From f480346bb8e934b1ce2e0fc3be23f7168273bba1 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 2 Jul 2021 10:57:32 +0200
Subject: ipsec: T3656: T3659: Fix pass-through with ipv6. Fix op-mode ipsec commands. Remove python3-crypto dependency.

---
 debian/control | 2 +-
 op-mode-definitions/vpn-ipsec.xml.in | 2 +-
 python/vyos/util.py | 32 --------------------------------
 src/conf_mode/vpn_ipsec.py | 6 ++++--
 src/op_mode/show_ipsec_sa.py | 2 +-
 src/op_mode/vpn_ipsec.py | 2 +-
 6 files changed, 8 insertions(+), 38 deletions(-)

diff --git a/debian/control b/debian/control
index c0805804e..ddccc9e14 100644
--- a/debian/control
+++ b/debian/control
@@ -110,7 +110,7 @@ Depends: procps,
 python3,
 python3-certbot-nginx,
- python3-crypt | python3-pycryptodome,
+ python3-pycryptodome,
 python3-cryptography,
 python3-flask,
 python3-hurry.filesize,
diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in
index 76f4893c1..fe0597eed 100644
--- a/op-mode-definitions/vpn-ipsec.xml.in
+++ b/op-mode-definitions/vpn-ipsec.xml.in
@@ -101,7 +101,7 @@
 Restart IPSec VPN
- if pgrep charon >/dev/null ; then sudo /usr/sbin/ipsec restart ; else echo "IPSec process not running" ; fi
+ if pgrep charon >/dev/null ; then sudo ipsec restart ; sleep 3 ; sudo swanctl -q ; else echo "IPSec process not running" ; fi
diff --git a/python/vyos/util.py b/python/vyos/util.py
index 586c79fff..cf90dc74f 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
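Review bot: The added `sleep 3 ; sudo swanctl -q` on the new command line is a fixed-delay race: if charon takes longer than three seconds to bring up its vici socket after `ipsec restart`, `swanctl -q` fails, no connections are loaded, and the `if` branch still reports nothing wrong to the operator. A bounded poll is more robust, e.g. replace `sleep 3 ; sudo swanctl -q` with `for i in 1 2 3 4 5 6 7 8 9 10 ; do sudo swanctl --stats >/dev/null 2>&1 && break ; sleep 1 ; done ; sudo swanctl -q`, so the load happens as soon as the daemon answers and a persistent failure is at least visible in swanctl's own error output. The same line also replaces the absolute `/usr/sbin/ipsec` with a bare `ipsec`, so the binary is now resolved through whatever PATH sudo applies (typically its secure_path); that is presumably fine on the appliance image, but keeping the absolute path costs nothing and removes the dependency on sudo's configuration.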
@@ -705,38 +705,6 @@ def get_all_vrfs():
 data[name] = entry
 return data
-def cidr_fit(cidr_a, cidr_b, both_directions = False):
- """
- Does CIDR A fit inside of CIDR B?
-
- Credit: https://gist.github.com/magnetikonline/686fde8ee0bce4d4930ce8738908a009
- """
- def split_cidr(cidr):
- part_list = cidr.split("/")
- if len(part_list) == 1:
- # if just an IP address, assume /32
- part_list.append("32")
-
- # return address and prefix size
- return part_list[0].strip(), int(part_list[1])
- def address_to_bits(address):
- # convert each octet of IP address to binary
- bit_list = [bin(int(part)) for part in address.split(".")]
-
- # join binary parts together
- # note: part[2:] to slice off the leading "0b" from bin() results
- return "".join([part[2:].zfill(8) for part in bit_list])
- def binary_network_prefix(cidr):
- # return CIDR as bits, to the length of the prefix size only (drop the rest)
- address, prefix_size = split_cidr(cidr)
- return address_to_bits(address)[:prefix_size]
-
- prefix_a = binary_network_prefix(cidr_a)
- prefix_b = binary_network_prefix(cidr_b)
- if both_directions:
- return prefix_a.startswith(prefix_b) or prefix_b.startswith(prefix_a)
- return prefix_a.startswith(prefix_b)
-
 def print_error(str='', end='\n'):
 """
 Print `str` to stderr, terminated with `end`.
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index bf4aa332a..ce72ee094 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
+import ipaddress
 import os
 from sys import exit
@@ -34,7 +35,6 @@ from vyos.util import call
 from vyos.util import dict_search
 from vyos.util import process_named_running
 from vyos.util import run
-from vyos.util import cidr_fit
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -407,7 +407,9 @@ def generate(ipsec):
 for local_prefix in local_prefixes:
 for remote_prefix in remote_prefixes:
- if cidr_fit(local_prefix, remote_prefix):
+ local_net = ipaddress.ip_network(local_prefix)
+ remote_net = ipaddress.ip_network(remote_prefix)
+ if local_net.overlaps(remote_net):
 passthrough.append(local_prefix)
 data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py
index a94c7efc6..e491267fd 100755
--- a/src/op_mode/show_ipsec_sa.py
+++ b/src/op_mode/show_ipsec_sa.py
@@ -26,7 +26,7 @@ import vyos.util
 def format_output(conns, sas):
 sa_data = []
- for peer, parent_conn in conn.items():
+ for peer, parent_conn in conns.items():
 if peer not in sas:
 continue
diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py
index dd5a85ed3..ad7efbf2d 100755
--- a/src/op_mode/vpn_ipsec.py
+++ b/src/op_mode/vpn_ipsec.py
@@ -23,7 +23,7 @@ import argparse
 from subprocess import TimeoutExpired
 from vyos.util import ask_yes_no, call, cmd, process_named_running
-from Crypto.PublicKey.RSA import importKey
+from Cryptodome.PublicKey.RSA import importKey
 RSA_LOCAL_KEY_PATH = '/config/ipsec.d/rsa-keys/localhost.key'
 RSA_LOCAL_PUB_PATH = '/etc/ipsec.d/certs/localhost.pub'
-- cgit v1.2.3
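Review bot: `ipaddress.ip_network(local_prefix)` on the first added line runs with the default strict=True, so a configured prefix whose host bits are set (constructed example: `10.0.0.1/24`) raises ValueError and aborts generate() with a traceback, whereas the removed cidr_fit() simply truncated the address to the prefix length; either pass `strict=False` on both new lines, `local_net = ipaddress.ip_network(local_prefix, strict=False)` and `remote_net = ipaddress.ip_network(remote_prefix, strict=False)`, or reject such prefixes in verify() with a ConfigError so the commit fails with a message rather than a crash — the hunk does not show whether the config validator already guarantees canonical networks. The replacement is also no longer one-directional: `overlaps()` is true when the local network contains the remote one, while cidr_fit(local, remote) only matched local inside remote, so more pass-through entries may now be emitted; if that is intended, a one-line comment on the `if` saying so would save the next reader the comparison. Mixed IPv4/IPv6 pairs are safe here, since overlaps() returns False when the two networks differ in address family. generate() starts outside the hunk.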
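Review bot: The switch from `Crypto` to the `Cryptodome` namespace on the new import line deserves a comment, because the package added in the debian/control hunk is named python3-pycryptodome and a reader will expect upstream PyCryptodome's `Crypto` namespace; presumably the Debian build of that package installs the `Cryptodome` (pycryptodomex-style) layout, which is why `Crypto` no longer resolves once python3-crypt is dropped. Suggest `# Debian's python3-pycryptodome installs the Cryptodome namespace, not Crypto` directly above the import. As a point of style, `importKey` is the legacy alias kept by PyCryptodome for pycrypto compatibility; `import_key` is the documented name and reads as deliberate rather than leftover.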