summaryrefslogtreecommitdiff
path: root/src/swanctl
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
commite0e280b7669435b991b7e457abd8aa450930b3e8 (patch)
tree3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /src/swanctl
parent51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff)
downloadvyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.tar.gz
vyos-strongswan-e0e280b7669435b991b7e457abd8aa450930b3e8.zip
New upstream version 5.7.0
Diffstat (limited to 'src/swanctl')
-rw-r--r--src/swanctl/Makefile.in11
-rw-r--r--src/swanctl/commands/counters.c4
-rw-r--r--src/swanctl/commands/initiate.c2
-rw-r--r--src/swanctl/commands/list_conns.c16
-rw-r--r--src/swanctl/commands/list_sas.c4
-rw-r--r--src/swanctl/commands/load_all.c10
-rw-r--r--src/swanctl/commands/load_authorities.c10
-rw-r--r--src/swanctl/commands/load_conns.c10
-rw-r--r--src/swanctl/commands/load_creds.c13
-rw-r--r--src/swanctl/commands/load_pools.c10
-rw-r--r--src/swanctl/commands/rekey.c13
-rw-r--r--src/swanctl/swanctl.conf38
-rw-r--r--src/swanctl/swanctl.conf.5.head.in4
-rw-r--r--src/swanctl/swanctl.conf.5.main117
-rw-r--r--src/swanctl/swanctl.opt86
15 files changed, 318 insertions, 30 deletions
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index ea7130bbb..c746573f8 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -331,7 +331,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -357,6 +356,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -377,8 +378,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -433,8 +432,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -463,8 +460,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
diff --git a/src/swanctl/commands/counters.c b/src/swanctl/commands/counters.c
index ab386b5d8..909ca4366 100644
--- a/src/swanctl/commands/counters.c
+++ b/src/swanctl/commands/counters.c
@@ -48,7 +48,7 @@ static int counters(vici_conn_t *conn)
vici_res_t *res;
command_format_options_t format = COMMAND_FORMAT_NONE;
char *arg, *name = NULL;
- int ret;
+ int ret = 0;
bool all = FALSE, reset = FALSE;
while (TRUE)
@@ -131,7 +131,7 @@ static int counters(vici_conn_t *conn)
}
}
vici_free_res(res);
- return 0;
+ return ret;
}
/**
diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
index 8e452a6f6..bf8d2cd79 100644
--- a/src/swanctl/commands/initiate.c
+++ b/src/swanctl/commands/initiate.c
@@ -131,7 +131,7 @@ static void __attribute__ ((constructor))reg()
{"--child <name> [--ike <name>] [--timeout <s>] [--raw|--pretty]"},
{
{"help", 'h', 0, "show usage information"},
- {"child", 'c', 1, "initate a CHILD_SA configuration"},
+ {"child", 'c', 1, "initiate a CHILD_SA configuration"},
{"ike", 'i', 1, "name of the connection to which the child belongs"},
{"timeout", 't', 1, "timeout in seconds before detaching"},
{"raw", 'r', 0, "dump raw response message"},
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index f692e9966..5f7dd8189 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -2,7 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
- * Copyright (C) 2016 Andreas Steffen
+ * Copyright (C) 2016-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -199,6 +199,10 @@ CALLBACK(conn_sn, int,
{
printf(" groups: %s\n", auth->get(auth, "groups"));
}
+ if (auth->get(auth, "cert_policy"))
+ {
+ printf(" cert policy: %s\n", auth->get(auth, "cert_policy"));
+ }
if (auth->get(auth, "certs"))
{
printf(" certs: %s\n", auth->get(auth, "certs"));
@@ -234,7 +238,7 @@ CALLBACK(conns, int,
void *null, vici_res_t *res, char *name)
{
int ret;
- char *version, *reauth_time, *rekey_time, *dpd_delay;
+ char *version, *reauth_time, *rekey_time, *dpd_delay, *ppk_id, *ppk_req;
hashtable_t *ike;
version = vici_find_str(res, "", "%s.version", name);
@@ -278,6 +282,14 @@ CALLBACK(conns, int,
}
printf("\n");
+ ppk_id = vici_find_str(res, NULL, "%s.ppk_id", name);
+ ppk_req = vici_find_str(res, NULL, "%s.ppk_required", name);
+ if (ppk_id || ppk_req)
+ {
+ printf(" ppk: %s%s%srequired\n", ppk_id ?: "", ppk_id ? ", " : "",
+ !ppk_req || !streq(ppk_req, "yes") ? "not " : "");
+ }
+
ret = vici_parse_cb(res, conn_sn, NULL, conn_list, ike);
free_hashtable(ike);
return ret;
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 28602fc65..232f03cc2 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -266,6 +266,10 @@ CALLBACK(ike_sa, int,
}
printf("/%s", ike->get(ike, "prf-alg"));
printf("/%s", ike->get(ike, "dh-group"));
+ if (streq(ike->get(ike, "ppk"), "yes"))
+ {
+ printf("/PPK");
+ }
printf("\n");
}
diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c
index 0010ce140..26f043a6a 100644
--- a/src/swanctl/commands/load_all.c
+++ b/src/swanctl/commands/load_all.c
@@ -31,8 +31,8 @@ static int load_all(vici_conn_t *conn)
bool clear = FALSE, noprompt = FALSE;
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
