author | Seth Mos <seth.mos@xs4all.nl> | 2007-07-06 21:07:48 +0000 |
---|---|---|
committer | Seth Mos <seth.mos@xs4all.nl> | 2007-07-06 21:07:48 +0000 |
commit | 116880408f7af303b5e3cef40af4590605375759 (patch) | |
tree | 1a2c326f6f60adb56f0a3978397beea67ea19f3c | |
parent | ff46cd46c70f00d65b063ecce8a9cace31f46d76 (diff) | |
download | pfsense-116880408f7af303b5e3cef40af4590605375759.zip pfsense-116880408f7af303b5e3cef40af4590605375759.tar.gz |
MFC IPSEC fixes from seth, this should properly reload and handle large
configs > 300 tunnels.
-rw-r--r-- | etc/inc/vpn.inc | 34 | ||||
-rwxr-xr-x | usr/local/bin/slowdownpipe.sh | 9 |
2 files changed, 27 insertions, 16 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 3637dc4..13323ae 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -247,12 +247,6 @@ function vpn_ipsec_configure($ipchg = false) {
 fwrite($fd, $spdconf);
 fclose($fd);
-
- /* flushie, flushie spds */
- mwexec("/sbin/setkey -FP");
-
- /* load SPD */
- mwexec("/sbin/setkey -c < {$g['varetc_path']}/spd.conf");
 }
 /* generate racoon.conf */
@@ -564,12 +558,24 @@ EOD;
 if(is_process_running("racoon")) {
 /* We are already online, reload */
 mwexec("/usr/bin/killall -HUP racoon");
+ // sleep(2);
+ /* flushie, flushie spds */
+ mwexec("/usr/local/sbin/setkey -FP");
+ mwexec("/usr/local/sbin/setkey -F");
+ /* load SPD */
+ mwexec("/bin/cat {$g['varetc_path']}/spd.conf | /usr/local/bin/slowdownpipe.sh | /usr/local/sbin/setkey -c");
+ sleep(1);
 } else {
- /* sleep for a bit */
- sleep (2);
-
 /* start racoon */
 mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf");
+ /* sleep for a bit */
+ // sleep (2);
+ /* flushie, flushie spds */
+ mwexec("/usr/local/sbin/setkey -FP");
+ mwexec("/usr/local/sbin/setkey -F");
+ /* load SPD */
+ mwexec("/bin/cat {$g['varetc_path']}/spd.conf | /usr/local/bin/slowdownpipe.sh | /usr/local/sbin/setkey -c");
+ sleep(1);
 }
 }
 }
@@ -1035,17 +1041,13 @@ function vpn_ipsec_force_reload() {
 mwexec("/usr/bin/killall racoon");
 /* wait for process to die */
- sleep(2);
+ sleep(4);
 /* send a SIGKILL to be sure */
 sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
- /* flush SPD and SAD */
- mwexec("/sbin/setkey -FP");
- mwexec("/sbin/setkey -F");
-
 /* wait for flushing to finish */
- sleep(5);
+ sleep(1);
 /* if ipsec is enabled, start up again */
 if (isset($ipseccfg['enable'])) {
@@ -1055,4 +1057,4 @@ function vpn_ipsec_force_reload() {
 }
-?>
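Review bot: The new `setkey -F` after `killall -HUP racoon` flushes the whole SAD, so every configuration reload now tears down all established SAs instead of only replacing policies; before this change the reload path flushed the SPD only (`setkey -FP`), and the commit message does not say the full flush is intended. If it is, record it next to the call, e.g. `/* -F drops every live SA on reload; peers renegotiate after the HUP */`. The same eight-line flush/load/sleep block is pasted into both branches of the if/else, so the two paths will drift the next time one of them is touched; a single helper removes that risk. The enclosing function starts before this hunk.
```php
/* Flush SPD and SAD, then feed spd.conf to setkey at a pace it can keep up with. */
function vpn_ipsec_load_spd() {
	global $g;
	mwexec("/usr/local/sbin/setkey -FP");
	mwexec("/usr/local/sbin/setkey -F");
	mwexec("/bin/cat {$g['varetc_path']}/spd.conf | /usr/local/bin/slowdownpipe.sh | /usr/local/sbin/setkey -c");
	sleep(1);
}
// … unchanged: racoon.conf generation …
	if(is_process_running("racoon")) {
		/* We are already online, reload */
		mwexec("/usr/bin/killall -HUP racoon");
		vpn_ipsec_load_spd();
	} else {
		/* start racoon */
		mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf");
		vpn_ipsec_load_spd();
	}
```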
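Review bot: `/* wait for flushing to finish */` above the new `sleep(1)` is now stale, because the flush it described was removed from vpn_ipsec_force_reload in this same hunk; say what the pause is actually for, e.g. `/* give the kernel a moment after racoon is gone */`, or drop the comment with it. Since the SPD/SAD flush now only runs on the racoon (re)start path, the branch where `isset($ipseccfg['enable'])` is false appears to leave the previous policies and SAs in the kernel after a forced reload, whereas the old code flushed them unconditionally; if disabling IPsec is meant to remove its policies, that branch still needs the `setkey -FP` / `setkey -F` pair. The function's closing lines are in the following hunk.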
\ No newline at end of file
+?>
diff --git a/usr/local/bin/slowdownpipe.sh b/usr/local/bin/slowdownpipe.sh
new file mode 100755
index 0000000..88be614
--- /dev/null
+++ b/usr/local/bin/slowdownpipe.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+# Illustrates use of a while loop to read a file
+
+cat - | \
+while read line
+do
+ echo "$line"
+ sleep 0.005
+done
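Review bot: `read line` without `-r` and `echo "$line"` do not forward input verbatim: `read` consumes backslashes and strips leading whitespace, and `echo` in some /bin/sh implementations interprets escape sequences, so a policy line could reach `setkey -c` altered from what vpn.inc wrote to spd.conf. `IFS= read -r` with `printf '%s\n'` passes each line through unchanged, and the leading `cat - |` is redundant because the loop already reads stdin. The header comment is tutorial text; it should state what the script is for, namely pacing spd.conf into setkey so that large policy sets load reliably.
```sh
#!/bin/sh
# Trickle stdin to stdout one line at a time so setkey(8) can keep up
# when vpn.inc feeds it a large spd.conf.
while IFS= read -r line; do
	printf '%s\n' "$line"
	sleep 0.005
done
```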