diff options
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/ipsec-settings.py | 6 | ||||
-rwxr-xr-x | src/conf_mode/protocols_static_multicast.py | 115 | ||||
-rwxr-xr-x | src/conf_mode/service_ipoe-server.py | 4 | ||||
-rwxr-xr-x | src/conf_mode/service_pppoe-server.py | 14 | ||||
-rwxr-xr-x | src/conf_mode/vpn_l2tp.py | 12 | ||||
-rwxr-xr-x | src/conf_mode/vpn_pptp.py | 426 | ||||
-rwxr-xr-x | src/conf_mode/vpn_sstp.py | 10 | ||||
-rwxr-xr-x | src/migration-scripts/pptp/1-to-2 | 71 | ||||
-rwxr-xr-x | src/op_mode/version.py | 93 | ||||
-rwxr-xr-x | src/op_mode/vrrp.py | 1 | ||||
-rwxr-xr-x | src/services/vyos-http-api-server | 34 |
11 files changed, 477 insertions, 309 deletions
diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py index da19dcb26..3398bcdf2 100755 --- a/src/conf_mode/ipsec-settings.py +++ b/src/conf_mode/ipsec-settings.py @@ -170,7 +170,7 @@ def generate(data): if data["ipsec_l2tp"]: remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_file) # old_umask = os.umask(0o077) - # render(ipsec_secrets_file, 'ipsec/ipsec.secrets.tmpl', c, trim_blocks=True) + # render(ipsec_secrets_file, 'ipsec/ipsec.secrets.tmpl', data, trim_blocks=True) # os.umask(old_umask) ## Use this method while IPSec CLI handler won't be overwritten to python write_ipsec_secrets(data) @@ -181,12 +181,12 @@ def generate(data): if not os.path.exists(ipsec_ra_conn_dir): os.makedirs(ipsec_ra_conn_dir) - render(ipsec_ra_conn_file, 'ipsec/remote-access.tmpl', c, trim_blocks=True) + render(ipsec_ra_conn_file, 'ipsec/remote-access.tmpl', data, trim_blocks=True) os.umask(old_umask) remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_file) # old_umask = os.umask(0o077) - # render(ipsec_conf_file, 'ipsec/ipsec.conf.tmpl', c, trim_blocks=True) + # render(ipsec_conf_file, 'ipsec/ipsec.conf.tmpl', data, trim_blocks=True) # os.umask(old_umask) ## Use this method while IPSec CLI handler won't be overwritten to python write_ipsec_conf(data) diff --git a/src/conf_mode/protocols_static_multicast.py b/src/conf_mode/protocols_static_multicast.py new file mode 100755 index 000000000..411a130ec --- /dev/null +++ b/src/conf_mode/protocols_static_multicast.py @@ -0,0 +1,115 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from ipaddress import IPv4Address +from sys import exit + +from vyos import ConfigError +from vyos.config import Config +from vyos.util import call +from vyos.template import render + + +config_file = r'/tmp/static_mcast.frr' + +# Get configuration for static multicast route +def get_config(): + conf = Config() + mroute = { + 'old_mroute' : {}, + 'mroute' : {} + } + + base_path = "protocols static multicast" + + if not (conf.exists(base_path) or conf.exists_effective(base_path)): + return None + + conf.set_level(base_path) + + # Get multicast effective routes + for route in conf.list_effective_nodes('route'): + mroute['old_mroute'][route] = {} + for next_hop in conf.list_effective_nodes('route {0} next-hop'.format(route)): + mroute['old_mroute'][route].update({ + next_hop : conf.return_value('route {0} next-hop {1} distance'.format(route, next_hop)) + }) + + # Get multicast effective interface-routes + for route in conf.list_effective_nodes('interface-route'): + if not route in mroute['old_mroute']: + mroute['old_mroute'][route] = {} + for next_hop in conf.list_effective_nodes('interface-route {0} next-hop-interface'.format(route)): + mroute['old_mroute'][route].update({ + next_hop : conf.return_value('interface-route {0} next-hop-interface {1} distance'.format(route, next_hop)) + }) + + # Get multicast routes + for route in conf.list_nodes('route'): + mroute['mroute'][route] = {} + for next_hop in conf.list_nodes('route {0} next-hop'.format(route)): + mroute['mroute'][route].update({ + next_hop : conf.return_value('route {0} next-hop {1} distance'.format(route, next_hop)) + }) + + # Get multicast interface-routes + for route