IPsec: Bring down connections after reloading configuration

Message ID 20200917163522.4034-1-michael.tremer@ipfire.org
State Accepted
Commit b45faf9e7046e9b183b029591f6b9ebba2a1a82b
Series IPsec: Bring down connections after reloading configuration |

Commit Message

Michael Tremer Sept. 17, 2020, 4:35 p.m. UTC
  It could happen that the remote peer re-established the connection
before "ipsec reload" removed it from the daemon.

Now, we write the configuration files first, reload them
and then bring down any connections that are still established.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/vpnmain.cgi   | 6 +++---
 src/misc-progs/ipsecctrl.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
  

Patch

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index e0f2c7a5e..ae5e80d38 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -689,12 +689,12 @@  END
 			my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
 			if ($test =~ /: OK/) {
 				# Delete connection
-				system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 				unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
 				unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
 				delete $confighash{$key};
 				&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 				&writeipsecfiles();
+				system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 			}
 		}
 		unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
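Review bot: The moved `system('/usr/local/bin/ipsecctrl', 'D', $key)` now runs after `delete $confighash{$key}` and `&General::writehasharray(...)` have already removed the entry from `${General::swroot}/vpn/config`, so if ipsecctrl resolves the key to a connection name by reading that file (its lookup is outside this patch), it will no longer find anything to bring down and the connection the commit message worries about stays established. The hunks at L57 (entry deleted) and L45 (entry set to 'off') place the call in the same position and share the question. If ipsecctrl does need the entry, the safer order is to write the ipsec configuration without the connection, reload, then call `D` while the vpn/config entry is still present, and only then delete it; otherwise a short comment on the new line, `# Entry is already gone from vpn/config; ipsecctrl must derive the conn name from $key alone`, would record why this ordering is safe. The exit status of `system` is also ignored here, so a failed down is silent to the admin.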
@@ -1227,10 +1227,10 @@  END
 			&writeipsecfiles();
 			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
 		} else {
-			system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 			$confighash{$cgiparams{'KEY'}}[0] = 'off';
 			&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 			&writeipsecfiles();
+			system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 		}
 		sleep $sleepDelay;
 	} else {
@@ -1261,12 +1261,12 @@  END
 	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 
 	if ($confighash{$cgiparams{'KEY'}}) {
-		system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 		unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
 		unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
 		delete $confighash{$cgiparams{'KEY'}};
 		&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 		&writeipsecfiles();
+		system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
 	}
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 2a64775f0..001587fca 100644
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -141,14 +141,14 @@  void turn_connection_off (char *name) {
 	 */
         char command[STRING_SIZE];
 
+	// Reload, so the connection is dropped.
+	ipsec_reload();
+
 	// Bring down the connection.
         snprintf(command, STRING_SIZE - 1, 
                 "/usr/sbin/ipsec down %s >/dev/null", name);
         safe_system(command);
 
-	// Reload, so the connection is dropped.
-	ipsec_reload();
-
 	// Reload the IPsec firewall policy
 	safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
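Review bot: After the reordering, `ipsec down %s` at the snprintf line is expected to run against a connection that `ipsec_reload()` has usually already removed, so strongswan will routinely report an unknown connection on stderr; the command only redirects stdout (`>/dev/null`), so that noise now lands in the caller's output and the line should read `"/usr/sbin/ipsec down %s >/dev/null 2>&1"` or the result of `safe_system` should be checked and logged deliberately. The two comments no longer explain the order; replace the first with `// Reload first so the daemon drops the connection from its configuration.` and the second with `// Then bring down any instance the peer re-established in the meantime.` so the rationale from the commit message survives in the code. turn_connection_off() starts and ends outside this hunk, and the indentation mixes tabs and spaces across the new and existing lines.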