firewall: T970: Maintain a domain state to fallback if resolution fails

author: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2022-06-05 10:59:47 +0200
committer: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2022-06-05 10:59:47 +0200
commit: d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e (patch)
tree: a39307f088a78d4e0b9503a2a9a0d612c949c31c /src
parent: e990b2f4c045f5d1be02915ec7d8869d5475ed4e (diff)
download: vyos-1x-d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e.tar.gz
vyos-1x-d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e.zip
2 files changed, 17 insertions, 10 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3c6aff386..335098bf1 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -427,7 +427,8 @@ def apply(firewall):
                     domains.append(address)
                 # Add elements to domain-group, try to resolve domain => ip
                 # and add elements to nft set
-                elements = get_ips_domains_dict(domains)
+                ip_dict = get_ips_domains_dict(domains)
+                elements = sum(ip_dict.values(), [])
                 nft_init_set(group)
                 nft_add_set_elements(group, elements)
         else:
diff --git a/src/helpers/vyos-domain-group-resolve.py b/src/helpers/vyos-domain-group-resolve.py
index ebb2057ec..e8501cfc6 100755
--- a/src/helpers/vyos-domain-group-resolve.py
+++ b/src/helpers/vyos-domain-group-resolve.py
@@ -28,10 +28,11 @@ from vyos.util import call
 
 base = ['firewall', 'group', 'domain-group']
 check_required = True
-count_failed = 0
+# count_failed = 0
 # Timeout in sec between checks
 timeout = 300
 
+domain_state = {}
 
 if __name__ == '__main__':
 
@@ -41,14 +42,19 @@ if __name__ == '__main__':
             domain_groups = config.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
             for set_name, domain_config in domain_groups.items():
                 list_domains = domain_config['address']
-                elements = get_ips_domains_dict(list_domains)
+                elements = []
+                ip_dict = get_ips_domains_dict(list_domains)
+
+                for domain in list_domains:
+                    # Resolution succeeded, update domain state
+                    if domain in ip_dict:
+                        domain_state[domain] = ip_dict[domain]
+                        elements += ip_dict[domain]
+                    # Resolution failed, use previous domain state
+                    elif domain in domain_state:
+                        elements += domain_state[domain]
+
                 # Resolve successful
-                if bool(elements):
+                if elements:
                     nft_update_set_elements(set_name, elements)
-                    count_failed = 0
-                else:
-                    count_failed += 1
-                    # Domains not resolved 3 times by timeout
-                    if count_failed >= timeout * 3:
-                        nft_flush_set(set_name)
         time.sleep(timeout)
author	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2022-06-05 10:59:47 +0200
committer	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2022-06-05 10:59:47 +0200
commit	d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e (patch)
tree	a39307f088a78d4e0b9503a2a9a0d612c949c31c /src
parent	e990b2f4c045f5d1be02915ec7d8869d5475ed4e (diff)
download	vyos-1x-d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e.tar.gz vyos-1x-d1bdf2b9d80d2e34b7370823d6f684102d7c9f4e.zip