Revision: 7482
http://sourceforge.net/p/ipcop/svn/7482
Author: owes
Date: 2014-04-16 04:54:41 +0000 (Wed, 16 Apr 2014)
Log Message:
-----------
Drop no longer used patch.
Removed Paths:
-------------
ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch
Deleted: ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch
===================================================================
--- ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch 2014-04-15
09:27:26 UTC (rev 7481)
+++ ipcop/trunk/src/patches/openswan-2.6.39_verify-python.patch 2014-04-16
04:54:41 UTC (rev 7482)
@@ -1,1146 +0,0 @@
-From 42a64529a904697972a914a250d65a329cc037eb Mon Sep 17 00:00:00 2001
-From: Paul Wouters <p...@nohats.ca>
-Date: Mon, 10 Sep 2012 00:00:00 -0400
-Subject: [PATCH] Fixed ipsec verify to avoid perl and use python instead. It
- helps during minimum install so that openswan does not have to pull perl
- packages, and it keeps minimal install really minimum. Also Removed
- compilation of ipsec policy subprogram as it is not needed with NETKEY.
-
----
-For IPCop verify needs to be reverted to perl as we don't have python
available in IPCop.
-Reverse patch this patch.
-
-
-diff --git a/programs/verify/verify.in b/programs/verify/verify.in
-index a63cd2c..61724f0 100755
---- a/programs/verify/verify.in
-+++ b/programs/verify/verify.in
-@@ -1,5 +1,8 @@
--#!/usr/bin/perl
-+#!/usr/bin/python
- #
-+# Copyright (C) 2012 Paul Wouters <pwout...@redhat.com>
-+#
-+# Based on old perl and shell code:
- # Copyright (C) 2003 Sam Sgro <s...@freeswan.org>
- # Copyright (C) 2005-2008 Michael Richardson <m...@xelerance.com>
- # Copyright (C) 2005-2009 Paul Wouters <p...@xelerance.com>
-@@ -17,548 +20,584 @@
- # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- # for more details.
-
--$reterr = 0;
--$me="ipsec verify";
--$ENV{'PATH'}="/sbin:/usr/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$ENV{'PATH'}";
--if($ENV{'IPSEC_CONFS'}) { $conf=$ENV{'IPSEC_CONFS'} } else { $conf= `ipsec
--confdir`; chomp($conf); }
-+import os, sys, subprocess, glob
-+
-+
-+retcode = 0
-+
-+confdir = os.getenv("IPSEC_CONFS")
-+if not confdir:
-+ # should get substituted by 'make programs'
-+ confdir = "@IPSEC_DIR@"
-+
-+ipsecbin = "@IPSEC_SBINDIR@/ipsec"
-
--$print_deprecated = 1;
-+if not os.path.isfile(ipsecbin):
-+ # hopefully somewhere in our path then
-+ ipsecbin = "ipsec"
-+
-+if not os.path.isfile("%s/ipsec.conf"%confdir):
-+ try:
-+ p = subprocess.Popen("%s --config"%ipsecbin,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ output = output.strip()
-+ if os.path.isfile("%s/ipsec.conf"%output):
-+ confdir = output
-+ except:
-+ sys.exit("Failed to find ipsec.conf")
-
- # Should we print in colour by default?
--if ( -e "/sbin/consoletype" )
--{
-- $ctype=`/sbin/consoletype`;
-- if ( $ctype && !($ctype eq "serial"))
-- {
-- $colour="1";
-- }
--}
--else
--{
-- if ( -e "/usr/bin/tput" )
-- {
-- $ctype=`/usr/bin/tput colors`;
-- if ( $ctype && ($ctype gt "0"))
-- {
-- $colour="1";
-- }
-- }
--}
--
--sub printfun {
-- print sprintf("%-60s",@_);
--}
--
--# capture STDOUT as @out, STDERR as @err with no temp files.
--sub run {
-- $command=shift;
--
-- pipe child_read, parent_write;
-- pipe parent_read, child_write;
-- pipe err_read, err_write;
--
-- $mypid=fork;
-- if($mypid)
-- {
-- close child_write; close err_write;
-- @out=<parent_read>;
-- @err=<err_read>;
-- }
-- else
-- {
-- close parent_read; close parent_write;
-- open STDOUT,">&child_write";
-- open STDERR,">&err_write";
-- exec $command; $reterr = 1 ; print STDERR "Cannot execute command
\"$command\": $!\n";
-- }
--}
--
--# Code to print out [OK], [FAILED].
--sub errchk {
-- if (!shift(@_))
-- {
-- print "\t[";
-- if($colour) { print "\e[1;31m"; }
-- if(@_)
-- {
-- print "@_";
-- }
-- else
-- {
-- print "FAILED";
-- $reterr = 1;
-- }
-- if($colour) { print "\e[0;39m"; }
-- print "]\n";
-- if(@err)
-- {
-- print " @err";
-- $reterr = 1;
-- }
-- }
-- else
-- {
-- print "\t[";
-- if($colour) { print "\e[1;32m"; }
-- print "OK";
-- if($colour) { print "\e[0;39m"; }
-- print "]\n";
-- }
--}
--
--# Code to print out [OK], [FAILED] in warning colours
--sub warnchk {
-- if (!shift(@_))
-- {
-- print "\t[";
-- if($colour) { print "\e[1;33m"; }
-- if(@_)
-- {
-- print "@_";
-- }
-- else
-- {
-- print "FAILED";
-- $reterr = 1;
-- }
-- if($colour) { print "\e[0;39m"; }
-- print "]\n";
-- if(@err)
-- {
-- print " @err";
-- $reterr = 1;
-- }
-- }
-- else
-- {
-- print "\t[";
-- if($colour) { print "\e[1;32m"; }
-- print "OK";
-- if($colour) { print "\e[0;39m"; }
-- print "]\n";
-- }
--}
--
--
--# Code to print out [DEPRECATED] and key restrict message
--sub deprecated {
--
-- print "\t[";
-- if($colour) { print "\e[1;33m"; }
-- print "DEPRECATED";
-- if($colour) { print "\e[0;39m"; }
-- print "]\n";
--}
-+colour = 0
-+try:
-+ p = subprocess.Popen("consoletype", stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ output = output.strip()
-+ if output in ("vc","tty","pty"):
-+ colour = 1
-+except:
-+ try:
-+ p = subprocess.Popen("tput colors", stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if int(output) > 0:
-+ colour = 1
-+ except:
-+ pass
-+
-+
-+def printfun(text):
-+ # suppress newline
-+ sys.stdout.write("%-50s"%text)
-+
-+def print_result(rcode, rtext):
-+ global colour
-+ global retcode
-+ OK = '\033[92m'
-+ WARN = '\033[93m'
-+ FAIL = '\033[91m'
-+ ENDC = '\033[0m'
-+
-+ if rcode == "FAIL":
-+ retcode = 1
-+ if not rtext:
-+ rtext = "FAILED"
-+ if colour:
-+ print "\t[%s%s%s]"%(FAIL,rtext,ENDC)
-+ else:
-+ print "\t[%s]"%rtext
-+ elif rcode == "WARN":
-+ # don't log warnings until we implemented IKE over TCP
-+ # retcode = 1
-+ if not rtext:
-+ rtext = "WARNING"
-+ if colour:
-+ print "\t[%s%s%s]"%(WARN,rtext,ENDC)
-+ else:
-+ print "\t[%s]"%rtext
-+ elif rcode == "OK":
-+ if not rtext:
-+ rtext = "OK"
-+ if colour:
-+ print "\t[%s%s%s]"%(OK,rtext,ENDC)
-+ else:
-+ print "\t[%s]"%rtext
-+ else:
-+ print "INTERNAL ERROR - unknown rcode:%s"%rcode
-+
-+
-+
-
- # Verification routines begin here...
- #
- # Check DNS Configuration based on a hostname
- # $1 = Hostname (string)
- # eg: checkdnshost oetest.freeswan.org
--sub checkdnshost {
-- run "host -t key $_[0]";
-- ($keypresent)=grep /(0x4200|16896)/, @out;
-- if($keypresent)
-- {
-- printfun " Looking for KEY in forward dns zone: $_[0]";
-- deprecated;
-- }
--
--
-- printfun " Looking for TXT in forward dns zone: $_[0]";
-- run "host -t txt $_[0]";
-- ($txtpresent)=grep /X-IPsec-Server/,@out;
-- errchk "$txtpresent", "MISSING";
--}
-+#sub checkdnshost {
-+# run "host -t key $_[0]";
-+# ($keypresent)=grep /(0x4200|16896)/, @out;
-+# if($keypresent)
-+# {
-+# printfun " Looking for KEY in forward dns zone: $_[0]";
-+# deprecated;
-+# }
-+#
-+#
-+# printfun " Looking for TXT in forward dns zone: $_[0]";
-+# run "host -t txt $_[0]";
-+# ($txtpresent)=grep /X-IPsec-Server/,@out;
-+# errchk "$txtpresent", "MISSING";
-+#}
-
- # Check DNS Configuration based on IP address
- # $1 = IP Address (string)
- # eg: checkdnsip 127.0.0.2
--sub checkdnsip {
-- $fortxt=$_[0];
-- $revtxt=join('.',reverse(split(/\./, $fortxt))).".in-addr.arpa.";
-- printfun " Looking for TXT in reverse dns zone: $revtxt";
-- run "host -t txt $revtxt";
-- ($txtpresent)=grep /X-IPsec-Server/,@out;
-- errchk "$txtpresent", "MISSING";
--
-- if($txtpresent) {
-- $txtpresent=~ s/.*X-IPsec-Server\([0-9].*\)=//; $txtpresent=~ s/[\"\
].*//;
-- $gwip=$txtpresent;
-- chomp($gwip);
-- $gwrev=join('.',reverse(split(/\./, $gwip))).".in-addr.arpa.";
-- # Check for a KEY record for the indicated IPSec GW.
