From e2e8cb83475d9a71225a5a60adb1d4ad04ed1ded Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Sun, 17 Jan 2016 11:06:02 +0000
Subject: [PATCH] network: add virtual tunnel interface (VTI) support
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This adds support for configuring VTI interfaces within /etc/config/network. VTI interfaces are used to create IPsec tunnel interfaces. These interfaces may be used for routing and other purposes.
Example config:
config interface 'vti1'
option proto 'vti'
option mtu '1500'
option tunlink 'wan'
option peeraddr '192.168.5.16'
option zone 'VPN'
option ikey 2
option okey 2
config interface 'vti1_static'
option proto 'static'
option ifname '@vti1'
option ipaddr '192.168.7.2/24'
The options ikey and okey correspond to the fwmark value of a ipsec policy. The may be null if you do not want fwmarks. Also peeraddr may be 0.0.0 if you want all ESP packets go through the interface.
Example strongswan config:
conn vti
left=%any
leftcert=peer2.test.der
leftid=@peer2.test
right=192.168.5.16
rightid=@peer3.test
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
mark=2
auto=route
Signed-off-by: André Valentin
SVN-Revision: 48274
---
package/network/config/vti/Makefile | 65 ++++++++++
package/network/config/vti/files/vti.sh | 151 ++++++++++++++++++++++++
2 files changed, 216 insertions(+)
create mode 100644 package/network/config/vti/Makefile
create mode 100755 package/network/config/vti/files/vti.sh
diff --git a/package/network/config/vti/Makefile b/package/network/config/vti/Makefile
new file mode 100644
index 0000000000..a81e889b23
--- /dev/null
+++ b/package/network/config/vti/Makefile
@@ -0,0 +1,65 @@
+#
+# Copyright (C) 2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vti
+PKG_VERSION:=1
+PKG_RELEASE:=1
+PKG_LICENSE:=GPL-2.0
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/vti/Default
+ SECTION:=net
+ CATEGORY:=Network
+ MAINTAINER:=Andre Valentin
+endef
+
+define Package/vti
+$(call Package/vti/Default)
+ TITLE:=Virtual IPsec Tunnel Interface config support
+endef
+
+define Package/vti/description
+ Virtual IPsec Tunnel Interface config support (IPv4 and IPv6) in /etc/config/network.
+endef
+
+define Package/vtiv4
+$(call Package/vti/Default)
+ TITLE:=Virtual IPsec Tunnel Interface (IPv4) config support
+ DEPENDS:=@(PACKAGE_vti) +kmod-ip_vti
+endef
+
+define Package/vtiv4/description
+ Virtual IPsec Tunnel Interface config support (IPv4) in /etc/config/network.
+endef
+
+define Package/vtiv6
+$(call Package/vti/Default)
+ TITLE:=Virtual IPsec Tunnel Interface (IPv6) config support
+ DEPENDS:=@(PACKAGE_vti) @IPV6 +kmod-ip6_vti
+endef
+
+define Package/vtiv6/description
+ Virtual IPsec Tunnel Interface config support (IPv6) in /etc/config/network.
+endef
+
+define Build/Compile
+endef
+
+define Build/Configure
+endef
+
+define Package/vti/install
+ $(INSTALL_DIR) $(1)/lib/netifd/proto
+ $(INSTALL_BIN) ./files/vti.sh $(1)/lib/netifd/proto/vti.sh
+endef
+
+$(eval $(call BuildPackage,vti))
+$(eval $(call BuildPackage,vtiv4))
+$(eval $(call BuildPackage,vtiv6))
diff --git a/package/network/config/vti/files/vti.sh b/package/network/config/vti/files/vti.sh
new file mode 100755
index 0000000000..763fd4ee32
--- /dev/null
+++ b/package/network/config/vti/files/vti.sh
@@ -0,0 +1,151 @@
+#!/bin/sh
+
+[ -n "$INCLUDE_ONLY" ] || {
+ . /lib/functions.sh
+ . /lib/functions/network.sh
+ . ../netifd-proto.sh
+ init_proto "$@"
+}
+
+vti_generic_setup() {
+ local cfg="$1"
+ local mode="$2"
+ local local="$3"
+ local remote="$4"
+ local link="$5"
+ local mtu zone ikey
+ json_get_vars mtu zone ikey okey
+
+ [ -z "$zone" ] && zone="wan"
+
+ proto_init_update "$link" 1
+
+ proto_add_tunnel
+ json_add_string mode "$mode"
+ json_add_int mtu "${mtu:-1280}"
+ json_add_string local "$local"
+ json_add_string remote "$remote"
+ [ -n "$tunlink" ] && json_add_string link "$tunlink"
+ json_add_string info "${ikey:-0},${okey:-0}"
+ proto_close_tunnel
+
+ proto_add_data
+ [ -n "$zone" ] && json_add_string zone "$zone"
+ proto_close_data
+
+ proto_send_update "$cfg"
+}
+
+vti_setup() {
+ local cfg="$1"
+ local mode="$2"
+
+ local ipaddr peeraddr
+ json_get_vars df ipaddr peeraddr tunlink
+
+ [ -z "$peeraddr" ] && {
+ proto_notify_error "$cfg" "MISSING_ADDRESS"
+ proto_block_restart "$cfg"
+ exit
+ }
+
+ ( proto_add_host_dependency "$cfg" "$peeraddr" "$tunlink" )
+
+ [ -z "$ipaddr" ] && {
+ local wanif="$tunlink"
+ if [ -z $wanif ] && ! network_find_wan wanif; then
+ proto_notify_error "$cfg" "NO_WAN_LINK"
+ exit
+ fi
+
+ if ! network_get_ipaddr ipaddr "$wanif"; then
+ proto_notify_error "$cfg" "NO_WAN_LINK"
+ exit
+ fi
+ }
+
+ vti_generic_setup $cfg $mode $ipaddr $peeraddr "vti-$cfg"
+}
+
+proto_vti_setup() {
+ local cfg="$1"
+
+ vti_setup $cfg "vtiip"
+}
+
+vti6_setup() {
+ local cfg="$1"
+ local mode="$2"
+
+ local ip6addr peer6addr weakif
+ json_get_vars ip6addr peer6addr tunlink weakif
+
+ [ -z "$peer6addr" ] && {
+ proto_notify_error "$cfg" "MISSING_ADDRESS"
+ proto_block_restart "$cfg"
+ exit
+ }
+
+ ( proto_add_host_dependency "$cfg" "$peer6addr" "$tunlink" )
+
+ [ -z "$ip6addr" ] && {
+ local wanif="$tunlink"
+ if [ -z $wanif ] && ! network_find_wan6 wanif; then
+ proto_notify_error "$cfg" "NO_WAN_LINK"
+ exit
+ fi
+
+ if ! network_get_ipaddr6 ip6addr "$wanif"; then
+ [ -z "$weakif" ] && weakif="lan"
+ if ! network_get_ipaddr6 ip6addr "$weakif"; then
+ proto_notify_error "$cfg" "NO_WAN_LINK"
+ exit
+ fi
+ fi
+ }
+
+ vti_generic_setup $cfg $mode $ip6addr $peer6addr "vti6-$cfg"
+}
+
+proto_vti6_setup() {
+ local cfg="$1"
+
+ vti6_setup $cfg "vtiip6"
+}
+
+proto_vti_teardown() {
+ local cfg="$1"
+}
+
+proto_vti6_teardown() {
+ local cfg="$1"
+}
+
+vti_generic_init_config() {
+ no_device=1
+ available=1
+
+ proto_config_add_int "mtu"
+ proto_config_add_string "tunlink"
+ proto_config_add_string "zone"
+ proto_config_add_int "ikey"
+ proto_config_add_int "okey"
+}
+
+proto_vti_init_config() {
+ vti_generic_init_config
+ proto_config_add_string "ipaddr"
+ proto_config_add_string "peeraddr"
+}
+
+proto_vti6_init_config() {
+ vti_generic_init_config
+ proto_config_add_string "ip6addr"
+ proto_config_add_string "peer6addr"
+ proto_config_add_string "weakif"
+}
+
+[ -n "$INCLUDE_ONLY" ] || {
+ [ -f /lib/modules/$(uname -r)/ip_vti.ko ] && add_protocol vti
+ [ -f /lib/modules/$(uname -r)/ip6_vti.ko ] && add_protocol vti6
+}
-- 
2.25.1
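Review bot: The calls `vti_generic_setup $cfg $mode $ipaddr $peeraddr "vti-$cfg"` and `vti_generic_setup $cfg $mode $ip6addr $peer6addr "vti6-$cfg"` (and `vti_setup $cfg "vtiip"` / `vti6_setup $cfg "vtiip6"`) pass their arguments unquoted, so an empty or whitespace-containing value shifts the positional parameters and `vti_generic_setup` would take the peer as its local address and the link name as the remote; quote them, e.g. `vti_generic_setup "$cfg" "$mode" "$ipaddr" "$peeraddr" "vti-$cfg"`, and likewise `[ -z "$wanif" ]` in both wan-lookup branches. `vti_generic_setup` also reads `tunlink` and `okey` without declaring or receiving them — `tunlink` is only present because the callers' `json_get_vars` leaves it as a shell global, and `okey` is missing from `local mtu zone ikey` — so either pass the link as a sixth parameter or at least add `local mtu zone ikey okey` and a comment like `# tunlink: left as a global by the caller's json_get_vars`. Minor: `df` is fetched by `json_get_vars df ipaddr peeraddr tunlink` but never used, and `[ -n "$zone" ]` is always true after `[ -z "$zone" ] && zone="wan"`. Since the commit text says ikey/okey may be left unset, a comment on the `info` line stating that both default to 0 (no fwmark) would make that part of the config contract explicit in the script itself. Naming the third parameter `local` (`local local="$3"`) is legal in sh but easy to misread; `laddr`/`raddr` would be clearer.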