stopping connection $ipsecprop\n ";
                 stopConnection($ipsecprop);
 
                 # Set Previous status
                 changeState( $ipsecprop, $ipsecstatus );
-
             }
 
+            # Should never be here as it means the statuses are other than enabled or disabled
             else {
-
-                # Can't be here as it means the statuses are other than enabled or disabled
                 print "Ipsec Error - Something went wrong with ipsec connection status\n";
             }
 
@@ -212,15 +215,14 @@
     # If it isn't running then start it up
     # Auto connections start themselves. Added connections wait
     else {
-
         print "Ipsec Information - Disable Reverse Path Filtering\n";
-
         setRedirects();
 
         # Make sure access = public
         unless ( $ipsec_access eq 'public' ) {
             $configDB->set_prop( $dbKey, 'access', 'public' );
         }
+
         print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
         my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
         die("Ipsec Error - Unable to launch ipsec start : $!\n ")
@@ -258,13 +260,12 @@
 
     # Big warning - this is a potential security issue
     # Make sure you read and understand what happens !
-
     # If I knew which specific interfaces to change we could reduce the lines here
     system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
     system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
-      
+
     system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
     system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
@@ -280,14 +281,15 @@
       or die("Ipsec Error - A problem occurred with sysctl: $?");
 
     # On v8 this is set to 0 so we would need
-    system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
+    system("/sbin/sysctl -w net.core.xfrm_larval_drop=0") == 0 or die("A problem occurred with sysctl: $?");
 
 }
 
 sub resetRedirects {
 
-    #    system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
-    # This should reset back to defaults
+    #  /etc/syctl.conf is expanded on ipsec-update
+    # This should reload the file - if ipsec is disabled it should reset to defaults
+    # If ipsec is enabled it should disable rp_filtering
     system("/sbin/sysctl -p") == 0
       or die("Ipsec Error - A problem occurred with sysctl: $?");
 }
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup        2016-03-24 16:42:09.759000614 +0100
+++ smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup        2016-03-24 16:25:13.000000000 +0100
@@ -23,12 +23,13 @@
   my $dbKey = 'ipsec';
 
   # Generic setup file
-
+  my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
+  
 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
 
