From f480346bb8e934b1ce2e0fc3be23f7168273bba1 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 2 Jul 2021 10:57:32 +0200
Subject: ipsec: T3656: T3659: Fix pass-through with ipv6. Fix op-mode ipsec
commands. Remove python3-crypto dependency.
---
debian/control | 2 +-
op-mode-definitions/vpn-ipsec.xml.in | 2 +-
python/vyos/util.py | 32 --------------------------------
src/conf_mode/vpn_ipsec.py | 6 ++++--
src/op_mode/show_ipsec_sa.py | 2 +-
src/op_mode/vpn_ipsec.py | 2 +-
6 files changed, 8 insertions(+), 38 deletions(-)
diff --git a/debian/control b/debian/control
index c0805804e..ddccc9e14 100644
--- a/debian/control
+++ b/debian/control
@@ -110,7 +110,7 @@ Depends:
procps,
python3,
python3-certbot-nginx,
- python3-crypt | python3-pycryptodome,
+ python3-pycryptodome,
python3-cryptography,
python3-flask,
python3-hurry.filesize,
diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in
index 76f4893c1..fe0597eed 100644
--- a/op-mode-definitions/vpn-ipsec.xml.in
+++ b/op-mode-definitions/vpn-ipsec.xml.in
@@ -101,7 +101,7 @@
Restart IPSec VPN
- if pgrep charon >/dev/null ; then sudo /usr/sbin/ipsec restart ; else echo "IPSec process not running" ; fi
+ if pgrep charon >/dev/null ; then sudo ipsec restart ; sleep 3 ; sudo swanctl -q ; else echo "IPSec process not running" ; fi
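Review bot: The new restart command relies on a fixed `sleep 3` between `ipsec restart` and `swanctl -q`, which is a race: if charon takes longer than three seconds to come back, `swanctl -q` runs before the VICI socket is available, the connections are never reloaded, and the operator sees no error because neither exit status is checked. Polling for the daemon instead of sleeping, e.g. `for i in $(seq 1 10); do sudo swanctl --stats >/dev/null 2>&1 && break; sleep 1; done` before `sudo swanctl -q`, makes the restart deterministic; at minimum the `swanctl -q` exit status should be reported so a failed reload is visible. The remainder of the op-mode node definition lies outside this hunk.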
diff --git a/python/vyos/util.py b/python/vyos/util.py
index 586c79fff..cf90dc74f 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -705,38 +705,6 @@ def get_all_vrfs():
data[name] = entry
return data
-def cidr_fit(cidr_a, cidr_b, both_directions = False):
- """
- Does CIDR A fit inside of CIDR B?
-
- Credit: https://gist.github.com/magnetikonline/686fde8ee0bce4d4930ce8738908a009
- """
- def split_cidr(cidr):
- part_list = cidr.split("/")
- if len(part_list) == 1:
- # if just an IP address, assume /32
- part_list.append("32")
-
- # return address and prefix size
- return part_list[0].strip(), int(part_list[1])
- def address_to_bits(address):
- # convert each octet of IP address to binary
- bit_list = [bin(int(part)) for part in address.split(".")]
-
- # join binary parts together
- # note: part[2:] to slice off the leading "0b" from bin() results
- return "".join([part[2:].zfill(8) for part in bit_list])
- def binary_network_prefix(cidr):
- # return CIDR as bits, to the length of the prefix size only (drop the rest)
- address, prefix_size = split_cidr(cidr)
- return address_to_bits(address)[:prefix_size]
-
- prefix_a = binary_network_prefix(cidr_a)
- prefix_b = binary_network_prefix(cidr_b)
- if both_directions:
- return prefix_a.startswith(prefix_b) or prefix_b.startswith(prefix_a)
- return prefix_a.startswith(prefix_b)
-
def print_error(str='', end='\n'):
"""
Print `str` to stderr, terminated with `end`.
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index bf4aa332a..ce72ee094 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -14,6 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
+import ipaddress
import os
from sys import exit
@@ -34,7 +35,6 @@ from vyos.util import call
from vyos.util import dict_search
from vyos.util import process_named_running
from vyos.util import run
-from vyos.util import cidr_fit
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -407,7 +407,9 @@ def generate(ipsec):
for local_prefix in local_prefixes:
for remote_prefix in remote_prefixes:
- if cidr_fit(local_prefix, remote_prefix):
+ local_net = ipaddress.ip_network(local_prefix)
+ remote_net = ipaddress.ip_network(remote_prefix)
+ if local_net.overlaps(remote_net):
passthrough.append(local_prefix)
data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
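Review bot: `ipaddress.ip_network()` on the two added lines is called with the default `strict=True`, so a configured prefix with host bits set (e.g. an address written as `192.0.2.1/24`, a constructed example) raises `ValueError` here instead of being evaluated; the removed `cidr_fit` tolerated such input by truncating to the prefix length, so this is a new, uncaught failure path for configurations that previously committed. Passing `strict=False` restores that tolerance while keeping the IPv6-capable overlap check: `local_net = ipaddress.ip_network(local_prefix, strict=False)` and `remote_net = ipaddress.ip_network(remote_prefix, strict=False)`. Mixed-family comparisons are safe as written, since `overlaps()` returns False across IPv4/IPv6. The enclosing `generate()` begins and ends outside this hunk.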
diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py
index a94c7efc6..e491267fd 100755
--- a/src/op_mode/show_ipsec_sa.py
+++ b/src/op_mode/show_ipsec_sa.py
@@ -26,7 +26,7 @@ import vyos.util
def format_output(conns, sas):
sa_data = []
- for peer, parent_conn in conn.items():
+ for peer, parent_conn in conns.items():
if peer not in sas:
continue
diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py
index dd5a85ed3..ad7efbf2d 100755
--- a/src/op_mode/vpn_ipsec.py
+++ b/src/op_mode/vpn_ipsec.py
@@ -23,7 +23,7 @@ import argparse
from subprocess import TimeoutExpired
from vyos.util import ask_yes_no, call, cmd, process_named_running
-from Crypto.PublicKey.RSA import importKey
+from Cryptodome.PublicKey.RSA import importKey
RSA_LOCAL_KEY_PATH = '/config/ipsec.d/rsa-keys/localhost.key'
RSA_LOCAL_PUB_PATH = '/etc/ipsec.d/certs/localhost.pub'
--