Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py10
-rwxr-xr-xsrc/conf_mode/interfaces-wireguard.py18
-rwxr-xr-xsrc/conf_mode/interfaces-wireless.py19
-rwxr-xr-xsrc/conf_mode/nat.py7
-rwxr-xr-xsrc/conf_mode/service_pppoe-server.py421
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py346
-rwxr-xr-xsrc/conf_mode/vrrp.py1
-rwxr-xr-xsrc/migration-scripts/pppoe-server/0-to-161
-rwxr-xr-xsrc/migration-scripts/pppoe-server/1-to-277
-rwxr-xr-xsrc/migration-scripts/pppoe-server/2-to-3117
-rwxr-xr-xsrc/migration-scripts/pppoe-server/3-to-4107
-rwxr-xr-xsrc/migration-scripts/pppoe-server/4-to-549
-rwxr-xr-xsrc/migration-scripts/sstp/0-to-15
-rwxr-xr-xsrc/migration-scripts/sstp/2-to-378
-rwxr-xr-xsrc/op_mode/show_openvpn.py3
-rwxr-xr-xsrc/services/vyos-configd26
16 files changed, 443 insertions, 902 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 613648adb..2c8367ff3 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -16,6 +16,7 @@
import os
+from netifaces import interfaces
from sys import exit
from vyos.config import Config
@@ -58,8 +59,7 @@ def get_config(config=None):
# Check if interface has been removed
if 'deleted' in macsec:
- source_interface = conf.return_effective_value(
- base + ['source-interface'])
+ source_interface = conf.return_effective_value(['source-interface'])
macsec.update({'source_interface': source_interface})
return macsec
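Review bot: The new `conf.return_effective_value(['source-interface'])` is a relative path, so it only resolves if `conf.set_level(base)` was called earlier in get_config, which lies outside this hunk; if that level is not active, or the deleted interface never had a source-interface in the effective config, the call returns None. That None is stored unchecked and later reaches `call('systemctl stop wpa_supplicant-macsec@{source_interface}'.format(**macsec))` in the apply() hunk below, stopping a non-existent `...@None` unit while the real supplicant keeps running. Consider failing explicitly before the update, e.g. `if not source_interface: raise ConfigError('source-interface of deleted MACsec interface could not be determined')` (assuming ConfigError is in scope in this file, as in the sibling conf_mode scripts).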
@@ -110,11 +110,13 @@ def generate(macsec):
def apply(macsec):
# Remove macsec interface
- if 'deleted' in macsec.keys():
+ if 'deleted' in macsec:
call('systemctl stop wpa_supplicant-macsec@{source_interface}'
.format(**macsec))
- MACsecIf(macsec['ifname']).remove()
+ if macsec['ifname'] in interfaces():
+ tmp = MACsecIf(macsec['ifname'])
+ tmp.remove()
# delete configuration on interface removal
if os.path.isfile(wpa_suppl_conf.format(**macsec)):
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index d5800264f..9bda35d0a 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -57,13 +57,13 @@ def get_config(config=None):
# Determine which Wireguard peer has been removed.
# Peers can only be removed with their public key!
+ dict = {}
tmp = node_changed(conf, ['peer'])
- if tmp:
- dict = {}
- for peer in tmp:
- peer_config = leaf_node_changed(conf, ['peer', peer, 'pubkey'])
- dict = dict_merge({'peer_remove' : {peer : {'pubkey' : peer_config}}}, dict)
- wireguard.update(dict)
+ for peer in (tmp or []):
+ pubkey = leaf_node_changed(conf, ['peer', peer, 'pubkey'])
+ if pubkey:
+ dict = dict_merge({'peer_remove' : {peer : {'pubkey' : pubkey[0]}}}, dict)
+ wireguard.update(dict)
return wireguard
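Review bot: `dict = {}` on the added line shadows the builtin `dict` for the remainder of get_config, so any later `dict(...)` call or `isinstance(x, dict)` check in this function would break; rename it, e.g. `peer_remove = {}` and `wireguard.update(peer_remove)`. The `pubkey[0]` index assumes `leaf_node_changed` returns a non-empty list whenever it is truthy — consistent with the `if pubkey:` guard, but worth confirming it never returns a bare string, which would silently yield only the first character of the key. The enclosing get_config starts outside this hunk.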
@@ -101,12 +101,12 @@ def verify(wireguard):
f'for peer "{tmp}" if either one of them is set!')
def apply(wireguard):
+ tmp = WireGuardIf(wireguard['ifname'])
if 'deleted' in wireguard:
- WireGuardIf(wireguard['ifname']).remove()
+ tmp.remove()
return None
- w = WireGuardIf(wireguard['ifname'])
- w.update(wireguard)
+ tmp.update(wireguard)
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index f8520aecf..ad8aee168 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -74,7 +74,18 @@ def get_config(config=None):
else:
conf = Config()
base = ['interfaces', 'wireless']
+
wifi = get_interface_dict(conf, base)
+ # defaults include RADIUS server specifics per TAG node which need to be
+ # added to individual RADIUS servers instead - so we can simply delete them
+ if vyos_dict_search('security.wpa.radius.server.port', wifi):
+ del wifi['security']['wpa']['radius']['server']['port']
+ if not len(wifi['security']['wpa']['radius']['server']):
+ del wifi['security']['wpa']['radius']
+ if not len(wifi['security']['wpa']):
+ del wifi['security']['wpa']
+ if not len(wifi['security']):
+ del wifi['security']
if 'security' in wifi and 'wpa' in wifi['security']:
wpa_cipher = wifi['security']['wpa'].get('cipher')
@@ -99,6 +110,14 @@ def get_config(config=None):
tmp = find_other_stations(conf, base, wifi['ifname'])
if tmp: wifi['station_interfaces'] = tmp
+ # Add individual RADIUS server default values
+ if vyos_dict_search('security.wpa.radius.server', wifi):
+ default_values = defaults(base + ['security', 'wpa', 'radius', 'server'])
+
+ for server in vyos_dict_search('security.wpa.radius.server', wifi):
+ wifi['security']['wpa']['radius']['server'][server] = dict_merge(
+ default_values, wifi['security']['wpa']['radius']['server'][server])
+
return wifi
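Review bot: `vyos_dict_search('security.wpa.radius.server', wifi)` is evaluated twice in the added block (once as the guard, once as the loop header); bind it once, `servers = vyos_dict_search('security.wpa.radius.server', wifi)` followed by `for server in servers:`, so the lookup and the dict being mutated are visibly the same object. The single `default_values` dict is handed to `dict_merge` for every server; if `dict_merge` returns a structure that aliases its first argument instead of copying it, the per-server entries would share nested default objects — worth confirming against its implementation, which is outside this diff. The enclosing get_config starts outside the hunk.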
def verify(wifi):
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index eb634fd78..b66cd370a 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -238,8 +238,11 @@ def verify(nat):
if rule['translation_address']:
addr = rule['translation_address']
- if addr != 'masquerade' and not is_addr_assigned(addr):
- print(f'Warning: IP address {addr} does not exist on the system!')
+ if addr != 'masquerade':
+ for ip in addr.split('-'):
+ if not is_addr_assigned(ip):
+ print(f'Warning: IP address {ip} does not exist on the system!')
+
elif not rule['exclude']:
raise ConfigError(f'{err_msg} translation address not specified')
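Review bot: The new loop validates only the endpoints produced by `addr.split('-')`, so an unassigned address inside a translation range passes without the warning; if that is intended, a comment would make it explicit: `# a range is only checked at its start and end address`. As before, the result is a printed warning only, so verify() never rejects a rule whose translation address is absent from the system. The enclosing verify() begins outside this hunk.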
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index a4e937b1a..a520120f8 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -15,433 +15,56 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-import re
-from copy import deepcopy
-from stat import S_IRUSR, S_IWUSR, S_IRGRP
from sys import exit
from vyos.config import Config
+from vyos.configdict import get_accel_dict
+from vyos.configverify import verify_accel_ppp_base_service
from vyos.template import render
-from vyos.util import call, get_half_cpus
-from vyos.validate import is_ipv4
+from vyos.util import call
+from vyos.util import vyos_dict_search
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
pppoe_conf = r'/run/accel-pppd/pppoe.conf'
pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets'
-default_config_data = {
- 'auth_mode': 'local',
- 'auth_proto': ['auth_mschap_v2', 'auth_mschap_v1', 'auth_chap_md5', 'auth_pap'],
- 'chap_secrets_file': pppoe_chap_secrets, # used in Jinja2 template
- 'client_ip_pool': '',
- 'client_ip_subnets': [],
- 'client_ipv6_pool': [],
- 'client_ipv6_delegate_prefix': [],
- 'concentrator': 'vyos-ac',
- 'interfaces': [],
- 'local_users' : [],
-
- 'svc_name': [],
- 'dnsv4': [],
- 'dnsv6': [],
- 'wins': [],
- 'mtu': '1492',
-
- 'limits_burst': '',
- 'limits_connections': '',
- 'limits_timeout': '',
-
- 'pado_delay': '',
- 'ppp_ccp': False,
- 'ppp_gw': '',
- 'ppp_ipv4': '',
- 'ppp_ipv6': '',
- 'ppp_ipv6_accept_peer_intf_id': False,
- 'ppp_ipv6_intf_id': '',
- 'ppp_ipv6_peer_intf_id': '',
- 'ppp_echo_failure': '3',
- 'ppp_echo_interval': '30',
- 'ppp_echo_timeout': '0',
- 'ppp_min_mtu': '',
- 'ppp_mppe': 'prefer',
- 'ppp_mru': '',
- 'ppp_preallocate_vif': False,
-
- 'radius_server': [],
- 'radius_acct_inter_jitter': '',
- 'radius_acct_tmo': '3',
- 'radius_max_try': '3',
- 'radius_timeout': '3',
- 'radius_nas_id': '',
- 'radius_nas_ip': '',
- 'radius_source_address': '',
- 'radius_shaper_attr': '',
- 'radius_shaper_vendor': '',
- 'radius_dynamic_author': '',
- 'sesscrtl': 'replace',
- 'snmp': False,
- 'thread_cnt': get_half_cpus()
-}
-
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
- base_path = ['service', 'pppoe-server']
- if not conf.exists(base_path):
+ base = ['service', 'pppoe-server']
+ if not conf.exists(base):
return None
- conf.set_level(base_path)
- pppoe = deepcopy(default_config_data)
-
- # general options
- if conf.exists(['access-concentrator']):
- pppoe['concentrator'] = conf.return_value(['access-concentrator'])
-
- if conf.exists(['service-name']):
- pppoe['svc_name'] = conf.return_values(['service-name'])
-
- if conf.exists(['interface']):
- for interface in conf.list_nodes(['interface']):
- conf.set_level(base_path + ['interface', interface])
- tmp = {
- 'name': interface,
- 'vlans': []
- }
-
- if conf.exists(['vlan-id']):
- tmp['vlans'] += conf.return_values(['vlan-id'])
-
- if conf.exists(['vlan-range']):
- tmp['vlans'] += conf.return_values(['vlan-range'])
-
- pppoe['interfaces'].append(tmp)
-
- conf.set_level(base_path)
-
- if conf.exists(['local-ip']):
- pppoe['ppp_gw'] = conf.return_value(['local-ip'])
-
- if conf.exists(['name-server']):
- for name_server in conf.return_values(['name-server']):
- if is_ipv4(name_server):
- pppoe['dnsv4'].append(name_server)
- else:
- pppoe['dnsv6'].append(name_server)
-
- if conf.exists(['wins-server']):
- pppoe['wins'] = conf.return_values(['wins-server'])
-
-
- if conf.exists(['client-ip-pool']):
- if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']):
- start = conf.return_value(['client-ip-pool', 'start'])
- stop = conf.return_value(['client-ip-pool', 'stop'])
- pppoe['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0)
-
- if conf.exists(['client-ip-pool', 'subnet']):
- pppoe['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet'])
-
-
- if conf.exists(['client-ipv6-pool', 'prefix']):
- for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']):
- tmp = {
- 'prefix': prefix,
- 'mask': '64'
- }
-
- if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']):
- tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask'])
-
- pppoe['client_ipv6_pool'].append(tmp)
-
-
- if conf.exists(['client-ipv6-pool', 'delegate']):
- for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']):
- tmp = {
- 'prefix': prefix,
- 'mask': ''
- }
-
- if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']):
- tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix'])
-
- pppoe['client_ipv6_delegate_prefix'].append(tmp)
-
-
- if conf.exists(['limits']):
- if conf.exists(['limits', 'burst']):
- pppoe['limits_burst'] = conf.return_value(['limits', 'burst'])
-
- if conf.exists(['limits', 'connection-limit']):
- pppoe['limits_connections'] = conf.return_value(['limits', 'connection-limit'])
-
- if conf.exists(['limits', 'timeout']):
- pppoe['limits_timeout'] = conf.return_value(['limits', 'timeout'])
-
-
- if conf.exists(['snmp']):
- pppoe['snmp'] = True
-
- if conf.exists(['snmp', 'master-agent']):
- pppoe['snmp'] = 'enable-ma'
-
- # authentication mode local
- if conf.exists(['authentication', 'mode']):
- pppoe['auth_mode'] = conf.return_value(['authentication', 'mode'])
-
- if conf.exists(['authentication', 'local-users']):
- for username in conf.list_nodes(['authentication', 'local-users', 'username']):
- user = {
- 'name' : username,
- 'password' : '',
- 'state' : 'enabled',
- 'ip' : '*',
- 'upload' : None,
- 'download' : None
- }
- conf.set_level(base_path + ['authentication', 'local-users', 'username', username])
-
- if conf.exists(['password']):
- user['password'] = conf.return_value(['password'])
-
- if conf.exists(['disable']):
- user['state'] = 'disable'
-
- if conf.exists(['static-ip']):
- user['ip'] = conf.return_value(['static-ip'])
-
- if conf.exists(['rate-limit', 'download']):
- user['download'] = conf.return_value(['rate-limit', 'download'])
-
- if conf.exists(['rate-limit', 'upload']):
- user['upload'] = conf.return_value(['rate-limit', 'upload'])
-
- pppoe['local_users'].append(user)
-
- conf.set_level(base_path)
-
- if conf.exists(['authentication', 'protocols']):
- auth_mods = {
- 'mschap-v2': 'auth_mschap_v2',
- 'mschap': 'auth_mschap_v1',
- 'chap': 'auth_chap_md5',
- 'pap': 'auth_pap'
- }
-
- pppoe['auth_proto'] = []
- for proto in conf.return_values(['authentication', 'protocols']):
- pppoe['auth_proto'].append(auth_mods[proto])
-
- #
- # authentication mode radius servers and settings
- if conf.exists(['authentication', 'mode', 'radius']):
-
- for server in conf.list_nodes(['authentication', 'radius', 'server']):
- radius = {
- 'server' : server,
- 'key' : '',
- 'fail_time' : 0,
- 'port' : '1812',
- 'acct_port' : '1813'
- }
-
- conf.set_level(base_path + ['authentication', 'radius', 'server', server])
-
- if conf.exists(['fail-time']):
- radius['fail_time'] = conf.return_value(['fail-time'])
-
- if conf.exists(['port']):
- radius['port'] = conf.return_value(['port'])
-
- if conf.exists(['acct-port']):
- radius['acct_port'] = conf.return_value(['acct-port'])
-
- if conf.exists(['key']):
- radius['key'] = conf.return_value(['key'])
-
- if not conf.exists(['disable']):
- pppoe['radius_server'].append(radius)
-
- #
- # advanced radius-setting
- conf.set_level(base_path + ['authentication', 'radius'])
-
- if conf.exists(['acct-interim-jitter']):
- pppoe['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter'])
-
- if conf.exists(['acct-timeout']):
- pppoe['radius_acct_tmo'] = conf.return_value(['acct-timeout'])
-
- if conf.exists(['max-try']):
- pppoe['radius_max_try'] = conf.return_value(['max-try'])
-
- if conf.exists(['timeout']):
- pppoe['radius_timeout'] = conf.return_value(['timeout'])
-
- if conf.exists(['nas-identifier']):
- pppoe['radius_nas_id'] = conf.return_value(['nas-identifier'])
-
- if conf.exists(['nas-ip-address']):
- pppoe['radius_nas_ip'] = conf.return_value(['nas-ip-address'])
-
- if conf.exists(['preallocate-vif']):
- pppoe['ppp_preallocate_vif'] = True
-
- if conf.exists(['source-address']):
- pppoe['radius_source_address'] = conf.return_value(['source-address'])
-
- # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA)
- if conf.exists(['dynamic-author']):
- dae = {
- 'port' : '',
- 'server' : '',
- 'key' : ''
- }
-
- if conf.exists(['dynamic-author', 'server']):
- dae['server'] = conf.return_value(['dynamic-author', 'server'])
-
- if conf.exists(['dynamic-author', 'port']):
- dae['port'] = conf.return_value(['dynamic-author', 'port'])
-
- if conf.exists(['dynamic-author', 'key']):
- dae['key'] = conf.return_value(['dynamic-author', 'key'])
-
- pppoe['radius_dynamic_author'] = dae
-
- # RADIUS based rate-limiter
- if conf.exists(['rate-limit', 'enable']):
- pppoe['radius_shaper_attr'] = 'Filter-Id'
- c_attr = ['rate-limit', 'enable', 'attribute']
- if conf.exists(c_attr):
- pppoe['radius_shaper_attr'] = conf.return_value(c_attr)
-
- c_vendor = ['rate-limit', 'enable', 'vendor']
- if conf.exists(c_vendor):
- pppoe['radius_shaper_vendor'] = conf.return_value(c_vendor)
-
- # re-set config level
- conf.set_level(base_path)
-
- if conf.exists(['mtu']):
- pppoe['mtu'] = conf.return_value(['mtu'])
-
- if conf.exists(['session-control']):
- pppoe['sesscrtl'] = conf.return_value(['session-control'])
-
- # ppp_options
- if conf.exists(['ppp-options']):
- conf.set_level(base_path + ['ppp-options'])
-
- if conf.exists(['ccp']):
- pppoe['ppp_ccp'] = True
-
- if conf.exists(['ipv4']):
- pppoe['ppp_ipv4'] = conf.return_value(['ipv4'])
-
- if conf.exists(['ipv6']):
- pppoe['ppp_ipv6'] = conf.return_value(['ipv6'])
-
- if conf.exists(['ipv6-accept-peer-intf-id']):
- pppoe['ppp_ipv6_peer_intf_id'] = True
-
- if conf.exists(['ipv6-intf-id']):
- pppoe['ppp_ipv6_intf_id'] = conf.return_value(['ipv6-intf-id'])
-
- if conf.exists(['ipv6-peer-intf-id']):
- pppoe['ppp_ipv6_peer_intf_id'] = conf.return_value(['ipv6-peer-intf-id'])
-
- if conf.exists(['lcp-echo-failure']):
- pppoe['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure'])
-
- if conf.exists(['lcp-echo-failure']):
- pppoe['ppp_echo_interval'] = conf.return_value(['lcp-echo-failure'])
-
- if conf.exists(['lcp-echo-timeout']):
- pppoe['ppp_echo_timeout'] = conf.return_value(['lcp-echo-timeout'])
-
- if conf.exists(['min-mtu']):
- pppoe['ppp_min_mtu'] = conf.return_value(['min-mtu'])
-
- if conf.exists(['mppe']):
- pppoe['ppp_mppe'] = conf.return_value(['mppe'])
-
- if conf.exists(['mru']):
- pppoe['ppp_mru'] = conf.return_value(['mru'])
-
- if conf.exists(['pado-delay']):
- pppoe['pado_delay'] = '0'
- a = {}
- for id in conf.list_nodes(['pado-delay']):
- if not conf.return_value(['pado-delay', id, 'sessions']):
- a[id] = 0
- else:
- a[id] = conf.return_value(['pado-delay', id, 'sessions'])
-
- for k in sorted(a.keys()):
- if k != sorted(a.keys())[-1]:
- pppoe['pado_delay'] += ",{0}:{1}".format(k, a[k])
- else:
- pppoe['pado_delay'] += ",{0}:{1}".format('-1', a[k])
-
+ # retrieve common dictionary keys
+ pppoe = get_accel_dict(conf, base, pppoe_chap_secrets)
return pppoe
-
def verify(pppoe):
if not pppoe:
return None
- # vertify auth settings
- if pppoe['auth_mode'] == 'local':
- if not pppoe['local_users']:
- raise ConfigError('PPPoE local auth mode requires local users to be configured!')
-
- for user in pppoe['local_users']:
- username = user['name']
- if not user['password']:
- raise ConfigError(f'Password required for local user "{username}"')
+ verify_accel_ppp_base_service(pppoe)
- # if up/download is set, check that both have a value
- if user['upload'] and not user['download']:
- raise ConfigError(f'Download speed value required for local user "{username}"')
-
- if user['download'] and not user['upload']:
- raise ConfigError(f'Upload speed value required for local user "{username}"')
-
- elif pppoe['auth_mode'] == 'radius':
- if len(pppoe['radius_server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
-
- for radius in pppoe['radius_server']:
- if not radius['key']:
- server = radius['server']
- raise ConfigError(f'Missing RADIUS secret key for server "{ server }"')
-
- if len(pppoe['wins']) > 2:
+ if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2:
raise ConfigError('Not more then two IPv4 WINS name-servers can be configured')
- if len(pppoe['dnsv4']) > 2:
- raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
-
- if len(pppoe['dnsv6']) > 3:
- raise ConfigError('Not more then three IPv6 DNS name-servers can be configured')
-
- if not pppoe['interfaces']:
+ if 'interface' not in pppoe:
raise ConfigError('At least one listen interface must be defined!')
# local ippool and gateway settings config checks
- if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']:
- if not pppoe['ppp_gw']:
- raise ConfigError('PPPoE server requires local IP to be configured')
+ if not (vyos_dict_search('client_ip_pool.subnet', pppoe) or
+ (vyos_dict_search('client_ip_pool.start', pppoe) and
+ vyos_dict_search('client_ip_pool.stop', pppoe))):
+ print('Warning: No PPPoE client pool defined')
- if pppoe['ppp_gw'] and not pppoe['client_ip_subnets'] and not pppoe['client_ip_pool']:
- print("Warning: No PPPoE client pool defined")
+ if vyos_dict_search('authentication.radius.dynamic_author.server', pppoe):
+ if not vyos_dict_search('authentication.radius.dynamic_author.key', pppoe):
+ raise ConfigError('DA/CoE server key required!')
return None
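Review bot: The rewritten verify() no longer requires a local gateway when a client pool is configured — the old `'PPPoE server requires local IP to be configured'` check has no counterpart in the new body, and nothing here inspects the local-ip node; unless `verify_accel_ppp_base_service` (defined outside this diff) covers it, a pool without a gateway now passes verify and only fails inside accel-ppp. Consider restoring it after the pool warning, e.g. `if vyos_dict_search('client_ip_pool', pppoe) and not vyos_dict_search('local_ip', pppoe): raise ConfigError('PPPoE server requires local IP to be configured')`, with the key name confirmed against what `get_accel_dict` produces. The message on the dynamic-author check reads `'DA/CoE server key required!'`; the protocol is CoA (Change of Authorization), so `'DA/CoA server key required!'`. The IPv4/IPv6 name-server count limits from the old verify are also gone from this file; presumably they moved into the shared helper, which is worth confirming.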
@@ -452,12 +75,12 @@ def generate(pppoe):
render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', pppoe, trim_blocks=True)
- if pppoe['local_users']:
- render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', pppoe, trim_blocks=True)
- os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
+ if vyos_dict_search('authentication.mode', pppoe) == 'local':
+ render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.config_dict.tmpl',
+ pppoe, trim_blocks=True, permission=0o640)
else:
if os.path.exists(pppoe_chap_secrets):
- os.unlink(pppoe_chap_secrets)
+ os.unlink(pppoe_chap_secrets)
return None
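Review bot: The chap-secrets file is now written whenever `authentication.mode` is `local` and relies on `render(..., permission=0o640)` to protect the credentials; make sure `render` creates the file with that mode before writing content (or writes to a temporary file and renames it), because a chmod after a default-umask write leaves a short window in which the secrets are readable by other local users — the previous `os.chmod` call had the same weakness, so this is an opportunity rather than a regression. The same pattern appears in the generate() hunk of src/conf_mode/vpn_sstp.py in this commit. Since rendering no longer depends on `local_users` being present, an empty chap-secrets file is written when mode is local but no user is configured, which is harmless but differs from the old behaviour.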
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 7fc370f99..2597ba42f 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -16,340 +16,66 @@
import os
-from time import sleep
from sys import exit
-from copy import deepcopy
-from stat import S_IRUSR, S_IWUSR, S_IRGRP
from vyos.config import Config
+from vyos.configdict import get_accel_dict
+from vyos.configverify import verify_accel_ppp_base_service
from vyos.template import render
-from vyos.util import call, run, get_half_cpus
-from vyos.validate import is_ipv4
+from vyos.util import call
+from vyos.util import vyos_dict_search
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
sstp_conf = '/run/accel-pppd/sstp.conf'
sstp_chap_secrets = '/run/accel-pppd/sstp.chap-secrets'
-default_config_data = {
- 'local_users' : [],
- 'auth_mode' : 'local',
- 'auth_proto' : ['auth_mschap_v2'],
- 'chap_secrets_file': sstp_chap_secrets, # used in Jinja2 template
- 'client_ip_pool' : [],
- 'client_ipv6_pool': [],
- 'client_ipv6_delegate_prefix': [],
- 'client_gateway': '',
- 'dnsv4' : [],
- 'dnsv6' : [],
- 'radius_server' : [],
- 'radius_acct_tmo' : '3',
- 'radius_max_try' : '3',
- 'radius_timeout' : '3',
- 'radius_nas_id' : '',
- 'radius_nas_ip' : '',
- 'radius_source_address' : '',
- 'radius_shaper_attr' : '',
- 'radius_shaper_vendor': '',
- 'radius_dynamic_author' : '',
- 'ssl_ca' : '',
- 'ssl_cert' : '',
- 'ssl_key' : '',
- 'mtu' : '',
- 'ppp_mppe' : 'prefer',
- 'ppp_echo_failure' : '',
- 'ppp_echo_interval' : '',
- 'ppp_echo_timeout' : '',
- 'thread_cnt' : get_half_cpus()
-}
-
def get_config(config=None):
- sstp = deepcopy(default_config_data)
- base_path = ['vpn', 'sstp']
if config:
conf = config
else:
conf = Config()
- if not conf.exists(base_path):
+ base = ['vpn', 'sstp']
+ if not conf.exists(base):
return None
- conf.set_level(base_path)
-
- if conf.exists(['authentication', 'mode']):
- sstp['auth_mode'] = conf.return_value(['authentication', 'mode'])
-
- #
- # local auth
- if conf.exists(['authentication', 'local-users']):
- for username in conf.list_nodes(['authentication', 'local-users', 'username']):
- user = {
- 'name' : username,
- 'password' : '',
- 'state' : 'enabled',
- 'ip' : '*',
- 'upload' : None,
- 'download' : None
- }
-
- conf.set_level(base_path + ['authentication', 'local-users', 'username', username])
-
- if conf.exists(['password']):
- user['password'] = conf.return_value(['password'])
-
- if conf.exists(['disable']):
- user['state'] = 'disable'
-
- if conf.exists(['static-ip']):
- user['ip'] = conf.return_value(['static-ip'])
-
- if conf.exists(['rate-limit', 'download']):
- user['download'] = conf.return_value(['rate-limit', 'download'])
-
- if conf.exists(['rate-limit', 'upload']):
- user['upload'] = conf.return_value(['rate-limit', 'upload'])
-
- sstp['local_users'].append(user)
-
- #
- # RADIUS auth and settings
- conf.set_level(base_path + ['authentication', 'radius'])
- if conf.exists(['server']):
- for server in conf.list_nodes(['server']):
- radius = {
- 'server' : server,
- 'key' : '',
- 'fail_time' : 0,
- 'port' : '1812',
- 'acct_port' : '1813'
- }
-
- conf.set_level(base_path + ['authentication', 'radius', 'server', server])
-
- if conf.exists(['fail-time']):
- radius['fail_time'] = conf.return_value(['fail-time'])
-
- if conf.exists(['port']):
- radius['port'] = conf.return_value(['port'])
-
- if conf.exists(['acct-port']):
- radius['acct_port'] = conf.return_value(['acct-port'])
-
- if conf.exists(['key']):
- radius['key'] = conf.return_value(['key'])
-
- if not conf.exists(['disable']):
- sstp['radius_server'].append(radius)
-
- #
- # advanced radius-setting
- conf.set_level(base_path + ['authentication', 'radius'])
-
- if conf.exists(['acct-timeout']):
- sstp['radius_acct_tmo'] = conf.return_value(['acct-timeout'])
-
- if conf.exists(['max-try']):
- sstp['radius_max_try'] = conf.return_value(['max-try'])
-
- if conf.exists(['timeout']):
- sstp['radius_timeout'] = conf.return_value(['timeout'])
-
- if conf.exists(['nas-identifier']):
- sstp['radius_nas_id'] = conf.return_value(['nas-identifier'])
-
- if conf.exists(['nas-ip-address']):
- sstp['radius_nas_ip'] = conf.return_value(['nas-ip-address'])
-
- if conf.exists(['source-address']):
- sstp['radius_source_address'] = conf.return_value(['source-address'])
-
- # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA)
- if conf.exists(['dynamic-author']):
- dae = {
- 'port' : '',
- 'server' : '',
- 'key' : ''
- }
-
- if conf.exists(['dynamic-author', 'server']):
- dae['server'] = conf.return_value(['dynamic-author', 'server'])
-
- if conf.exists(['dynamic-author', 'port']):
- dae['port'] = conf.return_value(['dynamic-author', 'port'])
-
- if conf.exists(['dynamic-author', 'key']):
- dae['key'] = conf.return_value(['dynamic-author', 'key'])
-
- sstp['radius_dynamic_author'] = dae
-
- if conf.exists(['rate-limit', 'enable']):
- sstp['radius_shaper_attr'] = 'Filter-Id'
- c_attr = ['rate-limit', 'enable', 'attribute']
- if conf.exists(c_attr):
- sstp['radius_shaper_attr'] = conf.return_value(c_attr)
-
- c_vendor = ['rate-limit', 'enable', 'vendor']
- if conf.exists(c_vendor):
- sstp['radius_shaper_vendor'] = conf.return_value(c_vendor)
-
- #
- # authentication protocols
- conf.set_level(base_path + ['authentication'])
- if conf.exists(['protocols']):
- # clear default list content, now populate with actual CLI values
- sstp['auth_proto'] = []
- auth_mods = {
- 'pap': 'auth_pap',
- 'chap': 'auth_chap_md5',
- 'mschap': 'auth_mschap_v1',
- 'mschap-v2': 'auth_mschap_v2'
- }
-
- for proto in conf.return_values(['protocols']):
- sstp['auth_proto'].append(auth_mods[proto])
-
- #
- # read in SSL certs
- conf.set_level(base_path + ['ssl'])
- if conf.exists(['ca-cert-file']):
- sstp['ssl_ca'] = conf.return_value(['ca-cert-file'])
-
- if conf.exists(['cert-file']):
- sstp['ssl_cert'] = conf.return_value(['cert-file'])
-
- if conf.exists(['key-file']):
- sstp['ssl_key'] = conf.return_value(['key-file'])
-
-
- #
- # read in client IPv4 pool
- conf.set_level(base_path + ['network-settings', 'client-ip-settings'])
- if conf.exists(['subnet']):
- sstp['client_ip_pool'] = conf.return_values(['subnet'])
-
- if conf.exists(['gateway-address']):
- sstp['client_gateway'] = conf.return_value(['gateway-address'])
-
- #
- # read in client IPv6 pool
- conf.set_level(base_path + ['network-settings', 'client-ipv6-pool'])
- if conf.exists(['prefix']):
- for prefix in conf.list_nodes(['prefix']):
- tmp = {
- 'prefix': prefix,
- 'mask': '64'
- }
-
- if conf.exists(['prefix', prefix, 'mask']):
- tmp['mask'] = conf.return_value(['prefix', prefix, 'mask'])
-
- sstp['client_ipv6_pool'].append(tmp)
-
- if conf.exists(['delegate']):
- for prefix in conf.list_nodes(['delegate']):
- tmp = {
- 'prefix': prefix,
- 'mask': ''
- }
-
- if conf.exists(['delegate', prefix, 'delegation-prefix']):
- tmp['mask'] = conf.return_value(['delegate', prefix, 'delegation-prefix'])
-
- sstp['client_ipv6_delegate_prefix'].append(tmp)
-
- #
- # read in network settings
- conf.set_level(base_path + ['network-settings'])
- if conf.exists(['name-server']):
- for name_server in conf.return_values(['name-server']):
- if is_ipv4(name_server):
- sstp['dnsv4'].append(name_server)
- else:
- sstp['dnsv6'].append(name_server)
-
- if conf.exists(['mtu']):
- sstp['mtu'] = conf.return_value(['mtu'])
-
- #
- # read in PPP stuff
- conf.set_level(base_path + ['ppp-settings'])
- if conf.exists('mppe'):
- sstp['ppp_mppe'] = conf.return_value(['ppp-settings', 'mppe'])
-
- if conf.exists(['lcp-echo-failure']):
- sstp['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure'])
-
- if conf.exists(['lcp-echo-interval']):
- sstp['ppp_echo_interval'] = conf.return_value(['lcp-echo-interval'])
-
- if conf.exists(['lcp-echo-timeout']):
- sstp['ppp_echo_timeout'] = conf.return_value(['lcp-echo-timeout'])
-
+ # retrieve common dictionary keys
+ sstp = get_accel_dict(conf, base, sstp_chap_secrets)
return sstp
-
def verify(sstp):
- if sstp is None:
+ if not sstp:
return None
- # vertify auth settings
- if sstp['auth_mode'] == 'local':
- if not sstp['local_users']:
- raise ConfigError('SSTP local auth mode requires local users to be configured!')
-
- for user in sstp['local_users']:
- username = user['name']
- if not user['password']:
- raise ConfigError(f'Password required for local user "{username}"')
-
- # if up/download is set, check that both have a value
- if user['upload'] and not user['download']:
- raise ConfigError(f'Download speed value required for local user "{username}"')
-
- if user['download'] and not user['upload']:
- raise ConfigError(f'Upload speed value required for local user "{username}"')
-
- if not sstp['client_ip_pool']:
- raise ConfigError('Client IP subnet required')
-
- if not sstp['client_gateway']:
- raise ConfigError('Client gateway IP address required')
-
- if len(sstp['dnsv4']) > 2:
- raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
+ verify_accel_ppp_base_service(sstp)
- # check ipv6
- if sstp['client_ipv6_delegate_prefix'] and not sstp['client_ipv6_pool']:
- raise ConfigError('IPv6 prefix delegation requires client-ipv6-pool prefix')
+ if not sstp['client_ip_pool']:
+ raise ConfigError('Client IP subnet required')
- for prefix in sstp['client_ipv6_delegate_prefix']:
- if not prefix['mask']:
- raise ConfigError('Delegation-prefix required for individual delegated networks')
-
- if not sstp['ssl_ca'] or not sstp['ssl_cert'] or not sstp['ssl_key']:
- raise ConfigError('One or more SSL certificates missing')
-
- if not os.path.exists(sstp['ssl_ca']):
- file = sstp['ssl_ca']
- raise ConfigError(f'SSL CA certificate file "{file}" does not exist')
-
- if not os.path.exists(sstp['ssl_cert']):
- file = sstp['ssl_cert']
- raise ConfigError(f'SSL public key file "{file}" does not exist')
-
- if not os.path.exists(sstp['ssl_key']):
- file = sstp['ssl_key']
- raise ConfigError(f'SSL private key file "{file}" does not exist')
+ #
+ # SSL certificate checks
+ #
+ tmp = vyos_dict_search('ssl.ca_cert_file', sstp)
+ if not tmp:
+ raise ConfigError(f'SSL CA certificate file required!')
+ else:
+ if not os.path.isfile(tmp):
+ raise ConfigError(f'SSL CA certificate "{tmp}" does not exist!')
- if sstp['auth_mode'] == 'radius':
- if len(sstp['radius_server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
+ tmp = vyos_dict_search('ssl.cert_file', sstp)
+ if not tmp:
+ raise ConfigError(f'SSL public key file required!')
+ else:
+ if not os.path.isfile(tmp):
+ raise ConfigError(f'SSL public key "{tmp}" does not exist!')
- for radius in sstp['radius_server']:
- if not radius['key']:
- server = radius['server']
- raise ConfigError(f'Missing RADIUS secret key for server "{ server }"')
+ tmp = vyos_dict_search('ssl.key_file', sstp)
+ if not tmp:
+ raise ConfigError(f'SSL private key file required!')
+ else:
+ if not os.path.isfile(tmp):
+ raise ConfigError(f'SSL private key "{tmp}" does not exist!')
def generate(sstp):
if not sstp:
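Review bot: `if not sstp['client_ip_pool']:` in the new verify() indexes the key directly, so a configuration without a client pool raises KeyError instead of the intended ConfigError — the dictionary built by `get_accel_dict` appears to carry only configured nodes, unlike the old `default_config_data` which guaranteed the key. Use the same lookup style as the rest of the function and as the pppoe verify in this commit: `if not vyos_dict_search('client_ip_pool', sstp):`. The three `raise ConfigError(f'... required!')` messages are f-strings without placeholders; plain string literals would do. The old `'Client gateway IP address required'` check and the IPv6 delegation-prefix checks have no counterpart here; presumably they moved into `verify_accel_ppp_base_service`, which is outside this diff and worth confirming. The generate() whose first lines close this hunk continues past it.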
@@ -358,9 +84,9 @@ def generate(sstp):
# accel-cmd reload doesn't work so any change results in a restart of the daemon
render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp, trim_blocks=True)
- if sstp['local_users']:
- render(sstp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', sstp, trim_blocks=True)
- os.chmod(sstp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
+ if vyos_dict_search('authentication.mode', sstp) == 'local':
+ render(sstp_chap_secrets, 'accel-ppp/chap-secrets.config_dict.tmpl',
+ sstp, trim_blocks=True, permission=0o640)
else:
if os.path.exists(sstp_chap_secrets):
os.unlink(sstp_chap_secrets)
diff --git a/src/conf_mode/vrrp.py b/src/conf_mode/vrrp.py
index f1ceb261b..4510dd3e7 100755
--- a/src/conf_mode/vrrp.py
+++ b/src/conf_mode/vrrp.py
@@ -62,6 +62,7 @@ def get_config(config=None):
group["sync_group"] = config.return_value("sync-group")
group["preempt_delay"] = config.return_value("preempt-delay")
group["virtual_addresses"] = config.return_values("virtual-address")
+ group["virtual_addresses_excluded"] = config.return_values("virtual-address-excluded")
group["auth_password"] = config.return_value("authentication password")
group["auth_type"] = config.return_value("authentication type")
diff --git a/src/migration-scripts/pppoe-server/0-to-1 b/src/migration-scripts/pppoe-server/0-to-1
index bb24211b6..063c7eb56 100755
--- a/src/migration-scripts/pppoe-server/0-to-1
+++ b/src/migration-scripts/pppoe-server/0-to-1
@@ -1,37 +1,50 @@
#!/usr/bin/env python3
-
-# Convert "service pppoe-server authentication radius-server node key"
-# to:
-# "service pppoe-server authentication radius-server node secret"
-
-import sys
-
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Convert "service pppoe-server authentication radius-server node key"
+# to: "service pppoe-server authentication radius-server node secret"
+
+from sys import argv, exit
from vyos.configtree import ConfigTree
-if (len(sys.argv) < 1):
+if (len(argv) < 1):
print("Must specify file name!")
- sys.exit(1)
+ exit(1)
-file_name = sys.argv[1]
+file_name = argv[1]
with open(file_name, 'r') as f:
config_file = f.read()
ctree = ConfigTree(config_file)
+base = ['service', 'pppoe-server', 'authentication', 'radius-server']
-
-if not ctree.exists(['service', 'pppoe-server', 'authentication','radius-server']):
+if not ctree.exists(base):
# Nothing to do
- sys.exit(0)
+ exit(0)
else:
- nodes = ctree.list_nodes(['service', 'pppoe-server', 'authentication','radius-server'])
- for node in nodes:
- if ctree.exists(['service', 'pppoe-server', 'authentication', 'radius-server', node, 'key']):
- val = ctree.return_value(['service', 'pppoe-server', 'authentication', 'radius-server', node, 'key'])
- ctree.set(['service', 'pppoe-server', 'authentication', 'radius-server', node, 'secret'], value=val, replace=False)
- ctree.delete(['service', 'pppoe-server', 'authentication', 'radius-server', node, 'key'])
- try:
- open(file_name,'w').write(ctree.to_string())
- except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- sys.exit(1)
+ nodes = ctree.list_nodes(base)
+ for node in nodes:
+ if ctree.exists(base + [node, 'key']):
+ val = ctree.return_value(base + [node, 'key'])
+ ctree.set(base + [node, 'secret'], value=val, replace=False)
+ ctree.delete(base + [node, 'key'])
+
+ try:
+ open(file_name,'w').write(ctree.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
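Review bot: The guard `if (len(argv) < 1)` can never fire, because `argv[0]` is always the script name, so running the script without a file argument dies with an IndexError at `file_name = argv[1]` instead of printing the intended message; it should read `if len(argv) < 2:`. The rewrite also keeps `open(file_name,'w').write(ctree.to_string())` without a context manager, leaving the handle to be closed by garbage collection; `with open(file_name, 'w') as f: f.write(ctree.to_string())` matches the other migration scripts in this commit. Given that this file holds RADIUS secrets, a clean close-and-flush path matters more than usual.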
diff --git a/src/migration-scripts/pppoe-server/1-to-2 b/src/migration-scripts/pppoe-server/1-to-2
index fa83896d3..902efb86b 100755
--- a/src/migration-scripts/pppoe-server/1-to-2
+++ b/src/migration-scripts/pppoe-server/1-to-2
@@ -1,38 +1,61 @@
#!/usr/bin/env python3
-
-# Convert "service pppoe-server interface ethX"
-# to:
-# "service pppoe-server interface ethX {}"
-
-import sys
-
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# change mppe node to a leaf node with value prefer
+
+import os
+
+from sys import argv, exit
from vyos.configtree import ConfigTree
-if (len(sys.argv) < 1):
+if (len(argv) < 1):
print("Must specify file name!")
- sys.exit(1)
+ exit(1)
-file_name = sys.argv[1]
+file_name = argv[1]
with open(file_name, 'r') as f:
config_file = f.read()
-ctree = ConfigTree(config_file)
-cbase = ['service', 'pppoe-server','interface']
-
-if not ctree.exists(cbase):
- sys.exit(0)
+config = ConfigTree(config_file)
+base = ['service', 'pppoe-server']
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
else:
- nics = ctree.return_values(cbase)
- # convert leafNode to a tagNode
- ctree.set(cbase)
- ctree.set_tag(cbase)
- for nic in nics:
- ctree.set(cbase + [nic])
-
- try:
- open(file_name,'w').write(ctree.to_string())
- except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- sys.exit(1)
+ mppe_base = base + ['ppp-options', 'mppe']
+ if config.exists(mppe_base):
+ # get current values
+ tmp = config.list_nodes(mppe_base)
+ # drop node(s) first ...
+ config.delete(mppe_base)
+
+ print(tmp)
+ # set new value based on preference
+ if 'require' in tmp:
+ config.set(mppe_base, value='require')
+ elif 'prefer' in tmp:
+ config.set(mppe_base, value='prefer')
+ elif 'deny' in tmp:
+ config.set(mppe_base, value='deny')
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
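Review bot: `print(tmp)` right after `config.delete(mppe_base)` looks like a leftover debug statement and should be removed, as migration scripts run non-interactively during config load. The newly added `import os` is not used anywhere in the body. The `require` > `prefer` > `deny` ordering means that when several mppe child nodes were present the strictest wins, which is the safe direction; a comment such as `# when several were set, keep the strictest (require > prefer > deny)` would make that intent explicit. The `if (len(argv) < 1)` check is off by one — `argv[0]` is the script name — and should be `if len(argv) < 2:`.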
diff --git a/src/migration-scripts/pppoe-server/2-to-3 b/src/migration-scripts/pppoe-server/2-to-3
index 5f9730a41..7cae3b5bc 100755
--- a/src/migration-scripts/pppoe-server/2-to-3
+++ b/src/migration-scripts/pppoe-server/2-to-3
@@ -14,9 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-# - remove primary/secondary identifier from nameserver
-
-import os
+# Convert "service pppoe-server interface ethX" to: "service pppoe-server interface ethX {}"
from sys import argv, exit
from vyos.configtree import ConfigTree
@@ -30,112 +28,21 @@ file_name = argv[1]
with open(file_name, 'r') as f:
config_file = f.read()
-config = ConfigTree(config_file)
-base = ['service', 'pppoe-server']
-if not config.exists(base):
- # Nothing to do
+ctree = ConfigTree(config_file)
+cbase = ['service', 'pppoe-server','interface']
+
+if not ctree.exists(cbase):
exit(0)
else:
-
- # Migrate IPv4 DNS servers
- dns_base = base + ['dns-servers']
- if config.exists(dns_base):
- for server in ['server-1', 'server-2']:
- if config.exists(dns_base + [server]):
- dns = config.return_value(dns_base + [server])
- config.set(base + ['name-server'], value=dns, replace=False)
-
- config.delete(dns_base)
-
- # Migrate IPv6 DNS servers
- dns_base = base + ['dnsv6-servers']
- if config.exists(dns_base):
- for server in ['server-1', 'server-2', 'server-3']:
- if config.exists(dns_base + [server]):
- dns = config.return_value(dns_base + [server])
- config.set(base + ['name-server'], value=dns, replace=False)
-
- config.delete(dns_base)
-
- # Migrate IPv4 WINS servers
- wins_base = base + ['wins-servers']
- if config.exists(wins_base):
- for server in ['server-1', 'server-2']:
- if config.exists(wins_base + [server]):
- wins = config.return_value(wins_base + [server])
- config.set(base + ['wins-server'], value=wins, replace=False)
-
- config.delete(wins_base)
-
- # Migrate radius-settings node to RADIUS and use this as base for the
- # later migration of the RADIUS servers - this will save a lot of code
- radius_settings = base + ['authentication', 'radius-settings']
- if config.exists(radius_settings):
- config.rename(radius_settings, 'radius')
-
- # Migrate RADIUS dynamic author / change of authorisation server
- dae_old = base + ['authentication', 'radius', 'dae-server']
- if config.exists(dae_old):
- config.rename(dae_old, 'dynamic-author')
- dae_new = base + ['authentication', 'radius', 'dynamic-author']
-
- if config.exists(dae_new + ['ip-address']):
- config.rename(dae_new + ['ip-address'], 'server')
-
- if config.exists(dae_new + ['secret']):
- config.rename(dae_new + ['secret'], 'key')
-
- # Migrate RADIUS server
- radius_server = base + ['authentication', 'radius-server']
- if config.exists(radius_server):
- new_base = base + ['authentication', 'radius', 'server']
- config.set(new_base)
- config.set_tag(new_base)
- for server in config.list_nodes(radius_server):
- old_base = radius_server + [server]
- config.copy(old_base, new_base + [server])
-
- # migrate key
- if config.exists(new_base + [server, 'secret']):
- config.rename(new_base + [server, 'secret'], 'key')
-
- # remove old req-limit node
- if config.exists(new_base + [server, 'req-limit']):
- config.delete(new_base + [server, 'req-limit'])
-
- config.delete(radius_server)
-
- # Migrate IPv6 prefixes
- ipv6_base = base + ['client-ipv6-pool']
- if config.exists(ipv6_base + ['prefix']):
- prefix_old = config.return_values(ipv6_base + ['prefix'])
- # delete old prefix CLI nodes
- config.delete(ipv6_base + ['prefix'])
- # create ned prefix tag node
- config.set(ipv6_base + ['prefix'])
- config.set_tag(ipv6_base + ['prefix'])
-
- for p in prefix_old:
- prefix = p.split(',')[0]
- mask = p.split(',')[1]
- config.set(ipv6_base + ['prefix', prefix, 'mask'], value=mask)
-
- if config.exists(ipv6_base + ['delegate-prefix']):
- prefix_old = config.return_values(ipv6_base + ['delegate-prefix'])
- # delete old delegate prefix CLI nodes
- config.delete(ipv6_base + ['delegate-prefix'])
- # create ned delegation tag node
- config.set(ipv6_base + ['delegate'])
- config.set_tag(ipv6_base + ['delegate'])
-
- for p in prefix_old:
- prefix = p.split(',')[0]
- mask = p.split(',')[1]
- config.set(ipv6_base + ['delegate', prefix, 'delegation-prefix'], value=mask)
+ nics = ctree.return_values(cbase)
+ # convert leafNode to a tagNode
+ ctree.set(cbase)
+ ctree.set_tag(cbase)
+ for nic in nics:
+ ctree.set(cbase + [nic])
try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
+ open(file_name,'w').write(ctree.to_string())
except OSError as e:
print("Failed to save the modified config: {}".format(e))
exit(1)
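Review bot: The final write regresses from the `with open(file_name, 'w') as f:` form the removed lines used to a bare `open(file_name,'w').write(ctree.to_string())`, which relies on garbage collection to close the handle; keep `with open(file_name, 'w') as f: f.write(ctree.to_string())` as the other scripts in this commit do. This hunk also moves the interface leaf-to-tag conversion from 1-to-2 into 2-to-3, so a config that already reached version 2 under the old numbering (with `interface` already a tag node) will now run it again; whether `return_values` followed by `set`/`set_tag` on an existing tag node is harmless depends on ConfigTree and is worth testing with such a config rather than assuming. The `if (len(argv) < 1)` guard is outside the hunk but remains off by one.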
diff --git a/src/migration-scripts/pppoe-server/3-to-4 b/src/migration-scripts/pppoe-server/3-to-4
index ed5a01625..5f9730a41 100755
--- a/src/migration-scripts/pppoe-server/3-to-4
+++ b/src/migration-scripts/pppoe-server/3-to-4
@@ -14,7 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-# change mppe node to a leaf node with value prefer
+# - remove primary/secondary identifier from nameserver
import os
@@ -36,15 +36,102 @@ if not config.exists(base):
# Nothing to do
exit(0)
else:
- mppe_base = base + ['ppp-options', 'mppe']
- if config.exists(mppe_base):
- # drop node first ...
- config.delete(mppe_base)
- # ... and set new default
- config.set(mppe_base, value='prefer')
-
- print(config.to_string())
- exit(1)
+
+ # Migrate IPv4 DNS servers
+ dns_base = base + ['dns-servers']
+ if config.exists(dns_base):
+ for server in ['server-1', 'server-2']:
+ if config.exists(dns_base + [server]):
+ dns = config.return_value(dns_base + [server])
+ config.set(base + ['name-server'], value=dns, replace=False)
+
+ config.delete(dns_base)
+
+ # Migrate IPv6 DNS servers
+ dns_base = base + ['dnsv6-servers']
+ if config.exists(dns_base):
+ for server in ['server-1', 'server-2', 'server-3']:
+ if config.exists(dns_base + [server]):
+ dns = config.return_value(dns_base + [server])
+ config.set(base + ['name-server'], value=dns, replace=False)
+
+ config.delete(dns_base)
+
+ # Migrate IPv4 WINS servers
+ wins_base = base + ['wins-servers']
+ if config.exists(wins_base):
+ for server in ['server-1', 'server-2']:
+ if config.exists(wins_base + [server]):
+ wins = config.return_value(wins_base + [server])
+ config.set(base + ['wins-server'], value=wins, replace=False)
+
+ config.delete(wins_base)
+
+ # Migrate radius-settings node to RADIUS and use this as base for the
+ # later migration of the RADIUS servers - this will save a lot of code
+ radius_settings = base + ['authentication', 'radius-settings']
+ if config.exists(radius_settings):
+ config.rename(radius_settings, 'radius')
+
+ # Migrate RADIUS dynamic author / change of authorisation server
+ dae_old = base + ['authentication', 'radius', 'dae-server']
+ if config.exists(dae_old):
+ config.rename(dae_old, 'dynamic-author')
+ dae_new = base + ['authentication', 'radius', 'dynamic-author']
+
+ if config.exists(dae_new + ['ip-address']):
+ config.rename(dae_new + ['ip-address'], 'server')
+
+ if config.exists(dae_new + ['secret']):
+ config.rename(dae_new + ['secret'], 'key')
+
+ # Migrate RADIUS server
+ radius_server = base + ['authentication', 'radius-server']
+ if config.exists(radius_server):
+ new_base = base + ['authentication', 'radius', 'server']
+ config.set(new_base)
+ config.set_tag(new_base)
+ for server in config.list_nodes(radius_server):
+ old_base = radius_server + [server]
+ config.copy(old_base, new_base + [server])
+
+ # migrate key
+ if config.exists(new_base + [server, 'secret']):
+ config.rename(new_base + [server, 'secret'], 'key')
+
+ # remove old req-limit node
+ if config.exists(new_base + [server, 'req-limit']):
+ config.delete(new_base + [server, 'req-limit'])
+
+ config.delete(radius_server)
+
+ # Migrate IPv6 prefixes
+ ipv6_base = base + ['client-ipv6-pool']
+ if config.exists(ipv6_base + ['prefix']):
+ prefix_old = config.return_values(ipv6_base + ['prefix'])
+ # delete old prefix CLI nodes
+ config.delete(ipv6_base + ['prefix'])
+ # create ned prefix tag node
+ config.set(ipv6_base + ['prefix'])
+ config.set_tag(ipv6_base + ['prefix'])
+
+ for p in prefix_old:
+ prefix = p.split(',')[0]
+ mask = p.split(',')[1]
+ config.set(ipv6_base + ['prefix', prefix, 'mask'], value=mask)
+
+ if config.exists(ipv6_base + ['delegate-prefix']):
+ prefix_old = config.return_values(ipv6_base + ['delegate-prefix'])
+ # delete old delegate prefix CLI nodes
+ config.delete(ipv6_base + ['delegate-prefix'])
+ # create ned delegation tag node
+ config.set(ipv6_base + ['delegate'])
+ config.set_tag(ipv6_base + ['delegate'])
+
+ for p in prefix_old:
+ prefix = p.split(',')[0]
+ mask = p.split(',')[1]
+ config.set(ipv6_base + ['delegate', prefix, 'delegation-prefix'], value=mask)
try:
with open(file_name, 'w') as f:
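Review bot: `mask = p.split(',')[1]` in both the `prefix` and `delegate-prefix` loops raises IndexError if an old value lacks the `,mask` suffix, and an unhandled exception here presumably aborts the whole migration run with a traceback; `prefix, sep, mask = p.partition(','); if not sep: print(f'Malformed prefix value: {p}'); exit(1)` fails with a readable message instead. Whether the old CLI validator guaranteed the comma is not visible here — if it did, the guard is cheap insurance. The trailing `try:` block continues outside the hunk.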
diff --git a/src/migration-scripts/pppoe-server/4-to-5 b/src/migration-scripts/pppoe-server/4-to-5
new file mode 100755
index 000000000..05e9c17d6
--- /dev/null
+++ b/src/migration-scripts/pppoe-server/4-to-5
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# - rename local-ip to gateway-address
+
+from vyos.configtree import ConfigTree
+from sys import argv
+from sys import exit
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base_path = ['service', 'pppoe-server']
+if not config.exists(base_path):
+ # Nothing to do
+ exit(0)
+else:
+ config_gw = base_path + ['local-ip']
+ if config.exists(config_gw):
+ config.rename(config_gw, 'gateway-address')
+ config.delete(config_gw)
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
+
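Review bot: `config.rename(config_gw, 'gateway-address')` followed by `config.delete(config_gw)` looks inconsistent: after the rename the old `local-ip` path no longer exists, so the delete is either a no-op or an error depending on how ConfigTree treats missing paths. The other new script in this commit (sstp/2-to-3) uses `copy` + `delete` for the same kind of move; either use that pair here or drop the `config.delete(config_gw)` line. As in the sibling scripts, `if (len(argv) < 1)` should be `if len(argv) < 2:` because `argv[0]` is the script name.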
diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1
index 0e8dd1c4b..dc65bdeab 100755
--- a/src/migration-scripts/sstp/0-to-1
+++ b/src/migration-scripts/sstp/0-to-1
@@ -107,9 +107,9 @@ else:
config.delete(radius_server)
# migrate SSL certificates
- old_ssl = new_base + ['sstp-settings', 'ssl-certs']
+ old_ssl = new_base + ['sstp-settings']
new_ssl = new_base + ['ssl']
- config.copy(old_ssl, new_ssl)
+ config.copy(old_ssl + ['ssl-certs'], new_ssl)
config.delete(old_ssl)
if config.exists(new_ssl + ['ca']):
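Review bot: `config.delete(old_ssl)` now removes the entire `sstp-settings` subtree rather than just `ssl-certs`, so any other child an old config may have under `sstp-settings` is dropped silently; if `ssl-certs` is known to be its only child, say so with `# ssl-certs is the only child of sstp-settings, so drop the parent`, otherwise migrate or at least report whatever remains. There is also no `config.exists(old_ssl + ['ssl-certs'])` guard before the copy, so a config with `sstp-settings` but no `ssl-certs` would presumably fail in `copy` (pre-existing, but this hunk rewrites that line). The enclosing `else:` block begins outside the hunk.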
@@ -121,7 +121,6 @@ else:
if config.exists(new_ssl + ['server-key']):
config.rename(new_ssl + ['server-key'], 'key-file')
-
try:
with open(file_name, 'w') as f:
f.write(config.to_string())
diff --git a/src/migration-scripts/sstp/2-to-3 b/src/migration-scripts/sstp/2-to-3
new file mode 100755
index 000000000..963b2ba4b
--- /dev/null
+++ b/src/migration-scripts/sstp/2-to-3
@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# - Rename SSTP ppp-settings node to ppp-options to make use of a common
+# Jinja Template to render Accel-PPP services
+
+from vyos.configtree import ConfigTree
+from sys import argv
+from sys import exit
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base_path = ['vpn', 'sstp']
+if not config.exists(base_path):
+ # Nothing to do
+ exit(0)
+else:
+ if config.exists(base_path + ['ppp-settings']):
+ config.rename(base_path + ['ppp-settings'], 'ppp-options')
+
+ config_ns = base_path + ['network-settings', 'name-server']
+ if config.exists(config_ns):
+ config.copy(config_ns, base_path + ['name-server'])
+ config.delete(config_ns)
+
+ config_mtu = base_path + ['network-settings', 'mtu']
+ if config.exists(config_mtu):
+ config.copy(config_mtu, base_path + ['mtu'])
+ config.delete(config_mtu)
+
+ config_gw = base_path + ['network-settings', 'client-ip-settings', 'gateway-address']
+ if config.exists(config_gw):
+ config.copy(config_gw, base_path + ['gateway-address'])
+ config.delete(config_gw)
+
+ config_client_ip = base_path + ['network-settings', 'client-ip-settings']
+ if config.exists(config_client_ip):
+ config.copy(config_client_ip, base_path + ['client-ip-pool'])
+ config.delete(config_client_ip)
+
+ config_client_ipv6 = base_path + ['network-settings', 'client-ipv6-pool']
+ if config.exists(config_client_ipv6):
+ config.copy(config_client_ipv6, base_path + ['client-ipv6-pool'])
+ config.delete(config_client_ipv6)
+
+ # all nodes now have been migrated out of network-settings - delete node
+ config_nw_settings = base_path + ['network-settings']
+ if config.exists(config_nw_settings):
+ config.delete(config_nw_settings)
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
+
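Review bot: `if (len(argv) < 1)` can never be true because `argv[0]` is the script name, so a missing file argument produces an IndexError traceback from `file_name = argv[1]` rather than the intended message; use `if len(argv) < 2:`. Each copy+delete pair is guarded by `exists`, which is good, but the final `config.delete(config_nw_settings)` discards anything under `network-settings` that the five listed paths did not cover; a comment such as `# name-server, mtu, client-ip-settings and client-ipv6-pool are the only children; anything else is dropped`, or a check that the node is empty before deleting, would make that explicit.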
diff --git a/src/op_mode/show_openvpn.py b/src/op_mode/show_openvpn.py
index 32918ddce..1da4c7ecb 100755
--- a/src/op_mode/show_openvpn.py
+++ b/src/op_mode/show_openvpn.py
@@ -51,7 +51,7 @@ def bytes2HR(size):
return output
def get_status(mode, interface):
- status_file = '/opt/vyatta/etc/openvpn/status/{}.status'.format(interface)
+ status_file = '/var/run/openvpn/{}.status'.format(interface)
# this is an empirical value - I assume we have no more then 999999
# current OpenVPN connections
routing_table_line = 999999
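Review bot: `interface` is interpolated straight into `'/var/run/openvpn/{}.status'`, and since this is an op-mode script taking the name from the command line, a value such as `../../etc/passwd` would select a file outside the status directory; presumably the CLI completion restricts the name, but the script itself does not check. A cheap guard before building the path, `if '/' in interface or interface in ('.', '..'): raise ValueError('invalid interface name')`, keeps the read confined to that directory. `get_status` continues outside the hunk, so how the file is read afterwards is not visible here.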
@@ -175,4 +175,3 @@ if __name__ == '__main__':
tmpl = jinja2.Template(outp_tmpl)
print(tmpl.render(data))
-
diff --git a/src/services/vyos-configd b/src/services/vyos-configd
index 642952936..671a89036 100755
--- a/src/services/vyos-configd
+++ b/src/services/vyos-configd
@@ -27,7 +27,7 @@ import importlib.util
import zmq
from vyos.defaults import directories
-from vyos.configsource import ConfigSourceString
+from vyos.configsource import ConfigSourceString, ConfigSourceError
from vyos.config import Config
from vyos import ConfigError
@@ -59,9 +59,6 @@ configd_env_unset_file = os.path.join(directories['data'], 'vyos-configd-env-uns
# sourced on entering config session
configd_env_file = '/etc/default/vyos-configd-env'
-active_string = ''
-session_string = ''
-
session_tty = None
def key_name_from_file_name(f):
@@ -137,8 +134,19 @@ def initialization(socket):
# Reset config strings:
active_string = ''
session_string = ''
+ # check first for resent init msg, in case of client timeout
+ while True:
+ msg = socket.recv().decode()
+ try:
+ message = json.loads(msg)
+ if message["type"] == "init":
+ resp = "init"
+ socket.send(resp.encode())
+ except:
+ break
+
# zmq synchronous for ipc from single client:
- active_string = socket.recv().decode()
+ active_string = msg
resp = "active"
socket.send(resp.encode())
session_string = socket.recv().decode()
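Review bot: The bare `except:` around `json.loads` and `message["type"]` swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and a message that parses as JSON but is not `init` sends no reply and loops straight back to `recv()` — assuming `socket` is a zmq REP socket, that second receive without an intervening send fails with a state error outside the `try`. Narrow the except to the decode failures you actually expect and make the non-init case explicit, treating it as the active config string the same way non-JSON text already is. `initialization` starts outside the hunk.
```python
            while True:
                msg = socket.recv().decode()
                try:
                    message = json.loads(msg)
                except ValueError:
                    break
                if not (isinstance(message, dict) and message.get("type") == "init"):
                    break
                socket.send(b"init")
            # … unchanged: active_string = msg and the active/session exchange …
```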
@@ -154,8 +162,12 @@ def initialization(socket):
except FileNotFoundError:
session_tty = None
- configsource = ConfigSourceString(running_config_text=active_string,
- session_config_text=session_string)
+ try:
+ configsource = ConfigSourceString(running_config_text=active_string,
+ session_config_text=session_string)
+ except ConfigSourceError as e:
+ logger.debug(e)
+ return None
config = Config(config_source=configsource)