#! /bin/sh
# default updown script
# Copyright (C) 2000  D. Hugh Redelmeier, Henry Spencer
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: _updown,v 1.5 2000/03/22 17:14:50 henry Exp $



# CAUTION:  Installing a new version of FreeS/WAN will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, it's probably better to make a copy of this under
# another name, and modify that, and use the (left/right)updown parameters
# in ipsec.conf to make FreeS/WAN use yours instead of this one.



# check interface version
# PLUTO_VERSION is the updown-interface version the calling daemon exports;
# this script only knows 1.0 and refuses (status 2) to run against any other.
if [ "$PLUTO_VERSION" != 1.0 ]
then
	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
	exit 2
fi

# check parameter(s)
# Accept either no parameter at all or the single word "ipfwadm"
# (caused by (left/right)firewall=yes); anything else is an error (status 2).
# Note the whole argument list is compared, but only $1 is reported.
if [ -z "$*" ]
then
	:	# plain routing-only updown
elif [ "$*" = ipfwadm ]
then
	:	# firewall hooks requested
else
	echo "$0: unknown parameter \`$1'" >&2
	exit 2
fi

# utility functions for route manipulation
# Meddling with this stuff should never be necessary and is most unwise.
uproute() {
	route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
		dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}
downroute() {
	route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
		dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
}



# the big choice
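# Dispatch on the verb the caller exports in PLUTO_VERB plus our single
# optional parameter ("" or "ipfwadm").  Unless a branch exits explicitly,
# the script's exit status is that of the last command in the branch.
case "$PLUTO_VERB:$1" in
prepare-host:*|prepare-client:*)
	# Delete a possibly-existing route to the peer's client subnet before
	# a new one is added.  Only net/netmask are given, so any route to that
	# destination is removed, not just one added by uproute.
	# route's stderr is captured so the "not found" case can be recognised.
	oops="$(route del -net "$PLUTO_PEER_CLIENT_NET" \
					netmask "$PLUTO_PEER_CLIENT_MASK" 2>&1)"
	status="$?"
	if [ -z "$oops" ] && [ "$status" -ne 0 ]
	then
		oops="silent error in route command, exit status $status"
	fi
	case "$oops" in
	'SIOCDELRT: No such process')
		# This is what route (currently -- not documented!) gives
		# for "could not find such a route".  Nothing to delete is
		# exactly what we want here, so it is not an error.
		status=0
		;;
	esac
	if [ "$status" -ne 0 ]
	then
		# route's diagnostic was swallowed by the capture above; without
		# this the script would fail non-zero with no message at all.
		echo "$0: $oops" >&2
	fi
	exit "$status"
	;;
route-host:*|route-client:*)
	# connection to this host or client being routed
	uproute
	;;
unroute-host:*|unroute-client:*)
	# connection to this host or client being unrouted
	downroute
	;;
up-host:*)
	# connection to this host coming up; nothing to do by default
	;;
down-host:*)
	# connection to this host going down; nothing to do by default
	;;
up-client:)
	# connection to client subnet coming up; nothing to do without
	# (left/right)firewall=yes
	;;
down-client:)
	# connection to client subnet going down; nothing to do without
	# (left/right)firewall=yes
	;;
up-client:ipfwadm)
	# connection to client subnet, through forwarding firewall, coming up:
	# insert (-i) a bidirectional (-b) accept rule in the forwarding chain
	# (-F) between our client subnet and the peer's, i.e. this is the point
	# where the firewall is opened for the tunnelled traffic.
	# beware:  read the CAUTION comment up at the top before changing this
	ipfwadm -F -i accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
		-D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
	;;
down-client:ipfwadm)
	# connection to client subnet, through forwarding firewall, going down:
	# delete (-d) the rule inserted by up-client:ipfwadm so the subnet pair
	# is closed again once the tunnel is gone.
	# beware:  read the CAUTION comment up at the top before changing this
	ipfwadm -F -d accept -b -S "$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
		-D "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
	;;
*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
	exit 1
	;;
esac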
