From ccac4779b7d9f31d3af12b4f35d18808d1852128 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 26 Aug 2024 23:29:32 +0200
Subject: [PATCH] interfaces: introduce vpn_map event

There appear to be no callers in plugins. We could argue that the vpn/vpn_map event isn't really needed as it brings just OpenVPN, IPsec and WireGuard to the table, but we can decide on this later.
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 13 +++++++++----
 src/etc/inc/plugins.inc.d/openvpn.inc | 21 +++++++-------------
 src/etc/inc/plugins.inc.d/wireguard.inc | 2 +-
 src/etc/rc.bootup | 3 ++-
 src/etc/rc.newwanip | 3 ++-
 src/etc/rc.newwanipv6 | 3 ++-
 src/etc/rc.reload_all | 3 ++-
 src/opnsense/scripts/shell/setports.php | 3 ++-
 8 files changed, 27 insertions(+), 24 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 80d28f19f..da9ae3c93 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -120,7 +120,7 @@ function ipsec_configure()
 {
 return [
 'ipsec' => ['ipsec_configure_do:2'],
- 'vpn' => ['ipsec_configure_do:2'],
+ 'vpn_map' => ['ipsec_configure_do:2'],
 ];
 }
@@ -1232,23 +1232,28 @@ function ipsec_write_secrets()
 return $secrets;
 }
-function ipsec_configure_do($verbose = false, $interface = '')
+function ipsec_configure_do($verbose = false, $interface_map = null)
 {
 global $config;
 if (!empty($interface)) {
- $active = false;
+ $interface_map = explode(',', $interface_map);
+ $active = false;
+
 if (isset($config['ipsec']['phase1'])) {
 foreach ($config['ipsec']['phase1'] as $phase1) {
- if (!isset($phase1['disabled']) && $phase1['interface'] == $interface) {
+ if (!isset($phase1['disabled']) && in_array($phase1['interface'], $interface_map)) {
 $active = true;
+ break;
 }
 }
 }
+
 if (!$active) {
 return;
 }
 }
+
 $ipsec_mdl = new \OPNsense\IPsec\IPsec();
 /* configure VTI if needed */
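Review bot: The guard `if (!empty($interface)) {` on the context line below `global $config;` still tests the old parameter name, and `$interface` no longer exists in the new signature, so `empty()` is always true and the whole interface-scoped block — including the new `explode()`/`in_array()` filter and the early `return` — is dead code: every `vpn_map` event reconfigures all of IPsec regardless of the interface list it was handed. It should read `if (!empty($interface_map)) {`. While here, `in_array($phase1['interface'], $interface_map)` compares loosely; `in_array($phase1['interface'], $interface_map, true)` is the safer form since the exploded map entries are always strings. The body of ipsec_configure_do continues outside the hunk.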
diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index 9ff36d084..3da318f8e 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -1086,7 +1086,7 @@ function openvpn_configure_single($id)
 }
 }
-function openvpn_configure_do($verbose = false, $interface = '', $carp_event = false)
+function openvpn_configure_do($verbose = false, $interface_map = null, $carp_event = false)
 {
 global $config;
@@ -1096,31 +1096,24 @@ function openvpn_configure_do($verbose = false, $interface = '', $carp_event = f
 return;
 }
- if (!empty($interface)) {
- log_msg(sprintf(
- 'Resyncing OpenVPN instances for interface %s.',
- convert_friendly_interface_to_friendly_descr($interface)
- ), LOG_INFO);
- } else {
- log_msg('Resyncing OpenVPN instances.', LOG_INFO);
- }
-
 service_log('Syncing OpenVPN settings...', $verbose);
- $reconfigure_count = 0;
+ $interface_map = !empty($interface_map) ? explode(',', $interface_map) : [];
+ $reconfigured = false;
+
 foreach (array('server', 'client') as $mode) {
 if (isset($config['openvpn']["openvpn-{$mode}"])) {
 foreach ($config['openvpn']["openvpn-{$mode}"] as $settings) {
- if (empty($interface) || $interface == $settings['interface']) {
+ if (empty($interface_map) || in_array($settings['interface'], $interface_map)) {
 openvpn_reconfigure($mode, $settings, $carp_event);
 openvpn_restart($mode, $settings, $carp_event);
- $reconfigure_count++;
+ $reconfigured = true;
 }
 }
 }
 }
- if ($reconfigure_count > 0) {
+ if ($reconfigured) {
 configd_run('filter reload'); /* XXX required for NAT rules, but needs coalescing */
 }
diff --git a/src/etc/inc/plugins.inc.d/wireguard.inc b/src/etc/inc/plugins.inc.d/wireguard.inc
index 0817aa223..61be4cf72 100644
--- a/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/src/etc/inc/plugins.inc.d/wireguard.inc
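Review bot: The new filter `in_array($settings['interface'], $interface_map)` in the second hunk uses loose comparison and reuses `$interface_map` for two different types (the comma-separated string parameter, then the exploded array), which makes the `empty($interface_map)` test on the same line read as a check on the parameter when it is really a check on the derived array; a separate local plus strict mode, `$interfaces = !empty($interface_map) ? explode(',', $interface_map) : [];` and `in_array($settings['interface'], $interfaces, true)`, keeps the parameter intact and avoids PHP's numeric-string coercion. The removed `log_msg()` block also drops the only log record of which interface triggered the resync; since the parameter is still a string before the `explode()`, a single line such as `log_msg(sprintf('Resyncing OpenVPN instances for %s.', empty($interface_map) ? 'all interfaces' : $interface_map), LOG_INFO);` placed next to `service_log()` would keep that for troubleshooting. The rest of openvpn_configure_do's body lies outside the hunk.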
@@ -145,7 +145,7 @@ function wireguard_configure()
 {
 return [
 'newwanip_map' => ['wireguard_sync'],
- 'vpn' => ['wireguard_configure_do'],
+ 'vpn_map' => ['wireguard_configure_do'],
 ];
 }
diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup
index 5ebf2b866..5ded3c0fc 100755
--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -99,7 +99,8 @@ plugins_configure('dns', true);
 filter_configure_sync(true);
 plugins_configure('monitor', true, [null, true]);
-plugins_configure('vpn', true);
+plugins_configure('vpn_map', true);
+plugins_configure('vpn', true); /* XXX remove in 25.1 */
 plugins_configure('bootup', true);
 rrd_configure(true, true);
diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip
index 43dba6977..9760c24d6 100755
--- a/src/etc/rc.newwanip
+++ b/src/etc/rc.newwanip
@@ -115,7 +115,8 @@ if (is_ipaddr($cacheip) && $ip != $cacheip) {
 /* register IP change not before this point as basic connectivity is needed */
 @file_put_contents($cacheip_file, $ip . PHP_EOL);
-plugins_configure('vpn', false, [$interface]);
+plugins_configure('vpn_map', false, [$interface, 'inet']);
+plugins_configure('vpn', false, [$interface]); /* XXX remove in 25.1 */
 plugins_configure('newwanip', false, [$interface]); /* XXX remove in 25.1 */
 plugins_configure('newwanip_map', false, [$interface, 'inet']);
 rrd_configure();
diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6
index 409977995..c0dd2136e 100755
--- a/src/etc/rc.newwanipv6
+++ b/src/etc/rc.newwanipv6
@@ -126,9 +126,10 @@ foreach ($interfaces as $interface) {
 }
 filter_configure_sync();
+plugins_configure('vpn_map', false, [join(',', $interfaces), 'inet6']);
 foreach ($interfaces as $interface) {
- plugins_configure('vpn', false, [$interface]);
+ plugins_configure('vpn', false, [$interface]); /* XXX remove in 25.1 */
 plugins_configure('newwanip', false, [$interface]); /* XXX remove in 25.1 */
 }
diff --git a/src/etc/rc.reload_all b/src/etc/rc.reload_all
index 4f6fd2ca5..839a605c6 100755
--- a/src/etc/rc.reload_all
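Review bot: The `vpn_map` call added above the `foreach` in rc.newwanipv6 encodes the affected interfaces as one comma-joined string, `join(',', $interfaces)`, and the receiving handlers in ipsec.inc and openvpn.inc split it back with `explode(',', ...)`; that wire format is now an implicit contract between three files but is not written down at either end. A short comment at this call site, `/* vpn_map handlers receive all affected interfaces as one comma-separated list plus the address family */`, would document it; the rc.newwanip hunk, which passes a single interface name in the same slot, would benefit from the same note.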
+++ b/src/etc/rc.reload_all
@@ -55,7 +55,8 @@ interfaces_configure(true);
 system_routing_configure(true);
 filter_configure_sync(true);
 plugins_configure('local', true);
-plugins_configure('vpn', true);
+plugins_configure('vpn_map', true);
+plugins_configure('vpn', true); /* XXX remove in 25.1 */
 rrd_configure(true);
 /* plugins service reload */
diff --git a/src/opnsense/scripts/shell/setports.php b/src/opnsense/scripts/shell/setports.php
index b480700e9..2d5c2eae8 100755
--- a/src/opnsense/scripts/shell/setports.php
+++ b/src/opnsense/scripts/shell/setports.php
@@ -45,6 +45,7 @@ if (set_networking_interfaces_ports()) {
 system_routing_configure(true);
 filter_configure_sync(true);
 plugins_configure('local', true);
- plugins_configure('vpn', true);
+ plugins_configure('vpn_map', true);
+ plugins_configure('vpn', true); /* XXX remove in 25.1 */
 rrd_configure(true);
 }