authorChristian Poessinger <christian@poessinger.com>2022-09-17 20:36:22 +0200
committerChristian Poessinger <christian@poessinger.com>2022-09-17 21:10:04 +0200
commit99b63a1eb5a4441aba4bd0c8908007450ceb7d1c (patch)
treecfc0fcd81bb5d589b2ed105646f4fc81a2509d96 /src/conf_mode
parent435016fdb353b79577c40baa23af8e01fcadd098 (diff)
wireguard: T4702: actively revoke peer if it gets disabled
When any configured peer is set to `disable` while the Wireguard tunnel is up and running it does not get actively revoked and removed. This poses a security risk as connections keep being alive. Whenever any parameter of a peer changes we actively remove the peer and fully recreate it on the fly. (cherry picked from commit a4feb96af9ac45aff41ded1744cf302b5c5a9e7e)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interfaces-wireguard.py21
1 files changed, 11 insertions, 10 deletions
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index 34e80cca3..b28aa9568 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -17,13 +17,11 @@
import os
from sys import exit
-from copy import deepcopy
from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.configdict import get_interface_dict
-from vyos.configdict import node_changed
-from vyos.configdict import leaf_node_changed
+from vyos.configdict import is_node_changed
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
@@ -52,13 +50,16 @@ def get_config(config=None):
# Determine which Wireguard peer has been removed.
# Peers can only be removed with their public key!
- dict = {}
- tmp = node_changed(conf, ['peer'], key_mangling=('-', '_'))
- for peer in (tmp or []):
- pubkey = leaf_node_changed(conf, ['peer', peer, 'pubkey'])
- if pubkey:
- dict = dict_merge({'peer_remove' : {peer : {'pubkey' : pubkey[0]}}}, dict)
- wireguard.update(dict)
+ if 'peer' in wireguard:
+ ifname = wireguard['ifname']
+ peer_remove = {}
+ for peer, peer_config in wireguard['peer'].items():
+ # T4702: If anything on a peer changes we remove the peer first and re-add it
+ if is_node_changed(conf, ['peer', peer]):
+ if 'pubkey' in peer_config:
+ peer_remove = dict_merge({'peer_remove' : {peer : peer_config['pubkey']}}, peer_remove)
+ if peer_remove:
+ wireguard.update(peer_remove)
return wireguard
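Review bot: Peers deleted from the configuration outright may no longer be revoked by this loop, because it iterates only `wireguard['peer'].items()`, i.e. the peers present in the new config, whereas the removed `node_changed` path also collected peer nodes that were deleted; unless `get_interface_dict` carries deleted peers into `wireguard['peer']`, no `peer_remove` entry with that peer's public key is built and the kernel keeps the peer, which should be confirmed against the old path. A peer with `disable` set is handled only if it stays in that dict after the change, which is what the commit message relies on. Separately, `ifname = wireguard['ifname']` on the first added line is assigned but never read before `return wireguard`; drop it, or use it if the changed-node path passed to `is_node_changed` was meant to be absolute rather than relative as the old `node_changed` call was. `get_config` starts outside the hunk.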