Linux ns8.secondary29.go.th 2.6.32-754.28.1.el6.x86_64 #1 SMP Wed Mar 11 18:38:45 UTC 2020 x86_64
Apache/2.2.15 (CentOS)
: 122.154.134.11 | : 122.154.134.9
Cant Read [ /etc/named.conf ]
5.6.40
apache
/
usr /
sbin /
Name
Size
Permission
Action
.ipsec.hmac
65
B
-rw-r--r--
.sshd.hmac
65
B
-rw-r--r--
abrt-auto-reporting
24.84
KB
-rwxr-xr-x
abrt-dbus
32.25
KB
-rwxr-xr-x
abrt-install-ccpp-hook
2.77
KB
-rwxr-xr-x
abrt-server
28.77
KB
-rwxr-xr-x
abrtd
26.02
KB
-rwxr-xr-x
accept
10.24
KB
-rwxr-xr-x
accton
10.45
KB
-rwxr-xr-x
adcli
140.36
KB
-rwxr-xr-x
addgnupghome
3.05
KB
-rwxr-xr-x
adduser
108.71
KB
-rwxr-x---
alsa-delay
19.12
KB
-rwxr-xr-x
alsactl
101.37
KB
-rwxr-xr-x
alternatives
27.9
KB
-rwxr-xr-x
anacron
38.05
KB
-rwxr-xr-x
applygnupgdefaults
2.21
KB
-rwxr-xr-x
arpaname
15.68
KB
-rwxr-xr-x
arpd
41.7
KB
-rwxr-xr-x
arping
17.48
KB
-rwxr-xr-x
atrun
67
B
-rwxr-xr-x
authconfig
37.79
KB
-rwxr-xr-x
authconfig-tui
37.79
KB
-rwxr-xr-x
avcstat
13.66
KB
-rwxr-xr-x
biosdecode
17.77
KB
-rwxr-xr-x
brctl
36.81
KB
-rwxr-xr-x
build-locale-archive
741.4
KB
-rwx------
cacertdir_rehash
644
B
-rwxr-xr-x
cache_check
1.54
MB
-rwxr-xr-x
cache_dump
1.54
MB
-rwxr-xr-x
cache_metadata_size
1.54
MB
-rwxr-xr-x
cache_repair
1.54
MB
-rwxr-xr-x
cache_restore
1.54
MB
-rwxr-xr-x
capsh
16.23
KB
-rwxr-xr-x
chpasswd
49.65
KB
-rwxr-xr-x
chroot
31.03
KB
-rwxr-xr-x
cifs.idmap
10.27
KB
-rwxr-xr-x
cifs.upcall
38.75
KB
-rwxr-xr-x
ck-log-system-restart
18.7
KB
-rwxr-xr-x
ck-log-system-start
18.99
KB
-rwxr-xr-x
ck-log-system-stop
18.7
KB
-rwxr-xr-x
clockdiff
15.16
KB
-rwxr-xr-x
console-kit-daemon
155.27
KB
-rwxr-xr-x
convertquota
68.76
KB
-rwxr-xr-x
cpuspeed
22.05
KB
-rwxr-xr-x
cracklib-check
8.8
KB
-rwxr-xr-x
cracklib-format
218
B
-rwxr-xr-x
cracklib-packer
9.31
KB
-rwxr-xr-x
cracklib-unpacker
8.45
KB
-rwxr-xr-x
crda
13.67
KB
-rwxr-xr-x
create-cracklib-dict
990
B
-rwxr-xr-x
cupsaccept
10.24
KB
-rwxr-xr-x
cupsaddsmb
10.3
KB
-rwxr-xr-x
cupsctl
10.28
KB
-rwxr-xr-x
cupsdisable
10.24
KB
-rwxr-xr-x
cupsenable
10.24
KB
-rwxr-xr-x
cupsfilter
28.05
KB
-rwxr-xr-x
cupsreject
10.24
KB
-rwxr-xr-x
ddns-confgen
26.23
KB
-rwxr-xr-x
dmidecode
80.12
KB
-rwxr-xr-x
dnssec-dsfromkey
40.04
KB
-rwxr-xr-x
dnssec-keyfromlabel
39.27
KB
-rwxr-xr-x
dnssec-keygen
47.87
KB
-rwxr-xr-x
dnssec-revoke
32.86
KB
-rwxr-xr-x
dnssec-settime
38.97
KB
-rwxr-xr-x
dnssec-signzone
94.63
KB
-rwxr-xr-x
dump-acct
14.29
KB
-rwxr-xr-x
dump-utmp
14.37
KB
-rwxr-xr-x
e2freefrag
14.12
KB
-rwxr-xr-x
edquota
80.72
KB
-rwxr-xr-x
efibootmgr
49.73
KB
-rwxr-xr-x
eject
31.36
KB
-rwxr-xr-x
era_check
1.54
MB
-rwxr-xr-x
era_dump
1.54
MB
-rwxr-xr-x
era_invalidate
1.54
MB
-rwxr-xr-x
era_restore
1.54
MB
-rwxr-xr-x
ethtool
233.75
KB
-rwxr-xr-x
exportfs
59.65
KB
-rwxr-xr-x
fdformat
11.15
KB
-rwxr-xr-x
filefrag
13.55
KB
-rwxr-xr-x
foomatic-addpjloptions
29.16
KB
-rwxr-xr-x
foomatic-cleanupdrivers
1.34
KB
-rwxr-xr-x
foomatic-extract-text
4.46
KB
-rwxr-xr-x
foomatic-fix-xml
1.5
KB
-rwxr-xr-x
foomatic-getpjloptions
2.09
KB
-rwxr-xr-x
foomatic-kitload
3.17
KB
-rwxr-xr-x
foomatic-nonumericalids
4.39
KB
-rwxr-xr-x
foomatic-preferred-driver
9.1
KB
-rwxr-xr-x
foomatic-printermap-to-gutenpr...
4.99
KB
-rwxr-xr-x
foomatic-replaceoldprinterids
2.54
KB
-rwxr-xr-x
genhomedircon
33
B
-rwxr-xr-x
genrandom
17.37
KB
-rwxr-xr-x
getcap
10.02
KB
-rwxr-xr-x
getenforce
8.55
KB
-rwxr-xr-x
getpcaps
9.05
KB
-rwxr-xr-x
getsebool
10.42
KB
-rwxr-xr-x
glibc_post_upgrade.x86_64
676.62
KB
-rwx------
groupadd
57.71
KB
-rwxr-x---
groupdel
53.52
KB
-rwxr-x---
groupmems
53.67
KB
-rwxr-x---
groupmod
71.95
KB
-rwxr-x---
grpck
53.63
KB
-rwxr-xr-x
grpconv
49.52
KB
-rwxr-xr-x
grpunconv
49.52
KB
-rwxr-xr-x
htcacheclean
19.52
KB
-rwxr-xr-x
httpd
358.53
KB
-rwxr-xr-x
httpd.event
370.79
KB
-rwxr-xr-x
httpd.worker
370.79
KB
-rwxr-xr-x
httxt2dbm
10.93
KB
-rwxr-xr-x
hwclock
47.52
KB
-rwxr-xr-x
iconvconfig
25.89
KB
-rwxr-xr-x
iconvconfig.x86_64
25.89
KB
-rwxr-xr-x
iotop
452
B
-rwxr-xr-x
ipa-client-automount
17.82
KB
-rwxr-xr-x
ipa-client-install
100.75
KB
-rwxr-xr-x
ipa-getkeytab
37.9
KB
-rwxr-xr-x
ipa-join
40.68
KB
-rwxr-xr-x
ipa-rmkeytab
17.28
KB
-rwxr-xr-x
ipsec
11.82
KB
-rwxr-xr-x
isc-hmac-fixup
18.7
KB
-rwxr-xr-x
krb5-send-pr
14.16
KB
-rwxr-xr-x
latencytop
44.71
KB
-rwxr-xr-x
latencytop-tui
25.03
KB
-rwxr-xr-x
lchage
33.5
KB
-rwxr-xr-x
ldattach
13.23
KB
-rwxr-xr-x
ledctl
51.58
KB
-rwxr-xr-x
ledmon
55.14
KB
-rwxr-xr-x
lgroupadd
29.77
KB
-rwxr-xr-x
lgroupdel
28.7
KB
-rwxr-xr-x
lgroupmod
34.48
KB
-rwxr-xr-x
lid
18.53
KB
-rwxr-xr-x
lnewusers
34.29
KB
-rwxr-xr-x
lnstat
17.64
KB
-rwxr-xr-x
load_policy
10.21
KB
-rwxr-xr-x
lokkit
2.15
KB
-rwxr-xr-x
lpadmin
26.57
KB
-rwxr-xr-x
lpasswd
32.46
KB
-rwxr-xr-x
lpc
14.34
KB
-rwxr-xr-x
lpc.cups
14.34
KB
-rwxr-xr-x
lpinfo
14.23
KB
-rwxr-xr-x
lpmove
10.31
KB
-rwxr-xr-x
lsof
154.44
KB
-rwxr-xr-x
lsusb
105.49
KB
-rwxr-xr-x
luseradd
34.71
KB
-rwxr-xr-x
luserdel
30.52
KB
-rwxr-xr-x
lusermod
36.7
KB
-rwxr-xr-x
makedumpfile
309.8
KB
-rwxr-xr-x
makewhatis
13.79
KB
-rwxr-xr-x
matchpathcon
12.01
KB
-rwxr-xr-x
mcelog
117.1
KB
-rwxr-xr-x
mkdict
218
B
-rwxr-xr-x
mklost+found
9.4
KB
-rwxr-xr-x
mksock
10.41
KB
-rwxr-xr-x
mountstats
34.53
KB
-rwxr-xr-x
mtr
63
KB
-rwxr-xr-x
named-checkconf
40.13
KB
-rwxr-xr-x
named-checkzone
35.8
KB
-rwxr-xr-x
named-compilezone
35.8
KB
-rwxr-xr-x
named-journalprint
17.26
KB
-rwxr-xr-x
newusers
71.93
KB
-rwxr-xr-x
nfsidmap
16.46
KB
-rwxr-xr-x
nfsiostat
23.18
KB
-rwxr-xr-x
nfsstat
27.63
KB
-rwxr-xr-x
nsec3hash
18.2
KB
-rwxr-xr-x
nstat
19.88
KB
-rwxr-xr-x
ntp-keygen
180.27
KB
-rwxr-xr-x
ntpdate
108.3
KB
-rwxr-xr-x
ntpdc
248.45
KB
-rwxr-xr-x
ntpq
246.51
KB
-rwxr-xr-x
ntptime
71.14
KB
-rwxr-xr-x
ntsysv
32.95
KB
-rwxr-xr-x
ownership
11.86
KB
-rwxr-xr-x
packer
9.31
KB
-rwxr-xr-x
pdata_tools
1.54
MB
-rwxr-xr-x
pethtool
8.94
KB
-rwxr-xr-x
pifconfig
3.03
KB
-rwxr-xr-x
ping6
35.63
KB
-rwsr-xr-x
pluginviewer
18.22
KB
-rwxr-xr-x
plymouth-set-default-theme
6.2
KB
-rwxr-xr-x
pm-hibernate
2.76
KB
-rwxr-xr-x
pm-powersave
1.53
KB
-rwxr-xr-x
pm-suspend
2.76
KB
-rwxr-xr-x
pm-suspend-hybrid
2.76
KB
-rwxr-xr-x
postconf
297.07
KB
-rwxr-xr-x
postdrop
184.57
KB
-rwxr-sr-x
postmap
212.7
KB
-rwxr-xr-x
postmulti
124.41
KB
-rwxr-xr-x
postqueue
212.73
KB
-rwxr-sr-x
powertop
426.14
KB
-rwxr-xr-x
prelink
1.25
MB
-rwxr-xr-x
pwck
49.61
KB
-rwxr-xr-x
pwconv
45.52
KB
-rwxr-xr-x
pwunconv
36.43
KB
-rwxr-xr-x
quotastats
11.21
KB
-rwxr-xr-x
raid-check
3.7
KB
-rwxr-xr-x
readprofile
15.25
KB
-rwxr-xr-x
redhat_lsb_trigger.x86_64
2.83
KB
-rwx------
regdbdump
9.26
KB
-rwxr-xr-x
reject
10.24
KB
-rwxr-xr-x
repquota
72.66
KB
-rwxr-xr-x
rndc
40.31
KB
-rwxr-xr-x
rndc-confgen
26.63
KB
-rwxr-xr-x
rotatelogs
16.55
KB
-rwxr-xr-x
rpcdebug
16.03
KB
-rwxr-xr-x
rpcinfo
27.25
KB
-rwxr-xr-x
rtacct
35.56
KB
-rwxr-xr-x
rtcwake
17.44
KB
-rwxr-xr-x
run_init
10.32
KB
-rwxr-xr-x
sa
31.53
KB
-rwxr-xr-x
safe_finger
8.69
KB
-rwxr-xr-x
sasldblistusers2
19.8
KB
-rwxr-xr-x
saslpasswd2
17.62
KB
-rwxr-xr-x
selinuxconlist
10.04
KB
-rwxr-xr-x
selinuxdefcon
10.39
KB
-rwxr-xr-x
selinuxenabled
7.8
KB
-rwxr-xr-x
semodule
18.9
KB
-rwxr-xr-x
sendmail
208.61
KB
-rwxr-xr-x
sendmail.postfix
208.61
KB
-rwxr-xr-x
sestatus
14.44
KB
-rwxr-xr-x
setcap
10.77
KB
-rwxr-xr-x
setenforce
9.1
KB
-rwxr-xr-x
setquota
84.78
KB
-rwxr-xr-x
setregdomain
1.47
KB
-rwxr-xr-x
setsebool
14.41
KB
-rwxr-xr-x
setup
15.59
KB
-rwxr-xr-x
showmount
19.34
KB
-rwxr-xr-x
sm-notify
50.41
KB
-rwxr-xr-x
smartctl
560.77
KB
-rwxr-xr-x
smtp-sink
84.54
KB
-rwxr-xr-x
smtp-source
67.55
KB
-rwxr-xr-x
sosreport
898
B
-rwxr-xr-x
ss
73.9
KB
-rwxr-xr-x
sss_cache
87.11
KB
-rwxr-xr-x
start-statd
300
B
-rwxr-xr-x
suexec
13.66
KB
-r-s--x---
sys-unconfig
180
B
-rwxr-xr-x
system-config-network
188
B
-rwxr-xr-x
system-config-network-cmd
13.4
KB
-rwxr-xr-x
system-config-network-tui
10.02
KB
-rwxr-xr-x
t1libconfig
3.83
KB
-rwxr-xr-x
tcpdmatch
38.01
KB
-rwxr-xr-x
tcpdump
725.63
KB
-rwxr-xr-x
tcpslice
24.02
KB
-rwxr-xr-x
testsaslauthd
14.43
KB
-rwxr-xr-x
thin_check
1.54
MB
-rwxr-xr-x
thin_delta
1.54
MB
-rwxr-xr-x
thin_dump
1.54
MB
-rwxr-xr-x
thin_ls
1.54
MB
-rwxr-xr-x
thin_metadata_size
1.54
MB
-rwxr-xr-x
thin_repair
1.54
MB
-rwxr-xr-x
thin_restore
1.54
MB
-rwxr-xr-x
thin_rmap
1.54
MB
-rwxr-xr-x
thin_trim
1.54
MB
-rwxr-xr-x
tickadj
6.02
KB
-rwxr-xr-x
tmpwatch
21.15
KB
-rwxr-xr-x
togglesebool
10.43
KB
-rwxr-xr-x
tracepath
11.17
KB
-rwxr-xr-x
tracepath6
12.02
KB
-rwxr-xr-x
try-from
19.22
KB
-rwxr-xr-x
tunelp
12.24
KB
-rwxr-xr-x
tzdata-update
12.79
KB
-rwxr-xr-x
unbound-anchor
52.26
KB
-rwxr-xr-x
update-alternatives
27.9
KB
-rwxr-xr-x
update-pciids
1.72
KB
-rwxr-xr-x
update-smart-drivedb
8.25
KB
-rwxr-xr-x
useradd
108.71
KB
-rwxr-x---
userdel
71.93
KB
-rwxr-x---
userhelper
41.3
KB
-rws--x--x
usermod
112.4
KB
-rwxr-x---
usernetctl
8.79
KB
-rwsr-xr-x
vigr
59.95
KB
-rwxr-xr-x
vipw
59.95
KB
-rwxr-xr-x
virt-what
10.06
KB
-rwxr-xr-x
visudo
155.24
KB
-rwxr-xr-x
vnstat.cron
311
B
-rwxr-xr-x
vnstatd
59.95
KB
-rwxr-xr-x
vpddecode
14.49
KB
-rwxr-xr-x
warnquota
80.91
KB
-rwxr-xr-x
yppoll
16.26
KB
-rwxr-xr-x
ypserv_test
19.26
KB
-rwxr-xr-x
ypset
14.2
KB
-rwxr-xr-x
yptest
19.48
KB
-rwxr-xr-x
yum-complete-transaction
9.7
KB
-rwxr-xr-x
yumdb
7.83
KB
-rwxr-xr-x
zdump
16.98
KB
-rwxr-xr-x
zic
49.08
KB
-rwxr-xr-x
Code Editor : ipsec
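#!/bin/sh
#
# prefix command to run stuff from our programs directory
#
# Copyright (C) 1998-2002 Henry Spencer.
# Copyright (C) 2013-2015 Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2013-2014 Paul Wouters <pwouters@redhat.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#

# Any non-empty IPSEC_INIT_SCRIPT_DEBUG turns on shell tracing.
test "${IPSEC_INIT_SCRIPT_DEBUG}" && set -v -x

# where the private directory and the config files are
#
# Every default below can be overridden from the caller's environment.
# IPSEC_EXECDIR and IPSEC_SBINDIR decide which binaries this script runs,
# so when it is invoked across a privilege boundary (sudo, a service
# wrapper) the environment should be reset first (e.g. sudo's env_reset).
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
IPSEC_EXECDIR="${IPSEC_EXECDIR:-/usr/libexec/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR:-/usr/sbin}"
IPSEC_CONFDDIR="${IPSEC_CONFDDIR:-/etc/ipsec.d}"
IPSEC_NSSDIR="${IPSEC_NSSDIR:-/etc/ipsec.d}"
IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
IPSEC_NSSPW="${IPSEC_CONFDDIR}/nsspassword"
DBPW=""
CACERTDIR="${IPSEC_CONFDDIR}/cacerts"
CRLDIR="${IPSEC_CONFDDIR}/crls"

IPSEC_DIR="${IPSEC_EXECDIR}"
export IPSEC_DIR IPSEC_EXECDIR IPSEC_CONF

# standardize PATH, and export it for everything else's benefit
PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
export PATH

# suppress ElectricFence banner changing our reference testing output
export EF_DISABLE_BANNER=1

# things not to be listed in --help command list
DONTMENTION='^(ipsec|_.*|.*\.old|.*\.orig|.*~)$'

# version numbering (details filled in by build)
# Possibly should call a C program to invoke the version_code() function
# instead, but for performance's sake, we inline it here (and only here).
version="3.15"

# export the version information
IPSEC_VERSION="${version}"
export IPSEC_VERSION

# Rewrite ${version} into the user/kernel version string printed by the
# usage, --help and --version paths.
# Globals: version (read and rewritten), stack and kv (scratch).
fixversion() {
    stack=""
    if [ -f /proc/net/ipsec_version ]; then
        stack=" (klips)"
        kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
    elif [ -f /proc/net/pfkey ]; then
        stack=" (netkey)"
        kv="${version}"
    elif [ -f /mach_kernel ]; then
        stack=" (OSX)"
        kv="$(uname -r)"
    else
        kv="(no kernel code presently loaded)"
    fi
    if [ "${kv}" != "${version}" ]; then
        version="U${version}/K${kv}"
    fi
    version="${version}${stack} on $(uname -r)"
}

# Walk every nickname in the NSS database and re-apply the 'CT,,' trust
# flags to each certificate that certutil reports as a CA but whose
# "ssl flags" section does not show exactly two "trusted" lines.
# Globals: IPSEC_NSSDIR_SQL (read).
set_db_trusts() {
    # has to handle a NSS nick with spaces: awk blanks the last column (the
    # trust flags) and read -r trims the whitespace that leaves behind.
    certutil -L -d "${IPSEC_NSSDIR_SQL}" |
        grep -E -v 'Certificate|MIME' |
        awk '{$NF=""; print $0}' |
        grep -v "^$" |
        while read -r cert; do
            # The database path is quoted everywhere so a directory name
            # containing whitespace cannot split into extra arguments.
            certutil -L -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" |
                grep -q 'Is a CA' || continue
            trusted=$(certutil -L -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" |
                grep -i -A3 'ssl flags' |
                grep -i -c 'trusted')
            if [ "${trusted}" -ne 2 ]; then
                echo "correcting trust bits for ${cert}"
                certutil -M -d "${IPSEC_NSSDIR_SQL}" -n "${cert}" -t 'CT,,'
            fi
        done
}

# Print the value found on the nflog line(s) of "ipsec addconn
# --configsetup": everything after the last '=', single quotes stripped.
# Prints nothing when no such line exists.
nflog_configured_group() {
    ASAN_OPTIONS=detect_leaks=0 ipsec addconn --configsetup |
        grep nflog |
        sed -e "s/^.*=//" -e "s/'//g"
}

# Print the last word of the last "all-ipsec nflog-group" rule that
# iptables currently lists; prints nothing when there is no such rule.
nflog_installed_group() {
    iptables -L -n |
        grep "all-ipsec nflog-group" |
        sed "s/^.* //" |
        tail -1
}

# Insert or delete the pair of all-ipsec NFLOG rules.
# Arguments: $1 - iptables action letter (I or D), $2 - nflog group.
# The group is passed as one quoted argument so a malformed configuration
# value cannot turn into additional iptables options.
nflog_rules() {
    iptables "-${1}" INPUT -m policy --dir in --pol ipsec \
        -j NFLOG --nflog-group "${2}" --nflog-prefix all-ipsec
    iptables "-${1}" OUTPUT -m policy --dir out --pol ipsec \
        -j NFLOG --nflog-group "${2}" --nflog-prefix all-ipsec
}

case "${1}" in
'')
    echo "Usage: ipsec <command> <argument ...>"
    echo "Use --help for a list of commands, or see the ipsec(8) manual page"
    echo "Most commands have their own manual pages, e.g. ipsec_auto(8)."
    echo "See <http://www.libreswan.org> for more general info."
    fixversion
    echo "Linux Libreswan ${version}"
    exit 0
    ;;
status|--status)
    exec ipsec auto --status
    ;;
start|--start)
    exec ipsec setup start
    ;;
stop|--stop)
    exec ipsec setup stop
    ;;
restart|--restart)
    # restart does not work when stopped in systemd, so do stop + start
    ipsec setup stop
    exec ipsec setup start
    ;;
help|--help)
    echo "Usage: ipsec <command> <argument ...>"
    echo "where <command> is one of:"
    echo ""
    # Commands are printed two per line; the first of each pair is padded
    # with tabs according to its length. printf replaces "echo -e -n",
    # whose options are not portable across /bin/sh implementations.
    GOTTWO=""
    for f in start stop restart status import initnss checknss checknflog \
        $(ls "${IPSEC_EXECDIR}" | grep -E -v -i "${DONTMENTION}"); do
        if [ -z "${GOTTWO}" ]; then
            # first of two entries
            GOTTWO="${f}"
        else
            # second of two entries, we can print
            printf ' %s' "${GOTTWO}"
            if [ "${#GOTTWO}" -ge 16 ]; then
                printf '\t'
            elif [ "${#GOTTWO}" -ge 8 ]; then
                printf '\t\t'
            else
                printf '\t\t\t'
            fi
            echo "${f}"
            GOTTWO=""
        fi
    done
    if [ -n "${GOTTWO}" ]; then
        # leftover entry
        echo " ${GOTTWO}"
    fi
    echo
    echo "See also: man ipsec <command> or ipsec <command> --help"
    echo "See <https://libreswan.org/> for more general info."
    fixversion
    echo "Linux Libreswan ${version}"
    exit 0
    ;;
# some ubuntu/debian scripts use --versioncode, so let's keep the alias
version|--version|--versioncode)
    fixversion
    echo "Linux Libreswan ${version}"
    exit 0
    ;;
--directory)
    echo "${IPSEC_DIR}"
    exit 0
    ;;
--stopnflog|stopnflog)
    NFGROUP=$(nflog_configured_group)
    if [ -z "${NFGROUP}" ]; then
        exit 0
    fi
    nflog_rules D "${NFGROUP}"
    exit 0
    ;;
--checknflog|checknflog|nflog)
    NFGROUP=$(nflog_configured_group)
    OLDNFGROUP=$(nflog_installed_group)
    if [ -z "${NFGROUP}" ]; then
        # capture is not configured: drop any rules left from before
        if [ -n "${OLDNFGROUP}" ]; then
            echo "deleting rules with old nflog group ${OLDNFGROUP}"
            nflog_rules D "${OLDNFGROUP}"
        fi
        echo "nflog ipsec capture disabled"
        exit 0
    fi
    if [ -n "${OLDNFGROUP}" ]; then
        if [ "${NFGROUP}" = "${OLDNFGROUP}" ]; then
            # nothing to do
            echo "nflog ipsec capture enabled on nflog:${NFGROUP}"
            exit 0
        fi
        # delete rules with old group number
        echo "deleting rules with old nflog group ${OLDNFGROUP}"
        nflog_rules D "${OLDNFGROUP}"
    fi
    # insert rules with current group number
    nflog_rules I "${NFGROUP}"
    echo "nflog ipsec capture enabled on nflog:${NFGROUP}"
    exit 0
    ;;
sniff|--sniff)
    if [ -z "${2}" ]; then
        NFGROUP=$(nflog_configured_group)
        tcpdump -n -i "nflog:${NFGROUP}"
    else
        echo "conn specific coming soon"
    fi
    exit 0
    ;;
import|--import)
    if [ -n "${2}" ]; then
        # A lot of nss commands use -d or --configdir to specify
        # NSS db location. We use --ipsecdir so we are consistent
        # with pluto options
        case "${2}" in
        -d|--configdir|--ipsecdir)
            if [ -d "${3}" ]; then
                IPSEC_NSSDIR="${3}"
            else
                echo "usage: ipsec import [--configdir|--ipsecdir /etc/ipsec.d] /path/to/pkcs.12" >&2
                exit 1
            fi
            shift
            shift
            ;;
        esac
        IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
    fi
    if [ -z "${2}" ] || [ ! -f "${2}" ]; then
        echo "usage: ipsec import [--configdir|--ipsecdir /etc/ipsec.d] /path/to/pkcs.12" >&2
        exit 1
    fi
    # NOTE(review): pk12util's exit status is not checked, so a failed
    # import still ends in "exit 0" below.
    pk12util -i "${2}" -d "${IPSEC_NSSDIR_SQL}"
    # check and correct trust bits
    set_db_trusts
    exit 0
    ;;
initnss|--initnss|checknss|--checknss)
    if [ -n "${2}" ]; then
        # A lot of nss commands use -d or --configdir to specify
        # NSS db location. We use --ipsecdir so we are consistent
        # with pluto options
        case "${2}" in
        -d|--configdir|--ipsecdir)
            IPSEC_NSSDIR="${3}"
            ;;
        *)
            IPSEC_NSSDIR="${2}"
            ;;
        esac
        IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
    fi
    # A directory option given without a value would otherwise make every
    # path below resolve relative to "/".
    if [ -z "${IPSEC_NSSDIR}" ]; then
        echo "${0}: ${1} needs a directory after ${2}" >&2
        exit 1
    fi
    if [ ! -d "${IPSEC_NSSDIR}" ]; then
        mkdir -p "${IPSEC_NSSDIR}"
    fi

    # if we have old database
    if [ -f "${IPSEC_NSSDIR}/cert8.db" ] ||
        [ -f "${IPSEC_NSSDIR}/key3.db" ] ||
        [ -f "${IPSEC_NSSDIR}/secmod.db" ]; then
        if [ ! -f "${IPSEC_NSSDIR}/cert9.db" ] ||
            [ ! -f "${IPSEC_NSSDIR}/key4.db" ]; then
            IMPORTDBPW=""
            if ! NSSTMP=$(mktemp -d /tmp/ipsec_nss_tmp.XXXXXXXXXX); then
                echo "Failed to create temporary directory for NSS db migration" >&2
                exit 4
            fi
            # The work directory receives copies of the NSS password, so
            # remove it on every exit path, including the failures below.
            trap 'rm -rf -- "${NSSTMP:?}"' EXIT

            # save current umask
            saved_umask=$(umask)
            # set safe umask
            umask 077
            echo "Migrating NSS db to ${IPSEC_NSSDIR_SQL}"

            # this section works around a few certutil quirks
            # to maintain the current password and merge keys
            if ! certutil -N -d sql:"${NSSTMP}" --empty-password; then
                echo "Failed to initialize nss database sql:${NSSTMP}" >&2
                exit 4
            fi
            if [ -f "${IPSEC_NSSPW}" ]; then
                # Look for FIPS format of token:pw, or just the pw.
                # The password is written twice into the same file.
                if grep -q ':' "${IPSEC_NSSPW}"; then
                    {
                        cut -d':' -f2 "${IPSEC_NSSPW}"
                        cut -d':' -f2 "${IPSEC_NSSPW}"
                    } > "${NSSTMP}/nsspassword.txt"
                else
                    {
                        cat "${IPSEC_NSSPW}"
                        cat "${IPSEC_NSSPW}"
                    } > "${NSSTMP}/nsspassword.txt"
                fi
                # For the empty password prompt:
                printf '\n\n\n' > "${NSSTMP}/nsspassword2.txt"
                # Change blank pw to the current, and use
                # for certutil --upgrade-merge
                certutil -W -d sql:"${NSSTMP}" \
                    -f "${NSSTMP}/nsspassword2.txt" \
                    -@ "${NSSTMP}/nsspassword.txt"
                DBPW="-f ${NSSTMP}/nsspassword.txt -@ ${NSSTMP}/nsspassword.txt"
                IMPORTDBPW="-f ${NSSTMP}/nsspassword.txt"
            fi
            # restore umask
            umask "${saved_umask}"

            # DBPW and IMPORTDBPW are left unquoted on purpose: each holds
            # several options that must split into separate words. The
            # mktemp template above contains no whitespace.
            # shellcheck disable=SC2086
            certutil --upgrade-merge --source-dir "${IPSEC_NSSDIR}" \
                -d sql:"${NSSTMP}" --upgrade-id pluto ${DBPW}
            # Keep certutil's status: reading $? after the echo would
            # report the echo's success and exit 0 on a failed upgrade.
            rc=$?
            if [ "${rc}" -ne 0 ]; then
                echo "NSS upgrade failed. You should run certutil --upgrade-merge manually against ${IPSEC_NSSDIR_SQL}"
                exit "${rc}"
            fi

            # import cacerts and crls; a file that fails to import is
            # reported by printing its name
            if [ -d "${CACERTDIR}" ]; then
                for file in "${CACERTDIR}"/*; do
                    if [ -f "${file}" ]; then
                        filename=$(basename "${file}")
                        name=${filename%%.*}
                        # shellcheck disable=SC2086
                        certutil -A -i "${file}" -d sql:"${NSSTMP}" \
                            -n "${name}" -t 'CT,,' ${IMPORTDBPW} ||
                            echo "${file}"
                    fi
                done
            fi
            if [ -d "${CRLDIR}" ]; then
                for file in "${CRLDIR}"/*; do
                    if [ -f "${file}" ]; then
                        # shellcheck disable=SC2086
                        crlutil -I -i "${file}" -d sql:"${NSSTMP}" -B \
                            ${IMPORTDBPW} ||
                            echo "${file}"
                    fi
                done
            fi
            # NOTE(review): the *.txt glob also copies the nsspassword*.txt
            # work files (which hold the database password) next to the
            # databases; confirm that is intended.
            cp "${NSSTMP}"/*.db "${NSSTMP}"/*.txt "${IPSEC_NSSDIR}"
            rm -f "${NSSTMP}"/*.txt "${NSSTMP}"/*.db
            rmdir "${NSSTMP}"
            echo "NSS upgrade complete"
        fi
        exit 0
    fi

    # no old database
    if [ -f "${IPSEC_NSSDIR}/cert9.db" ] || [ -f "${IPSEC_NSSDIR}/key4.db" ]; then
        case "${1}" in
        checknss|--checknss)
            exit 0
            ;;
        esac
        echo "NSS database already initialised - aborted"
        echo "To wipe the old NSS database, issue: rm ${IPSEC_NSSDIR}/*.db"
        exit 42
    fi

    echo "Initializing NSS database"
    echo "See 'man pluto' if you want to protect the NSS database with a password"
    echo ""
    if ! certutil -N -d "${IPSEC_NSSDIR_SQL}" --empty-password; then
        echo "Failed to initialize nss database ${IPSEC_NSSDIR_SQL}" >&2
        exit 4
    fi
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -Rv "${IPSEC_NSSDIR}"
    fi
    exit 0
    ;;
--*)
    echo "${0}: unknown option \"${1}\" (perhaps command name was omitted?)" >&2
    exit 1
    ;;
esac

# Anything else is looked up as a helper program inside IPSEC_EXECDIR.
cmd="${1}"
shift

# A command name is a single file name. Names containing a slash are
# refused so the lookup cannot leave IPSEC_EXECDIR, and -f keeps
# directories (which also pass -x) from being treated as commands.
case "${cmd}" in
*/*)
    path=""
    ;;
*)
    path="${IPSEC_EXECDIR}/${cmd}"
    ;;
esac
if [ -z "${path}" ] || [ ! -f "${path}" ] || [ ! -x "${path}" ]; then
    echo "${0}: unknown IPsec command \"${cmd}\" (\"ipsec --help\" for list)" >&2
    exit 1
fi
exec "${path}" "$@"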