whitelist Plugin

Purpose

The whitelist plugin for libcharon checks a successfully authenticated peer identity against an in-memory whitelist. Only identities listed are allowed to connect wheras connection attempts with other identities get rejected using AUTHENTICATION_FAILED.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-whitelist

Implementation

Any identity successfully authenticated using any authentication method in every authentication round gets checked against a whitelist. Only whitelisted identities get accepted. The whitelist is held in-memory in a hashtable to have good lookup times. The whitelist is volatile and listed identities get lost during a daemon restart.

To manipulate the whitelist, a UNIX socket exports an interface to add/list/remove whitelisted identities. A simple command line frontend is provided to manipulate the whitelist.

Configuration

The whitelist plugin is configured using the following options in the charon.plugins.whitelist section of strongswan.conf:

Key Default Description

Key	Default	Description
enabled	`no`	Enable whitelist checking
socket		Socket provided by the whitelist plugin. `[unix://${piddir}/charon.wlst]`

enabled

no

Enable whitelist checking

socket

Socket provided by the whitelist plugin. [unix://${piddir}/charon.wlst]

This enabled option can be changed during runtime using the whitelist enable|disable commands (see below).

Manage Whitelist

The whitelist ipsec utility usually invoked by

/usr/libexec/ipsec/whitelist ...

can be used to manipulate the whitelist while the daemon is running. It supports the following operations:

Command Description

Command	Description
`whitelist add <identity>`	Add a single identity to the whitelist
`whitelist remove <identity>`	Remove a single identity from the whitelist
`whitelist add-from [<file>]`	Add identities read from a newline separated file, by default stdin
`whitelist remove-from [<file>]`	Remove identities read from a newline separated file, by default stdin
`whitelist flush [<pattern>]`	Flush identities from the whitelist, optionally matching an identity with wildcards
`whitelist list [<pattern>]`	List whitelisted identities, optionally matching an identity with wildcards
`whitelist enable`	Enable whitelist checking
`whitelist disable`	Disable whitelist checking

whitelist add <identity>

Add a single identity to the whitelist

whitelist remove <identity>

Remove a single identity from the whitelist

whitelist add-from [<file>]

Add identities read from a newline separated file, by default stdin

whitelist remove-from [<file>]

Remove identities read from a newline separated file, by default stdin

whitelist flush [<pattern>]

Flush identities from the whitelist, optionally matching an identity with wildcards

whitelist list [<pattern>]

List whitelisted identities, optionally matching an identity with wildcards

whitelist enable

Enable whitelist checking

whitelist disable

Disable whitelist checking

Socket interface

The whitelist socket interface definition can be found here: src/libcharon/plugins/whitelist/whitelist_msg.h.

The whitelist tool demonstrating how the interface can be used: src/libcharon/plugins/whitelist/whitelist.c