From 9a16fd2cdb81a952608f5bda481e46ef915a82e3 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 17 Aug 2018 22:02:27 +0200 Subject: T778: dhcpv6-server: XML and Python rewrite --- interface-definitions/dhcpv6-server.xml | 316 +++++++++++++++++++++++++++ src/conf_mode/dhcpv6_server.py | 374 ++++++++++++++++++++++++++++++++ 2 files changed, 690 insertions(+) create mode 100644 interface-definitions/dhcpv6-server.xml create mode 100755 src/conf_mode/dhcpv6_server.py diff --git a/interface-definitions/dhcpv6-server.xml b/interface-definitions/dhcpv6-server.xml new file mode 100644 index 000000000..e63eb2242 --- /dev/null +++ b/interface-definitions/dhcpv6-server.xml 
@@ -0,0 +1,316 @@ + + + + + + + + DHCP for IPv6 (DHCPv6) server + 900 + + + + + Option to disable DHCPv6 server + + + + + + Preference of this DHCPv6 server compared with others + + 0-255 + DHCPv6 server preference (0-255) + + + + + Preference must be between 0 and 255 + + + + + DHCPv6 shared network name [REQUIRED] + + ^[-_a-zA-Z0-9.]+$ + + Invalid DHCPv6 pool name + + + + + Option to disable DHCPv6 configuration for shared-network + + + + + + IPv6 DHCP subnet for this shared network [REQUIRED] + + ipv6net + IPv6 address and prefix length + + + + + + + + + Parameters setting ranges for assigning IPv6 addresses + + + + + IPv6 prefix defining range of addresses to assign + + ipv6net + IPv6 address and prefix length + + + + + + + + + Address range will be used for temporary addresses + + + + + + + + First in range of consecutive IPv6 addresses to assign + + ipv6 + IPv6 address + + + + + + + + + Last in range of consecutive IPv6 addresses + + ipv6 + IPv6 address + + + + + + + + + + + + + Domain name for client to search + + ^[-_a-zA-Z0-9.]+$ + + Invalid domain name syntax + + + + + + Parameters relating to the lease time + + + + + Default time (in seconds) that will be assigned to a lease + + + + + Maximum time (in seconds) that will be assigned to a lease + + + + + Minimum time (in seconds) that will be assigned to a lease + + + + + + + IPv6 address of a Recursive DNS Server + + ipv6 + IPv6 address of DNS name server + + + + + + + + + + NIS domain name for client to use + + ^[-_a-zA-Z0-9.]+$ + + Invalid NIS domain name syntax + + + + + IPv6 address of a NIS Server + + ipv6 + IPv6 address of NIS server + + + + + + + + + + NIS+ domain name for client to use + + ^[-_a-zA-Z0-9.]+$ + + Invalid NIS+ domain name syntax + + + + + IPv6 address of a NIS+ Server + + ipv6 + IPv6 address of NIS+ server + + + + + + + + + + Parameters relating to IPv6 prefix delegation + + + + + First in range of IPv6 addresses to be used in prefix delegation + + ipv6 + IPv6 address used in prefix 
delegation + + + + + + + + + Length in bits of prefixes to be delegated + + 0-255 + DHCPv6 server preference (0-255) + + + + + Preference must be between 0 and 255 + + + + + Last in range of IPv6 addresses to be used in prefix delegation + + ipv6 + IPv6 address used in prefix delegation + + + + + + + + + + + + + IPv6 address of SIP server + + ipv6 + IPv6 address of SIP server + + + + + + + + + + SIP server name + + ^[-_a-zA-Z0-9.]+$ + + Invalid SIP server name syntax + + + + + + IPv6 address of an SNTP Server for client to use + + + + + + + + + Name of static mapping + + + + + Option to disable static-mapping + + + + + + Client identifier for this static mapping + + + + + Client IPv5 address for this static mapping + + ipv6 + IPv6 address for this tatic mapping + + + + + + + + + + + + + + + + + diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py new file mode 100755 index 000000000..260ccf395 --- /dev/null +++ b/src/conf_mode/dhcpv6_server.py 
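Review bot: The prefix-delegation leaf described as `Length in bits of prefixes to be delegated` carries the help text `DHCPv6 server preference (0-255)` and the error `Preference must be between 0 and 255`, evidently copied from the preference node; a prefix length is a different quantity and needs its own wording and its own bound. The static-mapping leaf `Client identifier for this static mapping` has no constraint in this hunk, yet its value is written verbatim into the quoted `dhcp6.client-id` string of the generated dhcpd6.conf, so a DUID syntax check belongs here rather than nowhere. Two help-string typos while here: `Client IPv5 address for this static mapping` and `IPv6 address for this tatic mapping`.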
@@ -0,0 +1,374 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# + +import sys +import os + +import jinja2 + +from vyos.config import Config +from vyos import ConfigError + +config_file = r'/etc/dhcp/dhcpd6.conf' +lease_file = r'/config/dhcpd6.leases' +daemon_config_file = r'/etc/default/isc-dhcpv6-server' + +# Please be careful if you edit the template. +config_tmpl = """ +### Autogenerated by dhcpv6_server.py ### + +# For options please consult the following website: +# https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html + +log-facility local7; +{%- if preference %} +option dhcp6.preference {{ preference }}; +{%- endif %} + +# Shared network configration(s) +{% for network in shared_network %} +{%- if not network.disabled -%} +shared-network {{ network.name }} { + {%- for subnet in network.subnet %} + subnet6 {{ subnet.network }} { + {%- for range in subnet.range6_temporary %} + range6 {{ range.prefix }}{{ " temporary" if range.temporary }}; + {%- endfor %} + {%- for range in subnet.range6 %} + range6 {{ range.start }} {{ range.stop }}; + {%- endfor %} + {%- if subnet.domain_search %} + option dhcp6.domain-search {{ subnet.domain_search | join(', ') }}; + {%- endif %} + {%- if subnet.lease_def %} + default-lease-time {{ subnet.lease_def }}; + {%- endif %} + {%- if subnet.lease_max %} + max-lease-time {{ subnet.lease_max }}; + {%- endif %} + {%- if 
subnet.lease_min %} + min-lease-time {{ subnet.lease_min }}; + {%- endif %} + {%- if subnet.dns_server %} + option dhcp6.name-servers {{ subnet.dns_server | join(', ') }}; + {%- endif %} + {%- if subnet.nis_domain %} + option dhcp6.nis-domain-name "{{ subnet.nis_domain }}"; + {%- endif %} + {%- if subnet.nis_server %} + option dhcp6.nis-servers {{ subnet.nis_server | join(', ') }}; + {%- endif %} + {%- if subnet.nisp_domain %} + option dhcp6.nisp-domain-name "{{ subnet.nisp_domain }}"; + {%- endif %} + {%- if subnet.nisp_server %} + option dhcp6.nisp-servers {{ subnet.nisp_server | join(', ') }}; + {%- endif %} + {%- if subnet.sip_address %} + option dhcp6.sip-servers-addresses {{ subnet.sip_address | join(', ') }}; + {%- endif %} + {%- if subnet.sip_hostname %} + option dhcp6.sip-servers-names {{ subnet.sip_hostname | join(', ') }}; + {%- endif %} + {%- if subnet.sntp_server %} + option dhcp6.sntp-servers {{ subnet.sntp_server | join(', ') }}; + {%- endif %} + {%- for host in subnet.static_mapping %} + {% if not host.disabled -%} + host {{ network.name }}_{{ host.name }} { + host-identifier option dhcp6.client-id "{{ host.client_identifier }}"; + fixed-address6 {{ host.ipv6_address }}; + } + {%- endif %} + {%- endfor %} + } + {%- endfor %} +} +{%- endif %} +{% endfor %} + +""" + +daemon_tmpl = """ +### Autogenerated by dhcp_server.py ### + +# sourced by /etc/init.d/isc-dhcpv6-server + +DHCPD_CONF=/etc/dhcp/dhcpd6.conf +DHCPD_PID=/var/run/dhcpd6.pid +OPTIONS="-6 -lf {{ lease_file }}" +INTERFACES="" +""" + +default_config_data = { + 'lease_file': lease_file, + 'preference': '', + 'disabled': False, + 'shared_network': [] +} + +def get_config(): + dhcpv6 = default_config_data + conf = Config() + if not conf.exists('service dhcpv6-server'): + return None + else: + conf.set_level('service dhcpv6-server') + + # Check for global disable of DHCPv6 service + if conf.exists('disable'): + dhcpv6['disabled'] = True + return dhcpv6 + + # Preference of this DHCPv6 server 
compared with others + if conf.exists('preference'): + dhcpv6['preference'] = conf.return_value('preference') + + # check for multiple, shared networks served with DHCPv6 addresses + if conf.exists('shared-network-name'): + for network in conf.list_nodes('shared-network-name'): + conf.set_level('service dhcpv6-server shared-network-name {0}'.format(network)) + config = { + 'name': network, + 'disabled': False, + 'subnet': [] + } + + # If disabled, the shared-network configuration becomes inactive + if conf.exists('disable'): + config['disabled'] = True + + # check for multiple subnet configurations in a shared network + if conf.exists('subnet'): + for net in conf.list_nodes('subnet'): + conf.set_level('service dhcpv6-server shared-network-name {0} subnet {1}'.format(network, net)) + subnet = { + 'network': net, + 'range6_temporary': [], + 'range6': [], + 'default_router': '', + 'dns_server': [], + 'domain_name': '', + 'domain_search': [], + 'lease_def': '', + 'lease_min': '', + 'lease_max': '', + 'nis_domain': '', + 'nis_server': [], + 'nisp_domain': '', + 'nisp_server': [], + 'sip_address': [], + 'sip_hostname': [], + 'sntp_server': [], + 'static_mapping': [] + } + + # For any subnet on which addresses will be assigned dynamically, there must be at + # least one address range statement. The range statement gives the lowest and highest + # IP addresses in a range. All IP addresses in the range should be in the subnet in + # which the range statement is declared. 
+ if conf.exists('address-range prefix'): + for prefix in conf.list_nodes('address-range prefix'): + range = { + 'prefix': prefix, + 'temporary': False + } + + # Address range will be used for temporary addresses + if conf.exists('address-range prefix {0} temporary'.format(range['prefix'])): + range['temporary'] = True + + # Append to subnet temporary range6 list + subnet['range6_temporary'].append(range) + + if conf.exists('address-range start'): + for range in conf.list_nodes('address-range start'): + range = { + 'start': range, + 'stop': conf.return_value('address-range start {0} stop'.format(range)) + } + + # Append to subnet range6 list + subnet['range6'].append(range) + + # The domain-search option specifies a 'search list' of Domain Names to be used + # by the client to locate not-fully-qualified domain names. + if conf.exists('domain-search'): + for domain in conf.return_values('domain-search'): + subnet['domain_search'].append('"' + domain + '"') + + # IPv6 address valid lifetime + # (at the end the address is no longer usable by the client) + # (set to 30 days, the usual IPv6 default) + if conf.exists('lease-time default'): + subnet['lease_def'] = conf.return_value('lease-time default') + + # Time should be the maximum length in seconds that will be assigned to a lease. + # The only exception to this is that Dynamic BOOTP lease lengths, which are not + # specified by the client, are not limited by this maximum. + if conf.exists('lease-time maximum'): + subnet['lease_max'] = conf.return_value('lease-time maximum') + + # Time should be the minimum length in seconds that will be assigned to a lease + if conf.exists('lease-time minimum'): + subnet['lease_min'] = conf.return_value('lease-time minimum') + + # Specifies a list of Domain Name System name servers available to the client. + # Servers should be listed in order of preference. 
+ if conf.exists('name-server'): + subnet['dns_server'] = conf.return_values('name-server') + + # Ancient NIS (Network Information Service) domain name + if conf.exists('nis-domain'): + subnet['nis_domain'] = conf.return_value('nis-domain') + + # Ancient NIS (Network Information Service) servers + if conf.exists('nis-server'): + subnet['nis_server'] = conf.return_values('nis-server') + + # Ancient NIS+ (Network Information Service) domain name + if conf.exists('nisplus-domain'): + subnet['nisp_domain'] = conf.return_value('nisplus-domain') + + # Ancient NIS+ (Network Information Service) servers + if conf.exists('nisplus-server'): + subnet['nisp_server'] = conf.return_values('nisplus-server') + + # + # Prefix Delegation (RFC 3633) + # + if conf.exists('prefix-delegation'): + print("TODO") + + # Local SIP server that is to be used for all outbound SIP requests - IPv6 address + if conf.exists('sip-server-address'): + subnet['sip_address'] = conf.return_values('sip-server-address') + + # Local SIP server that is to be used for all outbound SIP requests - hostname + if conf.exists('sip-server-name'): + for hostname in conf.return_values('sip-server-name'): + subnet['sip_hostname'].append('"' + hostname + '"') + + # List of local SNTP servers available for the client to synchronize their clocks + if conf.exists('sntp-server'): + subnet['sntp_server'] = conf.return_values('sntp-server') + + # + # Static DHCP v6 leases + # + if conf.exists('static-mapping'): + for mapping in conf.list_nodes('static-mapping'): + conf.set_level('service dhcpv6-server shared-network-name {0} subnet {1} static-mapping {2}'.format(network, net, mapping)) + mapping = { + 'name': mapping, + 'disabled': False, + 'ipv6_address': '', + 'client_identifier': '', + } + + # This static lease is disabled + if conf.exists('disable'): + mapping['disabled'] = True + + # IPv6 address used for this DHCP client + if conf.exists('ipv6-address'): + mapping['ipv6_address'] = conf.return_value('ipv6-address') + + 
# This option specifies the client’s DUID identifier. DUIDs are similar but different from DHCPv4 client identifiers + if conf.exists('identifier'): + mapping['client_identifier'] = conf.return_value('identifier') + + # append static mapping configuration tu subnet list + subnet['static_mapping'].append(mapping) + + # append subnet configuration to shared network subnet list + config['subnet'].append(subnet) + + + # append shared network configuration to config dictionary + dhcpv6['shared_network'].append(config) + + return dhcpv6 + +def verify(dhcpv6): + if dhcpv6 is None: + return None + + if dhcpv6['disabled']: + return None + + # If DHCP is enabled we need one share-network + if len(dhcpv6['shared_network']) == 0: + raise ConfigError('No DHCPv6 shared networks configured.\n' \ + 'At least one DHCPv6 shared network must be configured.') + + # A shared-network requires a subnet definition + for network in dhcpv6['shared_network']: + if len(network['subnet']) == 0: + raise ConfigError('No DHCPv6 lease subnets configured for {0}. 
At least one\n' \ + 'lease subnet must be configured for each shared network.'.format(network['name'])) + + + return None + +def generate(dhcpv6): + if dhcpv6 is None: + return None + + if dhcpv6['disabled']: + print('Warning: DHCPv6 server will be deactivated because it is disabled') + return None + + tmpl = jinja2.Template(config_tmpl) + config_text = tmpl.render(dhcpv6) + with open(config_file, 'w') as f: + f.write(config_text) + + tmpl = jinja2.Template(daemon_tmpl) + config_text = tmpl.render(dhcpv6) + with open(daemon_config_file, 'w') as f: + f.write(config_text) + + return None + +def apply(dhcpv6): + if (dhcpv6 is None) or dhcpv6['disabled']: + # DHCP server is removed in the commit + os.system('sudo systemctl stop isc-dhcpv6-server.service') + if os.path.exists(config_file): + os.unlink(config_file) + if os.path.exists(daemon_config_file): + os.unlink(daemon_config_file) + else: + # If our file holding DHCPv6 leases does yet not exist - create it + if not os.path.exists(lease_file): + os.mknod(lease_file) + + os.system('sudo systemctl restart isc-dhcpv6-server.service') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) -- cgit v1.2.3 From 6ba2186d7aad2f609a2197057f8404d7be30f2ac Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 31 Aug 2018 22:29:12 +0200 Subject: vyos: package: bugfix in validate.py for is_subnet_connected() --- python/vyos/validate.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/python/vyos/validate.py b/python/vyos/validate.py index b681edc5e..1b77f196a 100644 --- a/python/vyos/validate.py +++ b/python/vyos/validate.py 
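Review bot: `apply()` discards the exit status of both `os.system('sudo systemctl ...')` calls, so a daemon that fails to (re)start still lets the commit report success; capture the return value and `raise ConfigError(...)` when it is non-zero. Related, `host.client_identifier` is interpolated into the quoted `host-identifier option dhcp6.client-id "..."` template line with no check in `verify()` (the XML leaf shows no constraint), so a value containing `"` or `;` yields a dhcpd6.conf the daemon cannot parse and the restart fails. `get_config()` binds `dhcpv6 = default_config_data` and then appends to `dhcpv6['shared_network']`, mutating the module-level dict; build from a copy of `default_config_data` so repeated calls stay independent. The loop `for range in conf.list_nodes('address-range start'):` shadows the builtin and then reassigns its own loop variable on the next line; a name such as `start` reads better. The daemon template header reads `### Autogenerated by dhcp_server.py ###` inside the dhcpv6 script.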
@@ -68,7 +68,8 @@ def is_subnet_connected(subnet, primary=False): system. primary check if the subnet is reachable via the primary IP address of this - interface. E.g. ISC DHCP can only listen on primary addresses. + interface, or in other words has a broadcast address configured. ISC DHCP + for instance will complain if it should listen on non broadcast interfaces. Return True/False """ @@ -81,7 +82,7 @@ def is_subnet_connected(subnet, primary=False): for interface in netifaces.interfaces(): # check if the requested address type is configured at all if addr_type not in netifaces.ifaddresses(interface).keys(): - return False + continue # An interface can have multiple addresses, but some software components # only support the primary address :( -- cgit v1.2.3 From 6ff335b675f190b41e76fe8673a5b0d0db33e440 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 31 Aug 2018 22:30:59 +0200 Subject: bcast_relay.py: remove obsolete import statement --- src/conf_mode/bcast_relay.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index 8cc948610..d1257d4a5 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -19,7 +19,6 @@ import sys import os import fnmatch -import subprocess import jinja2 from vyos.config import Config -- cgit v1.2.3 From 91c3b8bdd9f7ff9709a58024c4a89c77d473b8ec Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 31 Aug 2018 22:31:32 +0200 Subject: dhcp_server.py: cleanup --- src/conf_mode/dhcp_server.py | 66 +++++++++++++++++++++++--------------------- 1 file changed, 34 insertions(+), 32 deletions(-) diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index 1458ed1d0..a26e4626a 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py 
@@ -38,8 +38,8 @@ config_tmpl = """ # For options please consult the following website: # https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html - -log-facility local7; +# +# log-facility local7; {% if hostfile_update %} on commit { @@ -112,12 +112,12 @@ failover peer "{{ subnet.failover_name }}" { {% for network in shared_network %} {%- if not network.disabled -%} shared-network {{ network.name }} { - {% if network.authoritative %}authoritative;{% endif %} + {{ "authoritative;" if network.authoritative }} {%- if network.network_parameters %} # The following {{ network.network_parameters | length }} line(s) were added as shared-network-parameters in the CLI and have not been validated {%- for param in network.network_parameters %} {{ param }} - {%- endfor -%} + {%- endfor %} {%- endif %} {%- for subnet in network.subnet %} subnet {{ subnet.address }} netmask {{ subnet.netmask }} { @@ -195,9 +195,15 @@ shared-network {{ network.name }} { } {%- endif %} {%- endfor %} - {%- for range in subnet.range %} - range {{ range.start }} {{ range.stop }}; - {%- endfor %} + pool { + {%- if subnet.failover_name %} + failover peer "{{ subnet.failover_name }}"; + deny dynamic bootp clients; + {%- endif %} + {%- for range in subnet.range %} + range {{ range.start }} {{ range.stop }}; + {%- endfor %} + } } {%- endfor %} on commit { set shared-networkname = "{{ network.name }}"; } 
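Review bot: Commenting out `log-facility local7;` in `config_tmpl` changes where dhcpd logs go (it falls back to the daemon's built-in default facility), a behaviour change hidden under a "cleanup" title; any syslog filter keyed on local7 to collect DHCP lease events stops matching after this commit. Either delete the line or replace the bare `#` with a why-comment, e.g. `# log-facility intentionally unset: keep dhcpd on the syslog default so lease logs stay with other daemon logs`. The `@@ -112` and `@@ -195` hunks are straightforward template reshaping.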
@@ -606,17 +612,17 @@ def verify(dhcp): raise ConfigError('No DHCP shared networks configured.\n' \ 'At least one DHCP shared network must be configured.') + # Inspect shared-network/subnet + failover_names = [] + listen_ok = False + subnets = [] + # A shared-network requires a subnet definition for network in dhcp['shared_network']: if len(network['subnet']) == 0: raise ConfigError('No DHCP lease subnets configured for {0}. At least one\n' \ 'lease subnet must be configured for each shared network.'.format(network['name'])) - # Inspect our subnet configuration - failover_names = [] - listen_ok = False - subnets = [] - for network in dhcp['shared_network']: for subnet in network['subnet']: # Subnet static route declaration requires destination and router if subnet['static_subnet'] or subnet['static_router']: 
@@ -650,34 +656,34 @@ def verify(dhcp): stop = range['stop'] # DHCP stop IP required after start IP if start and not stop: - raise ConfigError('Stop IP address in DHCP range for start {0} is not defined!'.format(start)) + raise ConfigError('DHCP range stop address for start {0} is not defined!'.format(start)) # Start address must be inside network if not ipaddress.ip_address(start) in ipaddress.ip_network(subnet['network']): - raise ConfigError('Start IP address {0} of DHCP range is not in subnet {1}\n' \ + raise ConfigError('DHCP range start address {0} is not in subnet {1}\n' \ 'specified for shared network {2}!'.format(start, subnet['network'], network['name'])) # Stop address must be inside network if not ipaddress.ip_address(stop) in ipaddress.ip_network(subnet['network']): - raise ConfigError('Stop IP address {0} of DHCP range is not in subnet {1}\n' \ + raise ConfigError('DHCP range stop address {0} is not in subnet {1}\n' \ 'specified for shared network {2}!'.format(stop, subnet['network'], network['name'])) # Stop address must be greater or equal to start address if not ipaddress.ip_address(stop) >= ipaddress.ip_address(start): - raise ConfigError('Stop IP address {0} of DHCP range should be greater or equal\n' \ - 'to the start IP address {1} of this range!'.format(stop, start)) + raise ConfigError('DHCP range stop address {0} must be greater or equal\n' \ + 'to the range start address {1}!'.format(stop, start)) # Range start address must be unique if start in range_start: raise ConfigError('Conflicting DHCP lease range:\n' \ - 'Pool start IP address {0} defined multipe times!'.format(range['start'])) + 'Pool start address {0} defined multipe times!'.format(start)) else: range_start.append(start) # Range stop address must be unique if stop in range_stop: raise ConfigError('Conflicting DHCP lease range:\n' \ - 'Pool stop IP address {0} defined multipe times!'.format(range['stop'])) + 'Pool stop address {0} defined multipe times!'.format(stop)) else: 
range_stop.append(stop) @@ -705,18 +711,18 @@ def verify(dhcp): for mapping in subnet['static_mapping']: # Static IP address must be configured if not mapping['ip_address']: - raise ConfigError('No static lease IP address specified for static mapping {0}\n' \ - 'under shared network name {1}!'.format(mapping['name'], network['name'])) + raise ConfigError('DHCP static lease IP address not specified for static mapping\n' \ + '{0} under shared network name {1}!'.format(mapping['name'], network['name'])) # Static IP address must be in bound if not ipaddress.ip_address(mapping['ip_address']) in ipaddress.ip_network(subnet['network']): - raise ConfigError('Static DHCP lease IP address {0} under static mapping {1}\n' \ - 'in shared network {2} is outside DHCP lease network {3}!' \ + raise ConfigError('DHCP static lease IP address {0} for static mapping {1}\n' \ + 'in shared network {2} is outside DHCP lease subnet {3}!' \ .format(mapping['ip_address'], mapping['name'], network['name'], subnet['network'])) # Static mapping requires MAC address if not mapping['mac_address']: - raise ConfigError('No static lease MAC address specified for static mapping\n' \ + raise ConfigError('DHCP static lease MAC address not specified for static mapping\n' \ '{0} under shared network name {1}!'.format(mapping['name'], network['name'])) # There must be one subnet connected to a listen interface. 
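Review bot: The two rewritten messages in the `@@ -650` hunk still read `'Pool start address {0} defined multipe times!'` and `'Pool stop address {0} defined multipe times!'`; since the commit touches both lines, fix the typo to `multiple` here. Style: `if not ipaddress.ip_address(start) in ipaddress.ip_network(subnet['network'])` reads better as `if ipaddress.ip_address(start) not in ipaddress.ip_network(subnet['network'])`, and parsing `start`, `stop` and the subnet once into locals avoids repeating `ipaddress.ip_address(...)` four times per range. The enclosing `verify()` starts and ends outside these hunks.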
@@ -725,28 +731,24 @@ def verify(dhcp): if vyos.validate.is_subnet_connected(subnet['network'], primary=True): listen_ok = True - # # Subnets must be non overlapping - # if subnet['network'] in subnets: - raise ConfigError('Subnets must be unique! Subnet {0} defined multiple times!'.format(subnet)) + raise ConfigError('DHCP subnets must be unique! Subnet {0} defined multiple times!'.format(subnet)) else: subnets.append(subnet['network']) - # # Check for overlapping subnets - # net = ipaddress.ip_network(subnet['network']) for n in subnets: net2 = ipaddress.ip_network(n) - if (net.compare_networks(net2) != 0): + if (net != net2): if net.overlaps(net2): - raise ConfigError('Conflicting subnet ranges: {0} overlaps with {1}'.format(net, net2)) + raise ConfigError('DHCP conflicting subnet ranges: {0} overlaps {1}'.format(net, net2)) if not listen_ok: raise ConfigError('None of the DHCP lease subnets are inside any configured subnet on\n' \ 'broadcast interfaces. At least one lease subnet must be set such that\n' \ - 'DHCP server listens on a one broadcast interface') + 'DHCP server listens on a one broadcast interface!') return None -- cgit v1.2.3 From 8a5c00e897a98e8a532a364b1178bd3317bffef9 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 31 Aug 2018 22:32:22 +0200 Subject: T811: dhcpv6_server.py: add missing validators when comitting config changes --- src/conf_mode/dhcpv6_server.py | 91 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 84 insertions(+), 7 deletions(-) diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py index 260ccf395..bb3e6e90d 100755 --- a/src/conf_mode/dhcpv6_server.py +++ b/src/conf_mode/dhcpv6_server.py @@ -18,9 +18,12 @@ import sys import os +import ipaddress import jinja2 +import vyos.validate + from vyos.config import Config from vyos import ConfigError 
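Review bot: The rewritten line `raise ConfigError('DHCP subnets must be unique! Subnet {0} defined multiple times!'.format(subnet))` formats the whole `subnet` dict, so the operator gets a dictionary dump instead of the offending network; it should be `.format(subnet['network'])`, matching the `subnet['network'] in subnets` membership test directly above it. `verify()` continues outside this hunk.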
@@ -46,7 +49,7 @@ option dhcp6.preference {{ preference }}; shared-network {{ network.name }} { {%- for subnet in network.subnet %} subnet6 {{ subnet.network }} { - {%- for range in subnet.range6_temporary %} + {%- for range in subnet.range6_prefix %} range6 {{ range.prefix }}{{ " temporary" if range.temporary }}; {%- endfor %} {%- for range in subnet.range6 %} @@ -159,7 +162,7 @@ def get_config(): conf.set_level('service dhcpv6-server shared-network-name {0} subnet {1}'.format(network, net)) subnet = { 'network': net, - 'range6_temporary': [], + 'range6_prefix': [], 'range6': [], 'default_router': '', 'dns_server': [], @@ -194,7 +197,7 @@ def get_config(): range['temporary'] = True # Append to subnet temporary range6 list - subnet['range6_temporary'].append(range) + subnet['range6_prefix'].append(range) if conf.exists('address-range start'): for range in conf.list_nodes('address-range start'): @@ -249,11 +252,9 @@ def get_config(): if conf.exists('nisplus-server'): subnet['nisp_server'] = conf.return_values('nisplus-server') - # # Prefix Delegation (RFC 3633) - # if conf.exists('prefix-delegation'): - print("TODO") + print('TODO: This option is actually not implemented right now!') # Local SIP server that is to be used for all outbound SIP requests - IPv6 address if conf.exists('sip-server-address'): 
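Review bot: In the `@@ -249` hunk a configured `prefix-delegation` is still only acknowledged with `print('TODO: This option is actually not implemented right now!')`, so the commit succeeds while the setting is silently absent from dhcpd6.conf; until the feature lands this should be `raise ConfigError('prefix-delegation is not implemented yet')` (or the XML node withheld) so the operator is not left believing delegation is active. The rename to `range6_prefix` across the `@@ -46`, `@@ -159` and `@@ -194` hunks is consistent, but the comment `# Append to subnet temporary range6 list` above `subnet['range6_prefix'].append(range)` still describes the old name; `# Append to subnet prefix range6 list` would match. `get_config()` extends beyond these hunks.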
@@ -317,12 +318,88 @@ def verify(dhcpv6): raise ConfigError('No DHCPv6 shared networks configured.\n' \ 'At least one DHCPv6 shared network must be configured.') - # A shared-network requires a subnet definition + # Inspect shared-network/subnet + subnets = [] + listen_ok = False + for network in dhcpv6['shared_network']: + # A shared-network requires a subnet definition if len(network['subnet']) == 0: raise ConfigError('No DHCPv6 lease subnets configured for {0}. At least one\n' \ 'lease subnet must be configured for each shared network.'.format(network['name'])) + range6_start = [] + range6_stop = [] + for subnet in network['subnet']: + # Ususal range declaration with a start and stop address + for range6 in subnet['range6']: + # shorten names + start = range6['start'] + stop = range6['stop'] + + # DHCPv6 stop address is required + if start and not stop: + raise ConfigError('DHCPv6 range stop address for start {0} is not defined!'.format(start)) + + # Start address must be inside network + if not ipaddress.ip_address(start) in ipaddress.ip_network(subnet['network']): + raise ConfigError('DHCPv6 range start address {0} is not in subnet {1}\n' \ + 'specified for shared network {2}!'.format(start, subnet['network'], network['name'])) + + # Stop address must be inside network + if not ipaddress.ip_address(stop) in ipaddress.ip_network(subnet['network']): + raise ConfigError('DHCPv6 range stop address {0} is not in subnet {1}\n' \ + 'specified for shared network {2}!'.format(stop, subnet['network'], network['name'])) + + # Stop address must be greater or equal to start address + if not ipaddress.ip_address(stop) >= ipaddress.ip_address(start): + raise ConfigError('DHCPv6 range stop address {0} must be greater or equal\n' \ + 'to the range start address {1}!'.format(stop, start)) + + # DHCPv6 range start address must be unique - two ranges can't + # start with the same address - makes no sense + if start in range6_start: + raise ConfigError('Conflicting DHCPv6 lease 
range:\n' \ + 'Pool start address {0} defined multipe times!'.format(start)) + else: + range6_start.append(start) + + # DHCPv6 range stop address must be unique - two ranges can't + # end with the same address - makes no sense + if stop in range6_stop: + raise ConfigError('Conflicting DHCPv6 lease range:\n' \ + 'Pool stop address {0} defined multipe times!'.format(stop)) + else: + range6_stop.append(stop) + + # We also have prefixes that require checking + for prefix in subnet['range6_prefix']: + # If configured prefix does not match our subnet, we have to check that it's inside + if ipaddress.ip_network(prefix['prefix']) != ipaddress.ip_network(subnet['network']): + # Configured prefixes must be inside our network + if not ipaddress.ip_network(prefix['prefix']) in ipaddress.ip_network(subnet['network']): + raise ConfigError('DHCPv6 prefix {0} is not in subnet {1}\n' \ + 'specified for shared network {2}!'.format(prefix['prefix'], subnet['network'], network['name'])) + + # DHCPv6 requires at least one configured address range or one static mapping + if not network['disabled']: + if vyos.validate.is_subnet_connected(subnet['network']): + listen_ok = True + + # DHCPv6 subnet must not overlap. ISC DHCP also complains about overlapping + # subnets: "Warning: subnet 2001:db8::/32 overlaps subnet 2001:db8:1::/32" + net = ipaddress.ip_network(subnet['network']) + for n in subnets: + net2 = ipaddress.ip_network(n) + if (net != net2): + if net.overlaps(net2): + raise ConfigError('DHCPv6 conflicting subnet ranges: {0} overlaps {1}'.format(net, net2)) + + if not listen_ok: + raise ConfigError('None of the DHCPv6 subnets are connected to a subnet6 on\n' \ + 'this machine. At least one subnet6 must be connected such that\n' \ + 'DHCPv6 listens on an interface!') + return None -- cgit v1.2.3 From 1117cf40eb996b0f29567545b1232dbdfb40ca96 Mon Sep 17 00:00:00 2001 
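Review bot: The overlap check at the end of the new `verify()` never fires: `subnets` is initialised as `[]` and iterated with `for n in subnets:`, but nothing appends `subnet['network']` to it (the dhcp_server.py counterpart does), so overlapping subnet6 definitions pass verification; add `subnets.append(subnet['network'])` after the overlap loop. The prefix containment test `if not ipaddress.ip_network(prefix['prefix']) in ipaddress.ip_network(subnet['network'])` has the opposite problem: `ipaddress` network objects' `__contains__` returns False whenever the operand is itself a network, so every prefix that differs from the subnet is rejected as "not in subnet"; compare bounds instead, e.g. `pfx = ipaddress.ip_network(prefix['prefix'])` / `net = ipaddress.ip_network(subnet['network'])` / `if pfx.network_address not in net or pfx.broadcast_address not in net:`. The comment `# DHCPv6 requires at least one configured address range or one static mapping` sits above the `is_subnet_connected` listen check and describes something else; `# At least one enabled subnet must be connected to a local interface` would match the code. Minor: `# Ususal range declaration` should read `Usual`.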
From: Christian Poessinger Date: Sat, 1 Sep 2018 14:22:57 +0200 Subject: T771: snmp.px: reduce syslog noise --- src/conf_mode/snmp.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index b98741913..4d84aa4df 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -38,6 +38,7 @@ config_file_client = r'/etc/snmp/snmp.conf' config_file_daemon = r'/etc/snmp/snmpd.conf' config_file_access = r'/usr/share/snmp/snmpd.conf' config_file_user = r'/var/lib/snmp/snmpd.conf' +config_file_init = r'/etc/default/snmpd' # SNMP OIDs used to mark auth/priv type OIDs = { @@ -224,7 +225,17 @@ group {{ u.group }} tsm {{ u.name }} {% endif %} {% endif %} +""" + +init_config_tmpl = """ +### Autogenerated by snmp.py ### +# This file controls the activity of snmpd + +# snmpd control (yes means start daemon). +SNMPDRUN=yes +# snmpd options (use syslog, close stdin/out/err). +SNMPDOPTS='-LSed -u snmp -g snmp -p /run/snmpd.pid' """ default_config_data = { @@ -734,6 +745,12 @@ def generate(snmp): with open(config_file_user, 'w') as f: f.write(config_text) + # Write init config file + tmpl = jinja2.Template(init_config_tmpl) + config_text = tmpl.render(snmp) + with open(config_file_init, 'w') as f: + f.write(config_text) + return None def apply(snmp): -- cgit v1.2.3 From a5b70e5a9176043ada3749775dce51dd864f6b50 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 1 Sep 2018 14:42:33 +0200 Subject: snmp.py: beautify generated snmp.conf --- src/conf_mode/snmp.py | 112 ++++++++++++++++++++------------------------------ 1 file changed, 45 insertions(+), 67 deletions(-) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 4d84aa4df..924c19754 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py 
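Review bot: The new `init_config_tmpl` hard-codes `SNMPDOPTS='-LSed -u snmp -g snmp -p /run/snmpd.pid'`; `-LSed` forwards only error-and-above to the daemon facility, so besides reducing noise it also drops every warning and notice snmpd would otherwise emit, some of which an operator may want to keep (authentication-related messages, if snmpd logs them below error — worth confirming before settling on the level). Document the choice in the template so the flag does not have to be decoded later, e.g. replace `# snmpd options (use syslog, close stdin/out/err).` with `# snmpd options: log error-and-above to syslog facility daemon (-LSed), run as snmp:snmp.`. The `@@ -734` addition to `generate()` follows the existing write pattern; `generate()` starts outside the hunk.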
@@ -72,22 +72,20 @@ rwuser {{ vyos_user }} user_config_tmpl = """ ### Autogenerated by snmp.py ### # user -{% if v3_users %} -{% for u in v3_users %} -{% if u.authOID == 'none' %} +{%- for u in v3_users %} +{%- if u.authOID == 'none' %} createUser {{ u.name }} -{% elif u.authPassword %} +{%- elif u.authPassword %} createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }} -{% else %} +{%- else %} usmUser 1 3 {{ u.engineID }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x -{% endif %} -{% endfor %} -{% endif %} +{%- endif %} +{%- endfor %} createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES -{% if v3_engineid %} +{%- if v3_engineid %} oldEngineID {{ v3_engineid }} -{%- endif -%} +{%- endif %} """ # SNMPS template - be careful if you edit the template. 
@@ -124,107 +122,87 @@ monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 ######################## # configurable section # ######################## - {% if v3_tsm_key %} [snmp] localCert {{ v3_tsm_key }} -{% endif %} +{%- endif %} # Default system description is VyOS version sysDescr VyOS {{ version }} -{% if description -%} +{% if description %} # Description SysDescr {{ description }} -{% endif %} +{%- endif %} # Listen agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},udp:161,udp6:161{% endif %}{% if v3_tsm_key %},tlstcp:{{ v3_tsm_port }},dtlsudp::{{ v3_tsm_port }}{% endif %} # SNMP communities -{% if communities -%} -{% for c in communities %} -{% if c.network -%} -{% for network in c.network_v4 %} +{%- for c in communities %} +{%- for network in c.network_v4 %} {{ c.authorization }}community {{ c.name }} {{ network }} -{% endfor %} -{% for network in c.network_v6 %} +{%- endfor %} +{%- for network in c.network_v6 %} {{ c.authorization }}community6 {{ c.name }} {{ network }} -{% endfor %} -{% else %} +{%- endfor %} +{%- else %} {{ c.authorization }}community {{ c.name }} {{ c.authorization }}community6 {{ c.name }} -{% endif %} -{% endfor %} -{% endif %} +{%- endfor %} -{% if contact -%} +{% if contact %} # system contact information SysContact {{ contact }} -{% endif %} +{%- endif %} -{% if location -%} +{% if location %} # system location information SysLocation {{ location }} -{% endif %} +{%- endif %} {% if smux_peers -%} # additional smux peers -{% for sp in smux_peers %} +{%- for sp in smux_peers %} smuxpeer {{ sp }} -{% endfor %} -{% endif %} +{%- endfor %} +{%- endif %} {% if trap_targets -%} # if there is a problem - tell someone! 
-{% for t in trap_targets %} +{%- for t in trap_targets %} trap2sink {{ t.target }}{% if t.port -%}:{{ t.port }}{% endif %} {{ t.community }} -{% endfor %} -{% endif %} +{%- endfor %} +{%- endif %} +{%- if v3_enabled %} # # SNMPv3 stuff goes here # -{% if v3_enabled %} - # views -{% if v3_views -%} -{% for v in v3_views %} -{% for oid in v.oids %} +{%- for v in v3_views %} +{%- for oid in v.oids %} view {{ v.name }} included .{{ oid.oid }} -{% endfor %} -{% endfor %} -{% endif %} +{%- endfor %} +{%- endfor %} # access # context sec.model sec.level match read write notif -{% if v3_groups -%} -{% for g in v3_groups %} -{% if g.mode == 'ro' %} -access {{ g.name }} "" usm {{ g.seclevel }} exact {{ g.view }} none none -access {{ g.name }} "" tsm {{ g.seclevel }} exact {{ g.view }} none none -{% elif g.mode == 'rw' %} -access {{ g.name }} "" usm {{ g.seclevel }} exact {{ g.view }} {{ g.view }} none -access {{ g.name }} "" tsm {{ g.seclevel }} exact {{ g.view }} {{ g.view }} none -{% endif %} -{% endfor -%} -{% endif %} +{%- for g in v3_groups %} +access {{ g.name }} "" usm {{ g.seclevel }} exact {{ g.view }} {% if g.mode == 'ro' %}none{% else %}{{ g.view }}{% endif %} none +access {{ g.name }} "" tsm {{ g.seclevel }} exact {{ g.view }} {% if g.mode == 'ro' %}none{% else %}{{ g.view }}{% endif %} none +{%- endfor %} # trap-target -{% if v3_traps -%} -{% for t in v3_traps %} +{%- for t in v3_traps %} trapsess -v 3 {{ '-Ci' if t.type == 'inform' }} -e {{ t.engineID }} -u {{ t.secName }} -l {{ t.secLevel }} -a {{ t.authProtocol }} {% if t.authPassword %}-A {{ t.authPassword }}{% elif t.authMasterKey %}-3m {{ t.authMasterKey }}{% endif %} -x {{ t.privProtocol }} {% if t.privPassword %}-X {{ t.privPassword }}{% elif t.privMasterKey %}-3M {{ t.privMasterKey }}{% endif %} {{ t.ipProto }}:{{ t.ipAddr }}:{{ t.ipPort }} -{% endfor -%} -{% endif %} +{%- endfor %} # group -{% if v3_users -%} -{% for u in v3_users %} +{%- for u in v3_users %} group {{ u.group }} usm {{ u.name }} group 
{{ u.group }} tsm {{ u.name }}
 {% endfor %}
-{% endif %}
-
-{% endif %}
+{%- endif %}
 """
 
 init_config_tmpl = """
@@ -722,25 +700,25 @@ def generate(snmp):
         return None
 
     # Write client config file
-    tmpl = jinja2.Template(client_config_tmpl, trim_blocks=True)
+    tmpl = jinja2.Template(client_config_tmpl)
     config_text = tmpl.render(snmp)
     with open(config_file_client, 'w') as f:
         f.write(config_text)
 
     # Write server config file
-    tmpl = jinja2.Template(daemon_config_tmpl, trim_blocks=True)
+    tmpl = jinja2.Template(daemon_config_tmpl)
     config_text = tmpl.render(snmp)
     with open(config_file_daemon, 'w') as f:
         f.write(config_text)
 
     # Write access rights config file
-    tmpl = jinja2.Template(access_config_tmpl, trim_blocks=True)
+    tmpl = jinja2.Template(access_config_tmpl)
     config_text = tmpl.render(snmp)
     with open(config_file_access, 'w') as f:
         f.write(config_text)
 
     # Write access rights config file
-    tmpl = jinja2.Template(user_config_tmpl, trim_blocks=True)
+    tmpl = jinja2.Template(user_config_tmpl)
     config_text = tmpl.render(snmp)
     with open(config_file_user, 'w') as f:
         f.write(config_text)
-- cgit v1.2.3
From bd2f3a42ec9fafdd133d78faa385a19a656f7240 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sat, 1 Sep 2018 14:43:21 +0200
Subject: snmp.py: bugfix writing rocommunity string in config

---
 src/conf_mode/snmp.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 924c19754..86a10c496 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -273,9 +273,9 @@ def get_config():
             if conf.exists('community {0} network'.format(name)):
                 for addr in conf.return_values('community {0} network'.format(name)):
                     if vyos.validate.is_ipv4(addr):
-                        community['network_v4'] = addr
+                        community['network_v4'].append(addr)
                     else:
-                        community['network_v6'] = addr
+                        community['network_v6'].append(addr)
 
             snmp['communities'].append(community)
 
-- cgit v1.2.3
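Review bot: The rewritten SNMPv3 access lines fail open: `{% if g.mode == 'ro' %}none{% else %}{{ g.view }}{% endif %}` grants write access to the view for every mode value that is not exactly 'ro', whereas the removed `elif g.mode == 'rw'` branch emitted no access line at all for an unexpected value. If the CLI definition restricts mode to ro/rw the two are equivalent today, but the template no longer enforces the default-deny on its own; testing for the privileged value instead, `{% if g.mode == 'rw' %}{{ g.view }}{% else %}none{% endif %}`, keeps it, and the tsm line directly below needs the same treatment. The daemon_config_tmpl string this hunk edits begins before the hunk.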
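Review bot: `trim_blocks=True` is also dropped from the client_config_tmpl render, but none of the hunks in this commit rework client_config_tmpl with `{%-` whitespace control the way the daemon, access and user templates are, so /etc/snmp/snmp.conf may now keep the blank lines trim_blocks used to remove — unless that template has no block tags at all, which is not visible here. Either keep `tmpl = jinja2.Template(client_config_tmpl, trim_blocks=True)` for that one template or convert it like the others. As a point of style, the four render-and-write stanzas differ only in (template, path) and would read better as one loop over a list of such pairs.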
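Review bot: The `else` branch still classifies any value that fails `vyos.validate.is_ipv4` as IPv6, so a malformed `network` entry would be emitted as a `community6` source line instead of being rejected; the switch to `.append()` is correct, but an explicit IPv6 check (or a final `else: raise ConfigError(...)`) would make the classification fail closed. The same pattern is copied into the new `client` block in commit bfde18e below. The hunk assumes `community['network_v4']` and `community['network_v6']` are initialised as lists; that initialisation is outside the hunk, so it is worth a glance.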
From bfde18e1064d0622d1eb022ffca2fa9a95bace0f Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sat, 1 Sep 2018 14:48:06 +0200
Subject: snmp.py: bugfix - CLI client community node was not processed

---
 src/conf_mode/snmp.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 86a10c496..ef5db4690 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -270,6 +270,7 @@ def get_config():
             if conf.exists('community {0} authorization'.format(name)):
                 community['authorization'] = conf.return_value('community {0} authorization'.format(name))
 
+            # Subnet of SNMP client(s) allowed to contact system
             if conf.exists('community {0} network'.format(name)):
                 for addr in conf.return_values('community {0} network'.format(name)):
                     if vyos.validate.is_ipv4(addr):
@@ -277,6 +278,14 @@ def get_config():
                     else:
                         community['network_v6'].append(addr)
 
+            # IP address of SNMP client allowed to contact system
+            if conf.exists('community {0} client'.format(name)):
+                for addr in conf.return_values('community {0} client'.format(name)):
+                    if vyos.validate.is_ipv4(addr):
+                        community['network_v4'].append(addr)
+                    else:
+                        community['network_v6'].append(addr)
+
             snmp['communities'].append(community)
 
             if conf.exists('contact'):
-- cgit v1.2.3
From d48e5d8d196365862feae6943e97cbc803469cbb Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sat, 1 Sep 2018 14:57:53 +0200
Subject: snmp.py: beautify generated snmp.conf #2

---
 src/conf_mode/snmp.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index ef5db4690..a4e776d49 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
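Review bot: The new `client` block in the second hunk is a verbatim copy of the `network` block above it, including the IPv4-or-else split, so any later fix has to land in two places; folding both into one loop, `for node in ('network', 'client'):` / `if conf.exists('community {0} {1}'.format(name, node)):` / `for addr in conf.return_values('community {0} {1}'.format(name, node)):`, removes the duplication. Merging client addresses into the same `network_v4`/`network_v6` lists is presumably intended, since both end up as a source on the same community line in the template, but a one-line comment stating that would save the next reader a trip to the template. get_config() begins before this hunk.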
@@ -60,12 +60,12 @@ clientaddr {{ trap_source }}
 # SNMPS template - be careful if you edit the template.
 access_config_tmpl = """
 ### Autogenerated by snmp.py ###
-{% if v3_users %}
-{% for u in v3_users %}
+{%- for u in v3_users %}
 {{ u.mode }}user {{ u.name }}
-{% endfor %}
-{% endif -%}
+{%- endfor %}
+
 rwuser {{ vyos_user }}
+
 """
 
 # SNMPS template - be careful if you edit the template.
-- cgit v1.2.3