From b45faf9e7046e9b183b029591f6b9ebba2a1a82b Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 17 Sep 2020 16:35:21 +0000
Subject: [PATCH] IPsec: Bring down connections after reloading configuration

It could happen that the remote peer re-established the connection before "ipsec reload" removed it from the daemon.

Now, we write the configuration files first, reload them and then bring down any connections that are still established.

Signed-off-by: Michael Tremer
---
 html/cgi-bin/vpnmain.cgi | 6 +++---
 src/misc-progs/ipsecctrl.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index e0f2c7a5e5..ae5e80d38e 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -689,12 +689,12 @@ END
 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
 if ($test =~ /: OK/) {
 # Delete connection
- system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
 unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
 delete $confighash{$key};
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 }
 }
 unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
@@ -1227,10 +1227,10 @@ END
 &writeipsecfiles();
 system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
 } else {
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 $confighash{$cgiparams{'KEY'}}[0] = 'off';
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 }
 sleep $sleepDelay;
 } else {
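Review bot: The relocated `system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);` that now closes the @689 hunk — and the same line at the end of the @1227 and @1261 hunks of vpnmain.cgi — discards the helper's exit status, so when the teardown fails the certificate files and the config entry are already gone while the tunnel may still be established, and the page reports nothing. Since the @1261 branch already surfaces problems through `$errormessage`, the teardown result could be appended there as well, e.g. keep `system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);` and follow it with `$errormessage .= "ipsecctrl D $key failed: $?<br />" if (&vpnenabled && $? != 0);`, with the corresponding pair in the other two hunks. As a point of style, `&vpnenabled` without parentheses hands the caller's current `@_` to the sub; `vpnenabled()` is the unambiguous form. The enclosing blocks of all three hunks begin and end outside the hunk lines.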
@@ -1261,12 +1261,12 @@ END
 &General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 if ($confighash{$cgiparams{'KEY'}}) {
- system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
 unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
 delete $confighash{$cgiparams{'KEY'}};
 &General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 &writeipsecfiles();
+ system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 } else {
 $errormessage = $Lang::tr{'invalid key'};
 }
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 2a64775f02..001587fca0 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -141,14 +141,14 @@ void turn_connection_off (char *name) {
 */
 char command[STRING_SIZE];
+ // Reload, so the connection is dropped.
+ ipsec_reload();
+
 // Bring down the connection.
 snprintf(command, STRING_SIZE - 1, "/usr/sbin/ipsec down %s >/dev/null", name);
 safe_system(command);
- // Reload, so the connection is dropped.
- ipsec_reload();
-
 // Reload the IPsec firewall policy
 safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
-- 
2.39.2
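Review bot: In the ipsecctrl.c hunk the reordered code still builds a shell command from `name` with `snprintf(command, STRING_SIZE - 1, "/usr/sbin/ipsec down %s >/dev/null", name);` and runs it through safe_system(), whose redirect implies a shell; unless main() already restricts the argument to a numeric key before calling turn_connection_off() (not visible in this patch), the value needs validating, or passing without a shell, before that line. The moved comment `// Reload, so the connection is dropped.` no longer explains why `ipsec down` must still follow it; the commit message does, so the comment should carry that, e.g. `// Reload first so the connection is removed from the daemon, then bring down any SA the peer re-established before the reload.` Only stdout of `ipsec down` goes to /dev/null, so once the reload has already removed the connection any error text the command prints presumably lands on the helper's stderr; adding `2>&1` would keep it out of whatever consumes that stream. turn_connection_off() begins before the first hunk line and continues past the last.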