[Ipcop-svn] SF.net SVN: ipcop: [496] ipcop/trunk/src/scripts/vpn-watch

[<ges...@us...>]

Revision: 496
          http://ipcop.svn.sourceforge.net/ipcop/?rev=496&view=rev
Author:   gespinasse
Date:     2007-09-20 08:12:16 -0700 (Thu, 20 Sep 2007)

Log Message:
-----------
This version should be correct to usage of bash built-in command and external commands with full path.

Fix the MX domain that could be printed by host from bind-9.4.0
Print only A record SF 1797096 ( thank to dermots )

Forward from 1.4 two missing revisions :
- Handle the case where the 'pipe' had been left alone for some reason

- Reread ipsec.secrets file
This is not  necessary with certs but with preshared keys conns identified by IP, it is !

- Change a little the informational message.

Modified Paths:
--------------
    ipcop/trunk/src/scripts/vpn-watch

Modified: ipcop/trunk/src/scripts/vpn-watch
===================================================================
--- ipcop/trunk/src/scripts/vpn-watch	2007-09-20 10:45:24 UTC (rev 495)
+++ ipcop/trunk/src/scripts/vpn-watch	2007-09-20 15:12:16 UTC (rev 496)
@@ -27,38 +27,43 @@
 # Configuration
 #
 
-VPN_CONFIG='CONFIG_ROOT/vpn/config'		# Location of IPCop's vpn configuration file
-SETTINGS='CONFIG_ROOT/vpn/settings'		# and settings
+VPN_CONFIG='/var/ipcop/vpn/config'		# Location of IPCop's vpn configuration file
+SETTINGS='/var/ipcop/vpn/settings'		# and settings
 
 CHECK_INTERVAL='60'				# Check this often (in seconds)
-DNS_RESOLVE_TRIES='2'				# Try to resolve IPs this often (each try takes max. 2 seconds)
+DNS_RESOLVE_TRIES='4'				# Try to resolve IPs this often (each try takes max. 2 seconds)
 NICENESS='+5'					# Adjust niceness of child processes: '-20' ... '+19'; '0' is default
-
 case "$1" in
 	'start' | '--start')
 		eval $(/usr/local/bin/readhash $SETTINGS)
-		test  "${VPN_WATCH}" != "on"  && exit 1			# not activated, cannot start!
-		 
+		test "${VPN_WATCH}" != "on"  && exit 1			# not activated, cannot start!
+
 		if test ! -r "$VPN_CONFIG"; then
 			echo 'Error: cannot read IPCop VPN configuration file; exit.' >&2
 			exit 1
 		fi
 
 		if test -p /var/run/$(basename $0); then
-			echo 'Error: stop before; exit.' >&2
-			exit 1
+			if /bin/ps --no-heading axw | /bin/grep -v 'grep' | /bin/grep -q "$(basename $0) conn: "; then
+				echo "Error: use '$(basename $0) stop' please; exit." >&2
+				exit 1
+			else
+				/bin/rm /var/run/$(basename $0)			# pipe was left alone, correct error condition
+			fi
 		fi
 
-		mknod -m 0660 "/var/run/$(basename $0)" p >/dev/null 2>&1	# Create pipe for status-information
+		# the pipe serves for "-status" but is not used yet
+		/bin/mknod -m 0660 "/var/run/$(basename $0)" p >/dev/null 2>&1	# Create pipe for status-information
 
