openwrt/package/openswan/patches/scripts.patch

   1 diff -Nur openswan-2.4.5rc5/programs/loggerfix openswan-2.4.5rc5.patched/programs/loggerfix
   2 --- openswan-2.4.5rc5/programs/loggerfix        1970-01-01 01:00:00.000000000 +0100
   3 +++ openswan-2.4.5rc5.patched/programs/loggerfix        2006-03-29 01:20:44.000000000 +0200
   4 @@ -0,0 +1,5 @@
   5 +#!/bin/sh
   6 +# use filename instead of /dev/null to log, but dont log to flash or ram
   7 +# pref. log to nfs mount
   8 +echo "$*" >> /dev/null
   9 +exit 0
  10 diff -Nur openswan-2.4.5rc5/programs/look/look.in openswan-2.4.5rc5.patched/programs/look/look.in
  11 --- openswan-2.4.5rc5/programs/look/look.in     2005-08-18 16:10:09.000000000 +0200
  12 +++ openswan-2.4.5rc5.patched/programs/look/look.in     2006-03-29 01:20:44.000000000 +0200
  13 @@ -84,7 +84,7 @@
  14  then
  15         pat="$pat|$defaultroutephys\$|$defaultroutevirt\$"
  16  else
  17 -       for i in `echo "$IPSECinterfaces" | sed 's/=/ /'`
  18 +       for i in `echo "$IPSECinterfaces" | tr '=' ' '`
  19         do
  20                 pat="$pat|$i\$"
  21         done
  22 diff -Nur openswan-2.4.5rc5/programs/_plutorun/_plutorun.in openswan-2.4.5rc5.patched/programs/_plutorun/_plutorun.in
  23 --- openswan-2.4.5rc5/programs/_plutorun/_plutorun.in   2006-01-06 00:45:00.000000000 +0100
  24 +++ openswan-2.4.5rc5.patched/programs/_plutorun/_plutorun.in   2006-03-29 01:20:44.000000000 +0200
  25 @@ -147,7 +147,7 @@
  26                         exit 1
  27                 fi
  28         else
  29 -               if test ! -w "`dirname $stderrlog`"
  30 +               if test ! -w "`echo $stderrlog | sed -r 's/(^.*\/)(.*$)/\1/'`"
  31                 then
  32                         echo Cannot write to directory to create \"$stderrlog\".
  33                         exit 1
  34 diff -Nur openswan-2.4.5rc5/programs/_realsetup/_realsetup.in openswan-2.4.5rc5.patched/programs/_realsetup/_realsetup.in
  35 --- openswan-2.4.5rc5/programs/_realsetup/_realsetup.in 2005-07-28 02:23:48.000000000 +0200
  36 +++ openswan-2.4.5rc5.patched/programs/_realsetup/_realsetup.in 2006-03-29 01:20:44.000000000 +0200
  37 @@ -235,7 +235,7 @@
  38
  39         # misc pre-Pluto setup
  40
  41 -       perform test -d `dirname $subsyslock` "&&" touch $subsyslock
  42 +       perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock
  43
  44         if test " $IPSECforwardcontrol" = " yes"
  45         then
  46 @@ -347,7 +347,7 @@
  47                 lsmod 2>&1 | grep "^xfrm_user" > /dev/null && rmmod -s xfrm_user
  48         fi
  49
  50 -       perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock
  51 +       perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock "&&" rm -f $subsyslock
  52
  53         perform rm -f $info $lock $plutopid
  54         perform echo "...Openswan IPsec stopped" "|" $LOGONLY
  55 diff -Nur openswan-2.4.5rc5/programs/send-pr/send-pr.in openswan-2.4.5rc5.patched/programs/send-pr/send-pr.in
  56 --- openswan-2.4.5rc5/programs/send-pr/send-pr.in       2005-04-18 01:04:46.000000000 +0200
  57 +++ openswan-2.4.5rc5.patched/programs/send-pr/send-pr.in       2006-03-29 01:20:44.000000000 +0200
  58 @@ -402,7 +402,7 @@
  59                     else
  60                         if [ "$fieldname" != "Category" ]
  61                         then
  62 -                           values=`${BINDIR}/query-pr --valid-values $fieldname | sed ':a;N;$!ba;s/\n/ /g' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'`
  63 +                           values=`${BINDIR}/query-pr --valid-values $fieldname | tr '\n' ' ' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'`
  64                             valslen=`echo "$values" | wc -c`
  65                         else
  66                             values="choose from a category listed above"
  67 @@ -414,7 +414,7 @@
  68                         else
  69                                 desc="<${values} (one line)>";
  70                         fi
  71 -                       dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'`
  72 +                       dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
  73                         echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL
  74                     fi
  75                     echo "${fmtname}${desc}" >> $file
  76 @@ -425,7 +425,7 @@
  77                         desc="  $default_val";
  78                     else
  79                         desc="  <`${BINDIR}/query-pr --field-description $fieldname` (multiple lines)>";
  80 -                       dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'`
  81 +                       dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