in conf.list_nodes('interface-route'): + if not route in mroute['mroute']: + mroute['mroute'][route] = {} + for next_hop in conf.list_nodes('interface-route {0} next-hop-interface'.format(route)): + mroute['mroute'][route].update({ + next_hop : conf.return_value('interface-route {0} next-hop-interface {1} distance'.format(route, next_hop)) + }) + + return mroute + +def verify(mroute): + if mroute is None: + return None + + for route in mroute['mroute']: + route = route.split('/') + if IPv4Address(route[0]) < IPv4Address('224.0.0.0'): + raise ConfigError(route + " not a multicast network") + +def generate(mroute): + if mroute is None: + return None + + render(config_file, 'frr-mcast/static_mcast.frr.tmpl', mroute) + return None + +def apply(mroute): + if mroute is None: + return None + + if os.path.exists(config_file): + call("sudo vtysh -d staticd -f " + config_file) + os.remove(config_file) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 23a2091bd..17fa2c3f0 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -238,7 +238,7 @@ def verify(ipoe): for interface in ipoe['interfaces']: if not interface['range']: - raise ConfigError(f'No IPoE client subnet defined on interface "{{ interface }}"') + raise ConfigError(f'No IPoE client subnet defined on interface "{ interface }"') if len(ipoe['dnsv4']) > 2: raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') @@ -253,7 +253,7 @@ def verify(ipoe): for radius in ipoe['radius_server']: if not radius['key']: server = radius['server'] - raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') + raise ConfigError(f'Missing RADIUS secret key for server "{ server }"') if ipoe['client_ipv6_delegate_prefix'] and not ipoe['client_ipv6_pool']: raise ConfigError('IPoE IPv6 deletate-prefix requires IPv6 prefix to be configured!') diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index f0dd3751a..95cb066d8 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -23,7 +23,7 @@ from sys import exit from vyos.config import Config from vyos.template import render -from vyos.util import call +from vyos.util import call, get_half_cpus() from vyos.validate import is_ipv4 from vyos import ConfigError @@ -78,7 +78,7 @@ default_config_data = { 'radius_dynamic_author': '', 'sesscrtl': 'replace', 'snmp': False, - 'thread_cnt': '1' + 'thread_cnt': get_half_cpus() } def get_config(): @@ -90,10 +90,6 @@ def get_config(): conf.set_level(base_path) pppoe = deepcopy(default_config_data) - cpu = os.cpu_count() - if cpu > 1: - pppoe['thread_cnt'] = int(cpu/2) - # general options if conf.exists(['access-concentrator']): pppoe['concentrator'] = conf.return_value(['access-concentrator']) @@ -393,7 +389,7 @@ def verify(pppoe): for radius in pppoe['radius_server']: if not radius['key']: server = radius['server'] - raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') + raise ConfigError(f'Missing RADIUS secret key for server "{ server }"') if len(pppoe['wins']) > 2: raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') @@ -423,10 +419,10 @@ def generate(pppoe): if not os.path.exists(dirname): os.mkdir(dirname) - render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', c, trim_blocks=True) + render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', pppoe, trim_blocks=True) if pppoe['local_users']: - render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', c, trim_blocks=True) + render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', pppoe, trim_blocks=True) os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: if os.path.exists(pppoe_chap_secrets): diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 417520e09..a4ef99d45 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -25,7 +25,7 @@ from time import sleep from ipaddress import ip_network from vyos.config import Config -from vyos.util import call +from vyos.util import call, get_half_cpus from vyos.validate import is_ipv4 