Diffstat (limited to 'src/swanctl')
-rw-r--r-- | src/swanctl/Makefile.am | 2 | ||||
-rw-r--r-- | src/swanctl/Makefile.in | 35 | ||||
-rw-r--r-- | src/swanctl/commands/list_conns.c | 112 | ||||
-rw-r--r-- | src/swanctl/commands/list_sas.c | 7 | ||||
-rw-r--r-- | src/swanctl/commands/load_authorities.c | 2 | ||||
-rw-r--r-- | src/swanctl/commands/load_conns.c | 2 | ||||
-rw-r--r-- | src/swanctl/commands/load_pools.c | 2 | ||||
-rw-r--r-- | src/swanctl/swanctl.conf | 6 | ||||
-rw-r--r-- | src/swanctl/swanctl.conf.5.main | 14 | ||||
-rw-r--r-- | src/swanctl/swanctl.opt | 12 |
10 files changed, 173 insertions, 21 deletions
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index fb027149a..37a0224c3 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -27,7 +27,7 @@ swanctl_SOURCES = \ swanctl_LDADD = \ $(top_builddir)/src/libcharon/plugins/vici/libvici.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(PTHREADLIB) $(DLLIB) + $(PTHREADLIB) $(ATOMICLIB) $(DLLIB) swanctl.o : $(top_builddir)/config.status diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index 94921af6d..ebe1aba0d 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -80,9 +90,6 @@ build_triplet = @build@ host_triplet = @host@ sbin_PROGRAMS = swanctl$(EXEEXT) subdir = src/swanctl -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(srcdir)/swanctl.8.in $(srcdir)/swanctl.conf.5.head.in \ - $(srcdir)/swanctl.conf.5.tail.in $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ 
@@ -96,6 +103,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = swanctl.8 swanctl.conf.5.head swanctl.conf.5.tail @@ -122,7 +130,8 @@ am__DEPENDENCIES_1 = swanctl_DEPENDENCIES = \ $(top_builddir)/src/libcharon/plugins/vici/libvici.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -218,12 +227,16 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/swanctl.8.in \ + $(srcdir)/swanctl.conf.5.head.in \ + $(srcdir)/swanctl.conf.5.tail.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ +ATOMICLIB = @ATOMICLIB@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ @@ -273,6 +286,7 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -307,6 +321,7 @@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ 
@@ -418,6 +433,7 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ @@ -473,7 +489,7 @@ swanctl_SOURCES = \ swanctl_LDADD = \ $(top_builddir)/src/libcharon/plugins/vici/libvici.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(PTHREADLIB) $(DLLIB) + $(PTHREADLIB) $(ATOMICLIB) $(DLLIB) AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ @@ -505,7 +521,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/swanctl/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/swanctl/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -993,6 +1008,8 @@ uninstall-man: uninstall-man5 uninstall-man8 uninstall-man uninstall-man5 uninstall-man8 \ uninstall-sbinPROGRAMS +.PRECIOUS: Makefile + swanctl.o : $(top_builddir)/config.status diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c index 019c88888..19e7050da 100644 --- a/src/swanctl/commands/list_conns.c +++ b/src/swanctl/commands/list_conns.c @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your 
@@ -80,15 +83,64 @@ CALLBACK(children_sn, int,
 hashtable_t *ike, vici_res_t *res, char *name)
 {
 hashtable_t *child;
+ char *mode, *interface, *priority;
+ char *rekey_time, *rekey_bytes, *rekey_packets;
+ bool no_time, no_bytes, no_packets, or = FALSE;
 int ret;
 child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
 ret = vici_parse_cb(res, NULL, values, list, child);
 if (ret == 0)
 {
- printf(" %s: %s\n", name, child->get(child, "mode"));
+ mode = child->get(child, "mode");
+ printf(" %s: %s, ", name, mode);
+
+ rekey_time = child->get(child, "rekey_time");
+ rekey_bytes = child->get(child, "rekey_bytes");
+ rekey_packets = child->get(child, "rekey_packets");
+ no_time = streq(rekey_time, "0");
+ no_bytes = streq(rekey_bytes, "0");
+ no_packets = streq(rekey_packets, "0");
+
+ if (strcaseeq(mode, "PASS") || strcaseeq(mode, "DROP") ||
+ (no_time && no_bytes && no_packets))
+ {
+ printf("no rekeying\n");
+ }
+ else
+ {
+ printf("rekeying every");
+ if (!no_time)
+ {
+ printf(" %ss", rekey_time);
+ or = TRUE;
+ }
+ if (!no_bytes)
+ {
+ printf("%s %s bytes", or ? " or" : "", rekey_bytes);
+ or = TRUE;
+ }
+ if (!no_packets)
+ {
+ printf("%s %s packets", or ? " or" : "", rekey_packets);
+ }
+ printf("\n");
+ }
+
 printf(" local: %s\n", child->get(child, "local-ts"));
 printf(" remote: %s\n", child->get(child, "remote-ts"));
+
+ interface = child->get(child, "interface");
+ if (interface)
+ {
+ printf(" interface: %s\n", interface);
+ }
+
+ priority = child->get(child, "priority");
+ if (priority)
+ {
+ printf(" priority: %s\n", priority);
+ }
 }
 free_hashtable(child);
 return ret;
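Review bot: `rekey_time`, `rekey_bytes` and `rekey_packets` are passed straight to streq(), and `mode` to strcaseeq(), but `child->get()` returns NULL for a key the daemon did not send — the same hunk guards `interface` and `priority` with `if (interface)` for exactly that case — so a `list-conns` against a charon that omits the rekey attributes for a CHILD_SA would dereference NULL instead of degrading gracefully. The file already uses the `?:` fallback idiom for these lookups (`auth->get(auth, "class") ?: "unspecified"`), so each one is a one-line fix: `mode = child->get(child, "mode") ?: "";` and `rekey_time = child->get(child, "rekey_time") ?: "0";`, likewise for the bytes and packets lookups. I cannot confirm from this page whether strongSwan's streq/strcaseeq macros tolerate a NULL argument; if they are plain strcmp wrappers this is a crash rather than a cosmetic glitch. The CALLBACK line opening children_sn sits just above the hunk.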
@@ -106,18 +158,35 @@ CALLBACK(conn_sn, int,
 if (strpfx(name, "local") || strpfx(name, "remote"))
 {
 hashtable_t *auth;
+ char *class;
 auth = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1);
 ret = vici_parse_cb(res, NULL, values, list, auth);
 if (ret == 0)
 {
+ class = auth->get(auth, "class") ?: "unspecified";
+ if (strcaseeq(class, "EAP"))
+ {
+ class = auth->get(auth, "eap-type") ?: class;
+ }
 printf(" %s %s authentication:\n",
- strpfx(name, "local") ? "local" : "remote",
- auth->get(auth, "class") ?: "unspecified");
+ strpfx(name, "local") ? "local" : "remote", class);
 if (auth->get(auth, "id"))
 {
 printf(" id: %s\n", auth->get(auth, "id"));
 }
+ if (auth->get(auth, "eap_id"))
+ {
+ printf(" eap_id: %s\n", auth->get(auth, "eap_id"));
+ }
+ if (auth->get(auth, "xauth_id"))
+ {
+ printf(" xauth_id: %s\n", auth->get(auth, "xauth_id"));
+ }
+ if (auth->get(auth, "aaa_id"))
+ {
+ printf(" aaa_id: %s\n", auth->get(auth, "aaa_id"));
+ }
 if (auth->get(auth, "groups"))
 {
 printf(" groups: %s\n", auth->get(auth, "groups"));
@@ -156,8 +225,43 @@ CALLBACK(conn_list, int,
 CALLBACK(conns, int,
 void *null, vici_res_t *res, char *name)
 {
- printf("%s: %s\n", name, vici_find_str(res, "", "%s.version", name));
+ char *version, *reauth_time, *rekey_time;
+
+ version = vici_find_str(res, "", "%s.version", name);
+ reauth_time = vici_find_str(res, "", "%s.reauth_time", name);
+ rekey_time = vici_find_str(res, "", "%s.rekey_time", name);
+ printf("%s: %s, ", name, version);
+ if (streq(version, "IKEv1"))
+ {
+ if (streq(reauth_time, "0"))
+ {
+ reauth_time = rekey_time;
+ }
+ }
+ if (streq(reauth_time, "0"))
+ {
+ printf("no reauthentication");
+ }
+ else
+ {
+ printf("reauthentication every %ss", reauth_time);
+ }
+ if (streq(version, "IKEv1"))
+ {
+ printf("\n");
+ }
+ else
+ {
+ if (streq(rekey_time, "0"))
+ {
+ printf(", no rekeying\n");
+ }
+ else
+ {
+ printf(", rekeying every %ss\n", rekey_time);
+ }
+ }
 return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL);
 }
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index fd080227d..e5f251d17 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -196,10 +196,13 @@ CALLBACK(ike_sa, int,
 {
 if (streq(name, "child-sas"))
 {
- printf("%s: #%s, %s, IKEv%s, %s:%s\n",
+ bool is_initiator = streq(ike->get(ike, "initiator"), "yes");
+
+ printf("%s: #%s, %s, IKEv%s, %s_i%s %s_r%s\n",
 ike->get(ike, "name"), ike->get(ike, "uniqueid"),
 ike->get(ike, "state"), ike->get(ike, "version"),
- ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi"));
+ ike->get(ike, "initiator-spi"), is_initiator ? "*" : "",
+ ike->get(ike, "responder-spi"), is_initiator ? "" : "*");
 printf(" local '%s' @ %s[%s]",
 ike->get(ike, "local-id"), ike->get(ike, "local-host"),
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index 88dde6aaf..352a185e8 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -292,7 +292,7 @@ int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format,
 }
 if (found == 0)
 {
- printf("no authorities found, %u unloaded\n", unloaded);
+ fprintf(stderr, "no authorities found, %u unloaded\n", unloaded);
 return 0;
 }
 if (loaded == found)
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index bbc700d5c..87526bc79 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -396,7 +396,7 @@ int load_conns_cfg(vici_conn_t *conn, command_format_options_t format,
 }
 if (found == 0)
 {
- printf("no connections found, %u unloaded\n", unloaded);
+ fprintf(stderr, "no connections found, %u unloaded\n", unloaded);
 return 0;
 }
 if (loaded == found)
diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c
index d7fbd1341..2b9fa2d42 100644
--- a/src/swanctl/commands/load_pools.c
+++ b/src/swanctl/commands/load_pools.c
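Review bot: `streq(ike->get(ike, "initiator"), "yes")` on the new `is_initiator` line has no NULL fallback, so if the `initiator` attribute is missing from an IKE_SA entry (an older daemon, or a future change to what vici reports) `list-sas` dereferences NULL instead of merely omitting the `*` marker. A default keeps the output harmless: `bool is_initiator = streq(ike->get(ike, "initiator") ?: "", "yes");` — the `?:` idiom is already used in list_conns.c for the same kind of hashtable lookup. The other `ike->get()` arguments in that printf are passed unguarded as well, as they were before this change, so this only makes the new lookup no worse than its neighbours. ike_sa's body begins and ends outside the hunk.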
@@ -235,7 +235,7 @@ int load_pools_cfg(vici_conn_t *conn, command_format_options_t format,
 }
 if (found == 0)
 {
- printf("no pools found, %u unloaded\n", unloaded);
+ fprintf(stderr, "no pools found, %u unloaded\n", unloaded);
 return 0;
 }
 if (loaded == found)
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 428be91e7..6bc81becf 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -213,6 +213,12 @@
 # Fixed reqid to use for this CHILD_SA.
 # reqid = 0
+ # Optional fixed priority for IPsec policies.
+ # priority = 0
+
+ # Optional interface name to restrict IPsec policies.
+ # interface =
+
 # Netfilter mark and mask for input traffic.
 # mark_in = 0/0x00000000
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index a5b2a731f..013e35fb7 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -519,7 +519,7 @@ an absolute path.
 Comma separated list of raw public keys to accept for authentication.
 The public keys may use a relative path from the
 .RB "" "swanctl" ""
-.RI "" "x509" ""
+.RI "" "pubkey" ""
 directory or an absolute path.
@@ -856,6 +856,18 @@ once. The default of
 uses dynamic reqids, allocated incrementally.
 .TP
+.BR connections.<conn>.children.<child>.priority " [0]"
+Optional fixed priority for IPsec policies. This could be useful to install
+high\-priority drop policies. The default of
+.RI "" "0" ""
+uses dynamically calculated
+priorities based on the size of the traffic selectors.
+
+.TP
+.BR connections.<conn>.children.<child>.interface " []"
+Optional interface name to restrict IPsec policies.
+
+.TP
 .BR connections.<conn>.children.<child>.mark_in " [0/0x00000000]"
 Netfilter mark and mask for input traffic. On Linux Netfilter may require marks on each packet to match an SA having that option set. This allows Netfilter
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 145fab28d..fe5b293fb 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -416,7 +416,7 @@ connections.<conn>.remote<suffix>.pubkeys =
 Comma separated list of raw public keys to accept for authentication.
 Comma separated list of raw public keys to accept for authentication.
- The public keys may use a relative path from the **swanctl** _x509_
+ The public keys may use a relative path from the **swanctl** _pubkey_
 directory or an absolute path.
 connections.<conn>.remote<suffix>.revocation = relaxed
@@ -684,6 +684,16 @@ connections.<conn>.children.<child>.reqid = 0
 not more than once. The default of _0_ uses dynamic reqids, allocated incrementally.
+connections.<conn>.children.<child>.priority = 0
+ Optional fixed priority for IPsec policies.
+
+ Optional fixed priority for IPsec policies. This could be useful to install
+ high-priority drop policies. The default of _0_ uses dynamically calculated
+ priorities based on the size of the traffic selectors.
+
+connections.<conn>.children.<child>.interface =
+ Optional interface name to restrict IPsec policies.
+
 connections.<conn>.children.<child>.mark_in = 0/0x00000000
 Netfilter mark and mask for input traffic. |