  82                         echo "s/^${dpat}//" >> $FIXFIL
  83                     fi
  84                     echo "${fmtname}" >> $file;
  85 @@ -437,7 +437,7 @@
  86                         desc="${default_val}"
  87                     else
  88                         desc="<`${BINDIR}/query-pr --field-description $fieldname` (one line)>"
  89 -                       dpat=`echo "$desc" | sed 's/[][*+^$|\()&/]/./g'`
  90 +                       dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
  91                         echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL
  92                     fi
  93                     echo "${fmtname}${desc}" >> $file
  94 diff -Nur openswan-2.4.5rc5/programs/setup/setup.in openswan-2.4.5rc5.patched/programs/setup/setup.in
  95 --- openswan-2.4.5rc5/programs/setup/setup.in   2005-07-25 21:17:03.000000000 +0200
  96 +++ openswan-2.4.5rc5.patched/programs/setup/setup.in   2006-03-29 01:20:44.000000000 +0200
  97 @@ -117,12 +117,22 @@
  98  # do it
  99  case "$1" in
 100    start|--start|stop|--stop|_autostop|_autostart)
 101 -       if test " `id -u`" != " 0"
 102 +       if [ "x${USER}" != "xroot" ]
 103         then
 104                 echo "permission denied (must be superuser)" |
 105                         logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
 106                 exit 1
 107         fi
 108 +
 109 +       # make sure all required directories exist
 110 +       if [ ! -d /var/run/pluto ]
 111 +       then
 112 +               mkdir -p /var/run/pluto
 113 +       fi
 114 +       if [ ! -d /var/lock/subsys ]
 115 +       then
 116 +               mkdir -p /var/lock/subsys
 117 +       fi
 118         tmp=/var/run/pluto/ipsec_setup.st
 119         outtmp=/var/run/pluto/ipsec_setup.out
 120         (
 121 diff -Nur openswan-2.4.5rc5/programs/showhostkey/showhostkey.in openswan-2.4.5rc5.patched/programs/showhostkey/showhostkey.in
 122 --- openswan-2.4.5rc5/programs/showhostkey/showhostkey.in       2004-11-14 14:40:41.000000000 +0100
 123 +++ openswan-2.4.5rc5.patched/programs/showhostkey/showhostkey.in       2006-03-29 01:20:44.000000000 +0200
 124 @@ -63,7 +63,7 @@
 125         exit 1
 126  fi
 127
 128 -host="`hostname --fqdn`"
 129 +host="`cat /proc/sys/kernel/hostname`"
 130
 131  awk '  BEGIN {
 132                 inkey = 0
 133 diff -Nur openswan-2.4.5rc5/programs/_startklips/_startklips.in openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in
 134 --- openswan-2.4.5rc5/programs/_startklips/_startklips.in       2005-11-25 00:08:05.000000000 +0100
 135 +++ openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in       2006-03-29 01:23:54.000000000 +0200
 136 @@ -262,15 +262,15 @@
 137      echo "FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel"
 138      exit
 139  fi
 140 -if test ! -f $ipsecversion && test ! -f $netkey && modprobe -qn ipsec
 141 +if test ! -f $ipsecversion && test ! -f $netkey && insmod ipsec
 142  then
 143      # statically compiled KLIPS/NETKEY not found; try to load the module
 144 -    modprobe ipsec
 145 +    insmod ipsec
 146  fi
 147
 148  if test ! -f $ipsecversion && test ! -f $netkey
 149  then
 150 -       modprobe -v af_key
 151 +       insmod -v af_key
 152  fi
 153
 154  if test -f $netkey
 155 @@ -278,21 +278,21 @@
 156         klips=false
 157         if test -f $modules
 158         then
 159 -               modprobe -qv ah4
 160 -               modprobe -qv esp4
 161 -               modprobe -qv ipcomp
 162 +               insmod -qv ah4
 163 +               insmod -qv esp4
 164 +               insmod -qv ipcomp
 165                 #  xfrm4_tunnel is needed by ipip and ipcomp
 166 -               modprobe -qv xfrm4_tunnel
 167 +               insmod -qv xfrm4_tunnel
 168                 # xfrm_user contains netlink support for IPsec
 169 -               modprobe -qv xfrm_user
 170 -               modprobe -qv hw_random
 171 +               insmod -qv xfrm_user
 172 +               insmod -qv hw_random
 173                 # padlock must load before aes module
 174 -               modprobe -qv padlock
 175 +               insmod -qv padlock
 176                 # load the most common ciphers/algo's
 177 -               modprobe -qv sha1
 178 -               modprobe -qv md5
 179 -               modprobe -qv des
 180 -               modprobe -qv aes
 181 +               insmod -qv sha1
 182 +               insmod -qv md5
 183 +               insmod -qv des
 184 +               insmod -qv aes
 185         fi
 186  fi
 187
 188 @@ -308,10 +308,10 @@
 189                 fi
 190                  unset MODPATH MODULECONF        # no user overrides!
