(ipsec) restart should stop/start the service

(cherry picked from commit 5a6f5b64) (cherry picked from commit 8b6108a8) (cherry picked from commit 8f00c9c7)

(ipsec) restart should stop/start the service
(cherry picked from commit 5a6f5b64) (cherry picked from commit 8b6108a8) (cherry picked from commit 8f00c9c7)
c8d13a73 · Ad Schellevis · Franco Fichtner · c0a801a1 · c8d13a73 · c8d13a73
Commit c8d13a73 authored Oct 22, 2016 by Ad Schellevis Committed by Franco Fichtner Oct 24, 2016
7 changed files
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -1288,35 +1288,15 @@ EOD;
    return count($filterdns_list);
 }

-/*
- * Forcefully restart IPsec
- * This is required for when dynamic interfaces reload
- * For all other occasions the normal ipsec_configure()
- * will gracefully reload the settings without restarting
- */
-function ipsec_force_reload($interface = '')
+function ipsec_configured_on_interface($interface)
 {
    global $config;
-
-    $ipseccfg = $config['ipsec'];
-
-    if (!empty($interface) && isset($ipseccfg['phase1']) && is_array($ipseccfg['phase1'])) {
-        $found = false;
-        foreach ($ipseccfg['phase1'] as $ipsec) {
-            if (!isset($ipsec['disabled']) && ($ipsec['interface'] == $interface)) {
-                $found = true;
-                break;
+    if (!empty($config['ipsec']['phase1'][0])) {
+        foreach ($config['ipsec']['phase1'] as $phase1) {
+            if (!isset($phase1['disabled']) && $phase1['interface'] == $interface) {
+                return true;
            }
        }
-        if (!$found) {
-            log_error(sprintf('Ignoring IPsec reload since there are no tunnels on interface %s', $interface));
-            return;
-        }
-    }
-
-    /* if ipsec is enabled, start up again */
-    if (isset($ipseccfg['enable'])) {
-        log_error('Forcefully reloading IPsec');
-        ipsec_configure();
    }
+    return false;
 }
--- a/src/etc/inc/plugins.inc.d/if_ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/if_ipsec.inc
@@ -49,9 +49,11 @@ function if_ipsec_services()
        $pconfig['name'] = 'ipsec';
        $pconfig['description'] = gettext('IPsec VPN');
        $pconfig['pidfile'] = '/var/run/charon.pid';
-        $pconfig['php']['restart'] = array('ipsec_force_reload');
-        $pconfig['php']['start'] = array('ipsec_force_reload');
-        $pconfig['mwexec']['stop'] = array('/usr/local/sbin/ipsec stop');
+        $pconfig['configd'] = array(
+          'restart' => array('ipsec restart'),
+          'start' => array('ipsec start'),
+          'stop' => array('ipsec stop'),
+        );
        $services[] = $pconfig;
    }


--- a/src/etc/rc.newipsecdns
+++ b/src/etc/rc.newipsecdns
@@ -37,21 +37,14 @@ require_once("interfaces.inc");

 /* make sure to wait until the boot scripts have finished */
 if (file_exists('/var/run/booting')) {
-        return;
+    return;
+} elseif (isset($config['ipsec']['enable'])) {
+    sleep(15);
+    log_error("IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.");
+} else {
+    return;
 }

-if (isset($config['ipsec']['enable'])) {
-	sleep(15);
-	log_error("IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.");
-} else
-	return;
-
 $ipseclck = lock('ipsecdns', LOCK_EX);
-
 ipsec_configure();
-
-if (isset($config['ipsec']['failoverforcereload'])) {
-	ipsec_force_reload();
-}
-
 unlock($ipseclck);
--- a/src/etc/rc.newwanip
+++ b/src/etc/rc.newwanip
@@ -200,7 +200,9 @@ if (!is_ipaddr($oldip) || $curwanip != $oldip || !is_ipaddrv4($config['interface
    services_dyndns_configure($interface);

    /* reconfigure IPsec tunnels */
-    ipsec_force_reload($interface);
+    if (ipsec_configured_on_interface($interface)) {
+        ipsec_configure();
+    }

