#!/bin/sh
#
# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino <jfs@debian.org>
#
# This is free software; you may redistribute it and/or modify
# it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2,
# or (at your option) any later version.
#
# This is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License with
# the Debian operating system, in /usr/share/common-licenses/GPL;  if
# not, write to the Free Software Foundation, Inc., 59 Temple Place,
# Suite 330, Boston, MA 02111-1307 USA
#
### BEGIN INIT INFO
# Provides:          openvswitch-ipsec
# Required-Start:    $network $local_fs $remote_fs openvswitch-switch
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Open vSwitch GRE-over-IPsec daemon
# Description:       The ovs-monitor-ipsec script provides support for encrypting GRE
#                    tunnels with IPsec.
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
NAME=ovs-monitor-ipsec          # Introduce the short server's name here
LOGDIR=/var/log/openvswitch     # Log directory to use

PIDFILE=/var/run/openvswitch/$NAME.pid 

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

DODTIME=10              # Time to wait for the server to die, in seconds
                        # If this value is set too low you might not
                        # let some servers to die gracefully and
                        # 'restart' will not work
                        
set -e

running_pid() {
# Check if a given process pid's cmdline matches a given name
    pid=$1
    name=$2
    [ -z "$pid" ] && return 1 
    [ ! -d /proc/$pid ] &&  return 1
    cmd=`cat /proc/$pid/cmdline | tr "\000" " "|cut -d " " -f 2`
    # Is this the expected server
    [ "$cmd" != "$name" ] &&  return 1
    return 0
}

running() {
# Check if the process is running looking at /proc
# (works for all users)

    # No pidfile, probably no daemon present
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE`
    running_pid $pid $DAEMON || return 1
    return 0
}

uninstall_mark_rule() {
    iptables -D INPUT -t mangle $1 -j MARK --set-mark 1/1 || return 0
}

install_mark_rule() {
    if ( ! iptables -C INPUT -t mangle $1 -j MARK --set-mark 1/1 2> /dev/null); then
        iptables -A INPUT -t mangle $1 -j MARK --set-mark 1/1
    fi
}

start_server() {
    if [ ! -d /var/run/openvswitch ]; then
        install -d -m 755 -o root -g root /var/run/openvswitch
    fi

    install_mark_rule "-p esp"
    install_mark_rule "-p udp --dport 4500"
    /usr/share/openvswitch/scripts/ovs-monitor-ipsec \
           --pidfile=$PIDFILE --log-file --detach --monitor \
           unix:/var/run/openvswitch/db.sock

    return 0
}

stop_server() {
    if [ -e $PIDFILE ]; then
        kill `cat $PIDFILE`
    fi
    uninstall_mark_rule "-p esp"
    uninstall_mark_rule "-p udp --dport 4500"

    return 0
}

force_stop() {
# Force the process to die killing it manually
    [ ! -e "$PIDFILE" ] && return
    if running ; then
        kill -15 $pid
        # Is it really dead?
        sleep "$DODTIME"
        if running ; then
            kill -9 $pid
            sleep "$DODTIME"
            if running ; then
                echo "Cannot kill $NAME (pid=$pid)!"
                exit 1
            fi
        fi
    fi
    rm -f $PIDFILE
}


case "$1" in
  start)
        log_daemon_msg "Starting $NAME"
        # Check if it's running first
        if running ;  then
            log_progress_msg "apparently already running"
            log_end_msg 0
            exit 0
        fi
        if start_server && running ;  then
            # It's ok, the server started and is running
            log_end_msg 0
        else
            # Either we could not start it or it is not running
            # after we did
            # NOTE: Some servers might die some time after they start,
            # this code does not try to detect this and might give
            # a false positive (use 'status' for that)
            log_end_msg 1
        fi
        ;;
  stop)
        log_daemon_msg "Stopping $NAME"
        if running ; then
            # Only stop the server if we see it running
            stop_server
            log_end_msg $?
        else
            # If it's not running don't do anything
            log_progress_msg "apparently not running"
            log_end_msg 0
            exit 0
        fi
        ;;
  force-stop)
        # First try to stop gracefully the program
        $0 stop
        if running; then
            # If it's still running try to kill it more forcefully
            log_daemon_msg "Stopping (force) $NAME"
            force_stop
            log_end_msg $?
        fi
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $NAME"
        stop_server
        # Wait some sensible amount, some server need this
        [ -n "$DODTIME" ] && sleep $DODTIME
        start_server
        running
        log_end_msg $?
        ;;
  status)
        log_daemon_msg "Checking status of $NAME"
        if running ;  then
            log_progress_msg "running"
            log_end_msg 0
        else
            log_progress_msg "apparently not running"
            log_end_msg 1
            exit 1
        fi
        ;;
  # Use this if the daemon cannot reload
  reload)
        log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon"
        log_warning_msg "cannot re-read the config file (use restart)."
        ;;
  *)
        N=/etc/init.d/openvswitch-ipsec
        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0