diff options
| -rw-r--r-- | interface-definitions/include/version/openvpn-version.xml.i | 2 | ||||
| -rw-r--r-- | interface-definitions/interfaces_openvpn.xml.in | 12 | ||||
| -rw-r--r-- | python/vyos/opmode.py | 10 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces_openvpn.py | 7 | ||||
| -rw-r--r-- | src/migration-scripts/openvpn/2-to-3 | 43 | ||||
| -rwxr-xr-x | src/op_mode/bridge.py | 2 | ||||
| -rwxr-xr-x | src/op_mode/dhcp.py | 2 | ||||
| -rwxr-xr-x | src/op_mode/ssh.py | 2 | ||||
| -rw-r--r-- | src/op_mode/zone.py | 4 | ||||
| -rw-r--r-- | src/services/api/graphql/session/errors/op_mode_errors.py | 2 |
10 files changed, 73 insertions, 13 deletions
diff --git a/interface-definitions/include/version/openvpn-version.xml.i b/interface-definitions/include/version/openvpn-version.xml.i index e4eb13b7c..e03ad55c0 100644 --- a/interface-definitions/include/version/openvpn-version.xml.i +++ b/interface-definitions/include/version/openvpn-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/openvpn-version.xml.i --> -<syntaxVersion component='openvpn' version='2'></syntaxVersion> +<syntaxVersion component='openvpn' version='3'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces_openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in index 23cc83e9a..1860523c2 100644 --- a/interface-definitions/interfaces_openvpn.xml.in +++ b/interface-definitions/interfaces_openvpn.xml.in @@ -589,25 +589,25 @@ <properties> <help>Topology for clients</help> <completionHelp> - <list>net30 point-to-point subnet</list> + <list>subnet point-to-point net30</list> </completionHelp> <valueHelp> - <format>net30</format> - <description>net30 topology</description> + <format>subnet</format> + <description>Subnet topology (recommended)</description> </valueHelp> <valueHelp> <format>point-to-point</format> <description>Point-to-point topology</description> </valueHelp> <valueHelp> - <format>subnet</format> - <description>Subnet topology</description> + <format>net30</format> + <description>net30 topology (deprecated)</description> </valueHelp> <constraint> <regex>(subnet|point-to-point|net30)</regex> </constraint> </properties> - <defaultValue>net30</defaultValue> + <defaultValue>subnet</defaultValue> </leafNode> <node name="mfa"> <properties> diff --git a/python/vyos/opmode.py b/python/vyos/opmode.py index 8dab9a4ca..a9819dc4b 100644 --- a/python/vyos/opmode.py +++ b/python/vyos/opmode.py @@ -31,7 +31,15 @@ class Error(Exception): class UnconfiguredSubsystem(Error): """ Requested operation is valid, but cannot be completed - because corresponding subsystem is not configured and running. + because corresponding subsystem is not configured + and thus is not running. + """ + pass + +class UnconfiguredObject(UnconfiguredSubsystem): + """ Requested operation is valid but cannot be completed + because its parameter refers to an object that does not exist + in the system configuration. """ pass diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py index 017010a61..0dc76b39a 100755 --- a/src/conf_mode/interfaces_openvpn.py +++ b/src/conf_mode/interfaces_openvpn.py @@ -432,6 +432,13 @@ def verify(openvpn): if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet: print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.') + if 'topology' in openvpn['server']: + if openvpn['server']['topology'] == 'net30': + DeprecationWarning('Topology net30 is deprecated '\ + 'and will be removed in future VyOS versions. '\ + 'Switch to "subnet" or "p2p"' + ) + # add mfa users to the file the mfa plugin uses if dict_search('server.mfa.totp', openvpn): user_data = '' diff --git a/src/migration-scripts/openvpn/2-to-3 b/src/migration-scripts/openvpn/2-to-3 new file mode 100644 index 000000000..0b9073ae6 --- /dev/null +++ b/src/migration-scripts/openvpn/2-to-3 @@ -0,0 +1,43 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# Adds an explicit old default for 'server topology' +# to keep old configs working as before even though the default has changed. + +from vyos.configtree