summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-11 08:20:44 +0100
committerChristian Breunig <christian@breunig.cc>2024-01-11 16:02:23 +0100
commit8c941e316035e56757d77b782cf39702c73546e0 (patch)
tree4cf48d1cc4a5a771b0bae63cc5714741b0010c78
parente5ce4222c6e9b24d276625678db7339ada0c54ef (diff)
downloadvyos-1x-8c941e316035e56757d77b782cf39702c73546e0.tar.gz
vyos-1x-8c941e316035e56757d77b782cf39702c73546e0.zip
ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemon
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS.
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index adbac0405..d074ed159 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -27,6 +27,7 @@ from vyos.base import Warning
from vyos.config import Config
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
+from vyos.configverify import dynamic_interface_pattern
from vyos.defaults import directories
from vyos.ifconfig import Interface
from vyos.pki import encode_certificate
@@ -160,8 +161,15 @@ def verify(ipsec):
raise ConfigError(f'Authentication psk "{psk}" missing "id" or "secret"')
if 'interface' in ipsec:
- for ifname in ipsec['interface']:
- verify_interface_exists(ifname)
+ tmp = re.compile(dynamic_interface_pattern)
+ for interface in ipsec['interface']:
+ # exclude check interface for dynamic interfaces
+ if tmp.match(interface):
+ if not interface_exists(interface):
+ Warning(f'Interface "{interface}" does not exist yet and cannot be used '
+ f'for IPsec until it is up!')
+ else:
+ verify_interface_exists(interface)
if 'l2tp' in ipsec:
if 'esp_group' in ipsec['l2tp']: