Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

strongswan: bump to 5.4.0

Browse source 
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This commit is contained in:
Stijn Tintel 2016-03-28 20:42:19 +02:00
parent 475be1df93
commit 108197ddcf
7 changed files with 22 additions and 757 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
net/strongswan/Makefile
View file

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=strongswan
PKG_VERSION:=5.3.5
PKG_RELEASE:=3
PKG_VERSION:=5.4.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
PKG_MD5SUM:=a2f9ea185f27e7f8413d4cd2ee61efe4
PKG_MD5SUM:=9d7c77b0da9b69f859624897e5e9ebbf
PKG_LICENSE:=GPL-2.0+
PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
@ -399,7 +399,7 @@ define Package/strongswan/install
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
$(INSTALL_DIR) $(1)/usr/lib/ipsec
$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
$(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
$(INSTALL_DIR) $(1)/etc/init.d
@ -562,7 +562,7 @@ $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charo
$(eval $(call BuildPlugin,sql,SQL database interface,))
$(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3))
$(eval $(call BuildPlugin,sshkey,SSH key decoding,))
$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils))
$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-charon +strongswan-utils))
$(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
$(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
$(eval $(call BuildPlugin,unity,Cisco Unity extension,))

12
net/strongswan/patches/101-musl-fixes.patch
View file

@ -50,8 +50,8 @@
+#undef blkcnt_t
+#undef crypt
+#undef encrypt
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -18,6 +18,8 @@
* for more details.
*/
@ -61,8 +61,8 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <stdint.h>
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -37,6 +37,8 @@
* THE SOFTWARE.
*/
@ -72,8 +72,8 @@
#include <sys/socket.h>
#include <sys/utsname.h>
#include <linux/netlink.h>
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -15,6 +15,8 @@
* for more details.
*/