from vyos import ConfigError from vyos.template import render @@ -65,7 +65,7 @@ default_config_data = { 'radius_dynamic_author': '', 'wins': [], 'ip6_column': [], - 'thread_cnt': 1 + 'thread_cnt': get_half_cpus() } def get_config(): @@ -77,10 +77,6 @@ def get_config(): conf.set_level(base_path) l2tp = deepcopy(default_config_data) - cpu = os.cpu_count() - if cpu > 1: - l2tp['thread_cnt'] = int(cpu/2) - ### general options ### if conf.exists(['name-server']): for name_server in conf.return_values(['name-server']): @@ -313,7 +309,7 @@ def verify(l2tp): for radius in l2tp['radius_server']: if not radius['key']: - raise ConfigError(f"Missing RADIUS secret for server {{ radius['key'] }}") + raise ConfigError(f"Missing RADIUS secret for server { radius['key'] }") # check for the existence of a client ip pool if not (l2tp['client_ip_pool'] or l2tp['client_ip_subnets']): @@ -348,7 +344,7 @@ def generate(l2tp): if not os.path.exists(dirname): os.mkdir(dirname) - render(l2tp_conf, 'accel-ppp/l2tp.config.tmpl', c, trim_blocks=True) + render(l2tp_conf, 'accel-ppp/l2tp.config.tmpl', l2tp, trim_blocks=True) if l2tp['auth_mode'] == 'local': render(l2tp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', l2tp) diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index 15b80f984..046fc8f9c 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -17,234 +17,260 @@ import os import re -from socket import socket, AF_INET, SOCK_STREAM +from copy import deepcopy +from stat import S_IRUSR, S_IWUSR, S_IRGRP from sys import exit -from time import sleep from vyos.config import Config -from vyos import ConfigError -from vyos.util import run from vyos.template import render +from vyos.util import call, get_half_cpus +from vyos import ConfigError +pptp_conf = '/run/accel-pppd/pptp.conf' +pptp_chap_secrets = '/run/accel-pppd/pptp.chap-secrets' + +default_pptp = { + 'auth_mode' : 'local', + 'local_users' : [], + 'radius_server' : [], + 'radius_acct_tmo' : '30', + 'radius_max_try' : '3', + 'radius_timeout' : '30', + 'radius_nas_id' : '', + 'radius_nas_ip' : '', + 'radius_source_address' : '', + 'radius_shaper_attr' : '', + 'radius_shaper_vendor': '', + 'radius_dynamic_author' : '', + 'chap_secrets_file': pptp_chap_secrets, # used in Jinja2 template + 'outside_addr': '', + 'dnsv4': [], + 'wins': [], + 'client_ip_pool': '', + 'mtu': '1436', + 'auth_proto' : ['auth_mschap_v2'], + 'ppp_mppe' : 'prefer', + 'thread_cnt': get_half_cpus() +} -pidfile = r'/var/run/accel_pptp.pid' -pptp_cnf_dir = r'/etc/accel-ppp/pptp' -chap_secrets = pptp_cnf_dir + '/chap-secrets' -pptp_conf = pptp_cnf_dir + '/pptp.config' +def get_config(): + conf = Config() + base_path = ['vpn', 'pptp', 'remote-access'] + if not conf.exists(base_path): + return None -# config path creation -if not os.path.exists(pptp_cnf_dir): - os.makedirs(pptp_cnf_dir) + pptp = deepcopy(default_pptp) + conf.set_level(base_path) -def _chk_con(): - cnt = 0 - s = socket(AF_INET, SOCK_STREAM) - while True: - try: - s.connect(("127.0.0.1", 2003)) - break - except ConnectionRefusedError: - sleep(0.5) - cnt += 1 - if cnt == 100: - raise("failed to start pptp server") - break + if conf.exists(['name-server']): + pptp['dnsv4'] = conf.return_values(['name-server']) + if conf.exists(['wins-server']): + pptp['wins'] = conf.return_values(['wins-server']) -def _accel_cmd(command): - return run('/usr/bin/accel-cmd -p 2003 {command}') + if conf.exists(['outside-address']): + pptp['outside_addr'] = conf.return_value(['outside-address']) -### -# inline helper functions end -### + if conf.exists(['authentication', 'mode']): + pptp['auth_mode'] = conf.return_value(['authentication', 'mode']) + # + # local auth + if conf.exists(['authentication', 'local-users']): + for username in conf.list_nodes(['authentication', 'local-users', 'username']): + user = { + 'name': username, + 'password' : '', + 'state' : 'enabled', + 'ip' : '*', + } -def