Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

strongswan: miscellaneous cleanup of config file, etc

Browse source 
Use list's where appropriate for multi-value config variables.

Forbid absolute/relative paths for certificate and key files.

Get rid of last remnants of left/right naming.

Factor invariant code paths.

Drop redundant secrets.rsa.filename section.

Thanks to Vincent Wiemann <vincent.wiemann@ironai.com> for calling
out many of these improvements.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This commit is contained in:
Philip Prindeville 2021-06-26 11:26:18 -06:00
parent 09dcf7486d
commit 0fe23b0e4a
1 changed files with 44 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
net/strongswan/files/swanctl.init
View file

@ -19,8 +19,7 @@ WAIT_FOR_INTF=0
CONFIG_FAIL=0 CONFIG_FAIL=0
time2seconds() time2seconds() {
{
local timestring="$1" local timestring="$1"
local multiplier number suffix local multiplier number suffix
@ -42,8 +41,7 @@ time2seconds()
echo $(( number * multiplier )) echo $(( number * multiplier ))
} }
seconds2time() seconds2time() {
{
local seconds="$1" local seconds="$1"
if [ $seconds -eq 0 ]; then if [ $seconds -eq 0 ]; then
@ -135,6 +133,11 @@ fatal() {
CONFIG_FAIL=1 CONFIG_FAIL=1
} }
append_var() {
local var="$2" value="$1" delim="${3:- }"
append "$var" "$value" "$delim"
}
is_aead() { is_aead() {
local cipher="$1" local cipher="$1"
@ -228,17 +231,18 @@ config_child() {
local rekeytime local rekeytime
config_get startaction "$1" startaction "route" config_get startaction "$1" startaction "route"
config_get local_subnet "$1" local_subnet ""
config_get local_nat "$1" local_nat "" config_get local_nat "$1" local_nat ""
config_get updown "$1" updown "" config_get updown "$1" updown ""
config_get firewall "$1" firewall "" config_get firewall "$1" firewall ""
config_get remote_subnet "$1" remote_subnet ""
config_get lifetime "$1" lifetime "" config_get lifetime "$1" lifetime ""
config_get dpdaction "$1" dpdaction "none" config_get dpdaction "$1" dpdaction "none"
config_get closeaction "$1" closeaction "none" config_get closeaction "$1" closeaction "none"
config_get if_id "$1" if_id "" config_get if_id "$1" if_id ""
config_get rekeytime "$1" rekeytime "" config_get rekeytime "$1" rekeytime ""
config_list_foreach "$1" local_subnet append_var local_subnet ","
config_list_foreach "$1" remote_subnet append_var remote_subnet ","
local esp_proposal local esp_proposal
parse_esp_proposal "$1" esp_proposal parse_esp_proposal "$1" esp_proposal
@ -336,7 +340,7 @@ config_connection() {
local gateway local gateway
local local_gateway local local_gateway
local local_sourceip local local_sourceip
local local_leftip local local_ip
local remote_gateway local remote_gateway
local pre_shared_key local pre_shared_key
local auth_method local auth_method
@ -359,8 +363,7 @@ config_connection() {
config_get auth_method "$1" authentication_method config_get auth_method "$1" authentication_method
config_get local_identifier "$1" local_identifier "" config_get local_identifier "$1" local_identifier ""
config_get remote_identifier "$1" remote_identifier "" config_get remote_identifier "$1" remote_identifier ""
config_get local_sourceip "$1" local_sourceip "" config_get local_ip "$1" local_ip "%any"
config_get local_leftip "$1" local_leftip "%any"
config_get keyingtries "$1" keyingtries "3" config_get keyingtries "$1" keyingtries "3"
config_get dpddelay "$1" dpddelay "30s" config_get dpddelay "$1" dpddelay "30s"
config_get inactivity "$1" inactivity config_get inactivity "$1" inactivity
@ -373,6 +376,8 @@ config_connection() {
config_get rekeytime "$1" rekeytime config_get rekeytime "$1" rekeytime
config_get overtime "$1" overtime config_get overtime "$1" overtime
config_list_foreach "$1" local_sourceip append_var local_sourceip ","
case "$fragmentation" in case "$fragmentation" in
0) 0)
fragmentation="no" ;; fragmentation="no" ;;
@ -389,22 +394,42 @@ config_connection() {
[ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway" [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
[ -z "$local_gateway" ] && { local ipdest
local ipdest [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
[ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway" if [ -n "$local_key" ]; then
local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'` [ "$(dirname "$local_key")" != "." ] && \
} fatal "local_key $local_key can't be pathname"
[ -f "/etc/swanctl/private/$local_key" ] || \
fatal "local_key $local_key not found"
fi
local ike_proposal local ike_proposal
parse_ike_proposal "$1" ike_proposal parse_ike_proposal "$1" ike_proposal
[ -n "$firewall" ] && fatal "Firewall not supported" [ -n "$firewall" ] && fatal "Firewall not supported"
if [ "$auth_method" = pubkey ]; then
if [ -n "$ca_cert" ]; then
[ "$(dirname "$ca_cert")" != "." ] && \
fatal "ca_cert $ca_cert can't be pathname"
[ -f "/etc/swanctl/x509ca/$ca_cert" ] || \
fatal "ca_cert $ca_cert not found"
fi
if [ -n "$local_cert" ]; then
[ "$(dirname "$local_cert")" != "." ] && \
fatal "local_cert $local_cert can't be pathname"
[ -f "/etc/swanctl/x509/$local_cert" ] || \
fatal "local_cert $local_cert not found"
fi
fi
swanctl_xappend0 "# config for $config_name" swanctl_xappend0 "# config for $config_name"
swanctl_xappend0 "connections {" swanctl_xappend0 "connections {"
swanctl_xappend1 "$config_name {" swanctl_xappend1 "$config_name {"
swanctl_xappend2 "local_addrs = $local_leftip" swanctl_xappend2 "local_addrs = $local_ip"
swanctl_xappend2 "remote_addrs = $remote_gateway" swanctl_xappend2 "remote_addrs = $remote_gateway"
[ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip" [ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip"
@ -414,7 +439,8 @@ config_connection() {
swanctl_xappend3 "auth = $auth_method" swanctl_xappend3 "auth = $auth_method"
[ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\"" [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\""
[ "$auth_method" = pubkey ] && swanctl_xappend3 "certs = $local_cert" [ "$auth_method" = pubkey ] && [ -n "$local_cert" ] && \
swanctl_xappend3 "certs = $local_cert"
swanctl_xappend2 "}" swanctl_xappend2 "}"
swanctl_xappend2 "remote {" swanctl_xappend2 "remote {"
@ -464,14 +490,6 @@ config_connection() {
if [ "$auth_method" = pubkey ]; then if [ "$auth_method" = pubkey ]; then
swanctl_xappend0 "" swanctl_xappend0 ""
swanctl_xappend0 "secrets {"
swanctl_xappend1 "rsa {"
swanctl_xappend2 "filename = $local_key"
swanctl_xappend1 "}"
swanctl_xappend0 "}"
swanctl_xappend0 ""
if [ -n "$ca_cert" ]; then if [ -n "$ca_cert" ]; then
swanctl_xappend0 "authorities {" swanctl_xappend0 "authorities {"
swanctl_xappend1 "$config_name {" swanctl_xappend1 "$config_name {"
@ -505,15 +523,12 @@ do_preamble() {
swanctl_xappend0 "# generated by /etc/init.d/swanctl" swanctl_xappend0 "# generated by /etc/init.d/swanctl"
} }
append_interface() {
append interface_list "$1" " "
}
config_ipsec() { config_ipsec() {
local rtinstall_enabled local rtinstall_enabled
local routing_table local routing_table
local routing_table_id local routing_table_id
local interface local interface
local interface_list
config_get debug "$1" debug 0 config_get debug "$1" debug 0
config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1 config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
@ -530,8 +545,7 @@ config_ipsec() {
[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id" [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
done done
local interface_list config_list_foreach "$1" interface append_var interface_list
config_list_foreach "$1" interface append_interface
if [ -z "$interface_list" ]; then if [ -z "$interface_list" ]; then
WAIT_FOR_INTF=0 WAIT_FOR_INTF=0