 191                  depmod -a >/dev/null 2>&1
 192 -               modprobe -qv hw_random
 193 +               insmod -qv hw_random
 194                 # padlock must load before aes module
 195 -               modprobe -qv padlock
 196 -                modprobe -v ipsec
 197 +               insmod -qv padlock
 198 +                insmod -v ipsec
 199          fi
 200          if test ! -f $ipsecversion
 201          then
 202 diff -Nur openswan-2.4.5rc5/programs/_startklips/_startklips.in.orig openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in.orig
 203 --- openswan-2.4.5rc5/programs/_startklips/_startklips.in.orig  1970-01-01 01:00:00.000000000 +0100
 204 +++ openswan-2.4.5rc5.patched/programs/_startklips/_startklips.in.orig  2005-11-25 00:08:05.000000000 +0100
 205 @@ -0,0 +1,407 @@
 206 +#!/bin/sh
 207 +# KLIPS startup script
 208 +# Copyright (C) 1998, 1999, 2001, 2002  Henry Spencer.
 209 +#
 210 +# This program is free software; you can redistribute it and/or modify it
 211 +# under the terms of the GNU General Public License as published by the
 212 +# Free Software Foundation; either version 2 of the License, or (at your
 213 +# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 214 +#
 215 +# This program is distributed in the hope that it will be useful, but
 216 +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 217 +# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 218 +# for more details.
 219 +#
 220 +# RCSID $Id$
 221 +
 222 +me='ipsec _startklips'         # for messages
 223 +
 224 +# KLIPS-related paths
 225 +sysflags=/proc/sys/net/ipsec
 226 +modules=/proc/modules
 227 +# full rp_filter path is $rpfilter1/interface/$rpfilter2
 228 +rpfilter1=/proc/sys/net/ipv4/conf
 229 +rpfilter2=rp_filter
 230 +# %unchanged or setting (0, 1, or 2)
 231 +rpfiltercontrol=0
 232 +ipsecversion=/proc/net/ipsec_version
 233 +moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec
 234 +bareversion=`uname -r | sed -e 's/\.nptl//' | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'`
 235 +moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec
 236 +case $bareversion in
 237 +       2.6*)
 238 +               modulename=ipsec.ko
 239 +               ;;
 240 +       *)
 241 +               modulename=ipsec.o
 242 +               ;;
 243 +esac
 244 +
 245 +klips=true
 246 +netkey=/proc/net/pfkey
 247 +
 248 +info=/dev/null
 249 +log=daemon.error
 250 +for dummy
 251 +do
 252 +       case "$1" in
 253 +       --log)          log="$2" ; shift        ;;
 254 +       --info)         info="$2" ; shift       ;;
 255 +       --debug)        debug="$2" ; shift      ;;
 256 +       --omtu)         omtu="$2" ; shift       ;;
 257 +       --fragicmp)     fragicmp="$2" ; shift   ;;
 258 +       --hidetos)      hidetos="$2" ; shift    ;;
 259 +       --rpfilter)     rpfiltercontrol="$2" ; shift    ;;
 260 +       --)     shift ; break   ;;
 261 +       -*)     echo "$me: unknown option \`$1'" >&2 ; exit 2   ;;
 262 +       *)      break   ;;
 263 +       esac
 264 +       shift
 265 +done
 266 +
 267 +
 268 +
 269 +# some shell functions, to clarify the actual code
 270 +
 271 +# set up a system flag based on a variable
 272 +# sysflag value shortname default flagname
 273 +sysflag() {
 274 +       case "$1" in
 275 +       '')     v="$3"  ;;
 276 +       *)      v="$1"  ;;
 277 +       esac
 278 +       if test ! -f $sysflags/$4
 279 +       then
 280 +               if test " $v" != " $3"
 281 +               then
 282 +                       echo "cannot do $2=$v, $sysflags/$4 does not exist"
 283 +                       exit 1
 284 +               else
 285 +                       return  # can't set, but it's the default anyway
 286 +               fi
 287 +       fi
 288 +       case "$v" in
 289 +       yes|no) ;;
 290 +       *)      echo "unknown (not yes/no) $2 value \`$1'"
 291 +               exit 1
 292 +               ;;
 293 +       esac
 294 +       case "$v" in
 295 +       yes)    echo 1 >$sysflags/$4    ;;
 296 +       no)     echo 0 >$sysflags/$4    ;;
 297 +       esac
 298 +}
 299 +
 300 +# set up a Klips interface
 301 +klipsinterface() {
 302 +       # pull apart the interface spec
 303 +       virt=`expr $1 : '\([^=]*\)=.*'`
 304 +       phys=`expr $1 : '[^=]*=\(.*\)'`
 305 +       case "$virt" in
