From e63b5f5e39e2012bbdf1ca8301c6eb2cd13716cb Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 2 Jul 2014 20:52:27 +0200
Subject: Remove IPSec related files.

---
 roles/common/files/etc/network/if-up.d/ipsec | 68 ----------------------------
 1 file changed, 68 deletions(-)
 delete mode 100755 roles/common/files/etc/network/if-up.d/ipsec

(limited to 'roles/common/files')

diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
deleted file mode 100755
index 4a84112..0000000
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/sh
-
-# A post-up/down hook to automatically create/delete a 'sec' VLAN
-# device, and a dedicated, host-scoped, IP for IPSec (v4 only).
-# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-set -ue
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-
-ifsec=sec0
-ipsec=172.16.0.1/32
-
-# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh.
-secmark=0xA99
-
-# Ignore the loopback interface and non inet4 families.
-[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
-
-# Only the device with the default, globally-scoped route, is of
-# interest here.
-[ "$( /bin/ip -4 route show to default scope global \
-    | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \
-  = \
-  "$IFACE" ] || exit 0
-
-case "$MODE" in
-    start) # Don't create $ifsec if it's already there
-           if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
-               # Create a new VLAN $IFACE on physical device $ifsec. This is
-               # required otherwise charon thinks the left peer is that
-               # host-scoped, non-routable IP.
-               /bin/ip link    add link "$IFACE" name "$ifsec" type vlan id 2713
-               /bin/ip address add "$ipsec" dev "$ifsec" scope host
-               /bin/ip link    set dev "$ifsec" up
-           fi
-
-           # If a packet retained its mark that far, it means it has
-           # been SNAT'ed from $ipsec, and didn't have a xfrm
-           # association.  Hence we nullroute it to avoid to leak data
-           # intented to be tunneled through IPSec.  /!\ The priority
-           # must be >220 (which the one used by strongSwan IPSec) since
-           # xfrm lookup must take precedence.
-           /bin/ip rule  add fwmark "$secmark" table 666 priority 666 || true
-           /bin/ip route add prohibit default  table 666              || true
-    ;;
-    stop)  if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
-               # Deactivate the VLAN
-               /bin/ip link set dev "$ifsec" down
-           fi
-
-           # Delete the 'prohibit' rule
-           /bin/ip rule  del fwmark "$secmark" table 666 priority 666 || true
-           /bin/ip route flush table 666
-    ;;
-esac
-- 
cgit v1.2.3