ipsec: Add prototype-level support for VTI
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 4 Aug 2017 12:12:44 +0000 (12:12 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 4 Aug 2017 12:12:44 +0000 (12:12 +0000)
This will create a VTI interface for IPsec connections
configured as such and bring it up so that traffic can
be passed around.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/functions/functions.device
src/functions/functions.ip-tunnel
src/functions/functions.ipsec
src/helpers/ipsec-updown
src/udev/network-hotplug

index bdca75e21586ada8230abe9d81c76e3a093b8db6..be3fe954035d67ba546e839ec4424a5cdeebfb28 100644 (file)
@@ -287,6 +287,12 @@ device_is_dummy() {
        [[ ${device} =~ ^dummy[0-9]+$ ]]
 }
 
+device_is_ipsec() {
+       local device="${1}"
+
+       [[ ${device} =~ ^ipsec\- ]]
+}
+
 # Check if the device is a wireless device
 device_is_wireless() {
        local device=${1}
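Review bot: device_is_ipsec is the only predicate in this stretch without the one-line header comment its siblings carry (compare `# Check if the device is a wireless device` just below); add `# Check if the device is an IPsec VTI device` above it. The `ipsec-` prefix it matches is hard-coded a second time in ipsec-updown's `INTERFACE="ipsec-${CONNECTION}"`, so a renamed prefix would silently desynchronise the two; a shared variable in the device functions would keep them in step. The backslash in `^ipsec\-` is unnecessary, `[[ ${device} =~ ^ipsec- ]]` is equivalent and reads like device_is_dummy.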
index 195ee9320366b7c7fa11e07a649776449f52d562..b9e063561f1052346b96d56c45cccb1a99014886 100644 (file)
@@ -132,3 +132,50 @@ ip_tunnel_del() {
        ip tunnel del ${device}
        assert [ $? -eq 0 ]
 }
+
+ip_tunnel_change_keys() {
+       local device="${1}"
+       shift
+
+       if ! isset device; then
+               error "No device given"
+               return ${EXIT_ERROR}
+       fi
+
+       local ikey
+       local okey
+
+       while [ $# -gt 0 ]; do
+               case "${1}" in
+                       --ikey=*)
+                               ikey="$(cli_get_val ${1})"
+                               ;;
+                       --okey=*)
+                               okey="$(cli_get_val ${1})"
+                               ;;
+                       *)
+                               error "Invalid argument: ${1}"
+                               return ${EXIT_ERROR}
+                               ;;
+               esac
+               shift
+       done
+
+       if ! isset ikey || ! isset okey; then
+               error "You need to set --ikey= and --okey="
+               return ${EXIT_ERROR}
+       fi
+
+       if ! device_exists "${device}"; then
+               error "No such device: ${device}"
+               return ${EXIT_ERROR}
+       fi
+
+       if ! cmd ip link change dev "${device}" \
+               type vti ikey "${ikey}" okey "${okey}"; then
+               log ERROR "Could not change keys of device ${device}"
+               return ${EXIT_ERROR}
+       fi
+
+       return ${EXIT_OK}
+}
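Review bot: The two key assignments extract their value with an unquoted `cli_get_val ${1}`, so an argument containing whitespace or glob characters would be word-split before it is parsed; quote it as `ikey="$(cli_get_val "${1}")"` and likewise for okey. The keys are then handed to `ip link change` unchecked, so a malformed value is reported only as the generic "Could not change keys" line; a `[[ ${ikey} =~ ^[0-9]+$ ]]` check after the argument loop (if only decimal marks are expected, as the updown caller passes) would name the real problem. A header comment such as `# Change the ikey/okey marks of an existing VTI device` would also help, since the function name alone does not say it is VTI-specific.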
index 5fc8b081ae37c70df0d56f824bcae008b6daf6f6..911e5be4df0d69f1d6f5e7cfccb64fa071ca40ca 100644 (file)
@@ -1079,6 +1079,12 @@ _ipsec_connection_to_strongswan_connection() {
        fi
        print
 
+       # Netfilter Marks
+       print_indent 4 "# Netfilter Marks"
+       print_indent 4 "mark_in = %unique"
+       print_indent 4 "mark_out = %unique"
+       print
+
        # Rekeying
        if isset LIFETIME; then
                print_indent 4 "# Rekey Time"
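Review bot: The `mark_in = %unique` / `mark_out = %unique` lines are emitted for every connection, not only for those in VTI mode, although the marks are only consumed by the VTI path of the updown script. For a policy-based connection strongSwan's documented behaviour is that the mark becomes part of the XFRM policy, so unmarked traffic of an existing tunnel would no longer be matched and, unless a firewall rule catches it, could leave the host in clear text. Guard the block with `if [ "${MODE}" = "vti" ]; then` … `fi`, assuming MODE is in scope here as it is in ipsec-updown; the function starts and ends outside this hunk, so that cannot be confirmed from it.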
index 8541d2a0b8b69e7bd09fda56d1cc8a5d1fa5bd70..2be4e0cbda6927104fbab4b00eaab5ae0505faac 100644 (file)
@@ -31,6 +31,9 @@ assert isset PLUTO_VERSION
 
 CONNECTION="${PLUTO_CONNECTION}"
 
+# Interface name for this IPsec connection
+INTERFACE="ipsec-${CONNECTION}"
+
 if ! ipsec_connection_read_config "${CONNECTION}"; then
        log ERROR "Could not read configuration for ${CONNECTION}"
        exit ${EXIT_ERROR}
@@ -40,9 +43,39 @@ log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"
 
 case "${PLUTO_VERB}" in
        up-client)
+               case "${MODE}" in
+                       vti)
+                               if device_exists "${INTERFACE}"; then
+                                       ip_tunnel_change_keys "${INTERFACE}" \
+                                               --ikey="${PLUTO_MARK_IN%/*}" \
+                                               --okey="${PLUTO_MARK_OUT%/*}"
+
+                               else
+                                       if ! ip_tunnel_add "${INTERFACE}" \
+                                               --mode="vti" \
+                                               --local-address="${PLUTO_ME}" \
+                                               --remote-address="${PLUTO_PEER}" \
+                                               --ikey="${PLUTO_MARK_IN%/*}" \
+                                               --okey="${PLUTO_MARK_OUT%/*}"; then
+                                               log ERROR "Could not create VTI device for ${CONNECTION}"
+                                       fi
+                               fi
+
+                               device_set_up "${INTERFACE}"
+                               ;;
+               esac
                ;;
 
        down-client)
+               case "${MODE}" in
+                       vti)
+                               if device_exists "${INTERFACE}"; then
+                                       device_set_down "${INTERFACE}"
+
+                                       ip_tunnel_del "${INTERFACE}"
+                               fi
+                               ;;
+               esac
                ;;
 esac
 
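Review bot: In the up-client branch a failed `ip_tunnel_add` is only logged, after which `device_set_up "${INTERFACE}"` still runs on a device that does not exist and the script exits 0, so strongSwan sees a successful updown with no VTI behind it; the result of `ip_tunnel_change_keys` is not checked at all. Return the failure to the caller: after `log ERROR "Could not create VTI device for ${CONNECTION}"` add `exit ${EXIT_ERROR}`, and test the change-keys call the same way. The call also passes `--ikey`/`--okey` to `ip_tunnel_add`, which this commit does not extend; unless it already accepts those options, creation would fail on every first up. Separately, `INTERFACE="ipsec-${CONNECTION}"` from the previous hunk exceeds the kernel's 15-character interface name limit for any connection name longer than nine characters, which would also surface here as an add failure.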
index 4ab490a6ca370dbe96bdd6149e5c614dbcde30b7..40d08cb99cdaa7133601066af23e8fca83286133 100644 (file)
@@ -59,6 +59,10 @@ case "${SUBSYSTEM}" in
                elif device_is_loopback ${INTERFACE}; then
                        exit ${EXIT_OK}
 
+               # Stop processing rules for IPsec devices
+               elif device_is_ipsec ${INTERFACE}; then
+                       exit ${EXIT_OK}
+
                # Stop processing rules for wireless monitoring devices
                elif device_is_wireless_monitor ${INTERFACE}; then
                        exit ${EXIT_OK}