authorDaniil Baturin <daniil@baturin.org>2018-12-03 01:42:14 +0100
committerDaniil Baturin <daniil@baturin.org>2018-12-03 01:42:14 +0100
commit26e1a5c2da4f78a94655fd9434ad0cc604735dca (patch)
treea4747e28df1bfc817bdff3d5b6d5ae6f032f243a
parent354c20aa8046d63cad9206810a51d52a2ce65a5e (diff)
parent44c8175dc975c8a3b73bf14c71dd890d52f00e67 (diff)
Merge branch 'current' into crux
-rw-r--r--debian/changelog12
-rw-r--r--debian/control2
-rw-r--r--interface-definitions/pppoe-server.xml108
-rw-r--r--interface-definitions/wireguard.xml6
-rwxr-xr-xsrc/conf_mode/wireguard.py15
-rwxr-xr-xsrc/op_mode/show_ipsec_sa.py16
6 files changed, 103 insertions, 56 deletions
diff --git a/debian/changelog b/debian/changelog
index 1db603fe5..7666cfd68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+vyos-1x (1.2.0-7) unstable; urgency=low
+
+ * T1061: Wireguard: Missing option to administrativly shutdown interface
+
+ -- hagbard <vyosdev@derith.de> Fri, 30 Nov 2018 10:22:41 -0800
+
+vyos-1x (1.2.0-6) unstable; urgency=medium
+
+ * adding vyos-accel-ppp-ipoe-kmod for T989
+
+ -- hagbard <vyosdev@derith.de> Thu, 22 Nov 2018 10:56:15 -0800
+
vyos-1x (1.2.0-5) unstable; urgency=medium
* T835: accel-ppp: pppoe implementation
diff --git a/debian/control b/debian/control
index 03feeddc8..7061d50ef 100644
--- a/debian/control
+++ b/debian/control
@@ -25,6 +25,7 @@ Depends: python3,
python3-tabulate,
python3-six,
python3-isc-dhcp-leases,
+ python3-hurry.filesize,
ipaddrcheck,
tcpdump,
tshark,
@@ -48,6 +49,7 @@ Depends: python3,
tftpd-hpa,
igmpproxy,
vyos-accel-ppp,
+ vyos-accel-ppp-ipoe-kmod,
mdns-repeater,
udp-broadcast-relay,
pdns-recursor,
diff --git a/interface-definitions/pppoe-server.xml b/interface-definitions/pppoe-server.xml
index 510bfeb3b..a0c22d53a 100644
--- a/interface-definitions/pppoe-server.xml
+++ b/interface-definitions/pppoe-server.xml
@@ -73,19 +73,22 @@
</valueHelp>
<valueHelp>
<format>radius</format>
- <description>Use Radius server to autenticate users</description>
+ <description>Use a RADIUS server to autenticate users</description>
</valueHelp>
<constraint>
<regex>^(local|radius)</regex>
</constraint>
+ <completionHelp>
+ <list>local radius</list>
+ </completionHelp>
</properties>
</leafNode>
<tagNode name="radius-server">
<properties>
- <help>IP address of radius server</help>
+ <help>IP address of RADIUS server</help>
<valueHelp>
<format>ipv4</format>
- <description>IP address of radius server</description>
+ <description>IP address of RADIUS server</description>
</valueHelp>
</properties>
<children>
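Review bot: The rewritten description on the `+` line of the radius valueHelp still reads `autenticate`; since the line is being touched for wording anyway, `<description>Use a RADIUS server to authenticate users</description>` fixes the typo. The same applies to the constraintErrorMessage hunk later in this file (`@@ -355,7 +358,7 @@`), where `aplhanumerical` survives into the new line; `alphanumeric` is the usual form and is what a user reading the error will search for.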
@@ -96,44 +99,44 @@
</leafNode>
<leafNode name="req-limit">
<properties>
- <help>maximum number of simultaneous requests to server (default: unlimited)</help>
+ <help>Maximum number of simultaneous requests to server (default: unlimited)</help>
</properties>
</leafNode>
<leafNode name="fail-time">
<properties>
- <help>if server doesn't responds mark it as unavailable for this amount of time in seconds</help>
+ <help>If server doesn't responds mark it as unavailable for this amount of time in seconds</help>
</properties>
</leafNode>
</children>
</tagNode>
<node name="radius-settings">
<properties>
- <help>radius settings</help>
+ <help>RADIUS settings</help>
</properties>
<children>
<leafNode name="timeout">
<properties>
- <help>timeout to wait response from server (sec)</help>
+ <help>Timeout to wait response from server (seconds)</help>
</properties>
</leafNode>
<leafNode name="acct-timeout">
<properties>
- <help>timeout to wait reply for Interim-Update packets. (default 3 sec)</help>
+ <help>Timeout to wait reply for Interim-Update packets. (default 3 seconds)</help>
</properties>
</leafNode>
<leafNode name="max-try">
<properties>
- <help>maximum number of tries to send Access-Request/Accounting-Request queries</help>
+ <help>Maximum number of tries to send Access-Request/Accounting-Request queries</help>
</properties>
</leafNode>
<leafNode name="nas-identifier">
<properties>
- <help>value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help>
+ <help>Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help>
</properties>
</leafNode>
<leafNode name="nas-ip-address">
<properties>
- <help>value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.</help>
+ <help>Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.</help>
</properties>
</leafNode>
<node name="dae-server">
@@ -148,12 +151,12 @@
</leafNode>
<leafNode name="port">
<properties>
- <help>port for Dynamic Authorization Extension server (DM/CoA)</help>
+ <help>Port for Dynamic Authorization Extension server (DM/CoA)</help>
</properties>
</leafNode>
<leafNode name="secret">
<properties>
- <help>secret for Dynamic Authorization Extension server (DM/CoA)</help>
+ <help>Secret for Dynamic Authorization Extension server (DM/CoA)</help>
</properties>
</leafNode>
</children>
@@ -164,7 +167,7 @@
</node>
<node name="client-ip-pool">
<properties>
- <help>Pool of client IP address (must be within a /24)</help>
+ <help>Pool of client IP addresses (must be within a /24)</help>
</properties>
<children>
<leafNode name="start">
@@ -188,18 +191,18 @@
<node name="client-ipv6-pool">
<properties>
- <help>pool of client IP space</help>
+ <help>Pool of client IPv6 addresses</help>
</properties>
<children>
<leafNode name="prefix">
<properties>
- <help>format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients)</help>
+ <help>Format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients)</help>
<multi />
</properties>
</leafNode>
<leafNode name="delegate-prefix">
<properties>
- <help>format: ipv6prefix/mask,prefix_len (delegate to clients through DHCPv6 prefix delegation - rfc3633)</help>
+ <help>Format: ipv6prefix/mask,prefix_len (delegate to clients through DHCPv6 prefix delegation - rfc3633)</help>
<multi />
</properties>
</leafNode>
@@ -306,12 +309,12 @@
</leafNode>
<node name="limits">
<properties>
- <help>limits the connection rate from a single source</help>
+ <help>Limits the connection rate from a single source</help>
</properties>
<children>
<leafNode name="connection-limit">
<properties>
- <help>acceptable rate of connections (e.g. 1/min, 60/sec)</help>
+ <help>Acceptable rate of connections (e.g. 1/min, 60/sec)</help>
<constraint>
<regex>^[0-9]+\/(min|sec)$</regex>
</constraint>
@@ -320,12 +323,12 @@
</leafNode>
<leafNode name="burst">
<properties>
- <help>burst count</help>
+ <help>Burst count</help>
</properties>
</leafNode>
<leafNode name="timeout">
<properties>
- <help>timeout in seconds</help>
+ <help>Timeout in seconds</help>
</properties>
</leafNode>
</children>
@@ -355,7 +358,7 @@
<constraint>
<regex>^[a-zA-Z0-9\-]{1,100}</regex>
</constraint>
- <constraintErrorMessage>servicename can contain aplhanumerical characters and dash only (max. 100)</constraintErrorMessage>
+ <constraintErrorMessage>servicename can contain aplhanumerical characters and dashes only (max. 100)</constraintErrorMessage>
</properties>
</leafNode>
<node name="wins-servers">
@@ -382,10 +385,13 @@
</children>
</node>
<node name="ppp-options">
+ <properties>
+ <help>Advanced protocol options</help>
+ </properties>
<children>
<leafNode name="min-mtu">
<properties>
- <help>minimum acceptable MTU (68-65535)</help>
+ <help>Minimum acceptable MTU (68-65535)</help>
<constraint>
<validator name="numeric" argument="--range 68-65535"/>
</constraint>
@@ -393,7 +399,7 @@
</leafNode>
<leafNode name="mru">
<properties>
- <help>preferred MRU (68-65535)</help>
+ <help>Preferred MRU (68-65535)</help>
<constraint>
<validator name="numeric" argument="--range 68-65535"/>
</constraint>
@@ -401,30 +407,30 @@
</leafNode>
<leafNode name="ccp">
<properties>
- <help>ccp negotiation (default disabled)</help>
+ <help>CCP negotiation (default disabled)</help>
<valueless />
</properties>
</leafNode>
<node name="mppe">
<properties>
- <help>specifies mppe negotiation preference. (default prefer mppe)</help>
+ <help>Specifies MPPE negotiation preference. (default prefer mppe)</help>
</properties>
<children>
<leafNode name="require">
<properties>
- <help>ask client for mppe, if it rejects drop connection</help>
+ <help>Ask client for MPPE, if it rejects then drop the connection</help>
<valueless />
</properties>
</leafNode>
<leafNode name="prefer">
<properties>
- <help>ask client for mppe, if it rejects don't fail</help>
+ <help>Ask client for MPPE, if it rejects don't fail</help>
<valueless />
</properties>
</leafNode>
<leafNode name="deny">
<properties>
- <help>deny mppe</help>
+ <help>Deny MPPE</help>
<valueless />
</properties>
</leafNode>
@@ -432,7 +438,7 @@
</node>
<leafNode name="lcp-echo-interval">
<properties>
- <help>lcp echo-requests/sec</help>
+ <help>LCP echo-requests/sec</help>
<constraint>
<validator name="numeric" argument="--positive"/>
</constraint>
@@ -440,7 +446,7 @@
</leafNode>
<leafNode name="lcp-echo-failure">
<properties>
- <help>maximum number of Echo-Requests may be sent without valid reply</help>
+ <help>Maximum number of Echo-Requests may be sent without valid reply</help>
<constraint>
<validator name="numeric" argument="--positive"/>
</constraint>
@@ -448,7 +454,7 @@
</leafNode>
<leafNode name="lcp-echo-timeout">
<properties>
- <help>timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used.</help>
+ <help>Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used.</help>
<constraint>
<validator name="numeric" argument="--positive"/>
</constraint>
@@ -456,60 +462,60 @@
</leafNode>
<leafNode name="ipv4">
<properties>
- <help>specify IPv4 (IPCP) negotiation algorithm</help>
+ <help>IPv4 (IPCP) negotiation algorithm</help>
<constraint>
<regex>^(deny|allow|prefer|require)</regex>
</constraint>
<constraintErrorMessage>invalid value</constraintErrorMessage>
<valueHelp>
<format>deny</format>
- <description>don't negotiate IPv4</description>
+ <description>Don't negotiate IPv4</description>
</valueHelp>
<valueHelp>
<format>allow</format>
- <description>negotiate IPv4 only if client requests</description>
+ <description>Negotiate IPv4 only if client requests</description>
</valueHelp>
<valueHelp>
<format>prefer</format>
- <description>ask client for IPv4 negotiation, don't fail if he rejects</description>
+ <description>Ask client for IPv4 negotiation, don't fail if it rejects</description>
</valueHelp>
<valueHelp>
<format>require</format>
- <description>require IPv4 negotiation</description>
+ <description>Require IPv4 negotiation</description>
</valueHelp>
</properties>
</leafNode>
<leafNode name="ipv6">
<properties>
- <help>specify IPv6 (IPCP6) negotiation algorithm</help>
+ <help>IPv6 (IPCP6) negotiation algorithm</help>
<constraint>
<regex>^(deny|allow|prefer|require)</regex>
</constraint>
<constraintErrorMessage>invalid value</constraintErrorMessage>
<valueHelp>
<format>deny</format>
- <description>don't negotiate IPv6</description>
+ <description>Don't negotiate IPv6</description>
</valueHelp>
<valueHelp>
<format>allow</format>
- <description>negotiate IPv6 only if client requests</description>
+ <description>Negotiate IPv6 only if client requests</description>
</valueHelp>
<valueHelp>
<format>prefer</format>
- <description>ask client for IPv6 negotiation, don't fail if he rejects</description>
+ <description>Ask client for IPv6 negotiation, don't fail if it rejects</description>
</valueHelp>
<valueHelp>
<format>require</format>
- <description>require IPv6 negotiation</description>
+ <description>Require IPv6 negotiation</description>
</valueHelp>
</properties>
</leafNode>
<leafNode name="ipv6-intf-id">
<properties>
- <help>Specify fixed or random interface identifier for IPv6</help>
+ <help>Fixed or random interface identifier for IPv6</help>
<valueHelp>
<format>random</format>
- <description>specify random interface identifier for IPv6</description>
+ <description>Random interface identifier for IPv6</description>
</valueHelp>
<valueHelp>
<format>x:x:x:x</format>
@@ -519,33 +525,31 @@
</leafNode>
<leafNode name="ipv6-peer-intf-id">
<properties>
- <help>specify peer interface identifier for IPv6</help>
+ <help>Peer interface identifier for IPv6</help>
<valueHelp>
<format>x:x:x:x</format>
- <description>specify interface identifier for IPv6</description>
+ <description>Interface identifier for IPv6</description>
</valueHelp>
<valueHelp>
<format>random</format>
- <description>specify a random interface identifier for IPv6</description>
+ <description>Use a random interface identifier for IPv6</description>
</valueHelp>
<valueHelp>
<format>ipv4</format>
- <description>calculate interface identifier from IPv4 address, for example 192:168:0:1</description>
+ <description>Calculate interface identifier from IPv4 address, for example 192:168:0:1</description>
</valueHelp>
<valueHelp>
<format>calling-sid</format>
- <description>calculate interface identifier from calling-station-Id</description>
+ <description>Calculate interface identifier from calling-station-id</description>
</valueHelp>
</properties>
</leafNode>
<leafNode name="ipv6-accept-peer-intf-id">
<properties>
- <help>accept peer's interface identifier</help>
+ <help>Accept peer's interface identifier</help>
<valueless />
</properties>
</leafNode>
-
-
</children>
</node>
</children>
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index b0923bbe0..8bfffac9d 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -39,6 +39,12 @@
<constraintErrorMessage>interface description is too long (limit 100 characters)</constraintErrorMessage>
</properties>
</leafNode>
+ <leafNode name="disable">
+ <properties>
+ <help>disables the wireguard interface</help>
+ <valueless />
+ </properties>
+ </leafNode>
<leafNode name="port">
<properties>
<help>Local port number to accept connections</help>
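Review bot: The new help text `disables the wireguard interface` is lowercase and phrased as a description, while the pppoe-server.xml hunks in this same merge capitalize and shorten help strings to the imperative form. `<help>Disable the WireGuard interface</help>` matches that convention and the `Local port number to accept connections` line that follows it in this hunk.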
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 353528aba..f5452579e 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -89,6 +89,9 @@ def get_config():
### addresses
if c.exists(cnf + ' address'):
config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address')
+ ### interface up/down
+ if c.exists(cnf + ' disable'):
+ config_data['interfaces'][intfc]['state'] = 'disable'
### listen port
if c.exists(cnf + ' port'):
config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' port')
@@ -121,6 +124,7 @@ def get_config():
if c.exists(cnf + ' peer ' + p + ' preshared-key'):
config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key')
+
return config_data
def verify(c):
@@ -159,12 +163,21 @@ def apply(c):
c_eff = Config()
c_eff.set_level('interfaces wireguard')
+ ### link status up/down aka interface disable
+
+ for intf in c['interfaces']:
+ if c['interfaces'][intf]['state'] == 'disable':
+ sl.syslog(sl.LOG_NOTICE, "disable interface " + intf)
+ subprocess.call(['ip l s dev ' + intf + ' down ' + ' &>/dev/null'], shell=True)
+ else:
+ sl.syslog(sl.LOG_NOTICE, "enable interface " + intf)
+ subprocess.call(['ip l s dev ' + intf + ' up ' + ' &>/dev/null'], shell=True)
+
### deletion of a specific interface
for intf in c['interfaces']:
if c['interfaces'][intf]['status'] == 'delete':
sl.syslog(sl.LOG_NOTICE, "removing interface " + intf)
subprocess.call(['ip l d dev ' + intf + ' &>/dev/null'], shell=True)
-
### peer deletion
peer_eff = c_eff.list_effective_nodes( intf + ' peer')
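Review bot: `if c['interfaces'][intf]['state'] == 'disable':` in the new up/down loop raises KeyError for every interface that is not disabled, because the get_config hunk in this file assigns `state` only when `disable` exists in the configuration (unless the key is pre-seeded where the per-interface dict is created, which is outside both hunks). `if c['interfaces'][intf].get('state') == 'disable':` lets the enable branch run for the common case. The two new `subprocess.call` lines also build a shell string ending in `&>/dev/null`, a redirection that is not POSIX sh syntax; a list without a shell, e.g. `subprocess.call(['ip', 'link', 'set', 'dev', intf, 'down'])`, needs neither the shell nor the redirection and does not hand the interface name to a shell parser. The loop additionally brings interfaces up just before the next block deletes those with status `delete`; skipping such entries, or running the up/down loop after the deletion loop, avoids the extra ip call. apply() starts before and continues after this hunk.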
diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py
index c0ef1feef..3c8d678eb 100755
--- a/src/op_mode/show_ipsec_sa.py
+++ b/src/op_mode/show_ipsec_sa.py
@@ -4,17 +4,22 @@ import re
import subprocess
import tabulate
+import hurry.filesize
def parse_conn_spec(s):
# Example: ESTABLISHED 14 seconds ago, 10.0.0.2[foo]...10.0.0.1[10.0.0.1]
return re.search(r'.*ESTABLISHED\s+(.*)ago,\s(.*)\[(.*)\]\.\.\.(.*)\[(.*)\].*', s).groups()
def parse_ike_line(s):
- # Example: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
try:
- return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s).groups()
+ # Example with traffic: AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 2382660 bytes_i (1789 pkts, 2s ago), 2382660 bytes_o ...
+ return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i\s\(.*pkts,.*\),\s+(\d+)\s+bytes_o', s).groups()
except AttributeError:
- return (None, None, None, None, None)
+ try:
+ # Example without traffic: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
+ return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s).groups()
+ except AttributeError:
+ return (None, None, None, None, None)
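Review bot: The nested try/except AttributeError in parse_ike_line relies on `.groups()` failing on a None match to fall through to the second pattern, which also swallows any other AttributeError and reads as control flow by exception. Testing the match object directly keeps both patterns and the fallback explicit, and the rewrite below preserves the return contract (a 5-tuple of str, or five Nones). The example comment that the hunk moves into the inner branch would serve better as a short docstring naming both accepted line formats.
```python
def parse_ike_line(s):
    """Return (enc, hash, dh, bytes_in, bytes_out) parsed from an IKE status line, or five Nones."""
    # Example with traffic: AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 2382660 bytes_i (1789 pkts, 2s ago), 2382660 bytes_o ...
    m = re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i\s\(.*pkts,.*\),\s+(\d+)\s+bytes_o', s)
    if m is None:
        # Example without traffic: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
        m = re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s)
    return m.groups() if m else (None, None, None, None, None)
```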
# Get a list of all configured connections
@@ -35,6 +40,11 @@ for conn in connections:
if ip == id:
id = None
enc, hash, dh, bytes_in, bytes_out = parse_ike_line(status)
+
+ # Convert bytes to human-readable units
+ bytes_in = hurry.filesize.size(bytes_in)
+ bytes_out = hurry.filesize.size(bytes_out)
+
status_line = [conn, "up", time, "{0}/{1}".format(bytes_in, bytes_out), ip, id, "{0}/{1}/{2}".format(enc, hash, dh)]
except Exception as e:
print(status)
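Review bot: `hurry.filesize.size(bytes_in)` is fed the raw regex group, a str, or None when parse_ike_line matched neither pattern; if size() compares its argument against integer thresholds as its name suggests, both cases raise TypeError, which the broad `except Exception` below turns into a raw `print(status)` for every connection instead of a formatted row. Convert explicitly and keep the None case distinguishable: `bytes_in = hurry.filesize.size(int(bytes_in)) if bytes_in is not None else None`, and the same for bytes_out. The enclosing for loop and try block start before this hunk.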