mirror of
https://github.com/qosmio/nss-packages.git
synced 2025-12-16 08:12:53 +00:00
8d54d726c2
To keep fork as closely synced with upstream, move NSS packages back into repository. Not sure why they were moved out from my original fork. * nss-firmware * qca-nss-crypto * qca-nss-cfi Removed the following: * mhz (already available in packages repo) * qrtr (unecessary, and has been broken for years) Also moved packages out of `qca` and back into root directory.
232 lines
5.0 KiB
Bash
Executable File
232 lines
5.0 KiB
Bash
Executable File
#!/bin/sh /etc/rc.common
|
|
#
|
|
# Copyright (c) 2018-2019, 2021 The Linux Foundation. All rights reserved.
|
|
#
|
|
# Permission to use, copy, modify, and/or distribute this software for any
|
|
# purpose with or without fee is hereby granted, provided that the above
|
|
# copyright notice and this permission notice appear in all copies.
|
|
#
|
|
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
NSS_IPSEC_LOG_FILE=/tmp/.nss_ipsec_log
|
|
NSS_IPSEC_LOG_STR_ECM="ECM_Loaded"
|
|
NSS_IPSEC_OL_FILE=/tmp/qca_nss_ipsec_ol
|
|
|
|
ecm_load () {
|
|
if [ ! -d /sys/module/ecm ]; then
|
|
/etc/init.d/qca-nss-ecm start
|
|
if [ -d /sys/module/ecm ]; then
|
|
echo ${NSS_IPSEC_LOG_STR_ECM} >> ${NSS_IPSEC_LOG_FILE}
|
|
fi
|
|
fi
|
|
}
|
|
|
|
ecm_unload () {
|
|
if [ -f /tmp/.nss_ipsec_log ]; then
|
|
str=`grep ${NSS_IPSEC_LOG_STR_ECM} ${NSS_IPSEC_LOG_FILE}`
|
|
if [[ $str == ${NSS_IPSEC_LOG_STR_ECM} ]]; then
|
|
/etc/init.d/qca-nss-ecm stop
|
|
`sed 's/${NSS_IPSEC_LOG_STR_ECM}/ /g' $NSS_IPSEC_LOG_FILE > $NSS_IPSEC_LOG_FILE`
|
|
fi
|
|
fi
|
|
}
|
|
|
|
ecm_disable() {
|
|
if [ ! -d /sys/module/ecm ]; then
|
|
return;
|
|
fi
|
|
|
|
echo 1 > /sys/kernel/debug/ecm/front_end_ipv4_stop
|
|
echo 1 > /sys/kernel/debug/ecm/front_end_ipv6_stop
|
|
echo 1 > /sys/kernel/debug/ecm/ecm_db/defunct_all
|
|
sleep 2
|
|
}
|
|
|
|
ecm_enable() {
|
|
if [ ! -d /sys/module/ecm ]; then
|
|
return;
|
|
fi
|
|
|
|
echo 0 > /sys/kernel/debug/ecm/ecm_db/defunct_all
|
|
echo 0 > /sys/kernel/debug/ecm/front_end_ipv4_stop
|
|
echo 0 > /sys/kernel/debug/ecm/front_end_ipv6_stop
|
|
}
|
|
|
|
kernel_version_check_5_4() {
|
|
major_ver=$(uname -r | awk -F '.' '{print $1}')
|
|
minor_ver=$(uname -r | awk -F '.' '{print $2}')
|
|
if [ $major_ver -lt 5 ] || ([ $major_ver -eq 5 ] && [ $minor_ver -lt 4 ] ); then
|
|
return 1
|
|
else
|
|
return 0
|
|
fi
|
|
}
|
|
|
|
kernel_version_check_5_15() {
|
|
major_ver=$(uname -r | awk -F '.' '{print $1}')
|
|
minor_ver=$(uname -r | awk -F '.' '{print $2}')
|
|
if [ $major_ver -lt 5 ] || ([ $major_ver -eq 5 ] && [ $minor_ver -lt 15 ] ); then
|
|
return 1
|
|
else
|
|
return 0
|
|
fi
|
|
}
|
|
|
|
start_klips() {
|
|
if kernel_version_check_5_4; then
|
|
echo "Kernel 5.4 doesn't support klips stack."
|
|
return $?
|
|
fi
|
|
|
|
if kernel_version_check_5_15; then
|
|
echo "Kernel 5.15 doesn't support klips stack."
|
|
return $?
