WIP: resolve: add search domain and resolveconf path settings #744
base: master
I've no problem with that, but don't these other packages you mention provide a
That's not really what a search domain is, you are thinking about split-DNS (routing domain in systemd-resolved speak). Search domains are used as suffix for incomplete hostnames (e.g. makes
They typically do, but the resolve plugin currently uses
Yeah, so if you tell I'm happy to rename things, but technically what's being passed to
This all adds up to a working split-DNS, but it's quite messy. I'd be happy to move to
I guess that could be fixed with another symlink at that path (
The former wouldn't work if we'd still call the absolute path so we'd have to switch to calling it just as For instance, the Debian version only provides support for very limited arguments (e.g. no
Are you referring to the
Nice, does that support multiple domains? Because
No, that's OK (maybe make it
Ah, didn't know about that ticket. Would be great if there was an option to add DNS servers, domains etc. under a generic (i.e. non-interface) name.
The path in my case (NixOS) is
Agreed. This seems very fragile. I think my preference would be to either:
Either of these would allow
I actually set a configuration option in
I believe this does the same thing as
Yeah, it should. I'd like to support that in the plugin, I just need to add the conversion logic and test it.
Makes sense. I have yet to implement the resolv.conf handling.
I'd like to find a way to configure this per-connection. The closest thing I could find was
Sounds good to me, not sure about the error, might be simpler to just ignore
I wonder if
The option could just be documented to expect space-separated domain names, like it's documented for
What the radius plugin does is very specific to authentication methods (and required a lot of changes all over the place to support it). There are two relatively easy approaches that plugins may use if they want to make something connection-specific (based on the connection's name). Both use settings in strongswan.conf, not swanctl.conf and there are very few examples at the moment.
Not sure if doing either is worth the effort right now. We could easily add this at some point if there is a need for it (maybe until then we have some kind of facility to add plugin-usable key-value pairs in swanctl.conf).
Prefer the configured command over finding it at the default location over installing in the configured file. References #744
Note that the change that adds the
Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have the users @corngood on file. In order for us to review and merge your code, please contact the project maintainers via info@strongswan.org to get yourself added.
I'm just looking for feedback on this before I put any work into documentation/testing.
First, allowing the location of `resolvconf` to be specified. This is to help with non-FHS systems (NixOS in my case). An alternative here would be to depend on `$PATH`, but we'd then need to change how `use_resolvconf` is determined. Currently nixpkgs patches strongswan to depend directly on `openresolv`, but this doesn't account for other implementations of `resolvconf`, such as `systemd-resolved`.

Secondly, allow a search domain to be specified in the configuration fragment passed to `resolvconf`. Using this I can configure `resolvconf` to treat this as a private interface, which will in turn configure `dnsmasq` to use nameservers from charon only for the specified domain.