ipsec: add ability to configure "none" SA
Also added myself as co-maintainer Signed-Off-By: Vitaly Protsko <villy@sft.ru> --- Makefile | 5 +++-- files/functions.sh | 35 +++++++++++++++++++++++++++++++++++ files/racoon | 4 ++++ files/racoon.init | 12 ++++++++---- 4 files changed, 50 insertions(+), 6 deletions(-)
parent
4eec08f225
commit
df0e0bc17b
4 changed files with 50 additions and 6 deletions
@ -11,8 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk
|
|||
|
||||
PKG_NAME:=ipsec-tools
|
||||
PKG_VERSION:=0.8.2
|
||||
PKG_RELEASE:=5
|
||||
PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
|
||||
PKG_RELEASE:=6
|
||||
PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
|
||||
Vitaly Protsko <villy@sft.ru>
|
||||
PKG_LICENSE := BSD-3-Clause
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
|
|
|
@ -88,6 +88,41 @@ spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
|
|||
done
|
||||
}
|
||||
|
||||
manage_nonesa() {
|
||||
local spdcmd
|
||||
local item
|
||||
local cout cin
|
||||
|
||||
if [ -z "$4" ]; then
|
||||
$log "Bad usage of manage_nonesa"
|
||||
errno=3; return 3
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
add|up|1) spdcmd=add ;;
|
||||
del|down|0) spdcmd=delete ;;
|
||||
*) errno=3; return 3 ;;
|
||||
esac
|
||||
|
||||
case "$2" in
|
||||
local|remote) ;;
|
||||
*) errno=3; return 3 ;;
|
||||
esac
|
||||
|
||||
for item in $3 ; do
|
||||
if [ "$2" = "local" ]; then
|
||||
cout="$4 $item"
|
||||
cin="$item $4"
|
||||
else
|
||||
cout="$item $4"
|
||||
cin="$4 $item"
|
||||
fi
|
||||
echo "
|
||||
spd$spdcmd $cout any -P out none;
|
||||
spd$spdcmd $cin any -P in none;
|
||||
" | /usr/sbin/setkey -c 1>&2
|
||||
done
|
||||
}
|
||||
|
||||
. /lib/functions/network.sh
|
||||
|
||||
|
|
|
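Review bot: The `| /usr/sbin/setkey -c 1>&2` pipeline at the end of the loop in manage_nonesa discards setkey's exit status, so a rejected or malformed `none` policy is only visible on stderr and `errno` stays clear, unlike the argument checks above it that set `errno=3`; something like `/usr/sbin/setkey -c 1>&2 || { errno=4; return 4; }` (using whatever code the other manage_* helpers use for a setkey failure) would let setup_sa's `$errno -gt 0` check react. The exclusion these entries implement also relies on the kernel preferring the narrower `-P in none`/`-P out none` entries over the wider `esp/tunnel/.../require` policy installed by manage_sa (seen in the hunk header); on Linux the SPD is consulted by policy priority rather than longest prefix, so it is worth confirming with `setkey -DP` that the `none` entries actually win for the excluded ranges and, if they do not, giving them an explicit `priority`. For consistency, the two silent `*) errno=3; return 3 ;;` arms could reuse the `$log "Bad usage of manage_nonesa"` message so a misuse is diagnosable from the log rather than only from the return code.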
@ -51,6 +51,10 @@ config sainfo 'office'
|
|||
option p2_proposal 'example_prop2'
|
||||
option local_net '192.168.8.0/24'
|
||||
option remote_net '192.168.1.0/24'
|
||||
# you can exclude some local or remote
|
||||
# addresses from SA rules
|
||||
list local_exclude '192.168.8.0/30'
|
||||
list remote_exclude '192.168.1.128/29'
|
||||
|
||||
config sainfo 'welcome'
|
||||
option p2_proposal 'example_in2'
|
||||
|
|
|
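Review bot: The new comment above `list local_exclude` / `list remote_exclude` says the addresses are excluded from SA rules but not what that means for their traffic; since the scripts install `-P in none` / `-P out none` policies for them, packets to and from these ranges bypass IPsec entirely and are sent in the clear, which an operator copying this example needs to know before adding a range. Suggest extending the comment to `# addresses from SA rules; traffic to/from excluded` / `# addresses bypasses IPsec and is sent unencrypted`.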
@ -183,10 +183,12 @@ setup_sa() {
|
|||
echo -e " split_network include $locnet;\n}" >> $conf
|
||||
|
||||
elif [ -z "$client" ]; then
|
||||
manage_sa add $locnet $remnet $remote
|
||||
config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
|
||||
config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
|
||||
manage_sa add "$locnet" "$remnet" $remote
|
||||
test $? -gt 0 -o $errno -gt 0 && return $errno
|
||||
|
||||
manage_fw add $confIntZone $confExtZone $remnet
|
||||
manage_fw add $confIntZone $confExtZone "$remnet"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -339,8 +341,10 @@ destroy_sa() {
|
|||
errno=4; return 4
|
||||
fi
|
||||
|
||||
manage_sa del $locnet $remnet $2
|
||||
manage_fw del $confIntZone $confExtZone $remnet
|
||||
config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
|
||||
config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
|
||||
manage_sa del "$locnet" "$remnet" $2
|
||||
manage_fw del $confIntZone $confExtZone "$remnet"
|
||||
}
|
||||
|
||||
destroy_tunnel() {
|
||||
|
|
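Review bot: The `config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"` calls in setup_sa and destroy_sa appear to pass arguments in the wrong order: if config_list_foreach prepends the list value to the extra arguments, as OpenWrt's /lib/functions.sh does (`eval "$function \"\$val\" \"\$@\""`), manage_nonesa is invoked as `manage_nonesa <address> add remote <locnet>`, its `case "$1"` falls into the `*)` arm, no `none` policy is ever installed, and `errno` is set to 3. In setup_sa that stale `errno` then trips `test $? -gt 0 -o $errno -gt 0 && return $errno` right after a successful manage_sa, so the tunnel comes up but manage_fw is skipped whenever an exclude list is configured. Since manage_nonesa already iterates `for item in $3`, the simplest fix is to hand it the whole list: `config_get remexcl "$1" remote_exclude` followed by `manage_nonesa add remote "$remexcl" "$locnet"` (and the same for local_exclude / the del path), as config_get on a list option yields the space-separated values. Both setup_sa and destroy_sa begin outside the hunk, so any new locals need declaring at their tops; separately, manage_fw is still given the full `"$remnet"`, so whatever it permits for the tunnel peer will also match cleartext traffic from the excluded remote hosts — worth checking in manage_fw, which is not visible here.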