[Openswan dev] init script feature request

Harald Jenny harald at a-little-linux-box.at
Fri Nov 5 02:46:06 EDT 2010


On Fri, Nov 05, 2010 at 11:04:22AM +1000, David McCullough wrote:
> 
> Jivin Harald Jenny lays it down ...
> > Hi all,
> > 
> > I have had an interesting discussion on a Debian mailing list about a good way
> > to make a smooth transition from openswan 2.4 to 2.6 and somehow the issue was
> > raised to not allow pluto to start/restart/reload without proper configuration.
> > As looking into the current code shows that such a protection is already in
> > place for start but it's currently missing from restart, reload/force-reload
> > and condrestart/try-restart. What is the list's opinion on this matter? I
> > personally think it would be beneficial for the userbase (for example someone
> > using the VPN to access the system itself).
> 
> Sounds reasonable to me,  at least it would be consistent then :-)

Seems like I was a bit too enthusiastic - the current code does use ipsec
addconn to parse the config variables but does not use its return value:

programs/setup/setup.in:90
    variables=`ipsec addconn $IPSEC_CONFS/ipsec.conf --varprefix IPSEC --configsetup`
    eval $variables
    RETVAL=$?
    if [ $RETVAL != 0 ]
    then
         echo "Failed to parse config setup portion of ipsec.conf"
         exit $RETVAL
    fi

With the eval $variables statement, the value of $? is set to the eval return
value, not the ipsec addconn one. My suggestion would therefore be something
like this:

if test " $IPSEC_DIR" = " "     # if we were not called by the ipsec command
then
    # we must establish a suitable PATH ourselves
    PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
    export PATH

    IPSEC_DIR="$IPSEC_LIBDIR"
    export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
fi

# Does not make any sense at all to continue without the main binary
test -x $IPSEC_SBINDIR/ipsec || exit 5
.
.
.
RETVAL=0

verify_config() {
    test -f $IPSEC_CONFS/ipsec.conf || exit 6

    # 2>&1 >/dev/null: capture only the parser's stderr, discard its stdout
    config_error=`ipsec addconn --configsetup 2>&1 >/dev/null`
    RETVAL=$?
    if [ $RETVAL != 0 ]
    then
        echo "failed to start openswan IKE daemon - the following error occurred:"
        echo "$config_error"
        exit $RETVAL
    fi
}


used like this:

start() {
    verify_config

    # Pick up IPsec configuration (until we have done this, successfully, we
    # do not know where errors should go, hence the explicit "daemon.error"s.)
    # Note the "--export", which exports the variables created.
    variables=`ipsec addconn $IPSEC_CONFS/ipsec.conf --varprefix IPSEC --configsetup`
    eval $variables

    IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
    export IPSEC_confreadsection
.
.
.
restart() {
    verify_config
    stop
.
.
.
condrestart() {
    verify_config
    ipsec _realsetup status || exit 0
.
.
.
status() {
    ipsec _realsetup status


This would also have the side effect of making all functions resistant to ipsec
binary unavailability and unifying the code. Any objections against this?

> 
> -- 
> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
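The $?-after-eval problem and the reordering proposed above, as an added example that is not Openswan's code: fake_addconn is a constructed stand-in for `ipsec addconn --configsetup` (assignments on stdout, complaints on stderr, non-zero exit on a bad config), and the sample configs are constructed too.

```shell
#!/bin/sh
# Added example (not Openswan code): shows why RETVAL=$? taken after eval
# reports eval's status rather than the parser's, and the fixed ordering.
# fake_addconn stands in for `ipsec addconn --configsetup`.
fake_addconn() {
    if grep -q 'bogus=' "$1"; then
        echo "fake_addconn: unknown keyword 'bogus' in $1" >&2
        echo "IPSEC_confreadsection=setup"   # partial output, like a real parser
        return 3
    fi
    echo "IPSEC_confreadsection=setup"
    echo "IPSEC_nat_traversal=yes"
}

# Pattern from setup.in:90 -- $? is read after eval, so the parser's
# non-zero status is lost whenever its partial output is still valid shell.
check_original() {
    variables=`fake_addconn "$1" 2>/dev/null`
    eval $variables
    RETVAL=$?
    return $RETVAL
}

# Fix: record the status of the command substitution before eval runs.
check_fixed() {
    variables=`fake_addconn "$1" 2>/dev/null`
    RETVAL=$?
    [ $RETVAL -eq 0 ] || return $RETVAL
    eval $variables
}

# Like the proposed verify_config(): `2>&1 >/dev/null` routes stderr into
# the substitution and discards stdout, so only the error text is captured.
capture_error() {
    config_error=`fake_addconn "$1" 2>&1 >/dev/null`
    RETVAL=$?
    [ $RETVAL -eq 0 ] || echo "parse failed ($RETVAL): $config_error"
    return $RETVAL
}

# Constructed sample configs for a stand-alone run.
good=`mktemp`; printf 'config setup\n\tnat_traversal=yes\n' > "$good"
bad=`mktemp`;  printf 'config setup\n\tbogus=1\n' > "$bad"
check_original "$bad"; echo "original pattern, bad config: status $?"   # 0 (masked)
check_fixed "$bad";    echo "fixed pattern, bad config: status $?"      # 3
capture_error "$bad"
rm -f "$good" "$bad"
```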

