|
|
|
|
@@ -1,348 +0,0 @@
|
|
|
|
|
From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001
|
|
|
|
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
|
|
|
Date: Mon, 16 Jan 2023 19:38:17 +0100
|
|
|
|
|
Subject: [PATCH] Make manual paths follow build configuration
|
|
|
|
|
MIME-Version: 1.0
|
|
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
|
|
|
|
|
|
Use build-configured paths in manual pages instead of default values.
|
|
|
|
|
Makes easier customization to non-default values as done on Fedora for
|
|
|
|
|
example.
|
|
|
|
|
|
|
|
|
|
Squashed commit of the following:
|
|
|
|
|
|
|
|
|
|
commit e99de2aee9f26e3ab97d88902308107d9f048acd
|
|
|
|
|
Merge: 8effb06d6 29e324709
|
|
|
|
|
Author: Tobias Brunner <tobias@strongswan.org>
|
|
|
|
|
Date: Mon Jan 16 11:41:17 2023 +0100
|
|
|
|
|
|
|
|
|
|
Merge branch 'man-sysconfdir'
|
|
|
|
|
|
|
|
|
|
Closes strongswan/strongswan#1511
|
|
|
|
|
|
|
|
|
|
commit 29e32470974aea614c2486c2982767bd62670063
|
|
|
|
|
Author: Tobias Brunner <tobias@strongswan.org>
|
|
|
|
|
Date: Mon Jan 16 11:39:29 2023 +0100
|
|
|
|
|
|
|
|
|
|
swanctl: Don't use hard-coded path to sysconfdir
|
|
|
|
|
|
|
|
|
|
commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65
|
|
|
|
|
Author: Tobias Brunner <tobias@strongswan.org>
|
|
|
|
|
Date: Mon Jan 16 11:37:27 2023 +0100
|
|
|
|
|
|
|
|
|
|
conf: Add swanctl.conf and swanctl man pages to SEE ALSO
|
|
|
|
|
|
|
|
|
|
commit 7e43a5f3d28424abfb648b7afd24e25a042efd24
|
|
|
|
|
Author: Tobias Brunner <tobias@strongswan.org>
|
|
|
|
|
Date: Mon Jan 16 11:35:42 2023 +0100
|
|
|
|
|
|
|
|
|
|
conf: Replace hard-coded /etc where appropriate
|
|
|
|
|
|
|
|
|
|
Also document the actual value of ${sysconfdir}.
|
|
|
|
|
|
|
|
|
|
commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82
|
|
|
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
|
|
Date: Sun Jan 15 16:55:45 2023 +0100
|
|
|
|
|
|
|
|
|
|
man: Use configured path for config files in man pages
|
|
|
|
|
|
|
|
|
|
commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0
|
|
|
|
|
Author: Petr Menšík <pemensik@redhat.com>
|
|
|
|
|
Date: Sun Jan 15 16:17:07 2023 +0100
|
|
|
|
|
|
|
|
|
|
ipsec: Include IPSEC_CONFDIR variable replacement in man page
|
|
|
|
|
|
|
|
|
|
Fedora has chosena different default directory to avoid conflicts with
|
|
|
|
|
libreswan. Use ${sysconfdir} variable to provide the correct location.
|
|
|
|
|
---
|
|
|
|
|
conf/options/charon.opt | 4 ++--
|
|
|
|
|
conf/plugins/unbound.opt | 2 +-
|
|
|
|
|
conf/strongswan.conf.5.tail.in | 10 ++++++----
|
|
|
|
|
man/ipsec.conf.5.in | 22 +++++++++++-----------
|
|
|
|
|
man/ipsec.secrets.5.in | 8 ++++----
|
|
|
|
|
src/ipsec/Makefile.am | 1 +
|
|
|
|
|
src/ipsec/_ipsec.8.in | 20 ++++++++++----------
|
|
|
|
|
src/swanctl/swanctl.conf.5.tail.in | 2 +-
|
|
|
|
|
8 files changed, 36 insertions(+), 33 deletions(-)
|
|
|
|
|
|
|
|
|
|
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
|
|
|
|
|
index 00949222a..72efd17de 100644
|
|
|
|
|
--- a/conf/options/charon.opt
|
|
|
|
|
+++ b/conf/options/charon.opt
|
|
|
|
|
@@ -38,8 +38,8 @@ charon.cert_cache = yes
|
|
|
|
|
charon.cache_crls = no
|
|
|
|
|
Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
|
|
|
|
|
be saved under a unique file name derived from the public key of the
|
|
|
|
|
- Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
|
|
|
|
|
- **/etc/swanctl/x509crl** (vici), respectively.
