X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=debian%2Fopenvswitch-ipsec.init;h=a39dd40e686d32886947ceff02cd83aa1ce02f99;hb=HEAD;hp=f3c9a13a0895e3038bef2533e7b47756ca273c04;hpb=a3acf0b0c46a28d6c891086e054d81dd915eea2e;p=sliver-openvswitch.git
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
index f3c9a13a0..a39dd40e6 100755
--- a/debian/openvswitch-ipsec.init
+++ b/debian/openvswitch-ipsec.init
@@ -19,11 +19,13 @@
 #
 ### BEGIN INIT INFO
 # Provides: openvswitch-ipsec
-# Required-Start: $network $local_fs $remote_fs
+# Required-Start: $network $local_fs $remote_fs openvswitch-switch
 # Required-Stop: $remote_fs
 # Default-Start: 2 3 4 5
 # Default-Stop: 0 1 6
 # Short-Description: Open vSwitch GRE-over-IPsec daemon
+# Description: The ovs-monitor-ipsec script provides support for encrypting GRE
+# tunnels with IPsec.
 ### END INIT INFO
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
@@ -68,10 +70,25 @@ running() {
 return 0
 }
+uninstall_mark_rule() {
+ iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
+}
+
+install_mark_rule() {
+ if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then
+ iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
+ fi
+}
+
 start_server() {
- PYTHONPATH=/usr/share/openvswitch/python \
- /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
- --pidfile-name=$PIDFILE --detach --monitor \
+ if [ ! -d /var/run/openvswitch ]; then
+ install -d -m 755 -o root -g root /var/run/openvswitch
+ fi
+
+ install_mark_rule "-p esp"
+ install_mark_rule "-p udp --dport 4500"
+ /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
+ --pidfile=$PIDFILE --log-file --detach --monitor \
 unix:/var/run/openvswitch/db.sock
 return 0
@@ -81,6 +98,8 @@ stop_server() {
 if [ -e $PIDFILE ]; then
 kill `cat $PIDFILE`
 fi
+ uninstall_mark_rule "-p esp"
+ uninstall_mark_rule "-p udp --dport 4500"
 return 0
 }
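Review bot: start_server ignores the result of both install_mark_rule calls, so if `iptables -A` fails the daemon is still launched and the function still returns 0 with no mark rule in place. Because `2> /dev/null` hides every `-C` failure, an iptables that lacks `-C` or cannot take the xtables lock looks the same as "rule absent"; each start would then append another copy, while uninstall_mark_rule deletes only one. I would propagate the failure, e.g. `install_mark_rule "-p esp" || return 1`, and add a comment above install_mark_rule such as `# $1 is deliberately unquoted: it carries several iptables match arguments`. The rules also claim bit 0 of the packet mark for all ESP and UDP/4500 input, which deserves a comment in case other firewall tooling on the host uses that bit. start_server's closing brace is outside the hunk.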
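Review bot: The mark rules are removed only in stop_server, and they are removed right after `kill` is sent rather than once the daemon has exited. force_stop, partly visible in the next hunk, signals the process directly and shows no uninstall_mark_rule call in its visible lines, so a force-stop may leave both mangle rules installed. Its start and end are outside the hunks, so this needs checking against the full function. If the cleanup is missing there, calling `uninstall_mark_rule "-p esp"` and `uninstall_mark_rule "-p udp --dport 4500"` from force_stop as well would keep the two stop paths consistent.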
@@ -91,10 +110,10 @@ force_stop() {
 if running ; then
 kill -15 $pid
 # Is it really dead?
- sleep "$DIETIME"s
+ sleep "$DODTIME"
 if running ; then
 kill -9 $pid
- sleep "$DIETIME"s
+ sleep "$DODTIME"
 if running ; then
 echo "Cannot kill $NAME (pid=$pid)!"
 exit 1
@@ -153,7 +172,7 @@ case "$1" in
 log_daemon_msg "Restarting $NAME"
 stop_server
 # Wait some sensible amount, some server need this
- [ -n "$DIETIME" ] && sleep $DIETIME
+ [ -n "$DODTIME" ] && sleep $DODTIME
 start_server
 running
 log_end_msg $?
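Review bot: `sleep "$DODTIME"` in force_stop is unguarded, while the restart branch in the last hunk tests `[ -n "$DODTIME" ]` before sleeping. The assignment of DODTIME is not visible in this diff; if it can be empty, sleep fails at once and SIGKILL follows SIGTERM with no grace period. A default in place, `sleep "${DODTIME:-1}"` (the 1 is a constructed placeholder), would make the two paths behave alike. force_stop begins and ends outside the hunk.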