From 997358a6c475c8886cce388ab325184a1ff733c9 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 28 Apr 2006 07:14:48 +0000
Subject: - import of strongswan-2.7.0 - applied patch for charon
---
testing/hosts/moon/etc/conf.d/hostname | 1 +
testing/hosts/moon/etc/conf.d/net | 11 +
testing/hosts/moon/etc/init.d/iptables | 76 +++++
testing/hosts/moon/etc/init.d/net.eth0 | 314 +++++++++++++++++++++
testing/hosts/moon/etc/init.d/net.eth1 | 314 +++++++++++++++++++++
testing/hosts/moon/etc/ipsec.conf | 36 +++
.../moon/etc/ipsec.d/cacerts/strongswanCert.pem | 22 ++
testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem | 24 ++
testing/hosts/moon/etc/ipsec.d/private/moonKey.pem | 27 ++
testing/hosts/moon/etc/ipsec.secrets | 7 +
testing/hosts/moon/etc/runlevels/default/net.eth0 | 314 +++++++++++++++++++++
testing/hosts/moon/etc/runlevels/default/net.eth1 | 314 +++++++++++++++++++++
12 files changed, 1460 insertions(+)
create mode 100644 testing/hosts/moon/etc/conf.d/hostname
create mode 100644 testing/hosts/moon/etc/conf.d/net
create mode 100755 testing/hosts/moon/etc/init.d/iptables
create mode 100755 testing/hosts/moon/etc/init.d/net.eth0
create mode 100755 testing/hosts/moon/etc/init.d/net.eth1
create mode 100755 testing/hosts/moon/etc/ipsec.conf
create mode 100644 testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
create mode 100644 testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem
create mode 100644 testing/hosts/moon/etc/ipsec.d/private/moonKey.pem
create mode 100644 testing/hosts/moon/etc/ipsec.secrets
create mode 100755 testing/hosts/moon/etc/runlevels/default/net.eth0
create mode 100755 testing/hosts/moon/etc/runlevels/default/net.eth1
(limited to 'testing/hosts/moon/etc')
diff --git a/testing/hosts/moon/etc/conf.d/hostname b/testing/hosts/moon/etc/conf.d/hostname
new file mode 100644
index 000000000..78e695337
--- /dev/null
+++ b/testing/hosts/moon/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=moon
diff --git a/testing/hosts/moon/etc/conf.d/net b/testing/hosts/moon/etc/conf.d/net
new file mode 100644
index 000000000..7dec60ba5
--- /dev/null
+++ b/testing/hosts/moon/etc/conf.d/net
@@ -0,0 +1,11 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_MOON broadcast 192.168.0.255 netmask 255.255.255.0"
+iface_eth1="PH_IP1_MOON broadcast 10.1.255.255 netmask 255.255.0.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..7f46267c2
--- /dev/null
+++ b/testing/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
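Review bot: The `eend $?` closing start() only reflects the exit status of the last rule (the ssh OUTPUT ACCEPT), so a failure of any earlier `-P ... DROP` policy or ACCEPT rule is reported as a successful firewall start; because the policies are set to DROP first, a failed ACCEPT rule silently leaves the host unreachable on that port. Track a status across the block instead: `local rv=0` before the first iptables call, `|| rv=1` appended to each, and `eend $rv` at the end. The same file mixes `/sbin/iptables` with bare `iptables` in start(), and stop()/reload() iterate `for a in \`cat /proc/net/ip_tables_names\`` and test `[ $a == nat ]` with an unquoted variable and a bash-only `==` inside `[`; `[[ "$a" == nat ]]` (or `[ "$a" = nat ]`) is the portable form. stop() also resets every policy to ACCEPT but leaves `/proc/sys/net/ipv4/ip_forward` at 1, so a stopped firewall means unfiltered forwarding between eth0 and eth1; unless the harness relies on forwarding staying on, `echo 0 > /proc/sys/net/ipv4/ip_forward` belongs in stop().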
diff --git a/testing/hosts/moon/etc/init.d/net.eth0 b/testing/hosts/moon/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/init.d/net.eth0
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/init.d/net.eth1 b/testing/hosts/moon/etc/init.d/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/init.d/net.eth1 
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a0e97e057 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.conf 
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=192.168.0.1
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+
+conn net-net
+ leftsubnet=10.1.0.0/16
+ right=192.168.0.2
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn host-host
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn rw
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
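Review bot: `left=192.168.0.1` and `right=192.168.0.2` are hard-coded in `conn %default` and the two sun connections, while the sibling conf.d/net and init.d/iptables files in this commit use `PH_IP_MOON`/`PH_IP_WINNETOU` placeholders; if the harness substitutes those tokens per host, ipsec.conf should presumably use the same scheme (`left=PH_IP_MOON`) so each address is defined in one place. `conn rw` matches `right=%any` with no `rightid` or `rightca` constraint, so any peer presenting a certificate that chains to a CA in ipsec.d/cacerts can presumably negotiate it; fine for the testbed, but a one-line comment such as `# rw: any certificate issued by the strongSwan Root CA is accepted` would make that explicit. Likewise `strictcrlpolicy=no` with `crlcheckinterval=180` means a CRL that cannot be fetched from winnetou does not block a connection, which deserves a comment stating it is intentional for the test network.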
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem new file mode 100644 index 000000000..d8fbfa1c9 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv +ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F +f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD +v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+ +9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U +esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX +Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g +LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G +CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec +tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW +EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h +wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K +iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW +kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp +-----END CERTIFICATE----- diff --git a/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..89197a447 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAr64uEJrApxtDe28anlGU0IXJmf4sjeEbJh8BbIjnNOsaZ2ex +W8fYM4vzrMFOihi/hX/T37zmN+mw02VPFdkGi99EUFF89yZRvo1Mj/c46pYbL1WE +v3CJr6oKN7lJENGAg79kmn05WkHwTmjxRJTRD/x9mEosgel/NCHB7DjGKbJFaj2P +O/ORXoYxfqcbskQivvR15nfolnZwtPbuKoCkWty9CGplN6tfwSv2n5BytiACDeGI +DOxs3qR1Q9H+xMX/VHrCRHoeIQ2cEo3DM3cm62PVwccxqixjzhddvI6/ucHlGYgV +vkc3gcP4LCtZ0j3rlzndpTyY0xo/uld2CuqomwIDAQABAoIBAECAVQ1npCA2lFo3 +erByB49f75sIhVc6NPuUGrO8uBbn0vPwUGAASdLzKW5eMvXlDDx5qFLXSjdxJ6kV +4ymEWzDzsmNC5/zeJtkti9S30j/fCPAiF/Ep4oOKjOHUt4zjPqoglVFbdLk8yHwh +b6Pcd73E2GAXq6uvDTMYydhvJ+KaozAfbXmQ9vf3HbneI6xmgAug209Cu+gpMspW +4IunMMY/668neRmM7jh+4JNLMqJhCrmQpLkIlRux2yNFzxkF8RrqptGzaLf4KxNF +rRRUThHUfWmB/EvggzJgUMuVA2Pa0bKNvBbbQuwPqXMxLHMGBjvJ8wimsLzJZeXL +fgsyPKECgYEA5x//2cmlKL3LbprRpfSzVOPqM3OSeEqseQtPun9Gs7WNVZZVc/ZJ +O2hjdc9qDGjak3lDSwVbYl8B1kqfGTTLB1sl2171aDJQOWdNV3WQtexUKEhC4Ewn +yXEDoVGAXJtiCj34QYHjoMEHUqfabKyWKUcaK8hbMsOhYPOorfLXg9MCgYEAwpaP +W68NJGu5Zxsdz62rOiPNb58cuoxLDZsJ1sMKJO7BdPIqTZ0oGNdgt5phyc3ROBSH +cjqZdzpim1gXGm4ocGvwg3APNQN6DLBknJNZmHzPd7RLSz2UxhTHRTfHAltQPcmW +cJVBHsrsS0QnvDndXfzLuLq12S6UZasR5eBdcxkCgYEAizBuOI6DdGG4nceG8lbH +mRwY8xtq3h66d7skLMBxp9ByaVS76bYsrCZVn6Fl0EtlNuMUb52uRzPIO3F9FwUA +MFHoHpC1YibKwYdAwKcAm07T7950x/eVDm+NLB2VHDBHfruLQogiubEF4/VKSaA2 +Xm1/iVaD9bJzAZw7vWY9/BkCgYB/Xe9uErGmgkB0BaLIuiNWxfKFOn+id4v01uNk +yHtOW10TgCNCdDi3sdpjs1CIuAhXDdDuav7itLuwdMOCkFI16+EdF29Mwv7TaW4h +sq01i5R9BO03zZIg6Z7ZZr4Dg+OM3fNzs65RSn/KcE0V/kYwa/So8MVw5/VIauYn +MmnYmQKBgDEFWQPyPH242olRqtE0yDp8qVHEjJp7mU822YFbyCyAUnttqOS+/5/u +Z7H95QZHGaQESL1tcNnaiRASJAKDWjKOdM/TTotWjCn65v+DHvgk/IJeYJVHoGBS +pBE+wJ8AZJu3t9GVp3PxFxHIjxUrEKG0rli7bYv8F245+Wx8DeXI +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/moon/etc/ipsec.secrets b/testing/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..c90b4c4a3 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.secrets 
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+
+
+
diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth0 b/testing/hosts/moon/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/moon/etc/runlevels/default/net.eth0
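Review bot: ipsec.secrets references the unencrypted `moonKey.pem`, and according to the commit header both it and ipsec.d/private/moonKey.pem are added with `create mode 100644`, i.e. world-readable. Even for a throwaway test image the key material should be installed 0600 (and ipsec.d/private 0700), since the file mode in the tree is what the host image inherits; if the harness fixes permissions at install time, a comment here saying so would avoid the question. The four trailing empty lines after `: RSA moonKey.pem` can be dropped.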
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth1 b/testing/hosts/moon/etc/runlevels/default/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/runlevels/default/net.eth1 
@@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. 
+# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin 
"Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? 
+ done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! 
-e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? 
"Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 -- cgit v1.2.3