+ char *arg, *file = SWANCTL_CONF;
int ret = 0;
- char *arg;
while (TRUE)
{
@@ -52,6 +52,9 @@ static int load_all(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -60,10 +63,10 @@ static int load_all(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -104,6 +107,7 @@ static void __attribute__ ((constructor))reg()
{"noprompt", 'n', 0, "do not prompt for passwords"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index d82c0f98e..61682a386 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -310,7 +310,7 @@ static int load_authorities(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -325,6 +325,9 @@ static int load_authorities(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -333,10 +336,10 @@ static int load_authorities(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -360,6 +363,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 0518ef54f..dad03945d 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -425,7 +425,7 @@ static int load_conns(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -440,6 +440,9 @@ static int load_conns(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -448,10 +451,10 @@ static int load_conns(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -474,6 +477,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 15ef2f151..a9e352f7e 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -665,6 +665,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
"xauth",
"ntlm",
"ike",
+ "ppk",
"private",
"rsa",
"ecdsa",
@@ -688,7 +689,7 @@ static bool load_secret(load_ctx_t *ctx, char *section)
return FALSE;
}
if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ntlm") &&
- !streq(type, "ike"))
+ !streq(type, "ike") && !streq(type, "ppk"))
{ /* skip non-shared secrets */
return TRUE;
}
@@ -945,7 +946,7 @@ static int load_creds(vici_conn_t *conn)
bool clear = FALSE, noprompt = FALSE;
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -966,6 +967,9 @@ static int load_creds(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -974,10 +978,10 @@ static int load_creds(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -1002,6 +1006,7 @@ static void __attribute__ ((constructor))reg()
{"noprompt", 'n', 0, "do not prompt for passwords"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index feb8d3a52..ec9508efb 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
@@ -251,7 +251,7 @@ static int load_pools(vici_conn_t *conn)
{
command_format_options_t format = COMMAND_FORMAT_NONE;
settings_t *cfg;
- char *arg;
+ char *arg, *file = SWANCTL_CONF;
int ret;
while (TRUE)
@@ -266,6 +266,9 @@ static int load_pools(vici_conn_t *conn)
case 'r':
format |= COMMAND_FORMAT_RAW;
continue;
+ case 'f':
+ file = arg;
+ continue;
case EOF:
break;
default:
@@ -274,10 +277,10 @@ static int load_pools(vici_conn_t *conn)
break;
}
- cfg = settings_create(SWANCTL_CONF);
+ cfg = settings_create(file);
if (!cfg)
{
- fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF);
+ fprintf(stderr, "parsing '%s' failed\n", file);
return EINVAL;
}
@@ -300,6 +303,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
+ {"file", 'f', 1, "custom path to swanctl.conf"},
}
});
}
diff --git a/src/swanctl/commands/rekey.c b/src/swanctl/commands/rekey.c
index 47a313657..f44ecaa3c 100644
--- a/src/swanctl/commands/rekey.c
+++ b/src/swanctl/commands/rekey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Tobias Brunner
+ * Copyright (C) 2017-2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@ static int rekey(vici_conn_t *conn)
command_format_options_t format = COMMAND_FORMAT_NONE;
char *arg, *child = NULL, *ike = NULL;
int ret = 0, child_id = 0, ike_id = 0;
+ bool reauth = FALSE;
while (TRUE)
{
@@ -49,6 +50,9 @@ static int rekey(vici_conn_t *conn)
case 'I':
ike_id = atoi(arg);
continue;
+ case 'a':
+ reauth = TRUE;
+ continue;
case EOF:
break;
default:
@@ -74,6 +78,10 @@ static int rekey(vici_conn_t *conn)
{
vici_add_key_valuef(req, "ike-id", "%d", ike_id);
}
+ if (reauth)
+ {
+ vici_add_key_valuef(req, "reauth", "yes");
+ }
res = vici_submit(req, conn);
if (!res)
{
@@ -111,13 +119,14 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
rekey, 'R', "rekey", "rekey an SA",
{"--child <name> | --ike <name | --child-id <id> | --ike-id <id>",
- "[--raw|--pretty]"},
+ "[--reauth] [--raw|--pretty]"},
{
{"help", 'h', 0, "show usage information"},
{"child", 'c', 1, "rekey by CHILD_SA name"},
{"ike", 'i', 1, "rekey by IKE_SA name"},
{"child-id", 'C', 1, "rekey by CHILD_SA unique identifier"},
{"ike-id", 'I', 1, "rekey by IKE_SA unique identifier"},
+ {"reauth", 'a', 0, "reauthenticate instead of rekey an IKEv2 SA"},
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
}
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 9b87a963a..c50f20dc6 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -56,6 +56,13 @@
