enhancement: T1225 - wireguard implement 'set int wireguard wg0 peer name disable' to disable single peers

author: hagbard <vyosdev@derith.de> 2019-02-04 12:14:26 -0800
committer: hagbard <vyosdev@derith.de> 2019-02-04 12:14:26 -0800
commit: 1a5b8f62569be1a9475ba2848da36fe2f74021b9 (patch)
tree: 11b4d00d147a7db4758dd2d182c3d02ce6c5d578
parent: 94860b853a41ce241598cb55966f4c2841cd2c1b (diff)
download: vyos-1x-1a5b8f62569be1a9475ba2848da36fe2f74021b9.tar.gz
vyos-1x-1a5b8f62569be1a9475ba2848da36fe2f74021b9.zip
3 files changed, 36 insertions, 20 deletions
diff --git a/debian/changelog b/debian/changelog
index 477ce8a56..6dcc90d6d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+vyos-1x (1.2.0-12) unstable; urgency=low
+
+  fixes T1225: wireguard implement 'set int wireguard wg0 peer name disable' to disable single peers 
+
+ -- hagbard <vyosdev@derith.de>  Mon, 04 Feb 2019 10:26:50 -0800
+
 vyos-1x (1.2.0-11) unstable; urgency=low
 
   * Fix: T1217 - cant delete wireguard wg0 interface
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index 8bfffac9d..a79152146 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -41,7 +41,7 @@
           </leafNode>
           <leafNode name="disable">
             <properties>
-              <help>disables the wireguard interface</help>
+              <help>disables peer</help>
               <valueless />
             </properties>
           </leafNode>
@@ -82,6 +82,12 @@
               <constraintErrorMessage>peer alias too long (limit 100 characters)</constraintErrorMessage>
             </properties>
             <children>
+              <leafNode name="disable">
+                <properties>
+                  <help>disables peer</help>
+                  <valueless />
+                </properties>
+              </leafNode>
               <leafNode name="pubkey">
                 <properties>
                   <help>base64 encoded public key</help>
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index c167366f1..e893dba47 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -104,26 +104,27 @@ def get_config():
       ### peers
       if c.exists(cnf + ' peer'):
         for p in c.list_nodes(cnf + ' peer'):
-          config_data['interfaces'][intfc]['peer'].update(
+          if not c.exists(cnf + ' peer ' + p + ' disable'):
+            config_data['interfaces'][intfc]['peer'].update(
               {
-                  p : {
+                p : {
                       'allowed-ips' : [],
                       'endpoint'  : '',
                       'pubkey'  : ''
-                  }
+                }
               }
-          )
-          if c.exists(cnf + ' peer ' + p + ' pubkey'):
-            config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey')
-          if c.exists(cnf + ' peer ' + p + ' allowed-ips'):
-            config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips')
-          if c.exists(cnf + ' peer ' + p + ' endpoint'):
-            config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint')
-          if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
-            config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
-          if c.exists(cnf + ' peer ' + p + ' preshared-key'):
-            config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key')
-  
+            )
+            if c.exists(cnf + ' peer ' + p + ' pubkey'):
+              config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey')
+            if c.exists(cnf + ' peer ' + p + ' allowed-ips'):
+              config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips')
+            if c.exists(cnf + ' peer ' + p + ' endpoint'):
+              config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint')
+            if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
+              config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
+            if c.exists(cnf + ' peer ' + p + ' preshared-key'):
+              config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key')
+
   return config_data
 
 def verify(c):
@@ -238,17 +239,20 @@ def apply(c):
         sl.syslog(sl.LOG_NOTICE, "setting mtu to " + mtu + " on " + intf)
         subprocess.call(['ip l set mtu ' + mtu + ' dev ' + intf + ' &>/dev/null'], shell=True)
 
+
       ### persistent-keepalive
-      for p in c_eff.list_nodes(intf + ' peer'):
+      for p in c['interfaces'][intf]['peer']:
         val_eff = ""
         val = ""
+      
+        try:
+          val = c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+        except KeyError:
+          pass
 
         if c_eff.exists_effective(intf + ' peer ' + p + ' persistent-keepalive'):
           val_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive')
 
-        if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
-          val = c['interfaces'][intf]['peer'][p]['persistent-keepalive']
-
         ### disable keepalive
         if val_eff and not val:
           c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0
author	hagbard <vyosdev@derith.de>	2019-02-04 12:14:26 -0800
committer	hagbard <vyosdev@derith.de>	2019-02-04 12:14:26 -0800
commit	1a5b8f62569be1a9475ba2848da36fe2f74021b9 (patch)
tree	11b4d00d147a7db4758dd2d182c3d02ce6c5d578
parent	94860b853a41ce241598cb55966f4c2841cd2c1b (diff)
download	vyos-1x-1a5b8f62569be1a9475ba2848da36fe2f74021b9.tar.gz vyos-1x-1a5b8f62569be1a9475ba2848da36fe2f74021b9.zip