summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorViacheslav Hletenko <v.gletenko@vyos.io>2024-03-04 10:23:26 +0000
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-03-05 10:28:05 +0000
commitb822eb0f2ab2f6cb272e4efc07c9948e829b6faf (patch)
treea48e54ef727562a13e8b84a0318835d2db84dcbe
parent999cbce33bf40cc37232d2a54a47185d1292f5d0 (diff)
downloadvyos-1x-b822eb0f2ab2f6cb272e4efc07c9948e829b6faf.tar.gz
vyos-1x-b822eb0f2ab2f6cb272e4efc07c9948e829b6faf.zip
T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug
If we have any `vpn ipsec` and `protocol nhrp` configuration we get the empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system. Use config dependency instead of the old `resync_nhrp` function fixes this issue (cherry picked from commit 689fea253d9019df20d5c6ac7fa22d5e8454afab)
-rw-r--r--data/config-mode-dependencies/vyos-1x.json3
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py21
2 files changed, 16 insertions, 8 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 6ab36005b..afe3dd838 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -31,6 +31,9 @@
"rpki": ["protocols_rpki"],
"sstp": ["vpn_sstp"]
},
+ "vpn_ipsec": {
+ "nhrp": ["protocols_nhrp"]
+ },
"vpn_l2tp": {
"ipsec": ["vpn_ipsec"]
},
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index d074ed159..388f2a709 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -25,6 +25,8 @@ from time import time
from vyos.base import Warning
from vyos.config import Config
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
from vyos.configverify import dynamic_interface_pattern
@@ -97,6 +99,9 @@ def get_config(config=None):
ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface'])
ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
+ if ipsec['nhrp_exists']:
+ set_dependents('nhrp', conf)
+
tmp = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'),
no_tag_node_value_mangle=True,
get_first_key=True)
@@ -575,13 +580,6 @@ def generate(ipsec):
render(interface_conf, 'ipsec/interfaces_use.conf.j2', ipsec)
render(swanctl_conf, 'ipsec/swanctl.conf.j2', ipsec)
-def resync_nhrp(ipsec):
- if ipsec and not ipsec['nhrp_exists']:
- return
-
- tmp = run('/usr/libexec/vyos/conf_mode/protocols_nhrp.py')
- if tmp > 0:
- print('ERROR: failed to reapply NHRP settings!')
def apply(ipsec):
systemd_service = 'strongswan.service'
@@ -590,7 +588,14 @@ def apply(ipsec):
else:
call(f'systemctl reload-or-restart {systemd_service}')
- resync_nhrp(ipsec)
+ if ipsec.get('nhrp_exists', False):
+ try:
+ call_dependents()
+ except ConfigError:
+ # Ignore config errors on dependent due to being called too early. Example:
+ # ConfigError("ConfigError('Interface ethN requires an IP address!')")
+ pass
+
if __name__ == '__main__':
try: