openwrt_ipsec_function.sh 分析

#!/bin/sh
#
# Copyright (C) 2015 Vitaly Protsko 

errno=0
#  get_fieldval gate src "$(/usr/sbin/ip route get $4)"
#  获取字段的值,
#

#  ip route get `nslookup www.xiaohuamao.top |awk 'NR == 5 {print $3}'`
#  47.100.200.1 via 192.168.254.254 dev eth5 src 192.168.254.127

# 调用这个函数就是给第一个参数赋值,找到源地址
get_fieldval() {
  local __data="$3"
  local __rest

  test -z "$1" && return  ## 测试第一个参数是否为空

  while true ; do
    __rest=${__data#* }
    test "$__rest" = "$__data" && break

    if [ "${__data/ *}" = "$2" ]; then ## 找他的源地址 src 
      eval "$1=${__rest/ *}"              
      break
    fi

    __data="$__rest"
  done
}
# 这个函数是管理防墙的
# 调用方式 manage_fw add $confIntZone $confExtZone "$remnet"
#                        lan            wan     
# config_get confExtZone "$1" ext_zone wan  获取那个配置文件的,那个option  不用管section   
#                  
# 防火墙的规则是要分析的   
manage_fw() {
  local cmd=/usr/sbin/iptables
  local mode
  local item

  if [ -z "$4" ]; then
    $log "Bad usage of manage_fw"
    errno=3; return 3
  fi

  case "$1" in
    add|up|1) mode=A ;;
    del|down|0) mode=D ;;
    *) return 3 ;;
  esac

  for item in $4 ; do
    $cmd -$mode forwarding_$2_rule -s $item -j ACCEPT
    $cmd -$mode output_$3_rule -d $item -j ACCEPT
    $cmd -$mode forwarding_$3_rule -d $item -j ACCEPT
    $cmd -t nat -$mode postrouting_$3_rule -d $item -j ACCEPT
  done
}

# manage_sa add "$locnet" "$remnet" $remote
#  option local_net '0.0.0.0/31'
#  option remote_net '0.0.0.0/31'
#  option remote 'anonymous'
# 这个函数是管理安全通道的
# ipsec 需要定义两个局域网  192.168.1.1/24 10.10.10.0/24 你的两台主机要在这个范围内进行通信才会触发
# 除了局域网还需要两个局域网对应的网关, 就是以前的setkey -f ipsec.conf 

manage_sa() {
  local spdcmd
  local rtcmd
  local gate
  local litem
  local ritem

  if [ -z "$4" ]; then
    $log "Bad usage of manage_sa"
    errno=3; return 3
  fi

  case "$1" in
    add|up|1) spdcmd=add; rtcmd=add ;;
    del|down|0) spdcmd=delete; rtcmd=del ;;
    *) errno=3; return 3 ;;
  esac

  get_fieldval gate src "$(/usr/sbin/ip route get $4)"
  if [ -z "$gate" ]; then
    $log "Can not find outbound IP for $4"
    errno=3; return 3
  fi


  for litem in $2 ; do
    for ritem in $3 ; do
      echo "
spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require;
spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
" | /usr/sbin/setkey -c 1>&2
    done
  done

  test -n "$5" && gate=$5

  for ritem in $3 ; do
    (sleep 3; /usr/sbin/ip route $rtcmd $ritem via $gate) &
  done
}

manage_nonesa() {
  local spdcmd
  local item
  local cout cin

  if [ -z "$4" ]; then
    $log "Bad usage of manage_nonesa"
    errno=3; return 3
  fi

  case "$1" in
    add|up|1) spdcmd=add ;;
    del|down|0) spdcmd=delete ;;
    *) errno=3; return 3 ;;
  esac

  case "$2" in
    local|remote) ;;
    *) errno=3; return 3 ;;
  esac

  for item in $3 ; do
    if [ "$2" = "local" ]; then
      cout="$4 $item"
      cin="$item $4"
    else
      cout="$item $4"
      cin="$4 $item"
    fi
    echo "
spd$spdcmd $cout any -P out none;
spd$spdcmd $cin any -P in none;
" | /usr/sbin/setkey -c 1>&2
  done
}

. /lib/functions/network.sh  # 这个文件也要分析下

get_zoneiflist() {
  local item
  local data
  local addr

  item=0
  data=$(uci get firewall.@zone[0].name)
  while [ -n "$data" ]; do
    test "$data" = "$1" && break
    let "item=$item+1"
    data=$(uci get firewall.@zone[$item].name)
  done

  if [ -z "$data" ]; then
    errno=1
    return $errno
  fi
  data=$(uci get firewall.@zone[$item].network)

  echo "$data"
}

get_zoneiplist() {
  local item
  local addr
  local data
  local result

  data=$(get_zoneiflist $1)
  test $? -gt 0 -o $errno -gt 0 -o -z "$data" && return $errno

  for item in $data ; do
    if network_is_up $item ; then
      network_get_ipaddrs addr $item
      test $? -eq 0 && result="$result $addr"
    fi
  done

  result=$(echo $result)
  echo "$result"
}


# EOF /etc/racoon/functions.sh

 

转载于:https://www.cnblogs.com/xiaohuamao/p/9205000.html