From c00c5e5a354ecda93d1db58aa6055ebe289f381c Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 16 Dec 2021 16:51:04 +0100
Subject: [PATCH] vici: Make combination of 'trap' and 'start' configurable
---
 src/libcharon/plugins/vici/vici_config.c | 9 +++++++++
 src/swanctl/swanctl.opt | 12 ++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 2c570c69b6..a7cd7f9d5e 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1011,6 +1011,7 @@ CALLBACK(parse_action, bool,
 		{ "none", ACTION_NONE },
 		{ "clear", ACTION_NONE },
 	};
+	char buf[BUF_LEN];
 	int d;
 
 	if (parse_map(map, countof(map), &d, v))
@@ -1018,6 +1019,14 @@ CALLBACK(parse_action, bool,
 		*out = d;
 		return TRUE;
 	}
+	if (!vici_stringify(v, buf, sizeof(buf)))
+	{
+		return FALSE;
+	}
+	if (enum_flags_from_string(action_names, buf, out))
+	{
+		return TRUE;
+	}
 	return FALSE;
 }
 
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 0ae9d45790..082bf4cbb0 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -885,7 +885,8 @@ connections..children..dpd_action = clear Action to perform for this CHILD_SA on DPD timeout. The default _clear_ closes the CHILD_SA and does not take further action. _trap_ installs a trap policy, which will catch matching traffic and tries to re-negotiate - the tunnel on-demand. _restart_ immediately tries to re-negotiate the + the tunnel on-demand (note that this is redundant if **start_action** + includes _trap_). _restart_ immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA. connections..children..ipcomp = no
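Review bot: The fallback added after the parse_map() check in the second vici_config.c hunk appears to accept any `|`-combination that enum_flags_from_string() can build from the action names, not only `trap|start`, and nothing in the new branch rejects combinations that make no sense for the key being parsed; if parse_action is also the parser behind dpd_action and close_action (their callers are outside the hunk), those keys silently gain combined values that swanctl.opt documents only for start_action. A short comment would make the intent visible to the next reader, e.g. `/* not a plain keyword: try flag syntax such as "trap|start" */` above the vici_stringify() call. As a point of style, the trailing if/return TRUE/return FALSE pair collapses to `return enum_flags_from_string(action_names, buf, out);`. parse_action begins before this hunk, so its signature and the keyword table are not visible here.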
@@ -1075,19 +1076,22 @@ connections..children..start_action = none The value _trap_ installs a trap policy, which triggers the tunnel as soon as matching traffic has been detected. The value _start_ initiates - the connection actively. + the connection actively. These two modes can be combined with _trap|start_, + to immediately initiate a connection for which trap policies have been + installed. When unloading or replacing a CHILD_SA configuration having a **start_action** different from _none_, the inverse action is performed. Configurations with _start_ get closed, while such with _trap_ get - uninstalled. + uninstalled (both happens for connections with _trap|start_). connections..children..close_action = none Action to perform after a CHILD_SA gets closed (_none_, _trap_, _start_). Action to perform after a CHILD_SA gets closed by the peer. The default of _none_ does not take any action, _trap_ installs a trap policy for the - CHILD_SA. _start_ tries to re-create the CHILD_SA. + CHILD_SA (note that this is redundant if **start_action** includes _trap_). + _start_ tries to immediately re-create the CHILD_SA. **close_action** does not provide any guarantee that the CHILD_SA is kept alive. It acts on explicit close messages only, but not on negotiation -- 2.47.2