From: Michael Tremer
Date: Tue, 18 Sep 2018 11:21:19 +0000 (+0200)
Subject: ipsec: Allow adding a zone to a VPN connection
X-Git-Tag: 010~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80a752f219db55e8c66bb243fda6552af84db201;p=network.git
ipsec: Allow adding a zone to a VPN connection
Signed-off-by: Michael Tremer
---
diff --git a/src/bash-completion/network b/src/bash-completion/network
index 2621628a..d19dcf27 100644
--- a/src/bash-completion/network
+++ b/src/bash-completion/network
@@ -413,7 +413,7 @@ _network_vpn_ipsec_connection_subcommands() {
 shift
 local words=( $@ )
- local commands="authentication color description down inactivity-timeout local mode peer remote security-policy show up"
+ local commands="authentication color description down inactivity-timeout local mode peer remote security-policy show up zone"
 local cmd="$(_network_find_on_cmdline "${commands}")"
 if [[ -z "${cmd}" ]]; then
 COMPREPLY=( $(compgen -W "${commands}" -- "${cur}") )
@@ -444,7 +444,10 @@ _network_vpn_ipsec_connection_subcommands() {
 security-policy)
 _network_vpn_ipsec_connection_subcommands_security_policy ${args}
 ;;
- esac
+ zone)
+ _network_vpn_ipsec_connection_subcommands_zone "${connection}" ${args}
+ ;;
+ esac
 }
 _network_vpn_ipsec_connection_subcommands_authentication() {
@@ -529,6 +532,15 @@ _network_vpn_ipsec_connection_subcommands_security_policy() {
 fi
 }
+_network_vpn_ipsec_connection_subcommands_zone() {
+ local connection="${1}"
+ shift
+
+ local words=( $@ )
+
+ # XXX TODO find zones that can be attached here
+}
+
 _network_vpn_security_policies() {
 local words=( $@ )
diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index d8206e01..b7e09a4c 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -37,7 +37,8 @@ IPSEC_CONNECTION_CONFIG_SETTINGS="\
 SECURITY_POLICY \
 START_ACTION \
 TYPE \
- ENABLED"
+ ENABLED \
+ ZONE"
 # Default values
 IPSEC_DEFAULT_AUTH_MODE="PSK"
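Review bot: `_network_vpn_ipsec_connection_subcommands_zone` in the third hunk of src/bash-completion/network returns without setting COMPREPLY, so `zone <TAB>` completes nothing, and its `words` array is assigned but never read. The parent function builds its candidates with `compgen -W "${commands}" -- "${cur}"`; the same shape would let the stub offer at least `-`, which is the value `ipsec_connection_zone` in functions.ipsec accepts to detach a zone, e.g. `COMPREPLY=( $(compgen -W "-" -- "${cur}") )`. When the TODO is filled in, the candidate list should apply the same filter the setter enforces (only zones whose hook is `ip-tunnel`), otherwise completion and validation drift apart.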
@@ -80,7 +81,7 @@ cli_ipsec_connection() {
 shift 2
 case "${key}" in
- authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up)
+ authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up|zone)
 ipsec_connection_${key} ${connection} "$@"
 ;;
 color)
@@ -710,6 +711,70 @@ ipsec_connection_mode() {
 return ${EXIT_OK}
 }
+ipsec_connection_zone() {
+ local connection="${1}"
+ local zone="${2}"
+ shift 2
+
+ # Check if we got an argument
+ if ! isset zone; then
+ error "Zone is not set"
+ return ${EXIT_ERROR}
+ fi
+
+ local ZONE
+ case "${zone}" in
+ -)
+ if ! ipsec_connection_read_config "${connection}" "ZONE"; then
+ log ERROR "Could not read configuration for IPsec connection ${connection}"
+ return ${EXIT_ERROR}
+ fi
+
+ # Removes zone setting
+ zone=""
+
+ if isset ZONE; then
+ log INFO "Removing zone ${ZONE} from IPsec connection '${connection}'"
+ fi
+ ;;
+
+ *)
+ # Check if the zone exists
+ if ! zone_exists "${zone}"; then
+ error "Zone ${zone} does not exist"
+ return ${EXIT_ERROR}
+ fi
+
+ # Zone must be of type tunnel
+ local hook="$(zone_get_hook "${zone}")"
+
+ case "${hook}" in
+ ip-tunnel)
+ # We support ip-tunnels
+ ;;
+
+ *)
+ error "Zones of type ${hook} are not supported"
+ return ${EXIT_ERROR}
+ ;;
+ esac
+
+ # Check if this zone is alreadz attached to another IPsec connection
+ # XXX
+
+ log INFO "Adding zone ${zone} to IPsec connection '${connection}'"
+ ;;
+ esac
+
+ # Save settings
+ if ! ipsec_connection_write_config_key "${connection}" "ZONE" "${zone}"; then
+ error "Could not write configuration settings"
+ return ${EXIT_ERROR}
+ fi
+
+ return ${EXIT_OK}
+}
+
 # Set the local address
 ipsec_connection_local_address() {
 if [ ! $# -eq 2 ]; then
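Review bot: The `*)` branch of `ipsec_connection_zone` writes the zone into the connection's ZONE setting while the "already attached to another IPsec connection" check is still only `# XXX`, so the same ip-tunnel zone can be recorded on several connections at once, which presumably leaves those connections fighting over one interface. The check can be built from the helpers this hunk already uses — read ZONE from every other connection with `ipsec_connection_read_config` and refuse the call when one matches — but how connections are enumerated is not visible here, so the sketch below leaves that as a placeholder. The comment's typo `alreadz` should read `already`. Separately, if `zone_get_hook` prints nothing, `hook` is empty and the inner `*)` branch reports `Zones of type  are not supported`; a guard before that `case` such as `if ! isset hook; then error "Could not determine the hook of zone ${zone}"; return ${EXIT_ERROR}; fi` gives a usable message.
```shell
			# Check if this zone is already attached to another IPsec connection
			local other
			for other in <PLACEHOLDER: list of existing IPsec connection names>; do
				if [ "${other}" = "${connection}" ]; then
					continue
				fi

				ZONE=""
				if ! ipsec_connection_read_config "${other}" "ZONE"; then
					continue
				fi

				if [ "${ZONE}" = "${zone}" ]; then
					error "Zone ${zone} is already attached to IPsec connection '${other}'"
					return ${EXIT_ERROR}
				fi
			done
			# … unchanged: log INFO "Adding zone …" and the rest of the branch …
```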