Merge pull request #62616 from basvandijk/strongswan-5.8.0
strongswan: 5.7.2 -> 5.8.0
commit
f6ba5b91e8
3 changed files with 50 additions and 64 deletions
|
@ -6,7 +6,7 @@
|
|||
#
|
||||
# git clone https://github.com/strongswan/strongswan.git
|
||||
# cd strongswan
|
||||
# git diff 5.5.3..5.6.0 src/swanctl/swanctl.opt
|
||||
# git diff 5.7.2..5.8.0 src/swanctl/swanctl.opt
|
||||
|
||||
lib: with (import ./param-constructors.nix lib);
|
||||
|
||||
|
@ -227,6 +227,22 @@ in {
|
|||
irrespective of the value of this option (even when set to no).
|
||||
'';
|
||||
|
||||
childless = mkEnumParam [ "allow" "force" "never" ] "allow" ''
|
||||
Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
|
||||
are <literal>allow</literal> (the default), <literal>force</literal> and
|
||||
<literal>never</literal>. If set to <literal>allow</literal>, responders
|
||||
will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
|
||||
response) while initiators continue to create regular IKE_SAs with the
|
||||
first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated
|
||||
explicitly without any children (which will fail if the responder does not
|
||||
support or has disabled this extension). If set to
|
||||
<literal>force</literal>, only childless initiation is accepted and the
|
||||
first CHILD_SA is created with a separate CREATE_CHILD_SA exchange
|
||||
(e.g. to use an independent DH exchange for all CHILD_SAs). Finally,
|
||||
setting the option to <literal>never</literal> disables support for
|
||||
childless IKE_SAs as responder.
|
||||
'';
|
||||
|
||||
send_certreq = mkYesNoParam yes ''
|
||||
Send certificate request payloads to offer trusted root CA certificates to
|
||||
the peer. Certificate requests help the peer to choose an appropriate
|
||||
|
@ -350,6 +366,16 @@ in {
|
|||
name from either the pools section or an external pool.
|
||||
'';
|
||||
|
||||
if_id_in = mkStrParam "0" ''
|
||||
XFRM interface ID set on inbound policies/SA, can be overridden by child
|
||||
config, see there for details.
|
||||
'';
|
||||
|
||||
if_id_out = mkStrParam "0" ''
|
||||
XFRM interface ID set on outbound policies/SA, can be overridden by child
|
||||
config, see there for details.
|
||||
'';
|
||||
|
||||
mediation = mkYesNoParam no ''
|
||||
Whether this connection is a mediation connection, that is, whether this
|
||||
connection is used to mediate other connections using the IKEv2 Mediation
|
||||
|
@ -799,7 +825,7 @@ in {
|
|||
Updown script to invoke on CHILD_SA up and down events.
|
||||
'';
|
||||
|
||||
hostaccess = mkYesNoParam yes ''
|
||||
hostaccess = mkYesNoParam no ''
|
||||
Hostaccess variable to pass to <literal>updown</literal> script.
|
||||
'';
|
||||
|
||||
|
@ -960,6 +986,26 @@ in {
|
|||
mask requires at least Linux 4.19.
|
||||
'';
|
||||
|
||||
if_id_in = mkStrParam "0" ''
|
||||
XFRM interface ID set on inbound policies/SA. This allows installing
|
||||
duplicate policies/SAs and associates them with an interface with the
|
||||
same ID. The special value <literal>%unique</literal> sets a unique
|
||||
interface ID on each CHILD_SA instance, beyond that the value
|
||||
<literal>%unique-dir</literal> assigns a different unique interface ID
|
||||
for each CHILD_SA direction (in/out).
|
||||
'';
|
||||
|
||||
if_id_out = mkStrParam "0" ''
|
||||
XFRM interface ID set on outbound policies/SA. This allows installing
|
||||
duplicate policies/SAs and associates them with an interface with the
|
||||
same ID. The special value <literal>%unique</literal> sets a unique
|
||||
interface ID on each CHILD_SA instance, beyond that the value
|
||||
<literal>%unique-dir</literal> assigns a different unique interface ID
|
||||
for each CHILD_SA direction (in/out).
|
||||
|
||||
The daemon will not install routes for CHILD_SAs that have this option set.
|
||||
'';
|
||||
|
||||
tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 ''
|
||||
Pads ESP packets with additional data to have a consistent ESP packet
|
||||
size for improved Traffic Flow Confidentiality. The padding defines the
|
||||
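Review bot: The default of `hostaccess` flips from yes to no at `hostaccess = mkYesNoParam no ''`, which silently changes what the updown script does for every existing NixOS configuration that never set the option, while the description still says only where the variable is passed, not what it controls or that the default moved. Assuming this tracks the new upstream 5.8.0 default (the header comment says these options mirror swanctl.opt), the description should state that and tell users how to keep the old behaviour, e.g. `Hostaccess variable to pass to <literal>updown</literal> script (whether the host itself, not only forwarded traffic, may use the tunnel). strongSwan 5.8.0 changed the upstream default to no; set yes to keep the previous behaviour.` — adjust the parenthetical if that is not what the updown script does with it. Because this is a firewall-related default changing in a module update, a line in the NixOS release notes is warranted as well. The enclosing `children` option set starts and ends outside this hunk.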
|
|
|
@ -19,11 +19,11 @@ with stdenv.lib;
|
|||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "strongswan-${version}";
|
||||
version = "5.7.2";
|
||||
version = "5.8.0"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading!
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://download.strongswan.org/${name}.tar.bz2";
|
||||
sha256 = "0w6cks42lvvyj5ivyhqyqxya48x93yzfpz281q3xmqicdskkp3ih";
|
||||
sha256 = "0cq9m86ydd2i0awxkv4a256f4926p2f9pzlisyskl9fngl6f3c8m";
|
||||
};
|
||||
|
||||
dontPatchELF = true;
|
||||
|
@ -40,10 +40,6 @@ stdenv.mkDerivation rec {
|
|||
./ext_auth-path.patch
|
||||
./firewall_defaults.patch
|
||||
./updown-path.patch
|
||||
(optional stdenv.isLinux (substituteAll {
|
||||
src = ./modprobe-path.patch;
|
||||
inherit kmod;
|
||||
}))
|
||||
];
|
||||
|
||||
postPatch = optionalString stdenv.isLinux ''
|
||||
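Review bot: The `modprobe-path.patch` entry is dropped from `patches` (and the patch file deleted) without the commit saying why it is no longer needed. The deleted patch replaced `system("modprobe -qv ...")` calls in src/starter with an absolute `@kmod@/bin/modprobe`; if 5.8.0 still contains those calls, the starter, running as root, now resolves `modprobe` through its PATH on NixOS, which is precisely what the patch was there to avoid — if upstream removed the KLIPS/NETKEY module checks instead, the commit message should state that so the next upgrade does not have to rediscover it. With the `optional stdenv.isLinux (substituteAll { ... inherit kmod; })` entry gone, `substituteAll` and `kmod` may now be unused derivation inputs; the function header is outside this hunk, so please check and drop them there if so.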
|
|
|
@ -1,56 +0,0 @@
|
|||
diff --git a/src/starter/klips.c b/src/starter/klips.c
|
||||
index 2216546..d626677 100644
|
||||
--- a/src/starter/klips.c
|
||||
+++ b/src/starter/klips.c
|
||||
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
|
||||
/* ipsec module makes the pf_key proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv ipsec"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec"));
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -42,9 +42,9 @@ bool starter_klips_init(void)
|
||||
}
|
||||
|
||||
/* load crypto algorithm modules */
|
||||
- ignore_result(system("modprobe -qv ipsec_aes"));
|
||||
- ignore_result(system("modprobe -qv ipsec_blowfish"));
|
||||
- ignore_result(system("modprobe -qv ipsec_sha2"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_aes"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_blowfish"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_sha2"));
|
||||
|
||||
DBG2(DBG_APP, "found KLIPS IPsec stack");
|
||||
return TRUE;
|
||||
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
|
||||
index b150d3e..0a7c2ff 100644
|
||||
--- a/src/starter/netkey.c
|
||||
+++ b/src/starter/netkey.c
|
||||
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
|
||||
/* af_key module makes the netkey proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv af_key"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv af_key"));
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
|
||||
/* make sure that all required IPsec modules are loaded */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv ah4"));
|
||||
- ignore_result(system("modprobe -qv esp4"));
|
||||
- ignore_result(system("modprobe -qv ipcomp"));
|
||||
- ignore_result(system("modprobe -qv xfrm4_tunnel"));
|
||||
- ignore_result(system("modprobe -qv xfrm_user"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv ah4"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv esp4"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv ipcomp"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv xfrm4_tunnel"));
|
||||
+ ignore_result(system("@kmod@/bin/modprobe -qv xfrm_user"));
|
||||
}
|
||||
|
||||
DBG2(DBG_APP, "found netkey IPsec stack");
|