   $OUT .= "config setup\n";
   $OUT .= "    protostack=netkey\n";
-  $OUT .= "    #plutodebug=none\n";
+  $OUT .= "    plutodebug=$debugstatus\n";
   $OUT .= "    #klipsdebug=none\n";
   $OUT .= "    plutostderrlog=/var/log/pluto/pluto.log\n";
   $OUT .= "    dumpdir=/var/run/pluto/\n";
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-23 19:38:56.000000000 +0100
@@ -0,0 +1,30 @@
+{
+# Set up sysctl.conf for ipsec
+# need a check on release version as v8 needs
+# net.core.xfrm_larval_drop = 1
+#  $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+
+my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
+
+    if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
+
+        $OUT .= <<CONFIG_END
+# Ipsec overrides
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.dummy0.rp_filter = 0
+net.ipv4.conf.eth0.rp_filter = 0
+net.ipv4.conf.eth1.rp_filter = 0
+net.ipv4.conf.lo.rp_filter = 0
+net.core.xfrm_larval_drop = 1
+
+CONFIG_END
+    }
+}
1	reetspetit	1.1	diff -ruN smeserver-openswan-0.6.old/createlinks smeserver-openswan/createlinks
2			--- smeserver-openswan-0.6.old/createlinks 2016-03-24 16:42:09.758000614 +0100
3			+++ smeserver-openswan/createlinks 2016-03-24 16:25:13.000000000 +0100
4			@@ -13,6 +13,8 @@
5			/etc/ipsec.d/ipsec.conf
6			/etc/ipsec.d/ipsec.secrets
7			/etc/rc.d/init.d/masq
8			+ /etc/syctl.conf
9			+
10			))
11			{
12			templates2events("$_", qw(
13			diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug
14			--- smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
15			+++ smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 16:25:13.000000000 +0100
16			@@ -0,0 +1 @@
17			+none
18			diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update
19			--- smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:42:09.758000614 +0100
20			+++ smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:25:13.000000000 +0100
21			@@ -44,12 +44,19 @@
22
23			# Do we check if it is already stopped ?
24			# For now we stop it regardless
25			-
26			+
27			print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
28
29			# First set ipsec access to private which disables firewall rule
30			# Is this the correct syntax - what about die ?
31			- $configDB->set_prop( $dbKey, 'access', 'private' );
32			+ # This is problematic as masq templates are already expanded and may be wrong
33			+
34			+ # Make sure access = private
35			+ # No point in this unless we expand the masq template again
36			+
37			+ #unless ( $ipsec_access eq 'private' ) {
38			+ # $configDB->set_prop( $dbKey, 'access', 'private' );
39			+ #}
40
41			my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
42			die("Ipsec Error - Unable to launch ipsec stop : $!\n")
43			@@ -57,7 +64,7 @@
44			if not defined $myStopConnection;
45			die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
46
47			- print "Ipsec Information - Enable Reverse Path Filtering";
48			+ print "Ipsec Information - reset redirects";
49			resetRedirects();
50
51			exit 0;
52			@@ -68,9 +75,11 @@
53			if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
54
55			# Make sure access = public
56			- unless ( $ipsec_access eq 'public' ) {
57			- $configDB->set_prop( $dbKey, 'access', 'public' );
58			- }
59			+ # No point in this unless we expand the masq template again
60			+
61			+ #unless ( $ipsec_access eq 'public' ) {
62			+ # $configDB->set_prop( $dbKey, 'access', 'public' );
63			+ #}
64
65			my $status = (`ps ax \| grep -v grep \| grep pluto`);
66
67			@@ -96,7 +105,6 @@
68			my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) \|\| '';
69
70			# Lets check the last state and if it doesn't exist set it disabled
71			-
72			if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
73			my $previpsecstatus = "disabled";
74			$ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
75			@@ -108,7 +116,6 @@
76			print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
77
78			# Lets reread secrets anyway
79			-
80			print "Ipsec Information - Restart - ReReading Secrets\n";
81			my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
82
83			@@ -122,19 +129,19 @@
84			&& ( $ipsecstatus eq "enabled" ) ) {
85
86			# Restart
87			-
88			print "Ipsec Information - Restarting connection - $ipsecprop\n";
89
90			# Have to use system here as replace usually returns 1280
91			+ # Replace just rereads the config and does --delete --add
92			system("/usr/sbin/ipsec auto --replace $ipsecprop");
93			print "Ipsec Information - Restart system - replace return code: $?\n";
94
95			- # If connection -= start then....
96			+ # If connection = start then bring it up
97			if ( $connection eq 'start' ) {
98			print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
99
100			+ # If it is start rather than add we try and force it to come up
101			startConnection($ipsecprop);
102			-
103			print "Ipsec Information - En - En auto --up\n";
104			print "Ipsec Information - Restart system - up return code: $?\n";
105			}
106			@@ -149,24 +156,21 @@
107			&& ( $ipsecstatus eq "disabled" ) ) {
108
109			# Stop
110			-
111			print "Ipsec Information - Stop connection - $ipsecprop\n";
112			-
113			stopConnection($ipsecprop);
114
115			# Set Previous status
116			changeState( $dbKey, $ipsecstatus );
117			}
118
119			+ # If status was disabled and now enabled then start it
120			elsif ( ( $previpsecstatus eq "disabled" )
121			&& ( $ipsecstatus eq "enabled" ) ) {
