author: Christian Breunig <christian@breunig.cc> 2024-03-20 20:53:47 +0100
committer: Mergify <37929162+mergify[bot]@users.noreply.github.com> 2024-03-21 09:23:10 +0000
commit: c104f9aea60416dbff3bf8de994921069ee6a928
tree: 451d395fa95b2584c1df017238d1999c9c1a6607 /src/etc/ipsec.d/vti-up-down
parent: f7a005ebecdfabc0a0af75ed9ad84b44ef1d6d5b
vti: T6085: interface is always down and only enabled by IPSec daemon
When a VTI interface is just created, it is in ADMIN UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected. This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected.

This changes the logic so ADMIN UP/DOWN state can only be changed by the vti-up-down helper script.

Error was introduced during the Perl -> Python migration and move to the generic vyos.ifconfig abstraction during the 1.4 development cycle.

(cherry picked from commit 9eb018c4935235d292d7c693ac15da5761be064a)
Diffstat (limited to 'src/etc/ipsec.d/vti-up-down')
-rwxr-xr-x src/etc/ipsec.d/vti-up-down 4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 441b316c2..01e9543c9 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -57,7 +57,9 @@ if __name__ == '__main__':
if 'disable' not in vti:
tmp = VTIIf(interface)
tmp.update(vti)
+ call(f'sudo ip link set {interface} up')
else:
+ call(f'sudo ip link set {interface} down')
syslog(f'Interface {interface} is admin down ...')
elif verb in ['down-client', 'down-host']:
if vti_link_up:
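Review bot: The return value of the added `call(f'sudo ip link set {interface} up')` in the `if 'disable' not in vti:` branch is discarded, so a failed link-up leaves the VTI admin down with nothing in syslog, and after this change this script is the only place that state is set. Check the result and log a failure; the same applies to the `down` call in the `else` branch, where the existing `syslog(...)` line reports "admin down" whether or not the command succeeded. The up path also logs nothing on success, while the down path does, so a matching syslog line there would make the state transitions traceable. Both calls interpolate `{interface}` into a command string run under `sudo`; where that value comes from is not visible in this hunk, so confirm it is validated as an interface name before it reaches the command.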