324
net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch
View file

@ -1,324 +0,0 @@
From 1f642f872abe39cb5a67a87c4e9b63c9d78657d7 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 30 Nov 2015 16:30:22 +0100
Subject: [PATCH 2/2] forecast: Fix alignment when adding rules
Basically the same issue as with the connmark plugin.
#1212
---
src/libcharon/plugins/forecast/forecast_listener.c | 247 +++++++++++----------
1 file changed, 133 insertions(+), 114 deletions(-)
diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
index 63a8cb1..7e93617 100644
--- a/src/libcharon/plugins/forecast/forecast_listener.c
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2010-2014 Martin Willi
* Copyright (C) 2010-2014 revosec AG
*
@@ -25,6 +28,15 @@
#include <collections/hashtable.h>
#include <threading/rwlock.h>
+/**
+ * Add a struct at the current position in the buffer
+ */
+#define ADD_STRUCT(pos, st, ...) ({\
+ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
+ *(st*)_cur = (st){ __VA_ARGS__ };\
+ (st*)_cur;\
+})
+
typedef struct private_forecast_listener_t private_forecast_listener_t;
/**
@@ -164,60 +176,60 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
entry_t *entry, bool add)
{
- struct {
- struct ipt_entry e;
- struct ipt_entry_match m;
- struct xt_udp udp;
- struct ipt_entry_target t;
- struct xt_mark_tginfo2 tm;
- } ipt = {
- .e = {
- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
- sizeof(ipt.udp)),
- .next_offset = sizeof(ipt),
- .ip = {
- .proto = IPPROTO_UDP,
- },
+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ XT_ALIGN(sizeof(struct xt_udp));
+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+ u_int16_t entry_size = target_offset + target_size;
+ u_char ipt[entry_size], *pos = ipt;
+ struct ipt_entry *e;
+
+ memset(ipt, 0, sizeof(ipt));
+ e = ADD_STRUCT(pos, struct ipt_entry,
+ .target_offset = target_offset,
+ .next_offset = entry_size,
+ .ip = {
+ .proto = IPPROTO_UDP,
},
- .m = {
- .u = {
- .user = {
- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
- .name = "udp",
- },
+ );
+ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
+ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
+ {
+ return FALSE;
+ }
+ ADD_STRUCT(pos, struct ipt_entry_match,
+ .u = {
+ .user = {
+ .match_size = match_size,
+ .name = "udp",
},
},
- .udp = {
- .spts = {
- entry->rhost->get_port(entry->rhost),
- entry->rhost->get_port(entry->lhost)
- },
- .dpts = {
- entry->lhost->get_port(entry->lhost),
- entry->lhost->get_port(entry->lhost)
- },
+ );
+ ADD_STRUCT(pos, struct xt_udp,
+ .spts = {
+ entry->rhost->get_port(entry->rhost),
+ entry->rhost->get_port(entry->lhost)
},
- .t = {
- .u = {
- .user = {
- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
- .name = "MARK",
- .revision = 2,
- },
- },
+ .dpts = {
+ entry->lhost->get_port(entry->lhost),
+ entry->lhost->get_port(entry->lhost)
},
- .tm = {
- .mark = entry->mark,
- .mask = ~0,
+ );
+ ADD_STRUCT(pos, struct ipt_entry_target,
+ .u = {
+ .user = {
+ .target_size = target_size,
+ .name = "MARK",
+ .revision = 2,
+ },
},
- };
-
- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
- {
- return FALSE;
- }
- return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+ );
+ ADD_STRUCT(pos, struct xt_mark_tginfo2,
+ .mark = entry->mark,
+ .mask = ~0,
+ );
+ return manage_rule(ipth, "PREROUTING", add, e);
}
/**
@@ -225,53 +237,53 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
*/
static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add)
{
- struct {
- struct ipt_entry e;
- struct ipt_entry_match m;
- struct xt_esp esp;
- struct ipt_entry_target t;
- struct xt_mark_tginfo2 tm;
- } ipt = {
- .e = {
- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
- sizeof(ipt.esp)),
- .next_offset = sizeof(ipt),
- .ip = {
- .proto = IPPROTO_ESP,
- },
+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ XT_ALIGN(sizeof(struct xt_esp));
+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+ u_int16_t entry_size = target_offset + target_size;
+ u_char ipt[entry_size], *pos = ipt;
+ struct ipt_entry *e;
+
+ memset(ipt, 0, sizeof(ipt));
+ e = ADD_STRUCT(pos, struct ipt_entry,
+ .target_offset = target_offset,
+ .next_offset = entry_size,
+ .ip = {
+ .proto = IPPROTO_ESP,
},
- .m = {
- .u = {
- .user = {
- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
- .name = "esp",
- },
+ );
+ if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
+ !host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
+ {
+ return FALSE;
+ }
+ ADD_STRUCT(pos, struct ipt_entry_match,
+ .u = {
+ .user = {
+ .match_size = match_size,
+ .name = "esp",
},
},
- .esp = {
- .spis = { htonl(entry->spi), htonl(entry->spi) },
- },
- .t = {
- .u = {
- .user = {
- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
- .name = "MARK",
- .revision = 2,
- },
+ );
+ ADD_STRUCT(pos, struct xt_esp,
+ .spis = { htonl(entry->spi), htonl(entry->spi) },
+ );
+ ADD_STRUCT(pos, struct ipt_entry_target,
+ .u = {
+ .user = {
+ .target_size = target_size,
+ .name = "MARK",
+ .revision = 2,
},
},
- .tm = {
- .mark = entry->mark,
- .mask = ~0,
- },
- };
-
- if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
- !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
- {
- return FALSE;
- }
- return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+ );
+ ADD_STRUCT(pos, struct xt_mark_tginfo2,
+ .mark = entry->mark,
+ .mask = ~0,
+ );
+ return manage_rule(ipth, "PREROUTING", add, e);
}
/**
@@ -291,45 +303,52 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add)
*/
static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add)
{
- struct {
- struct ipt_entry e;
- struct ipt_entry_target t;
- struct xt_mark_tginfo2 m;
- } ipt = {
- .e = {
- .target_offset = XT_ALIGN(sizeof(ipt.e)),
- .next_offset = sizeof(ipt),
- },
- .t = {
- .u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)),
- .u.user.name = "MARK",
- .u.user.revision = 2,
- },
- .m = {
- .mark = entry->mark,
- .mask = ~0,
+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry));
+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+ u_int16_t entry_size = target_offset + target_size;
+ u_char ipt[entry_size], *pos = ipt;
+ struct ipt_entry *e;
+
+ memset(ipt, 0, sizeof(ipt));
+ e = ADD_STRUCT(pos, struct ipt_entry,
+ .target_offset = target_offset,
+ .next_offset = entry_size,
+ );
+ ADD_STRUCT(pos, struct ipt_entry_target,
+ .u = {
+ .user = {
+ .target_size = target_size,
+ .name = "MARK",
+ .revision = 2,
+ },
},
- };
+ );
+ ADD_STRUCT(pos, struct xt_mark_tginfo2,
+ .mark = entry->mark,
+ .mask = ~0,
+ );
+
enumerator_t *enumerator;
traffic_selector_t *ts;
enumerator = array_create_enumerator(entry->rts);
while (enumerator->enumerate(enumerator, &ts))
{
- if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk))
+ if (!ts2in(ts, &e->ip.dst, &e->ip.dmsk))
{
continue;
}
- if (ipt.e.ip.dst.s_addr == 0xffffffff ||
- ipt.e.ip.dst.s_addr == entry->broadcast ||
- memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1))
+ if (e->ip.dst.s_addr == 0xffffffff ||
+ e->ip.dst.s_addr == entry->broadcast ||
+ memeq(&e->ip.dst.s_addr, "\xe0", 1))
{
/* skip broadcast/multicast selectors, they are shared and the mark
* is set by the socket we use for reinjection */
continue;
}
- if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) ||
- !manage_rule(ipth, "OUTPUT", add, &ipt.e))
+ if (!manage_rule(ipth, "PREROUTING", add, e) ||
+ !manage_rule(ipth, "OUTPUT", add, e))
{
enumerator->destroy(enumerator);
return FALSE;
--
2.4.10

