From 3333a4e2065f467cce9e769ceca7d4500d6d557d Mon Sep 17 00:00:00 2001 From: jow Date: Sun, 5 Feb 2012 15:50:27 +0000 Subject: [PATCH] [packages_10.03.2] openswan: merge r29580, r29581, r29582, r29584, r29585, r29586 git-svn-id: svn://svn.openwrt.org/openwrt/branches/packages_10.03.2@30234 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- net/openswan/Makefile | 11 +- net/openswan/files/ipsec.conf | 8 + net/openswan/files/ipsec.config | 2 + net/openswan/files/ipsec.init | 184 +++++++++++++++++++++- net/openswan/files/ipsec.secrets | 7 + net/openswan/files/ipsec.upgrade | 3 + net/openswan/patches/110-scripts.patch | 14 -- net/openswan/patches/130-compat_net_dev_ops.patch | 19 --- 8 files changed, 212 insertions(+), 36 deletions(-) create mode 100644 net/openswan/files/ipsec.conf create mode 100644 net/openswan/files/ipsec.config create mode 100644 net/openswan/files/ipsec.secrets create mode 100644 net/openswan/files/ipsec.upgrade delete mode 100644 net/openswan/patches/110-scripts.patch delete mode 100644 net/openswan/patches/130-compat_net_dev_ops.patch diff --git a/net/openswan/Makefile b/net/openswan/Makefile index 1a33dd1..b1388a3 100644 --- a/net/openswan/Makefile +++ b/net/openswan/Makefile @@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=openswan PKG_VERSION:=2.6.37 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.openswan.org/download @@ -37,7 +37,7 @@ $(call Package/openswan/Default) SECTION:=net CATEGORY:=Network TITLE+= (daemon) - DEPENDS+= +kmod-openswan +libgmp +ip + DEPENDS+= +libgmp +ip endef define Package/openswan/description @@ -87,17 +87,24 @@ endef define Package/openswan/conffiles /etc/ipsec.conf /etc/ipsec.secrets +/etc/config/ipsec endef define Package/openswan/install $(CP) $(PKG_INSTALL_DIR)/* $(1) $(INSTALL_DIR) $(1)/etc/init.d $(CP) ./files/ipsec.init $(1)/etc/init.d/ipsec + $(CP) ./files/ipsec.conf $(1)/etc/ipsec.conf + $(CP) ./files/ipsec.secrets $(1)/etc/ipsec.secrets + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_CONF) ./files/ipsec.config $(1)/etc/config/ipsec rm -rf $(1)/usr/share rm -rf $(1)/usr/man rm -rf $(1)/var rm -rf $(1)/etc/rc.d find $(1) -name \*.old | xargs rm -rf + $(INSTALL_DIR) $(1)/lib/upgrade/keep.d + $(INSTALL_DATA) files/ipsec.upgrade $(1)/lib/upgrade/keep.d/ipsec endef $(eval $(call BuildPackage,openswan)) diff --git a/net/openswan/files/ipsec.conf b/net/openswan/files/ipsec.conf new file mode 100644 index 0000000..b214bac --- /dev/null +++ b/net/openswan/files/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - IPsec configuration file + +version 2.0 + +include /etc/ipsec.uci.conf + +# Include non-UCI connections here +# They will be preserved across restarts/upgrades diff --git a/net/openswan/files/ipsec.config b/net/openswan/files/ipsec.config new file mode 100644 index 0000000..6469e98 --- /dev/null +++ b/net/openswan/files/ipsec.config @@ -0,0 +1,2 @@ +config ipsec_config setup + option nat_traversal yes diff --git a/net/openswan/files/ipsec.init b/net/openswan/files/ipsec.init index 68ad359..b0961b3 100755 --- a/net/openswan/files/ipsec.init +++ b/net/openswan/files/ipsec.init @@ -32,7 +32,187 @@ START=60 EXTRA_COMMANDS=status -EXTRA_HELP=" status Show the status of the service" +EXTRA_HELP=" status Show the status of the service" + +# Format a list into a delimited string and print it +config_list_delimit() { + local SECTION="$1" + local OPTION="$2" + local DELIMITER="${3:- }" + + config_list_foreach "$SECTION" "$OPTION" "printf \"%s%s\"" "$DELIMITER" | sed "s/.\{${#DELIMITER}\}$//" +} + +# Callback for each ipsec configuration section +# Converts list options from UCI to ipsec format and writes ipsec section headers +CUR_SECTION_NAME= +CUR_SECTION_TYPE= +config_cb() { + local TYPE="$1" + local NAME="$2" + + # Handle list options from previous section + if [ "$CUR_SECTION_TYPE" = "ipsec_conn" ] ; then + local IKE="$(config_list_delimit "$CUR_SECTION_NAME" "ike" ", ")" + if [ -n "$IKE" ] ; then + printf "\tike=\"%s\"\n" "$IKE" >> "$IPSEC_UCI_CONF" + fi + + local SUBNETS + local SPACE_PAT="* *" + config_get "SUBNETS" "$CUR_SECTION_NAME" "leftsubnets" + case "$SUBNETS" in + $SPACE_PAT) + printf "\tleftsubnets={ %s }\n" "$SUBNETS" >> "$IPSEC_UCI_CONF" + ;; + ?*) + printf "\tleftsubnet=%s\n" "$SUBNETS" >> "$IPSEC_UCI_CONF" + ;; + esac + + config_get "SUBNETS" "$CUR_SECTION_NAME" "rightsubnets" + case "$SUBNETS" in + $SPACE_PAT) + printf "\trightsubnets={ %s }\n" "$SUBNETS" >> "$IPSEC_UCI_CONF" + ;; + ?*) + printf "\trightsubnet=%s\n" "$SUBNETS" >> "$IPSEC_UCI_CONF" + ;; + esac + elif [ "$CUR_SECTION_TYPE" = "ipsec_config" ] ; then + local VPRIV="$(config_list_delimit "$CUR_SECTION_NAME" "virtual_private" ",")" + if [ -n "$VPRIV" ] ; then + printf "\tvirtual_private=%s\n" "$VPRIV" >> "$IPSEC_UCI_CONF" + fi + fi + + CUR_SECTION_NAME="$NAME" + CUR_SECTION_TYPE="$TYPE" + + case "$CUR_SECTION_TYPE" in + ipsec_config|ipsec_conn) + # Handled in option_cb + echo >> "$IPSEC_UCI_CONF" + echo "${TYPE#ipsec_} $NAME" >> "$IPSEC_UCI_CONF" + ;; + *) + # Not handled in option_cb + ;; + esac + + return 0 +} + +# Callback for each ipsec configuration option +# Prints each UCI option to $IPSEC_UCI_CONF in ipsec.conf format +option_cb() { + local NAME="$1" + local VALUE="$2" + + case "$CUR_SECTION_TYPE" in + ipsec_config|ipsec_conn) + # Handle option in these sections + ;; + *) + # Ignore options in all other sections + return 0 + ;; + esac + + case "$NAME" in + modecfgdns_ITEM[0-9]*) + printf "\tmodecfgdns%d=%s\n" "${NAME##modecfgdns_ITEM}" "$VALUE" >> "$IPSEC_UCI_CONF" + ;; + modecfgwins_ITEM[0-9]*) + printf "\tmodecfgwins%d=%s\n" "${NAME##modecfgwins_ITEM}" "$VALUE" >> "$IPSEC_UCI_CONF" + ;; + *_ITEM[0-9]*|*_LENGTH) + # Ignore list items and length updates + ;; + [!a-zA-Z]*) + # Ignore non-ipsec.conf parameters + ;; + *) + # Quote values with characers which require quoting + if echo "$VALUE" | grep -q '^[[:alnum:]_%.]*$' ; then + printf "\t%s=%s\n" "$NAME" "$VALUE" >> "$IPSEC_UCI_CONF" + else + printf "\t%s=\"%s\"\n" "$NAME" "$VALUE" >> "$IPSEC_UCI_CONF" + fi + ;; + esac + + return 0 +} + +ipsec_config_convert() { + IPSEC_UCI_CONF="${IPSEC_UCI_CONF:-${IPSEC_CONFS:-/etc}/ipsec.uci.conf}" + ipsec_config_print_header + config_load "ipsec" + # Conversion for $IPSEC_UCI_CONF handled in section_cb and option_cb + + IPSEC_SEC_UCI_CONF="${IPSEC_SEC_UCI_CONF:-${IPSEC_CONFS:-/etc}/ipsec.uci.secrets}" + ipsec_config_print_header_secret + echo >> "$IPSEC_SEC_UCI_CONF" + echo "# Certificate