get_config(): - c = Config() - if not c.exists(['vpn', 'pptp', 'remote-access']): - return None + conf.set_level(base_path + ['authentication', 'local-users', 'username', username]) + + if conf.exists(['password']): + user['password'] = conf.return_value(['password']) + + if conf.exists(['disable']): + user['state'] = 'disable' + + if conf.exists(['static-ip']): + user['ip'] = conf.return_value(['static-ip']) + + if not conf.exists(['disable']): + pptp['local_users'].append(user) + + # + # RADIUS auth and settings + conf.set_level(base_path + ['authentication', 'radius']) + if conf.exists(['server']): + for server in conf.list_nodes(['server']): + radius = { + 'server' : server, + 'key' : '', + 'fail_time' : 0, + 'port' : '1812' + } + + conf.set_level(base_path + ['authentication', 'radius', 'server', server]) + + if conf.exists(['fail-time']): + radius['fail-time'] = conf.return_value(['fail-time']) + + if conf.exists(['port']): + radius['port'] = conf.return_value(['port']) + + if conf.exists(['key']): + radius['key'] = conf.return_value(['key']) + + if not conf.exists(['disable']): + pptp['radius_server'].append(radius) + + # + # advanced radius-setting + conf.set_level(base_path + ['authentication', 'radius']) + + if conf.exists(['acct-timeout']): + pptp['radius_acct_tmo'] = conf.return_value(['acct-timeout']) + + if conf.exists(['max-try']): + pptp['radius_max_try'] = conf.return_value(['max-try']) + + if conf.exists(['timeout']): + pptp['radius_timeout'] = conf.return_value(['timeout']) + + if conf.exists(['nas-identifier']): + pptp['radius_nas_id'] = conf.return_value(['nas-identifier']) + + if conf.exists(['nas-ip-address']): + pptp['radius_nas_ip'] = conf.return_value(['nas-ip-address']) + + if conf.exists(['source-address']): + pptp['radius_source_address'] = conf.return_value(['source-address']) + + # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) + if conf.exists(['dae-server']): + dae = { + 'port' : '', + 'server' : '', + 'key' : '' + } - c.set_level(['vpn', 'pptp', 'remote-access']) - config_data = { - 'authentication': { - 'mode': 'local', - 'local-users': { - }, - 'radiussrv': {}, - 'auth_proto': 'auth_mschap_v2', - 'mppe': 'require' - }, - 'outside_addr': '', - 'dns': [], - 'wins': [], - 'client_ip_pool': '', - 'mtu': '1436', - } - - ### general options ### - - if c.exists(['dns-servers', 'server-1']): - config_data['dns'].append(c.return_value(['dns-servers', 'server-1'])) - if c.exists(['dns-servers', 'server-2']): - config_data['dns'].append(c.return_value(['dns-servers', 'server-2'])) - if c.exists(['wins-servers', 'server-1']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-1'])) - if c.exists(['wins-servers', 'server-2']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-2'])) - if c.exists(['outside-address']): - config_data['outside_addr'] = c.return_value(['outside-address']) - - # auth local - if c.exists(['authentication', 'mode', 'local']): - if c.exists(['authentication', 'local-users', 'username']): - for usr in c.list_nodes(['authentication', 'local-users', 'username']): - config_data['authentication']['local-users'].update( - { - usr: { - 'passwd': '', - 'state': 'enabled', - 'ip': '' - } - } - ) - - if c.exists(['authentication', 'local-users', 'username', usr, 'password']): - config_data['authentication']['local-users'][usr]['passwd'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'password']) - if c.exists(['authentication', 'local-users', 'username', usr, 'disable']): - config_data['authentication']['local-users'][usr]['state'] = 'disable' - if c.exists(['authentication', 'local-users', 'username', usr, 'static-ip']): - config_data['authentication']['local-users'][usr]['ip'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'static-ip']) - - # authentication mode radius servers and settings - - if c.exists(['authentication', 'mode', 'radius']): - config_data['authentication']['mode'] = 