Feature #475

Provide 'strongswan.d' configuration functionality

Added by Jonathan Davies over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Category: configuration
Target version:
Start date: 31.12.2013
Due date:
Estimated time:
Resolution: Fixed

Description

It would be nice if strongswan could provide configuration snippets with a /etc/strongswan.d/ directory (a la /etc/fstab /etc/fstab.d/).

This would give package maintainers a way to drop in snippets for plugins. For instance, I would like to enable test vectors by default - but I have no way of doing that without touching the main strongswan.conf file.

Also, it'd provide a way to give users configuration files with comments - which have the plugins disabled by default but have all the visible options available.

Associated revisions

Revision 55015036
Added by Tobias Brunner over 6 years ago

Merge branch 'modular-load'

Introduces a new configuration file layout. strongswan.conf is now only
very simple and mainly includes the config snippets from the strongswan.d
and strongswan.d/charon directories (the latter containing snippets for
individual plugins).

Config snippets with commented defaults are generated for all currently
defined settings and are installed if they don't exist yet and the
respective plugin/component is enabled. Similarly, the strongswan.conf(5)
man page, which documents all these settings, is automatically generated
from the same source.
The config snippets are also installed in $prefix/share/strongswan so
existing files can be compared to the most current defaults.

As an alternative to the non-extensible charon.load option, the plugins
to load can now be determined via the respective charon.plugins.<name>.load
setting. This functionality is enabled by the new default strongswan.conf
file (via the charon.load_modular option) and the load setting in the
generated config snippets of all enabled plugins. The load setting
optionally takes a numeric priority value that allows reordering the
plugins (plugins with the same priority are ordered according to the
default plugin order).

Additionally, all settings that were formerly defined in library
specific "global" sections are now application specific. For instance,
instead of configuring libstrongswan.plugins.random.random and affecting
charon, charon-cmd, pki, basically every application using libstrongswan,
the option can now be set individually for each application (e.g.
pki.plugins.random.random to affect only pki). The old options are still
supported though, which actually allows defining defaults for all
applications in the libstrongswan section.

The libtls options are mapped to <app>.tls. The libimcv and libtnccs options
are mapped to <app>.imcv and <app>.tnc, respectively (while their plugin's
options are now under <app>.plugins together with all the others).

Fixes #475.
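
A sketch of the layout the commit message above describes, added here as an illustration; it is not the set of files the project ships. The file paths under /etc, the snippet contents, the priority value 10 and the device paths are assumptions chosen for the example; the setting names (charon.load_modular, charon.plugins.<name>.load, pki.plugins.random.random, the libstrongswan section) are the ones named in the commit message.

```conf
# --- /etc/strongswan.conf (assumed path) ---
# The main file stays small: it turns on modular loading and pulls in snippets.
charon {
	load_modular = yes
	plugins {
		# one snippet per plugin, e.g. dropped in by a plugin package
		include strongswan.d/charon/*.conf
	}
}
include strongswan.d/*.conf

# --- /etc/strongswan.d/charon/test-vectors.conf (assumed snippet) ---
# A package maintainer enables the plugin here without editing strongswan.conf.
test-vectors {
	load = yes
}

# --- /etc/strongswan.d/charon/random.conf (assumed snippet) ---
random {
	# A numeric priority instead of yes/no reorders the plugin; plugins with
	# the same priority keep the default plugin order. 10 is a sample value.
	load = 10
}

# --- /etc/strongswan.d/pki.conf (assumed snippet) ---
# Application-specific scope: this affects only pki, not charon or charon-cmd.
pki {
	plugins {
		random {
			random = /dev/random
		}
	}
}

# --- old-style section, still supported ---
# Settings here act as defaults for every application using libstrongswan.
libstrongswan {
	plugins {
		random {
			random = /dev/random
		}
	}
}
```

When auditing a deployment, the effective value of a setting can come from any included snippet or from the libstrongswan defaults, so review the whole include tree rather than strongswan.conf alone.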

History

#1 Updated by Tobias Brunner over 6 years ago

  • Category set to configuration
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

It would be nice if strongswan could provide configuration snippets with a /etc/strongswan.d/ directory (a la /etc/fstab /etc/fstab.d/).

This would give package maintainers a way to drop in snippets for plugins. For instance, I would like to enable test vectors by default - but I have no way of doing that without touching the main strongswan.conf file.

You could easily add

include /etc/strongswan.d/*.conf

at the end of /etc/strongswan.conf that is delivered with the Debian/Ubuntu package. Plugins that were built are always (tried to be) loaded, unless a custom charon.load statement is used, which is not recommended and currently not extensible. I experimented with a more extensible load statement (see this commit message) but I wasn't sure what the best syntax would be. Perhaps you have some thoughts on this.

Anyway, you could disable all plugins (that provide such an option - unfortunately, not all are disabled by default - and sadly not all have such an option) in /etc/strongswan.conf and then enable them in the config snippets (perhaps commented) provided by the respective plugin package.

Also, it'd provide a way to give users configuration files with comments - which have the plugins disabled by default but have all the visible options available.

As mentioned above not all plugins have an option to disable them once they are loaded (depending on the possibility to load them more dynamically that might not be required). And regarding commented config files, that would be great, but requires quite some work (might be something the community could work on once a more modular config system has been established?).

#2 Updated by Yves-Alexis Perez over 6 years ago

Tobias Brunner wrote:

It would be nice if strongswan could provide configuration snippets with a /etc/strongswan.d/ directory (a la /etc/fstab /etc/fstab.d/).

This would give package maintainers a way to drop in snippets for plugins. For instance, I would like to enable test vectors by default - but I have no way of doing that without touching the main strongswan.conf file.

You could easily add

[...]

at the end of /etc/strongswan.conf that is delivered with the Debian/Ubuntu package.

We can integrate that, but wouldn't it make sense to do that upstream directly? That would benefit everyone shipping strongSwan, not just us.

#3 Updated by Tobias Brunner over 6 years ago

  • Target version set to 5.1.2
  • Resolution set to Fixed

I just pushed changes that implement this to master. See the commit message of the associated commit for details.

#4 Updated by Tobias Brunner over 6 years ago

  • Status changed from Feedback to Resolved

#5 Updated by Tobias Brunner over 6 years ago

  • Status changed from Resolved to Closed
