strongswan: fail on serious configuration errors
authorPhilip Prindeville <redacted>
Tue, 13 Apr 2021 04:42:05 +0000 (22:42 -0600)
committerPhilip Prindeville <redacted>
Tue, 13 Apr 2021 18:46:07 +0000 (12:46 -0600)
Signed-off-by: Philip Prindeville <redacted>
net/strongswan/files/swanctl.init

index 344518e3c875d79620042fb4d58b57df7375f842..692cc2bbe6749f574f16590dab9bc8fb0c4e8482 100644 (file)
@@ -17,6 +17,8 @@ SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
 
 WAIT_FOR_INTF=0
 
+CONFIG_FAIL=0
+
 time2seconds()
 {
        local timestring="$1"
@@ -128,6 +130,11 @@ warning() {
        echo "WARNING: $@" >&2
 }
 
+fatal() {
+       echo "ERROR: $@" >&2
+       CONFIG_FAIL=1
+}
+
 is_aead() {
        local cipher="$1"
 
@@ -150,7 +157,7 @@ add_esp_proposal() {
 
        # check for AEAD and clobber hash_algorithm if set
        if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
-               warning "Can't have $hash_algorithm with $encryption_algorithm"
+               fatal "Can't have $hash_algorithm with $encryption_algorithm"
                hash_algorithm=
        fi
 
@@ -182,7 +189,7 @@ add_ike_proposal() {
 
        # check for AEAD and clobber hash_algorithm if set
        if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
-               warning "Can't have $hash_algorithm with $encryption_algorithm"
+               fatal "Can't have $hash_algorithm with $encryption_algorithm"
                hash_algorithm=
        fi
 
@@ -245,7 +252,7 @@ config_conn() {
                # already using new syntax
                ;;
        *)
-               warning "Startaction $startaction unknown"
+               fatal "Startaction $startaction unknown"
                startaction=
                ;;
        esac
@@ -261,7 +268,7 @@ config_conn() {
                # already using new syntax
                ;;
        *)
-               warning "Closeaction $closeaction unknown"
+               fatal "Closeaction $closeaction unknown"
                closeaction=
                ;;
        esac
@@ -283,7 +290,7 @@ config_conn() {
                # already using new syntax
                ;;
        *)
-               warning "Dpdaction $dpdaction unknown"
+               fatal "Dpdaction $dpdaction unknown"
                dpdaction=
                ;;
        esac
@@ -378,7 +385,7 @@ config_remote() {
                # already using new syntax
                ;;
        *)
-               warning "Fragmentation $fragmentation not supported"
+               fatal "Fragmentation $fragmentation not supported"
                fragmentation=
                ;;
        esac
@@ -395,7 +402,7 @@ config_remote() {
        local ike_proposal
        parse_ike_proposal "$1" ike_proposal
 
-       [ -n "$firewall" ] && warning "Firewall not supported"
+       [ -n "$firewall" ] && fatal "Firewall not supported"
 
        swanctl_xappend0 "# config for $config_name"
        swanctl_xappend0 "connections {"
@@ -434,7 +441,7 @@ config_remote() {
        ikev2)
                swanctl_xappend2 "version = 2" ;;
        *)
-               warning "Keyexchange $keyexchange not supported"
+               fatal "Keyexchange $keyexchange not supported"
                keyexchange=
                ;;
        esac
@@ -489,7 +496,7 @@ config_remote() {
                        fi
                fi
        else
-               warning "AuthenticationMode $auth_mode not supported"
+               fatal "AuthenticationMode $auth_mode not supported"
        fi
 
        swanctl_xappend0 ""
@@ -593,6 +600,11 @@ start_service() {
 
        [ $WAIT_FOR_INTF -eq 1 ] && return
 
+       if [ $CONFIG_FAIL -ne 0 ]; then
+               procd_set_param error "Invalid configuration"
+               return
+       fi
+
        procd_open_instance
 
        procd_set_param command $PROG --daemon charon --nofork
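Review bot: `procd_set_param error` is issued before `procd_open_instance`, but procd records `error` as an instance attribute (an instance carrying errors is listed by `ubus call service list` and is refused start); written outside an instance the value is likely dropped, so the only trace of the invalid configuration would be the stderr message from fatal(). If that reading of procd is right, the fix is to wrap the call in an instance: `procd_open_instance`, `procd_set_param error "Invalid configuration"`, `procd_close_instance`, then `return`. Note also that the `WAIT_FOR_INTF` early return two lines above short-circuits this check, so in that path a broken configuration is never reported through procd either. start_service begins outside the hunk.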