public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

strongswan-swanctl: support strongswan-5.6.1 configuration options

Browse Source 
I determined which options got changed by executing the following
commands in the strongswan repository:

  git diff -U20 5.6.0..5.6.1 src/swanctl/swanctl.opt
  git diff -U20 5.6.0..5.6.1 conf
This commit is contained in:
Bas van Dijk 2017-11-28 00:51:40 +01:00
parent bd24b3addd
commit 7cc5ee2354
4 changed files with 88 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
View File

@ -431,6 +431,10 @@ in {
Priority of the routing table. Priority of the routing table.
''; '';
rsa_pss = mkYesNoParam no ''
Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
'';
send_delay = mkIntParam 0 '' send_delay = mkIntParam 0 ''
Delay in ms for sending packets, to simulate larger RTT. Delay in ms for sending packets, to simulate larger RTT.
''; '';

10
nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
View File

@ -214,6 +214,11 @@ lib : with (import ./param-constructors.nix lib); {
virtual IP. virtual IP.
''; '';
eap-radius.accounting_send_class = mkYesNoParam no ''
If enabled, adds the Class attributes received in Access-Accept
message to the RADIUS accounting messages.
'';
eap-radius.class_group = mkYesNoParam no '' eap-radius.class_group = mkYesNoParam no ''
Use the class attribute sent in the Access-Accept message as group Use the class attribute sent in the Access-Accept message as group
membership information, see EapRadius. membership information, see EapRadius.
@ -916,6 +921,11 @@ lib : with (import ./param-constructors.nix lib); {
strptime(3) format used to parse threshold option. strptime(3) format used to parse threshold option.
''; '';
systime-fix.timeout = mkDurationParam "0s" ''
How long to wait for a valid system time if an interval is
configured. 0 to recheck indefinitely.
'';
tnc-ifmap.client_cert = mkOptionalStrParam '' tnc-ifmap.client_cert = mkOptionalStrParam ''
Path to X.509 certificate file of IF-MAP client. Path to X.509 certificate file of IF-MAP client.
''; '';

41
nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
View File

@ -144,12 +144,6 @@ in {
''; '';
}; };
pacman.database = mkOptionalStrParam ''
Database URI for the database that stores the package information. If it
contains a password, make sure to adjust the permissions of the config
file accordingly.
'';
pki.load = mkSpaceSepListParam [] '' pki.load = mkSpaceSepListParam [] ''
Plugins to load in ipsec pki tool. Plugins to load in ipsec pki tool.
''; '';
@ -174,6 +168,41 @@ in {
Plugins to load in ipsec scepclient tool. Plugins to load in ipsec scepclient tool.
''; '';
sec-updater = {
database = mkOptionalStrParam ''
Global IMV policy database URI. If it contains a password, make
sure to adjust the permissions of the config file accordingly.
'';
swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" ''
SWID generator command to be executed.
'';
swid_gen.tag_creator.name = mkStrParam "strongSwan Project" ''
Name of the tagCreator entity.
'';
swid_gen.tag_creator.regid = mkStrParam "strongswan.org" ''
regid of the tagCreator entity.
'';
tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" ''
strongTNC manage.py command used to import SWID tags.
'';
tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" ''
Temporary storage for downloaded deb package file.
'';
tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" ''
Temporary storage for generated SWID tags.
'';
load = mkSpaceSepListParam [] ''
Plugins to load in sec-updater tool.
'';
};
starter = { starter = {
config_file = mkStrParam "\${sysconfdir}/ipsec.conf" '' config_file = mkStrParam "\${sysconfdir}/ipsec.conf" ''
Location of the ipsec.conf file. Location of the ipsec.conf file.