    /* start OpenVPN server & clients */
    if (substr($interface_real, 0, 4) != "ovpn") {

--- a/src/etc/rc.newwanipv6
+++ b/src/etc/rc.newwanipv6
@@ -125,7 +125,9 @@ if (is_ipaddrv6($oldipv6)) {
 		// Still need to sync VPNs on PPPoE and such, as even with the same IP the VPN software is unhappy with the IP disappearing.
 		if (in_array($config['interfaces'][$interface]['ipaddrv6'], array('pppoe', 'pptp', 'ppp'))) {
 			/* reconfigure IPsec tunnels */
-			ipsec_force_reload($interface);
+			if (ipsec_configured_on_interface($interface)) {
+				ipsec_configure();
+			}

 			/* start OpenVPN server & clients */
 			if (substr($interface_real, 0, 4) != "ovpn")
@@ -145,7 +147,9 @@ services_dnsupdate_process($interface);
 services_dyndns_configure($interface);

 /* reconfigure IPsec tunnels */
-ipsec_force_reload($interface);
+if (ipsec_configured_on_interface($interface)) {
+	ipsec_configure();
+}

 /* start OpenVPN server & clients */
 if (substr($interface_real, 0, 4) != "ovpn")

--- a/src/opnsense/service/conf/actions.d/actions_ipsec.conf
+++ b/src/opnsense/service/conf/actions.d/actions_ipsec.conf
@@ -10,7 +10,6 @@ parameters:
 type:script_output
 message:IPsec list ip address pools

-
 [connect]
 command:/usr/local/opnsense/scripts/ipsec/connect.py
 parameters:%s
@@ -22,3 +21,21 @@ command:/usr/local/opnsense/scripts/ipsec/disconnect.py
 parameters:%s
 type=script
 message:IPsec disconnect %s
+
+[start]
+command:/usr/local/sbin/ipsec start
+parameters:
+type=script
+message:IPsec service start
+
+[stop]
+command:/usr/local/sbin/ipsec stop
+parameters:
+type=script
+message:IPsec service stop
+
+[restart]
+command:/usr/local/sbin/ipsec restart
+parameters:
+type=script
+message:IPsec service restart
--- a/src/www/vpn_ipsec_settings.php
+++ b/src/www/vpn_ipsec_settings.php
@@ -49,7 +49,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $pconfig["ipsec_{$lkey}"] = null;
        }
    }
-    $pconfig['failoverforcereload'] = isset($config['ipsec']['failoverforcereload']);
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // save form data
    $pconfig = $_POST;
@@ -75,12 +74,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        }
    }

-    if (isset($pconfig['failoverforcereload']) && $pconfig['failoverforcereload'] == "yes") {
-        $config['ipsec']['failoverforcereload'] = true;
-    } elseif (isset($config['ipsec']['failoverforcereload'])) {
-        unset($config['ipsec']['failoverforcereload']);
-    }
-
    write_config();
    $savemsg = get_std_save_message();
    filter_configure();
@@ -167,19 +160,6 @@ endforeach; ?>
                        </div>
                      </td>
                    </tr>
-                    <tr>
-                      <td><a id="help_for_failoverforcereloadg" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPsec Reload on Failover"); ?></td>
-                      <td>
-                        <input name="failoverforcereload" type="checkbox" id="failoverforcereload" value="yes" <?= !empty($pconfig['failoverforcereload']) ? "checked=\"checked\"" : "";?> />
-                        <strong><?=gettext("Force IPsec Reload on Failover"); ?></strong>
-                        <div class="hidden" for="help_for_failoverforcereloadg">
-                            <?=gettext("In some circumstances using a gateway group as the interface for " .
-                                                  "an IPsec tunnel does not function properly, and IPsec must be forcefully reloaded " .
-                                                  "when a failover occurs. Because this will disrupt all IPsec tunnels, this behavior" .
-                                                  " is disabled by default. Check this box to force IPsec to fully reload on failover."); ?>
-                        </div>
-                      </td>
-                    </tr>
                    <tr>
                      <td>&nbsp;</td>
                      <td>