diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile
index ccd1a4f22d..76cde7b873 100644
--- a/net/libreswan/Makefile
+++ b/net/libreswan/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=libreswan
 PKG_VERSION:=3.29
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.libreswan.org/
diff --git a/net/libreswan/files/ipsec.init b/net/libreswan/files/ipsec.init
index 6e30263086..5b0475d30f 100755
--- a/net/libreswan/files/ipsec.init
+++ b/net/libreswan/files/ipsec.init
@@ -3,205 +3,33 @@ START=90 STOP=10 -#USE_PROCD=1 +USE_PROCD=1 +PROG="/usr/libexec/ipsec/pluto" +IPSEC_SECRETS=/etc/ipsec.secrets +IPSEC_CONF=/etc/ipsec.conf +IPSEC_BIN=/usr/sbin/ipsec -. $IPKG_INSTROOT/lib/functions.sh - -EXTRA_COMMANDS=status -EXTRA_HELP=" status Show the status of the service" - -# Check that networking is up. -[ "${NETWORKING}" = "no" ] && exit 6 - -if [ $(id -u) -ne 0 ]; then - echo "permission denied (must be superuser)" | \ - logger -s -p daemon.error -t ipsec_setup 2>&1 - exit 4 -fi - -# where the private directory and the config files are -IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}" -IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}" -IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}" -unset PLUTO_OPTIONS - -rundir=/var/run/pluto -plutopid=${rundir}/pluto.pid -plutoctl=${rundir}/pluto.ctl -lockdir=/var/lock -lockfile=${lockdir}/ipsec -ipsecversion=/proc/net/ipsec_version -kamepfkey=/proc/net/pfkey - -# /etc/resolv.conf related paths -LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup -ORIG_RESOLV_CONF=/etc/resolv.conf - -# misc setup -umask 022 - -# standardize PATH, and export it for everything else's benefit -PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin -export PATH - -mkdir -p ${rundir} -chmod 700 ${rundir} - -verify_config() { - [ -f ${IPSEC_CONF} ] || exit 6 - config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1) - RETVAL=$? 
- if [ ${RETVAL} -gt 0 ]; then - echo "Configuration error - the following error occurred:" - echo ${config_error} - echo "IKE daemon status was not modified" - exit ${RETVAL} - fi +checkconfig() { + ${IPSEC_BIN} addconn --checkconfig || return 1 } -start() { - echo -n "Starting pluto IKE daemon for IPsec: " +start_service() { + checkconfig || return 1 + ipsec _stackmanager start - # pluto searches the current directory, so this is required for making it selinux compliant - cd / - # Create nss db or convert from old format to new sql format - ipsec --checknss # Enable nflog if configured ipsec --checknflog > /dev/null - # This script will enter an endless loop to ensure pluto restarts on crash - ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir} - touch ${lockfile} - # Because _plutorun starts pluto at background we need to make sure pluto is started - # before we know if start was successful or not - for waitsec in 1 2 3 4 5; do - if status >/dev/null; then - RETVAL=0 - break - else - echo -n "." - sleep 1 - RETVAL=1 - fi - done - if [ ${RETVAL} -ge 1 ]; then - rm -f ${lockfile} - fi - echo - return ${RETVAL} + + procd_open_instance + procd_set_param command $PROG --config ${IPSEC_CONF} --nofork --secretsfile ${IPSEC_SECRETS} + procd_set_param respawn + procd_close_instance } -stop() { - if [ -e ${plutoctl} ]; then - echo "Shutting down pluto IKE daemon" - ipsec whack --shutdown 2>/dev/null - # don't use seq, might not exist on embedded - for waitsec in 1 2 3 4 5 6 7 8 9 10; do - if [ -s ${plutopid} ]; then - echo -n "." - sleep 1 - else - break - fi - done - echo - rm -f ${plutoctl} # we won't be using this anymore - fi - if [ -s ${plutopid} ]; then - # pluto did not die peacefully - pid=$(cat ${plutopid}) - if [ -d /proc/${pid} ]; then - kill -TERM ${pid} - RETVAL=$? - sleep 5; - if [ -d /proc/${pid} ]; then - kill -KILL ${pid} - RETVAL=$? 
- fi - if [ ${RETVAL} -ne 0 ]; then - echo "Kill failed - removing orphaned ${plutopid}" - fi - else - echo "Removing orphaned ${plutopid}" - fi - rm -f ${plutopid} - fi +stop_service() { + ipsec whack --shutdown + ipsec _stackmanager stop + ipsec --stopnflog > /dev/null - ipsec _stackmanager stop - ipsec --stopnflog > /dev/null - - # cleaning up backup resolv.conf - if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then - if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then - cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF} - fi - rm -f ${LIBRESWAN_RESOLV_CONF} - fi - - rm -f ${lockfile} - return ${RETVAL} } -restart() { - verify_config - stop - start - return $? -} - -status() { - local RC - if [ -f ${plutopid} ]; then - if [ -r ${plutopid} ]; then - pid=$(cat ${plutopid}) - if [ -n "$pid" -a -d /proc/${pid} ]; then - RC=0 # running - else - RC=1 # not running but pid exists - fi - else - RC=4 # insufficient privileges - fi - fi - if [ -z "${RC}" ]; then - if [ -f ${lockfile} ]; then - RC=2 - else - RC=3 - fi - fi - case "${RC}" in - 0) - echo "ipsec: pluto (pid ${pid}) is running..." - return 0 - ;; - 1) - echo "ipsec: pluto dead but pid file exits" - return 1 - ;; - 2) - echo "ipsec: pluto dead but subsys locked" - return 2 - ;; - 4) - echo "ipsec: pluto status unknown due to insufficient privileges." - return 4 - ;; - esac - echo "ipsec: pluto is stopped" - return 3 -} - -condrestart() { - verify_config - RETVAL=$? - if [ -f ${lockfile} ]; then - restart - RETVAL=$? - fi - return ${RETVAL} -} - -version() { - ipsec version - return $? -}
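Review bot: In start_service the line `[ -d ${lockdir} ] || mkdir -p ${lockdir}` references `lockdir`, which this hunk removes together with the old variable block (`lockdir=/var/lock`), so the test is evaluated against an empty string and the mkdir never runs; since the lockfile is no longer created or removed anywhere in the new script, the line should simply be dropped (the first two lines of the file are outside the hunk, so a definition there cannot be ruled out from here). checkconfig now runs `addconn --checkconfig` against the default configuration instead of the `${IPSEC_CONF}` path that pluto is later started with, so the file that is validated is not guaranteed to be the one that is used; pass it explicitly with `${IPSEC_BIN} addconn --config ${IPSEC_CONF} --checkconfig || return 1`. The removed code also created `/var/run/pluto` with mode 0700 before starting the daemon, which is the directory holding the whack control socket and pid file; if pluto does not create that directory itself with equally restrictive permissions, the new script should restore the `mkdir -p`/`chmod 700` pair so that unprivileged local users cannot reach the control socket.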