T4930: make wireguard domain resolver run flag files separated by int…

…erface; code style
vyos · Nov 30, 2024 · 60cd753 · 60cd753
1 parent 9e67192
commit 60cd753
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 9 deletions.
diff --git a/python/vyos/ifconfig/wireguard.py b/python/vyos/ifconfig/wireguard.py
@@ -206,7 +206,9 @@ def reset_peer(self, peer_name=None, public_key=None):
                         f'Resetting {self.config["ifname"]} peer {peer_public_key} endpoint to {address}:{port} ... ',
                         end='',
                     )
-                    self._cmd(cmd, env={'WG_ENDPOINT_RESOLUTION_RETRIES': str(max_dns_retry)})
+                    self._cmd(
+                        cmd, env={'WG_ENDPOINT_RESOLUTION_RETRIES': str(max_dns_retry)}
+                    )
                     print('done')
                 except:
                     print(f'Error\nPlease try to run command manually:\n{cmd}')

diff --git a/src/conf_mode/interfaces_wireguard.py b/src/conf_mode/interfaces_wireguard.py
@@ -30,14 +30,12 @@
 from vyos.utils.network import check_port_availability
 from vyos.utils.network import is_wireguard_key_pair
 from vyos.utils.process import call
+from vyos.template import is_ip
 from vyos import ConfigError
 from vyos import airbag
 from pathlib import Path
 airbag.enable()
 
-domain_resolver_usage = '/run/use-vyos-domain-resolver-interfaces-wireguard'
-
-
 def get_config(config=None):
     """
     Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
@@ -58,6 +56,12 @@ def get_config(config=None):
     if is_node_changed(conf, base + [ifname, 'peer']):
         wireguard.update({'rebuild_required': {}})
 
+    wireguard['peers_need_resolve'] = []
+    if 'peer' in wireguard:
+        for peer, peer_config in wireguard['peer'].items():
+            if 'disable' not in peer_config and 'address' in peer_config and not is_ip(peer_config['address']):
+                wireguard['peers_need_resolve'].append(peer)
+
     return wireguard
 
 def verify(wireguard):
@@ -126,18 +130,20 @@ def apply(wireguard):
         wg = WireGuardIf(**wireguard)
         wg.update(wireguard)
 
+    domain_resolver_usage = '/run/use-vyos-domain-resolver-interfaces-wireguard-' + wireguard['ifname']
+
     ## DOMAIN RESOLVER
     domain_action = 'restart'
-    if True:
+    if 'peers_need_resolve' in wireguard and len(wireguard['peers_need_resolve']) > 0:
         text = f'# Automatically generated by interfaces_wireguard.py\nThis file indicates that vyos-domain-resolver service is used by the interfaces_wireguard.\n'
+        text += "intefaces:\n" + "".join([f"  - {peer}\n" for peer in wireguard['peers_need_resolve']])
         Path(domain_resolver_usage).write_text(text)
     else:
         Path(domain_resolver_usage).unlink(missing_ok=True)
         if not Path('/run').glob('use-vyos-domain-resolver*'):
             domain_action = 'stop'
     call(f'systemctl {domain_action} vyos-domain-resolver.service')
 
-
     return None
 
 if __name__ == '__main__':

diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py
@@ -183,18 +183,26 @@ def update_interfaces(config, node):
                 # check peer if peer address is not ipv4 and not ipv6
                 if 'address' in peer_config and not is_ip(peer_config['address']):
                     # check latest handshake
-                    check_wireguard_peer_public_keys[interface].append(peer_config['public_key'])
+                    check_wireguard_peer_public_keys[interface].append(
+                        peer_config['public_key']
+                    )
 
         now_time = time.time()
-        for interface, check_peer_public_keys in check_wireguard_peer_public_keys.items():
+        for (
+            interface,
+            check_peer_public_keys
+        ) in check_wireguard_peer_public_keys.items():
             if len(check_peer_public_keys) == 0:
                 continue
 
             intf = WireGuardIf(interface, create=False, debug=False)
             handshakes = intf.operational.get_latest_handshakes()
 
             for public_key, handshake_time in handshakes.items():
-                if public_key in check_peer_public_keys and (handshake_time == 0 or now_time - handshake_time > handshake_threshold):
+                if public_key in check_peer_public_keys and (
+                    handshake_time == 0
+                    or now_time - handshake_time > handshake_threshold
+                ):
                     intf.operational.reset_peer(public_key=public_key)
 
                     print(f'Wireguard: reset {interface} peer {public_key}')