author | Lucas Christian <lucas@lucasec.com> | 2021-09-19 17:02:42 -0700 |
---|---|---|
committer | Lucas Christian <lucas@lucasec.com> | 2021-09-19 19:44:02 -0700 |
commit | d768aee9bd93280210980d621ecc7b2da1a8d4af (patch) | |
tree | c712a6673e9ee084ba8edba9918a0ebb689bc154 | |
parent | e83a113360ba18043edcf7f70689c7042dee2b37 (diff) | |
download | vyos-1x-d768aee9bd93280210980d621ecc7b2da1a8d4af.tar.gz vyos-1x-d768aee9bd93280210980d621ecc7b2da1a8d4af.zip |
ipsec: T1441: Clean up vti-up-down script for XFRM interfaces
-rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 4 | ||||
-rwxr-xr-x | src/etc/ipsec.d/vti-up-down | 12 |
2 files changed, 2 insertions, 14 deletions
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index e039e98aa..8c3776bf1 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -60,7 +60,7 @@
         life_time = {{ vti_esp.lifetime }}s
         local_ts = 0.0.0.0/0,::/0
         remote_ts = 0.0.0.0/0,::/0
-        updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
+        updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
 {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
 {# Thus we simply shift the key by one to also support a vti0 interface #}
 {% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
@@ -119,7 +119,7 @@
         dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
 {% endif %}
 {% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
-        updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
+        updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
 {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
 {# Thus we simply shift the key by one to also support a vti0 interface #}
 {% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 011013a2e..1ffb32955 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
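Review bot: In peer.tmpl the `updown` line and the three `if_id` lines that follow it are now byte-identical in both hunks (around lines 60 and 119), and this commit had to edit both copies in lockstep; that is a point of style rather than a defect. Moving the shared lines into a Jinja macro, e.g. a `{% macro vti_updown(vti) %}` block holding `updown = "/etc/ipsec.d/vti-up-down {{ vti.bind }}"` together with the `if_id` computation, would keep the two call sites from drifting apart the next time the script's arguments change. The enclosing `{% if %}` blocks around both hunks start or end outside the visible lines.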
@@ -29,19 +29,10 @@ from vyos.util import call
 from vyos.util import get_interface_config
 from vyos.util import get_interface_address
-def get_dhcp_address(interface):
-    addr = get_interface_address(interface)
-    if not addr:
-        return None
-    if len(addr['addr_info']) == 0:
-        return None
-    return addr['addr_info'][0]['local']
-
 if __name__ == '__main__':
     verb = os.getenv('PLUTO_VERB')
     connection = os.getenv('PLUTO_CONNECTION')
     interface = sys.argv[1]
-    dhcp_interface = sys.argv[2]
     openlog(ident=f'vti-up-down', logoption=LOG_PID, facility=LOG_INFO)
     syslog(f'Interface {interface} {verb} {connection}')
@@ -63,9 +54,6 @@ if __name__ == '__main__':
     if verb in ['up-client', 'up-host']:
         if not vti_link_up:
-            if dhcp_interface != 'no':
-                local_ip = get_dhcp_address(dhcp_interface)
-                call(f'sudo ip tunnel change {interface} local {local_ip}')
             if 'disable' not in vti_dict:
                 call(f'sudo ip link set {interface} up')
             else:
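Review bot: `interface = sys.argv[1]` in the first hunk is read straight from the command line and, in the second hunk, interpolated into a shell command via `call(f'sudo ip link set {interface} up')` with no check on its form. The value comes from the `updown` line that peer.tmpl generates from `peer_conf.vti.bind`, so it is config-derived rather than externally supplied, but the script would be more robust failing closed: `if len(sys.argv) < 2 or not re.fullmatch(r'vti\d+', sys.argv[1]): sys.exit(1)` (with `re` imported) before the assignment rejects a missing or malformed argument instead of raising IndexError before `openlog` runs or passing an unexpected string to the shell. The template's `if_id` computation already assumes the `vti<N>` shape, so the check only makes that contract explicit. The `if __name__ == '__main__':` block begins in the first hunk and continues past the `else:` that closes the second.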