From 09dcf7486dc8cdf65cb46499d606d418848b6d93 Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Sun, 27 Jun 2021 16:26:39 -0600 Subject: [PATCH 1/6] strongswan: rename config functions Signed-off-by: Philip Prindeville --- net/strongswan/Makefile | 2 +- net/strongswan/files/swanctl.init | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile index 596bd8e38..a1eb7b8af 100644 --- a/net/strongswan/Makefile +++ b/net/strongswan/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=strongswan PKG_VERSION:=5.9.2 -PKG_RELEASE:=11 +PKG_RELEASE:=12 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/ diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init index 884fefe38..6ccddb076 100644 --- a/net/strongswan/files/swanctl.init +++ b/net/strongswan/files/swanctl.init @@ -210,7 +210,7 @@ parse_ike_proposal() { export -n "$var=$crypto" } -config_conn() { +config_child() { # Generic ipsec conn section shared by tunnel and transport local config_name="$1" local mode="$2" @@ -322,14 +322,14 @@ config_conn() { } config_tunnel() { - config_conn "$1" "tunnel" + config_child "$1" "tunnel" } config_transport() { - config_conn "$1" "transport" + config_child "$1" "transport" } -config_remote() { +config_connection() { local config_name="$1" local enabled @@ -574,7 +574,7 @@ prepare_env() { config_load ipsec config_foreach config_ipsec ipsec - config_foreach config_remote remote + config_foreach config_connection remote do_postamble } From 0fe23b0e4a258b57e09bb2209638166ec4c6924e Mon Sep 17 00:00:00 2001 
From: Philip Prindeville Date: Sat, 26 Jun 2021 11:26:18 -0600 Subject: [PATCH 2/6] strongswan: miscellaneous cleanup of config file, etc Use list's where appropriate for multi-value config variables. Forbid absolute/relative paths for certificate and key files. Get rid of last remnants of left/right naming. Factor invariant code paths. Drop redundant secrets.rsa.filename section. Thanks to Vincent Wiemann for calling out many of these improvements. Signed-off-by: Philip Prindeville --- net/strongswan/files/swanctl.init | 74 ++++++++++++++++++------------- 1 file changed, 44 insertions(+), 30 deletions(-) diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init index 6ccddb076..f498036d0 100644 --- a/net/strongswan/files/swanctl.init +++ b/net/strongswan/files/swanctl.init @@ -19,8 +19,7 @@ WAIT_FOR_INTF=0 CONFIG_FAIL=0 -time2seconds() -{ +time2seconds() { local timestring="$1" local multiplier number suffix @@ -42,8 +41,7 @@ time2seconds() echo $(( number * multiplier )) } -seconds2time() -{ +seconds2time() { local seconds="$1" if [ $seconds -eq 0 ]; then @@ -135,6 +133,11 @@ fatal() { CONFIG_FAIL=1 } +append_var() { + local var="$2" value="$1" delim="${3:- }" + append "$var" "$value" "$delim" +} + is_aead() { local cipher="$1" @@ -228,17 +231,18 @@ config_child() { local rekeytime config_get startaction "$1" startaction "route" - config_get local_subnet "$1" local_subnet "" config_get local_nat "$1" local_nat "" config_get updown "$1" updown "" config_get firewall "$1" firewall "" - config_get remote_subnet "$1" remote_subnet "" config_get lifetime "$1" lifetime "" config_get dpdaction "$1" dpdaction "none" config_get closeaction "$1" closeaction "none" config_get if_id "$1" if_id "" config_get rekeytime "$1" rekeytime "" + config_list_foreach "$1" local_subnet append_var local_subnet "," + config_list_foreach "$1" remote_subnet append_var remote_subnet "," + local esp_proposal parse_esp_proposal "$1" esp_proposal 
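Review bot: append_var has no comment explaining why its parameter order is (value, var, delim), the reverse of the `append` it wraps; that only becomes obvious once you notice it is written to be a config_list_foreach callback, which receives the list item as $1 and the caller's extra arguments after it. Suggest a header line above the function such as `# config_list_foreach callback: $1 = list item, $2 = variable to append to, $3 = delimiter (default: space)`. A one-line mention that the default delimiter is a space because of `${3:- }` would also save the next reader a lookup.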
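Review bot: Switching local_subnet and remote_subnet from `config_get` to `config_list_foreach` drops support for existing configs that still declare them with `option` rather than `list`; as far as I recall OpenWrt's config_list_foreach only walks the `${option}_LENGTH`/`_ITEMn` entries that `list` creates, so an `option local_subnet` would now silently yield an empty local_ts. If that break is intended it should be stated in the commit message; otherwise a fallback after each foreach keeps old configs working, e.g. `[ -n "$local_subnet" ] || config_get local_subnet "$1" local_subnet ""` and the same for remote_subnet. The local_sourceip change in the `@@ -373,6 +376,8 @@` hunk has the identical concern. config_child starts and ends outside this hunk.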
@@ -336,7 +340,7 @@ config_connection() { local gateway local local_gateway local local_sourceip - local local_leftip + local local_ip local remote_gateway local pre_shared_key local auth_method @@ -359,8 +363,7 @@ config_connection() { config_get auth_method "$1" authentication_method config_get local_identifier "$1" local_identifier "" config_get remote_identifier "$1" remote_identifier "" - config_get local_sourceip "$1" local_sourceip "" - config_get local_leftip "$1" local_leftip "%any" + config_get local_ip "$1" local_ip "%any" config_get keyingtries "$1" keyingtries "3" config_get dpddelay "$1" dpddelay "30s" config_get inactivity "$1" inactivity @@ -373,6 +376,8 @@ config_connection() { config_get rekeytime "$1" rekeytime config_get overtime "$1" overtime + config_list_foreach "$1" local_sourceip append_var local_sourceip "," + case "$fragmentation" in 0) fragmentation="no" ;; 
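Review bot: Renaming the UCI option from `local_leftip` to `local_ip` with no fallback means an existing config that sets `option local_leftip` now silently gets `local_addrs = %any`, which changes which address the connection binds to without any diagnostic. Either read the old name when the new one is absent, e.g. `[ "$local_ip" = "%any" ] && config_get local_ip "$1" local_leftip "%any"`, or at least call the rename out in the commit message as a breaking change, since the message currently only says "get rid of last remnants of left/right naming". config_connection starts and ends outside this hunk.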
@@ -389,22 +394,42 @@ config_connection() { [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway" - [ -z "$local_gateway" ] && { - local ipdest + local ipdest + [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway" + local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'` - [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway" - local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'` - } + if [ -n "$local_key" ]; then + [ "$(dirname "$local_key")" != "." ] && \ + fatal "local_key $local_key can't be pathname" + [ -f "/etc/swanctl/private/$local_key" ] || \ + fatal "local_key $local_key not found" + fi local ike_proposal parse_ike_proposal "$1" ike_proposal [ -n "$firewall" ] && fatal "Firewall not supported" + if [ "$auth_method" = pubkey ]; then + if [ -n "$ca_cert" ]; then + [ "$(dirname "$ca_cert")" != "." ] && \ + fatal "ca_cert $ca_cert can't be pathname" + [ -f "/etc/swanctl/x509ca/$ca_cert" ] || \ + fatal "ca_cert $ca_cert not found" + fi + + if [ -n "$local_cert" ]; then + [ "$(dirname "$local_cert")" != "." ] && \ + fatal "local_cert $local_cert can't be pathname" + [ -f "/etc/swanctl/x509/$local_cert" ] || \ + fatal "local_cert $local_cert not found" + fi + fi + swanctl_xappend0 "# config for $config_name" swanctl_xappend0 "connections {" swanctl_xappend1 "$config_name {" - swanctl_xappend2 "local_addrs = $local_leftip" + swanctl_xappend2 "local_addrs = $local_ip" swanctl_xappend2 "remote_addrs = $remote_gateway" [ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip" 
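Review bot: Dropping the `[ -z "$local_gateway" ]` guard makes the `ip route get` lookup unconditional, so any local_gateway value the function obtains elsewhere (the variable is still declared `local local_gateway` in an earlier hunk) is now overwritten; if nothing else sets it the declaration can go, otherwise the guard should stay. The lookup line also keeps backticks and an unquoted `$ipdest`, which is derived from the user-supplied `gateway` option, so I would write it as `local_gateway=$(ip -o route get "$ipdest" | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}')`. The new dirname-based checks for local_key, ca_cert and local_cert do reject any slash-containing name, but each forks a `dirname`; `case "$local_key" in */*) fatal "local_key $local_key can't be pathname" ;; esac` is at least as strict and stays in the shell. config_connection starts and ends outside this hunk.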
@@ -414,7 +439,8 @@ config_connection() { swanctl_xappend3 "auth = $auth_method" [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\"" - [ "$auth_method" = pubkey ] && swanctl_xappend3 "certs = $local_cert" + [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \ + swanctl_xappend3 "certs = $local_cert" swanctl_xappend2 "}" swanctl_xappend2 "remote {" @@ -464,14 +490,6 @@ config_connection() { if [ "$auth_method" = pubkey ]; then swanctl_xappend0 "" - swanctl_xappend0 "secrets {" - swanctl_xappend1 "rsa {" - swanctl_xappend2 "filename = $local_key" - swanctl_xappend1 "}" - swanctl_xappend0 "}" - - swanctl_xappend0 "" - if [ -n "$ca_cert" ]; then swanctl_xappend0 "authorities {" swanctl_xappend1 "$config_name {" @@ -505,15 +523,12 @@ do_preamble() { swanctl_xappend0 "# generated by /etc/init.d/swanctl" } -append_interface() { - append interface_list "$1" " " -} - config_ipsec() { local rtinstall_enabled local routing_table local routing_table_id local interface + local interface_list config_get debug "$1" debug 0 config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1 @@ -530,8 +545,7 @@ config_ipsec() { [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id" done - local interface_list - config_list_foreach "$1" interface append_interface + config_list_foreach "$1" interface append_var interface_list if [ -z "$interface_list" ]; then WAIT_FOR_INTF=0 From 0231e043b7c7a25d872a62c3482aaf8522e26345 Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Sat, 26 Jun 2021 13:01:20 -0600 Subject: [PATCH 3/6] strongswan: add support for hw_offload Also from Vincent Wiemann . Signed-off-by: Philip Prindeville --- net/strongswan/files/swanctl.init | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init index f498036d0..2144c5c20 100644 --- a/net/strongswan/files/swanctl.init +++ b/net/strongswan/files/swanctl.init 
@@ -218,6 +218,7 @@ config_child() { local config_name="$1" local mode="$2" + local hw_offload local local_subnet local local_nat local updown @@ -239,6 +240,7 @@ config_child() { config_get closeaction "$1" closeaction "none" config_get if_id "$1" if_id "" config_get rekeytime "$1" rekeytime "" + config_get hw_offload "$1" hw_offload "" config_list_foreach "$1" local_subnet append_var local_subnet "," config_list_foreach "$1" remote_subnet append_var remote_subnet "," @@ -299,12 +301,23 @@ config_child() { ;; esac + case "$hw_offload" in + yes|no|auto|"") + ;; + *) + fatal "hw_offload value $hw_offload invalid" + hw_offload="" + ;; + esac + [ -n "$local_nat" ] && local_subnet="$local_nat" swanctl_xappend3 "$config_name {" [ -n "$local_subnet" ] && swanctl_xappend4 "local_ts = $local_subnet" [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet" + + [ -n "$hw_offload" ] && swanctl_append4 "hw_offload = $hw_offload" [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; } [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction" [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction" From 11ff07267283a341d52baefddb59d66c45ed87d7 Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Sat, 26 Jun 2021 13:18:12 -0600 Subject: [PATCH 4/6] strongswan: add interface option for children This option sets the interface of the policy. Also from Vincent Wiemann . Signed-off-by: Philip Prindeville --- net/strongswan/files/swanctl.init | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init index 2144c5c20..cebd3ea84 100644 --- a/net/strongswan/files/swanctl.init +++ b/net/strongswan/files/swanctl.init @@ -219,6 +219,7 @@ config_child() { local mode="$2" local hw_offload + local interface local local_subnet local local_nat local updown 
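Review bot: The new `hw_offload = ...` line calls `swanctl_append4`, while every neighbouring line uses `swanctl_xappend4`, and I see no definition of `swanctl_append4` anywhere in this series; unless it exists elsewhere in the file, the shell reports "not found" and the option is silently left out of the generated swanctl.conf even though the value just passed validation. Change it to `[ -n "$hw_offload" ] && swanctl_xappend4 "hw_offload = $hw_offload"`. The same helper name is used for the interface line in PATCH 4/6 (`@@ -318,6 +320,7 @@`) and the priority line in PATCH 6/6 (`@@ -324,6 +326,7 @@`), so all three need the same fix. config_child starts and ends outside this hunk.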
@@ -240,6 +241,7 @@ config_child() { config_get closeaction "$1" closeaction "none" config_get if_id "$1" if_id "" config_get rekeytime "$1" rekeytime "" + config_get interface "$1" interface "" config_get hw_offload "$1" hw_offload "" config_list_foreach "$1" local_subnet append_var local_subnet "," @@ -318,6 +320,7 @@ config_child() { [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet" [ -n "$hw_offload" ] && swanctl_append4 "hw_offload = $hw_offload" + [ -n "$interface" ] && swanctl_append4 "interface = $interface" [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; } [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction" [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction" From 6c7971567667cb39f707476f0780698772e2db4b Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Sun, 27 Jun 2021 16:13:54 -0600 Subject: [PATCH 5/6] strongswan: add ipcomp support Also from Vincent Wiemann . Signed-off-by: Philip Prindeville --- net/strongswan/files/swanctl.init | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init index cebd3ea84..faef09042 100644 --- a/net/strongswan/files/swanctl.init +++ b/net/strongswan/files/swanctl.init @@ -220,6 +220,7 @@ config_child() { local hw_offload local interface + local ipcomp local local_subnet local local_nat local updown @@ -241,6 +242,7 @@ config_child() { config_get closeaction "$1" closeaction "none" config_get if_id "$1" if_id "" config_get rekeytime "$1" rekeytime "" + config_get_bool ipcomp "$1" ipcomp 0 config_get interface "$1" interface "" config_get hw_offload "$1" hw_offload "" 
@@ -320,6 +322,7 @@ config_child() { [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet" [ -n "$hw_offload" ] && swanctl_append4 "hw_offload = $hw_offload" + [ $ipcomp -eq 1 ] && swanctl_xappend4 "ipcomp = 1" [ -n "$interface" ] && swanctl_append4 "interface = $interface" [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; } [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction" From d279a64df85673e464369878f1c21afb8cce2466 Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Sun, 27 Jun 2021 16:45:40 -0600 Subject: [PATCH 6/6] strongswan: add priority option Also from Vincent Wiemann . Signed-off-by: Philip Prindeville --- net/strongswan/files/swanctl.init | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/strongswan/files/swanctl.init b/net/strongswan/files/swanctl.init index faef09042..2156e0730 100644 --- a/net/strongswan/files/swanctl.init +++ b/net/strongswan/files/swanctl.init @@ -221,6 +221,7 @@ config_child() { local hw_offload local interface local ipcomp + local priority local local_subnet local local_nat local updown @@ -245,6 +246,7 @@ config_child() { config_get_bool ipcomp "$1" ipcomp 0 config_get interface "$1" interface "" config_get hw_offload "$1" hw_offload "" + config_get priority "$1" priority "" config_list_foreach "$1" local_subnet append_var local_subnet "," config_list_foreach "$1" remote_subnet append_var remote_subnet "," 
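Review bot: Style: `[ $ipcomp -eq 1 ]` leaves the expansion unquoted, unlike every other test in this block, and emits `ipcomp = 1` where the hw_offload line next to it uses the yes/no spelling from swanctl.conf. `[ "$ipcomp" -eq 1 ] && swanctl_xappend4 "ipcomp = yes"` keeps both consistent; I believe strongSwan's boolean parser accepts `1` as well, so this is cosmetic rather than a functional problem. config_child starts and ends outside this hunk.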
@@ -324,6 +326,7 @@ config_child() { [ -n "$hw_offload" ] && swanctl_append4 "hw_offload = $hw_offload" [ $ipcomp -eq 1 ] && swanctl_xappend4 "ipcomp = 1" [ -n "$interface" ] && swanctl_append4 "interface = $interface" + [ -n "$priority" ] && swanctl_append4 "priority = $priority" [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; } [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction" [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction"
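Review bot: The new priority option is copied straight from UCI into swanctl.conf without the kind of validation hw_offload received two patches earlier, so a non-numeric or malformed value (including one containing braces or a newline) ends up in the generated file and breaks the whole connection definition rather than just this option. A numeric check next to the `config_get priority` line, mirroring the hw_offload case, keeps the failure mode local: `case "$priority" in ''|*[!0-9]*) [ -n "$priority" ] && { fatal "priority value $priority invalid"; priority=""; } ;; esac`. The interface option from PATCH 4/6 is emitted with the same lack of validation and would benefit from a similar guard. config_child starts and ends outside this hunk.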