author | Alex Harpin <development@landsofshadow.co.uk> | 2014-12-04 22:10:05 +0000 |
---|---|---|
committer | Alex Harpin <development@landsofshadow.co.uk> | 2014-12-04 22:10:05 +0000 |
commit | e8b6f69422f26b85008e640a3d8f6f4726571db6 (patch) | |
tree | 2932f1f17def1ef6bacd4122c25506ccb35fe4a4 /scripts/vyatta-vti-config.pl | |
parent | 09f1979c4bf0cfe1e1c60ca48b4d9be3cc5e0454 (diff) | |
vyatta-cfg-vpn: update vti creation in line with changes to strongswan
Update the VTI creation process to go along with the changes added to
the vyatta-strongswan package, due to changes in the kernel vti module.
This also removes the need for additional netfilter rules to ensure that
packets are directed to the corresponding VTI.
Bug #358 http://bugzilla.vyos.net/show_bug.cgi?id=358
Diffstat (limited to 'scripts/vyatta-vti-config.pl')
-rwxr-xr-x | scripts/vyatta-vti-config.pl | 31 |
1 files changed, 4 insertions, 27 deletions
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl
index aaec27a..ba2cbcc 100755
--- a/scripts/vyatta-vti-config.pl
+++ b/scripts/vyatta-vti-config.pl
@@ -175,8 +175,7 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
 if ($vtiPresent ne $tunName) {
 # Binding changed.
 my $currMark = vtiIntf::isVtimarkpresent($peer, $lip);
- $gencmds .= "sudo /sbin/ip link delete $vtiPresent &> /dev/null\n";
- $gencmds .= iptableDelMark($peer, $lip, $currMark);
+ $gencmds .= "sudo /sbin/ip link delete $vtiPresent type vti &> /dev/null\n";
 vtiIntf::deleteVtibyname($vtiPresent);
 $change = 1;
 }
@@ -205,8 +204,8 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
 #
 # By default we delete the tunnel...
 my $genmark = $mark;
- $gencmds .= "sudo /sbin/ip link delete $tunName &> /dev/null\n";
- $gencmds .= "sudo /opt/vyatta/sbin/cfgvti add name $tunName key $genmark remote $peer local $lip\n";
+ $gencmds .= "sudo /sbin/ip link delete $tunName type vti &> /dev/null\n";
+ $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark\n";
 foreach my $tunIP (@tunIPs) {
 $gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n";
 }
@@ -215,9 +214,6 @@ if (!$vcVPN->exists('ipsec site-to-site') ) {
 if (defined($description)) {
 $gencmds .= "if [ -d /sys/class/net/$tunName ] ; then\n\tsudo echo \"$description\" > /sys/class/net/$tunName/ifalias\nfi\n";
 }
-
- # setup the new mark.
- $gencmds .= iptableAddMark($peer, $lip, $mark);
 }
 cleanupVtiNotConfigured();
 
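Review bot: In the first hunk (`@@ -175,8 +175,7 @@`) `my $currMark = vtiIntf::isVtimarkpresent($peer, $lip);` is kept on the context line, but its only consumer was the removed `iptableDelMark($peer, $lip, $currMark)` call, so nothing on the new side of the hunk reads it; unless a line further down in the block still uses it, the lookup is dead and should be dropped along with the call. The enclosing block (`if (!$vcVPN->exists('ipsec site-to-site') ) {`) starts before the hunk and continues after it, so a later use cannot be ruled out from here. The new `ip link delete $vtiPresent type vti &> /dev/null` also silences any failure (for instance when the existing interface of that name is not a vti) right before `vtiIntf::deleteVtibyname($vtiPresent)` forgets it, so the bookkeeping and the system can diverge without a trace in the generated script's output.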
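Review bot: In the second hunk (`@@ -205,8 +204,8 @@`) the new `ip link add $tunName type vti local $lip remote $peer okey $genmark` sets only the output key, whereas the replaced `cfgvti add name $tunName key $genmark ...` passed a single `key`; in iproute2 `key` sets both `ikey` and `okey`, so if the policies installed by the strongswan side this commit tracks mark inbound traffic with the same value, the input key must be given too, e.g. `... type vti local $lip remote $peer key $genmark`. Please confirm against the vyatta-strongswan updown change referenced in the description, since that is the only place the expected mark direction is defined. With the iptables mark rules gone, `my $genmark = $mark;` on the context line is now a plain alias and the interpolation could use `$mark` directly. The block continues past this hunk.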
@@ -260,24 +256,6 @@ sub vti_check_reference {
 return 0;
 }
-sub iptableDelMark {
- my ($remote, $local, $mark) = @_;
- my $opcmd="";
-
- $opcmd .= "sudo iptables -t mangle -D PREROUTING -s $remote -d $local -p esp -j MARK --set-mark $mark\n";
- $opcmd .= "sudo iptables -t mangle -D PREROUTING -s $remote -d $local -p udp --dport 4500 -j MARK --set-mark $mark\n";
- return $opcmd;
-}
-
-sub iptableAddMark {
- my ($remote, $local, $mark) = @_;
- my $opcmd="";
-
- $opcmd .= "sudo iptables -t mangle -A PREROUTING -s $remote -d $local -p esp -j MARK --set-mark $mark\n";
- $opcmd .= "sudo iptables -t mangle -A PREROUTING -s $remote -d $local -p udp --dport 4500 -j MARK --set-mark $mark\n";
- return $opcmd;
-}
-
 sub cleanupVtiNotConfigured {
 # for all remaining entries in the Vtinamepresent hash
 # remove them from the system.
@@ -287,12 +265,11 @@ sub cleanupVtiNotConfigured {
 my ($remote, $local) = vtiIntf::extractRemoteLocal($tunKey);
 my $existingMark = vtiIntf::isVtimarkpresent($remote, $local);
 $gencmds .= "# For peer $remote local $local.\n";
- $gencmds .= iptableDelMark($remote, $local, $existingMark);
 vtiIntf::freeVtiMark($existingMark);
 }
 for my $name (keys %$localVtibyNames) {
 $gencmds .= "#For tunnel name $name.\n";
- $gencmds .= "sudo /sbin/ip link delete $name &> /dev/null\n";
+ $gencmds .= "sudo /sbin/ip link delete $name type vti &> /dev/null\n";
 }
 } |
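Review bot: In the second hunk of this file (`@@ -287,12 +265,11 @@`) the context line `$gencmds .= "# For peer $remote local $local.\n";` now precedes only `vtiIntf::freeVtiMark($existingMark)`, a Perl-side bookkeeping call, so the generated shell script gains a comment header with no command under it; either drop the line or turn it into a Perl comment such as `# Release the mark held for peer $remote / local $local.`. The loop's header is outside the hunk, so if another command is emitted earlier in the loop body this is moot. The retained `&> /dev/null` on `ip link delete $name type vti` means a stale interface that cannot be removed (e.g. because it is not a vti) leaves no diagnostic at all, which is at odds with this sub's stated purpose of removing leftovers; keeping stderr, or at least `2>&1 | logger`, would make that visible.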