|
|
|
|
|
+ Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
|
|
|
|
|
+ **${sysconfdir}/swanctl/x509crl** (vici), respectively.
|
|
|
|
|
|
|
|
|
|
charon.check_current_path = no
|
|
|
|
|
Whether to use DPD to check if the current path still works after any
|
|
|
|
|
diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
|
|
|
|
|
index f8ca9ca12..007797310 100644
|
|
|
|
|
--- a/conf/plugins/unbound.opt
|
|
|
|
|
+++ b/conf/plugins/unbound.opt
|
|
|
|
|
@@ -1,7 +1,7 @@
|
|
|
|
|
charon.plugins.unbound.resolv_conf = /etc/resolv.conf
|
|
|
|
|
File to read DNS resolver configuration from.
|
|
|
|
|
|
|
|
|
|
-charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
|
|
|
|
|
+charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
|
|
|
|
|
File to read DNSSEC trust anchors from (usually root zone KSK).
|
|
|
|
|
|
|
|
|
|
File to read DNSSEC trust anchors from (usually root zone KSK). The format
|
|
|
|
|
diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
|
|
|
|
|
index baad476d1..74bbd8eec 100644
|
|
|
|
|
--- a/conf/strongswan.conf.5.tail.in
|
|
|
|
|
+++ b/conf/strongswan.conf.5.tail.in
|
|
|
|
|
@@ -458,6 +458,7 @@ The variables used above are configured as follows:
|
|
|
|
|
.na
|
|
|
|
|
${piddir} @piddir@
|
|
|
|
|
${prefix} @prefix@
|
|
|
|
|
+${sysconfdir} @sysconfdir@
|
|
|
|
|
${random_device} @random_device@
|
|
|
|
|
${urandom_device} @urandom_device@
|
|
|
|
|
.ad
|
|
|
|
|
@@ -467,18 +468,19 @@ ${urandom_device} @urandom_device@
|
|
|
|
|
.
|
|
|
|
|
.nf
|
|
|
|
|
.na
|
|
|
|
|
-/etc/strongswan.conf configuration file
|
|
|
|
|
-/etc/strongswan.d/ directory containing included config snippets
|
|
|
|
|
-/etc/strongswan.d/charon/ plugin specific config snippets
|
|
|
|
|
+@sysconfdir@/strongswan.conf configuration file
|
|
|
|
|
+@sysconfdir@/strongswan.d/ directory containing included config snippets
|
|
|
|
|
+@sysconfdir@/strongswan.d/charon/ plugin specific config snippets
|
|
|
|
|
.ad
|
|
|
|
|
.fi
|
|
|
|
|
.
|
|
|
|
|
.SH SEE ALSO
|
|
|
|
|
+\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
|
|
|
|
|
\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
|
|
|
|
|
|
|
|
|
|
.SH HISTORY
|
|
|
|
|
Written for the
|
|
|
|
|
-.UR http://www.strongswan.org
|
|
|
|
|
+.UR https://www.strongswan.org
|
|
|
|
|
strongSwan project
|
|
|
|
|
.UE
|
|
|
|
|
by Tobias Brunner, Andreas Steffen and Martin Willi.
|
|
|
|
|
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
|
|
|
|
|
index ced12680f..4e256538e 100644
|
|
|
|
|
--- a/man/ipsec.conf.5.in
|
|
|
|
|
+++ b/man/ipsec.conf.5.in
|
|
|
|
|
@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
|
|
|
|
|
.BR leftcert " = <path>"
|
|
|
|
|
the path to the left participant's X.509 certificate. The file can be encoded
|
|
|
|
|
either in PEM or DER format. OpenPGP certificates are supported as well.
|
|
|
|
|
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
|
|
|
|
|
+Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
|
|
|
|
|
are accepted. By default
|
|
|
|
|
.B leftcert
|
|
|
|
|
sets
|
|
|
|
|
@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
|
|
|
|
|
the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
|
|
|
|
|
respectively.
|
|
|
|
|
Also accepted is the path to a file containing the public key in PEM, DER or SSH
|
|
|
|
|
-encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
|
|
|
|
|
+encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
|
|
|
|
|
are accepted.
|
|
|
|
|
.TP
|
|
|
|
|
.BR leftsendcert " = never | no | " ifasked " | always | yes"
|
|
|
|
|
@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
|
|
|
|
|
.SH "CA SECTIONS"
|
|
|
|
|
These are optional sections that can be used to assign special
|
|
|
|
|
parameters to a Certification Authority (CA). Because the daemons
|
|
|
|
|
-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
|
|
|
|
|
+automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
|
|
|
|
|
there is no need to explicitly add them with a CA section, unless you
|
|
|
|
|
want to assign special parameters (like a CRL) to a CA.
