author: Saurabh Mohan <saurabh.mohan@vyatta.com>, 2012-07-25 14:53:42 -0700
committer: Saurabh Mohan <saurabh.mohan@vyatta.com>, 2012-07-25 14:53:42 -0700
commit: f1f5731f32e744ba11aef2ecdf0e6bc0e0c03307
tree: 29e09b9b3c86930ef3949d144f61e11d7fd7137d (/templates)
parent: 2afcd1518814ae1ff900196e57b9fcbd4b61b56f
download: vyatta-cfg-vpn-f1f5731f32e744ba11aef2ecdf0e6bc0e0c03307.tar.gz, vyatta-cfg-vpn-f1f5731f32e744ba11aef2ecdf0e6bc0e0c03307.zip
Bugfix 8222: deletion and adding bind parameter under vti deletes vti interface in show interfaces output though vti configuration exists
The bind, mark parameters can be changed individually but the vti script runs
at the vpn node level. By that time the old value is not known.
With this change now I find out the existing vti tunnels from the kernel and
discover the old vti-name and mark setting from there.
After that it is possible to figure out if
a. No change was done to a VTI: In that case do not do any config.
b. If a tunnel was changed: Delete and create the tunnel again.
c. If a tunnel was deleted: Remove the tunnel config from the kernel.
d. If the tunnel was added: Configure it.
Also, configure the vti interface prior to the strongswan configuration.
This way if the ipsec tunnel comes up then we can bring the interface up/down
(see Bug 8219).
Remove the disable configuration param (see Bug 8221).
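The four-way reconciliation (a to d) that the commit message describes, as an added POSIX shell example; this is not the project's vyatta-vti-config.pl (whose source is not on this page), and the two tunnel tables are constructed samples standing in for what the script would read from the kernel and from the committed configuration, not real `ip tunnel show` output.

```shell
#!/bin/sh
# Constructed sample of the VTIs currently present in the kernel,
# one per line: name local remote mark.
EXISTING='vti0 198.51.100.1 203.0.113.1 9
vti1 198.51.100.1 203.0.113.2 10
vti2 198.51.100.1 203.0.113.3 11'

# Constructed sample of the committed configuration, same columns.
DESIRED='vti0 198.51.100.1 203.0.113.1 9
vti1 198.51.100.1 203.0.113.2 20
vti3 198.51.100.1 203.0.113.4 12'

# Print the record for tunnel $1 from table $2; prints nothing if absent.
vti_lookup() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print; exit }'
}

# Classify every tunnel into the four cases from the commit message:
#   keep    - identical in kernel and config (case a, nothing to do)
#   replace - present but local/remote/mark differ (case b, delete then add)
#   delete  - in the kernel but no longer configured (case c)
#   add     - configured but not yet in the kernel (case d)
# Output: one "action name" line per tunnel, sorted by tunnel name.
reconcile_vti() {
    existing=$1; desired=$2
    {
        printf '%s\n' "$existing" | while read -r name rest; do
            [ -n "$name" ] || continue
            want=$(vti_lookup "$name" "$desired")
            if [ -z "$want" ]; then
                echo "delete $name"
            elif [ "$want" = "$name $rest" ]; then
                echo "keep $name"
            else
                echo "replace $name"
            fi
        done
        printf '%s\n' "$desired" | while read -r name rest; do
            [ -n "$name" ] || continue
            if [ -z "$(vti_lookup "$name" "$existing")" ]; then
                echo "add $name"
            fi
        done
    } | sort -k2
}

reconcile_vti "$EXISTING" "$DESIRED"
```

Only the "replace" and "delete" lines lead to a kernel change, which is what stops a bind or mark edit on one peer from tearing down tunnels of unchanged peers.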
Diffstat (limited to 'templates')
4 files changed, 2 insertions, 34 deletions
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def index c8b2222..01bb112 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def @@ -1,19 +1,3 @@ type: txt help: VTI tunnel interface associated with this configuration [REQUIRED] allowed: cli-shell-api listActiveNodes interfaces vti - -update: - old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind` - if [ ! -z "$old_vti" ] ; then - if [ -d /sys/class/net/$old_vti ] ; then - sudo ip tunnel del $old_vti - fi - fi - -delete: - old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind` - if [ ! -z "$old_vti" ] ; then - if [ -d /sys/class/net/$old_vti ] ; then - sudo ip tunnel del $old_vti - fi - fi diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/disable/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/disable/node.def deleted file mode 100644 index b797d44..0000000 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/disable/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Option to disable vpn tunnel diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def index 807ae5a..1d29970 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def 
@@ -1,17 +1,2 @@ type: u32 help: Mark associated with the secure tunnel interface [REQUIRED] - -update: - old_mark=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti mark` - if [ ! -z "$old_mark" ] ; then - sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $old_mark - sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $old_mark - fi - sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@) - sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@) - -delete: - sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@) - sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@) - # need a exit 0 because if there is no iptables entry then we want to keep the commit going. - exit 0 diff --git a/templates/vpn/node.def b/templates/vpn/node.def index 8adc512..a504791 100644 --- a/templates/vpn/node.def +++ b/templates/vpn/node.def @@ -1,9 +1,9 @@ priority: 900 help: Virtual Private Network (VPN) -end:sudo /opt/vyatta/sbin/vpn-config.pl \ +end:sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1 + sudo /opt/vyatta/sbin/vpn-config.pl \ --config_file='/etc/ipsec.conf' \ --secrets_file='/etc/ipsec.secrets' \ --init_script='/etc/init.d/ipsec' || exit 1 sudo /opt/vyatta/sbin/vyatta-update-l2tp.pl || exit 1 sudo /opt/vyatta/sbin/vyatta-update-pptp.pl || exit 1 - sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1 |
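Review bot: in the bind/node.def hunk, with the `update:` and `delete:` hooks removed this template no longer tears down the previously bound tunnel on a rebind or on deletion of the `bind` leaf, so correctness now rests entirely on `vyatta-vti-config.pl` reconciling kernel state at the `vpn` end node; add a one-line comment in the template pointing at that script so a later maintainer does not re-add a per-leaf `ip tunnel del` hook that would race with it.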
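Review bot: the removal of `vti/disable/node.def` means a saved configuration that still contains `vti disable` under a peer will no longer load cleanly, and the diff carries no migration step for it; either add a migration that strips the node (the commit message cites Bug 8221 but says nothing about existing configs) or state in the message why none is needed.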
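Review bot: in the mark/node.def hunk the mangle PREROUTING `MARK --set-mark` rules for ESP and UDP/4500 from the peer are no longer added or removed here, and nothing in this diff shows the end-node script taking that over; please confirm `vyatta-vti-config.pl` installs them on add/replace and removes them on delete (case c in the commit message), otherwise removing a peer leaves stale mark rules steering its ESP traffic at a mark with no tunnel behind it. The dropped `exit 0` comment also records a real failure mode (no rule present on delete) that the script needs to tolerate the same way.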
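Review bot: in the vpn/node.def hunk `vyatta-vti-config.pl || exit 1` now runs before `vpn-config.pl`, so a failure in the strongswan step leaves tunnels already created or deleted in the kernel with no rollback, while a failure in the VTI step aborts the commit before `/etc/ipsec.conf` is rewritten; that ordering matches the Bug 8219 rationale in the message, but it should be documented with a comment line in the `end:` action, and the VTI script must be idempotent so a re-commit converges instead of failing on a tunnel that already exists.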