From eee2bb6c242f9fdb83fd19eb6eeac3ae6a50aa4b Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 7 Jun 2021 19:35:51 +0200
Subject: ipsec: T2816: adjust Jinja2 template to common style pattern

---
 data/templates/ipsec/ipsec.conf.tmpl | 108 +++++++++++++++++------------------
 1 file changed, 53 insertions(+), 55 deletions(-)

diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
index 67447366c..342887883 100644
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ b/data/templates/ipsec/ipsec.conf.tmpl
@@ -6,96 +6,94 @@ config setup
     charondebug = "{{ charondebug }}"
     uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }}
 
-{%  if site_to_site is defined and "peer" in site_to_site -%}
-{%      for peer, peer_conf in site_to_site.peer.items() %}
-{%          set peer_index = loop.index %}
-{%          set peer_ike = ike_group[peer_conf.ike_group] %}
-{%          set peer_esp = esp_group[peer_conf.default_esp_group] if 'default_esp_group' in peer_conf else None %}
+{% if site_to_site is defined and site_to_site.peer is defined %}
+{%   for peer, peer_conf in site_to_site.peer.items() %}
+{%     set peer_index = loop.index %}
+{%     set peer_ike = ike_group[peer_conf.ike_group] %}
+{%     set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
 conn peer-{{ peer }}
-{%          if peer_conf.authentication.mode in authby %}
+{%     if peer_conf.authentication.mode in authby %}
     authby = {{ authby[peer_conf.authentication.mode] }}
-{%          endif %}
-{%          if peer_conf.authentication.mode == 'x509' %}
-{%              set cert_file = peer_conf.authentication.x509.cert_file %}
+{%     endif %}
+{%     if peer_conf.authentication.mode == 'x509' %}
+{%       set cert_file = peer_conf.authentication.x509.cert_file %}
     leftcert = {{ cert_file if cert_file.startswith(x509_path) else (x509_path + cert_file) }}
     leftsendcert = always
     rightca = %same
-{%          elif peer_conf.authentication.mode == 'rsa' %}
+{%     elif peer_conf.authentication.mode == 'rsa' %}
     leftsigkey = localhost.pub
     rightsigkey = {{ peer_conf.authentication.rsa_key_name }}.pub
-{%          endif %}
+{%     endif %}
     left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
-{%          if "id" in peer_conf.authentication and "use_x509_id" not in peer_conf.authentication %}
+{%     if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
     leftid = "{{ peer_conf.authentication.id }}"
-{%          endif %}
+{%     endif %}
     right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }}
-{%          if "remote_id" in peer_conf.authentication %}
+{%     if peer_conf.authentication.remote_id is defined %}
     rightid = "{{ peer_conf.authentication.remote_id }}"
-{%          elif peer[0:1] == '@' %}
+{%     elif peer[0:1] == '@' %}
     rightid = "{{ peer }}"
-{%          endif %}
+{%     endif %}
     keylife = 3600s
     rekeymargin = 540s
 {{ ike_esp.conn(peer_ike, ciphers.ike[peer_conf.ike_group], peer_esp, ciphers.esp[peer_conf.default_esp_group] if peer_esp else None) }}
-{%          if "vti" in peer_conf and "bind" in peer_conf.vti %}
-{%              set vti_esp = esp_group[peer_conf.vti.esp_group] if "esp_group" in peer_conf.vti else None %}
+{%     if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
+{%       set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %}
 conn peer-{{ peer }}-vti
     also = peer-{{ peer }}
     leftsubnet = 0.0.0.0/0
-    leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}"
+    leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
     rightsubnet = 0.0.0.0/0
     mark = {{ marks[peer_conf.vti.bind] }}
 {{ ike_esp.conn(None, None, vti_esp, ciphers.esp[peer_conf.vti.esp_group] if vti_esp else None) }}
-{%          if peer[0:1] == '@' %}
+{%       if peer[0:1] == '@' %}
     rekey = no
     auto = add
     keyingtries = %forever
-{%          else %}
-{%              if 'connection_type' not in peer_conf or peer_conf.connection_type == 'initiate' %}
+{%       else %}
+{%         if peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
     auto = start
     keyingtries = %forever
-{%              endif %}
-{%              if peer_conf.connection_type == 'respond' %}
+{%         elif peer_conf.connection_type == 'respond' %}
     auto = route
     keyingtries = 1
-{%              endif %}
-{%          endif %}
-{%          elif "tunnel" in peer_conf %}
-{%              for tunnel_id, tunnel_conf in peer_conf.tunnel.items() %}
-{%                  set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %}
-{%                  set tunnel_esp = esp_group[tunnel_esp_name] %}
-{%                  set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '%any' %}
+{%         endif %}
+{%       endif %}
+{%     elif peer_conf.tunnel is defined %}
+{%       for tunnel_id, tunnel_conf in peer_conf.tunnel.items() %}
+{%         set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %}
+{%         set tunnel_esp = esp_group[tunnel_esp_name] %}
+{%         set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '%any' %}
 conn peer-{{ peer }}-tunnel-{{tunnel_id}}
     also = peer-{{ peer }}
-{%                  if 'mode' not in tunnel_esp or tunnel_esp.mode == 'tunnel' %}
-{%                      if 'local' in tunnel_conf and 'prefix' in tunnel_conf.local %}
+{%         if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
+{%           if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
     leftsubnet = {{ tunnel_conf.local.prefix if tunnel_conf.local.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.local.port if "port" in tunnel_conf.local else '%any' }}]
-{%                      endif %}
-{%                      if 'remote' in tunnel_conf and 'prefix' in tunnel_conf.remote %}
+{%           endif %}
+{%           if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
     rightsubnet = {{ tunnel_conf.remote.prefix if tunnel_conf.remote.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.remote.port if "port" in tunnel_conf.remote else '%any' }}]
-{%                      endif %}
-{%                  elif tunnel_esp.mode == 'transport' %}
+{%           endif %}
+{%         elif tunnel_esp.mode == 'transport' %}
     leftsubnet = {{ peer_conf.local_address }}[{{ proto }}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in tunnel_conf.local else '%any' }}]
     rightsubnet = {{ peer }}[{{ proto }}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in tunnel_conf.local else '%any' }}]
-{%                  endif %}
-{%                  if 'esp_group' in tunnel_conf %}
+{%         endif %}
+{%         if tunnel_conf.esp_group is defined %}
 {{ ike_esp.conn(None, None, tunnel_esp, ciphers.esp[tunnel_esp_name]) }}
-{%                  endif %}
-{%                  if peer[0:1] == '@' %}
+{%         endif %}
+{%         if peer[0:1] == '@' %}
     rekey = no
     auto = add
     keyingtries = %forever
-{%                  else %}
-{%                      if 'connection_type' not in peer_conf or peer_conf.connection_type == 'initiate' %}
+{%         else %}
+{%           if peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
     auto = start
     keyingtries = %forever
-{%                      endif %}
-{%                      if peer_conf.connection_type == 'respond' %}
+{%           elif peer_conf.connection_type == 'respond' %}
     auto = route
     keyingtries = 1
-{%                      endif %}
-{%                  endif %}
-{%                  if 'passthrough' in tunnel_conf and tunnel_conf.passthrough %}
+{%           endif %}
+{%         endif %}
+{%         if tunnel_conf.passthrough is defined and tunnel_conf.passthrough is not none %}
 conn peer-{{ peer }}-tunnel-{{ tunnel_id }}-passthough
     left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }}
     right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }}
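Review bot: The passthrough guard on the new side, `{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough is not none %}`, is not equivalent to the `'passthrough' in tunnel_conf and tunnel_conf.passthrough` it replaces: the old form required a truthy value, the new one only excludes None, so an empty or false-y `passthrough` value now emits a `type = passthrough` / `authby = never` conn that exempts that prefix pair from IPsec, which is a behaviour change hidden in a style commit. Keeping the truthiness test preserves the old output: `{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}`. Separately, the two `set` lines for `tunnel_esp_name` and `proto` still use `"esp_group" in tunnel_conf` / `"protocol" in tunnel_conf` while every other test in the hunk was converted to `is defined`, so the stated common style is not applied uniformly. The `for tunnel_id ...` loop and its enclosing `elif peer_conf.tunnel is defined` branch are closed in the next hunk, outside this one.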
@@ -104,18 +102,18 @@ conn peer-{{ peer }}-tunnel-{{ tunnel_id }}-passthough
     type = passthrough
     authby = never
     auto = route
-{%                  endif %}
-{%              endfor %}
-{%          endif %}
-{%      endfor %}
-{%-  endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
 
 {%  if include_ipsec_conf is defined %}
 include {{ include_ipsec_conf }}
 {%  endif %}
 
-{%  if delim_ipsec_l2tp_begin is defined -%}
+{%  if delim_ipsec_l2tp_begin is defined %}
 {{delim_ipsec_l2tp_begin}}
 include {{ipsec_ra_conn_file}}
 {{delim_ipsec_l2tp_end}}
-{%-  endif %}
+{%  endif %}