Add aaa-12 add delete ipsec depend libreswan

RCA： SOL：修改人：zhangtao 检视人：
2019-10-17 17:16:51 +08:00 · 2019-10-17 17:16:51 +08:00 · 11a534d069
parent e0392e644b
commit 11a534d069
3 changed files with 240 additions and 15 deletions
--- a/4
+++ b/4
@ -30,12 +30,12 @@ endif

 export MAKE_TOP_DIR=$(CURDIR)

-.PHONY : demo database openrpc ulog klog klog_test conntrack netlink \
+.PHONY : demo database openrpc ulog klog klog_test  netlink \
 		trace redismq usermanager configm webauth \
 		matchrule logging ulog_test proc_api shm_dev rpdb \
 		object

-all: database openrpc ulog klog klog_test conntrack netlink trace redismq \
+all: database openrpc ulog klog klog_test  netlink trace redismq \
 		usermanager configm webauth matchrule logging ulog_test proc_api shm_dev rpdb \
 		object

--- a/Platform/build/user.configm.Makefile
+++ b/Platform/build/user.configm.Makefile
@ -99,7 +99,9 @@ PLAT_LINUX_CFLAGS := $(COMMOM_CFLAGS)
 PLAT_ARM64_LDFLAGS :=
 PLAT_LINUX_LDFLAGS :=

-COMMON_STD_LIB	:= -lpthread -lm -lcjson -levent -ljson-c -lhiredis -lodbc -lev -ldl  -lipsecconf  -lwhack   -lswan  -llswtool  -lswan -lunbound
+#COMMON_STD_LIB	:= -lpthread -lm -lcjson -levent -ljson-c -lhiredis -lodbc -lev -ldl  -lipsecconf  -lwhack   -lswan  -llswtool  -lswan -lunbound
+COMMON_STD_LIB	:= -lpthread -lm -lcjson -levent -ljson-c -lhiredis -lodbc -lev -ldl
+
 #gcc libs
 PLAT_ARM64_LIBS		:= -lopenrpc-$(ARM64_OBJ_TARGET) -lnetlinku-$(ARM64_OBJ_TARGET) -lredismq-$(ARM64_OBJ_TARGET)
 PLAT_ARM64_LIBS      += -lulogapi-$(ARM64_OBJ_TARGET) -ldatabase-$(ARM64_OBJ_TARGET) $(COMMON_STD_LIB)
--- a/Platform/user/configm/config-server/ipsec_config/ike_config.c
+++ b/Platform/user/configm/config-server/ipsec_config/ike_config.c
@ -1,9 +1,11 @@
-#include "ike_config.h"
-
-#include "lswalloc.h"
-
-#include <ipsecconf/confread.h>
+#if 0
+#include <pluto_constants.h>
 #include <deltatime.h>
+#include <ipsecconf/confread.h>
+
+#endif
+
+#include "ike_config.h"

 ret_code ike_config_chk(uint source, uint *config_type,
                        pointer input, int *input_len,
@ -12,19 +14,240 @@ ret_code ike_config_chk(uint source, uint *config_type,
    return RET_OK;
 }

