Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces-vti.py | 31 | ||||
-rwxr-xr-x | src/conf_mode/protocols_bgp.py | 4 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 18 |
3 files changed, 10 insertions, 43 deletions
diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py
index 6ff23ae59..1b38304c1 100755
--- a/src/conf_mode/interfaces-vti.py
+++ b/src/conf_mode/interfaces-vti.py
@@ -36,40 +36,9 @@ def get_config(config=None):
     conf = Config()
     base = ['interfaces', 'vti']
     vti = get_interface_dict(conf, base)
-
-    # VTI is more then an interface - we retrieve the "real" configuration from
-    # the IPsec peer configuration which binds this VTI
-    conf.set_level([])
-    vti['ipsec'] = conf.get_config_dict(['vpn', 'ipsec', 'site-to-site', 'peer'],
-                                        key_mangling=('-', '_'), get_first_key=True,
-                                        no_tag_node_value_mangle=True)
-
-    for peer, peer_config in vti['ipsec'].items():
-        if dict_search('vti.bind', peer_config) == vti['ifname']:
-            vti['remote'] = peer
-            if 'local_address' in peer_config:
-                vti['source_address'] = peer_config['local_address']
-            # we also need to "calculate" a per vti individual key
-            base = 0x900000
-            vti['key'] = base + int(vti['ifname'].lstrip('vti'))
-
     return vti
 
 def verify(vti):
-    if 'deleted' in vti:
-        return None
-
-    ifname = vti['ifname']
-    found = False
-    for peer, peer_config in vti['ipsec'].items():
-        if dict_search('vti.bind', peer_config) == ifname:
-            found = True
-            # we can now stop processing the for loop
-            break
-    if not found:
-        tmp = vti['ifname']
-        raise ConfigError(f'Interface "{ifname}" not referenced in any VPN configuration!')
-
     return None
 
 def generate(vti):
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 74253c2d7..95f277d74 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -88,6 +88,10 @@ def verify_remote_as(peer_config, bgp_config):
             tmp = dict_search(f'peer_group.{peer_group_name}.remote_as', bgp_config)
             if tmp: return tmp
 
+        if 'v6only' in peer_config['interface']:
+            if 'remote_as' in peer_config['interface']['v6only']:
+                return peer_config['interface']['v6only']['remote_as']
+
     return None
 
 def verify(bgp):
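Review bot: The added lookup in verify_remote_as indexes `peer_config['interface']` and then `['v6only']` directly, while the sibling lookup two lines above goes through `dict_search`, which yields None when a key is absent; whether an `'interface' in peer_config` guard encloses these new lines cannot be seen here, because the function starts before the hunk. Writing it the same way removes the nesting and stays safe however the block is reached: `tmp = dict_search('interface.v6only.remote_as', peer_config)` followed by `if tmp: return tmp`. The only observable difference is that an empty remote-as value would fall through to `return None` instead of being returned, which is the behaviour the peer-group branch above already has.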
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index e8e8b453a..70b4c52e6 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -83,8 +83,6 @@ esp_ciphers = {}
 dhcp_wait_attempts = 2
 dhcp_wait_sleep = 1
 
-mark_base = 0x900000
-
 swanctl_dir = '/etc/swanctl'
 ipsec_conf = '/etc/ipsec.conf'
 ipsec_secrets = '/etc/ipsec.secrets'
@@ -358,8 +356,13 @@ def generate_pki_files(pki, x509_conf):
             f.write(wrap_private_key(key_data, protected))
 
 def generate(ipsec):
-    data = {}
+    if not ipsec:
+        for config_file in [ipsec_conf, ipsec_secrets, interface_conf, swanctl_conf]:
+            if os.path.isfile(config_file):
+                os.unlink(config_file)
+        return
 
+    data = {}
     if ipsec:
         if ipsec['dhcp_no_address']:
             with open(DHCP_HOOK_IFLIST, 'w') as f:
@@ -368,7 +371,6 @@ def generate(ipsec):
         data = ipsec
         data['authby'] = authby_translate
         data['ciphers'] = {'ike': ike_ciphers, 'esp': esp_ciphers}
-        data['marks'] = {}
         data['rsa_local_key'] = verify_rsa_local_key(ipsec)
 
         for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]:
@@ -394,10 +396,6 @@ def generate(ipsec):
 
             data['site_to_site']['peer'][peer]['local_address'] = local_ip
 
-            if 'vti' in peer_conf and 'bind' in peer_conf['vti']:
-                vti_interface = peer_conf['vti']['bind']
-                data['marks'][vti_interface] = get_mark(vti_interface)
-
             if 'tunnel' in peer_conf:
                 for tunnel, tunnel_conf in peer_conf['tunnel'].items():
                     local_prefixes = dict_search('local.prefix', tunnel_conf)
@@ -469,10 +467,6 @@ def apply(ipsec):
     resync_l2tp(ipsec)
     resync_nhrp(ipsec)
 
-def get_mark(vti_interface):
-    vti_num = int(vti_interface.lstrip('vti'))
-    return mark_base + vti_num
-
 if __name__ == '__main__':
     try:
         ipsec = get_config()
|
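Review bot: With the new early return for an empty `ipsec`, the `if ipsec:` guard that follows the re-added `data = {}` in generate() can never be false, so it is now a dead condition that leaves the rest of the function (which continues past the hunk) indented one level deeper than it needs to be; drop the guard and dedent, or keep `data = {}` only if something after the hunk still reads it. The list on the `for config_file in [...]` line names `interface_conf` and `swanctl_conf`, which are not among the module constants visible in the first hunk of this file, so their definition elsewhere in the module is assumed here — a missing name would only surface on the deconfigure path, the one least likely to be exercised in testing. Removing `/etc/ipsec.secrets` and the swanctl configuration on deconfigure is the right call since they are where the configured secrets would live; the `os.path.isfile` / `os.unlink` pair is acceptable for root-owned files under /etc, though `with suppress(FileNotFoundError): os.unlink(config_file)` (from contextlib, not visible as imported here) would express the same thing without the separate stat.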