libreswan: uci configuration support

- add patch to call hotplug script - handle uci config with reload in init script Signed-off-by: Jaymin Patel <[email protected]>
openwrt · Aug 14, 2022 · f27a980 · f27a980
1 parent ad7d2e5
commit f27a980
Show file tree

Hide file tree

Showing 13 changed files with 591 additions and 43 deletions.
diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libreswan
 PKG_VERSION:=4.7
-PKG_RELEASE:=1
+PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.libreswan.org/
@@ -61,9 +61,10 @@ endef
 
 define Package/libreswan/conffiles
 /etc/ipsec.d
-/etc/ipsec.conf
-/etc/ipsec.secrets
+/etc/config/libreswan
+/etc/ipsec.user
 endef
+
 TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
 TARGET_CFLAGS += -flto
 
@@ -101,20 +102,17 @@ endef
 
 define Package/libreswan/install
 	$(INSTALL_DIR) \
-	 $(1)/etc/init.d \
 	 $(1)/etc/ipsec.d/policies \
 	 $(1)/usr/libexec/ipsec \
 	 $(1)/usr/sbin
 
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec  \
 	    $(1)/usr/sbin/ipsec
-	$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
-	$(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
-	$(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \
 	     $(1)/etc/ipsec.d/policies/
 	$(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \
 	    $(1)/usr/libexec/ipsec/
+	$(CP) ./files/* $(1)/
 endef
 
