ipsec: add ability to configure "none" SA

Also added myself as co-maintainer

Signed-Off-By: Vitaly Protsko <redacted>
---
 Makefile           |    5 +++--
 files/functions.sh |   35 +++++++++++++++++++++++++++++++++++
 files/racoon       |    4 ++++
 files/racoon.init  |   12 ++++++++----
 4 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile
index 806c16090a4949713168526b922287543a97f82e..6134a09186900ae5a5ca845fa19ad3231c56c0db 100644 (file)
--- a/net/ipsec-tools/Makefile
+++ b/net/ipsec-tools/Makefile
@@ -11,8 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ipsec-tools
 PKG_VERSION:=0.8.2
-PKG_RELEASE:=5
-PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
+PKG_RELEASE:=6
+PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
+       Vitaly Protsko <villy@sft.ru>
 PKG_LICENSE := BSD-3-Clause
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2

diff --git a/net/ipsec-tools/files/functions.sh b/net/ipsec-tools/files/functions.sh
index e3e739b93b98ef795998ed082f8f1c742ed2bae3..45715b5a398a582fd7ba50de3981436f194c3938 100644 (file)
--- a/net/ipsec-tools/files/functions.sh
+++ b/net/ipsec-tools/files/functions.sh
@@ -88,6 +88,41 @@ spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
   done
 }
 
+manage_nonesa() {
+  local spdcmd
+  local item
+  local cout cin
+
+  if [ -z "$4" ]; then
+    $log "Bad usage of manage_nonesa"
+    errno=3; return 3
+  fi
+
+  case "$1" in
+    add|up|1) spdcmd=add ;;
+    del|down|0) spdcmd=delete ;;
+    *) errno=3; return 3 ;;
+  esac
+
+  case "$2" in
+    local|remote) ;;
+    *) errno=3; return 3 ;;
+  esac
+
+  for item in $3 ; do
+    if [ "$2" = "local" ]; then
+      cout="$4 $item"
+      cin="$item $4"
+    else
+      cout="$item $4"
+      cin="$4 $item"
+    fi
+    echo "
+spd$spdcmd $cout any -P out none;
+spd$spdcmd $cin any -P in none;
+" | /usr/sbin/setkey -c 1>&2
+  done
+}
 
 . /lib/functions/network.sh
 

diff --git a/net/ipsec-tools/files/racoon b/net/ipsec-tools/files/racoon
index 3ce41eb495863bb9c68f77d3b79860bc0820d8f6..e2c8400b47f33c592ecc629a0ed1fc7b6d518873 100644 (file)
--- a/net/ipsec-tools/files/racoon
+++ b/net/ipsec-tools/files/racoon
@@ -51,6 +51,10 @@ config sainfo 'office'
        option  p2_proposal     'example_prop2'
        option  local_net       '192.168.8.0/24'
        option  remote_net      '192.168.1.0/24'
+# you can exclude some local or remote
+# addresses from SA rules
+       list    local_exclude   '192.168.8.0/30'
+       list    remote_exclude  '192.168.1.128/29'
 
 config sainfo 'welcome'
        option  p2_proposal     'example_in2'

diff --git a/net/ipsec-tools/files/racoon.init b/net/ipsec-tools/files/racoon.init
index 6520d5bdeb9e3772d36a567d00849218a2b18044..247bdfc674c058bbecb4e2d52bf2c6e856ff3623 100644 (file)
--- a/net/ipsec-tools/files/racoon.init
+++ b/net/ipsec-tools/files/racoon.init
@@ -183,10 +183,12 @@ setup_sa() {
     echo -e "  split_network include $locnet;\n}" >> $conf
 
   elif [ -z "$client" ]; then
-    manage_sa add $locnet $remnet $remote
+    config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
+    config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
+    manage_sa add "$locnet" "$remnet" $remote
     test $? -gt 0 -o $errno -gt 0 && return $errno
 
-    manage_fw add $confIntZone $confExtZone $remnet
+    manage_fw add $confIntZone $confExtZone "$remnet"
   fi
 }
 
@@ -339,8 +341,10 @@ destroy_sa() {
     errno=4; return 4
   fi
 
-  manage_sa del $locnet $remnet $2
-  manage_fw del $confIntZone $confExtZone $remnet
+  config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
+  config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
+  manage_sa del "$locnet" "$remnet" $2
+  manage_fw del $confIntZone $confExtZone "$remnet"
 }
 
 destroy_tunnel() {