+		#
 		# Read VPN configuration and fork a child process for each VPN connection active, net-to-net & RED 
 		#
 		while read line; do
-			VPN=($(echo $line | cut --delimiter=',' --output-delimiter=' ' -f2,3,5,12,28 ))	# Activated, Name, Host/Net-to-net, Remote, ITF.
+			VPN=($(echo $line | /usr/bin/cut --delimiter=',' --output-delimiter=' ' -f2,3,5,12,28 ))	# Activated, Name, Host/Net-to-net, Remote, ITF.
 			test  "${VPN[0]}" != "on"  && continue				# Ignore: deactivated connections
 			test  "${VPN[2]}"  = "host"  && continue			# Ignore: roadwarriors
 			## test  "${VPN[4]}" != "RED"  && continue			# Ignore: local vpns needed or not ?
-			echo -n "${VPN[3]}" | grep -q '^[[:digit:]\.]\+$' && continue	#If fixed remote IP, no need to watch!
+			echo -n "${VPN[3]}" | /bin/grep -q '^[[:digit:]\.]\+$' && continue	#If fixed remote IP, no need to watch!
 			$0 'conn:' "${VPN[1]}" "${VPN[3]}">/dev/null 2>&1 &		#Fork child process (parameters: "conn: NAME RIGHT")
 		done < "$VPN_CONFIG"
 		exit 0									# Parent dies here... RIP
@@ -66,78 +71,76 @@
 
 	'stop' | '--stop')
 		# Terminate processes
-		for proc in $(pidof -x -o %PPID $(basename $0)); do
-			kill -s SIGTERM -- "$proc"
+		for proc in $(/bin/pidof -x -o %PPID $(basename $0)); do
+			/bin/kill -s SIGTERM -- "$proc"
 		done
-		sleep 1
-		
+		/bin/sleep 1
+
 		# Kill remaining processes
-		for proc in $(pidof -x -o %PPID $(basename $0)); do
-			kill -s SIGKILL -- "$proc"
+		for proc in $(/bin/pidof -x -o %PPID $(basename $0)); do
+			/bin/kill -s SIGKILL -- "$proc"
 		done
-		rm -f "/var/run/$(basename $0)"			# Remove pipe
+		/bin/rm -f "/var/run/$(basename $0)"			# Remove pipe
 		exit 0
 		;;
 
-	'restart' | '--restart')
-		$0 stop						#bug: 'stop' kill this process also.....
-		$0 start					#and never start
-		exit 0
-		;;
+	#'status' | '--status')
+	#	echo "VPN-Watch"
+	#	if /bin/ps --no-heading axw | /bin/grep -v 'grep' | /bin/grep -q "$(basename $0) conn: "; then
+	#		trap '' USR1
+	#		/bin/killall -q -g -s USR1 -- $(basename $0)
+	#		/bin/sleep 1
+	#		/bin/cat "/var/run/$(basename $0)" | /usr/bin/sort 	# Read children's info from pipe
+	#	else
+	#		echo '     no instance running.'
+	#	fi
+	#	exit 0
+	#	;;
 
-	'status' | '--status')
-		echo "VPN-Watch"
-		if ps --no-heading axw | grep -v 'grep' | grep -q "$(basename $0) conn: "; then
-			trap '' USR1
-			killall -q -g -s USR1 -- $(basename $0)
-			sleep 1
-			cat "/var/run/$(basename $0)" | sort 	# Read children's info from pipe
-		else
-			echo '     no instance running.'
-		fi
-		exit 0
-		;;
-
 	'conn:')
 		# Children proceed here...
-		renice ${NICENESS:-0} -p $$ >/dev/null 2>&1	# Adjust niceness
+		/usr/bin/renice ${NICENESS:-0} -p $$ >/dev/null 2>&1	# Adjust niceness
 		shift		# Remove the first positional parameter ("conn:"), as we don't need it anymore
 		;;
 	*)
-		echo "Usage: $0 { start | stop | status }" >&2
+		echo "Usage: $0 { start | stop }" >&2
 		exit 1
 		;;
 esac
 
 # Logging, signal handlers
-alias log="logger -t vpn-watch \'${1}\':"
+alias log="/usr/bin/logger -t vpn-watch \'${1}\':"
 
 trap 'log "terminated after ${RESTART_COUNT} restarts."' EXIT
-trap 'echo "connection \"${1}\" restarted ${RESTART_COUNT} times" >>/var/run/$(basename $0)' USR1
+#trap 'echo "connection \"${1}\" restarted ${RESTART_COUNT} times" >>/var/run/$(basename $0)' USR1
 
