author | Nicolas Thill <nico@openwrt.org> | 2008-08-20 22:00:41 +0000 |
---|---|---|
committer | Nicolas Thill <nico@openwrt.org> | 2008-08-20 22:00:41 +0000 |
commit | 89124c8a0ab1baeb926108bb8dd503c24a25b75d (patch) | |
tree | 27743e0b45f666445f1b7cdb4287364bb008fe70 /package/strongswan | |
parent | d9b755b3dc4f9121ab70b9d816ce813f6038ad6b (diff) | |
move more extra packages from ./trunk to ./packages
SVN-Revision: 12359
Diffstat (limited to 'package/strongswan')
-rw-r--r-- | package/strongswan/Makefile | 98 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.button | 34 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.conf | 34 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.config | 21 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.cron | 2 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.iface | 8 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.init | 101 | ||||
-rw-r--r-- | package/strongswan/patches/100-ar-fixes.patch | 81 | ||||
-rw-r--r-- | package/strongswan/patches/110-make-ipsec.patch | 11 | ||||
-rw-r--r-- | package/strongswan/patches/120-make-pluto.patch | 13 | ||||
-rw-r--r-- | package/strongswan/patches/130-make-starter.patch | 21 | ||||
-rw-r--r-- | package/strongswan/patches/200-wakeup-showstatus.patch | 234 | ||||
-rw-r--r-- | package/strongswan/patches/210-updown.patch | 662 | ||||
-rw-r--r-- | package/strongswan/patches/300-openwrt.patch | 26 | ||||
-rw-r--r-- | package/strongswan/patches/310-make-ipsec-alg.patch | 19 | ||||
-rw-r--r-- | package/strongswan/patches/320-no-modprobe.patch | 108 | ||||
-rw-r--r-- | package/strongswan/patches/350-make-programs.patch | 21 |
17 files changed, 0 insertions, 1494 deletions
diff --git a/package/strongswan/Makefile b/package/strongswan/Makefile
deleted file mode 100644
index 65a77bef5d..0000000000
--- a/package/strongswan/Makefile
+++ /dev/null
@@ -1,98 +0,0 @@
-#
-# Copyright (C) 2006 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-# $Id$
-
-include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/kernel.mk
-
-PKG_NAME:=strongswan
-PKG_VERSION:=2.8.2
-PKG_RELEASE:=2
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://download.strongswan.org/
-PKG_MD5SUM:=57427f5b48123851a73b10d78dd4f8d6
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/strongswan/Default
- TITLE:=strongSwan
- DEPENDS:=@LINUX_2_4
- URL:=http://www.strongswan.org/
-endef
-
-define Package/strongswan/Default/description
- strongSwan is an IPsec implementation for Linux.
-endef
-
-define Package/strongswan
-$(call Package/strongswan/Default)
- SECTION:=net
- CATEGORY:=Network
- DEPENDS:=+kmod-strongswan +libgmp @LINUX_2_4
- TITLE+= (daemon)
-endef
-
-define Package/strongswan/description
-$(call Package/strongswan/Default/description)
- This package contains the strongSwan user-land daemon.
-endef
-
-define KernelPackage/strongswan
-$(call Package/strongswan/Default)
- SUBMENU:=Network Support
- TITLE+= (kernel module)
- DEPENDS:=@LINUX_2_4
- FILES:=$(PKG_BUILD_DIR)/linux/net/ipsec/ipsec.$(LINUX_KMOD_SUFFIX)
- AUTOLOAD:=$(call AutoLoad,50,ipsec)
-endef
-
-define KernelPackage/strongswan/description
-$(call Package/strongswan/Default/description)
- This package contains the strongSwan kernel module.
-endef
-
-PKG_MAKE_OPTS:= \
- LINUX_RELEASE="$(LINUX_RELEASE)" \
- KERNELSRC="$(LINUX_DIR)" \
- ARCH="$(LINUX_KARCH)" \
- CROSS_COMPILE="$(TARGET_CROSS)" \
- USERCOMPILE="$(TARGET_CFLAGS) -I./linux/include $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS)" \
- IPSECDIR="/usr/lib/ipsec" \
- INC_USRLOCAL="/usr" \
-
-define Build/Compile
- $(MAKE) -C $(PKG_BUILD_DIR) \
- $(TARGET_CONFIGURE_OPTS) \
- $(PKG_MAKE_OPTS) \
- LDFLAGS="$(TARGET_LDFLAGS)" \
- DESTDIR="$(PKG_INSTALL_DIR)" \
- programs module install
-endef
-
-define Package/strongswan/install
- $(CP) $(PKG_INSTALL_DIR)/* $(1)
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DIR) $(1)/etc/cron.tick
- $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
- $(INSTALL_DIR) $(1)/etc/hotplug.d/button
- $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
- $(INSTALL_BIN) ./files/ipsec.cron $(1)/etc/cron.tick/ipsec-wakeup
- $(INSTALL_BIN) ./files/ipsec.iface $(1)/etc/hotplug.d/iface/65-ipsec
- $(INSTALL_BIN) ./files/ipsec.button $(1)/etc/hotplug.d/button/65-ipsec
- $(INSTALL_DATA) ./files/ipsec.config $(1)/etc/config/ipsec
- $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
- rm -rf $(1)/usr/share
- rm -rf $(1)/usr/man
- rm -rf $(1)/var
- rm -rf $(1)/etc/rc.d
- find $(1) -name \*.old | xargs rm -rf
-endef
-
-$(eval $(call BuildPackage,strongswan))
-$(eval $(call KernelPackage,strongswan))
diff --git a/package/strongswan/files/ipsec.button b/package/strongswan/files/ipsec.button
deleted file mode 100644
index 9bd9023560..0000000000
--- a/package/strongswan/files/ipsec.button
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-
-# snarf the code that loads the config values
-# since we also load the functions, might as well save the shell calls
-. /etc/init.d/ipsec
-
-[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
-
-if [ ! -e /var/run/pluto.pid ] ; then
-
- [ "$ACTION" = "pressed" ] && start
-
-else
-
- if [ "$ACTION" = "pressed" ] ; then
-
- stop
-
- elif [ "$ACTION" = "released" ] ; then
-
- while [ -e /var/run/pluto.pid ] ; do
- sleep 1
- done
-
- while ps auxww | grep ipsec | grep -v grep ; do
- sleep 1
- done
-
- start
-
- fi
-
-fi
-
diff --git a/package/strongswan/files/ipsec.conf b/package/strongswan/files/ipsec.conf
deleted file mode 100644
index 8f59008831..0000000000
--- a/package/strongswan/files/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-
-version 2.0
-
-config setup
- interfaces=%defaultroute
- nat_traversal=yes # required on both ends
- uniqueids=yes # makes sense on client, not server
- hidetos=no
-
-conn %default
- authby=rsasig
- keyingtries=3
- keyexchange=ike
- left=%defaultroute
- leftrsasigkey=%cert
- rightrsasigkey=%cert
- dpdtimeout=30 # keepalive must arrive within
- dpddelay=5 # secs before keepalives start
- compress=no # breaks double nat installations
- pfs=yes
-
-conn sample
- leftca=%same
- leftcert=my.certificate.crt
- leftsourceip=192.168.10.1
- leftsubnet=192.168.10.0/24
- right=my.vpn.concentrator.net.
