diff options
| author | Daniil Baturin <daniil@vyos.io> | 2023-11-03 17:02:51 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-11-03 17:02:51 +0000 |
| commit | 8391fb5f2c3db32a925f23c3df4fa08d4980c252 (patch) | |
| tree | 0a219712b8a5f179433584109de6280e5e1c1d8e /src | |
| parent | a327526240c9d9f42930e9a1ce871e9fa8036258 (diff) | |
| parent | ecdb142f3c60bd30601289a0397104eb6afd3a55 (diff) | |
| download | vyos-1x-8391fb5f2c3db32a925f23c3df4fa08d4980c252.tar.gz vyos-1x-8391fb5f2c3db32a925f23c3df4fa08d4980c252.zip | |
Merge pull request #2433 from vyos/mergify/bp/sagitta/pr-2431
wireguard: T5707: remove previously deconfigured peer (backport #2431)
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index 122d9589a..79e5d3f44 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -51,17 +51,9 @@ def get_config(config=None): tmp = is_node_changed(conf, base + [ifname, 'port']) if tmp: wireguard['port_changed'] = {} - # Determine which Wireguard peer has been removed. - # Peers can only be removed with their public key! - if 'peer' in wireguard: - peer_remove = {} - for peer, peer_config in wireguard['peer'].items(): - # T4702: If anything on a peer changes we remove the peer first and re-add it - if is_node_changed(conf, base + [ifname, 'peer', peer]): - if 'public_key' in peer_config: - peer_remove = dict_merge({'peer_remove' : {peer : peer_config['public_key']}}, peer_remove) - if peer_remove: - wireguard.update(peer_remove) + # T4702: If anything on a peer changes we remove the peer first and re-add it + if is_node_changed(conf, base + [ifname, 'peer']): + wireguard.update({'rebuild_required': {}}) return wireguard @@ -113,12 +105,21 @@ def verify(wireguard): public_keys.append(peer['public_key']) def apply(wireguard): - tmp = WireGuardIf(wireguard['ifname']) - if 'deleted' in wireguard: - tmp.remove() - return None + if 'rebuild_required' in wireguard or 'deleted' in wireguard: + wg = WireGuardIf(**wireguard) + # WireGuard only supports peer removal based on the configured public-key, + # by deleting the entire interface this is the shortcut instead of parsing + # out all peers and removing them one by one. + # + # Peer reconfiguration will always come with a short downtime while the + # WireGuard interface is recreated (see below) + wg.remove() + + # Create the new interface if required + if 'deleted' not in wireguard: + wg = WireGuardIf(**wireguard) + wg.update(wireguard) - tmp.update(wireguard) return None if __name__ == '__main__': |