Added openconnect

net/openconnect/Config.in

@@ -0,0 +1,18 @@
+# openconnect avanced configuration
+
+menu "Configuration"
+	depends on PACKAGE_openconnect
+
+choice
+	prompt "SSL library"
+	default OPENCONNECT_GNUTLS
+
+config OPENCONNECT_GNUTLS
+	bool "GnuTLS support"
+
+config OPENCONNECT_OPENSSL
+	bool "OpenSSL"
+
+endchoice
+
+endmenu

net/openconnect/Makefile

@@ -0,0 +1,58 @@
+#
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=openconnect
+PKG_VERSION:=5.03
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
+PKG_MD5SUM:=ff43ed1dbaccd2537fd7c5bfb04295a6
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/openconnect/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/openconnect
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libxml2 +kmod-tun +resolveip +OPENCONNECT_OPENSSL:libopenssl +OPENCONNECT_GNUTLS:libgnutls
+  TITLE:=VPN client for Cisco's AnyConnect SSL VPN
+  URL:=http://www.infradead.org/openconnect/
+  SUBMENU:=VPN
+endef
+
+define Package/openconnect/description
+	A VPN client compatible with Cisco's AnyConnect SSL VPN and ocserv.
+
+        OpenConnect is a client for Cisco's AnyConnect SSL VPN, which is
+        supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800,
+        3800, 7200 Series and Cisco 7301 Routers.
+endef
+
+CONFIGURE_ARGS += \
+	--disable-shared \
+	--with-vpnc-script=/lib/netifd/vpnc-script
+
+ifeq ($(CONFIG_OPENCONNECT_OPENSSL),y)
+CONFIGURE_ARGS += \
+	--without-gnutls
+endif
+
+define Package/openconnect/install
+	$(INSTALL_DIR) $(1)/lib/netifd/proto
+	$(INSTALL_BIN) ./files/openconnect.sh $(1)/lib/netifd/proto/
+	$(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/openconnect $(1)/usr/sbin/
+endef
+
+$(eval $(call BuildPackage,openconnect))

net/openconnect/files/openconnect.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+. /lib/functions.sh
+. ../netifd-proto.sh
+init_proto "$@"
+
+proto_openconnect_init_config() {
+	proto_config_add_string "server"
+	proto_config_add_int "port"
+	proto_config_add_string "username"
+	proto_config_add_string "cookie"
+	proto_config_add_string "password"
+	no_device=1
+	available=1
+}
+
+proto_openconnect_setup() {
+	local config="$1"
+
+	json_get_vars server port username cookie password
+
+	grep -q tun /proc/modules || insmod tun
+
+	serv_addr=
+	for ip in $(resolveip -t 5 "$server"); do
+		proto_add_host_dependency "$config" "$server"
+		serv_addr=1
+	done
+	[ -n "$serv_addr" ] || {
+		echo "Could not resolve server address"
+		sleep 5
+		proto_setup_failed "$config"
+		exit 1
+	}
+
+	[ -n "$port" ] && port=":$port"
+
+	cmdline="$server$port -i vpn-$config --no-cert-check --non-inter --syslog --script /lib/netifd/vpnc-script"
+
+	[ -n "$cookie" ] && append cmdline "-C $cookie"
+	[ -n "$username" ] && append cmdline "-u $username"
+	[ -n "$password" ] && {
+		umask 077
+		pwfile="/var/run/openconnect-$config.passwd"
+		echo "$password" > "$pwfile"
+		append cmdline "--passwd-on-stdin"
+	}
+
+	proto_export INTERFACE="$config"
+	proto_run_command "$config" /usr/sbin/openconnect $cmdline <$pwfile
+}
+
+proto_openconnect_teardown() {
+	proto_kill_command "$config"
+}
+
+add_protocol openconnect

