#!/usr/local/bin/php-cgi -f
<?php
/*
 * rc.ipsec
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

    
/* parse the configuration and include all functions used below */
require_once("config.inc");
require_once("gwlb.inc");
require_once("ipsec.inc");
require_once("util.inc");
require_once("globals.inc");

    
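/* make sure to wait until the boot scripts have finished */
if (platform_booting()) {
	return;
}

/*
 * The gateway/interface list comes either from the "interface" request
 * parameter or from the first command-line argument. Both are supplied by
 * the caller, so only a plain string is accepted from the request: an array
 * value (interface[]=...) would otherwise reach explode() further down.
 * A missing command-line argument yields an empty string instead of an
 * undefined-key warning; an empty argument is handled by the code below.
 */
if (isset($_GET['interface']) && is_string($_GET['interface'])) {
	$argument = $_GET['interface'];
} elseif (isset($argv[1])) {
	$argument = trim($argv[1], " \n");
} else {
	$argument = '';
}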

    
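/*
 * Decide whether IPsec has to be reconfigured. $argument is a comma-separated
 * list of gateway or interface names supplied by the caller; in this block
 * each element is only passed to the gateway lookup helpers and compared with
 * the interfaces of the configured phase 1 entries. An empty argument or the
 * element "all" requests a reload unconditionally.
 */
$ipsec_reload = false;
if (empty($argument)) {
	$ipsec_reload = true;
} else {
	$arg_array = explode(",", $argument);
	foreach ($arg_array as $arg_element) {
		$gwgroups = array();
		if ($arg_element == "all") {
			$ipsec_reload = true;
			break;
		}

		// e.g. $arg_element = "WANGW", $interface = "wan"
		$interface = lookup_gateway_interface_by_name($arg_element);
		if (empty($interface)) {
			// no interface found for that gateway name: use the element itself as the interface name
			$interface = $arg_element;
		} else {
			// e.g. $arg_element = "WANGW", $gwgroups = array of gateway groups that use "wan"
			$gwgroups = gateway_is_gwgroup_member($arg_element);
		}
		init_config_arr(array('ipsec', 'phase1'));
		foreach ($config['ipsec']['phase1'] as $phase1) {
			// Skip disabled and mobile entries and those with start action "none".
			// `??` keeps an entry without a 'startaction' key from raising an
			// undefined-key warning; such an entry is still not skipped.
			if (isset($phase1['disabled']) || isset($phase1['mobile']) ||
			    (($phase1['startaction'] ?? '') == 'none')) {
				continue;
			}
			if (substr($phase1['interface'], 0, 4) == "_vip") {
				$phase1iface = get_configured_vip_interface($phase1['interface']);
				if (substr($phase1iface, 0, 4) == "_vip") {
					// VIPs can be nested: an IP alias may have a CARP parent
					$phase1iface = get_configured_vip_interface($phase1iface);
				}
			} else {
				$phase1iface = $phase1['interface'];
			}
			if (($phase1iface == $interface) ||
			    (!empty($gwgroups) && in_array($phase1iface, $gwgroups))) {
				// one affected tunnel is enough: leave both loops
				$ipsec_reload = true;
				break 2;
			}
		}
	}
}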

    
if ($ipsec_reload) {
	/*
	 * Try the "pending" lock with a second argument of 0 (presumably a zero
	 * timeout - confirm against try_lock()). If it is not obtained, an
	 * ipsec_configure() is still pending, so there is no need to stack up
	 * another one.
	 */
	$ipseclck_pending = try_lock('ipsecdns_pending', 0);
	if (!$ipseclck_pending) {
		return;
	}

	/* Take the exclusive lock; the pending lock is kept for the first 12 seconds. */
	$ipseclck = lock('ipsecdns', LOCK_EX);
	sleep(12);
	unlock($ipseclck_pending);

	/* Wait 3 more seconds, then log a fixed message (no caller-supplied text) and reconfigure. */
	sleep(3);
	log_error("IPSEC: One or more IPsec tunnel gateways have changed. Refreshing.");
	ipsec_configure();
	unlock($ipseclck);

	/* The package hook is called after the exclusive lock has been released. */
	ipsec_reload_package_hook();
}