47 files changed, 385 insertions, 165 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 81ba74b9b..7b865fb11 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -45,3 +45,12 @@ done
 
 # Enable Cloud-init pre-configuration service
 systemctl enable vyos-config-cloud-init.service
+
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+ addgroup --quiet radius
+fi
+
+# And add RADIUS users to this group
+usermod -aG radius radius_user
+usermod -aG radius radius_priv_user
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index ec22693c9..85baec2ba 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -147,7 +147,7 @@
 </leafNode>
 <leafNode name="memory">
 <properties>
- <help>Memory (RAM) available to this container (default: 512)</help>
+ <help>Memory (RAM) available to this container</help>
 <valueHelp>
 <format>u32:0</format>
 <description>Unlimited</description>
@@ -165,7 +165,7 @@
 </leafNode>
 <leafNode name="shared-memory">
 <properties>
- <help>Shared memory available to this container (default: 64)</help>
+ <help>Shared memory available to this container</help>
 <valueHelp>
 <format>u32:0</format>
 <description>Unlimited</description>
@@ -243,7 +243,7 @@
 </leafNode>
 <leafNode name="protocol">
 <properties>
- <help>Transport protocol used for port mapping (default: tcp)</help>
+ <help>Transport protocol used for port mapping</help>
 <completionHelp>
 <list>tcp udp</list>
 </completionHelp>
@@ -265,7 +265,7 @@
 </tagNode>
 <leafNode name="restart">
 <properties>
- <help>Restart options for container (default: on-failure)</help>
+ <help>Restart options for container</help>
 <completionHelp>
 <list>no on-failure always</list>
 </completionHelp>
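Review bot: The group check in the postinst hunk, `grep -q '^radius' /etc/group`, is a prefix match, so any group whose name merely starts with "radius" (a per-user group named after radius_user, for instance) satisfies it and `addgroup --quiet radius` is skipped while the `radius` group the comment says the PAM rules need is never created; `if ! getent group radius >/dev/null; then` (or at least anchoring the pattern as `'^radius:'`) tests the exact name. The two `usermod -aG radius ...` lines also run unconditionally and fail if either account does not exist yet; whether those users are created earlier in this script is not visible in the hunk, so a `getent passwd` guard per account, or a comment stating the ordering the script relies on, would keep the maintainer script idempotent across upgrades. The surrounding script continues outside the hunk.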
@@ -312,7 +312,7 @@ </leafNode> <leafNode name="mode"> <properties> - <help>Volume access mode ro/rw (default: rw)</help> + <help>Volume access mode ro/rw</help> <completionHelp> <list>ro rw</list> </completionHelp> diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/dhcp-relay.xml.in index e9eb4b5c7..1b62c19a1 100644 --- a/interface-definitions/dhcp-relay.xml.in +++ b/interface-definitions/dhcp-relay.xml.in @@ -28,7 +28,7 @@ <help>Policy to discard packets that have reached specified hop-count</help> <valueHelp> <format>u32:1-255</format> - <description>Hop count (default: 10)</description> + <description>Hop count</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> @@ -42,7 +42,7 @@ <help>Maximum packet size to send to a DHCPv4/BOOTP server</help> <valueHelp> <format>u32:64-1400</format> - <description>Maximum packet size (default: 576)</description> + <description>Maximum packet size</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 64-1400"/> @@ -53,7 +53,7 @@ </leafNode> <leafNode name="relay-agents-packets"> <properties> - <help>Policy to handle incoming DHCPv4 packets which already contain relay agent options (default: forward)</help> + <help>Policy to handle incoming DHCPv4 packets which already contain relay agent options</help> <completionHelp> <list>append replace forward discard</list> </completionHelp> diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in index c1f2fe2fd..37aaef739 100644 --- a/interface-definitions/dhcp-server.xml.in +++ b/interface-definitions/dhcp-server.xml.in @@ -198,7 +198,7 @@ </leafNode> <leafNode name="lease"> <properties> - <help>Lease timeout in seconds (default: 86400)</help> + <help>Lease timeout in seconds</help> <valueHelp> <format>u32</format> <description>DHCP lease time in seconds</description> 
diff --git a/interface-definitions/dhcpv6-relay.xml.in b/interface-definitions/dhcpv6-relay.xml.in index 7162cf353..5abcbe804 100644 --- a/interface-definitions/dhcpv6-relay.xml.in +++ b/interface-definitions/dhcpv6-relay.xml.in @@ -36,7 +36,7 @@ <help>Maximum hop count for which requests will be processed</help> <valueHelp> <format>u32:1-255</format> - <description>Hop count (default: 10)</description> + <description>Hop count</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in index 64826516e..eb57ab927 100644 --- a/interface-definitions/dns-dynamic.xml.in +++ b/interface-definitions/dns-dynamic.xml.in @@ -47,7 +47,7 @@ </leafNode> <leafNode name="ttl"> <properties> - <help>Time To Live (default: 600)</help> + <help>Time To Live</help> <valueHelp> <format>u32:1-86400</format> <description>DNS forwarding cache size</description> diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index 0d639eaac..d7ef32745 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -16,7 +16,7 @@ <children> <leafNode name="cache-size"> <properties> - <help>DNS forwarding cache size (default: 10000)</help> + <help>DNS forwarding cache size</help> <valueHelp> <format>u32:0-2147483647</format> <description>DNS forwarding cache size</description> @@ -50,7 +50,7 @@ </leafNode> <leafNode name="dnssec"> <properties> - <help>DNSSEC mode (default: process-no-validate)</help> + <help>DNSSEC mode</help> <completionHelp> <list>off process-no-validate process log-fail validate</list> </completionHelp> 
@@ -153,7 +153,7 @@ </leafNode> <leafNode name="negative-ttl"> <properties> - <help>Maximum amount of time negative entries are cached (default: 3600)</help> + <help>Maximum amount of time negative entries are cached</help> <valueHelp> <format>u32:0-7200</format> <description>Seconds to cache NXDOMAIN entries</description> diff --git a/interface-definitions/igmp-proxy.xml.in b/interface-definitions/igmp-proxy.xml.in index 91c912d8b..c7ab60929 100644 --- a/interface-definitions/igmp-proxy.xml.in +++ b/interface-definitions/igmp-proxy.xml.in @@ -39,7 +39,7 @@ </leafNode> <leafNode name="role"> <properties> - <help>IGMP interface role (default: downstream)</help> + <help>IGMP interface role</help> <completionHelp> <list>upstream downstream disabled</list> </completionHelp> @@ -49,7 +49,7 @@ </valueHelp> <valueHelp> <format>downstream</format> - <description>Downstream interface(s) (default)</description> + <description>Downstream interface(s)</description> </valueHelp> <valueHelp> <format>disabled</format> @@ -63,10 +63,10 @@ </leafNode> <leafNode name="threshold"> <properties> - <help>TTL threshold (default: 1)</help> + <help>TTL threshold</help> <valueHelp> <format>u32:1-255</format> - <description>TTL threshold for the interfaces (default: 1)</description> + <description>TTL threshold for the interfaces</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> diff --git a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i index a692f2335..01cf0e040 100644 --- a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i +++ b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i 
@@ -21,7 +21,7 @@ <help>Prefix length used for individual client</help> <valueHelp> <format>u32:48-128</format> - <description>Client prefix length (default: 64)</description> + <description>Client prefix length</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 48-128"/> diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i index 9e7a089af..ecd03a4cc 100644 --- a/interface-definitions/include/accel-ppp/radius-additions.xml.i +++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i @@ -34,7 +34,7 @@ <help>Accounting port</help> <valueHelp> <format>u32:1-65535</format> - <description>Numeric IP port (default: 1813)</description> + <description>Numeric IP port</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-65535"/> @@ -143,7 +143,7 @@ </leafNode> <leafNode name="port"> <properties> - <help>Port for Dynamic Authorization Extension server (DM/CoA) (default: 1700)</help> + <help>Port for Dynamic Authorization Extension server (DM/CoA)</help> <valueHelp> <format>u32:1-65535</format> <description>TCP port</description> diff --git a/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i b/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i index babe6d20f..3b9294dd0 100644 --- a/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i +++ b/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i @@ -1,7 +1,7 @@ <!-- include start from interface/ipv6-dup-addr-detect-transmits.xml.i --> <leafNode name="dup-addr-detect-transmits"> <properties> - <help>Number of NS messages to send while performing DAD (default: 1)</help> + <help>Number of NS messages to send while performing DAD</help> <valueHelp> <format>u32:0</format> <description>Disable Duplicate Address Dectection (DAD)</description> 
@@ -14,5 +14,6 @@ <validator name="numeric" argument="--non-negative"/> </constraint> </properties> + <defaultValue>1</defaultValue> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i index 7a41bb242..89b5baf64 100644 --- a/interface-definitions/include/interface/vif-s.xml.i +++ b/interface-definitions/include/interface/vif-s.xml.i @@ -20,7 +20,7 @@ #include <include/interface/disable.xml.i> <leafNode name="protocol"> <properties> - <help>Protocol used for service VLAN (default: 802.1ad)</help> + <help>Protocol used for service VLAN</help> <completionHelp> <list>802.1ad 802.1q</list> </completionHelp> diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i index 5b12bec62..6a432bac9 100644 --- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i +++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i @@ -47,6 +47,26 @@ <multi/> </properties> </leafNode> + <leafNode name="security-mode"> + <properties> + <help>Security mode for RADIUS authentication</help> + <completionHelp> + <list>mandatory optional</list> + </completionHelp> + <valueHelp> + <format>mandatory</format> + <description>Deny access immediately if RADIUS answers with Access-Reject</description> + </valueHelp> + <valueHelp> + <format>optional</format> + <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description> + </valueHelp> + <constraint> + <regex>(mandatory|optional)</regex> + </constraint> + </properties> + <defaultValue>optional</defaultValue> + </leafNode> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/radius-server-port.xml.i b/interface-definitions/include/radius-server-port.xml.i index 4e5d906bc..c6b691a0f 100644 --- a/interface-definitions/include/radius-server-port.xml.i 
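Review bot: The new `security-mode` leaf in radius-server-ipv4-ipv6.xml.i defaults to `optional`, which by its own valueHelp means an Access-Reject from RADIUS hands the login to the next authentication method instead of denying it, so a reject decision made on the RADIUS server is not enforced until an operator explicitly sets `mandatory`. If that fail-open default is chosen deliberately to keep existing setups working, record it next to the leaf, e.g. `<!-- optional: an Access-Reject falls through to the next PAM method; set mandatory to enforce the RADIUS decision -->`, and consider naming the fallback target in the `optional` description so the consequence is visible in CLI help. The enclosing `<node>` and `<children>` begin outside the hunk, and which PAM stack consumes this value is not shown here.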
+++ b/interface-definitions/include/radius-server-port.xml.i @@ -4,7 +4,7 @@ <help>Authentication port</help> <valueHelp> <format>u32:1-65535</format> - <description>Numeric IP port (default: 1812)</description> + <description>Numeric IP port</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-65535"/> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 6b5335d2a..aa71713d1 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -64,7 +64,7 @@ </completionHelp> <valueHelp> <format>layer2</format> - <description>use MAC addresses to generate the hash (802.3ad, default)</description> + <description>use MAC addresses to generate the hash</description> </valueHelp> <valueHelp> <format>layer2+3</format> @@ -130,7 +130,7 @@ </completionHelp> <valueHelp> <format>slow</format> - <description>Request partner to transmit LACPDUs every 30 seconds (default)</description> + <description>Request partner to transmit LACPDUs every 30 seconds</description> </valueHelp> <valueHelp> <format>fast</format> @@ -150,7 +150,7 @@ </completionHelp> <valueHelp> <format>802.3ad</format> - <description>IEEE 802.3ad Dynamic link aggregation (Default)</description> + <description>IEEE 802.3ad Dynamic link aggregation</description> </valueHelp> <valueHelp> <format>active-backup</format> diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index 47bba2782..df03ab6c3 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -26,7 +26,7 @@ </valueHelp> <valueHelp> <format>u32:10-1000000</format> - <description>MAC address aging time in seconds (default: 300)</description> + <description>MAC address aging time in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-0 --range 10-1000000"/> 
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index 27d555552..f47634684 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -36,7 +36,7 @@ </completionHelp> <valueHelp> <format>auto</format> - <description>Auto negotiation (default)</description> + <description>Auto negotiation</description> </valueHelp> <valueHelp> <format>half</format> @@ -105,7 +105,7 @@ </node> <leafNode name="speed"> <properties> - <help>Link speed (default: auto)</help> + <help>Link speed</help> <completionHelp> <list>auto 10 100 1000 2500 5000 10000 25000 40000 50000 100000</list> </completionHelp> diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index 1cd30b86e..881cfbde7 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -20,7 +20,7 @@ #include <include/interface/description.xml.i> <leafNode name="destination-port"> <properties> - <help>UDP destination port for L2TPv3 tunnel (default: 5000)</help> + <help>UDP destination port for L2TPv3 tunnel</help> <valueHelp> <format>u32:1-65535</format> <description>Numeric IP port</description> @@ -34,7 +34,7 @@ #include <include/interface/disable.xml.i> <leafNode name="encapsulation"> <properties> - <help>Encapsulation type (default: UDP)</help> + <help>Encapsulation type</help> <completionHelp> <list>udp ip</list> </completionHelp> @@ -99,7 +99,7 @@ </leafNode> <leafNode name="source-port"> <properties> - <help>UDP source port for L2TPv3 tunnel (default: 5000)</help> + <help>UDP source port for L2TPv3 tunnel</help> <valueHelp> <format>u32:1-65535</format> <description>Numeric IP port</description> diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 7543df412..f2f2e96f1 100644 --- a/interface-definitions/interfaces-macsec.xml.in 
+++ b/interface-definitions/interfaces-macsec.xml.in @@ -83,7 +83,7 @@ </leafNode> <leafNode name="priority"> <properties> - <help>Priority of MACsec Key Agreement protocol (MKA) actor (default: 255)</help> + <help>Priority of MACsec Key Agreement protocol (MKA) actor</help> <valueHelp> <format>u32:0-255</format> <description>MACsec Key Agreement protocol (MKA) priority</description> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 20a37ac48..8d1e68b2a 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -36,7 +36,7 @@ #include <include/interface/description.xml.i> <leafNode name="device-type"> <properties> - <help>OpenVPN interface device-type (default: tun)</help> + <help>OpenVPN interface device-type</help> <completionHelp> <list>tun tap</list> </completionHelp> @@ -204,7 +204,7 @@ <children> <leafNode name="failure-count"> <properties> - <help>Maximum number of keepalive packet failures (default: 60)</help> + <help>Maximum number of keepalive packet failures</help> <valueHelp> <format>u32:0-1000</format> <description>Maximum number of keepalive packet failures</description> @@ -217,7 +217,7 @@ </leafNode> <leafNode name="interval"> <properties> - <help>Keepalive packet interval in seconds (default: 10)</help> + <help>Keepalive packet interval in seconds</help> <valueHelp> <format>u32:0-600</format> <description>Keepalive packet interval (seconds)</description> @@ -611,13 +611,13 @@ </leafNode> <leafNode name="topology"> <properties> - <help>Topology for clients (default: net30)</help> + <help>Topology for clients</help> <completionHelp> <list>net30 point-to-point subnet</list> </completionHelp> <valueHelp> <format>net30</format> - <description>net30 topology (default)</description> + <description>net30 topology</description> </valueHelp> <valueHelp> <format>point-to-point</format> 
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index 5e39ac65d..cdecc6540 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -21,7 +21,7 @@ #include <include/interface/dial-on-demand.xml.i> <leafNode name="default-route"> <properties> - <help>Default route insertion behaviour (default: auto)</help> + <help>Default route insertion behaviour</help> <completionHelp> <list>auto none force</list> </completionHelp> @@ -116,7 +116,7 @@ </leafNode> <leafNode name="mru"> <properties> - <help>Maximum Receive Unit (MRU)</help> + <help>Maximum Receive Unit (MRU) (default: MTU value)</help> <valueHelp> <format>u32:128-16384</format> <description>Maximum Receive Unit in byte</description> @@ -126,7 +126,6 @@ </constraint> <constraintErrorMessage>MRU must be between 128 and 16384</constraintErrorMessage> </properties> - <defaultValue>1492</defaultValue> </leafNode> <leafNode name="no-peer-dns"> <properties> diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in index 366892032..1bf884a7d 100644 --- a/interface-definitions/interfaces-pseudo-ethernet.xml.in +++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in @@ -29,7 +29,7 @@ #include <include/interface/mac.xml.i> <leafNode name="mode"> <properties> - <help>Receive mode (default: private)</help> + <help>Receive mode</help> <completionHelp> <list>private vepa bridge passthru</list> </completionHelp> diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index 2c15abec7..b1c738264 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in 
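Review bot: The `mru` help in the `@@ -116` hunk of interfaces-pppoe.xml.in now hand-writes `(default: MTU value)` while every other hunk in this commit strips such text so that build-command-templates renders it from `<defaultValue>`; since the `@@ -126` hunk drops `<defaultValue>1492</defaultValue>`, the generator has nothing to render for this leaf and the hand-written text is the only place the derived default is documented. A short XML comment next to the leaf, e.g. `<!-- no defaultValue: the MRU default is derived from the configured MTU at commit time -->`, would explain why this leaf breaks the commit's pattern. Where the derived default is actually applied is outside this hunk.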
@@ -157,7 +157,7 @@ </completionHelp> <valueHelp> <format>u32:0-255</format> - <description>Encaplimit (default: 4)</description> + <description>Encaplimit</description> </valueHelp> <valueHelp> <format>none</format> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index efc019e04..e0d3c6cc7 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -46,7 +46,7 @@ </leafNode> <leafNode name="port"> <properties> - <help>Destination port of VXLAN tunnel (default: 8472)</help> + <help>Destination port of VXLAN tunnel</help> <valueHelp> <format>u32:1-65535</format> <description>Numeric IP port</description> diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index 77afa3b15..54c4c2910 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -432,7 +432,7 @@ </node> <leafNode name="channel"> <properties> - <help>Wireless radio channel (default: 0)</help> + <help>Wireless radio channel</help> <valueHelp> <format>0</format> <description>Automatic Channel Selection (ACS)</description> @@ -516,7 +516,7 @@ </completionHelp> <valueHelp> <format>disabled</format> - <description>no MFP (hostapd default)</description> + <description>no MFP</description> </valueHelp> <valueHelp> <format>optional</format> @@ -548,7 +548,7 @@ </valueHelp> <valueHelp> <format>g</format> - <description>802.11g - 54 Mbits/sec (default)</description> + <description>802.11g - 54 Mbits/sec</description> </valueHelp> <valueHelp> <format>n</format> @@ -566,7 +566,7 @@ </leafNode> <leafNode name="physical-device"> <properties> - <help>Wireless physical device (default: phy0)</help> + <help>Wireless physical device</help> <completionHelp> <script>${vyos_completion_dir}/list_wireless_phys.sh</script> </completionHelp> 
diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols-rpki.xml.in index 4714355bb..5442289ee 100644 --- a/interface-definitions/protocols-rpki.xml.in +++ b/interface-definitions/protocols-rpki.xml.in @@ -82,7 +82,7 @@ </tagNode> <leafNode name="polling-period"> <properties> - <help>RPKI cache polling period (default: 300)</help> + <help>RPKI cache polling period</help> <valueHelp> <format>u32:1-86400</format> <description>Polling period in seconds</description> diff --git a/interface-definitions/service_console-server.xml.in b/interface-definitions/service_console-server.xml.in index 28aa7ea71..549edb813 100644 --- a/interface-definitions/service_console-server.xml.in +++ b/interface-definitions/service_console-server.xml.in @@ -41,7 +41,7 @@ </leafNode> <leafNode name="data-bits"> <properties> - <help>Serial port data bits (default: 8)</help> + <help>Serial port data bits</help> <completionHelp> <list>7 8</list> </completionHelp> @@ -53,7 +53,7 @@ </leafNode> <leafNode name="stop-bits"> <properties> - <help>Serial port stop bits (default: 1)</help> + <help>Serial port stop bits</help> <completionHelp> <list>1 2</list> </completionHelp> @@ -65,7 +65,7 @@ </leafNode> <leafNode name="parity"> <properties> - <help>Parity setting (default: none)</help> + <help>Parity setting</help> <completionHelp> <list>even odd none</list> </completionHelp> diff --git a/interface-definitions/service_monitoring_telegraf.xml.in b/interface-definitions/service_monitoring_telegraf.xml.in index 8a6b31d8c..df8663a45 100644 --- a/interface-definitions/service_monitoring_telegraf.xml.in +++ b/interface-definitions/service_monitoring_telegraf.xml.in 
@@ -50,13 +50,13 @@ </leafNode> <leafNode name="source"> <properties> - <help>Source parameters for monitoring (default: all)</help> + <help>Source parameters for monitoring</help> <completionHelp> <list>all hardware-utilization logs network system telegraf</list> </completionHelp> <valueHelp> <format>all</format> - <description>All parameters (default)</description> + <description>All parameters</description> </valueHelp> <valueHelp> <format>hardware-utilization</format> @@ -150,7 +150,7 @@ <help>Metric version control mapping from Telegraf to Prometheus format</help> <valueHelp> <format>u32:1-2</format> - <description>Metric version (default: 2)</description> + <description>Metric version</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-2"/> diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in index a15ce8b8f..01a262f8e 100644 --- a/interface-definitions/service_router-advert.xml.in +++ b/interface-definitions/service_router-advert.xml.in @@ -18,7 +18,7 @@ <children> <leafNode name="hop-limit"> <properties> - <help>Set Hop Count field of the IP header for outgoing packets (default: 64)</help> + <help>Set Hop Count field of the IP header for outgoing packets</help> <valueHelp> <format>u32:0</format> <description>Unspecified (by this router)</description> @@ -63,7 +63,7 @@ </valueHelp> <valueHelp> <format>medium</format> - <description>Default router has medium preference (default)</description> + <description>Default router has medium preference</description> </valueHelp> <valueHelp> <format>high</format> @@ -108,7 +108,7 @@ <children> <leafNode name="max"> <properties> - <help>Maximum interval between unsolicited multicast RAs (default: 600)</help> + <help>Maximum interval between unsolicited multicast RAs</help> <valueHelp> <format>u32:4-1800</format> <description>Maximum interval in seconds</description> 
@@ -156,7 +156,7 @@ <children> <leafNode name="valid-lifetime"> <properties> - <help>Time in seconds that the route will remain valid (default: 1800 seconds)</help> + <help>Time in seconds that the route will remain valid</help> <completionHelp> <list>infinity</list> </completionHelp> @@ -187,7 +187,7 @@ </valueHelp> <valueHelp> <format>medium</format> - <description>Route has medium preference (default)</description> + <description>Route has medium preference</description> </valueHelp> <valueHelp> <format>high</format> @@ -255,7 +255,7 @@ </leafNode> <leafNode name="valid-lifetime"> <properties> - <help>Time in seconds that the prefix will remain valid (default: 30 days)</help> + <help>Time in seconds that the prefix will remain valid</help> <completionHelp> <list>infinity</list> </completionHelp> diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in index 9136e2fe7..f5a2b12f0 100644 --- a/interface-definitions/service_webproxy.xml.in +++ b/interface-definitions/service_webproxy.xml.in @@ -28,7 +28,7 @@ <children> <leafNode name="children"> <properties> - <help>Number of authentication helper processes (default: 5)</help> + <help>Number of authentication helper processes</help> <valueHelp> <format>n</format> <description>Number of authentication helper processes</description> @@ -41,7 +41,7 @@ </leafNode> <leafNode name="credentials-ttl"> <properties> - <help>Authenticated session time to live in minutes (default: 60)</help> + <help>Authenticated session time to live in minutes</help> <valueHelp> <format>n</format> <description>Authenticated session timeout</description> @@ -85,7 +85,7 @@ </leafNode> <leafNode name="port"> <properties> - <help>LDAP server port to use (default: 389)</help> + <help>LDAP server port to use</help> <valueHelp> <format>u32:1-65535</format> <description>Port number to use</description> 
@@ -114,7 +114,7 @@ </leafNode> <leafNode name="version"> <properties> - <help>LDAP protocol version (default: 3)</help> + <help>LDAP protocol version</help> <completionHelp> <list>2 3</list> </completionHelp> @@ -186,7 +186,7 @@ </leafNode> <leafNode name="http-port"> <properties> - <help>Default Proxy Port (default: 3128)</help> + <help>Default Proxy Port</help> <valueHelp> <format>u32:1025-65535</format> <description>Default port number</description> @@ -199,7 +199,7 @@ </leafNode> <leafNode name="icp-port"> <properties> - <help>Cache peer ICP port (default: disabled)</help> + <help>Cache peer ICP port</help> <valueHelp> <format>u32:1-65535</format> <description>Cache peer ICP port</description> @@ -212,7 +212,7 @@ </leafNode> <leafNode name="options"> <properties> - <help>Cache peer options (default: "no-query default")</help> + <help>Cache peer options</help> <valueHelp> <format>txt</format> <description>Cache peer options</description> @@ -248,7 +248,7 @@ </tagNode> <leafNode name="cache-size"> <properties> - <help>Disk cache size in MB (default: 100)</help> + <help>Disk cache size in MB</help> <valueHelp> <format>u32</format> <description>Disk cache size in MB</description> @@ -262,7 +262,7 @@ </leafNode> <leafNode name="default-port"> <properties> - <help>Default Proxy Port (default: 3128)</help> + <help>Default Proxy Port</help> <valueHelp> <format>u32:1025-65535</format> <description>Default port number</description> @@ -423,7 +423,7 @@ </node> <leafNode name="redirect-url"> <properties> - <help>Redirect URL for filtered websites (default: block.vyos.net)</help> + <help>Redirect URL for filtered websites</help> <valueHelp> <format>url</format> <description>URL for redirect</description> diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 4bfe82268..a5519ee88 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in 
@@ -124,7 +124,7 @@ <help>Session timeout</help> <valueHelp> <format>u32:1-30</format> - <description>Session timeout in seconds (default: 2)</description> + <description>Session timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-30"/> @@ -138,7 +138,7 @@ <help>Server priority</help> <valueHelp> <format>u32:1-255</format> - <description>Server priority (default: 255)</description> + <description>Server priority</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in index 888f32b99..3f363a263 100644 --- a/interface-definitions/vpn_openconnect.xml.in +++ b/interface-definitions/vpn_openconnect.xml.in @@ -60,7 +60,7 @@ <help>Session timeout</help> <valueHelp> <format>u32:1-30</format> - <description>Session timeout in seconds (default: 2)</description> + <description>Session timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-30"/> @@ -80,10 +80,10 @@ <children> <leafNode name="tcp"> <properties> - <help>tcp port number to accept connections (default: 443)</help> + <help>tcp port number to accept connections</help> <valueHelp> <format>u32:1-65535</format> - <description>Numeric IP port (default: 443)</description> + <description>Numeric IP port</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-65535"/> @@ -93,10 +93,10 @@ </leafNode> <leafNode name="udp"> <properties> - <help>udp port number to accept connections (default: 443)</help> + <help>udp port number to accept connections</help> <valueHelp> <format>u32:1-65535</format> - <description>Numeric IP port (default: 443)</description> + <description>Numeric IP port</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-65535"/> 
@@ -180,7 +180,7 @@ <help>Prefix length used for individual client</help> <valueHelp> <format>u32:48-128</format> - <description>Client prefix length (default: 64)</description> + <description>Client prefix length</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 48-128"/> diff --git a/interface-definitions/vrrp.xml.in b/interface-definitions/vrrp.xml.in index 829845385..2589d61d1 100644 --- a/interface-definitions/vrrp.xml.in +++ b/interface-definitions/vrrp.xml.in @@ -64,7 +64,7 @@ <help>Advertise interval</help> <valueHelp> <format>u32:1-255</format> - <description>Advertise interval in seconds (default: 1)</description> + <description>Advertise interval in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> @@ -125,7 +125,7 @@ <children> <leafNode name="failure-count"> <properties> - <help>Health check failure count required for transition to fault (default: 3)</help> + <help>Health check failure count required for transition to fault</help> <constraint> <validator name="numeric" argument="--positive" /> </constraint> @@ -134,7 +134,7 @@ </leafNode> <leafNode name="interval"> <properties> - <help>Health check execution interval in seconds (default: 60)</help> + <help>Health check execution interval in seconds</help> <constraint> <validator name="numeric" argument="--positive"/> </constraint> @@ -206,7 +206,7 @@ </leafNode> <leafNode name="priority"> <properties> - <help>Router priority (default: 100)</help> + <help>Router priority</help> <valueHelp> <format>u32:1-255</format> <description>Router priority</description> diff --git a/op-mode-definitions/generate-interfaces-debug-archive.xml.in b/op-mode-definitions/generate-interfaces-debug-archive.xml.in new file mode 100644 index 000000000..5e4f4daad --- /dev/null +++ b/op-mode-definitions/generate-interfaces-debug-archive.xml.in 
@@ -0,0 +1,20 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="interfaces"> + <properties> + <help>Interface specific commands</help> + </properties> + <children> + <node name="debug-archive"> + <properties> + <help>Generate interfaces debug-archive</help> + </properties> + <command>${vyos_op_scripts_dir}/generate_interfaces_debug_archive.py</command> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py index bddbc08c9..59a001ec7 100644 --- a/python/vyos/defaults.py +++ b/python/vyos/defaults.py @@ -50,7 +50,7 @@ api_data = { 'strict' : False, 'gql' : False, 'debug' : False, - 'api_keys' : [ {"id": "testapp", "key": "qwerty"} ] + 'api_keys' : [ ] } vyos_cert_data = { diff --git a/scripts/build-command-templates b/scripts/build-command-templates index a0d1015b4..26ffd0745 100755 --- a/scripts/build-command-templates +++ b/scripts/build-command-templates @@ -117,7 +117,7 @@ def collect_validators(ve): return regex_args + " " + validator_args -def get_properties(p): +def get_properties(p, default=None): props = {} if p is None: @@ -125,7 +125,12 @@ def get_properties(p): # Get the help string try: - props["help"] = p.find("help").text + help = p.find("help").text + if default != None: + # DNS forwarding for instance has multiple defaults - specified as whitespace separated list + tmp = ', '.join(default.text.split()) + help += f' (default: {tmp})' + props["help"] = help except: pass @@ -134,7 +139,11 @@ def get_properties(p): vhe = p.findall("valueHelp") vh = [] for v in vhe: - vh.append( (v.find("format").text, v.find("description").text) ) + format = v.find("format").text + description = v.find("description").text + if default != None and default.text == format: + description += f' (default)' + vh.append( (format, description) ) props["val_help"] = vh except: props["val_help"] = [] 
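Review bot: `default != None` in the `@@ -125` and `@@ -134` hunks of scripts/build-command-templates should be `default is not None`, and an empty `<defaultValue/>` element gives `default.text` of `None`, so `default.text.split()` raises `AttributeError`, which the enclosing bare `except: pass` then swallows together with the whole help string; `if default is not None and default.text:` keeps the help text in that case. The new locals `help` and `format` shadow builtins (`help_text` and `fmt` read better), and `f' (default)'` has no placeholder and can be a plain string. get_properties continues outside the hunks.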
@@ -271,7 +280,7 @@ def process_node(n, tmpl_dir): print("Name of the node: {0}. Created directory: {1}\n".format(name, "/".join(my_tmpl_dir)), end="") os.makedirs(make_path(my_tmpl_dir), exist_ok=True) - props = get_properties(props_elem) + props = get_properties(props_elem, n.find("defaultValue")) if owner: props["owner"] = owner # Type should not be set for non-tag, non-leaf nodes diff --git a/smoketest/scripts/cli/test_interfaces_pppoe.py b/smoketest/scripts/cli/test_interfaces_pppoe.py index 2aaccbb13..e46354aee 100755 --- a/smoketest/scripts/cli/test_interfaces_pppoe.py +++ b/smoketest/scripts/cli/test_interfaces_pppoe.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2020 VyOS maintainers and contributors +# Copyright (C) 2019-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -58,13 +58,11 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): user = 'VyOS-user-' + interface passwd = 'VyOS-passwd-' + interface mtu = '1400' - mru = '1300' self.cli_set(base_path + [interface, 'authentication', 'user', user]) self.cli_set(base_path + [interface, 'authentication', 'password', passwd]) self.cli_set(base_path + [interface, 'default-route', 'auto']) self.cli_set(base_path + [interface, 'mtu', mtu]) - self.cli_set(base_path + [interface, 'mru', '9000']) self.cli_set(base_path + [interface, 'no-peer-dns']) # check validate() - a source-interface is required @@ -72,11 +70,6 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): self.cli_commit() self.cli_set(base_path + [interface, 'source-interface', self._source_interface]) - # check validate() - MRU needs to be less or equal then MTU - with self.assertRaises(ConfigSessionError): - self.cli_commit() - self.cli_set(base_path + [interface, 'mru', mru]) - # commit changes self.cli_commit() 
@@ -88,7 +81,7 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): tmp = get_config_value(interface, 'mtu')[1] self.assertEqual(tmp, mtu) tmp = get_config_value(interface, 'mru')[1] - self.assertEqual(tmp, mru) + self.assertEqual(tmp, mtu) tmp = get_config_value(interface, 'user')[1].replace('"', '') self.assertEqual(tmp, user) tmp = get_config_value(interface, 'password')[1].replace('"', '') 
@@ -233,5 +226,47 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): tmp = get_config_value(interface, 'host-uniq')[1] self.assertEqual(tmp, f'"{host_uniq}"') + def test_pppoe_mtu_mru(self): + # Check if PPPoE dialer can be configured and runs + for interface in self._interfaces: + user = f'VyOS-user-{interface}' + passwd = f'VyOS-passwd-{interface}' + mtu = '1400' + mru = '1300' + + self.cli_set(base_path + [interface, 'authentication', 'user', user]) + self.cli_set(base_path + [interface, 'authentication', 'password', passwd]) + self.cli_set(base_path + [interface, 'mtu', mtu]) + self.cli_set(base_path + [interface, 'mru', '9000']) + + # check validate() - a source-interface is required + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_set(base_path + [interface, 'source-interface', self._source_interface]) + + # check validate() - MRU needs to be less or equal then MTU + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_set(base_path + [interface, 'mru', mru]) + + # commit changes + self.cli_commit() + + # verify configuration file(s) + for interface in self._interfaces: + user = f'VyOS-user-{interface}' + passwd = f'VyOS-passwd-{interface}' + + tmp = get_config_value(interface, 'mtu')[1] + self.assertEqual(tmp, mtu) + tmp = get_config_value(interface, 'mru')[1] + self.assertEqual(tmp, mru) + tmp = get_config_value(interface, 'user')[1].replace('"', '') + self.assertEqual(tmp, user) + tmp = get_config_value(interface, 'password')[1].replace('"', '') + self.assertEqual(tmp, passwd) + tmp = get_config_value(interface, 'ifname')[1] + self.assertEqual(tmp, interface) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_tftp-server.py b/smoketest/scripts/cli/test_service_tftp-server.py index 642b6af88..850c012ff 100755 --- a/smoketest/scripts/cli/test_service_tftp-server.py +++ b/smoketest/scripts/cli/test_service_tftp-server.py 
@@ -31,7 +31,6 @@ base_path = ['service', 'tftp-server'] dummy_if_path = ['interfaces', 'dummy', 'dum69'] address_ipv4 = '192.0.2.1' address_ipv6 = '2001:db8::1' -vrf = 'mgmt' class TestServiceTFTPD(VyOSUnitTestSHIM.TestCase): @classmethod @@ -121,45 +120,5 @@ class TestServiceTFTPD(VyOSUnitTestSHIM.TestCase): count += 1 self.assertEqual(count, len(address)) - def test_03_tftpd_vrf(self): - directory = '/tmp' - port = '69' # default port - - self.cli_set(base_path + ['allow-upload']) - self.cli_set(base_path + ['directory', directory]) - self.cli_set(base_path + ['listen-address', address_ipv4, 'vrf', vrf]) - - # VRF does yet not exist - an error must be thrown - with self.assertRaises(ConfigSessionError): - self.cli_commit() - - self.cli_set(['vrf', 'name', vrf, 'table', '1338']) - self.cli_set(dummy_if_path + ['vrf', vrf]) - - # commit changes - self.cli_commit() - - config = read_file('/etc/default/tftpd0') - # verify listen IP address - self.assertIn(f'{address_ipv4}:{port} -4', config) - # verify directory - self.assertIn(directory, config) - # verify upload - self.assertIn('--create --umask 000', config) - - # Check for process in VRF - count = 0 - while count < 10: - count += 1 - tmp = cmd(f'ip vrf pids {vrf}') - print(tmp) - if tmp: break - sleep(1) - self.assertIn(PROCESS_NAME, tmp) - - # delete VRF - self.cli_delete(dummy_if_path + ['vrf']) - self.cli_delete(['vrf', 'name', vrf]) - if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py index 00f3d4f7f..2ade3476d 100755 --- a/src/conf_mode/http-api.py +++ b/src/conf_mode/http-api.py @@ -39,7 +39,7 @@ vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode'] def get_config(config=None): http_api = deepcopy(vyos.defaults.api_data) x = http_api.get('api_keys') - if x is None: + if not x: default_key = None else: default_key = x[0] diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 1e58bb1e4..f02e32cd1 100755 
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
- # Copyright (C) 2019-2020 VyOS maintainers and contributors
+ # Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -25,6 +25,7 @@ from vyos.config import Config
 from vyos.configverify import verify_vrf
 from vyos import ConfigError
 from vyos.util import call
+from vyos.util import dict_search
 from vyos.template import render
 from vyos import airbag
@@ -160,6 +161,30 @@ def verify(https):
 "matching the 'certbot domain-name' is required.")
 verify_vrf(https)
+
+ # Verify API server settings, if present
+ if 'api' in https:
+ keys = dict_search('api.keys.id', https)
+ gql_auth_type = dict_search('api.graphql.authentication.type', https)
+
+ # If "api graphql" is not defined and `gql_auth_type` is None,
+ # there's certainly no JWT auth option, and keys are required
+ jwt_auth = (gql_auth_type == "token")
+
+ # Check for incomplete key configurations in every case
+ valid_keys_exist = False
+ if keys:
+ for k in keys:
+ if 'key' not in keys[k]:
+ raise ConfigError(f'Missing HTTPS API key string for key id "{k}"')
+ else:
+ valid_keys_exist = True
+
+ # If only key-based methods are enabled,
+ # fail the commit if no valid key configurations are found
+ if (not valid_keys_exist) and (not jwt_auth):
+ raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled')
+
 return None
 def generate(https):
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py
index 49714c558..7434c5b3b 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces-pppoe.py
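Review bot: The `valid_keys_exist` flag and the nested `for`/`if`/`else` in the `@@ -160` hunk of src/conf_mode/https.py can be written without mutable state: `missing = [k for k, v in (keys or {}).items() if 'key' not in v]`, then `if missing: raise ConfigError(f'Missing HTTPS API key string for key id "{missing[0]}"')` and `if not keys and not jwt_auth: raise ConfigError(...)` with the existing message, which is equivalent because once no id is missing its key, "some valid key exists" is the same as "keys is non-empty". Since python/vyos/defaults.py in this commit drops the shipped `testapp`/`qwerty` key, this check is now what prevents committing an API instance with no credentials at all; a one-line comment above `valid_keys_exist = False`, e.g. `# No built-in default key exists any more, so a configured key (or GraphQL token auth) is mandatory`, would keep a later edit from relaxing it. verify() starts outside the hunk.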
@@ -44,6 +44,12 @@ def get_config(config=None):
 base = ['interfaces', 'pppoe']
 pppoe = get_interface_dict(conf, base)
+ if 'deleted' not in pppoe:
+ # We always set the MRU value to the MTU size. This code path only re-creates
+ # the old behavior if MRU is not set on the CLI.
+ if 'mru' not in pppoe:
+ pppoe['mru'] = pppoe['mtu']
+
 return pppoe
 def verify(pppoe):
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 7cfd5c940..4e61bd8ad 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -299,9 +299,15 @@ def apply(login):
 env = os.environ.copy()
 env['DEBIAN_FRONTEND'] = 'noninteractive'
 try:
+ # Disable PAM before enabling or modifying anything
+ cmd('pam-auth-update --disable radius-mandatory radius-optional', env=env)
 if 'radius' in login:
 # Enable RADIUS in PAM
- cmd('pam-auth-update --package --enable radius', env=env)
+ if login['radius'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'radius-mandatory'
+ else:
+ pam_profile = 'radius-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}', env=env)
 # Make NSS system aware of RADIUS
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/\smapname/b\' \
@@ -312,8 +318,6 @@ def apply(login):
 -e \'/^group:[^#]*$/s/: */&mapname /\' \
 /etc/nsswitch.conf"
 else:
- # Disable RADIUS in PAM
- cmd('pam-auth-update --package --remove radius', env=env)
 # Drop RADIUS from NSS NSS system
 # This fancy snipped was copied from old Vyatta code
 command = "sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \
diff --git a/src/helpers/vyos-load-config.py b/src/helpers/vyos-load-config.py
index e579e81b2..4ec865454 100755
--- a/src/helpers/vyos-load-config.py
+++ b/src/helpers/vyos-load-config.py
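Review bot: `pppoe['mru'] = pppoe['mtu']` in the `@@ -44` hunk of src/conf_mode/interfaces-pppoe.py indexes `mtu` unconditionally; that is only safe if `get_interface_dict` has already merged the `defaultValue` for `mtu`, which the hunk does not show, and otherwise an interface configured without an explicit `mtu` raises `KeyError` at commit time. Either guard it, `if 'mru' not in pppoe and 'mtu' in pppoe:`, or state the assumption in the comment: `# 'mtu' is always present here because get_interface_dict merges the CLI default`. get_config continues outside the hunk.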
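Review bot: In the `@@ -299` hunk of src/conf_mode/system-login.py, `pam-auth-update --disable radius-mandatory radius-optional` now runs on every apply before the `if 'radius' in login:` branch, so each commit passes through a state with no RADIUS profile enabled, and if the later `--enable` call raises (the `except` clause is outside the hunk) the system is presumably left with RADIUS silently off while the NSS `mapname` step is skipped as well. If that fail-safe is intended, say so next to the disable: `# Always start from a clean state: on any failure below RADIUS stays disabled and local accounts keep working`. Any `security_mode` value other than `mandatory` selects `radius-optional`, which is fine only if the CLI constraint limits the leaf to those two values; this diff does not show it. The `@@ -312` hunk only removes the old `--remove radius` call and needs no change.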
@@ -66,7 +66,7 @@ def get_local_config(filename):
 return config_str
-if any(x in file_name for x in protocols):
+if any(file_name.startswith(f'{x}://') for x in protocols):
 config_string = vyos.remote.get_remote_config(file_name)
 if not config_string:
 sys.exit(f"No such config file at '{file_name}'")
diff --git a/src/op_mode/generate_interfaces_debug_archive.py b/src/op_mode/generate_interfaces_debug_archive.py
new file mode 100644
index 000000000..683484a65
--- /dev/null
+++ b/src/op_mode/generate_interfaces_debug_archive.py
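Review bot: `file_name.startswith(f'{x}://')` in the `@@ -66` hunk of src/helpers/vyos-load-config.py is a clear improvement over the old substring match, but it compares the scheme case-sensitively, so `HTTP://host/config` falls through to the local-file branch and fails with "No such config file" although URL schemes are case-insensitive; `file_name.lower().startswith(f'{x}://')` keeps the prefix match without that gap. The `protocols` list is defined outside the hunk.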
@@ -0,0 +1,115 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from datetime import datetime +from pathlib import Path +from shutil import rmtree +from socket import gethostname +from sys import exit +from tarfile import open as tar_open +from vyos.util import rc_cmd +import os + +# define a list of commands that needs to be executed + +CMD_LIST = [ + "journalctl -b -n 500", + "journalctl -b -k -n 500", + "ip -s l", + "cat /proc/interrupts", + "cat /proc/softirqs", + "top -b -d 1 -n 2 -1", + "netstat -l", + "cat /proc/net/dev", + "cat /proc/net/softnet_stat", + "cat /proc/net/icmp", + "cat /proc/net/udp", + "cat /proc/net/tcp", + "cat /proc/net/netstat", + "sysctl net", + "timeout 10 tcpdump -c 500 -eni any port not 22" +] + +CMD_INTERFACES_LIST = [ + "ethtool -i ", + "ethtool -S ", + "ethtool -g ", + "ethtool -c ", + "ethtool -a ", + "ethtool -k ", + "ethtool -i ", + "ethtool --phy-statistics " +] + +# get intefaces info +interfaces_list = os.popen('ls /sys/class/net/').read().split() + +# modify CMD_INTERFACES_LIST for all interfaces +CMD_INTERFACES_LIST_MOD=[] +for command_interface in interfaces_list: + for command_interfacev2 in CMD_INTERFACES_LIST: + CMD_INTERFACES_LIST_MOD.append (f'{command_interfacev2}{command_interface}') + +# execute a command and save the output to a file + +def save_stdout(command: str, file: Path) -> None: + rc, 
stdout = rc_cmd(command) + body: str = f'''### {command} ### +Command: {command} +Exit code: {rc} +Stdout: +{stdout} + +''' + with file.open(mode='a') as f: + f.write(body) + +# get local host name +hostname: str = gethostname() +# get current time +time_now: str = datetime.now().isoformat(timespec='seconds') + +# define a temporary directory for logs and collected data +tmp_dir: Path = Path(f'/tmp/drops-debug_{time_now}') +# set file paths +drops_file: Path = Path(f'{tmp_dir}/drops.txt') +interfaces_file: Path = Path(f'{tmp_dir}/interfaces.txt') +archive_file: str = f'/tmp/packet-drops-debug_{time_now}.tar.bz2' + +# create files +tmp_dir.mkdir() +drops_file.touch() +interfaces_file.touch() + +try: + # execute all commands + for command in CMD_LIST: + save_stdout(command, drops_file) + for command_interface in CMD_INTERFACES_LIST_MOD: + save_stdout(command_interface, interfaces_file) + + # create an archive + with tar_open(name=archive_file, mode='x:bz2') as tar_file: + tar_file.add(tmp_dir) + + # inform user about success + print(f'Debug file is generated and located in {archive_file}') +except Exception as err: + print(f'Error during generating a debug file: {err}') +finally: + # cleanup + rmtree(tmp_dir) + exit() diff --git a/src/pam-configs/radius b/src/pam-configs/radius deleted file mode 100644 index 0e2c71e38..000000000 --- a/src/pam-configs/radius +++ /dev/null 
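Review bot: The temporary directory and the archive in the `@@ -0,0 +1,115` hunk of src/op_mode/generate_interfaces_debug_archive.py are created under /tmp with the inherited umask, yet they hold journal output, `sysctl net` state and a `tcpdump` capture of every interface, so other local users may be able to read them; `tmp_dir.mkdir(mode=0o700)` plus `os.chmod(archive_file, 0o600)` right after the `with tar_open(...)` block (or `os.umask(0o077)` before anything is created) closes that. `"ethtool -i "` appears twice in CMD_INTERFACES_LIST, so every interface is queried twice for the same data. `os.popen('ls /sys/class/net/').read().split()` is a shell round-trip for `os.listdir('/sys/class/net')`, and `exit()` inside `finally` replaces any exception that escapes the `except Exception` branch (a KeyboardInterrupt, for instance) with a plain SystemExit, hiding the cause.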
@@ -1,20 +0,0 @@ -Name: RADIUS authentication -Default: yes -Priority: 257 -Auth-Type: Primary -Auth: - [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet - [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet - [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so - -Account-Type: Primary -Account: - [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet - [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet - [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so - -Session-Type: Additional -Session: - [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet - [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet - [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory new file mode 100644 index 000000000..3368fe7ff --- /dev/null +++ b/src/pam-configs/radius-mandatory @@ -0,0 +1,19 @@ +Name: RADIUS authentication (mandatory mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so +Auth: + [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore success=end] pam_radius_auth.so + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=bad success=ok] pam_radius_auth.so diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional new file mode 100644 index 000000000..73085061d --- /dev/null +++ b/src/pam-configs/radius-optional 
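Review bot: In src/pam-configs/radius-mandatory every `pam_radius_auth.so` line uses `default=ignore`, so an unreachable RADIUS server (`authinfo_unavail`) is ignored and the Auth and Account stacks fall through to the remaining local modules; only explicit `auth_err`/`perm_denied`/`user_unknown` replies are `die`. "Mandatory" therefore still means RADIUS-first with local fallback while the server is down, which is a sensible lockout safeguard, but the profile name suggests otherwise, so it should be stated where `security-mode mandatory` is documented (its CLI help is not in this diff); `authinfo_unavail=die` on the Auth lines would enforce it strictly at the cost of losing local login during an outage. The Session line `[default=bad success=ok]` is the only one that fails closed, and it applies only to members of the `radius` group because of the preceding `pam_succeed_if` skip. src/pam-configs/radius-optional in the following `@@ -0,0 +1,19` hunk differs only in the per-return mappings, as its name implies.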
@@ -0,0 +1,19 @@ +Name: RADIUS authentication (optional mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end] pam_radius_auth.so +Auth: + [default=ignore success=end] pam_radius_auth.so use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore success=end] pam_radius_auth.so + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so |