author | khramshinr <khramshinr@gmail.com> | 2024-05-29 19:46:20 +0600 |
committer | khramshinr <khramshinr@gmail.com> | 2024-06-24 20:16:31 +0600 |
commit | f6131611e15a644312e3c4baf5b8f6387c2930e7 (patch) | |
tree | b7b710ca5c9f5f44838f4f4b5b25ed97f70fa1b6 /interface-definitions | |
parent | c90a55375f6b60ba0d0d545b33927a2aae4d6aad (diff) | |
T5735: Stunnel CLI and configuration
Add CLI commands
Add config
Add conf_mode
Add systemd config
Add stunnel smoketests
Add log level config
Diffstat (limited to 'interface-definitions')
16 files changed, 342 insertions, 0 deletions
diff --git a/interface-definitions/include/stunnel/address.xml.i b/interface-definitions/include/stunnel/address.xml.i
new file mode 100644
index 000000000..d2901d595
--- /dev/null
+++ b/interface-definitions/include/stunnel/address.xml.i
@@ -0,0 +1,20 @@
+<!-- include start from stunnel/address.xml.i -->
+<leafNode name="address">
+ <properties>
+ <help>Hostname or IP address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hostname</format>
+ <description>hostname</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-address"/>
+ <validator name="fqdn"/>
+ </constraint>
+ <constraintErrorMessage>Invalid FQDN or IP address</constraintErrorMessage>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/connect.xml.i b/interface-definitions/include/stunnel/connect.xml.i
new file mode 100644
index 000000000..cd6246a00
--- /dev/null
+++ b/interface-definitions/include/stunnel/connect.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from stunnel/connect.xml.i -->
+<node name="connect">
+ <properties>
+ <help>Connect to a remote address</help>
+ </properties>
+ <children>
+ #include <include/stunnel/address.xml.i>
+ #include <include/port-number.xml.i>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/listen.xml.i b/interface-definitions/include/stunnel/listen.xml.i
new file mode 100644
index 000000000..13d0986ee
--- /dev/null
+++ b/interface-definitions/include/stunnel/listen.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from stunnel/listen.xml.i -->
+<node name="listen">
+ <properties>
+ <help>Accept connections on specified address</help>
+ </properties>
+ <children>
+ #include <include/stunnel/address.xml.i>
+ #include <include/port-number.xml.i>
+ </children>
+</node>
+<!-- include end -->
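Review bot: In address.xml.i the constraint uses the `ip-address` validator, which in VyOS accepts IPv4 and IPv6, while the valueHelp only advertises `ipv4` and `hostname`, so the completion help understates what the leaf accepts. Either add `<valueHelp><format>ipv6</format><description>IPv6 address</description></valueHelp>` or narrow the validator to `ipv4-address` so help and check agree. Since this include is reused by connect.xml.i, listen.xml.i and the `host` node of protocol-options.xml.i, whichever is chosen applies to every stunnel address field.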
diff --git a/interface-definitions/include/stunnel/protocol-options.xml.i b/interface-definitions/include/stunnel/protocol-options.xml.i
new file mode 100644
index 000000000..2f0202875
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-options.xml.i
@@ -0,0 +1,75 @@
+<!-- include start from stunel/protocol-options.xml.i -->
+<node name="options">
+ <properties>
+ <help>Advanced protocol options</help>
+ </properties>
+ <children>
+ <leafNode name="authentication">
+ <properties>
+ <help>Authentication type for the protocol negotiations</help>
+ <completionHelp>
+ <list>basic ntlm plain login</list>
+ </completionHelp>
+ <valueHelp>
+ <format>basic</format>
+ <description>The default 'connect' authentication type</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ntlm</format>
+ <description>Supported authentication types for the 'connect' protocol</description>
+ </valueHelp>
+ <valueHelp>
+ <format>plain</format>
+ <description>The default 'smtp' authentication type</description>
+ </valueHelp>
+ <valueHelp>
+ <format>login</format>
+ <description>Supported authentication types for the 'smtp' protocol</description>
+ </valueHelp>
+ <constraint>
+ <regex>(basic|ntlm|plain|login)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="domain">
+ <properties>
+ <help>Domain for the 'connect' protocol.</help>
+ <valueHelp>
+ <format>domain</format>
+ <description>domain</description>
+ </valueHelp>
+ <constraint>
+ <validator name="fqdn"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="host">
+ <properties>
+ <help>Destination address for the 'connect' protocol</help>
+ </properties>
+ <children>
+ #include <include/stunnel/address.xml.i>
+ #include <include/port-number.xml.i>
+ </children>
+ </node>
+ <leafNode name="password">
+ <properties>
+ <help>Password for the protocol negotiations</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Authentication password</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="username">
+ <properties>
+ <help>Username for the protocol negotiations</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Authentication username</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-cifs.xml.i b/interface-definitions/include/stunnel/protocol-value-cifs.xml.i
new file mode 100644
index 000000000..5b9484750
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-cifs.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-cifs.xml.i -->
+<valueHelp>
+ <format>cifs</format>
+ <description>Proprietary (undocummented) extension of CIFS protocol</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-connect.xml.i b/interface-definitions/include/stunnel/protocol-value-connect.xml.i
new file mode 100644
index 000000000..3c30e71ca
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-connect.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-connect.xml.i -->
+<valueHelp>
+ <format>connect</format>
+ <description>Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section 5.2 - Requesting a Tunnel with CONNECT</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-imap.xml.i b/interface-definitions/include/stunnel/protocol-value-imap.xml.i
new file mode 100644
index 000000000..033e5479b
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-imap.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-imap.xml.i -->
+<valueHelp>
+ <format>imap</format>
+ <description>Based on RFC 2595 - Using TLS with IMAP, POP3 and ACAP</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-nntp.xml.i b/interface-definitions/include/stunnel/protocol-value-nntp.xml.i
new file mode 100644
index 000000000..60a6c02c6
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-nntp.xml.i
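Review bot: The `password` and `username` leaves in protocol-options.xml.i carry no constraint, so any text, including whitespace and line breaks, is accepted and handed to the conf script; stunnel's configuration file is line-oriented, so unless the template (outside this diff) escapes or rejects such values, a line break in either leaf could end the generated directive early and start a new one. A constraint that at least excludes line breaks and surrounding whitespace would keep malformed values out of the generated file regardless of what the template does, and it would also be consistent with `authentication` and `domain`, which are validated. Separately, the include comment reads `stunel/protocol-options.xml.i` and should be `stunnel/protocol-options.xml.i` to match the file path and the other includes.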
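Review bot: The cifs description in protocol-value-cifs.xml.i misspells "undocumented"; suggest `<description>Proprietary (undocumented) extension of the CIFS protocol</description>`, since this text is shown verbatim in CLI completion help.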
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-nntp.xml.i -->
+<valueHelp>
+ <format>nntp</format>
+ <description>Based on RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-pgsql.xml.i b/interface-definitions/include/stunnel/protocol-value-pgsql.xml.i
new file mode 100644
index 000000000..fd3a166ec
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-pgsql.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-pgsql.xml.i -->
+<valueHelp>
+ <format>pgsql</format>
+ <description>Based on PostgreSQL frontend/backend protocol</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-pop3.xml.i b/interface-definitions/include/stunnel/protocol-value-pop3.xml.i
new file mode 100644
index 000000000..1c8af53e5
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-pop3.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-pop3.xml.i -->
+<valueHelp>
+ <format>pop3</format>
+ <description>Based on RFC 2449 - POP3 Extension Mechanism</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-proxy.xml.i b/interface-definitions/include/stunnel/protocol-value-proxy.xml.i
new file mode 100644
index 000000000..a4c20d1b0
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-proxy.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-proxy.xml.i -->
+<valueHelp>
+ <format>proxy</format>
+ <description>Passing of the original client IP address with HAProxy PROXY protocol version 1</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-smtp.xml.i b/interface-definitions/include/stunnel/protocol-value-smtp.xml.i
new file mode 100644
index 000000000..66ca20426
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-smtp.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-smtp.xml.i -->
+<valueHelp>
+ <format>smtp</format>
+ <description>Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/protocol-value-socks.xml.i b/interface-definitions/include/stunnel/protocol-value-socks.xml.i
new file mode 100644
index 000000000..e110be5db
--- /dev/null
+++ b/interface-definitions/include/stunnel/protocol-value-socks.xml.i
@@ -0,0 +1,6 @@
+<!-- include start from stunnel/protocol-value-socks.xml.i -->
+<valueHelp>
+ <format>socks</format>
+ <description>SOCKS versions 4, 4a, and 5 are supported</description>
+</valueHelp>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/psk.xml.i b/interface-definitions/include/stunnel/psk.xml.i
new file mode 100644
index 000000000..db11a93d3
--- /dev/null
+++ b/interface-definitions/include/stunnel/psk.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from stunnel/psk.xml.i -->
+<tagNode name="psk">
+ <properties>
+ <help>Pre-shared key name</help>
+ </properties>
+ <children>
+ <leafNode name="id">
+ <properties>
+ <help>ID for authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ID used for authentication</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="secret">
+ <properties>
+ <help>pre-shared secret key</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>pre-shared secret key are required to be at least 16 bytes long, which implies at least 32 characters for hexadecimal key</description>
+ </valueHelp>
+ <constraint>
+ <validator name="psk-secret"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/ssl.xml.i b/interface-definitions/include/stunnel/ssl.xml.i
new file mode 100644
index 000000000..8aba299e9
--- /dev/null
+++ b/interface-definitions/include/stunnel/ssl.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from stunnel/ssl.xml.i -->
+<node name="ssl">
+ <properties>
+ <help>SSL Certificate, SSL Key and CA</help>
+ </properties>
+ <children>
+ #include <include/pki/ca-certificate-multi.xml.i>
+ #include <include/pki/certificate.xml.i>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/service_stunnel.xml.in b/interface-definitions/service_stunnel.xml.in
new file mode 100644
index 000000000..d88909bc9
--- /dev/null
+++ b/interface-definitions/service_stunnel.xml.in
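Review bot: The `id` leaf in psk.xml.i has no constraint while `secret` is checked by the `psk-secret` validator; stunnel reads pre-shared keys from a PSKsecrets file with one `IDENTITY:KEY` pair per line, so if the conf script writes that format an identity containing `:` or a line break would corrupt the generated file and could affect neighbouring entries. A regex that excludes those characters would bring `id` in line with `secret`. The `psk-secret` validator is referenced here but is not part of this diff, which is limited to interface-definitions, so its existence cannot be confirmed from this view. The help text on `secret` also reads awkwardly; suggest `<help>Pre-shared secret key</help>` and `<description>Pre-shared secret key, at least 16 bytes long (32 characters for a hexadecimal key)</description>`.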
@@ -0,0 +1,130 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="service">
+ <properties>
+ <help>System services</help>
+ </properties>
+ <children>
+ <node name="stunnel" owner="${vyos_conf_scripts_dir}/service_stunnel.py">
+ <properties>
+ <help>Stunnel TLS Proxy</help>
+ <priority>1000</priority>
+ </properties>
+ <children>
+ <tagNode name="server">
+ <properties>
+ <help>Stunnel server config</help>
+ </properties>
+ <children>
+ #include <include/stunnel/connect.xml.i>
+ #include <include/stunnel/listen.xml.i>
+ #include <include/stunnel/ssl.xml.i>
+ #include <include/stunnel/psk.xml.i>
+ <leafNode name="protocol">
+ <properties>
+ <help>Application protocol to negotiate TLS</help>
+ <completionHelp>
+ <list>cifs imap pgsql pop3 proxy smtp socks</list>
+ </completionHelp>
+ #include <include/stunnel/protocol-value-cifs.xml.i>
+ #include <include/stunnel/protocol-value-imap.xml.i>
+ #include <include/stunnel/protocol-value-pgsql.xml.i>
+ #include <include/stunnel/protocol-value-pop3.xml.i>
+ #include <include/stunnel/protocol-value-proxy.xml.i>
+ #include <include/stunnel/protocol-value-smtp.xml.i>
+ #include <include/stunnel/protocol-value-socks.xml.i>
+ <constraint>
+ <regex>(cifs|imap|pgsql|pop3|proxy|smtp|socks)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="client">
+ <properties>
+ <help>Stunnel client config</help>
+ </properties>
+ <children>
+ #include <include/stunnel/connect.xml.i>
+ #include <include/stunnel/listen.xml.i>
+ #include <include/stunnel/ssl.xml.i>
+ #include <include/stunnel/psk.xml.i>
+ <leafNode name="protocol">
+ <properties>
+ <help>Application protocol to negotiate TLS</help>
+ <completionHelp>
+ <list>cifs connect imap nntp pgsql pop3 proxy smtp socks</list>
+ </completionHelp>
+ #include <include/stunnel/protocol-value-cifs.xml.i>
+ #include <include/stunnel/protocol-value-connect.xml.i>
+ #include <include/stunnel/protocol-value-imap.xml.i>
+ #include <include/stunnel/protocol-value-nntp.xml.i>
+ #include <include/stunnel/protocol-value-pgsql.xml.i>
+ #include <include/stunnel/protocol-value-pop3.xml.i>
+ #include <include/stunnel/protocol-value-proxy.xml.i>
+ #include <include/stunnel/protocol-value-smtp.xml.i>
+ #include <include/stunnel/protocol-value-socks.xml.i>
+ <constraint>
+ <regex>(cifs|connect|imap|nntp|pgsql|pop3|proxy|smtp|socks)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/stunnel/protocol-options.xml.i>
+ </children>
+ </tagNode>
+ <node name="log">
+ <properties>
+ <help>Service logging</help>
+ </properties>
+ <children>
+ <leafNode name="level">
+ <properties>
+ <help>Specifies log level.</help>
+ <completionHelp>
+ <list>emerg alert crit err warning notice info debug</list>
+ </completionHelp>
+ <valueHelp>
+ <format>emerg</format>
+ <description>Emerg log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>alert</format>
+ <description>Alert log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>crit</format>
+ <description>Critical log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>err</format>
+ <description>Error log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>warning</format>
+ <description>Warning log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>notice</format>
+ <description>Notice log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>info</format>
+ <description>Info log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>debug</format>
+ <description>Debug log level</description>
+ </valueHelp>
+ <constraint>
+ <regex>(emerg|alert|crit|err|warning|notice|info|debug)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>notice</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition> |
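Review bot: The `client` tagNode exposes CA certificates through ssl.xml.i but no leaf selects peer verification, so whether a configured CA actually makes stunnel verify the remote certificate (its `verifyChain`/`verifyPeer` directives) is decided entirely by the conf script and template, which are outside this diff; the help text should state the intended behaviour so operators know what setting a CA buys them, e.g. `<help>Stunnel client config (remote certificate is verified against the configured CA)</help>` if that is what the template does. Nothing in the definition requires either `ssl` or `psk` on a server or client instance, so that check presumably lives in the conf script's verify step. On the style side, the `protocol` leaf is written out twice and differs only in the client-only values `connect` and `nntp`; the shared valueHelp includes and regex alternatives could be moved into one include file, as already done for the address and psk leaves.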