]>
Commit | Line | Data |
---|---|---|
3eae7bed JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | VPN_SECURITY_POLICIES_CONFIG_SETTINGS="CIPHER COMPRESSION GROUP_TYPE INTEGRITY KEY_EXCHANGE LIFETIME PFS" | |
23 | VPN_SECURITY_POLICIES_READONLY="system" | |
24 | ||
6fdbda80 MT |
25 | VPN_DEFAULT_SECURITY_POLICY="system" |
26 | ||
3eae7bed JS |
27 | VPN_SUPPORTED_CIPHERS="AES192 AES256 AES512" |
28 | VPN_SUPPORTED_INTEGRITY="SHA512 SHA256 SHA128" | |
29 | VPN_SUPPORTED_GROUP_TYPES="MODP8192 MODP4096" | |
30 | ||
6740c9c5 MT |
31 | # This functions checks if a policy is readonly |
32 | # returns true when yes and false when no | |
3eae7bed | 33 | vpn_security_policies_check_readonly() { |
3eae7bed JS |
34 | if isoneof name ${VPN_SECURITY_POLICIES_READONLY}; then |
35 | return ${EXIT_TRUE} | |
36 | else | |
37 | return ${EXIT_FALSE} | |
38 | fi | |
39 | } | |
40 | ||
6740c9c5 | 41 | # This function writes all values to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 42 | vpn_security_policies_write_config() { |
3eae7bed JS |
43 | assert [ $# -ge 1 ] |
44 | ||
45 | local name="${1}" | |
46 | ||
6740c9c5 | 47 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
48 | log ERROR "No such vpn security policy: ${name}" |
49 | return ${EXIT_ERROR} | |
50 | fi | |
51 | ||
6740c9c5 | 52 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
53 | log ERROR "The ${name} vpn security policy cannot be changed." |
54 | return ${EXIT_ERROR} | |
55 | fi | |
56 | ||
6740c9c5 | 57 | local path="$(vpn_security_policies_path "${name}")" |
3eae7bed JS |
58 | if [ ! -w ${path} ]; then |
59 | log ERROR "${path} is not writeable" | |
60 | return ${EXIT_ERROR} | |
61 | fi | |
62 | ||
63 | if ! settings_write "${path}" ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}; then | |
64 | log ERROR "Could not write configuration settings for vpn security policy ${name}" | |
65 | return ${EXIT_ERROR} | |
66 | fi | |
67 | ||
68 | # TODO everytime we successfully write a config we should call some trigger to take the changes into effect | |
69 | } | |
70 | ||
6740c9c5 | 71 | # This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file |
3eae7bed | 72 | vpn_security_policies_write_config_key() { |
3eae7bed | 73 | assert [ $# -ge 3 ] |
6740c9c5 | 74 | |
3eae7bed JS |
75 | local name=${1} |
76 | local key=${2} | |
77 | shift 2 | |
6740c9c5 | 78 | |
3eae7bed JS |
79 | local value="$@" |
80 | ||
6740c9c5 | 81 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
82 | log ERROR "No such vpn security policy: ${name}" |
83 | return ${EXIT_ERROR} | |
84 | fi | |
85 | ||
86 | log DEBUG "Set '${key}' to new value '${value}' in vpn security policy ${name}" | |
87 | ||
88 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
89 | ||
90 | # Read the config settings | |
6740c9c5 | 91 | if ! vpn_security_policies_read_config "${name}"; then |
3eae7bed JS |
92 | return ${EXIT_ERROR} |
93 | fi | |
94 | ||
95 | # Set the key to a new value | |
96 | assign "${key}" "${value}" | |
97 | ||
6740c9c5 | 98 | if ! vpn_security_policies_write_config "${name}"; then |
3eae7bed JS |
99 | return ${EXIT_ERROR} |
100 | fi | |
101 | ||
102 | return ${EXIT_TRUE} | |
3eae7bed JS |
103 | } |
104 | ||
6740c9c5 | 105 | # Reads one or more keys out of a settings file or all if no key is provided. |
3eae7bed | 106 | vpn_security_policies_read_config() { |
3eae7bed JS |
107 | assert [ $# -ge 1 ] |
108 | ||
109 | local name="${1}" | |
110 | shift 1 | |
111 | ||
6740c9c5 | 112 | if ! vpn_security_policy_exists "${name}"; then |
