authorSaurabh Mohan <saurabh.mohan@vyatta.com>2012-09-19 10:09:51 -0700
committerSaurabh Mohan <saurabh.mohan@vyatta.com>2012-09-19 10:09:51 -0700
commita04ed9cd5801bff01f1f92bce5b9b775be93df67 (patch)
tree1f7ed6d105f3a69334de91ab1f34150bc80451a0
parent525a829e8d7b46867a58e45bf75953a2605aaf84 (diff)
Bugfix 8376: Add vti as an option under 'reset vpn ipsec-peer'
Add a new cli 'reset vpn ipsec-peer <peer-ip> vti'.
-rwxr-xr-xscripts/vyatta-vpn-op.pl28
-rw-r--r--templates/reset/vpn/ipsec-peer/node.tag/vti/node.def5
2 files changed, 32 insertions, 1 deletions
diff --git a/scripts/vyatta-vpn-op.pl b/scripts/vyatta-vpn-op.pl
index ad20a61..f862ef7 100755
--- a/scripts/vyatta-vpn-op.pl
+++ b/scripts/vyatta-vpn-op.pl
@@ -27,6 +27,17 @@ sub get_tunnels {
return @peer_tunnels;
}
+sub get_vtis {
+ my $s2s_peer = undef;
+ $s2s_peer = shift;
+ my @peer_tunnels = ();
+ if (defined $s2s_peer) {
+ my $config = new Vyatta::Config;
+ @peer_tunnels = $config->listOrigNodes("$s2s_peer_path $s2s_peer vti");
+ }
+ return @peer_tunnels;
+}
+
sub clear_tunnel {
my ($peer, $tunnel) = @_;
my $error = undef;
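Review bot: In `get_vtis`, `$s2s_peer` is interpolated into the space-separated path passed to `listOrigNodes` with no check on its form, and the new template on this page supplies it from the operator's command word via `--peer="$4"` to a script living under `sudo-users`. If the path string is split on whitespace (presumably how `listOrigNodes` walks it; confirm in Vyatta::Config), a peer value containing spaces would be read as extra path components and the lookup would resolve a node other than the intended peer. I would validate the peer once after option parsing, which is outside this hunk, e.g. `die "Invalid peer $peer\n" unless $peer =~ /\A[\w.:@-]+\z/;`, with the allowed character set confirmed against what the site-to-site peer node accepts. `Vyatta::Config->new` is also preferable to the indirect-object form `new Vyatta::Config`.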
@@ -98,7 +109,12 @@ if ($op eq 'clear-vpn-ipsec-process') {
clear_tunnel($peer, $tun);
}
} else {
- die "No tunnel defined for peer $peer\n";
+ my @peer_vtis = get_vtis("$peer");
+ if (scalar(@peer_vtis)>0) {
+ clear_tunnel($peer, 'vti');
+ } else {
+ die "No tunnel defined for peer $peer\n";
+ }
}
} elsif ($op eq 'clear-specific-tunnel-for-peer') {
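Review bot: `get_vtis("$peer")` stringifies its argument, so an undefined `$peer` reaches `get_vtis` as an empty string and the `defined $s2s_peer` guard there can never fail; the same call is repeated in the new `clear-vtis-for-peer` branch. Pass the variable directly: `my @peer_vtis = get_vtis($peer);`. The fallback message also still reads "No tunnel defined" although both tunnels and vti have been checked by then, so `die "No tunnel or vti defined for peer $peer\n";` would tell the operator more. This branch begins above the hunk, so whether `$peer` is checked earlier is not visible here.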
@@ -112,6 +128,16 @@ if ($op eq 'clear-vpn-ipsec-process') {
die "Undefined tunnel $tunnel for peer $peer\n";
}
+} elsif ($op eq 'clear-vtis-for-peer') {
+ # clear all vti for a given site-to-site peer
+ die 'Undefined peer to clear vti for' if ! defined $peer;
+ my @peer_vtis = get_vtis("$peer");
+ if (scalar(@peer_vtis)>0) {
+ clear_tunnel($peer, 'vti');
+ } else {
+ die "No vti defined for peer $peer\n";
+ }
+
} else {
die "Unknown op: $op";
}
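Review bot: The new `die 'Undefined peer to clear vti for'` has no trailing newline, so Perl appends the script path and line number to what the operator sees, unlike the `"No vti defined for peer $peer\n"` message a few lines below it. `defined` alone also lets an empty peer through, which is what `--peer="$4"` would produce for an empty word, assuming the option parsing (outside this hunk) stores the value as given. Suggest `die "Undefined peer to clear vti for\n" unless defined $peer && length $peer;`. The if/elsif chain starts outside the hunk.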
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def b/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def
new file mode 100644
index 0000000..f0f39a8
--- /dev/null
+++ b/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def
@@ -0,0 +1,5 @@
+help: Reset a vti tunnel for given peer
+
+run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
+ --op=clear-vtis-for-peer \
+ --peer="$4"