 #
-# Get IP of a FQDN... using 'host', 'arp', 'traceroute' or 'ping',
+# Get IP of a FQDN... using 'host' command. Everything is ok when dns server responds.
+# If no response,
+# -maybe RED is down. The script can terminate. It will restart with rc.updatered.
+# or
+# -the dns server is down. In this case, terminate the script is not a good idea...
+# Thus 4 retries before returning response 'stop'
 #
 function get_ip () {
 	local RESULT=''
+	# delay divided by two for each loop
+	delay=8
 	for ((i=1; ${i} <= ${DNS_RESOLVE_TRIES}; i++)); do
 
-		RESULT=$(host "$1" 2>/dev/null | awk '{ print $4 }')
-		test -n "$RESULT" && break
+		# extract IP address
+		RESULT=$(/usr/bin/host -t A "$1" 2>/dev/null| awk '{ print $4 }')
+		if echo -n $RESULT | /bin/grep -q '^[[:digit:]\.]\+$' ; then
+			echo -n $RESULT
+			return
+		fi
 
-		RESULT=$(arp "$1" 2>/dev/null | awk '{ print $2 }' | tr -d '()')
-		test -n "$RESULT" && break
-
-		RESULT=$(traceroute -m1 -q1 "$1" 2>/dev/null | head -n1 | awk '{ print $4 }' | tr -d '(),')
-		test -n "$RESULT" && break	
-
-		RESULT=$(ping -q -c1 -w2 -s0 "$1" 2>/dev/null | head -n1 | awk '{ print $3 }' | tr -d '()')
-		test -n "$RESULT" && break
+		/bin/sleep $delay
+		delay=$((delay>>1))
 	done
+	# Change 'stop' to something else to let the script running
+	echo -n "stop" # stop: the script will terminate
 
-	test -z "$RESULT" && log "Warning: could not resolve ${1} after ${DNS_RESOLVE_TRIES} tries..." && exit
-	echo -n "$RESULT" | !grep -q '^[[:digit:]\.]\+$' && log "Warning: could not resolve ${1} after ${DNS_RESOLVE_TRIES} tries..."&& exit
-	echo -n "$RESULT"
 }
 
 # Infinite loop; checks, whether the IP of FQDN has changed.
@@ -146,20 +149,24 @@
 RESTART_COUNT=0
 REMOTE_IP_OLD=$(get_ip $2)
 log "start watching $REMOTE_IP_OLD"
-while :; do
-	sleep $CHECK_INTERVAL
 
+while [ $REMOTE_IP_OLD != 'stop' ] ;  do
+	/bin/sleep $CHECK_INTERVAL
 	# Skip check until IPSec is running. Update IP_OLD while our ipsec is down
-	ipsec auto --status >/dev/null 2>&1 || REMOTE_IP_OLD=$(get_ip $2) || continue
+	/usr/sbin/ipsec auto --status >/dev/null 2>&1 || {
+		REMOTE_IP_OLD=$(get_ip $2)
+		continue
+	}
 
 	REMOTE_IP_NEW=$(get_ip $2)
 
 	if test "${REMOTE_IP_OLD}" != "${REMOTE_IP_NEW}"; then
-		log "Remote IP has changed to $REMOTE_IP_NEW. Restarting vpn..."
 		/usr/sbin/ipsec auto --down  $1
 		/usr/sbin/ipsec auto --replace  $1
+		/usr/sbin/ipsec auto --rereadsecrets
 		/usr/sbin/ipsec auto --up  $1
 		let RESTART_COUNT++
+		log "Remote IP has changed from $REMOTE_IP_OLD to $REMOTE_IP_NEW. Connection restarted (#$RESTART_COUNT times)."
 		REMOTE_IP_OLD=$REMOTE_IP_NEW
 	fi
 done


This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.