From 9fd73cbcc25437169d1eaf627dd56009cb50d32b Mon Sep 17 00:00:00 2001
From: Dirk Steinkopf
Date: Sun, 2 Dec 2018 07:49:27 +0100
Subject: T1060: Add webproxy migration script (proxy-bypass -> whitelist).
---
 src/migration-scripts/webproxy/0-to-1 | 39 +++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100755 src/migration-scripts/webproxy/0-to-1
diff --git a/src/migration-scripts/webproxy/0-to-1 b/src/migration-scripts/webproxy/0-to-1
new file mode 100755
index 000000000..4acabba3e
--- /dev/null
+++ b/src/migration-scripts/webproxy/0-to-1
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+# migrate old style `webproxy proxy-bypass 1.2.3.4/24`
+# to new style `webproxy whitelist destination-address 1.2.3.4/24`
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 1:
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+cfg_webproxy_base = ['service', 'webproxy']
+if not config.exists(cfg_webproxy_base):
+ # Nothing to do
+ sys.exit(0)
+else:
+ bypass_addresses = config.return_values(cfg_webproxy_base + ['proxy-bypass'])
+ # delete old configuration node
+ config.delete(cfg_webproxy_base + ['proxy-bypass'])
+ for bypass_address in bypass_addresses:
+ # add data to new configuration node
+ config.set(cfg_webproxy_base + ['whitelist', 'destination-address'], value=bypass_address, replace=False)
+
+ # save updated configuration
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
-- cgit v1.2.3
From a2ef71b8878f395d4d259a75df3d68695fd7c004 Mon Sep 17 00:00:00 2001
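Review bot: The argument check `if len(sys.argv) < 1:` can never fail, because argv[0] (the script path) is always present, so running the script without a file name skips the friendly message and dies on `file_name = sys.argv[1]` with an IndexError; it should read `if len(sys.argv) < 2:`. The same script is re-added byte-for-byte as `1-to-2` in the next commit (a2ef71b), so the fix belongs there as well. Separately, when `service webproxy` exists but has no `proxy-bypass` node, the script still calls `return_values` on the missing node and rewrites the config file; whether `return_values` returns an empty list or raises for a missing node is not visible here, so guarding the migration with `if config.exists(cfg_webproxy_base + ['proxy-bypass']):` would make the no-op case explicit and avoid an unnecessary write.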
From: Christian Poessinger Date: Fri, 7 Dec 2018 20:00:14 +0100 Subject: T1060: build fix for wrong config-version number Commit 9d35610c173 ("T1060: add missing version file for webproxy") assumed that there is a webproxy config version of 0 but we already have 1. This lead to duplicate files detected by apt. --- src/migration-scripts/webproxy/0-to-1 | 39 ----------------------------------- src/migration-scripts/webproxy/1-to-2 | 39 +++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 39 deletions(-) delete mode 100755 src/migration-scripts/webproxy/0-to-1 create mode 100755 src/migration-scripts/webproxy/1-to-2 diff --git a/src/migration-scripts/webproxy/0-to-1 b/src/migration-scripts/webproxy/0-to-1 deleted file mode 100755 index 4acabba3e..000000000 --- a/src/migration-scripts/webproxy/0-to-1 +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/env python3 - -# migrate old style `webproxy proxy-bypass 1.2.3.4/24` -# to new style `webproxy whitelist destination-address 1.2.3.4/24` - -import sys - -from vyos.configtree import ConfigTree - -if len(sys.argv) < 1: - print("Must specify file name!") - sys.exit(1) - -file_name = sys.argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - -config = ConfigTree(config_file) - -cfg_webproxy_base = ['service', 'webproxy'] -if not config.exists(cfg_webproxy_base): - # Nothing to do - sys.exit(0) -else: - bypass_addresses = config.return_values(cfg_webproxy_base + ['proxy-bypass']) - # delete old configuration node - config.delete(cfg_webproxy_base + ['proxy-bypass']) - for bypass_address in bypass_addresses: - # add data to new configuration node - config.set(cfg_webproxy_base + ['whitelist', 'destination-address'], value=bypass_address, replace=False) - - # save updated configuration - try: - with open(file_name, 'w') as f: - f.write(config.to_string()) - except OSError as e: - print("Failed to save the modified config: {}".format(e)) - sys.exit(1) 
diff --git a/src/migration-scripts/webproxy/1-to-2 b/src/migration-scripts/webproxy/1-to-2
new file mode 100755
index 000000000..4acabba3e
--- /dev/null
+++ b/src/migration-scripts/webproxy/1-to-2
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+# migrate old style `webproxy proxy-bypass 1.2.3.4/24`
+# to new style `webproxy whitelist destination-address 1.2.3.4/24`
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 1:
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+cfg_webproxy_base = ['service', 'webproxy']
+if not config.exists(cfg_webproxy_base):
+ # Nothing to do
+ sys.exit(0)
+else:
+ bypass_addresses = config.return_values(cfg_webproxy_base + ['proxy-bypass'])
+ # delete old configuration node
+ config.delete(cfg_webproxy_base + ['proxy-bypass'])
+ for bypass_address in bypass_addresses:
+ # add data to new configuration node
+ config.set(cfg_webproxy_base + ['whitelist', 'destination-address'], value=bypass_address, replace=False)
+
+ # save updated configuration
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
-- cgit v1.2.3
From f9ad571f6d2a6238fe841f8eb1acf7daced1c7d5 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 9 Dec 2018 21:39:20 +0100
Subject: T1091: add DNS forwarding completion helpers for DNSSEC
---
 interface-definitions/dns-forwarding.xml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/interface-definitions/dns-forwarding.xml b/interface-definitions/dns-forwarding.xml
index e3d33e8cc..eda31f029 100644
--- a/interface-definitions/dns-forwarding.xml
+++ b/interface-definitions/dns-forwarding.xml
@@ -35,6 +35,9 @@ DNSSEC mode + + off process-no-validate process log-fail validate + off
-- cgit v1.2.3
From f968d0846abc416c0eac51aeff55551f9df2dea0 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 9 Dec 2018 21:46:00 +0100 Subject: T1091: extend DNS forwarding/DNSSEC completion help text --- interface-definitions/dns-forwarding.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/interface-definitions/dns-forwarding.xml b/interface-definitions/dns-forwarding.xml index eda31f029..88af5f4f9 100644 --- a/interface-definitions/dns-forwarding.xml +++ b/interface-definitions/dns-forwarding.xml @@ -40,23 +40,23 @@ off - + No DNSSEC processing whatsoever! process-no-validate - + Respond with DNSSEC records to clients that ask for it. Don't do any validation. process - + Respond with DNSSEC records to clients that ask for it. Validation for clients that request it. log-fail - + Similar behaviour to process, but validate RRSIGs on responses and log bogus responses. validate - + Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses. (off|process-no-validate|process|log-fail|validate) -- cgit v1.2.3 From 51f61991092a163f680e4ec8f122e73f4074ddf9 Mon Sep 17 00:00:00 2001 From: hagbard Date: Tue, 11 Dec 2018 14:06:43 -0800 Subject: T1087: Firewall on Wireguard Interface implementation --- debian/changelog | 5 +++ interface-definitions/wireguard.xml | 76 +++++++++++++++++++++++++++++++ src/conf_mode/wireguard.py | 89 ++++++++++++++++++++++++++++++++++++- 3 files changed, 168 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 7666cfd68..f1293e076 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,8 @@ +vyos-1x (1.2.0-8) unstable; urgency=low + + * T1087: Firewall on Wireguard Interface + + -- hagbard Tue, 11 Dec 2018 14:06:14 -0800 vyos-1x (1.2.0-7) unstable; urgency=low * T1061: Wireguard: Missing option to administrativly shutdown interface diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 8bfffac9d..b7a76eedb 100644 
--- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -73,6 +73,82 @@ + + + Firewall options + + + + + Ruleset for forwarded packets on inbound interface + + + + + Inbound IPv4 firewall ruleset name for interface + + firewall name + + + + + + Inbound IPv6 firewall ruleset name for interface + + firewall ipv6-name + + + + + + + + Ruleset for packets destined for this router + + + + + Local IPv4 firewall ruleset name for interface + + firewall name + + + + + + Local IPv4 firewall ruleset name for interface + + firewall ipv6-name + + + + + + + + Ruleset for forwarded packets on outbound interface + + + + + Outbound IPv4 firewall ruleset name for interface + + firewall name + + + + + + Outbound IPv6 firewall ruleset name for interface + + firewall ipv6-name + + + + + + + peer alias diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index f5452579e..c46cf7703 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -64,7 +64,17 @@ def get_config(): 'status' : 'exists', 'state' : 'enabled', 'mtu' : '1420', - 'peer' : {} + 'peer' : {}, + 'fw' : { + 'in' : None, + 'local' : None, + 'out' : None + }, + 'fwv6' : { + 'in' : None, + 'local' : None, + 'out' : None + } } } ) 
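Review bot: The help text under the `local` node is copied from the IPv4 leaf for both children — `Local IPv4 firewall ruleset name for interface` appears twice, once paired with the `firewall name` completion and once with `firewall ipv6-name` — so the IPv6 entry should read `Local IPv6 firewall ruleset name for interface`, as the `in` and `out` pairs already do. The element markup is stripped in this rendering, so only the text content of the new nodes can be checked here.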
@@ -101,6 +111,21 @@ def get_config():
 ### mtu
 if c.exists(cnf + ' mtu'):
 config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu')
+ ### firewall name
+ if c.exists(cnf + ' firewall in name'):
+ config_data['interfaces'][intfc]['fw']['in'] = c.return_value(cnf + ' firewall in name')
+ if c.exists(cnf + ' firewall local name'):
+ config_data['interfaces'][intfc]['fw']['local'] = c.return_value(cnf + ' firewall local name')
+ if c.exists(cnf + ' firewall out name'):
+ config_data['interfaces'][intfc]['fw']['out'] = c.return_value(cnf + ' firewall out name')
+
+ if c.exists(cnf + ' firewall in ipv6-name'):
+ config_data['interfaces'][intfc]['fwv6']['in'] = c.return_value(cnf + ' firewall in ipv6-name')
+ if c.exists(cnf + ' firewall local ipv6-name'):
+ config_data['interfaces'][intfc]['fwv6']['local'] = c.return_value(cnf + ' firewall local ipv6-name')
+ if c.exists(cnf + ' firewall out ipv6-name'):
+ config_data['interfaces'][intfc]['fwv6']['out'] = c.return_value(cnf + ' firewall out ipv6-name')
+
 ### peers
 if c.exists(cnf + ' peer'):
 for p in c.list_nodes(cnf + ' peer'):
@@ -123,7 +148,6 @@ def get_config():
 config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
 if c.exists(cnf + ' peer ' + p + ' preshared-key'):
 config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key')
- return config_data
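Review bot: The six `if c.exists(...)` / `return_value(...)` pairs added after `### mtu` differ only in the table (`in`, `local`, `out`) and the leaf (`name` into `fw`, `ipv6-name` into `fwv6`), so each path string is spelled out twice and a typo in any one of the twelve would silently leave that ruleset unset; a two-level loop over those tuples expresses the same lookups once. get_config starts and ends outside this hunk, and the indentation below assumes the existing `config_data['interfaces'][intfc]` level. This is a style point only; the values read and stored are unchanged.
```python
            ### firewall name
            for fam, leaf in (('fw', 'name'), ('fwv6', 'ipv6-name')):
                for table in ('in', 'local', 'out'):
                    path = cnf + ' firewall ' + table + ' ' + leaf
                    if c.exists(path):
                        config_data['interfaces'][intfc][fam][table] = c.return_value(path)
            # … unchanged: peers …
```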
@@ -267,6 +291,67 @@ def apply(c):
 with open('/sys/class/net/' + str(intf) + '/ifalias', 'w') as fh:
 fh.write(str(cnf_descr))
+ ### firewall v4
+ fw_eff_in = c_eff.return_effective_value(intf + ' firewall in name')
+ fw_eff_loc = c_eff.return_effective_value(intf + ' firewall local name')
+ fw_eff_out = c_eff.return_effective_value(intf + ' firewall out name')
+
+ if fw_eff_in != c['interfaces'][intf]['fw']['in']:
+ if c['interfaces'][intf]['fw']['in'] == None:
+ update_firewall(intf, fw_eff_in, 'v4', 'delete', 'in')
+ else:
+ update_firewall(intf, c['interfaces'][intf]['fw']['in'], 'v4', 'update', 'in')
+
+ if fw_eff_loc != c['interfaces'][intf]['fw']['local']:
+ if c['interfaces'][intf]['fw']['local'] == None:
+ update_firewall(intf, fw_eff_loc, 'v4', 'delete', 'local')
+ else:
+ update_firewall(intf, c['interfaces'][intf]['fw']['local'], 'v4', 'update', 'local')
+
+ if fw_eff_out != c['interfaces'][intf]['fw']['out']:
+ if c['interfaces'][intf]['fw']['out'] == None:
+ update_firewall(intf, fw_eff_out, 'v4', 'delete', 'out')
+ else:
+ update_firewall(intf, c['interfaces'][intf]['fw']['out'], 'v4', 'update', 'out')
+
+ ### firewall v6
+ fwv6_eff_in = c_eff.return_effective_value(intf + ' firewall in ipv6-name')
+ fwv6_eff_loc = c_eff.return_effective_value(intf + ' firewall local ipv6-name')
+ fwv6_eff_out = c_eff.return_effective_value(intf + ' firewall out ipv6-name')
+
+ if fwv6_eff_in != c['interfaces'][intf]['fwv6']['in']:
+ if c['interfaces'][intf]['fwv6']['in'] == None:
+ update_firewall(intf, fwv6_eff_in, 'v6', 'delete', 'in')
+ else:
+ update_firewall(intf, c['interfaces'][intf]['fwv6']['in'], 'v6', 'update', 'in')
+
+ if fwv6_eff_loc != c['interfaces'][intf]['fwv6']['local']:
+ if c['interfaces'][intf]['fwv6']['local'] == None:
+ update_firewall(intf, fwv6_eff_loc, 'v6', 'delete', 'local')
+ else:
+ update_firewall(intf, c['interfaces'][intf]['fwv6']['local'], 'v6', 'update', 'local')
+
+ if fwv6_eff_out != c['interfaces'][intf]['fwv6']['out']:
+ if
c['interfaces'][intf]['fwv6']['out'] == None: + update_firewall(intf, fwv6_eff_out, 'v6', 'delete', 'out') + else: + update_firewall(intf, c['interfaces'][intf]['fwv6']['out'], 'v6', 'update', 'out') + + return 0 + + +def update_firewall(interf, fw_name, ver, action, table): + cmd = r'sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces ' + cmd += action + ' ' + interf + ' ' + table + ' ' + fw_name + if ver == 'v4': + cmd += ' \"firewall name\"' + if ver == 'v6': + cmd += ' \"firewall ipv6-name\"' + + sl.syslog(sl.LOG_NOTICE, "fw update executing: " + cmd) + subprocess.call([cmd], shell=True) + return 0 + def configure_interface(c, intf): for p in c['interfaces'][intf]['peer']: ## config init for wg call -- cgit v1.2.3 From e734b846ec53f9950da562ea27676f63ac5c1599 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 16 Dec 2018 15:37:51 +0100 Subject: Revert "T1087: Firewall on Wireguard Interface implementation" This reverts commit 51f61991092a163f680e4ec8f122e73f4074ddf9. It's not how it's done, those templates are generated by a script in vyatta-cfg-firewall. If we are planning a firewall overhaul in 1.3.x, there's no reason to transplant the old approach to new code. --- debian/changelog | 5 --- interface-definitions/wireguard.xml | 76 ------------------------------- src/conf_mode/wireguard.py | 89 +------------------------------------ 3 files changed, 2 insertions(+), 168 deletions(-) diff --git a/debian/changelog b/debian/changelog index f1293e076..7666cfd68 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,3 @@ -vyos-1x (1.2.0-8) unstable; urgency=low - - * T1087: Firewall on Wireguard Interface - - -- hagbard Tue, 11 Dec 2018 14:06:14 -0800 vyos-1x (1.2.0-7) unstable; urgency=low * T1061: Wireguard: Missing option to administrativly shutdown interface diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index b7a76eedb..8bfffac9d 100644 --- a/interface-definitions/wireguard.xml 
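Review bot: `update_firewall` concatenates `action`, `interf`, `table` and `fw_name` into one shell string and runs it with `subprocess.call([cmd], shell=True)` behind `sudo`, so the interface name and ruleset name taken from the configuration are re-parsed by a shell instead of being handed over as arguments; an argv list with the default `shell=False` removes that re-parsing and still passes `"firewall name"` / `"firewall ipv6-name"` as a single argument, which is what the shell quoting achieved. The six comparisons of the form `c['interfaces'][intf]['fw']['in'] == None` should be `is None`. The paths given to `c_eff.return_effective_value` are `intf + ' firewall in name'` without the `interfaces wireguard` prefix that get_config builds into `cnf`, which is only correct if `c_eff` is set to that level somewhere outside this hunk — worth confirming. apply starts outside the hunk; the whole change is reverted further down the page (e734b84), but the argv form is the one to use if it is reintroduced.
```python
def update_firewall(interf, fw_name, ver, action, table):
    # Build an argv list and run without a shell so the interface and
    # ruleset names taken from the config are passed as plain arguments.
    cmd = ['sudo', '/opt/vyatta/sbin/vyatta-firewall.pl', '--update-interfaces',
           action, interf, table, fw_name]
    if ver == 'v4':
        cmd.append('firewall name')
    if ver == 'v6':
        cmd.append('firewall ipv6-name')

    sl.syslog(sl.LOG_NOTICE, "fw update executing: " + ' '.join(cmd))
    subprocess.call(cmd)
    return 0
```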
+++ b/interface-definitions/wireguard.xml @@ -73,82 +73,6 @@ - - - Firewall options - - - - - Ruleset for forwarded packets on inbound interface - - - - - Inbound IPv4 firewall ruleset name for interface - - firewall name - - - - - - Inbound IPv6 firewall ruleset name for interface - - firewall ipv6-name - - - - - - - - Ruleset for packets destined for this router - - - - - Local IPv4 firewall ruleset name for interface - - firewall name - - - - - - Local IPv4 firewall ruleset name for interface - - firewall ipv6-name - - - - - - - - Ruleset for forwarded packets on outbound interface - - - - - Outbound IPv4 firewall ruleset name for interface - - firewall name - - - - - - Outbound IPv6 firewall ruleset name for interface - - firewall ipv6-name - - - - - - - peer alias diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index c46cf7703..f5452579e 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -64,17 +64,7 @@ def get_config(): 'status' : 'exists', 'state' : 'enabled', 'mtu' : '1420', - 'peer' : {}, - 'fw' : { - 'in' : None, - 'local' : None, - 'out' : None - }, - 'fwv6' : { - 'in' : None, - 'local' : None, - 'out' : None - } + 'peer' : {} } } ) 
@@ -111,21 +101,6 @@ def get_config():
 ### mtu
 if c.exists(cnf + ' mtu'):
 config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu')
- ### firewall name
- if c.exists(cnf + ' firewall in name'):
- config_data['interfaces'][intfc]['fw']['in'] = c.return_value(cnf + ' firewall in name')
- if c.exists(cnf + ' firewall local name'):
- config_data['interfaces'][intfc]['fw']['local'] = c.return_value(cnf + ' firewall local name')
- if c.exists(cnf + ' firewall out name'):
- config_data['interfaces'][intfc]['fw']['out'] = c.return_value(cnf + ' firewall out name')
-
- if c.exists(cnf + ' firewall in ipv6-name'):
- config_data['interfaces'][intfc]['fwv6']['in'] = c.return_value(cnf + ' firewall in ipv6-name')
- if c.exists(cnf + ' firewall local ipv6-name'):
- config_data['interfaces'][intfc]['fwv6']['local'] = c.return_value(cnf + ' firewall local ipv6-name')
- if c.exists(cnf + ' firewall out ipv6-name'):
- config_data['interfaces'][intfc]['fwv6']['out'] = c.return_value(cnf + ' firewall out ipv6-name')
-
 ### peers
 if c.exists(cnf + ' peer'):
 for p in c.list_nodes(cnf + ' peer'):
@@ -148,6 +123,7 @@ def get_config():
 config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
 if c.exists(cnf + ' peer ' + p + ' preshared-key'):
 config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key')
+ return config_data
@@ -291,67 +267,6 @@ def apply(c):
 with open('/sys/class/net/' + str(intf) + '/ifalias', 'w') as fh:
 fh.write(str(cnf_descr))
- ### firewall v4
- fw_eff_in = c_eff.return_effective_value(intf + ' firewall in name')
- fw_eff_loc = c_eff.return_effective_value(intf + ' firewall local name')
- fw_eff_out = c_eff.return_effective_value(intf + ' firewall out name')
-
- if fw_eff_in != c['interfaces'][intf]['fw']['in']:
- if c['interfaces'][intf]['fw']['in'] == None:
- update_firewall(intf, fw_eff_in, 'v4', 'delete', 'in')
- else:
- update_firewall(intf, c['interfaces'][intf]['fw']['in'], 'v4', 'update', 'in')
-
- if fw_eff_loc != c['interfaces'][intf]['fw']['local']:
- if c['interfaces'][intf]['fw']['local'] == None:
- update_firewall(intf, fw_eff_loc, 'v4', 'delete', 'local')
- else:
- update_firewall(intf, c['interfaces'][intf]['fw']['local'], 'v4', 'update', 'local')
-
- if fw_eff_out != c['interfaces'][intf]['fw']['out']:
- if c['interfaces'][intf]['fw']['out'] == None:
- update_firewall(intf, fw_eff_out, 'v4', 'delete', 'out')
- else:
- update_firewall(intf, c['interfaces'][intf]['fw']['out'], 'v4', 'update', 'out')
-
- ### firewall v6
- fwv6_eff_in = c_eff.return_effective_value(intf + ' firewall in ipv6-name')
- fwv6_eff_loc = c_eff.return_effective_value(intf + ' firewall local ipv6-name')
- fwv6_eff_out = c_eff.return_effective_value(intf + ' firewall out ipv6-name')
-
- if fwv6_eff_in != c['interfaces'][intf]['fwv6']['in']:
- if c['interfaces'][intf]['fwv6']['in'] == None:
- update_firewall(intf, fwv6_eff_in, 'v6', 'delete', 'in')
- else:
- update_firewall(intf, c['interfaces'][intf]['fwv6']['in'], 'v6', 'update', 'in')
-
- if fwv6_eff_loc != c['interfaces'][intf]['fwv6']['local']:
- if c['interfaces'][intf]['fwv6']['local'] == None:
- update_firewall(intf, fwv6_eff_loc, 'v6', 'delete', 'local')
- else:
- update_firewall(intf, c['interfaces'][intf]['fwv6']['local'], 'v6', 'update', 'local')
-
- if fwv6_eff_out != c['interfaces'][intf]['fwv6']['out']:
- if
c['interfaces'][intf]['fwv6']['out'] == None:
- update_firewall(intf, fwv6_eff_out, 'v6', 'delete', 'out')
- else:
- update_firewall(intf, c['interfaces'][intf]['fwv6']['out'], 'v6', 'update', 'out')
-
- return 0
-
-
-def update_firewall(interf, fw_name, ver, action, table):
- cmd = r'sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces '
- cmd += action + ' ' + interf + ' ' + table + ' ' + fw_name
- if ver == 'v4':
- cmd += ' \"firewall name\"'
- if ver == 'v6':
- cmd += ' \"firewall ipv6-name\"'
-
- sl.syslog(sl.LOG_NOTICE, "fw update executing: " + cmd)
- subprocess.call([cmd], shell=True)
- return 0
-
 def configure_interface(c, intf):
 for p in c['interfaces'][intf]['peer']:
 ## config init for wg call
-- cgit v1.2.3