interfaces: introduce vpn_map event

There appear to be no callers in plugins. We could argue that the vpn/vpn_map event isn't really needed as it brings just OpenVPN, IPsec and WireGuard to the table, but we can decide on this later.
2026-03-13 00:07:27 +00:00 · 2024-08-26 23:29:32 +02:00 · 2024-08-26 23:29:32 +02:00 · ccac4779b7
commit ccac4779b7
parent 0e4cb12f3f
8 changed files with 27 additions and 24 deletions
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@ -120,7 +120,7 @@ function ipsec_configure()
 {
    return [
        'ipsec' => ['ipsec_configure_do:2'],
-        'vpn' => ['ipsec_configure_do:2'],
+        'vpn_map' => ['ipsec_configure_do:2'],
    ];
 }

@ -1232,23 +1232,28 @@ function ipsec_write_secrets()
    return $secrets;
 }

-function ipsec_configure_do($verbose = false, $interface = '')
+function ipsec_configure_do($verbose = false, $interface_map = null)
 {
    global $config;

    if (!empty($interface)) {
-         $active = false;
+        $interface_map = explode(',', $interface_map);
+        $active = false;
+
        if (isset($config['ipsec']['phase1'])) {
            foreach ($config['ipsec']['phase1'] as $phase1) {
-                if (!isset($phase1['disabled']) && $phase1['interface'] == $interface) {
+                if (!isset($phase1['disabled']) && in_array($phase1['interface'], $interface_map)) {
                    $active = true;
+                    break;
                }
            }
        }
+
        if (!$active) {
            return;
        }
    }
+
    $ipsec_mdl = new \OPNsense\IPsec\IPsec();

    /* configure VTI if needed */
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@ -1086,7 +1086,7 @@ function openvpn_configure_single($id)
    }
 }

-function openvpn_configure_do($verbose = false, $interface = '', $carp_event = false)
+function openvpn_configure_do($verbose = false, $interface_map = null, $carp_event = false)
 {
    global $config;

@ -1096,31 +1096,24 @@ function openvpn_configure_do($verbose = false, $interface = '', $carp_event = f
        return;
    }

-    if (!empty($interface)) {
-        log_msg(sprintf(
-            'Resyncing OpenVPN instances for interface %s.',
-            convert_friendly_interface_to_friendly_descr($interface)
-        ), LOG_INFO);
-    } else {
-        log_msg('Resyncing OpenVPN instances.', LOG_INFO);
-    }
-
    service_log('Syncing OpenVPN settings...', $verbose);

-    $reconfigure_count = 0;
+    $interface_map = !empty($interface_map) ? explode(',', $interface_map) : [];
+    $reconfigured = false;
+
    foreach (array('server', 'client') as $mode) {
        if (isset($config['openvpn']["openvpn-{$mode}"])) {
            foreach ($config['openvpn']["openvpn-{$mode}"] as $settings) {
-                if (empty($interface) || $interface == $settings['interface']) {
+                if (empty($interface_map) || in_array($settings['interface'], $interface_map)) {
                    openvpn_reconfigure($mode, $settings, $carp_event);
                    openvpn_restart($mode, $settings, $carp_event);
-                    $reconfigure_count++;
+                    $reconfigured = true;
                }
            }
        }
    }

-    if ($reconfigure_count > 0) {
+    if ($reconfigured) {
        configd_run('filter reload'); /* XXX required for NAT rules, but needs coalescing */
    }

--- a/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/src/etc/inc/plugins.inc.d/wireguard.inc
@ -145,7 +145,7 @@ function wireguard_configure()
 {
    return [
        'newwanip_map' => ['wireguard_sync'],
-        'vpn' => ['wireguard_configure_do'],
+        'vpn_map' => ['wireguard_configure_do'],
    ];
 }

--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@ -99,7 +99,8 @@ plugins_configure('dns', true);

 filter_configure_sync(true);
 plugins_configure('monitor', true, [null, true]);
-plugins_configure('vpn', true);
+plugins_configure('vpn_map', true);
+plugins_configure('vpn', true); /* XXX remove in 25.1 */
 plugins_configure('bootup', true);
 rrd_configure(true, true);

--- a/src/etc/rc.newwanip
+++ b/src/etc/rc.newwanip
@ -115,7 +115,8 @@ if (is_ipaddr($cacheip) && $ip != $cacheip) {
 /* register IP change not before this point as basic connectivity is needed */
@file_put_contents($cacheip_file, $ip . PHP_EOL);

-plugins_configure('vpn', false, [$interface]);
+plugins_configure('vpn_map', false, [$interface, 'inet']);
+plugins_configure('vpn', false, [$interface]); /* XXX remove in 25.1 */
 plugins_configure('newwanip', false, [$interface]); /* XXX remove in 25.1 */
 plugins_configure('newwanip_map', false, [$interface, 'inet']);
 rrd_configure();
--- a/src/etc/rc.newwanipv6
+++ b/src/etc/rc.newwanipv6
@ -126,9 +126,10 @@ foreach ($interfaces as $interface) {
 }

 filter_configure_sync();
+plugins_configure('vpn_map', false, [join(',', $interfaces), 'inet6']);

 foreach ($interfaces as $interface) {
-    plugins_configure('vpn', false, [$interface]);
+    plugins_configure('vpn', false, [$interface]); /* XXX remove in 25.1 */
    plugins_configure('newwanip', false, [$interface]); /* XXX remove in 25.1 */
 }

--- a/src/etc/rc.reload_all
+++ b/src/etc/rc.reload_all
@ -55,7 +55,8 @@ interfaces_configure(true);
 system_routing_configure(true);
 filter_configure_sync(true);
 plugins_configure('local', true);
-plugins_configure('vpn', true);
+plugins_configure('vpn_map', true);
+plugins_configure('vpn', true); /* XXX remove in 25.1 */
 rrd_configure(true);

 /* plugins service reload */
--- a/src/opnsense/scripts/shell/setports.php
+++ b/src/opnsense/scripts/shell/setports.php
@ -45,6 +45,7 @@ if (set_networking_interfaces_ports()) {
    system_routing_configure(true);
    filter_configure_sync(true);
    plugins_configure('local', true);
-    plugins_configure('vpn', true);
+    plugins_configure('vpn_map', true);
+    plugins_configure('vpn', true); /* XXX remove in 25.1 */
    rrd_configure(true);
 }