+#if 0
+
+static int add_ike_conn(ike_config_t ike_cfg, struct starter_config *cfg,
+					const struct starter_conn *conn)
+{
+
+	struct whack_message msg;
+	int r;
+
+	init_whack_msg(&msg);
+
+	msg.whack_connection = TRUE;
+	msg.whack_delete = TRUE;	/* always do replace for now */
+    msg.whack_listen = TRUE;    // 开启IKE监听
+    msg.whack_route = TRUE;     // 添加内核对应的SP（ACL）规则
+    
+	msg.name = ike_cfg->v1.ph2.ph2_name;
+
+	msg.addr_family = conn->left.addr_family;
+	msg.tunnel_addr_family = conn->left.addr_family;
+
+//	if (conn->right.addrtype == KH_IPHOSTNAME)
+//		msg.dnshostname = conn->right.strings[KSCF_IP];
+
+	msg.nic_offload = yna_auto;
+	msg.sa_ike_life_seconds = deltatime(ike_cfg.v1.ph1.sa_ike_life_seconds);       //deltatime(conn->options[KBF_IKELIFETIME]);
+	msg.sa_ipsec_life_seconds = deltatime(ike_cfg.v1.ph2.sa_ipsec_life_seconds);   //deltatime(conn->options[KBF_SALIFETIME]);
+	msg.sa_rekey_margin = deltatime(SA_REPLACEMENT_MARGIN_DEFAULT);
+	msg.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
+	msg.sa_keying_tries = conn->options[KBF_KEYINGTRIES];
+	msg.sa_replay_window = conn->options[KBF_REPLAY_WINDOW];
+
+	msg.r_interval = deltatime_ms(conn->options[KBF_RETRANSMIT_INTERVAL_MS]);
+	msg.r_timeout = deltatime(conn->options[KBF_RETRANSMIT_TIMEOUT]);
+
+	msg.policy = conn->policy;
+	msg.sighash_policy = conn->sighash_policy;
+
+	msg.connalias = conn->connalias;
+
+	msg.metric = conn->options[KBF_METRIC];
+
+	if (conn->options_set[KBF_CONNMTU])
+		msg.connmtu = conn->options[KBF_CONNMTU];
+	if (conn->options_set[KBF_PRIORITY])
+		msg.sa_priority = conn->options[KBF_PRIORITY];
+	if (conn->options_set[KBF_TFCPAD])
+		msg.sa_tfcpad = conn->options[KBF_TFCPAD];
+	if (conn->options_set[KBF_NO_ESP_TFC])
+		msg.send_no_esp_tfc = conn->options[KBF_NO_ESP_TFC];
+	if (conn->options_set[KBF_NFLOG_CONN])
+		msg.nflog_group = conn->options[KBF_NFLOG_CONN];
+
+	if (conn->options_set[KBF_REQID]) {
+		if (conn->options[KBF_REQID] <= 0 ||
+		    conn->options[KBF_REQID] > IPSEC_MANUAL_REQID_MAX) {
+			starter_log(LOG_LEVEL_ERR,
+				"Ignoring reqid value - range must be 1-%u",
+				IPSEC_MANUAL_REQID_MAX);
+		} else {
+			msg.sa_reqid = conn->options[KBF_REQID];
+		}
+	}
+
+	/* default to HOLD */
+	msg.dpd_action = DPD_ACTION_HOLD;
+	if (conn->options_set[KBF_DPDDELAY] &&
+		conn->options_set[KBF_DPDTIMEOUT]) {
+		msg.dpd_delay = deltatime(conn->options[KBF_DPDDELAY]);
+		msg.dpd_timeout = deltatime(conn->options[KBF_DPDTIMEOUT]);
+		if (conn->options_set[KBF_DPDACTION])
+			msg.dpd_action = conn->options[KBF_DPDACTION];
+
+		if (conn->options_set[KBF_REKEY] && !conn->options[KBF_REKEY]) {
+			if (conn->options[KBF_DPDACTION] ==
+				DPD_ACTION_RESTART) {
+				starter_log(LOG_LEVEL_ERR,
+					"conn: \"%s\" warning dpdaction cannot be 'restart'  when rekey=no - defaulting to 'hold'",
+					conn->name);
+				msg.dpd_action = DPD_ACTION_HOLD;
+			}
+		}
+	} else {
+		if (conn->options_set[KBF_DPDDELAY]  ||
+			conn->options_set[KBF_DPDTIMEOUT] ||
+			conn->options_set[KBF_DPDACTION]) {
+			starter_log(LOG_LEVEL_ERR,
+				"conn: \"%s\" warning dpd settings are ignored unless both dpdtimeout= and dpddelay= are set",
+				conn->name);
+		}
+	}
+
+	if (conn->options_set[KBF_SEND_CA])
+		msg.send_ca = conn->options[KBF_SEND_CA];
+	else
+		msg.send_ca = CA_SEND_NONE;
+
+
+	if (conn->options_set[KBF_ENCAPS])
+		msg.encaps = conn->options[KBF_ENCAPS];
+	else
+		msg.encaps = yna_auto;
+
+	if (conn->options_set[KBF_NAT_KEEPALIVE])
+		msg.nat_keepalive = conn->options[KBF_NAT_KEEPALIVE];
+	else
+		msg.nat_keepalive = TRUE;
+
+	if (conn->options_set[KBF_IKEV1_NATT])
+		msg.ikev1_natt = conn->options[KBF_IKEV1_NATT];
+	else
+		msg.ikev1_natt = NATT_BOTH;
+
+
+	/* Activate sending out own vendorid */
+	if (conn->options_set[KBF_SEND_VENDORID])
+		msg.send_vendorid = conn->options[KBF_SEND_VENDORID];
+