 $(eval $(call BuildPackage,libreswan))
diff --git a/net/libreswan/files/etc/config/libreswan b/net/libreswan/files/etc/config/libreswan
@@ -0,0 +1,37 @@
+config libreswan 'globals'
+	option debug '0' # set debug mode none/all
+	list virtual_private '10.0.0.0/8'
+	list virtual_private '192.168.0.0/16'
+	list virtual_private '172.16.0.0/12'
+	list virtual_private '25.0.0.0/8'
+	list virtual_private '100.64.0.0/10'
+	list virtual_private '!100.64.0.0/24'  # the address ranges that may live behind a NAT router through which a client connects
+	# option listen '192.168.2.100' # listening address, if set listen_interface would not be used
+	# option listen_interface 'wan' # listening interface
+	# option uniqueids 'yes' # yes/no
+
+# config crypto_proposal 'p1'
+# 	option encryption_algorithm '3des' # possible values: 3des, aes, aes_ctr, aes_cbc, aes128, aes192, aes256, camellia_cbc
+# 	option hash_algorithm 'md5' # possible values: md5, sha1, sha256, sha384, sha512
+# 	list dh_group 'modp1536' # possible values: modp1536, modp2048, modp3072, modp4096, modp6144, modp8192, dh19, dh20, dh21, dh22, dh31
+
+# config tunnel 'vti2_1_5'
+# 	option left '%wan'  # left can be interface of ipaddress
+# 	option leftid '@left' # local id
+# 	option right '192.168.2.201' # remote endpoint public ip
+# 	option rightid '@62dd3e3f82339b002405245b' # rightid
+# 	option auto 'start' # what  operation, should be done automatically at IPsec startup
+# 	option authby 'secret' # how  the  two security gateways should authenticate each other
+# 	option psk 'AyG9RlTtQJIUxgxG' # preshare key
+# 	option ikev2 '1' # ike version
+# 	option ikelifetime '10800'
+# 	option rekey '1'
+# 	option rekeymargin '540'
+# 	option dpdaction 'restart'
+# 	option dpddelay '30'
+# 	option dpdtimeout '150'
+# 	option vti_interface 'vti2_1_5' # only for route based tunnels
+# 	option leftvti '172.16.31.2/30' # only for route based tunnels
+# 	option mark '0x5' # only if vti interface is set
+# 	list leftsubnets '0.0.0.0/0'
+# 	list rightsubnets '0.0.0.0/0'
diff --git a/net/libreswan/files/etc/firewall.libreswan-rules b/net/libreswan/files/etc/firewall.libreswan-rules
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+IPTABLES="iptables -w"
+IPSEC_HOOK="ipsec_hook"
+IPSEC_SET="IPSEC_REMOTE_SUBNETS"
+
+init_ipsec_chains_rules() {
+	$IPTABLES -t filter -N "$IPSEC_HOOK"
+	$IPTABLES -t filter -C forwarding_rule -j "$IPSEC_HOOK"
+	[ $? -ne 0 ] && $IPTABLES -t filter -I forwarding_rule -j "$IPSEC_HOOK"
+
+	$IPTABLES -t filter -C "$IPSEC_HOOK" -m set --match-set "$IPSEC_SET" src -j ACCEPT
+	[ $? -ne 0 ] && $IPTABLES -t filter -A "$IPSEC_HOOK" -m set --match-set "$IPSEC_SET" src -j ACCEPT
+
+	$IPTABLES -t nat -N "$IPSEC_HOOK"
+	$IPTABLES -t nat -C postrouting_rule -j "$IPSEC_HOOK"
+	[ $? -ne 0 ] && $IPTABLES -t nat -I postrouting_rule -j "$IPSEC_HOOK"
+
+	$IPTABLES -t nat -C "$IPSEC_HOOK" -m set --match-set "$IPSEC_SET" dst -m policy --dir out --pol ipsec -j ACCEPT
+	[ $? -ne 0 ] && $IPTABLES -t nat -A "$IPSEC_HOOK" -m set --match-set "$IPSEC_SET" dst -m policy --dir out --pol ipsec -j ACCEPT
+}
+
+rightsubnets_rules() {
+	local id=$1
+	local subnet
+
+	config_get rightsubnets "$id" rightsubnets
+
+	ipset flush "$IPSEC_SET"
+	for subnet in $rightsubnets; do
+		[ -z "$subnet" ] && continue
+		ipset -exist add "$IPSEC_SET" "$subnet" comment "$id"
+	done
+}
+
+update_ipsec_ipsets() {
+	config_load libreswan
+	config_foreach rightsubnets_rules tunnel
+}
+
+init_ipsec_chains_rules
+update_ipsec_ipsets
diff --git a/net/libreswan/files/etc/hotplug.d/ipsec/01-user b/net/libreswan/files/etc/hotplug.d/ipsec/01-user
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+[ -e "/etc/ipsec.user" ] && {
+	. /etc/ipsec.user
+}
+
+exit 0
diff --git a/net/libreswan/files/etc/hotplug.d/ipsec/02-vti b/net/libreswan/files/etc/hotplug.d/ipsec/02-vti
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+addvti() {
+	[ -d /proc/sys/net/ipv4/conf/${VTI_IFACE} ] && ip tun del ${VTI_IFACE}
+	ip tunnel add ${VTI_IFACE} mode vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${CONNMARK_OUT%/*} ikey ${CONNMARK_IN%/*}  
+	sysctl -w net.ipv4.conf.${VTI_IFACE}.disable_policy=1
+	sysctl -w net.ipv4.conf.${VTI_IFACE}.rp_filter=0
+	sysctl -w net.ipv4.conf.${VTI_IFACE}.forwarding=1
+	[ -n "${VTI_IP}" ] && ip addr add ${VTI_IP} dev ${VTI_IFACE}
+	ip link set ${VTI_IFACE} up
+}
+
+delvti() {
+	if [ -n "${VTI_IFACE}" -a -d /proc/sys/net/ipv4/conf/${VTI_IFACE} ]; then
+		ip tun del ${VTI_IFACE}
+	fi
+}
+
+[ -z "$VTI_IFACE" ] && exit 0
+
+case "${PLUTO_VERB}" in
+	up-host | up-client)
+		addvti
+		;;
+	down-host | down-client)
+		delvti
+		;;
+esac