author | Tobias Brunner <tobias@strongswan.org> | 2012-05-15 16:31:46 +0200 |
committer | Tobias Brunner <tobias@strongswan.org> | 2012-06-11 17:33:31 +0200 |
commit | 5b09310e67a0bb1d9f1aaf07fdc80b297aef4791 (patch) | |
tree | 1d364a62739ca351c24dde8aad083f15c62cdc45 | |
parent | 29906e0eabdcc3302b345c7f2e5c0c950f9c617e (diff) | |
download | strongswan-5b09310e67a0bb1d9f1aaf07fdc80b297aef4791.tar.bz2 strongswan-5b09310e67a0bb1d9f1aaf07fdc80b297aef4791.tar.xz |
starter: Use custom type for SA specific options (flags).
-rw-r--r-- | src/starter/cmp.c | 2 | ||||
-rw-r--r-- | src/starter/confread.c | 26 | ||||
-rw-r--r-- | src/starter/confread.h | 16 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 14 |
4 files changed, 36 insertions, 22 deletions
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 9a1d29504..b3caaeba0 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -49,7 +49,7 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
 if ((c1 == NULL) || (c2 == NULL))
 return FALSE;
- VARCMP(policy);
+ VARCMP(options);
 VARCMP(mark_in.value);
 VARCMP(mark_in.mask);
 VARCMP(mark_out.value);
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 8a4e38a55..d6d36fade 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -83,7 +83,7 @@ static void default_values(starter_config_t *cfg)
 cfg->conn_default.startup = STARTUP_NO;
 cfg->conn_default.state = STATE_IGNORE;
 cfg->conn_default.mode = MODE_TUNNEL;
- cfg->conn_default.policy = POLICY_MOBIKE;
+ cfg->conn_default.options = SA_OPTION_MOBIKE;
 cfg->conn_default.ike = strdupnull(ike_defaults);
 cfg->conn_default.esp = strdupnull(esp_defaults);
@@ -108,10 +108,10 @@ static void default_values(starter_config_t *cfg)
 cfg->ca_default.seen = SEEN_NONE;
 }
-#define KW_POLICY_FLAG(sy, sn, fl) \
- if (streq(kw->value, sy)) { conn->policy |= fl; } \
- else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
- else { DBG1(DBG_APP, "# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
+#define KW_SA_OPTION_FLAG(sy, sn, fl) \
+ if (streq(kw->value, sy)) { conn->options |= fl; } \
+ else if (streq(kw->value, sn)) { conn->options &= ~fl; } \
+ else { DBG1(DBG_APP, "# bad option value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
 static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 {
@@ -499,10 +499,10 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 }
 break;
 case KW_COMPRESS:
- KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
+ KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_COMPRESS)
 break;
 case KW_AUTH:
- KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
+ KW_SA_OPTION_FLAG("ah", "esp", SA_OPTION_AUTHENTICATE)
 break;
 case KW_MARK:
 if (!handle_mark(kw->value, &conn->mark_in))
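Review bot: `KW_SA_OPTION_FLAG` in the confread.c hunk at line 108 expands to a bare if / else if / else chain rather than a single statement, so it only works because every call site is `case X: KW_SA_OPTION_FLAG(...) break;` with nothing else around it. Wrapping the expansion in `do { ... } while (0)` would make it safe to use as the body of an unbraced `if` and would make a stray `else` after it a compile error instead of silently binding to the macro's inner `if`. The existing else branch is fine as it stands: an unrecognised value is logged and `cfg->err++` is counted, so a typo in ipsec.conf fails the load rather than silently leaving the flag at its default.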
@@ -561,22 +561,22 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
 }
 break;
 case KW_REKEY:
- KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
+ KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REKEY)
 break;
 case KW_REAUTH:
- KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
+ KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REAUTH)
 break;
 case KW_MOBIKE:
- KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
+ KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_MOBIKE)
 break;
 case KW_FORCEENCAPS:
- KW_POLICY_FLAG("yes", "no", POLICY_FORCE_ENCAP)
+ KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_FORCE_ENCAP)
 break;
 case KW_MODECONFIG:
- KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
+ KW_SA_OPTION_FLAG("push", "pull", SA_OPTION_MODECFG_PUSH)
 break;
 case KW_XAUTH:
- KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
+ KW_SA_OPTION_FLAG("server", "client", SA_OPTION_XAUTH_SERVER)
 break;
 default:
 break;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 2d8534ea9..5064f6cd8 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -55,6 +55,20 @@ typedef enum {
 STRICT_IFURI
 } strict_t;
+typedef enum {
+ /* IPsec options */
+ SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */
+ SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */
+
+ /* IKE and other other options */
+ SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */
+ SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */
+ SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */
+ SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */
+ SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */
+ SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */
+} sa_option_t;
+
 typedef struct starter_end starter_end_t;
 struct starter_end {
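Review bot: The new `sa_option_t` enum in confread.h is a set of bit flags that get OR-ed into one field (`conn->options |= fl` in confread.c, `conn->options & SA_OPTION_...` in starterstroke.c), but nothing in the header says that a variable of this type holds a combination rather than a single enumerator. A short comment above the typedef would prevent the next reader from treating it like an ordinary enum in a `switch`, e.g. `/* Bit flags for starter_conn.options; a value of this type is an OR of zero or more SA_OPTION_* bits, not a single enumerator. */`. While there, the category comment has a doubled word: `/* IKE and other options */`, and the `SA_OPTION_DONT_REKEY` comment still speaks of "either Phase", which is IKEv1 wording.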
@@ -112,7 +126,7 @@ struct starter_conn {
 char *authby;
 ipsec_mode_t mode;
 bool proxy_mode;
- lset_t policy;
+ sa_option_t options;
 time_t sa_ike_life_seconds;
 time_t sa_ipsec_life_seconds;
 time_t sa_rekey_margin;
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 34cfca0ed..28846be1a 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -167,9 +167,9 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.add_conn.mode = conn->mode;
 msg.add_conn.proxy_mode = conn->proxy_mode;
- if (!(conn->policy & POLICY_DONT_REKEY))
+ if (!(conn->options & SA_OPTION_DONT_REKEY))
 {
- msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
+ msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
 msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
 msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
 msg.add_conn.rekey.margin = conn->sa_rekey_margin;
@@ -180,9 +180,9 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 msg.add_conn.rekey.tries = conn->sa_keying_tries;
 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
 }
- msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
- msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
- msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
+ msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
+ msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
+ msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
 msg.add_conn.install_policy = conn->install_policy;
 msg.add_conn.aggressive = conn->aggressive;
 msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
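Review bot: In the second starterstroke.c hunk the three assignments drop the `!= 0` that the old lines had, so the value stored is the raw mask bit (`SA_OPTION_FORCE_ENCAP` is 128, `SA_OPTION_MOBIKE` is 64) rather than 0 or 1. That is only correct if `mobike`, `force_encap` and `ipcomp` in the stroke message are genuine C99 `bool`/`_Bool` fields, which normalise any non-zero value to 1; the message struct is not in this diff, so I cannot confirm it, and if any of them is an `int` or `u_int8_t` a non-1 "true" travels over the stroke socket and breaks any `== TRUE` comparison on the daemon side. The `reauth` line in the previous hunk already normalises with `!`, so these three are also inconsistent with it; keeping the old form costs nothing: `msg.add_conn.mobike = (conn->options & SA_OPTION_MOBIKE) != 0;`, `msg.add_conn.force_encap = (conn->options & SA_OPTION_FORCE_ENCAP) != 0;`, `msg.add_conn.ipcomp = (conn->options & SA_OPTION_COMPRESS) != 0;`. starter_stroke_add_conn starts and ends outside the hunk.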
@@ -226,7 +226,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 {
 msg.add_conn.me.auth = push_string(&msg, "pubkey");
 msg.add_conn.other.auth = push_string(&msg, "pubkey");
- if (conn->policy & POLICY_XAUTH_SERVER)
+ if (conn->options & SA_OPTION_XAUTH_SERVER)
 {
 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
 }
@@ -239,7 +239,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 {
 msg.add_conn.me.auth = push_string(&msg, "psk");
 msg.add_conn.other.auth = push_string(&msg, "psk");
- if (conn->policy & POLICY_XAUTH_SERVER)
+ if (conn->options & SA_OPTION_XAUTH_SERVER)
 {
 msg.add_conn.other.auth2 = push_string(&msg, "xauth");
 } |