diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile
index 806c16090..6134a0918 100644
--- a/net/ipsec-tools/Makefile
+++ b/net/ipsec-tools/Makefile
@@ -11,8 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=ipsec-tools
 PKG_VERSION:=0.8.2
-PKG_RELEASE:=5
-PKG_MAINTAINER:=Noah Meyerhans
+PKG_RELEASE:=6
+PKG_MAINTAINER:=Noah Meyerhans , \
+ Vitaly Protsko
 PKG_LICENSE := BSD-3-Clause
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
diff --git a/net/ipsec-tools/files/functions.sh b/net/ipsec-tools/files/functions.sh
index e3e739b93..45715b5a3 100644
--- a/net/ipsec-tools/files/functions.sh
+++ b/net/ipsec-tools/files/functions.sh
@@ -88,6 +88,41 @@ spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
 done
 }
+manage_nonesa() {
+ local spdcmd
+ local item
+ local cout cin
+
+ if [ -z "$4" ]; then
+ $log "Bad usage of manage_nonesa"
+ errno=3; return 3
+ fi
+
+ case "$1" in
+ add|up|1) spdcmd=add ;;
+ del|down|0) spdcmd=delete ;;
+ *) errno=3; return 3 ;;
+ esac
+
+ case "$2" in
+ local|remote) ;;
+ *) errno=3; return 3 ;;
+ esac
+
+ for item in $3 ; do
+ if [ "$2" = "local" ]; then
+ cout="$4 $item"
+ cin="$item $4"
+ else
+ cout="$item $4"
+ cin="$4 $item"
+ fi
+ echo "
+spd$spdcmd $cout any -P out none;
+spd$spdcmd $cin any -P in none;
+" | /usr/sbin/setkey -c 1>&2
+ done
+}
 . /lib/functions/network.sh
diff --git a/net/ipsec-tools/files/racoon b/net/ipsec-tools/files/racoon
index 3ce41eb49..e2c8400b4 100644
--- a/net/ipsec-tools/files/racoon
+++ b/net/ipsec-tools/files/racoon
@@ -51,6 +51,10 @@ config sainfo 'office'
 option p2_proposal 'example_prop2'
 option local_net '192.168.8.0/24'
 option remote_net '192.168.1.0/24'
+# you can exclude some local or remote
+# addresses from SA rules
+ list local_exclude '192.168.8.0/30'
+ list remote_exclude '192.168.1.128/29'
 config sainfo 'welcome'
 option p2_proposal 'example_in2'
diff --git a/net/ipsec-tools/files/racoon.init b/net/ipsec-tools/files/racoon.init
index 6520d5bde..247bdfc67 100644
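Review bot: manage_nonesa's src/dst ordering looks reversed against the manage_sa convention visible in the hunk header (`spd$spdcmd $ritem $litem any -P in …`, remote side first for an inbound policy, assuming $ritem/$litem name the remote and local sides): with $4 being the other side's net, the `remote` branch emits `-P in` with `$4 $item` (local first) and `-P out` with `$item $4` (remote first), and the `local` branch does the same, so the `none` entries would match no real flow and the exclusion would not take effect while the esp/require policy from manage_sa keeps applying. Swapping the cout/cin assignments in both branches, as below, restores the manage_sa order. Separately, the exit status of `/usr/sbin/setkey -c` is discarded, so a rejected spdadd/spddelete leaves errno untouched and the function returns 0 even though the argument checks above set errno=3; appending `|| { errno=3; return 3; }` to that line makes the failure visible to setup_sa's errno test. A header comment describing the arguments would help, e.g. `# manage_nonesa add|del local|remote "<prefix list>" <other-side net>: install/remove SPD 'none' entries so traffic between each listed prefix and <other-side net> bypasses IPsec`.
```sh
	for item in $3 ; do
		# setkey lists src before dst: local side first for -P out, remote side first for -P in
		if [ "$2" = "local" ]; then
			cout="$item $4"
			cin="$4 $item"
		else
			cout="$4 $item"
			cin="$item $4"
		fi
		echo "
spd$spdcmd $cout any -P out none;
spd$spdcmd $cin any -P in none;
" | /usr/sbin/setkey -c 1>&2 || { errno=3; return 3; }
	done
```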
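Review bot: The new comment explains what the lists do but not the consequence: manage_nonesa installs `-P out none` / `-P in none` SPD entries for these prefixes, so traffic between an excluded address and the other side's net is sent and accepted without IPsec protection. Suggest stating that in the example, e.g. `# Traffic between these addresses and the other side's net bypasses IPsec (policy 'none') and travels in clear text.`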
--- a/net/ipsec-tools/files/racoon.init
+++ b/net/ipsec-tools/files/racoon.init
@@ -183,10 +183,12 @@ setup_sa() {
 echo -e " split_network include $locnet;\n}" >> $conf
 elif [ -z "$client" ]; then
- manage_sa add $locnet $remnet $remote
+ config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
+ config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
+ manage_sa add "$locnet" "$remnet" $remote
 test $? -gt 0 -o $errno -gt 0 && return $errno
- manage_fw add $confIntZone $confExtZone $remnet
+ manage_fw add $confIntZone $confExtZone "$remnet"
 fi
 }
@@ -339,8 +341,10 @@ destroy_sa() {
 errno=4; return 4
 fi
- manage_sa del $locnet $remnet $2
- manage_fw del $confIntZone $confExtZone $remnet
+ config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
+ config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
+ manage_sa del "$locnet" "$remnet" $2
+ manage_fw del $confIntZone $confExtZone "$remnet"
 }
 destroy_tunnel() {
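Review bot: The config_list_foreach calls added to setup_sa pass their arguments in an order manage_nonesa does not expect: OpenWrt's /lib/functions.sh runs the callback as `$function "$val" "$@"`, so manage_nonesa would receive the excluded prefix as $1, `add` as $2 and `remote`/`local` as $3, its `case "$1"` falls into `*) errno=3; return 3`, no policy is installed, and because errno is left at 3 the `test $? -gt 0 -o $errno -gt 0` after manage_sa returns early before manage_fw (unless manage_sa resets errno, which is outside the hunk — please verify against the installed functions.sh). manage_nonesa already loops over a whitespace-separated list in $3, so reading each list with config_get (which yields the items space-joined) and calling it once per side, as below, matches its signature; the same change applies to the two config_list_foreach calls in destroy_sa in the second hunk. Both setup_sa and destroy_sa begin and end outside these hunks.
```sh
	elif [ -z "$client" ]; then
		local rexcl lexcl
		config_get rexcl "$1" remote_exclude
		config_get lexcl "$1" local_exclude
		manage_nonesa add remote "$rexcl" "$locnet"
		manage_nonesa add local "$lexcl" "$remnet"
		manage_sa add "$locnet" "$remnet" $remote
		# … unchanged: errno test and manage_fw add …
```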