Merge pull request #62616 from basvandijk/strongswan-5.8.0

strongswan: 5.7.2 -> 5.8.0
This commit is contained in:
Bas van Dijk 2019-06-03 23:43:20 +02:00 committed by GitHub
commit f6ba5b91e8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 50 additions and 64 deletions

View file

@ -6,7 +6,7 @@
#
# git clone https://github.com/strongswan/strongswan.git
# cd strongswan
# git diff 5.5.3..5.6.0 src/swanctl/swanctl.opt
# git diff 5.7.2..5.8.0 src/swanctl/swanctl.opt
lib: with (import ./param-constructors.nix lib);
@ -227,6 +227,22 @@ in {
irrespective of the value of this option (even when set to no).
'';
childless = mkEnumParam [ "allow" "force" "never" ] "allow" ''
Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
are <literal>allow</literal> (the default), <literal>force</literal> and
<literal>never</literal>. If set to <literal>allow</literal>, responders
will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
response) while initiators continue to create regular IKE_SAs with the
first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated
explicitly without any children (which will fail if the responder does not
support or has disabled this extension). If set to
<literal>force</literal>, only childless initiation is accepted and the
first CHILD_SA is created with a separate CREATE_CHILD_SA exchange
(e.g. to use an independent DH exchange for all CHILD_SAs). Finally,
setting the option to <literal>never</literal> disables support for
childless IKE_SAs as responder.
'';
send_certreq = mkYesNoParam yes ''
Send certificate request payloads to offer trusted root CA certificates to
the peer. Certificate requests help the peer to choose an appropriate
@ -350,6 +366,16 @@ in {
name from either the pools section or an external pool.
'';
if_id_in = mkStrParam "0" ''
XFRM interface ID set on inbound policies/SA, can be overridden by child
config, see there for details.
'';
if_id_out = mkStrParam "0" ''
XFRM interface ID set on outbound policies/SA, can be overridden by child
config, see there for details.
'';
mediation = mkYesNoParam no ''
Whether this connection is a mediation connection, that is, whether this
connection is used to mediate other connections using the IKEv2 Mediation
@ -799,7 +825,7 @@ in {
Updown script to invoke on CHILD_SA up and down events.
'';
hostaccess = mkYesNoParam yes ''
hostaccess = mkYesNoParam no ''
Hostaccess variable to pass to <literal>updown</literal> script.
'';
@ -960,6 +986,26 @@ in {
mask requires at least Linux 4.19.
'';
if_id_in = mkStrParam "0" ''
XFRM interface ID set on inbound policies/SA. This allows installing
duplicate policies/SAs and associates them with an interface with the
same ID. The special value <literal>%unique</literal> sets a unique
interface ID on each CHILD_SA instance, beyond that the value
<literal>%unique-dir</literal> assigns a different unique interface ID
for each CHILD_SA direction (in/out).
'';
if_id_out = mkStrParam "0" ''
XFRM interface ID set on outbound policies/SA. This allows installing
duplicate policies/SAs and associates them with an interface with the
same ID. The special value <literal>%unique</literal> sets a unique
interface ID on each CHILD_SA instance, beyond that the value
<literal>%unique-dir</literal> assigns a different unique interface ID
for each CHILD_SA direction (in/out).
The daemon will not install routes for CHILD_SAs that have this option set.
'';
tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 ''
Pads ESP packets with additional data to have a consistent ESP packet
size for improved Traffic Flow Confidentiality. The padding defines the

View file

@ -19,11 +19,11 @@ with stdenv.lib;
stdenv.mkDerivation rec {
name = "strongswan-${version}";
version = "5.7.2";
version = "5.8.0"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading!
src = fetchurl {
url = "https://download.strongswan.org/${name}.tar.bz2";
sha256 = "0w6cks42lvvyj5ivyhqyqxya48x93yzfpz281q3xmqicdskkp3ih";
sha256 = "0cq9m86ydd2i0awxkv4a256f4926p2f9pzlisyskl9fngl6f3c8m";
};
dontPatchELF = true;
@ -40,10 +40,6 @@ stdenv.mkDerivation rec {
./ext_auth-path.patch
./firewall_defaults.patch
./updown-path.patch
(optional stdenv.isLinux (substituteAll {
src = ./modprobe-path.patch;
inherit kmod;
}))
];
postPatch = optionalString stdenv.isLinux ''

View file

@ -1,56 +0,0 @@
diff --git a/src/starter/klips.c b/src/starter/klips.c
index 2216546..d626677 100644
--- a/src/starter/klips.c
+++ b/src/starter/klips.c
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
/* ipsec module makes the pf_key proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv ipsec"));
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec"));
}
/* now test again */
@@ -42,9 +42,9 @@ bool starter_klips_init(void)
}
/* load crypto algorithm modules */
- ignore_result(system("modprobe -qv ipsec_aes"));
- ignore_result(system("modprobe -qv ipsec_blowfish"));
- ignore_result(system("modprobe -qv ipsec_sha2"));
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_aes"));
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_blowfish"));
+ ignore_result(system("@kmod@/bin/modprobe -qv ipsec_sha2"));
DBG2(DBG_APP, "found KLIPS IPsec stack");
return TRUE;
diff --git a/src/starter/netkey.c b/src/starter/netkey.c
index b150d3e..0a7c2ff 100644
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv af_key"));
+ ignore_result(system("@kmod@/bin/modprobe -qv af_key"));
}
/* now test again */
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv ah4"));
- ignore_result(system("modprobe -qv esp4"));
- ignore_result(system("modprobe -qv ipcomp"));
- ignore_result(system("modprobe -qv xfrm4_tunnel"));
- ignore_result(system("modprobe -qv xfrm_user"));
+ ignore_result(system("@kmod@/bin/modprobe -qv ah4"));
+ ignore_result(system("@kmod@/bin/modprobe -qv esp4"));
+ ignore_result(system("@kmod@/bin/modprobe -qv ipcomp"));
+ ignore_result(system("@kmod@/bin/modprobe -qv xfrm4_tunnel"));
+ ignore_result(system("@kmod@/bin/modprobe -qv xfrm_user"));
}
DBG2(DBG_APP, "found netkey IPsec stack");