-- run "host -t key $gwrev";
-- ($keypresent)=grep /(0x4200|16896)/, @out;
-- if($keypresent)
-- {
-- printfun " Looking for KEY in reverse dns zone: $gwrev";
-- deprecated;
-- $print_deprecated = 1;
--
-- }
-- # If the host is its own gateway, then we know we've got a TXT record.
-- if($gwip ne $fortxt) {
-- printfun "Looking for TXT in reverse dns zone: $gwrev";
-- run "host -t txt $gwrev";
-- ($txtpresent)=grep /X-IPsec-Server/,@out;
-- errchk "$txtpresent", "MISSING";
-- }
--
-- }
--}
--
--sub udp500check {
-- printfun " Pluto listening for IKE on udp 500";
-- run "lsof -i UDP:500";
-- #run "netstat -an";
-- ($listen)=grep /pluto/, @out;
-- if(!$listen)
-- {
-- errchk "", "FAILED";
-- $reterr = 1;
-- }
-- else
-- {
-- errchk "1";
-- }
--}
--
--sub udp4500check {
-- printfun " Pluto listening for NAT-T on udp 4500";
-- run "lsof -i UDP:4500";
-- #run "netstat -an";
-- ($listen)=grep /pluto/, @out;
-- if(!$listen)
-- {
-- errchk "", "FAILED";
-- $reterr = 1;
-- }
-- else
-- {
-- errchk "1";
-- }
--}
--
--sub checktunnel {
-- $csource=$_[0]; $cdest=$_[1]; $ctun=$_[2]; $all="0.0.0.0/0";
--
-- printfun "Checking $ctun from $csource to $cdest";
-- run "iptables -t nat -L POSTROUTING -n";
-- @out=grep !/(Chain POSTROUTING|target)/, @out;
-- foreach (@out) {
-- ( $target, $prot, $opt, $source, $dest ) = split(' ',$_);
-- if(((($source eq $csource) || ($source eq $all)) && (($dest eq $cdest)
|| ($dest = $all))) && $target eq "ACCEPT")
-- {
-- errchk "@out";
-- $reterr = 1;
-- }
-- else
-- {
-- @err="$target from $source to $dest kills tunnel $source ->
$cdest\n";
-- errchk "","FAILED";
-- $reterr = 1;
-- }
-- }
--}
--
--sub installstartcheck {
-- print "Checking your system to see if IPsec got installed and started
correctly:\n";
--
-- printfun "Version check and ipsec on-path";
-- run "ipsec --version";
-- errchk "@out";
-- print grep /Linux/, @out;
--
-- printfun "Checking for IPsec support in kernel";
-- if ( -e "/proc/net/ipsec_eroute" || -e "/proc/net/pfkey" ) { $test="1" }
-- errchk "$test";
--
--# This requires KLIPS NAT-T patch > 2.4.x
-- if ( -e "/proc/net/ipsec_eroute") {
--
-- printfun " KLIPS: checking for NAT Traversal support";
-- if ( -e "/sys/module/ipsec/parameters/natt_available") {
-- run "cat /sys/module/ipsec/parameters/natt_available";
-- if("@out" =="1\n")
-- { warnchk "", "OLD STYLE"; }
-- else {
-- if("@out" == "2\n")
-- { errchk "OK"; }
-- else
-- { warnchk "", "UNKNOWN"; }
-- }
-- } else { warnchk "","UNKNOWN"; }
--
-- printfun " KLIPS: checking for OCF crypto offload support ";
-- if ( -e "/sys/module/ipsec/parameters/ocf_available") {
-- run "cat /sys/module/ipsec/parameters/ocf_available";
-- if("@out" =="1\n")
-- { errchk "OK"; }
-- else {
-- { warnchk "", "N/A"; }
-- }
-- } else { warnchk "","UNKNOWN"; }
--
-- }
--
--# Check for SAref kernel
-- if ( -e "/proc/net/ipsec/saref") {
-- printfun " Kernel: IPsec SAref kernel support";
-- run "grep 'refinfo patch applied' /proc/net/ipsec/saref";
-- if("@out" eq "refinfo patch applied\n")
-- { errchk "OK"; }
-- else
-- { warnchk "", "N/A"; }
--
-- printfun " Kernel: IPsec SAref Bind kernel support";
-- run "grep 'bindref patch applied' /proc/net/ipsec/saref";
-- if("@out" eq "bindref patch applied\n")
-- { errchk "OK"; }
-- else
-- { warnchk "", "N/A"; }
-- } else {
-- printfun " SAref kernel support";
-- { warnchk "", "N/A"; }
-- }
--
-- if ( -e "/proc/net/pfkey") {
-- printfun " NETKEY: Testing XFRM related proc values";
-- open("cat", "/proc/sys/net/ipv4/conf/default/send_redirects");
-- if(<cat> == "1")
-- {
-- errchk "";
-- $reterr = 1;
-- print "\n Please disable
/proc/sys/net/ipv4/conf/*/send_redirects\n or NETKEY will cause the sending of
bogus ICMP redirects!\n\n";
-- }
-- else { errchk "1"; }
