feat(dhcp-inform): add provider architecture for flexible route sources

packaging/rpm/strongswan-sw.spec

@@ -77,12 +77,17 @@ Enables storing VPN user credentials and configuration in PostgreSQL.
 %package -n strongswan-dhcp-inform
 Summary:        DHCP INFORM responder plugin for strongSwan
 Requires:       strongswan-sw = %{version}-%{release}
-# dhcp-inform plugin stores/retrieves split-tunnel routes in PostgreSQL database
-Requires:       strongswan-pgsql = %{version}-%{release}
+# Database is optional - supports PostgreSQL/MySQL/SQLite via strongSwan SQL plugins
+Recommends:     strongswan-pgsql = %{version}-%{release}
 
 %description -n strongswan-dhcp-inform
-Responds to Windows DHCPINFORM requests with split-tunnel routes
-from PostgreSQL database. Delivers routes via DHCP option 121/249.
+Responds to Windows DHCPINFORM requests with split-tunnel routes.
+Delivers routes via DHCP option 121/249.
+
+Route sources (in priority order):
+1. Traffic Selectors - EXCLUSIVE mode for Windows 7 compatibility
+2. Database (PostgreSQL/MySQL/SQLite) - if configured
+3. Static configuration from strongswan.conf
 
 %prep
 %autosetup -n strongswan-%{upstream_version}-sw.%{sw_rev}

src/libcharon/plugins/dhcp_inform/Makefile.am

@@ -13,6 +13,10 @@ endif
 
 libstrongswan_dhcp_inform_la_SOURCES = \
 	dhcp_inform_plugin.h dhcp_inform_plugin.c \
-	dhcp_inform_responder.h dhcp_inform_responder.c
+	dhcp_inform_responder.h dhcp_inform_responder.c \
+	dhcp_inform_provider.h \
+	dhcp_inform_static_provider.h dhcp_inform_static_provider.c \
+	dhcp_inform_ts_provider.h dhcp_inform_ts_provider.c \
+	dhcp_inform_db_provider.h dhcp_inform_db_provider.c
 
 libstrongswan_dhcp_inform_la_LDFLAGS = -module -avoid-version

src/libcharon/plugins/dhcp_inform/dhcp-inform.conf

@@ -1,20 +1,79 @@
 # dhcp-inform plugin configuration
-# Responds to DHCPINFORM from Windows VPN clients with routes from database
+# Responds to DHCPINFORM from Windows VPN clients with split-tunnel routes
+#
+# PRIORITY-BASED ROUTE SELECTION (first available wins):
+# 1. Traffic Selectors - when use_ts_routes=yes
+# 2. Database - when database URI configured
+# 3. Static configuration - fallback when above unavailable
+#
+# Only ONE source is used per request. Multiple sources can be configured
+# for graceful fallback - highest-priority available source is selected.
 
 dhcp-inform {
     # Enable the plugin
     load = yes
 
-    # PostgreSQL database connection
-    # Same as attr-sql database
-    database = postgresql://vpn_strongswan:<PASSWORD>@localhost/vpn_admin
-
-    # VPN interface to listen on (optional, listens on all if not set)
-    interface = eth0
-
     # Server IP address (required - usually the VPN gateway IP)
     server = 172.16.69.1
 
+    # VPN interface to listen on (optional, listens on all if not set)
+    # interface = eth0
+
     # DNS server to advertise (optional)
-    dns = 172.16.69.1
+    # dns = 172.16.69.1
+
+    # =========================================================================
+    # MODE 1: Traffic Selector Routes (highest priority)
+    # =========================================================================
+    # Routes are extracted from IKE SA traffic selectors.
+    # Designed for Windows 7 compatibility (doesn't handle TS properly).
+    # When enabled, this source takes priority over database and static.
+    #
+    # use_ts_routes = yes
+
+    # =========================================================================
+    # MODE 2: Database Routes (second priority)
+    # =========================================================================
+    # Routes are queried from database by matching client IP to pool CIDR.
+    # Used when TS routes disabled. Takes priority over static routes.
+    # Works with PostgreSQL, MySQL, SQLite via strongSwan database abstraction.
+    #
+    # Requires VIEW v_pool_routes (pool_cidr TEXT, route TEXT):
+    #   - pool_cidr: CIDR notation (e.g., "10.0.0.0/8")
+    #   - route: route to push to clients in this pool
+    #
+    # database = pgsql://vpn_user:password@localhost/vpn_db
+    # database = mysql://vpn_user:password@localhost/vpn_db
+    # database = sqlite:///etc/strongswan/routes.db
+
+    # =========================================================================
+    # MODE 3: Static Routes (fallback)
+    # =========================================================================
+    # Used when TS routes disabled and no database configured.
+    #
+    # Global routes - apply to all clients not matching a specific pool:
+    #
+    # routes {
+    #     route1 = 10.0.0.0/8
+    #     route2 = 172.16.0.0/12
+    #     route3 = 192.168.0.0/16
+    # }
+    #
+    # Per-pool route overrides - clients matching pool CIDR get these instead:
+    #
+    # pools {
+    #     production {
+    #         cidr = 10.100.0.0/16
+    #         routes {
+    #             r1 = 192.168.1.0/24
+    #             r2 = 192.168.2.0/24
+    #         }
+    #     }
+    #     development {
+    #         cidr = 10.200.0.0/16
+    #         routes {
+    #             r1 = 10.50.0.0/16
+    #         }
+    #     }
+    # }
 }