|
|
|
|
|
.TP
|
|
|
|
|
@@ -1235,7 +1235,7 @@ currently can have either the value
|
|
|
|
|
.TP
|
|
|
|
|
.BR cacert " = <path>"
|
|
|
|
|
defines a path to the CA certificate either relative to
|
|
|
|
|
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
|
|
|
|
|
+\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
|
|
|
|
|
.br
|
|
|
|
|
A value in the form
|
|
|
|
|
.B %smartcard[<slot nr>[@<module>]]:<keyid>
|
|
|
|
|
@@ -1284,7 +1284,7 @@ section are:
|
|
|
|
|
.BR cachecrls " = yes | " no
|
|
|
|
|
if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
|
|
|
|
|
be cached in
|
|
|
|
|
-.I /etc/ipsec.d/crls/
|
|
|
|
|
+.I @sysconfdir@/ipsec.d/crls/
|
|
|
|
|
under a unique file name derived from the certification authority's public key.
|
|
|
|
|
.TP
|
|
|
|
|
.BR charondebug " = <debug list>"
|
|
|
|
|
@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
|
|
|
|
|
|
|
|
|
|
.SH FILES
|
|
|
|
|
.nf
|
|
|
|
|
-/etc/ipsec.conf
|
|
|
|
|
-/etc/ipsec.d/aacerts
|
|
|
|
|
-/etc/ipsec.d/acerts
|
|
|
|
|
-/etc/ipsec.d/cacerts
|
|
|
|
|
-/etc/ipsec.d/certs
|
|
|
|
|
-/etc/ipsec.d/crls
|
|
|
|
|
+@sysconfdir@/ipsec.conf
|
|
|
|
|
+@sysconfdir@/ipsec.d/aacerts
|
|
|
|
|
+@sysconfdir@/ipsec.d/acerts
|
|
|
|
|
+@sysconfdir@/ipsec.d/cacerts
|
|
|
|
|
+@sysconfdir@/ipsec.d/certs
|
|
|
|
|
+@sysconfdir@/ipsec.d/crls
|
|
|
|
|
|
|
|
|
|
.SH SEE ALSO
|
|
|
|
|
strongswan.conf(5), ipsec.secrets(5), ipsec(8)
|
|
|
|
|
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
|
|
|
|
|
index 15e36faff..c54e1a18b 100644
|
|
|
|
|
--- a/man/ipsec.secrets.5.in
|
|
|
|
|
+++ b/man/ipsec.secrets.5.in
|
|
|
|
|
@@ -15,7 +15,7 @@ Here is an example.
|
|
|
|
|
.LP
|
|
|
|
|
.RS
|
|
|
|
|
.nf
|
|
|
|
|
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
|
|
|
|
+# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
|
|
|
|
|
192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
|
|
|
|
|
|
|
|
|
|
: RSA moonKey.pem
|
|
|
|
|
@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
|
|
|
|
|
.TQ
|
|
|
|
|
.B : ECDSA <private key file> [ <passphrase> | %prompt ]
|
|
|
|
|
For the private key file both absolute paths or paths relative to
|
|
|
|
|
-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
|
|
|
|
|
+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
|
|
|
|
|
encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
|
|
|
|
|
.B %prompt
|
|
|
|
|
can be used which then causes the daemon to ask the user for the password
|
|
|
|
|
@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
|
|
|
|
|
.TP
|
|
|
|
|
.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
|
|
|
|
|
For the PKCS#12 file both absolute paths or paths relative to
|
|
|
|
|
-\fI/etc/ipsec.d/private\fP are accepted. If the container is
|
|
|
|
|
+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
|
|
|
|
|
encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
|
|
|
|
|
.B %prompt
|
|
|
|
|
can be used which then causes the daemon to ask the user for the password
|
|
|
|
|
@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
|
|
|
|
|
.LP
|
|
|
|
|
|
|
|
|
|
.SH FILES
|
|
|
|
|
-/etc/ipsec.secrets
|
|
|
|
|
+@sysconfdir@/ipsec.secrets
|
|
|
|
|
.SH SEE ALSO
|
|
|
|
|
ipsec.conf(5), strongswan.conf(5), ipsec(8)
|
|
|
|
|
.br
|
|
|
|
|
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
|
|
|
|
|
index 0ab9ab27c..656eba49b 100644
|
|
|
|
|
--- a/src/ipsec/Makefile.am
|
|
|
|
|
+++ b/src/ipsec/Makefile.am
|
|
|
|
|
@@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in
|
|
|
|
|
-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
|
|
|
|
|
-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
|
|
|
|
|
-e "s:@IPSEC_DIR@:$(ipsecdir):" \
|
|
|
|
|
+ -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
|
|
|
|
|
$(srcdir)/$@.in > $@
|
|
|
|
|
|
|
|
|
|
_ipsec : _ipsec.in
|
|
|
|
|
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
|
|
|
|
|
index bfc4d50c2..de00d3075 100644
|
|
|
|
|
--- a/src/ipsec/_ipsec.8.in
|
|
|
|
|
+++ b/src/ipsec/_ipsec.8.in
|
|
|
|
|
@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol.
