From bb893dcd86744a5167d92529d4a7e3c0fb29d9d8 Mon Sep 17 00:00:00 2001
From: Christian Schmidt
Date: Fri, 21 Jan 2011 17:52:32 +0100
Subject: [PATCH] Fixed several bugs in vpn-watch script.

The counter was pending between 0 and 1 and not going up to 9. If ipsec whack is returning and empty page we do not need to check if the remoteip has changed because the tunnel is not up. If ipsec is restarted the counter can be reset. All these facts causes that on low powered system the tunnels are intable if you have a lot of them. But we need to check if the convergation timer is okay because with these bugs the tunnels were minutly restarted and with correct handling after 10.
---
 config/rootfiles/core/45/filelists/files | 3 ++-
 config/rootfiles/core/45/update.sh | 4 ++++
 src/scripts/vpn-watch | 15 ++++++++++-----
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/config/rootfiles/core/45/filelists/files b/config/rootfiles/core/45/filelists/files
index 8df8185fb3..4d88e2395f 100644
--- a/config/rootfiles/core/45/filelists/files
+++ b/config/rootfiles/core/45/filelists/files
@@ -7,4 +7,5 @@ srv/web/ipfire/cgi-bin/proxy.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/sbin/updxlrator
 var/ipfire/outgoing/bin/outgoingfw.pl
-srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
\ No newline at end of file
+srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
+usr/local/bin/vpn-watch
\ No newline at end of file
diff --git a/config/rootfiles/core/45/update.sh b/config/rootfiles/core/45/update.sh
index 03c6cfbba9..d227791720 100644
--- a/config/rootfiles/core/45/update.sh
+++ b/config/rootfiles/core/45/update.sh
@@ -28,6 +28,8 @@ #Stop services
 echo Stopping Proxy
 /etc/init.d/squid stop 2>/dev/null
+echo Stopping vpn-watch
+killall vpn-watch
 #
 #Extract files
@@ -39,6 +41,8 @@ echo Starting Proxy
 /etc/init.d/squid start 2>/dev/null
 echo Rewriting Outgoing FW Rules
 /var/ipfire/outgoing/bin/outgoingfw.pl
+echo Starting vpn-watch
+/usr/local/bin/vpn-watch &
 #
 #Update Language cache 
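Review bot: `killall vpn-watch` in the first update.sh hunk has no error handling, so if no vpn-watch process exists when the update runs it writes a "no process found" error into the update output and returns non-zero; `killall -q vpn-watch` (or `killall vpn-watch 2>/dev/null`) keeps the update log clean. In the second hunk, `/usr/local/bin/vpn-watch &` is started with the updater's stdout and stderr still attached, and the script's main loop (see the src/scripts/vpn-watch hunks) appears to be an endless `while ( $i == 0)` loop, so if the update output is collected through a pipe that pipe stays open for as long as vpn-watch runs — `/usr/local/bin/vpn-watch >/dev/null 2>&1 &` would avoid that; confirm how pakfire consumes this script's output before relying on it. A one-line comment at the stop, `# vpn-watch is replaced by this update; stop the old copy before the files are extracted`, would also explain the ordering to the next reader.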
diff --git a/src/scripts/vpn-watch b/src/scripts/vpn-watch
index 0c5f62d59f..32a854983e 100755
--- a/src/scripts/vpn-watch
+++ b/src/scripts/vpn-watch
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 ##################################################
-##### VPN-Watch.pl Version 0.5 #####
+##### VPN-Watch.pl Version 0.6 #####
 ##################################################
 # #
 # VPN-Watch is part of the IPFire Firewall #
@@ -32,7 +32,7 @@ while ( $i == 0){
 $round++;
 # Reset roundcounter after 10 min. To do established check.
- if ($round > 9) { $round=0 }
+ if ($round > 9) { $round==0 }
 if (open(FILE, "<${General::swroot}/vpn/config")) {
 @vpnsettings = ;
 close(FILE);
@@ -55,17 +55,22 @@ foreach (@vpnsettings){
 my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
 if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
 my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
- my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
+ my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
- if ( $ipmatch eq '' ){
+ if ( $ipmatch eq '' && $status ne ''){
 logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
 system("/usr/local/bin/ipsecctrl S $settings[0]");
+ $round=0;
 last; #all connections will reloaded #remove this if ipsecctrl can restart single con again
 }
- if ( ($round = 0) && ($established eq '')) {
+
+ if ($debug){logger("Round=".$round." and established=".$established);}
+
+ if ( ($round == 0) && ($established eq '')) {
 logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
 system("/usr/local/bin/ipsecctrl S $settings[0]");
+ $round=0;
 last; #all connections will reloaded #remove this if ipsecctrl can restart single con again
-- 
2.39.2
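Review bot: The new reset `if ($round > 9) { $round==0 }` compares instead of assigns, so `$round` is never wound back to 0 once it passes 9 (with warnings enabled perl reports this as a useless use of numeric eq in void context); the line should keep `if ($round > 9) { $round=0 }`, and the `=`→`==` correction belongs only in the `if ( ($round == 0) && ($established eq '')) {` condition of the third hunk. With no wrap-around, the only thing that brings `$round` back to 0 is the `$round=0; last;` added after a restart in the third hunk, and that is followed by `$round++` on the very next pass of this loop, so the "not erouted" restart guarded by `$round == 0` would presumably never fire again. A short comment on the counter's contract, `# $round wraps to 0 every 10 passes (and after a restart); the erouted check below only runs on a 0 pass`, would make that dependency explicit. The `@vpnsettings = ;` read appears to have lost its filehandle in this rendering (likely `<FILE>`) and could not be reviewed, and the enclosing `while ( $i == 0)` loop starts before this hunk and continues past its end.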
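Review bot: The new debug line `if ($debug){logger("Round=".$round." and established=".$established);}` interpolates `$established` exactly as the backtick pipeline returned it, trailing newline included, so the log entry carries a raw line break whenever the connection is erouted; a `chomp($established);` right after its assignment keeps the `eq ''` test intact and gives a one-line message. The re-emitted `my $established= ...` line (only its whitespace changed) still hands `$settings[2]` — presumably split from the vpn config entries read in the previous hunk — and `$status` to a `/bin/sh` pipeline, as the neighbouring `$ipmatch` and ping lines do with `$remoteip` and `$remotehostname`; a quote or `$(` in any of those values would be executed by the shell, and since `$status` is already in Perl the same test can be done without a shell, e.g. `grep { index($_, $settings[2]) >= 0 && index($_, 'erouted;') >= 0 } split /\n/, $status`. The `$status ne ''` guard is reasonable but its meaning (ipsec whack returned nothing, per the commit message) deserves a comment, `# empty status: no tunnel is up, so an IP change cannot be detected here`. The enclosing foreach over @vpnsettings and the outer while loop both start before this hunk and continue past its last line, so the effect of the added `$round=0; last;` on the following iteration cannot be checked here.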