From 34ce3a9b1b3339d3c5874057e5d31c61b68b0e6e Mon Sep 17 00:00:00 2001
From: Saurabh Mohan
Date: Fri, 18 May 2012 14:50:32 -0700
Subject: VTI: cfg mark/bind change handlers.
---
 .../ipsec/site-to-site/peer/node.tag/vti/bind/node.def | 16 ++++++++++++++++
 .../ipsec/site-to-site/peer/node.tag/vti/mark/node.def | 13 +++++++++++++
 2 files changed, 29 insertions(+)
(limited to 'templates')
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def
index 01bb112..c8b2222 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/bind/node.def
@@ -1,3 +1,19 @@
 type: txt
 help: VTI tunnel interface associated with this configuration [REQUIRED]
 allowed: cli-shell-api listActiveNodes interfaces vti
+
+update:
+ old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind`
+ if [ ! -z "$old_vti" ] ; then
+ if [ -d /sys/class/net/$old_vti ] ; then
+ sudo ip tunnel del $old_vti
+ fi
+ fi
+
+delete:
+ old_vti=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti bind`
+ if [ ! -z "$old_vti" ] ; then
+ if [ -d /sys/class/net/$old_vti ] ; then
+ sudo ip tunnel del $old_vti
+ fi
+ fi
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
index 1d29970..0841bd2 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/vti/mark/node.def
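Review bot: The bind value reaches `sudo ip tunnel del $old_vti` and `[ -d /sys/class/net/$old_vti ]` unquoted, and this template has an `allowed:` line but no `syntax:expression:` check, so (as far as I recall of the template semantics, `allowed:` is completion only) arbitrary text stored under `vti bind` is handed to a root `ip` command after word-splitting and globbing. Quote the expansion and collapse the two nested tests: `if [ -n "$old_vti" ] && [ -d "/sys/class/net/$old_vti" ]; then sudo ip tunnel del "$old_vti"; fi`, and use `$(...)` rather than backticks for the `cli-shell-api` capture. The `update:` and `delete:` bodies are byte-identical, so any later fix has to be applied twice; a one-line comment on `update:` saying that the handler only removes the previously bound tunnel and that creation of the new one happens elsewhere (I am assuming that from the code, not confirming it) would save the next reader the same question. The same unquoted-expansion pattern appears in the mark/node.def hunk of this commit.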
@@ -1,2 +1,15 @@
 type: u32
 help: Mark associated with the secure tunnel interface [REQUIRED]
+
+update:
+ old_mark=`cli-shell-api returnActiveValue vpn ipsec site-to-site peer $VAR(../../@) vti mark`
+ if [ ! -z "$old_mark" ] ; then
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $old_mark
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $old_mark
+ fi
+ sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@)
+ sudo iptables -t mangle -A PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@)
+
+delete:
+ sudo iptables -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark $VAR(@)
+ sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p udp --dport 4500 -j MARK --set-mark $VAR(@)
-- 
cgit v1.2.3
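Review bot: The two `iptables -D` calls in `update:` and in `delete:` have their exit status discarded, so a removal that does not match (rule already gone, or the active value differing from what was actually installed) only prints an error while the following `-A` lines still append, and nothing in either handler prevents duplicate MARK rules from accumulating in mangle PREROUTING across commits. If the installed iptables supports it, testing before removing makes the mismatch explicit, e.g. `sudo iptables -t mangle -C PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark "$old_mark" && sudo iptables -t mangle -D PREROUTING -s $VAR(../../@) -p esp -j MARK --set-mark "$old_mark"`, and `$old_mark` should be quoted in all four uses for consistency with the bind handler (the `u32` type keeps it numeric, so the risk there is low). A short comment above the first `-A` stating that both native ESP and UDP/4500 (NAT-T encapsulated) traffic from the peer are marked so either path is steered to the same VTI would document the intent, which I am inferring from the two rule shapes.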