- rightca=%same
- rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
- rightsourceip=192.168.11.1
- rightsubnet=192.168.11.0/24
- dpdaction=hold
- auto=start
-
diff --git a/package/strongswan/files/ipsec.config b/package/strongswan/files/ipsec.config
deleted file mode 100644
index b4865e40b5..0000000000
--- a/package/strongswan/files/ipsec.config
+++ /dev/null
@@ -1,21 +0,0 @@
-
-# Configure button/light behavior here.
-config device
- option reset_button ses
- option status_start ses_orange
- option status_valid ses_white
-
-# iptables setup for traffic to/from this host
-config filter
- option rule_in input_rule
- option dest_in ACCEPT
- option rule_out output_rule
- option dest_out ACCEPT
-
-# iptables setup for traffic to/from another host
-config forward
- option rule_in forwarding_rule
- option dest_in forwarding_vpn_in
- option rule_out forwarding_rule
- option dest_out forwarding_vpn_out
-
diff --git a/package/strongswan/files/ipsec.cron b/package/strongswan/files/ipsec.cron
deleted file mode 100644
index d8c7dccfa8..0000000000
--- a/package/strongswan/files/ipsec.cron
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/usr/sbin/ipsec wakeup
diff --git a/package/strongswan/files/ipsec.iface b/package/strongswan/files/ipsec.iface
deleted file mode 100644
index 0716bf79bc..0000000000
--- a/package/strongswan/files/ipsec.iface
+++ /dev/null
@@ -1,8 +0,0 @@
-NAME=ipsec
-CTLFILE="/var/run/pluto.ctl"
-
-[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
-
-[ -e "$CTLFILE" ] || exit
-
-/etc/init.d/ipsec update
diff --git a/package/strongswan/files/ipsec.init b/package/strongswan/files/ipsec.init
deleted file mode 100644
index 4e8b8a2166..0000000000
--- a/package/strongswan/files/ipsec.init
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=65
-
-config_cb() {
- local cfg="$CONFIG_SECTION"
- local cfgt
- config_get cfgt "$cfg" TYPE
-
- case "$cfgt" in
- device)
- config_get IPSEC_RESET_BUTTON $cfg reset_button
- config_get IPSEC_STATUS_LED_START $cfg status_start
- config_get IPSEC_STATUS_LED_VALID $cfg status_valid
- ;;
- filter)
- config_get IPSEC_UPDOWN_RULE_IN $cfg rule_in
- config_get IPSEC_UPDOWN_DEST_IN $cfg dest_in
- config_get IPSEC_UPDOWN_RULE_OUT $cfg rule_out
- config_get IPSEC_UPDOWN_DEST_OUT $cfg dest_out
- ;;
- forward)
- config_get IPSEC_UPDOWN_FWD_RULE_IN $cfg rule_in
- config_get IPSEC_UPDOWN_FWD_DEST_IN $cfg dest_in
- config_get IPSEC_UPDOWN_FWD_RULE_OUT $cfg rule_out
- config_get IPSEC_UPDOWN_FWD_DEST_OUT $cfg dest_out
- ;;
- *)
- ;;
- esac
-}
-
-config_load ipsec
-
-export IPSEC_RESET_BUTTON
-export IPSEC_STATUS_LED_START
-export IPSEC_STATUS_LED_VALID
-
-export IPSEC_UPDOWN_RULE_IN
-export IPSEC_UPDOWN_DEST_IN
-export IPSEC_UPDOWN_RULE_OUT
-export IPSEC_UPDOWN_DEST_OUT
-
-export IPSEC_UPDOWN_FWD_RULE_IN
-export IPSEC_UPDOWN_FWD_DEST_IN
-export IPSEC_UPDOWN_FWD_RULE_OUT
-export IPSEC_UPDOWN_FWD_DEST_OUT
-
-
-start() {
-
- [ -f /etc/ipsec.conf ] || exit
- [ -e /var/run/starter.pid ] && exit
-
- /usr/sbin/ipsec _showstatus start
-
- # stuff the dnsmasq cache in case dns is on our own subnet
- for peer in `grep left= /etc/ipsec.conf | \
- cut -f 1 -d% | cut -f 2 -d=` ; do
- ping -c 1 $peer > /dev/null 2>&1
- done
-
- /usr/sbin/ipsec start || exit
-
- # work around broken routing behavior:
- # a route to the local wan segment will appear
- # the need was removed in the patched _updown script
-
- while ! route -n | grep -q ipsec ; do sleep 1 ; done
-
- defint=`route -n | awk '/^0.0.0.0/{print $8}'`
- defnet=`route -n | grep $defint | awk '!/^0.0.0.0/{print $1}'`
- dnmask=`route -n | grep $defint | awk '!/^0.0.0.0/{print $3}'`
- tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
-
- route del -net $defnet netmask $dnmask dev $tundev
-}
-
-
-stop() {
-
- /usr/sbin/ipsec stop 2> /dev/null
-
- # wait until the shutdown actually happens
- while [ -e /var/run/starter.pid ] ; do
- if [ -d /proc/`cat /var/run/starter.pid` ] ; then
- sleep 1
- else
- rm /var/run/starter.pid
- fi
- done
-
- # kill any lingering processes
- while ps auxww | grep -q ipsec | grep -v init.d; do
- kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
- sleep 1
- done
-
- ipsec _showstatus stop
-}
-
diff --git a/package/strongswan/patches/100-ar-fixes.patch b/package/strongswan/patches/100-ar-fixes.patch
deleted file mode 100644
index 2e9d7800eb..0000000000
--- a/package/strongswan/patches/100-ar-fixes.patch
+++ /dev/null
