OpenSolaris_b135/pkgdefs/SUNWsckmr/preremove

#! /usr/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#pragma ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

IPSECINIT="$BASEDIR/etc/inet/ipsecinit.conf"

#
# Update IPsec policy configuration file only if installed
# on a Sun Fire 15000.
#
platform=`uname -i`
starcat="SUNW,Sun-Fire-15000"
if [ ${platform} != "${starcat}" ]; then
	exit 0
fi

issue_warning=0

#
# Function to update ipsecinit.conf if necessary.
#
# Usage:
#	remove_ipsecinit_entry  sport|dport  service  apply|permit \
#		auth_algs  [sa_state]
#
# Note: If an entry exists that uses the same (sport|dport)/service
# combination, the default entry is not removed. This is to prevent
# the removal of any custom policies that might have been established.
#
remove_ipsecinit_entry()
{
	# Build default entries
	if [ $3 = "permit" ]; then
		default="{ $1 $2 ulp tcp } $3 { auth_algs $4 }"
	else
		default="{ $1 $2 ulp tcp } $3 { auth_algs $4 sa $5 }"
	fi

	# Check for a default entry, and remove it
	grep "$default" $IPSECINIT > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		sed "/$default/d" $IPSECINIT > /tmp/ipsec.$$ && \
		    cat /tmp/ipsec.$$ > $IPSECINIT
		rm -f /tmp/ipsec.$$
		return
	fi

	#
	# Check the file for an entry that
	# has a matching (sport|dport)/port pair
	#
	nawk "	BEGIN		{ RS=\"}\" }
		/$1.*$2/	{ exit 1 }
	" $IPSECINIT > /dev/null 2>&1

	# Found a modified entry, just issue a warning
	if [ $? -eq 1 ]; then
		echo "Found a policy for $1 $2 that does not match the" \
		     "default policy"
		issue_warning=1
	fi
}


#
# Remove all of our default policies
#
remove_ipsecinit_entry dport sun-dr permit md5
remove_ipsecinit_entry sport sun-dr apply md5 unique
remove_ipsecinit_entry dport cvc_hostd permit md5
remove_ipsecinit_entry sport cvc_hostd apply md5 unique


if [ $issue_warning -eq 1 ]; then
	echo
	echo "NOTICE: One or more of the default IPsec policies for the"
	echo "Sun Fire 15000 services has been modified. As a result, the"
	echo "modified policy for those services was not removed. Please"
	echo "verify that the /etc/inet/ipsecinit.conf file is correct."
	echo "For more information, refer to sckmd(1M) and ipsecconf(1M)."
	echo
fi

exit 0