From a31ab24a9d3be2b74c50bd0b506dc981bb0ed6af Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sat, 29 May 2021 19:11:35 +0200
Subject: vpn: ipsec: T3093: test for VTI interface availability the easy way

We do not need to query the actual configuration if the VTI peer is configured or not. This can be done in a much more simples way by just checking if the desired interface exists on the running system. This is safe to do as the VTI priority is less then IPSec.
---
 src/conf_mode/vpn_ipsec.py | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 2d280a5c6..e59f20a5d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -24,7 +24,11 @@ from time import sleep
 from vyos.config import Config
 from vyos.configdiff import ConfigDiff
 from vyos.template import render
-from vyos.util import call, get_interface_address, process_named_running, run, cidr_fit
+from vyos.util import call
+from vyos.util import get_interface_address
+from vyos.util import process_named_running
+from vyos.util import run
+from vyos.util import cidr_fit
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -230,8 +234,8 @@ def verify(ipsec):
 if 'bind' in peer_conf['vti']:
 vti_interface = peer_conf['vti']['bind']
- if not get_vti_interface(vti_interface):
- raise ConfigError(f'Invalid VTI interface on site-to-site peer {peer}')
+ if not os.path.exists(f'/sys/class/net/{vti_interface}'):
+ raise ConfigError(f'VTI interface {vti_interface} for site-to-site peer {peer} does not exist!')
 if 'vti' not in peer_conf and 'tunnel' not in peer_conf:
 raise ConfigError(f"No vti or tunnels specified on site-to-site peer {peer}")
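Review bot: The new existence check in verify() no longer establishes that the bound interface is a VTI: `vti_interface` comes straight from `peer_conf['vti']['bind']` and only needs to exist under `/sys/class/net/`, so any netdev name passes verify() and a non-`vti` name later reaches `int(vti_interface.lstrip('vti'))` in `get_mark()` (visible as context in the second hunk), which raises ValueError rather than a ConfigError. Because the value is interpolated into a filesystem path, a bound name containing `/` is also evaluated as a path rather than as an interface name, something the old config-section lookup could not do. Tightening the guard to `if not (vti_interface.startswith('vti') and vti_interface[3:].isdigit()) or not os.path.exists(f'/sys/class/net/{vti_interface}'):` keeps the cheap existence test while restoring the type check with a clear ConfigError. The hunk also does not add `import os`; if it is not already imported above line 24 (outside the first hunk), the new check fails with NameError at runtime. verify() starts and ends outside this hunk.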
@@ -380,14 +384,6 @@ def apply(ipsec):
 resync_l2tp(conf)
 resync_nhrp(conf)
-def get_vti_interface(vti_interface):
- global conf
- section = conf.get_config_dict(['interfaces', 'vti'], get_first_key=True)
- for interface, interface_conf in section.items():
- if interface == vti_interface:
- return interface_conf
- return None
-
 def get_mark(vti_interface):
 vti_num = int(vti_interface.lstrip('vti'))
 return mark_base + vti_num
-- 
cgit v1.2.3