ipsec: add ability to configure "none" SA

Also added myself as co-maintainer Signed-Off-By: Vitaly Protsko <villy@sft.ru> --- Makefile | 5 +++-- files/functions.sh | 35 +++++++++++++++++++++++++++++++++++ files/racoon | 4 ++++ files/racoon.init | 12 ++++++++---- 4 files changed, 50 insertions(+), 6 deletions(-)
8 years ago · df0e0bc17b
--- a/net/ipsec-tools/Makefile
+++ b/net/ipsec-tools/Makefile
@ -11,8 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk

 PKG_NAME:=ipsec-tools
 PKG_VERSION:=0.8.2
 PKG_RELEASE:=5
 PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
 PKG_RELEASE:=6
 PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
 	Vitaly Protsko <villy@sft.ru>
 PKG_LICENSE := BSD-3-Clause

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
--- a/net/ipsec-tools/files/functions.sh
+++ b/net/ipsec-tools/files/functions.sh
@ -88,6 +88,41 @@ spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
  done
 }

 manage_nonesa() {
  local spdcmd
  local item
  local cout cin

  if [ -z "$4" ]; then
    $log "Bad usage of manage_nonesa"
    errno=3; return 3
  fi

  case "$1" in
    add|up|1) spdcmd=add ;;
    del|down|0) spdcmd=delete ;;
    *) errno=3; return 3 ;;
  esac

  case "$2" in
    local|remote) ;;
    *) errno=3; return 3 ;;
  esac

  for item in $3 ; do
    if [ "$2" = "local" ]; then
      cout="$4 $item"
      cin="$item $4"
    else
      cout="$item $4"
      cin="$4 $item"
    fi
    echo "
 spd$spdcmd $cout any -P out none;
 spd$spdcmd $cin any -P in none;
 " | /usr/sbin/setkey -c 1>&2
  done
 }

 . /lib/functions/network.sh

--- a/net/ipsec-tools/files/racoon
+++ b/net/ipsec-tools/files/racoon
@ -51,6 +51,10 @@ config sainfo 'office'
 	option	p2_proposal	'example_prop2'
 	option	local_net	'192.168.8.0/24'
 	option	remote_net	'192.168.1.0/24'
 # you can exclude some local or remote
 # addresses from SA rules
 	list	local_exclude	'192.168.8.0/30'
 	list	remote_exclude	'192.168.1.128/29'

 config sainfo 'welcome'
 	option	p2_proposal	'example_in2'
--- a/net/ipsec-tools/files/racoon.init
+++ b/net/ipsec-tools/files/racoon.init
@ -183,10 +183,12 @@ setup_sa() {
    echo -e "  split_network include $locnet;\n}" >> $conf

  elif [ -z "$client" ]; then
    manage_sa add $locnet $remnet $remote
    config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
    config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
    manage_sa add "$locnet" "$remnet" $remote
    test $? -gt 0 -o $errno -gt 0 && return $errno

    manage_fw add $confIntZone $confExtZone $remnet
    manage_fw add $confIntZone $confExtZone "$remnet"
  fi
 }

@ -339,8 +341,10 @@ destroy_sa() {
    errno=4; return 4
  fi

  manage_sa del $locnet $remnet $2
  manage_fw del $confIntZone $confExtZone $remnet
  config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
  config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
  manage_sa del "$locnet" "$remnet" $2
  manage_fw del $confIntZone $confExtZone "$remnet"
 }

 destroy_tunnel() {