411
net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch
View file

@ -1,411 +0,0 @@
From a4d7f5ee6f36decdcd18d70078e1f0a847fe9b24 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 30 Nov 2015 16:04:35 +0100
Subject: [PATCH 1/2] connmark: Fix alignment when adding rules
The structs that make up a message sent to the kernel have all to be
aligned with XT_ALIGN. That was not necessarily the case when
initializing the complete message as struct.
#1212
---
src/libcharon/plugins/connmark/connmark_listener.c | 332 +++++++++++----------
1 file changed, 172 insertions(+), 160 deletions(-)
diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
index 23df690..cd53701 100644
--- a/src/libcharon/plugins/connmark/connmark_listener.c
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
@@ -25,6 +28,14 @@
#include <linux/netfilter/xt_policy.h>
#include <linux/netfilter/xt_CONNMARK.h>
+/**
+ * Add a struct at the current position in the buffer
+ */
+#define ADD_STRUCT(pos, st, ...) ({\
+ typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
+ *(st*)_cur = (st){ __VA_ARGS__ };\
+ (st*)_cur;\
+})
typedef struct private_connmark_listener_t private_connmark_listener_t;
@@ -108,54 +119,54 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
u_int mark, u_int32_t spi,
host_t *dst, host_t *src)
{
- struct {
- struct ipt_entry e;
- struct ipt_entry_match m;
- struct xt_udp udp;
- struct ipt_entry_target t;
- struct xt_mark_tginfo2 tm;
- } ipt = {
- .e = {
- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
- sizeof(ipt.udp)),
- .next_offset = sizeof(ipt),
- .ip = {
- .proto = IPPROTO_UDP,
- },
+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ XT_ALIGN(sizeof(struct xt_udp));
+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+ u_int16_t entry_size = target_offset + target_size;
+ u_char ipt[entry_size], *pos = ipt;
+ struct ipt_entry *e;
+
+ memset(ipt, 0, sizeof(ipt));
+ e = ADD_STRUCT(pos, struct ipt_entry,
+ .target_offset = target_offset,
+ .next_offset = entry_size,
+ .ip = {
+ .proto = IPPROTO_UDP,
},
- .m = {
- .u = {
- .user = {
- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
- .name = "udp",
- },
+ );
+ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+ !host2in(src, &e->ip.src, &e->ip.smsk))
+ {
+ return FALSE;
+ }
+ ADD_STRUCT(pos, struct ipt_entry_match,
+ .u = {
+ .user = {
+ .match_size = match_size,
+ .name = "udp",
},
},
- .udp = {
- .spts = { src->get_port(src), src->get_port(src) },
- .dpts = { dst->get_port(dst), dst->get_port(dst) },
- },
- .t = {
- .u = {
- .user = {
- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
- .name = "MARK",
- .revision = 2,
- },
+ );
+ ADD_STRUCT(pos, struct xt_udp,
+ .spts = { src->get_port(src), src->get_port(src) },
+ .dpts = { dst->get_port(dst), dst->get_port(dst) },
+ );
+ ADD_STRUCT(pos, struct ipt_entry_target,
+ .u = {
+ .user = {
+ .target_size = target_size,
+ .name = "MARK",
+ .revision = 2,
},
},
- .tm = {
- .mark = mark,
- .mask = ~0,
- },
- };
-
- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
- {
- return FALSE;
- }
- return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+ );
+ ADD_STRUCT(pos, struct xt_mark_tginfo2,
+ .mark = mark,
+ .mask = ~0,
+ );
+ return manage_rule(ipth, "PREROUTING", add, e);
}
/**
@@ -166,53 +177,53 @@ static bool manage_pre_esp(private_connmark_listener_t *this,
u_int mark, u_int32_t spi,
host_t *dst, host_t *src)
{
- struct {
- struct ipt_entry e;
- struct ipt_entry_match m;
- struct xt_esp esp;
- struct ipt_entry_target t;
- struct xt_mark_tginfo2 tm;
- } ipt = {
- .e = {
- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
- sizeof(ipt.esp)),
- .next_offset = sizeof(ipt),
- .ip = {
- .proto = IPPROTO_ESP,
- },
+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ XT_ALIGN(sizeof(struct xt_esp));
+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ XT_ALIGN(sizeof(struct xt_mark_tginfo2));
+ u_int16_t entry_size = target_offset + target_size;
+ u_char ipt[entry_size], *pos = ipt;
+ struct ipt_entry *e;
+
+ memset(ipt, 0, sizeof(ipt));
+ e = ADD_STRUCT(pos, struct ipt_entry,
+ .target_offset = target_offset,
+ .next_offset = entry_size,
+ .ip = {
+ .proto = IPPROTO_ESP,
},
- .m = {
- .u = {
- .user = {
- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
- .name = "esp",
- },
+ );
+ if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+ !host2in(src, &e->ip.src, &e->ip.smsk))
+ {
+ return FALSE;
+ }
+ ADD_STRUCT(pos, struct ipt_entry_match,
+ .u = {
+ .user = {
+ .match_size = match_size,
+ .name = "esp",
},
},
- .esp = {
- .spis = { htonl(spi), htonl(spi) },
