ipsec: security policies: system: Order by complexity

strongswan uses the cipher suites in the order as listed by first
match instead of complexity. This patch re-orders them so that
maximum complexity is tried first and everything else after.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Set traffic selectors to all when using GRE/VTI devices

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ip-tunnel: Allow to set MAC address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ports: Use default port pattern for all ports

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: New port hook

This allows to create layer-2 tunnels using the GRETAP protocol

Fixes: #11608
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: Add support for GRETAP tunnels

Fixes: 11608
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Do not attempt to rename any devices with an invalid MAC address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Do not allow to create ethernet devices with an invalid MAC address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network-hotplug: Try to use fewer checks when deleting a device

This code basically does the same but runs fewer checks to
find the right device type

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Handle special devices by name only

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Do not attempt to remove the special ip6gre0 device

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Do not attempt to remove special device ip_vti0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Don't try to remove gre0

This device cannot be removed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop unused function: device_is_ipsec

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device: Refactor check for device type

There is now one implementation for various types of devices

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Cleanup code that deletes ports/zones

This is used for network reset and it wasn't clear
before if the command were successful

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Ignore all PPP interfaces

Those will come up when a PPP session is being established
with the pppoe-server.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lock: Accept names instead of paths

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: Parse command line correctly when running commands

Before, empty arguments where just dropped

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: Remove line to enable kernel mode

This is enabled anyways since it is the only mode
we are supporting right now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: Refactor pppoe_server_poolfile

Due to output of other functions changed, this function
needed to be slightly rewritten.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv4: Fix ipv4_range_explicit function

Inputs where not converted correctly and therefore
the function returned an invalid output.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove debugging line

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireless: Try to automatically enable HT40+/- on devices that support it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

copy: Automatically create target directory when copying files

Fixes: #11663
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnetwork: Add function to check if a PHY supports a specific channel

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Show driver name in device status

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

colors: Fix length of LISTENING label

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Let bridges create their ports in hotplug event

This patch changes that all ports are being created in the
hotplug event and allows us to start bridges at any time
with ports existing or being added later.

Fixes: #11360
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

boot: Fix bringing up zones when system is booting

An incorrect target was required and no zone was brought
up during boot.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

util: Fail silently when directory already exists

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

colors: Remove extra space character in BLOCKING msg

This message was not properly aligned

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Move creating port configurations into network-hotplug-rename

This script is now actually creating a new configuration while
it is holding the lock.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Refactor network-hotplug-rename

This is now using a new locking mechanism that is working
faster and more reliable then looping for forever.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Correctly create new configurations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ports: Fix saving HOOK name

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Refactor hotplug script

This script is doing the same as before, but has been refactored
to be cleaner and faster.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hotplug: Continue running through script for ipsec devices

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zones: Drop unused commands

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Extend "network status"

This now takes ports, devices and PHYs and prints the appropriate
status.

This is very handy and just a shortcut.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Speed up device_list() by removing the alphabetical sort

We are now returning all devices, then all PHYs, then all
serial devices.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix generating device_list()

It was returning values like bonding_masters which are not
an actual device.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Validate input for --offloading flag and throw an error when empty

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ports: ethernet+bonding: Allow to disable all offloading

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Move offloading code into an own file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add support for hardware offloading

Hardware offloading will now be enabled on physical
and bonding devices automatically.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Move DEFAULT_MTU to constants

This is where it belongs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Rewrite adding routes script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

constants: Remove unused BATMAN variable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Use combined setting for advertised link speeds

This patch removes the speed and duplex settings and replaces them
with a configuration option that allows to change advertised link
speeds to a certain speed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Allow setting duplex mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Allow setting link speed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Bring back accidentially dropped hook_create function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Return OK only to rename ports

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Use default hook_new() function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-port: Start with empty set of settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

port: ethernet: Allow setting the MTU

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Restart ports after edit to apply settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

header-port: Print errors if config could not be read/written

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ports: ethernet: Allow changing MAC address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add support for LEDs

This patch configures LEDs on some Wireless PHYs to flash
on activity. This makes debugging easier.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Add support for 802.11ac

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Always enable 802.11d

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Write VHT capabilities to configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnetwork: Actually store index

Index was always zero and therefore only the first PHY could
be queried only.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnetwork: Remove debug output

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnetwork: Fix typo in RX-LDPC HT capability

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnetwork: Fix looping though HT capabilities

The last capability was never looped through

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ibnetwork: Add command to show available VHT capabilities of phys

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Always enable all HT caps

Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: Make --peer optional

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: VTI keys are static now and don't need to be updated

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: GRE/VTI connections are now possible as on-demand

This change implements using zones as GRE/VTI devices so that
we can use IPsec connections in on-demand mode, too.

The device will be created first (as a zone) and might trigger
an IPsec connection. If that happens, the settings of the device
will be updated automatically.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: Add support for VTI interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Show ZONE setting when configuration is being dumped

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Change mode to transport/tunnel only

VTI is being removed and will be possible via the new
zone command.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Allow adding a zone to a VPN connection

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: security policies: Fix typos in plural variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Add tests for ip-tunnels in GRE mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Makefile: Forgot to remove 6to4-tunnel hook

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'jschlag/master'

Drop 6to4-tunnel hook which is (partly) replaced by ip-tunnel

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

man: Add documentation for IP tunnel hook

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add generic IP tunnel zone hook

This is useful to create GRE connections and can easily
be extended to do more later.

Fixes: #11607
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: Create a function that determines if all IP addresses match

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: Fix protocol detection when local address is empty

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: security policies: Add documentation for pseudo-random-functions command

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CLI: Fix destroying zones

The old delayed removal process doesn't exist any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'upstream/master'

ipsec: security policies: Make integrity command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'upstream/master'

Move vpn tests into an own directory structure

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

ipsec: security policies: Make group type command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Adjust include paths because of the new include path feature

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

ipsec: security policies: Show PRFs when dumping SecPol conf

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: security polices: Make cipher command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Use new include path feature of nitsi

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

ipsec: security-policies: Make PRF command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: security-policies: Add CLI to modify PRFs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Generate IKE proposals with PRFs

This is now a requirement for AEAD ciphers and strongswan
refuses to start.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>