ipsec: add ability to configure "none" SA

Also added myself as co-maintainer Signed-Off-By: Vitaly Protsko <villy@sft.ru> --- Makefile | 5 +++-- files/functions.sh | 35 +++++++++++++++++++++++++++++++++++ files/racoon | 4 ++++ files/racoon.init | 12 ++++++++---- 4 files changed, 50 insertions(+), 6 deletions(-)
2017-06-05 08:25:09 +03:00 · 2017-06-05 08:25:09 +03:00 · df0e0bc17b
parent 4eec08f225
commit df0e0bc17b
4 changed files with 50 additions and 6 deletions
--- a/net/ipsec-tools/Makefile
+++ b/net/ipsec-tools/Makefile
@ -11,8 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk

 PKG_NAME:=ipsec-tools
 PKG_VERSION:=0.8.2
-PKG_RELEASE:=5
-PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
+PKG_RELEASE:=6
+PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
+	Vitaly Protsko <villy@sft.ru>
 PKG_LICENSE := BSD-3-Clause

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
--- a/net/ipsec-tools/files/functions.sh
+++ b/net/ipsec-tools/files/functions.sh
@ -88,6 +88,41 @@ spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
  done
 }

+manage_nonesa() {
+  local spdcmd
+  local item
+  local cout cin
+
+  if [ -z "$4" ]; then
+    $log "Bad usage of manage_nonesa"
+    errno=3; return 3
+  fi
+
+  case "$1" in
+    add|up|1) spdcmd=add ;;
+    del|down|0) spdcmd=delete ;;
+    *) errno=3; return 3 ;;
+  esac
+
+  case "$2" in
+    local|remote) ;;
+    *) errno=3; return 3 ;;
+  esac
+
+  for item in $3 ; do
+    if [ "$2" = "local" ]; then
+      cout="$4 $item"
+      cin="$item $4"
+    else
+      cout="$item $4"
+      cin="$4 $item"
+    fi
+    echo "
+spd$spdcmd $cout any -P out none;
+spd$spdcmd $cin any -P in none;
+" | /usr/sbin/setkey -c 1>&2
+  done
+}

 . /lib/functions/network.sh

--- a/net/ipsec-tools/files/racoon
+++ b/net/ipsec-tools/files/racoon
@ -51,6 +51,10 @@ config sainfo 'office'
 	option	p2_proposal	'example_prop2'
 	option	local_net	'192.168.8.0/24'
 	option	remote_net	'192.168.1.0/24'
+# you can exclude some local or remote
+# addresses from SA rules
+	list	local_exclude	'192.168.8.0/30'
+	list	remote_exclude	'192.168.1.128/29'

 config sainfo 'welcome'
 	option	p2_proposal	'example_in2'
--- a/net/ipsec-tools/files/racoon.init
+++ b/net/ipsec-tools/files/racoon.init
@ -183,10 +183,12 @@ setup_sa() {
    echo -e "  split_network include $locnet;\n}" >> $conf

  elif [ -z "$client" ]; then
-    manage_sa add $locnet $remnet $remote
+    config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
+    config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
+    manage_sa add "$locnet" "$remnet" $remote
    test $? -gt 0 -o $errno -gt 0 && return $errno

-    manage_fw add $confIntZone $confExtZone $remnet
+    manage_fw add $confIntZone $confExtZone "$remnet"
  fi
 }

@ -339,8 +341,10 @@ destroy_sa() {
    errno=4; return 4
  fi

-  manage_sa del $locnet $remnet $2
-  manage_fw del $confIntZone $confExtZone $remnet
+  config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
+  config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
+  manage_sa del "$locnet" "$remnet" $2
+  manage_fw del $confIntZone $confExtZone "$remnet"
 }

 destroy_tunnel() {