From 643df01275798dc4a44d33ac1a8b630c91a80c8c Mon Sep 17 00:00:00 2001
From: Philip Prindeville
Date: Tue, 9 Feb 2021 23:42:00 -0700
Subject: [PATCH] strongswan: make the include's in the .conf files persistent

Having scripts diddle user written config files seems potentially dangerous. Plus there's really no downside to including some empty files. Best to just make the includes be permanent.

Additional feature suggested by Luiz: if a -opkg version of the config file was created unnecessarily, remove it as part of the upgrade process since changes won't be happening to that file as an artifact of the service starting.

The include lines are now permanent, which means that (1) additional configuration synthesized by UCI won't be anywhere that opkg (or sysupgrade, for that matter) cares about since it won't be persistent, and (2) if changes are being made, then they're being done by a person with an editor and they really should be distinguished.

Signed-off-by: Philip Prindeville
---
 net/strongswan/Makefile | 15 ++++++++-
 net/strongswan/files/ipsec.init | 58 ++++++++++-----------------------
 2 files changed, 31 insertions(+), 42 deletions(-)

diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index 993b5e1c8..98ef9e491 100644
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
@@ -454,9 +454,11 @@ endef
 define Package/strongswan/install
 	$(INSTALL_DIR) $(1)/etc
 	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
+	echo -e "\ninclude /var/ipsec/strongswan.conf" >> $(1)/etc/strongswan.conf
 	$(INSTALL_DIR) $(1)/usr/lib/ipsec
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
 	$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
+	echo -e "\ninclude /var/ipsec/ipsec.secrets" >> $(1)/etc/ipsec.secrets
 	$(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
@@ -502,9 +504,20 @@ endef
 define Package/strongswan-ipsec/install
 	$(INSTALL_DIR) $(1)/etc/ $(1)/usr/sbin
 	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
+	echo -e "\ninclude /var/ipsec/ipsec.conf" >> $(1)/etc/ipsec.conf
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
 endef
+define Package/strongswan-ipsec/postinst
+#!/bin/sh
+
+[ -z "$${IPKG_INSTROOT}" ] || exit 0
+
+opkg list-changed-conffiles | grep -qx /etc/ipsec.conf || {
+	rm -f /etc/ipsec.conf-opkg
+}
+endef
+
 define Package/strongswan-pki/install
 	$(INSTALL_DIR) $(1)/etc/strongswan.d
 	$(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/pki.conf $(1)/etc/strongswan.d/
diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init
index 1881e1f14..ed55b95a9 100644
--- a/net/strongswan/files/ipsec.init
+++ b/net/strongswan/files/ipsec.init
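Review bot: The `include /var/ipsec/ipsec.secrets` line appended to $(1)/etc/ipsec.secrets makes the daemon read secrets from a runtime directory unconditionally, so the mode of /var/ipsec and of the generated fragment now decides who on the box can read them; the init script's `mkdir -p /var/ipsec` (hunk at the end of this patch) sets no mode, so it presumably inherits the umask — worth confirming, and if needed creating it with `mkdir -p -m 0700 /var/ipsec`. Separately, the three `echo -e "\n..."` recipe lines rely on a bash-style echo: if the recipe shell is ever a POSIX sh, `-e` is printed literally into the conffile, so `printf '\ninclude /var/ipsec/strongswan.conf\n' >> $(1)/etc/strongswan.conf` (and likewise for ipsec.secrets here and ipsec.conf in the strongswan-ipsec/install hunk) is the portable form.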
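Review bot: In the new Package/strongswan-ipsec/postinst a failure of `opkg list-changed-conffiles` (for instance if a nested opkg cannot take the lock while the outer upgrade holds it — worth checking on a device) yields empty output, so `grep -qx` fails and the `||` branch deletes /etc/ipsec.conf-opkg even when the user's file really was modified. Checking opkg's status separately avoids that collapse: `changed=$$(opkg list-changed-conffiles) || exit 0` followed by `printf '%s\n' "$$changed" | grep -qx /etc/ipsec.conf || rm -f /etc/ipsec.conf-opkg` (note the `$$` escaping inside the define, as with `$${IPKG_INSTROOT}`). The old init script edited /etc/strongswan.conf and /etc/ipsec.secrets the same way as /etc/ipsec.conf (see the removed remove_includes in ipsec.init), so stale -opkg copies of those two can be left behind just as described in the commit message; a matching Package/strongswan/postinst for them would presumably be wanted for consistency.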
@@ -27,58 +27,31 @@ xappend() {
 	local file="$1"
 	shift
-	echo "${@}" >> "${file}"
-}
-
-remove_include() {
-	local file="$1"
-	local include="$2"
-
-	sed -i "\_${include}_d" "${file}"
-}
-
-remove_includes() {
-	remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
-	remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
-	remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
-}
-
-do_include() {
-	local conf="$1"
-	local uciconf="$2"
-	local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
-
-	[ ! -f "${conf}" ] && rm -rf "${conf}"
-	touch "${conf}"
-
-	cat "${conf}" | grep -v "${uciconf}" > "${backup}"
-	mv "${backup}" "${conf}"
-	xappend "${conf}" "include ${uciconf}"
-	file_reset "${uciconf}"
+	echo "$@" >> "$file"
 }
 ipsec_reset() {
-	do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
+	file_reset "$IPSEC_VAR_CONN_FILE"
 }
 ipsec_xappend() {
-	xappend "${IPSEC_VAR_CONN_FILE}" "$@"
+	xappend "$IPSEC_VAR_CONN_FILE" "$@"
 }
 swan_reset() {
-	do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
+	file_reset "$STRONGSWAN_VAR_CONF_FILE"
 }
 swan_xappend() {
-	xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
+	xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
 }
 secret_reset() {
-	do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
+	file_reset "$IPSEC_VAR_SECRETS_FILE"
 }
 secret_xappend() {
-	xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
+	xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
 }
 warning() {
@@ -204,7 +177,7 @@ config_conn() {
 	[ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
 	[ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
 	[ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
-	[ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
+	[ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
 	ipsec_xappend " keyexchange=$keyexchange"
 	set_crypto_proposal "$1"
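Review bot: The rewritten `echo "$@" >> "$file"` in xappend hands configuration-derived text straight to echo, and busybox ash's echo treats a first argument of `-n` or `-e` as an option and, under `-e`, rewrites backslash sequences, so such a value would land in the /var/ipsec fragment altered or with its option prefix dropped. The callers visible in this patch always pass a literal first argument, so this is hardening rather than a live bug, but `printf '%s\n' "$*" >> "$file"` writes the arguments verbatim with the same space joining and costs nothing. The xappend signature line is just outside this hunk.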
@@ -267,6 +240,14 @@ config_remote() {
 	ipsec_xappend ""
 }
+do_preamble() {
+	ipsec_xappend "# generated by /etc/init.d/ipsec"
+	ipsec_xappend "version 2"
+	ipsec_xappend ""
+
+	secret_xappend "# generated by /etc/init.d/ipsec"
+}
+
 config_ipsec() {
 	local debug
 	local rtinstall_enabled
@@ -280,11 +261,7 @@ config_ipsec() {
 	secret_reset
 	swan_reset
-	ipsec_xappend "# generated by /etc/init.d/ipsec"
-	ipsec_xappend "version 2"
-	ipsec_xappend ""
-
-	secret_xappend "# generated by /etc/init.d/ipsec"
+	do_preamble
 	config_get debug "$1" debug 0
 	config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
@@ -332,7 +309,6 @@ config_ipsec() {
 prepare_env() {
 	mkdir -p /var/ipsec
-	remove_includes
 	config_load ipsec
 	config_foreach config_ipsec ipsec
 	config_foreach config_remote remote
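Review bot: do_preamble carries no comment recording that it must run only after ipsec_reset and secret_reset, since it appends to the same fragments those calls reset, and the only place that ordering is enforced is the call site in config_ipsec; a header such as `# Write the fixed headers into the freshly reset conn and secrets fragments; call only after ipsec_reset/secret_reset.` would make the contract explicit. It also writes no header into the strongswan.conf fragment even though swan_reset runs alongside the other two resets in config_ipsec — presumably deliberate, as the old inline code behaved the same, but a one-line comment saying so would save the next reader the question.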