Secrets" >> "$IPSEC_SEC_UCI_CONF" + config_foreach "ipsec_config_add_secret_cs" "ipsec_secret_cs" + echo >> "$IPSEC_SEC_UCI_CONF" + echo "# Shared Secrets" >> "$IPSEC_SEC_UCI_CONF" + config_foreach "ipsec_config_add_secret_ss" "ipsec_secret_ss" + echo >> "$IPSEC_SEC_UCI_CONF" + echo "# XAUTH Secrets" >> "$IPSEC_SEC_UCI_CONF" + config_foreach "ipsec_config_add_secret_xs" "ipsec_secret_xs" +} + +ipsec_config_print_header() { + cat > "$IPSEC_UCI_CONF" < "$IPSEC_SEC_UCI_CONF" <> "$IPSEC_SEC_UCI_CONF" +} + +ipsec_config_add_secret_ss() { + local SECTNAME="$1" + + config_get "INDICES" "$SECTNAME" "indices" + config_get "SECRET" "$SECTNAME" "secret" + + echo "$INDICES : PSK \"$SECRET\"" >> "$IPSEC_SEC_UCI_CONF" +} + +ipsec_config_add_secret_xs() { + local SECTNAME="$1" + + config_get "USERNAME" "$SECTNAME" "username" + config_get "SECRET" "$SECTNAME" "secret" + + echo "@$USERNAME : XAUTH \"$SECRET\"" >> "$IPSEC_SEC_UCI_CONF" +} script_init() { me='ipsec setup' # for messages @@ -189,6 +369,7 @@ script_command() { esac } start() { + ipsec_config_convert script_init start "$@" script_command start "$@" } @@ -199,6 +380,7 @@ stop() { } restart() { + ipsec_config_convert script_init stop "$@" script_command stop "$@" script_command start "$@" diff --git a/net/openswan/files/ipsec.secrets b/net/openswan/files/ipsec.secrets new file mode 100644 index 0000000..1384683 --- /dev/null +++ b/net/openswan/files/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - IPsec sensitive configuration file + +# Include configuration information from UCI +include /etc/ipsec.uci.secrets + +# Add non-UCI secrets below +# This file will be preserved across restarts/upgrades diff --git a/net/openswan/files/ipsec.upgrade b/net/openswan/files/ipsec.upgrade new file mode 100644 index 0000000..36ba0c5 --- /dev/null +++ b/net/openswan/files/ipsec.upgrade @@ -0,0 +1,3 @@ +/etc/ipsec.conf +/etc/ipsec.d/ +/etc/ipsec.secrets diff --git a/net/openswan/patches/110-scripts.patch b/net/openswan/patches/110-scripts.patch deleted file mode 100644 index 971ea59..0000000 --- a/net/openswan/patches/110-scripts.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- - programs/_plutorun/_plutorun.in | 2 +- - programs/_realsetup/_realsetup.in | 2 +- - programs/loggerfix | 5 +++++ - 3 files changed, 7 insertions(+), 2 deletions(-) - ---- /dev/null -+++ b/programs/loggerfix -@@ -0,0 +1,5 @@ -+#!/bin/sh -+# use filename instead of /dev/null to log, but dont log to flash or ram -+# pref. log to nfs mount -+echo "$*" >> /dev/null -+exit 0 diff --git a/net/openswan/patches/130-compat_net_dev_ops.patch b/net/openswan/patches/130-compat_net_dev_ops.patch deleted file mode 100644 index 46786fa..0000000 --- a/net/openswan/patches/130-compat_net_dev_ops.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- - linux/include/openswan/ipsec_kversion.h | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/linux/include/openswan/ipsec_kversion.h -+++ b/linux/include/openswan/ipsec_kversion.h -@@ -393,6 +393,12 @@ - # endif - #endif - -+#if LINUX_VERSION_CODE == KERNEL_VERSION(2,6,30) -+# ifndef CONFIG_COMPAT_NET_DEV_OPS -+# define USE_NETDEV_OPS -+# endif -+#endif -+ - #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,31) - # define USE_NETDEV_OPS - #else -- 2.11.0