#!/usr/bin/env python3
#
# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Script called by strongswan to bring the VTI interface up/down based on
# the state of the IPsec tunnel. Called as: vti_up_down vti_intf_name

import os
import sys

from syslog import syslog
from syslog import openlog
from syslog import LOG_PID
from syslog import LOG_INFO

from vyos.configquery import ConfigTreeQuery
from vyos.configdict import get_interface_dict
from vyos.utils.commit import wait_for_commit_lock
from vyos.utils.process import call
from vyos.utils.vti_updown_db import open_vti_updown_db_for_update

def supply_interface_dict(interface):
    """Return the config dict for VTI ``interface`` from the running config.

    The ``ConfigTreeQuery`` is created on the first call and memoised as a
    function attribute, so later calls (e.g. repeated ``db.commit``
    callbacks) reuse the same object instead of re-reading the config.
    """
    if not hasattr(supply_interface_dict, 'cached_config'):
        supply_interface_dict.cached_config = ConfigTreeQuery()
    query = supply_interface_dict.cached_config

    # get_interface_dict returns a (config, interface_dict) pair; only the
    # per-interface dict is needed by the caller.
    _unused, vti_dict = get_interface_dict(
        query.config, ['interfaces', 'vti'], interface
    )
    return vti_dict

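if __name__ == '__main__':
    # strongswan hands over the event name in PLUTO_VERB (e.g. up-client,
    # down-host-v6) and the connection name in PLUTO_CONNECTION; the VTI
    # interface name is the single positional argument.
    verb = os.getenv('PLUTO_VERB')
    connection = os.getenv('PLUTO_CONNECTION')
    interface = sys.argv[1] if len(sys.argv) > 1 else None

    openlog(ident='vti-up-down', logoption=LOG_PID, facility=LOG_INFO)

    # When run outside strongswan's updown environment (or with the interface
    # argument missing) log the problem and exit non-zero instead of dying
    # with AttributeError on verb.endswith() or IndexError on sys.argv[1].
    if verb is None or connection is None or interface is None:
        syslog('Missing PLUTO_VERB, PLUTO_CONNECTION or interface argument, '
               'nothing to do')
        sys.exit(1)

    # strongswan appends "-v6" to the verb for IPv6 child SAs
    protocol = 'v6' if verb.endswith('-v6') else 'v4'

    syslog(f'Interface {interface} {verb} {connection}')

    # Do not touch interfaces while a configuration commit is in progress
    wait_for_commit_lock()

    # Only the verbs listed here trigger any action; every other verb
    # strongswan may emit is deliberately ignored.
    up_verbs = ('up-client', 'up-client-v6', 'up-host', 'up-host-v6')
    down_verbs = ('down-client', 'down-client-v6', 'down-host', 'down-host-v6')

    if verb in up_verbs:
        with open_vti_updown_db_for_update() as db:
            db.add(interface, connection, protocol)
            db.commit(supply_interface_dict)
    elif verb in down_verbs:
        with open_vti_updown_db_for_update() as db:
            db.remove(interface, connection, protocol)
            db.commit(supply_interface_dict)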