ipsec: add a routing hook and use it for all ipsec devices #6354

src/etc/inc/plugins.inc

@@ -250,9 +250,21 @@ function plugins_firewall($fw)
 
 function plugins_configure($hook, $verbose = false, $args = [])
 {
+    $logargs = [];
+
     array_unshift($args, $verbose);
 
-    log_msg(sprintf('plugins_configure %s (%s)', $hook, implode(',', $args)), LOG_INFO);
+    foreach ($args as $arg) {
+        if (is_null($arg)) {
+            $logargs[] = 'null';
+        } elseif (is_array($arg)) {
+            $logargs[] = '[' . implode(',', $arg) . ']';
+        } else {
+            $logargs[] = $arg;
+        }
+    }
+
+    log_msg(sprintf('plugins_configure %s (%s)', $hook, implode(',', $logargs)), LOG_INFO);
 
     foreach (plugins_scan() as $name => $path) {
         try {
@@ -286,7 +298,7 @@ function plugins_configure($hook, $verbose = false, $args = [])
                             'plugins_configure %s (execute task : %s(%s))',
                             $hook,
                             $argf,
-                            implode(',', array_slice($args, 0, $argc))
+                            implode(',', array_slice($logargs, 0, $argc))
                         ), LOG_DEBUG);
                         try {
                             call_user_func_array($argf, array_slice($args, 0, $argc));

src/etc/inc/plugins.inc.d/core.inc

@@ -477,6 +477,7 @@ function core_configure()
 {
     return [
         'dns_reload' => ['system_resolver_configure'],
+        'route_reload' => ['core_routing_batch:2'],
         'user_changed' => ['core_user_changed_groups:2'],
     ];
 }
@@ -488,6 +489,13 @@ function core_run()
     ];
 }
 
+function core_routing_batch($verbose, $interfaces = [])
+{
+    foreach ($interfaces as $interface) {
+        system_routing_configure($verbose, $interface);
+    }
+}
+
 /**
  * user changed event, synchronize attached system groups for requested user
  */

src/etc/inc/plugins.inc.d/ipsec.inc

@@ -1590,6 +1590,9 @@ function ipsec_configure_do($verbose = false, $interface = '')
     ipsec_configure_spd();
 
     service_log("done.\n", $verbose);
+
+    /* reload routes on all attached VTI devices */
+    plugins_configure('route_reload', $verbose, [array_keys(array_merge(ipsec_get_configured_vtis(), (new \OPNsense\IPsec\Swanctl())->getVtiDevices()))]);
 }
 
 function generate_strongswan_conf(array $tree, $level = 0): string

src/etc/inc/system.inc

@@ -591,7 +591,7 @@ function system_routing_configure($verbose = false, $interface = null, $monitor
 {
     global $config;
 
-    service_log('Setting up routes...', $verbose);
+    service_log(sprintf('Setting up route%s...', empty($interface) ? 's' : " {$interface}"), $verbose);
 
     if (!empty($interface)) {
         log_msg("ROUTING: entering configure using '${interface}'", LOG_DEBUG);
@@ -693,9 +693,9 @@ function system_routing_configure($verbose = false, $interface = null, $monitor
     service_log("done.\n", $verbose);
 
     if ($monitor) {
-        $reloads = [];
-
         if (!empty($interface)) {
+            $reloads = [];
+
             foreach ($gateways->gatewaysIndexedByName(true) as $name => $gateway) {
                 if ($family !== null && $family !== $gateway['ipprotocol']) {
                     continue;
@@ -705,10 +705,12 @@ function system_routing_configure($verbose = false, $interface = null, $monitor
                     $reloads[] = $name;
                 }
             }
-        }
 
-        foreach (count($reloads) ? $reloads : [null] as $reload) {
-            plugins_configure('monitor', $verbose, [$reload]);
+            foreach ($reloads as $reload) {
+                plugins_configure('monitor', $verbose, [$reload]);
+            }
+        } else {
+            plugins_configure('monitor', $verbose);
         }
     }
 }