 306 +       ipsec[0-9])     ;;
 307 +       *)      echo "invalid interface \`$virt' in \`$1'" ; exit 1     ;;
 308 +       esac
 309 +
 310 +       # figure out ifconfig for interface
 311 +       addr=
 312 +       eval `ifconfig $phys |
 313 +               awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
 314 +                       gsub(/:/, " ", $0)
 315 +                       print "addr=" $3
 316 +                       other = $5
 317 +                       if ($4 == "Bcast")
 318 +                               print "type=broadcast"
 319 +                       else if ($4 == "P-t-P")
 320 +                               print "type=pointopoint"
 321 +                       else if (NF == 5) {
 322 +                               print "type="
 323 +                               other = ""
 324 +                       } else
 325 +                               print "type=unknown"
 326 +                       print "otheraddr=" other
 327 +                       print "mask=" $NF
 328 +               }'`
 329 +       if test " $addr" = " "
 330 +       then
 331 +               echo "unable to determine address of \`$phys'"
 332 +               exit 1
 333 +       fi
 334 +       if test " $type" = " unknown"
 335 +       then
 336 +               echo "\`$phys' is of an unknown type"
 337 +               exit 1
 338 +       fi
 339 +       if test " $omtu" != " "
 340 +       then
 341 +               mtu="mtu $omtu"
 342 +       else
 343 +               mtu=
 344 +       fi
 345 +       echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly
 346 +
 347 +       if $klips
 348 +       then
 349 +               # attach the interface and bring it up
 350 +               ipsec tncfg --attach --virtual $virt --physical $phys
 351 +               ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu
 352 +       fi
 353 +
 354 +       # if %defaultroute, note the facts
 355 +       if test " $2" != " "
 356 +       then
 357 +               (
 358 +                       echo "defaultroutephys=$phys"
 359 +                       echo "defaultroutevirt=$virt"
 360 +                       echo "defaultrouteaddr=$addr"
 361 +                       if test " $2" != " 0.0.0.0"
 362 +                       then
 363 +                               echo "defaultroutenexthop=$2"
 364 +                       fi
 365 +               ) >>$info
 366 +       else
 367 +               echo '#dr: no default route' >>$info
 368 +       fi
 369 +
 370 +       # check for rp_filter trouble
 371 +       checkif $phys                   # thought to be a problem only on phys
 372 +}
 373 +
 374 +# check an interface for problems
 375 +checkif() {
 376 +       $klips || return 0
 377 +       rpf=$rpfilter1/$1/$rpfilter2
 378 +       if test -f $rpf
 379 +       then
 380 +               r="`cat $rpf`"
 381 +               if test " $r" != " 0"
 382 +               then
 383 +                       case "$r-$rpfiltercontrol" in
 384 +                       0-%unchanged|0-0|1-1|2-2)
 385 +                               # happy state
 386 +                               ;;
 387 +                       *-%unchanged)
 388 +                               echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)"
 389 +                               ;;
 390 +                       [012]-[012])
 391 +                               echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)"
 392 +                               echo "$rpfiltercontrol" >$rpf
 393 +                               ;;
 394 +                       [012]-*)
 395 +                               echo "ERROR: unknown rpfilter setting: $rpfiltercontrol"
 396 +                               ;;
 397 +                       *)
 398 +                               echo "ERROR: unknown $rpf value $r"
 399 +                               ;;
 400 +                       esac
 401 +               fi
 402 +       fi
 403 +}
 404 +
 405 +# interfaces=%defaultroute:  put ipsec0 on top of default route's interface
 406 +defaultinterface() {
 407 +       phys=`netstat -nr |
 408 +               awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'`
 409 +       if test " $phys" = " "
 410 +       then
 411 +               echo "no default route, %defaultroute cannot cope!!!"
