diff -Naur libreswan-3.12-orig/Makefile.inc libreswan-3.12/Makefile.inc
--- libreswan-3.12-orig/Makefile.inc 2014-11-06 22:52:50.000000000 -0500
+++ libreswan-3.12/Makefile.inc 2015-04-28 23:18:45.781649956 -0400
@@ -176,7 +176,10 @@
OSMOD_DESTDIR?=net/ipsec
# What command to use to load the modules. openwrt does not have modprobe
-MODPROBE?=modprobe -q
+# Using -b enables blacklisting - this is needed for some known bad
+# versions of crypto acceleration modules.
+MODPROBEBIN?=modprobe
+MODPROBEARGS?=-q -b
### misc installation stuff
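Review bot: The new default `MODPROBEARGS?=-q -b` is only meaningful for modprobe, yet `MODPROBEBIN` is designed to be swapped out (the comment above notes openwrt lacks modprobe, and the `else` branch around _stackmanager's `basename "@MODPROBEBIN@"` check exists for a non-modprobe loader) — overriding `MODPROBEBIN` alone would still hand `-q -b` to that loader via `${MODPROBE}`. Whether a busybox-style modprobe accepts `-b` is also not established by the hunk. A comment making the coupling explicit would avoid a half-configured build: `# MODPROBEARGS assumes MODPROBEBIN is modprobe; override both together when using another loader.`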
@@ -521,7 +524,8 @@
-e "s:@IPSEC_EXECDIR@:$(FINALLIBEXECDIR):g" \
-e "s:@IPSEC_VARDIR@:$(FINALVARDIR):g" \
-e "s:@IPSEC_SBINDIR@:$(FINALSBINDIR):g" \
- -e "s:@MODPROBE@:$(MODPROBE):g" \
+ -e "s:@MODPROBEBIN@:$(MODPROBEBIN):g" \
+ -e "s:@MODPROBEARGS@:$(MODPROBEARGS):g" \
-e "s:@USE_DEFAULT_CONNS@:$(USE_DEFAULT_CONNS):g" \
# For KVM testing setup
diff -Naur libreswan-3.12-orig/programs/_stackmanager/_stackmanager.in libreswan-3.12/programs/_stackmanager/_stackmanager.in
--- libreswan-3.12-orig/programs/_stackmanager/_stackmanager.in 2014-11-06 22:52:50.000000000 -0500
+++ libreswan-3.12/programs/_stackmanager/_stackmanager.in 2015-04-28 23:16:25.709947026 -0400
@@ -2,7 +2,7 @@
# STACK startup script
# Copyright (C) 2007 Ken Bantoft <ken@xelerance.com>
# Copyright (C) 2007-2008 Paul Wouters <paul@xelerance.com>
-# Copyright (C) 2008-2014 Tuomo Soini <tis@foobar.fi>
+# Copyright (C) 2008-2015 Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2012-2014 Paul Wouters <paul@libreswan.org>
#
# This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
export PATH
test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
+MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"
kamepfkey=/proc/net/pfkey
ipsecpfkey=/proc/net/ipsec/version
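Review bot: `MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"` is deliberately expanded unquoted at every call site so the shell word-splits it into the binary plus its arguments, but nothing in the script says so, and a later cleanup that quotes `"${MODPROBE}"` would break module loading. A one-line comment above the assignment would protect the intent: `# binary plus arguments; intentionally left unquoted where used so it word-splits`. Note also that both values are spliced verbatim inside double quotes at build time, so a Makefile.inc value containing `"` or `$` would change the generated script rather than be passed literally.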
@@ -119,11 +120,11 @@
xfrm4_mode_beet esp4 esp6 ah4 ah6 af_key ip_vti
do
# echo -n "${mod} " >&2
- @MODPROBE@ ${mod} 2>/dev/null
+ ${MODPROBE} ${mod} 2>/dev/null
done
# xfrm_user is the old name for xfrm4_tunnel - backwards compatibility
- @MODPROBE@ xfrm_user 2>/dev/null
+ ${MODPROBE} xfrm_user 2>/dev/null
fi
# Required for Labeled IPsec
@@ -184,19 +185,19 @@
cryptomodules() {
# load hardware random and crypto related modules.
# some changed names over time
- @MODPROBE@ hw_random 2>/dev/null
- @MODPROBE@ hwrng 2>/dev/null
- @MODPROBE@ virtio-rng 2>/dev/null
- @MODPROBE@ amd-rng 2>/dev/null
- @MODPROBE@ intel-rng 2>/dev/null
- @MODPROBE@ geode-rng 2>/dev/null
- @MODPROBE@ timeriomem-rng 2>/dev/null
- @MODPROBE@ tpm-rng 2>/dev/null
+ ${MODPROBE} hw_random 2>/dev/null
+ ${MODPROBE} hwrng 2>/dev/null
+ ${MODPROBE} virtio-rng 2>/dev/null
+ ${MODPROBE} amd-rng 2>/dev/null
+ ${MODPROBE} intel-rng 2>/dev/null
+ ${MODPROBE} geode-rng 2>/dev/null
+ ${MODPROBE} timeriomem-rng 2>/dev/null
+ ${MODPROBE} tpm-rng 2>/dev/null
# load any OCF and CryptoAPI modules we might need for acceleration
# (OCF works for NETKEY and KLIPS/MAST)
# OCF cryptosoft is for kernel acceleration (ESP/AH)
- @MODPROBE@ cryptosoft 2>/dev/null
+ ${MODPROBE} cryptosoft 2>/dev/null
# We skip cryptodev.ko because we no longer support /dev/crypto offloading
# (the overhead of cryptodev is not worth it even on embedded platforms)
@@ -219,9 +220,9 @@
# padlock must load before aes module - though does not exist on newer
# kernels
# padlock-aes must load before padlock-sha for some reason
- @MODPROBE@ padlock 2>/dev/null
- @MODPROBE@ padlock-aes 2>/dev/null
- @MODPROBE@ padlock-sha 2>/dev/null
+ ${MODPROBE} padlock 2>/dev/null
+ ${MODPROBE} padlock-aes 2>/dev/null
+ ${MODPROBE} padlock-sha 2>/dev/null
# load the most common ciphers/algo's
# aes-x86_64 has higher priority in via crypto api
# kernel directory does not match uname -m on x86_64 :(
@@ -234,7 +235,7 @@
do
module=$(basename ${module} | sed "s/\.ko$//")
# echo -n "${module} " >&2
- @MODPROBE@ ${module} 2>/dev/null
+ ${MODPROBE} ${module} 2>/dev/null
done
}
@@ -264,10 +265,10 @@
;;
esac
# modprobe does not like specifying .o or .ko, but insmod needs it
- if [ "$(basename @MODPROBE@)" = "modprobe" ]; then
- @MODPROBE@ ipsec
+ if [ "$(basename "@MODPROBEBIN@")" = "modprobe" ]; then
+ ${MODPROBE} ipsec
else
- @MODPROBE@ ${modulename}
+ ${MODPROBE} ${modulename}
fi
if [ ! -f ${ipsecpfkey} ]; then
@@ -418,7 +419,12 @@
exit 4
fi
-stack="$(ipsec addconn --config ${IPSEC_CONF} --liststack)"
+if [ "$2" = "--netkey" ]; then
+ # manual override for use in docker
+ stack=netkey
+else
+ stack="$(ipsec addconn --config ${IPSEC_CONF} --liststack)"
+fi
case ${stack} in
netkey|klips|mast|none)
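Review bot: The new `--netkey` override is matched only by exact string and any other non-empty `$2` is silently ignored, so a typo such as `--netket` falls through to the `ipsec addconn --liststack` path with no diagnostic. If the flag is meant to be the only accepted second argument, rejecting other values would make misuse visible: `elif [ -n "$2" ]; then echo "unknown option: $2" >&2; exit 4`. The new option should also be mentioned in the script's usage text, which is outside this hunk.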
@@ -435,15 +441,18 @@
case ${action} in
stop)
- # We don't unload NETKEY/XFRM on stop - only when we detect a stack change.
+ # We don't unload NETKEY/XFRM on stop - only when we detect a stack
+ # change.
if [ -f ${ipsecpfkey} ]; then
ipsec eroute --clear
- # this clears all IP addresses on ipsecX interfaces by unloading the module
+ # this clears all IP addresses on ipsecX interfaces by
+ # unloading the module
stopklips
elif [ -f ${kamepfkey} ]; then
ip xfrm state flush
ip xfrm policy flush
- # module unloading skipped on purpose - can hang for a long time or fail
+ # module unloading skipped on purpose - can hang for a long
+ # time or fail
fi
;;
start)