import ConfigTree + +def migrate(config: ConfigTree) -> None: + if not config.exists(['interfaces', 'openvpn']): + # Nothing to do + return + + ovpn_intfs = config.list_nodes(['interfaces', 'openvpn']) + for i in ovpn_intfs: + mode = config.return_value(['interfaces', 'openvpn', i, 'mode']) + if mode != 'server': + # If it's a client or a site-to-site OpenVPN interface, + # the topology setting is not applicable + # and will cause commit errors on load, + # so we must not change such interfaces. + continue + else: + # The default OpenVPN server topology was changed from net30 to subnet + # because net30 is deprecated and causes problems with Windows clients. + # We add 'net30' to old configs if topology is not set there + # to ensure that if anyone relies on net30, their configs work as before. + topology_path = ['interfaces', 'openvpn', i, 'server', 'topology'] + if not config.exists(topology_path): + config.set(topology_path, value='net30', replace=False) diff --git a/src/op_mode/bridge.py b/src/op_mode/bridge.py index d04f1541f..e80b1c21d 100755 --- a/src/op_mode/bridge.py +++ b/src/op_mode/bridge.py @@ -70,7 +70,7 @@ def _get_raw_data_fdb(bridge): # From iproute2 fdb.c, fdb_show() will only exit(-1) in case of # non-existent bridge device; raise error. if code == 255: - raise vyos.opmode.UnconfiguredSubsystem(f"no such bridge device {bridge}") + raise vyos.opmode.UnconfiguredObject(f"bridge {bridge} does not exist in the system") data_dict = json.loads(json_data) return data_dict diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py index 6f57f22a5..e5455c8af 100755 --- a/src/op_mode/dhcp.py +++ b/src/op_mode/dhcp.py @@ -332,7 +332,7 @@ def _verify_client(func): # Check if config does not exist if not config.exists(f'interfaces {interface_path} address dhcp{v}'): - raise vyos.opmode.UnconfiguredSubsystem(unconf_message) + raise vyos.opmode.UnconfiguredObject(unconf_message) return func(*args, **kwargs) return _wrapper diff --git a/src/op_mode/ssh.py b/src/op_mode/ssh.py index 102becc55..0c51576b0 100755 --- a/src/op_mode/ssh.py +++ b/src/op_mode/ssh.py @@ -65,7 +65,7 @@ def show_fingerprints(raw: bool, ascii: bool): def show_dynamic_protection(raw: bool): config = ConfigTreeQuery() if not config.exists(['service', 'ssh', 'dynamic-protection']): - raise vyos.opmode.UnconfiguredSubsystem("SSH server dynamic-protection is not enabled.") + raise vyos.opmode.UnconfiguredObject("SSH server dynamic-protection is not enabled.") attackers = [] try: diff --git a/src/op_mode/zone.py b/src/op_mode/zone.py index d24b1065b..49fecdf28 100644 --- a/src/op_mode/zone.py +++ b/src/op_mode/zone.py @@ -104,7 +104,7 @@ def _convert_config(zones_config: dict, zone: str = None) -> list: if zones_config: output = [_convert_one_zone_data(zone, zones_config)] else: - raise vyos.opmode.DataUnavailable(f'Zone {zone} not found') + raise vyos.opmode.UnconfiguredObject(f'Zone {zone} not found') else: if zones_config: output = _convert_zones_data(zones_config) @@ -212,4 +212,4 @@ if __name__ == '__main__': print(res) except (ValueError, vyos.opmode.Error) as e: print(e) - sys.exit(1)
\ No newline at end of file + sys.exit(1) diff --git a/src/services/api/graphql/session/errors/op_mode_errors.py b/src/services/api/graphql/session/errors/op_mode_errors.py index 18d555f2d..800767219 100644 --- a/src/services/api/graphql/session/errors/op_mode_errors.py +++ b/src/services/api/graphql/session/errors/op_mode_errors.py @@ -1,5 +1,6 @@ op_mode_err_msg = { "UnconfiguredSubsystem": "subsystem is not configured or not running", + "UnconfiguredObject": "object does not exist in the system configuration", "DataUnavailable": "data currently unavailable", "PermissionDenied": "client does not have permission", "InsufficientResources": "insufficient system resources", @@ -9,6 +10,7 @@ op_mode_err_msg = { op_mode_err_code = { "UnconfiguredSubsystem": 2000, + "UnconfiguredObject": 2003, "DataUnavailable": 2001, "InsufficientResources": 2002, "PermissionDenied": 1003, |