3eae7bed JS |
113 | log ERROR "No such vpn security policy: ${name}" |
114 | return ${EXIT_ERROR} | |
115 | fi | |
116 | ||
117 | ||
118 | local args | |
119 | if [ $# -eq 0 ] && [ -n "${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}" ]; then | |
120 | list_append args ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
121 | else | |
122 | list_append args $@ | |
123 | fi | |
124 | ||
125 | local path="$(vpn_security_policies_path ${name})" | |
126 | ||
127 | if ! settings_read "${path}" ${args}; then | |
128 | log ERROR "Could not read settings for vpn security policy ${name}" | |
129 | return ${EXIT_ERROR} | |
130 | fi | |
131 | } | |
132 | ||
6740c9c5 | 133 | # Returns the path to a the configuration fora given name |
3eae7bed | 134 | vpn_security_policies_path() { |
3eae7bed | 135 | assert [ $# -eq 1 ] |
6740c9c5 | 136 | |
3eae7bed JS |
137 | local name=${1} |
138 | ||
6740c9c5 | 139 | if vpn_security_policies_check_readonly "${name}"; then |
3eae7bed JS |
140 | echo "${NETWORK_SHARE_DIR}/vpn/security-policies/${name}" |
141 | else | |
142 | echo "${NETWORK_CONFIG_DIR}/vpn/security-policies/${name}" | |
143 | fi | |
144 | } | |
145 | ||
6740c9c5 | 146 | # Print the content of a vpn security policy configuration file in a nice way |
3eae7bed | 147 | vpn_security_policies_show() { |
3eae7bed | 148 | assert [ $# -eq 1 ] |
6740c9c5 | 149 | |
3eae7bed JS |
150 | local name=${1} |
151 | ||
152 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
3eae7bed JS |
153 | if ! vpn_security_policies_read_config ${name}; then |
154 | return ${EXIT_ERROR} | |
155 | fi | |
156 | ||
157 | cli_print_fmt1 0 "Security Policy: ${name}" | |
158 | cli_space | |
159 | ||
160 | # This could be done in a loop but a loop is much more complicated | |
161 | # because we print 'Group Types' but the variable is named 'GROUP_TYPES' | |
162 | cli_print_fmt1 1 "Ciphers:" | |
163 | cli_print_fmt1 2 "${CIPHER}" | |
164 | cli_space | |
6740c9c5 | 165 | |
3eae7bed JS |
166 | cli_print_fmt1 1 "Integrity:" |
167 | cli_print_fmt1 2 "${INTEGRITY}" | |
168 | cli_space | |
6740c9c5 | 169 | |
3eae7bed JS |
170 | cli_print_fmt1 1 "Group Types:" |
171 | cli_print_fmt1 2 "${GROUP_TYPE}" | |
172 | cli_space | |
173 | ||
174 | cli_print_fmt1 1 "Key Exchange:" "${KEY_EXCHANGE}" | |
6740c9c5 MT |
175 | |
176 | # Key Lifetime | |
3eae7bed JS |
177 | if isinteger LIFETIME && [ ${LIFETIME} -gt 0 ]; then |
178 | cli_print_fmt1 1 "Key Lifetime:" "$(format_time ${LIFETIME})" | |
179 | else | |
180 | log ERROR "The value for Key Lifetime is not a valid integer greater zero." | |
181 | fi | |
6740c9c5 MT |
182 | |
183 | # PFS | |
3eae7bed JS |
184 | if enabled PFS; then |
185 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "enabled" | |
186 | else | |
187 | cli_print_fmt1 1 "Perfect Forward Secrecy:" "disabled" | |
188 | fi | |
189 | cli_space | |
6740c9c5 MT |
190 | |
191 | # Compression | |
3eae7bed JS |
192 | if enabled COMPRESSION; then |
193 | cli_print_fmt1 1 "Compression:" "enabled" | |
194 | else | |
195 | cli_print_fmt1 1 "Compression:" "disabled" | |
196 | fi | |
197 | cli_space | |
198 | } | |
199 | ||
6740c9c5 MT |
200 | # This function checks if a vpn security policy exists |
201 | # Returns True when yes and false when not | |
3eae7bed | 202 | vpn_security_policy_exists() { |
3eae7bed | 203 | assert [ $# -eq 1 ] |
6740c9c5 | 204 | |
3eae7bed JS |
205 | local name=${1} |
206 | ||
6740c9c5 MT |
207 | local path=$(vpn_security_policies_path "${name}") |
208 | ||
