2
0
mirror of https://github.com/openvswitch/ovs synced 2025-10-25 15:07:05 +00:00
Files
openvswitch/debian/openvswitch-ipsec.init
Ansis Atteka 7849d3e4ca ipsec: install iptables rules that set IPsec bit in skb mark
Without these two iptables rules (one for UDP encapsulated IPsec and
another for direct IPsec), ovs-vswitchd would incorrectly conclude
that GRE packet belonged to a plain GRE tunnel instead of IPsec GRE
tunnel.

Reported-by: Aryan TaheriMonfared <aryan.taherimonfared@uis.no>
Reported-by: Daniel Hiltgen <daniel@netkine.com>
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
2014-01-21 17:12:16 -08:00

204 lines
5.9 KiB
Bash
Executable File

#!/bin/sh
#
# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org>
#
# This is free software; you may redistribute it and/or modify
# it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2,
# or (at your option) any later version.
#
# This is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License with
# the Debian operating system, in /usr/share/common-licenses/GPL; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place,
# Suite 330, Boston, MA 02111-1307 USA
#
### BEGIN INIT INFO
# Provides: openvswitch-ipsec
# Required-Start: $network $local_fs $remote_fs openvswitch-switch
# Required-Stop: $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Open vSwitch GRE-over-IPsec daemon
# Description: The ovs-monitor-ipsec script provides support for encrypting GRE
# tunnels with IPsec.
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
NAME=ovs-monitor-ipsec # Introduce the short server's name here
LOGDIR=/var/log/openvswitch # Log directory to use
PIDFILE=/var/run/openvswitch/$NAME.pid
test -x $DAEMON || exit 0
. /lib/lsb/init-functions
DODTIME=10 # Time to wait for the server to die, in seconds
# If this value is set too low you might not
# let some servers to die gracefully and
# 'restart' will not work
set -e
running_pid() {
# Check if a given process pid's cmdline matches a given name
pid=$1
name=$2
[ -z "$pid" ] && return 1
[ ! -d /proc/$pid ] && return 1
cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
# Is this the expected server
[ "$cmd" != "$name" ] && return 1
return 0
}
running() {
# Check if the process is running looking at /proc
# (works for all users)
# No pidfile, probably no daemon present
[ ! -f "$PIDFILE" ] && return 1
pid=`cat $PIDFILE`
running_pid $pid $DAEMON || return 1
return 0
}
uninstall_mark_rule() {
iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
}
install_mark_rule() {
if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then
iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
fi
}
start_server() {
if [ ! -d /var/run/openvswitch ]; then
install -d -m 755 -o root -g root /var/run/openvswitch
fi
install_mark_rule "-p esp"
install_mark_rule "-p udp --dport 4500"
/usr/share/openvswitch/scripts/ovs-monitor-ipsec \
--pidfile=$PIDFILE --log-file --detach --monitor \
unix:/var/run/openvswitch/db.sock
return 0
}
stop_server() {
if [ -e $PIDFILE ]; then
kill `cat $PIDFILE`
fi
uninstall_mark_rule "-p esp"
uninstall_mark_rule "-p udp --dport 4500"
return 0
}
force_stop() {
# Force the process to die killing it manually
[ ! -e "$PIDFILE" ] && return
if running ; then
kill -15 $pid
# Is it really dead?
sleep "$DODTIME"
if running ; then
kill -9 $pid
sleep "$DODTIME"
if running ; then
echo "Cannot kill $NAME (pid=$pid)!"
exit 1
fi
fi
fi
rm -f $PIDFILE
}
case "$1" in
start)
log_daemon_msg "Starting $NAME"
# Check if it's running first
if running ; then
log_progress_msg "apparently already running"
log_end_msg 0
exit 0
fi
if start_server && running ; then
# It's ok, the server started and is running
log_end_msg 0
else
# Either we could not start it or it is not running
# after we did
# NOTE: Some servers might die some time after they start,
# this code does not try to detect this and might give
# a false positive (use 'status' for that)
log_end_msg 1
fi
;;
stop)
log_daemon_msg "Stopping $NAME"
if running ; then
# Only stop the server if we see it running
stop_server
log_end_msg $?
else
# If it's not running don't do anything
log_progress_msg "apparently not running"
log_end_msg 0
exit 0
fi
;;
force-stop)
# First try to stop gracefully the program
$0 stop
if running; then
# If it's still running try to kill it more forcefully
log_daemon_msg "Stopping (force) $NAME"
force_stop
log_end_msg $?
fi
;;
restart|force-reload)
log_daemon_msg "Restarting $NAME"
stop_server
# Wait some sensible amount, some server need this
[ -n "$DODTIME" ] && sleep $DODTIME
start_server
running
log_end_msg $?
;;
status)
log_daemon_msg "Checking status of $NAME"
if running ; then
log_progress_msg "running"
log_end_msg 0
else
log_progress_msg "apparently not running"
log_end_msg 1
exit 1
fi
;;
# Use this if the daemon cannot reload
reload)
log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon"
log_warning_msg "cannot re-read the config file (use restart)."
;;
*)
N=/etc/init.d/openvswitch-ipsec
echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
exit 1
;;
esac
exit 0