authorSaurabh Mohan <saurabh.mohan@vyatta.com>2012-08-09 14:08:14 -0700
committerSaurabh Mohan <saurabh.mohan@vyatta.com>2012-08-09 14:08:14 -0700
commit1968f279c0489d32d364da43deee363965188ad4 (patch)
treed4da817bc1c90e3a1f5e6cc6607604f1f1d67409
parentd19c1dafc395261a01887ba5c2444371a2865f2c (diff)
Bugfix 8264: Check if the intf name is defined before using it in the script.
Fix the error message for an undefined intf name. Also, add changes to incorporate marks from the range 0-2047. Print a warning if a vti interface is defined but not used. Hopefully this will help users understand that they have a partial configuration.
-rwxr-xr-xscripts/vpn-config.pl3
-rwxr-xr-xscripts/vyatta-vti-config.pl45
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def2
3 files changed, 41 insertions, 9 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 72f9e9c..12b561a 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -1141,7 +1141,7 @@ if ( $vcVPN->exists('ipsec') ) {
#
if ($isVti) {
my $mark = $vcVPN->returnValue("ipsec site-to-site peer $peer vti mark");
- if (!defined($mark) || $mark eq '' || $mark eq "0") {
+ if (!defined($mark) || $mark eq '') {
vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","mark"],
"$vpn_cfg_err No mark specified for peer \"$peer\" vti\n");
} else {
@@ -1150,6 +1150,7 @@ if ( $vcVPN->exists('ipsec') ) {
"$vpn_cfg_err vti mark $mark already used.\n");
} else {
$marks{ $mark } = 1;
+ $mark += 0x90000000;
$genout .= "\tmark=$mark\n";
}
}
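Review bot: The added `$mark += 0x90000000;` hard-codes the same offset that scripts/vyatta-vti-config.pl names `$vtiMarkBase` in this commit, so the two scripts can drift apart and the mark written to the IPsec output would no longer match the VTI key and iptables marks the other script programs. Give the value a name here as well, e.g. `my $vtiMarkBase = 0x90000000;  # must match $vtiMarkBase in vyatta-vti-config.pl` near the top of the file and `$mark += $vtiMarkBase;` at this site. Storing `$marks{ $mark }` before the offset is applied is correct, since duplicate detection should work on the user-visible value; a one-line comment saying so would keep someone from "fixing" the order. The enclosing if/else block starts and ends outside the hunk.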
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl
index 86c9f95..5c1de52 100755
--- a/scripts/vyatta-vti-config.pl
+++ b/scripts/vyatta-vti-config.pl
@@ -89,6 +89,7 @@ if ($checkref ne '' ) {
# Collect set of existing Vti's.
my %existingVtiName = ();
my %existingVtiMark = ();
+my $vtiMarkBase = 0x90000000;
my @currentVtis = `/sbin/ip tunnel | grep "^vti"`;
if (@currentVtis != 0) {
@@ -98,7 +99,7 @@ if (@currentVtis != 0) {
($remote, $local, $name, $mark) = parseVtiTun($curVti);
$key = "remote $remote local $local";
$existingVtiName{$key} = $name;
- $existingVtiMark{$key} = $mark;
+ $existingVtiMark{$key} = $mark-$vtiMarkBase;
}
}
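Review bot: `$existingVtiMark{$key} = $mark-$vtiMarkBase;` assumes parseVtiTun() already returns the key as a plain decimal number; if it hands back the text as printed by `ip tunnel` (possibly with a `0x` prefix), Perl's string-to-number conversion stops at the `x` and yields 0, so every existing tunnel is recorded with a large negative mark and never matches a configured one. Convert explicitly before subtracting, e.g. `$mark = hex($mark) if $mark =~ m{\A0x}xmsi;`. Tunnels created before this change carry no base and also come out negative after the subtraction, which forces them to be recreated; if that is the intended upgrade path a comment saying so at this line would help. parseVtiTun is outside this hunk, so its return format should be confirmed.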
@@ -124,6 +125,7 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
my %marks = ();
my %binds = ();
+ my %vtiVpns = ();
my @peers = $vcVPN->listNodes('ipsec site-to-site peer');
foreach my $peer (@peers) {
if (! $vcVPN->exists("ipsec site-to-site peer $peer vti")) {
@@ -137,6 +139,7 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
my $tunName = $vcVPN->returnValue("ipsec site-to-site peer $peer vti bind");
my $change = 0;
+ $vtiVpns{ $tunName } = 1;
# Check local address is valid.
if (!defined($lip)) {
print STDERR "$vti_cfg_err local-address not defined.\n";
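Review bot: `$vtiVpns{ $tunName } = 1;` runs before the bind value is validated (the defined/exists check on tunName is a few lines further down, in the next hunk), so an unset bind records an empty-string key and, under `use warnings`, emits an uninitialized-value warning before vti_die() is reached. Move the assignment below that check, or guard it with `$vtiVpns{ $tunName } = 1 if defined $tunName;`. The enclosing foreach over peers starts outside the hunk.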
@@ -149,8 +152,13 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
}
# Check tunName is valid.
if (!defined($tunName) || $tunName eq "" || ! $vcIntf->exists("vti $tunName") ) {
- print STDERR "$vti_cfg_err Invalid tunnel name vti \"$tunName\".\n";
- exit -1;
+ if (defined($tunName)) {
+ vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"],
+ "Invalid tunnel name vti \"$tunName\".\n");
+ } else {
+ vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"],
+ "tunnel name is empty.\n");
+ }
}
if (exists $binds{ $tunName }) {
vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"],
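Review bot: The `tunnel name is empty.` message is only reached when bind is undefined; a bind set to the empty string takes the first branch and reports `Invalid tunnel name vti "".`, because the outer condition already matched on `$tunName eq ""`. Change the inner test to `if (defined($tunName) && $tunName ne "") {` so both empty cases produce the empty-name message. The first branch now also covers a bind that names an interface not present under `interface vti`, which is the case users are most likely to hit, so wording it as `tunnel vti "$tunName" is not defined under interface vti` would be more actionable.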
@@ -164,7 +172,7 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
print STDERR "$vti_cfg_err mark not defined.\n";
exit -1;
}
- if ($mark eq "" || $mark eq "0") {
+ if ($mark eq "") {
print STDERR "$vti_cfg_err Invalid mark \"$mark\".\n";
exit -1;
}
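Review bot: With the `eq "0"` test gone, this script now rejects only an empty mark; the 0-2047 range introduced by this commit is enforced solely by the template's syntax expression, and a non-numeric value reaching here would be silently turned into `$vtiMarkBase + 0` by the additions later in the script. If the script is expected to validate on its own, tighten the test to `if ($mark !~ m{\A\d+\z}xms || $mark > 2047) {`. This exit path still uses `print STDERR` plus `exit -1` while the bind check above was converted to vti_die() in the same commit, so converting it too would keep the error reporting consistent.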
@@ -212,10 +220,8 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
$change = 1;
}
+ deleteVtinamepresent($peer, $lip);
if ($change eq 0) {
- # now remove it from the exisiting tunnel list as
- # we've already configured it.
- deleteVtinamepresent($peer, $lip);
next;
}
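Review bot: Moving `deleteVtinamepresent($peer, $lip);` out of the `$change eq 0` branch also drops the only comment explaining why it is called, and the call now runs for every peer, including those whose tunnel commands are regenerated below. Restore the rationale at the new call site, e.g. `# Drop this peer from the existing-tunnel list whether or not it changed, so the later cleanup of unconfigured tunnels leaves it alone.` — I infer that purpose from the name and the cleanupVtiNotConfigured() call further down, so please adjust if the intent differs. The enclosing loop body starts and ends outside the hunk.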
@@ -223,8 +229,9 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
# Set the configuration into the output string.
#
# By default we delete the tunnel...
+ my $genmark = $mark + $vtiMarkBase;
$gencmds .= "sudo /sbin/ip link delete $tunName &> /dev/null\n";
- $gencmds .= "sudo /opt/vyatta/sbin/cfgvti add name $tunName key $mark remote $peer local $lip\n";
+ $gencmds .= "sudo /opt/vyatta/sbin/cfgvti add name $tunName key $genmark remote $peer local $lip\n";
foreach my $tunIP (@tunIPs) {
$gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n";
}
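Review bot: `$genmark` is interpolated in decimal into the `cfgvti add ... key $genmark` command, and with the base applied every value is above 2^31 (0x90000000 is 2415919104); if cfgvti parses the key with a signed 32-bit conversion the value overflows or is rejected. I cannot see cfgvti from here, so please confirm it accepts unsigned decimal, or emit the key as hex with `my $genmark = sprintf('0x%x', $mark + $vtiMarkBase);` if that is the form it expects. A comment on the `my $genmark` line stating that `$mark` stays the user value and `$genmark` is the kernel-facing key would make the two variables' roles clear.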
@@ -239,6 +246,7 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
}
cleanupVtiNotConfigured();
+ checkUnrefIntfVti($vcIntf, %vtiVpns);
$result = execGenCmds();
exit $result;
@@ -346,6 +354,8 @@ sub iptableDelMark {
my ($remote, $local, $mark) = @_;
my $opcmd="";
+ $mark += $vtiMarkBase;
+
$opcmd .= "sudo iptables -t mangle -D PREROUTING -s $remote -d $local -p esp -j MARK --set-mark $mark\n";
$opcmd .= "sudo iptables -t mangle -D PREROUTING -s $remote -d $local -p udp --dport 4500 -j MARK --set-mark $mark\n";
return $opcmd;
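Review bot: The `$mark += $vtiMarkBase;` line is duplicated in iptableDelMark here and in iptableAddMark in the next hunk, on top of the two other sites where this commit applies the base (`$genmark` above and `$existingVtiMark` near the top), so a future change to the offset has four places to keep in step. A single helper such as `sub vtiKernelMark { my ($m) = @_; return $m + $vtiMarkBase; }` called from each site, together with a comment on `$vtiMarkBase` saying the base is added only to kernel-facing values (tunnel key, iptables mark) while the configuration keeps the 0-2047 user value, would remove that risk. Both subs read the file-scoped `my $vtiMarkBase`, which works because that declaration executes before these subs are called; `use constant VTI_MARK_BASE => 0x90000000;` would make the value independent of execution order. Rules added by an older version without the base are no longer matched by the `-D` command built here, so an upgrade can leave stale PREROUTING rules behind.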
@@ -355,6 +365,8 @@ sub iptableAddMark {
my ($remote, $local, $mark) = @_;
my $opcmd="";
+ $mark += $vtiMarkBase;
+
$opcmd .= "sudo iptables -t mangle -A PREROUTING -s $remote -d $local -p esp -j MARK --set-mark $mark\n";
$opcmd .= "sudo iptables -t mangle -A PREROUTING -s $remote -d $local -p udp --dport 4500 -j MARK --set-mark $mark\n";
return $opcmd;
@@ -392,3 +404,20 @@ sub vti_die {
Vyatta::Config::outputError(@path, $msg);
exit 1;
}
+
+#
+# Check if there are any VTI's defined under 'interface vti'
+# but not specified under VPN configuration
+# For now just print a warning.
+#
+sub checkUnrefIntfVti {
+ my $vcIntf = shift;
+ my (%vtiVpns) = @_;
+
+ my @vtiIntfs = $vcIntf->listNodes("vti");
+ foreach my $tunName (@vtiIntfs) {
+ if ( ! exists($vtiVpns{ $tunName }) ) {
+ print STDOUT "Warning: [interface vti $tunName] defined but not used under VPN configuration\n";
+ }
+ }
+}
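Review bot: checkUnrefIntfVti() flattens `%vtiVpns` into `@_` and rebuilds it, so the call near the top of the script passes the whole hash by value; take a reference instead — `my ($vcIntf, $vtiVpns) = @_;` with `exists $vtiVpns->{$tunName}` — and call it as `checkUnrefIntfVti($vcIntf, \%vtiVpns)`. The warning is printed to STDOUT while every other diagnostic in this script goes to STDERR; if the intent is for commit output to show it, a comment saying so would stop someone from "correcting" it later. The header comment should also state the parameters (the interfaces config handle and the set of vti names bound by peers) and that the sub only reports and never changes state.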
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
index 1d29970..0ccee30 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
@@ -1,2 +1,4 @@
type: u32
+syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 2047
help: Mark associated with the secure tunnel interface [REQUIRED]
+val_help: u32:0-2047;
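Review bot: In the new syntax expression `$VAR(@) >= 0` is redundant for a `type: u32` node, so `syntax:expression: $VAR(@) <= 2047` states the real constraint. This template is now the only place the 0-2047 range is enforced (the scripts check only for an empty value), and the ceiling is tied to the 0x90000000 base the scripts add to the mark; recording that relationship in the help text or next to `$vtiMarkBase` would explain why 2047 was chosen.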