209 | [ -f ${path} ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
3eae7bed JS |
210 | } |
211 | ||
212 | ||
6740c9c5 | 213 | # This function parses the parameters for the 'cipher' command |
3eae7bed | 214 | vpn_security_policies_cipher(){ |
3eae7bed JS |
215 | local name=${1} |
216 | shift | |
217 | ||
218 | if [ $# -eq 0 ]; then | |
219 | log ERROR "You must pass at least one value after cipher" | |
220 | return ${EXIT_ERROR} | |
221 | fi | |
222 | ||
223 | local CIPHER | |
3eae7bed JS |
224 | if ! vpn_security_policies_read_config ${name} "CIPHER"; then |
225 | return ${EXIT_ERROR} | |
226 | fi | |
227 | ||
228 | # Remove duplicated entries to proceed the list safely | |
229 | CIPHER="$(list_unique ${CIPHER})" | |
230 | ||
231 | while [ $# -gt 0 ]; do | |
232 | case "${1}" in | |
233 | -*) | |
234 | value=${1#-} | |
235 | # Check if the cipher is in the list of ciphers and | |
236 | # check if the list has after removing this cipher at least one valid value | |
237 | if list_match ${value} ${CIPHER}; then | |
238 | list_remove CIPHER ${value} | |
239 | else | |
240 | # We do not break here because this error does not break the processing of the next maybe valid values. | |
241 | log ERROR "Can not remove ${value} from the list of Ciphers because ${value} is not in the list." | |
242 | fi | |
243 | ;; | |
244 | +*) | |
245 | value=${1#+} | |
246 | # Check if the Ciphers is in the list of supported ciphers. | |
247 | if ! isoneof value ${VPN_SUPPORTED_CIPHERS}; then | |
248 | # We do not break here because this error does not break the processing of the next maybe valid values. | |
249 | log ERROR "${value} is not a supported cipher and can thats why not added to the list of ciphers." | |
250 | else | |
251 | if list_match ${value} ${CIPHER}; then | |
252 | log WARNING "${value} is already in the list of ciphers of this policy." | |
253 | else | |
254 | list_append CIPHER ${value} | |
255 | fi | |
256 | fi | |
257 | ;; | |
258 | esac | |
259 | shift | |
260 | done | |
261 | ||
262 | # Check if the list contain at least one valid cipher | |
263 | if [ $(list_length ${CIPHER}) -ge 1 ]; then | |
264 | if ! vpn_security_policies_write_config_key ${name} "CIPHER" ${CIPHER}; then | |
265 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
266 | fi | |
267 | else | |
268 | log ERROR "After proceding all ciphers the list is empty and thats why no changes are written." | |
269 | return ${EXIT_ERROR} | |
270 | fi | |
271 | } | |
272 | ||
6740c9c5 | 273 | # This function parses the parameters for the 'compression' command |
3eae7bed | 274 | vpn_security_policies_compression(){ |
3eae7bed JS |
275 | local name=${1} |
276 | local value=${2} | |
277 | ||
278 | # Check if we get only one argument after compression <name> | |
279 | if [ ! $# -eq 2 ]; then | |
280 | log ERROR "The number of arguments do not match. Only one argument after compression is allowed." | |
281 | return ${EXIT_ERROR} | |
282 | fi | |
283 | ||
284 | if ! isbool value; then | |
285 | # We suggest only two values to avoid overburding the user. | |
286 | log ERROR "Invalid Argument ${value}" | |
287 | return ${EXIT_ERROR} | |
288 | fi | |
289 | ||
290 | vpn_security_policies_write_config_key "${name}" "COMPRESSION" "${value}" | |
291 | } | |
292 | ||
6740c9c5 | 293 | # This function parses the parameters for the 'group-type' command |
3eae7bed | 294 | vpn_security_policies_group_type(){ |
3eae7bed JS |
295 | local name=${1} |
296 | shift | |
297 | ||
298 | if [ $# -eq 0 ]; then | |
