authorChristian Breunig <christian@breunig.cc>2024-01-11 08:20:44 +0100
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-01-11 15:18:19 +0000
commit7e9d465dc23e7395b24b088e4f107c6ef1a0a8fd (patch)
tree910d968b2ad9652f19c097279662fc6f35e7c6f2
parent900289cf5d94cfc2dbb59cad548efb126389bbf9 (diff)
ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemon
Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by IPsec, with a warning that this will only work once they are available on the system. PPPoE interfaces are the best example of this: they are down during system bootup and become available at any time after boot, once we have dialed into the BRAS. (cherry picked from commit 8c941e316035e56757d77b782cf39702c73546e0)
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index adbac0405..d074ed159 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -27,6 +27,7 @@ from vyos.base import Warning
from vyos.config import Config
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
+from vyos.configverify import dynamic_interface_pattern
from vyos.defaults import directories
from vyos.ifconfig import Interface
from vyos.pki import encode_certificate
@@ -160,8 +161,15 @@ def verify(ipsec):
raise ConfigError(f'Authentication psk "{psk}" missing "id" or "secret"')
if 'interface' in ipsec:
- for ifname in ipsec['interface']:
- verify_interface_exists(ifname)
+ tmp = re.compile(dynamic_interface_pattern)
+ for interface in ipsec['interface']:
+ # exclude check interface for dynamic interfaces
+ if tmp.match(interface):
+ if not interface_exists(interface):
+ Warning(f'Interface "{interface}" does not exist yet and cannot be used '
+ f'for IPsec until it is up!')
+ else:
+ verify_interface_exists(interface)
if 'l2tp' in ipsec:
if 'esp_group' in ipsec['l2tp']:
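Review bot: The new dynamic-interface branch calls `re.compile` and `interface_exists`, but this commit only imports `dynamic_interface_pattern` (first hunk); if `re` and `interface_exists` are not already in scope at the top of vpn_ipsec.py, verify() will raise NameError the first time a dynamic interface is configured, so please confirm both imports exist. The compiled pattern is bound to `tmp`, which hides what it is; `dynamic_iface = re.compile(dynamic_interface_pattern)` reads better, and the comment `# exclude check interface for dynamic interfaces` would be clearer as `# dynamic interfaces (e.g. PPPoE) may be absent at boot: warn instead of failing the commit`. Note that `match()` anchors only at the start of the name, so unless dynamic_interface_pattern is itself end-anchored, any name that merely starts with a dynamic prefix would skip the existence check; `fullmatch()` avoids that ambiguity. verify()'s body starts and ends outside this hunk.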