* [PATCH 1/2] ipsec: reload connection when the config changes
@ 2017-08-04 19:26 Jonatan Schlag
2017-08-04 19:26 ` [PATCH 2/2] ipsec: reload connection when the security policy changes Jonatan Schlag
From: Jonatan Schlag @ 2017-08-04 19:26 UTC (permalink / raw)
To: network
[-- Attachment #1: Type: text/plain, Size: 836 bytes --]
Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
src/functions/functions.ipsec | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index 70931ed..6dc4d5b 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -285,7 +285,17 @@ ipsec_connection_exists() {
# Reloads the connection after config changes
ipsec_reload() {
- return ${EXIT_TRUE}
+ local connection=${1}
+
+ if ! ipsec_connection_to_strongswan ${connection}; then
+ log ERROR "Could not generate strongswan config for ${connnection}"
+ return ${EXIT_ERROR}
+ fi
+
+ if ! cmd swanctl --load-all; then
+ log ERROR "Could not reload strongswan config"
+ return ${EXIT_ERROR}
+ fi
}
# Handle the cli after authentification
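Review bot: The error message in ipsec_reload expands `${connnection}` (three n's), a variable that is never set, so the log line will not name the connection whose config failed to generate; it should read `log ERROR "Could not generate strongswan config for ${connection}"`. The same misspelling appears in vpn_security_policies_reload in patch 2/2. The argument in `ipsec_connection_to_strongswan ${connection}` is also unquoted and `${1}` is never checked for being empty, so quoting it as `"${connection}"` and rejecting an empty name before regenerating would be safer.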
--
2.6.3
* [PATCH 2/2] ipsec: reload connection when the security policy changes
2017-08-04 19:26 [PATCH 1/2] ipsec: reload connection when the config changes Jonatan Schlag
@ 2017-08-04 19:26 ` Jonatan Schlag
From: Jonatan Schlag @ 2017-08-04 19:26 UTC (permalink / raw)
To: network
[-- Attachment #1: Type: text/plain, Size: 2363 bytes --]
Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
src/functions/functions.ipsec | 12 ++++++++----
src/functions/functions.vpn-security-policies | 25 ++++++++++++++++++++++++-
2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index 6dc4d5b..57897ec 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -283,6 +283,13 @@ ipsec_connection_exists() {
[ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
}
+ipsec_strongswan_load() {
+ if ! cmd swanctl --load-all; then
+ log ERROR "Could not reload strongswan config"
+ return ${EXIT_ERROR}
+ fi
+}
+
# Reloads the connection after config changes
ipsec_reload() {
local connection=${1}
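Review bot: The new helper ipsec_strongswan_load has no header comment, unlike ipsec_reload just below it, and its scope is wider than the callers' names suggest. `swanctl --load-all` reloads credentials, authorities, pools and every connection, not only the one that changed. I would add something like `# Loads the complete swanctl configuration (credentials, pools and all connections) into the running daemon` above it, so callers know a single bad connection file can make the whole reload fail. ipsec_reload's body continues outside this hunk.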
@@ -292,10 +299,7 @@ ipsec_reload() {
return ${EXIT_ERROR}
fi
- if ! cmd swanctl --load-all; then
- log ERROR "Could not reload strongswan config"
- return ${EXIT_ERROR}
- fi
+ ipsec_strongswan_load
}
# Handle the cli after authentification
diff --git a/src/functions/functions.vpn-security-policies b/src/functions/functions.vpn-security-policies
index f73670b..ae652a2 100644
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
@@ -334,7 +334,30 @@ vpn_security_policies_write_config() {
return ${EXIT_ERROR}
fi
- # TODO everytime we successfully write a config we should call some trigger to take the changes into effect
+ if ! vpn_security_policies_reload ${name}; then
+ log WARNING "Could not reload the IPsec connection using this security policy"
+ return ${EXIT_ERROR}
+ fi
+}
+
+# reload IPsec connections using a special policy
+vpn_security_policies_reload() {
+ local name=${1}
+
+ local connection
+ for connection in $(ipsec_list_connections); do
+ if ! ipsec_connection_read_config "${connection}" "SECURITY_POLICY"; then
+ continue
+ fi
+
+ if [[ "${SECURITY_POLICY}" = "${name}" ]]; then
+ if ! ipsec_connection_to_strongswan "${connection}"; then
+ log ERROR "Could not generate strongswan config for ${connnection}"
+ fi
+ fi
+ done
+
+ ipsec_strongswan_load
}
# This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file
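Review bot: In vpn_security_policies_reload a failed `ipsec_connection_to_strongswan` is only logged; the loop continues and the function returns the status of `ipsec_strongswan_load`, so the caller can report success while a connection keeps running with the proposals of the old policy. Since the point of the reload is to put a changed security policy into effect, I would remember the failure in a local flag and return `${EXIT_ERROR}` after the load when any connection could not be regenerated. `SECURITY_POLICY` is also not declared `local` or cleared per iteration; if ipsec_connection_read_config leaves it untouched when the key is absent (not visible here), a value from the previous connection could match by accident. The call `vpn_security_policies_reload ${name}` should quote its argument, and vpn_security_policies_write_config starts outside this hunk.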
--
2.6.3