ipsec: add ability to configure "none" SA

Also added myself as co-maintainer

Signed-Off-By: Vitaly Protsko <villy@sft.ru>
---
 Makefile           |    5 +++--
 files/functions.sh |   35 +++++++++++++++++++++++++++++++++++
 files/racoon       |    4 ++++
 files/racoon.init  |   12 ++++++++----
 4 files changed, 50 insertions(+), 6 deletions(-)

net/ipsec-tools/Makefile

@@ -11,8 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ipsec-tools
 PKG_VERSION:=0.8.2
-PKG_RELEASE:=5
+PKG_RELEASE:=6
-PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
+PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
+	Vitaly Protsko <villy@sft.ru>
 PKG_LICENSE := BSD-3-Clause
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2

net/ipsec-tools/files/functions.sh

@@ -88,6 +88,41 @@ spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
   done
 }
 
+manage_nonesa() {
+  local spdcmd
+  local item
+  local cout cin
+
+  if [ -z "$4" ]; then
+    $log "Bad usage of manage_nonesa"
+    errno=3; return 3
+  fi
+
+  case "$1" in
+    add|up|1) spdcmd=add ;;
+    del|down|0) spdcmd=delete ;;
+    *) errno=3; return 3 ;;
+  esac
+
+  case "$2" in
+    local|remote) ;;
+    *) errno=3; return 3 ;;
+  esac
+
+  for item in $3 ; do
+    if [ "$2" = "local" ]; then
+      cout="$4 $item"
+      cin="$item $4"
+    else
+      cout="$item $4"
+      cin="$4 $item"
+    fi
+    echo "
+spd$spdcmd $cout any -P out none;
+spd$spdcmd $cin any -P in none;
+" | /usr/sbin/setkey -c 1>&2
+  done
+}
 
 . /lib/functions/network.sh
 

net/ipsec-tools/files/racoon

@@ -51,6 +51,10 @@ config sainfo 'office'
 	option	p2_proposal	'example_prop2'
 	option	local_net	'192.168.8.0/24'
 	option	remote_net	'192.168.1.0/24'
+# you can exclude some local or remote
+# addresses from SA rules
+	list	local_exclude	'192.168.8.0/30'
+	list	remote_exclude	'192.168.1.128/29'
 
 config sainfo 'welcome'
 	option	p2_proposal	'example_in2'

net/ipsec-tools/files/racoon.init

@@ -183,10 +183,12 @@ setup_sa() {
     echo -e "  split_network include $locnet;\n}" >> $conf
 
   elif [ -z "$client" ]; then
-    manage_sa add $locnet $remnet $remote
+    config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
+    config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
+    manage_sa add "$locnet" "$remnet" $remote
     test $? -gt 0 -o $errno -gt 0 && return $errno
 
-    manage_fw add $confIntZone $confExtZone $remnet
+    manage_fw add $confIntZone $confExtZone "$remnet"
   fi
 }
 
@@ -339,8 +341,10 @@ destroy_sa() {
     errno=4; return 4
   fi
 
-  manage_sa del $locnet $remnet $2
+  config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
-  manage_fw del $confIntZone $confExtZone $remnet
+  config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
+  manage_sa del "$locnet" "$remnet" $2
+  manage_fw del $confIntZone $confExtZone "$remnet"
 }
 
 destroy_tunnel() {