-rw-r--r-- | data/templates/squid/squid.conf.j2 | 10 | ||||
-rw-r--r-- | interface-definitions/service-webproxy.xml.in | 26 | ||||
-rw-r--r-- | python/vyos/configdict.py | 4 | ||||
-rw-r--r-- | python/vyos/configverify.py | 13 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_macsec.py | 4 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_webproxy.py | 8 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 11 |
7 files changed, 68 insertions, 8 deletions
diff --git a/data/templates/squid/squid.conf.j2 b/data/templates/squid/squid.conf.j2 index a0fdeb20e..5781c883f 100644 --- a/data/templates/squid/squid.conf.j2 +++ b/data/templates/squid/squid.conf.j2 @@ -2,6 +2,11 @@ acl net src all acl SSL_ports port 443 +{% if ssl_safe_ports is vyos_defined %} +{% for port in ssl_safe_ports %} +acl SSL_ports port {{ port }} +{% endfor %} +{% endif %} acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https @@ -13,6 +18,11 @@ acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http +{% if safe_ports is vyos_defined %} +{% for port in safe_ports %} +acl Safe_ports port {{ port }} +{% endfor %} +{% endif %} acl CONNECT method CONNECT {% if authentication is vyos_defined %} diff --git a/interface-definitions/service-webproxy.xml.in b/interface-definitions/service-webproxy.xml.in index e4609b699..a315aa2ef 100644 --- a/interface-definitions/service-webproxy.xml.in +++ b/interface-definitions/service-webproxy.xml.in 
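Review bot: The first hunk appends operator-supplied ports to `SSL_ports` without any comment, and in a conventional squid layout that ACL decides which destinations a CONNECT tunnel may reach. The `http_access` rules themselves are outside the hunk, so confirm that is how this template uses it. If so, every `ssl-safe-ports` entry widens what clients can tunnel to through the proxy, which the `<help>SSL safe port</help>` text in service-webproxy.xml.in does not convey. I would add a template comment such as `{# extra CONNECT destinations from "service webproxy ssl-safe-ports" #}` above the loop and reword the help to `<help>Additional port allowed for CONNECT tunnels (SSL_ports ACL)</help>`. The second hunk (`Safe_ports`) would benefit from the same kind of one-line comment.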
@@ -8,6 +8,32 @@ <priority>500</priority> </properties> <children> + <leafNode name="safe-ports"> + <properties> + <help>Safe port ACL</help> + <valueHelp> + <format>u32:1-1024</format> + <description>Port number. Ports included by default: 21,70,80,210,280,443,488,591,777,873,1025-65535</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-20 --range 22-69 --range 71-79 --range 81-209 --range 211-279 --range 281-442 --range 444-487 --range 489-590 --range 592-776 --range 778-872 --range 874-1024"/> + </constraint> + <multi/> + </properties> + </leafNode> + <leafNode name="ssl-safe-ports"> + <properties> + <help>SSL safe port</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Port number. Ports included by default: 443</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-442 --range 444-65535"/> + </constraint> + <multi/> + </properties> + </leafNode> <leafNode name="append-domain"> <properties> <help>Default domain name</help> diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index 20cc7de2a..8f822a97d 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -303,8 +303,8 @@ def is_source_interface(conf, interface, intftype=None): for it in intftype: base = ['interfaces', it] for intf in conf.list_nodes(base): - lower_intf = base + [intf, 'source-interface'] - if conf.exists(lower_intf) and interface in conf.return_values(lower_intf): + src_intf = base + [intf, 'source-interface'] + if conf.exists(src_intf) and interface in conf.return_values(src_intf): ret_val = intf break diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index ac56da204..2ab3cb408 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py 
@@ -284,15 +284,16 @@ def verify_source_interface(config): raise ConfigError('Specified source-interface {source_interface} does ' 'not exist'.format(**config)) + src_ifname = config['source_interface'] if 'source_interface_is_bridge_member' in config: - raise ConfigError('Invalid source-interface {source_interface}. Interface ' - 'is already a member of bridge ' - '{source_interface_is_bridge_member}'.format(**config)) + bridge_name = next(iter(config['source_interface_is_bridge_member'])) + raise ConfigError(f'Invalid source-interface "{src_ifname}". Interface ' + f'is already a member of bridge "{bridge_name}"!') if 'source_interface_is_bond_member' in config: - raise ConfigError('Invalid source-interface {source_interface}. Interface ' - 'is already a member of bond ' - '{source_interface_is_bond_member}'.format(**config)) + bond_name = next(iter(config['source_interface_is_bond_member'])) + raise ConfigError(f'Invalid source-interface "{src_ifname}". Interface ' + f'is already a member of bond "{bond_name}"!') def verify_dhcpv6(config): """ diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py index e5e5a558e..ca70e2c18 100755 --- a/smoketest/scripts/cli/test_interfaces_macsec.py +++ b/smoketest/scripts/cli/test_interfaces_macsec.py @@ -104,6 +104,10 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase): tmp = get_config_value(src_interface, 'mka_ckn') self.assertTrue(mak_ckn in tmp) + # check that we use the new macsec_csindex option (T4537) + tmp = get_config_value(src_interface, 'macsec_csindex') + self.assertTrue("1" in tmp) + # check that the default priority of 255 is programmed tmp = get_config_value(src_interface, 'mka_priority') self.assertTrue("255" in tmp) diff --git a/smoketest/scripts/cli/test_service_webproxy.py b/smoketest/scripts/cli/test_service_webproxy.py index 772d6ab16..fb9b46a06 100755 --- a/smoketest/scripts/cli/test_service_webproxy.py 
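Review bot: `next(iter(config['source_interface_is_bridge_member']))` is called without a default, so an empty value would raise StopIteration instead of the intended ConfigError, and a plain string value would be reduced to its first character. The bond branch has the same pattern. The shape of these two keys is set outside this diff, so treat this as something to confirm rather than a proven bug. A default keeps the error path intact either way: `bridge_name = next(iter(config['source_interface_is_bridge_member']), 'unknown')`. verify_source_interface begins above the hunk.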
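Review bot: In the test_interfaces_macsec.py hunk, `self.assertTrue("1" in tmp)` does not pin `macsec_csindex` to the expected value if `get_config_value` returns a string, because any value containing the digit 1 (for example `10`) would pass. The helper's return type is not visible here. `self.assertIn("1", tmp)` at least reports the actual value on failure, and `self.assertEqual(tmp, "1")` would be the exact check if the helper returns the bare value. The enclosing test method starts and ends outside the hunk.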
+++ b/smoketest/scripts/cli/test_service_webproxy.py @@ -87,6 +87,8 @@ class TestServiceWebProxy(VyOSUnitTestSHIM.TestCase): max_obj_size = '8192' block_mine = ['application/pdf', 'application/x-sh'] body_max_size = '4096' + safe_port = '88' + ssl_safe_port = '8443' self.cli_set(base_path + ['listen-address', listen_ip]) self.cli_set(base_path + ['append-domain', domain]) @@ -104,6 +106,9 @@ class TestServiceWebProxy(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['reply-body-max-size', body_max_size]) + self.cli_set(base_path + ['safe-ports', safe_port]) + self.cli_set(base_path + ['ssl-safe-ports', ssl_safe_port]) + # commit changes self.cli_commit() @@ -122,6 +127,9 @@ class TestServiceWebProxy(VyOSUnitTestSHIM.TestCase): self.assertIn(f'reply_body_max_size {body_max_size} KB', config) + self.assertIn(f'acl Safe_ports port {safe_port}', config) + self.assertIn(f'acl SSL_ports port {ssl_safe_port}', config) + # Check for running process self.assertTrue(process_named_running(PROCESS_NAME)) diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 65b0612ea..870049a88 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -22,6 +22,7 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configdict import is_node_changed +from vyos.configdict import is_source_interface from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete @@ -65,6 +66,10 @@ def get_config(config=None): if is_node_changed(conf, base + [ifname, 'source_interface']): macsec.update({'shutdown_required': {}}) + if 'source_interface' in macsec: + tmp = is_source_interface(conf, macsec['source_interface'], 'macsec') + if tmp and tmp != ifname: macsec.update({'is_source_interface' : tmp}) + return macsec 
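Review bot: The duplicate check added to get_config in interfaces-macsec.py can miss a conflict, because `is_source_interface` (see the configdict.py hunk: `ret_val = intf` followed by `break`) returns only the first macsec interface that references the source interface. If that first match is the interface being configured, `tmp != ifname` is false and nothing is recorded, even when a second macsec interface uses the same parent. Whether this triggers depends on the order `conf.list_nodes` returns, which is not visible here. Scanning all other macsec interfaces inside get_config avoids the dependence on ordering. The sketch below assumes `base` is the macsec path used by the `is_node_changed` context line. get_config starts outside the hunk.

```python
    if 'source_interface' in macsec:
        # compare against every other macsec interface, not only the first match
        for intf in conf.list_nodes(base):
            src_intf = base + [intf, 'source-interface']
            if (intf != ifname and conf.exists(src_intf)
                    and macsec['source_interface'] in conf.return_values(src_intf)):
                macsec.update({'is_source_interface': intf})
                break
```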
@@ -97,6 +102,12 @@ def verify(macsec): # gcm-aes-128 requires a 128bit long key - 64 characters (string) = 32byte = 256bit raise ConfigError('gcm-aes-128 requires a 256bit long key!') + if 'is_source_interface' in macsec: + tmp = macsec['is_source_interface'] + src_ifname = macsec['source_interface'] + raise ConfigError(f'Can not use source-interface "{src_ifname}", it already ' \ + f'belongs to interface "{tmp}"!') + if 'source_interface' in macsec: # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad # and 802.1q) - we need to check the underlaying MTU if our configured |
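Review bot: The trailing backslash in the new `raise ConfigError(f'Can not use source-interface "{src_ifname}", it already ' \` line is redundant, because adjacent string literals inside the parentheses already continue across lines. The name `tmp` also hides what the value is. I would write `other_ifname = macsec['is_source_interface']` and drop the backslash, which matches the f-string style used for the bridge and bond messages in configverify.py. verify() starts above the hunk and continues below it.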