'radius' - rsrvs = c.list_nodes(['authentication', 'radius', 'server']) - for rsrv in rsrvs: - if not c.return_value(['authentication', 'radius', 'server', rsrv, 'fail-time']): - ftime = '0' - else: - ftime = c.return_value( - ['authentication', 'radius', 'server', rsrv, 'fail-time']) - if not c.return_value(['authentication', 'radius-server', rsrv, 'req-limit']): - reql = '0' - else: - reql = c.return_value( - ['authentication', 'radius', 'server', rsrv, 'req-limit']) - - config_data['authentication']['radiussrv'].update( - { - rsrv: { - 'secret': c.return_value(['authentication', 'radius', 'server', rsrv, 'key']), - 'fail-time': ftime, - 'req-limit': reql - } - } - ) - - if c.exists(['client-ip-pool']): - if c.exists(['client-ip-pool', 'start']): - config_data['client_ip_pool'] = c.return_value( - ['client-ip-pool', 'start']) - if c.exists(['client-ip-pool', 'stop']): - config_data['client_ip_pool'] += '-' + \ - re.search( - '[0-9]+$', c.return_value(['client-ip-pool', 'stop'])).group(0) - if c.exists(['mtu']): - config_data['mtu'] = c.return_value(['mtu']) + if conf.exists(['dynamic-author', 'ip-address']): + dae['server'] = conf.return_value(['dynamic-author', 'ip-address']) + + if conf.exists(['dynamic-author', 'port']): + dae['port'] = conf.return_value(['dynamic-author', 'port']) + + if conf.exists(['dynamic-author', 'key']): + dae['key'] = conf.return_value(['dynamic-author', 'key']) + + pptp['radius_dynamic_author'] = dae + + if conf.exists(['rate-limit', 'enable']): + pptp['radius_shaper_attr'] = 'Filter-Id' + c_attr = ['rate-limit', 'enable', 'attribute'] + if conf.exists(c_attr): + pptp['radius_shaper_attr'] = conf.return_value(c_attr) + + c_vendor = ['rate-limit', 'enable', 'vendor'] + if conf.exists(c_vendor): + pptp['radius_shaper_vendor'] = conf.return_value(c_vendor) + + conf.set_level(base_path) + if conf.exists(['client-ip-pool']): + if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']): + start = conf.return_value(['client-ip-pool', 'start']) + stop = conf.return_value(['client-ip-pool', 'stop']) + pptp['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0) + + if conf.exists(['mtu']): + pptp['mtu'] = conf.return_value(['mtu']) # gateway address - if c.exists(['gateway-address']): - config_data['gw_ip'] = c.return_value(['gateway-address']) + if conf.exists(['gateway-address']): + pptp['gw_ip'] = conf.return_value(['gateway-address']) else: - config_data['gw_ip'] = re.sub( - '[0-9]+$', '1', config_data['client_ip_pool']) + # calculate gw-ip-address + if conf.exists(['client-ip-pool', 'start']): + # use start ip as gw-ip-address + pptp['gateway_address'] = conf.return_value(['client-ip-pool', 'start']) - if c.exists(['authentication', 'require']): - if c.return_value(['authentication', 'require']) == 'pap': - config_data['authentication']['auth_proto'] = 'auth_pap' - if c.return_value(['authentication', 'require']) == 'chap': - config_data['authentication']['auth_proto'] = 'auth_chap_md5' - if c.return_value(['authentication', 'require']) == 'mschap': - config_data['authentication']['auth_proto'] = 'auth_mschap_v1' - if c.return_value(['authentication', 'require']) == 'mschap-v2': - config_data['authentication']['auth_proto'] = 'auth_mschap_v2' + if conf.exists(['authentication', 'require']): + # clear default list content, now populate with actual CLI values + pptp['auth_proto'] = [] + auth_mods = { + 'pap': 'auth_pap', + 'chap': 'auth_chap_md5', + 'mschap': 'auth_mschap_v1', + 'mschap-v2': 'auth_mschap_v2' + } - if c.exists(['authentication', 'mppe']): - config_data['authentication']['mppe'] = c.return_value( - ['authentication', 'mppe']) + for proto in conf.return_values(['authentication', 'require']): + pptp['auth_proto'].append(auth_mods[proto]) - return config_data + if conf.exists(['authentication', 'mppe']): + pptp['ppp_mppe'] = conf.return_value(['authentication', 'mppe']) + return