4 files changed, 61 insertions, 3 deletions

diff --git a/collectors/charts.d.plugin/libreswan/Makefile.inc b/collectors/charts.d.plugin/libreswan/Makefile.inc
new file mode 100644
index 000000000..af767d0dd
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/Makefile.inc
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# THIS IS NOT A COMPLETE Makefile
+# IT IS INCLUDED BY ITS PARENT'S Makefile.am
+# IT IS REQUIRED TO REFERENCE ALL FILES RELATIVE TO THE PARENT
+
+# install these files
+dist_charts_DATA       += libreswan/libreswan.chart.sh
+dist_chartsconfig_DATA += libreswan/libreswan.conf
+
+# do not install these files, but include them in the distribution
+dist_noinst_DATA       += libreswan/README.md libreswan/Makefile.inc
+
diff --git a/collectors/charts.d.plugin/libreswan/README.md b/collectors/charts.d.plugin/libreswan/README.md
new file mode 100644
index 000000000..41026cf72
--- /dev/null
+++ b/collectors/charts.d.plugin/libreswan/README.md
@@ -0,0 +1,42 @@
+# libreswan
+
+The plugin will collects bytes-in, bytes-out and uptime for all established libreswan IPSEC tunnels.
+
+The following charts are created, **per tunnel**:
+
+1. **Uptime**
+
+ * the uptime of the tunnel
+
+2. **Traffic**
+
+ * bytes in
+ * bytes out
+
+### configuration
+
+Its config file is `/etc/netdata/charts.d/libreswan.conf`.
+
+The plugin executes 2 commands to collect all the information it needs:
+
+```sh
+ipsec whack --status
+ipsec whack --trafficstatus
+```
+
+The first command is used to extract the currently established tunnels, their IDs and their names.
+The second command is used to extract the current uptime and traffic.
+
+Most probably user `netdata` will not be able to query libreswan, so the `ipsec` commands will be denied.
+The plugin attempts to run `ipsec` as `sudo ipsec ...`, to get access to libreswan statistics.
+
+To allow user `netdata` execute `sudo ipsec ...`, create the file `/etc/sudoers.d/netdata` with this content:
+
+```
+netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --status
+netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --trafficstatus
+```
+
+Make sure the path `/sbin/ipsec` matches your setup (execute `which ipsec` to find the right path).
+
+---
diff --git a/charts.d/libreswan.chart.sh b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
index 30632e9ce..6e29f8473 100644
--- a/charts.d/libreswan.chart.sh
+++ b/collectors/charts.d.plugin/libreswan/libreswan.chart.sh
@@ -1,9 +1,10 @@
+# shellcheck shell=bash disable=SC1117
 # no need for shebang - this file is loaded from charts.d.plugin
+# SPDX-License-Identifier: GPL-3.0-or-later
 
 # netdata
 # real-time performance and health monitoring, done right!
 # (C) 2018 Costa Tsaousis <costa@tsaousis.gr>
-# GPL v3+
 #
 
 # _update_every is a special variable - it holds the number of seconds
@@ -60,7 +61,8 @@ libreswan_get() {
 	libreswan_connected_tunnels=()
 
 	# convert the ipsec command output to a shell script
-	# and source it to get the values
+        # and source it to get the values
+        # shellcheck disable=SC1090
 	source <(
 		{
 			libreswan_ipsec whack --status;
@@ -85,6 +87,7 @@ libreswan_check() {
 	require_cmd ipsec || return 1
 
 	# make sure it is libreswan
+	# shellcheck disable=SC2143
 	if [ -z "$(ipsec --version | grep -i libreswan)" ]
 	then
 	    error "ipsec command is not Libreswan. Disabling Libreswan plugin."
@@ -140,7 +143,7 @@ libreswan_update_one() {
 
 	[ -z "${id}" ] && libreswan_create_one "${name}"
 
-	uptime=$(( ${libreswan_now} - ${libreswan_established_add_time[${n}]} ))
+	uptime=$(( libreswan_now - libreswan_established_add_time[${n}] ))
 	[ ${uptime} -lt 0 ] && uptime=0
 
 		# write the result of the work.
diff --git a/conf.d/charts.d/libreswan.conf b/collectors/charts.d.plugin/libreswan/libreswan.conf
index 9b3ee77b7..9b3ee77b7 100644
--- a/conf.d/charts.d/libreswan.conf
+++ b/collectors/charts.d.plugin/libreswan/libreswan.conf