summaryrefslogtreecommitdiff
path: root/src/swanctl
diff options
context:
space:
mode:
Diffstat (limited to 'src/swanctl')
-rw-r--r--src/swanctl/Makefile.am2
-rw-r--r--src/swanctl/Makefile.in35
-rw-r--r--src/swanctl/commands/list_conns.c112
-rw-r--r--src/swanctl/commands/list_sas.c7
-rw-r--r--src/swanctl/commands/load_authorities.c2
-rw-r--r--src/swanctl/commands/load_conns.c2
-rw-r--r--src/swanctl/commands/load_pools.c2
-rw-r--r--src/swanctl/swanctl.conf6
-rw-r--r--src/swanctl/swanctl.conf.5.main14
-rw-r--r--src/swanctl/swanctl.opt12
10 files changed, 173 insertions, 21 deletions
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index fb027149a..37a0224c3 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -27,7 +27,7 @@ swanctl_SOURCES = \
swanctl_LDADD = \
$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(PTHREADLIB) $(DLLIB)
+ $(PTHREADLIB) $(ATOMICLIB) $(DLLIB)
swanctl.o : $(top_builddir)/config.status
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index 94921af6d..ebe1aba0d 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -15,7 +15,17 @@
@SET_MAKE@
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -80,9 +90,6 @@ build_triplet = @build@
host_triplet = @host@
sbin_PROGRAMS = swanctl$(EXEEXT)
subdir = src/swanctl
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(srcdir)/swanctl.8.in $(srcdir)/swanctl.conf.5.head.in \
- $(srcdir)/swanctl.conf.5.tail.in $(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -96,6 +103,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES = swanctl.8 swanctl.conf.5.head swanctl.conf.5.tail
@@ -122,7 +130,8 @@ am__DEPENDENCIES_1 =
swanctl_DEPENDENCIES = \
$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
@@ -218,12 +227,16 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/swanctl.8.in \
+ $(srcdir)/swanctl.conf.5.head.in \
+ $(srcdir)/swanctl.conf.5.tail.in $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
+ATOMICLIB = @ATOMICLIB@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
@@ -273,6 +286,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
@@ -307,6 +321,7 @@ PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
@@ -418,6 +433,7 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
+runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
@@ -473,7 +489,7 @@ swanctl_SOURCES = \
swanctl_LDADD = \
$(top_builddir)/src/libcharon/plugins/vici/libvici.la \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(PTHREADLIB) $(DLLIB)
+ $(PTHREADLIB) $(ATOMICLIB) $(DLLIB)
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
@@ -505,7 +521,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/swanctl/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --gnu src/swanctl/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -993,6 +1008,8 @@ uninstall-man: uninstall-man5 uninstall-man8
uninstall-man uninstall-man5 uninstall-man8 \
uninstall-sbinPROGRAMS
+.PRECIOUS: Makefile
+
swanctl.o : $(top_builddir)/config.status
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index 019c88888..19e7050da 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -2,6 +2,9 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
@@ -80,15 +83,64 @@ CALLBACK(children_sn, int,
hashtable_t *ike, vici_res_t *res, char *name)
{
hashtable_t *child;
+ char *mode, *interface, *priority;
+ char *rekey_time, *rekey_bytes, *rekey_packets;
+ bool no_time, no_bytes, no_packets, or = FALSE;
int ret;
child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
ret = vici_parse_cb(res, NULL, values, list, child);
if (ret == 0)
{
- printf(" %s: %s\n", name, child->get(child, "mode"));
+ mode = child->get(child, "mode");
+ printf(" %s: %s, ", name, mode);
+
+ rekey_time = child->get(child, "rekey_time");
+ rekey_bytes = child->get(child, "rekey_bytes");
+ rekey_packets = child->get(child, "rekey_packets");
+ no_time = streq(rekey_time, "0");
+ no_bytes = streq(rekey_bytes, "0");
+ no_packets = streq(rekey_packets, "0");
+
+ if (strcaseeq(mode, "PASS") || strcaseeq(mode, "DROP") ||
+ (no_time && no_bytes && no_packets))
+ {
+ printf("no rekeying\n");
+ }
+ else
+ {
+ printf("rekeying every");
+ if (!no_time)
+ {
+ printf(" %ss", rekey_time);
+ or = TRUE;
+ }
+ if (!no_bytes)
+ {
+ printf("%s %s bytes", or ? " or" : "", rekey_bytes);
+ or = TRUE;
+ }
+ if (!no_packets)
+ {
+ printf("%s %s packets", or ? " or" : "", rekey_packets);
+ }
+ printf("\n");
+ }
+
printf(" local: %s\n", child->get(child, "local-ts"));
printf(" remote: %s\n", child->get(child, "remote-ts"));
+
+ interface = child->get(child, "interface");
+ if (interface)
+ {
+ printf(" interface: %s\n", interface);
+ }
+
+ priority = child->get(child, "priority");
+ if (priority)
+ {
+ printf(" priority: %s\n", priority);
+ }
}
free_hashtable(child);
return ret;
@@ -106,18 +158,35 @@ CALLBACK(conn_sn, int,
if (strpfx(name, "local") || strpfx(name, "remote"))
{
hashtable_t *auth;
+ char *class;
auth = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
ret = vici_parse_cb(res, NULL, values, list, auth);
if (ret == 0)
{
+ class = auth->get(auth, "class") ?: "unspecified";
+ if (strcaseeq(class, "EAP"))
+ {
+ class = auth->get(auth, "eap-type") ?: class;
+ }
printf(" %s %s authentication:\n",
- strpfx(name, "local") ? "local" : "remote",
- auth->get(auth, "class") ?: "unspecified");
+ strpfx(name, "local") ? "local" : "remote", class);
if (auth->get(auth, "id"))
{
printf(" id: %s\n", auth->get(auth, "id"));
}
+ if (auth->get(auth, "eap_id"))
+ {
+ printf(" eap_id: %s\n", auth->get(auth, "eap_id"));
+ }
+ if (auth->get(auth, "xauth_id"))
+ {
+ printf(" xauth_id: %s\n", auth->get(auth, "xauth_id"));
+ }
+ if (auth->get(auth, "aaa_id"))
+ {
+ printf(" aaa_id: %s\n", auth->get(auth, "aaa_id"));
+ }
if (auth->get(auth, "groups"))
{
printf(" groups: %s\n", auth->get(auth, "groups"));
@@ -156,8 +225,43 @@ CALLBACK(conn_list, int,
CALLBACK(conns, int,
void *null, vici_res_t *res, char *name)
{
- printf("%s: %s\n", name, vici_find_str(res, "", "%s.version", name));
+ char *version, *reauth_time, *rekey_time;
+
+ version = vici_find_str(res, "", "%s.version", name);
+ reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
+ rekey_time = vici_find_str(res, "", "%s.rekey_time", name);
+ printf("%s: %s, ", name, version);
+ if (streq(version, "IKEv1"))
+ {
+ if (streq(reauth_time, "0"))
+ {
+ reauth_time = rekey_time;
+ }
+ }
+ if (streq(reauth_time, "0"))
+ {
+ printf("no reauthentication");
+ }
+ else
+ {
+ printf("reauthentication every %ss", reauth_time);
+ }
+ if (streq(version, "IKEv1"))
+ {
+ printf("\n");
+ }
+ else
+ {
+ if (streq(rekey_time, "0"))
+ {
+ printf(", no rekeying\n");
+ }
+ else
+ {
+ printf(", rekeying every %ss\n", rekey_time);
+ }
+ }
return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
}
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index fd080227d..e5f251d17 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -196,10 +196,13 @@ CALLBACK(ike_sa, int,
{
if (streq(name, "child-sas"))
{
- printf("%s: #%s, %s, IKEv%s, %s:%s\n",
+ bool is_initiator = streq(ike->get(ike, "initiator"), "yes");
+
+ printf("%s: #%s, %s, IKEv%s, %s_i%s %s_r%s\n",
ike->get(ike, "name"), ike->get(ike, "uniqueid"),
ike->get(ike, "state"), ike->get(ike, "version"),
- ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi"));
+ ike->get(ike, "initiator-spi"), is_initiator ? "*" : "",
+ ike->get(ike, "responder-spi"), is_initiator ? "" : "*");
printf(" local '%s' @ %s[%s]",
ike->get(ike, "local-id"), ike->get(ike, "local-host"),
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index 88dde6aaf..352a185e8 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -292,7 +292,7 @@ int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format,
}
if (found == 0)
{
- printf("no authorities found, %u unloaded\n", unloaded);
+ fprintf(stderr, "no authorities found, %u unloaded\n", unloaded);
return 0;
}
if (loaded == found)
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index bbc700d5c..87526bc79 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -396,7 +396,7 @@ int load_conns_cfg(vici_conn_t *conn, command_format_options_t format,
}
if (found == 0)
{
- printf("no connections found, %u unloaded\n", unloaded);
+ fprintf(stderr, "no connections found, %u unloaded\n", unloaded);
return 0;
}
if (loaded == found)
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index d7fbd1341..2b9fa2d42 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
@@ -235,7 +235,7 @@ int load_pools_cfg(vici_conn_t *conn, command_format_options_t format,
}
if (found == 0)
{
- printf("no pools found, %u unloaded\n", unloaded);
+ fprintf(stderr, "no pools found, %u unloaded\n", unloaded);
return 0;
}
if (loaded == found)
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 428be91e7..6bc81becf 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -213,6 +213,12 @@
# Fixed reqid to use for this CHILD_SA.
# reqid = 0
+ # Optional fixed priority for IPsec policies.
+ # priority = 0
+
+ # Optional interface name to restrict IPsec policies.
+ # interface =
+
# Netfilter mark and mask for input traffic.
# mark_in = 0/0x00000000
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index a5b2a731f..013e35fb7 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -519,7 +519,7 @@ an absolute path.
Comma separated list of raw public keys to accept for authentication. The public
keys may use a relative path from the
.RB "" "swanctl" ""
-.RI "" "x509" ""
+.RI "" "pubkey" ""
directory or an
absolute path.
@@ -856,6 +856,18 @@ once. The default of
uses dynamic reqids, allocated incrementally.
.TP
+.BR connections.<conn>.children.<child>.priority " [0]"
+Optional fixed priority for IPsec policies. This could be useful to install
+high\-priority drop policies. The default of
+.RI "" "0" ""
+uses dynamically calculated
+priorities based on the size of the traffic selectors.
+
+.TP
+.BR connections.<conn>.children.<child>.interface " []"
+Optional interface name to restrict IPsec policies.
+
+.TP
.BR connections.<conn>.children.<child>.mark_in " [0/0x00000000]"
Netfilter mark and mask for input traffic. On Linux Netfilter may require marks
on each packet to match an SA having that option set. This allows Netfilter
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 145fab28d..fe5b293fb 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -416,7 +416,7 @@ connections.<conn>.remote<suffix>.pubkeys =
Comma separated list of raw public keys to accept for authentication.
Comma separated list of raw public keys to accept for authentication.
- The public keys may use a relative path from the **swanctl** _x509_
+ The public keys may use a relative path from the **swanctl** _pubkey_
directory or an absolute path.
connections.<conn>.remote<suffix>.revocation = relaxed
@@ -684,6 +684,16 @@ connections.<conn>.children.<child>.reqid = 0
not more than once. The default of _0_ uses dynamic reqids, allocated
incrementally.
+connections.<conn>.children.<child>.priority = 0
+ Optional fixed priority for IPsec policies.
+
+ Optional fixed priority for IPsec policies. This could be useful to install
+ high-priority drop policies. The default of _0_ uses dynamically calculated
+ priorities based on the size of the traffic selectors.
+
+connections.<conn>.children.<child>.interface =
+ Optional interface name to restrict IPsec policies.
+
connections.<conn>.children.<child>.mark_in = 0/0x00000000
Netfilter mark and mask for input traffic.