From 20533c665138a3c97ee2aaf881f482d1bb4e7f8b Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 30 Aug 2023 16:19:39 +0200 Subject: [PATCH] net/wireguard - missed the time constraint in the previous bash script for reresolve-dns
---
 .../scripts/Wireguard/reresolve-dns.py | 42 ++++++++++++------- 1 file changed, 28 insertions(+), 14 deletions(-)
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py b/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
index 6b724abad..219f6d5f2 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
@@ -29,33 +29,47 @@
 # https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns
 import glob
 import os
+import time
 import subprocess
+
+sp = subprocess.run(['/usr/bin/wg', 'show', 'all', 'latest-handshakes'], capture_output=True, text=True)
+ts_now = time.time()
+handshakes = {}
+for line in sp.stdout.split('\n'):
+    parts = line.split()
+    if len(parts) == 3 and parts[2].isdigit():
+        handshakes["%s-%s" % (parts[0], parts[1])] = ts_now - int(parts[2])
+
+
 for filename in glob.glob('/usr/local/etc/wireguard/*.conf'):
     this_peer = {}
     ifname = os.path.basename(filename).split('.')[0]
     with open(filename, 'r') as fhandle:
         for line in fhandle:
             if line.startswith('[Peer]'):
-                this_peer = {}
+                this_peer = {'ifname': ifname}
             elif line.startswith('PublicKey'):
                 this_peer['PublicKey'] = line.split('=', 1)[1].strip()
             elif line.startswith('Endpoint'):
                 this_peer['Endpoint'] = line.split('=', 1)[1].strip()
                 if 'Endpoint' in this_peer and 'PublicKey' in this_peer:
-                    subprocess.run(
-                        [
-                            '/usr/bin/wg',
-                            'set',
-                            ifname,
-                            'peer',
-                            this_peer['PublicKey'],
-                            'endpoint',
-                            this_peer['Endpoint']
-                        ],
-                        capture_output=True,
-                        text=True
-                    )
+                    peer_key = "%(ifname)s-%(PublicKey)s" % this_peer
+                    if handshakes.get(peer_key, 999) > 135:
+                        # skip if there has been a handshake recently
+                        subprocess.run(
+                            [
+                                '/usr/bin/wg',
+                                'set',
+                                ifname,
+                                'peer',
+                                this_peer['PublicKey'],
+                                'endpoint',
+                                this_peer['Endpoint']
+                            ],
+                            capture_output=True,
+                            text=True
+                        )
                     this_peer = {}
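Review bot: The comment `# skip if there has been a handshake recently` is placed inside the branch that executes only when there was no recent handshake, so it describes the opposite of the code beneath it; move it above the `if` or reword it to something like `# re-resolve only when the last handshake is older than the rekey window, or wg does not know the peer`. The two bare numbers would read better as named module constants, e.g. `HANDSHAKE_MAX_AGE = 135` (which I believe mirrors the upstream contrib script's REKEY_AFTER_TIME + KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) and `NO_HANDSHAKE = 999` as the `get()` default, with the `if` becoming `if handshakes.get(peer_key, NO_HANDSHAKE) > HANDSHAKE_MAX_AGE:`. `sp.returncode` is never inspected, so if `wg show` fails the `handshakes` dict stays empty and every peer falls through to the default and is re-resolved — that matches the pre-commit behaviour, but a one-line comment on the `sp = ...` line stating that this degradation is intentional would save the next reader a puzzle.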