Created attachment 200820: Ugly patch that loads swanctl.conf
Migrating from a legacy, stroke-based configuration to a modern, vici-based one (from ipsec.conf to swanctl.conf), I realized that the current rc script does not load the swanctl.conf file; instead, one has to manually invoke `swanctl --load-all` to start it.
I am attaching a very ugly patch to the strongswan.in file, however I am confident a more elegant solution will be implemented.
Like Jose, I too recently noticed that rc.d/strongswan had to be modified to load swanctl.conf, and made local changes to the service script. My version of the ugly patch and a test output are attached. It mostly passes rclint(8), except for the "one-line functions discouraged" errors, for which I haven't found a good solution. Please check the code carefully, since I'm new to FreeBSD ports. Thanks.
Created attachment 200947: Patch set #2 for security/strongswan
Created attachment 200948: strongswan service test output for patch #2
Created attachment 201047: Use a separate rc.d script
I guess it is better to use a separate rc.d script (as upstream does with systemd). The script is still ugly, but the idea is to load charon and then load the configuration using swanctl, avoiding the use of starter.
Created attachment 201171: Use a separate rc.d script
This version uses daemon(8) to handle charon.
(In reply to Jose Luis Duran from comment #5)
I will have a look at the script.
Nice work, Jose. I agree it's a step forward to manage charon under the BSD rc.d framework. Let me remove my hacked script from Attachments.
Now I think backwards compatibility is important for ipsec config migration. I've expanded on your earlier rc.d script and added support for enabling both rc.d/strongswan and rc.d/strongswan_swanctl simultaneously. I also added code to extra_commands for "reload statusall". rc.d/strongswan will start BEFORE (rclist(8)) rc.d/strongswan_swanctl for the reason noted in the code; I also changed the former to pass rclint.
One code digression is that mine removes the command_args "-r" to daemon(8). Upstream's systemd strongswan-swanctl does not auto-restart charon, nor do almost all BSD ports that use daemon(8). There could be an issue where ipsec starter.c's 5 sec auto-restart of charon affects BSD daemon(8)'s 1 sec auto-restart interval.
Also, between the charon invocation and the swanctl run, I introduced an up-to-5-sec wait loop for the charon.pid file. A fixed 1 sec wait could be just on the edge for that overloaded cloud VM.
Please find the revised "Patch set #2" and test output, attached. Thanks.
Created attachment 201208: Patch set type #2 for security/strongswan (rev 1)
Created attachment 201209: strongswan w/ strongswan_swanctl test output for patch set type #2
(In reply to Sam Chen from comment #7)
Thank you Sam! I agree with most of your suggestions. I think the maintainer will move this conversation over to Phabricator and we'll take it from there.
Thank you all!