-rw-r--r-- | interface-definitions/ssh.xml.in | 19 | ||||
-rw-r--r-- | python/vyos/ifconfig/vxlan.py | 28 | ||||
-rw-r--r-- | python/vyos/ifconfig/wireguard.py | 58 | ||||
-rw-r--r-- | python/vyos/xml/definition.py | 9 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 9 |
5 files changed, 67 insertions, 56 deletions
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 4e8cf28eb..4adfaecfb 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -76,8 +76,12 @@ <properties> <help>Allowed ciphers</help> <completionHelp> - <script>ssh -Q cipher | tr '\n' ' '</script> + <!-- generated by ssh -Q cipher | tr '\n' ' ' as this will not change dynamically --> + <list>3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com</list> </completionHelp> + <constraint> + <regex>^(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com)$</regex> + </constraint> <multi/> </properties> </leafNode> @@ -97,9 +101,13 @@ <properties> <help>Allowed key exchange (KEX) algorithms</help> <completionHelp> - <script>ssh -Q kex | tr '\n' ' '</script> + <!-- generated by ssh -Q kex | tr '\n' ' ' as this will not change dynamically --> + <list>diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org</list> </completionHelp> <multi/> + <constraint> + <regex>^(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org)$</regex> + </constraint> </properties> </leafNode> <leafNode name="listen-address"> 
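Review bot: The new `<list>` and `<regex>` are a build-time snapshot of `ssh -Q` output while the added comment claims the set will not change; OpenSSH does add and retire algorithms between releases, so after an upgrade the constraint can reject a valid name and, worse, accept one the installed sshd no longer knows, which would surface only when sshd fails to (re)start. Keep the schema constraint for completion and basic validation, but also check the selected names against the live `ssh -Q cipher` / `ssh -Q kex` / `ssh -Q mac` output in the conf_mode verify() step, or regenerate these lists at package build time from the OpenSSH version actually shipped. The constraint checks membership only, not strength: legacy entries such as 3des-cbc, hmac-md5 and diffie-hellman-group1-sha1 remain selectable, which is a legitimate operator choice but worth a sentence in the `<help>` text. The same applies to the kex hunk here and to the mac hunk that follows.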
@@ -144,13 +152,18 @@ <description>enable logging of failed login attempts</description> </valueHelp> </properties> + <defaultValue>INFO</defaultValue> </leafNode> <leafNode name="mac"> <properties> <help>Allowed message authentication code (MAC) algorithms</help> <completionHelp> - <script>ssh -Q mac | tr '\n' ' '</script> + <!-- generated by ssh -Q mac | tr '\n' ' ' as this will not change dynamically --> + <list>hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com</list> </completionHelp> + <constraint> + <regex>^(hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com)$</regex> + </constraint> <multi/> </properties> </leafNode> diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py index f9f2e38e9..cd9026bf8 100644 --- a/python/vyos/ifconfig/vxlan.py +++ b/python/vyos/ifconfig/vxlan.py 
@@ -66,24 +66,26 @@ class VXLANIf(Interface): 'ifname': 'add', 'vni': 'id', 'port': 'dstport', - 'src_address': 'nolearning local', + 'src_address': 'local', + 'src_interface': 'dev', } def _create(self): - cmdline = set() - if self.config['remote']: - cmdline = ('ifname', 'type', 'remote', 'src_interface', 'vni', 'port') - - elif self.config['src_address']: - cmdline = ('ifname', 'type', 'src_address', 'vni', 'port') + cmdline = ['ifname', 'type', 'vni', 'port'] - elif self.config['group'] and self.config['src_interface']: - cmdline = ('ifname', 'type', 'group', 'src_interface', 'vni', 'port') + if self.config['src_address']: + cmdline.append('src_address') - else: - ifname = self.config['ifname'] - raise ConfigError( - f'VXLAN "{ifname}" is missing mandatory underlay interface for a multicast network.') + if self.config['remote']: + cmdline.append('remote') + + if self.config['group'] or self.config['src_interface']: + if self.config['group'] and self.config['src_interface']: + cmdline.append('group', 'src_interface') + else: + ifname = self.config['ifname'] + raise ConfigError( + f'VXLAN "{ifname}" is missing mandatory underlay multicast group or source interface for a multicast network.') cmd = 'ip link' for key in cmdline: diff --git a/python/vyos/ifconfig/wireguard.py b/python/vyos/ifconfig/wireguard.py index 027b5ea8c..a90a66ac3 100644 --- a/python/vyos/ifconfig/wireguard.py +++ b/python/vyos/ifconfig/wireguard.py @@ -149,10 +149,10 @@ class WireGuardIf(Interface): default = { 'type': 'wireguard', 'port': 0, - 'private-key': None, + 'private_key': None, 'pubkey': None, - 'psk': '/dev/null', - 'allowed-ips': [], + 'psk': '', + 'allowed_ips': [], 'fwmark': 0x00, 'endpoint': None, 'keepalive': 0 
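Review bot: `cmdline.append('group', 'src_interface')` passes two arguments to `list.append`, which takes exactly one, so the multicast path raises TypeError before `ip link` is ever run; it should be `cmdline.extend(['group', 'src_interface'])`. The rewritten check also changes semantics: the old branch accepted `remote` together with `src_interface` without a `group`, while the new code raises ConfigError whenever exactly one of `group`/`src_interface` is set, so a unicast VXLAN bound to a source interface now fails — if that is unintended, gate the pair check on `group` alone: `if self.config['group']:` / `if not self.config['src_interface']: raise ConfigError(...)`. Conversely, a configuration with none of remote/src_address/group/src_interface no longer raises and would produce an `ip link add ... type vxlan id ... dstport ...` with no underlay at all, which the kernel may accept but is unlikely to be what the operator intended. `_create` continues past the end of the hunk.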
@@ -166,8 +166,8 @@ class WireGuardIf(Interface): } } options = Interface.options + \ - ['port', 'private-key', 'pubkey', 'psk', - 'allowed-ips', 'fwmark', 'endpoint', 'keepalive'] + ['port', 'private_key', 'pubkey', 'psk', + 'allowed_ips', 'fwmark', 'endpoint', 'keepalive'] """ Wireguard interface class, contains a comnfig dictionary since 
@@ -180,44 +180,44 @@ class WireGuardIf(Interface): >>> from vyos.ifconfig import WireGuardIf as wg_if >>> wg_intfc = wg_if("wg01") >>> print (wg_intfc.wg_config) - {'private-key': None, 'keepalive': 0, 'endpoint': None, 'port': 0, - 'allowed-ips': [], 'pubkey': None, 'fwmark': 0, 'psk': '/dev/null'} + {'private_key': None, 'keepalive': 0, 'endpoint': None, 'port': 0, + 'allowed_ips': [], 'pubkey': None, 'fwmark': 0, 'psk': '/dev/null'} >>> wg_intfc.wg_config['keepalive'] = 100 >>> print (wg_intfc.wg_config) - {'private-key': None, 'keepalive': 100, 'endpoint': None, 'port': 0, - 'allowed-ips': [], 'pubkey': None, 'fwmark': 0, 'psk': '/dev/null'} + {'private_key': None, 'keepalive': 100, 'endpoint': None, 'port': 0, + 'allowed_ips': [], 'pubkey': None, 'fwmark': 0, 'psk': '/dev/null'} """ def update(self): - if not self.config['private-key']: + if not self.config['private_key']: raise ValueError("private key required") else: # fmask permission check? pass - cmd = "wg set {} ".format(self.config['ifname']) - cmd += "listen-port {} ".format(self.config['port']) - cmd += "fwmark {} ".format(str(self.config['fwmark'])) - cmd += "private-key {} ".format(self.config['private-key']) - cmd += "peer {} ".format(self.config['pubkey']) - cmd += " preshared-key {} ".format(self.config['psk']) - cmd += " allowed-ips " - for aip in self.config['allowed-ips']: - if aip != self.config['allowed-ips'][-1]: - cmd += aip + "," - else: - cmd += aip + cmd = 'wg set {ifname}'.format(**self.config) + cmd += ' listen-port {port}'.format(**self.config) + cmd += ' fwmark "{fwmark}" '.format(**self.config) + cmd += ' private-key {private_key}'.format(**self.config) + cmd += ' peer {pubkey}'.format(**self.config) + cmd += ' persistent-keepalive {keepalive}'.format(**self.config) + cmd += ' allowed-ips {}'.format(', '.join(self.config['allowed-ips'])) + if self.config['endpoint']: - cmd += " endpoint '{}'".format(self.config['endpoint']) - cmd += " persistent-keepalive 
{}".format(self.config['keepalive']) + cmd += ' endpoint "{endpoint}"'.format(**self.config) + + psk_file = '' + if self.config['psk']: + psk_file = '/tmp/{ifname}.psk'.format(**self.config) + with open(psk_file, 'w') as f: + f.write(self.config['psk']) + cmd += f' preshared-key {psk_file}' self._cmd(cmd) - # remove psk since it isn't required anymore and is saved in the cli - # config only !! - if self.config['psk'] != '/dev/null': - if os.path.exists(self.config['psk']): - os.remove(self.config['psk']) + # PSK key file is not required to be stored persistently as its backed by CLI + if os.path.exists(psk_file): + os.remove(psk_file) def remove_peer(self, peerkey): """ diff --git a/python/vyos/xml/definition.py b/python/vyos/xml/definition.py index 1ecc2017a..c5f6b0fc7 100644 --- a/python/vyos/xml/definition.py +++ b/python/vyos/xml/definition.py @@ -251,20 +251,21 @@ class XML(dict): d = d[k] r = {} - def _flatten(inside, d, r): - prefix = '_'.join(_.replace('-','_') for _ in inside) + '_' if inside else '' + def _flatten(inside, index, d, r): + local = inside[index:] + prefix = '_'.join(_.replace('-','_') for _ in local) + '_' if local else '' for k in d: under = prefix + k.replace('-','_') level = inside + [k] if isinstance(d[k],dict): - _flatten(level, d[k], r) + _flatten(level, index, d[k], r) continue if self.is_multi(level): r[under] = [_.strip() for _ in d[k].split(',')] continue r[under] = d[k] - _flatten([], d, r) + _flatten(lpath, len(lpath), d, r) return r # from functools import lru_cache diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index ab3e073ae..c24c9a7ce 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -275,7 +275,7 @@ def apply(wg): # peer pubkey # setting up the wg interface - w.config['private-key'] = c['pk'] + w.config['private_key'] = c['pk'] for peer in wg['peer']: # peer pubkey 
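Review bot: The pre-shared key is now written to a predictable path under /tmp with a plain `open(psk_file, 'w')`: in a world-writable shared directory the file is created with the default umask (readable by other local users until removed) and an existing entry at that path is followed and truncated by a commit that typically runs as root, whereas the previous location was a root-owned path under /config/auth. Use `tempfile.NamedTemporaryFile` (mode 0600, created with O_EXCL, unlinked when the block exits) so the key has no readable window and is removed even when `self._cmd` raises — the current `os.remove` is not in a `finally`. Independently, `', '.join(self.config['allowed-ips'])` reads the old hyphenated key that this commit renames to `allowed_ips` in the defaults hunk, so every call raises KeyError; and if `_cmd` hands the string to a shell, the space after the comma splits the value into two arguments, so `','.join` is the form wg expects. The docstring above still shows `'psk': '/dev/null'` although the default is now `''`. The rewrite below needs `import tempfile` at module level, which is outside the hunk.
```python
        cmd += ' allowed-ips {}'.format(','.join(self.config['allowed_ips']))
        # … unchanged: endpoint handling …

        if self.config['psk']:
            # key file is created 0600 with O_EXCL and unlinked when the
            # block exits, including when _cmd() raises
            with tempfile.NamedTemporaryFile(mode='w', suffix='.psk') as f:
                f.write(self.config['psk'])
                f.flush()
                self._cmd(cmd + f' preshared-key {f.name}')
        else:
            self._cmd(cmd)
```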
@@ -300,13 +300,8 @@ def apply(wg): if peer['persistent_keepalive']: w.config['keepalive'] = peer['persistent_keepalive'] - # maybe move it into ifconfig.py - # preshared-key - needs to be read from a file if peer['psk']: - psk_file = '/config/auth/wireguard/psk' - with open(psk_file, 'w') as f: - f.write(peer['psk']) - w.config['psk'] = psk_file + w.config['psk'] = peer['psk'] w.update() |
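Review bot: `w.config['psk'] = peer['psk']` is only assigned when the peer has a PSK and nothing resets it, so if `w.config` is reused across the `for peer in wg['peer']` loop (the loop header is outside this hunk) a peer without a PSK would inherit the previous peer's key and its handshakes would likely fail; the same sticky-value pattern is visible for `keepalive` two lines above. Assign unconditionally instead, `w.config['psk'] = peer['psk'] or ''`, so `update()` sees the per-peer value (the library default is now `''` per the wireguard.py defaults hunk). This hunk also drops the root-owned key file under /config/auth in favour of the library writing it to /tmp; see the note on the wireguard.py `update()` hunk. `apply()` starts before this hunk.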