- },
- .t = {
- .u = {
- .user = {
- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
- .name = "MARK",
- .revision = 2,
- },
+ );
+ ADD_STRUCT(pos, struct xt_esp,
+ .spis = { htonl(spi), htonl(spi) },
+ );
+ ADD_STRUCT(pos, struct ipt_entry_target,
+ .u = {
+ .user = {
+ .target_size = target_size,
+ .name = "MARK",
+ .revision = 2,
},
},
- .tm = {
- .mark = mark,
- .mask = ~0,
- },
- };
-
- if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
- !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
- {
- return FALSE;
- }
- return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+ );
+ ADD_STRUCT(pos, struct xt_mark_tginfo2,
+ .mark = mark,
+ .mask = ~0,
+ );
+ return manage_rule(ipth, "PREROUTING", add, e);
}
/**
@@ -238,59 +249,59 @@ static bool manage_in(private_connmark_listener_t *this,
u_int mark, u_int32_t spi,
traffic_selector_t *dst, traffic_selector_t *src)
{
- struct {
- struct ipt_entry e;
- struct ipt_entry_match m;
- struct xt_policy_info p;
- struct ipt_entry_target t;
- struct xt_connmark_tginfo1 cm;
- } ipt = {
- .e = {
- .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
- sizeof(ipt.p)),
- .next_offset = sizeof(ipt),
- },
- .m = {
- .u = {
- .user = {
- .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)),
- .name = "policy",
- },
+ u_int16_t match_size = XT_ALIGN(sizeof(struct ipt_entry_match)) +
+ XT_ALIGN(sizeof(struct xt_policy_info));
+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
+ u_int16_t entry_size = target_offset + target_size;
+ u_char ipt[entry_size], *pos = ipt;
+ struct ipt_entry *e;
+
+ memset(ipt, 0, sizeof(ipt));
+ e = ADD_STRUCT(pos, struct ipt_entry,
+ .target_offset = target_offset,
+ .next_offset = entry_size,
+ );
+ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+ !ts2in(src, &e->ip.src, &e->ip.smsk))
+ {
+ return FALSE;
+ }
+ ADD_STRUCT(pos, struct ipt_entry_match,
+ .u = {
+ .user = {
+ .match_size = match_size,
+ .name = "policy",
},
},
- .p = {
- .pol = {
- {
- .spi = spi,
- .match.spi = 1,
- },
+ );
+ ADD_STRUCT(pos, struct xt_policy_info,
+ .pol = {
+ {
+ .spi = spi,
+ .match.spi = 1,
},
- .len = 1,
- .flags = XT_POLICY_MATCH_IN,
},
- .t = {
- .u = {
- .user = {
- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
- .name = "CONNMARK",
- .revision = 1,
- },
+ .len = 1,
+ .flags = XT_POLICY_MATCH_IN,
+ );
+ ADD_STRUCT(pos, struct ipt_entry_target,
+ .u = {
+ .user = {
+ .target_size = target_size,
+ .name = "CONNMARK",
+ .revision = 1,
},
},
- .cm = {
- .ctmark = mark,
- .ctmask = ~0,
- .nfmask = ~0,
- .mode = XT_CONNMARK_SET,
- },
- };
-
- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
- !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
- {
- return FALSE;
- }
- return manage_rule(ipth, "INPUT", add, &ipt.e);
+ );
+ ADD_STRUCT(pos, struct xt_connmark_tginfo1,
+ .ctmark = mark,
+ .ctmask = ~0,
+ .nfmask = ~0,
+ .mode = XT_CONNMARK_SET,
+ );
+ return manage_rule(ipth, "INPUT", add, e);
}
/**
@@ -300,37 +311,38 @@ static bool manage_out(private_connmark_listener_t *this,
struct iptc_handle *ipth, bool add,
traffic_selector_t *dst, traffic_selector_t *src)
{
- struct {
- struct ipt_entry e;
- struct ipt_entry_target t;
- struct xt_connmark_tginfo1 cm;
- } ipt = {
- .e = {
- .target_offset = XT_ALIGN(sizeof(ipt.e)),
- .next_offset = sizeof(ipt),
- },
- .t = {
- .u = {
- .user = {
- .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
- .name = "CONNMARK",
- .revision = 1,
- },
- },
- },
- .cm = {
- .ctmask = ~0,
- .nfmask = ~0,
- .mode = XT_CONNMARK_RESTORE,
- },
- };
-
- if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
- !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+ u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry));
+ u_int16_t target_size = XT_ALIGN(sizeof(struct ipt_entry_target)) +
+ XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
+ u_int16_t entry_size = target_offset + target_size;
+ u_char ipt[entry_size], *pos = ipt;
+ struct ipt_entry *e;
+
+ memset(ipt, 0, sizeof(ipt));
+ e = ADD_STRUCT(pos, struct ipt_entry,
+ .target_offset = target_offset,
+ .next_offset = entry_size,
+ );
+ if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
+ !ts2in(src, &e->ip.src, &e->ip.smsk))
{
return FALSE;
}
- return manage_rule(ipth, "OUTPUT", add, &ipt.e);
+ ADD_STRUCT(pos, struct ipt_entry_target,
+ .u = {
+ .user = {
+ .target_size = target_size,
+ .name = "CONNMARK",
+ .revision = 1,
+ },
+ },
+ );
+ ADD_STRUCT(pos, struct xt_connmark_tginfo1,
+ .ctmask = ~0,
+ .nfmask = ~0,
+ .mode = XT_CONNMARK_RESTORE,
+ );
+ return manage_rule(ipth, "OUTPUT", add, e);
}
/**
--
2.4.10

