fix(interfaces): assign default metric for WANs (#1441)

Tbaile · web-flow · commit 982e9a6ea74d · 2025-11-26T08:57:29.000+01:00
diff --git a/packages/ns-api/README.md b/packages/ns-api/README.md
@@ -5195,7 +5195,8 @@ All parameters:
 - `dhcp_client_id`: Client ID to send when requesting DHCP
 - `dhcp_vendor_class`: Vendor class to send when requesting DHCP
 - `dhcp_hostname_to_send`: Hostname to send when requesting DHCP, can be `deviceHostname`, `doNotSendHostname` or `customHostname`
-- `dhcp_custom_hostname`: Custom hostname to use when `dhcp_hostname_to_send = customHostname`
+- `dhcp_custom_hostname`: Custom hostname to use when `dhcp_hostname_to_send = customHostname
+- `metric`: Routing metric for the interface, if left empty, system will assign an incremental value
 
 ```bash
 api-cli ns.devices configure-device --data '{"device_type": "physical", "interface_name": "myiface", "protocol": "static", "zone": "lan", "ip6_enabled": false, "device_name": "eth2", "ip4_address": "10.20.30.40/24"}'
diff --git a/packages/ns-api/files/misc/wireguard-migrate.py b/packages/ns-api/files/misc/wireguard-migrate.py
@@ -61,11 +61,26 @@ def fix_addresses():
                         fixed_addresses.append(address)
                 else:
                     fixed_addresses.append(address)
-            e_uci.set("network", wg_id, "addresses", fixed_addresses)
+            if fixed_addresses != list(addresses):
+                e_uci.set("network", wg_id, "addresses", fixed_addresses)
 
     e_uci.save("network")
 
 
+def add_metric_to_wans():
+    """
+    Add metric to WAN interfaces if missing. This fixes https://github.com/NethServer/nethsecurity/issues/1428.
+    This logic has been borrowed from https://github.com/NethServer/python3-nethsec/blob/ab7bfb757d602bdbba5aeb2b6e53ef0f3a36d02b/src/nethsec/mwan/__init__.py#L64.
+    """
+    e_uci = EUci()
+    for network in e_uci.get('firewall', 'ns_wan', 'network', dtype=str, default=[], list=True):
+        if e_uci.get('network', network, 'metric', default=None) is None:
+            e_uci.set('network', network, 'metric', 20)
+
+    e_uci.save('network')
+
+
 if __name__ == "__main__":
     migrate_old()
     fix_addresses()
+    add_metric_to_wans()
diff --git a/packages/ns-api/files/ns.devices b/packages/ns-api/files/ns.devices
@@ -610,7 +610,7 @@ def get_bonding_values(ip4_addr_cidr, attached_devices, bonding_policy, bond_pri
     return values
 
 
-def set_network_configuration(device_type, interface_name, logical_type, interface_to_edit, protocol, zone, ip4_addr_cidr, ip4_gateway, ip6_enabled, ip6_address, ip6_gateway, attached_devices, bonding_policy, bond_primary_device, pppoe_username, pppoe_password, dhcp_client_id, dhcp_vendor_class, dhcp_hostname_to_send, dhcp_custom_hostname, uci):
+def set_network_configuration(device_type, interface_name, logical_type, interface_to_edit, protocol, zone, ip4_addr_cidr, ip4_gateway, ip6_enabled, ip6_address, ip6_gateway, attached_devices, bonding_policy, bond_primary_device, pppoe_username, pppoe_password, dhcp_client_id, dhcp_vendor_class, dhcp_hostname_to_send, dhcp_custom_hostname, uci, metric: int = None):
     if device_type == 'logical' and logical_type == 'bond':
         values = get_bonding_values(
             ip4_addr_cidr, attached_devices, bonding_policy, bond_primary_device)
@@ -697,9 +697,26 @@ def set_network_configuration(device_type, interface_name, logical_type, interfa
                 if interface_to_edit and delete_dhcp_hostname:
                     uci.delete('network', interface_name, 'hostname')
 
-    # disable "force link" on red interfaces
     if zone == 'wan':
+        # disable "force link" on red interfaces
         values['force_link'] = '0'
+        # assign metric if missing
+        if metric is not None:
+            values["metric"] = metric
+        else:
+            metrics = set()
+            for network in uci.get("firewall", "ns_wan", "network", dtype=str, default=[], list=True):
+                metric = uci.get("network", network, "metric", default=None, dtype=int)
+                if metric is not None:
+                    metrics.add(metric)
+
+            base_metric = 20
+            while base_metric in metrics:
+                base_metric += 10
+            values["metric"] = base_metric
+    else:
+        # remove metric if interface changes zone
+        values['metric'] = ''
 
     for key, value in values.items():
         uci.set('network', interface_name, key, value)
@@ -833,6 +850,7 @@ def configure_device(input_data):
     dhcp_vendor_class = input_data.get('dhcp_vendor_class')
     dhcp_hostname_to_send = input_data.get('dhcp_hostname_to_send')
     dhcp_custom_hostname = input_data.get('dhcp_custom_hostname')
+    metric = input_data.get('metric')
     bridge_device_name = ''
 
     # validate input data
@@ -848,7 +866,7 @@ def configure_device(input_data):
             device_name, device_type, interface_name, protocol, logical_type, bridge_device_name, uci)
 
     set_network_configuration(device_type, interface_name, logical_type, interface_to_edit, protocol, zone, ip4_address, ip4_gateway, ip6_enabled, ip6_address, ip6_gateway,
-                              attached_devices, bonding_policy, bond_primary_device, pppoe_username, pppoe_password, dhcp_client_id, dhcp_vendor_class, dhcp_hostname_to_send, dhcp_custom_hostname, uci)
+                              attached_devices, bonding_policy, bond_primary_device, pppoe_username, pppoe_password, dhcp_client_id, dhcp_vendor_class, dhcp_hostname_to_send, dhcp_custom_hostname, uci, metric)
 
     set_firewall_zone(interface_name, zone, interface_to_edit, uci)
 
@@ -1180,6 +1198,7 @@ if cmd == 'list':
             'dhcp_vendor_class': 'string',
             'dhcp_hostname_to_send': 'string',
             'dhcp_custom_hostname': 'string',
+            'metric': 'integer'
         },
         'unconfigure-device': {
             'iface_name': 'string',
