author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2024-03-04 10:23:26 +0000 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-03-05 10:28:05 +0000 |
commit | b822eb0f2ab2f6cb272e4efc07c9948e829b6faf (patch) | |
tree | a48e54ef727562a13e8b84a0318835d2db84dcbe | |
parent | 999cbce33bf40cc37232d2a54a47185d1292f5d0 (diff) | |
T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug
If we have any `vpn ipsec` and `protocol nhrp` configuration we
get the empty configuration file `/run/opennhrp/opennhrp.conf`
after rebooting the system.
Using a config dependency instead of the old `resync_nhrp` function
fixes this issue.
(cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
-rw-r--r-- | data/config-mode-dependencies/vyos-1x.json | 3 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 21 |
2 files changed, 16 insertions, 8 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index 6ab36005b..afe3dd838 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -31,6 +31,9 @@ "rpki": ["protocols_rpki"], "sstp": ["vpn_sstp"] }, + "vpn_ipsec": { + "nhrp": ["protocols_nhrp"] + }, "vpn_l2tp": { "ipsec": ["vpn_ipsec"] }, diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index d074ed159..388f2a709 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -25,6 +25,8 @@ from time import time from vyos.base import Warning from vyos.config import Config +from vyos.configdep import set_dependents +from vyos.configdep import call_dependents from vyos.configdict import leaf_node_changed from vyos.configverify import verify_interface_exists from vyos.configverify import dynamic_interface_pattern @@ -97,6 +99,9 @@ def get_config(config=None): ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface']) ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel']) + if ipsec['nhrp_exists']: + set_dependents('nhrp', conf) + tmp = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'), no_tag_node_value_mangle=True, get_first_key=True) @@ -575,13 +580,6 @@ def generate(ipsec): render(interface_conf, 'ipsec/interfaces_use.conf.j2', ipsec) render(swanctl_conf, 'ipsec/swanctl.conf.j2', ipsec) -def resync_nhrp(ipsec): - if ipsec and not ipsec['nhrp_exists']: - return - - tmp = run('/usr/libexec/vyos/conf_mode/protocols_nhrp.py') - if tmp > 0: - print('ERROR: failed to reapply NHRP settings!') def apply(ipsec): systemd_service = 'strongswan.service' 
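Review bot: `set_dependents('nhrp', conf)` in `get_config()` is only reached while an `ipsec` dict is being built, so deleting `vpn ipsec` while `protocols nhrp tunnel` still exists appears to lose the NHRP re-run that the removed `resync_nhrp` performed when `ipsec` was falsy. Whether `get_config()` returns early before this line is outside the hunk, so this needs confirming; if it does, the dependency should be registered before that return. A short comment above the call would also help the next reader, e.g. `# protocols_nhrp must be re-run after IPsec changes (T6084)`.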
@@ -590,7 +588,14 @@ def apply(ipsec): else: call(f'systemctl reload-or-restart {systemd_service}') - resync_nhrp(ipsec) + if ipsec.get('nhrp_exists', False): + try: + call_dependents() + except ConfigError: + # Ignore config errors on dependent due to being called too early. Example: + # ConfigError("ConfigError('Interface ethN requires an IP address!')") + pass + if __name__ == '__main__': try: |
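Review bot: The `except ConfigError: pass` around `call_dependents()` in `apply()` discards every ConfigError raised by the NHRP script, not only the called-too-early case named in the comment. A genuine NHRP failure after an IPsec change now leaves no trace, whereas the removed `resync_nhrp` at least printed an error. I would keep the tolerance but surface it: `except ConfigError as e:` followed by `Warning(f'NHRP was not re-applied: {e}')`, since `Warning` is already imported from `vyos.base`. Separately, the removed helper tested `if ipsec and ...`, which suggests `apply()` can receive an empty or None `ipsec`. Indentation is not recoverable on this page and `apply()` starts outside the hunk, but if the new check sits after the `else:` branch rather than inside it, it needs the same guard: `if ipsec and ipsec.get('nhrp_exists'):`.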