summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-05 10:59:47 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-05 10:59:47 +0200
commitd1bdf2b9d80d2e34b7370823d6f684102d7c9f4e (patch)
treea39307f088a78d4e0b9503a2a9a0d612c949c31c /src
parente990b2f4c045f5d1be02915ec7d8869d5475ed4e (diff)
downloadvyos-1x-d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e.tar.gz
vyos-1x-d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e.zip
firewall: T970: Maintain a domain state to fallback if resolution fails
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/firewall.py3
-rwxr-xr-xsrc/helpers/vyos-domain-group-resolve.py24
2 files changed, 17 insertions, 10 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3c6aff386..335098bf1 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -427,7 +427,8 @@ def apply(firewall):
domains.append(address)
# Add elements to domain-group, try to resolve domain => ip
# and add elements to nft set
- elements = get_ips_domains_dict(domains)
+ ip_dict = get_ips_domains_dict(domains)
+ elements = sum(ip_dict.values(), [])
nft_init_set(group)
nft_add_set_elements(group, elements)
else:
diff --git a/src/helpers/vyos-domain-group-resolve.py b/src/helpers/vyos-domain-group-resolve.py
index ebb2057ec..e8501cfc6 100755
--- a/src/helpers/vyos-domain-group-resolve.py
+++ b/src/helpers/vyos-domain-group-resolve.py
@@ -28,10 +28,11 @@ from vyos.util import call
base = ['firewall', 'group', 'domain-group']
check_required = True
-count_failed = 0
+# count_failed = 0
# Timeout in sec between checks
timeout = 300
+domain_state = {}
if __name__ == '__main__':
@@ -41,14 +42,19 @@ if __name__ == '__main__':
domain_groups = config.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
for set_name, domain_config in domain_groups.items():
list_domains = domain_config['address']
- elements = get_ips_domains_dict(list_domains)
+ elements = []
+ ip_dict = get_ips_domains_dict(list_domains)
+
+ for domain in list_domains:
+ # Resolution succeeded, update domain state
+ if domain in ip_dict:
+ domain_state[domain] = ip_dict[domain]
+ elements += ip_dict[domain]
+ # Resolution failed, use previous domain state
+ elif domain in domain_state:
+ elements += domain_state[domain]
+
# Resolve successful
- if bool(elements):
+ if elements:
nft_update_set_elements(set_name, elements)
- count_failed = 0
- else:
- count_failed += 1
- # Domains not resolved 3 times by timeout
- if count_failed >= timeout * 3:
- nft_flush_set(set_name)
time.sleep(timeout)