-rwxr-xr-xscripts/vyatta-vti-config.pl12
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def16
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def13
3 files changed, 38 insertions, 3 deletions
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl
index 94c2edf..40b9ec6 100755
--- a/scripts/vyatta-vti-config.pl
+++ b/scripts/vyatta-vti-config.pl
@@ -87,7 +87,11 @@ if (@peers == 0) {
exit -1;
}
# Check mark is valid.
- if (!defined($mark) || $mark eq "" || $mark eq "0") {
+ if (!defined($mark)) {
+ print STDERR "$vti_cfg_err mark not defined.\n";
+ exit -1;
+ }
+ if ($mark eq "" || $mark eq "0") {
print STDERR "$vti_cfg_err Invalid mark \"$mark\".\n";
exit -1;
}
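Review bot: The split at `if ($mark eq "" || $mark eq "0")` still accepts any non-numeric string, and the value presumably ends up interpolated into the generated shell commands later in this script, so an anchored check would be cheaper and stricter: `if ($mark !~ /\A[0-9]+\z/ || $mark eq "0") {` (which also subsumes the empty-string case). The two new error messages also differ in style (`mark not defined.` versus the existing `Invalid mark "..."`), which makes log matching harder; capitalising the new one to match is enough. The enclosing block begins before this hunk.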
@@ -130,17 +134,19 @@ if (@peers == 0) {
# @SM TODO: Add the static routes over this tunnel...
}
if (defined($description)) {
- $gencmds .= "sudo /sbin/ip tunnel show $tunName || sudo echo \"$description\" > /sys/class/net/$tunName/ifalias\n";
+ $gencmds .= "if [ -d /sys/class/net/$tunName ] ; then\n\tsudo echo \"$description\" > /sys/class/net/$tunName/ifalias\nfi\n";
}
}
if ($gencmds ne "") {
open my $output_config, '>', '/tmp/vti_config' or die "Can't open /tmp/vti_config $!";
print ${output_config} "#!/bin/sh\n";
+ print ${output_config} "sudo modprobe ip_vti\n";
print ${output_config} $gencmds;
close $output_config;
`chmod 755 /tmp/vti_config`;
- #$result=`/tmp/vti_config`;
+ system("/tmp/vti_config");
+ $result = $? >> 8;
#@SM TODO: remove /tmp/vti_config;
}
exit $result;
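Review bot: The new `sudo echo "$description" > /sys/class/net/$tunName/ifalias` line has two problems: the redirection is performed by the shell running /tmp/vti_config, not by sudo, so the write fails unless that shell is already root, and `$description` is placed unescaped inside a double-quoted shell string, so a description containing `"`, `$` or backticks alters a command that this script later runs with privileges. Escaping on the Perl side and letting the privileged process open the file fixes both: `(my $desc_sq = $description) =~ s/'/'\\''/g;` and then `printf '%s\n' '$desc_sq' | sudo tee /sys/class/net/$tunName/ifalias > /dev/null`. Separately, `/tmp/vti_config` is a fixed, predictable path in a world-writable directory opened with `>` (which follows an existing symlink), and `$result = $? >> 8` yields a large nonsense value when system() returns -1; a `File::Temp` file and an explicit `$? == -1` check would close both. The loop that builds `$gencmds` starts before this hunk.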
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def
index 01bb112..c8b2222 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def
@@ -1,3 +1,19 @@
type: txt
help: VTI tunnel interface associated with this configuration [REQUIRED]
allowed: cli-shell-api listActiveNodes interfaces vti
+
+update:
+ old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind`
+ if [ ! -z "$old_vti" ] ; then
+ if [ -d /sys/class/net/$old_vti ] ; then
+ sudo ip tunnel del $old_vti
+ fi
+ fi
+
+delete:
+ old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind`
+ if [ ! -z "$old_vti" ] ; then
+ if [ -d /sys/class/net/$old_vti ] ; then
+ sudo ip tunnel del $old_vti
+ fi
+ fi
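Review bot: `$old_vti` is expanded unquoted in both `[ -d /sys/class/net/$old_vti ]` and `sudo ip tunnel del $old_vti`, so a value containing whitespace is word-split rather than rejected; quoting it as `"$old_vti"` (and `[ -n "$old_vti" ]` instead of `[ ! -z "$old_vti" ]`) is the conventional form. The update and delete actions are byte-for-byte identical, so they will drift apart on the next edit; the update action also runs on the first `set`, where `returnActiveValue` presumably returns nothing and the block is a no-op, which deserves a comment such as `# no active value on initial set; nothing to tear down`. A failing `cli-shell-api` call is not checked, so a lookup error silently leaves the old tunnel in place.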
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
index 1d29970..0841bd2 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
@@ -1,2 +1,15 @@
type: u32
help: Mark associated with the secure tunnel interface [REQUIRED]
+
+update:
+ old_mark=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti mark`
+ if [ ! -z "$old_mark" ] ; then
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $old_mark
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $old_mark
+ fi
+ sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@)
+ sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@)
+
+delete:
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@)
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@)
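Review bot: The update action always runs `iptables -A`, so if the `-D` of the old rule fails (for example because the active rule was already removed out of band) or the update is re-run, duplicate PREROUTING MARK rules accumulate, and the `-D` failures themselves are silent. Guarding each add with a rule check keeps the set idempotent: `sudo iptables -t mangle -C PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@) || sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@)`, and the same for the udp/4500 rule. The esp/udp pair is written out three times; a small shell function taking the action (`-A`/`-D`) and the mark value would remove the repetition and make the two rules harder to get out of sync.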