299 | log ERROR "You must pass at least one value after group-type" | |
300 | return ${EXIT_ERROR} | |
301 | fi | |
302 | ||
303 | local GROUP_TYPE | |
3eae7bed JS |
304 | if ! vpn_security_policies_read_config ${name} "GROUP_TYPE"; then |
305 | return ${EXIT_ERROR} | |
306 | fi | |
307 | ||
308 | # Remove duplicated entries to proceed the list safely | |
309 | GROUP_TYPE="$(list_unique ${GROUP_TYPE})" | |
310 | ||
311 | while [ $# -gt 0 ]; do | |
312 | case "${1}" in | |
313 | -*) | |
314 | value=${1#-} | |
315 | # Check if the group type is in the list of group types and | |
316 | # check if the list has after removing this group type at leatst one valid value | |
317 | if list_match ${value} ${GROUP_TYPE}; then | |
318 | list_remove GROUP_TYPE ${value} | |
319 | else | |
320 | # We do not break here because this error does not break the processing of the next maybe valid values. | |
321 | log ERROR "Can not remove ${value} from the list of group types because ${value} is not in the list." | |
322 | fi | |
323 | ;; | |
324 | +*) | |
325 | value=${1#+} | |
326 | # Check if the group type is in the list of supported group types. | |
327 | if ! isoneof value ${VPN_SUPPORTED_GROUP_TYPES}; then | |
328 | # We do not break here because the processing of other maybe valid values are indepent from this error. | |
329 | log ERROR "${value} is not a supported group type and can thats why not added to the list of group types." | |
330 | else | |
331 | if list_match ${value} ${GROUP_TYPE}; then | |
332 | log WARNING "${value} is already in the list of group-types of this policy." | |
333 | else | |
334 | list_append GROUP_TYPE ${value} | |
335 | fi | |
336 | fi | |
337 | ;; | |
338 | esac | |
339 | shift | |
340 | done | |
341 | ||
342 | # Check if the list contain at least one valid group-type | |
343 | if [ $(list_length ${GROUP_TYPE}) -ge 1 ]; then | |
344 | if ! vpn_security_policies_write_config_key ${name} "GROUP_TYPE" ${GROUP_TYPE}; then | |
345 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
346 | fi | |
347 | else | |
348 | log ERROR "After proceding all group types the list is empty and thats why no changes are written." | |
349 | return ${EXIT_ERROR} | |
350 | fi | |
351 | } | |
6740c9c5 MT |
352 | |
353 | # This function parses the parameters for the 'integrity' command | |
3eae7bed | 354 | vpn_security_policies_integrity(){ |
3eae7bed JS |
355 | local name=${1} |
356 | shift | |
357 | ||
358 | if [ $# -eq 0 ]; then | |
359 | log ERROR "You must pass at least one value after integrity." | |
360 | return ${EXIT_ERROR} | |
361 | fi | |
362 | ||
363 | local INTEGRITY | |
3eae7bed JS |
364 | if ! vpn_security_policies_read_config ${name} "INTEGRITY"; then |
365 | return ${EXIT_ERROR} | |
366 | fi | |
367 | ||
368 | # Remove duplicated entries to proceed the list safely | |
369 | INTEGRITY="$(list_unique ${INTEGRITY})" | |
370 | ||
371 | while [ $# -gt 0 ]; do | |
372 | case "${1}" in | |
373 | -*) | |
374 | value=${1#-} | |
375 | # Check if the integrity hash is in the list of integrity hashes and | |
376 | # check if the list has after removing this integrity hash at least one valid value | |
377 | if list_match ${value} ${INTEGRITY}; then | |
378 | list_remove INTEGRITY ${value} | |
379 | else | |
380 | # We do not break here because the processing of other maybe valid values are indepent from this error. | |
381 | log ERROR "Can not remove ${value} from the list of integrity hashes because ${value} is not in the list." | |
382 | fi | |
383 | ;; | |
384 | +*) | |
385 | value=${1#+} | |
386 | # Check if the Ciphers is in the list of supported integrity hashes. | |
387 | if ! isoneof value ${VPN_SUPPORTED_INTEGRITY}; then | |
388 | # We do not break here because the processing of other maybe valid values are indepent from this error. | |
389 | log ERROR "${value} is not a supported integrity hash and can thats why not added to the list of integrity hashes." | |
390 | else | |
391 | if list_match ${value} ${INTEGRITY}; then | |
392 | log WARNING "${value} is already in the list of integrety hashes of this policy." | |
393 | else | |
394 | list_append INTEGRITY ${value} | |
395 | fi | |
396 | fi | |
397 | ;; | |
398 | esac | |
399 | shift | |
400 | done | |
401 | ||
402 | # Check if the list contain at least one valid group-type | |
403 | if [ $(list_length ${INTEGRITY}) -ge 1 ]; then | |
404 | if ! vpn_security_policies_write_config_key ${name} "INTEGRITY" ${INTEGRITY}; then | |
405 | log ERROR "The changes for the vpn security policy ${name} could not be written." | |
406 | fi | |
407 | else | |
408 | log ERROR "After proceding all integrity hashes the list is empty and thats why no changes are written." | |
409 | return ${EXIT_ERROR} | |
410 | fi | |
3eae7bed JS |
411 | } |
412 | ||
6740c9c5 | 413 | # This function parses the parameters for the 'key-exchange' command |
3eae7bed | 414 | vpn_security_policies_key_exchange() { |
3eae7bed JS |
415 | local name=${1} |
416 | local value=${2} | |
6740c9c5 | 417 | |
3eae7bed JS |
418 | # Check if we get only one argument after key-exchange <name> |
419 | if [ ! $# -eq 2 ]; then | |
420 | log ERROR "The number of arguments do not match. Only argument after key-exchange is allowed." | |
421 | return ${EXIT_ERROR} | |
422 | fi | |
423 | ||
3eae7bed JS |
424 | if ! isoneof value "ikev1" "ikev2" "IKEV1" "IKEV2"; then |
425 | log ERROR "Invalid Argument ${value}" | |
426 | return ${EXIT_ERROR} | |
427 | fi | |
428 | ||
429 | vpn_security_policies_write_config_key "${name}" "KEY_EXCHANGE" "${value,,}" | |
430 | } | |
431 | ||
6740c9c5 | 432 | # This function parses the parameters for the 'lifetime' command. |
3eae7bed | 433 | vpn_security_policies_lifetime(){ |
3eae7bed JS |
434 | local name=${1} |
435 | shift | |
6740c9c5 | 436 | |
3eae7bed JS |
437 | local value=$@ |
438 | ||
439 | # Check if we get only one argument after lifetime <name> | |
440 | if [ ! $# -ge 1 ]; then | |
441 | log ERROR "The number of arguments do not match you must provide at least one integer value or a valid time with the format <hours>h <minutes>m <seconds>s" | |
442 | return ${EXIT_ERROR} | |
443 | fi | |
444 | ||
445 | if ! isinteger value; then | |
446 | value=$(parse_time $@) | |
447 | if [ ! $? -eq 0 ]; then | |
448 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
449 | return ${EXIT_ERROR} | |
450 | fi | |
451 | fi | |
452 | ||
453 | if [ ${value} -le 0 ]; then | |
454 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
455 | return ${EXIT_ERROR} | |
456 | fi | |
457 | ||
458 | vpn_security_policies_write_config_key "${name}" "LIFETIME" "${value}" | |
459 | } | |
460 | ||
6740c9c5 | 461 | # This function parses the parameters for the 'pfs' command |
3eae7bed | 462 | vpn_security_policies_pfs(){ |
3eae7bed JS |
463 | local name=${1} |
464 | local value=${2} | |
465 | ||
466 | # Check if we get only one argument after pfs <name> | |
467 | if [ ! $# -eq 2 ]; then | |
468 | log ERROR "The number of arguments do not match. Only argument after pfs is allowed." | |
469 | return ${EXIT_ERROR} | |
470 | fi | |
471 | ||
472 | if [ ! $# -eq 2 ] || ! isbool value; then | |
473 | # We suggest only two values to avoid overburding the user. | |
474 | log ERROR "Invalid Argument ${value}" | |
475 | return ${EXIT_ERROR} | |
476 | fi | |
477 | ||
478 | vpn_security_policies_write_config_key "${name}" "PFS" "${value}" | |
479 | } | |
480 | ||
6740c9c5 MT |
481 | # This function checks if a vpn security policy name is valid |
482 | # Allowed are only A-Za-z0-9 | |
3eae7bed | 483 | vpn_security_policies_check_name() { |
3eae7bed | 484 | assert [ $# -eq 1 ] |
6740c9c5 | 485 | |
3eae7bed | 486 | local name=${1} |
6740c9c5 | 487 | |
3eae7bed JS |
488 | [[ ${name} =~ [^[:alnum:]$] ]] |
489 | } | |
490 | ||
6740c9c5 | 491 | # Function that creates based on the paramters one ore more new vpn security policies |
3eae7bed | 492 | vpn_security_policies_new() { |
58aa0edf MT |
493 | if [ $# -gt 1 ]; then |
494 | error "Too many arguments" | |
3eae7bed JS |
495 | return ${EXIT_ERROR} |
496 | fi | |
497 | ||
58aa0edf MT |
498 | local name="${1}" |
499 | if ! isset name; then | |
500 | error "Please provide a name" | |
501 | return ${EXIT_ERROR} | |
502 | fi | |
3eae7bed | 503 | |
58aa0edf MT |
504 | # Check for duplicates |
505 | if vpn_security_policy_exists "${name}"; then | |
506 | error "The VPN security policy with name ${name} already exists" | |
507 | return ${EXIT_ERROR} | |
508 | fi | |
3eae7bed | 509 | |
58aa0edf MT |
510 | # Check if name is valid |
511 | if vpn_security_policies_check_name "${name}"; then | |
512 | error "'${name}' contains illegal characters" | |
513 | return ${EXIT_ERROR} | |
514 | fi | |
3eae7bed | 515 | |
58aa0edf MT |
516 | # Check if we have a read-only policy with the same name |
517 | if vpn_security_policies_check_readonly "${name}"; then | |
518 | error "The VPN security policy ${name} is read-only" | |
519 | return ${EXIT_ERROR} | |
520 | fi | |
521 | ||
6fdbda80 MT |
522 | # Check if our source policy exists |
523 | if ! vpn_security_policy_exists "${VPN_DEFAULT_SECURITY_POLICY}"; then | |
524 | error "Default VPN Security Policy '${VPN_DEFAULT_SECURITY_POLICY}' does not exist" | |
525 | return ${EXIT_ERROR} | |
526 | fi | |
527 | ||
58aa0edf MT |
528 | log DEBUG "Creating VPN Security Policy ${name}" |
529 | ||
6fdbda80 | 530 | if copy "$(vpn_security_policies_path "${VPN_DEFAULT_SECURITY_POLICY}")" "$(vpn_security_policies_path ${name})"; then |
58aa0edf MT |
531 | log INFO "VPN Security Policy ${name} successfully created" |
532 | else | |
533 | log ERROR "Could not create VPN Security Policy ${name}" | |
534 | return ${EXIT_ERROR} | |
535 | fi | |
c787fea5 MT |
536 | |
537 | # Show the newly created policy | |
538 | vpn_security_policies_show "${name}" | |
3eae7bed JS |
539 | } |
540 | ||
6740c9c5 | 541 | # Function that deletes based on the passed parameters one ore more vpn security policies |
3eae7bed | 542 | vpn_security_policies_destroy() { |
3eae7bed JS |
543 | local name |
544 | for name in $@; do | |
545 | if ! vpn_security_policy_exists ${name}; then | |
546 | log ERROR "The vpn security policy ${name} does not exist." | |
547 | continue | |
548 | fi | |
549 | ||
550 | if vpn_security_policies_check_readonly ${name}; then | |
551 | log ERROR "The vpn security policy ${name} cannot be deleted." | |
552 | continue | |
553 | fi | |
554 | ||
555 | log DEBUG "Deleting vpn security policy ${name}" | |
556 | settings_remove $(vpn_security_policies_path ${name}) | |
557 | done | |
558 | } |