author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-05 10:59:47 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-05 10:59:47 +0200 |
commit | d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e (patch) | |
tree | a39307f088a78d4e0b9503a2a9a0d612c949c31c /src | |
parent | e990b2f4c045f5d1be02915ec7d8869d5475ed4e (diff) | |
firewall: T970: Maintain a domain state to fallback if resolution fails
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/firewall.py | 3 | ||||
-rwxr-xr-x | src/helpers/vyos-domain-group-resolve.py | 24 |
2 files changed, 17 insertions, 10 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3c6aff386..335098bf1 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -427,7 +427,8 @@ def apply(firewall):
 domains.append(address)
 # Add elements to domain-group, try to resolve domain => ip
 # and add elements to nft set
- elements = get_ips_domains_dict(domains)
+ ip_dict = get_ips_domains_dict(domains)
+ elements = sum(ip_dict.values(), [])
 nft_init_set(group)
 nft_add_set_elements(group, elements)
 else:
diff --git a/src/helpers/vyos-domain-group-resolve.py b/src/helpers/vyos-domain-group-resolve.py
index ebb2057ec..e8501cfc6 100755
--- a/src/helpers/vyos-domain-group-resolve.py
+++ b/src/helpers/vyos-domain-group-resolve.py
@@ -28,10 +28,11 @@ from vyos.util import call
 base = ['firewall', 'group', 'domain-group']
 check_required = True
-count_failed = 0
+# count_failed = 0
 # Timeout in sec between checks
 timeout = 300
+domain_state = {}
 if __name__ == '__main__':
@@ -41,14 +42,19 @@ if __name__ == '__main__':
 domain_groups = config.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
 for set_name, domain_config in domain_groups.items():
 list_domains = domain_config['address']
- elements = get_ips_domains_dict(list_domains)
+ elements = []
+ ip_dict = get_ips_domains_dict(list_domains)
+
+ for domain in list_domains:
+ # Resolution succeeded, update domain state
+ if domain in ip_dict:
+ domain_state[domain] = ip_dict[domain]
+ elements += ip_dict[domain]
+ # Resolution failed, use previous domain state
+ elif domain in domain_state:
+ elements += domain_state[domain]
+
 # Resolve successful
- if bool(elements):
+ if elements:
 nft_update_set_elements(set_name, elements)
- count_failed = 0
- else:
- count_failed += 1
- # Domains not resolved 3 times by timeout
- if count_failed >= timeout * 3:
- nft_flush_set(set_name)
 time.sleep(timeout) |
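Review bot: At commit time a domain that fails to resolve is silently dropped from the group, since `elements` is built only from the keys that `get_ips_domains_dict` returned and nothing reports the domains missing from `ip_dict`; unlike the helper, this path has no previous state to fall back on, so a transient DNS failure during commit leaves that domain unrepresented in the set until the resolver helper next succeeds. Consider surfacing the gap with something like `missing = [d for d in domains if d not in ip_dict]` and emitting a commit warning that names them, so the operator knows the firewall group is incomplete rather than discovering it from a rule that does not match. While here, `sum(ip_dict.values(), [])` is a quadratic flatten; `elements = [ip for ips in ip_dict.values() for ip in ips]` is the usual form. The enclosing `apply()` starts and ends outside the hunk.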
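Review bot: The commented-out `# count_failed = 0` should be deleted rather than kept, since the counter and every use of it are removed in this commit and a dead line only invites confusion later. `domain_state` would also benefit from a comment stating its contract, because it is a module-level dict populated only by this process: `# Last successfully resolved addresses per domain, reused when a later lookup fails; process-lifetime only, so it is empty after a restart of this helper`. Note it is keyed by domain rather than by (set_name, domain), so a domain listed in two groups shares one entry, which is fine only as long as both groups want the same addresses.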
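Review bot: The fallback is unbounded: once a domain has resolved, its last addresses stay in the nft set for as long as resolution keeps failing, because the old `nft_flush_set` path is removed and nothing in the new loop ever ages an entry out of `domain_state`. For a domain-group used in an accept rule this is fail-open — if a name is retired or its address is released and reassigned, the stale address remains permitted indefinitely instead of for the bounded window the removed code enforced. A bounded fallback keeps the commit's intent (survive transient failures) while restoring an upper limit: count consecutive failures per domain, reuse the cached addresses below a threshold, and drop the entry (flushing the set when nothing trustworthy is left) once it is exceeded, with `max_failed` defined next to `timeout`. Whether `nft_update_set_elements` replaces or only adds elements is not visible here; the sketch below assumes it replaces the set contents, which needs confirming. The enclosing `if __name__ == '__main__':` loop starts outside the hunk.
```python
            elements = []
            expired = False
            ip_dict = get_ips_domains_dict(list_domains)

            for domain in list_domains:
                if domain in ip_dict:
                    # Resolution succeeded: refresh the cached addresses and reset the failure count
                    domain_state[domain] = {'ips': ip_dict[domain], 'failed': 0}
                    elements += ip_dict[domain]
                elif domain in domain_state:
                    # Resolution failed: fall back to the cached addresses for at most
                    # max_failed consecutive failures (max_failed * timeout seconds)
                    state = domain_state[domain]
                    state['failed'] += 1
                    if state['failed'] < max_failed:
                        elements += state['ips']
                    else:
                        # Cached addresses are no longer trusted; stop matching them
                        del domain_state[domain]
                        expired = True

            if elements:
                nft_update_set_elements(set_name, elements)
            elif expired:
                # Nothing trustworthy left for this group: fail closed
                nft_flush_set(set_name)
            # … unchanged: time.sleep(timeout) …
```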