public inbox for development@lists.ipfire.org
* [PATCH] IPsec: Bring down connections after reloading configuration
@ 2020-09-17 16:35 Michael Tremer
From: Michael Tremer @ 2020-09-17 16:35 UTC (permalink / raw)
  To: development


It could happen that the remote peer re-established the connection
before "ipsec reload" removed it from the daemon.

Now, we write the configuration files first, reload them
and then bring down any connections that are still established.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/vpnmain.cgi   | 6 +++---
 src/misc-progs/ipsecctrl.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index e0f2c7a5e..ae5e80d38 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -689,12 +689,12 @@ END
 			my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
 			if ($test =~ /: OK/) {
 				# Delete connection
-				system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 				unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
 				unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
 				delete $confighash{$key};
 				&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 				&writeipsecfiles();
+				system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 			}
 		}
 		unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
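Review bot: the moved `system('/usr/local/bin/ipsecctrl', 'D', $key)` now has a hidden ordering dependency on `&writeipsecfiles()` that the hunk does not document: `ipsecctrl D` reloads the daemon from the files on disk, so it only drops the connection if the rewritten configuration no longer contains it. A one-line comment such as `# Must run after writeipsecfiles(), since ipsecctrl reloads from disk before bringing the connection down` above the call would stop a later edit from moving it back in front of the `delete $confighash{$key}` / `&writeipsecfiles()` sequence, which would silently reintroduce the race the commit message describes.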
@@ -1227,10 +1227,10 @@ END
 			&writeipsecfiles();
 			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
 		} else {
-			system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 			$confighash{$cgiparams{'KEY'}}[0] = 'off';
 			&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 			&writeipsecfiles();
+			system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 		}
 		sleep $sleepDelay;
 	} else {
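Review bot: the return value of `system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'})` is discarded, exactly as in the `S` branch above it, so a failed reload or `ipsec down` is never surfaced; because the entry has already been written as `'off'` before the call, the page will report the connection as disabled while the daemon may still hold it. Consider checking `$?` after the call and setting `$errormessage` in that case, as the `else` branches elsewhere in this file already do for other failures.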
@@ -1261,12 +1261,12 @@ END
 	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 
 	if ($confighash{$cgiparams{'KEY'}}) {
-		system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 		unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
 		unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
 		delete $confighash{$cgiparams{'KEY'}};
 		&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 		&writeipsecfiles();
+		system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
 	}
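Review bot: this hunk repeats the same six-line sequence (two `unlink`s, `delete`, `writehasharray`, `writeipsecfiles`, then `ipsecctrl D`) as the first hunk in this file, and the correctness of the fix depends on that order in both places. Factoring it into one helper (for example a `&deleteconnection($key)` sub) would encode the required ordering once instead of in three call sites that must be kept in sync by hand.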
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 2a64775f0..001587fca 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -141,14 +141,14 @@ void turn_connection_off (char *name) {
 	 */
         char command[STRING_SIZE];
 
+	// Reload, so the connection is dropped.
+	ipsec_reload();
+
 	// Bring down the connection.
         snprintf(command, STRING_SIZE - 1, 
                 "/usr/sbin/ipsec down %s >/dev/null", name);
         safe_system(command);
 
-	// Reload, so the connection is dropped.
-	ipsec_reload();
-
 	// Reload the IPsec firewall policy
 	safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
 
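Review bot: after this reordering the `ipsec down %s` step runs against a connection name that the just-reloaded daemon no longer has in its configuration (the CGI callers remove it from the files before invoking `ipsecctrl D`), so whether it does anything useful depends on how the daemon treats an unknown name; with stdout sent to `/dev/null` and the result of `safe_system(command)` unchecked, a failure here is invisible. The two comments should say which step is expected to terminate the connection (the reload) and that the explicit `down` is a best-effort cleanup, and the `safe_system` result should at least be logged. Since `name` is interpolated into a shell command line via `snprintf`, please also confirm in the review that it has been validated against a safe character set before it reaches `turn_connection_off`.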
-- 
2.20.1

