|
@@ -16,8 +16,10 @@
|
|
|
package ipsec
|
|
package ipsec
|
|
|
|
|
|
|
|
import (
|
|
import (
|
|
|
|
|
+ "errors"
|
|
|
"fmt"
|
|
"fmt"
|
|
|
"net"
|
|
"net"
|
|
|
|
|
+ "syscall"
|
|
|
|
|
|
|
|
log "github.com/golang/glog"
|
|
log "github.com/golang/glog"
|
|
|
"github.com/vishvananda/netlink"
|
|
"github.com/vishvananda/netlink"
|
|
@@ -30,7 +32,7 @@ func AddXFRMPolicy(myLease, remoteLease *subnet.Lease, dir netlink.Dir, reqID in
|
|
|
|
|
|
|
|
dst := remoteLease.Subnet.ToIPNet()
|
|
dst := remoteLease.Subnet.ToIPNet()
|
|
|
|
|
|
|
|
- policy := netlink.XfrmPolicy{
|
|
|
|
|
|
|
+ policy := &netlink.XfrmPolicy{
|
|
|
Src: src,
|
|
Src: src,
|
|
|
Dst: dst,
|
|
Dst: dst,
|
|
|
Dir: dir,
|
|
Dir: dir,
|
|
@@ -47,14 +49,23 @@ func AddXFRMPolicy(myLease, remoteLease *subnet.Lease, dir netlink.Dir, reqID in
|
|
|
Reqid: reqID,
|
|
Reqid: reqID,
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- log.Infof("Adding ipsec policy: %+v", tmpl)
|
|
|
|
|
-
|
|
|
|
|
policy.Tmpls = append(policy.Tmpls, tmpl)
|
|
policy.Tmpls = append(policy.Tmpls, tmpl)
|
|
|
|
|
|
|
|
- if err := netlink.XfrmPolicyAdd(&policy); err != nil {
|
|
|
|
|
- return fmt.Errorf("error adding policy: %+v err: %v", policy, err)
|
|
|
|
|
|
|
+ if existingPolicy, err := netlink.XfrmPolicyGet(policy); err != nil {
|
|
|
|
|
+ if errors.Is(err, syscall.ENOENT) {
|
|
|
|
|
+ log.Infof("Adding ipsec policy: %+v", tmpl)
|
|
|
|
|
+ if err := netlink.XfrmPolicyAdd(policy); err != nil {
|
|
|
|
|
+ return fmt.Errorf("error adding policy: %+v err: %v", policy, err)
|
|
|
|
|
+ }
|
|
|
|
|
+ } else {
|
|
|
|
|
+ return fmt.Errorf("error getting policy: %+v err: %v", policy, err)
|
|
|
|
|
+ }
|
|
|
|
|
+ } else {
|
|
|
|
|
+ log.Info("Updating ipsec policy %+v with %+v", existingPolicy, policy)
|
|
|
|
|
+ if err := netlink.XfrmPolicyUpdate(policy); err != nil {
|
|
|
|
|
+ return fmt.Errorf("error updating policy: %+v err: %v", policy, err)
|
|
|
|
|
+ }
|
|
|
}
|
|
}
|
|
|
-
|
|
|
|
|
return nil
|
|
return nil
|
|
|
}
|
|
}
|
|
|
|
|
|
Javier Domingo Cansino