#! /usr/bin/sh # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # #pragma ident "%Z%%M% %I% %E% SMI" # # Copyright 2006 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # PATH="/usr/bin:/usr/sbin:${PATH}" export PATH IPSECINIT="$BASEDIR/etc/inet/ipsecinit.conf" # # Update IPsec policy configuration file only if installed # on a Sun Fire 15000. # platform=`uname -i` starcat="SUNW,Sun-Fire-15000" if [ ${platform} != "${starcat}" ]; then exit 0 fi issue_warning=0 # # Function to update ipsecinit.conf if necessary. # # Usage: # remove_ipsecinit_entry sport|dport service apply|permit \ # auth_algs [sa_state] # # Note: If an entry exists that uses the same (sport|dport)/service # combination, the default entry is not removed. This is to prevent # the removal of any custom policies that might have been established. # remove_ipsecinit_entry() { # Build default entries if [ $3 = "permit" ]; then default="{ $1 $2 ulp tcp } $3 { auth_algs $4 }" else default="{ $1 $2 ulp tcp } $3 { auth_algs $4 sa $5 }" fi # Check for a default entry, and remove it grep "$default" $IPSECINIT > /dev/null 2>&1 if [ $? -eq 0 ]; then sed "/$default/d" $IPSECINIT > /tmp/ipsec.$$ && \ cat /tmp/ipsec.$$ > $IPSECINIT rm -f /tmp/ipsec.$$ return fi # # Check the file for an entry that # has a matching (sport|dport)/port pair # nawk " BEGIN { RS=\"}\" } /$1.*$2/ { exit 1 } " $IPSECINIT > /dev/null 2>&1 # Found a modified entry, just issue a warning if [ $? -eq 1 ]; then echo "Found a policy for $1 $2 that does not match the" \ "default policy" issue_warning=1 fi } # # Remove all of our default policies # remove_ipsecinit_entry dport sun-dr permit md5 remove_ipsecinit_entry sport sun-dr apply md5 unique remove_ipsecinit_entry dport cvc_hostd permit md5 remove_ipsecinit_entry sport cvc_hostd apply md5 unique if [ $issue_warning -eq 1 ]; then echo echo "NOTICE: One or more of the default IPsec policies for the" echo "Sun Fire 15000 services has been modified. As a result, the" echo "modified policy for those services was not removed. Please" echo "verify that the /etc/inet/ipsecinit.conf file is correct." echo "For more information, refer to sckmd(1M) and ipsecconf(1M)." echo fi exit 0