#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2017  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

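# strongSwan "updown" hook for IPFire IPsec connections.
#
# strongSwan runs this script once per child-SA event and exports the PLUTO_*
# environment.  The script reads the IPFire connection configuration, creates
# or removes the tunnel device for the "gre-*" and "vti" modes, and installs or
# removes the route towards the peer's client network.
#
# Environment (set by strongSwan):
#   PLUTO_VERSION      - only its presence is checked, to assert the caller
#   PLUTO_CONNECTION   - name of the IPFire connection whose config is read
#   PLUTO_VERB         - event, e.g. up-client, down-host (and the -v6 variants)
#   PLUTO_ME           - local tunnel endpoint address
#   PLUTO_PEER         - remote tunnel endpoint address
#   PLUTO_PEER_CLIENT  - remote client network the route is installed for
#   PLUTO_MARK_IN/OUT  - VTI ikey/okey; everything from the last "/" on is
#                        stripped (presumably a mark/mask suffix - confirm
#                        against the strongSwan updown documentation)
#
# Variables provided by ipsec_connection_read_config:
#   MODE               - "gre-*", "vti" or a mode without a tunnel device
#
# Exits with EXIT_ERROR when the configuration cannot be read or the tunnel
# device cannot be created; EXIT_OK otherwise.

LOG_DISABLE_STDOUT="true"

. /usr/lib/network/functions

# Read network settings
network_settings_read

# Make sure we are called by strongSwan
assert isset PLUTO_VERSION

CONNECTION="${PLUTO_CONNECTION}"

if ! ipsec_connection_read_config "${CONNECTION}"; then
	log ERROR "Could not read configuration for ${CONNECTION}"
	exit "${EXIT_ERROR}"
fi

# Interface name for this IPsec connection.
# INTERFACE stays unset for modes without a tunnel device; the route is then
# installed via the peer address instead of via a device.
case "${MODE}" in
	gre-*|vti)
		INTERFACE="ipsec-${CONNECTION}"
		;;
esac

log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"

case "${PLUTO_VERB}" in
	up-client|up-client-v6|up-host|up-host-v6)
		case "${MODE}" in
			gre-*)
				if ! device_exists "${INTERFACE}"; then
					# Do not continue with a device that was never created;
					# bringing it up and routing to it would only fail later
					if ! ip_tunnel_add "${INTERFACE}" \
						--mode="gre" \
						--local-address="${PLUTO_ME}" \
						--remote-address="${PLUTO_PEER}"; then
						log ERROR "Could not create GRE device for ${CONNECTION}"
						exit "${EXIT_ERROR}"
					fi

					device_set_up "${INTERFACE}"
				fi
				;;
			vti)
				if device_exists "${INTERFACE}"; then
					# The device survives a rekey; only the keys may change
					ip_tunnel_change_keys "${INTERFACE}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"

				else
					# Same handling as the GRE case: a missing device must not
					# be brought up or used as a route target
					if ! ip_tunnel_add "${INTERFACE}" \
						--mode="vti" \
						--local-address="${PLUTO_ME}" \
						--remote-address="${PLUTO_PEER}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"; then
						log ERROR "Could not create VTI device for ${CONNECTION}"
						exit "${EXIT_ERROR}"
					fi
				fi

				device_set_up "${INTERFACE}"
				;;
		esac

		# Set routes
		if isset INTERFACE; then
			cmd ip route add "${PLUTO_PEER_CLIENT}" \
				dev "${INTERFACE}"
		else
			cmd ip route add "${PLUTO_PEER_CLIENT}" \
				via "${PLUTO_PEER}"
		fi
		;;

	down-client|down-client-v6|down-host|down-host-v6)
		# Remove routes
		cmd ip route del "${PLUTO_PEER_CLIENT}"

		# Remove interfaces
		case "${MODE}" in
			gre-*|vti)
				if device_exists "${INTERFACE}"; then
					device_set_down "${INTERFACE}"

					ip_tunnel_del "${INTERFACE}"
				fi
				;;
		esac
		;;
esac

exit "${EXIT_OK}"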