56
nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
View File

@ -286,7 +286,7 @@ in {
On initiators this setting specifies whether an INITIAL_CONTACT notify is On initiators this setting specifies whether an INITIAL_CONTACT notify is
sent during IKE_AUTH if no existing connection is found with the remote sent during IKE_AUTH if no existing connection is found with the remote
peer (determined by the identities of the first authentication peer (determined by the identities of the first authentication
round). Only if set to keep or replace will the client send a notify. round). Unless set to <literal>never</literal> the client will send a notify.
''; '';
reauth_time = mkDurationParam "0s" '' reauth_time = mkDurationParam "0s" ''
@ -444,7 +444,12 @@ in {
<literal>ike:</literal> prefix are configured any signature scheme <literal>ike:</literal> prefix are configured any signature scheme
constraint (without <literal>ike:</literal> prefix) will also apply to constraint (without <literal>ike:</literal> prefix) will also apply to
IKEv2 authentication, unless this is disabled in IKEv2 authentication, unless this is disabled in
<literal>strongswan.conf</literal>. <literal>strongswan.conf</literal>. To use RSASSA-PSS signatures use
<literal>rsa/pss</literal> instead of <literal>pubkey</literal> or
<literal>rsa</literal> as in e.g.
<literal>ike:rsa/pss-sha256</literal>. If <literal>pubkey</literal> or
<literal>rsa</literal> constraints are configured RSASSA-PSS signatures
will only be used if enabled in <literal>strongswan.conf</literal>(5).
</para></listitem> </para></listitem>
</itemizedlist> </itemizedlist>
''; '';
@ -585,7 +590,12 @@ in {
<option>local</option> section's <option>auth</option> keyword for <option>local</option> section's <option>auth</option> keyword for
details), such key types and hash algorithms are also applied as details), such key types and hash algorithms are also applied as
constraints against IKEv2 signature authentication schemes used by the constraints against IKEv2 signature authentication schemes used by the
remote side. remote side. To require RSASSA-PSS signatures use
<literal>rsa/pss</literal> instead of <literal>pubkey</literal> or
<literal>rsa</literal> as in e.g. <literal>rsa/pss-sha256</literal>. If
<literal>pubkey</literal> or <literal>rsa</literal> constraints are
configured RSASSA-PSS signatures will only be accepted if enabled in
<literal>strongswan.conf</literal>(5).
</para><para> </para><para>
To specify trust chain constraints for EAP-(T)TLS, append a colon to the To specify trust chain constraints for EAP-(T)TLS, append a colon to the
EAP method, followed by the key type/size and hash algorithm as EAP method, followed by the key type/size and hash algorithm as
@ -872,27 +882,39 @@ in {
''; '';
mark_in = mkStrParam "0/0x00000000" '' mark_in = mkStrParam "0/0x00000000" ''
Netfilter mark and mask for input traffic. On Linux Netfilter may Netfilter mark and mask for input traffic. On Linux, Netfilter may
require marks on each packet to match an SA having that option set. This require marks on each packet to match an SA/policy having that option
allows Netfilter rules to select specific tunnels for incoming set. This allows installing duplicate policies and enables Netfilter
traffic. The special value <literal>%unique</literal> sets a unique mark rules to select specific SAs/policies for incoming traffic. Note that
on each CHILD_SA instance, beyond that the value inbound marks are only set on policies, by default, unless
<literal>%unique-dir</literal> assigns a different unique mark for each <option>mark_in_sa</option> is enabled. The special value
CHILD_SA direction (in/out). <literal>%unique</literal> sets a unique mark on each CHILD_SA instance,
beyond that the value <literal>%unique-dir</literal> assigns a different
unique mark for each
</para><para> </para><para>
An additional mask may be appended to the mark, separated by An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is <literal>/</literal>. The default mask if omitted is
<literal>0xffffffff</literal>. <literal>0xffffffff</literal>.
''; '';
mark_in_sa = mkYesNoParam no ''
Whether to set <option>mark_in</option> on the inbound SA. By default,
the inbound mark is only set on the inbound policy. The tuple destination
address, protocol and SPI is unique and the mark is not required to find
the correct SA, allowing to mark traffic after decryption instead (where
more specific selectors may be used) to match different policies. Marking
packets before decryption is still possible, even if no mark is set on
the SA.
'';
mark_out = mkStrParam "0/0x00000000" '' mark_out = mkStrParam "0/0x00000000" ''
Netfilter mark and mask for output traffic. On Linux Netfilter may Netfilter mark and mask for output traffic. On Linux, Netfilter may
require marks on each packet to match a policy having that option require marks on each packet to match a policy/SA having that option
set. This allows Netfilter rules to select specific tunnels for outgoing set. This allows installing duplicate policies and enables Netfilter
traffic. The special value <literal>%unique</literal> sets a unique mark rules to select specific policies/SAs for outgoing traffic. The special
on each CHILD_SA instance, beyond that the value value <literal>%unique</literal> sets a unique mark on each CHILD_SA
<literal>%unique-dir</literal> assigns a different unique mark for each instance, beyond that the value <literal>%unique-dir</literal> assigns a
CHILD_SA direction (in/out). different unique mark for each CHILD_SA direction (in/out).
</para><para> </para><para>
An additional mask may be appended to the mark, separated by An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is <literal>/</literal>. The default mask if omitted is