summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.github/workflows/package-smoketest.yml43
-rw-r--r--.github/workflows/trigger-rebuild-repo-package.yml15
-rw-r--r--debian/control5
-rw-r--r--interface-definitions/interfaces_bonding.xml.in1
-rw-r--r--op-mode-definitions/date.xml.in2
-rw-r--r--op-mode-definitions/execute-ssh.xml.in34
-rwxr-xr-x[-rw-r--r--]op-mode-definitions/firewall.xml.in220
-rw-r--r--op-mode-definitions/install-mok.xml.in13
-rwxr-xr-x[-rw-r--r--]op-mode-definitions/show-log.xml.in125
-rw-r--r--op-mode-definitions/show-secure-boot.xml.in21
-rw-r--r--python/vyos/configverify.py17
-rw-r--r--python/vyos/ifconfig/interface.py72
-rw-r--r--python/vyos/system/grub.py2
-rw-r--r--python/vyos/utils/boot.py6
-rw-r--r--python/vyos/utils/system.py8
-rw-r--r--smoketest/scripts/cli/base_interfaces_test.py162
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_ethernet.py142
-rwxr-xr-xsrc/activation-scripts/20-ethernet_offload.py13
-rwxr-xr-xsrc/conf_mode/interfaces_bonding.py4
-rwxr-xr-xsrc/conf_mode/interfaces_ethernet.py78
-rwxr-xr-xsrc/conf_mode/policy.py8
-rw-r--r--src/etc/sudoers.d/vyos3
-rwxr-xr-xsrc/op_mode/secure_boot.py50
-rwxr-xr-xsrc/op_mode/version.py9
-rwxr-xr-xsrc/op_mode/vpn_ike_sa.py2
25 files changed, 805 insertions, 250 deletions
diff --git a/.github/workflows/package-smoketest.yml b/.github/workflows/package-smoketest.yml
index 467ff062e..a74c35adf 100644
--- a/.github/workflows/package-smoketest.yml
+++ b/.github/workflows/package-smoketest.yml
@@ -15,6 +15,9 @@ permissions:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed for PR comments
+ BUILD_BY: autobuild@vyos.net
+ DEBIAN_MIRROR: http://deb.debian.org/debian/
+ VYOS_MIRROR: https://rolling-packages.vyos.net/current/
jobs:
build_iso:
@@ -23,9 +26,6 @@ jobs:
container:
image: vyos/vyos-build:current
options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged
- env:
- BUILD_BY: autobuild@vyos.net
- DEBIAN_MIRROR: http://deb.debian.org/debian/
outputs:
build_version: ${{ steps.version.outputs.build_version }}
steps:
@@ -52,9 +52,11 @@ jobs:
sudo --preserve-env ./build-vyos-image \
--architecture amd64 \
--build-by $BUILD_BY \
+ --build-type release \
+ --custom-package vyos-1x-smoketest \
--debian-mirror $DEBIAN_MIRROR \
--version ${{ steps.version.outputs.build_version }} \
- --build-type release \
+ --vyos-mirror $VYOS_MIRROR \
generic
- uses: actions/upload-artifact@v4
with:
@@ -154,11 +156,43 @@ jobs:
echo "exit_code=fail" >> $GITHUB_OUTPUT
fi
+ test_encrypted_config_tpm:
+ needs: build_iso
+ runs-on: ubuntu-24.04
+ timeout-minutes: 30
+ container:
+ image: vyos/vyos-build:current
+ options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged
+ outputs:
+ exit_code: ${{ steps.test.outputs.exit_code }}
+ steps:
+ # We need the test script from vyos-build repo
+ - name: Clone vyos-build source code
+ uses: actions/checkout@v4
+ with:
+ repository: vyos/vyos-build
+ - uses: actions/download-artifact@v4
+ with:
+ name: vyos-${{ needs.build_iso.outputs.build_version }}
+ path: build
+ - name: VyOS TPM encryption tests
+ id: test
+ shell: bash
+ run: |
+ set -e
+ sudo make testtpm
+ if [[ $? == 0 ]]; then
+ echo "exit_code=success" >> $GITHUB_OUTPUT
+ else
+ echo "exit_code=fail" >> $GITHUB_OUTPUT
+ fi
+
result:
needs:
- test_smoketest_cli
- test_config_load
- test_raid1_install
+ - test_encrypted_config_tpm
runs-on: ubuntu-24.04
timeout-minutes: 5
if: always()
@@ -177,6 +211,7 @@ jobs:
* CLI Smoketests ${{ needs.test_smoketest_cli.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
* Config tests ${{ needs.test_config_load.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
* RAID1 tests ${{ needs.test_raid1_install.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
+ * TPM tests ${{ needs.test_encrypted_config_tpm.outputs.exit_code == 'success' && '👍 passed' || '❌ failed' }}
message-id: "SMOKETEST_RESULTS"
allow-repeats: false
diff --git a/.github/workflows/trigger-rebuild-repo-package.yml b/.github/workflows/trigger-rebuild-repo-package.yml
index d0936b572..37ec83274 100644
--- a/.github/workflows/trigger-rebuild-repo-package.yml
+++ b/.github/workflows/trigger-rebuild-repo-package.yml
@@ -1,7 +1,7 @@
name: Trigger to build a deb package from repo
on:
- pull_request:
+ pull_request_target:
types:
- closed
branches:
@@ -23,11 +23,10 @@ jobs:
needs: get_repo_name
uses: vyos/.github/.github/workflows/trigger-rebuild-repo-package.yml@current
with:
- branch: ${{ github.ref_name }}
- package_name: ${{ needs.get_repo_name.outputs.PACKAGE_NAME }}
- REF: main # optinal because the default value is main
+ branch: ${{ github.ref_name }}
+ package_name: ${{ needs.get_repo_name.outputs.PACKAGE_NAME }}
secrets:
- REMOTE_OWNER: ${{ secrets.REMOTE_OWNER }}
- REMOTE_REUSE_REPO: ${{ secrets.REMOTE_REUSE_REPO }}
- GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
- PAT: ${{ secrets.PAT }}
+ REMOTE_OWNER: ${{ secrets.REMOTE_OWNER }}
+ REMOTE_REUSE_REPO: ${{ secrets.REMOTE_REUSE_REPO }}
+ GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+ PAT: ${{ secrets.PAT }}
diff --git a/debian/control b/debian/control
index 890100fd8..d1d1602ae 100644
--- a/debian/control
+++ b/debian/control
@@ -113,8 +113,11 @@ Depends:
efibootmgr,
libefivar1,
dosfstools,
- grub-efi-amd64-bin [amd64],
+ grub-efi-amd64-signed [amd64],
grub-efi-arm64-bin [arm64],
+ mokutil [amd64],
+ shim-signed [amd64],
+ sbsigntool [amd64],
# Image signature verification tool
minisign,
# Live filesystem tools
diff --git a/interface-definitions/interfaces_bonding.xml.in b/interface-definitions/interfaces_bonding.xml.in
index cc0327f3d..b17cad478 100644
--- a/interface-definitions/interfaces_bonding.xml.in
+++ b/interface-definitions/interfaces_bonding.xml.in
@@ -56,6 +56,7 @@
#include <include/interface/disable.xml.i>
#include <include/interface/vrf.xml.i>
#include <include/interface/mirror.xml.i>
+ #include <include/interface/eapol.xml.i>
<node name="evpn">
<properties>
<help>EVPN Multihoming</help>
diff --git a/op-mode-definitions/date.xml.in b/op-mode-definitions/date.xml.in
index 6d8586025..4e62a8335 100644
--- a/op-mode-definitions/date.xml.in
+++ b/op-mode-definitions/date.xml.in
@@ -35,7 +35,7 @@
<list>&lt;MMDDhhmm&gt; &lt;MMDDhhmmYY&gt; &lt;MMDDhhmmCCYY&gt; &lt;MMDDhhmmCCYY.ss&gt;</list>
</completionHelp>
</properties>
- <command>/bin/date "$3"</command>
+ <command>sudo bash -c "/bin/date '$3' &amp;&amp; hwclock --systohc --localtime"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/execute-ssh.xml.in b/op-mode-definitions/execute-ssh.xml.in
new file mode 100644
index 000000000..7fa656f5e
--- /dev/null
+++ b/op-mode-definitions/execute-ssh.xml.in
@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="execute">
+ <children>
+ <node name="ssh">
+ <properties>
+ <help>SSH to a node</help>
+ </properties>
+ <children>
+ <tagNode name="host">
+ <properties>
+ <help>Hostname or IP address</help>
+ <completionHelp>
+ <list>&lt;hostname&gt; &lt;x.x.x.x&gt; &lt;h:h:h:h:h:h:h:h&gt;</list>
+ </completionHelp>
+ </properties>
+ <command>/usr/bin/ssh $4</command>
+ <children>
+ <tagNode name="user">
+ <properties>
+ <help>Remote server username</help>
+ <completionHelp>
+ <list>&lt;username&gt;</list>
+ </completionHelp>
+ </properties>
+ <command>/usr/bin/ssh $6@$4</command>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in
index b6ce5bae2..82e6c8668 100644..100755