122
123			# Start
124			- # Set Previous status
125			-
126			print "Enabling connection $ipsecprop\n";
127
128			- # Have to use system here as replace usually return 1280
129			+ # Have to use system here as replace usually returns 1280 and not 0
130			system("/usr/sbin/ipsec auto --replace $ipsecprop");
131			print "Ipsec Information - Restart system - return code: $?\n";
132
133			@@ -183,25 +187,24 @@
134			#or die "exec failed!";
135			}
136
137			+ # Set Previous status
138			changeState( $ipsecprop, $ipsecstatus );
139			}
140
141			+ # If status was enabled and now disabled then stop it
142			elsif ( ( $previpsecstatus eq "enabled" )
143			&& ( $ipsecstatus eq "disabled" ) ) {
144
145			# Stop and remove - do we need to ?
146			-
147			print "Ipsec Information - Stopping connection $ipsecprop\n ";
148			stopConnection($ipsecprop);
149
150			# Set Previous status
151			changeState( $ipsecprop, $ipsecstatus );
152			-
153			}
154
155			+ # Should never be here as it means the statuses are other than enabled or disabled
156			else {
157			-
158			- # Can't be here as it means the statuses are other than enabled or disabled
159			print "Ipsec Error - Something went wrong with ipsec connection status\n";
160			}
161
162			@@ -212,15 +215,14 @@
163			# If it isn't running then start it up
164			# Auto connections start themselves. Added connections wait
165			else {
166			-
167			print "Ipsec Information - Disable Reverse Path Filtering\n";
168			-
169			setRedirects();
170
171			# Make sure access = public
172			unless ( $ipsec_access eq 'public' ) {
173			$configDB->set_prop( $dbKey, 'access', 'public' );
174			}
175			+
176			print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
177			my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
178			die("Ipsec Error - Unable to launch ipsec start : $!\n ")
179			@@ -258,13 +260,12 @@
180
181			# Big warning - this is a potential security issue
182			# Make sure you read and understand what happens !
183			-
184			# If I knew which specific interfaces to change we could reduce the lines here
185			system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
186			or die("Ipsec Error - A problem occurred with sysctl: $?");
187			system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
188			or die("Ipsec Error - A problem occurred with sysctl: $?");
189			-
190			+
191			system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
192			or die("Ipsec Error - A problem occurred with sysctl: $?");
193			system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
194			@@ -280,14 +281,15 @@
195			or die("Ipsec Error - A problem occurred with sysctl: $?");
196
197			# On v8 this is set to 0 so we would need
198			- system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
199			+ system("/sbin/sysctl -w net.core.xfrm_larval_drop=0") == 0 or die("A problem occurred with sysctl: $?");
200
201			}
202
203			sub resetRedirects {
204
205			- # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
206			- # This should reset back to defaults
207			+ # /etc/syctl.conf is expanded on ipsec-update
208			+ # This should reload the file - if ipsec is disabled it should reset to defaults
209			+ # If ipsec is enabled it should disable rp_filtering
210			system("/sbin/sysctl -p") == 0
211			or die("Ipsec Error - A problem occurred with sysctl: $?");
212			}
213			diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
214			--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:42:09.759000614 +0100
215			+++ smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:25:13.000000000 +0100
216			@@ -23,12 +23,13 @@
217			my $dbKey = 'ipsec';
218
219			# Generic setup file
220			-
221			+ my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) \|\| 'none';
222			+
223			# A standard config is included in the RPM but we need to generate a new one so we can modify settings
224
225			$OUT .= "config setup\n";
226			$OUT .= " protostack=netkey\n";
227			- $OUT .= " #plutodebug=none\n";
228			+ $OUT .= " plutodebug=$debugstatus\n";
229			$OUT .= " #klipsdebug=none\n";
230			$OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
231			$OUT .= " dumpdir=/var/run/pluto/\n";
232			diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
233			--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
234			+++ smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-23 19:38:56.000000000 +0100
235			@@ -0,0 +1,30 @@
236			+{
237			+# Set up sysctl.conf for ipsec
238			+# need a check on release version as v8 needs
239			+# net.core.xfrm_larval_drop = 1
240			+# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
241			+
242			+use strict;
243			+use warnings;
244			+use esmith::ConfigDB;
245			+
246			+my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
247			+
248			+ if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
249			+
250			+ $OUT .= <<CONFIG_END
251			+# Ipsec overrides
252			+net.ipv4.conf.all.rp_filter = 0
253			+net.ipv4.conf.all.send_redirects = 0
254			+net.ipv4.conf.default.accept_redirects = 0
255			+net.ipv4.conf.default.rp_filter = 0
256			+net.ipv4.conf.default.send_redirects = 0
257			+net.ipv4.conf.dummy0.rp_filter = 0
258			+net.ipv4.conf.eth0.rp_filter = 0
259			+net.ipv4.conf.eth1.rp_filter = 0
260			+net.ipv4.conf.lo.rp_filter = 0
261			+net.core.xfrm_larval_drop = 1
262			+
263			+CONFIG_END
264			+ }
265			+}