 412 +               exit 1
 413 +       fi
 414 +       if test `echo " $phys" | wc -l` -gt 1
 415 +       then
 416 +               echo "multiple default routes, %defaultroute cannot cope!!!"
 417 +               exit 1
 418 +       fi
 419 +       next=`netstat -nr |
 420 +               awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'`
 421 +       klipsinterface "ipsec0=$phys" $next
 422 +}
 423 +
 424 +# log only to syslog, not to stdout/stderr
 425 +logonly() {
 426 +       logger -p $log -t ipsec_setup
 427 +}
 428 +
 429 +# sort out which module is appropriate, changing it if necessary
 430 +setmodule() {
 431 +       if [ -e /proc/kallsyms ]
 432 +       then
 433 +               kernelsymbols="/proc/kallsyms";
 434 +               echo "calcgoo: warning: 2.6 kernel with kallsyms not supported yet"
 435 +       else
 436 +               kernelsymbols="/proc/ksyms";
 437 +       fi
 438 +        wantgoo="`ipsec calcgoo $kernelsymbols`"
 439 +        module=$moduleplace/$modulename
 440 +        if test -f $module
 441 +        then
 442 +                goo="`nm -ao $module | ipsec calcgoo`"
 443 +                if test " $wantgoo" = " $goo"
 444 +                then
 445 +                        return          # looks right
 446 +                fi
 447 +        fi
 448 +        if test -f $moduleinstplace/$wantgoo
 449 +        then
 450 +                echo "modprobe failed, but found matching template module $wantgoo."
 451 +                echo "Copying $moduleinstplace/$wantgoo to $module."
 452 +                rm -f $module
 453 +                mkdir -p $moduleplace
 454 +                cp -p $moduleinstplace/$wantgoo $module
 455 +                # "depmod -a" gets done by caller
 456 +        fi
 457 +}
 458 +
 459 +
 460 +
 461 +# main line
 462 +
 463 +# load module if possible
 464 +if test -f $ipsecversion && test -f $netkey
 465 +then
 466 +    # both KLIPS and NETKEY code detected, bail out
 467 +    echo "FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel"
 468 +    exit
 469 +fi
 470 +if test ! -f $ipsecversion && test ! -f $netkey && modprobe -qn ipsec
 471 +then
 472 +    # statically compiled KLIPS/NETKEY not found; try to load the module
 473 +    modprobe ipsec
 474 +fi
 475 +
 476 +if test ! -f $ipsecversion && test ! -f $netkey
 477 +then
 478 +       modprobe -v af_key
 479 +fi
 480 +
 481 +if test -f $netkey
 482 +then
 483 +       klips=false
 484 +       if test -f $modules
 485 +       then
 486 +               modprobe -qv ah4
 487 +               modprobe -qv esp4
 488 +               modprobe -qv ipcomp
 489 +               #  xfrm4_tunnel is needed by ipip and ipcomp
 490 +               modprobe -qv xfrm4_tunnel
 491 +               # xfrm_user contains netlink support for IPsec
 492 +               modprobe -qv xfrm_user
 493 +               modprobe -qv hw_random
 494 +               # padlock must load before aes module
 495 +               modprobe -qv padlock
 496 +               # load the most common ciphers/algo's
 497 +               modprobe -qv sha1
 498 +               modprobe -qv md5
 499 +               modprobe -qv des
 500 +               modprobe -qv aes
 501 +       fi
 502 +fi
 503 +
 504 +if test ! -f $ipsecversion && $klips
 505 +then
 506 +        if test -r $modules             # kernel does have modules
 507 +        then
 508 +               if [ ! -e /proc/ksyms -a ! -e /proc/kallsyms ]
 509 +               then
 510 +                       echo "Broken 2.6 kernel without kallsyms, skipping calcgoo (Fedora rpm?)"
