/usr/lib/ipsec/_startnetkey is in openswan 1:2.6.37-1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 | #!/bin/sh
# Netkey startup script
# Copyright (C) 2007 Ken Bantoft <ken@xelerance.com>
# Copyright (C) 2007 - 2008 Paul Wouters <paul@xelerance.com>
# Copyright (C) 2008 Tuomo Soini <tis@foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
test $IPSEC_INIT_SCRIPT_DEBUG && set -v -x
me='ipsec _startnetkey' # for messages
modules=/proc/modules
kamepfkey=/proc/net/pfkey
ipsecpfkey=/proc/net/ipsec/version
info=/dev/null
log=daemon.error
for dummy
do
case "$1" in
--log) log="$2" ; shift ;;
--info) info="$2" ; shift ;;
--debug) debug="$2" ; shift ;;
--omtu) omtu="$2" ; shift ;;
--fragicmp) fragicmp="$2" ; shift ;;
--hidetos) hidetos="$2" ; shift ;;
--) shift ; break ;;
-*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
*) break ;;
esac
shift
done
logger -p $log -t ipsec_setup "Using NETKEY(XFRM) stack"
# log only to syslog, not to stdout/stderr
logonly() {
logger -p $log -t ipsec_setup
}
defaultinterface() {
local getphysdev getifaddr addr phys next multiaddr multidefault
addr=
phys=
next=
multiaddr=
multidefault=
getphysdev() {
local phys next addr
phys=
next=
addr=
while test $# -gt 0
do
case $1 in
dev)
phys=$2
shift; shift;
;;
via)
next=$2
shift; shift;
;;
src)
addr=$2
shift; shift
;;
*)
shift
;;
esac
done
echo "phys=$phys"
echo "next=$next"
echo "addr=$addr"
}
getifaddr() {
local addr peer
addr=
peer=
while test $# -gt 0
do
case $1 in
inet)
addr=$2
shift; shift
;;
peer)
peer=$2
shift; shift
;;
*)
shift
;;
esac
done
if test -n "$peer"
then
echo "next=${peer%/*}"
fi
echo "addr=${addr%/*}"
}
iproutedefault=`ip route list 0.0.0.0/0`
if test -n "$iproutedefault"
then
if test `echo "$iproutedefault" | wc -l` -gt 1
then
multidefault=1
iproutedefault=`echo $iproutedefault | head -1`
fi
eval `getphysdev $iproutedefault`
if test -z "$next" -o -z "$addr" -a -n "$phys"
then
ipaddrlist=`ip -o -f inet addr list dev $phys`
if test `echo "$ipaddrlist" | wc -l` -gt 1
then
multiaddr=1
ipaddrlist=`echo "$ipaddrlist" | head -1`
fi
eval `getifaddr $ipaddrlist`
fi
if test -n "$multidefault"
then
echo "multiple default routes, using $next on $phys"
fi
if test -n "$multiaddr"
then
echo "multiple ip addresses, using $addr on $phys"
fi
else
echo "no default routes detected"
fi
# simulate old silly output
echo "defaultroutephys=$phys" >> $info
echo "defaultroutevirt=none" >> $info
echo "defaultrouteaddr=$addr" >> $info
echo "defaultroutenexthop=$next" >> $info
}
# main line
# since klips/mast now calls _startklips, we know we're called to use netkey
# so if we find klips/mast, try to unload it or die
if test -f $ipsecpfkey
then
echo "Warning: found KLIPS/MAST stack loaded"
echo -n Trying to unload KLIPS/MAST module:
rmmod ipsec 2> /dev/null
if test -f $ipsecpfkey
then
echo "FAILURE to unload KLIPS/MAST module. Use protostack=klips or protostack=mast, or recompile kernel without builtin KLIPS/MAST support"
exit 1
fi
fi
if test -f $modules
then
# load hardware random related modules - some changed names over time
modprobe -q hw_random 2>/dev/null
modprobe -q hwrng 2>/dev/null
modprobe -q amd-rng 2>/dev/null
modprobe -q intel-rng 2>/dev/null
# load all NETKEY modules
for mod in ipcomp6 ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro \
xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel \
xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 iaf_key
do
#echo -n "$mod "
modprobe -q $mod 2> /dev/null
done
# xfrm_user is the old name for xfrm4_tunnel - backwards compatibility
modprobe -q xfrm_user 2> /dev/null
# padlock must load before aes module
# padlock-aes must load before padlock-sha for some reason
modprobe -q padlock 2>/dev/null
modprobe -q padlock-aes 2>/dev/null
modprobe -q padlock-sha 2>/dev/null
# load the most common ciphers/algo's
# aes-x86_64 has higher priority in via crypto api
for crypto in aesni_intel es-x86_64 geode-aes aes aes_generic des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent ccm gcm \
ctr cts deflate cast5 cast6 lzo sha256_generic sha512_generic camellia
do
#echo -n "$crypto "
modprobe -q $crypto 2> /dev/null
done
fi
if ip xfrm state > /dev/null 2>&1
then
ip xfrm state flush
ip xfrm policy flush
elif type setkey > /dev/null 2>&1
then
# Check that the setkey command is available.
setkeycmd=
PATH=$PATH:/usr/local/sbin
for dir in `echo $PATH | tr ':' ' '`
do
if test -f $dir/setkey -a -x $dir/setkey
then
setkeycmd=$dir/setkey
break # NOTE BREAK OUT
fi
done
$setkeycmd -F
$setkeycmd -FP
else
echo "WARNING: cannot flush state/policy database -- \`$1'. Install a newer version of iproute/iproute2 or install the ipsec-tools package to obtain the setkey command." |
logger -s -p daemon.error -t ipsec_setup
fi
# figure out interfaces for defaultroute
for i
do
case "$i" in
%defaultroute) defaultinterface ;;
*) echo "interface \`$i' not understood"
exit 1
;;
esac
done
exit 0
|