author | Christian Breunig <christian@breunig.cc> | 2024-01-11 08:20:44 +0100 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-01-11 15:18:19 +0000 |
commit | 7e9d465dc23e7395b24b088e4f107c6ef1a0a8fd (patch) | |
tree | 910d968b2ad9652f19c097279662fc6f35e7c6f2 | |
parent | 900289cf5d94cfc2dbb59cad548efb126389bbf9 (diff) | |
ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemon
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface")
so that dynamic interfaces can be used by ipsec but a warning is issued that
this will only work after they are available on the system.
PPPoE interfaces are the best example for this, as they are down during system
bootup and will be available anytime after the boot once we've dialed into
the BRAS.
(cherry picked from commit 8c941e316035e56757d77b782cf39702c73546e0)
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index adbac0405..d074ed159 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -27,6 +27,7 @@ from vyos.base import Warning
 from vyos.config import Config
 from vyos.configdict import leaf_node_changed
 from vyos.configverify import verify_interface_exists
+from vyos.configverify import dynamic_interface_pattern
 from vyos.defaults import directories
 from vyos.ifconfig import Interface
 from vyos.pki import encode_certificate
@@ -160,8 +161,15 @@ def verify(ipsec):
             raise ConfigError(f'Authentication psk "{psk}" missing "id" or "secret"')
     if 'interface' in ipsec:
-        for ifname in ipsec['interface']:
-            verify_interface_exists(ifname)
+        tmp = re.compile(dynamic_interface_pattern)
+        for interface in ipsec['interface']:
+            # exclude check interface for dynamic interfaces
+            if tmp.match(interface):
+                if not interface_exists(interface):
+                    Warning(f'Interface "{interface}" does not exist yet and cannot be used '
+                            f'for IPsec until it is up!')
+            else:
+                verify_interface_exists(interface)
     if 'l2tp' in ipsec:
         if 'esp_group' in ipsec['l2tp']: |
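Review bot: The rewritten loop in `verify` calls `re.compile` and `interface_exists`, but the import hunk only adds `dynamic_interface_pattern`; unless `re` and `interface_exists` are already imported above line 27 (outside this view), any commit with `vpn ipsec interface` configured will fail with a NameError rather than emit the intended warning, so the import block should also gain `import re` and an import of `interface_exists` from the helper module that defines it if they are missing. The `verify` function starts and ends outside the hunk. The comment `# exclude check interface for dynamic interfaces` is hard to parse; `# dynamic interfaces (e.g. pppoe) may not exist at commit time: warn instead of failing` states the intent and the trade-off that the daemon will silently not bind to that interface until it comes up. `tmp` is also a weak name for a compiled pattern reused in the loop; `dynamic_iface_re = re.compile(dynamic_interface_pattern)` reads better.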