postinstall revision 7c478bd95313f5f23a4c958a745db2134aa03244
#! /usr/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#pragma ident "%Z%%M% %I% %E% SMI"
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH
IPSECINIT="$BASEDIR/etc/inet/ipsecinit.conf"
IPSECINITSAMPLE="$BASEDIR/etc/inet/ipsecinit.sample"
#
# Update IPsec policy configuration file only if installed
# on a Sun Fire 15000.
#
platform=`uname -i`
starcat="SUNW,Sun-Fire-15000"
if [ ${platform} != "${starcat}" ]; then
exit 0
fi
issue_warning=0
# Make sure ipsecinit.conf exists
if [ ! -f $IPSECINIT -a -f $IPSECINITSAMPLE ]
then
cp $IPSECINITSAMPLE $IPSECINIT
else
touch $IPSECINIT > /dev/null 2>&1
fi
#
# Function to update ipsecinit.conf if necessary.
#
# Usage:
# add_ipsecinit_entry sport|dport service apply|permit \
# auth_algs [sa_state]
#
# Note: If an entry exists that uses the same (sport|dport)/service
# combination, the default entry is not added. This is to prevent
# the default policies from overriding any custom policies that might
# have been established.
#
add_ipsecinit_entry()
{
# Build default entries
if [ $3 = "permit" ]; then
default="{ $1 $2 ulp tcp } $3 { auth_algs $4 }"
else
default="{ $1 $2 ulp tcp } $3 { auth_algs $4 sa $5 }"
fi
# Check for a default entry
grep "$default" $IPSECINIT > /dev/null 2>&1
if [ $? -eq 0 ]; then
return
fi
#
# Check the file for an entry that has
# a matching (sport|dport)/service pair
#
nawk " BEGIN { RS=\"}\" }
/$1.*$2/ { exit 1 }
" $IPSECINIT > /dev/null 2>&1
# Add an entry if necessary
if [ $? -eq 1 ]; then
echo "Found a policy for $1 $2 that does not match the" \
"default policy"
issue_warning=1
else
echo $default >> $IPSECINIT
fi
}
#
# Add all of our default policies
#
add_ipsecinit_entry dport sun-dr permit md5
add_ipsecinit_entry sport sun-dr apply md5 unique
add_ipsecinit_entry dport cvc_hostd permit md5
add_ipsecinit_entry sport cvc_hostd apply md5 unique
if [ $issue_warning -eq 1 ]; then
echo
echo "NOTICE: One or more of the default IPsec policies for the"
echo "Sun Fire 15000 services has been modified. As a result, the "
echo "default policy for those services was not added. Please verify"
echo "that the /etc/inet/ipsecinit.conf file is correct. For"
echo "more information, refer to sckmd(1M) and ipsecconf(1M)."
echo
fi
exit 0