[OpenWrt-Devel] [PATCH 2/2] network: add virtual tunnel interface (VTI) support

Sat, 26 Dec 2015 14:59:23 -0800 

This adds support for configuring VTI interfaces within /etc/config/network.
VTI interfaces are used to create IPsec tunnel interfaces. These interfaces
may be used for routing and other purposes.

Example config:
config interface 'vti1'
        option proto 'vti'
        option mtu '1500'
        option tunlink 'wan'
        option peeraddr '192.168.5.16'
        option zone 'VPN'
        option ikey 2
        option okey 2

config interface 'vti1_static'
        option proto 'static'
        option ifname '@vti1'
        option ipaddr '192.168.7.2/24'

The options ikey and okey correspond to the fwmark value of a ipsec policy.
The may be null if you do not want fwmarks. 
Also peeraddr may be 0.0.0 if you want all ESP packets go through the 
interface. 
Example strongswan config:
conn vti
        left=%any
        leftcert=peer2.test.der
        leftid=@peer2.test
        right=192.168.5.16
        rightid=@peer3.test
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        mark=2
        auto=route



Signed-off-by: André Valentin <avalen...@marcant.net>
---
 package/network/config/vti/Makefile     |  65 +++++++++
 package/network/config/vti/files/vti.sh | 151 ++++++++++++++++++++
 2 files changed, 216 insertions(+)
 create mode 100644 package/network/config/vti/Makefile
 create mode 100755 package/network/config/vti/files/vti.sh