4
net/strongswan/patches/201-kmodloader.patch
View file

@ -1,6 +1,6 @@
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
@ -9,7 +9,7 @@
}
/* now test again */
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{

10
net/strongswan/patches/210-sleep.patch
View file

@ -4,8 +4,8 @@
loop=110
while [ $loop -gt 0 ] ; do
kill -0 $spid 2>/dev/null || break
- sleep 0.1
+ sleep 1
loop=$(($loop - 1))
done
if [ $loop -eq 0 ]
- sleep 0.1 2>/dev/null
+ sleep 1 2>/dev/null
if [ $? -ne 0 ]
then
sleep 1

8
net/strongswan/patches/305-minimal_dh_plugin.patch
View file

@ -8,7 +8,7 @@
ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
ARG_ENABL_SET([md4], [enable MD4 software implementation plugin.])
ARG_DISBL_SET([md5], [disable MD5 software implementation plugin.])
@@ -1312,6 +1313,7 @@ ADD_PLUGIN([gcrypt], [s ch
@@ -1325,6 +1326,7 @@ ADD_PLUGIN([gcrypt], [s ch
ADD_PLUGIN([af-alg], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
ADD_PLUGIN([fips-prf], [s charon nm cmd])
ADD_PLUGIN([gmp], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
@ -16,7 +16,7 @@
ADD_PLUGIN([agent], [s charon nm cmd])
ADD_PLUGIN([keychain], [s charon cmd])
ADD_PLUGIN([chapoly], [s charon scripts nm cmd])
@@ -1444,6 +1446,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x
@@ -1458,6 +1460,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x
AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
@ -24,7 +24,7 @@
AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
@@ -1692,6 +1695,7 @@ AC_CONFIG_FILES([
@@ -1707,6 +1710,7 @@ AC_CONFIG_FILES([
src/libstrongswan/plugins/sha3/Makefile
src/libstrongswan/plugins/fips_prf/Makefile
src/libstrongswan/plugins/gmp/Makefile
@ -34,7 +34,7 @@
src/libstrongswan/plugins/random/Makefile
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -303,6 +303,13 @@ if MONOLITHIC
@@ -305,6 +305,13 @@ if MONOLITHIC
endif
endif