From: <ges...@us...> - 2007-09-20 15:12:13
Revision: 496 http://ipcop.svn.sourceforge.net/ipcop/?rev=496&view=rev Author: gespinasse Date: 2007-09-20 08:12:16 -0700 (Thu, 20 Sep 2007) Log Message: ----------- This version should be correct to usage of bash built-in command and external commands with full path. Fix the MX domain that could be printed by host from bind-9.4.0 Print only A record SF 1797096 ( thank to dermots ) Forward from 1.4 two missing revisions : - Handle the case where the 'pipe' had been left alone for some reason - Reread ipsec.secrets file This is not necessary with certs but with preshared keys conns identified by IP, it is ! - Change a little the informational message. Modified Paths: -------------- ipcop/trunk/src/scripts/vpn-watch Modified: ipcop/trunk/src/scripts/vpn-watch =================================================================== --- ipcop/trunk/src/scripts/vpn-watch 2007-09-20 10:45:24 UTC (rev 495) +++ ipcop/trunk/src/scripts/vpn-watch 2007-09-20 15:12:16 UTC (rev 496) 
@@ -27,38 +27,43 @@ # Configuration # -VPN_CONFIG='CONFIG_ROOT/vpn/config' # Location of IPCop's vpn configuration file -SETTINGS='CONFIG_ROOT/vpn/settings' # and settings +VPN_CONFIG='/var/ipcop/vpn/config' # Location of IPCop's vpn configuration file +SETTINGS='/var/ipcop/vpn/settings' # and settings CHECK_INTERVAL='60' # Check this often (in seconds) -DNS_RESOLVE_TRIES='2' # Try to resolve IPs this often (each try takes max. 2 seconds) +DNS_RESOLVE_TRIES='4' # Try to resolve IPs this often (each try takes max. 2 seconds) NICENESS='+5' # Adjust niceness of child processes: '-20' ... '+19'; '0' is default - case "$1" in 'start' | '--start') eval $(/usr/local/bin/readhash $SETTINGS) - test "${VPN_WATCH}" != "on" && exit 1 # not activated, cannot start! - + test "${VPN_WATCH}" != "on" && exit 1 # not activated, cannot start! + if test ! -r "$VPN_CONFIG"; then echo 'Error: cannot read IPCop VPN configuration file; exit.' >&2 exit 1 fi if test -p /var/run/$(basename $0); then - echo 'Error: stop before; exit.' >&2 - exit 1 + if /bin/ps --no-heading axw | /bin/grep -v 'grep' | /bin/grep -q "$(basename $0) conn: "; then + echo "Error: use '$(basename $0) stop' please; exit." >&2 + exit 1 + else + /bin/rm /var/run/$(basename $0) # pipe was left alone, correct error condition + fi fi - mknod -m 0660 "/var/run/$(basename $0)" p >/dev/null 2>&1 # Create pipe for status-information + # the pipe serves for "-status" but is not used yet + /bin/mknod -m 0660 "/var/run/$(basename $0)" p >/dev/null 2>&1 # Create pipe for status-information + # # Read VPN configuration and fork a child process for each VPN connection active, net-to-net & RED # while read line; do - VPN=($(echo $line | cut --delimiter=',' --output-delimiter=' ' -f2,3,5,12,28 )) # Activated, Name, Host/Net-to-net, Remote, ITF. + VPN=($(echo $line | /usr/bin/cut --delimiter=',' --output-delimiter=' ' -f2,3,5,12,28 )) # Activated, Name, Host/Net-to-net, Remote, ITF. 
test "${VPN[0]}" != "on" && continue # Ignore: deactivated connections test "${VPN[2]}" = "host" && continue # Ignore: roadwarriors ## test "${VPN[4]}" != "RED" && continue # Ignore: local vpns needed or not ? - echo -n "${VPN[3]}" | grep -q '^[[:digit:]\.]\+$' && continue #If fixed remote IP, no need to watch! + echo -n "${VPN[3]}" | /bin/grep -q '^[[:digit:]\.]\+$' && continue #If fixed remote IP, no need to watch! $0 'conn:' "${VPN[1]}" "${VPN[3]}">/dev/null 2>&1 & #Fork child process (parameters: "conn: NAME RIGHT") done < "$VPN_CONFIG" exit 0 # Parent dies here... RIP 
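Review bot: The running-instance test on the new `/bin/ps --no-heading axw | /bin/grep -v 'grep' | /bin/grep -q "$(basename $0) conn: "` line is a substring match over every process command line, so any unrelated process whose arguments contain that text (an editor open on a log, another grep) makes `start` refuse with "use stop", while the `stop` branch later in this file identifies instances with `/bin/pidof -x -o %PPID $(basename $0)`. Reusing that test here, `if /bin/pidof -x -o %PPID "$(basename $0)" >/dev/null; then`, keeps both branches consistent and stops matching on argument text (at the cost of also counting a concurrently running `stop`). The `test -p /var/run/$(basename $0)` and `/bin/rm /var/run/$(basename $0)` lines leave the path unquoted although the `mknod` line just below quotes it; quote all three. Note too that `/bin/mknod ... >/dev/null 2>&1` swallows failure, so when the path exists as something other than a pipe (`test -p` is false, nothing is removed) the script continues without a pipe and without any message; `|| echo 'Warning: cannot create status pipe' >&2` would at least record it.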
@@ -66,78 +71,76 @@ 'stop' | '--stop') # Terminate processes - for proc in $(pidof -x -o %PPID $(basename $0)); do - kill -s SIGTERM -- "$proc" + for proc in $(/bin/pidof -x -o %PPID $(basename $0)); do + /bin/kill -s SIGTERM -- "$proc" done - sleep 1 - + /bin/sleep 1 + # Kill remaining processes - for proc in $(pidof -x -o %PPID $(basename $0)); do - kill -s SIGKILL -- "$proc" + for proc in $(/bin/pidof -x -o %PPID $(basename $0)); do + /bin/kill -s SIGKILL -- "$proc" done - rm -f "/var/run/$(basename $0)" # Remove pipe + /bin/rm -f "/var/run/$(basename $0)" # Remove pipe exit 0 ;; - 'restart' | '--restart') - $0 stop #bug: 'stop' kill this process also..... - $0 start #and never start - exit 0 - ;; + #'status' | '--status') + # echo "VPN-Watch" + # if /bin/ps --no-heading axw | /bin/grep -v 'grep' | /bin/grep -q "$(basename $0) conn: "; then + # trap '' USR1 + # /bin/killall -q -g -s USR1 -- $(basename $0) + # /bin/sleep 1 + # /bin/cat "/var/run/$(basename $0)" | /usr/bin/sort # Read children's info from pipe + # else + # echo ' no instance running.' + # fi + # exit 0 + # ;; - 'status' | '--status') - echo "VPN-Watch" - if ps --no-heading axw | grep -v 'grep' | grep -q "$(basename $0) conn: "; then - trap '' USR1 - killall -q -g -s USR1 -- $(basename $0) - sleep 1 - cat "/var/run/$(basename $0)" | sort # Read children's info from pipe - else - echo ' no instance running.' - fi - exit 0 - ;; - 'conn:') # Children proceed here... 
- renice ${NICENESS:-0} -p $$ >/dev/null 2>&1 # Adjust niceness + /usr/bin/renice ${NICENESS:-0} -p $$ >/dev/null 2>&1 # Adjust niceness shift # Remove the first positional parameter ("conn:"), as we don't need it anymore ;; *) - echo "Usage: $0 { start | stop | status }" >&2 + echo "Usage: $0 { start | stop }" >&2 exit 1 ;; esac # Logging, signal handlers -alias log="logger -t vpn-watch \'${1}\':" +alias log="/usr/bin/logger -t vpn-watch \'${1}\':" trap 'log "terminated after ${RESTART_COUNT} restarts."' EXIT -trap 'echo "connection \"${1}\" restarted ${RESTART_COUNT} times" >>/var/run/$(basename $0)' USR1 +#trap 'echo "connection \"${1}\" restarted ${RESTART_COUNT} times" >>/var/run/$(basename $0)' USR1 # -# Get IP of a FQDN... using 'host', 'arp', 'traceroute' or 'ping', +# Get IP of a FQDN... using 'host' command. Everything is ok when dns server responds. +# If no response, +# -maybe RED is down. The script can terminate. It will restart with rc.updatered. +# or +# -the dns server is down. In this case, terminate the script is not a good idea... 
+# Thus 4 retries before returning response 'stop' # function get_ip () { local RESULT='' + # delay divided by two for each loop + delay=8 for ((i=1; ${i} <= ${DNS_RESOLVE_TRIES}; i++)); do - RESULT=$(host "$1" 2>/dev/null | awk '{ print $4 }') - test -n "$RESULT" && break + # extract IP address + RESULT=$(/usr/bin/host -t A "$1" 2>/dev/null| awk '{ print $4 }') + if echo -n $RESULT | /bin/grep -q '^[[:digit:]\.]\+$' ; then + echo -n $RESULT + return + fi - RESULT=$(arp "$1" 2>/dev/null | awk '{ print $2 }' | tr -d '()') - test -n "$RESULT" && break - - RESULT=$(traceroute -m1 -q1 "$1" 2>/dev/null | head -n1 | awk '{ print $4 }' | tr -d '(),') - test -n "$RESULT" && break - - RESULT=$(ping -q -c1 -w2 -s0 "$1" 2>/dev/null | head -n1 | awk '{ print $3 }' | tr -d '()') - test -n "$RESULT" && break + /bin/sleep $delay + delay=$((delay>>1)) done + # Change 'stop' to something else to let the script running + echo -n "stop" # stop: the script will terminate - test -z "$RESULT" && log "Warning: could not resolve ${1} after ${DNS_RESOLVE_TRIES} tries..." && exit - echo -n "$RESULT" | !grep -q '^[[:digit:]\.]\+$' && log "Warning: could not resolve ${1} after ${DNS_RESOLVE_TRIES} tries..."&& exit - echo -n "$RESULT" } # Infinite loop; checks, whether the IP of FQDN has changed. 
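Review bot: In the new `get_ip`, `RESULT=$(/usr/bin/host -t A "$1" 2>/dev/null| awk '{ print $4 }')` takes field 4 of every line `host` prints, so a name with several A records, or a CNAME line preceding the address line, yields a multi-word RESULT that fails the `^[[:digit:]\.]\+$` check on the next line, and the function falls through all retries to `stop` for a host that resolves fine. Restricting awk to the address line and stopping at the first one, `awk '/ has address /{ print $4; exit }'`, returns exactly one A record as the log message intends. The same call uses a bare `awk` although the commit's stated aim is full paths for external commands, and `delay=8` is not declared `local` like `RESULT`. The `alias log="/usr/bin/logger ..."` line above the function is only expanded by bash in a non-interactive script when `shopt -s expand_aliases` is set earlier in the file, which this hunk does not show; if it is not, the `trap ... EXIT` handler and every later `log` call fail with "log: command not found".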
@@ -146,20 +149,24 @@ RESTART_COUNT=0 REMOTE_IP_OLD=$(get_ip $2) log "start watching $REMOTE_IP_OLD" -while :; do - sleep $CHECK_INTERVAL +while [ $REMOTE_IP_OLD != 'stop' ] ; do + /bin/sleep $CHECK_INTERVAL # Skip check until IPSec is running. Update IP_OLD while our ipsec is down - ipsec auto --status >/dev/null 2>&1 || REMOTE_IP_OLD=$(get_ip $2) || continue + /usr/sbin/ipsec auto --status >/dev/null 2>&1 || { + REMOTE_IP_OLD=$(get_ip $2) + continue + } REMOTE_IP_NEW=$(get_ip $2) if test "${REMOTE_IP_OLD}" != "${REMOTE_IP_NEW}"; then - log "Remote IP has changed to $REMOTE_IP_NEW. Restarting vpn..." /usr/sbin/ipsec auto --down $1 /usr/sbin/ipsec auto --replace $1 + /usr/sbin/ipsec auto --rereadsecrets /usr/sbin/ipsec auto --up $1 let RESTART_COUNT++ + log "Remote IP has changed from $REMOTE_IP_OLD to $REMOTE_IP_NEW. Connection restarted (#$RESTART_COUNT times)." REMOTE_IP_OLD=$REMOTE_IP_NEW fi done This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
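Review bot: When `get_ip` returns `stop` into `REMOTE_IP_NEW` while IPSec is up (DNS server unreachable for the retry window), the `test "${REMOTE_IP_OLD}" != "${REMOTE_IP_NEW}"` branch fires: the tunnel is torn down and brought up again, `REMOTE_IP_OLD` becomes `stop`, and the loop condition then ends the watcher — the exact outcome the log message says should be avoided for a DNS outage. A guard right after the lookup, `[ "$REMOTE_IP_NEW" = 'stop' ] && continue`, keeps the established tunnel and the last good address and retries on the next interval. The new loop condition `while [ $REMOTE_IP_OLD != 'stop' ] ; do` should quote the variable, since `[` errors out on an empty operand; `get_ip $2` and the `ipsec auto --down $1` / `--replace $1` / `--up $1` lines likewise pass configuration-derived values unquoted.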