diff --git a/package/network/config/vti/Makefile 
b/package/network/config/vti/Makefile
new file mode 100644
index 0000000..a81e889
--- /dev/null
+++ b/package/network/config/vti/Makefile
@@ -0,0 +1,65 @@
+#
+# Copyright (C) 2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vti
+PKG_VERSION:=1
+PKG_RELEASE:=1
+PKG_LICENSE:=GPL-2.0
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/vti/Default
+  SECTION:=net
+  CATEGORY:=Network
+  MAINTAINER:=Andre Valentin <avalen...@marcant.net>
+endef
+
+define Package/vti
+$(call Package/vti/Default)
+  TITLE:=Virtual IPsec Tunnel Interface config support
+endef
+
+define Package/vti/description
+ Virtual IPsec Tunnel Interface config support (IPv4 and IPv6) in 
/etc/config/network.
+endef
+
+define Package/vtiv4
+$(call Package/vti/Default)
+  TITLE:=Virtual IPsec Tunnel Interface (IPv4) config support
+  DEPENDS:=@(PACKAGE_vti) +kmod-ip_vti
+endef
+
+define Package/vtiv4/description
+ Virtual IPsec Tunnel Interface config support (IPv4) in /etc/config/network.
+endef
+
+define Package/vtiv6
+$(call Package/vti/Default)
+  TITLE:=Virtual IPsec Tunnel Interface (IPv6) config support
+  DEPENDS:=@(PACKAGE_vti) @IPV6 +kmod-ip6_vti
+endef
+
+define Package/vtiv6/description
+ Virtual IPsec Tunnel Interface config support (IPv6) in /etc/config/network.
+endef
+
+define Build/Compile
+endef
+
+define Build/Configure
+endef
+
+define Package/vti/install
+       $(INSTALL_DIR) $(1)/lib/netifd/proto
+       $(INSTALL_BIN) ./files/vti.sh $(1)/lib/netifd/proto/vti.sh
+endef
+
+$(eval $(call BuildPackage,vti))
+$(eval $(call BuildPackage,vtiv4))
+$(eval $(call BuildPackage,vtiv6))
diff --git a/package/network/config/vti/files/vti.sh 
b/package/network/config/vti/files/vti.sh
new file mode 100755
index 0000000..5d1d42d
--- /dev/null
+++ b/package/network/config/vti/files/vti.sh
@@ -0,0 +1,151 @@
+#!/bin/sh
+
+[ -n "$INCLUDE_ONLY" ] || {
+       . /lib/functions.sh
+       . /lib/functions/network.sh
+       . ../netifd-proto.sh
+       init_proto "$@"
+}
+
+vti_generic_setup() {
+       local cfg="$1"
+       local mode="$2"
+       local local="$3"
+       local remote="$4"
+       local link="$5"
+       local mtu zone ikey
+       json_get_vars mtu zone ikey okey
+
+       [ -z "$zone" ] && zone="wan"
+
+       proto_init_update "$link" 1
+
+       proto_add_tunnel
+       json_add_string mode "$mode"
+       json_add_int mtu "${mtu:-1280}"
+       json_add_string local "$local"
+       json_add_string remote "$remote"
+       [ -n "$tunlink" ] && json_add_string link "$tunlink"
+       json_add_string info "${ikey:-0},${okey:-0}"
+       proto_close_tunnel
+
+       proto_add_data
+       [ -n "$zone" ] && json_add_string zone "$zone"
+       proto_close_data
+
+       proto_send_update "$cfg"
+}
+
+vti_setup() {
+       local cfg="$1"
+       local mode="$2"
+
+       local ipaddr peeraddr
+       json_get_vars df ipaddr peeraddr tunlink
+
+       [ -z "$peeraddr" ] && {
+               proto_notify_error "$cfg" "MISSING_ADDRESS"
+               proto_block_restart "$cfg"
+               exit
+       }
+
+       ( proto_add_host_dependency "$cfg" "$peeraddr" "$tunlink" )
+
+       [ -z "$ipaddr" ] && {
+               local wanif="$tunlink"
+               if [ -z $wanif ] && ! network_find_wan wanif; then
+                       proto_notify_error "$cfg" "NO_WAN_LINK"
+                       exit
+               fi
+
+               if ! network_get_ipaddr ipaddr "$wanif"; then
+                       proto_notify_error "$cfg" "NO_WAN_LINK"
+                       exit
+               fi
+       }
+
+       vti_generic_setup $cfg $mode $ipaddr $peeraddr "vti-$cfg"
+}
+
+proto_vti_setup() {
+       local cfg="$1"
+
+       vti_setup $cfg "vtiip"
+}
+
+vti6_setup() {
+       local cfg="$1"
+       local mode="$2"
+
+       local ip6addr peer6addr weakif
+       json_get_vars ip6addr peer6addr tunlink weakif
+
+       [ -z "$peer6addr" ] && {
+               proto_notify_error "$cfg" "MISSING_ADDRESS"
+               proto_block_restart "$cfg"
+               exit
+       }
+
+       ( proto_add_host_dependency "$cfg" "$peer6addr" "$tunlink" )
+
+       [ -z "$ip6addr" ] && {
+               local wanif="$tunlink"
+               if [ -z $wanif ] && ! network_find_wan6 wanif; then
+                       proto_notify_error "$cfg" "NO_WAN_LINK"
+                       exit
+               fi
+
+               if ! network_get_ipaddr6 ip6addr "$wanif"; then
+                       [ -z "$weakif" ] && weakif="lan"
+                       if ! network_get_ipaddr6 ip6addr "$weakif"; then
+                               proto_notify_error "$cfg" "NO_WAN_LINK"
+                               exit
+                       fi
+               fi
+       }
+
+       vti_generic_setup $cfg $mode $ip6addr $peer6addr "vti6-$cfg"
+}
+
+proto_vti6_setup() {
+       local cfg="$1"
+
+       vti6_setup $cfg "vtiip6"
+}
+
+proto_vti_teardown() {
+       local cfg="$1"
+}
+
+proto_vti6_teardown() {
+       local cfg="$1"
+}
+
+vti_generic_init_config() {
+       no_device=1
+       available=1
+
+       proto_config_add_int "mtu"
+       proto_config_add_string "tunlink"
+       proto_config_add_string "zone"
+       proto_config_add_int "ikey"
+       proto_config_add_int "okey"
+}
+
+proto_vti_init_config() {
+       vti_generic_init_config
+       proto_config_add_string "ipaddr"
+       proto_config_add_string "peeraddr"
+}
+
+proto_vti6_init_config() {
+       vti_generic_init_config
+       proto_config_add_string "ip6addr"
+       proto_config_add_string "peer6addr"
+       proto_config_add_string "weakif"
+}
+
+[ -n "$INCLUDE_ONLY" ] || {
+       [ -f /lib/modules/$(uname -r)/ip_vti.ko ] && add_protocol vti
+       [ -f /lib/modules/$(uname -r)/ip6_vti.ko ] && add_protocol vti6
+}
-- 
2.1.4
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

Reply via email to