[OpenWrt-Devel] wireguard: fix reload config on peer change

Message ID 20191129133617.8512-1-fe@dev.tdt.de
State Superseded
Delegated to: John Crispin

Commit Message

Florian Eckert Nov. 29, 2019, 1:36 p.m. UTC
If we change a peer section, then the interface of netifd does not get
reloaded, because the change was not made in an interface section.
And so netifd does not recognize the change. And the new config does
not get applied until we do a network restart or we restart the interface
with 'ifup <name>'.

With this new wireguard init script, a md5sum will be calculated on
every network change. The sum is generated over the wireguard peers for
each wireguard interface. If a change in the peers section gets detected
then only the detecated wireguard interface gets restarted.

With this change we can see if the peer section has changed to the
corresponding interface. The wireguard configuration is rewritten and
reconfigured by the netif proto handler.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
---
 package/network/services/wireguard/Makefile   |  2 +
 .../services/wireguard/files/wireguard.init   | 49 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 package/network/services/wireguard/files/wireguard.init

Comments

Rafał Miłecki March 14, 2023, 2:50 p.m. UTC | #1
Hi,

On 29.11.2019 14:36, Florian Eckert wrote:
> If we change a peer section, then the interface of netifd gets not
> reloaded. Because the change were not made in an interface section.
> And so the netifd does not recognize the change. And the new config gets
> not applied until we do a network restart or we restart the interface
> with 'ifup <name>'.
> 
> With this new wireguard init script, a md5sum will be calculated on
> every network change. The sum is generated over the wireguard peers for
> each wireguard interface. If a change in the peers section gets detected
> then only the detecated wireguard interface gets restarted.
> 
> With this change we can see if the peer section has changed to the
> corresponding interface. The wireguard configuration is rewritten and
> reconfigured by the netif proto handler.
> 
> Signed-off-by: Florian Eckert <fe@dev.tdt.de>

What has happened to this patch? It's marked as Superseded but I didn't
see V2 or anything.

It seems to be dealing with an issue that WG users complain about, see:
https://forum.openwrt.org/t/wiregurad-does-not-reload-wireguard-iface-section-on-change/47137
https://forum.openwrt.org/t/restart-wireguard-via-cli/51935
https://forum.openwrt.org/t/restart-wireguard-interface/58037


> ---
>   package/network/services/wireguard/Makefile   |  2 +
>   .../services/wireguard/files/wireguard.init   | 49 +++++++++++++++++++
>   2 files changed, 51 insertions(+)
>   create mode 100644 package/network/services/wireguard/files/wireguard.init
> 
> diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
> index ea34b7550b..d78fcfface 100644
> --- a/package/network/services/wireguard/Makefile
> +++ b/package/network/services/wireguard/Makefile
> @@ -93,6 +93,8 @@ define Package/wireguard-tools/install
>   	$(INSTALL_BIN) ./files/wireguard_watchdog $(1)/usr/bin/
>   	$(INSTALL_DIR) $(1)/lib/netifd/proto/
>   	$(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
> +	$(INSTALL_DIR) $(1)/etc/init.d/
> +	$(INSTALL_BIN) ./files/wireguard.init $(1)/etc/init.d/wireguard
>   endef
>   
>   define KernelPackage/wireguard
> diff --git a/package/network/services/wireguard/files/wireguard.init b/package/network/services/wireguard/files/wireguard.init
> new file mode 100644
> index 0000000000..24569752b4
> --- /dev/null
> +++ b/package/network/services/wireguard/files/wireguard.init
> @@ -0,0 +1,49 @@
> +#!/bin/sh /etc/rc.common
> +
> +START=80
> +USE_PROCD=1
> +
> +WG_DIR="/tmp/wireguard"
> +
> +wireguard_check_peer(){
> +	local cfg="${1}"
> +	local cfile="${2}"
> +
> +	uci show "network.${cfg}" >> "${cfile}"
> +}
> +
> +wireguard_check_interface() {
> +	local cfg="${1}"
> +	local proto cfile n_sum o_sum
> +
> +	config_get proto "${cfg}" proto
> +	[ "${proto}" = "wireguard" ] || return 0
> +	cfile="$(mktemp -p "${WG_DIR}")"
> +	config_foreach wireguard_check_peer "wireguard_${1}" "${cfile}"
> +
> +	. /lib/functions/network.sh
> +
> +	n_sum="$(md5sum "${cfile}" | cut -d" " -f1)"
> +	rm -rf "${cfile}"
> +	[ -f "${WG_DIR}/${cfg}.check" ] && {
> +		o_sum="$(cat "${WG_DIR}/${cfg}.check")"
> +		[ "${o_sum}" != "${n_sum}" ] && {
> +			network_is_up "${cfg}" && ifup "${cfg}"
> +		}
> +	}
> +	echo "$n_sum" > "${WG_DIR}/${cfg}.check"
> +}
> +
> +boot() {
> +	config_load network
> +	config_foreach wireguard_check_interface interface
> +}
> +
> +service_triggers() {
> +	procd_add_reload_trigger "network"
> +}
> +
> +reload_service() {
> +	config_load network
> +	config_foreach wireguard_check_interface interface
> +}
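
Review bot: In wireguard_check_interface, `mktemp -p "${WG_DIR}"` and the later write to `${WG_DIR}/${cfg}.check` both assume /tmp/wireguard already exists, but nothing in this script creates it. If the directory is missing, mktemp fails, cfile stays empty, the .check file is never written, and the `[ -f ... ]` branch that calls ifup is never reached, so the reload silently does nothing. Add `mkdir -p "${WG_DIR}"` before the mktemp call and return early when mktemp fails.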

Florian Eckert March 14, 2023, 3:12 p.m. UTC | #2
Hello Rafał,

>> corresponding interface. The wireguard configuration is rewritten and
>> reconfigured by the netif proto handler.
>> 
>> Signed-off-by: Florian Eckert <fe@dev.tdt.de>
> 
> What has happened to this patch? It's marked as Superseded but I didn't
> see V2 or anything.
> 
> It seems to be dealing with issue that WG users complain about, see:
> https://forum.openwrt.org/t/wiregurad-does-not-reload-wireguard-iface-section-on-change/47137
> https://forum.openwrt.org/t/restart-wireguard-via-cli/51935
> https://forum.openwrt.org/t/restart-wireguard-interface/58037

I think I set the patchset to superseded and tried it via github [1].
But nobody wanted it there either.

I have this patchset in my own openwrt build, which was rejected from 
upstream.
And it is working as expected.

---
Best regards

Florian

[1] https://github.com/openwrt/openwrt/pull/2625

Rafał Miłecki March 14, 2023, 3:17 p.m. UTC | #3
On 14.03.2023 16:12, Florian Eckert wrote:
> Hello Rafał,
> 
>>> corresponding interface. The wireguard configuration is rewritten and
>>> reconfigured by the netif proto handler.
>>>
>>> Signed-off-by: Florian Eckert <fe@dev.tdt.de>
>>
>> What has happened to this patch? It's marked as Superseded but I didn't
>> see V2 or anything.
>>
>> It seems to be dealing with issue that WG users complain about, see:
>> https://forum.openwrt.org/t/wiregurad-does-not-reload-wireguard-iface-section-on-change/47137
>> https://forum.openwrt.org/t/restart-wireguard-via-cli/51935
>> https://forum.openwrt.org/t/restart-wireguard-interface/58037
> 
> I think I set the patchset to superseded and tried it via github [1].
> But nobody wanted it there either.
> 
> I have this patchset in my own openwrt build, which was rejected from upstream.
> And it is working as expected.
> 
> ---
> Best regards
> 
> Florian
> 
> [1] https://github.com/openwrt/openwrt/pull/2625

I'm sorry to see how it ended up mishandled. Thanks for this GitHub link.

Florian Eckert March 14, 2023, 3:22 p.m. UTC | #4
On 2023-03-14 16:17, Rafał Miłecki wrote:
> On 14.03.2023 16:12, Florian Eckert wrote:
>> Hello Rafał,
>> 
>>>> corresponding interface. The wireguard configuration is rewritten 
>>>> and
>>>> reconfigured by the netif proto handler.
>>>> 
>>>> Signed-off-by: Florian Eckert <fe@dev.tdt.de>
>>> 
>>> What has happened to this patch? It's marked as Superseded but I 
>>> didn't
>>> see V2 or anything.
>>> 
>>> It seems to be dealing with issue that WG users complain about, see:
>>> https://forum.openwrt.org/t/wiregurad-does-not-reload-wireguard-iface-section-on-change/47137
>>> https://forum.openwrt.org/t/restart-wireguard-via-cli/51935
>>> https://forum.openwrt.org/t/restart-wireguard-interface/58037
>> 
>> I think I set the patchset to superseded and tried it via github [1].
>> But nobody wanted it there either.
>> 
>> I have this patchset in my own openwrt build, which was rejected from 
>> upstream.
>> And it is working as expected.
>> 
>> ---
>> Best regards
>> 
>> Florian
>> 
>> [1] https://github.com/openwrt/openwrt/pull/2625
> 
> I'm sorry to see how it ended up mishandled. Thanks for this GitHub 
> link.

No problem, that's just how business works.
I was probably the only one with this problem at the time.
Maybe it will go upstream now.

Do you need support?

Patch

diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index ea34b7550b..d78fcfface 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -93,6 +93,8 @@  define Package/wireguard-tools/install
 	$(INSTALL_BIN) ./files/wireguard_watchdog $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/lib/netifd/proto/
 	$(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
+	$(INSTALL_DIR) $(1)/etc/init.d/
+	$(INSTALL_BIN) ./files/wireguard.init $(1)/etc/init.d/wireguard
 endef
 
 define KernelPackage/wireguard
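
Review bot: PKG_RELEASE is not bumped; the only Makefile change is the two install lines in Package/wireguard-tools/install, although the package now ships an additional file. Bump PKG_RELEASE in the same patch so that upgraded installs actually receive /etc/init.d/wireguard.
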
diff --git a/package/network/services/wireguard/files/wireguard.init b/package/network/services/wireguard/files/wireguard.init
new file mode 100644
index 0000000000..24569752b4
--- /dev/null
+++ b/package/network/services/wireguard/files/wireguard.init
@@ -0,0 +1,49 @@ 
+#!/bin/sh /etc/rc.common
+
+START=80
+USE_PROCD=1
+
+WG_DIR="/tmp/wireguard"
+
+wireguard_check_peer(){
+	local cfg="${1}"
+	local cfile="${2}"
+
+	uci show "network.${cfg}" >> "${cfile}"
+}
+
+wireguard_check_interface() {
+	local cfg="${1}"
+	local proto cfile n_sum o_sum
+
+	config_get proto "${cfg}" proto
+	[ "${proto}" = "wireguard" ] || return 0
+	cfile="$(mktemp -p "${WG_DIR}")"
+	config_foreach wireguard_check_peer "wireguard_${1}" "${cfile}"
+
+	. /lib/functions/network.sh
+
+	n_sum="$(md5sum "${cfile}" | cut -d" " -f1)"
+	rm -rf "${cfile}"
+	[ -f "${WG_DIR}/${cfg}.check" ] && {
+		o_sum="$(cat "${WG_DIR}/${cfg}.check")"
+		[ "${o_sum}" != "${n_sum}" ] && {
+			network_is_up "${cfg}" && ifup "${cfg}"
+		}
+	}
+	echo "$n_sum" > "${WG_DIR}/${cfg}.check"
+}
+
+boot() {
+	config_load network
+	config_foreach wireguard_check_interface interface
+}
+
+service_triggers() {
+	procd_add_reload_trigger "network"
+}
+
+reload_service() {
+	config_load network
+	config_foreach wireguard_check_interface interface
+}
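
Review bot: wireguard_check_peer appends the full `uci show` output of every peer section to a temporary file that exists only to be hashed, and peer sections can carry key material such as preshared_key. Have wireguard_check_peer print to stdout and hash the stream directly, for example `n_sum="$(config_foreach wireguard_check_peer "wireguard_${cfg}" | md5sum | cut -d" " -f1)"`, which removes the mktemp/rm pair and keeps peer secrets out of /tmp. Separately, `. /lib/functions/network.sh` is sourced on every interface iteration inside wireguard_check_interface and can move to the top of the script.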