@@ -1,81 +0,0 @@ -Index: strongswan-2.8.2/lib/libcrypto/libaes/Makefile -=================================================================== ---- strongswan-2.8.2.orig/lib/libcrypto/libaes/Makefile 2007-06-04 13:23:04.777007680 +0200 -+++ strongswan-2.8.2/lib/libcrypto/libaes/Makefile 2007-06-04 13:23:04.873992936 +0200 -@@ -25,10 +25,8 @@ - - $(BLIB): $(LIBOBJ) - /bin/rm -f $(BLIB) -- ar cr $(BLIB) $(LIBOBJ) -- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \ -- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \ -- else exit 0; fi; fi -+ $(AR) cr $(BLIB) $(LIBOBJ) -+ $(RANLIB) $(BLIB) - - testx: test_main_mac.o $(BLIB) - $(CC) -o $@ $^ -Index: strongswan-2.8.2/lib/libcrypto/libblowfish/Makefile -=================================================================== ---- strongswan-2.8.2.orig/lib/libcrypto/libblowfish/Makefile 2007-06-04 13:23:04.783006768 +0200 -+++ strongswan-2.8.2/lib/libcrypto/libblowfish/Makefile 2007-06-04 13:23:04.873992936 +0200 -@@ -58,7 +58,7 @@ - lib: $(LIB) - - $(LIB): $(LIBOBJ) -- $(AR) $(LIB) $(LIBOBJ) -+ $(AR) -r $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) - - # elf -Index: strongswan-2.8.2/lib/libcrypto/libserpent/Makefile -=================================================================== ---- strongswan-2.8.2.orig/lib/libcrypto/libserpent/Makefile 2007-06-04 13:23:04.790005704 +0200 -+++ strongswan-2.8.2/lib/libcrypto/libserpent/Makefile 2007-06-04 13:23:04.873992936 +0200 -@@ -8,10 +8,8 @@ - - $(BLIB): $(LIBOBJ) - /bin/rm -f $(BLIB) -- ar cr $(BLIB) $(LIBOBJ) -- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \ -- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \ -- else exit 0; fi; fi -+ $(AR) cr $(BLIB) $(LIBOBJ) -+ $(RANLIB) $(BLIB) - - test: test_main.o $(BLIB) - $(CC) -o $@ $^ -Index: strongswan-2.8.2/lib/libcrypto/libsha2/Makefile -=================================================================== ---- strongswan-2.8.2.orig/lib/libcrypto/libsha2/Makefile 2007-06-04 13:23:04.796004792 +0200 -+++ 
strongswan-2.8.2/lib/libcrypto/libsha2/Makefile 2007-06-04 13:23:04.874992784 +0200 -@@ -9,10 +9,8 @@ - - $(BLIB): $(LIBOBJ) - /bin/rm -f $(BLIB) -- ar cr $(BLIB) $(LIBOBJ) -- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \ -- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \ -- else exit 0; fi; fi -+ $(AR) cr $(BLIB) $(LIBOBJ) -+ $(RANLIB) $(BLIB) - - test: test_main.o $(BLIB) - $(CC) -o $@ $^ -Index: strongswan-2.8.2/lib/libcrypto/libtwofish/Makefile -=================================================================== ---- strongswan-2.8.2.orig/lib/libcrypto/libtwofish/Makefile 2007-06-04 13:23:04.804003576 +0200 -+++ strongswan-2.8.2/lib/libcrypto/libtwofish/Makefile 2007-06-04 13:23:04.874992784 +0200 -@@ -9,10 +9,8 @@ - - $(BLIB): $(LIBOBJ) - /bin/rm -f $(BLIB) -- ar cr $(BLIB) $(LIBOBJ) -- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \ -- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \ -- else exit 0; fi; fi -+ $(AR) cr $(BLIB) $(LIBOBJ) -+ $(RANLIB) $(BLIB) - - test: test_main.o $(BLIB) - $(CC) -o $@ $^ diff --git a/package/strongswan/patches/110-make-ipsec.patch b/package/strongswan/patches/110-make-ipsec.patch deleted file mode 100644 index 0d2a4e6fb1..0000000000 --- a/package/strongswan/patches/110-make-ipsec.patch +++ /dev/null @@ -1,11 +0,0 @@ -Index: strongswan-2.8.2/programs/ipsec/Makefile -=================================================================== ---- strongswan-2.8.2.orig/programs/ipsec/Makefile 2007-06-04 13:23:04.756010872 +0200 -+++ strongswan-2.8.2/programs/ipsec/Makefile 2007-06-04 13:23:05.227939128 +0200 -@@ -24,5 +24,5 @@ - include ../Makefile.program - - install:: ipsec -- @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec -+ @$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec - diff --git a/package/strongswan/patches/120-make-pluto.patch b/package/strongswan/patches/120-make-pluto.patch deleted file mode 100644 index e0dd813bb7..0000000000 
--- a/package/strongswan/patches/120-make-pluto.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: strongswan-2.8.2/programs/pluto/alg/Makefile -=================================================================== ---- strongswan-2.8.2.orig/programs/pluto/alg/Makefile 2007-06-04 13:23:04.734014216 +0200 -+++ strongswan-2.8.2/programs/pluto/alg/Makefile 2007-06-04 13:23:05.416910400 +0200 -@@ -20,7 +20,7 @@ - include Config.ike_alg - - LIBCRYPTO:=../../../lib/libcrypto --ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO) -+ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE) - LIBALG := libalg.o - - all : $(LIBALG) diff --git a/package/strongswan/patches/130-make-starter.patch b/package/strongswan/patches/130-make-starter.patch deleted file mode 100644 index 93888ab6b6..0000000000 --- a/package/strongswan/patches/130-make-starter.patch +++ /dev/null @@ -1,21 +0,0 @@ -Index: strongswan-2.8.2/programs/starter/Makefile -=================================================================== ---- strongswan-2.8.2.orig/programs/starter/Makefile 2007-06-04 13:23:04.711017712 +0200 -+++ strongswan-2.8.2/programs/starter/Makefile 2007-06-04 13:23:06.227787128 +0200 -@@ -16,7 +16,6 @@ - FREESWANSRCDIR?=$(shell cd ../..; pwd) - include ${FREESWANSRCDIR}/Makefile.inc - --LD=$(CC) - RM=rm - LEX=flex - BISON=bison -@@ -59,7 +58,7 @@ - all: starter - - starter: $(OBJS) $(FREESWANLIB) -- $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS) -+ $(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS) - - lex.yy.c: parser.tab.c parser.l parser.y parser.h - $(LEX) parser.l diff --git a/package/strongswan/patches/200-wakeup-showstatus.patch b/package/strongswan/patches/200-wakeup-showstatus.patch deleted file mode 100644 index 731f83c2e0..0000000000 --- a/package/strongswan/patches/200-wakeup-showstatus.patch +++ /dev/null 
