diff -ruN smeserver-openswan-0.6.old/createlinks smeserver-openswan/createlinks
--- smeserver-openswan-0.6.old/createlinks 2016-03-24 16:42:09.758000614 +0100
+++ smeserver-openswan/createlinks 2016-03-24 16:25:13.000000000 +0100
@@ -13,6 +13,8 @@
 /etc/ipsec.d/ipsec.conf
 /etc/ipsec.d/ipsec.secrets
 /etc/rc.d/init.d/masq
+ /etc/syctl.conf
+
 )) {
 templates2events("$_", qw(
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug
--- smeserver-openswan-0.6.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-openswan/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 16:25:13.000000000 +0100
@@ -0,0 +1 @@
+none
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update
--- smeserver-openswan-0.6.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:42:09.758000614 +0100
+++ smeserver-openswan/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 16:25:13.000000000 +0100
@@ -44,12 +44,19 @@
 # Do we check if it is already stopped ?
 # For now we stop it regardless
-
+ print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
 # First set ipsec access to private which disables firewall rule
 # Is this the correct syntax - what about die ?
- $configDB->set_prop( $dbKey, 'access', 'private' );
+ # This is problematic as masq templates are already expanded and may be wrong
+
+ # Make sure access = private
+ # No point in this unless we expand the masq template again
+
+ #unless ( $ipsec_access eq 'private' ) {
+ # $configDB->set_prop( $dbKey, 'access', 'private' );
+ #}
 my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
 die("Ipsec Error - Unable to launch ipsec stop : $!\n")
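Review bot: The path added to the templates2events list is `/etc/syctl.conf`, but the template tree this patch adds lives under `templates/etc/sysctl.conf/` and resetRedirects() reloads the file with `sysctl -p`, which reads /etc/sysctl.conf. As far as I can tell the event's expansion step will look for a template named /etc/syctl.conf, find none, and leave /etc/sysctl.conf untouched, so the new z-ipsec-modifications fragment never reaches the running kernel. The entry should read ` /etc/sysctl.conf`; the same misspelling appears in the new resetRedirects() comment in the -280 hunk. The enclosing foreach/qw list starts outside this hunk.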
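Review bot: Disabling ipsec no longer closes the firewall side: with `$configDB->set_prop( $dbKey, 'access', 'private' );` commented out, the access property keeps its previous value, which the not-running branch in the -212 hunk still forces to 'public', so the masq rule that the comment above says this property controls presumably stays open after `ipsec stop` has run. The new comment gives the reason (the masq template is already expanded when this action runs), but the remedy is to set access to private here and then re-expand the masq template and have masq reload it — the removed comment in the -280 hunk already hints at `expand-template` for the same problem — rather than to drop the change. The -68 hunk comments out the matching 'public' assignment in the running branch and has the same gap, leaving only the -212 branch to maintain the property. The disabled-branch `if` that encloses these lines starts outside the hunk.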
@@ -57,7 +64,7 @@
 if not defined $myStopConnection;
 die("Ipsec Error - Unable to stop ipsec( error code $?)\n")
 if $?;
- print "Ipsec Information - Enable Reverse Path Filtering";
+ print "Ipsec Information - reset redirects";
 resetRedirects();
 exit 0;
@@ -68,9 +75,11 @@
 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
 # Make sure access = public
- unless ( $ipsec_access eq 'public' ) {
- $configDB->set_prop( $dbKey, 'access', 'public' );
- }
+ # No point in this unless we expand the masq template again
+
+ #unless ( $ipsec_access eq 'public' ) {
+ # $configDB->set_prop( $dbKey, 'access', 'public' );
+ #}
 my $status = (`ps ax | grep -v grep | grep pluto`);
@@ -96,7 +105,6 @@
 my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
 # Lets check the last state and if it doesn't exist set it disabled
-
 if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
 my $previpsecstatus = "disabled";
 $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
@@ -108,7 +116,6 @@
 print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
 # Lets reread secrets anyway
-
 print "Ipsec Information - Restart - ReReading Secrets\n";
 my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
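Review bot: The replacement message `print "Ipsec Information - reset redirects";` has no trailing newline, unlike every other informational print in this script, so the `sysctl -p` output produced by the following resetRedirects() call lands on the same line. Use `print "Ipsec Information - reset redirects\n";`.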
@@ -122,19 +129,19 @@
 && ( $ipsecstatus eq "enabled" ) ) {
 # Restart
- print "Ipsec Information - Restarting connection - $ipsecprop\n";
 # Have to use system here as replace usually returns 1280
+ # Replace just rereads the config and does --delete --add
 system("/usr/sbin/ipsec auto --replace $ipsecprop");
 print "Ipsec Information - Restart system - replace return code: $?\n";
- # If connection -= start then....
+ # If connection = start then bring it up
 if ( $connection eq 'start' ) {
 print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
+ # If it is start rather than add we try and force it to come up
 startConnection($ipsecprop);
- print "Ipsec Information - En - En auto --up\n";
 print "Ipsec Information - Restart system - up return code: $?\n";
 }
@@ -149,24 +156,21 @@
 && ( $ipsecstatus eq "disabled" ) ) {
 # Stop
- print "Ipsec Information - Stop connection - $ipsecprop\n";
- stopConnection($ipsecprop);
 # Set Previous status
 changeState( $dbKey, $ipsecstatus );
 }
+ # If status was disabled and now enabled then start it
 elsif ( ( $previpsecstatus eq "disabled" )
 && ( $ipsecstatus eq "enabled" ) ) {
 # Start
- # Set Previous status
- print "Enabling connection $ipsecprop\n";
- # Have to use system here as replace usually return 1280
+ # Have to use system here as replace usually returns 1280 and not 0
 system("/usr/sbin/ipsec auto --replace $ipsecprop");
 print "Ipsec Information - Restart system - return code: $?\n";
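Review bot: `system("/usr/sbin/ipsec auto --replace $ipsecprop");`, kept as context here and again in the -149 hunk, interpolates the connection name into a shell command string. The name comes from the ipsec DB rather than from a peer, so the exposure is limited to what an administrator stores there, but the list form `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop);` skips the shell entirely, behaves the same with respect to `$?`, and is robust to spaces or metacharacters in a key. Since this hunk only touches comments that would be a small follow-up change. The enclosing elsif starts outside the hunk.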
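Review bot: The first branch of this hunk records the previous state with `changeState( $dbKey, $ipsecstatus );`, while every other branch in the patch calls `changeState( $ipsecprop, $ipsecstatus );`. $dbKey is the configuration-DB key this script uses for the service itself, so this presumably stamps PreviousState on the wrong record and leaves the connection's own PreviousState as it was, which would make the branch repeat its work on every event; if that is intentional it deserves a comment, otherwise it should be `changeState( $ipsecprop, $ipsecstatus );`. The condition that selects this branch starts outside the hunk, so I cannot see which state pair it handles.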
@@ -183,25 +187,24 @@
 #or die "exec failed!";
 }
+ # Set Previous status
 changeState( $ipsecprop, $ipsecstatus );
 }
+ # If status was enabled and now disabled then stop it
 elsif ( ( $previpsecstatus eq "enabled" )
 && ( $ipsecstatus eq "disabled" ) ) {
 # Stop and remove - do we need to ?
- print "Ipsec Information - Stopping connection $ipsecprop\n ";
 stopConnection($ipsecprop);
 # Set Previous status
 changeState( $ipsecprop, $ipsecstatus );
-
 }
+ # Should never be here as it means the statuses are other than enabled or disabled
 else {
-
- # Can't be here as it means the statuses are other than enabled or disabled
 print "Ipsec Error - Something went wrong with ipsec connection status\n";
 }
@@ -212,15 +215,14 @@
 # If it isn't running then start it up
 # Auto connections start themselves. Added connections wait
 else {
- print "Ipsec Information - Disable Reverse Path Filtering\n";
- setRedirects();
 # Make sure access = public
 unless ( $ipsec_access eq 'public' ) {
 $configDB->set_prop( $dbKey, 'access', 'public' );
 }
+ print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
 my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
 die("Ipsec Error - Unable to launch ipsec start : $!\n ")
@@ -258,13 +260,12 @@
 # Big warning - this is a potential security issue
 # Make sure you read and understand what happens !
- # If I knew which specific interfaces to change we could reduce the lines here
 system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
-
+
 system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
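Review bot: The redirect sysctls are no longer applied when ipsec is enabled: `setRedirects();` is removed from this start branch, and the only remaining caller of a sysctl routine visible in the patch is `resetRedirects()` in the disabled path of the -57 hunk, so — unless the start branch calls it further down, past the end of this hunk — enabling the service writes the z-ipsec-modifications fragment into /etc/sysctl.conf at template-expansion time but never loads it until the next reboot or disable. The send_redirects/accept_redirects settings that setRedirects() used to apply are the ones the "Big warning" comment in the -258 hunk is about, so the branch should call `resetRedirects();` around the `ipsec start` (before it, if the intent is to have them in place when pluto comes up). Separately, the new `print "Ipsec Information - ipsec enabled - Starting ipsec\n ";` has a stray space after the newline that indents the next line of output; `"...Starting ipsec\n"` is enough. The start branch continues beyond the hunk.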
@@ -280,14 +281,15 @@
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 # On v8 this is set to 0 so we would need
- system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.core.xfrm_larval_drop=0") == 0 or die("A problem occurred with sysctl: $?");
 }
 sub resetRedirects {
- # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?");
- # This should reset back to defaults
+ # /etc/syctl.conf is expanded on ipsec-update
+ # This should reload the file - if ipsec is disabled it should reset to defaults
+ # If ipsec is enabled it should disable rp_filtering
 system("/sbin/sysctl -p") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 }
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:42:09.759000614 +0100
+++ smeserver-openswan/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 16:25:13.000000000 +0100
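Review bot: setRedirects() now runs `sysctl -w net.core.xfrm_larval_drop=0`, but the comment directly above it still reads "On v8 this is set to 0 so we would need" — the justification for the old value of 1 — and the new z-ipsec-modifications template in this same patch says "v8 needs net.core.xfrm_larval_drop = 1". One of the two is wrong: if 0 is the intended value on every release, the comment here should say so and the template comment should go, otherwise the flip should be reverted or made release-dependent as the template comment proposes. On the same changed line, `die("A problem occurred with sysctl: $?")` lacks the `Ipsec Error - ` prefix every other die in this script carries. The start of setRedirects() is outside the hunk.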
@@ -23,12 +23,13 @@
 my $dbKey = 'ipsec';
 # Generic setup file
-
+ my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
+ # A standard config is included in the RPM but we need to generate a new one so we can modify settings
 $OUT .= "config setup\n";
 $OUT .= " protostack=netkey\n";
- $OUT .= " #plutodebug=none\n";
+ $OUT .= " plutodebug=$debugstatus\n";
 $OUT .= " #klipsdebug=none\n";
 $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
 $OUT .= " dumpdir=/var/run/pluto/\n";
diff -ruN smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
--- smeserver-openswan-0.6.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-openswan/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-23 19:38:56.000000000 +0100
@@ -0,0 +1,30 @@
+{
+# Set up sysctl.conf for ipsec
+# need a check on release version as v8 needs
+# net.core.xfrm_larval_drop = 1
+# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+
+my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
+
+ if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
+
+ $OUT .= <
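Review bot: `$debugstatus` goes straight into the generated file as `plutodebug=$debugstatus` with no check beyond the `|| 'none'` fallback, so whatever is stored in the ipsec 'debug' property — a typo, or a value containing a newline — is written into the config setup section, where it may stop pluto from starting or inject further directives. Since the accepted values are a fixed set of debug class names, compare the property against that list, or at minimum reject anything that is not a plain word list with `$debugstatus = 'none' unless $debugstatus =~ m{\A[\w ]+\z};` before it is interpolated. A comment next to the property would also help the next maintainer: verbose plutodebug classes write negotiation detail to the plutostderrlog at /var/log/pluto/pluto.log configured two lines below, so the 'none' default this patch adds is the value to keep outside active troubleshooting.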