From a1b33575a316c36c3d2a1176154c00d68b99b803 Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 21 Nov 2018 09:45:11 -0800 Subject: T835: syslog debug message removed (to verbose) --- src/conf_mode/accel_pppoe.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/conf_mode/accel_pppoe.py b/src/conf_mode/accel_pppoe.py index d110f51e1..7f721f932 100755 --- a/src/conf_mode/accel_pppoe.py +++ b/src/conf_mode/accel_pppoe.py @@ -512,7 +512,6 @@ def generate(c): tmpl = jinja2.Template(pppoe_config, trim_blocks=True) config_text = tmpl.render(c) open(pppoe_conf,'w').write(config_text) - sl.syslog(sl.LOG_NOTICE, pppoe_config + ' written') if c['authentication']['local-users']: write_chap_secrets(c) -- cgit v1.2.3 From b7b45384b4398d1b4fa6ef94664eed600c9d71aa Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 22 Nov 2018 10:35:42 -0800 Subject: T835: accel-ppp: pppoe implementation - verify if an auth mode is set and if its local checking that a user and password for chap-secrets exists. --- src/conf_mode/accel_pppoe.py | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/conf_mode/accel_pppoe.py b/src/conf_mode/accel_pppoe.py index 7f721f932..f0a7fcf96 100755 --- a/src/conf_mode/accel_pppoe.py +++ b/src/conf_mode/accel_pppoe.py @@ -368,7 +368,9 @@ def get_config(): config_data['snmp'] = 'enable-ma' #### authentication mode local - + if not c.exists('authentication mode'): + raise ConfigError('pppoe-server authentication mode required') + if c.exists('authentication mode local'): if c.exists('authentication local-users username'): for usr in c.list_nodes('authentication local-users username'): 
@@ -478,13 +480,16 @@ def get_config(): def verify(c): if c == None: return None - - for usr in c['authentication']['local-users']: - if not c['authentication']['local-users'][usr]: - raise ConfigError('user ' + usr + ' has no password set') + if c['authentication']['mode'] == 'local': + if not c['authentication']['local-users']: + raise ConfigError('pppoe-server authentication local-users required') + + for usr in c['authentication']['local-users']: + if not c['authentication']['local-users'][usr]['passwd']: + raise ConfigError('user ' + usr + ' requires a password') if not c['ppp_gw']: - raise ConfigError('pppoe gateway-ip required') + raise ConfigError('pppoe-server local-ip required') if c['authentication']['mode'] == 'radius': if len(c['authentication']['radiussrv']) == 0: -- cgit v1.2.3 From 48bfbb8ecf30edf634f1998d4b7dcc1a92e28f53 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 22 Nov 2018 10:57:30 -0800 Subject: T989: IPoE implementation - adding vyos-accel-ppp-ipoe-kmod to dependencies --- debian/changelog | 6 ++++++ debian/control | 1 + 2 files changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 1db603fe5..8157d97f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyos-1x (1.2.0-6) unstable; urgency=medium + + * adding vyos-accel-ppp-ipoe-kmod for T989 + + -- hagbard Thu, 22 Nov 2018 10:56:15 -0800 + vyos-1x (1.2.0-5) unstable; urgency=medium * T835: accel-ppp: pppoe implementation diff --git a/debian/control b/debian/control index 03feeddc8..34e95a547 100644 --- a/debian/control +++ b/debian/control @@ -48,6 +48,7 @@ Depends: python3, tftpd-hpa, igmpproxy, vyos-accel-ppp, + vyos-accel-ppp-ipoe-kmod, mdns-repeater, udp-broadcast-relay, pdns-recursor, -- cgit v1.2.3 From 253ce1ed71590d7ebe9af196debadec36b45fbcd Mon Sep 17 00:00:00 2001 
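Review bot: The per-user check `c['authentication']['local-users'][usr]['passwd']` assumes get_config stores a `passwd` key for every username node; if a user is listed without one, verify raises KeyError rather than the intended ConfigError. Unless the get_config loop over `authentication local-users username` (cut off in the preceding hunk) always initialises that key, `if not c['authentication']['local-users'][usr].get('passwd'):` keeps a missing password a configuration error with the message the commit introduces. verify's body continues outside the hunk.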
From: Daniil Baturin Date: Fri, 23 Nov 2018 22:17:36 +0100 Subject: New verse for "run show version funny". --- python/vyos/limericks.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/python/vyos/limericks.py b/python/vyos/limericks.py index 97bb5ae76..e03ccd32b 100644 --- a/python/vyos/limericks.py +++ b/python/vyos/limericks.py @@ -55,6 +55,14 @@ greeted friends with a three-way handshake and refused to proceed if they didn't complete it, that standards-compliant guy Drake. +""", + +""" +A network admin from Nantucket +used hierarchy token buckets. +Bandwidth limits he set +slowed down his net, +users drove him away from Nantucket. """ ] -- cgit v1.2.3 From 9a4f7d66d4102fb645c5924bf83671f97ee25e91 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 23 Nov 2018 13:44:58 -0800 Subject: T835: adding description to ppp-options --- interface-definitions/pppoe-server.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/interface-definitions/pppoe-server.xml b/interface-definitions/pppoe-server.xml index 510bfeb3b..c01f784f6 100644 --- a/interface-definitions/pppoe-server.xml +++ b/interface-definitions/pppoe-server.xml @@ -382,6 +382,9 @@ + + advanced protocol options + -- cgit v1.2.3 From bd536044ce753e1cc40753c296752b4303291021 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 26 Nov 2018 20:19:11 +0100 Subject: T835: improve help text for PPPoE CLI. --- interface-definitions/pppoe-server.xml | 107 +++++++++++++++++---------------- 1 file changed, 54 insertions(+), 53 deletions(-) diff --git a/interface-definitions/pppoe-server.xml b/interface-definitions/pppoe-server.xml index c01f784f6..a0c22d53a 100644 --- a/interface-definitions/pppoe-server.xml +++ b/interface-definitions/pppoe-server.xml 
@@ -73,19 +73,22 @@ radius - Use Radius server to autenticate users + Use a RADIUS server to autenticate users ^(local|radius) + + local radius + - IP address of radius server + IP address of RADIUS server ipv4 - IP address of radius server + IP address of RADIUS server @@ -96,44 +99,44 @@ - maximum number of simultaneous requests to server (default: unlimited) + Maximum number of simultaneous requests to server (default: unlimited) - if server doesn't responds mark it as unavailable for this amount of time in seconds + If server doesn't responds mark it as unavailable for this amount of time in seconds - radius settings + RADIUS settings - timeout to wait response from server (sec) + Timeout to wait response from server (seconds) - timeout to wait reply for Interim-Update packets. (default 3 sec) + Timeout to wait reply for Interim-Update packets. (default 3 seconds) - maximum number of tries to send Access-Request/Accounting-Request queries + Maximum number of tries to send Access-Request/Accounting-Request queries - value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. + Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. - value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address. + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address. @@ -148,12 +151,12 @@ - port for Dynamic Authorization Extension server (DM/CoA) + Port for Dynamic Authorization Extension server (DM/CoA) - secret for Dynamic Authorization Extension server (DM/CoA) + Secret for Dynamic Authorization Extension server (DM/CoA) @@ -164,7 +167,7 @@ - Pool of client IP address (must be within a /24) + Pool of client IP addresses (must be within a /24) 
@@ -188,18 +191,18 @@ - pool of client IP space + Pool of client IPv6 addresses - format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients) + Format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients) - format: ipv6prefix/mask,prefix_len (delegate to clients through DHCPv6 prefix delegation - rfc3633) + Format: ipv6prefix/mask,prefix_len (delegate to clients through DHCPv6 prefix delegation - rfc3633) @@ -306,12 +309,12 @@ - limits the connection rate from a single source + Limits the connection rate from a single source - acceptable rate of connections (e.g. 1/min, 60/sec) + Acceptable rate of connections (e.g. 1/min, 60/sec) ^[0-9]+\/(min|sec)$ @@ -320,12 +323,12 @@ - burst count + Burst count - timeout in seconds + Timeout in seconds @@ -355,7 +358,7 @@ ^[a-zA-Z0-9\-]{1,100} - servicename can contain aplhanumerical characters and dash only (max. 100) + servicename can contain aplhanumerical characters and dashes only (max. 100) @@ -383,12 +386,12 @@ - advanced protocol options + Advanced protocol options - minimum acceptable MTU (68-65535) + Minimum acceptable MTU (68-65535) @@ -396,7 +399,7 @@ - preferred MRU (68-65535) + Preferred MRU (68-65535) @@ -404,30 +407,30 @@ - ccp negotiation (default disabled) + CCP negotiation (default disabled) - specifies mppe negotiation preference. (default prefer mppe) + Specifies MPPE negotiation preference. (default prefer mppe) - ask client for mppe, if it rejects drop connection + Ask client for MPPE, if it rejects then drop the connection - ask client for mppe, if it rejects don't fail + Ask client for MPPE, if it rejects don't fail - deny mppe + Deny MPPE @@ -435,7 +438,7 @@ - lcp echo-requests/sec + LCP echo-requests/sec @@ -443,7 +446,7 @@ - maximum number of Echo-Requests may be sent without valid reply + Maximum number of Echo-Requests may be sent without valid reply 
@@ -451,7 +454,7 @@ - timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. + Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. @@ -459,60 +462,60 @@ - specify IPv4 (IPCP) negotiation algorithm + IPv4 (IPCP) negotiation algorithm ^(deny|allow|prefer|require) invalid value deny - don't negotiate IPv4 + Don't negotiate IPv4 allow - negotiate IPv4 only if client requests + Negotiate IPv4 only if client requests prefer - ask client for IPv4 negotiation, don't fail if he rejects + Ask client for IPv4 negotiation, don't fail if it rejects require - require IPv4 negotiation + Require IPv4 negotiation - specify IPv6 (IPCP6) negotiation algorithm + IPv6 (IPCP6) negotiation algorithm ^(deny|allow|prefer|require) invalid value deny - don't negotiate IPv6 + Don't negotiate IPv6 allow - negotiate IPv6 only if client requests + Negotiate IPv6 only if client requests prefer - ask client for IPv6 negotiation, don't fail if he rejects + Ask client for IPv6 negotiation, don't fail if it rejects require - require IPv6 negotiation + Require IPv6 negotiation - Specify fixed or random interface identifier for IPv6 + Fixed or random interface identifier for IPv6 random - specify random interface identifier for IPv6 + Random interface identifier for IPv6 x:x:x:x 
@@ -522,33 +525,31 @@ - specify peer interface identifier for IPv6 + Peer interface identifier for IPv6 x:x:x:x - specify interface identifier for IPv6 + Interface identifier for IPv6 random - specify a random interface identifier for IPv6 + Use a random interface identifier for IPv6 ipv4 - calculate interface identifier from IPv4 address, for example 192:168:0:1 + Calculate interface identifier from IPv4 address, for example 192:168:0:1 calling-sid - calculate interface identifier from calling-station-Id + Calculate interface identifier from calling-station-id - accept peer's interface identifier + Accept peer's interface identifier - - -- cgit v1.2.3 From bf55a3a40f1e247b944eea266d4cd384d20087d1 Mon Sep 17 00:00:00 2001 From: arnehaak <45362083+arnehaak@users.noreply.github.com> Date: Thu, 29 Nov 2018 00:01:32 +0100 Subject: T1001: Bugfix: Handle backslashes in values with "show configuration commands" This script is usually called with the output of "cli-shell-api showCfg", which does not escape backslashes. "ConfigTree()" expects escaped backslashes when parsing a config string (and also prints them itself). Therefore this script would fail. Manually escape backslashes here to handle backslashes in any configuration strings properly. The alternative would be to modify the output of "cli-shell-api showCfg", but that may be break other things who rely on that specific output. This fixes https://phabricator.vyos.net/T1001 --- src/utils/vyos-config-to-commands | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/utils/vyos-config-to-commands b/src/utils/vyos-config-to-commands index 8b50f7c5d..7147bc5ff 100755 --- a/src/utils/vyos-config-to-commands +++ b/src/utils/vyos-config-to-commands 
@@ -19,6 +19,14 @@ else: except OSError as e: print("Could not read config file {0}: {1}".format(file_name, e), file=sys.stderr) +# This script is usually called with the output of "cli-shell-api showCfg", which does not +# escape backslashes. "ConfigTree()" expects escaped backslashes when parsing a config +# string (and also prints them itself). Therefore this script would fail. +# Manually escape backslashes here to handle backslashes in any configuration strings +# properly. The alternative would be to modify the output of "cli-shell-api showCfg", +# but that may be break other things who rely on that specific output. +config_string = config_string.replace("\\", "\\\\") + try: config = ConfigTree(config_string) commands = config.to_commands() -- cgit v1.2.3 From 652c626644d03ccf7d03de8f51ae5a2a6e27fd66 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Thu, 29 Nov 2018 01:49:55 +0100 Subject: T1001: escape backslashes in the input in the commands pipe as well. --- src/helpers/commands-pipe.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/helpers/commands-pipe.py b/src/helpers/commands-pipe.py index 1120bb09e..ab68ccade 100755 --- a/src/helpers/commands-pipe.py +++ b/src/helpers/commands-pipe.py @@ -9,6 +9,7 @@ from vyos.configtree import ConfigTree signal(SIGPIPE,SIG_DFL) config_string = sys.stdin.read().strip() +config_string = config_string.replace("\\", "\\\\") if not config_string: sys.exit(0) -- cgit v1.2.3 From a29898b2ea15b7d9cea7fade1b27d38967c52d52 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 30 Nov 2018 10:26:36 -0800 Subject: Fixes: T1061: Wireguard: Missing option to administrativly shutdown interface --- debian/changelog | 6 ++++++ interface-definitions/wireguard.xml | 6 ++++++ src/conf_mode/wireguard.py | 15 ++++++++++++++- 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 8157d97f8..7666cfd68 100644 --- a/debian/changelog +++ b/debian/changelog 
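Review bot: The unconditional `config_string = config_string.replace("\\", "\\\\")` doubles every backslash regardless of where the text came from; the commit message itself notes that ConfigTree prints escaped backslashes, so any input already in that form (the hunk header shows the file-reading `try` sits under an `else:` branch, and the replace runs after it for every path) would end up with four backslashes per original one. Escaping only on the `cli-shell-api showCfg` path, or documenting in the comment that the script must never be fed ConfigTree-formatted text, would settle this; the identical line added to src/helpers/commands-pipe.py in the next hunk has the same question. Separately, the `except OSError` handler just above only prints, so if the read failed `config_string` may be unbound when `.replace` runs; a `sys.exit(1)` after the print would make the failure explicit. The enclosing if/else starts outside the hunk.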
@@ -1,3 +1,9 @@ +vyos-1x (1.2.0-7) unstable; urgency=low + + * T1061: Wireguard: Missing option to administrativly shutdown interface + + -- hagbard Fri, 30 Nov 2018 10:22:41 -0800 + vyos-1x (1.2.0-6) unstable; urgency=medium * adding vyos-accel-ppp-ipoe-kmod for T989 diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index b0923bbe0..8bfffac9d 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -39,6 +39,12 @@ interface description is too long (limit 100 characters) + + + disables the wireguard interface + + + Local port number to accept connections diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 353528aba..f5452579e 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -89,6 +89,9 @@ def get_config(): ### addresses if c.exists(cnf + ' address'): config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address') + ### interface up/down + if c.exists(cnf + ' disable'): + config_data['interfaces'][intfc]['state'] = 'disable' ### listen port if c.exists(cnf + ' port'): config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' port') @@ -121,6 +124,7 @@ def get_config(): if c.exists(cnf + ' peer ' + p + ' preshared-key'): config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key') + return config_data def verify(c): 
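Review bot: `config_data['interfaces'][intfc]['state']` is assigned only when the `disable` node exists, yet the apply() hunk that follows (`@@ -159`) reads `c['interfaces'][intf]['state']` for every interface, so an enabled interface raises KeyError unless the per-interface dict is pre-populated with a `state` key somewhere outside this hunk. Initialising it next to the other fields, e.g. `config_data['interfaces'][intfc]['state'] = 'enable'` immediately before the `if c.exists(cnf + ' disable'):` check, keeps the two hunks consistent. get_config's body continues outside the hunk.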
@@ -159,12 +163,21 @@ def apply(c): c_eff = Config() c_eff.set_level('interfaces wireguard') + ### link status up/down aka interface disable + + for intf in c['interfaces']: + if c['interfaces'][intf]['state'] == 'disable': + sl.syslog(sl.LOG_NOTICE, "disable interface " + intf) + subprocess.call(['ip l s dev ' + intf + ' down ' + ' &>/dev/null'], shell=True) + else: + sl.syslog(sl.LOG_NOTICE, "enable interface " + intf) + subprocess.call(['ip l s dev ' + intf + ' up ' + ' &>/dev/null'], shell=True) + ### deletion of a specific interface for intf in c['interfaces']: if c['interfaces'][intf]['status'] == 'delete': sl.syslog(sl.LOG_NOTICE, "removing interface " + intf) subprocess.call(['ip l d dev ' + intf + ' &>/dev/null'], shell=True) - ### peer deletion peer_eff = c_eff.list_effective_nodes( intf + ' peer') -- cgit v1.2.3 From f285e0cba6550b316794bf04f9992e9b471ea562 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 3 Dec 2018 01:29:38 +0100 Subject: T956: correct IKE proposal string parsing for SAs with non-zero counters. --- src/op_mode/show_ipsec_sa.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py index c0ef1feef..b03014b2f 100755 --- a/src/op_mode/show_ipsec_sa.py +++ b/src/op_mode/show_ipsec_sa.py 
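Review bot: The new link up/down calls build a shell command string from the interface name and run it with `shell=True`, and the `&>/dev/null` redirect is a bash extension: if /bin/sh is dash (the Debian default) `cmd &>/dev/null` parses as `cmd &` followed by a bare redirection, so the command is backgrounded and its exit status is never observed. An argument list with no shell avoids both issues: `subprocess.call(['ip', 'link', 'set', 'dev', intf, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)` with `'up'` in the else branch; the pre-existing `ip l d dev` call below has the same shape but is not touched by this commit. The state loop also runs before the deletion loop, so an interface whose status is `delete` is set up or down immediately before being removed, which is redundant though harmless. apply's body continues outside the hunk.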
@@ -10,11 +10,15 @@ def parse_conn_spec(s): return re.search(r'.*ESTABLISHED\s+(.*)ago,\s(.*)\[(.*)\]\.\.\.(.*)\[(.*)\].*', s).groups() def parse_ike_line(s): - # Example: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes try: - return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s).groups() + # Example with traffic: AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 2382660 bytes_i (1789 pkts, 2s ago), 2382660 bytes_o ... + return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i\s\(.*pkts,.*\),\s+(\d+)\s+bytes_o', s).groups() except AttributeError: - return (None, None, None, None, None) + try: + # Example without traffic: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes + return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s).groups() + except AttributeError: + return (None, None, None, None, None) # Get a list of all configured connections -- cgit v1.2.3 From 44c8175dc975c8a3b73bf14c71dd890d52f00e67 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 3 Dec 2018 01:35:23 +0100 Subject: T956: display SA traffic counters in human-redable units. --- debian/control | 1 + src/op_mode/show_ipsec_sa.py | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/debian/control b/debian/control index 34e95a547..7061d50ef 100644 --- a/debian/control +++ b/debian/control @@ -25,6 +25,7 @@ Depends: python3, python3-tabulate, python3-six, python3-isc-dhcp-leases, + python3-hurry.filesize, ipaddrcheck, tcpdump, tshark, diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py index b03014b2f..3c8d678eb 100755 --- a/src/op_mode/show_ipsec_sa.py +++ b/src/op_mode/show_ipsec_sa.py @@ -4,6 +4,7 @@ import re import subprocess import tabulate +import hurry.filesize def parse_conn_spec(s): # Example: ESTABLISHED 14 seconds ago, 10.0.0.2[foo]...10.0.0.1[10.0.0.1] 
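Review bot: The nested try/except in parse_ike_line relies on the AttributeError from `None.groups()` as control flow and repeats the same shape twice, so a third status format would need yet another nesting level. Checking the match object directly reads more plainly and preserves the behaviour exactly: the with-traffic pattern is tried first, the rekeying pattern second, and `(None, None, None, None, None)` is returned when neither matches. Both patterns still capture the byte counters as strings, which callers need to convert before arithmetic.
```python
def parse_ike_line(s):
    # Example with traffic: AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 2382660 bytes_i (1789 pkts, 2s ago), 2382660 bytes_o ...
    # Example without traffic: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
    patterns = (
        r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i\s\(.*pkts,.*\),\s+(\d+)\s+bytes_o',
        r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying',
    )
    for pattern in patterns:
        m = re.search(pattern, s)
        if m:
            return m.groups()
    return (None, None, None, None, None)
```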
@@ -39,6 +40,11 @@ for conn in connections: if ip == id: id = None enc, hash, dh, bytes_in, bytes_out = parse_ike_line(status) + + # Convert bytes to human-readable units + bytes_in = hurry.filesize.size(bytes_in) + bytes_out = hurry.filesize.size(bytes_out) + status_line = [conn, "up", time, "{0}/{1}".format(bytes_in, bytes_out), ip, id, "{0}/{1}/{2}".format(enc, hash, dh)] except Exception as e: print(status) -- cgit v1.2.3
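Review bot: `hurry.filesize.size(bytes_in)` receives the regex capture as a str, and None whenever parse_ike_line matched neither format; as far as I know size() compares its argument against integer thresholds, so either input raises TypeError, which the surrounding `except Exception` then masks by printing the raw status block instead of the table row. Converting and guarding first keeps the row intact: `bytes_in = hurry.filesize.size(int(bytes_in)) if bytes_in is not None else None` and the same for `bytes_out`. A small local helper dividing by 1024 with a unit suffix would also spare the new python3-hurry.filesize runtime dependency added to debian/control in the previous hunk. The for loop over connections continues outside the hunk.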