diff options
| author | Christian Breunig <christian@breunig.cc> | 2023-11-03 18:00:20 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-11-03 18:00:20 +0100 |
| commit | d8a71978b4628e30b25346f4ff690e8705020408 (patch) | |
| tree | 60d43f2b41468000479165c1fcc4ac96b7232230 /src | |
| parent | 031a5c8a1b1a0d31d7ecf2134c9ba90c68657713 (diff) | |
| parent | 2fc8738bc9c2fb6364a22d86079e8635cee91949 (diff) | |
| download | vyos-1x-d8a71978b4628e30b25346f4ff690e8705020408.tar.gz vyos-1x-d8a71978b4628e30b25346f4ff690e8705020408.zip | |
Merge pull request #2431 from c-po/wireguard-t5707
wireguard: T5707: remove previously deconfigured peer
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index 122d9589a..79e5d3f44 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -51,17 +51,9 @@ def get_config(config=None): tmp = is_node_changed(conf, base + [ifname, 'port']) if tmp: wireguard['port_changed'] = {} - # Determine which Wireguard peer has been removed. - # Peers can only be removed with their public key! - if 'peer' in wireguard: - peer_remove = {} - for peer, peer_config in wireguard['peer'].items(): - # T4702: If anything on a peer changes we remove the peer first and re-add it - if is_node_changed(conf, base + [ifname, 'peer', peer]): - if 'public_key' in peer_config: - peer_remove = dict_merge({'peer_remove' : {peer : peer_config['public_key']}}, peer_remove) - if peer_remove: - wireguard.update(peer_remove) + # T4702: If anything on a peer changes we remove the peer first and re-add it + if is_node_changed(conf, base + [ifname, 'peer']): + wireguard.update({'rebuild_required': {}}) return wireguard @@ -113,12 +105,21 @@ def verify(wireguard): public_keys.append(peer['public_key']) def apply(wireguard): - tmp = WireGuardIf(wireguard['ifname']) - if 'deleted' in wireguard: - tmp.remove() - return None + if 'rebuild_required' in wireguard or 'deleted' in wireguard: + wg = WireGuardIf(**wireguard) + # WireGuard only supports peer removal based on the configured public-key, + # by deleting the entire interface this is the shortcut instead of parsing + # out all peers and removing them one by one. + # + # Peer reconfiguration will always come with a short downtime while the + # WireGuard interface is recreated (see below) + wg.remove() + + # Create the new interface if required + if 'deleted' not in wireguard: + wg = WireGuardIf(**wireguard) + wg.update(wireguard) - tmp.update(wireguard) return None if __name__ == '__main__': |