--- a/op-mode-definitions/firewall.xml.in
+++ b/op-mode-definitions/firewall.xml.in
@@ -98,6 +98,138 @@
</node>
</children>
</node>
+ <node name="input">
+ <properties>
+ <help>Show bridge input firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show bridge input filter firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of bridge input filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge input filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of bridge input filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge input filter rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of specific bridge input filter firewall rule</help>
+ <completionHelp>
+ <path>firewall bridge input filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
+ <node name="output">
+ <properties>
+ <help>Show bridge output firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show bridge output filter firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of bridge output filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge output filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of bridge output filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge output filter rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of specific bridge output filter firewall rule</help>
+ <completionHelp>
+ <path>firewall bridge output filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
+ <node name="prerouting">
+ <properties>
+ <help>Show bridge prerouting firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show bridge prerouting filter firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of bridge prerouting filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of bridge prerouting filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of specific bridge prerouting filter firewall rule</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show bridge custom firewall chains</help>
@@ -278,6 +410,50 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show IPv6 prerouting firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show IPv6 prerouting raw firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv6 prerouting raw firewall ruleset</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv6 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv6 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw rule detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show IPv6 custom firewall chains</help>
@@ -458,6 +634,50 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show IPv4 prerouting firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show IPv4 prerouting raw firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv4 prerouting raw firewall ruleset</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv4 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv4 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw rule detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show IPv4 custom firewall chains</help>
diff --git a/op-mode-definitions/install-mok.xml.in b/op-mode-definitions/install-mok.xml.in
new file mode 100644
index 000000000..18526a354
--- /dev/null
+++ b/op-mode-definitions/install-mok.xml.in
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<interfaceDefinition>
+ <node name="install">
+ <children>
+ <leafNode name="mok">
+ <properties>
+ <help>Install Secure Boot MOK (Machine Owner Key)</help>
+ </properties>
+ <command>if test -f /var/lib/shim-signed/mok/MOK.der; then sudo mokutil --ignore-keyring --import /var/lib/shim-signed/mok/MOK.der; else echo "Secure Boot Machine Owner Key not found"; fi</command>
+ </leafNode>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index f0fad63d2..c2504686d 100644..100755
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -172,6 +172,81 @@
</node>
</children>
</node>
+ <node name="input">
+ <properties>
+ <help>Show Bridge input firewall log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-INP</command>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show Bridge firewall input filter</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-INP-filter</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall bridge input filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[bri-INP-filter-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <node name="output">
+ <properties>
+ <help>Show Bridge output firewall log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-OUT</command>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show Bridge firewall output filter</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-OUT-filter</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall bridge output filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[bri-OUT-filter-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <node name="prerouting">
+ <properties>
+ <help>Show Bridge prerouting firewall log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-PRE</command>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show Bridge firewall prerouting filter</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-PRE-filter</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[bri-PRE-filter-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show custom Bridge firewall log</help>
@@ -295,6 +370,31 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show firewall IPv4 prerouting log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv4-PRE</command>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show firewall IPv4 prerouting raw log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv4-PRE-raw</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[ipv4-PRE-raw-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
</children>
</node>
<node name="ipv6">
@@ -398,6 +498,31 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show firewall IPv6 prerouting log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv6-PRE</command>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show firewall IPv6 prerouting raw log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv6-PRE-raw</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[ipv6-PRE-raw-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
</children>
</node>
</children>
diff --git a/op-mode-definitions/show-secure-boot.xml.in b/op-mode-definitions/show-secure-boot.xml.in
new file mode 100644
index 000000000..ff731bac9
--- /dev/null
+++ b/op-mode-definitions/show-secure-boot.xml.in
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="show">
+ <children>
+ <node name="secure-boot">
+ <properties>
+ <help>Show Secure Boot state</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/secure_boot.py show</command>
+ <children>
+ <leafNode name="keys">
+ <properties>
+ <help>Show enrolled certificates</help>
+ </properties>
+ <command>mokutil --list-enrolled</command>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 59b67300d..92996f2ee 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -520,3 +520,20 @@ def verify_pki_dh_parameters(config: dict, dh_name: str, min_key_size: int=0):
dh_bits = dh_numbers.p.bit_length()
if dh_bits < min_key_size:
raise ConfigError(f'Minimum DH key-size is {min_key_size} bits!')
+
+def verify_eapol(config: dict):
+ """
+ Common helper function used by interface implementations to perform
+ recurring validation of EAPoL configuration.
