From c798e0821c4acbf7ff89e6d2aeb2807cd07f4152 Mon Sep 17 00:00:00 2001
From: hagbard <vyosdev@derith.de>
Date: Mon, 5 Nov 2018 16:31:10 -0800
Subject: T965: Fix Wireguard configuration inconsistencies

  - pubkey updates now work
  - removing peers or interfaces work, was related tothe fact that tag nodes are called multiple times
---
 src/conf_mode/wireguard.py | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 5d390f39f..353528aba 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -159,11 +159,37 @@ def apply(c):
   c_eff = Config()
   c_eff.set_level('interfaces wireguard')
 
-  ### deletion of specific interface
+  ### deletion of a specific interface
   for intf in c['interfaces']:
     if c['interfaces'][intf]['status'] == 'delete':
       sl.syslog(sl.LOG_NOTICE, "removing interface " + intf)
       subprocess.call(['ip l d dev ' + intf + ' &>/dev/null'], shell=True)
+      
+
+    ### peer deletion
+    peer_eff = c_eff.list_effective_nodes( intf + ' peer')
+    peer_cnf = []
+    try:
+      for p in c['interfaces'][intf]['peer']:
+        peer_cnf.append(p)
+    except KeyError:
+      pass
+
+    peer_rem = list(set(peer_eff) - set(peer_cnf))
+    for p in peer_rem:
+      pkey = c_eff.return_effective_value( intf + ' peer ' + p +' pubkey')
+      remove_peer(intf, pkey)
+
+    ### peer pubkey update
+    ### wg identifies peers by its pubky, so we have to remove the peer first
+    ### it will recreated it then below with the new key from the cli config
+    for p in peer_eff:
+      if p in peer_cnf:
+        ekey = c_eff.return_effective_value( intf + ' peer ' + p +' pubkey')
+        nkey = c['interfaces'][intf]['peer'][p]['pubkey']
+        if nkey != ekey:
+          sl.syslog(sl.LOG_NOTICE, "peer " + p + ' changed pubkey from ' + ekey + 'to key ' + nkey + ' on interface ' + intf)
+          remove_peer(intf, ekey)
 
     ### new config
     if c['interfaces'][intf]['status'] == 'create':
@@ -304,6 +330,11 @@ def del_addr(intf, addr):
   ret = subprocess.call(['ip a d dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True)
   sl.syslog(sl.LOG_NOTICE, "ip a d dev " + intf + " " + addr)
 
+def remove_peer(intf, peer_key):
+  cmd = 'sudo wg set ' + str(intf) + ' peer ' + peer_key + ' remove &>/dev/null'
+  ret = subprocess.call([cmd], shell=True)
+  sl.syslog(sl.LOG_NOTICE, "peer " + peer_key + " removed from " + intf)
+
 if __name__ == '__main__':
   try:
     check_kmod()
-- 
cgit v1.2.3