This file is indexed.

/usr/lib/ipsec/_updown is in libreswan 3.23-4.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

#! /bin/sh
# iproute2 version, default updown script
#
# Copyright (C) 2003-2004 Nigel Metheringham
# Copyright (C) 2002-2007 Michael Richardson <mcr@xelerance.com>
# Copyright (C) 2003-2013 Tuomo Soini <tis@foobar.fi>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#

# CAUTION:  Installing a new version of Libreswan will install a new
# copy of this script, wiping out any custom changes you make.  If
# you need changes, make a copy of this under another name, and customize
# that, and use the (left/right)updown parameters in ipsec.conf to make
# Libreswan use yours instead of this default one.

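# Optional debug tracing: any non-empty IPSEC_INIT_SCRIPT_DEBUG turns on
# verbose (-v) and xtrace (-x) output for the rest of this script.  The
# expansion is quoted and checked with -n so that a value containing
# whitespace or test(1) operators is treated as a plain string instead of
# being word-split into a different test expression.
[ -n "${IPSEC_INIT_SCRIPT_DEBUG:-}" ] && set -v -x

# Pin the C locale and export it so commands started from here inherit it.
LC_ALL=C
export LC_ALL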

# things that this script gets (from ipsec_pluto(8) man page)
#
#
#	PLUTO_VERSION
#		indicates  what  version of this interface is being
#		used.  This document describes version  1.1.   This
#		is upwardly compatible with version 1.0.
#
#	PLUTO_VERB
#		specifies the name of the operation to be performed
#		(prepare-host, prepare-client, up-host, up-client,
#		down-host, or down-client).  If the address family
#		for security gateway to security gateway communications
#		is IPv6, then a suffix of -v6 is added to the
#		verb.
#
#	PLUTO_CONNECTION
#		is the name of the  connection  for  which  we  are
#		routing.
#
#	PLUTO_CONN_POLICY
#		the policy of the connection, as in:
#		RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failureDROP+lKOD+rKOD
#
#	PLUTO_NEXT_HOP
#		is the next hop to which packets bound for the peer
#		must be sent.
#
#	PLUTO_INTERFACE
#		is the name of the ipsec interface to be used.
#
#	PLUTO_ME
#		is the IP address of our host.
#
#	PLUTO_MY_CLIENT
#		is the IP address / count of our client subnet.  If
#		the  client  is  just  the  host,  this will be the
#		host's own IP address / mask (where max is  32  for
#		IPv4 and 128 for IPv6).
#
#	PLUTO_MY_CLIENT_NET
#		is the IP address of our client net.  If the client
#		is just the host, this will be the  host's  own  IP
#		address.
#
#	PLUTO_MY_CLIENT_MASK
#		is  the  mask for our client net.  If the client is
#		just the host, this will be 255.255.255.255.
#
#	PLUTO_MY_SOURCEIP
#		if non-empty, then the source address for the route will be
#		set to this IP address.
#
#	PLUTO_MY_PROTOCOL
#		is the protocol  for this  connection.  Useful  for
#		firewalling.
#
#	PLUTO_MY_PORT
#		is the port. Useful for firewalling.
#
#	PLUTO_PEER
#		is the IP address of our peer.
#
#	PLUTO_PEER_CLIENT
#		is the IP address / count of the peer's client subnet.
#		If the client is just the peer, this will be
#		the peer's own IP address / mask (where  max  is  32
#		for IPv4 and 128 for IPv6).
#
#	PLUTO_PEER_CLIENT_NET
#		is the IP address of the peer's client net.  If the
#		client is just the peer, this will  be  the  peer's
#		own IP address.
#
#	PLUTO_PEER_CLIENT_MASK
#		is  the  mask  for  the  peer's client net.  If the
#		client   is   just   the   peer,   this   will   be
#		255.255.255.255.
#
#	PLUTO_PEER_PROTOCOL
#		is  the  protocol  set  for  remote  end  with port
#		selector.
#
#	PLUTO_PEER_PORT
#		is the peer's port. Useful for firewalling.
#
#	PLUTO_CONNECTION_TYPE
#
#	PLUTO_MY_REF/PLUTO_PEER_REF
#		KLIPSng(mast) references to the SA to be used in each
#		direction.
#
#	PLUTO_STACK
#		The kernel-level IP stack used (see protostack=)
#
#	PLUTO_SA_REQID
#		When using KAME or XFRM/NETKEY, the IPsec SA reqid value

# Interface version gate.  A 2.x interface is accepted and a 1.x interface
# is refused with exit status 2.  Any other value, including an unset or
# empty PLUTO_VERSION, matches neither arm and falls through unchecked.
case "$PLUTO_VERSION" in
    2.*)
	# Current interface: nothing to do here, carry on with the script.
	;;
    1.*)
	# Older Pluto?!?  Play it safe, script may be using new features.
	{
	    echo "$0: obsolete interface version \"$PLUTO_VERSION\","
	    echo "$0: 	called by obsolete Pluto?"
	} >&2
	exit 2
	;;
esac

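# Hand off to the stack-specific helper /usr/lib/ipsec/_updown.<PLUTO_STACK>.
#
# PLUTO_STACK comes from the environment and becomes part of the path that
# is exec'd, so this script relies on its caller to supply a plain stack
# name.  The expansion is quoted so that whitespace or glob characters in
# the value cannot split the path or expand it against the filesystem, and
# "$@" forwards each original argument as its own word rather than
# re-splitting the arguments the way an unquoted $* does.
#
# Exit status: on success exec replaces this shell, so the helper's status
# is what the caller sees; if the helper is missing or not executable the
# script reports the failure and exits 3.
if [ -x "/usr/lib/ipsec/_updown.${PLUTO_STACK}" ]; then
    exec "/usr/lib/ipsec/_updown.${PLUTO_STACK}" "$@"
else
    # The message is written to stdout, as before.
    echo "FATAL: Could not execute /usr/lib/ipsec/_updown.${PLUTO_STACK} $*"
fi

exit 3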