WAIT_FOR_INTF=0
+CONFIG_FAIL=0
+
time2seconds()
{
local timestring="$1"
echo "WARNING: $@" >&2
}
+fatal() {
+ echo "ERROR: $@" >&2
+ CONFIG_FAIL=1
+}
+
is_aead() {
local cipher="$1"
case "$cipher" in
aes*gcm*|aes*ccm*|aes*gmac*)
return 0 ;;
+ chacha20poly1305)
+ return 0 ;;
esac
return 1
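Review bot: `fatal()` at the top of this hunk copies the `echo "ERROR: $@" >&2` form from `warning()`; inside a quoted string the intended expansion is `$*`, so `echo "ERROR: $*" >&2` (ShellCheck SC2145), and the same fix applies to the existing `warning` line just above it. The function only records the failure in the global `CONFIG_FAIL` and returns, so every caller keeps running and keeps emitting configuration after reporting an error; a header comment would make that contract explicit, e.g. `# record a fatal config error; callers continue, the service start is suppressed once all config is parsed`. `warning()` and `is_aead()` are only partly visible in this hunk.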
# check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- warning "Can't have $hash_algorithm with $encryption_algorithm"
+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm=
fi
parse_esp_proposal() {
local conf="$1"
+ local var="$2"
+
local crypto=""
config_list_foreach "$conf" crypto_proposal add_esp_proposal
- echo "$crypto"
+ export -n "$var=$crypto"
}
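Review bot: `export -n "$var=$crypto"` on the last changed line writes the result into whatever name the caller passes as `$2`, and it only works because the caller has declared that variable in an enclosing scope; nothing rejects an empty or non-identifier `var`, in which case `export` fails or assigns to the wrong name. Since the old `echo "$crypto"` contract is gone, the out-parameter should be documented and guarded, e.g. `[ -n "$var" ] || { fatal "parse_esp_proposal: missing output variable"; return 1; }` right after `local var="$2"`, plus a comment such as `# $2: name of a variable declared by the caller; receives the proposal list` (presumably assigned in the caller's shell so that CONFIG_FAIL set by add_esp_proposal is not lost in a subshell — worth stating if so). The same applies to `parse_ike_proposal` in the hunk below.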
add_ike_proposal() {
# check for AEAD and clobber hash_algorithm if set
if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- warning "Can't have $hash_algorithm with $encryption_algorithm"
+ fatal "Can't have $hash_algorithm with $encryption_algorithm"
hash_algorithm=
fi
parse_ike_proposal() {
local conf="$1"
+ local var="$2"
+
local crypto=""
config_list_foreach "$conf" crypto_proposal add_ike_proposal
- echo "$crypto"
+ export -n "$var=$crypto"
}
config_conn() {
config_get if_id "$1" if_id ""
config_get rekeytime "$1" rekeytime ""
- local esp_proposal="$(parse_esp_proposal "$1")"
+ local esp_proposal
+ parse_esp_proposal "$1" esp_proposal
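Review bot: `local esp_proposal` on the new side is declared without a value; in dash-derived shells such as busybox ash a bare `local` inherits the variable's current value from the surrounding scope rather than clearing it, so if `parse_esp_proposal` ever returned without assigning, a stale proposal from an earlier connection handled in the same shell would be reused. `local esp_proposal=""` costs nothing and removes that dependency; the `ike_proposal` change further down has the same shape. `config_conn`'s body extends beyond this hunk.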
# translate from ipsec to swanctl
case "$startaction" in
# already using new syntax
;;
*)
- warning "Startaction $startaction unknown"
+ fatal "Startaction $startaction unknown"
startaction=
;;
esac
# already using new syntax
;;
*)
- warning "Closeaction $closeaction unknown"
+ fatal "Closeaction $closeaction unknown"
closeaction=
;;
esac
# already using new syntax
;;
*)
- warning "Dpdaction $dpdaction unknown"
+ fatal "Dpdaction $dpdaction unknown"
dpdaction=
;;
esac
# already using new syntax
;;
*)
- warning "Fragmentation $fragmentation not supported"
+ fatal "Fragmentation $fragmentation not supported"
fragmentation=
;;
esac
local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
}
- local ike_proposal="$(parse_ike_proposal "$1")"
+ local ike_proposal
+ parse_ike_proposal "$1" ike_proposal
- [ -n "$firewall" ] && warning "Firewall not supported"
+ [ -n "$firewall" ] && fatal "Firewall not supported"
swanctl_xappend0 "# config for $config_name"
swanctl_xappend0 "connections {"
ikev2)
swanctl_xappend2 "version = 2" ;;
*)
- warning "Keyexchange $keyexchange not supported"
+ fatal "Keyexchange $keyexchange not supported"
keyexchange=
;;
esac
fi
fi
else
- warning "AuthenticationMode $auth_mode not supported"
+ fatal "AuthenticationMode $auth_mode not supported"
fi
swanctl_xappend0 ""
[ $WAIT_FOR_INTF -eq 1 ] && return
+ if [ $CONFIG_FAIL -ne 0 ]; then
+ procd_set_param error "Invalid configuration"
+ return
+ fi
+
procd_open_instance
procd_set_param command $PROG --daemon charon --nofork