@@ -1,234 +0,0 @@ -Index: strongswan-2.8.2/programs/Makefile -=================================================================== ---- strongswan-2.8.2.orig/programs/Makefile 2007-06-04 13:23:04.661025312 +0200 -+++ strongswan-2.8.2/programs/Makefile 2007-06-04 13:23:06.414758704 +0200 -@@ -22,7 +22,7 @@ - SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark - SUBDIRS+=auto barf ipsec look manual ranbits secrets starter - SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey --SUBDIRS+=ikeping examples openac scepclient -+SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup - - ifeq ($(USE_LWRES),true) - SUBDIRS+=lwdnsq -Index: strongswan-2.8.2/programs/_showstatus/Makefile -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ strongswan-2.8.2/programs/_showstatus/Makefile 2007-06-04 13:23:06.414758704 +0200 -@@ -0,0 +1,22 @@ -+# Makefile for miscelaneous programs -+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -+# -+# This program is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at your -+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# for more details. -+# -+# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $ -+ -+FREESWANSRCDIR=../.. 
-+include ${FREESWANSRCDIR}/Makefile.inc -+ -+PROGRAM=_showstatus -+PROGRAMDIR=${LIBDIR} -+ -+include ../Makefile.program -Index: strongswan-2.8.2/programs/_showstatus/_showstatus.8 -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ strongswan-2.8.2/programs/_showstatus/_showstatus.8 2007-06-04 13:23:06.414758704 +0200 -@@ -0,0 +1,23 @@ -+.TH _showstatus 8 "03 Feb 2007" -+.\" -+.\" RCSID $Id: _showstatus.8 -+.\" -+.SH NAME -+ipsec _showstatus \- give state feedback via led or other method -+.SH SYNOPSIS -+.I _showstatus -+is invoked by _updown to trigger led's, or other distribution -+or platform specific behavior. Presently, the SES button is -+supported as a status light on OpenWRT platforms. The button -+is configurable by environment variable: -+-B IPSEC_STATUS_LED_START -+defaults to ses_orange, and -+-B IPSEC_STATUS_LED_VALID -+defaults to ses_white. -+.SH "SEE ALSO" -+ipsec(8), ipsec_updown(8). -+.SH HISTORY -+Man page written for the Linux strongSwan project <http://www.strongswan.org/> -+by Kevin Cody Jr. Original manpage for _updown by Michael Richardson. -+Original program written by Henry Spencer. Extended for the Linux strongSwan -+project <http://www.strongswan.org/> by Andreas Steffen. -Index: strongswan-2.8.2/programs/_showstatus/_showstatus.in -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ strongswan-2.8.2/programs/_showstatus/_showstatus.in 2007-06-04 13:23:06.414758704 +0200 -@@ -0,0 +1,70 @@ -+#! /bin/sh -+# -+# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com> -+# -+# This program is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at your -+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 
-+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# for more details. -+# -+# RCSID $Id: _showstatus.in -+ -+ -+LED_START=$IPSEC_STATUS_LED_START -+LED_VALID=$IPSEC_STATUS_LED_VALID -+ -+[ -z "$LED_START" ] && LED_START="ses_orange" -+[ -z "$LED_VALID" ] && LED_VALID="ses_white" -+ -+ -+setled() { -+ led=$1 -+ st=$2 -+ -+ [ -n "$led" -a -n "$st" ] || return -+ -+ if [ -w "/proc/diag/led/$led" ] ; then -+ echo "$st" > "/proc/diag/led/$led" -+ fi -+ -+ # integrate other led control methods here -+ -+} -+ -+ -+case "$1" in -+ 'start') -+ [ -n "$LED_VALID" ] && setled "$LED_START" 1 -+ [ -z "$LED_VALID" ] && setled "$LED_START" f -+ setled "$LED_VALID" 0 -+ ;; -+ 'stop') -+ setled "$LED_START" 0 -+ setled "$LED_VALID" 0 -+ ;; -+ 'valid') -+ setled "$LED_VALID" 1 -+ ;; -+ 'invalid') -+ setled "$LED_VALID" 0 -+ ;; -+ 'up') -+ [ -n "$LED_VALID" ] && setled "$LED_START" 0 -+ [ -z "$LED_VALID" ] && setled "$LED_START" 1 -+ setled "$LED_VALID" 1 -+ ;; -+ 'down') -+ [ -n "$LED_VALID" ] && setled "$LED_START" 1 -+ [ -z "$LED_VALID" ] && setled "$LED_START" f -+ setled "$LED_VALID" f -+ ;; -+ *) -+ echo "$0: unknown status $status" >&2 -+ ;; -+esac -+ -Index: strongswan-2.8.2/programs/wakeup/Makefile -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ strongswan-2.8.2/programs/wakeup/Makefile 2007-06-04 13:23:06.415758552 +0200 -@@ -0,0 +1,22 @@ -+# Makefile for miscelaneous programs -+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> -+# -+# This program is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at your -+# option) any later version. 
