From e0e280b7669435b991b7e457abd8aa450930b3e8 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Mon, 24 Sep 2018 15:11:14 +0200 Subject: New upstream version 5.7.0 --- src/swanctl/Makefile.in | 11 +-- src/swanctl/commands/counters.c | 4 +- src/swanctl/commands/initiate.c | 2 +- src/swanctl/commands/list_conns.c | 16 ++++- src/swanctl/commands/list_sas.c | 4 ++ src/swanctl/commands/load_all.c | 10 ++- src/swanctl/commands/load_authorities.c | 10 ++- src/swanctl/commands/load_conns.c | 10 ++- src/swanctl/commands/load_creds.c | 13 ++-- src/swanctl/commands/load_pools.c | 10 ++- src/swanctl/commands/rekey.c | 13 +++- src/swanctl/swanctl.conf | 38 +++++++++++ src/swanctl/swanctl.conf.5.head.in | 4 +- src/swanctl/swanctl.conf.5.main | 117 ++++++++++++++++++++++++++++++++ src/swanctl/swanctl.opt | 86 +++++++++++++++++++++++ 15 files changed, 318 insertions(+), 30 deletions(-) (limited to 'src/swanctl') diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index ea7130bbb..c746573f8 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -331,7 +331,6 @@ PYTHON_VERSION = @PYTHON_VERSION@ PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ -RUBY = @RUBY@ RUBYGEMDIR = @RUBYGEMDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ @@ -357,6 +356,8 @@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ bindir = @bindir@ +botan_CFLAGS = @botan_CFLAGS@ +botan_LIBS = @botan_LIBS@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ @@ -377,8 +378,6 @@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ fuzz_plugins = @fuzz_plugins@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -433,8 +432,6 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ -ruby_CFLAGS = @ruby_CFLAGS@ -ruby_LIBS = @ruby_LIBS@ runstatedir = @runstatedir@ s_plugins = @s_plugins@ sbindir = @sbindir@ @@ -463,8 +460,12 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ tss2_CFLAGS = @tss2_CFLAGS@ tss2_LIBS = @tss2_LIBS@ +tss2_esys_CFLAGS = @tss2_esys_CFLAGS@ +tss2_esys_LIBS = @tss2_esys_LIBS@ tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_sys_CFLAGS = @tss2_sys_CFLAGS@ +tss2_sys_LIBS = @tss2_sys_LIBS@ tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ urandom_device = @urandom_device@ diff --git a/src/swanctl/commands/counters.c b/src/swanctl/commands/counters.c index ab386b5d8..909ca4366 100644 --- a/src/swanctl/commands/counters.c +++ b/src/swanctl/commands/counters.c @@ -48,7 +48,7 @@ static int counters(vici_conn_t *conn) vici_res_t *res; command_format_options_t format = COMMAND_FORMAT_NONE; char *arg, *name = NULL; - int ret; + int ret = 0; bool all = FALSE, reset = FALSE; while (TRUE) @@ -131,7 +131,7 @@ static int counters(vici_conn_t *conn) } } vici_free_res(res); - return 0; + return ret; } /** diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c index 8e452a6f6..bf8d2cd79 100644 --- a/src/swanctl/commands/initiate.c +++ b/src/swanctl/commands/initiate.c @@ -131,7 +131,7 @@ static void __attribute__ ((constructor))reg() {"--child [--ike ] [--timeout ] [--raw|--pretty]"}, { {"help", 'h', 0, "show usage information"}, - {"child", 'c', 1, "initate a CHILD_SA configuration"}, + {"child", 'c', 1, "initiate a CHILD_SA configuration"}, {"ike", 'i', 1, "name of the connection to which the child belongs"}, {"timeout", 't', 1, "timeout in seconds before detaching"}, {"raw", 'r', 0, "dump raw response message"}, 
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c index f692e9966..5f7dd8189 100644 --- a/src/swanctl/commands/list_conns.c +++ b/src/swanctl/commands/list_conns.c @@ -2,7 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * - * Copyright (C) 2016 Andreas Steffen + * Copyright (C) 2016-2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -199,6 +199,10 @@ CALLBACK(conn_sn, int, { printf(" groups: %s\n", auth->get(auth, "groups")); } + if (auth->get(auth, "cert_policy")) + { + printf(" cert policy: %s\n", auth->get(auth, "cert_policy")); + } if (auth->get(auth, "certs")) { printf(" certs: %s\n", auth->get(auth, "certs")); @@ -234,7 +238,7 @@ CALLBACK(conns, int, void *null, vici_res_t *res, char *name) { int ret; - char *version, *reauth_time, *rekey_time, *dpd_delay; + char *version, *reauth_time, *rekey_time, *dpd_delay, *ppk_id, *ppk_req; hashtable_t *ike; version = vici_find_str(res, "", "%s.version", name); @@ -278,6 +282,14 @@ CALLBACK(conns, int, } printf("\n"); + ppk_id = vici_find_str(res, NULL, "%s.ppk_id", name); + ppk_req = vici_find_str(res, NULL, "%s.ppk_required", name); + if (ppk_id || ppk_req) + { + printf(" ppk: %s%s%srequired\n", ppk_id ?: "", ppk_id ? ", " : "", + !ppk_req || !streq(ppk_req, "yes") ? "not " : ""); + } + ret = vici_parse_cb(res, conn_sn, NULL, conn_list, ike); free_hashtable(ike); return ret; diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c index 28602fc65..232f03cc2 100644 --- a/src/swanctl/commands/list_sas.c +++ b/src/swanctl/commands/list_sas.c @@ -266,6 +266,10 @@ CALLBACK(ike_sa, int, } printf("/%s", ike->get(ike, "prf-alg")); printf("/%s", ike->get(ike, "dh-group")); + if (streq(ike->get(ike, "ppk"), "yes")) + { + printf("/PPK"); + } printf("\n"); } 
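Review bot: The new ppk line in `conns()` packs three conditional expressions into a single `printf` call and relies on the GNU `?:` extension, which makes the `required`/`not required` decision hard to verify at a glance. A named flag reads better and documents the rule: `bool required = ppk_req && streq(ppk_req, "yes");` with `required ? "" : "not "` as the last argument. Note also that a response lacking `ppk_required` is printed as `not required`; if the daemon can omit that key (an older daemon or an IKEv1 connection — not visible here), the output claims knowledge it does not have. The enclosing callback starts and ends outside this hunk.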
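Review bot: `streq(ike->get(ike, "ppk"), "yes")` in `ike_sa()` hands the lookup result straight to a string comparison, but a hashtable `get()` returns NULL when the key is absent, and `streq()` on NULL is a NULL dereference inside `strcmp()`. Whether the daemon emits a `ppk` attribute for every IKE_SA (IKEv1 SAs, or a daemon built without PPK support) is not visible here, so the listing should guard the way the `cert_policy` block in list_conns.c does: `char *ppk = ike->get(ike, "ppk"); if (ppk && streq(ppk, "yes"))`. The neighbouring `printf("/%s", ...)` context lines have the same exposure but predate this change. The enclosing ike_sa() callback starts and ends outside the hunk.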
diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c index 0010ce140..26f043a6a 100644 --- a/src/swanctl/commands/load_all.c +++ b/src/swanctl/commands/load_all.c @@ -31,8 +31,8 @@ static int load_all(vici_conn_t *conn) bool clear = FALSE, noprompt = FALSE; command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; + char *arg, *file = SWANCTL_CONF; int ret = 0; - char *arg; while (TRUE) { @@ -52,6 +52,9 @@ static int load_all(vici_conn_t *conn) case 'r': format |= COMMAND_FORMAT_RAW; continue; + case 'f': + file = arg; + continue; case EOF: break; default: @@ -60,10 +63,10 @@ static int load_all(vici_conn_t *conn) break; } - cfg = settings_create(SWANCTL_CONF); + cfg = settings_create(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF); + fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } @@ -104,6 +107,7 @@ static void __attribute__ ((constructor))reg() {"noprompt", 'n', 0, "do not prompt for passwords"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, + {"file", 'f', 1, "custom path to swanctl.conf"}, } }); } diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c index d82c0f98e..61682a386 100644 --- a/src/swanctl/commands/load_authorities.c +++ b/src/swanctl/commands/load_authorities.c @@ -310,7 +310,7 @@ static int load_authorities(vici_conn_t *conn) { command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg; + char *arg, *file = SWANCTL_CONF; int ret; while (TRUE) @@ -325,6 +325,9 @@ static int load_authorities(vici_conn_t *conn) case 'r': format |= COMMAND_FORMAT_RAW; continue; + case 'f': + file = arg; + continue; case EOF: break; default: 
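Review bot: `settings_create(file)` on the user-supplied `--file` path in `load_all()` is still only checked with `if (!cfg)`, the check that was written for a compiled-in path that always existed. If `settings_create()` behaves as it does elsewhere in libstrongswan and returns an empty settings object when the file cannot be opened — I cannot confirm that from this hunk — then a mistyped `--file` argument is not an error at all, and together with `--clear` (declared in the context line `bool clear = FALSE, noprompt = FALSE;`) it would unload every connection, pool and credential while loading nothing in their place. A user-supplied path deserves an explicit readability check before parsing, e.g. `if (access(file, R_OK) != 0) { fprintf(stderr, "unable to read '%s'\n", file); return EINVAL; }` (needs `<unistd.h>` if not already included). The same `case 'f': file = arg;` / `settings_create(file)` pattern is repeated in load_authorities.c, load_conns.c, load_creds.c and load_pools.c in this commit and needs the same guard, and the help text `custom path to swanctl.conf` should say whether the credential directories are still read from the compiled-in directory or relative to the given file.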
@@ -333,10 +336,10 @@ static int load_authorities(vici_conn_t *conn) break; } - cfg = settings_create(SWANCTL_CONF); + cfg = settings_create(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF); + fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } @@ -360,6 +363,7 @@ static void __attribute__ ((constructor))reg() {"help", 'h', 0, "show usage information"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, + {"file", 'f', 1, "custom path to swanctl.conf"}, } }); } diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c index 0518ef54f..dad03945d 100644 --- a/src/swanctl/commands/load_conns.c +++ b/src/swanctl/commands/load_conns.c @@ -425,7 +425,7 @@ static int load_conns(vici_conn_t *conn) { command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg; + char *arg, *file = SWANCTL_CONF; int ret; while (TRUE) @@ -440,6 +440,9 @@ static int load_conns(vici_conn_t *conn) case 'r': format |= COMMAND_FORMAT_RAW; continue; + case 'f': + file = arg; + continue; case EOF: break; default: @@ -448,10 +451,10 @@ static int load_conns(vici_conn_t *conn) break; } - cfg = settings_create(SWANCTL_CONF); + cfg = settings_create(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF); + fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } @@ -474,6 +477,7 @@ static void __attribute__ ((constructor))reg() {"help", 'h', 0, "show usage information"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, + {"file", 'f', 1, "custom path to swanctl.conf"}, } }); } diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index 15ef2f151..a9e352f7e 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c 
@@ -665,6 +665,7 @@ static bool load_secret(load_ctx_t *ctx, char *section) "xauth", "ntlm", "ike", + "ppk", "private", "rsa", "ecdsa", @@ -688,7 +689,7 @@ static bool load_secret(load_ctx_t *ctx, char *section) return FALSE; } if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ntlm") && - !streq(type, "ike")) + !streq(type, "ike") && !streq(type, "ppk")) { /* skip non-shared secrets */ return TRUE; } @@ -945,7 +946,7 @@ static int load_creds(vici_conn_t *conn) bool clear = FALSE, noprompt = FALSE; command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg; + char *arg, *file = SWANCTL_CONF; int ret; while (TRUE) @@ -966,6 +967,9 @@ static int load_creds(vici_conn_t *conn) case 'r': format |= COMMAND_FORMAT_RAW; continue; + case 'f': + file = arg; + continue; case EOF: break; default: @@ -974,10 +978,10 @@ static int load_creds(vici_conn_t *conn) break; } - cfg = settings_create(SWANCTL_CONF); + cfg = settings_create(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF); + fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } @@ -1002,6 +1006,7 @@ static void __attribute__ ((constructor))reg() {"noprompt", 'n', 0, "do not prompt for passwords"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, + {"file", 'f', 1, "custom path to swanctl.conf"}, } }); } diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c index feb8d3a52..ec9508efb 100644 --- a/src/swanctl/commands/load_pools.c +++ b/src/swanctl/commands/load_pools.c @@ -251,7 +251,7 @@ static int load_pools(vici_conn_t *conn) { command_format_options_t format = COMMAND_FORMAT_NONE; settings_t *cfg; - char *arg; + char *arg, *file = SWANCTL_CONF; int ret; while (TRUE) @@ -266,6 +266,9 @@ static int load_pools(vici_conn_t *conn) case 'r': format |= COMMAND_FORMAT_RAW; continue; + case 'f': + file = arg; + continue; case EOF: break; default: 
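Review bot: Adding `"ppk"` to the shared-secret types in `load_secret()` forwards the configured value to the daemon without any sanity check, while the man page text added in this same commit tells users the PPK should have at least 256 bits of entropy. A PPK is the one secret in this file intended to hold against a quantum-capable adversary, yet a short ASCII string under `secrets.ppk` is accepted silently. If this function decodes the `0x`/`0s` forms before submitting (that code is outside the hunk), a warning when the decoded length is below 32 bytes — e.g. `fprintf(stderr, "warning: ppk in '%s' is shorter than 256 bits\n", section);` — would catch the most likely misconfiguration without changing behaviour. load_secret() starts and ends outside the hunk.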
@@ -274,10 +277,10 @@ static int load_pools(vici_conn_t *conn) break; } - cfg = settings_create(SWANCTL_CONF); + cfg = settings_create(file); if (!cfg) { - fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF); + fprintf(stderr, "parsing '%s' failed\n", file); return EINVAL; } @@ -300,6 +303,7 @@ static void __attribute__ ((constructor))reg() {"help", 'h', 0, "show usage information"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, + {"file", 'f', 1, "custom path to swanctl.conf"}, } }); } diff --git a/src/swanctl/commands/rekey.c b/src/swanctl/commands/rekey.c index 47a313657..f44ecaa3c 100644 --- a/src/swanctl/commands/rekey.c +++ b/src/swanctl/commands/rekey.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Tobias Brunner + * Copyright (C) 2017-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -24,6 +24,7 @@ static int rekey(vici_conn_t *conn) command_format_options_t format = COMMAND_FORMAT_NONE; char *arg, *child = NULL, *ike = NULL; int ret = 0, child_id = 0, ike_id = 0; + bool reauth = FALSE; while (TRUE) { @@ -49,6 +50,9 @@ static int rekey(vici_conn_t *conn) case 'I': ike_id = atoi(arg); continue; + case 'a': + reauth = TRUE; + continue; case EOF: break; default: @@ -74,6 +78,10 @@ static int rekey(vici_conn_t *conn) { vici_add_key_valuef(req, "ike-id", "%d", ike_id); } + if (reauth) + { + vici_add_key_valuef(req, "reauth", "yes"); + } res = vici_submit(req, conn); if (!res) { 
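Review bot: The new `--reauth` flag in `rekey()` is added to the request unconditionally (`if (reauth) { vici_add_key_valuef(req, "reauth", "yes"); }`) even when the SA was selected with `--child` or `--child-id`, although the usage line and help text describe it as an IKEv2 IKE_SA operation. Unless the daemon rejects the combination (not visible here), a user asking to reauthenticate a CHILD_SA gets either a plain rekey or an IKE_SA reauthentication, neither of which matches the request. Rejecting it client-side next to the existing argument validation would be clearer: `if (reauth && (child || child_id)) { fprintf(stderr, "--reauth only applies to IKE_SAs\n"); return EINVAL; }`. Whether `child`/`child_id` are already validated against `ike`/`ike_id` lies outside this hunk, as does the start of rekey().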
@@ -111,13 +119,14 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { rekey, 'R', "rekey", "rekey an SA", {"--child | --ike | --ike-id ", - "[--raw|--pretty]"}, + "[--reauth] [--raw|--pretty]"}, { {"help", 'h', 0, "show usage information"}, {"child", 'c', 1, "rekey by CHILD_SA name"}, {"ike", 'i', 1, "rekey by IKE_SA name"}, {"child-id", 'C', 1, "rekey by CHILD_SA unique identifier"}, {"ike-id", 'I', 1, "rekey by IKE_SA unique identifier"}, + {"reauth", 'a', 0, "reauthenticate instead of rekey an IKEv2 SA"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, } diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index 9b87a963a..c50f20dc6 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -56,6 +56,13 @@ # Send certificate payloads (always, never or ifasked). # send_cert = ifasked + # String identifying the Postquantum Preshared Key (PPK) to be used. + # ppk_id = + + # Whether a Postquantum Preshared Key (PPK) is required for this + # connection. + # ppk_required = no + # Number of retransmission sequences to perform during initial connect. # keyingtries = 1 @@ -311,6 +318,14 @@ # Netfilter mark and mask for output traffic. # mark_out = 0/0x00000000 + # Netfilter mark applied to packets after the inbound IPsec SA + # processed them. + # set_mark_in = 0/0x00000000 + + # Netfilter mark applied to packets after the outbound IPsec SA + # processed them. + # set_mark_out = 0/0x00000000 + # Traffic Flow Confidentiality padding. # tfc_padding = 0 
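Review bot: The help string for the new option, `"reauthenticate instead of rekey an IKEv2 SA"`, is ungrammatical and does not say which kind of SA it applies to, which matters since the command also accepts `--child`. Something like `"reauthenticate an IKEv2 IKE_SA instead of rekeying it"` states both. The option table is complete within the hunk; the registering function's closing brace is outside it.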
@@ -321,6 +336,18 @@ # IPsec implementation. # hw_offload = no + # Whether to copy the DF bit to the outer IPv4 header in tunnel + # mode. + # copy_df = yes + + # Whether to copy the ECN header field to/from the outer IP + # header in tunnel mode. + # copy_ecn = yes + + # Whether to copy the DSCP header field to/from the outer IP + # header in tunnel mode. + # copy_dscp = out + # Action to perform after loading the configuration (none, trap, # start). # start_action = none @@ -379,6 +406,17 @@ # } + # Postquantum Preshared Key (PPK) section for a specific secret. + # ppk { + + # Value of the PPK. + # secret = + + # PPK identity the PPK belongs to. + # id = + + # } + # Private key decryption passphrase for a key in the private folder. # private { diff --git a/src/swanctl/swanctl.conf.5.head.in b/src/swanctl/swanctl.conf.5.head.in index 5742d2593..a14225df0 100644 --- a/src/swanctl/swanctl.conf.5.head.in +++ b/src/swanctl/swanctl.conf.5.head.in @@ -6,8 +6,8 @@ swanctl.conf is the configuration file used by the .BR swanctl (8) tool to load configurations and credentials into the strongSwan IKE daemon. -For a description of the basic file syntax, including how to split the -configuration in multiple files by including other files, refer to +For a description of the basic file syntax, including how to reference sections +or split the configuration in multiple files by including other files, refer to .BR strongswan.conf (5). .SH TIME FORMATS diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 1f7e3a2cc..1f8900959 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main 
@@ -216,6 +216,14 @@ altogether, causes certificate payloads to be sent unconditionally whenever certificate authentication is used. +.TP +.BR connections..ppk_id " []" +String identifying the Postquantum Preshared Key (PPK) to be used. + +.TP +.BR connections..ppk_required " [no]" +Whether a Postquantum Preshared Key (PPK) is required for this connection. + .TP .BR connections..keyingtries " [1]" Number of retransmission sequences to perform during initial connect. Instead of 
@@ -1126,6 +1134,52 @@ An additional mask may be appended to the mark, separated by The default mask if omitted is 0xffffffff. +.TP +.BR connections..children..set_mark_in " [0/0x00000000]" +Netfilter mark applied to packets after the inbound IPsec SA processed them. +This way it's not necessary to mark packets via Netfilter before decryption or +right afterwards to match policies or process them differently (e.g. via policy +routing). + +An additional mask may be appended to the mark, separated by +.RI "" "/" "." +The default +mask if omitted is 0xffffffff. The special value +.RI "" "%same" "" +uses the value (but not +the mask) from +.RB "" "mark_in" "" +as mark value, which can be fixed, +.RI "" "%unique" "" +or +.RI "" "%unique\-dir" "." + + +Setting marks in XFRM input requires Linux 4.19 or higher. + +.TP +.BR connections..children..set_mark_out " [0/0x00000000]" +Netfilter mark applied to packets after the outbound IPsec SA processed them. +This allows processing ESP packets differently than the original traffic (e.g. +via policy routing). + +An additional mask may be appended to the mark, separated by +.RI "" "/" "." +The default +mask if omitted is 0xffffffff. The special value +.RI "" "%same" "" +uses the value (but not +the mask) from +.RB "" "mark_out" "" +as mark value, which can be fixed, +.RI "" "%unique" "" +or +.RI "" "%unique\-dir" "." + + +Setting marks in XFRM output is supported since Linux 4.14. Setting a mask +requires at least Linux 4.19. + .TP .BR connections..children..tfc_padding " [0]" Pads ESP packets with additional data to have a consistent ESP packet size for 
@@ -1154,6 +1208,44 @@ fail if it's not supported by either kernel or device. The value enables offloading, if it's supported, but the installation does not fail otherwise. +.TP +.BR connections..children..copy_df " [yes]" +Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This +effectively disables Path MTU discovery (PMTUD). Controlling this behavior is +not supported by all kernel interfaces. + +.TP +.BR connections..children..copy_ecn " [yes]" +Whether to copy the ECN (Explicit Congestion Notification) header field to/from +the outer IP header in tunnel mode. Controlling this behavior is not supported +by all kernel interfaces. + +.TP +.BR connections..children..copy_dscp " [out]" +Whether to copy the DSCP (Differentiated Services Field Codepoint) header field +to/from the outer IP header in tunnel mode. The value +.RI "" "out" "" +only copies the +field from the inner to the outer header, the value +.RI "" "in" "" +does the opposite and +only copies the field from the outer to the inner header when decapsulating, the +value +.RI "" "yes" "" +copies the field in both directions, and the value +.RI "" "no" "" +disables +copying the field altogether. Setting this to +.RI "" "yes" "" +or +.RI "" "in" "" +could allow an +attacker to adversely affect other traffic at the receiver, which is why the +default is +.RI "" "out" "." +Controlling this behavior is not supported by all kernel +interfaces. + .TP .BR connections..children..start_action " [none]" Action to perform after loading the configuration. The default of 
@@ -1296,6 +1388,31 @@ be specified, each having an prefix, if a secret is shared between multiple peers. +.TP +.B secrets.ppk +.br +Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is +defined in a unique section having the +.RI "" "ppk" "" +prefix. + +.TP +.BR secrets.ppk.secret " []" +Value of the PPK. It may either be an ASCII string, a hex encoded string if +it has a +.RI "" "0x" "" +prefix or a Base64 encoded string if it has a +.RI "" "0s" "" +prefix in its +value. Should have at least 256 bits of entropy for 128\-bit security. + +.TP +.BR secrets.ppk.id " []" +PPK identity the PPK belongs to. Multiple unique identities may be specified, +each having an +.RI "" "id" "" +prefix, if a secret is shared between multiple peers. + .TP .B secrets.private .br diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 120e5812e..1c1e85e3e 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -188,6 +188,12 @@ connections..send_cert = ifasked certificate payloads altogether, _always_ causes certificate payloads to be sent unconditionally whenever certificate authentication is used. +connections..ppk_id = + String identifying the Postquantum Preshared Key (PPK) to be used. + +connections..ppk_required = no + Whether a Postquantum Preshared Key (PPK) is required for this connection. + connections..keyingtries = 1 Number of retransmission sequences to perform during initial connect. 
@@ -910,6 +916,37 @@ connections..children..mark_out = 0/0x00000000 An additional mask may be appended to the mark, separated by _/_. The default mask if omitted is 0xffffffff. +connections..children..set_mark_in = 0/0x00000000 + Netfilter mark applied to packets after the inbound IPsec SA processed them. + + Netfilter mark applied to packets after the inbound IPsec SA processed them. + This way it's not necessary to mark packets via Netfilter before decryption + or right afterwards to match policies or process them differently (e.g. via + policy routing). + + An additional mask may be appended to the mark, separated by _/_. The + default mask if omitted is 0xffffffff. The special value _%same_ uses + the value (but not the mask) from **mark_in** as mark value, which can be + fixed, _%unique_ or _%unique-dir_. + + Setting marks in XFRM input requires Linux 4.19 or higher. + +connections..children..set_mark_out = 0/0x00000000 + Netfilter mark applied to packets after the outbound IPsec SA processed + them. + + Netfilter mark applied to packets after the outbound IPsec SA processed + them. This allows processing ESP packets differently than the original + traffic (e.g. via policy routing). + + An additional mask may be appended to the mark, separated by _/_. The + default mask if omitted is 0xffffffff. The special value _%same_ uses + the value (but not the mask) from **mark_out** as mark value, which can be + fixed, _%unique_ or _%unique-dir_. + + Setting marks in XFRM output is supported since Linux 4.14. Setting a mask + requires at least Linux 4.19. + connections..children..tfc_padding = 0 Traffic Flow Confidentiality padding. 
@@ -937,6 +974,35 @@ connections..children..hw_offload = no enables offloading, if it's supported, but the installation does not fail otherwise. +connections..children..copy_df = yes + Whether to copy the DF bit to the outer IPv4 header in tunnel mode. + + Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This + effectively disables Path MTU discovery (PMTUD). Controlling this behavior + is not supported by all kernel interfaces. + +connections..children..copy_ecn = yes + Whether to copy the ECN header field to/from the outer IP header in tunnel + mode. + + Whether to copy the ECN (Explicit Congestion Notification) header field + to/from the outer IP header in tunnel mode. Controlling this behavior is not + supported by all kernel interfaces. + +connections..children..copy_dscp = out + Whether to copy the DSCP header field to/from the outer IP header in tunnel + mode. + + Whether to copy the DSCP (Differentiated Services Field Codepoint) header + field to/from the outer IP header in tunnel mode. The value _out_ only + copies the field from the inner to the outer header, the value _in_ does the + opposite and only copies the field from the outer to the inner header when + decapsulating, the value _yes_ copies the field in both directions, and the + value _no_ disables copying the field altogether. Setting this to _yes_ or + _in_ could allow an attacker to adversely affect other traffic at the + receiver, which is why the default is _out_. Controlling this behavior is + not supported by all kernel interfaces. + connections..children..start_action = none Action to perform after loading the configuration (_none_, _trap_, _start_). 
@@ -1047,6 +1113,26 @@ secrets.ike.id = may be specified, each having an _id_ prefix, if a secret is shared between multiple peers. +secrets.ppk { # } + Postquantum Preshared Key (PPK) section for a specific secret. + + Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is + defined in a unique section having the _ppk_ prefix. + +secrets.ppk.secret = + Value of the PPK. + + Value of the PPK. It may either be an ASCII string, a hex encoded string if + it has a _0x_ prefix or a Base64 encoded string if it has a _0s_ prefix in + its value. Should have at least 256 bits of entropy for 128-bit security. + +secrets.ppk.id = + PPK identity the PPK belongs to. + + PPK identity the PPK belongs to. Multiple unique identities + may be specified, each having an _id_ prefix, if a secret is shared between + multiple peers. + secrets.private { # } Private key decryption passphrase for a key in the _private_ folder. -- cgit v1.2.3