
strongswan: make the include's in the .conf files persistent

Having scripts modify user-written config files seems potentially
dangerous.  Plus there is really no downside to including some
empty files.  Best to just make the includes permanent.

Additional feature suggested by Luiz: if a -opkg version of the
config file was created unnecessarily, remove it as part of the
upgrade process since changes won't be happening to that file
as an artifact of the service starting.  The include lines are
now permanent, which means that (1) additional configuration
synthesized by UCI won't be anywhere that opkg (or sysupgrade,
for that matter) cares about since it won't be persistent, and
(2) if changes are being made, then they're being done by a
person with an editor and they really should be distinguished.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Philip Prindeville 4 years ago
parent
commit
643df01275
2 changed files with 31 additions and 42 deletions
  1. +14
    -1
      net/strongswan/Makefile
  2. +17
    -41
      net/strongswan/files/ipsec.init

+ 14
- 1
net/strongswan/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=strongswan PKG_NAME:=strongswan
PKG_VERSION:=5.9.1 PKG_VERSION:=5.9.1
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/ PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
@ -454,9 +454,11 @@ endef
define Package/strongswan/install define Package/strongswan/install
$(INSTALL_DIR) $(1)/etc $(INSTALL_DIR) $(1)/etc
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/ $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
echo -e "\ninclude /var/ipsec/strongswan.conf" >> $(1)/etc/strongswan.conf
$(INSTALL_DIR) $(1)/usr/lib/ipsec $(INSTALL_DIR) $(1)/usr/lib/ipsec
$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/ $(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
echo -e "\ninclude /var/ipsec/ipsec.secrets" >> $(1)/etc/ipsec.secrets
$(INSTALL_CONF) ./files/ipsec.user $(1)/etc/ $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
@ -502,9 +504,20 @@ endef
define Package/strongswan-ipsec/install define Package/strongswan-ipsec/install
$(INSTALL_DIR) $(1)/etc/ $(1)/usr/sbin $(INSTALL_DIR) $(1)/etc/ $(1)/usr/sbin
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/ $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
echo -e "\ninclude /var/ipsec/ipsec.conf" >> $(1)/etc/ipsec.conf
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
endef endef
define Package/strongswan-ipsec/postinst
#!/bin/sh
[ -z "$${IPKG_INSTROOT}" ] || exit 0
opkg list-changed-conffiles | grep -qx /etc/ipsec.conf || {
rm -f /etc/ipsec.conf-opkg
}
endef
define Package/strongswan-pki/install define Package/strongswan-pki/install
$(INSTALL_DIR) $(1)/etc/strongswan.d $(INSTALL_DIR) $(1)/etc/strongswan.d
$(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/pki.conf $(1)/etc/strongswan.d/ $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/pki.conf $(1)/etc/strongswan.d/
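Review bot: The new `Package/strongswan-ipsec/postinst` only cleans up `/etc/ipsec.conf-opkg`, yet the same permanent include is baked into `/etc/strongswan.conf` and `/etc/ipsec.secrets` in `Package/strongswan/install` (the two new `echo -e` lines), and the old init script rewrote those two files in exactly the same way, so an upgrade from release 4 will presumably leave `/etc/strongswan.conf-opkg` and `/etc/ipsec.secrets-opkg` behind with no matching cleanup. Unless a `Package/strongswan/postinst` already exists outside this hunk, a loop over both files with the same `opkg list-changed-conffiles` check would keep the two packages consistent. Separately, `echo -e` is a bash-ism; `printf '\ninclude /var/ipsec/strongswan.conf\n' >> $(1)/etc/strongswan.conf` behaves the same under any `sh` the build may use. The `Package/strongswan-pki/install` definition at the bottom continues past the end of this hunk.
```make
define Package/strongswan/postinst
#!/bin/sh
[ -z "$${IPKG_INSTROOT}" ] || exit 0
for f in /etc/strongswan.conf /etc/ipsec.secrets; do
	opkg list-changed-conffiles | grep -qx "$$f" || rm -f "$$f-opkg"
done
endef
```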


+ 17
- 41
net/strongswan/files/ipsec.init View File

@ -27,58 +27,31 @@ xappend() {
local file="$1" local file="$1"
shift shift
echo "${@}" >> "${file}"
}
remove_include() {
local file="$1"
local include="$2"
sed -i "\_${include}_d" "${file}"
}
remove_includes() {
remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
}
do_include() {
local conf="$1"
local uciconf="$2"
local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
[ ! -f "${conf}" ] && rm -rf "${conf}"
touch "${conf}"
cat "${conf}" | grep -v "${uciconf}" > "${backup}"
mv "${backup}" "${conf}"
xappend "${conf}" "include ${uciconf}"
file_reset "${uciconf}"
echo "$@" >> "$file"
} }
ipsec_reset() { ipsec_reset() {
do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
file_reset "$IPSEC_VAR_CONN_FILE"
} }
ipsec_xappend() { ipsec_xappend() {
xappend "${IPSEC_VAR_CONN_FILE}" "$@"
xappend "$IPSEC_VAR_CONN_FILE" "$@"
} }
swan_reset() { swan_reset() {
do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
file_reset "$STRONGSWAN_VAR_CONF_FILE"
} }
swan_xappend() { swan_xappend() {
xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
} }
secret_reset() { secret_reset() {
do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
file_reset "$IPSEC_VAR_SECRETS_FILE"
} }
secret_xappend() { secret_xappend() {
xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
} }
warning() { warning() {
@ -204,7 +177,7 @@ config_conn() {
[ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier" [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
[ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown" [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
[ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown" [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
[ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
[ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
ipsec_xappend " keyexchange=$keyexchange" ipsec_xappend " keyexchange=$keyexchange"
set_crypto_proposal "$1" set_crypto_proposal "$1"
@ -267,6 +240,14 @@ config_remote() {
ipsec_xappend "" ipsec_xappend ""
} }
do_preamble() {
ipsec_xappend "# generated by /etc/init.d/ipsec"
ipsec_xappend "version 2"
ipsec_xappend ""
secret_xappend "# generated by /etc/init.d/ipsec"
}
config_ipsec() { config_ipsec() {
local debug local debug
local rtinstall_enabled local rtinstall_enabled
@ -280,11 +261,7 @@ config_ipsec() {
secret_reset secret_reset
swan_reset swan_reset
ipsec_xappend "# generated by /etc/init.d/ipsec"
ipsec_xappend "version 2"
ipsec_xappend ""
secret_xappend "# generated by /etc/init.d/ipsec"
do_preamble
config_get debug "$1" debug 0 config_get debug "$1" debug 0
config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1 config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
@ -332,7 +309,6 @@ config_ipsec() {
prepare_env() { prepare_env() {
mkdir -p /var/ipsec mkdir -p /var/ipsec
remove_includes
config_load ipsec config_load ipsec
config_foreach config_ipsec ipsec config_foreach config_ipsec ipsec
config_foreach config_remote remote config_foreach config_remote remote
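Review bot: `secret_reset` now leaves creation of `/var/ipsec/ipsec.secrets` entirely to `file_reset` (defined outside this hunk), and the rewritten `xappend` appends PSKs and passwords to it with a plain `>>` redirect, so unless `file_reset` sets a mode the secrets file gets the umask default (typically 0644) inside a `/var/ipsec` that `mkdir -p` also leaves at the default mode. Now that `/etc/ipsec.secrets` always includes this generated file, it is worth tightening where it is created: `file_reset "$IPSEC_VAR_SECRETS_FILE"` followed by `chmod 600 "$IPSEC_VAR_SECRETS_FILE"` in `secret_reset`, and `chmod 700 /var/ipsec` right after the `mkdir -p /var/ipsec` in `prepare_env` so the window between create and chmod is covered; charon presumably reads these as root, so the stricter mode should not affect it. `prepare_env` continues past the end of this hunk.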

