authorMohit Mehta <mohit.mehta@vyatta.com>2009-10-09 16:59:53 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2009-10-09 16:59:53 -0700
commit92a42fb741210a774309ceb8da438e005d80421f (patch)
treee417e184d033c9e9b5b2c419c142cc23c6112a5d
parent4337b53ed0fcf777d1ed5e4b227450bd44a484b4 (diff)
* Fix Bug 4017 Add the ability to restart individual IPSec tunnels
added new operational mode commands:
  clear vpn ipsec-peer peer <peer>                   # clear all tunnels for given peer
  clear vpn ipsec-peer peer <peer> tunnel <tunnel>   # clear specific tunnel
If peer is 0.0.0.0/any/@id then the tunnel is brought down and loaded again, but the connection is not initiated, as the remote end could be multiple end-points; the remote ends will bring up the tunnel when they get/detect it is down.
* don't call script with sudo from templates; use sudo in script where needed
* script clean up
-rwxr-xr-xscripts/vyatta-vpn-op.pl102
-rw-r--r--templates/clear/vpn/ipsec-peer/node.def1
-rw-r--r--templates/clear/vpn/ipsec-peer/node.tag/node.def6
-rw-r--r--templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.def1
-rw-r--r--templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def10
-rw-r--r--templates/clear/vpn/ipsec-process/node.def2
-rw-r--r--templates/show/vpn/debug/detail/node.def2
-rw-r--r--templates/show/vpn/debug/node.def2
8 files changed, 109 insertions, 17 deletions
diff --git a/scripts/vyatta-vpn-op.pl b/scripts/vyatta-vpn-op.pl
index ce6f957..ca44011 100755
--- a/scripts/vyatta-vpn-op.pl
+++ b/scripts/vyatta-vpn-op.pl
@@ -1,28 +1,102 @@
#!/usr/bin/perl -w
use strict;
+use warnings;
use lib "/opt/vyatta/share/perl5/";
-
+use Vyatta::Config;
use Getopt::Long;
my $op='';
-GetOptions("op=s" => \$op);
+my $peer=undef;
+my $tunnel=undef;
+my $s2s_peer_path='vpn ipsec site-to-site peer';
+
+GetOptions( "op=s" => \$op,
+ "peer=s" => \$peer,
+ "tunnel=s" => \$tunnel);
+
+sub get_tunnels {
+ my $s2s_peer = undef;
+ $s2s_peer = shift;
+ my @peer_tunnels = ();
+ if (defined $s2s_peer) {
+ my $config = new Vyatta::Config;
+ @peer_tunnels = $config->listOrigNodes("$s2s_peer_path $s2s_peer tunnel");
+ }
+ return @peer_tunnels;
+}
+
+sub clear_tunnel {
+ my ($peer, $tunnel) = @_;
+ my $error = undef;
+ my $cmd = undef;
+
+ # replace connection i.e. sequentially run down, delete, load connection
+ $cmd = "sudo ipsec auto --replace peer-$peer-tunnel-$tunnel &> /dev/null";
+ $error = system "$cmd";
+
+ if ($error eq '0') {
+ if (!($peer =~ /^\@/ || $peer eq 'any' || $peer eq '0.0.0.0')) {
+ # initiate the connection to peer if peer is a specific IP
+ $cmd = "sudo ipsec auto --asynchronous --up " .
+ "peer-$peer-tunnel-$tunnel &> /dev/null";
+ system "$cmd";
+ }
+ } else {
+ die "Error clearing tunnel $tunnel for peer $peer\n";
+ }
+}
if ($op eq '') {
die 'No op specified';
}
if ($op eq 'clear-vpn-ipsec-process') {
- system '/usr/sbin/ipsec setup restart';
- exit 0;
-}
-if ($op eq 'show-vpn-debug') {
- system '/usr/sbin/ipsec auto --status';
- exit 0;
-}
-if ($op eq 'show-vpn-debug-detail') {
- system '/usr/sbin/ipsec barf';
- exit 0;
-}
+ system 'sudo /usr/sbin/ipsec setup restart';
+
+} elsif ($op eq 'show-vpn-debug') {
+ system 'sudo /usr/sbin/ipsec auto --status';
+
+} elsif ($op eq 'show-vpn-debug-detail') {
+ system 'sudo /usr/sbin/ipsec barf';
+
+} elsif ($op eq 'get-all-peers') {
+ # get all site-to-site peers
+ my $config = new Vyatta::Config;
+ my @peers = ();
+ @peers = $config->listOrigNodes("$s2s_peer_path");
+ print "@peers\n";
-die "Unknown op: $op";
+} elsif ($op eq 'get-tunnels-for-peer') {
+ # get all tunnels for a specific site-to-site peer
+ die 'Undefined peer to get list of tunnels for' if ! defined $peer;
+ my @peer_tunnels = get_tunnels("$peer");
+ print "@peer_tunnels\n";
+} elsif ($op eq 'clear-tunnels-for-peer') {
+ # clear all tunnels for a given site-to-site peer
+ die 'Undefined peer to clear tunnels for' if ! defined $peer;
+ my @peer_tunnels = get_tunnels("$peer");
+ if (scalar(@peer_tunnels)>0) {
+ foreach my $tun (@peer_tunnels) {
+ clear_tunnel($peer, $tun);
+ }
+ } else {
+ die "No tunnel defined for peer $peer\n";
+ }
+
+} elsif ($op eq 'clear-specific-tunnel-for-peer') {
+ # clear a specific tunnel for a given site-to-site peer
+ die 'Undefined peer to clear tunnel for' if ! defined $peer;
+ die 'Undefined tunnel for peer $peer' if ! defined $tunnel;
+ my @peer_tunnels = get_tunnels("$peer");
+ if (scalar(grep(/^$tunnel$/,@peer_tunnels))>0) {
+ clear_tunnel($peer, $tunnel);
+ } else {
+ die "Undefined tunnel $tunnel for peer $peer\n";
+ }
+
+} else {
+ die "Unknown op: $op";
+}
+
+exit 0;
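Review bot: `$peer` and `$tunnel` are interpolated unescaped into the single-string `system` calls in clear_tunnel (`sudo ipsec auto --replace peer-$peer-tunnel-$tunnel &> /dev/null`), and the only gate on `$tunnel` is `grep(/^$tunnel$/,@peer_tunnels)`, which interpolates it as a regex too, so a value such as `1|x` satisfies the check by alternation and then reaches the shell carrying a pipe. Both values arrive from the op-mode templates' `$4`/`$6`, which appear to be passed through verbatim, so this script is the trust boundary. Reject anything outside what the config can hold right after GetOptions, e.g. `die "Invalid peer\n" if defined $peer && $peer !~ /^[\w.@:-]+$/;` and `die "Invalid tunnel\n" if defined $tunnel && $tunnel !~ /^\w+$/;`, and make the membership test exact with `grep { $_ eq $tunnel } @peer_tunnels`. Separately, `&>` is a bash-only redirection while `system "$cmd"` runs `/bin/sh`; if that is dash the command is parsed differently, so `>/dev/null 2>&1` is the portable form, and `$error eq '0'` should be a numeric `== 0`.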
diff --git a/templates/clear/vpn/ipsec-peer/node.def b/templates/clear/vpn/ipsec-peer/node.def
new file mode 100644
index 0000000..48cdff9
--- /dev/null
+++ b/templates/clear/vpn/ipsec-peer/node.def
@@ -0,0 +1 @@
+help: Clear all tunnels for given peer
diff --git a/templates/clear/vpn/ipsec-peer/node.tag/node.def b/templates/clear/vpn/ipsec-peer/node.tag/node.def
new file mode 100644
index 0000000..0e29756
--- /dev/null
+++ b/templates/clear/vpn/ipsec-peer/node.tag/node.def
@@ -0,0 +1,6 @@
+help: Clear all tunnels for given peer
+
+allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=get-all-peers
+
+run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
+ --op=clear-tunnels-for-peer --peer="$4"
diff --git a/templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.def b/templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.def
new file mode 100644
index 0000000..2add8cd
--- /dev/null
+++ b/templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.def
@@ -0,0 +1 @@
+help: Clear a specific tunnel for given peer
diff --git a/templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def b/templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def
new file mode 100644
index 0000000..91b4ff3
--- /dev/null
+++ b/templates/clear/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def
@@ -0,0 +1,10 @@
+help: Clear a specific tunnel for given peer
+
+allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
+ --op=get-tunnels-for-peer \
+ --peer="${COMP_WORDS[COMP_CWORD-2]}"
+
+run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
+ --op=clear-specific-tunnel-for-peer \
+ --peer="$4" \
+ --tunnel="$6"
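Review bot: As far as the template format shows, `allowed:` only feeds tab completion, so the `"$6"` passed as `--tunnel` (and `"$4"` as `--peer`) on the run line is whatever the operator typed, not a value drawn from the completion list; nothing in this file checks it before it reaches vyatta-vpn-op.pl. That is acceptable only if the script validates both words, and the template should say so, e.g. add above the run line `# $4/$6 are raw user words; vyatta-vpn-op.pl must validate them against the config`.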
diff --git a/templates/clear/vpn/ipsec-process/node.def b/templates/clear/vpn/ipsec-process/node.def
index 0f7e233..8ced091 100644
--- a/templates/clear/vpn/ipsec-process/node.def
+++ b/templates/clear/vpn/ipsec-process/node.def
@@ -1,6 +1,6 @@
help: Restart VPN ipsec process
run: if [ -d $VYATTA_ACTIVE_CONFIGURATION_DIR/vpn/ipsec/site-to-site/peer ] && [ -n "`ls $VYATTA_ACTIVE_CONFIGURATION_DIR/vpn/ipsec/site-to-site/peer/`" ] ; then
- sudo /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process
+ /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process
else
echo VPN ipsec not configured
fi
diff --git a/templates/show/vpn/debug/detail/node.def b/templates/show/vpn/debug/detail/node.def
index c12cac8..112cbf6 100644
--- a/templates/show/vpn/debug/detail/node.def
+++ b/templates/show/vpn/debug/detail/node.def
@@ -1,6 +1,6 @@
help: Show detailed VPN debugging information
run: if [ -d $VYATTA_ACTIVE_CONFIGURATION_DIR/vpn/ipsec/site-to-site/peer ] && [ -n "`ls $VYATTA_ACTIVE_CONFIGURATION_DIR/vpn/ipsec/site-to-site/peer/`" ] ; then
- sudo /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug-detail
+ /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug-detail
else
echo VPN ipsec not configured
fi
diff --git a/templates/show/vpn/debug/node.def b/templates/show/vpn/debug/node.def
index ceb64c9..2327d95 100644
--- a/templates/show/vpn/debug/node.def
+++ b/templates/show/vpn/debug/node.def
@@ -1,6 +1,6 @@
help: Show VPN debugging information
run: if [ -d $VYATTA_ACTIVE_CONFIGURATION_DIR/vpn/ipsec/site-to-site/peer ] && [ -n "`ls $VYATTA_ACTIVE_CONFIGURATION_DIR/vpn/ipsec/site-to-site/peer/`" ] ; then
- sudo /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug
+ /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug
else
echo VPN ipsec not configured
fi