From 19a58bed0818f19c1e970c2bc5e128325a322c54 Mon Sep 17 00:00:00 2001
From: Saurabh Mohan
Date: Tue, 5 Feb 2013 15:00:20 -0800
Subject: Merge + support show vpn ipsec sa detail/statistics profile

---
 lib/vpnprof/OPMode.pm | 55 ++++++++++++++++++++++
 scripts/vyatta-dmvpn-op.pl | 22 +++++++--
 scripts/vyatta-op-vpnprof.pl | 5 ++
 templates/show/vpn/ipsec/sa/detail/node.def | 1 +
 .../show/vpn/ipsec/sa/detail/profile/node.def | 1 +
 .../vpn/ipsec/sa/detail/profile/node.tag/node.def | 3 ++
 .../sa/detail/profile/node.tag/tunnel/node.def | 1 +
 .../profile/node.tag/tunnel/node.tag/node.def | 3 ++
 templates/show/vpn/ipsec/sa/statistics/node.def | 1 +
 .../show/vpn/ipsec/sa/statistics/profile/node.def | 1 +
 .../ipsec/sa/statistics/profile/node.tag/node.def | 3 ++
 .../sa/statistics/profile/node.tag/tunnel/node.def | 1 +
 .../profile/node.tag/tunnel/node.tag/node.def | 3 ++
 13 files changed, 96 insertions(+), 4 deletions(-)
 create mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.def
 create mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def
 create mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def
 create mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def
 create mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.def
 create mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def
 create mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def
 create mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def

diff --git a/lib/vpnprof/OPMode.pm b/lib/vpnprof/OPMode.pm
index 00c1ffd..6af2a37 100644
--- a/lib/vpnprof/OPMode.pm
+++ b/lib/vpnprof/OPMode.pm
@@ -572,6 +572,12 @@ sub show_ipsec_sa_detail
 display_ipsec_sa_detail(\%tunnel_hash);
 }
+sub show_ipsec_sa_stats
+{
+ my %tunnel_hash = get_tunnel_info();
+ display_ipsec_sa_stats(\%tunnel_hash);
+}
+
 sub show_ipsec_sa_profile
 {
 my $profile = pop(@_);
@@ -820,4 +826,53 @@ sub display_ipsec_sa_detail
 print "\n";
 }
 }
+
+sub display_ipsec_sa_stats
+{
+ my %th = %{pop(@_)};
+ my $listref = [];
+ my %tunhash = ();
+ my $myid = undef;
+ my $peerid = undef;
+ for my $connectid (keys %th){
+ my $lip = conv_ip($th{$connectid}->{_lip});
+ $peerid = conv_ip($th{$connectid}->{_rip});
+ my $tunnel = "$peerid-$lip";
+
+ if (not exists $tunhash{$tunnel}) {
+ $tunhash{$tunnel}={
+ _configpeer => conv_id_rev($th{$connectid}->{_peerid}),
+ _tunnels => []
+ };
+ }
+ my @tmp = ( $th{$connectid}->{_tunnelnum},
+ $th{$connectid}->{_lsnet},
+ $th{$connectid}->{_rsnet},
+ $th{$connectid}->{_inbytes},
+ $th{$connectid}->{_outbytes} );
+ push (@{$tunhash{$tunnel}->{_tunnels}}, [ @tmp ]);
+ }
+ for my $connid (keys %tunhash){
+ print <{_tunnels}})){
+ (my $tunnum, my $srcnet, my $dstnet,
+ my $inbytes, my $outbytes) = @{$tunnel};
+ printf " %-6s %-3s %-28s %-28s %-8s\n",
+ $tunnum, 'in', $dstnet, $srcnet, $inbytes;
+ printf " %-6s %-3s %-28s %-28s %-8s\n",
+ $tunnum, 'out', $srcnet, $dstnet, $outbytes;
+ }
+ print "\n \n";
+ }
+}
 1;
diff --git a/scripts/vyatta-dmvpn-op.pl b/scripts/vyatta-dmvpn-op.pl
index 4a33498..8f27596 100644
--- a/scripts/vyatta-dmvpn-op.pl
+++ b/scripts/vyatta-dmvpn-op.pl
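Review bot: `display_ipsec_sa_stats` declares `$listref` and `$myid` and never uses them, and it unpacks each tunnel tuple as `(my $tunnum, my $srcnet, my $dstnet, my $inbytes, my $outbytes) = @{$tunnel};`, which is the unusual spelling of `my ($tunnum, $srcnet, $dstnet, $inbytes, $outbytes) = @{$tunnel};`. Drop the two dead locals and use the single `my (...)` list form. The middle of the per-peer loop (from the `print <<` heredoc up to the inner `for`) appears garbled in this rendering of the hunk, so I could not review the heredoc text itself; the `print "\n \n";` that closes each peer block emits a line holding a lone space, which looks unintended next to the plain `print "\n";` in display_ipsec_sa_detail just above. Neither new sub has a header comment; a one-liner such as `# Print in/out byte counters per tunnel, grouped by peer, from get_tunnel_info().` above `display_ipsec_sa_stats` (and a matching one on `show_ipsec_sa_stats` in the first hunk) would match the surrounding style.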
@@ -33,16 +33,30 @@ sub clear_tunnel {
 print "Resetting tunnel $tunnel with profile $profile...\n";
 # turn down the connection
- `sudo ipsec down dmvpn-$profile-tunnel-$tunnel`;
+ `sudo ipsec down vpnprof-tunnel-$tunnel`;
 # sleep for 1/4th of a second for connection to go down
 `sudo sleep 0.25`;
- # turn connection up
- `sudo ipsec up dmvpn-$profile-tunnel-$tunnel`;
+ # turn connection up. For conns with 'right=%any' it's useless to up, so commented it
+ #`sudo ipsec up vpnprof-tunnel-$tunnel`;
 # sleep for 3/4th of a second for connection to come up
- `sudo sleep 0.75`;
+ #`sudo sleep 0.75`;
+
+ my @addresses = split(' ', `cli-shell-api returnActiveValues interfaces tunnel $tunnel address`);
+ for my $addr (@addresses) {
+ $addr =~ /'(.*)\.(.*)\.(.*)\.(.*)\//;
+ my $pattern = "$1.$2.$3.$4-to-";
+ my $line = `sudo ipsec statusall | grep $pattern | head -n 1`;
+ if ($line =~ /\"(.*-to-.*)\"/) {
+ my $conn = $1;
+ `sudo ipsec down $conn`;
+ #Actually, we don't need timeouts here cause this script will wait child process to be finished.
+ `sudo ipsec up $conn`;
+ }
+ }
+
 }
 if ($op eq '') {
diff --git a/scripts/vyatta-op-vpnprof.pl b/scripts/vyatta-op-vpnprof.pl
index 2f173fb..3988e04 100644
--- a/scripts/vyatta-op-vpnprof.pl
+++ b/scripts/vyatta-op-vpnprof.pl
@@ -24,6 +24,7 @@ GetOptions("show-ipsec-sa!" => \$show_ipsec_sa,
 "show-ipsec-sa-profile-detail=s" => \$show_ipsec_sa_profile_detail,
 "show-ipsec-sa-stats!" => \$show_ipsec_sa_stats,
 "show-ipsec-sa-stats-profile=s" => \$show_ipsec_sa_stats_profile,
+ "show-ipsec-sa-stats-conn=s{2}" => \@show_ipsec_sa_stats_conn,
 "show-ipsec-sa-conn-detail=s{2}" => \@show_ipsec_sa_conn_detail,
 "show-ipsec-sa-conn=s{2}" => \@show_ipsec_sa_conn);
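Review bot: In the new address loop the match `$addr =~ /'(.*)\.(.*)\.(.*)\.(.*)\//;` is never checked, so for an address that does not match (an IPv6 prefix, or a value without the expected leading quote) `$1..$4` keep whatever an earlier successful match left, and `$pattern` is then built from stale or undefined captures and interpolated straight into `sudo ipsec statusall | grep $pattern | head -n 1`. Because `$addr` comes back from `cli-shell-api` and `$tunnel` from the CLI rather than from a literal, the value should be constrained to a dotted quad and the match result tested before anything reaches the shell; `grep -F` would additionally take the pattern literally instead of letting each `.` match any character. `clear_tunnel` starts before this hunk (only its signature appears in the hunk header), so I could not see whether `$tunnel` is validated on entry before it is interpolated into the `cli-shell-api` and `ipsec down` commands.

```perl
 for my $addr (@addresses) {
     # Only accept a dotted-quad prefix; skip anything else instead of
     # reusing stale captures from an earlier iteration.
     next unless $addr =~ m{ \A '? (\d{1,3}(?:\.\d{1,3}){3}) / }xms;
     my $pattern = "$1-to-";
     my $line = `sudo ipsec statusall | grep -F -- $pattern | head -n 1`;
     # … unchanged: extract the conn name from $line and down/up it …
 }
```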
@@ -57,3 +58,7 @@ if (defined $show_ipsec_sa_stats) {
 if (defined $show_ipsec_sa_stats_profile) {
 Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_profile($show_ipsec_sa_stats_profile);
 }
+if (defined @show_ipsec_sa_stats_conn) {
+ Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_conn(@show_ipsec_sa_stats_conn);
+}
+
diff --git a/templates/show/vpn/ipsec/sa/detail/node.def b/templates/show/vpn/ipsec/sa/detail/node.def
index 1fb13e4..1397817 100644
--- a/templates/show/vpn/ipsec/sa/detail/node.def
+++ b/templates/show/vpn/ipsec/sa/detail/node.def
@@ -1,2 +1,3 @@
 help: Show details for all active IPsec Security Associations (SA)
 run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail
+ sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-detail
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.def
new file mode 100644
index 0000000..00a4e7c
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/profile/node.def
@@ -0,0 +1 @@
+help: Show details for all active IPsec Security Associations (SA) for a profile
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def
new file mode 100644
index 0000000..fbb6218
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show details for all active IPsec Security Associations (SA) for a profile
+allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli
+run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-profile-detail="$7"
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def
new file mode 100644
index 0000000..58100d8
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def
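Review bot: `if (defined @show_ipsec_sa_stats_conn)` applies `defined` to an array, a long-deprecated construct that perl 5.22 and later reject at compile time; the intended test is simply whether the option was given, `if (@show_ipsec_sa_stats_conn) {`. The surrounding checks visible in the hunk test scalars (`defined $show_ipsec_sa_stats_profile`), where `defined` is correct, so this should not be copied from them. Nothing in this patch defines `Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_conn`, although the new `statistics/profile/node.tag/tunnel/node.tag/node.def` template dispatches to `--show-ipsec-sa-stats-conn`; if that sub does not already exist in OPMode.pm, the new CLI path will die with an undefined-subroutine error rather than print anything.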
@@ -0,0 +1 @@
+help: Show details for the active IPsec Security Association (SA) for a tunnel bound to profile
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def
new file mode 100644
index 0000000..ac5fd14
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show details for the active IPsec Security Associations (SA) for a tunnel bound to profile
+allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]}
+run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-conn-detail $7 $9
diff --git a/templates/show/vpn/ipsec/sa/statistics/node.def b/templates/show/vpn/ipsec/sa/statistics/node.def
index ad7c5d8..84fa4b7 100644
--- a/templates/show/vpn/ipsec/sa/statistics/node.def
+++ b/templates/show/vpn/ipsec/sa/statistics/node.def
@@ -1,2 +1,3 @@
 help: Show statistics of all active tunnels that have IPsec Security Associations (SA)
 run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-stats
+ sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats
diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.def
new file mode 100644
index 0000000..7b5e040
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/statistics/profile/node.def
@@ -0,0 +1 @@
+help: Show stats for all active IPsec Security Associations (SA) for a profile
diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def
new file mode 100644
index 0000000..9d49f44
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def
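Review bot: The `run:` line of the new `detail/profile/node.tag/tunnel/node.tag/node.def` passes `$7 $9` unquoted, while the profile-level template added just before it quotes its argument (`--show-ipsec-sa-profile-detail="$7"`); since these positional words are expanded by the shell, an empty or whitespace-containing completion word would shift the two arguments that `--show-ipsec-sa-conn-detail=s{2}` expects. `run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-conn-detail "$7" "$9"` keeps each word as exactly one argument and matches the sibling template. The statistics counterpart `statistics/profile/node.tag/tunnel/node.tag/node.def` at the end of the patch has the same unquoted `$7 $9` form and should be changed the same way.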
@@ -0,0 +1,3 @@
+help: Show stats for all active IPsec Security Associations (SA) for a profile
+allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli
+run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-profile="$7"
diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def
new file mode 100644
index 0000000..4b131c5
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def
@@ -0,0 +1 @@
+help: Show stats for the active IPsec Security Association (SA) for a tunnel bound to profile
diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def
new file mode 100644
index 0000000..b8aa7dc
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show stats for the active IPsec Security Association (SA) for a tunnel bound to profile
+allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]}
+run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-conn $7 $9
-- 
cgit v1.2.3