From 689fea253d9019df20d5c6ac7fa22d5e8454afab Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Mon, 4 Mar 2024 10:23:26 +0000
Subject: T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug

If we have any `vpn ipsec` and `protocol nhrp` configuration we
get the empty configuration file `/run/opennhrp/opennhrp.conf`
after rebooting the system.

Using a config dependency instead of the old `resync_nhrp` function
fixes this issue.
---
 data/config-mode-dependencies/vyos-1x.json |  3 +++
 src/conf_mode/vpn_ipsec.py                 | 21 +++++++++++++--------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 6ab36005b..afe3dd838 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -31,6 +31,9 @@
         "rpki": ["protocols_rpki"],
         "sstp": ["vpn_sstp"]
     },
+    "vpn_ipsec": {
+        "nhrp": ["protocols_nhrp"]
+    },
     "vpn_l2tp": {
         "ipsec": ["vpn_ipsec"]
     },
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index d074ed159..388f2a709 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -25,6 +25,8 @@ from time import time
 
 from vyos.base import Warning
 from vyos.config import Config
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
 from vyos.configdict import leaf_node_changed
 from vyos.configverify import verify_interface_exists
 from vyos.configverify import dynamic_interface_pattern
@@ -97,6 +99,9 @@ def get_config(config=None):
     ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface'])
     ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
 
+    if ipsec['nhrp_exists']:
+        set_dependents('nhrp', conf)
+
     tmp = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'),
                                no_tag_node_value_mangle=True,
                                get_first_key=True)
@@ -575,13 +580,6 @@ def generate(ipsec):
     render(interface_conf, 'ipsec/interfaces_use.conf.j2', ipsec)
     render(swanctl_conf, 'ipsec/swanctl.conf.j2', ipsec)
 
-def resync_nhrp(ipsec):
-    if ipsec and not ipsec['nhrp_exists']:
-        return
-
-    tmp = run('/usr/libexec/vyos/conf_mode/protocols_nhrp.py')
-    if tmp > 0:
-        print('ERROR: failed to reapply NHRP settings!')
 
 def apply(ipsec):
     systemd_service = 'strongswan.service'
@@ -590,7 +588,14 @@ def apply(ipsec):
     else:
         call(f'systemctl reload-or-restart {systemd_service}')
 
-    resync_nhrp(ipsec)
+        if ipsec.get('nhrp_exists', False):
+            try:
+                call_dependents()
+            except ConfigError:
+                # Ignore config errors on dependent due to being called too early. Example:
+                # ConfigError("ConfigError('Interface ethN requires an IP address!')")
+                pass
+
 
 if __name__ == '__main__':
     try:
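Review bot: The `except ConfigError: pass` around `call_dependents()` in `apply()` discards every error raised by the NHRP dependent, not only the early-boot case named in the comment. A genuine failure to regenerate the opennhrp configuration now leaves no trace, whereas the removed `resync_nhrp` at least printed an error. Consider keeping the exception non-fatal but reporting it, e.g. `except ConfigError as e:` followed by `Warning(f'Failed to reapply NHRP settings: {e}')`; `Warning` is already imported from `vyos.base`. The new block is also indented under the `else:` branch, so it appears to be skipped when `ipsec` is empty, a case in which `resync_nhrp` still ran. The matching `if` branch lies outside the hunk, so please confirm that NHRP needs no resync when `vpn ipsec` is deleted.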
-- 
cgit v1.2.3