From c798e0821c4acbf7ff89e6d2aeb2807cd07f4152 Mon Sep 17 00:00:00 2001 From: hagbard Date: Mon, 5 Nov 2018 16:31:10 -0800 Subject: T965: Fix Wireguard configuration inconsistencies - pubkey updates now work - removing peers or interfaces work, was related tothe fact that tag nodes are called multiple times --- src/conf_mode/wireguard.py | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 5d390f39f..353528aba 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -159,11 +159,37 @@ def apply(c): c_eff = Config() c_eff.set_level('interfaces wireguard') - ### deletion of specific interface + ### deletion of a specific interface for intf in c['interfaces']: if c['interfaces'][intf]['status'] == 'delete': sl.syslog(sl.LOG_NOTICE, "removing interface " + intf) subprocess.call(['ip l d dev ' + intf + ' &>/dev/null'], shell=True) + + + ### peer deletion + peer_eff = c_eff.list_effective_nodes( intf + ' peer') + peer_cnf = [] + try: + for p in c['interfaces'][intf]['peer']: + peer_cnf.append(p) + except KeyError: + pass + + peer_rem = list(set(peer_eff) - set(peer_cnf)) + for p in peer_rem: + pkey = c_eff.return_effective_value( intf + ' peer ' + p +' pubkey') + remove_peer(intf, pkey) + + ### peer pubkey update + ### wg identifies peers by its pubky, so we have to remove the peer first + ### it will recreated it then below with the new key from the cli config + for p in peer_eff: + if p in peer_cnf: + ekey = c_eff.return_effective_value( intf + ' peer ' + p +' pubkey') + nkey = c['interfaces'][intf]['peer'][p]['pubkey'] + if nkey != ekey: + sl.syslog(sl.LOG_NOTICE, "peer " + p + ' changed pubkey from ' + ekey + 'to key ' + nkey + ' on interface ' + intf) + remove_peer(intf, ekey) ### new config if c['interfaces'][intf]['status'] == 'create': @@ -304,6 +330,11 @@ def del_addr(intf, addr): ret = subprocess.call(['ip a d dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) sl.syslog(sl.LOG_NOTICE, "ip a d dev " + intf + " " + addr) +def remove_peer(intf, peer_key): + cmd = 'sudo wg set ' + str(intf) + ' peer ' + peer_key + ' remove &>/dev/null' + ret = subprocess.call([cmd], shell=True) + sl.syslog(sl.LOG_NOTICE, "peer " + peer_key + " removed from " + intf) + if __name__ == '__main__': try: check_kmod() -- cgit v1.2.3