--
-- open("cat", "/proc/sys/net/ipv4/conf/default/accept_redirects");
-- if(<cat> == "1")
-- {
-- $reterr = 1;
-- errchk "";
-- print "\n Please disable
/proc/sys/net/ipv4/conf/*/accept_redirects\n or NETKEY will accept bogus ICMP
redirects!\n\n";
-- }
-- else { errchk "1"; }
--
-- open("cat", "/proc/sys/net/core/xfrm_larval_drop");
-- if(<cat> == "0")
-- {
-- $reterr = 1;
-- errchk "";
-- print "\n Please enable /proc/sys/net/core/xfrm_larval_drop\n
or NETKEY will cause non-POSIX compliant long time-outs\n\n";
-- }
-- else { errchk "1"; }
-- }
--
-- if ( -c "/dev/hw_random" || -c "/dev/hwrng" ) {
-- printfun "Hardware RNG detected, testing if used properly";
-- run "pidof rngd";
-- ($processid) = @out;
-- chomp($processid);
-- if( $processid eq "" ) {
-- run "pidof clrngd";
-- ($processid2) = @out;
-- if( $processid2 eq "" ) {
-- errchk "";
-- print "\n Hardware RNG is present but 'rngd' or
'clrngd' is not running.\n No harware random used!\n\n";
-- $reterr = 1;
-- }
-- else { errchk "1"; }
-- }
-- else { errchk "1"; }
-- }
--
--
-- # Wouldn't this test fail if your mucked up your interface definition?
-- printfun "Checking that pluto is running";
-- run "ipsec whack --status";
-- errchk "@out";
-- if (grep /interface/, @out)
-- {
-- udp500check;
-- udp4500check;
-- }
--}
--
--sub tunnelchecks {
-- open("dev", "/proc/net/dev");
-- if((grep !/(ipsec|lo:|Inter|packets)/, <dev>) > 1)
-- {
-- printfun "Two or more interfaces found, checking IP forwarding";
-- my ($data, $n);
-- open FILE, "/proc/sys/net/ipv4/ip_forward" or die $!;
-- $n = read FILE, $data, 1;
-- if($data == 1)
-- {
-- $reterr = 1;
-- errchk "0";
-- }
--
-- printfun "Checking NAT and MASQUERADEing";
-- # This assumes KLIPS eroute information, we should add support
-- # for NETKEY, but ip xfrm is very annoying to parse
-- if(( -e "/proc/net/nf_conntrack" || -e "/proc/net/ip_conntrack")
--&& -e "/proc/net/ipsec_eroute" )
-- {
-- run "iptables -t nat -L -n";
-- if(grep /(NAT|MASQ)/, @out)
-- {
-- printf "\n";
-- open("cat", "/proc/net/ipsec_eroute");
-- foreach(grep /tun0x/, <cat>)
-- {
-- @eroute=split(' ',$_);
-- checktunnel $eroute[1], $eroute[3], $eroute[5];
-- }
-- }
-- else
-- {
-- errchk "1";
-- }
-- }
-- else
-- {
-- errchk "OK";
-- }
-- }
--}
--
--sub cmdchecks {
-- # check for vital commands
-- printfun "Checking for 'ip' command";
-- run "which ip";
-- errchk "@out";
--
-- printfun "Checking /bin/sh is not /bin/dash";
-- if (-e "/bin/dash") {
-- run "cmp /bin/sh /bin/dash";
-- ($dash)=grep(/differ/, @out);
-- if(!$dash) {
-- warnchk "", "WARNING";
-- } else {
-- errchk "OK";
-- }
-- } else {
-- errchk "OK";
-- }
--
-- printfun "Checking for 'iptables' command";
-- run "which iptables";
-- errchk "@out";
--
--
-- open("cat","$conf/ipsec.conf");
-- foreach(grep /crlcheckinterval/,<cat>)
-- {
-- if(!$curlcheckdone) {
-- $curlcheckdone=1;
-- printfun "Checking for 'curl' command for CRL fetching";
-- run "which curl";
-- errchk "@out";
-- }
-- }
--# perhaps check for ip xfrm support, but forget about setkey.
--# if ( -e "/proc/net/pfkey") {
--# printfun "Checking for 'setkey' command for NETKEY IPsec stack
support";
--# run "which setkey";
--# errchk "@out";
-+#sub checkdnsip {
-+# $fortxt=$_[0];
-+# $revtxt=join('.',reverse(split(/\./, $fortxt))).".in-addr.arpa.";
-+# printfun " Looking for TXT in reverse dns zone: $revtxt";
-+# run "host -t txt $revtxt";
-+# ($txtpresent)=grep /X-IPsec-Server/,@out;
-+# errchk "$txtpresent", "MISSING";
-+#
-+# if($txtpresent) {
-+# $txtpresent=~ s/.*X-IPsec-Server\([0-9].*\)=//; $txtpresent=~ s/[\"\
].*//;
-+# $gwip=$txtpresent;
-+# chomp($gwip);
-+# $gwrev=join('.',reverse(split(/\./, $gwip))).".in-addr.arpa.";
-+# # Check for a KEY record for the indicated IPSec GW.