 511 +               else
 512 +                       setmodule
 513 +               fi
 514 +                unset MODPATH MODULECONF        # no user overrides!
 515 +                depmod -a >/dev/null 2>&1
 516 +               modprobe -qv hw_random
 517 +               # padlock must load before aes module
 518 +               modprobe -qv padlock
 519 +                modprobe -v ipsec
 520 +        fi
 521 +        if test ! -f $ipsecversion
 522 +        then
 523 +                echo "kernel appears to lack IPsec support (neither CONFIG_KLIPS or CONFIG_NET_KEY are set)"
 524 +                exit 1
 525 +        fi
 526 +fi
 527 +
 528 +# figure out debugging flags
 529 +case "$debug" in
 530 +'')    debug=none      ;;
 531 +esac
 532 +if test -r /proc/net/ipsec_klipsdebug
 533 +then
 534 +       echo "KLIPS debug \`$debug'" | logonly
 535 +       case "$debug" in
 536 +       none)   ipsec klipsdebug --none ;;
 537 +       all)    ipsec klipsdebug --all  ;;
 538 +       *)      ipsec klipsdebug --none
 539 +               for d in $debug
 540 +               do
 541 +                       ipsec klipsdebug --set $d
 542 +               done
 543 +               ;;
 544 +       esac
 545 +elif $klips
 546 +then
 547 +       if test " $debug" != " none"
 548 +       then
 549 +               echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities"
 550 +       fi
 551 +fi
 552 +
 553 +# figure out misc. kernel config
 554 +if test -d $sysflags
 555 +then
 556 +       sysflag "$fragicmp" "fragicmp" yes icmp
 557 +       echo 1 >$sysflags/inbound_policy_check          # no debate
 558 +       sysflag no "no_eroute_pass" no no_eroute_pass   # obsolete parm
 559 +       sysflag no "opportunistic" no opportunistic     # obsolete parm
 560 +       sysflag "$hidetos" "hidetos" yes tos
 561 +elif $klips
 562 +then
 563 +       echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!"
 564 +       # carry on
 565 +fi
 566 +
 567 +if $klips
 568 +then
 569 +       # clear tables out in case dregs have been left over
 570 +       ipsec eroute --clear
 571 +       ipsec spi --clear
 572 +elif test $netkey
 573 +then
 574 +       if ip xfrm state > /dev/null 2>&1
 575 +       then
 576 +               ip xfrm state flush
 577 +               ip xfrm policy flush
 578 +       elif type setkey > /dev/null 2>&1
 579 +       then
 580 +               # Check that the setkey command is available.
 581 +               setkeycmd=
 582 +               PATH=$PATH:/usr/local/sbin
 583 +               for dir in `echo $PATH | tr ':' ' '`
 584 +               do
 585 +                       if test -f $dir/setkey -a -x $dir/setkey
 586 +                       then
 587 +                               setkeycmd=$dir/setkey
 588 +                               break                   # NOTE BREAK OUT
 589 +                       fi
 590 +               done
 591 +               $setkeycmd -F
 592 +               $setkeycmd -FP
 593 +       else
 594 +
 595 +               echo "WARNING: cannot flush state/policy database -- \`$1'. Install a newer version of iproute/iproute2 or install the ipsec-tools package to obtain the setkey command." |
 596 +                       logger -s -p daemon.error -t ipsec_setup
 597 +       fi
 598 +fi
 599 +
 600 +# figure out interfaces
 601 +for i
 602 +do
 603 +       case "$i" in
 604 +       ipsec*=?*)      klipsinterface "$i"     ;;
 605 +       %defaultroute)  defaultinterface        ;;
 606 +       *)      echo "interface \`$i' not understood"
 607 +               exit 1
 608 +               ;;
 609 +       esac
 610 +done
 611 +
 612 +exit 0