strongswan: make the include's in the .conf files persistent

Having scripts diddle user written config files seems potentially dangerous. Plus there's really no downside to including some empty files. Best to just make the includes be permanent. Additional feature suggested by Luiz: if a -opkg version of the config file was created unnecessarily, remove it as part of the upgrade process since changes won't be happening to that file as an artifact of the service starting. The include lines are now permanent, which means that (1) additional configuration synthesized by UCI won't be anywhere that opkg (or sysupgrade, for that matter) cares about since it won't be persistent, and (2) if changes are being made, then they're being done by a person with an editor and they really should be distinguished. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> (cherry picked from commit 643df01275)
2021-02-09 23:42:00 -07:00 · 2021-02-09 23:42:00 -07:00 · 56feabdcdc
commit 56feabdcdc
parent 2983a7f9ef
2 changed files with 31 additions and 42 deletions
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
@ -454,9 +454,11 @@ endef
 define Package/strongswan/install
 	$(INSTALL_DIR) $(1)/etc
 	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
+	echo -e "\ninclude /var/ipsec/strongswan.conf" >> $(1)/etc/strongswan.conf
 	$(INSTALL_DIR) $(1)/usr/lib/ipsec
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
 	$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
+	echo -e "\ninclude /var/ipsec/ipsec.secrets" >> $(1)/etc/ipsec.secrets
 	$(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
@ -502,9 +504,20 @@ endef
 define Package/strongswan-ipsec/install
 	$(INSTALL_DIR) $(1)/etc/ $(1)/usr/sbin
 	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
+	echo -e "\ninclude /var/ipsec/ipsec.conf" >> $(1)/etc/ipsec.conf
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
 endef

+define Package/strongswan-ipsec/postinst
+#!/bin/sh
+
+[ -z "$${IPKG_INSTROOT}" ] || exit 0
+
+opkg list-changed-conffiles | grep -qx /etc/ipsec.conf || {
+	rm -f /etc/ipsec.conf-opkg
+}
+endef
+
 define Package/strongswan-pki/install
 	$(INSTALL_DIR) $(1)/etc/strongswan.d
 	$(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/pki.conf $(1)/etc/strongswan.d/
--- a/net/strongswan/files/ipsec.init
+++ b/net/strongswan/files/ipsec.init
@ -27,58 +27,31 @@ xappend() {
 	local file="$1"
 	shift

-	echo "${@}" >> "${file}"
-}
-
-remove_include() {
-	local file="$1"
-	local include="$2"
-
-	sed -i "\_${include}_d" "${file}"
-}
-
-remove_includes() {
-	remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
-	remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
-	remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
-}
-
-do_include() {
-	local conf="$1"
-	local uciconf="$2"
-	local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
-
-	[ ! -f "${conf}" ] && rm -rf "${conf}"
-	touch "${conf}"
-
-	cat "${conf}" | grep -v "${uciconf}" > "${backup}"
-	mv "${backup}" "${conf}"
-	xappend "${conf}" "include ${uciconf}"
-	file_reset "${uciconf}"
+	echo "$@" >> "$file"
 }

 ipsec_reset() {
-	do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
+	file_reset "$IPSEC_VAR_CONN_FILE"
 }

 ipsec_xappend() {
-	xappend "${IPSEC_VAR_CONN_FILE}" "$@"
+	xappend "$IPSEC_VAR_CONN_FILE" "$@"
 }

 swan_reset() {
-	do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
+	file_reset "$STRONGSWAN_VAR_CONF_FILE"
 }

 swan_xappend() {
-	xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
+	xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
 }

 secret_reset() {
-	do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
+	file_reset "$IPSEC_VAR_SECRETS_FILE"
 }

 secret_xappend() {
-	xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
+	xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
 }

 warning() {
@ -204,7 +177,7 @@ config_conn() {
 	[ -n "$remote_identifier" ] && ipsec_xappend "  rightid=$remote_identifier"
 	[ -n "$local_updown" ] && ipsec_xappend "  leftupdown=$local_updown"
 	[ -n "$remote_updown" ] && ipsec_xappend "  rightupdown=$remote_updown"
-	[ -n "$packet_marker" ] && ipsec_xappend "  mark=$packet_marker"	
+	[ -n "$packet_marker" ] && ipsec_xappend "  mark=$packet_marker"
 	ipsec_xappend "  keyexchange=$keyexchange"

 	set_crypto_proposal "$1"
@ -267,6 +240,14 @@ config_remote() {
 	ipsec_xappend ""
 }

+do_preamble() {
+	ipsec_xappend "# generated by /etc/init.d/ipsec"
+	ipsec_xappend "version 2"
+	ipsec_xappend ""
+
+	secret_xappend "# generated by /etc/init.d/ipsec"
+}
+
 config_ipsec() {
 	local debug
 	local rtinstall_enabled
@ -280,11 +261,7 @@ config_ipsec() {
 	secret_reset
 	swan_reset

-	ipsec_xappend "# generated by /etc/init.d/ipsec"
-	ipsec_xappend "version 2"
-	ipsec_xappend ""
-
-	secret_xappend "# generated by /etc/init.d/ipsec"
+	do_preamble

 	config_get debug "$1" debug 0
 	config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
@ -332,7 +309,6 @@ config_ipsec() {

 prepare_env() {
 	mkdir -p /var/ipsec
-	remove_includes
 	config_load ipsec
 	config_foreach config_ipsec ipsec
 	config_foreach config_remote remote