net/openconnect/files/vpnc-script

@@ -0,0 +1,156 @@
+#!/bin/sh
+# List of parameters passed through environment
+#* reason                       -- why this script was called, one of: pre-init connect disconnect
+#* VPNGATEWAY                   -- vpn gateway address (always present)
+#* TUNDEV                       -- tunnel device (always present)
+#* INTERNAL_IP4_ADDRESS         -- address (always present)
+#* INTERNAL_IP4_MTU             -- mtu (often unset)
+#* INTERNAL_IP4_NETMASK         -- netmask (often unset)
+#* INTERNAL_IP4_NETMASKLEN      -- netmask length (often unset)
+#* INTERNAL_IP4_NETADDR         -- address of network (only present if netmask is set)
+#* INTERNAL_IP4_DNS             -- list of dns servers
+#* INTERNAL_IP4_NBNS            -- list of wins servers
+#* INTERNAL_IP6_ADDRESS         -- IPv6 address
+#* INTERNAL_IP6_NETMASK         -- IPv6 netmask
+#* INTERNAL_IP6_DNS             -- IPv6 list of dns servers
+#* CISCO_DEF_DOMAIN             -- default domain name
+#* CISCO_BANNER                 -- banner from server
+#* CISCO_SPLIT_INC              -- number of networks in split-network-list
+#* CISCO_SPLIT_INC_%d_ADDR      -- network address
+#* CISCO_SPLIT_INC_%d_MASK      -- subnet mask (for example: 255.255.255.0)
+#* CISCO_SPLIT_INC_%d_MASKLEN   -- subnet masklen (for example: 24)
+#* CISCO_SPLIT_INC_%d_PROTOCOL  -- protocol (often just 0)
+#* CISCO_SPLIT_INC_%d_SPORT     -- source port (often just 0)
+#* CISCO_SPLIT_INC_%d_DPORT     -- destination port (often just 0)
+#* CISCO_IPV6_SPLIT_INC         -- number of networks in IPv6 split-network-list
+#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
+#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen
+
+# FIXMEs:
+
+# Section A: route handling
+
+# 1) The 3 values CISCO_SPLIT_INC_%d_PROTOCOL/SPORT/DPORT are currently being ignored
+#   In order to use them, we'll probably need os specific solutions
+#   * Linux: iptables -t mangle -I PREROUTING <conditions> -j ROUTE --oif $TUNDEV
+#       This would be an *alternative* to changing the routes (and thus 2) and 3)
+#       shouldn't be relevant at all)
+# 2) There are two different functions to set routes: generic routes and the
+#   default route. Why isn't the defaultroute handled via the generic route case?
+# 3) In the split tunnel case, all routes but the default route might get replaced
+#   without getting restored later. We should explicitely check and save them just
+#   like the defaultroute
+# 4) Replies to a dhcp-server should never be sent into the tunnel
+
+# Section B: Split DNS handling
+
+# 1) Maybe dnsmasq can do something like that
+# 2) Parse dns packets going out via tunnel and redirect them to original dns-server
+
+do_connect() {
+	if [ -n "$CISCO_BANNER" ]; then
+		echo "Connect Banner:"
+		echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done
+		echo
+	fi
+
+	proto_init_update "$TUNDEV" 1
+
+	if [ -n "$INTERNAL_IP4_MTU" ]; then
+		MTU=$INTERNAL_IP4_MTU
+	fi
+
+	if [ -z "$MTU" ]; then
+		MTU=1412
+	fi
+
+	proto_add_ipv4_address "$INTERNAL_IP4_ADDRESS" 32 "" "$INTERNAL_IP4_ADDRESS"
+
+	if [ -n "$INTERNAL_IP4_NETMASKLEN" ]; then
+		proto_add_ipv4_route "$INTERNAL_IP4_NETADDR" "$INTERNAL_IP4_NETMASKLEN"
+	fi
+
+	# If the netmask is provided, it contains the address _and_ netmask
+	if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
+	    INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
+	fi
+
+	if [ -n "$INTERNAL_IP6_NETMASK" ]; then
+		addr="${INTERNAL_IP6_NETMASK%%/*}"
+		mask="${INTERNAL_IP6_NETMASK##*/}"
+		[[ "$addr" != "$mask" ]] && proto_add_ipv6_address "$addr" "$mask"
+	fi
+
+	[ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
+	[ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
+
+	if [ -n "$CISCO_SPLIT_INC" ]; then
+		i=0
+		while [ $i -lt $CISCO_SPLIT_INC ] ; do
+			eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
+			eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
+			eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
+			if [ $NETWORK != "0.0.0.0" ]; then
+				proto_add_ipv4_route "$NETWORK" "$NETMASKLEN"
+			else
+				proto_add_ipv4_route "0.0.0.0" 0
+			fi
+			i=$(($i + 1))
+		done
+	elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
+		proto_add_ipv4_route "0.0.0.0" 0
+	fi
+	if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
+		i=0
+		while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
+			eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
+			eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
+			if [ $NETMASKLEN -lt 128 ]; then
+				proto_add_ipv6_route "$NETWORK" "$NETMASKLEN"
+			else
+				proto_add_ipv6_route "::0" 0
+			fi
+			i=$(($i + 1))
+		done
+	elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
+		proto_add_ipv6_route "::0" 0
+	fi
+	proto_send_update "$INTERFACE"
+}
+
+do_disconnect() {
+	proto_init_update "$TUNDEV" 0
+	proto_send_update "$INTERFACE"
+}
+
+#### Main
+
+if [ -z "$reason" ]; then
+	echo "this script must be called from vpnc" 1>&2
+	exit 1
+fi
+if [ -z "$INTERFACE" ]; then
+	echo "this script must be called for an active interface"
+	exit 1
+fi
+
+. /lib/netifd/netifd-proto.sh
+
+case "$reason" in
+	pre-init)
+		;;
+	connect)
+		do_connect
+		;;
+	disconnect)
+		do_disconnect
+		;;
+	reconnect)
+		;;
+	*)
+		echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
+		exit 1
+		;;
+esac
+
+exit 0