-+# run "host -t key $gwrev";
-+# ($keypresent)=grep /(0x4200|16896)/, @out;
-+# if($keypresent)
-+# {
-+# printfun " Looking for KEY in reverse dns zone: $gwrev";
-+# deprecated;
-+# $print_deprecated = 1;
-+#
-+# }
-+# # If the host is its own gateway, then we know we've got a TXT record.
-+# if($gwip ne $fortxt) {
-+# printfun "Looking for TXT in reverse dns zone: $gwrev";
-+# run "host -t txt $gwrev";
-+# ($txtpresent)=grep /X-IPsec-Server/,@out;
-+# errchk "$txtpresent", "MISSING";
-+# }
-+#
- # }
--}
--
--sub dnschecks {
-- # Check the running hostname.
-- printf "\nOpportunistic Encryption DNS checks:\n";
-- run "hostname";
-- ($hostname)=@out; chomp $hostname;
-- checkdnshost $hostname;
--
-- # Check all the public IP addresses...
-- run "ip -4 -o addr show";
-- for (@out)
-- {
-- @temp=split(/[\/\ ]+/, $_);
-- push(@address,$temp[3]);
-- }
-- # Purge all non-routeable IPs...
-- @address=grep
!/^(127.*|10.*|172.1[6789]+.*.*|172.2+.*.*|172.3[01]+.*.*|192.168.*.*|169.254.*.*)/,@address;
-- printfun " Does the machine have at least one non-private address?";
-- errchk @address;
-- foreach(@address=grep !$check{$_}++,@address)
-- {
-- checkdnsip $_;
-- }
--}
--
--# Main function begins here!
--# Harvest options, ensure they're valid.
--use Getopt::Long;
--%optctl = ("host" => \$hostname,"ip" => \$ip, "colour" => \$colour);
--GetOptions(\%optctl, "host=s" ,"ip=s", "colour!");
--
--# Exit if we get passed an option we don't recognize.
--if($Getopt::Long::error) { exit 1; }
--
--
--# If you've passed --host or --ip, do only those checks.
--if($hostname || $ip)
--{
--# Check this --host for OE.
-- if($hostname)
-- {
-- printf "Checking $hostname for Opportunistic Encryption:\n";
-- checkdnshost $hostname;
-- run "host -t A $hostname";
-- if(($ipaddr) = grep (/address/i, @out))
-- {
-- $ipaddr=~ s/.*address\ //;
-- chomp $ipaddr;
-- checkdnsip $ipaddr;
-- }
-- else
-- {
-- printf "$hostname does not resolve to an IP, no reverse lookup
tests possible.\n";
-- }
-- }
--# Check this IP for OE.
-- if($ip)
-- {
-- printf "Checking IP $ip for Opportunistic Encryption:\n";
-- checkdnsip $ip;
-- }
--}
--else
--{
-- # Call the default routines...
-- # Root check...
-- if($> != "0")
-- {
-- print "To check this machine, you need to run \"$me\" as root.\n"; exit;
-- }
-- else
-- {
-- installstartcheck;
-- tunnelchecks;
-- cmdchecks;
-- run "ipsec addconn --configsetup";
-- ($oe)=grep(/oe=\'yes\'/, @out);
-- if( $oe) {
-- dnschecks;
-- if($print_deprecated)
-- {
-- print "
--
-- RFC 3445 restricts the use of the KEY RR to DNSSEC applications. The use
of
-- a KEY record sub-type for Opporunistic Encryption (OE) has been deprecated.
-- TXT records are used to provide all OE functionality.\n";
-- }
-- } else {
-- printfun "Opportunistic Encryption Support";
-- warnchk "", "DISABLED";
-- }
-- }
-- # finally, run the config file through the parser checks
-- run "ipsec auto addconn --checkconfig";
--}
--exit $reterr
-+#}
-+
-+def plutocheck():
-+ printfun("Checking that pluto is running")
-+ p = subprocess.Popen(["pidof", "pluto"], stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if not output:
-+ print_result("FAIL","FAILED")
-+ return
-+ else:
-+ print_result("OK","OK")
-+
-+ # only if pluto is running, do the listen tests
-+ udp500check()
-+ tcp500check()
-+ udp4500check()
-+ tcp4500check()
-+ tcp10000check()
-+
-+# This is pretty broken, as you can enable forwarding specificaly via
iptables as well
-+# It also won't find/exclude all kinds of interfaces. Also, lots of people
have one
-+# ethernet and one wifi interface, but don't want to bridge these.
