diff options
author | hagbard <vyosdev@derith.de> | 2019-02-04 12:14:26 -0800 |
---|---|---|
committer | hagbard <vyosdev@derith.de> | 2019-02-04 12:14:26 -0800 |
commit | 1a5b8f62569be1a9475ba2848da36fe2f74021b9 (patch) | |
tree | 11b4d00d147a7db4758dd2d182c3d02ce6c5d578 | |
parent | 94860b853a41ce241598cb55966f4c2841cd2c1b (diff) | |
download | vyos-1x-1a5b8f62569be1a9475ba2848da36fe2f74021b9.tar.gz vyos-1x-1a5b8f62569be1a9475ba2848da36fe2f74021b9.zip |
enhancement: T1225 - wireguard implement 'set int wireguard wg0 peer name disable' to disable single peers
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | interface-definitions/wireguard.xml | 8 | ||||
-rwxr-xr-x | src/conf_mode/wireguard.py | 42 |
3 files changed, 36 insertions, 20 deletions
diff --git a/debian/changelog b/debian/changelog index 477ce8a56..6dcc90d6d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyos-1x (1.2.0-12) unstable; urgency=low + + fixes T1225: wireguard implement 'set int wireguard wg0 peer name disable' to disable single peers + + -- hagbard <vyosdev@derith.de> Mon, 04 Feb 2019 10:26:50 -0800 + vyos-1x (1.2.0-11) unstable; urgency=low * Fix: T1217 - cant delete wireguard wg0 interface diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 8bfffac9d..a79152146 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -41,7 +41,7 @@ </leafNode> <leafNode name="disable"> <properties> - <help>disables the wireguard interface</help> + <help>disables peer</help> <valueless /> </properties> </leafNode> @@ -82,6 +82,12 @@ <constraintErrorMessage>peer alias too long (limit 100 characters)</constraintErrorMessage> </properties> <children> + <leafNode name="disable"> + <properties> + <help>disables peer</help> + <valueless /> + </properties> + </leafNode> <leafNode name="pubkey"> <properties> <help>base64 encoded public key</help> diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index c167366f1..e893dba47 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -104,26 +104,27 @@ def get_config(): ### peers if c.exists(cnf + ' peer'): for p in c.list_nodes(cnf + ' peer'): - config_data['interfaces'][intfc]['peer'].update( + if not c.exists(cnf + ' peer ' + p + ' disable'): + config_data['interfaces'][intfc]['peer'].update( { - p : { + p : { 'allowed-ips' : [], 'endpoint' : '', 'pubkey' : '' - } + } } - ) - if c.exists(cnf + ' peer ' + p + ' pubkey'): - config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey') - if c.exists(cnf + ' peer ' + p + ' allowed-ips'): - config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips') - if c.exists(cnf + ' peer ' + p + ' endpoint'): - config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint') - if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): - config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') - if c.exists(cnf + ' peer ' + p + ' preshared-key'): - config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key') - + ) + if c.exists(cnf + ' peer ' + p + ' pubkey'): + config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey') + if c.exists(cnf + ' peer ' + p + ' allowed-ips'): + config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips') + if c.exists(cnf + ' peer ' + p + ' endpoint'): + config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint') + if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): + config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') + if c.exists(cnf + ' peer ' + p + ' preshared-key'): + config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key') + return config_data def verify(c): @@ -238,17 +239,20 @@ def apply(c): sl.syslog(sl.LOG_NOTICE, "setting mtu to " + mtu + " on " + intf) subprocess.call(['ip l set mtu ' + mtu + ' dev ' + intf + ' &>/dev/null'], shell=True) + ### persistent-keepalive - for p in c_eff.list_nodes(intf + ' peer'): + for p in c['interfaces'][intf]['peer']: val_eff = "" val = "" + + try: + val = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + except KeyError: + pass if c_eff.exists_effective(intf + ' peer ' + p + ' persistent-keepalive'): val_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive') - if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: - val = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] - ### disable keepalive if val_eff and not val: c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0 |