From 1d31d840d45a2bce86c1a7b1871e86dd20b39cf2 Mon Sep 17 00:00:00 2001
From: Hans Dedecker
Date: Wed, 13 Dec 2017 10:32:26 +0100
Subject: [PATCH 1/2] strongswan: fix reload service

Based on the ipsec running state reload_service is either reloading ipsec or starting ipsec. However in the latter case it calls ipsec start which bypasses the procd start_service function which means the running ipsec instance is not managed by procd. Fix this by calling start in case ipsec is not running; at the same time add service_running function which is used by procd provided running function.

Signed-off-by: Hans Dedecker
---
 net/strongswan/files/ipsec.init | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init
index 311679d69a..1e0adfd114 100644
--- a/net/strongswan/files/ipsec.init
+++ b/net/strongswan/files/ipsec.init
@@ -318,14 +318,19 @@ prepare_env() {
 	config_foreach config_remote remote
 }
 
+service_running() {
+	ipsec status > /dev/null 2>&1
+}
+
 reload_service() {
-	prepare_env
-	if ipsec status > /dev/null 2>&1; then
+	running && {
+		prepare_env
 		ipsec rereadall
 		ipsec reload
-	else
-		ipsec start
-	fi
+		return
+	}
+
+	start
 }
 
 service_triggers() {

From 74dbf6bcbe58e38baef16c589762026a8cec1784 Mon Sep 17 00:00:00 2001
From: Hans Dedecker
Date: Wed, 13 Dec 2017 11:39:53 +0100
Subject: [PATCH 2/2] strongswan: add interface uci list

The interface config option allows users to configure logical OpenWRT interface names in the ipsec section; it allows StrongSwan to listen and send traffic on specified interface(s). It translates to interfaces_use StrongSwan option which is a comma sepearted list of network devices that should be used by charon. Since StrongSwan can only be started when one of the specified logical OpenWRT interface is up procd interface triggers are installed to trigger the reload script.
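Review bot: `service_running()` overrides the rc.common default that `running` calls, yet nothing in the hunk says why `ipsec status` is consulted instead of procd's own instance list; suggest a comment above it such as `# called by rc.common's running(): ask charon itself, since the process procd supervises is the starter, not charon`. One consequence worth noting in reload_service: `running` is true for any charon that answers `ipsec status`, including one that an older version of this script launched with `ipsec start` outside procd, so such an instance keeps being reloaded rather than adopted and needs one explicit restart after upgrading. The exit status of `ipsec rereadall` is also discarded, because the `return` only reports the result of `ipsec reload`.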
Signed-off-by: Hans Dedecker
---
 net/strongswan/Makefile | 2 +-
 net/strongswan/files/ipsec.init | 35 ++++++++++++++++++++++++++++++---
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
index aff11fdef4..1c52175660 100644
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
 PKG_VERSION:=5.6.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_HASH:=e0c282d8ad418609c5dfb5e8efa01b28b95ef3678070ed47bf2a229f55f4ab53
diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init
index 1e0adfd114..07ccffd2e5 100644
--- a/net/strongswan/files/ipsec.init
+++ b/net/strongswan/files/ipsec.init
@@ -7,6 +7,7 @@ USE_PROCD=1
 PROG=/usr/lib/ipsec/starter
 
 . $IPKG_INSTROOT/lib/functions.sh
+. $IPKG_INSTROOT/lib/functions/network.sh
 
 IPSEC_SECRETS_FILE=/etc/ipsec.secrets
 IPSEC_CONN_FILE=/etc/ipsec.conf
@@ -16,6 +17,8 @@ IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
 IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
 STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
 
+WAIT_FOR_INTF=0
+
 file_reset() {
 	: > "$1"
 }
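Review bot: `WAIT_FOR_INTF=0` adds a script-global flag whose meaning can only be recovered by reading config_ipsec and start_service further down, so the declaration should carry a comment; suggest `# set to 1 by config_ipsec when the 'interface' uci list names no interface that currently has a device; start_service then bails out until an interface trigger runs reload`. Documenting the 0/1 convention at the declaration rather than at each consumer keeps it visible in one place.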
@@ -290,11 +293,23 @@ config_ipsec() {
 		[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
 	done
 
+	local interface_list=$(config_get "$1" "interface")
+	if [ -z "$interface_list" ]; then
+		WAIT_FOR_INTF=0
+	else
+		for interface in $interface_list; do
+			network_get_device device $interface
+			[ -n "$device" ] && append device_list "$device" ","
+		done
+		[ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
+	fi
+
 	swan_xappend "# generated by /etc/init.d/ipsec"
 	swan_xappend "charon {"
 	swan_xappend " load_modular = yes"
 	swan_xappend " install_routes = $install_routes"
 	[ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
+	[ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
 	swan_xappend " plugins {"
 	swan_xappend " include /etc/strongswan.d/charon/*.conf"
 	swan_xappend " }"
@@ -325,21 +340,35 @@ service_running() {
 reload_service() {
 	running && {
 		prepare_env
-		ipsec rereadall
-		ipsec reload
-		return
+		[ $WAIT_FOR_INTF -eq 0 ] && {
+			ipsec rereadall
+			ipsec reload
+			return
+		}
 	}
 
 	start
 }
 
+check_ipsec_interface() {
+	local intf
+
+	for intf in $(config_get "$1" interface); do
+		procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload
+	done
+}
+
 service_triggers() {
 	procd_add_reload_trigger "ipsec"
+	config load "ipsec"
+	config_foreach check_ipsec_interface ipsec
 }
 
 start_service() {
 	prepare_env
+	[ $WAIT_FOR_INTF -eq 1 ] && return
+
 	procd_open_instance
 	procd_set_param command $PROG --daemon charon --nofork
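Review bot: In the block added to config_ipsec, `device_list`, `device` and `interface` are never declared `local`, so `append device_list "$device" ","` accumulates across calls (across ipsec sections, if more than one exists) and the generated `interfaces_use` line can carry stale devices; declare them next to `interface_list`, e.g. `local interface_list device_list device interface` followed by `interface_list=$(config_get "$1" "interface")`. A short comment on `[ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1` would help, since the `a && b || c` form is only correct here because an assignment cannot fail. Separately, when only some of the listed interfaces have a device, charon is started with a partial `interfaces_use`; a later interface-up event does reach reload_service, but `ipsec reload` presumably does not re-read strongswan.conf, so the remaining devices may never be used without a restart — worth confirming. config_ipsec starts before this hunk.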