From 0593173f6b7002b7d24f44b43eccbd07c71a3d79 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sat, 29 May 2021 14:40:12 +0200
Subject: vti: ipsec: T2816: Fix vti-up-down

---
 data/templates/ipsec/ipsec.conf.tmpl |  2 +-
 src/etc/ipsec.d/vti-up-down          | 56 +++++++-----------------------------
 2 files changed, 11 insertions(+), 47 deletions(-)

diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
index 75f3de39c..67447366c 100644
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ b/data/templates/ipsec/ipsec.conf.tmpl
@@ -42,7 +42,7 @@ conn peer-{{ peer }}
 conn peer-{{ peer }}-vti
     also = peer-{{ peer }}
     leftsubnet = 0.0.0.0/0
-    leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
+    leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}"
     rightsubnet = 0.0.0.0/0
     mark = {{ marks[peer_conf.vti.bind] }}
 {{ ike_esp.conn(None, None, vti_esp, ciphers.esp[peer_conf.vti.esp_group] if vti_esp else None) }}
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 9abca1fd6..0e1cd7753 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -5,16 +5,8 @@
 import os
 import sys
 
-from vyos.config import Config
 from vyos.util import call, get_interface_config, get_interface_address
 
-def get_config(config, base):
-    if not config.exists(base):
-        return None
-
-    return conf.get_config_dict(base, key_mangling=('-', '_'),
-        get_first_key=True, no_tag_node_value_mangle=True)
-
 def get_dhcp_address(interface):
     addr = get_interface_address(interface)
     if not addr:
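Review bot: The second argument appended to leftupdown is a positional contract with src/etc/ipsec.d/vti-up-down that neither side documents: the script reads it as sys.argv[2] and treats the literal string 'no' as "this peer has no DHCP interface". A Jinja comment above the line would make the coupling visible, e.g. `{# vti-up-down argv: <vti bind interface> <dhcp interface, or 'no' when the peer has none>; keep in sync with src/etc/ipsec.d/vti-up-down #}`. An interface literally named `no` would be indistinguishable from the sentinel; VyOS interface naming presumably rules that out, but an empty string or a flag would remove the ambiguity.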
@@ -26,58 +18,30 @@ def get_dhcp_address(interface):
 if __name__ == '__main__':
     verb = os.getenv('PLUTO_VERB')
     connection = os.getenv('PLUTO_CONNECTION')
-    parent_conn = connection[:-3]
     interface = sys.argv[1]
+    dhcp_interface = sys.argv[2]
 
     print(f'vti-up-down: start: {verb} {connection} {interface}')
 
     if verb in ['up-client', 'up-host']:
         call('sudo ip route delete default table 220')
 
-    vti_base = ['interfaces', 'vti', interface]
-    ipsec_base = ['vpn', 'ipsec', 'site-to-site']
-
-    conf = Config()
-    vti_conf = get_config(conf, vti_base)
-    ipsec_conf = get_config(conf, ipsec_base)
-
-    if not vti_conf or 'disable' in vti_conf or not ipsec_conf or 'peer' not in ipsec_conf:
-        print('vti-up-down: exit: vti not found, disabled or no peers found')
-        sys.exit(0)
-
-    peer_conf = None
-
-    for peer, peer_tmp_conf in ipsec_conf['peer'].items():
-        if 'vti' in peer_tmp_conf and 'bind' in peer_tmp_conf['vti']:
-            bind = peer_tmp_conf['vti']['bind']
-            if isinstance(bind, str):
-                bind = [bind]
-            if interface in bind:
-                peer_conf = peer_tmp_conf
-                break
+    vti_link = get_interface_config(interface)
 
-    if not peer_conf:
-        print(f'vti-up-down: exit: No peer found for {interface}')
+    if not vti_link:
+        print('vti-up-down: interface not found')
         sys.exit(0)
 
-    vti_link = get_interface_config(interface)
-    vti_link_up = vti_link['operstate'] == 'UP' if vti_link else False
-
-    child_sa_installed = False
-    try:
-        child_sa_installed = (call(f'sudo /usr/sbin/swanctl -l -r -i {connection} {parent_conn} | grep -s -q state=INSTALLED', timeout = 5) == 0)
-    except:
-        print('vti-up-down: child-sa check failed')
+    vti_link_up = (vti_link['operstate'] == 'UP' if 'operstate' in vti_link else False)
 
     if verb in ['up-client', 'up-host']:
         if not vti_link_up:
-            if 'dhcp_interface' in peer_conf:
-                local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
+            if dhcp_interface != 'no':
+                local_ip = get_dhcp_address(dhcp_interface)
                 call(f'sudo ip tunnel change {interface} local {local_ip}')
-            if child_sa_installed:
-                call(f'sudo ip link set {interface} up')
+            call(f'sudo ip link set {interface} up')
     elif verb in ['down-client', 'down-host']:
-        if vti_link_up and not child_sa_installed:
+        if vti_link_up:
             call(f'sudo ip link set {interface} down')
 
-    print('vti-up-down: finish')
+    print('vti-up-down: finish')
\ No newline at end of file
-- 
cgit v1.2.3
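Review bot: `dhcp_interface = sys.argv[2]` makes the second argument mandatory with no length check, so an invocation that passes only the interface (an older ipsec.conf still loaded, or a manual run) dies with an IndexError traceback from strongSwan's updown hook instead of the script's own messages; `dhcp_interface = sys.argv[2] if len(sys.argv) > 2 else 'no'` keeps the template contract and the old single-argument form working. In the same branch, `local_ip = get_dhcp_address(dhcp_interface)` is passed straight into `ip tunnel change ... local {local_ip}`; get_dhcp_address's body lies outside this hunk, but its `if not addr:` prefix in the earlier hunk suggests it can return None, which would become the literal `local None` on the command line, so guard the tunnel change with `if local_ip:` and print a message otherwise. The final `print('vti-up-down: finish')` is re-added without a trailing newline (`\ No newline at end of file`); restoring it avoids a spurious diff on the next edit.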