Diffstat (limited to 'src/swanctl')
-rw-r--r--src/swanctl/Makefile.am1
-rw-r--r--src/swanctl/Makefile.in9
-rw-r--r--src/swanctl/command.c4
-rw-r--r--src/swanctl/swanctl.conf6
-rw-r--r--src/swanctl/swanctl.conf.5.main29
-rw-r--r--src/swanctl/swanctl.opt16
6 files changed, 55 insertions, 10 deletions
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 2fc998262..19815c51a 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -64,6 +64,7 @@ maintainer-clean-local:
install-data-local: swanctl.conf
test -e "$(DESTDIR)$(swanctldir)" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)" || true
+ test -e "$(DESTDIR)$(swanctldir)/conf.d" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/conf.d" || true
test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
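Review bot: The new conf.d directory is created with `$(INSTALL) -d` and whatever mode the install default yields, the same as the x509 directories above it, but snippets included from conf.d can hold the same secrets material as swanctl.conf itself, so the directory's mode matters more than it does for the certificate directories. Whether the default is already restrictive enough depends on packaging conventions not visible here; if it is not, `$(INSTALL) -d -m 0700 "$(DESTDIR)$(swanctldir)/conf.d"` would pin it, with the same change mirrored into the generated Makefile.in hunk. A short comment above the line saying why conf.d exists (`# snippets pulled in by swanctl.conf's include conf.d/*.conf`) would also help the next reader of the install rule.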
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index b5313a37d..6da739b88 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -330,8 +330,6 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -432,6 +430,8 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
+ruby_CFLAGS = @ruby_CFLAGS@
+ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -460,6 +460,10 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
+tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
+tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
@@ -1039,6 +1043,7 @@ maintainer-clean-local:
install-data-local: swanctl.conf
test -e "$(DESTDIR)$(swanctldir)" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)" || true
+ test -e "$(DESTDIR)$(swanctldir)/conf.d" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/conf.d" || true
test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true
test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true
test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true
diff --git a/src/swanctl/command.c b/src/swanctl/command.c
index fd9bc0083..7f65d2b0e 100644
--- a/src/swanctl/command.c
+++ b/src/swanctl/command.c
@@ -315,6 +315,10 @@ int command_dispatch(int c, char *v[])
{
int op, i;
+ uri = lib->settings->get_str(lib->settings, "%s.socket",
+ lib->settings->get_str(lib->settings, "%s.plugins.vici.socket",
+ NULL, lib->ns), lib->ns);
+
options = options_create();
atexit(cleanup);
active = help_idx = registered;
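Review bot: The new settings lookup at the top of command_dispatch carries no comment on its precedence and fallback: `<ns>.socket` wins over `<ns>.plugins.vici.socket`, and when neither key is configured uri ends up NULL because the inner default is NULL. Whether a NULL uri is acceptable at the point it is consumed is not visible in this hunk, so that consumer should be checked or the default made explicit here. Suggest `/* swanctl's own socket setting takes precedence over charon's vici plugin socket; NULL if neither is set */` above the assignment. command_dispatch continues beyond the hunk.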
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index b2045a3d8..1ff5ee8fb 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -151,6 +151,9 @@
# IKE identity to expect for authentication round.
# id = %any
+ # Identity to use as peer identity during EAP authentication.
+ # eap_id = id
+
# Authorization group memberships to require.
# groups =
@@ -502,3 +505,6 @@
# }
+# Include config snippets
+include conf.d/*.conf
+
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 9f4044d7e..d1aced493 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -569,6 +569,13 @@ IKE identity to expect for authentication round. Refer to the
section for details.
.TP
+.BR connections.<conn>.remote<suffix>.eap_id " [id]"
+Identity to use as peer identity during EAP authentication. If set to
+.RI "" "%any" ""
+the
+EAP\-Identity method will be used to ask the client for an identity.
+
+.TP
.BR connections.<conn>.remote<suffix>.groups " []"
Comma separated authorization group memberships to require. The peer must prove
membership to at least one of the specified groups. Group membership can be
@@ -1050,9 +1057,14 @@ Netfilter mark and mask for input traffic. On Linux Netfilter may require marks
on each packet to match an SA having that option set. This allows Netfilter
rules to select specific tunnels for incoming traffic. The special value
.RI "" "%unique" ""
-sets a unique mark on each CHILD_SA instance.
-
-An additional mask may be appended to the mark, separated by _/_. The default
+sets a unique mark on each CHILD_SA instance, beyond that the value
+.RI "" "%unique\-dir" ""
+assigns a different unique mark for each CHILD_SA direction
+(in/out).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
mask if omitted is 0xffffffff.
.TP
@@ -1061,9 +1073,14 @@ Netfilter mark and mask for output traffic. On Linux Netfilter may require marks
on each packet to match a policy having that option set. This allows Netfilter
rules to select specific tunnels for outgoing traffic. The special value
.RI "" "%unique" ""
-sets a unique mark on each CHILD_SA instance.
-
-An additional mask may be appended to the mark, separated by _/_. The default
+sets a unique mark on each CHILD_SA instance, beyond that the value
+.RI "" "%unique\-dir" ""
+assigns a different unique mark for each CHILD_SA direction
+(in/out).
+
+An additional mask may be appended to the mark, separated by
+.RI "" "/" "."
+The default
mask if omitted is 0xffffffff.
.TP
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 7e204db61..d0a0d21dd 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -460,6 +460,12 @@ connections.<conn>.remote<suffix>.id = %any
IKE identity to expect for authentication round. Refer to the _local_ _id_
section for details.
+connections.<conn>.remote<suffix>.eap_id = id
+ Identity to use as peer identity during EAP authentication.
+
+ Identity to use as peer identity during EAP authentication. If set to _%any_
+ the EAP-Identity method will be used to ask the client for an identity.
+
connections.<conn>.remote<suffix>.groups =
Authorization group memberships to require.
@@ -864,7 +870,9 @@ connections.<conn>.children.<child>.mark_in = 0/0x00000000
Netfilter mark and mask for input traffic. On Linux Netfilter may require
marks on each packet to match an SA having that option set. This allows
Netfilter rules to select specific tunnels for incoming traffic. The
- special value _%unique_ sets a unique mark on each CHILD_SA instance.
+ special value _%unique_ sets a unique mark on each CHILD_SA instance,
+ beyond that the value _%unique-dir_ assigns a different unique mark for each
+ CHILD_SA direction (in/out).
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
@@ -875,7 +883,9 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
Netfilter mark and mask for output traffic. On Linux Netfilter may require
marks on each packet to match a policy having that option set. This allows
Netfilter rules to select specific tunnels for outgoing traffic. The
- special value _%unique_ sets a unique mark on each CHILD_SA instance.
+ special value _%unique_ sets a unique mark on each CHILD_SA instance,
+ beyond that the value _%unique-dir_ assigns a different unique mark for each
+ CHILD_SA direction (in/out).
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
@@ -1152,3 +1162,5 @@ authorities.<name>.cert_uri_base =
built by appending the SHA1 hash of the DER encoded certificates to this
base URI.
+include conf.d/*.conf
+ Include config snippets