See <http://www.fsf.org/copyleft/gpl.txt>. -+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# for more details. -+# -+# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $ -+ -+FREESWANSRCDIR=../.. -+include ${FREESWANSRCDIR}/Makefile.inc -+ -+PROGRAM=wakeup -+PROGRAMDIR=${LIBDIR} -+ -+include ../Makefile.program -Index: strongswan-2.8.2/programs/wakeup/wakeup.8 -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ strongswan-2.8.2/programs/wakeup/wakeup.8 2007-06-04 13:23:06.415758552 +0200 -@@ -0,0 +1,16 @@ -+.TH wakeup 8 "03 Feb 2007" -+.\" -+.\" RCSID $Id: wakeup.8 -+.\" -+.SH NAME -+ipsec wakeup \- stalled and down connection detection -+.SH SYNOPSIS -+.I wakeup -+is invoked by cron and checks ipsec status, whacking as necessary. -+.SH "SEE ALSO" -+ipsec(8), ipsec_whack(8). -+.SH HISTORY -+Man page written for the Linux strongSwan project <http://www.strongswan.org/> -+by Kevin Cody Jr. Original manpage for _updown by Michael Richardson. -+Original program written by Henry Spencer. Extended for the Linux strongSwan -+project <http://www.strongswan.org/> by Andreas Steffen. -Index: strongswan-2.8.2/programs/wakeup/wakeup.in -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ strongswan-2.8.2/programs/wakeup/wakeup.in 2007-06-04 13:23:06.415758552 +0200 -@@ -0,0 +1,38 @@ -+#! /bin/sh -+# wakeup script -+# -+# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com> -+# -+# This program is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at your -+# option) any later version. 
See <http://www.fsf.org/copyleft/gpl.txt>. -+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# for more details. -+# -+ -+# only applicable when ipsec is running -+[ -e /var/run/pluto.pid ] || exit -+ -+# loop through any erouted tunnels in the HOLD state -+for f in `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do -+ -+ # only whack if no pending events at all exists -+ ipsec status | grep STATE | grep -q $f || -+ ipsec whack --name $f --initiate --asynchronous -+ -+done -+ -+# loop through any tunnels that don't quite exist -+for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do -+ -+ ipsec status | grep STATE_QUICK | grep -q $f || { -+ ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f -+ ipsec up $f -+ } -+ -+done -+ diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch deleted file mode 100644 index d546625316..0000000000 --- a/package/strongswan/patches/210-updown.patch +++ /dev/null 
@@ -1,662 +0,0 @@ -Index: strongswan-2.8.2/programs/_updown/_updown.8 -=================================================================== ---- strongswan-2.8.2.orig/programs/_updown/_updown.8 2007-06-04 13:23:04.632029720 +0200 -+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-06-04 13:23:06.656721920 +0200 -@@ -8,8 +8,23 @@ - .I _updown - is invoked by pluto when it has brought up a new connection. This script - is used to insert the appropriate routing entries for IPsec operation. --It can also be used to insert and delete dynamic iptables firewall rules. --The interface to the script is documented in the pluto man page. -+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT! -+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD -+tables. Most distributions will want to change that to provide more -+flexibility in their firewall configuration. -+The script looks for the environment variables -+.B IPSEC_UPDOWN_RULE_IN -+for the iptables table it should insert into, -+.B IPSEC_UPDOWN_DEST_IN -+for where the rule should -j jump to, -+.B IPSEC_UPDOWN_RULE_OUT -+.B IPSEC_UPDOWN_DEST_OUT -+for the same on outgoing packets, and -+.B IPSEC_UPDOWN_FWD_RULE_IN -+.B IPSEC_UPDOWN_FWD_DEST_IN -+.B IPSEC_UPDOWN_FWD_RULE_OUT -+.B IPSEC_UPDOWN_FWD_DEST_OUT -+respectively for packets being forwarded to/from the local networks. - .SH "SEE ALSO" - ipsec(8), ipsec_pluto(8). 
- .SH HISTORY -Index: strongswan-2.8.2/programs/_updown/_updown.in -=================================================================== ---- strongswan-2.8.2.orig/programs/_updown/_updown.in 2007-06-04 13:23:04.642028200 +0200 -+++ strongswan-2.8.2/programs/_updown/_updown.in 2007-06-04 13:23:06.657721768 +0200 -@@ -5,6 +5,7 @@ - # Copyright (C) 2003-2004 Tuomo Soini - # Copyright (C) 2002-2004 Michael Richardson - # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org> -+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com> - # - # This program is free software; you can redistribute it and/or modify it - # under the terms of the GNU General Public License as published by the -@@ -118,20 +119,61 @@ - # restricted on the peer side. - # - --# uncomment to log VPN connections --VPN_LOGGING=1 --# -+# set to /bin/true to silence log messages -+LOGGER=logger -+ - # tag put in front of each log entry: - TAG=vpn --# -+ - # syslog facility and priority used: --FAC_PRIO=local0.notice --# --# to create a special vpn logging file, put the following line into --# the syslog configuration file /etc/syslog.conf: --# --# local0.notice -/var/log/vpn --# -+FAC_PRIO=authpriv.info -+ -+ -+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then -+ IPSEC_POLICY_IN="" -+ IPSEC_POLICY_OUT="" -+else -+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" -+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -+fi -+ -+# are there port numbers? 
-+if [ "$PLUTO_MY_PORT" != 0 ] ; then -+ S_MY_PORT="--sport $PLUTO_MY_PORT" -+ D_MY_PORT="--dport $PLUTO_MY_PORT" -+fi -+ -+if [ "$PLUTO_PEER_PORT" != 0 ] ; then -+ S_PEER_PORT="--sport $PLUTO_PEER_PORT" -+ D_PEER_PORT="--dport $PLUTO_PEER_PORT" -+fi -+ -+# import firewall behavior -+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN -+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN -+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT -+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT -+ -+# import forwarding behavior -+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN -+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN -+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT -+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT -+ -+# default firewall behavior -+[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT -+[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT -+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT -+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT -+ -+# default forwarding behavior -+[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD -+[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT -+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD -+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT -+ - - # check interface version - case "$PLUTO_VERSION" in -@@ -150,8 +192,6 @@ - case "$1:$*" in - ':') # no parameters - ;; --iptables:iptables) # due to (left/right)firewall; for default script only -- ;; - custom:*) # custom parameters (see above CAUTION comment) - ;; - *) echo "$0: unknown parameters \`$*'" >&2 -@@ -159,345 +199,307 @@ - ;; - esac - -+ - # utility functions for route manipulation - # Meddling with this stuff should not be necessary and requires great care. 