pptp -def verify(c): - if c == None: - return None - if c['authentication']['mode'] == 'local': - if not c['authentication']['local-users']: - raise ConfigError( - 'pptp-server authentication local-users required') - for usr in c['authentication']['local-users']: - if not c['authentication']['local-users'][usr]['passwd']: - raise ConfigError('user ' + usr + ' requires a password') - - if c['authentication']['mode'] == 'radius': - if len(c['authentication']['radiussrv']) == 0: - raise ConfigError('radius server required') - for rsrv in c['authentication']['radiussrv']: - if c['authentication']['radiussrv'][rsrv]['secret'] == None: - raise ConfigError('radius server ' + rsrv + - ' needs a secret configured') - - -def generate(c): - if c == None: +def verify(pptp): + if not pptp: return None - # accel-cmd reload doesn't work so any change results in a restart of the daemon - try: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count()/2) - except KeyError: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count()/2) - - render(pptp_conf, 'pptp/pptp.config.tmpl', c, trim_blocks=True) - - if c['authentication']['local-users']: - old_umask = os.umask(0o077) - render(chap_secrets, 'pptp/chap-secrets.tmpl', c, trim_blocks=True) - os.umask(old_umask) - # return c ?? - return c - - -def apply(c): - if c == None: - if os.path.exists(pidfile): - _accel_cmd('shutdown hard') - if os.path.exists(pidfile): - os.remove(pidfile) + if pptp['auth_mode'] == 'local': + if not pptp['local_users']: + raise ConfigError('PPTP local auth mode requires local users to be configured!') + + for user in pptp['local_users']: + username = user['name'] + if not user['password']: + raise ConfigError(f'Password required for local user "{username}"') + + elif pptp['auth_mode'] == 'radius': + if len(pptp['radius_server']) == 0: + raise ConfigError('RADIUS authentication requires at least one server') + + for radius in pptp['radius_server']: + if not radius['key']: + server = radius['server'] + raise ConfigError(f'Missing RADIUS secret key for server "{ server }"') + + if len(pptp['dnsv4']) > 2: + raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') + + if len(pptp['wins']) > 2: + raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') + + +def generate(pptp): + if not pptp: return None - if not os.path.exists(pidfile): - ret = run(f'/usr/sbin/accel-pppd -c {pptp_conf} -p {pidfile} -d') - _chk_con() - if ret != 0 and os.path.exists(pidfile): - os.remove(pidfile) - raise ConfigError('accel-pppd failed to start') + dirname = os.path.dirname(pptp_conf) + if not os.path.exists(dirname): + os.mkdir(dirname) + + render(pptp_conf, 'accel-ppp/pptp.config.tmpl', pptp, trim_blocks=True) + + if pptp['local_users']: + render(pptp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', pptp, trim_blocks=True) + os.chmod(pptp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: - # if gw ip changes, only restart doesn't work - _accel_cmd('restart') + if os.path.exists(pptp_chap_secrets): + os.unlink(pptp_chap_secrets) + + +def apply(pptp): + if not pptp: + call('systemctl stop accel-ppp@pptp.service') + for file in [pptp_conf, pptp_chap_secrets]: + if os.path.exists(file): + os.unlink(file) + + return None + + call('systemctl restart accel-ppp@pptp.service') if __name__ == '__main__': try: diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 9ec352290..e6ce94709 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -23,7 +23,7 @@ from stat import S_IRUSR, S_IWUSR, S_IRGRP from vyos.config import Config from vyos import ConfigError -from vyos.util import call, run +from vyos.util import call, run, get_half_cpus from vyos.template import render @@ -56,7 +56,7 @@ default_config_data = { 'ppp_echo_failure' : '', 'ppp_echo_interval' : '', 'ppp_echo_timeout' : '', - 'thread_cnt' : 1 + 'thread_cnt' : get_half_cpus() } def get_config(): @@ -68,10 +68,6 @@ def