+ """
+ if 'eapol' not in config:
+ return
+
+ if 'certificate' not in config['eapol']:
+ raise ConfigError('Certificate must be specified when using EAPoL!')
+
+ verify_pki_certificate(config, config['eapol']['certificate'], no_password_protected=True)
+
+ if 'ca_certificate' in config['eapol']:
+ for ca_cert in config['eapol']['ca_certificate']:
+ verify_pki_ca_certificate(config, ca_cert)
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 72d3d3afe..31fcf6ca6 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -32,6 +32,12 @@ from vyos.configdict import list_diff
from vyos.configdict import dict_merge
from vyos.configdict import get_vlan_ids
from vyos.defaults import directories
+from vyos.pki import find_chain
+from vyos.pki import encode_certificate
+from vyos.pki import load_certificate
+from vyos.pki import wrap_private_key
+from vyos.template import is_ipv4
+from vyos.template import is_ipv6
from vyos.template import render
from vyos.utils.network import mac2eui64
from vyos.utils.dict import dict_search
@@ -41,9 +47,8 @@ from vyos.utils.network import get_vrf_tableid
from vyos.utils.network import is_netns_interface
from vyos.utils.process import is_systemd_service_active
from vyos.utils.process import run
-from vyos.template import is_ipv4
-from vyos.template import is_ipv6
from vyos.utils.file import read_file
+from vyos.utils.file import write_file
from vyos.utils.network import is_intf_addr_assigned
from vyos.utils.network import is_ipv6_link_local
from vyos.utils.assertion import assert_boolean
@@ -52,7 +57,6 @@ from vyos.utils.assertion import assert_mac
from vyos.utils.assertion import assert_mtu
from vyos.utils.assertion import assert_positive
from vyos.utils.assertion import assert_range
-
from vyos.ifconfig.control import Control
from vyos.ifconfig.vrrp import VRRP
from vyos.ifconfig.operational import Operational
@@ -377,6 +381,9 @@ class Interface(Control):
>>> i = Interface('eth0')
>>> i.remove()
"""
+ # Stop WPA supplicant if EAPoL was in use
+ if is_systemd_service_active(f'wpa_supplicant-wired@{self.ifname}'):
+ self._cmd(f'systemctl stop wpa_supplicant-wired@{self.ifname}')
# remove all assigned IP addresses from interface - this is a bit redundant
# as the kernel will remove all addresses on interface deletion, but we
@@ -1522,6 +1529,61 @@ class Interface(Control):
return None
self.set_interface('per_client_thread', enable)
+ def set_eapol(self) -> None:
+ """ Take care about EAPoL supplicant daemon """
+
+ # XXX: wpa_supplicant works on the source interface
+ cfg_dir = '/run/wpa_supplicant'
+ wpa_supplicant_conf = f'{cfg_dir}/{self.ifname}.conf'
+ eapol_action='stop'
+
+ if 'eapol' in self.config:
+ # The default is a fallback to hw_id which is not present for any interface
+ # other then an ethernet interface. Thus we emulate hw_id by reading back the
+ # Kernel assigned MAC address
+ if 'hw_id' not in self.config:
+ self.config['hw_id'] = read_file(f'/sys/class/net/{self.ifname}/address')
+ render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', self.config)
+
+ cert_file_path = os.path.join(cfg_dir, f'{self.ifname}_cert.pem')
+ cert_key_path = os.path.join(cfg_dir, f'{self.ifname}_cert.key')
+
+ cert_name = self.config['eapol']['certificate']
+ pki_cert = self.config['pki']['certificate'][cert_name]
+
+ loaded_pki_cert = load_certificate(pki_cert['certificate'])
+ loaded_ca_certs = {load_certificate(c['certificate'])
+ for c in self.config['pki']['ca'].values()} if 'ca' in self.config['pki'] else {}
+
+ cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
+
+ write_file(cert_file_path,
+ '\n'.join(encode_certificate(c) for c in cert_full_chain))
+ write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
+
+ if 'ca_certificate' in self.config['eapol']:
+ ca_cert_file_path = os.path.join(cfg_dir, f'{self.ifname}_ca.pem')
+ ca_chains = []
+
+ for ca_cert_name in self.config['eapol']['ca_certificate']:
+ pki_ca_cert = self.config['pki']['ca'][ca_cert_name]
+ loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
+ ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
+ ca_chains.append(
+ '\n'.join(encode_certificate(c) for c in ca_full_chain))
+
+ write_file(ca_cert_file_path, '\n'.join(ca_chains))
+
+ eapol_action='reload-or-restart'
+
+ # start/stop WPA supplicant service
+ self._cmd(f'systemctl {eapol_action} wpa_supplicant-wired@{self.ifname}')
+
+ if 'eapol' not in self.config:
+ # delete configuration on interface removal
+ if os.path.isfile(wpa_supplicant_conf):
+ os.unlink(wpa_supplicant_conf)
+
def update(self, config):
""" General helper function which works on a dictionary retrived by
get_config_dict(). It's main intention is to consolidate the scattered
@@ -1609,7 +1671,6 @@ class Interface(Control):
tmp = get_interface_config(config['ifname'])
if 'master' in tmp and tmp['master'] != bridge_if:
self.set_vrf('')
-
else:
self.set_vrf(config.get('vrf', ''))
@@ -1752,6 +1813,9 @@ class Interface(Control):
value = '1' if (tmp != None) else '0'
self.set_per_client_thread(value)
+ # enable/disable EAPoL (Extensible Authentication Protocol over Local Area Network)
+ self.set_eapol()
+
# Enable/Disable of an interface must always be done at the end of the
# derived class to make use of the ref-counting set_admin_state()
# function. We will only enable the interface if 'up' was called as
diff --git a/python/vyos/system/grub.py b/python/vyos/system/grub.py
index daddb799a..de8303ee2 100644
--- a/python/vyos/system/grub.py
+++ b/python/vyos/system/grub.py
@@ -82,7 +82,7 @@ def install(drive_path: str, boot_dir: str, efi_dir: str, id: str = 'VyOS', chro
f'{chroot_cmd} grub-install --no-floppy --recheck --target={efi_installation_arch}-efi \
--force-extra-removable --boot-directory={boot_dir} \
--efi-directory={efi_dir} --bootloader-id="{id}" \
- --no-uefi-secure-boot'
+ --uefi-secure-boot'
)
diff --git a/python/vyos/utils/boot.py b/python/vyos/utils/boot.py
index 3aecbec64..708bef14d 100644
--- a/python/vyos/utils/boot.py
+++ b/python/vyos/utils/boot.py
@@ -1,4 +1,4 @@
-# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -33,3 +33,7 @@ def boot_configuration_success() -> bool:
if int(res) == 0:
return True
return False
+
+def is_uefi_system() -> bool:
+ efi_fw_dir = '/sys/firmware/efi'
+ return os.path.exists(efi_fw_dir) and os.path.isdir(efi_fw_dir)
diff --git a/python/vyos/utils/system.py b/python/vyos/utils/system.py
index fca93d118..7b12efb14 100644
--- a/python/vyos/utils/system.py
+++ b/python/vyos/utils/system.py
@@ -139,3 +139,11 @@ def get_load_averages():
res[15] = float(matches["fifteen"]) / core_count
return res
+
+def get_secure_boot_state() -> bool:
+ from vyos.utils.process import cmd
+ from vyos.utils.boot import is_uefi_system
+ if not is_uefi_system():
+ return False
+ tmp = cmd('mokutil --sb-state')
+ return bool('enabled' in tmp)
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index e7e29387f..593b4b415 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -12,6 +12,8 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import re
+
from netifaces import AF_INET
from netifaces import AF_INET6
from netifaces import ifaddresses
@@ -22,6 +24,7 @@ from vyos.configsession import ConfigSessionError
from vyos.defaults import directories
from vyos.ifconfig import Interface
from vyos.ifconfig import Section
+from vyos.pki import CERT_BEGIN
from vyos.utils.file import read_file
from vyos.utils.dict import dict_search
from vyos.utils.process import cmd
@@ -40,6 +43,79 @@ dhclient_process_name = 'dhclient'
dhcp6c_base_dir = directories['dhcp6_client_dir']
dhcp6c_process_name = 'dhcp6c'
+server_ca_root_cert_data = """
+MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIw
+HjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjBa
+Fw0zMjAyMTUxOTQxMjBaMB4xHDAaBgNVBAMME1Z5T1Mgc2VydmVyIHJvb3QgQ0Ew
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0y24GzKQf4aM2Ir12tI9yITOIzAUj
+ZXyJeCmYI6uAnyAMqc4Q4NKyfq3nBi4XP87cs1jlC1P2BZ8MsjL5MdGWozIwMDAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRwC/YaieMEnjhYa7K3Flw/o0SFuzAK
+BggqhkjOPQQDAgNJADBGAiEAh3qEj8vScsjAdBy5shXzXDVVOKWCPTdGrPKnu8UW
+a2cCIQDlDgkzWmn5ujc5ATKz1fj+Se/aeqwh4QyoWCVTFLIxhQ==
+"""
+
+server_ca_intermediate_cert_data = """
+MIIBmTCCAT+gAwIBAgIUNzrtHzLmi3QpPK57tUgCnJZhXXQwCgYIKoZIzj0EAwIw
+HjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFa
+Fw0zMjAyMTUxOTQxMjFaMCYxJDAiBgNVBAMMG1Z5T1Mgc2VydmVyIGludGVybWVk
+aWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEl2nJ1CzoqPV6hWII2m
+eGN/uieU6wDMECTk/LgG8CCCSYb488dibUiFN/1UFsmoLIdIhkx/6MUCYh62m8U2
+WNujUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMV3YwH88I5gFsFUibbQ
+kMR0ECPsMB8GA1UdIwQYMBaAFHAL9hqJ4wSeOFhrsrcWXD+jRIW7MAoGCCqGSM49
+BAMCA0gAMEUCIQC/ahujD9dp5pMMCd3SZddqGC9cXtOwMN0JR3e5CxP13AIgIMQm
+jMYrinFoInxmX64HfshYqnUY8608nK9D2BNPOHo=
+"""
+
+client_ca_root_cert_data = """
+MIIBcDCCARagAwIBAgIUZmoW2xVdwkZSvglnkCq0AHKa6zIwCgYIKoZIzj0EAwIw
+HjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFa
+Fw0zMjAyMTUxOTQxMjFaMB4xHDAaBgNVBAMME1Z5T1MgY2xpZW50IHJvb3QgQ0Ew
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUpKXzQk2NOVKDN4VULk2yw4mOKPvn
+mg947+VY7lbpfOfAUD0QRg95qZWCw899eKnXp/U4TkAVrmEKhUb6OJTFozIwMDAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTXu6xGWUl25X3sBtrhm3BJSICIATAK
+BggqhkjOPQQDAgNIADBFAiEAnTzEwuTI9bz2Oae3LZbjP6f/f50KFJtjLZFDbQz7
+DpYCIDNRHV8zBUibC+zg5PqMpQBKd/oPfNU76nEv6xkp/ijO
+"""
+
+client_ca_intermediate_cert_data = """
+MIIBmDCCAT+gAwIBAgIUJEMdotgqA7wU4XXJvEzDulUAGqgwCgYIKoZIzj0EAwIw
+HjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjJa
+Fw0zMjAyMTUxOTQxMjJaMCYxJDAiBgNVBAMMG1Z5T1MgY2xpZW50IGludGVybWVk
+aWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGyIVIi217s9j3O+WQ2b
+6R65/Z0ZjQpELxPjBRc0CA0GFCo+pI5EvwI+jNFArvTAJ5+ZdEWUJ1DQhBKDDQdI
+avCjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOUS8oNJjChB1Rb9Blcl
+ETvziHJ9MB8GA1UdIwQYMBaAFNe7rEZZSXblfewG2uGbcElIgIgBMAoGCCqGSM49
+BAMCA0cAMEQCIArhaxWgRsAUbEeNHD/ULtstLHxw/P97qPUSROLQld53AiBjgiiz
+9pDfISmpekZYz6bIDWRIR0cXUToZEMFNzNMrQg==
+"""
+
+client_cert_data = """
+MIIBmTCCAUCgAwIBAgIUV5T77XdE/tV82Tk4Vzhp5BIFFm0wCgYIKoZIzj0EAwIw
+JjEkMCIGA1UEAwwbVnlPUyBjbGllbnQgaW50ZXJtZWRpYXRlIENBMB4XDTIyMDIx
+NzE5NDEyMloXDTMyMDIxNTE5NDEyMlowIjEgMB4GA1UEAwwXVnlPUyBjbGllbnQg
+Y2VydGlmaWNhdGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARuyynqfc/qJj5e
+KJ03oOH8X4Z8spDeAPO9WYckMM0ldPj+9kU607szFzPwjaPWzPdgyIWz3hcN8yAh
+CIhytmJao1AwTjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTIFKrxZ+PqOhYSUqnl
+TGCUmM7wTjAfBgNVHSMEGDAWgBTlEvKDSYwoQdUW/QZXJRE784hyfTAKBggqhkjO
+PQQDAgNHADBEAiAvO8/jvz05xqmP3OXD53XhfxDLMIxzN4KPoCkFqvjlhQIgIHq2
+/geVx3rAOtSps56q/jiDouN/aw01TdpmGKVAa9U=
+"""
+
+client_key_data = """
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgxaxAQsJwjoOCByQE
++qSYKtKtJzbdbOnTsKNSrfgkFH6hRANCAARuyynqfc/qJj5eKJ03oOH8X4Z8spDe
+APO9WYckMM0ldPj+9kU607szFzPwjaPWzPdgyIWz3hcN8yAhCIhytmJa
+"""
+
+def get_wpa_supplicant_value(interface, key):
+ tmp = read_file(f'/run/wpa_supplicant/{interface}.conf')
+ tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
+ return tmp[0]
+
+def get_certificate_count(interface, cert_type):
+ tmp = read_file(f'/run/wpa_supplicant/{interface}_{cert_type}.pem')
+ return tmp.count(CERT_BEGIN)
+
def is_mirrored_to(interface, mirror_if, qdisc):
"""
Ask TC if we are mirroring traffic to a discrete interface.
@@ -57,10 +133,10 @@ def is_mirrored_to(interface, mirror_if, qdisc):
if mirror_if in tmp:
ret_val = True
return ret_val
-
class BasicInterfaceTest:
class TestCase(VyOSUnitTestSHIM.TestCase):
_test_dhcp = False
+ _test_eapol = False
_test_ip = False
_test_mtu = False
_test_vlan = False
@@ -92,6 +168,7 @@ class BasicInterfaceTest:
cls._test_vlan = cli_defined(cls._base_path, 'vif')
cls._test_qinq = cli_defined(cls._base_path, 'vif-s')
cls._test_dhcp = cli_defined(cls._base_path, 'dhcp-options')
+ cls._test_eapol = cli_defined(cls._base_path, 'eapol')
cls._test_ip = cli_defined(cls._base_path, 'ip')
cls._test_ipv6 = cli_defined(cls._base_path, 'ipv6')
cls._test_ipv6_dhcpc6 = cli_defined(cls._base_path, 'dhcpv6-options')
@@ -1158,3 +1235,86 @@ class BasicInterfaceTest:
# as until commit() is called, nothing happens
section = Section.section(delegatee)
self.cli_delete(['interfaces', section, delegatee])
+
+ def test_eapol(self):
+ if not self._test_eapol:
+ self.skipTest('not supported')
+
+ cfg_dir = '/run/wpa_supplicant'
+
+ ca_certs = {
+ 'eapol-server-ca-root': server_ca_root_cert_data,
+ 'eapol-server-ca-intermediate': server_ca_intermediate_cert_data,
+ 'eapol-client-ca-root': client_ca_root_cert_data,
+ 'eapol-client-ca-intermediate': client_ca_intermediate_cert_data,
+ }
+ cert_name = 'eapol-client'
+
+ for name, data in ca_certs.items():
+ self.cli_set(['pki', 'ca', name, 'certificate', data.replace('\n','')])
+
+ self.cli_set(['pki', 'certificate', cert_name, 'certificate', client_cert_data.replace('\n','')])
+ self.cli_set(['pki', 'certificate', cert_name, 'private', 'key', client_key_data.replace('\n','')])
+
+ for interface in self._interfaces:
+ path = self._base_path + [interface]
+ for option in self._options.get(interface, []):
+ self.cli_set(path + option.split())
+
+ # Enable EAPoL
+ self.cli_set(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-server-ca-intermediate'])
+ self.cli_set(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-client-ca-intermediate'])
+ self.cli_set(self._base_path + [interface, 'eapol', 'certificate', cert_name])
+
+ self.cli_commit()
+
+ # Test multiple CA chains
+ self.assertEqual(get_certificate_count(interface, 'ca'), 4)
+
+ for interface in self._interfaces:
+ self.cli_delete(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-client-ca-intermediate'])
+
+ self.cli_commit()
+
+ # Validate interface config
+ for interface in self._interfaces:
+ tmp = get_wpa_supplicant_value(interface, 'key_mgmt')
+ self.assertEqual('IEEE8021X', tmp)
+
+ tmp = get_wpa_supplicant_value(interface, 'eap')
+ self.assertEqual('TLS', tmp)
+
+ tmp = get_wpa_supplicant_value(interface, 'eapol_flags')
+ self.assertEqual('0', tmp)
+
+ tmp = get_wpa_supplicant_value(interface, 'ca_cert')
+ self.assertEqual(f'"{cfg_dir}/{interface}_ca.pem"', tmp)
+
+ tmp = get_wpa_supplicant_value(interface, 'client_cert')
+ self.assertEqual(f'"{cfg_dir}/{interface}_cert.pem"', tmp)
+
+ tmp = get_wpa_supplicant_value(interface, 'private_key')
+ self.assertEqual(f'"{cfg_dir}/{interface}_cert.key"', tmp)
+
+ mac = read_file(f'/sys/class/net/{interface}/address')
+ tmp = get_wpa_supplicant_value(interface, 'identity')
+ self.assertEqual(f'"{mac}"', tmp)
+
+ # Check certificate files have the full chain
+ self.assertEqual(get_certificate_count(interface, 'ca'), 2)
+ self.assertEqual(get_certificate_count(interface, 'cert'), 3)
+
+ # Check for running process
+ self.assertTrue(process_named_running('wpa_supplicant', cmdline=f'-i{interface}'))
+
+ # Remove EAPoL configuration
+ for interface in self._interfaces:
+ self.cli_delete(self._base_path + [interface, 'eapol'])
+
+ # Commit and check that process is no longer running
+ self.cli_commit()
+ self.assertFalse(process_named_running('wpa_supplicant'))
+
+ for name in ca_certs:
+ self.cli_delete(['pki', 'ca', name])
+ self.cli_delete(['pki', 'certificate', cert_name])
diff --git a/smoketest/scripts/cli/test_interfaces_ethernet.py b/smoketest/scripts/cli/test_interfaces_ethernet.py
index 4843a40da..3d12364f7 100755
--- a/smoketest/scripts/cli/test_interfaces_ethernet.py
+++ b/smoketest/scripts/cli/test_interfaces_ethernet.py
@@ -15,7 +15,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-import re
import unittest
from glob import glob
@@ -28,86 +27,11 @@ from netifaces import ifaddresses
from base_interfaces_test import BasicInterfaceTest
from vyos.configsession import ConfigSessionError
from vyos.ifconfig import Section
-from vyos.pki import CERT_BEGIN
from vyos.utils.process import cmd
-from vyos.utils.process import process_named_running
from vyos.utils.process import popen
from vyos.utils.file import read_file
from vyos.utils.network import is_ipv6_link_local
-server_ca_root_cert_data = """
-MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIw
-HjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjBa
-Fw0zMjAyMTUxOTQxMjBaMB4xHDAaBgNVBAMME1Z5T1Mgc2VydmVyIHJvb3QgQ0Ew
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ0y24GzKQf4aM2Ir12tI9yITOIzAUj
-ZXyJeCmYI6uAnyAMqc4Q4NKyfq3nBi4XP87cs1jlC1P2BZ8MsjL5MdGWozIwMDAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRwC/YaieMEnjhYa7K3Flw/o0SFuzAK
-BggqhkjOPQQDAgNJADBGAiEAh3qEj8vScsjAdBy5shXzXDVVOKWCPTdGrPKnu8UW
-a2cCIQDlDgkzWmn5ujc5ATKz1fj+Se/aeqwh4QyoWCVTFLIxhQ==
-"""
-
-server_ca_intermediate_cert_data = """
-MIIBmTCCAT+gAwIBAgIUNzrtHzLmi3QpPK57tUgCnJZhXXQwCgYIKoZIzj0EAwIw
-HjEcMBoGA1UEAwwTVnlPUyBzZXJ2ZXIgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFa
-Fw0zMjAyMTUxOTQxMjFaMCYxJDAiBgNVBAMMG1Z5T1Mgc2VydmVyIGludGVybWVk
-aWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEl2nJ1CzoqPV6hWII2m
-eGN/uieU6wDMECTk/LgG8CCCSYb488dibUiFN/1UFsmoLIdIhkx/6MUCYh62m8U2
-WNujUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMV3YwH88I5gFsFUibbQ
-kMR0ECPsMB8GA1UdIwQYMBaAFHAL9hqJ4wSeOFhrsrcWXD+jRIW7MAoGCCqGSM49
-BAMCA0gAMEUCIQC/ahujD9dp5pMMCd3SZddqGC9cXtOwMN0JR3e5CxP13AIgIMQm
-jMYrinFoInxmX64HfshYqnUY8608nK9D2BNPOHo=
-"""
-
-client_ca_root_cert_data = """
-MIIBcDCCARagAwIBAgIUZmoW2xVdwkZSvglnkCq0AHKa6zIwCgYIKoZIzj0EAwIw
-HjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjFa
-Fw0zMjAyMTUxOTQxMjFaMB4xHDAaBgNVBAMME1Z5T1MgY2xpZW50IHJvb3QgQ0Ew
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUpKXzQk2NOVKDN4VULk2yw4mOKPvn
-mg947+VY7lbpfOfAUD0QRg95qZWCw899eKnXp/U4TkAVrmEKhUb6OJTFozIwMDAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTXu6xGWUl25X3sBtrhm3BJSICIATAK
-BggqhkjOPQQDAgNIADBFAiEAnTzEwuTI9bz2Oae3LZbjP6f/f50KFJtjLZFDbQz7
-DpYCIDNRHV8zBUibC+zg5PqMpQBKd/oPfNU76nEv6xkp/ijO
-"""
-
-client_ca_intermediate_cert_data = """
-MIIBmDCCAT+gAwIBAgIUJEMdotgqA7wU4XXJvEzDulUAGqgwCgYIKoZIzj0EAwIw
-HjEcMBoGA1UEAwwTVnlPUyBjbGllbnQgcm9vdCBDQTAeFw0yMjAyMTcxOTQxMjJa
-Fw0zMjAyMTUxOTQxMjJaMCYxJDAiBgNVBAMMG1Z5T1MgY2xpZW50IGludGVybWVk
-aWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGyIVIi217s9j3O+WQ2b
-6R65/Z0ZjQpELxPjBRc0CA0GFCo+pI5EvwI+jNFArvTAJ5+ZdEWUJ1DQhBKDDQdI
-avCjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOUS8oNJjChB1Rb9Blcl
-ETvziHJ9MB8GA1UdIwQYMBaAFNe7rEZZSXblfewG2uGbcElIgIgBMAoGCCqGSM49
-BAMCA0cAMEQCIArhaxWgRsAUbEeNHD/ULtstLHxw/P97qPUSROLQld53AiBjgiiz
-9pDfISmpekZYz6bIDWRIR0cXUToZEMFNzNMrQg==
-"""
-
-client_cert_data = """
-MIIBmTCCAUCgAwIBAgIUV5T77XdE/tV82Tk4Vzhp5BIFFm0wCgYIKoZIzj0EAwIw
-JjEkMCIGA1UEAwwbVnlPUyBjbGllbnQgaW50ZXJtZWRpYXRlIENBMB4XDTIyMDIx
-NzE5NDEyMloXDTMyMDIxNTE5NDEyMlowIjEgMB4GA1UEAwwXVnlPUyBjbGllbnQg
-Y2VydGlmaWNhdGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARuyynqfc/qJj5e
-KJ03oOH8X4Z8spDeAPO9WYckMM0ldPj+9kU607szFzPwjaPWzPdgyIWz3hcN8yAh
-CIhytmJao1AwTjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTIFKrxZ+PqOhYSUqnl
-TGCUmM7wTjAfBgNVHSMEGDAWgBTlEvKDSYwoQdUW/QZXJRE784hyfTAKBggqhkjO
-PQQDAgNHADBEAiAvO8/jvz05xqmP3OXD53XhfxDLMIxzN4KPoCkFqvjlhQIgIHq2
-/geVx3rAOtSps56q/jiDouN/aw01TdpmGKVAa9U=
-"""
-
-client_key_data = """
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgxaxAQsJwjoOCByQE
-+qSYKtKtJzbdbOnTsKNSrfgkFH6hRANCAARuyynqfc/qJj5eKJ03oOH8X4Z8spDe
-APO9WYckMM0ldPj+9kU607szFzPwjaPWzPdgyIWz3hcN8yAhCIhytmJa
-"""
-
-def get_wpa_supplicant_value(interface, key):
- tmp = read_file(f'/run/wpa_supplicant/{interface}.conf')
- tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
- return tmp[0]
-
-def get_certificate_count(interface, cert_type):
- tmp = read_file(f'/run/wpa_supplicant/{interface}_{cert_type}.pem')
- return tmp.count(CERT_BEGIN)
-
class EthernetInterfaceTest(BasicInterfaceTest.TestCase):
@classmethod
def setUpClass(cls):
@@ -237,72 +161,6 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase):
self.cli_set(self._base_path + [interface, 'speed', 'auto'])
self.cli_commit()
- def test_eapol_support(self):
- ca_certs = {
- 'eapol-server-ca-root': server_ca_root_cert_data,
- 'eapol-server-ca-intermediate': server_ca_intermediate_cert_data,
- 'eapol-client-ca-root': client_ca_root_cert_data,
- 'eapol-client-ca-intermediate': client_ca_intermediate_cert_data,
- }
- cert_name = 'eapol-client'
-
- for name, data in ca_certs.items():
- self.cli_set(['pki', 'ca', name, 'certificate', data.replace('\n','')])
-
- self.cli_set(['pki', 'certificate', cert_name, 'certificate', client_cert_data.replace('\n','')])
- self.cli_set(['pki', 'certificate', cert_name, 'private', 'key', client_key_data.replace('\n','')])
-
- for interface in self._interfaces:
- # Enable EAPoL
- self.cli_set(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-server-ca-intermediate'])
- self.cli_set(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-client-ca-intermediate'])
- self.cli_set(self._base_path + [interface, 'eapol', 'certificate', cert_name])
-
- self.cli_commit()
-
- # Test multiple CA chains
- self.assertEqual(get_certificate_count(interface, 'ca'), 4)
-
- for interface in self._interfaces:
- self.cli_delete(self._base_path + [interface, 'eapol', 'ca-certificate', 'eapol-client-ca-intermediate'])
-
- self.cli_commit()
-
- # Check for running process
- self.assertTrue(process_named_running('wpa_supplicant'))
-
- # Validate interface config
- for interface in self._interfaces:
- tmp = get_wpa_supplicant_value(interface, 'key_mgmt')
- self.assertEqual('IEEE8021X', tmp)
-
- tmp = get_wpa_supplicant_value(interface, 'eap')
- self.assertEqual('TLS', tmp)
-
- tmp = get_wpa_supplicant_value(interface, 'eapol_flags')
- self.assertEqual('0', tmp)
-
- tmp = get_wpa_supplicant_value(interface, 'ca_cert')
- self.assertEqual(f'"/run/wpa_supplicant/{interface}_ca.pem"', tmp)
-
- tmp = get_wpa_supplicant_value(interface, 'client_cert')
- self.assertEqual(f'"/run/wpa_supplicant/{interface}_cert.pem"', tmp)
-
- tmp = get_wpa_supplicant_value(interface, 'private_key')
- self.assertEqual(f'"/run/wpa_supplicant/{interface}_cert.key"', tmp)
-
- mac = read_file(f'/sys/class/net/{interface}/address')
- tmp = get_wpa_supplicant_value(interface, 'identity')
- self.assertEqual(f'"{mac}"', tmp)
-
- # Check certificate files have the full chain
- self.assertEqual(get_certificate_count(interface, 'ca'), 2)
- self.assertEqual(get_certificate_count(interface, 'cert'), 3)
-
- for name in ca_certs:
- self.cli_delete(['pki', 'ca', name])
- self.cli_delete(['pki', 'certificate', cert_name])
-
def test_ethtool_ring_buffer(self):
for interface in self._interfaces:
# We do not use vyos.ethtool here to not have any chance
diff --git a/src/activation-scripts/20-ethernet_offload.py b/src/activation-scripts/20-ethernet_offload.py
index 33b0ea469..ca7213512 100755
--- a/src/activation-scripts/20-ethernet_offload.py
+++ b/src/activation-scripts/20-ethernet_offload.py
@@ -17,9 +17,12 @@
# CLI. See https://vyos.dev/T3619#102254 for all the details.
# T3787: Remove deprecated UDP fragmentation offloading option
# T6006: add to activation-scripts: migration-scripts/interfaces/20-to-21
+# T6716: Honor the configured offload settings and don't automatically add
+# them to the config if the kernel has them set (unless its a live boot)
from vyos.ethtool import Ethtool
from vyos.configtree import ConfigTree
+from vyos.system.image import is_live_boot
def activate(config: ConfigTree):
base = ['interfaces', 'ethernet']
@@ -36,7 +39,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_generic_receive_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'gro'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'gro'])
# If GSO is enabled by the Kernel - we reflect this on the CLI. If GSO is
@@ -45,7 +48,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_generic_segmentation_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'gso'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'gso'])
# If LRO is enabled by the Kernel - we reflect this on the CLI. If LRO is
@@ -54,7 +57,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_large_receive_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'lro'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'lro'])
# If SG is enabled by the Kernel - we reflect this on the CLI. If SG is
@@ -63,7 +66,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_scatter_gather()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'sg'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'sg'])
# If TSO is enabled by the Kernel - we reflect this on the CLI. If TSO is
@@ -72,7 +75,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_tcp_segmentation_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'tso'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'tso'])
# Remove deprecated UDP fragmentation offloading option
diff --git a/src/conf_mode/interfaces_bonding.py b/src/conf_mode/interfaces_bonding.py
index 5e5d5fba1..bbbfb0385 100755
--- a/src/conf_mode/interfaces_bonding.py
+++ b/src/conf_mode/interfaces_bonding.py
@@ -25,6 +25,7 @@ from vyos.configdict import is_source_interface
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_eapol
from vyos.configverify import verify_mirror_redirect
from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vlan_config
@@ -73,7 +74,7 @@ def get_config(config=None):
else:
conf = Config()
base = ['interfaces', 'bonding']
- ifname, bond = get_interface_dict(conf, base)
+ ifname, bond = get_interface_dict(conf, base, with_pki=True)
# To make our own life easier transfor the list of member interfaces
# into a dictionary - we will use this to add additional information
@@ -196,6 +197,7 @@ def verify(bond):
verify_dhcpv6(bond)
verify_vrf(bond)
verify_mirror_redirect(bond)
+ verify_eapol(bond)
# use common function to verify VLAN configuration
verify_vlan_config(bond)
diff --git a/src/conf_mode/interfaces_ethernet.py b/src/conf_mode/interfaces_ethernet.py
index afc48ead8..34ce7bc47 100755
--- a/src/conf_mode/interfaces_ethernet.py
+++ b/src/conf_mode/interfaces_ethernet.py
@@ -31,32 +31,20 @@ from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vlan_config
from vyos.configverify import verify_vrf
from vyos.configverify import verify_bond_bridge_member
-from vyos.configverify import verify_pki_certificate
-from vyos.configverify import verify_pki_ca_certificate
+from vyos.configverify import verify_eapol
from vyos.ethtool import Ethtool
from vyos.ifconfig import EthernetIf
from vyos.ifconfig import BondIf
-from vyos.pki import find_chain
-from vyos.pki import encode_certificate
-from vyos.pki import load_certificate
-from vyos.pki import wrap_private_key
-from vyos.template import render
from vyos.template import render_to_string
-from vyos.utils.process import call
from vyos.utils.dict import dict_search
from vyos.utils.dict import dict_to_paths_values
from vyos.utils.dict import dict_set
from vyos.utils.dict import dict_delete
-from vyos.utils.file import write_file
from vyos import ConfigError
from vyos import frr
from vyos import airbag
airbag.enable()
-# XXX: wpa_supplicant works on the source interface
-cfg_dir = '/run/wpa_supplicant'
-wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf'
-
def update_bond_options(conf: Config, eth_conf: dict) -> list:
"""
Return list of blocked options if interface is a bond member
@@ -277,23 +265,6 @@ def verify_allowedbond_changes(ethernet: dict):
f' on interface "{ethernet["ifname"]}".' \
f' Interface is a bond member')
-def verify_eapol(ethernet: dict):
- """
- Common helper function used by interface implementations to perform
- recurring validation of EAPoL configuration.
- """
- if 'eapol' not in ethernet:
- return
-
- if 'certificate' not in ethernet['eapol']:
- raise ConfigError('Certificate must be specified when using EAPoL!')
-
- verify_pki_certificate(ethernet, ethernet['eapol']['certificate'], no_password_protected=True)
-
- if 'ca_certificate' in ethernet['eapol']:
- for ca_cert in ethernet['eapol']['ca_certificate']:
- verify_pki_ca_certificate(ethernet, ca_cert)
-
def verify(ethernet):
if 'deleted' in ethernet:
return None
@@ -346,51 +317,10 @@ def verify_ethernet(ethernet):
verify_vlan_config(ethernet)
return None
-
def generate(ethernet):
- # render real configuration file once
- wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet)
-
if 'deleted' in ethernet:
- # delete configuration on interface removal
- if os.path.isfile(wpa_supplicant_conf):
- os.unlink(wpa_supplicant_conf)
return None
- if 'eapol' in ethernet:
- ifname = ethernet['ifname']
-
- render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet)
-
- cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem')
- cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key')
-
- cert_name = ethernet['eapol']['certificate']
- pki_cert = ethernet['pki']['certificate'][cert_name]
-
- loaded_pki_cert = load_certificate(pki_cert['certificate'])
- loaded_ca_certs = {load_certificate(c['certificate'])
- for c in ethernet['pki']['ca'].values()} if 'ca' in ethernet['pki'] else {}
-
- cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs)
-
- write_file(cert_file_path,
- '\n'.join(encode_certificate(c) for c in cert_full_chain))
- write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
-
- if 'ca_certificate' in ethernet['eapol']:
- ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem')
- ca_chains = []
-
- for ca_cert_name in ethernet['eapol']['ca_certificate']:
- pki_ca_cert = ethernet['pki']['ca'][ca_cert_name]
- loaded_ca_cert = load_certificate(pki_ca_cert['certificate'])
- ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs)
- ca_chains.append(
- '\n'.join(encode_certificate(c) for c in ca_full_chain))
-
- write_file(ca_cert_file_path, '\n'.join(ca_chains))
-
ethernet['frr_zebra_config'] = ''
if 'deleted' not in ethernet:
ethernet['frr_zebra_config'] = render_to_string('frr/evpn.mh.frr.j2', ethernet)
@@ -399,8 +329,6 @@ def generate(ethernet):
def apply(ethernet):
ifname = ethernet['ifname']
- # take care about EAPoL supplicant daemon
- eapol_action='stop'
e = EthernetIf(ifname)
if 'deleted' in ethernet:
@@ -408,10 +336,6 @@ def apply(ethernet):
e.remove()
else:
e.update(ethernet)
- if 'eapol' in ethernet:
- eapol_action='reload-or-restart'
-
- call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}')
zebra_daemon = 'zebra'
# Save original configuration prior to starting any commit actions
diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py
index 4df893ebf..a5963e72c 100755
--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -167,10 +167,10 @@ def verify(policy):
continue
for rule, rule_config in route_map_config['rule'].items():
- # Action 'deny' cannot be used with "continue"
- # FRR does not validate it T4827
- if rule_config['action'] == 'deny' and 'continue' in rule_config:
- raise ConfigError(f'rule {rule} "continue" cannot be used with action deny!')
+ # Action 'deny' cannot be used with "continue" or "on-match"
+ # FRR does not validate it T4827, T6676
+ if rule_config['action'] == 'deny' and ('continue' in rule_config or 'on_match' in rule_config):
+ raise ConfigError(f'rule {rule} "continue" or "on-match" cannot be used with action deny!')
# Specified community-list must exist
tmp = dict_search('match.community.community_list',
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
index 63a944f41..67d7babc4 100644
--- a/src/etc/sudoers.d/vyos
+++ b/src/etc/sudoers.d/vyos
@@ -57,4 +57,7 @@ Cmnd_Alias KEA_IP6_ROUTES = /sbin/ip -6 route replace *,\
# Allow members of group sudo to execute any command
%sudo ALL=NOPASSWD: ALL
+# Allow any user to query Machine Owner Key status
+%sudo ALL=NOPASSWD: /usr/bin/mokutil
+
_kea ALL=NOPASSWD: KEA_IP6_ROUTES
diff --git a/src/op_mode/secure_boot.py b/src/op_mode/secure_boot.py
new file mode 100755
index 000000000..5f6390a15
--- /dev/null
+++ b/src/op_mode/secure_boot.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import vyos.opmode
+
+from vyos.utils.boot import is_uefi_system
+from vyos.utils.system import get_secure_boot_state
+
+def _get_raw_data(name=None):
+ sb_data = {
+ 'state' : get_secure_boot_state(),
+ 'uefi' : is_uefi_system()
+ }
+ return sb_data
+
+def _get_formatted_output(raw_data):
+ if not raw_data['uefi']:
+ print('System run in legacy BIOS mode!')
+ state = 'enabled' if raw_data['state'] else 'disabled'
+ return f'SecureBoot {state}'
+
+def show(raw: bool):
+ sb_data = _get_raw_data()
+ if raw:
+ return sb_data
+ else:
+ return _get_formatted_output(sb_data)
+
+if __name__ == "__main__":
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)
diff --git a/src/op_mode/version.py b/src/op_mode/version.py
index 09d69ad1d..71a40dd50 100755
--- a/src/op_mode/version.py
+++ b/src/op_mode/version.py
@@ -25,6 +25,9 @@ import vyos.opmode
import vyos.version
import vyos.limericks
+from vyos.utils.boot import is_uefi_system
+from vyos.utils.system import get_secure_boot_state
+
from jinja2 import Template
version_output_tmpl = """
@@ -43,6 +46,7 @@ Build comment: {{build_comment}}
Architecture: {{system_arch}}
Boot via: {{boot_via}}
System type: {{system_type}}
+Secure Boot: {{secure_boot}}
Hardware vendor: {{hardware_vendor}}
Hardware model: {{hardware_model}}
@@ -57,6 +61,11 @@ Copyright: VyOS maintainers and contributors
def _get_raw_data(funny=False):
version_data = vyos.version.get_full_version_data()
+ version_data["secure_boot"] = "n/a (BIOS)"
+ if is_uefi_system():
+ version_data["secure_boot"] = "disabled"
+ if get_secure_boot_state():
+ version_data["secure_boot"] = "enabled"
if funny:
version_data["limerick"] = vyos.limericks.get_random()
diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py
index 5e2aaae6b..9385bcd0c 100755
--- a/src/op_mode/vpn_ike_sa.py
+++ b/src/op_mode/vpn_ike_sa.py
@@ -38,6 +38,8 @@ def ike_sa(peer, nat):
peers = []
for conn in sas:
for name, sa in conn.items():
+ if peer and s(sa['remote-host']) != peer:
+ continue
if name.startswith('peer_') and name in peers:
continue
if nat and 'nat-local' not in sa: