Diffstat (limited to 'src/swanctl')
-rw-r--r-- | src/swanctl/Makefile.am | 1 | ||||
-rw-r--r-- | src/swanctl/Makefile.in | 9 | ||||
-rw-r--r-- | src/swanctl/command.c | 4 | ||||
-rw-r--r-- | src/swanctl/swanctl.conf | 6 | ||||
-rw-r--r-- | src/swanctl/swanctl.conf.5.main | 29 | ||||
-rw-r--r-- | src/swanctl/swanctl.opt | 16 |
6 files changed, 55 insertions, 10 deletions
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 2fc998262..19815c51a 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -64,6 +64,7 @@ maintainer-clean-local: install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)" || true + test -e "$(DESTDIR)$(swanctldir)/conf.d" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/conf.d" || true test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index b5313a37d..6da739b88 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -330,8 +330,6 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ -RUBYINCLUDE = @RUBYINCLUDE@ -RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -432,6 +430,8 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -460,6 +460,10 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ 
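Review bot: The added `conf.d` line runs `$(INSTALL) -d` with no `-m`, so the directory's mode is whatever the install tool defaults to rather than a mode chosen for it, and since swanctl.conf in this same commit globs `include conf.d/*.conf`, every file placed there becomes part of the loaded configuration and the directory's write permissions decide who can extend it. Consider `test -e "$(DESTDIR)$(swanctldir)/conf.d" || $(INSTALL) -d -m 0755 "$(DESTDIR)$(swanctldir)/conf.d" || true`, or whichever mode `$(swanctldir)` itself is meant to get, so the intent is explicit. The trailing `|| true` mirrors the neighbouring lines, so a failed mkdir is silent and only shows up later as an include glob that matches nothing; the Makefile.in hunks are the generated counterpart of this change.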
@@ -1039,6 +1043,7 @@ maintainer-clean-local: install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)" || true + test -e "$(DESTDIR)$(swanctldir)/conf.d" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/conf.d" || true test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true diff --git a/src/swanctl/command.c b/src/swanctl/command.c index fd9bc0083..7f65d2b0e 100644 --- a/src/swanctl/command.c +++ b/src/swanctl/command.c @@ -315,6 +315,10 @@ int command_dispatch(int c, char *v[]) { int op, i; + uri = lib->settings->get_str(lib->settings, "%s.socket", + lib->settings->get_str(lib->settings, "%s.plugins.vici.socket", + NULL, lib->ns), lib->ns); + options = options_create(); atexit(cleanup); active = help_idx = registered; diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index b2045a3d8..1ff5ee8fb 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -151,6 +151,9 @@ # IKE identity to expect for authentication round. # id = %any + # Identity to use as peer identity during EAP authentication. + # eap_id = id + # Authorization group memberships to require. # groups = @@ -502,3 +505,6 @@ # } +# Include config snippets +include conf.d/*.conf + diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 9f4044d7e..d1aced493 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main 
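Review bot: The added `uri` assignment leaves `uri` NULL when neither `<ns>.socket` nor `<ns>.plugins.vici.socket` is set, because the inner `get_str` serves as the outer call's default and itself defaults to `NULL`; whatever later consumes `uri` (outside this hunk, as is the rest of `command_dispatch`) has to treat NULL as "use the built-in socket path", which is presumably the case but is not visible here. A comment would make that contract explicit: `/* <ns>.socket overrides the older <ns>.plugins.vici.socket key; NULL leaves the default path to the connector */`. Note that both keys are looked up under the same `lib->ns`, so the fallback is not the daemon's vici plugin setting but a key in swanctl's own namespace, and none of the swanctl.opt hunks on this page documents the new `<ns>.socket` setting, so unless it is covered elsewhere the option reference should gain an entry. Splitting the nested call into two statements with a named fallback would also make the precedence readable.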
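Review bot: The new `include conf.d/*.conf` is explained only by `# Include config snippets`, which leaves unstated whether a section in a snippet merges with or replaces a same-named section defined above it, and that every `*.conf` in that directory is loaded unconditionally, so the directory's write permissions decide who can add sections to the effective configuration. Something like `# Include config snippets; sections defined in a snippet are merged with the ones above, later definitions taking precedence, so restrict write access to conf.d` would cover both, assuming that is the parser's include semantics — confirm before wording it as fact. The `eap_id` template comment in the first hunk of this file is consistent with the option reference and needs nothing further.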
@@ -569,6 +569,13 @@ IKE identity to expect for authentication round. Refer to the section for details. .TP +.BR connections.<conn>.remote<suffix>.eap_id " [id]" +Identity to use as peer identity during EAP authentication. If set to +.RI "" "%any" "" +the +EAP\-Identity method will be used to ask the client for an identity. + +.TP .BR connections.<conn>.remote<suffix>.groups " []" Comma separated authorization group memberships to require. The peer must prove membership to at least one of the specified groups. Group membership can be @@ -1050,9 +1057,14 @@ Netfilter mark and mask for input traffic. On Linux Netfilter may require marks on each packet to match an SA having that option set. This allows Netfilter rules to select specific tunnels for incoming traffic. The special value .RI "" "%unique" "" -sets a unique mark on each CHILD_SA instance. - -An additional mask may be appended to the mark, separated by _/_. The default +sets a unique mark on each CHILD_SA instance, beyond that the value +.RI "" "%unique\-dir" "" +assigns a different unique mark for each CHILD_SA direction +(in/out). + +An additional mask may be appended to the mark, separated by +.RI "" "/" "." +The default mask if omitted is 0xffffffff. .TP @@ -1061,9 +1073,14 @@ Netfilter mark and mask for output traffic. On Linux Netfilter may require marks on each packet to match a policy having that option set. This allows Netfilter rules to select specific tunnels for outgoing traffic. The special value .RI "" "%unique" "" -sets a unique mark on each CHILD_SA instance. - -An additional mask may be appended to the mark, separated by _/_. The default +sets a unique mark on each CHILD_SA instance, beyond that the value +.RI "" "%unique\-dir" "" +assigns a different unique mark for each CHILD_SA direction +(in/out). + +An additional mask may be appended to the mark, separated by +.RI "" "/" "." +The default mask if omitted is 0xffffffff. .TP 
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 7e204db61..d0a0d21dd 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -460,6 +460,12 @@ connections.<conn>.remote<suffix>.id = %any IKE identity to expect for authentication round. Refer to the _local_ _id_ section for details. +connections.<conn>.remote<suffix>.eap_id = id + Identity to use as peer identity during EAP authentication. + + Identity to use as peer identity during EAP authentication. If set to _%any_ + the EAP-Identity method will be used to ask the client for an identity. + connections.<conn>.remote<suffix>.groups = Authorization group memberships to require. @@ -864,7 +870,9 @@ connections.<conn>.children.<child>.mark_in = 0/0x00000000 Netfilter mark and mask for input traffic. On Linux Netfilter may require marks on each packet to match an SA having that option set. This allows Netfilter rules to select specific tunnels for incoming traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance. + special value _%unique_ sets a unique mark on each CHILD_SA instance, + beyond that the value _%unique-dir_ assigns a different unique mark for each + CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. @@ -875,7 +883,9 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000 Netfilter mark and mask for output traffic. On Linux Netfilter may require marks on each packet to match a policy having that option set. This allows Netfilter rules to select specific tunnels for outgoing traffic. The - special value _%unique_ sets a unique mark on each CHILD_SA instance. + special value _%unique_ sets a unique mark on each CHILD_SA instance, + beyond that the value _%unique-dir_ assigns a different unique mark for each + CHILD_SA direction (in/out). An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. 
@@ -1152,3 +1162,5 @@ authorities.<name>.cert_uri_base = built by appending the SHA1 hash of the DER encoded certificates to this base URI. +include conf.d/*.conf + Include config snippets |