get_config(): conf.set_level(base_path) - cpu = os.cpu_count() - if cpu > 1: - sstp['thread_cnt'] = int(cpu/2) - if conf.exists(['authentication', 'mode']): sstp['auth_mode'] = conf.return_value(['authentication', 'mode']) @@ -301,7 +297,7 @@ def verify(sstp): for radius in sstp['radius_server']: if not radius['key']: server = radius['server'] - raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') + raise ConfigError(f'Missing RADIUS secret key for server "{ server }"') def generate(sstp): if not sstp: diff --git a/src/migration-scripts/pptp/1-to-2 b/src/migration-scripts/pptp/1-to-2 new file mode 100755 index 000000000..a13cc3a4f --- /dev/null +++ b/src/migration-scripts/pptp/1-to-2 @@ -0,0 +1,71 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# - migrate dns-servers node to common name-servers +# - remove radios req-limit node + +from sys import argv, exit + +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['vpn', 'pptp', 'remote-access'] +if not config.exists(base): + # Nothing to do + exit(0) +else: + # Migrate IPv4 DNS servers + dns_base = base + ['dns-servers'] + if config.exists(dns_base): + for server in ['server-1', 'server-2']: + if config.exists(dns_base + [server]): + dns = config.return_value(dns_base + [server]) + config.set(base + ['name-server'], value=dns, replace=False) + + config.delete(dns_base) + + # Migrate IPv4 WINS servers + wins_base = base + ['wins-servers'] + if config.exists(wins_base): + for server in ['server-1', 'server-2']: + if config.exists(wins_base + [server]): + wins = config.return_value(wins_base + [server]) + config.set(base + ['wins-server'], value=wins, replace=False) + + config.delete(wins_base) + + # Remove RADIUS server req-limit node + radius_base = base + ['authentication', 'radius'] + if config.exists(radius_base): + for server in config.list_nodes(radius_base + ['server']): + if config.exists(radius_base + ['server', server, 'req-limit']): + config.delete(radius_base + ['server', server, 'req-limit']) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/op_mode/version.py b/src/op_mode/version.py index 2791f5e5c..c335eefce 100755 --- a/src/op_mode/version.py +++ b/src/op_mode/version.py @@ -25,14 +25,13 @@ import sys import argparse import json -import pystache - import vyos.version import vyos.limericks from vyos.util import cmd from vyos.util import call from vyos.util import run +from vyos.util import read_file from vyos.util import DEVNULL @@ -41,90 +40,42 @@ parser.add_argument("-a", "--all", action="store_true", help="Include individual parser.add_argument("-f", "--funny", action="store_true", help="Add something funny to the output") parser.add_argument("-j", "--json", action="store_true", help="Produce JSON output") -def read_file(name): - try: - with open (name, "r") as f: - data = f.read() - return data.strip() - except: - # This works since we only read /sys/class/* stuff - # with this function - return "Unknown" version_output_tmpl = """ -Version: VyOS {{version}} -Release Train: {{release_train}} +Version: VyOS {version} +Release Train: {release_train} -Built by: {{built_by}} -Built on: {{built_on}} -Build UUID: {{build_uuid}} -Build Commit ID: {{build_git}} +Built by: {built_by} +Built on: {built_on} +Build UUID: {build_uuid} +Build Commit ID: {build_git} -Architecture: {{system_arch}} -Boot via: {{boot_via}} -System type: {{system_type}} +Architecture: {system_arch} +Boot via: {boot_via} +System type: {system_type} -Hardware vendor: {{hardware_vendor}} -Hardware model: {{hardware_model}} -Hardware S/N: {{hardware_serial}} -Hardware UUID: {{hardware_uuid}} +Hardware vendor: {hardware_vendor} +Hardware model: {hardware_model} +Hardware S/N: {hardware_serial} +Hardware UUID: {hardware_uuid} Copyright: VyOS maintainers and contributors - """ if __name__ == '__main__': args = parser.parse_args() - version_data = vyos.version.get_version_data() - - # Get system