From patchwork Thu Sep 17 16:35:21 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 3470
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH] IPsec: Bring down connections after reloading configuration
Date: Thu, 17 Sep 2020 16:35:21 +0000
Message-Id: <20200917163522.4034-1-michael.tremer@ipfire.org>

It could happen that the remote peer re-established the connection before
"ipsec reload" removed it from the daemon.

Now, we write the configuration files first, reload them and then bring down
any connections that are still established.

Signed-off-by: Michael Tremer
---
 html/cgi-bin/vpnmain.cgi   | 6 +++---
 src/misc-progs/ipsecctrl.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e0f2c7a5e..ae5e80d38 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -689,12 +689,12 @@ END my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; if ($test =~ /: OK/) { # Delete connection - system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); delete $confighash{$key}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); } } unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); @@ -1227,10 +1227,10 @@ END &writeipsecfiles(); system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); } else { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); $confighash{$cgiparams{'KEY'}}[0] = 'off'; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); } sleep $sleepDelay; } else { @@ -1261,12 +1261,12 @@ END &General::readhasharray("${General::swroot}/vpn/config", \%confighash); if ($confighash{$cgiparams{'KEY'}}) { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); delete $confighash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/vpn/config", \%confighash); &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); } else { $errormessage = $Lang::tr{'invalid key'}; } 
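Review bot: in the two delete paths (the CA-removal loop in the hunk at line 689 and the single-connection delete in the hunk at line 1261), `system('/usr/local/bin/ipsecctrl', 'D', $key)` now runs only after `delete $confighash{$key}` and `&General::writehasharray("${General::swroot}/vpn/config", ...)` have removed that entry from vpn/config. The CGI passes the key, while `turn_connection_off(char *name)` in ipsecctrl takes a connection name, so ipsecctrl has to resolve key to name from somewhere; if that lookup reads vpn/config, it will no longer find the entry, `turn_connection_off()` will not run, and the stale SA this patch is meant to kill stays up. Either resolve the name in the CGI and hand it to ipsecctrl, or keep the `D` call before `writehasharray` and do a second reload after `&writeipsecfiles()`. Please confirm against ipsecctrl's `D` handling before merging; the disable path at line 1227 is not affected because the entry stays in vpn/config with state 'off'.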
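Review bot: in the disable hunk at line 1227 (and likewise in the two delete hunks), the `system(...)` return value is still ignored, and with the call moved to the end of the branch a failure inside ipsecctrl (reload or `ipsec down` failing) is now the last thing that happens and nothing surfaces it, while the config has already been written as 'off'. Check `system(...) == 0` and set `$errormessage` on failure so the page does not report a tunnel as disabled while it is still established.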
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index 2a64775f0..001587fca 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -141,14 +141,14 @@ void turn_connection_off (char *name) { */ char command[STRING_SIZE]; + // Reload, so the connection is dropped. + ipsec_reload(); + // Bring down the connection. snprintf(command, STRING_SIZE - 1, "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command); - // Reload, so the connection is dropped. - ipsec_reload(); - // Reload the IPsec firewall policy safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
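Review bot: the comment kept above `ipsec_reload();` ("Reload, so the connection is dropped.") now contradicts the commit message, which says the reload alone may not drop a connection the peer has re-established; reword it to say the reload removes the connection definition and the following `ipsec down` terminates any SA that survived. Two further points in the same hunk: the return values of `ipsec_reload()` and `safe_system()` are still unchecked, so a failed reload silently falls through to the firewall policy reload; and `ipsec down %s` is still built with `snprintf(command, STRING_SIZE - 1, ...)` and run through `safe_system()`, so `name` is interpolated into a shell command line and a name longer than the buffer is truncated without an error. Since the whole reorder relies on `ipsec down` working against a connection name whose definition was just unloaded by the reload, that case should be verified on a live peer rather than assumed.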