From bad2b51ce3b677cfc120afbb632ec9a0b37b7abe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= Date: Fri, 24 Jan 2020 00:25:31 +0100 Subject: [PATCH] Add dmvpn termination patch --- ...E_SA-limit-when-checking-out-by-conf.patch | 2 +- ...nal-source-and-remote-overrides-for-.patch | 2 +- ...-send-certificates-for-ike-sa-events.patch | 2 +- ...port-for-individual-sa-state-changes.patch | 2 +- ...-vici-add-deprecated-async-parameter.patch | 2 +- 0006-support-gre-key-in-ikev1.patch | 2 +- ...os-terminate-connections-source-dest.patch | 124 ++++++++++++++++++ strongswan.spec | 5 +- 8 files changed, 133 insertions(+), 8 deletions(-) create mode 100644 0007-vyos-terminate-connections-source-dest.patch diff --git a/0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch b/0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch index cf0e427..7df6530 100644 --- a/0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch +++ b/0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch @@ -1,7 +1,7 @@ From 4904344754c2884e36b40532a8b65229c3355ff6 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 17 Jul 2015 11:53:58 +0200 -Subject: [PATCH 1/6] ike: Adhere to IKE_SA limit when checking out by config +Subject: [PATCH 1/7] ike: Adhere to IKE_SA limit when checking out by config This prevents new SAs from getting created if we hit the global IKE_SA limit (we still allow checkout_new(), which is used for rekeying). diff --git a/0002-charon-add-optional-source-and-remote-overrides-for-.patch b/0002-charon-add-optional-source-and-remote-overrides-for-.patch index f3de584..697f42b 100644 --- a/0002-charon-add-optional-source-and-remote-overrides-for-.patch +++ b/0002-charon-add-optional-source-and-remote-overrides-for-.patch @@ -1,7 +1,7 @@ From bc5cee05ee42b7566ed3539546757c3183aa7053 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Sep 2015 13:41:58 +0300 -Subject: [PATCH 2/6] charon: add optional source and remote overrides for +Subject: [PATCH 2/7] charon: add optional source and remote overrides for initiate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/0003-vici-send-certificates-for-ike-sa-events.patch b/0003-vici-send-certificates-for-ike-sa-events.patch index 08b1de1..f57338b 100644 --- a/0003-vici-send-certificates-for-ike-sa-events.patch +++ b/0003-vici-send-certificates-for-ike-sa-events.patch @@ -1,7 +1,7 @@ From 0220ba579f8df26f90a1152f115f2a339a755708 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Sep 2015 13:42:05 +0300 -Subject: [PATCH 3/6] vici: send certificates for ike-sa events +Subject: [PATCH 3/7] vici: send certificates for ike-sa events MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0004-vici-add-support-for-individual-sa-state-changes.patch b/0004-vici-add-support-for-individual-sa-state-changes.patch index 6886bc1..56a714e 100644 --- a/0004-vici-add-support-for-individual-sa-state-changes.patch +++ b/0004-vici-add-support-for-individual-sa-state-changes.patch @@ -1,7 +1,7 @@ From 5ad4fd199b718d8281021a6e31d682872b59a34c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Sep 2015 13:42:11 +0300 -Subject: [PATCH 4/6] vici: add support for individual sa state changes +Subject: [PATCH 4/7] vici: add support for individual sa state changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0005-vici-add-deprecated-async-parameter.patch b/0005-vici-add-deprecated-async-parameter.patch index 5a1e1b8..09b934b 100644 --- a/0005-vici-add-deprecated-async-parameter.patch +++ b/0005-vici-add-deprecated-async-parameter.patch @@ -1,7 +1,7 @@ From b251c17bfba838ee565a4f4af35b249024e35e77 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Sep 2015 13:42:15 +0300 -Subject: [PATCH 5/6] vici: add (deprecated) async parameter +Subject: [PATCH 5/7] vici: add (deprecated) async parameter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/0006-support-gre-key-in-ikev1.patch b/0006-support-gre-key-in-ikev1.patch index de901f7..a372e3c 100644 --- a/0006-support-gre-key-in-ikev1.patch +++ b/0006-support-gre-key-in-ikev1.patch @@ -1,7 +1,7 @@ From b2e130f8ce765d5bd0f12ad16ef2434c820c11b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Mon, 21 Sep 2015 13:42:18 +0300 -Subject: [PATCH 6/6] support gre key in ikev1 +Subject: [PATCH 6/7] support gre key in ikev1 this implements gre key negotiation in ikev1 similarly to the ipsec-tools patch in alpine. diff --git a/0007-vyos-terminate-connections-source-dest.patch b/0007-vyos-terminate-connections-source-dest.patch new file mode 100644 index 0000000..65bb877 --- /dev/null +++ b/0007-vyos-terminate-connections-source-dest.patch 
@@ -0,0 +1,124 @@
+From 4e0a88132b5e3e99b250d044f4434702cae2abaa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?=
+Date: Wed, 22 Jan 2020 13:12:39 +0100
+Subject: [PATCH 7/7] vyos-terminate-connections-source-dest
+
+---
+ src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
+ src/swanctl/commands/terminate.c | 18 ++++++++++++++-
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
+index 718d14b3c..39da4a10d 100644
+--- a/src/libcharon/plugins/vici/vici_control.c
++++ b/src/libcharon/plugins/vici/vici_control.c
+@@ -269,12 +269,13 @@ CALLBACK(terminate, vici_message_t*,
+ private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+ {
+ enumerator_t *enumerator, *isas, *csas;
+- char *child, *ike, *errmsg = NULL;
++ char *child, *ike, *errmsg = NULL, *my_host_str, *other_host_str;
+ u_int child_id, ike_id, current, *del, done = 0;
+ bool force;
+ int timeout;
+ ike_sa_t *ike_sa;
+ child_sa_t *child_sa;
++ host_t *my_host = NULL, *other_host = NULL;
+ array_t *ids;
+ vici_builder_t *builder;
+ controller_cb_t log_cb = NULL;
+@@ -290,12 +291,23 @@ CALLBACK(terminate, vici_message_t*,
+ force = request->get_bool(request, FALSE, "force");
+ timeout = request->get_int(request, 0, "timeout");
+ log.level = request->get_int(request, 1, "loglevel");
++ my_host_str = request->get_str(request, NULL, "my-host");
++ other_host_str = request->get_str(request, NULL, "other-host");
+
+- if (!child && !ike && !ike_id && !child_id)
++ if (!child && !ike && !ike_id && !child_id && !my_host_str &&!other_host_str)
+ {
+ return send_reply(this, "missing terminate selector");
+ }
+-
++ if (my_host_str && !other_host_str || other_host_str && !my_host_str)
++ {
++ return send_reply(this, "missing source or remote");
++ }
++ else
++ {
++ my_host = host_create_from_string(my_host_str, 0);
++ other_host =
host_create_from_string(other_host_str, 0);
++ DBG1(DBG_CFG, "vici terminate with source me %H and other %H", my_host, other_host);
++ }
+ if (ike_id)
+ {
+ DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
+@@ -358,6 +370,15 @@ CALLBACK(terminate, vici_message_t*,
+ {
+ array_insert(ids, ARRAY_TAIL, &ike_id);
+ }
++ else if (my_host && other_host)
++ {
++ if (!my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)) || !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
++ {
++ continue;
++ }
++ current = ike_sa->get_unique_id(ike_sa);
++ array_insert(ids, ARRAY_TAIL, ¤t);
++ }
+ }
+ isas->destroy(isas);
+
+diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
+index 2309843b2..37d0bde3f 100644
+--- a/src/swanctl/commands/terminate.c
++++ b/src/swanctl/commands/terminate.c
+@@ -37,7 +37,7 @@ static int terminate(vici_conn_t *conn)
+ vici_req_t *req;
+ vici_res_t *res;
+ command_format_options_t format = COMMAND_FORMAT_NONE;
+- char *arg, *child = NULL, *ike = NULL;
++ char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
+ int ret = 0, timeout = 0, level = 1, child_id = 0, ike_id = 0;
+ bool force = FALSE;
+
+@@ -74,6 +74,12 @@ static int terminate(vici_conn_t *conn)
+ case 'l':
+ level = atoi(arg);
+ continue;
++ case 'S':
++ my_host = arg;
++ continue;
++ case 'R':
++ other_host = arg;
++ continue;
+ case EOF:
+ break;
+ default:
+@@ -109,6 +115,14 @@ static int terminate(vici_conn_t *conn)
+ {
+ vici_add_key_valuef(req, "force", "yes");
+ }
++ if (my_host)
++ {
++ vici_add_key_valuef(req, "my-host", "%s", my_host);
++ }
++ if (other_host)
++ {
++ vici_add_key_valuef(req, "other-host", "%s", other_host);
++ }
+ if (timeout)
+ {
+ vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
+@@ -155,6 +169,8 @@ static void __attribute__ ((constructor))reg()
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"child", 'c', 1, "terminate by CHILD_SA name"},
++ {"source", 'S', 1, "override source
address"}, ++ {"remote", 'R', 1, "override remote address"}, + {"ike", 'i', 1, "terminate by IKE_SA name"}, + {"child-id", 'C', 1, "terminate by CHILD_SA reqid"}, + {"ike-id", 'I', 1, "terminate by IKE_SA unique identifier"}, +-- +2.24.1 + diff --git a/strongswan.spec b/strongswan.spec index 98eac2e..f14a31a 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -3,7 +3,7 @@ Name: strongswan Version: 5.7.2 -Release: 3.nhrp%{?dist} +Release: 3.nhrp.2%{?dist} Summary: An OpenSource IPsec-based VPN and TNC solution License: GPLv2+ URL: http://www.strongswan.org/ @@ -17,6 +17,7 @@ Patch12: 0003-vici-send-certificates-for-ike-sa-events.patch Patch13: 0004-vici-add-support-for-individual-sa-state-changes.patch Patch14: 0005-vici-add-deprecated-async-parameter.patch Patch15: 0006-support-gre-key-in-ikev1.patch +Patch16: 0007-vyos-terminate-connections-source-dest.patch # only needed for pre-release versions #BuildRequires: autoconf automake @@ -94,7 +95,7 @@ PT-TLS to support TNC over TLS. %patch13 -p1 %patch14 -p1 %patch15 -p1 - +%patch16 -p1 %build # only for snapshots
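Review bot: In the vici_control.c part of the new 0007 patch, the `else` branch after the `"missing source or remote"` reply runs for every terminate request, including the ordinary by-name/by-id ones where both strings are NULL, so `host_create_from_string(NULL, 0)` is invoked twice (whether that tolerates NULL depends on code not shown here) and the `"vici terminate with source me %H and other %H"` line is logged at level 1 on each call; and when an address is supplied but fails to parse, the NULL result is never checked, so the request clears the selector check yet matches nothing in the later `else if (my_host && other_host)` and fails silently instead of returning an error. No part of the patch destroys the two `host_t` objects; the function's tail lies outside the hunk, but unless it frees them, every address-based terminate leaks two allocations, and `DESTROY_IF(my_host); DESTROY_IF(other_host);` after `isas->destroy(isas);`, which appears to be their last use, would close that. The restructuring below also replaces the `a && !b || b && !a` test, which gcc's -Wparentheses flags, with an explicit exclusive check. Separately, the swanctl option descriptions `"override source address"` / `"override remote address"` read as copied from the initiate command; for terminate, `"terminate by source address"` and `"terminate by remote address"` say what the options actually do.
```c
	/* … unchanged: get_str of "my-host"/"other-host", "missing terminate selector" check … */
	if ((my_host_str == NULL) != (other_host_str == NULL))
	{
		return send_reply(this, "missing source or remote");
	}
	if (my_host_str)
	{
		my_host = host_create_from_string(my_host_str, 0);
		other_host = host_create_from_string(other_host_str, 0);
		if (!my_host || !other_host)
		{
			DESTROY_IF(my_host);
			DESTROY_IF(other_host);
			return send_reply(this, "invalid source or remote address");
		}
		DBG1(DBG_CFG, "vici terminate with source me %H and other %H",
			 my_host, other_host);
	}
	/* … unchanged: ike_id / child_id / name selection and IKE_SA enumeration … */
	isas->destroy(isas);
	DESTROY_IF(my_host);
	DESTROY_IF(other_host);
```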