#!/bin/sh
# IPsec startup and shutdown script
# Copyright (C) 1998, 1999, 2001  Henry Spencer.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: setup,v 1.110 2001/06/20 15:55:13 henry Exp $
#
# ipsec         init.d script for starting and stopping
#               the IPsec security subsystem (KLIPS and Pluto).
#
# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
# and is also accessible as "ipsec setup" (the preferred route for human
# invocation).
#
# The startup and shutdown times are a difficult compromise (in particular,
# it is almost impossible to reconcile them with the insanely early/late
# times of NFS filesystem startup/shutdown).  Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.
#
# chkconfig: 345 47 68
# description: IPsec provides encrypted and authenticated communications; \
# KLIPS is the kernel half of it, Pluto is the user-level management daemon.

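# Source function library.  SourceIfNotEmpty, success and failure, used
# below without being defined here, are expected to come from this file.
. /etc/init.d/functions

# Source networking configuration and check that networking is up.
# Either a failed source or NETWORKING=no ends the script silently; the
# exit status is that of the failing test.
SourceIfNotEmpty /etc/sysconfig/network || exit
[ "$NETWORKING" != no ] || exit

# Get config.
SourceIfNotEmpty /etc/sysconfig/ipsec

IPSEC_EXE=/usr/sbin/ipsec
LOCKFILE=/var/lock/subsys/ipsec
RETVAL=0
me='ipsec setup'		# for messages

# Pick up IPsec configuration (until we have done this, successfully, we
# do not know where errors should go, hence the explicit "daemon.error"s.)
# Note the "--export", which exports the variables created.
#
# _confread emits shell code and eval runs it, so whatever configuration
# _confread reads is effectively trusted as code here.  The command
# substitution is quoted so the emitted code reaches eval unchanged
# instead of being word-split and glob-expanded first.
echo -n "Picking up IPsec configuration: "
eval "$("$IPSEC_EXE" _confread --varprefix IPSEC --export --type config setup)"
if [ -z "$IPSEC_confreadstatus" ]; then
	success "ipsec config"
	echo
else
	echo "$IPSEC_confreadstatus -- \`$1' aborted" |
		logger -p daemon.error -t ipsec_setup
	failure "ipsec config"
	echo
	exit 1
fi
# Syslog priority for everything that follows.  The "-" form (not ":-")
# applies the default only when the variable is unset; a value that was
# deliberately set to empty is kept.
IPSECsyslog=${IPSECsyslog-daemon.error}
export IPSECsyslog

# misc setup: files created from here on are neither group-writable nor
# accessible to others.
umask 027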

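#######################################
# Run "ipsec _realsetup" as superuser with its output captured to syslog.
# Globals:   IPSEC_EXE, IPSECsyslog, me (read); RETVAL, tmp (written)
# Arguments: passed through unchanged to "ipsec _realsetup"
# Outputs:   success/failure marker on stdout, all _realsetup output to syslog
# Returns:   the exit status of _realsetup; exits 1 on precondition failure
#######################################
start_stop()
{
	# Refuse to run as anyone but root; the refusal goes to syslog as
	# well as the console.
	if [ "$(id -u)" != 0 ]; then
		echo "permission denied (must be superuser)" |
			logger -p "$IPSECsyslog" -t ipsec_setup 2>&1
		failure "$me"
		exit 1
	fi
	# _realsetup runs inside a pipeline into logger, so its exit status
	# is not directly observable; it is carried out through a temp file.
	# mktemp gives an unpredictable name, and the file lives under
	# /var/run rather than a shared world-writable temp directory.
	# (tmp stays global: this is a /bin/sh script without "local".)
	tmp="$(mktemp "/var/run/ipsec.XXXXXXXXXX")"
	if [ -z "$tmp" ]; then
		echo "failed to create tmpfile" |
			logger -p "$IPSECsyslog" -t ipsec_setup 2>&1
		failure "$me"
		exit 1
	fi
	(
		"$IPSEC_EXE" _realsetup "$@"
		echo "$?" >"$tmp"
	) 2>&1 | logger -p "$IPSECsyslog" -t ipsec_setup 2>&1
	RETVAL=$(cat "$tmp")
	rm -f "$tmp"
	# If the subshell never wrote its status (killed, disk full), the
	# file is empty or garbled: count that as a failure instead of
	# letting "[ -eq ]" complain about a non-integer.
	case "$RETVAL" in
		''|*[!0-9]*) RETVAL=1 ;;
	esac
	if [ "$RETVAL" -eq 0 ]; then
		success "$me"
	else
		failure "$me"
	fi
	echo
	# The lock file is the caller's business: start() creates it and
	# stop() removes it, so it is not touched here.
	return $RETVAL
}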

#######################################
# Start IPsec and, on success, create the subsystem lock file.
# Globals:   LOCKFILE (read), RETVAL (read, set by start_stop)
# Arguments: passed through to start_stop
# Outputs:   "Starting IPsec: " prefix on stdout
# Returns:   RETVAL as left by start_stop
#######################################
start()
{
	echo -n "Starting IPsec: "
	if start_stop "$@"; then
		touch "$LOCKFILE"
	fi
	return $RETVAL
}

#######################################
# Stop IPsec and, on success, remove the subsystem lock file.
# Globals:   LOCKFILE (read), RETVAL (read, set by start_stop)
# Arguments: passed through to start_stop
# Outputs:   "Stopping IPsec: " prefix on stdout
# Returns:   RETVAL as left by start_stop
#######################################
stop()
{
	echo -n "Stopping IPsec: "
	if start_stop "$@"; then
		rm -f "$LOCKFILE"
	fi
	return $RETVAL
}

#######################################
# Full restart: a normal stop followed by a normal start.
# Globals:   RETVAL (read; set by the underlying start_stop calls)
# Returns:   RETVAL as left by the final start
#######################################
restart()
{
	stop stop
	start start
	return $RETVAL
}

#######################################
# Internal restart variant: the _autostop/_autostart command words are
# handed down to "ipsec _realsetup" instead of plain stop/start.
# Globals:   RETVAL (read; set by the underlying start_stop calls)
# Returns:   RETVAL as left by the final start
#######################################
autorestart()
{
	stop _autostop
	start _autostart
	return $RETVAL
}

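# do it: dispatch on the single command word.

# Print the command summary.  Kept in one place so that "help" and the
# unknown-command path cannot drift apart, and listed in full (the old
# text omitted version and help).
usage()
{
	echo "Usage: ${0##*/} {start|stop|restart|condstop|condrestart|status|version|help}"
}

case "$1" in
	start|--start|_autostart)
		start "$1"
		;;
	stop|--stop|_autostop)
		stop "$1"
		;;
	restart|--restart)
		restart
		;;
	_autorestart)
		# for internal use only
		autorestart
		;;
	status|--status)
		# Passed straight to _realsetup, bypassing the superuser
		# check and syslog capture that start_stop applies.
		"$IPSEC_EXE" _realsetup "$1"
		RETVAL=$?
		;;
	version|--version)
		# IPSEC_VERSION is not set in this script; presumably it is
		# among the variables exported by _confread above.
		echo "$me $IPSEC_VERSION"
		;;
	condstop)
		# Only act if a previous start left the lock file behind.
		if [ -e "$LOCKFILE" ]; then
			stop stop
		fi
		;;
	condrestart)
		if [ -e "$LOCKFILE" ]; then
			restart
		fi
		;;
	help|--help)
		usage
		;;
	*)
		usage
		RETVAL=1
		;;
esac

exit $RETVAL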
