Diffstat (limited to 'python/vyos')
-rw-r--r-- | python/vyos/firewall.py | 51 | ||||
-rw-r--r-- | python/vyos/frr.py | 22 | ||||
-rw-r--r-- | python/vyos/remote.py | 10 |
3 files changed, 54 insertions, 29 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py 
index 8b7402b7e..2ab78ff18 100644 
--- a/python/vyos/firewall.py 
+++ b/python/vyos/firewall.py 
@@ -45,13 +45,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 if 'state' in rule_conf and rule_conf['state']:
 states = ",".join([s for s, v in rule_conf['state'].items() if v == 'enable']) 
- output.append(f'ct state {{{states}}}') 
+ 
+ if states: 
+ output.append(f'ct state {{{states}}}')
 if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
 proto = rule_conf['protocol'] 
+ operator = '' 
+ if proto[0] == '!': 
+ operator = '!=' 
+ proto = proto[1:]
 if proto == 'tcp_udp':
 proto = '{tcp, udp}' 
- output.append('meta l4proto ' + proto) 
+ output.append(f'meta l4proto {operator} {proto}')
 for side in ['destination', 'source']:
 if side in rule_conf: 
@@ -59,7 +65,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 side_conf = rule_conf[side]
 if 'address' in side_conf: 
- output.append(f'{ip_name} {prefix}addr {side_conf["address"]}') 
+ suffix = side_conf['address'] 
+ if suffix[0] == '!': 
+ suffix = f'!= {suffix[1:]}' 
+ output.append(f'{ip_name} {prefix}addr {suffix}')
 if 'mac_address' in side_conf:
 suffix = side_conf["mac_address"] 
@@ -69,15 +78,27 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 if 'port' in side_conf:
 proto = rule_conf['protocol'] 
- port = side_conf["port"] 
+ port = side_conf['port'].split(',') 
- if isinstance(port, list): 
- port = ",".join(port) 
+ ports = [] 
+ negated_ports = [] 
+ 
+ for p in port: 
+ if p[0] == '!': 
+ negated_ports.append(p[1:]) 
+ else: 
+ ports.append(p)
 if proto == 'tcp_udp':
 proto = 'th' 
- output.append(f'{proto} {prefix}port {{{port}}}') 
+ if ports: 
+ ports_str = ','.join(ports) 
+ output.append(f'{proto} {prefix}port {{{ports_str}}}') 
+ 
+ if negated_ports: 
+ negated_ports_str = ','.join(negated_ports) 
+ output.append(f'{proto} {prefix}port != {{{negated_ports_str}}}')
 if 'group' in side_conf:
 group = side_conf['group'] 
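Review bot: The new `if states:` guard changes what a fully disabled state block means: where the old code emitted `ct state {}` (an empty set, presumably rejected by nft), a rule whose every `state` entry is `disable` now emits no `ct state` match at all and therefore matches every connection state, which silently widens the rule. If that is intended, say so with a comment such as `# no enabled states: skip the ct-state match, the rule then matches any state`; otherwise raise an error here instead of skipping. Also `proto[0] == '!'` raises IndexError on an empty protocol string; `proto.startswith('!')` is safe and reads better, and the same indexing pattern appears in the `address` hunk below (`suffix[0]`) and the `port` hunk (`p[0]`). With no negation, `f'meta l4proto {operator} {proto}'` renders with two spaces, which nft accepts but which looks odd in the listed ruleset; `' '.join(filter(None, ['meta l4proto', operator, proto]))` avoids it. parse_rule begins and continues outside this hunk.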
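Review bot: `side_conf['port'].split(',')` assumes the value is a string, while the removed `isinstance(port, list)` branch shows the old code also accepted a list; if the config layer can still hand over a list here, `.split` raises AttributeError, so either keep the list case (`port = port if isinstance(port, list) else port.split(',')`) or confirm that a string is guaranteed. An empty element from `split` (a trailing comma, or an empty port value) makes `p[0]` raise IndexError; `p.startswith('!')` together with skipping empty entries avoids that. The `!= {…}` set emitted for negated ports is a second match ANDed with the positive set, which is presumably the intended semantics but deserves a one-line comment above the `if negated_ports:` branch. parse_rule continues outside this hunk.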
@@ -87,6 +108,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 elif 'network_group' in group:
 group_name = group['network_group']
 output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}') 
+ if 'mac_group' in group: 
+ group_name = group['mac_group'] 
+ output.append(f'ether {prefix}addr $M_{group_name}')
 if 'port_group' in group:
 proto = rule_conf['protocol']
 group_name = group['port_group'] 
@@ -150,7 +174,6 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 if tcp_flags:
 output.append(parse_tcp_flags(tcp_flags)) 
- output.append('counter')
 if 'set' in rule_conf: 
@@ -165,14 +188,8 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 return " ".join(output)
 def parse_tcp_flags(flags): 
- all_flags = [] 
- include = [] 
- for flag in flags.split(","): 
- if flag[0] == '!': 
- flag = flag[1:] 
- else: 
- include.append(flag) 
- all_flags.append(flag) 
+ include = [flag for flag in flags if flag != 'not'] 
+ all_flags = include + [flag for flag in flags['not']] if 'not' in flags else []
 return f'tcp flags & ({"|".join(all_flags)}) == {"|".join(include)}'
 def parse_time(time): 
@@ -209,7 +226,7 @@ def parse_policy_set(set_conf, def_suffix):
 table = set_conf['table']
 if table == 'main':
 table = '254' 
- mark = 0x7FFFFFFF - int(set_conf['table']) 
+ mark = 0x7FFFFFFF - int(table)
 out.append(f'meta mark set {mark}')
 if 'tcp_mss' in set_conf:
 mss = set_conf['tcp_mss'] 
diff --git a/python/vyos/frr.py b/python/vyos/frr.py 
index a8f115d9a..cbba19ab7 100644 
--- a/python/vyos/frr.py 
+++ b/python/vyos/frr.py 
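Review bot: Dropping `output.append('counter')` removes the per-rule packet and byte counters from every generated rule, so the listed ruleset and anything built on it (rule hit statistics, working out which rule dropped a flow) lose that data. Unless `counter` is re-added elsewhere in parse_rule, which this hunk does not show, it should stay; if the intent is to make counters optional, gate the append on a rule-level option rather than removing it unconditionally. parse_rule begins and continues outside this hunk.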
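Review bot: The new `all_flags` line in parse_tcp_flags is wrong because the conditional expression binds looser than `+`: it parses as `(include + [...]) if 'not' in flags else []`, so a rule with only positive flags gets `all_flags = []` and emits `tcp flags & () == syn`, which nft will not accept. Write it as `all_flags = include + (list(flags['not']) if 'not' in flags else [])`. The function now takes a mapping whose keys are flag names plus an optional `'not'` key, instead of the comma-separated string the removed code parsed, and that contract is not written down anywhere; a one-line docstring such as `"""Build an nft tcp-flags match from a mapping of flag names, with negated flags under the 'not' key."""` would document it and make the call site `parse_tcp_flags(tcp_flags)` in the hunk above checkable.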
@@ -73,15 +73,15 @@ from vyos.util import cmd
 import logging
 from logging.handlers import SysLogHandler
 import os 
+import sys 
+
 LOG = logging.getLogger(__name__) 
+DEBUG = False 
-DEBUG = os.path.exists('/tmp/vyos.frr.debug') 
-if DEBUG: 
- LOG.setLevel(logging.DEBUG) 
- ch = SysLogHandler(address='/dev/log') 
- ch2 = logging.StreamHandler() 
- LOG.addHandler(ch) 
- LOG.addHandler(ch2) 
+ch = SysLogHandler(address='/dev/log') 
+ch2 = logging.StreamHandler(stream=sys.stdout) 
+LOG.addHandler(ch) 
+LOG.addHandler(ch2)
 _frr_daemons = ['zebra', 'bgpd', 'fabricd', 'isisd', 'ospf6d', 'ospfd', 'pbrd', 'pimd', 'ripd', 'ripngd', 'sharpd', 'staticd', 'vrrpd', 'ldpd', 
@@ -121,6 +121,12 @@ class ConfigSectionNotFound(FrrError):
 """
 pass 
+def init_debugging(): 
+ global DEBUG 
+ 
+ DEBUG = os.path.exists('/tmp/vyos.frr.debug') 
+ if DEBUG: 
+ LOG.setLevel(logging.DEBUG)
 def get_configuration(daemon=None, marked=False):
 """
 Get current running FRR configuration 
@@ -424,6 +430,8 @@ class FRRConfig:
 Using this overwrites the current loaded config objects and replaces the original loaded config
 ''' 
+ init_debugging() 
+ 
 self.imported_config = get_configuration(daemon=daemon)
 if daemon:
 LOG.debug(f'load_configuration: Configuration loaded from FRR daemon {daemon}') 
diff --git a/python/vyos/remote.py b/python/vyos/remote.py 
index aa62ac60d..66044fa52 100644 
--- a/python/vyos/remote.py 
+++ b/python/vyos/remote.py 
@@ -83,8 +83,7 @@ def check_storage(path, size):
 directory = path if os.path.isdir(path) else (os.path.dirname(os.path.expanduser(path)) or os.getcwd())
 # `size` can be None or 0 to indicate unknown size.
 if not size: 
- print_error('Warning: Cannot determine size of remote file.') 
- print_error('Bravely continuing regardless.') 
+ print_error('Warning: Cannot determine size of remote file. Bravely continuing regardless.')
 return
 if size < 1024 * 1024: 
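Review bot: Both handlers are now built at import time unconditionally, so `SysLogHandler(address='/dev/log')` runs for every importer of vyos.frr; if that socket is absent (build, test or container environments) the constructor raises and the import fails, where before the handlers were only created when the debug flag file existed. Attaching a `StreamHandler` on stdout to a library logger also means every WARNING-or-higher record now lands on the importing program's stdout, and since `LOG` still propagates to the root logger the same record may be printed twice when the application configures logging itself. Consider creating the handlers inside `init_debugging()` behind the `DEBUG` check, or at least guarding the syslog handler with `try/except OSError` and adding a comment on why the handlers must always be attached.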
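Review bot: `init_debugging()` turns on DEBUG-level logging when `/tmp/vyos.frr.debug` exists, and /tmp is writable by any local user, so an unprivileged account can enable debug output for the next privileged configuration load; the hunk only shows a daemon name being logged at that level, but if any debug record carries FRR configuration text (which can include protocol passwords) it would then reach stdout and syslog. A root-owned trigger location or a proper configuration option is the safer design, and a comment on the function should state who is expected to create the file. The function also only ever raises the level and never lowers it, so once the file has been seen the process stays at DEBUG; document that, or add `else: LOG.setLevel(logging.NOTSET)` to make it reversible. The function is shown in full in this hunk.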
@@ -227,7 +226,7 @@ class HttpC:
 r.raise_for_status()
 # If the request got redirected, keep the last URL we ended up with.
 final_urlstring = r.url 
- if r.history: 
+ if r.history and self.progressbar:
 print_error('Redirecting to ' + final_urlstring)
 # Check for the prospective file size.
 try: 
@@ -317,11 +316,12 @@ def friendly_download(local_path, urlstring, source_host='', source_port=0):
 sys.exit(1)
 except:
 import traceback 
+ print_error(f'Failed to download {urlstring}.')
 # There are a myriad different reasons a download could fail.
 # SSH errors, FTP errors, I/O errors, HTTP errors (403, 404...)
 # We omit the scary stack trace but print the error nevertheless. 
- print_error(f'Failed to download {urlstring}.') 
- traceback.print_exception(*sys.exc_info()[:2], None) 
+ exc_type, exc_value, exc_traceback = sys.exc_info() 
+ traceback.print_exception(exc_type, exc_value, None, 0, None, False)
 sys.exit(1)
 else:
 print_error('Download complete.') |
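Review bot: Tying the redirect notice to `self.progressbar` conflates progress display with verbosity: when a download is redirected to a different host or from https to http, that notice is the one signal a non-interactive caller would still want on stderr, and it is now suppressed in exactly that case. If the goal is to keep non-interactive output quiet, a dedicated verbosity flag, or printing the notice only when the final scheme or host differs from the requested one, keeps the security-relevant case visible. A comment such as `# progressbar doubles as "interactive": only then announce redirects` would at least make the current coupling explicit. The enclosing method starts outside this hunk.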
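Review bot: `traceback.print_exception(exc_type, exc_value, None, 0, None, False)` passes `limit`, `file` and `chain` positionally, which is hard to read and fragile since Python 3.10 made the first parameter positional-only and renamed it; `traceback.print_exception(exc_type, exc_value, None, chain=False)` says the same thing, as `limit` has no effect with `tb=None`. `exc_traceback` is unpacked but never used, so `exc_type, exc_value, _ = sys.exc_info()` is clearer. Moving `print_error(f'Failed to download {urlstring}.')` above the comment block also detaches the "we omit the scary stack trace" comment from the `print_exception` call it explains; keeping the comment directly above that call avoids the confusion. The bare `except:` on this path also catches `KeyboardInterrupt`, which predates this change but would be worth narrowing to `except Exception:` while the block is being touched.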