The script is a combination of the existing startup script for strongswan combined with the suggestions made to load vici-configurations.
Ideally only one of the two configuration options should be used.
An additional rc.conf variable has been added to allow specifying which interface to use.
The variable is named "strongswan_interface" and valid options are "stroke" or "vici". It defaults to stroke to work with any existing installations.
Details
Create configuration for vici as well as stroke, and test the options to ensure both start up correctly.
Diff Detail
- Repository: rP FreeBSD ports repository
- Lint: Skipped
- Unit Tests: Skipped
Event Timeline
Works fine. Thank you!
security/strongswan/files/strongswan.in, line 91:
Not sure if the output `command=/usr/sbin/daemon` is a debugging/testing leftover?
Thanks. Made the update to remove the debugging code.
I can't see any reason that one would want to run both interfaces.
security/strongswan/files/strongswan.in, line 91:
Yeah, my bad.
> I can't see any reason that one would want to run both interfaces.

The only reason I can think of is to partially migrate connections from stroke to vici. In that case, the user will need to manually invoke `swanctl --load-all`, keeping the `strongswan_interface` in `stroke`. This will load both configurations from ipsec.conf and swanctl.conf.
If this scenario is requested, a third interface named `both` could be defined that has the extra command.
My opinion is that it is fine as it is right now. I appreciate the effort. Thank you!
security/strongswan/files/strongswan.in, line 10:
Minor: there is an extra white space at the end of this line.
Along the same idea, I think dual active interfaces is useful during configuration file conversion from ipsec.conf to swanctl.conf. When multiple connection stanzas exist in ipsec.conf, it'd be nice to be able to test and bake each individually. But currently that baking process is interrupted whenever the system reboots and `swanctl --load-all` has to be manually rerun.
That's just a suggestion and not a hard request. Thanks.
security/strongswan/files/strongswan.in, line 35:
Is this case statement missing a catch-all '*' pattern? Because a typo in rc variable strongswan_interfaces will cause rc.d/strongswan to try to run an undefined command.

```
# service strongswan start
/usr/local/etc/rc.d/strongswan: WARNING: run_rc_command: cannot run
```
security/strongswan/files/strongswan.in, line 35:
Agreed, something like:

```sh
# "default"
*)
	warn "\$strongswan_interface is not set properly - see rc.conf(5)."
	exit 1
	;;
```
security/strongswan/files/strongswan.in, line 35:
Nice catch. My suggestion is something like:

```sh
# "default"
*)
	warn "\$strongswan_interface setting is invalid - supported options are \"stroke\" or \"vici\"."
	exit 1
	;;
```
That looks like a code snippet from rc.subr checkyesno(), a stable source. Clever work. Thanks.
Syslog message is clean too:
```
...
Mar 4 16:12:08 devhost root: /etc/rc: WARNING: $strongswan_interface setting is invalid - supported options are "stroke" or "vici".
...
```
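As an added illustration, and not code from the port's strongswan.in or from any participant in this review, the POSIX sh function below shows the fail-closed dispatch discussed in the thread: a `case` on `${strongswan_interface}` that defaults to `stroke`, runs the matching start-up, and rejects anything else with a warning and a non-zero exit instead of handing an undefined command to run_rc_command. It also includes the optional `both` value suggested above for migrating connections from ipsec.conf to swanctl.conf, so `swanctl --load-all` survives a reboot. The `both` value, the install prefix, the charon and swanctl paths and the use of daemon(8) are assumptions; the function prints the command it would run rather than executing it, so it can be exercised without strongSwan installed.

```sh
#!/bin/sh
# Added example (not the FreeBSD port's rc script): validate the
# strongswan_interface rc.conf setting before acting on it.

# Hypothetical install prefix; the real port may differ.
STRONGSWAN_PREFIX="/usr/local"

# warn(): same shape as rc.subr's warn(), which is what the reviewers'
# snippet calls; here it only writes to stderr (no syslog).
warn() {
	echo "$0: WARNING: $*" >&2
}

# strongswan_start_cmd <interface>
# Prints the start command for the chosen control interface and returns 0.
# An empty value means "stroke" (the default described in the summary).
# Any other value, e.g. a typo like "vicci", returns 1 after a warning so
# the rc script fails closed instead of running an undefined command.
strongswan_start_cmd() {
	case "${1:-stroke}" in
	stroke)
		# Legacy stroke interface: connections come from ipsec.conf.
		echo "${STRONGSWAN_PREFIX}/sbin/ipsec start"
		;;
	vici)
		# vici interface: start charon under daemon(8), then have swanctl
		# load swanctl.conf into it. Paths are assumptions.
		echo "/usr/sbin/daemon -f ${STRONGSWAN_PREFIX}/libexec/ipsec/charon && ${STRONGSWAN_PREFIX}/sbin/swanctl --load-all"
		;;
	both)
		# Migration aid suggested in the review: stroke start-up plus an
		# automatic swanctl --load-all, so connections from both ipsec.conf
		# and swanctl.conf are loaded on every boot. Hypothetical value.
		echo "${STRONGSWAN_PREFIX}/sbin/ipsec start && ${STRONGSWAN_PREFIX}/sbin/swanctl --load-all"
		;;
	# "default"
	*)
		# Catch-all: the literal variable name is printed (escaped $) so the
		# message matches what an operator sees in syslog.
		warn "\$strongswan_interface setting is invalid - supported options are \"stroke\", \"vici\" or \"both\"."
		return 1
		;;
	esac
}

# Usage: first call honours rc.conf (defaulting to stroke); the second
# simulates the typo case from the review and is expected to be refused.
strongswan_start_cmd "${strongswan_interface:-stroke}"
strongswan_start_cmd vicci || echo "refused to start with an invalid setting" >&2
```

Matching is case-sensitive, so `Stroke` is rejected just like `vicci`; if the script should be lenient about case, normalise the value with `tr` before the `case` rather than adding more patterns.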