# Send certificate payloads (always, never or ifasked).
# send_cert = ifasked
+ # String identifying the Postquantum Preshared Key (PPK) to be used.
+ # ppk_id =
+
+ # Whether a Postquantum Preshared Key (PPK) is required for this
+ # connection.
+ # ppk_required = no
+
# Number of retransmission sequences to perform during initial connect.
# keyingtries = 1
@@ -311,6 +318,14 @@
# Netfilter mark and mask for output traffic.
# mark_out = 0/0x00000000
+ # Netfilter mark applied to packets after the inbound IPsec SA
+ # processed them.
+ # set_mark_in = 0/0x00000000
+
+ # Netfilter mark applied to packets after the outbound IPsec SA
+ # processed them.
+ # set_mark_out = 0/0x00000000
+
# Traffic Flow Confidentiality padding.
# tfc_padding = 0
@@ -321,6 +336,18 @@
# IPsec implementation.
# hw_offload = no
+ # Whether to copy the DF bit to the outer IPv4 header in tunnel
+ # mode.
+ # copy_df = yes
+
+ # Whether to copy the ECN header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_ecn = yes
+
+ # Whether to copy the DSCP header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_dscp = out
+
# Action to perform after loading the configuration (none, trap,
# start).
# start_action = none
@@ -379,6 +406,17 @@
# }
+ # Postquantum Preshared Key (PPK) section for a specific secret.
+ # ppk<suffix> {
+
+ # Value of the PPK.
+ # secret =
+
+ # PPK identity the PPK belongs to.
+ # id<suffix> =
+
+ # }
+
# Private key decryption passphrase for a key in the private folder.
# private<suffix> {
diff --git a/src/swanctl/swanctl.conf.5.head.in b/src/swanctl/swanctl.conf.5.head.in
index 5742d2593..a14225df0 100644
--- a/src/swanctl/swanctl.conf.5.head.in
+++ b/src/swanctl/swanctl.conf.5.head.in
@@ -6,8 +6,8 @@ swanctl.conf is the configuration file used by the
.BR swanctl (8)
tool to load configurations and credentials into the strongSwan IKE daemon.
-For a description of the basic file syntax, including how to split the
-configuration in multiple files by including other files, refer to
+For a description of the basic file syntax, including how to reference sections
+or split the configuration in multiple files by including other files, refer to
.BR strongswan.conf (5).
.SH TIME FORMATS
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 1f7e3a2cc..1f8900959 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -217,6 +217,14 @@ causes certificate payloads to be sent unconditionally
whenever certificate authentication is used.
.TP
+.BR connections.<conn>.ppk_id " []"
+String identifying the Postquantum Preshared Key (PPK) to be used.
+
+.TP
+.BR connections.<conn>.ppk_required " [no]"
+Whether a Postquantum Preshared Key (PPK) is required for this connection.
+
+.TP
.BR connections.<conn>.keyingtries " [1]"
Number of retransmission sequences to perform during initial connect. Instead of
giving up initiation after the first retransmission sequence with the default
@@ -1127,6 +1135,52 @@ The default
mask if omitted is 0xffffffff.
.TP
+.BR connections.<conn>.children.<child>.set_mark_in " [0/0x00000000]"
+Netfilter mark applied to packets after the inbound IPsec SA processed them.
+This way it's not necessary to mark packets via Netfilter before decryption or
+right afterwards to match policies or process them differently (e.g. via policy
+routing).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
+mask if omitted is 0xffffffff. The special value
+.RI "" "%same" ""
+uses the value (but not
+the mask) from
+.RB "" "mark_in" ""
+as mark value, which can be fixed,
+.RI "" "%unique" ""
+or
+.RI "" "%unique\-dir" "."
+
+
+Setting marks in XFRM input requires Linux 4.19 or higher.
+
+.TP
+.BR connections.<conn>.children.<child>.set_mark_out " [0/0x00000000]"
+Netfilter mark applied to packets after the outbound IPsec SA processed them.
+This allows processing ESP packets differently than the original traffic (e.g.
+via policy routing).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
+mask if omitted is 0xffffffff. The special value
+.RI "" "%same" ""
+uses the value (but not
+the mask) from
+.RB "" "mark_out" ""
+as mark value, which can be fixed,
+.RI "" "%unique" ""
+or
+.RI "" "%unique\-dir" "."
+
+
+Setting marks in XFRM output is supported since Linux 4.14. Setting a mask
+requires at least Linux 4.19.
+
+.TP
.BR connections.<conn>.children.<child>.tfc_padding " [0]"
Pads ESP packets with additional data to have a consistent ESP packet size for
improved Traffic Flow Confidentiality. The padding defines the minimum size of
@@ -1155,6 +1209,44 @@ enables offloading, if it's supported, but the installation does not fail
otherwise.
.TP
+.BR connections.<conn>.children.<child>.copy_df " [yes]"
+Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This
+effectively disables Path MTU discovery (PMTUD). Controlling this behavior is
+not supported by all kernel interfaces.
+
+.TP
+.BR connections.<conn>.children.<child>.copy_ecn " [yes]"
+Whether to copy the ECN (Explicit Congestion Notification) header field to/from
+the outer IP header in tunnel mode. Controlling this behavior is not supported
+by all kernel interfaces.
+
+.TP
+.BR connections.<conn>.children.<child>.copy_dscp " [out]"
+Whether to copy the DSCP (Differentiated Services Field Codepoint) header field
+to/from the outer IP header in tunnel mode. The value
+.RI "" "out" ""
+only copies the
+field from the inner to the outer header, the value
+.RI "" "in" ""
+does the opposite and
+only copies the field from the outer to the inner header when decapsulating, the
+value
+.RI "" "yes" ""
+copies the field in both directions, and the value
+.RI "" "no" ""
+disables
+copying the field altogether. Setting this to
+.RI "" "yes" ""
+or
+.RI "" "in" ""
+could allow an
+attacker to adversely affect other traffic at the receiver, which is why the
+default is
+.RI "" "out" "."
+Controlling this behavior is not supported by all kernel
+interfaces.
+
+.TP
.BR connections.<conn>.children.<child>.start_action " [none]"
Action to perform after loading the configuration. The default of
.RI "" "none" ""
@@ -1297,6 +1389,31 @@ prefix, if a secret is shared between multiple
peers.
.TP
+.B secrets.ppk<suffix>
+.br
+Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is
+defined in a unique section having the
+.RI "" "ppk" ""
+prefix.
+
+.TP
+.BR secrets.ppk<suffix>.secret " []"
+Value of the PPK. It may either be an ASCII string, a hex encoded string if
+it has a
+.RI "" "0x" ""
+prefix or a Base64 encoded string if it has a
+.RI "" "0s" ""
+prefix in its
+value. Should have at least 256 bits of entropy for 128\-bit security.
+
+.TP
+.BR secrets.ppk<suffix>.id<suffix> " []"
+PPK identity the PPK belongs to. Multiple unique identities may be specified,
+each having an
+.RI "" "id" ""
+prefix, if a secret is shared between multiple peers.
+
+.TP
.B secrets.private<suffix>
.br
Private key decryption passphrase for a key in the
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 120e5812e..1c1e85e3e 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -188,6 +188,12 @@ connections.<conn>.send_cert = ifasked
certificate payloads altogether, _always_ causes certificate payloads to be
sent unconditionally whenever certificate authentication is used.
+connections.<conn>.ppk_id =
+ String identifying the Postquantum Preshared Key (PPK) to be used.
+
+connections.<conn>.ppk_required = no
+ Whether a Postquantum Preshared Key (PPK) is required for this connection.
+
connections.<conn>.keyingtries = 1
Number of retransmission sequences to perform during initial connect.
@@ -910,6 +916,37 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
+connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
+ Netfilter mark applied to packets after the inbound IPsec SA processed them.
+
+ Netfilter mark applied to packets after the inbound IPsec SA processed them.
+ This way it's not necessary to mark packets via Netfilter before decryption
+ or right afterwards to match policies or process them differently (e.g. via
+ policy routing).
+
+ An additional mask may be appended to the mark, separated by _/_. The
+ default mask if omitted is 0xffffffff. The special value _%same_ uses
+ the value (but not the mask) from **mark_in** as mark value, which can be
+ fixed, _%unique_ or _%unique-dir_.
+
+ Setting marks in XFRM input requires Linux 4.19 or higher.
+
+connections.<conn>.children.<child>.set_mark_out = 0/0x00000000
+ Netfilter mark applied to packets after the outbound IPsec SA processed
+ them.
+
+ Netfilter mark applied to packets after the outbound IPsec SA processed
+ them. This allows processing ESP packets differently than the original
+ traffic (e.g. via policy routing).
+
+ An additional mask may be appended to the mark, separated by _/_. The
+ default mask if omitted is 0xffffffff. The special value _%same_ uses
+ the value (but not the mask) from **mark_out** as mark value, which can be
+ fixed, _%unique_ or _%unique-dir_.
+
+ Setting marks in XFRM output is supported since Linux 4.14. Setting a mask
+ requires at least Linux 4.19.
+
connections.<conn>.children.<child>.tfc_padding = 0
Traffic Flow Confidentiality padding.
@@ -937,6 +974,35 @@ connections.<conn>.children.<child>.hw_offload = no
enables offloading, if it's supported, but the installation does not fail
otherwise.
+connections.<conn>.children.<child>.copy_df = yes
+ Whether to copy the DF bit to the outer IPv4 header in tunnel mode.
+
+ Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This
+ effectively disables Path MTU discovery (PMTUD). Controlling this behavior
+ is not supported by all kernel interfaces.
+
+connections.<conn>.children.<child>.copy_ecn = yes
+ Whether to copy the ECN header field to/from the outer IP header in tunnel
+ mode.
+
+ Whether to copy the ECN (Explicit Congestion Notification) header field
+ to/from the outer IP header in tunnel mode. Controlling this behavior is not
+ supported by all kernel interfaces.
+
+connections.<conn>.children.<child>.copy_dscp = out
+ Whether to copy the DSCP header field to/from the outer IP header in tunnel
+ mode.
+
+ Whether to copy the DSCP (Differentiated Services Field Codepoint) header
+ field to/from the outer IP header in tunnel mode. The value _out_ only
+ copies the field from the inner to the outer header, the value _in_ does the
+ opposite and only copies the field from the outer to the inner header when
+ decapsulating, the value _yes_ copies the field in both directions, and the
+ value _no_ disables copying the field altogether. Setting this to _yes_ or
+ _in_ could allow an attacker to adversely affect other traffic at the
+ receiver, which is why the default is _out_. Controlling this behavior is
+ not supported by all kernel interfaces.
+
connections.<conn>.children.<child>.start_action = none
Action to perform after loading the configuration (_none_, _trap_, _start_).
@@ -1047,6 +1113,26 @@ secrets.ike<suffix>.id<suffix> =
may be specified, each having an _id_ prefix, if a secret is shared between
multiple peers.
+secrets.ppk<suffix> { # }
+ Postquantum Preshared Key (PPK) section for a specific secret.
+
+ Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is
+ defined in a unique section having the _ppk_ prefix.
+
+secrets.ppk<suffix>.secret =
+ Value of the PPK.
+
+ Value of the PPK. It may either be an ASCII string, a hex encoded string if
+ it has a _0x_ prefix or a Base64 encoded string if it has a _0s_ prefix in
+ its value. Should have at least 256 bits of entropy for 128-bit security.
+
+secrets.ppk<suffix>.id<suffix> =
+ PPK identity the PPK belongs to.
+
+ PPK identity the PPK belongs to. Multiple unique identities
+ may be specified, each having an _id_ prefix, if a secret is shared between
+ multiple peers.
+
secrets.private<suffix> { # }
Private key decryption passphrase for a key in the _private_ folder.