#!/bin/sh
# Things that this script gets (from ipsec_pluto(8) man page)
#
# PLUTO_VERB
# specifies the name of the operation to be performed
# (prepare-host, prepare-client, up-host, up-client,
# down-host, or down-client). If the address family
# for security gateway to security gateway
# communications is IPv6, then a suffix of -v6 is added
# to the verb.
#
# PLUTO_CONNECTION
# is the name of the connection for which we are
# routing.
#
# PLUTO_CONNECTION_TYPE
# is type of the connection, "tunnel" or "transport".
#
# PLUTO_CONN_POLICY
# the policy of the connection, as in:
# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC
# +failureDROP+lKOD+rKOD
#
# CAT=YES|
# if client address translation inside IPsec stack is enabled
#
# PLUTO_NEXT_HOP
# is the next hop to which packets bound for the peer
# must be sent.
#
# PLUTO_INTERFACE
# is the name of the real interface used by encrypted traffic and IKE traffic
#
# PLUTO_ME
# is the IP address of our host.
#
# PLUTO_MY_ID
# is our ID.
#
# PLUTO_METRIC
# is the metric to set for the route
#
# PLUTO_MTU
# is the mtu to set for the route
#
# PLUTO_ADD_TIME
# Time the IPsec SA was added to the kernel
#
# PLUTO_MOBIKE_EVENT
# whether the connection is undergoing MOBIKE migration
#
# PLUTO_MY_CLIENT
# is the IP address / count of our client subnet. If
# the client is just the host, this will be the
# host's own IP address / mask (where max is 32 for
# IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
# is the IP address of our client net. If the client
# is just the host, this will be the host's own IP
# address.
#
# PLUTO_MY_CLIENT_MASK
# is the mask for our client net. If the client is
# just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
# if non-empty, then the source address for the route will be
# set to this IP address.
#
# PLUTO_MY_PROTOCOL
# is the protocol for this connection. Useful for
# firewalling.
#
# PLUTO_MY_PORT
# is the port. Useful for firewalling.
#
# PLUTO_PEER
# is the IP address of our peer.
#
# PLUTO_PEER_ID
# is the ID of our peer.
#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client subnet.
# If the client is just the peer, this will be
# the peer's own IP address / mask (where max is 32
# for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
# is the IP address of the peer's client net. If the
# client is just the peer, this will be the peer's
# own IP address.
#
# PLUTO_PEER_CLIENT_MASK
# is the mask for the peer's client net. If the
# client is just the peer, this will be
# 255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
# is the protocol set for remote end with port
# selector.
#
# PLUTO_PEER_PORT
# is the peer's port. Useful for firewalling.
#
# PLUTO_PEER_CA
# is the DN of the peer's CA that signed its certificate
#
# PLUTO_CFG_CLIENT=0|1
# is MODECFG or IKEv2 Config client.
#
# PLUTO_CFG_SERVER=0|1
# is MODECFG or IKEv2 Config server.
#
# PLUTO_PEER_DNS_INFO
# The peer's supplied DNS information (IKEv1 and IKEv2)
#
# PLUTO_PEER_DOMAIN_INFO
# The peer's supplied domain list for local resolving (IKEv2 only)
#
# PLUTO_PEER_BANNER
# is the peer's provided banner
#
# PLUTO_NM_CONFIGURED=0|1
# is NetworkManager used for resolv.conf update
#
# PLUTO_CONN_ADDRFAMILY
# is the family type, "ipv4" or "ipv6"
#
# PLUTO_CONN_KIND
# is the "kind" of connection (CK_PERMANENT, CK_INSTANCE, etc)
#
# PLUTO_STACK
# is the local IPsec kernel stack used, eg XFRM, BSDKAME, NOSTACK
#
# PLUTO_IS_PEER_CISCO=0|1
# remote server type is cisco. Add support for cisco extensions
# when used with xauth.
#
# PLUTO_SA_REQID
# When using KAME or XFRM, the IPsec SA reqid base value.
# ESP/AH out is base, ESP/AH in = base + 1
# IPCOMP is base + 2 plus for inbound + 1
#
# PLUTO_XFRMI_FWMARK
# use outgoing mark
#
# PLUTO_SA_TYPE
# The type of IPsec SA (ESP or AH)
#
# PLUTO_USERNAME
# The username (XAUTH or GSSAPI) that was authenticated (if any)
# for this SA
#
# PLUTO_VIRT_INTERFACE
# is the name of ipsec interface used by clear traffic in/out
#
# INTERFACE_IP
# The IP to configure / expect on the interface? Currently is never set
#
# PLUTO_XFRM_ROUTE
# if an XFRM (ipsec-device) has been specified, value will be "yes"
#
# XAUTH_FAILED
# If xauthfail=soft this will be set to 1 if XAUTH authentication
# failed. If xauthfail=hard, the updown scripts never run.
#
# CONNMARK
# If mark= is set on the connection, this variable will be
# set with the value. It can be used for iptables or VTI.
#
# CONNMARK_IN
# the incoming mark to use
#
# CONNMARK_OUT
# the outgoing mark to use
#
# VTI_IFACE=iface
# Name of VTI interface to create
#
# VTI_ROUTING=yes|no
# Whether or not to perform ip rule and ip route commands
# covering the IPsec SA address ranges to route those packets
# into the VTI_IFACE interface. This should be enabled unless
# the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0
#
# VTI_SHARED=yes|no
# Whether or not more conns (or instances) share a VTI device.
# If not shared, the VTI device is deleted when tunnel goes down.
#
# VTI_IP
# The IP to configure on the VTI device
#
# SPI_IN / SPI_OUT
# The inbound and outbound SPIs of the connection.
#
# PLUTO_INBYTES
# total bytes received
#
# PLUTO_OUTBYTES
# total bytes sent
#
# NFLOG
# is the nflog group to use
#
# Dispatch on the updown verb pluto hands us. Every verb is a deliberate no-op
# here: this default hook only documents the PLUTO_* interface above, and
# presumably the other scripts in this hotplug directory do the real work —
# verify against the package's hotplug ordering.
#
# NOTE(review): several of the variables documented above are supplied by the
# remote peer (PLUTO_PEER_ID, PLUTO_PEER_BANNER, PLUTO_PEER_DNS_INFO,
# PLUTO_PEER_DOMAIN_INFO, PLUTO_USERNAME). Any hook that acts on them must keep
# them double-quoted and must never eval them or splice them into a command
# string, a printf format, or a sed/awk pattern; this script runs with pluto's
# privileges. A hook also runs when XAUTH_FAILED=1 (xauthfail=soft), so an
# extending script should check that flag before trusting the connection.
#
# The "-v6" suffix is stripped once so each verb is listed a single time.
case "${PLUTO_VERB%-v6}" in
  prepare-host|prepare-client)
    ;;
  route-host|unroute-host)
    ;;
  route-client|unroute-client)
    ;;
  up-host|down-host)
    ;;
  up-client|down-client)
    ;;
  *)
    # Unknown or unset verb: ignored, same as the verbs above.
    ;;
esac