strongswan: add interface uci list
The interface config option allows users to configure logical OpenWRT interface names in the ipsec section; it allows StrongSwan to listen and send traffic on specified interface(s). It translates to interfaces_use StrongSwan option which is a comma sepearted list of network devices that should be used by charon. Since StrongSwan can only be started when one of the specified logical OpenWRT interface is up procd interface triggers are installed to trigger the reload script. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This commit is contained in:
Hans Dedecker
parent
1d31d840d4
commit
74dbf6bcbe
2 changed files with 33 additions and 4 deletions
|
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=strongswan
|
PKG_NAME:=strongswan
|
||||||
PKG_VERSION:=5.6.1
|
PKG_VERSION:=5.6.1
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=2
|
||||||
|
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||||
PKG_HASH:=e0c282d8ad418609c5dfb5e8efa01b28b95ef3678070ed47bf2a229f55f4ab53
|
PKG_HASH:=e0c282d8ad418609c5dfb5e8efa01b28b95ef3678070ed47bf2a229f55f4ab53
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ USE_PROCD=1
|
||||||
PROG=/usr/lib/ipsec/starter
|
PROG=/usr/lib/ipsec/starter
|
||||||
|
|
||||||
. $IPKG_INSTROOT/lib/functions.sh
|
. $IPKG_INSTROOT/lib/functions.sh
|
||||||
|
. $IPKG_INSTROOT/lib/functions/network.sh
|
||||||
|
|
||||||
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
|
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
|
||||||
IPSEC_CONN_FILE=/etc/ipsec.conf
|
IPSEC_CONN_FILE=/etc/ipsec.conf
|
||||||
|
|
@ -16,6 +17,8 @@ IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
|
||||||
IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
|
IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
|
||||||
STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
|
STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
|
||||||
|
|
||||||
|
WAIT_FOR_INTF=0
|
||||||
|
|
||||||
file_reset() {
|
file_reset() {
|
||||||
: > "$1"
|
: > "$1"
|
||||||
}
|
}
|
||||||
|
|
@ -290,11 +293,23 @@ config_ipsec() {
|
||||||
[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
|
[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
local interface_list=$(config_get "$1" "interface")
|
||||||
|
if [ -z "$interface_list" ]; then
|
||||||
|
WAIT_FOR_INTF=0
|
||||||
|
else
|
||||||
|
for interface in $interface_list; do
|
||||||
|
network_get_device device $interface
|
||||||
|
[ -n "$device" ] && append device_list "$device" ","
|
||||||
|
done
|
||||||
|
[ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
|
||||||
|
fi
|
||||||
|
|
||||||
swan_xappend "# generated by /etc/init.d/ipsec"
|
swan_xappend "# generated by /etc/init.d/ipsec"
|
||||||
swan_xappend "charon {"
|
swan_xappend "charon {"
|
||||||
swan_xappend " load_modular = yes"
|
swan_xappend " load_modular = yes"
|
||||||
swan_xappend " install_routes = $install_routes"
|
swan_xappend " install_routes = $install_routes"
|
||||||
[ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
|
[ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
|
||||||
|
[ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
|
||||||
swan_xappend " plugins {"
|
swan_xappend " plugins {"
|
||||||
swan_xappend " include /etc/strongswan.d/charon/*.conf"
|
swan_xappend " include /etc/strongswan.d/charon/*.conf"
|
||||||
swan_xappend " }"
|
swan_xappend " }"
|
||||||
|
|
@ -325,21 +340,35 @@ service_running() {
|
||||||
reload_service() {
|
reload_service() {
|
||||||
running && {
|
running && {
|
||||||
prepare_env
|
prepare_env
|
||||||
|
[ $WAIT_FOR_INTF -eq 0 ] && {
|
||||||
ipsec rereadall
|
ipsec rereadall
|
||||||
ipsec reload
|
ipsec reload
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
start
|
start
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_ipsec_interface() {
|
||||||
|
local intf
|
||||||
|
|
||||||
|
for intf in $(config_get "$1" interface); do
|
||||||
|
procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
service_triggers() {
|
service_triggers() {
|
||||||
procd_add_reload_trigger "ipsec"
|
procd_add_reload_trigger "ipsec"
|
||||||
|
config load "ipsec"
|
||||||
|
config_foreach check_ipsec_interface ipsec
|
||||||
}
|
}
|
||||||
|
|
||||||
start_service() {
|
start_service() {
|
||||||
prepare_env
|
prepare_env
|
||||||
|
|
||||||
|
[ $WAIT_FOR_INTF -eq 1 ] && return
|
||||||
|
|
||||||
procd_open_instance
|
procd_open_instance
|
||||||
|
|
||||||
procd_set_param command $PROG --daemon charon --nofork
|
procd_set_param command $PROG --daemon charon --nofork
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue