ipsec: derive required route interfaces for dynamic changes #5263

2026-03-19 19:15:22 +00:00 · 2021-10-18 09:24:03 +02:00 · 2021-10-18 09:24:03 +02:00 · 35992e7003
commit 35992e7003
parent 7ab4686b18
2 changed files with 40 additions and 7 deletions
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@ -330,6 +330,13 @@ function ipsec_xmlrpc_sync()
    return $result;
 }

+function ipsec_run()
+{
+    return array(
+        'link_interface_to_ipsec' => 'link_interface_to_ipsec:2',
+    );
+}
+
 /*
 * Return phase1 local address
 */
@ -1820,13 +1827,16 @@ function generate_strongswan_conf(array $tree, $level = 0): string
 function ipsec_get_configured_vtis()
 {
    global $config;
-    $configured_intf = array();
-    $a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : array();
-    $a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : array();
+
+    $a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : [];
+    $a_phase2 = isset($config['ipsec']['phase2']) ? $config['ipsec']['phase2'] : [];
+    $configured_intf = [];
+
    foreach ($a_phase1 as $ph1ent) {
        if (empty($ph1ent['disabled'])) {
-            $phase2items = array();
-            $phase2reqids = array();
+            $phase2items = [];
+            $phase2reqids = [];
+
            foreach ($a_phase2 as $ph2ent) {
                if (
                    $ph2ent['mode'] == 'route-based' &&
@ -1838,6 +1848,7 @@ function ipsec_get_configured_vtis()
                    }
                }
            }
+
            foreach ($phase2items as $idx => $phase2) {
                if (empty($phase2['reqid'])) {
                    continue;
@ -1852,11 +1863,12 @@ function ipsec_get_configured_vtis()
                }
                $intfnm = sprintf("ipsec%s", $reqid);
                if (empty($tunnels[$intfnm])) {
-                    $configured_intf[$intfnm] = array("reqid" => $reqid);
+                    $configured_intf[$intfnm] = ['reqid' => $reqid];
                    $configured_intf[$intfnm]['local'] = ipsec_get_phase1_src($ph1ent);
                    $configured_intf[$intfnm]['remote'] = $ph1ent['remote-gateway'];
+                    $configured_intf[$intfnm]['interface'] = $ph1ent['interface'];
                    $configured_intf[$intfnm]['descr'] = $descr;
-                    $configured_intf[$intfnm]['networks'] = array();
+                    $configured_intf[$intfnm]['networks'] = [];
                }

                $inet = is_ipaddrv6($phase2['tunnel_local']) ? 'inet6' : 'inet';
@ -1874,6 +1886,19 @@ function ipsec_get_configured_vtis()
    return $configured_intf;
 }

+function link_interface_to_ipsec($unused, $interface)
+{
+    $linked = [];
+
+    foreach (ipsec_get_configured_vtis() as $ipsec => $info) {
+        if ($info['interface'] == $interface) {
+            $linked = $ipsec;
+        }
+    }
+
+    return $linked;
+}
+
 /**
 * Configure required Virtual Terminal Interfaces (synchronizes configuration with local interfaces named ipsec%)
 */
--- a/src/etc/rc.newwanip
+++ b/src/etc/rc.newwanip
@ -98,6 +98,8 @@ if (!empty($bridgetmp)) {
    interface_bridge_add_member($bridgetmp, $interface_real);
 }

+$ipsecs = plugins_run('link_interface_to_ipsec', false, array($interface));
+
 system_resolvconf_generate();
 system_hosts_generate();

@ -138,6 +140,12 @@ foreach (legacy_config_get_interfaces(['enable' => true, 'virtual' => false]) as
            $restartifs[$ifname] = 1;
        }
    }
+
+    foreach ($ipsecs as $ipsec) {
+        if ($ifparent['if'] == $ipsec) {
+            $restartifs[$ifname] = 1;
+        }
+    }
 }

 foreach (array_keys($restartifs) as $ifname) {