#!/bin/sh -x

#
# sa-up.sh -- local host configuration (inner address, routes, SPD entries,
# resolver) applied by racoon when a new SA comes up.  All parameters arrive
# in the environment and are validated before use.
#
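PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

#
# Helpers
#

# Report a fatal error and stop configuring this SA.  Nothing below is
# worth doing with missing or malformed parameters, and a half-applied
# configuration (resolver pointed at a tunnel that has no route) is
# worse than none.
die() {
	printf '%s: %s\n' "$0" "$*" >&2
	exit 1
}

# Succeed when $1 is a plain dotted-quad IPv4 address or netmask
# (exactly four decimal octets, each 0-255).  Empty strings, names,
# extra words, newlines or anything else are rejected.
is_ipv4() {
	case "$1" in
	''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
	esac
	echo "$1" | awk -F. '
		NF != 4 { exit 1 }
		{ for (i = 1; i <= 4; i++) if (length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Succeed when $1 is a decimal integer within $2..$3 (inclusive).
is_int_in() {
	case "$1" in
	''|*[!0-9]*) return 1 ;;
	esac
	[ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Print the prefix length for $1: a dotted-quad netmask has its set bits
# counted (255.255.255.0 -> 24); a value without dots is assumed to be a
# prefix length already and is printed unchanged.
mask2prefix() {
	case "$1" in
	*.*)
		echo "$1" | awk -F. '{
			n = 0
			for (i = 1; i <= 4; i++) {
				o = $i + 0
				while (o > 0) { n += o % 2; o = int(o / 2) }
			}
			print n
		}'
		;;
	*)
		echo "$1"
		;;
	esac
}

# Print the dotted-quad netmask for $1: a prefix length is expanded
# (24 -> 255.255.255.0); a value containing dots is assumed to be a
# netmask already and is printed unchanged.
prefix2mask() {
	case "$1" in
	*.*)
		echo "$1"
		;;
	*)
		awk -v p="$1" 'BEGIN {
			for (i = 0; i < 4; i++) {
				b = p - 8 * i
				if (b >= 8) o = 255
				else if (b <= 0) o = 0
				else o = 256 - 2 ^ (8 - b)
				printf "%s%d", (i ? "." : ""), o
			}
			print ""
		}'
		;;
	esac
}

#
# Which OS is this, and where does traffic leave the box right now?
# The current default gateway and interface are what the IPsec peer
# itself must remain reachable through once the tunnel is up.
#
OS=`uname -s`
case "${OS}" in
NetBSD)
	DEFAULT_GW=`netstat -rn | awk '($1 == "default"){print $2}'`
	DEFAULT_IF=`netstat -rn | awk '($1 == "default"){print $7}'`
	;;
Linux)
	DEFAULT_GW=`netstat -rn | awk '($1 == "0.0.0.0"){print $2}'`
	DEFAULT_IF=`netstat -rn | awk '($1 == "0.0.0.0"){print $8}'`
	;;
*)
	# Routes and interface aliases below are OS-specific; without them
	# the resolver and SPD changes would only leave the host broken.
	die "unsupported OS '${OS}'"
	;;
esac
# A missing or duplicated default route yields an empty/multi-line value,
# neither of which can be used on a route(8) command line.
is_ipv4 "${DEFAULT_GW}" || die "cannot determine the default gateway (got '${DEFAULT_GW}')"
[ -n "${DEFAULT_IF}" ] || die "cannot determine the default interface"

#
# Sanity-check the parameters racoon hands us in the environment.  They
# presumably originate from the remote gateway (mode-config attributes),
# so treat them as untrusted: each one is interpolated into a command
# run as root, a setkey policy, or /etc/resolv.conf, where an extra word
# or newline would be an injection.  Only plain dotted quads pass.
#
is_ipv4 "${INTERNAL_ADDR4}"    || die "INTERNAL_ADDR4 is not an IPv4 address: '${INTERNAL_ADDR4}'"
is_ipv4 "${INTERNAL_NETMASK4}" || die "INTERNAL_NETMASK4 is not an IPv4 netmask: '${INTERNAL_NETMASK4}'"
is_ipv4 "${INTERNAL_DNS4}"     || die "INTERNAL_DNS4 is not an IPv4 address: '${INTERNAL_DNS4}'"
is_ipv4 "${LOCAL_ADDR}"        || die "LOCAL_ADDR is not an IPv4 address: '${LOCAL_ADDR}'"
is_ipv4 "${REMOTE_ADDR}"       || die "REMOTE_ADDR is not an IPv4 address: '${REMOTE_ADDR}'"

#
# Which traffic goes through the tunnel?  Without SPLIT_INCLUDE the
# tunnel carries everything: MYNET stays 0.0.0.0 and the default route
# is moved into the tunnel.  With SPLIT_INCLUDE ("net/mask", mask being
# either a dotted quad or a prefix length) only that network is routed
# and protected.  Both mask forms are derived because route(8) wants a
# dotted netmask while setkey(8) wants a prefix length.  Only the first
# SPLIT_INCLUDE entry is honoured.
#
MYNET='0.0.0.0'
MYMASK=''
MYPREFIX=0
if [ -n "${SPLIT_LOCAL}" ]; then
	echo "$0: SPLIT_LOCAL is not implemented, ignoring '${SPLIT_LOCAL}'" >&2
fi
if [ -n "${SPLIT_INCLUDE}" ]; then
	# Word-split without globbing so a stray '*' cannot expand.
	set -f
	set -- ${SPLIT_INCLUDE}
	set +f
	[ $# -gt 1 ] && echo "$0: only the first SPLIT_INCLUDE entry is used, ignoring the rest of '${SPLIT_INCLUDE}'" >&2
	case "$1" in
	*/*) ;;
	*) die "SPLIT_INCLUDE must be net/mask: '$1'" ;;
	esac
	MYNET=${1%%/*}
	RAWMASK=${1#*/}
	is_ipv4 "${MYNET}" || die "SPLIT_INCLUDE network is not an IPv4 address: '${MYNET}'"
	if is_ipv4 "${RAWMASK}" || is_int_in "${RAWMASK}" 0 32; then
		MYPREFIX=`mask2prefix "${RAWMASK}"`
		MYMASK=`prefix2mask "${RAWMASK}"`
	else
		die "SPLIT_INCLUDE mask is neither a netmask nor a prefix length: '${RAWMASK}'"
	fi
	# A non-contiguous mask (e.g. 255.0.255.0) has a bit count but no
	# prefix length; refuse it rather than install a route and a policy
	# that cover different things.
	[ "`prefix2mask "${MYPREFIX}"`" = "${MYMASK}" ] \
		|| die "SPLIT_INCLUDE mask is not a contiguous netmask: '${RAWMASK}'"
fi

#
# Bring up the tunnel's inner address and route traffic into it.  The
# peer itself must always be reached via the old default gateway, so in
# the full-tunnel case that host route is installed *before* the default
# route is replaced; otherwise there is a window (or, if adding the new
# default route fails, a permanent state) with no path to the peer.
#
case "${OS}" in
NetBSD)
	ifconfig "${DEFAULT_IF}" alias "${INTERNAL_ADDR4}" netmask "${INTERNAL_NETMASK4}" \
		|| die "cannot add ${INTERNAL_ADDR4} to ${DEFAULT_IF}"
	if [ "${MYNET}" != '0.0.0.0' ]; then
		# Split tunnel: only MYNET is routed through the inner address.
		route add -net "${MYNET}" -netmask "${MYMASK}" "${DEFAULT_GW}" -ifa "${INTERNAL_ADDR4}" \
			|| die "cannot add route to ${MYNET}/${MYPREFIX}"
	else
		# Full tunnel.  The host route may already exist from an earlier
		# SA, so its failure is not fatal.
		route add "${REMOTE_ADDR}" "${DEFAULT_GW}"
		route delete default
		route add default "${DEFAULT_GW}" -ifa "${INTERNAL_ADDR4}" \
			|| die "cannot replace the default route (host is now without one)"
	fi
	;;
Linux)
	ifconfig "${DEFAULT_IF}:1" inet "${INTERNAL_ADDR4}" netmask "${INTERNAL_NETMASK4}" \
		|| die "cannot add ${INTERNAL_ADDR4} to ${DEFAULT_IF}:1"
	if [ "${MYNET}" != '0.0.0.0' ]; then
		# Split tunnel: only MYNET is routed through the alias interface.
		route add -net "${MYNET}" netmask "${MYMASK}" gw "${DEFAULT_GW}" dev "${DEFAULT_IF}:1" \
			|| die "cannot add route to ${MYNET}/${MYPREFIX}"
	else
		# Full tunnel.  The host route may already exist from an earlier
		# SA, so its failure is not fatal.
		route add "${REMOTE_ADDR}" gw "${DEFAULT_GW}" dev "${DEFAULT_IF}"
		route delete default
		route add default gw "${DEFAULT_GW}" dev "${DEFAULT_IF}:1" \
			|| die "cannot replace the default route (host is now without one)"
	fi
	;;
esac

#
# Security policy: require ESP tunnel mode between LOCAL and REMOTE for
# exactly the traffic that was routed into the tunnel above.
#

# Use this for a NAT-T setup: the tunnel endpoints carry the UDP
# encapsulation ports, which must be plain port numbers.
is_int_in "${LOCAL_PORT}" 1 65535  || die "LOCAL_PORT is not a port number: '${LOCAL_PORT}'"
is_int_in "${REMOTE_PORT}" 1 65535 || die "REMOTE_PORT is not a port number: '${REMOTE_PORT}'"
LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"

# Use this for a non NAT-T setup (and drop the two port checks above)
#LOCAL="${LOCAL_ADDR}"
#REMOTE="${REMOTE_ADDR}"

# The remote selector mirrors the route: everything, or MYNET with the
# prefix length actually given (previously a hard-coded /24, which did
# not agree with the route for any other mask).
if [ "${MYNET}" = '0.0.0.0' ]; then
	PROTECTED='0.0.0.0/0'
else
	PROTECTED="${MYNET}/${MYPREFIX}"
fi
setkey -c <<EOF || die "setkey refused the tunnel policy"
spdadd ${INTERNAL_ADDR4}/32[any] ${PROTECTED}[any] any
       -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd ${PROTECTED}[any] ${INTERNAL_ADDR4}/32[any] any
       -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOF

#
# XXX This is a workaround for Linux forward policies problem.
# Someone familiar with forward policies please fix this properly.
# The spddelete presumes that setkey on Linux creates a "fwd" policy
# alongside the "in" policy installed above and removes it again, using
# the same selectors.  It is only attempted for the split-tunnel case:
# in the full-tunnel case the selectors it used to be called with
# (0.0.0.0/24 and INTERNAL_ADDR4/0) did not correspond to the installed
# policy, so that call could not have removed anything.
#
if [ "${OS}" = Linux ] && [ "${MYNET}" != '0.0.0.0' ]; then
	setkey -c <<EOF
	spddelete ${PROTECTED}[any] ${INTERNAL_ADDR4}/32[any] any
		-P fwd ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOF
fi

#
# Finally point the resolver at the tunnel's DNS server.  This is done
# last so that any failure above leaves the resolver untouched.  The
# original file is kept once as resolv.conf.bak (presumably restored by
# the SA-down hook); INTERNAL_DNS4 was validated above, so only a single
# well-formed "nameserver" line can end up in the file.
#
test -f /etc/resolv.conf.bak || cp /etc/resolv.conf /etc/resolv.conf.bak
{
	echo "# Generated by racoon on `date`"
	echo "nameserver ${INTERNAL_DNS4}"
} > /etc/resolv.conf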