|
|
|
|
|
.TP
|
|
|
|
|
.BI "listcacerts [" --utc ]
|
|
|
|
|
returns a list of X.509 Certification Authority (CA) certificates that were
|
|
|
|
|
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
|
|
|
|
|
+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP
|
|
|
|
|
directory or received via the IKE protocol.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.BI "listaacerts [" --utc ]
|
|
|
|
|
returns a list of X.509 Authorization Authority (AA) certificates that were
|
|
|
|
|
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
|
|
|
|
|
+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP
|
|
|
|
|
directory.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.BI "listocspcerts [" --utc ]
|
|
|
|
|
returns a list of X.509 OCSP Signer certificates that were either loaded
|
|
|
|
|
-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
|
|
|
|
|
+locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
|
|
|
|
|
directory or were sent by an OCSP server.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.BI "listacerts [" --utc ]
|
|
|
|
|
returns a list of X.509 Attribute certificates that were loaded locally by
|
|
|
|
|
-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
|
|
|
|
|
+the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.BI "listgroups [" --utc ]
|
|
|
|
|
@@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP.
|
|
|
|
|
.TP
|
|
|
|
|
.BI "listcrls [" --utc ]
|
|
|
|
|
returns a list of Certificate Revocation Lists (CRLs) that were either loaded
|
|
|
|
|
-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
|
|
|
|
|
+by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from
|
|
|
|
|
an HTTP- or LDAP-based CRL distribution point.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
|
|
|
|
|
.TP
|
|
|
|
|
.B "rereadcacerts"
|
|
|
|
|
removes previously loaded CA certificates, reads all certificate files
|
|
|
|
|
-contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
|
|
|
|
|
+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list
|
|
|
|
|
of Certification Authority (CA) certificates. This does not affect certificates
|
|
|
|
|
explicitly defined in a
|
|
|
|
|
.BR ipsec.conf (5)
|
|
|
|
|
@@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command.
|
|
|
|
|
.TP
|
|
|
|
|
.B "rereadaacerts"
|
|
|
|
|
removes previously loaded AA certificates, reads all certificate files
|
|
|
|
|
-contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
|
|
|
|
|
+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list
|
|
|
|
|
of Authorization Authority (AA) certificates.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.B "rereadocspcerts"
|
|
|
|
|
-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
|
|
|
|
|
+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
|
|
|
|
|
directory and adds them to the list of OCSP signer certificates.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.B "rereadacerts"
|
|
|
|
|
-reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
|
|
|
|
|
+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP
|
|
|
|
|
directory and adds them to the list of attribute certificates.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.B "rereadcrls"
|
|
|
|
|
reads all Certificate Revocation Lists (CRLs) contained in the
|
|
|
|
|
-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
|
|
|
|
|
+\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
|
|
|
|
|
.
|
|
|
|
|
.TP
|
|
|
|
|
.B "rereadall"
|
|
|
|
|
diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in
|
|
|
|
|
index 4d24608da..036443843 100644
|
|
|
|
|
--- a/src/swanctl/swanctl.conf.5.tail.in
|
|
|
|
|
+++ b/src/swanctl/swanctl.conf.5.tail.in
|
|
|
|
|
@@ -2,7 +2,7 @@
|
|
|
|
|
.
|
|
|
|
|
.nf
|
|
|
|
|
.na
|
|
|
|
|
-/etc/swanctl/swanctl.conf configuration file
|
|
|
|
|
+@sysconfdir@/swanctl/swanctl.conf configuration file
|
|
|
|
|
.ad
|
|
|
|
|
.fi
|
|
|
|
|
.
|
|
|
|
|
--
|
|
|
|
|
2.39.0
|
|
|
|
|
|
