diff options
author | Christian Breunig <christian@breunig.cc> | 2024-07-22 12:32:12 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-22 12:32:12 +0200 |
commit | eb39342171b4767e483d616df16f4d94c86be108 (patch) | |
tree | 4bcaf2606a436026b8dabdcd55374f0561ca3a6a /src/conf_mode | |
parent | a3d76254f4d47665f56261c9089a8a34761e0e18 (diff) | |
parent | 99bce9f6291ef53ecb9507f9b6d61ec28be7be17 (diff) | |
download | vyos-1x-eb39342171b4767e483d616df16f4d94c86be108.tar.gz vyos-1x-eb39342171b4767e483d616df16f4d94c86be108.zip |
Merge pull request #3842 from vyos/mergify/bp/circinus/pr-3841
T6599: ipsec: support disabling rekey of CHILD_SA, converge and fix defaults (backport #3841)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index dc78c755e..cf82b767f 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -24,6 +24,7 @@ from time import sleep from vyos.base import Warning from vyos.config import Config +from vyos.config import config_dict_merge from vyos.configdep import set_dependents from vyos.configdep import call_dependents from vyos.configdict import leaf_node_changed @@ -86,9 +87,22 @@ def get_config(config=None): ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), no_tag_node_value_mangle=True, get_first_key=True, - with_recursive_defaults=True, with_pki=True) + # We have to cleanup the default dict, as default values could + # enable features which are not explicitly enabled on the + # CLI. E.g. dead-peer-detection defaults should not be injected + # unless the feature is explicitly opted in to by setting the + # top-level node + default_values = conf.get_config_defaults(**ipsec.kwargs, recursive=True) + + if 'ike_group' in ipsec: + for name, ike in ipsec['ike_group'].items(): + if 'dead_peer_detection' not in ike: + del default_values['ike_group'][name]['dead_peer_detection'] + + ipsec = config_dict_merge(default_values, ipsec) + ipsec['dhcp_interfaces'] = set() ipsec['dhcp_no_address'] = {} ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes |