Fixed several bugs in vpn-watch script.

The counter was pending between 0 and 1 and not going up to 9.

If ipsec whack is returning and empty page we do not need to check
if the remoteip has changed because the tunnel is not up.

If ipsec is restarted the counter can be reset.

All these facts causes that on low powered system the tunnels are
intable if you have a lot of them. But we need to check if the
convergation timer is okay because with these bugs the tunnels
were minutly restarted and with correct handling after 10.

diff --git a/config/rootfiles/core/45/filelists/files b/config/rootfiles/core/45/filelists/files
index 8df8185fb3e733ad4955e45a31d3228b2d2e5a37..4d88e2395f099753196a5c8b269a66d584c09b42 100644 (file)
--- a/config/rootfiles/core/45/filelists/files
+++ b/config/rootfiles/core/45/filelists/files
@@ -7,4 +7,5 @@ srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/sbin/updxlrator
 var/ipfire/outgoing/bin/outgoingfw.pl
-srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
\ No newline at end of file
+srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
+usr/local/bin/vpn-watch
\ No newline at end of file

diff --git a/config/rootfiles/core/45/update.sh b/config/rootfiles/core/45/update.sh
index 03c6cfbba91c0931f5dc6851d5876f627f7d9738..d22779172099f7fd2bce7b6b9278ab76a3e9a4e2 100644 (file)
--- a/config/rootfiles/core/45/update.sh
+++ b/config/rootfiles/core/45/update.sh
@@ -28,6 +28,8 @@
 #Stop services
 echo Stopping Proxy
 /etc/init.d/squid stop 2>/dev/null
+echo Stopping vpn-watch
+killall vpn-watch
 
 #
 #Extract files
@@ -39,6 +41,8 @@ echo Starting Proxy
 /etc/init.d/squid start 2>/dev/null
 echo Rewriting Outgoing FW Rules
 /var/ipfire/outgoing/bin/outgoingfw.pl
+echo Starting vpn-watch
+/usr/local/bin/vpn-watch &
 
 #
 #Update Language cache

diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch
index 0c5f62d59f8c85e6651db7cf13679085d87d6f50..32a854983ea251e0b8b88d1f046a9af95b735dd9 100755 (executable)
--- a/src/scripts/vpn-watch
+++ b/src/scripts/vpn-watch
@@ -1,6 +1,6 @@
 #!/usr/bin/perl 
 ##################################################
-#####     VPN-Watch.pl     Version 0.5       #####
+#####     VPN-Watch.pl     Version 0.6       #####
 ##################################################
 #                                                #
 #   VPN-Watch is part of the IPFire Firewall     #
@@ -32,7 +32,7 @@ while ( $i == 0){
   $round++;
 
    # Reset roundcounter after 10 min. To do established check.
-  if ($round > 9) { $round=0 }
+  if ($round > 9) { $round==0 }
 
   if (open(FILE, "<${General::swroot}/vpn/config")) {    @vpnsettings = <FILE>;
     close(FILE);
@@ -55,17 +55,22 @@ foreach (@vpnsettings){
   my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
   if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
   my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
-  my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`; 
+  my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
   
-  if ( $ipmatch eq '' ){
+  if ( $ipmatch eq '' && $status ne ''){
     logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
     system("/usr/local/bin/ipsecctrl S $settings[0]");
+    $round=0;
     last; #all connections will reloaded
           #remove this if ipsecctrl can restart single con again
   }
-  if ( ($round = 0) && ($established eq '')) {
+
+  if ($debug){logger("Round=".$round." and established=".$established);}
+
+  if ( ($round == 0) && ($established eq '')) {
     logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
     system("/usr/local/bin/ipsecctrl S $settings[0]");
+    $round=0;
     last; #all connections will reloaded
           #remove this if ipsecctrl can restart single con again