-+ - uproute() { - doroute add - ip route flush cache - } -+ - downroute() { - doroute delete - ip route flush cache - } - -+upfirewall() { -+ in_rule=$1 -+ in_dest=$2 -+ out_rule=$3 -+ out_dest=$4 -+ -+ [ -n "$in_rule" -a -n "$in_dest" ] && \ -+ iptables -I $in_rule 1 \ -+ -i $PLUTO_INTERFACE \ -+ -p $PLUTO_MY_PROTOCOL \ -+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -+ -d $PLUTO_MY_CLIENT $D_MY_PORT \ -+ $IPSEC_POLICY_IN \ -+ -j $in_dest -+ -+ [ -n "$out_rule" -a -n "$out_dest" ] && \ -+ iptables -I $out_rule 1 \ -+ -o $PLUTO_INTERFACE \ -+ -p $PLUTO_PEER_PROTOCOL \ -+ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -+ $IPSEC_POLICY_OUT \ -+ -j $out_dest -+ -+} -+ -+downfirewall() { -+ in_rule=$1 -+ in_dest=$2 -+ out_rule=$3 -+ out_dest=$4 -+ -+ [ -n "$in_rule" -a -n "$in_dest" ] && \ -+ iptables -D $in_rule \ -+ -i $PLUTO_INTERFACE \ -+ -p $PLUTO_MY_PROTOCOL \ -+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -+ -d $PLUTO_MY_CLIENT $D_MY_PORT \ -+ $IPSEC_POLICY_IN \ -+ -j $in_dest -+ -+ [ -n "$out_rule" -a -n "$out_dest" ] && \ -+ iptables -D $out_rule \ -+ -o $PLUTO_INTERFACE \ -+ -p $PLUTO_PEER_PROTOCOL \ -+ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ -+ $IPSEC_POLICY_OUT \ -+ -j $out_dest -+ -+} -+ - addsource() { - st=0 -- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local -- then -+ -+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then -+ - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? 
-- if test " $oops" = " " -a " $st" != " 0" -- then -+ -+ if [ " $oops" = " " -a " $st" != " 0" ] ; then - oops="silent error, exit status $st" - fi -- if test " $oops" != " " -o " $st" != " 0" -- then -+ -+ if [ " $oops" != " " -o " $st" != " 0" ] ; then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi -+ - return $st - } - - doroute() { - st=0 - parms="$PLUTO_PEER_CLIENT" -+ parms2="dev $PLUTO_INTERFACE" - -- parms2= -- if [ -n "$PLUTO_NEXT_HOP" ] -- then -- parms2="via $PLUTO_NEXT_HOP" -- fi -- parms2="$parms2 dev $PLUTO_INTERFACE" -- -- if [ -z "$PLUTO_MY_SOURCEIP" ] -- then -- if [ -f /etc/sysconfig/defaultsource ] -- then -- . /etc/sysconfig/defaultsource -- fi -+ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then - -- if [ -f /etc/conf.d/defaultsource ] -- then -- . /etc/conf.d/defaultsource -- fi -+ [ -f /etc/sysconfig/defaultsource ] && \ -+ . /etc/sysconfig/defaultsource -+ -+ [ -f /etc/conf.d/defaultsource ] && \ -+ . /etc/conf.d/defaultsource -+ -+ [ -n "$DEFAULTSOURCE" ] && \ -+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - -- if [ -n "$DEFAULTSOURCE" ] -- then -- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE -- fi - fi - - parms3= -- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" -- then -+ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then - addsource - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" - fi - -- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in -- "0.0.0.0/0.0.0.0") -+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \ -+ "0.0.0.0/0.0.0.0" ] ; then - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. -- it="ip route $1 0.0.0.0/1 $parms2 $parms3 && -- ip route $1 128.0.0.0/1 $parms2 $parms3" -- ;; -- *) it="ip route $1 $parms $parms2 $parms3" -- ;; -- esac -+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 && -+ ip route $1 128.0.0.0/1 $parms2 $parms3" -+ else -+ it="ip route $1 $parms $parms2 $parms3" -+ fi -+ - oops="`eval $it 2>&1`" - st=$? 
-- if test " $oops" = " " -a " $st" != " 0" -- then -- oops="silent error, exit status $st" -- fi -- if test " $oops" != " " -o " $st" != " 0" -- then -- echo "$0: doroute \`$it' failed ($oops)" >&2 -+ -+ if [ " $oops" = " " -a " $st" != " 0" ] ; then -+ oops="silent error, exit status $st" - fi -+ -+ if [ " $oops" != " " -o " $st" != " 0" ] ; then -+ echo "$0: doroute \`$it' failed ($oops)" >&2 -+ fi -+ - return $st - } -- --# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY --if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] --then -- IPSEC_POLICY_IN="" -- IPSEC_POLICY_OUT="" --else -- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" -- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" --fi - --# are there port numbers? --if [ "$PLUTO_MY_PORT" != 0 ] --then -- S_MY_PORT="--sport $PLUTO_MY_PORT" -- D_MY_PORT="--dport $PLUTO_MY_PORT" --fi --if [ "$PLUTO_PEER_PORT" != 0 ] --then -- S_PEER_PORT="--sport $PLUTO_PEER_PORT" -- D_PEER_PORT="--dport $PLUTO_PEER_PORT" --fi -+dologentry() { -+ action=$1 -+ -+ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then -+ rem="$PLUTO_PEER" -+ else -+ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER" -+ fi -+ -+ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then -+ loc="$PLUTO_ME" -+ else -+ loc="$PLUTO_ME == $PLUTO_MY_CLIENT" -+ fi -+ -+ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)" -+} -+ - - # the big choice -+ - case "$PLUTO_VERB:$1" in - prepare-host:*|prepare-client:*) - # delete possibly-existing route (preliminary to adding a route) -- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in -- "0.0.0.0/0.0.0.0") -- # need to provide route that eclipses default, without -+ -+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \ -+ "0.0.0.0/0.0.0.0" ] ; then -+ # need to remove the route that eclipses default, without - # replacing it. 
