JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #49197 from LumiGuide/strongswan-swanctl-5.7.1

Browse Source 
strongswan-swanctl: adapt options to strongswan-5.7.1
This commit is contained in:
Bas van Dijk 2018-10-27 09:34:53 +01:00 committed by GitHub
commit 0b381dd9ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 83 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
View File

@ -248,6 +248,14 @@ in {
</itemizedlist> </itemizedlist>
''; '';
ppk_id = mkOptionalStrParam ''
String identifying the Postquantum Preshared Key (PPK) to be used.
'';
ppk_required = mkYesNoParam no ''
Whether a Postquantum Preshared Key (PPK) is required for this connection.
'';
keyingtries = mkIntParam 1 '' keyingtries = mkIntParam 1 ''
Number of retransmission sequences to perform during initial Number of retransmission sequences to perform during initial
connect. Instead of giving up initiation after the first retransmission connect. Instead of giving up initiation after the first retransmission
@ -922,6 +930,36 @@ in {
<literal>0xffffffff</literal>. <literal>0xffffffff</literal>.
''; '';
set_mark_in = mkStrParam "0/0x00000000" ''
Netfilter mark applied to packets after the inbound IPsec SA processed
them. This way it's not necessary to mark packets via Netfilter before
decryption or right afterwards to match policies or process them
differently (e.g. via policy routing).
An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is 0xffffffff. The
special value <literal>%same</literal> uses the value (but not the mask)
from <option>mark_in</option> as mark value, which can be fixed,
<literal>%unique</literal> or <literal>%unique-dir</literal>.
Setting marks in XFRM input requires Linux 4.19 or higher.
'';
set_mark_out = mkStrParam "0/0x00000000" ''
Netfilter mark applied to packets after the outbound IPsec SA processed
them. This allows processing ESP packets differently than the original
traffic (e.g. via policy routing).
An additional mask may be appended to the mark, separated by
<literal>/</literal>. The default mask if omitted is 0xffffffff. The
special value <literal>%same</literal> uses the value (but not the mask)
from <option>mark_out</option> as mark value, which can be fixed,
<literal>%unique_</literal> or <literal>%unique-dir</literal>.
Setting marks in XFRM output is supported since Linux 4.14. Setting a
mask requires at least Linux 4.19.
'';
tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 '' tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 ''
Pads ESP packets with additional data to have a consistent ESP packet Pads ESP packets with additional data to have a consistent ESP packet
size for improved Traffic Flow Confidentiality. The padding defines the size for improved Traffic Flow Confidentiality. The padding defines the
@ -946,6 +984,33 @@ in {
supported, but the installation does not fail otherwise. supported, but the installation does not fail otherwise.
''; '';
copy_df = mkYesNoParam yes ''
Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This
effectively disables Path MTU discovery (PMTUD). Controlling this
behavior is not supported by all kernel interfaces.
'';
copy_ecn = mkYesNoParam yes ''
Whether to copy the ECN (Explicit Congestion Notification) header field
to/from the outer IP header in tunnel mode. Controlling this behavior is
not supported by all kernel interfaces.
'';
copy_dscp = mkEnumParam [ "out" "in" "yes" "no" ] "out" ''
Whether to copy the DSCP (Differentiated Services Field Codepoint)
header field to/from the outer IP header in tunnel mode. The value
<literal>out</literal> only copies the field from the inner to the outer
header, the value <literal>in</literal> does the opposite and only
copies the field from the outer to the inner header when decapsulating,
the value <literal>yes</literal> copies the field in both directions,
and the value <literal>no</literal> disables copying the field
altogether. Setting this to <literal>yes</literal> or
<literal>in</literal> could allow an attacker to adversely affect other
traffic at the receiver, which is why the default is
<literal>out</literal>. Controlling this behavior is not supported by
all kernel interfaces.
'';
start_action = mkEnumParam ["none" "trap" "start"] "none" '' start_action = mkEnumParam ["none" "trap" "start"] "none" ''
Action to perform after loading the configuration. Action to perform after loading the configuration.
<itemizedlist> <itemizedlist>
@ -1060,6 +1125,24 @@ in {
defined in a unique section having the <literal>ike</literal> prefix. defined in a unique section having the <literal>ike</literal> prefix.
''; '';
ppk = mkPrefixedAttrsOfParams {
secret = mkOptionalStrParam ''
Value of the PPK. It may either be an ASCII string, a hex encoded string
if it has a <literal>0x</literal> prefix or a Base64 encoded string if
it has a <literal>0s</literal> prefix in its value. Should have at least
256 bits of entropy for 128-bit security.
'';
id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
PPK identity the PPK belongs to. Multiple unique identities may be
specified, each having an <literal>id</literal> prefix, if a secret is
shared between multiple peers.
'';
} ''
Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is
defined in a unique section having the <literal>ppk</literal> prefix.
'';
private = mkPrefixedAttrsOfParams { private = mkPrefixedAttrsOfParams {
file = mkOptionalStrParam '' file = mkOptionalStrParam ''
File name in the private folder for which this passphrase should be used. File name in the private folder for which this passphrase should be used.