author | Bas van Dijk <v.dijk.bas@gmail.com> | 2018-10-27 09:34:53 +0100 |
committer | GitHub <noreply@github.com> | 2018-10-27 09:34:53 +0100 |
commit | 0b381dd9ca53e9f22bb2b7276e061734aeb1c6e8 (patch) | |
tree | b4255783c8208dbe5b00a6b3980e33b566a80409 /nixos/modules/services/networking | |
parent | 549b61cc59d4808a16ab9ef8dcf8a96cfc493dbd (diff) | |
parent | ca655e8b1489137773cb83162b55fdda21dd6d05 (diff) | |
Merge pull request #49197 from LumiGuide/strongswan-swanctl-5.7.1
strongswan-swanctl: adapt options to strongswan-5.7.1
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix index b16d299917fe..d4f7e95f859f 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix @@ -248,6 +248,14 @@ in { </itemizedlist> ''; + ppk_id = mkOptionalStrParam '' + String identifying the Postquantum Preshared Key (PPK) to be used. + ''; + + ppk_required = mkYesNoParam no '' + Whether a Postquantum Preshared Key (PPK) is required for this connection. + ''; + keyingtries = mkIntParam 1 '' Number of retransmission sequences to perform during initial connect. Instead of giving up initiation after the first retransmission 
@@ -922,6 +930,36 @@ in { <literal>0xffffffff</literal>. ''; + set_mark_in = mkStrParam "0/0x00000000" '' + Netfilter mark applied to packets after the inbound IPsec SA processed + them. This way it's not necessary to mark packets via Netfilter before + decryption or right afterwards to match policies or process them + differently (e.g. via policy routing). + + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is 0xffffffff. The + special value <literal>%same</literal> uses the value (but not the mask) + from <option>mark_in</option> as mark value, which can be fixed, + <literal>%unique</literal> or <literal>%unique-dir</literal>. + + Setting marks in XFRM input requires Linux 4.19 or higher. + ''; + + set_mark_out = mkStrParam "0/0x00000000" '' + Netfilter mark applied to packets after the outbound IPsec SA processed + them. This allows processing ESP packets differently than the original + traffic (e.g. via policy routing). + + An additional mask may be appended to the mark, separated by + <literal>/</literal>. The default mask if omitted is 0xffffffff. The + special value <literal>%same</literal> uses the value (but not the mask) + from <option>mark_out</option> as mark value, which can be fixed, + <literal>%unique_</literal> or <literal>%unique-dir</literal>. + + Setting marks in XFRM output is supported since Linux 4.14. Setting a + mask requires at least Linux 4.19. + ''; + tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 '' Pads ESP packets with additional data to have a consistent ESP packet size for improved Traffic Flow Confidentiality. The padding defines the 
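Review bot: The `set_mark_out` description contains a typo in the list of special values: `<literal>%unique_</literal>` should read `<literal>%unique</literal>`, matching the `set_mark_in` text directly above it. Since these descriptions are rendered into the option manual, the stray underscore would mislead someone copying the value into their configuration. The rest of the two descriptions mirror each other correctly.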
@@ -946,6 +984,33 @@ in { supported, but the installation does not fail otherwise. ''; + copy_df = mkYesNoParam yes '' + Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This + effectively disables Path MTU discovery (PMTUD). Controlling this + behavior is not supported by all kernel interfaces. + ''; + + copy_ecn = mkYesNoParam yes '' + Whether to copy the ECN (Explicit Congestion Notification) header field + to/from the outer IP header in tunnel mode. Controlling this behavior is + not supported by all kernel interfaces. + ''; + + copy_dscp = mkEnumParam [ "out" "in" "yes" "no" ] "out" '' + Whether to copy the DSCP (Differentiated Services Field Codepoint) + header field to/from the outer IP header in tunnel mode. The value + <literal>out</literal> only copies the field from the inner to the outer + header, the value <literal>in</literal> does the opposite and only + copies the field from the outer to the inner header when decapsulating, + the value <literal>yes</literal> copies the field in both directions, + and the value <literal>no</literal> disables copying the field + altogether. Setting this to <literal>yes</literal> or + <literal>in</literal> could allow an attacker to adversely affect other + traffic at the receiver, which is why the default is + <literal>out</literal>. Controlling this behavior is not supported by + all kernel interfaces. + ''; + start_action = mkEnumParam ["none" "trap" "start"] "none" '' Action to perform after loading the configuration. <itemizedlist> 
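Review bot: The new `copy_dscp` definition writes its enum list as `mkEnumParam [ "out" "in" "yes" "no" ]`, while the neighbouring `start_action` context line in the same hunk uses `mkEnumParam ["none" "trap" "start"]`; the file's style should be followed, e.g. `copy_dscp = mkEnumParam ["out" "in" "yes" "no"] "out" ''`. Separately, the `copy_df` text is ambiguous about which value disables Path MTU discovery — "This effectively disables PMTUD" follows a sentence about copying the DF bit, whereas presumably it is not copying it (`no`) that disables PMTUD; worth confirming against upstream before rewording, since operators tune this for fragmentation-related failures.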
@@ -1060,6 +1125,24 @@ in { defined in a unique section having the <literal>ike</literal> prefix. ''; + ppk = mkPrefixedAttrsOfParams { + secret = mkOptionalStrParam '' + Value of the PPK. It may either be an ASCII string, a hex encoded string + if it has a <literal>0x</literal> prefix or a Base64 encoded string if + it has a <literal>0s</literal> prefix in its value. Should have at least + 256 bits of entropy for 128-bit security. + ''; + + id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") '' + PPK identity the PPK belongs to. Multiple unique identities may be + specified, each having an <literal>id</literal> prefix, if a secret is + shared between multiple peers. + ''; + } '' + Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is + defined in a unique section having the <literal>ppk</literal> prefix. + ''; + private = mkPrefixedAttrsOfParams { file = mkOptionalStrParam '' File name in the private folder for which this passphrase should be used. |
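Review bot: The new `ppk.secret` option takes the key material as a literal string in the NixOS configuration, and nothing in its description tells the reader where that value ends up; if this module renders swanctl.conf into the Nix store like its other secret sections appear to, the PPK becomes world-readable on the host, which defeats the "256 bits of entropy" advice. This is consistent with the existing `ike` and `private` sections, so it is not a regression, but the description should state it explicitly, e.g. append `Note that this value is written into the generated configuration, so it is readable by anyone who can read that file.` (adjust the wording to wherever the module actually writes the file). The `ppk` section also sits inside a larger attribute set whose start is outside this hunk.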