This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via d1bd615e9f10000bcf307e984a78a1ba384231cd (commit) via 6e2ba31bff62dc8eda9450139961cfb3c668240f (commit) from 86525dfc52009003a0976fb8df135ba0808ae121 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit d1bd615e9f10000bcf307e984a78a1ba384231cd Merge: 6e2ba31 86525df Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Aug 22 20:53:02 2011 +0200
Merge branch 'next' of ssh://arne_f@git.ipfire.org/pub/git/ipfire-2.x into next
commit 6e2ba31bff62dc8eda9450139961cfb3c668240f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Aug 22 20:47:35 2011 +0200
ipsec: change ipsecctrl and vpn-watch to restart a single tunnel.
-----------------------------------------------------------------------
Summary of changes: src/misc-progs/ipsecctrl.c | 39 ++++++++++++++++++++++++++++++++++++--- src/scripts/vpn-watch | 11 +++-------- 2 files changed, 39 insertions(+), 11 deletions(-)
Difference in files:
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index a018289..0b05177 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -142,10 +142,42 @@ int decode_line (char *s,
 */
 void turn_connection_on (char *name, char *type) {
 /*
- if you find a way to start a single connection without changing all add it
- here. Change also vpn-watch.
+ Rename the connection and run ipsec update and rename it back to readd
+ a deleted connection. Because ipsec update ignores connection that have
+ not changed since last load.
 */
- safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
+ char command[STRING_SIZE];
+ memset(command, 0, STRING_SIZE);
+ snprintf(command, STRING_SIZE - 1,
+ "sed -i -e 's|^conn %s$|conn %s-renamed|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name);
+ safe_system(command);
+
+ // Down and delete IKEv2 Tunnel before ipsec update
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec stroke down %s >/dev/null", name);
+ safe_system(command);
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec stroke delete %s >/dev/null", name);
+ safe_system(command);
+
+ safe_system("/etc/rc.d/init.d/ipsec update >/dev/null");
+
+ sleep(1);
+
+ // Back to original name
+ snprintf(command, STRING_SIZE - 1,
+ "sed -i -e 's|^conn %s-renamed$|conn %s|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name);
+ safe_system(command);
+
+ // Down and delete IKEv2 Tunnel before ipsec update
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec stroke down %s-renamed >/dev/null", name);
+ safe_system(command);
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec stroke delete %s-renamed >/dev/null", name);
+ safe_system(command);
+
+ safe_system("/etc/rc.d/init.d/ipsec update >/dev/null");
 }
 /* issue ipsec commmands to turn off connection 'name'
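Review bot: `name` is written straight into the `sed -i` and `ipsec stroke` command strings that `safe_system` hands to a shell (the `>/dev/null` redirects require one), so unless main() — outside this hunk — already restricts it to a safe character set, a connection name containing a quote, `|` or `$` breaks out of the sed expression or the command line; in a helper that rewrites /var/ipfire/vpn/ipsec.conf this deserves an explicit allowlist at the top of the function, e.g. `if (strspn(name, ALLOWED_NAME_CHARS) != strlen(name)) return;` where ALLOWED_NAME_CHARS is a placeholder for whatever set the project already validates names against. The rename is also not atomic: none of the safe_system() results are checked, and if the helper is interrupted between the two `sed -i` calls ipsec.conf is left with `conn NAME-renamed` and the tunnel can no longer be found under its real name. `type` is no longer used anywhere in the new body, which is worth either a comment or dropping from the signature if no caller depends on it. The `sleep(1)` before the rename-back is an unexplained timing assumption; a note such as `// TODO: document why a 1s wait is needed before renaming back` would stop it from being removed as dead time.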
@@ -162,6 +194,7 @@ void turn_connection_off (char *name) {
 snprintf(command, STRING_SIZE - 1, "/usr/sbin/ipsec stroke delete %s >/dev/null", name);
 safe_system(command);
+ safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
 safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null");
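Review bot: The added `ipsec whack --rereadall` runs unconditionally next to the existing `stroke rereadall`, with both exit statuses discarded and output silenced, so whichever daemon is not running will presumably fail quietly on every call and a later reader may well remove one of the two as a duplicate. A one-line comment above the new call would prevent that, e.g. `// reread secrets/config in both daemons: whack talks to pluto (IKEv1), stroke to charon (IKEv2); the one not running fails silently`. turn_connection_off begins and ends outside this hunk.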
diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch
index 63b2442..563c14c 100755
--- a/src/scripts/vpn-watch
+++ b/src/scripts/vpn-watch
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 ##################################################
-##### VPN-Watch.pl Version 0.6a #####
+##### VPN-Watch.pl Version 0.7 #####
 ##################################################
 # #
 # VPN-Watch is part of the IPFire Firewall #
@@ -39,12 +39,11 @@ while ( $i == 0){
 unless(@vpnsettings) {exit 1;} }
-my $status = `ipsec whack --status`;
+my $status = `ipsec status`;
 foreach (@vpnsettings){
 my @settings = split(/,/,$_);
 chomp($settings[30]);
- if ($settings[30] eq 'ikev2'){next;}
 if ($settings[27] ne 'RED'){next;} if ($settings[4] ne 'net'){next;} if ($settings[1] ne 'on'){next;}chomp($settings[29]);
@@ -57,15 +56,13 @@ foreach (@vpnsettings){
 my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print $3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
 if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
 my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
- my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
+ my $established= `echo "$status" | grep '$settings[2]' | grep -e 'erouted;' -e 'INSTALLED'`;
 my $known= `echo "$status" | grep '$settings[2]'`;
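Review bot: The switch from `ipsec whack --status` to `ipsec status` together with the dropped `ikev2` skip changes which tunnels the watcher handles, but nothing in the script records why, and the link to the `INSTALLED` match added further down the loop is only visible by reading the whole diff. A comment on the new `$status` line would make the intent explicit, e.g. `# 'ipsec status' reports both pluto (IKEv1) and charon (IKEv2) tunnels, so ikev2 connections are no longer skipped below; charon reports an up tunnel as INSTALLED`. `chomp($settings[30])` above the removed check is kept even though its only consumer visible here was that check; worth confirming it is still needed, since the rest of the loop body is outside this hunk.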
 if ( $ipmatch eq '' && $known ne '' ){
 logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
 system("/usr/local/bin/ipsecctrl S $settings[0]");
 $round=0;
- last; #all connections will reloaded
- #remove this if ipsecctrl can restart single con again
 }
 if ($debug){logger("Round=".$round." and established=".$established);}
@@ -74,8 +71,6 @@ foreach (@vpnsettings){
 logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
 system("/usr/local/bin/ipsecctrl S $settings[0]");
 $round=0;
- last; #all connections will reloaded
- #remove this if ipsecctrl can restart single con again
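Review bot: Removing `last;` after `system("/usr/local/bin/ipsecctrl S $settings[0]")` in the IP-changed branch means the same connection now falls through to the "not erouted" check further down (its condition sits between the hunks and is not visible here) with `$established` still computed from the `$status` captured before the restart, so unless that condition is gated by the `$round=0` just set, the tunnel is restarted a second time in the same pass; `next;` in place of the removed `last;` keeps the per-connection restart without the double hit. The same removal in the @@ -74 hunk is harmless since that fall-through only reaches the end of the loop body. The new `$established` line still pipes `$status` and `$settings[2]` through a shell via backticks, so a connection name containing a single quote breaks the `grep '...'` argument; matching in Perl avoids the shell entirely, e.g. `my $established = join '', grep { /\Q$settings[2]\E/ && /erouted;|INSTALLED/ } split /^/, $status;`, and the same form fits `$ipmatch` and `$known`. The two `logger` messages still say "restarting ipsec" although only a single tunnel is restarted now.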
 }
 }
hooks/post-receive -- IPFire 2.x development tree