Merge branch 'master' into ppp-update

This commit is contained in:
Michael Tremer
2010-06-30 11:36:50 +02:00
16 changed files with 273 additions and 174 deletions


@@ -0,0 +1,2 @@
# user connections that should not overwritten by the webif
#


@@ -0,0 +1,2 @@
# user secrets that should not overwritten by the webif
#


@@ -15,6 +15,8 @@ etc/hddtemp.db
etc/host.conf etc/host.conf
etc/inittab etc/inittab
etc/inputrc etc/inputrc
#etc/ipsec.user.conf
#etc/ipsec.user.secrets
etc/issue etc/issue
etc/ld.so.conf etc/ld.so.conf
etc/logrotate.conf etc/logrotate.conf


@@ -1,4 +1,5 @@
etc/ipsec.conf etc/ipsec.conf
etc/ipsec.user.conf
#etc/ipsec.d #etc/ipsec.d
etc/ipsec.d/aacerts etc/ipsec.d/aacerts
etc/ipsec.d/acerts etc/ipsec.d/acerts
@@ -9,6 +10,7 @@ etc/ipsec.d/ocspcerts
etc/ipsec.d/private etc/ipsec.d/private
etc/ipsec.d/reqs etc/ipsec.d/reqs
etc/ipsec.secrets etc/ipsec.secrets
etc/ipsec.user.secrets
etc/strongswan.conf etc/strongswan.conf
#usr/lib/libcharon.a #usr/lib/libcharon.a
#usr/lib/libcharon.la #usr/lib/libcharon.la
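Review bot: `etc/ipsec.user.secrets` (L44) is now listed unconditionally next to `etc/ipsec.secrets`, and the template this commit adds for it (L17) is meant to hold user credentials; the rootfile carries no ownership or mode information, so wherever that template is created it should get the same restrictive owner and mode as `etc/ipsec.secrets` rather than the default for packaged files. If packaged copies are installed over existing files, shipping the template from the package would also replace a user's edited copy, which is exactly what the template header says must not happen — worth confirming how the package installer treats an existing file before relying on this listing.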


@@ -55,6 +55,7 @@ etc/rc.d/init.d/network
etc/rc.d/init.d/ntp etc/rc.d/init.d/ntp
etc/rc.d/init.d/modules etc/rc.d/init.d/modules
usr/local/bin/ipsecctrl usr/local/bin/ipsecctrl
usr/local/bin/rebuildhosts
usr/local/bin/syslogdctrl usr/local/bin/syslogdctrl
usr/local/bin/wirelessctrl usr/local/bin/wirelessctrl
usr/local/sbin/setup usr/local/sbin/setup


@@ -61,6 +61,9 @@ echo boot >> /opt/pakfire/tmp/ROOTFILES
echo etc/sysconfig/lm_sensors >> /opt/pakfire/tmp/ROOTFILES echo etc/sysconfig/lm_sensors >> /opt/pakfire/tmp/ROOTFILES
echo usr/lib/ipsec >> /opt/pakfire/tmp/ROOTFILES echo usr/lib/ipsec >> /opt/pakfire/tmp/ROOTFILES
echo usr/libexec/ipsec >> /opt/pakfire/tmp/ROOTFILES echo usr/libexec/ipsec >> /opt/pakfire/tmp/ROOTFILES
# exclude squid cache from backup
sed -i -e "s|^var/log/cache|#var/log/cache|g" /opt/pakfire/tmp/ROOTFILES
# Backup the files
tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \ tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \
-C / -T /opt/pakfire/tmp/ROOTFILES --exclude='#*' > /dev/null 2>&1 -C / -T /opt/pakfire/tmp/ROOTFILES --exclude='#*' > /dev/null 2>&1
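Review bot: The `g` flag on the new sed expression (L67) is a no-op because the pattern is anchored with `^`, and `^var/log/cache` also comments out any entry that merely starts with that prefix rather than the cache directory and its contents; `sed -i -e 's|^var/log/cache\(/\|$\)|#&|' /opt/pakfire/tmp/ROOTFILES` limits the match to the directory itself and paths below it. The exit status of sed is not checked either, and since the tar invocation below discards all of its output, a failed edit would silently leave the squid cache in the backup archive — `sed ... || echo "could not exclude squid cache from backup" >&2` at least records that.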



@@ -0,0 +1 @@
etc/system-release


@@ -0,0 +1 @@
DEPS=""


@@ -0,0 +1,42 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 3 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2010 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1
#
#Stop services
#
#Extract files
extract_files
#
#Start services
#
#Update Language cache
perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
#
#Finish
#Don't report the exitcode last command
exit 0
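Review bot: `extract_files` on L116 runs unchecked and the script always ends with `exit 0` (L125), so a failed or partial extraction is reported as a successful update and nothing is logged about it; if pakfire acts on the script's status, `extract_files || { echo "extract_files failed" >&2; exit 1; }` would surface the failure, and if the unconditional `exit 0` is deliberate, the comment on L124 should say that the update status is intentionally not propagated. The empty "Stop services" and "Start services" sections (L113, L118) read as placeholders; a one-line `# nothing to stop/start for this update` makes it clear they are not forgotten. The inline Perl on L121 uses the `&Lang::BuildCacheLang` call form, which also passes the caller's `@_`; `Lang::BuildCacheLang()` is the plain call.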


@@ -143,7 +143,7 @@ if (-e "/etc/snort/snort.conf") {
# If see more than one dashed line, (start to) create rule file description # If see more than one dashed line, (start to) create rule file description
if ($dashlinecnt > 1) { if ($dashlinecnt > 1) {
# Check for a line starting with a # # Check for a line starting with a #
if ($ruleline =~ /^\#/) { if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/) {
# Create tempruleline # Create tempruleline
my $tempruleline = $ruleline; my $tempruleline = $ruleline;
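Review bot: The new exclusion on L133 only recognises a disabled rule written exactly as `#alert`; a line such as `# alert ...` or one using another Snort action (`#drop`, `#pass`, `#log`) still passes this test and would be collected as description text, if the rule files contain such lines. A slightly wider pattern covers those cases: `if ($ruleline =~ /^\#/ and $ruleline !~ /^\#\s*(?:alert|log|pass|drop|reject|sdrop)\b/) {`. A comment such as `# A commented-out rule is not part of the description` above it would explain why the second test exists. The enclosing `if ($dashlinecnt > 1)` block and the surrounding loop both continue outside the hunk.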


@@ -289,6 +289,12 @@ sub writeipsecfiles {
#print CONF "\tdisablearrivalcheck=no\n"; #print CONF "\tdisablearrivalcheck=no\n";
print CONF "\n"; print CONF "\n";
# Add user includes to config file
print CONF "include /etc/ipsec.user.conf\n";
print CONF "\n";
print SECRETS "include /etc/ipsec.user/secrets\n";
if (-f "${General::swroot}/certs/hostkey.pem") { if (-f "${General::swroot}/certs/hostkey.pem") {
print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n"
} }
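Review bot: The secrets include on L145 points at `/etc/ipsec.user/secrets`, but the file this commit creates and packages is `etc/ipsec.user.secrets` (L17, L27, L44), so the generated `ipsec.secrets` refers to a path that does not exist and the user-maintained secrets are never loaded; it should read `print SECRETS "include /etc/ipsec.user.secrets\n";`. A comment on that line mirroring the one on L142 — `# Add user secrets that the web interface must not overwrite` — would make the pairing with the config include obvious. Because the included file becomes part of the secrets the daemon loads, its owner and mode need to match `ipsec.secrets`; that is decided where the file is installed, not here, but it is worth checking alongside this change. `writeipsecfiles` continues outside the hunk.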


@@ -25,7 +25,7 @@
NAME="IPFire" # Software name NAME="IPFire" # Software name
SNAME="ipfire" # Short name SNAME="ipfire" # Short name
VERSION="2.7" # Version number VERSION="2.7" # Version number
CORE="38" # Core Level (Filename) CORE="39" # Core Level (Filename)
PAKFIRE_CORE="38" # Core Level (PAKFIRE) PAKFIRE_CORE="38" # Core Level (PAKFIRE)
GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan SLOGAN="www.ipfire.org" # Software slogan


@@ -141,16 +141,11 @@ int decode_line (char *s,
issue ipsec commmands to turn on connection 'name' issue ipsec commmands to turn on connection 'name'
*/ */
void turn_connection_on (char *name, char *type) { void turn_connection_on (char *name, char *type) {
char command[STRING_SIZE]; /*
FILE *file = NULL; if you find a way to start a single connection without changing all add it
here. Change also vpn-watch.
if (file = fopen("/var/run/vpn-watch.pid", "r")) { */
safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
safe_system("unlink /var/run/vpn-watch.pid");
close(file);
}
safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null"); safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
safe_system("/usr/local/bin/vpn-watch &");
} }
/* /*
issue ipsec commmands to turn off connection 'name' issue ipsec commmands to turn off connection 'name'
@@ -194,6 +189,12 @@ int main(int argc, char *argv[]) {
/* Get vpnwatch pid */ /* Get vpnwatch pid */
if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
safe_system("unlink /var/run/vpn-watch.pid");
close(file);
}
/* FIXME: workaround for pclose() issue - still no real idea why /* FIXME: workaround for pclose() issue - still no real idea why
* this is happening */ * this is happening */
signal(SIGCHLD, SIG_DFL); signal(SIGCHLD, SIG_DFL);
@@ -338,6 +339,8 @@ int main(int argc, char *argv[]) {
// start the system // start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) { if ((argc == 2) && strcmp(argv[1], "S") == 0) {
safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
safe_system("/usr/local/bin/vpn-watch &");
exit(0); exit(0);
} }
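Review bot: `close(file)` on L185 passes a `FILE *` to `close()`, which takes an integer descriptor, so the stream is never released and the call is undefined behaviour; the block was moved here from `turn_connection_on` with the defect intact and should use `fclose(file)`. The pid is also handed to a shell through `kill -9 $(cat /var/run/vpn-watch.pid)` and `unlink` is spawned as a separate process; reading the pid with `fscanf`, validating it and calling `kill()`/`unlink()` in-process avoids the shell round trip and lets a malformed pid file be rejected, which is what the rewrite below does. The file already calls `signal()`, so `<signal.h>` is presumably included; `unlink()` additionally needs `<unistd.h>` if it is not already there. `main` starts and ends outside the hunk.
```c
	/* Get vpnwatch pid */
	if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
		int pid = 0;
		/* parse the pid in-process instead of echoing the file into a shell */
		if (fscanf(file, "%d", &pid) == 1 && pid > 1)
			kill(pid, SIGKILL);
		fclose(file);
		unlink("/var/run/vpn-watch.pid");
	}
	/* … unchanged: SIGCHLD workaround … */
```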


@@ -23,6 +23,7 @@
FILE *fd = NULL; FILE *fd = NULL;
FILE *hosts = NULL; FILE *hosts = NULL;
FILE *gw = NULL;
struct keyvalue *kv = NULL; struct keyvalue *kv = NULL;
void exithandler(void) void exithandler(void)
@@ -33,6 +34,8 @@ void exithandler(void)
fclose(fd); fclose(fd);
if (hosts) if (hosts)
fclose(hosts); fclose(hosts);
if (gw)
fclose(gw);
} }
int main(int argc, char *argv[]) int main(int argc, char *argv[])
@@ -40,6 +43,7 @@ int main(int argc, char *argv[])
int fdpid; int fdpid;
char hostname[STRING_SIZE]; char hostname[STRING_SIZE];
char domainname[STRING_SIZE] = ""; char domainname[STRING_SIZE] = "";
char gateway[STRING_SIZE] = "";
char buffer[STRING_SIZE]; char buffer[STRING_SIZE];
char address[STRING_SIZE]; char address[STRING_SIZE];
char *active, *ip, *host, *domain; char *active, *ip, *host, *domain;
@@ -73,11 +77,26 @@ int main(int argc, char *argv[])
freekeyvalues(kv); freekeyvalues(kv);
kv = NULL; kv = NULL;
if (!(gw = fopen(CONFIG_ROOT "/red/remote-ipaddress", "r")))
{
fprintf(stderr, "Couldn't open remote-ipaddress file\n");
fclose(gw);
gw = NULL;
exit(1);
}
if (fgets(gateway, STRING_SIZE, gw) == NULL)
{
fprintf(stderr, "Couldn't read remote-ipaddress\n");
exit(1);
}
if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r"))) if (!(fd = fopen(CONFIG_ROOT "/main/hosts", "r")))
{ {
fprintf(stderr, "Couldn't open main hosts file\n"); fprintf(stderr, "Couldn't open main hosts file\n");
exit(1); exit(1);
} }
if (!(hosts = fopen("/etc/hosts", "w"))) if (!(hosts = fopen("/etc/hosts", "w")))
{ {
fprintf(stderr, "Couldn't open /etc/hosts file\n"); fprintf(stderr, "Couldn't open /etc/hosts file\n");
@@ -90,6 +109,9 @@ int main(int argc, char *argv[])
fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname); fprintf(hosts, "%s\t%s.%s\t%s\n",address,hostname,domainname,hostname);
else else
fprintf(hosts, "%s\t%s\n",address,hostname); fprintf(hosts, "%s\t%s\n",address,hostname);
fprintf(hosts, "%s\tgateway\n",gateway);
while (fgets(buffer, STRING_SIZE, fd)) while (fgets(buffer, STRING_SIZE, fd))
{ {
buffer[strlen(buffer) - 1] = 0; buffer[strlen(buffer) - 1] = 0;
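Review bot: `fclose(gw)` on L228 runs in the branch where `fopen` has just returned NULL, so the error path closes a null stream; it should simply be dropped — `exithandler` already guards with `if (gw)` (L210). Separately, `gateway` is filled by `fgets` (L232) and keeps its trailing newline, so the new `fprintf(hosts, "%s\tgateway\n", gateway)` on L249 splits the entry across two lines of `/etc/hosts`; the loop below strips the terminator from `buffer`, but `gateway` never gets the same treatment, and the stream is only closed at exit. The rewrite below strips the terminator and closes `gw` once it has been read. The new unconditional `exit(1)` when `remote-ipaddress` cannot be opened also means `/etc/hosts` is no longer rebuilt at all in that case — if the file is absent whenever RED is down, skipping the gateway entry instead of aborting would be the safer behaviour. `main` continues outside the hunk.
```c
	if (!(gw = fopen(CONFIG_ROOT "/red/remote-ipaddress", "r")))
	{
		fprintf(stderr, "Couldn't open remote-ipaddress file\n");
		exit(1);   /* gw is NULL here: nothing to close */
	}
	if (fgets(gateway, STRING_SIZE, gw) == NULL)
	{
		fprintf(stderr, "Couldn't read remote-ipaddress\n");
		exit(1);
	}
	/* fgets() keeps the line terminator; strip it so the hosts entry stays on one line */
	gateway[strcspn(gateway, "\r\n")] = '\0';
	fclose(gw);
	gw = NULL;   /* exithandler() tests gw before closing it */
	/* … unchanged: open main/hosts and /etc/hosts … */
```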


@@ -1,6 +1,6 @@
#!/usr/bin/perl #!/usr/bin/perl
################################################## ##################################################
##### VPN-Watch.pl Version 0.4c ##### ##### VPN-Watch.pl Version 0.5 #####
################################################## ##################################################
# # # #
# VPN-Watch is part of the IPFire Firewall # # VPN-Watch is part of the IPFire Firewall #
@@ -24,13 +24,17 @@ if ( -e $file ){
} }
system("echo $$ > $file"); system("echo $$ > $file");
my $round=0;
while ( $i == 0){ while ( $i == 0){
if ($debug){logger("We will wait 60 seconds before next action.");} if ($debug){logger("We will wait 60 seconds before next action.");}
sleep(60); sleep(60);
if (open(FILE, "<${General::swroot}/vpn/config")) { $round++;
@vpnsettings = <FILE>;
# Reset roundcounter after 10 min. To do established check.
if ($round > 9) { $round=0 }
if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>;
close(FILE); close(FILE);
unless(@vpnsettings) {exit 1;} unless(@vpnsettings) {exit 1;}
} }
@@ -50,12 +54,21 @@ foreach (@vpnsettings){
my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip); my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}} if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
my $ipmatch= `echo "$status" | grep $remoteip | grep $settings[2]`; my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
if ( $ipmatch eq '' ){ if ( $ipmatch eq '' ){
logger("Remote IP for host $remotehostname-$remoteip has changed, restarting ipsec."); logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S"); system("/usr/local/bin/ipsecctrl S $settings[0]");
last; #all connections will reloaded last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again
}
if ( ($round = 0) && ($established eq '')) {
logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again
} }
} }
if ($debug){logger("All connections may be fine nothing was done.");} if ($debug){logger("All connections may be fine nothing was done.");}
@@ -65,4 +78,3 @@ sub logger {
my $log = shift; my $log = shift;
system("logger -t vpnwatch \"$log\""); system("logger -t vpnwatch \"$log\"");
} }
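Review bot: `($round = 0)` on L289 is an assignment, not a comparison, so the condition is always false and the new "not erouted" restart never fires (it also zeroes the counter on every pass); it should read `if ( ($round == 0) && ($established eq '') ) {`. Both new `system("/usr/local/bin/ipsecctrl S $settings[0]")` calls (L285, L291) interpolate the connection name from the config file into a shell command line; the list form `system('/usr/local/bin/ipsecctrl', 'S', $settings[0]);` passes it as a single argument without a shell. The same applies to the grep pipelines on L281-L282, where `$remoteip` and `$settings[2]` sit inside single quotes and would break the quoting if they ever contained one; matching `$status` with Perl's own `grep` over `split /\n/, $status` removes that shell round-trip entirely. The enclosing `foreach (@vpnsettings)` loop starts outside the hunk.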