support to read /etc/ipsec.d/*.conf

dennisstritzke / ipsec_exporter

Prometheus exporter for IPsec metrics.

MIT License

51 stars 39 forks source link

support to read /etc/ipsec.d/*.conf #6

Closed danielmrosa closed 5 years ago

danielmrosa commented 5 years ago

Hi @dennisstritzke , Is there a way to configure support to read /etc/ipsec.d/*.conf ? instead of /etc/ipsec.conf ?

Thanks in advance,

dennisstritzke commented 5 years ago

Currently, you are only able to specify a different config file via the --collector.ipsec.conf flag. This won't enable you to load multiple configuration files.

Could you describe what kind of behaviour you would expect, if /etc/ipsec.d/*.conf would be supported? I am definitely open to implement this.

danielmrosa commented 5 years ago

Hi @dennisstritzke , I´m not sure if it´s a best practice nowadays but I´m used to create all my configuration files under /etc/ipsec.d to better management of configuration files. I think it will be very nice to support it!

Reference: https://libreswan.org/man/ipsec.conf.5.html

The intention of the include facility is mostly to permit keeping information on connections, or sets of connections, separate from the main configuration file. This permits such connection descriptions to be changed, copied to the other security gateways involved, etc., without having to constantly extract them from the configuration file and then insert them back into it. Note also the also and alsoflip parameters (described below) which permit splitting a single logical section (e.g. a connection description) into several distinct sections.

Thanks!

dennisstritzke commented 5 years ago

That sound absolutely reasonable. I also think that these approaches should be supported. I will start work on this in the near future.

dennisstritzke commented 5 years ago

@danielmrosa, now I changed the exporter to follow all include directives in the IPsec config files. You are also able to specify, which config file to start parsing by using the --collector.ipsec.conf flag. Does this address your requirement?

danielmrosa commented 5 years ago

Hi @dennisstritzke , I really appreciate it. I will try it as soon as possible and let you know. Thanks a lot!

dennisstritzke commented 5 years ago

I released version 0.3 of the exporter, which includes the change of this issue. Please be aware of the breaking changes.

I am closing this issue as the functionality is released. But I am still very much interested in you feedback.