src/etc/ipsec.d/vti-up-down


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

#!/usr/bin/env python3
#
# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
## Called as vti_up_down vti_intf_name

import os
import sys

from syslog import syslog
from syslog import openlog
from syslog import LOG_PID
from syslog import LOG_INFO

from vyos.configquery import ConfigTreeQuery
from vyos.util import call
from vyos.util import get_interface_config
from vyos.util import get_interface_address

def get_dhcp_address(interface):
    addr = get_interface_address(interface)
    if not addr:
        return None
    if len(addr['addr_info']) == 0:
        return None
    return addr['addr_info'][0]['local']

if __name__ == '__main__':
    verb = os.getenv('PLUTO_VERB')
    connection = os.getenv('PLUTO_CONNECTION')
    interface = sys.argv[1]
    dhcp_interface = sys.argv[2]

    openlog(ident=f'vti-up-down', logoption=LOG_PID, facility=LOG_INFO)
    syslog(f'Interface {interface} {verb} {connection}')

    if verb in ['up-client', 'up-host']:
        call('sudo ip route delete default table 220')

    vti_link = get_interface_config(interface)

    if not vti_link:
        syslog(f'Interface {interface} not found')
        sys.exit(0)

    vti_link_up = (vti_link['operstate'] == 'UP' if 'operstate' in vti_link else False)

    config = ConfigTreeQuery()
    vti_dict = config.get_config_dict(['interfaces', 'vti', interface],
                                      get_first_key=True)

    if verb in ['up-client', 'up-host']:
        if not vti_link_up:
            if dhcp_interface != 'no':
                local_ip = get_dhcp_address(dhcp_interface)
                call(f'sudo ip tunnel change {interface} local {local_ip}')
            if 'disable' not in vti_dict:
                call(f'sudo ip link set {interface} up')
            else:
                syslog(f'Interface {interface} is admin down ...')
    elif verb in ['down-client', 'down-host']:
        if vti_link_up:
            call(f'sudo ip link set {interface} down')