architecture (well, kernel architecture rather) - version_data['system_arch'] = cmd('uname -m') - - - # Get hypervisor name, if any - system_type = "bare metal" - try: - hypervisor = cmd('hvinfo',stderr=DEVNULL) - system_type = "{0} guest".format(hypervisor) - except OSError: - # hvinfo returns 1 if it cannot detect any hypervisor - pass - version_data['system_type'] = system_type - - - # Get boot type, it can be livecd, installed image, or, possible, a system installed - # via legacy "install system" mechanism - # In installed images, the squashfs image file is named after its image version, - # while on livecd it's just "filesystem.squashfs", that's how we tell a livecd boot - # from an installed image - boot_via = "installed image" - if run(""" grep -e '^overlay.*/filesystem.squashfs' /proc/mounts >/dev/null""") == 0: - boot_via = "livecd" - elif run(""" grep '^overlay /' /proc/mounts >/dev/null """) != 0: - boot_via = "legacy non-image installation" - version_data['boot_via'] = boot_via - - - # Get hardware details from DMI - version_data['hardware_vendor'] = read_file('/sys/class/dmi/id/sys_vendor') - version_data['hardware_model'] = read_file('/sys/class/dmi/id/product_name') - - # These two assume script is run as root, normal users can't access those files - version_data['hardware_serial'] = read_file('/sys/class/dmi/id/subsystem/id/product_serial') - version_data['hardware_uuid'] = read_file('/sys/class/dmi/id/subsystem/id/product_uuid') - + version_data = vyos.version.get_full_version_data() if args.json: print(json.dumps(version_data)) sys.exit(0) - else: - output = pystache.render(version_output_tmpl, version_data).strip() - print(output) - if args.all: - print("Package versions:") - call("dpkg -l") + print(version_output_tmpl.format(**version_data).strip()) + + if args.all: + print("Package versions:") + call("dpkg -l") - if args.funny: - print(vyos.limericks.get_random()) + if args.funny: + print(vyos.limericks.get_random()) diff --git a/src/op_mode/vrrp.py b/src/op_mode/vrrp.py index 923cfa4d4..e024d7f63 100755 --- a/src/op_mode/vrrp.py +++ b/src/op_mode/vrrp.py @@ -21,7 +21,6 @@ import argparse import json import tabulate -import vyos.keepalived import vyos.util from vyos.ifconfig.vrrp import VRRP diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server index a3624052e..c36cbd640 100755 --- a/src/services/vyos-http-api-server +++ b/src/services/vyos-http-api-server @@ -318,11 +318,20 @@ def generate_op(): command = json.loads(command) try: - cmd = command['cmd'] - res = session.generate(cmd) + op = command['op'] + path = command['path'] except KeyError: - return error(400, "Missing required field \"cmd\"") - except VyOSError as e: + return error(400, "Missing required field. \"op\" and \"path\" fields are required") + + if not isinstance(path, list): + return error(400, "Malformed command: \"path\" field must be a list of strings") + + try: + if op == 'generate': + res = session.generate(path) + else: + return error(400, "\"{0}\" is not a valid operation".format(op)) + except ConfigSessionError as e: return error(400, str(e)) except Exception as e: print(traceback.format_exc(), file=sys.stderr) @@ -339,11 +348,20 @@ def show_op(): command = json.loads(command) try: - cmd = command['cmd'] - res = session.show(cmd) + op = command['op'] + path = command['path'] except KeyError: - return error(400, "Missing required field \"cmd\"") - except VyOSError as e: + return error(400, "Missing required field. \"op\" and \"path\" fields are required") + + if not isinstance(path, list): + return error(400, "Malformed command: \"path\" field must be a list of strings") + + try: + if op == 'show': + res = session.show(path) + else: + return error(400, "\"{0}\" is not a valid operation".format(op)) + except ConfigSessionError as e: return error(400, str(e)) except Exception as e: print(traceback.format_exc(), file=sys.stderr) |