author | Saurabh Mohan <saurabh@vyatta.com> | 2012-05-18 14:50:32 -0700 |
committer | Saurabh Mohan <saurabh@vyatta.com> | 2012-05-18 14:50:32 -0700 |
commit | 34ce3a9b1b3339d3c5874057e5d31c61b68b0e6e (patch) | |
tree | 3507a6a302bdfc2797067be8db88db0a3d6085ed | |
parent | 37126e2b3b8d40fc43d8c7803b6eb3f1f14c760f (diff) | |
VTI: cfg mark/bind change handlers.
-rwxr-xr-x | scripts/vyatta-vti-config.pl | 12 | ||||
-rw-r--r-- | templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def | 16 | ||||
-rw-r--r-- | templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def | 13 |
3 files changed, 38 insertions, 3 deletions
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index 94c2edf..40b9ec6 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -87,7 +87,11 @@ if (@peers == 0) { exit -1; } # Check mark is valid. - if (!defined($mark) || $mark eq "" || $mark eq "0") { + if (!defined($mark)) { + print STDERR "$vti_cfg_err mark not defined.\n"; + exit -1; + } + if ($mark eq "" || $mark eq "0") { print STDERR "$vti_cfg_err Invalid mark \"$mark\".\n"; exit -1; } @@ -130,17 +134,19 @@ if (@peers == 0) { # @SM TODO: Add the static routes over this tunnel... } if (defined($description)) { - $gencmds .= "sudo /sbin/ip tunnel show $tunName || sudo echo \"$description\" > /sys/class/net/$tunName/ifalias\n"; + $gencmds .= "if [ -d /sys/class/net/$tunName ] ; then\n\tsudo echo \"$description\" > /sys/class/net/$tunName/ifalias\nfi\n"; } } if ($gencmds ne "") { open my $output_config, '>', '/tmp/vti_config' or die "Can't open /tmp/vti_config $!"; print ${output_config} "#!/bin/sh\n"; + print ${output_config} "sudo modprobe ip_vti\n"; print ${output_config} $gencmds; close $output_config; `chmod 755 /tmp/vti_config`; - #$result=`/tmp/vti_config`; + system("/tmp/vti_config"); + $result = $? >> 8; #@SM TODO: remove /tmp/vti_config; } exit $result; diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def index 01bb112..c8b2222 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def 
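Review bot: The split check at the top of the first hunk still only rejects the literal strings `""` and `"0"`, so values such as `00`, `0x0` or `1abc` pass both `eq` comparisons even though the template declares the node `u32` and the value presumably ends up inside the generated shell script; an anchored numeric test is tighter: `if ($mark !~ /\A\d+\z/ || $mark == 0) {`. A one-line comment such as `# exit status 255 (exit -1) signals a config error to the caller` on the new `exit -1` would also make the return convention explicit. The enclosing per-peer block starts before this hunk.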
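Review bot: The generated script in the second hunk is still written to the fixed, world-writable path `/tmp/vti_config`, opened with `>` and then executed with `system()` while it contains `sudo` commands, so a local user who pre-creates that name as a file or symlink they control can have their own content run with the caller's privileges or redirect the write to another file. Creating the file per run with `tempfile` from `File::Temp` (O_EXCL, mode 0600, random suffix) closes that window, and an `unlink` afterwards also resolves the leftover `@SM TODO: remove /tmp/vti_config`. The new `ifalias` line also interpolates `$description` inside double quotes in the generated `sh` script, so a description containing `"`, backticks or `$(...)` is executed by the shell, and its `>` redirection is performed by the unprivileged shell rather than by `sudo`, so the sysfs write is refused unless the script already runs as root; single-quoting the value with embedded `'` escaped and doing the write via `sudo sh -c` or `tee` would address both. The enclosing per-peer loop starts before this hunk.
```perl
# … unchanged: per-peer loop building $gencmds …
if ($gencmds ne "") {
    # O_EXCL, 0600, random name: a pre-created /tmp entry cannot be hijacked
    my ($output_config, $cfg_path) = tempfile('vti_config.XXXXXX', DIR => '/tmp', UNLINK => 0);
    print {$output_config} "#!/bin/sh\n";
    print {$output_config} "sudo modprobe ip_vti\n";
    print {$output_config} $gencmds;
    close $output_config or die "Can't write $cfg_path: $!";
    chmod 0755, $cfg_path or die "Can't chmod $cfg_path: $!";
    system($cfg_path);
    $result = $? >> 8;
    unlink $cfg_path;
}
exit $result;
```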
@@ -1,3 +1,19 @@
 type: txt
 help: VTI tunnel interface associated with this configuration [REQUIRED]
 allowed: cli-shell-api listActiveNodes interfaces vti
+
+update:
+ old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind`
+ if [ ! -z "$old_vti" ] ; then
+ if [ -d /sys/class/net/$old_vti ] ; then
+ sudo ip tunnel del $old_vti
+ fi
+ fi
+
+delete:
+ old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind`
+ if [ ! -z "$old_vti" ] ; then
+ if [ -d /sys/class/net/$old_vti ] ; then
+ sudo ip tunnel del $old_vti
+ fi
+ fi
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
index 1d29970..0841bd2 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
@@ -1,2 +1,15 @@
 type: u32
 help: Mark associated with the secure tunnel interface [REQUIRED]
+
+update:
+ old_mark=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti mark`
+ if [ ! -z "$old_mark" ] ; then
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $old_mark
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $old_mark
+ fi
+ sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@)
+ sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@)
+
+delete:
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@)
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@) |
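Review bot: In the bind hunk `$old_vti` is expanded unquoted into `[ -d /sys/class/net/$old_vti ]` and `sudo ip tunnel del $old_vti`, and the `allowed:` line only feeds tab completion, so nothing in this template stops a value containing whitespace or a `/` from breaking the test or being handed to `ip` under sudo; quoting the expansions, `if [ -d "/sys/class/net/$old_vti" ] ; then` and `sudo ip tunnel del "$old_vti"`, plus a `syntax:expression: pattern $VAR(@) "^vti[0-9]+$" ; "must be a vti interface"` on the node (if VTI interfaces are always named that way) would pin it down. The `update:` and `delete:` bodies are byte-for-byte identical, and neither says why the update path only tears down; a comment such as `# remove the previously bound tunnel; the new one is (re)created by vyatta-vti-config.pl` on each would explain it, assuming that is indeed where creation happens.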
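Review bot: In the mark hunk both `iptables -A` lines append unconditionally, so a re-run of the `update:` action for the same peer and mark (a retried commit, for instance) stacks identical rules in the mangle PREROUTING chain, while `delete:` removes only one copy of each. Deleting the same rule before each append, `sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@) 2>/dev/null` and likewise for the udp/4500 rule, keeps the chain idempotent (`iptables -C` is the cleaner form where the installed version supports it). The template also accepts a mark of 0 and will install `--set-mark 0` rules, whereas the Perl script in this commit rejects that value, presumably only later in the commit; a `syntax:expression: $VAR(@) != 0 ; "mark must be non-zero"` line on this node would catch it at set time. The `delete:` commands also run when the rules are no longer present and then print iptables errors, which a trailing `2>/dev/null` would silence if that is the intent.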