-+# So, mostly left here for historic reasons - candidate to be changed/removed
-+def forwardcheck():
-+ try:
-+ output = open("/proc/net/dev","r").read().strip()
-+ except:
-+ printfun("Checking for multiple interfaces")
-+ print_result("FAIL","UNEXPECTED KERNEL DEV LIST")
-+ count = 0
-+ for line in output.split("\n"):
-+ if ":" in line:
-+ if not "lo:" in line and not "ipsec" in line and not
"mast" in line and not "virbr:" in line:
-+ # let's count this as a real physical interface
-+ count += 1
-+ if count > 1:
-+ printfun("Two or more interfaces found, checking IP forwarding")
-+ try:
-+ output =
open("/proc/sys/net/ipv4/ip_forward","r").read().strip()
-+ except:
-+ print_result("FAIL","MISSING ip_forward proc file")
-+ return
-+ if output == "1":
-+ print_result("OK","OK")
-+ else:
-+ print_result("FAIL","FAILED")
-+
-+def rpfiltercheck():
-+ fail = 0
-+ printfun("Checking rp_filter")
-+ for dirname in glob.glob("/proc/sys/net/ipv4/conf/*"):
-+ val = open("%s/rp_filter"%dirname,"r").read().strip()
-+ if val == "1":
-+ if fail == 0:
-+ print_result("FAIL","ENABLED")
-+ fail = 1
-+ printfun(" %s/rp_filter"%dirname)
-+ print_result("FAIL","ENABLED")
-+ if fail == 0:
-+ print_result("OK","OK")
-+
-+# Check if any NAT or MASQUERADE would accidentally mess up our packets
-+def natcheck():
-+ printfun("Checking NAT and MASQUERADEing")
-+ print_result("WARN","TEST INCOMPLETE")
-+
-+ # run iptables -t nat -L -n
-+ # grep for NAT or MASQ
-+ # for KLIPS
-+ # grep over /proc/net/ipsec_eroute check for 'tun0x' then find overlap
-+ # for NETKEY
-+ # grep over ip xfrm state/policy and find overlap
-+
-+def cmdchecks():
-+ printfun("Checking 'ip' command")
-+ if not os.path.isfile("/sbin/ip") and not
os.path.isfile("/usr/sbin/ip"):
-+ print_result("FAIL","FAILED")
-+ p = subprocess.Popen(["ip", "xfrm"], stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if not "XFRM-OBJECT" in err:
-+ print_result("FAIL","IP XFRM BROKEN")
-+ else:
-+ print_result("OK","OK")
-+
-+ printfun("Checking 'iptables' command")
-+ if not os.path.isfile("/sbin/iptables") and not
os.path.isfile("/usr/sbin/iptables"):
-+ print_result("WARN","MISSING")
-+ else:
-+ print_result("OK","OK")
-+
-+def udp500check():
-+ printfun(" Pluto listening for IKE on udp 500")
-+ if 1==1:
-+ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-u", "sport
= :500"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if ":500" in output:
-+ print_result("OK","OK")
-+ else:
-+ print "fail in else:%s"%output
-+ print_result("FAIL","FAILED")
-+ else:
-+ print "except hit?"
-+ print_result("FAIL","FAILED")
-+
-+# not yet implemented in *swan
-+def tcp500check():
-+ printfun(" Pluto listening for IKE on tcp 500")
-+ try:
-+ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-t", "sport
= :500"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if ":500" in output:
-+ print_result("OK","OK")
-+ else:
-+ print_result("WARN","NOT IMPLEMENTED")
-+ except:
-+ print_result("WARN","NOT IMPLEMENTED")
-+
-+def udp4500check():
-+ printfun(" Pluto listening for IKE/NAT-T on udp 4500")
-+ try:
-+ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-u", "sport
= :4500"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if ":4500" in output:
-+ print_result("OK","OK")
-+ else:
-+ print_result("FAIL","DISABLED")
-+ except:
-+ print_result("FAIL","DISABLED")
-+
-+# not yet implemented in *swan
-+def tcp4500check():
-+ printfun(" Pluto listening for IKE/NAT-T on tcp 4500")
-+ try:
-+ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-t", "sport
= :4500"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if ":4500" in output:
-+ print_result("OK","OK")
-+ else:
-+ print_result("WARN","NOT IMPLEMENTED")
-+ except:
-+ print_result("WARN","NOT IMPLEMENTED")
-+
-+# not yet implemented in *swan
-+def tcp10000check():
-+ printfun(" Pluto listening for IKE on tcp 10000 (cisco)")
-+ try:
-+ p = subprocess.Popen(["/usr/sbin/ss", "-n", "-l", "-t", "sport
= :10000"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if ":10000" in output:
-+ print_result("OK","OK")
-+ else:
-+ print_result("WARN","NOT IMPLEMENTED")
-+ except:
-+ print_result("WARN","NOT IMPLEMENTED")
-+
-+def installstartcheck():
-+ print "Checking if IPsec got installed and started correctly:\n"
-+ printfun("Version check and ipsec on-path")
-+ try:
-+ p = subprocess.Popen(["ipsec", "--version"],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if "swan" in output:
-+ print_result("OK","OK")
-+ print output.replace("Linux","").strip()
-+ else:
-+ print_result("FAIL","FAILED")
-+ except:
-+ print_result("FAIL","FAILED")
-+
-+ printfun("Checking for IPsec support in kernel")
-+ if not os.path.isfile("/proc/net/ipsec_eroute") and not
os.path.isfile("/proc/net/pfkey"):
-+ print_result("FAIL","FAILED")
-+ if "no kernel code presently loaded" in output:
-+ print("\n The ipsec service should be started before
running 'ipsec verify'\n")
-+ return
-+ else:
-+ print_result("OK","OK")
-+
-+ # we know we have some stack, so continue
-+ if os.path.isfile("/proc/net/ipsec_eroute"):
-+ installcheckklips()
-+ else:
-+ installchecknetkey()
-+
-+def installcheckklips():
-+ # NAT-T patch check
-+ printfun(" KLIPS: checking for NAT Traversal support")
-+ try:
-+ natt =
open("/sys/module/ipsec/parameters/natt_available","r").read().strip()
-+ if natt == "1":
-+ print_result("WARN","OLD STYLE")
-+ elif natt == "2":
-+ print_result("OK","OK")
-+ else:
-+ print_result("FAIL","UNKNOWN CODE")
-+ except:
-+ print_result("WARN","OLD/MISSING")
-+
-+ # OCF patch check
-+ printfun(" KLIPS: checking for OCF crypto offload support ")
-+ try:
-+ ocf =
open("/sys/module/ipsec/parameters/ocf_available","r").read().strip()
-+ if ocf == "1":
-+ print_result("OK","OK")
-+ else:
-+ print_result("FAIL","UNKNOWN CODE")
-+ except:
-+ print_result("WARN","N/A")
-+
-+ # SAref patch check
-+ saref = ""
-+ printfun(" KLIPS: IPsec SAref kernel support")
-+ try:
-+ saref = open("/proc/net/ipsec/saref","r").read().strip()
-+ if "refinfo patch applied" in saref:
-+ print_result("OK","OK")
-+ else:
-+ print_result("WARN","N/A")
-+
-+ except:
-+ print_result("WARN","N/A")
-+
-+ # SAref bind patch check
-+ printfun(" KLIPS: IPsec SAref Bind kernel support")
-+ if "bindref patch applied" in saref:
-+ print_result("OK","OK")
-+ else:
-+ print_result("WARN","N/A")
-+
-+
-+def installchecknetkey():
-+ print (" NETKEY: Testing XFRM related proc values")
-+ for option in ( "send_redirects", "accept_redirects"):
-+ printfun(" ICMP default/%s"%option)
-+ try:
-+ redir =
open("/proc/sys/net/ipv4/conf/default/%s"%option,"r").read().strip()
-+ except:
-+ print_result("FAIL","VERY BROKEN KERNEL")
-+ return
-+ if redir == "0":
-+ print_result("OK","OK")
-+ else:
-+ print_result("FAIL","NOT DISABLED")
-+ print("\n Disable /proc/sys/net/ipv4/conf/*/%s or
NETKEY will cause act on or cause sending of bogus ICMP redirects!\n"%option)
-+
-+ printfun(" XFRM larval drop")
-+ try:
-+ larval =
open("/proc/sys/net/core/xfrm_larval_drop","r").read().strip()
-+ except:
-+ print_result("FAIL","OLD OR BROKEN KERNEL")
-+ return
-+ if larval == "1":
-+ print_result("OK","OK")
-+ else:
-+ print_result("FAIL","NOT ENABLED")
-+
-+
-+def randomdevcheck():
-+ printfun("Hardware random device check")
-+ if os.path.isfile("/dev/hw_random") or os.path.isfile("/dev/hwrng"):
-+ p = subprocess.Popen(["pidof", "rngd"], stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if not output:
-+ p = subprocess.Popen(["pidof", "clrngd"],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ output, err = p.communicate()
-+ if not output:
-+ print_result("FAIL","NO RUNNING (cl)rngd DAEMON
FOR HW")
-+ else:
-+ print_result("OK","CLRNGD")
-+ else:
-+ print_result("OK","RNGD")
-+ else:
-+ print_result("OK","N/A")
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+def main():
-+ installstartcheck()
-+ randomdevcheck()
-+ forwardcheck()
-+ rpfiltercheck()
-+ plutocheck()
-+ natcheck()
-+ cmdchecks()
-+ if retcode:
