From: Michael Tremer
Date: Fri, 4 Aug 2017 12:12:44 +0000 (+0000)
Subject: ipsec: Add prototype-level support for VTI
X-Git-Url: http://git.ipfire.org/?p=people%2Fstevee%2Fnetwork.git;a=commitdiff_plain;h=82fac748571611444b30cba78ff538f9eab69e09

ipsec: Add prototype-level support for VTI

This will create a VTI interface for IPsec connections configured as such and bring it up so that traffic can be passed around.

Signed-off-by: Michael Tremer
---
diff --git a/src/functions/functions.device b/src/functions/functions.device
index bdca75e2..be3fe954 100644
--- a/src/functions/functions.device
+++ b/src/functions/functions.device
@@ -287,6 +287,12 @@ device_is_dummy() {
 	[[ ${device} =~ ^dummy[0-9]+$ ]]
 }
 
+device_is_ipsec() {
+	local device="${1}"
+
+	[[ ${device} =~ ^ipsec\- ]]
+}
+
 # Check if the device is a wireless device
 device_is_wireless() {
 	local device=${1}
diff --git a/src/functions/functions.ip-tunnel b/src/functions/functions.ip-tunnel
index 195ee932..b9e06356 100644
--- a/src/functions/functions.ip-tunnel
+++ b/src/functions/functions.ip-tunnel
@@ -132,3 +132,50 @@ ip_tunnel_del() {
 	ip tunnel del ${device}
 	assert [ $? -eq 0 ]
 }
+
+ip_tunnel_change_keys() {
+	local device="${1}"
+	shift
+
+	if ! isset device; then
+		error "No device given"
+		return ${EXIT_ERROR}
+	fi
+
+	local ikey
+	local okey
+
+	while [ $# -gt 0 ]; do
+		case "${1}" in
+			--ikey=*)
+				ikey="$(cli_get_val ${1})"
+				;;
+			--okey=*)
+				okey="$(cli_get_val ${1})"
+				;;
+			*)
+				error "Invalid argument: ${1}"
+				return ${EXIT_ERROR}
+				;;
+		esac
+		shift
+	done
+
+	if ! isset ikey || ! isset okey; then
+		error "You need to set --ikey= and --okey="
+		return ${EXIT_ERROR}
+	fi
+
+	if ! device_exists "${device}"; then
+		error "No such device: ${device}"
+		return ${EXIT_ERROR}
+	fi
+
+	if ! cmd ip link change dev "${device}" \
+		type vti ikey "${ikey}" okey "${okey}"; then
+		log ERROR "Could not change keys of device ${device}"
+		return ${EXIT_ERROR}
+	fi
+
+	return ${EXIT_OK}
+}
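Review bot: The pattern in `device_is_ipsec` escapes a hyphen that needs no escaping in an ERE, and the `ipsec-` prefix it tests is repeated as a literal in `ipsec-updown` (`INTERFACE="ipsec-${CONNECTION}"`), so the two places can drift apart without any error. A single shared prefix, or one helper that derives the device name from the connection and is used by both, would keep them in sync; the test itself would then read `[[ ${device} =~ ^ipsec- ]]`. Unlike `device_is_dummy` directly above, the match is prefix-only, apparently because the suffix is a free-form connection name; a one-line comment such as `# Matches the ipsec-<connection> devices created by ipsec-updown` would make that intent explicit.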
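Review bot: `ip_tunnel_change_keys` hands `ikey`/`okey` to `ip link change ... type vti` after only an `isset` check, so a non-numeric or out-of-range value (the kernel treats VTI keys as 32-bit fwmark values) is rejected only by `ip`, and the values are read through an unquoted `cli_get_val ${1}`. Validate before calling `ip`, e.g. `if ! [[ "${ikey}" =~ ^(0x[0-9a-fA-F]+|[0-9]+)$ ]] || ! [[ "${okey}" =~ ^(0x[0-9a-fA-F]+|[0-9]+)$ ]]; then error "--ikey= and --okey= must be numeric"; return ${EXIT_ERROR}; fi`, and quote the argument: `ikey="$(cli_get_val "${1}")"`. The function also does not confirm that `${device}` is a VTI before issuing `type vti`, which `ip` refuses for other link types, so a header comment stating the contract would help: `# Re-keys an existing VTI device in place; ikey/okey are the fwmark values of the IPsec SAs`. The only caller visible in this commit feeds it values from strongswan, so this is hardening against future callers rather than a reachable problem today.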
diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index 5fc8b081..911e5be4 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -1079,6 +1079,12 @@ _ipsec_connection_to_strongswan_connection() {
 	fi
 	print
 
+	# Netfilter Marks
+	print_indent 4 "# Netfilter Marks"
+	print_indent 4 "mark_in = %unique"
+	print_indent 4 "mark_out = %unique"
+	print
+
 	# Rekeying
 	if isset LIFETIME; then
 		print_indent 4 "# Rekey Time"
diff --git a/src/helpers/ipsec-updown b/src/helpers/ipsec-updown
index 8541d2a0..2be4e0cb 100644
--- a/src/helpers/ipsec-updown
+++ b/src/helpers/ipsec-updown
@@ -31,6 +31,9 @@ assert isset PLUTO_VERSION
 
 CONNECTION="${PLUTO_CONNECTION}"
 
+# Interface name for this IPsec connection
+INTERFACE="ipsec-${CONNECTION}"
+
 if ! ipsec_connection_read_config "${CONNECTION}"; then
 	log ERROR "Could not read configuration for ${CONNECTION}"
 	exit ${EXIT_ERROR}
@@ -40,9 +43,39 @@ log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"
 
 case "${PLUTO_VERB}" in
 	up-client)
+		case "${MODE}" in
+			vti)
+				if device_exists "${INTERFACE}"; then
+					ip_tunnel_change_keys "${INTERFACE}" \
+						--ikey="${PLUTO_MARK_IN%/*}" \
+						--okey="${PLUTO_MARK_OUT%/*}"
+
+				else
+					if ! ip_tunnel_add "${INTERFACE}" \
+						--mode="vti" \
+						--local-address="${PLUTO_ME}" \
+						--remote-address="${PLUTO_PEER}" \
+						--ikey="${PLUTO_MARK_IN%/*}" \
+						--okey="${PLUTO_MARK_OUT%/*}"; then
+						log ERROR "Could not create VTI device for ${CONNECTION}"
+					fi
+				fi
+
+				device_set_up "${INTERFACE}"
+				;;
+		esac
 		;;
 
 	down-client)
+		case "${MODE}" in
+			vti)
+				if device_exists "${INTERFACE}"; then
+					device_set_down "${INTERFACE}"
+
+					ip_tunnel_del "${INTERFACE}"
+				fi
+				;;
+		esac
 		;;
 esac
 
diff --git a/src/udev/network-hotplug b/src/udev/network-hotplug
index 4ab490a6..40d08cb9 100644
--- a/src/udev/network-hotplug
+++ b/src/udev/network-hotplug
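Review bot: The `mark_in = %unique` / `mark_out = %unique` lines are emitted for every connection rather than only for those whose `MODE` is `vti`, yet nothing in this commit marks packets for non-VTI connections. As far as I understand strongswan's mark semantics, an SA and policy that carry a mark only match traffic carrying that mark, so an existing policy-based connection would stop matching its packets and traffic meant for the tunnel could be sent in the clear — worth verifying before this leaves prototype stage. Gate the block on the mode, assuming `MODE` is in scope here as it is in `ipsec-updown` after `ipsec_connection_read_config`: `if [ "${MODE}" = "vti" ]; then` … `fi`, with `# VTI needs per-connection marks so the kernel can map tunnel traffic to the right SA` above it. `_ipsec_connection_to_strongswan_connection` starts and ends outside this hunk.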
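Review bot: `INTERFACE="ipsec-${CONNECTION}"` is built from `PLUTO_CONNECTION` with no check that the result is a usable interface name; Linux limits names to 15 characters, so any connection name longer than 9 characters makes the later `ip tunnel add` fail, and characters such as `/` or whitespace in the name would reach `ip` unchecked unless `ipsec_connection_read_config` already rejects them (not visible here). Add a guard right after the assignment, e.g. `if [ "${#INTERFACE}" -gt 15 ]; then log ERROR "Interface name ${INTERFACE} exceeds 15 characters"; exit ${EXIT_ERROR}; fi`, and record the constraint in the comment: `# Interface name for this IPsec connection (must fit IFNAMSIZ: at most 15 characters)`. A helper that derives the name, shared with `device_is_ipsec`, would keep the prefix in one place.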
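Review bot: In the `up-client` branch a failed `ip_tunnel_add` only logs an error and execution falls through to `device_set_up "${INTERFACE}"` on a device that does not exist, and the results of `ip_tunnel_change_keys` and `device_set_up` are not checked at all. Each step should stop the script on failure so that a connection is not left looking established with no working VTI behind it (how charon treats the script's exit status is not visible here, but a lone log line is easy to miss). When the device already exists only the keys are refreshed, so a changed `PLUTO_ME`/`PLUTO_PEER` (for example after the peer's address moves) would leave the VTI with stale endpoints — presumably acceptable for a prototype, but worth a `# TODO: refresh local/remote address when the endpoints change` comment. A `*)` arm in `case "${MODE}"` that logs the unsupported mode would also avoid silently doing nothing.
```shell
		vti)
			if device_exists "${INTERFACE}"; then
				if ! ip_tunnel_change_keys "${INTERFACE}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"; then
					log ERROR "Could not update keys of ${INTERFACE}"
					exit ${EXIT_ERROR}
				fi
			else
				if ! ip_tunnel_add "${INTERFACE}" \
						--mode="vti" \
						--local-address="${PLUTO_ME}" \
						--remote-address="${PLUTO_PEER}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"; then
					log ERROR "Could not create VTI device for ${CONNECTION}"
					exit ${EXIT_ERROR}
				fi
			fi

			if ! device_set_up "${INTERFACE}"; then
				log ERROR "Could not bring up ${INTERFACE}"
				exit ${EXIT_ERROR}
			fi
			;;
		# … unchanged: down-client handling …
```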
@@ -59,6 +59,10 @@ case "${SUBSYSTEM}" in
 		elif device_is_loopback ${INTERFACE}; then
 			exit ${EXIT_OK}
 
+		# Stop processing rules for IPsec devices
+		elif device_is_ipsec ${INTERFACE}; then
+			exit ${EXIT_OK}
+
 		# Stop processing rules for wireless monitoring devices
 		elif device_is_wireless_monitor ${INTERFACE}; then
 			exit ${EXIT_OK}