+	/* Activate Cisco quircky behaviour not replacing old IPsec SA's */
+	if (conn->options_set[KBF_INITIAL_CONTACT])
+		msg.initial_contact = conn->options[KBF_INITIAL_CONTACT];
+
+	/* Activate their quircky behaviour - rumored to be needed for ModeCfg and RSA */
+	if (conn->options_set[KBF_CISCO_UNITY])
+		msg.cisco_unity = conn->options[KBF_CISCO_UNITY];
+
+	if (conn->options_set[KBF_VID_STRONGSWAN])
+		msg.fake_strongswan = conn->options[KBF_VID_STRONGSWAN];
+
+	/* Active our Cisco interop code if set */
+	if (conn->options_set[KBF_REMOTEPEERTYPE])
+		msg.remotepeertype = conn->options[KBF_REMOTEPEERTYPE];
+
+#ifdef HAVE_NM
+	/* Network Manager support */
+	if (conn->options_set[KBF_NMCONFIGURED])
+		msg.nmconfigured = conn->options[KBF_NMCONFIGURED];
+
+#endif
+
+#ifdef HAVE_LABELED_IPSEC
+	/* Labeled ipsec support */
+	if (conn->options_set[KBF_LABELED_IPSEC]) {
+		msg.labeled_ipsec = conn->options[KBF_LABELED_IPSEC];
+		msg.policy_label = conn->policy_label;
+		starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" policy_label=%s",
+			conn->name, msg.policy_label);
+	}
+#endif
+
+	msg.modecfg_dns = conn->modecfg_dns;
+	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgdns=%s",
+		conn->name, msg.modecfg_dns == NULL ? "<unset>" :
+			msg.modecfg_dns);
+	msg.modecfg_domains = conn->modecfg_domains;
+	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgdomains=%s",
+		conn->name, msg.modecfg_domains == NULL ? "<unset>" :
+			msg.modecfg_domains);
+	msg.modecfg_banner = conn->modecfg_banner;
+	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgbanner=%s",
+		conn->name, msg.modecfg_banner == NULL ? "<unset>" :
+			msg.modecfg_banner);
+
+	msg.conn_mark_both = conn->conn_mark_both;
+	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark=%s",
+		conn->name, msg.conn_mark_both == NULL ? "<unset>" :
+			msg.conn_mark_both);
+	msg.conn_mark_in = conn->conn_mark_in;
+	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark-in=%s",
+		conn->name, msg.conn_mark_in == NULL ? "<unset>" :
+			msg.conn_mark_in);
+	msg.conn_mark_out = conn->conn_mark_out;
+	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark-out=%s",
+		conn->name, msg.conn_mark_out == NULL ? "<unset>" :
+			msg.conn_mark_out);
+
+	msg.vti_iface = conn->vti_iface;
+	starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" vti_iface=%s",
+		conn->name, msg.vti_iface == NULL ? "<unset>" :
+			msg.vti_iface);
+	if (conn->options_set[KBF_VTI_ROUTING])
+		msg.vti_routing = conn->options[KBF_VTI_ROUTING];
+	if (conn->options_set[KBF_VTI_SHARED])
+		msg.vti_shared = conn->options[KBF_VTI_SHARED];
+
+	if (conn->options_set[KBF_XAUTHBY])
+		msg.xauthby = conn->options[KBF_XAUTHBY];
+	if (conn->options_set[KBF_XAUTHFAIL])
+		msg.xauthfail = conn->options[KBF_XAUTHFAIL];
+
+	set_whack_end("left",  &msg.left, &conn->left);
+	set_whack_end("right", &msg.right, &conn->right);
+
+	/* for bug #1004 */
+	update_ports(&msg);
+
+	msg.esp = conn->esp;
+	msg.ike = conn->ike;
+
+
+	r = send_whack_msg(&msg, cfg->ctlsocket);
+	if (r != 0) {
+		return r;
+	}
+
+	
+
+	return 0;
+}
+#endif
+
+
 ret_code ike_config_proc(uint source, uint config_type,
                        pointer input, int input_len,
                        pointer output, int *output_len)
 {
+#if 0
+    struct starter_config *cfg;
    
    ipsecconf_default_values(NULL);
-    /*
-    resolve_defaultroute(conn);
-    starter_whack_add_conn(cfg, conn);
-    starter_whack_listen(cfg);
-    starter_whack_route_conn(cfg, conn);
-    */
-
+   
+    struct starter_conn *conn;
+    for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
+        //resolve_defaultroute(conn);
+        starter_whack_add_conn(cfg, conn);
+        starter_whack_listen(cfg);
+        starter_whack_route_conn(cfg, conn);
+    }
+    
+    
+    
+#endif
    return RET_OK;
+FAIL:
+    return RET_ERR;
 }