-- parms1="0.0.0.0/1" -- parms2="128.0.0.0/1" -- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" -- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" -- ;; -- *) -- parms="$PLUTO_PEER_CLIENT" -- it="ip route delete $parms 2>&1" -- oops="`ip route delete $parms 2>&1`" -- ;; -- esac -- status="$?" -- if test " $oops" = " " -a " $status" != " 0" -- then -- oops="silent error, exit status $status" -+ it="( ip route delete 0.0.0.0/1 ; -+ ip route delete 128.0.0.0/1 )" -+ else -+ it="ip route delete $PLUTO_PEER_CLIENT" -+ fi -+ -+ oops="`$it 2>&1`" -+ st="$?" -+ -+ if [ " $oops" = " " -a " $st" != " 0" ] ; then -+ oops="silent error, exit status $st" - fi -+ - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= -- status=0 -+ st=0 - ;; - esac -- if test " $oops" != " " -o " $status" != " 0" -- then -+ -+ if [ " $oops" != " " -o " $st" != " 0" ] ; then - echo "$0: \`$it' failed ($oops)" >&2 - fi -- exit $status -+ -+ exit $st -+ - ;; - route-host:*|route-client:*) - # connection to me or my client subnet being routed -+ -+ ipsec _showstatus valid - uproute -+ - ;; - unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted -+ -+ ipsec _showstatus invalid - downroute -+ - ;; --up-host:) -+up-host:*) - # connection to me coming up -- # If you are doing a custom version, firewall commands go here. -+ -+ ipsec _showstatus up -+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT -+ dologentry "VPN-UP" -+ - ;; --down-host:) -+down-host:*) - # connection to me going down -- # If you are doing a custom version, firewall commands go here. -- ;; --up-client:) -- # connection to my client subnet coming up -- # If you are doing a custom version, firewall commands go here. 
-- ;; --down-client:) -- # connection to my client subnet going down -- # If you are doing a custom version, firewall commands go here. -+ -+ ipsec _showstatus down -+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT -+ dologentry "VPN-DN" -+ - ;; --up-host:iptables) -- # connection to me, with (left/right)firewall=yes, coming up -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. -- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT -- # -- # log IPsec host connection setup -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" -- else -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -- fi -- fi -- ;; --down-host:iptables) -- # connection to me, with (left/right)firewall=yes, going down -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. 
-- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT -- # -- # log IPsec host connection teardown -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" -- else -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" -- fi -- fi -- ;; --up-client:iptables) -- # connection to client subnet, with (left/right)firewall=yes, coming up -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. -- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] -- then -- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -+up-client:*) -+ # connection to client subnet coming up -+ -+ ipsec _showstatus up -+ -+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \ -+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then -+ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT - fi -- # -+ - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed -- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] -- then -- iptables -I INPUT 1 
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- fi -- # -- # log IPsec client connection setup -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -- else -- logger -t $TAG -p $FAC_PRIO \ -- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -- fi -- fi -- ;; --down-client:iptables) -- # connection to client subnet, with (left/right)firewall=yes, going down -- # This is used only by the default updown script, not by your custom -- # ones, so do not mess with it; see CAUTION comment up at top. 
-- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] -- then -- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then -+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT -+ fi -+ -+ dologentry "VPN-UP" -+ -+ ;; -+down-client:*) -+ # connection to client subnet going down -+ -+ ipsec _showstatus down -+ -+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \ -+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then -+ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT - fi -- # -+ - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed -- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] -- then -- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ -- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ -- $IPSEC_POLICY_IN -j ACCEPT -- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ -- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ -- $IPSEC_POLICY_OUT -j ACCEPT -- fi -- # -- # log IPsec client connection teardown -- if [ $VPN_LOGGING ] -- then -- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] -- then -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" -- else -- logger -t $TAG -p $FAC_PRIO -- \ -- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- 
$PLUTO_ME == $PLUTO_MY_CLIENT" -- fi -+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then -+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT - fi -+ -+ dologentry "VPN-DN" -+ - ;; --# --# IPv6 --# - prepare-host-v6:*|prepare-client-v6:*) -+ - ;; - route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed -+ - #uproute_v6 -+ - ;; - unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted -+ - #downroute_v6 -+ - ;; - up-host-v6:*) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. -+ - ;; - down-host-v6:*) - # connection to me going down - # If you are doing a custom version, firewall commands go here. -+ - ;; - up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. -+ - ;; - down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. -+ - ;; --*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 -+*) -+ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 -+ - ;; - esac -+ diff --git a/package/strongswan/patches/300-openwrt.patch b/package/strongswan/patches/300-openwrt.patch deleted file mode 100644 index e249a8d613..0000000000 --- a/package/strongswan/patches/300-openwrt.