|
|
fi
|
|
|
|
touch $NSS_IPSEC_OL_FILE
|
|
ecm_load
|
|
|
|
local kernel_version=$(uname -r)
|
|
|
|
insmod /lib/modules/${kernel_version}/qca-nss-ipsec-klips.ko
|
|
if [ "$?" -gt 0 ]; then
|
|
echo "Failed to load plugin. Please start ecm if not done already"
|
|
ecm_enable
|
|
rm $NSS_IPSEC_OL_FILE
|
|
return
|
|
fi
|
|
|
|
/etc/init.d/ipsec start
|
|
sleep 2
|
|
ipsec eroute
|
|
|
|
ecm_enable
|
|
}
|
|
|
|
stop_klips() {
|
|
if kernel_version_check_5_4; then
|
|
echo "Kernel 5.4 doesn't support klips stack."
|
|
return $?
|
|
fi
|
|
|
|
if kernel_version_check_5_15; then
|
|
echo "Kernel 5.15 doesn't support klips stack."
|
|
return $?
|
|
fi
|
|
|
|
ecm_disable
|
|
|
|
/etc/init.d/ipsec stop
|
|
rmmod qca-nss-ipsec-klips
|
|
rm $NSS_IPSEC_OL_FILE
|
|
|
|
ecm_unload
|
|
}
|
|
|
|
start_xfrm() {
|
|
touch $NSS_IPSEC_OL_FILE
|
|
ecm_load
|
|
|
|
local kernel_version=$(uname -r)
|
|
|
|
# load all NETKEY modules first.
|
|
for mod in xfrm_ipcomp ipcomp xfrm6_tunnel ipcomp6 xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro \
|
|
xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel \
|
|
xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 af_key
|
|
do
|
|
insmod $mod 2> /dev/null
|
|
done
|
|
|
|
# Now load the xfrm plugin
|
|
insmod /lib/modules/${kernel_version}/qca-nss-ipsec-xfrm.ko
|
|
if [ "$?" -gt 0 ]; then
|
|
echo "Failed to load plugin. Please start ecm if not done already"
|
|
ecm_enable
|
|
rm $NSS_IPSEC_OL_FILE
|
|
return
|
|
fi
|
|
|
|
/etc/init.d/ipsec start
|
|
sleep 2
|
|
|
|
ecm_enable
|
|
}
|
|
|
|
stop_xfrm() {
|
|
ecm_disable
|
|
|
|
#Shutdown Pluto first. Then only plugin can be removed.
|
|
plutopid=/var/run/pluto/pluto.pid
|
|
if [ -f $plutopid ]; then
|
|
pid=`cat $plutopid`
|
|
if [ ! -z "$pid" ]; then
|
|
ipsec whack --shutdown | grep -v "002";
|
|
if [ -s $plutopid ]; then
|
|
echo "Attempt to shut Pluto down failed! Trying kill:"
|
|
kill $pid;
|
|
sleep 5;
|
|
fi
|
|
fi
|
|
rm -rf $plutopid
|
|
fi
|
|
ip xfrm state flush;
|
|
ip xfrm policy flush;
|
|
sleep 2
|
|
|
|
#Now we can remove the plugin
|
|
retries=5
|
|
while [ -d /sys/module/qca_nss_ipsec_xfrm ]
|
|
do
|
|
rmmod qca-nss-ipsec-xfrm
|
|
if [ "$?" -eq 0 ]; then
|
|
rm $NSS_IPSEC_OL_FILE
|
|
break
|
|
fi
|
|
|
|
if [ ${retries} -eq 0 ]; then
|
|
echo "Failed to unload qca-nss-ipsec-xfrm plugin!"
|
|
exit
|
|
fi
|
|
|
|
echo "XFRM plugin unload failed; retrying ${retries} times"
|
|
sleep 1
|
|
retries=`expr ${retries} - 1`
|
|
done
|
|
|
|
/etc/init.d/ipsec stop
|
|
ecm_unload
|
|
}
|
|
|
|
start() {
|
|
local protostack=`uci -q get ipsec.setup.protostack`
|
|
if [ "$protostack" = "klips" ]; then
|
|
start_klips
|
|
return $?
|
|
fi
|
|
|
|
start_xfrm
|
|
return $?
|
|
}
|
|
|
|
stop() {
|
|
local protostack=`uci -q get ipsec.setup.protostack`
|
|
if [ "$protostack" = "klips" ]; then
|
|
stop_klips
|
|
return $?
|
|
fi
|
|
|
|
stop_xfrm
|
|
return $?
|
|
}
|
|
|
|
restart() {
|
|
stop
|
|
start
|
|
}
|