| author | Christian Poessinger <christian@poessinger.com> | 2022-07-25 15:27:02 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-07-25 15:27:02 +0200 | 
| commit | c8ffb9a03c70f2d3762b5606f74715579c0265f4 (patch) | |
| tree | 115b8d844af53bd54ef23a198010e2243cf66abe | |
| parent | fd4bda3c791a6f4506d0e6e1283b1560f9ec3a41 (diff) | |
| parent | 179380776360cecb049d74263474148e13864f92 (diff) | |
Merge pull request #1428 from sever-sever/T4552
IPsec: T4552: Fix reset vpn ipsec peer
| -rw-r--r-- | op-mode-definitions/vpn-ipsec.xml.in | 6 | ||||
| -rwxr-xr-x | src/op_mode/ipsec.py | 71 | 
2 files changed, 74 insertions, 3 deletions
| diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in
index 3d997c143..f1f43755b 100644
--- a/op-mode-definitions/vpn-ipsec.xml.in
+++ b/op-mode-definitions/vpn-ipsec.xml.in
@@ -19,16 +19,16 @@
                 <properties>
                   <help>Reset a specific tunnel for given peer</help>
                 </properties>
-                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="$6"</command>
+                <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" --tunnel="$6"</command>
               </tagNode>
               <node name="vti">
                 <properties>
                   <help>Reset the VTI tunnel for given peer</help>
                 </properties>
-                <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="vti"</command>
+                <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" --tunnel="vti"</command>
               </node>
             </children>
-            <command>sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-peer" --name="$4" --tunnel="all"</command>
+            <command>sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" --tunnel="all"</command>
           </tagNode>
           <tagNode name="ipsec-profile">
             <properties>
diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py
new file mode 100755
index 000000000..432856585
--- /dev/null
+++ b/src/op_mode/ipsec.py
@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import sys
+from vyos.util import call
+import vyos.opmode
+
+
+SWANCTL_CONF = '/etc/swanctl/swanctl.conf'
+
+
+def get_peer_connections(peer, tunnel, return_all = False):
+    peer = peer.replace(':', '-')
+    search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*'
+    matches = []
+    with open(SWANCTL_CONF, 'r') as f:
+        for line in f.readlines():
+            result = re.match(search, line)
+            if result:
+                suffix = f'tunnel_{tunnel}' if tunnel.isnumeric() else tunnel
+                if return_all or (result[2] == suffix):
+                    matches.append(result[1])
+    return matches
+
+
+def reset_peer(peer: str, tunnel:str):
+    if not peer:
+        print('Invalid peer, aborting')
+        return
+
+    conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all'))
+
+    if not conns:
+        print('Tunnel(s) not found, aborting')
+        return
+
+    result = True
+    for conn in conns:
+        try:
+            call(f'sudo /usr/sbin/ipsec down {conn}{{*}}', timeout = 10)
+            call(f'sudo /usr/sbin/ipsec up {conn}', timeout = 10)
+        except TimeoutExpired as e:
+            print(f'Timed out while resetting {conn}')
+            result = False
+
+
+    print('Peer reset result: ' + ('success' if result else 'failed'))
+
+
+if __name__ == '__main__':
+    try:
+        res = vyos.opmode.run(sys.modules[__name__])
+        if res:
+            print(res)
+    except ValueError as e:
+        print(e)
+        sys.exit(1) |
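Review bot: `TimeoutExpired` in the `except TimeoutExpired as e:` clause of `reset_peer` is never imported — the new file imports only `re`, `sys`, `vyos.util.call` and `vyos.opmode` — so the moment an `ipsec down`/`up` call actually times out the handler itself raises `NameError` instead of printing the timeout message; add `from subprocess import TimeoutExpired` (assuming `call` propagates subprocess's exception, which is not visible here). In `get_peer_connections` the CLI-supplied `peer` is interpolated into the regex unescaped, so a name containing `.`, `+`, `(` or `*` either over-matches other peers' connections or raises an uncaught `re.error`; use `search = rf'^[\s]*(peer_{re.escape(peer)}_(tunnel_[\d]+|vti)).*'`. The matched connection name is then spliced into the `sudo /usr/sbin/ipsec ...` command strings; whether `vyos.util.call` hands those to a shell is not visible here, but since the name comes from `/etc/swanctl/swanctl.conf` rather than straight from the CLI the exposure is bounded by what the config renderer lets into that file, which deserves a one-line comment stating that assumption. Also `tunnel.isnumeric()` is evaluated before the `return_all` check, so the `not tunnel` case that `reset_peer` explicitly anticipates would fail with `AttributeError` on a `None` tunnel as soon as a line matches.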