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -Index: strongswan-2.8.2/Makefile.inc -=================================================================== ---- strongswan-2.8.2.orig/Makefile.inc 2007-06-04 13:23:04.604033976 +0200 -+++ strongswan-2.8.2/Makefile.inc 2007-06-04 13:23:06.855691672 +0200 -@@ -123,7 +123,7 @@ - # With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the - # INC_RCDIRS directories has been pre-created under DESTDIR. - INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d --INC_RCDEFAULT=/etc/rc.d/init.d -+INC_RCDEFAULT=/etc/init.d - - # RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think - # will finally be (so utils/Makefile can create a symlink in BINDIR to the -Index: strongswan-2.8.2/programs/showhostkey/showhostkey.in -=================================================================== ---- strongswan-2.8.2.orig/programs/showhostkey/showhostkey.in 2007-06-04 13:23:04.612032760 +0200 -+++ strongswan-2.8.2/programs/showhostkey/showhostkey.in 2007-06-04 13:23:06.855691672 +0200 -@@ -62,7 +62,7 @@ - exit 1 - fi - --host="`hostname --fqdn`" -+host="`cat /proc/sys/kernel/hostname`" - - awk ' BEGIN { - inkey = 0 diff --git a/package/strongswan/patches/310-make-ipsec-alg.patch b/package/strongswan/patches/310-make-ipsec-alg.patch deleted file mode 100644 index d5fad3d3e0..0000000000 --- a/package/strongswan/patches/310-make-ipsec-alg.patch +++ /dev/null 
@@ -1,19 +0,0 @@
-Index: strongswan-2.8.2/linux/net/ipsec/alg/Makefile.alg_cryptoapi
-===================================================================
---- strongswan-2.8.2.orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-06-04 13:23:04.583037168 +0200
-+++ strongswan-2.8.2/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-06-04 13:23:07.053661576 +0200
-@@ -1,10 +1,10 @@
- MOD_CRYPTOAPI := ipsec_cryptoapi.o
- 
- ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
--ALG_MODULES += $(MOD_CRYPTOAPI)
--obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
--static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
--alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
-+#ALG_MODULES += $(MOD_CRYPTOAPI)
-+#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
-+#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
-+#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
- else
- $(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
- endif
diff --git a/package/strongswan/patches/320-no-modprobe.patch b/package/strongswan/patches/320-no-modprobe.patch
deleted file mode 100644
index d8c3648baf..0000000000
--- a/package/strongswan/patches/320-no-modprobe.patch
+++ /dev/null
@@ -1,108 +0,0 @@ -Index: strongswan-2.8.2/programs/starter/klips.c -=================================================================== ---- strongswan-2.8.2.orig/programs/starter/klips.c 2007-06-04 13:23:04.544043096 +0200 -+++ strongswan-2.8.2/programs/starter/klips.c 2007-06-04 13:23:07.238633456 +0200 -@@ -44,7 +44,7 @@ - unsetenv("MODPATH"); - unsetenv("MODULECONF"); - system("depmod -a >/dev/null 2>&1"); -- system("modprobe -qv ipsec"); -+ system("insmod -qv ipsec"); - } - if (stat(PROC_IPSECVERSION, &stb) == 0) - { -@@ -62,11 +62,11 @@ - /* make sure that all available crypto algorithms are loaded */ - if (stat(PROC_MODULES, &stb) == 0) - { -- system("modprobe -qv ipsec_aes"); -- system("modprobe -qv ipsec_serpent"); -- system("modprobe -qv ipsec_twofish"); -- system("modprobe -qv ipsec_blowfish"); -- system("modprobe -qv ipsec_sha2"); -+ system("insmod -qv ipsec_aes"); -+ system("insmod -qv ipsec_serpent"); -+ system("insmod -qv ipsec_twofish"); -+ system("insmod -qv ipsec_blowfish"); -+ system("insmod -qv ipsec_sha2"); - } - - starter_klips_clear(); -Index: strongswan-2.8.2/programs/starter/netkey.c -=================================================================== ---- strongswan-2.8.2.orig/programs/starter/netkey.c 2007-06-04 13:23:04.551042032 +0200 -+++ strongswan-2.8.2/programs/starter/netkey.c 2007-06-04 13:23:07.238633456 +0200 -@@ -36,7 +36,7 @@ - /* af_key module makes the netkey proc interface visible */ - if (stat(PROC_MODULES, &stb) == 0) - { -- system("modprobe -qv af_key"); -+ system("insmod -qv af_key"); - } - - /* now test again */ -@@ -52,11 +52,11 @@ - /* make sure that all required IPsec modules are loaded */ - if (stat(PROC_MODULES, &stb) == 0) - { -- system("modprobe -qv ah4"); -- system("modprobe -qv esp4"); -- system("modprobe -qv ipcomp"); -- system("modprobe -qv xfrm4_tunnel"); -- system("modprobe -qv xfrm_user"); -+ system("insmod -qv ah4"); -+ system("insmod -qv esp4"); -+ system("insmod -qv ipcomp"); -+ system("insmod -qv 
xfrm4_tunnel"); -+ system("insmod -qv xfrm_user"); - } - - DBG(DBG_CONTROL, -Index: strongswan-2.8.2/programs/_startklips/_startklips.in -=================================================================== ---- strongswan-2.8.2.orig/programs/_startklips/_startklips.in 2007-06-04 13:23:04.560040664 +0200 -+++ strongswan-2.8.2/programs/_startklips/_startklips.in 2007-06-04 13:23:07.238633456 +0200 -@@ -249,7 +249,7 @@ - - if test ! -f $ipsecversion && test ! -f $netkey - then -- modprobe -v af_key -+ insmod -v af_key - fi - - if test -f $netkey -@@ -257,11 +257,11 @@ - klips=false - if test -f $modules - then -- modprobe -qv ah4 -- modprobe -qv esp4 -- modprobe -qv ipcomp -- modprobe -qv xfrm4_tunnel -- modprobe -qv xfrm_user -+ insmod -qv ah4 -+ insmod -qv esp4 -+ insmod -qv ipcomp -+ insmod -qv xfrm4_tunnel -+ insmod -qv xfrm_user - fi - fi - -@@ -272,7 +272,7 @@ - setmodule - unset MODPATH MODULECONF # no user overrides! - depmod -a >/dev/null 2>&1 -- modprobe -v ipsec -+ insmod -v ipsec - fi - if test ! -f $ipsecversion - then -@@ -288,7 +288,7 @@ - do - if test -f $moduleinstplace/alg/ipsec_$alg.o - then -- modprobe ipsec_$alg -+ insmod ipsec_$alg - fi - done - fi diff --git a/package/strongswan/patches/350-make-programs.patch b/package/strongswan/patches/350-make-programs.patch deleted file mode 100644 index aba957754f..0000000000 --- a/package/strongswan/patches/350-make-programs.patch +++ /dev/null 
@@ -1,21 +0,0 @@
-Index: strongswan-2.8.2/programs/Makefile
-===================================================================
---- strongswan-2.8.2.orig/programs/Makefile 2007-06-04 13:23:06.414758704 +0200
-+++ strongswan-2.8.2/programs/Makefile 2007-06-04 13:23:07.444602144 +0200
-@@ -17,12 +17,10 @@
- FREESWANSRCDIR=..
- include ${FREESWANSRCDIR}/Makefile.inc
- 
--SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
--SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
--SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
--SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
--SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
--SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
-+SUBDIRS=_copyright _updown _showstatus wakeup examples
-+SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
-+SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
-+SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
- 
- ifeq ($(USE_LWRES),true)
- SUBDIRS+=lwdnsq |