-+ sys.exit("\nipsec verify: encountered errors")
-+
-+
-+
-+if __name__ == "__main__":
-+ main()
-+
-+## old perl code not yet ported
-+##
-+## sub checktunnel {
-+## $csource=$_[0]; $cdest=$_[1]; $ctun=$_[2]; $all="0.0.0.0/0";
-+##
-+## printfun "Checking $ctun from $csource to $cdest";
-+## run "iptables -t nat -L POSTROUTING -n";
-+## @out=grep !/(Chain POSTROUTING|target)/, @out;
-+## foreach (@out) {
-+## ( $target, $prot, $opt, $source, $dest ) = split(' ',$_);
-+## if(((($source eq $csource) || ($source eq $all)) && (($dest eq $cdest)
|| ($dest = $all))) && $target eq "ACCEPT")
-+## {
-+## errchk "@out";
-+## $reterr = 1;
-+## }
-+## else
-+## {
-+## @err="$target from $source to $dest kills tunnel $source ->
$cdest\n";
-+## errchk "","FAILED";
-+## $reterr = 1;
-+## }
-+## }
-+## }
-+##
-+## printfun "Checking NAT and MASQUERADEing";
-+## # This assumes KLIPS eroute information, we should add support
-+## # for NETKEY, but ip xfrm is very annoying to parse
-+## if(( -e "/proc/net/nf_conntrack" || -e "/proc/net/ip_conntrack")
-+## && -e "/proc/net/ipsec_eroute" )
-+## {
-+## run "iptables -t nat -L -n";
-+## if(grep /(NAT|MASQ)/, @out)
-+## {
-+## printf "\n";
-+## open("cat", "/proc/net/ipsec_eroute");
-+## foreach(grep /tun0x/, <cat>)
-+## {
-+## @eroute=split(' ',$_);
-+## checktunnel $eroute[1], $eroute[3], $eroute[5];
-+## }
-+## }
-+## else
-+## {
-+## errchk "1";
-+## }
-+## }
-+## else
-+## {
-+## errchk "OK";
-+## }
-+## }
-+## }
-+##
-+##
-+## sub dnschecks {
-+## # Check the running hostname.
-+## printf "\nOpportunistic Encryption DNS checks:\n";
-+## run "hostname";
-+## ($hostname)=@out; chomp $hostname;
-+## checkdnshost $hostname;
-+##
-+## # Check all the public IP addresses...
-+## run "/sbin/ifconfig -a";
-+## foreach (grep /inet addr/,@out)
-+## {
-+## $_=~ s/^\s*//;
-+## @temp=split(/[:\ ]+/, $_);
-+## push(@address,$temp[2]);
-+## }
-+## # Purge all non-routeable IPs...
-+## @address=grep
!/^(127.*|10.*|172.1[6789]+.*.*|172.2+.*.*|172.3[01]+.*.*|192.168.*.*|169.254.*.*)/,@address;
-+## printfun " Does the machine have at least one non-private address?";
-+## errchk @address;
-+## foreach(@address=grep !$check{$_}++,@address)
-+## {
-+## checkdnsip $_;
-+## }
-+## }
-+##
-+##
-+## # If you've passed --host or --ip, do only those checks.
-+## if($hostname || $ip)
-+## {
-+## # Check this --host for OE.
-+## if($hostname)
-+## {
-+## printf "Checking $hostname for Opportunistic Encryption:\n";
-+## checkdnshost $hostname;
-+## run "host -t A $hostname";
-+## if(($ipaddr) = grep (/address/i, @out))
-+## {
-+## $ipaddr=~ s/.*address\ //;
-+## chomp $ipaddr;
-+## checkdnsip $ipaddr;
-+## }
-+## else
-+## {
-+## printf "$hostname does not resolve to an IP, no reverse lookup
tests possible.\n";
-+## }
-+## }
-+## # Check this IP for OE.
-+## if($ip)
-+## {
-+## printf "Checking IP $ip for Opportunistic Encryption:\n";
-+## checkdnsip $ip;
-+## }
-+## }
-+## else
-+## {
-+## # Call the default routines...
-+## # Root check...
-+## if($> != "0")
-+## {
-+## print "To check this machine, you need to run \"$me\" as root.\n"; exit;
-+## }
-+## else
-+## {
-+## installstartcheck;
-+## tunnelchecks;
-+## cmdchecks;
-+## run "ipsec addconn --configsetup";
-+## ($oe)=grep(/oe=\'yes\'/, @out);
-+## if( $oe) {
-+## dnschecks;
-+## if($print_deprecated)
-+## {
-+## print "
-+##
-+## RFC 3445 restricts the use of the KEY RR to DNSSEC applications. The
use of
-+## a KEY record sub-type for Opporunistic Encryption (OE) has been
deprecated.
-+## TXT records are used to provide all OE functionality.\n";
-+## }
-+## } else {
-+## printfun "Opportunistic Encryption Support";
-+## warnchk "", "DISABLED";
-+## }
-+## }
-+## # finally, run the config file through the parser checks
-+## run "ipsec auto addconn --checkconfig";
-+## }
-+## exit $reterr
---
-1.8.1.6
-
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Ipcop-svn mailing list
Ipcop-svn@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipcop-svn
