#!/bin/sh

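# Help text, printed by the help command and on command-line errors.
# Plain double quotes on purpose: the original used bash's $"..." locale
# translation form, which /bin/sh (dash/ash/busybox) does not understand and
# leaves as a literal "$" in front of the text. Nothing here needs translating.
# The command list below mirrors the dispatcher at the bottom of this file,
# including the aliases and the previously undocumented "flushdynrules".
USAGE="Usage: spd [options] {commands}
  options:
     -c <file>               : specify alternate IKE daemon configuration file
     -b <path>               : override location of binaries/modules
     -d                      : just display debug info and do dry-run
  commands:
     start|load [policyfile] : ADD ipsec table rules from the configured policy file or [policyfile]
     stop|unload             : DELETE ipsec table rules (flush ipsec table and IPSEC-SPD chain)
     restart|reload          : reset then start (re-invokes this script)
     reset|init|hup          : flush & init default VPN rules
     flushdynrules           : flush the IPSEC-DYN-SPD mangle chain (dynamic client rules)
     print                   : display FORWARD, IPSEC-SPD and ipsec table rules
     log<on|off>             : turn on/off ipsec table packet logging rules (default off)
     help                    : this message
"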
# Default locations. The -b and -c command-line options override BINDIR and
# IKEDCONF respectively; CONFDIR is only used to build the default IKEDCONF.
BINDIR=/usr/iked
CONFDIR=/etc/iked	# must point to r/w location
IKEDCONF="$CONFDIR/iked.conf"

# static settings
# Helper executed as $BINDIR/$ADDSPDRULESBIN to add/delete per-profile rules.
ADDSPDRULESBIN=addspdrules
# Resolved through PATH at run time. Set an absolute path here if the PATH
# of whoever invokes this script (init, cron, admin shell) is not trusted.
IPTBIN=iptables

# indicates presence of firewall module
# Flag file under /tmp (usually world-writable); in this file it is only
# referenced from commented-out code, so it currently has no effect.
IPT_SHELL="/tmp/config/fw/iptables.sh"

# syslog priority (facility.level) and tag used by logit()
SPDSYSLOG=authpriv.warning
SPDTAG=spd

######################################################################

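logit()
{
	# Send "$@" to syslog at priority $SPDSYSLOG, tagged $SPDTAG.
	# "--" ends option parsing so a message that happens to start with "-"
	# is logged rather than interpreted as a logger option. Nothing is
	# written to the terminal, even in dry-run mode.
	logger -p "$SPDSYSLOG" -t "$SPDTAG" -- "$@"
}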

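get_confparam()
{
	# Print the value of key $1 from $IKEDCONF (lines of the form key=value).
	# Leading '"' / '#' characters and trailing whitespace are stripped from
	# the value; a trailing '"' is not. Prints nothing when the file or the
	# key is absent; if the key occurs more than once every match is printed.
	# $1 is used as a regular expression and the returned values are later
	# expanded unquoted on iptables/route command lines by callers in this
	# file, so only the fixed keys passed from getoptions and a config file
	# writable by root alone are safe here.
	[ -f "$IKEDCONF" ] || return 0
	grep -- "^$1=" "$IKEDCONF" | sed -e "s/$1=[\"\#]*//" -e "s/[ ]*$//"
}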

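get_dmz_if()
{
	# Print the "DMZ" interface: the last of eth0, eth1, eth2 that is neither
	# $REDIF nor $BLACKIF (so the highest-numbered candidate wins when more
	# than one qualifies). The candidate list is hard-coded; other interface
	# names are not considered. Comparisons are quoted so an unset REDIF or
	# BLACKIF no longer turns the test into a syntax error; dmzif is reset
	# first so a stale value from an earlier call cannot leak through.
	dmzif=
	for candidate in eth0 eth1 eth2; do
		if [ "$candidate" != "$REDIF" ] && [ "$candidate" != "$BLACKIF" ]; then
			dmzif=$candidate
		fi
	done
	echo "$dmzif"
}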

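get_dmz_ip()
{
	# Print the IPADDR value from /config/net/<dmz interface>, the interface
	# being whatever get_dmz_if returns. Prints nothing when that file or the
	# key is missing. Only lines that begin with IPADDR= (after optional
	# whitespace) are considered, so a commented-out "#IPADDR=..." entry is
	# ignored instead of being echoed back verbatim; one line per match.
	dmzif=$(get_dmz_if)
	[ -n "$dmzif" ] && [ -f "/config/net/$dmzif" ] || return 0
	sed -n 's/^[[:space:]]*IPADDR=\([0-9.][0-9.]*\).*/\1/p' < "/config/net/$dmzif"
}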

######################################################################

getoptions()
{
	# Load the runtime settings from $IKEDCONF into globals:
	#   POLICYCONF      - policy file handed to addspdrules
	#   REDIP/REDIF     - address and interface of the red (LAN) side
	#   BLACKIP/BLACKIF - address and interface of the black (WAN) side
	#   CLIENT_ROUTING  - client routing flag (only read from commented code)
	#   NEXTHOP         - "redrouter" if set, otherwise "blacknexthop"
	# Values arrive unvalidated from the config file and are used unquoted
	# on command lines elsewhere in this file.
	POLICYCONF=$(get_confparam policyfile)
	REDIP=$(get_confparam redip)
	REDIF=$(get_confparam redif)
	BLACKIP=$(get_confparam blackip)
	BLACKIF=$(get_confparam blackif)
	#DMZIF=$(get_dmz_if)
	#DMZIP=$(get_dmz_ip)
	CLIENT_ROUTING=$(get_confparam client_routing)
	blacknexthop=$(get_confparam blacknexthop)
	redrouter=$(get_confparam redrouter)
	# an explicit red-side router takes precedence over the black next hop
	NEXTHOP=${redrouter:-$blacknexthop}
}

# sanity check
#if [ ! -x $IPTBIN ]; then
#	logit "$0: Fatal, can't find iptables util: $IPTBIN"
#	exit 1
#fi

policyrules()
{
	if [ -z "$DEBUG" ] && [ -z "`cat /proc/ksyms | grep ipt_IPSEC`" -o -z "`cat /proc/ksyms | grep iptable_IPSEC`" ]; then
		logit "$0: Fatal, IPSec Netfilter table/target modules not loaded."
		exit 1
	elif [ -z "$BLACKIF" ]; then
		logit "$0: Fatal, $IKEDCONF blk interface not set."
		exit 1
	elif [ ! -x $BINDIR/$ADDSPDRULESBIN ]; then
		logit "$0: Fatal, can't find $BINDIR/$ADDSPDRULESBIN util."
		exit 1
	else
#		BIF=`echo $BLACKIF | sed -e "s/eth//"`
		BIFNAME=`echo $BLACKIF | sed -e "s/\([a-zA-Z]*\)[0-9]*/\1/"`
		BIFNUM=`echo $BLACKIF | sed -e "s/[a-zA-Z]*\([0-9]*\)/\1/"`
		case "$1" in
		add)
			logit "$0: ADDING ipsec table rules for profiles in $POLICYCONF ..."
			cmd=-a
			shift
			;;
		del)
			logit "$0: DELETING ipsec table rules for profiles in $POLICYCONF ..."
			cmd=-d
			shift
			;;
		*)
			cmd=err
			shift
			;;
		esac

		if [ "$cmd" != "err" ]; then
			if [ "$DEBUG" = "echo" ]; then
				# do dry-run (only echo rules to stdout)
				$BINDIR/$ADDSPDRULESBIN -r -p $POLICYCONF $cmd -i $BIFNUM -y $BIFNAME 2>/dev/null
			else
				$BINDIR/$ADDSPDRULESBIN -p $POLICYCONF $cmd -i $BIFNUM -y $BIFNAME 2>/dev/null
			fi
			RC=$?
			if [ $RC -gt 0 ]; then
				exit $RC;
			fi
		fi
	fi
}

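resetflush()
{
	# Flush what this script adds: every rule in the "ipsec" table (then its
	# user chains and counters) and the rules of the IPSEC-SPD chain in
	# "mangle". The mangle chains themselves, SNAT-IPSEC / MGMT-IPSEC and the
	# IPSEC-DYN-SPD rules are deliberately left alone (see the notes inline).
	# Exits 1 when the IPsec netfilter modules are not loaded, unless this
	# is a dry-run (DEBUG set). Globals read: DEBUG, IPTBIN.
	#
	# NOTE(review): once the ipsec table is empty, the POSTROUTING rule that
	# hands 0x1000-marked packets to the IPSEC target is gone until
	# setdefaultrules re-adds it, while the retained IPSEC-DYN-SPD chain keeps
	# marking packets. Whether anything can leave $BLACKIF in cleartext during
	# that window depends on the FORWARD filter policy maintained outside this
	# file - confirm before running reset/restart on a live gateway.
	if [ -z "$DEBUG" ] && ! { grep -q ipt_IPSEC /proc/ksyms && grep -q iptable_IPSEC /proc/ksyms; } 2>/dev/null; then
		logit "$0: Fatal, IPSec Netfilter table/target modules not loaded."
		exit 1
	fi

	# iptables errors are discarded on purpose: a chain may not exist yet.
	logit "$0: Flushing ipsec table rules/user chains ..."
	$DEBUG "$IPTBIN" -t ipsec -F 2>/dev/null
	$DEBUG "$IPTBIN" -t ipsec -X 2>/dev/null
	$DEBUG "$IPTBIN" -t ipsec -Z 2>/dev/null

	# don't modify filter chain at FORWARD if firewall module enabled
#	if [ ! -f "$IPT_SHELL" ]; then
#		$DEBUG "$IPTBIN" -F FORWARD 2>/dev/null
#		$DEBUG "$IPTBIN" -P FORWARD DROP 2>/dev/null
#	fi

	logit "$0: Flushing mangle table rules/user chains ..."
	# don't flush the whole mangle table, must keep the SNAT-IPSEC & MGMT-IPSEC chains
#	$DEBUG "$IPTBIN" -t mangle -F PREROUTING 2>/dev/null
#	$DEBUG "$IPTBIN" -t mangle -F OUTPUT 2>/dev/null
	$DEBUG "$IPTBIN" -t mangle -F IPSEC-SPD 2>/dev/null
	# OKR: the IPSEC-DYN-SPD flush stays commented out because client
	# connections got broken on every spd restart, i.e. on every change of
	# the IPsec configuration. Use the "flushdynrules" command for that.
#	$DEBUG "$IPTBIN" -t mangle -F IPSEC-DYN-SPD 2>/dev/null

	# same goes for removing user-defined chains; only counters are zeroed
	$DEBUG "$IPTBIN" -t mangle -Z PREROUTING 2>/dev/null
	$DEBUG "$IPTBIN" -t mangle -Z OUTPUT 2>/dev/null
	$DEBUG "$IPTBIN" -t mangle -Z IPSEC-SPD 2>/dev/null
#	$DEBUG "$IPTBIN" -t mangle -X IPSEC-SPD 2>/dev/null
	$DEBUG "$IPTBIN" -t mangle -Z IPSEC-DYN-SPD 2>/dev/null
#	$DEBUG "$IPTBIN" -t mangle -X IPSEC-DYN-SPD 2>/dev/null

	# The built-in chain policies are not touched: both tables keep ACCEPT.
	logit "$0: Resetting default ipsec table policies ..."
#	$DEBUG "$IPTBIN" -t mangle -P PREROUTING  ACCEPT 2>/dev/null
#	$DEBUG "$IPTBIN" -t mangle -P OUTPUT      ACCEPT 2>/dev/null
#	$DEBUG "$IPTBIN" -t ipsec  -P PREROUTING  ACCEPT 2>/dev/null
#	$DEBUG "$IPTBIN" -t ipsec  -P POSTROUTING ACCEPT 2>/dev/null

#	logit "$0: Flushing routing table ..."
#	$DEBUG route flush 2>/dev/null	# doesn't work
#	route -n | sed -e 's/\*/0/g' -e '/Kernel/d' -e '/Destination/d' | \
#		while read target gw mask rest; do
#			$DEBUG route del -host $target netmask $mask 2>/dev/null
#			$DEBUG route del -net  $target netmask $mask 2>/dev/null
#		done
}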

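setforwarding()
{
	# Switch IPv4 forwarding on ($1 = on) or off ($1 = off) by writing to
	# /proc/sys/net/ipv4/ip_forward; in dry-run mode (DEBUG set) only logs.
	# Logs an error and returns 1 when /config/network is missing or $1 is
	# not on|off; exits 1 when the sysctl file is absent outside dry-run.
	# All calls to this function in this file are currently commented out.
	if [ ! -f /config/network ]; then
		logit "$0: Error, can't find network configuration file."
		return 1
	fi
	if [ -z "$DEBUG" ] && [ ! -e /proc/sys/net/ipv4/ip_forward ]; then
		logit "$0: Fatal, can't find /proc/sys/net/ipv4/ip_forward (BAD)."
		exit 1
	fi

	case "$1" in
	on)
		logit "$0: Enabling IP forwarding ..."
		value=1
		;;
	off)
		logit "$0: Disabling IP forwarding ..."
		value=0
		;;
	*)
		logit "$0: Error, setforwarding: expected on|off, got '$1'."
		return 1
		;;
	esac

	# the write needs root; report a failure instead of ignoring it
	if [ -z "$DEBUG" ]; then
		echo "$value" > /proc/sys/net/ipv4/ip_forward || \
			logit "$0: Error, failed to write $value to /proc/sys/net/ipv4/ip_forward."
	fi
}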

checkbridgemode()
{
	# "Bridge emulation": the red and black interfaces carry the same IP
	# address ($BLACKIP = $REDIP, both read from iked.conf). The two
	# per-interface subnet routes then collide, so the subnet route of the
	# interface that owns the default gateway (GATEWAYDEV from /config/network)
	# is removed, a host route to the gateway is pinned to that interface, and
	# a duplicate default route on the other interface is deleted.
	#
	# Globals read: BLACKIP, REDIP, BLACKIF, REDIF, DEBUG.
	# Side effects: /config/network and /config/net/<if> are sourced as shell
	# code with this script's privileges, so they must be writable by root
	# only (not checked here). Each sourced file may overwrite variables used
	# later in the same branch (DEVICE, NETWORK, NETMASK, GATEWAY, ...): the
	# second ". /config/net/..." in each branch re-points DEVICE at the other
	# interface before the final "route del default", and whether it also
	# redefines GATEWAY depends on that file's contents - not visible here.
	# The grep patterns use $NETWORK unescaped, so "." matches any character;
	# that is what the original relied on and it can over-match.
	# "route" errors are discarded; the routing-table changes are not undone.

	# if black and red interfaces are set to the same IP address
	# and the same network number and the default gateway is set
	# to one of the interfaces, confusing routes are deleted

	# believe it or not, we also need to add an explicit route to
	#	the default gateway via the gateway device's IP

	if [ ! -f /config/network ]; then
		logit "$0: Error, can't find network configuration file."
	else
		if [ "$BLACKIP" = "$REDIP" ]; then
			logit "$0: Bridge emulation detected, fixing routing table ..."
			# provides GATEWAY and GATEWAYDEV
			. /config/network		
			if [ "$GATEWAYDEV" = "$BLACKIF" ]; then
				# remove black side subnet from routing table
				# (provides DEVICE, NETWORK, NETMASK for the black interface)
				. /config/net/$BLACKIF
				if [ -n "`route -n | grep $NETWORK | grep $DEVICE`" ]; then
					$DEBUG route del -net $NETWORK netmask $NETMASK dev $DEVICE 2>/dev/null
				fi
				# add route to default gwy via black iface
				$DEBUG route add -host $GATEWAY gw $BLACKIP dev $BLACKIF 2>/dev/null
				# remove duplicate default gateway on red side
				# (DEVICE now refers to the red interface)
				. /config/net/$REDIF
				if [ -n "`route -n | grep default | grep $DEVICE`" ]; then
					$DEBUG route del default gw $GATEWAY dev $DEVICE 2>/dev/null
				fi

			elif [ "$GATEWAYDEV" = "$REDIF" ]; then
				# remove red side subnet from routing table
				# (provides DEVICE, NETWORK, NETMASK for the red interface)
				. /config/net/$REDIF
				if [ -n "`route -n | grep $NETWORK | grep $DEVICE`" ]; then
					$DEBUG route del -net $NETWORK netmask $NETMASK dev $DEVICE 2>/dev/null
				fi
				# add route to default gwy via red iface
				$DEBUG route add -host $GATEWAY gw $REDIP dev $REDIF 2>/dev/null
				# remove duplicate default gateway on black side
				# (DEVICE now refers to the black interface)
				. /config/net/$BLACKIF
				if [ -n "`route -n | grep default | grep $DEVICE`" ]; then
					$DEBUG route del default gw $GATEWAY dev $DEVICE 2>/dev/null
				fi
			fi
		fi
	fi
}

addroutesfordevice()
{
	# Re-create the startup routes for interface $1 from /config/network and
	# /config/net/$1: the interface's subnet route (if absent), a default
	# route via GATEWAY at metric 1, and - when this interface is the gateway
	# device or no gateway device is named - a plain default route if the
	# kernel has none for it yet.
	# Both files are sourced as shell code (they set NETWORK, NETMASK,
	# GATEWAY, GATEWAYDEV, DEVICE, ...), so they must only be writable by the
	# user this script runs as. $1 is put into the path unchecked; in this
	# file it comes from the blackif/redif values of iked.conf.
	# Missing files are only logged; "route" errors are discarded.
	if [ ! -f /config/network ]; then
		logit "$0: Error, can't find network configuration file."
		return
	fi
	if [ ! -f "/config/net/$1" ]; then
		logit "$0: Error, can't find configuration file for device: $1."
		return
	fi

	. /config/network
	. "/config/net/$1"

	# subnet route for this device, unless the kernel already has one
	if ! route -n | grep "$NETWORK" | grep -q "$DEVICE"; then
		$DEBUG route add -net $NETWORK netmask $NETMASK dev $1 2>/dev/null
	fi

	# default route through the configured gateway at metric 1
	if [ -n "$GATEWAY" ] && [ "$GATEWAY" != "none" ]; then
		$DEBUG route add default gw $GATEWAY metric 1 $1 2>/dev/null
	fi

	# plain default route when this is (or may be) the gateway device
	if [ -z "$GATEWAYDEV" ] || [ "$GATEWAYDEV" = "$1" ]; then
		if ! route -n | grep 0.0.0.0 | grep -q "$1"; then
			if [ -n "$GATEWAY" ]; then
				$DEBUG route add default gw $GATEWAY $1 2>/dev/null
			elif [ "$GATEWAYDEV" = "$1" ]; then
				$DEBUG route add default $1 2>/dev/null
			fi
		fi
	fi
}

restoreroutes()
{
	# Put the startup routes back for the black and red interfaces, repair
	# the bridge-emulation case, then re-run the system's static-route hook.
	# Requires BLACKIF and REDIF (from getoptions); logs an error and does
	# nothing otherwise. Currently only referenced from commented-out code.
	if [ -n "$BLACKIF" ] && [ -n "$REDIF" ]; then
		logit "$0: Restoring original startup routes ..."
		addroutesfordevice "$BLACKIF"
		addroutesfordevice "$REDIF"
#		addroutesfordevice "$DMZIF"
		checkbridgemode
		# restore static routes (executed as this script's user if present)
		[ -x /sbin/ifup-routes ] && /sbin/ifup-routes
	else
		logit "$0: Error, $IKEDCONF blk/red interfaces not set."
	fi
}

setopenrules()
{
	# Variant of the inbound half of setdefaultrules: steer ESP (50), IKE
	# (UDP 500), non-first UDP fragments (which carry no port - XSDpr40574),
	# AH (51) and IPCOMP (108) that arrive on the black interface for
	# $BLACKIP into the IPSEC target. Unlike setdefaultrules it has no rule
	# for UDP 4500 (NAT-T) and performs no module/config sanity checks.
	# Nothing in this file calls it. Globals read: DEBUG, IPTBIN, BLACKIP, BLACKIF.
	# The list order is the evaluation order iptables will use.
	for match in "-p 50" "-p udp --dport 500" "-f -p udp" "-p 51" "-p 108"; do
		# $match is intentionally unquoted: it holds several iptables arguments
		$DEBUG $IPTBIN -t ipsec -A PREROUTING $match -d $BLACKIP -i $BLACKIF -j IPSEC
	done
}

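setdefaultrules()
{
	# Install the static "ipsec" table rules every configuration needs:
	#   PREROUTING  - IKE (UDP 500), NAT-T (UDP 4500), non-first UDP
	#                 fragments, ESP (50), AH (51) and IPCOMP (108) arriving
	#                 on the black interface for $BLACKIP go to the IPSEC target
	#   POSTROUTING - packets leaving the black interface with mark 0x1000
	#                 (set by the mangle IPSEC-SPD / IPSEC-DYN-SPD chains,
	#                 which are created by the firewall, not here) go to the
	#                 IPSEC target for encryption
	# Both tables keep their ACCEPT policy; nothing here drops traffic.
	# Globals read: DEBUG, IPTBIN, BLACKIP, REDIP, BLACKIF, REDIF.
	# Exits 1 when the IPsec netfilter modules are not loaded (skipped in
	# dry-run) or when any of the four address/interface settings is empty.
	if [ -z "$DEBUG" ] && ! { grep -q ipt_IPSEC /proc/ksyms && grep -q iptable_IPSEC /proc/ksyms; } 2>/dev/null; then
		logit "$0: Fatal, IPSec Netfilter table/target modules not loaded."
		exit 1
	fi
	if [ -z "$BLACKIP" ] || [ -z "$REDIP" ]; then
		logit "$0: Fatal, $IKEDCONF blk/red addresses not set."
		exit 1
	fi
	if [ -z "$BLACKIF" ] || [ -z "$REDIF" ]; then
		logit "$0: Fatal, $IKEDCONF blk/red interfaces not set."
		exit 1
	fi

	logit "$0: Setting default VPN rules ..."

	#
	# order is always important for rulesets!
	#

	## Prevent the local DHCP server from responding to external clients or relay agents
#	$DEBUG "$IPTBIN" -t ipsec -A PREROUTING -p udp --sport 68 -j DROP
#	$DEBUG "$IPTBIN" -t ipsec -A POSTROUTING -p udp --dport 68 -j DROP
#
#	## Silently drop ICMP cleartext host unreachable replies
#	$DEBUG "$IPTBIN" -t ipsec -A POSTROUTING -p icmp --icmp-type destination-unreachable -j DROP
#
#	# don't add these rules if firewall module enabled
#	if [ ! -f "$IPT_SHELL" ]; then
#		## Drop inbound WINS queries: NetBIOS name service, datagram service and session service
#		$DEBUG "$IPTBIN" -A INPUT -p tcp --dport 137 -j DROP
#		$DEBUG "$IPTBIN" -A INPUT -p udp --dport 137 -j DROP
#		$DEBUG "$IPTBIN" -A INPUT -p tcp --dport 138 -j DROP
#		$DEBUG "$IPTBIN" -A INPUT -p udp --dport 138 -j DROP
#		$DEBUG "$IPTBIN" -A INPUT -p tcp --dport 139 -j DROP
#		$DEBUG "$IPTBIN" -A INPUT -p udp --dport 139 -j DROP
#	fi

	## Send inbound ISAKMP packets destined for Black interface to IPSEC target
	$DEBUG "$IPTBIN" -t ipsec -A PREROUTING -p udp --dport 500 -d "$BLACKIP" -i "$BLACKIF" -j IPSEC
	$DEBUG "$IPTBIN" -t ipsec -A PREROUTING -p udp --dport 4500 -d "$BLACKIP" -i "$BLACKIF" -j IPSEC
	# Send 2nd and consecutive UDP-encapsulated fragments to IPSEC target
	# (the --dport information is not available in those packets, so they will
	# not match previous rule). This necessarily catches every non-first UDP
	# fragment for $BLACKIP, not only NAT-T ones; presumably the IPSEC target
	# discards fragments it cannot associate with an SA - confirm.
	$DEBUG "$IPTBIN" -t ipsec -A PREROUTING -f -p udp -d "$BLACKIP" -i "$BLACKIF" -j IPSEC

	## Send inbound ESP/AH/IPCOMP packets destined for Black interface to IPSEC target
	# ESP
	$DEBUG "$IPTBIN" -t ipsec -A PREROUTING -p 50 -d "$BLACKIP" -i "$BLACKIF" -j IPSEC
	# AH
	$DEBUG "$IPTBIN" -t ipsec -A PREROUTING -p 51 -d "$BLACKIP" -i "$BLACKIF" -j IPSEC
	# IPCOMP
	$DEBUG "$IPTBIN" -t ipsec -A PREROUTING -p 108 -d "$BLACKIP" -i "$BLACKIF" -j IPSEC

	# ----------------------------------------------------------------------
	# OKR comment: ipsec and mangle tables policy is ACCEPT,
	# useless to add ACCEPT rules in it.
	# INBOUND LAN (red), decrypted packets
	#$DEBUG "$IPTBIN" -t ipsec  -A POSTROUTING -o "$REDIF" -m mark --mark 0x2000/0x2000 -j ACCEPT
	#$DEBUG "$IPTBIN" -t ipsec  -A POSTROUTING -o lo       -m mark --mark 0x2000/0x2000 -j ACCEPT

	# INBOUND WAN (black), decrypted packets
	# Note: may be disabled for client routing
	#if [ "$CLIENT_ROUTING" != "1" ]; then
	#	$DEBUG "$IPTBIN" -t mangle -A PREROUTING -i "$BLACKIF" -m mark --mark 0x2000/0x2000 -j ACCEPT
	#fi

	#  OUTBOUND LAN (red), packets already marked for IPSec
	#$DEBUG "$IPTBIN" -t mangle -A PREROUTING -i "$REDIF" -m mark --mark 0x1000/0x1000 -j ACCEPT
	#$DEBUG "$IPTBIN" -t mangle -A PREROUTING -i lo       -m mark --mark 0x1000/0x1000 -j ACCEPT

	# OUTBOUND (all) rules for policy.cfg remote subnets and hosts are added
	# to the mangle table IPSEC-SPD user chain (PREROUTING, mangle &
	# OUTPUT, mangle) to mark packets for IPSec.
	#   (Note: chain may have already been created by netfilter script.)
	# okr: following ops done by the firewall
	#$DEBUG "$IPTBIN" -t mangle -N IPSEC-SPD 2>/dev/null
	#$DEBUG "$IPTBIN" -t mangle -A PREROUTING -j IPSEC-SPD
	#$DEBUG "$IPTBIN" -t mangle -A OUTPUT     -j IPSEC-SPD
	#$DEBUG "$IPTBIN" -t mangle -N IPSEC-DYN-SPD 2>/dev/null
	#$DEBUG "$IPTBIN" -t mangle -A PREROUTING -j IPSEC-DYN-SPD
	#$DEBUG "$IPTBIN" -t mangle -A OUTPUT     -j IPSEC-DYN-SPD

	# Also, we must create an SNAT-IPSEC chain (PREROUTING, mangle) that will make
	# sure packets that are SNAT-ed and going into a VPN tunnel get marked. Such
	# packets won't match the selectors in the IPSEC-SPD
	# chain, since for SNAT+VPN, the local policy would be WAN_IP.
	#   (Note: chain may have already been created by netfilter script.)
	#$DEBUG "$IPTBIN" -t mangle -N SNAT-IPSEC 2>/dev/null
	#$DEBUG "$IPTBIN" -t mangle -A PREROUTING -j SNAT-IPSEC

	# Must also create MGMT-IPSEC chain (OUTPUT, mangle), which makes sure packets
	# originating from one of the management servers on the Gate and going into a
	# VPN tunnel get marked. Such packets won't match the selectors in the
	# IPSEC-SPD chain, since the local policy would be RED_SUBNET
	# and the packets have not yet been SNAT-ed to RED_IP (that happens in
	# POSTROUTING, nat).
	#   (Note: chain may have already been created by netfilter script.)
	#$DEBUG "$IPTBIN" -t mangle -N MGMT-IPSEC 2>/dev/null
	#$DEBUG "$IPTBIN" -t mangle -A OUTPUT -j MGMT-IPSEC

	# OUTBOUND WAN (black), packets marked for encryption.
	# This is the only rule that turns a mark into encryption; while it is
	# absent (e.g. between resetflush and this point) marked packets are not
	# handed to the IPSEC target.
	$DEBUG "$IPTBIN" -t ipsec -A POSTROUTING -o "$BLACKIF" -m mark --mark 0x1000/0x1000 -j IPSEC

	# OUTBOUND WAN (black), decrypted packets (mis-routed)
	#if [ -n "$NEXTHOP" ]; then
	#	$DEBUG "$IPTBIN" -t ipsec -A POSTROUTING -o "$BLACKIF" -m mark --mark 0x2000/0x2000 -j RedROUTE --route-to "$NEXTHOP"
	#else
	# Changed the test for OXO XTSce04693
	# and completely removed it for XTSce06032 because packets going from
	# a dedicated tunnel toward the Internet will be decrypted and sent to
	# the blackif
	#if [ "$BLACKIF" != "$REDIF" ]; then
	#	$DEBUG "$IPTBIN" -t ipsec -A POSTROUTING -o "$BLACKIF" -m mark --mark 0x2000/0x2000 -j DROP
	#fi

	# don't add these rules if firewall module enabled
#	if [ ! -f "$IPT_SHELL" ]; then
#		# FORWARD (all), decrypted and packets marked for encryption
#		$DEBUG "$IPTBIN" -I FORWARD -m mark --mark 0x2000/0x2000 -j ACCEPT
#		$DEBUG "$IPTBIN" -I FORWARD -m mark --mark 0x1000/0x1000 -j ACCEPT
#	fi

	# default IPSEC table policy at PRE/POST = ACCEPT

	# (CGS) 2001-10-05: turn off rp_filter on red iface to enable dedicated tunnel
#	if [ -n "$DEBUG" ]; then
#		$DEBUG 'echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter'
#	else
#		echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter
#	fi
}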

######################################################################

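######################################################################
# Command-line dispatcher.
#
# Options (-c, -b, -d) are consumed left to right and must precede the
# command; the first command word is executed and the script exits, so one
# run performs exactly one command. Aliases accepted here in addition to
# the usage text: "unload" (= stop), "hup" (= reset).
#
# Privilege note: every command changes netfilter state, and -c/-b let the
# caller choose the configuration file and the directory from which the
# addspdrules binary is executed with this script's privileges. Only invoke
# it from a trusted context (init scripts, administrators) and never with
# arguments controlled by an unprivileged user.

# True when both IPsec netfilter modules are listed in /proc/ksyms.
# /proc/ksyms is a 2.4-kernel interface; on a kernel without it this always
# reports "not loaded" and the commands below refuse to run.
ipsec_modules_loaded()
{
	{ grep -q ipt_IPSEC /proc/ksyms && grep -q iptable_IPSEC /proc/ksyms; } 2>/dev/null
}

while [ -n "$1" ]; do
	case "$1" in

### options:

	  c|-c|--c)
		if [ -z "$2" ]; then
			echo "Invalid -c param."
			echo "$USAGE"
			exit 2
		fi
		IKEDCONF=$2
		shift 2
		;;

	  d|-d|--d)
		DEBUG=echo		# dry-run: commands are echoed instead of executed
		shift
		;;

	  b|-b|--b)
		if [ -z "$2" ]; then
			echo "Invalid -b param."
			echo "$USAGE"
			exit 2
		fi
		BINDIR=$2
		shift 2
		;;

### commands:

	  start|--start|load|--load)
		getoptions
		[ -n "$2" ] && POLICYCONF=$2	# optional explicit policy file
		policyrules add			# exits by itself on failure
		exit 0
		;;

	  flushdynrules)
		# Drop the dynamic-client rules only; resetflush keeps this chain
		# on purpose so client connections survive a restart.
		getoptions
		logit "$0: Flushing mangle IPSEC-DYN-SPD chain ..."
		$DEBUG "$IPTBIN" -t mangle -F IPSEC-DYN-SPD 2>/dev/null
		exit 0
		;;

	  stop|--stop|unload|--unload)
		getoptions
		[ -n "$2" ] && POLICYCONF=$2
		#setforwarding off
		resetflush
		#restoreroutes
		exit 0
		;;

	  reset|--reset|hup|--hup|init|--init)
		getoptions
		#setforwarding off
		resetflush
		#restoreroutes
		setdefaultrules
		#setforwarding on
		exit 0
		;;

	  restart|--restart|reload|--reload)
		getoptions
		# Re-run ourselves for reset and then start, handing over the
		# current config/binary locations and the dry-run flag. A failure
		# of either step is propagated instead of being masked by "exit 0".
		if [ -n "$DEBUG" ]; then dry=-d; else dry=; fi
		"$0" -c "$IKEDCONF" -b "$BINDIR" $dry reset || exit $?
		"$0" -c "$IKEDCONF" -b "$BINDIR" $dry start || exit $?
		exit 0
		;;

	  print|--print)
		if ! ipsec_modules_loaded; then
			logit "$0: Fatal, IPSec Netfilter table/target modules not loaded."
			exit 1
		fi
		getoptions
		echo ----- FORWARD -------------------------------------
		"$IPTBIN" -t filter -n -v -L FORWARD --line-numbers 2>/dev/null
		echo ----- SPD -----------------------------------------
		"$IPTBIN" -t mangle -n -v -L IPSEC-SPD --line-numbers 2>/dev/null
		# the table this script actually manages (usage: "display ipsec table rules")
		echo ----- IPSEC table ---------------------------------
		"$IPTBIN" -t ipsec -n -v -L --line-numbers 2>/dev/null
		exit 0
		;;

	  logon|--logon)
		if [ -z "$DEBUG" ] && ! ipsec_modules_loaded; then
			logit "$0: Fatal, IPSec Netfilter table/target modules not loaded."
			exit 1
		fi
		getoptions
		# Inserts an unconditional, unrated LOG rule at the top of each chain:
		# every packet traversing them hits the kernel log, which can flood
		# syslog on a busy gateway - use briefly and pair with logoff. Each
		# logon inserts another copy; logoff removes one copy per call.
		$DEBUG "$IPTBIN" -t ipsec  -I PREROUTING     -j LOG --log-prefix "ipsec-pre:"  2>/dev/null
		$DEBUG "$IPTBIN" -t ipsec  -I POSTROUTING    -j LOG --log-prefix "ipsec-post:" 2>/dev/null
		$DEBUG "$IPTBIN"           -I FORWARD        -j LOG --log-prefix "filter-forward:" 2>/dev/null
		$DEBUG "$IPTBIN" -t mangle -I IPSEC-SPD      -j LOG --log-prefix "mangle-spd:" 2>/dev/null
		exit 0
		;;

	  logoff|--logoff)
		if [ -z "$DEBUG" ] && ! ipsec_modules_loaded; then
			logit "$0: Fatal, IPSec Netfilter table/target modules not loaded."
			exit 1
		fi
		getoptions
		# -D removes the first matching rule only; repeat if logon was run
		# more than once.
		$DEBUG "$IPTBIN" -t ipsec  -D PREROUTING  -j LOG --log-prefix "ipsec-pre:"  2>/dev/null
		$DEBUG "$IPTBIN" -t ipsec  -D POSTROUTING -j LOG --log-prefix "ipsec-post:" 2>/dev/null
		$DEBUG "$IPTBIN"           -D FORWARD     -j LOG --log-prefix "filter-forward:" 2>/dev/null
		$DEBUG "$IPTBIN" -t mangle -D IPSEC-SPD   -j LOG --log-prefix "mangle-spd:" 2>/dev/null
		exit 0
		;;

	  -h|help|--help)
		echo "$USAGE"
		exit 0
		;;

	  *)
		echo "$USAGE"
		exit 2
		;;
	esac
done

# Reached only when no command was given (no arguments, or options alone):
# say so instead of failing silently.
echo "$USAGE"
exit 1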
