From 8361090d15d8022c1e04fa36ee90d69d72d9a48b Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Fri, 24 Jul 2020 12:03:28 +0800 Subject: traceroute: T2723: Support tcptraceroute --- op-mode-definitions/traceroute.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/traceroute.xml b/op-mode-definitions/traceroute.xml index 340d28280..efbaaeb2f 100644 --- a/op-mode-definitions/traceroute.xml +++ b/op-mode-definitions/traceroute.xml @@ -25,6 +25,24 @@ /usr/bin/traceroute -4 "$3" + + + + Route tracing and port detection using TCP + + + + + Perform operations on TCP ports + + 0-65535 + + + sudo /usr/sbin/tcptraceroute "$3" $6 + + + + @@ -34,6 +52,24 @@ /usr/bin/traceroute -6 "$3" + + + + Use TCP/IPv6 packets to perform a traceroute + + + + + Perform operations on TCP ports + + 0-65535 + + + sudo /usr/sbin/tcptraceroute6 "$3" $6 + + + + -- cgit v1.2.3 From ed11b28b2f3e20a07cdfed869fcb2d1992c5f7f6 Mon Sep 17 00:00:00 2001 From: sever-sever Date: Mon, 27 Jul 2020 13:38:26 +0000 Subject: op-mode: T1117: Add show ipv6 bgp route-map --- Makefile | 1 + op-mode-definitions/show-ipv6-bgp.xml | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 op-mode-definitions/show-ipv6-bgp.xml (limited to 'op-mode-definitions') diff --git a/Makefile b/Makefile index fecc093de..6c715d138 100644 --- a/Makefile +++ b/Makefile @@ -94,6 +94,7 @@ op_mode_definitions: rm -f $(OP_TMPL_DIR)/show/node.def rm -f $(OP_TMPL_DIR)/show/interfaces/node.def rm -f $(OP_TMPL_DIR)/show/ipv6/node.def + rm -f $(OP_TMPL_DIR)/show/ipv6/bgp/node.def rm -f $(OP_TMPL_DIR)/show/ipv6/route/node.def rm -f $(OP_TMPL_DIR)/restart/node.def rm -f $(OP_TMPL_DIR)/monitor/node.def diff --git a/op-mode-definitions/show-ipv6-bgp.xml b/op-mode-definitions/show-ipv6-bgp.xml new file mode 100644 index 000000000..67a8c8658 --- /dev/null +++ b/op-mode-definitions/show-ipv6-bgp.xml 
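Review bot: `$6` (the TCP port) is passed unquoted to a command run under sudo on both new command lines, `sudo /usr/sbin/tcptraceroute "$3" $6` and the tcptraceroute6 variant, so an argument containing whitespace or glob characters is re-split by the shell before it reaches a root process; the `0-65535` help text drives completion and, as far as this hunk shows, does not constrain the value at run time. Quote it the same way the destination already is: `sudo /usr/sbin/tcptraceroute "$3" "$6"` (and likewise for tcptraceroute6). The same unquoted `$6`, and `$8` in the VRF variants, is carried forward by the later tcptraceroute commits in this series, so the fix applies to those hunks as well.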
@@ -0,0 +1,24 @@ + + + + + + + + + + + Show BGP routes matching the specified route map + + policy route-map + + + /usr/bin/vtysh -c "show bgp ipv6 route-map $5" + + + + + + + + -- cgit v1.2.3 From e06948a5445f5ef8d16d2acdaac032c6a7c257be Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 29 Jul 2020 21:48:49 +0200 Subject: op-mode: T2560: rename "show system usb serial" to "show hardware usb serial" This is more inline with the overall op-mode. --- op-mode-definitions/show-hardware.xml | 10 ++++++++-- op-mode-definitions/show-system.xml | 14 -------------- 2 files changed, 8 insertions(+), 16 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-hardware.xml b/op-mode-definitions/show-hardware.xml index a49036397..c3ff3a60f 100644 --- a/op-mode-definitions/show-hardware.xml +++ b/op-mode-definitions/show-hardware.xml @@ -71,14 +71,20 @@ Show peripherals connected to the USB bus - lsusb + /usr/bin/lsusb -t Show detailed USB bus information - lsusb -v + /usr/bin/lsusb -v + + + Show information about connected USB serial ports + + ${vyos_op_scripts_dir}/show_usb_serial.py + diff --git a/op-mode-definitions/show-system.xml b/op-mode-definitions/show-system.xml index 74b34ae92..1b98b559b 100644 --- a/op-mode-definitions/show-system.xml +++ b/op-mode-definitions/show-system.xml @@ -176,20 +176,6 @@ uptime - - - Show information about Universal Serial Bus (USB) - - /usr/bin/lsusb -t - - - - Show information about connected USB serial ports - - ${vyos_op_scripts_dir}/show_usb_serial.py - - - -- cgit v1.2.3 From 37e905de5ec903cff3e83ce4863b22b9e6d53d73 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 1 Aug 2020 12:28:21 +0200 Subject: T2753: add new op-mode command "add system image" --- op-mode-definitions/add-system-image.xml | 38 ++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 op-mode-definitions/add-system-image.xml (limited to 'op-mode-definitions') 
diff --git a/op-mode-definitions/add-system-image.xml b/op-mode-definitions/add-system-image.xml new file mode 100644 index 000000000..2809f6050 --- /dev/null +++ b/op-mode-definitions/add-system-image.xml @@ -0,0 +1,38 @@ + + + + + + + Add item to a system facility + + + + + Add a new image to the system + + /path/to/vyos-image.iso http://example.com/vyos-image.iso + + + sudo ${vyatta_sbindir}/install-image "$4" + + + + Username for authentication + + + + + Password to use with authentication + + sudo ${vyatta_sbindir}/install-image "$4" "$6" "$8" + + + + + + + + + + -- cgit v1.2.3 From 50a0781b3f3e0c86d6418acb72b0036729a72283 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 1 Aug 2020 13:23:09 +0200 Subject: T2753: adjust "add system image" to new named command line arguments This is needed work for adding VRF support. --- op-mode-definitions/add-system-image.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/add-system-image.xml b/op-mode-definitions/add-system-image.xml index 2809f6050..a39f4cc22 100644 --- a/op-mode-definitions/add-system-image.xml +++ b/op-mode-definitions/add-system-image.xml @@ -14,7 +14,7 @@ /path/to/vyos-image.iso http://example.com/vyos-image.iso - sudo ${vyatta_sbindir}/install-image "$4" + sudo ${vyatta_sbindir}/install-image --url "$4" @@ -25,7 +25,7 @@ Password to use with authentication - sudo ${vyatta_sbindir}/install-image "$4" "$6" "$8" + sudo ${vyatta_sbindir}/install-image --url "$4" --username "$6" --password "$8" -- cgit v1.2.3 From f69fccfead3f2b0608d14d099f5583bb397d6131 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 1 Aug 2020 14:30:27 +0200 Subject: T2690: add VRF support to "add system image" --- op-mode-definitions/add-system-image.xml | 28 ++++++++++++++++++++++++++-- op-mode-definitions/show-vrf.xml | 6 +++--- 2 files changed, 29 insertions(+), 5 deletions(-) (limited to 'op-mode-definitions') 
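Review bot: The new command `sudo ${vyatta_sbindir}/install-image "$4" "$6" "$8"` places the password (`$8`) on the argv of a root process, where it is readable by every local user via `ps` or `/proc/<pid>/cmdline` for the whole duration of the image download, and it will presumably also be retained in the op-mode shell history. Prefer handing the credentials to install-image out of band, for example through an environment variable or an interactive prompt inside the script, and keep only the URL and username on the command line. The follow-up commits in this series that introduce `--username`/`--password` named arguments and the VRF variant with `"${10}"` keep the same exposure, so the point applies to those hunks too.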
diff --git a/op-mode-definitions/add-system-image.xml b/op-mode-definitions/add-system-image.xml index a39f4cc22..3dc1c67ab 100644 --- a/op-mode-definitions/add-system-image.xml +++ b/op-mode-definitions/add-system-image.xml @@ -14,8 +14,32 @@ /path/to/vyos-image.iso http://example.com/vyos-image.iso - sudo ${vyatta_sbindir}/install-image --url "$4" + sudo ${vyatta_sbindir}/install-image --url "${4}" + + + Download image via specified VRF + + vrf name + + + sudo ${vyatta_sbindir}/install-image --url "${4}" --vrf "${6}" + + + + Username for authentication + + + + + Password to use with authentication + + sudo ${vyatta_sbindir}/install-image --url "${4}" --vrf "${6}" --username "${8}" --password "${10}" + + + + + Username for authentication @@ -25,7 +49,7 @@ Password to use with authentication - sudo ${vyatta_sbindir}/install-image --url "$4" --username "$6" --password "$8" + sudo ${vyatta_sbindir}/install-image --url "${4}" --username "${6}" --password "${8}" diff --git a/op-mode-definitions/show-vrf.xml b/op-mode-definitions/show-vrf.xml index 1c806908b..438e7c334 100644 --- a/op-mode-definitions/show-vrf.xml +++ b/op-mode-definitions/show-vrf.xml @@ -11,9 +11,9 @@ Show information on specific VRF instance - - vrf name - + + vrf name + ${vyos_op_scripts_dir}/show_vrf.py -e "$3" -- cgit v1.2.3 From f583fa94ba00d4c29abe997d316a381c98cc65bf Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 2 Aug 2020 18:24:19 +0200 Subject: wwan: pppoe: op-mode: T2488: only call pppstats when interface is up Without this check an error will be shown: pppstats: nonexistent interface 'pppoe0' specified. --- op-mode-definitions/show-interfaces-pppoe.xml | 2 +- op-mode-definitions/show-interfaces-wirelessmodem.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-interfaces-pppoe.xml b/op-mode-definitions/show-interfaces-pppoe.xml index 4263a2f0a..393ca912f 100644 
--- a/op-mode-definitions/show-interfaces-pppoe.xml +++ b/op-mode-definitions/show-interfaces-pppoe.xml @@ -26,7 +26,7 @@ interfaces pppoe - /usr/sbin/pppstats $4 + if [ -d "/sys/class/net/$4" ]; then /usr/sbin/pppstats "$4"; fi diff --git a/op-mode-definitions/show-interfaces-wirelessmodem.xml b/op-mode-definitions/show-interfaces-wirelessmodem.xml index 46f872c85..c0ab9c66f 100644 --- a/op-mode-definitions/show-interfaces-wirelessmodem.xml +++ b/op-mode-definitions/show-interfaces-wirelessmodem.xml @@ -26,7 +26,7 @@ interfaces wirelessmodem - /usr/sbin/pppstats $4 + if [ -d "/sys/class/net/$4" ]; then /usr/sbin/pppstats "$4"; fi -- cgit v1.2.3 From 9f67250480d1e6727424d00212d69f008ffdb647 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 2 Aug 2020 19:34:34 +0200 Subject: op-mode: console-server: T2490: cleanup XML Move the connect part to connect-disconnect.xml --- op-mode-definitions/connect-disconnect.xml | 11 ++++++++++- op-mode-definitions/show-console-server.xml | 13 ------------- 2 files changed, 10 insertions(+), 14 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/connect-disconnect.xml b/op-mode-definitions/connect-disconnect.xml index f0fcef5da..ea2883e0b 100644 --- a/op-mode-definitions/connect-disconnect.xml +++ b/op-mode-definitions/connect-disconnect.xml @@ -2,9 +2,18 @@ - Establish a connection + Establish connection + + + Connect to device attached to serial console server + + service console-server device + + + /usr/bin/console "$3" + Bring up a connection-oriented network interface diff --git a/op-mode-definitions/show-console-server.xml b/op-mode-definitions/show-console-server.xml index e47b6cfaa..77a7f3376 100644 --- a/op-mode-definitions/show-console-server.xml +++ b/op-mode-definitions/show-console-server.xml @@ -1,18 +1,5 @@ - - - - - Connect to device attached to serial console server - - service console-server device - - - /usr/bin/console "$3" - - - -- cgit v1.2.3 
From f2cc87a259df1d2ab4d0a7eb366224a238422048 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 2 Aug 2020 19:36:39 +0200 Subject: op-mode: use individual XML files for connect and disconnect --- op-mode-definitions/connect-disconnect.xml | 46 ------------------------------ op-mode-definitions/connect.xml | 29 +++++++++++++++++++ op-mode-definitions/disconnect.xml | 20 +++++++++++++ 3 files changed, 49 insertions(+), 46 deletions(-) delete mode 100644 op-mode-definitions/connect-disconnect.xml create mode 100644 op-mode-definitions/connect.xml create mode 100644 op-mode-definitions/disconnect.xml (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/connect-disconnect.xml b/op-mode-definitions/connect-disconnect.xml deleted file mode 100644 index ea2883e0b..000000000 --- a/op-mode-definitions/connect-disconnect.xml +++ /dev/null @@ -1,46 +0,0 @@ - - - - - Establish connection - - - - - Connect to device attached to serial console server - - service console-server device - - - /usr/bin/console "$3" - - - - Bring up a connection-oriented network interface - - interfaces pppoe - interfaces wirelessmodem - - - sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect "$3" - - - - - - Take down a connection - - - - - Take down a connection-oriented network interface - - interfaces pppoe - interfaces wirelessmodem - - - sudo ${vyos_op_scripts_dir}/connect_disconnect.py --disconnect "$3" - - - - diff --git a/op-mode-definitions/connect.xml b/op-mode-definitions/connect.xml new file mode 100644 index 000000000..1ec62949a --- /dev/null +++ b/op-mode-definitions/connect.xml @@ -0,0 +1,29 @@ + + + + + Establish connection + + + + + Connect to device attached to serial console server + + service console-server device + + + /usr/bin/console "$3" + + + + Bring up a connection-oriented network interface + + interfaces pppoe + interfaces wirelessmodem + + + sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect "$3" + + + + 
diff --git a/op-mode-definitions/disconnect.xml b/op-mode-definitions/disconnect.xml new file mode 100644 index 000000000..bf2c37b89 --- /dev/null +++ b/op-mode-definitions/disconnect.xml @@ -0,0 +1,20 @@ + + + + + Take down a connection + + + + + Take down a connection-oriented network interface + + interfaces pppoe + interfaces wirelessmodem + + + sudo ${vyos_op_scripts_dir}/connect_disconnect.py --disconnect "$3" + + + + -- cgit v1.2.3 From 091efc96bc0fbeea7c7bf1e8e234c72bc8df801b Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 2 Aug 2020 20:14:30 +0200 Subject: op-mode: arping: T689: use full path to binary --- op-mode-definitions/force-arp.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/force-arp.xml b/op-mode-definitions/force-arp.xml index 3eadabf0a..c7bcad413 100644 --- a/op-mode-definitions/force-arp.xml +++ b/op-mode-definitions/force-arp.xml @@ -27,13 +27,13 @@ Send gratuitous ARP reply for specified address - sudo arping -I $5 -c 1 -A $7 + sudo /usr/bin/arping -I $5 -c 1 -A $7 Send specified number of ARP replies - sudo arping -I $5 -c $9 -A $7 + sudo /usr/bin/arping -I $5 -c $9 -A $7 @@ -58,13 +58,13 @@ Send gratuitous ARP request for specified address - sudo arping -I $5 -c 1 -U $7 + sudo /usr/bin/arping -I $5 -c 1 -U $7 Send specified number of ARP requests - sudo arping -I $5 -c $9 -U $7 + sudo /usr/bin/arping -I $5 -c $9 -U $7 -- cgit v1.2.3 From 9ef82aa5d4db161fd70af4d015f1cf35cc984524 Mon Sep 17 00:00:00 2001 
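Review bot: The four rewritten command lines in both force-arp.xml hunks keep `$5` and `$7` (and `$9` for the count) unquoted while arping runs under sudo, e.g. `sudo /usr/bin/arping -I $5 -c 1 -A $7`; the commit adds the full binary path but still leaves the user-supplied arguments subject to word splitting and globbing before they reach a root process. Quote each expansion, `sudo /usr/bin/arping -I "$5" -c 1 -A "$7"` and `sudo /usr/bin/arping -I "$5" -c "$9" -A "$7"`, in the reply and request variants alike.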
From: jack9603301 Date: Mon, 3 Aug 2020 17:43:00 +0800 Subject: ipv6-tool: T2724: Support for IPv6 Toolset --- op-mode-definitions/force-ipv6-nd.xml | 33 +++++++++++++++++++++++++++++++++ op-mode-definitions/force-ipv6-rd.xml | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 op-mode-definitions/force-ipv6-nd.xml create mode 100644 op-mode-definitions/force-ipv6-rd.xml (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/force-ipv6-nd.xml b/op-mode-definitions/force-ipv6-nd.xml new file mode 100644 index 000000000..64c8347ea --- /dev/null +++ b/op-mode-definitions/force-ipv6-nd.xml @@ -0,0 +1,33 @@ + + + + + + + ICMPv6 Neighbor Discovery tool + + + + + IPv6 Neighbor Discovery on a specific interface + + + + + + + + The IP address of the target + + <h:h:h:h:h:h:h:h> + + + ndisc6 $6 $4 -m + + + + + + + + diff --git a/op-mode-definitions/force-ipv6-rd.xml b/op-mode-definitions/force-ipv6-rd.xml new file mode 100644 index 000000000..722cb67bf --- /dev/null +++ b/op-mode-definitions/force-ipv6-rd.xml @@ -0,0 +1,34 @@ + + + + + + + IPv6 Router Discovery tool + + + + + IPv6 Router Discovery tool on a specific interface + + + + + rdisc6 $4 + + + + The IP address of the target + + <h:h:h:h:h:h:h:h> + + + rdisc6 $6 $4 -m + + + + + + + + -- cgit v1.2.3 From 787879baa0516ade8d9ad91f19e970c510d7aff3 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 3 Aug 2020 14:05:12 +0200 Subject: configure: op-mode: move XML here --- op-mode-definitions/configure.xml | 9 +++++++++ src/op_mode/enter_config_mode.sh | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 op-mode-definitions/configure.xml create mode 100755 src/op_mode/enter_config_mode.sh (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/configure.xml b/op-mode-definitions/configure.xml new file mode 100644 index 000000000..dc534d586 --- /dev/null +++ b/op-mode-definitions/configure.xml 
@@ -0,0 +1,9 @@ + + + + + Enter configure mode + + ${vyos_op_scripts_dir}/enter_config_mode.sh + + diff --git a/src/op_mode/enter_config_mode.sh b/src/op_mode/enter_config_mode.sh new file mode 100755 index 000000000..082800ce4 --- /dev/null +++ b/src/op_mode/enter_config_mode.sh @@ -0,0 +1,18 @@ +#!/bin/sh + +if [ `id -u` == 0 ]; then + echo "You are attempting to enter configuration mode as root." + echo "It may have unintended consequences and render your system" + echo "unusable until restart." + echo "Please do it as an administrator level VyOS user instead." +else + if grep -q -e '^overlay.*/filesystem.squashfs' /proc/mounts; then + echo "WARNING: You are currently configuring a live-ISO environment, changes will not persist until installed" + fi + history -w + export _OFR_CONFIGURE=ok + newgrp vyattacfg + unset _OFR_CONFIGURE + _vyatta_op_do_key_bindings + history -r +fi -- cgit v1.2.3 From 3e657ba2acf68c9adc1426cc1fcfeefb848cc8d2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 3 Aug 2020 16:41:21 +0200 Subject: T2546: rename op-mode scripts for bandwidth --- op-mode-definitions/bandwidth-monitor.xml | 23 -------------------- op-mode-definitions/bandwidth-test.xml | 29 -------------------------- op-mode-definitions/monitor-bandwidth-test.xml | 29 ++++++++++++++++++++++++++ op-mode-definitions/monitor-bandwidth.xml | 23 ++++++++++++++++++++ 4 files changed, 52 insertions(+), 52 deletions(-) delete mode 100644 op-mode-definitions/bandwidth-monitor.xml delete mode 100644 op-mode-definitions/bandwidth-test.xml create mode 100644 op-mode-definitions/monitor-bandwidth-test.xml create mode 100644 op-mode-definitions/monitor-bandwidth.xml (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/bandwidth-monitor.xml b/op-mode-definitions/bandwidth-monitor.xml deleted file mode 100644 index 9af0a9e70..000000000 --- a/op-mode-definitions/bandwidth-monitor.xml +++ /dev/null 
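Review bot: enter_config_mode.sh cannot perform its second half when invoked from the node as a separate `#!/bin/sh` process: `history -w`, `history -r` and `_vyatta_op_do_key_bindings` are a bash builtin and a function of the interactive op-mode shell, neither of which exists in a `/bin/sh` (dash) child, so the `else` branch will emit "command not found" errors instead of saving and restoring history. The root check `if [ \`id -u\` == 0 ]; then` also relies on the non-POSIX `==` operator, which dash's `[` rejects as an unexpected operator, making the test fail for every user and falling through to the `else` branch even for root; the portable form is `if [ "$(id -u)" -eq 0 ]; then`. If the snippet is to remain a file, it needs to run inside the caller's bash (sourced from the node) rather than as a `/bin/sh` child.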
@@ -1,23 +0,0 @@ - - - - - - - Monitor interface bandwidth in real time - - - - bmon -b -p $4 - - Monitor bandwidth usage on specified interface - - - - - - - - - - diff --git a/op-mode-definitions/bandwidth-test.xml b/op-mode-definitions/bandwidth-test.xml deleted file mode 100644 index d1e459b17..000000000 --- a/op-mode-definitions/bandwidth-test.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - - Initiate or wait for bandwidth test - - - - - Wait for bandwidth test connections (port TCP/5001) - - iperf -s - - - - Initiate a bandwidth test to specified host (port TCP/5001) - - <hostname> <x.x.x.x> <h:h:h:h:h:h:h:h> - - - iperf -c $4 - - - - - - diff --git a/op-mode-definitions/monitor-bandwidth-test.xml b/op-mode-definitions/monitor-bandwidth-test.xml new file mode 100644 index 000000000..d1e459b17 --- /dev/null +++ b/op-mode-definitions/monitor-bandwidth-test.xml @@ -0,0 +1,29 @@ + + + + + + + Initiate or wait for bandwidth test + + + + + Wait for bandwidth test connections (port TCP/5001) + + iperf -s + + + + Initiate a bandwidth test to specified host (port TCP/5001) + + <hostname> <x.x.x.x> <h:h:h:h:h:h:h:h> + + + iperf -c $4 + + + + + + diff --git a/op-mode-definitions/monitor-bandwidth.xml b/op-mode-definitions/monitor-bandwidth.xml new file mode 100644 index 000000000..9af0a9e70 --- /dev/null +++ b/op-mode-definitions/monitor-bandwidth.xml @@ -0,0 +1,23 @@ + + + + + + + Monitor interface bandwidth in real time + + + + bmon -b -p $4 + + Monitor bandwidth usage on specified interface + + + + + + + + + + -- cgit v1.2.3 From ee45fcf5f5342d40b5dcd39429a4201c93a49b4c Mon Sep 17 00:00:00 2001 
From: Christian Poessinger Date: Mon, 3 Aug 2020 17:08:47 +0200 Subject: lldp: op-mode: T2323: "show lldp neighbors detail" only works when service runs The problem exists when LLDP is not configured but one wants to run the detail command. Running "show lldp neighbors" is not possible when LLDP is not running. This case is already handled for "show lldp neighbors" and has been extended for "show lldp neighbors detail". --- op-mode-definitions/lldp.xml | 2 +- src/op_mode/lldp_op.py | 21 ++++++++++++--------- 2 files changed, 13 insertions(+), 10 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/lldp.xml b/op-mode-definitions/lldp.xml index 105bfe237..e954fb8cf 100644 --- a/op-mode-definitions/lldp.xml +++ b/op-mode-definitions/lldp.xml @@ -17,7 +17,7 @@ Show LLDP neighbor details - /usr/sbin/lldpctl -f plain + ${vyos_op_scripts_dir}/lldp_op.py --detail diff --git a/src/op_mode/lldp_op.py b/src/op_mode/lldp_op.py index 5d48e3210..0df6749aa 100755 --- a/src/op_mode/lldp_op.py +++ b/src/op_mode/lldp_op.py @@ -14,19 +14,19 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . - import argparse import jinja2 -from xml.dom import minidom from sys import exit from tabulate import tabulate +from xml.dom import minidom -from vyos.util import popen +from vyos.util import cmd from vyos.config import Config parser = argparse.ArgumentParser() parser.add_argument("-a", "--all", action="store_true", help="Show LLDP neighbors on all interfaces") +parser.add_argument("-d", "--detail", action="store_true", help="Show detailes LLDP neighbor information on all interfaces") parser.add_argument("-i", "--interface", action="store", help="Show LLDP neighbors on specific interface") # Please be careful if you edit the template. 
@@ -40,10 +40,8 @@ Device ID Local Proto Cap Platform Port ID {% endfor -%} """ -def _get_neighbors(): - command = '/usr/sbin/lldpcli -f xml show neighbors' - out,_ = popen(command) - return out +def get_neighbors(): + return cmd('/usr/sbin/lldpcli -f xml show neighbors') def extract_neighbor(neighbor): """ @@ -148,12 +146,17 @@ if __name__ == '__main__': exit(0) if args.all: - neighbors = minidom.parseString(_get_neighbors()) + neighbors = minidom.parseString(get_neighbors()) for neighbor in neighbors.getElementsByTagName('interface'): tmp['neighbors'].append( extract_neighbor(neighbor) ) + elif args.detail: + out = cmd('/usr/sbin/lldpctl -f plain') + print(out) + exit(0) + elif args.interface: - neighbors = minidom.parseString(_get_neighbors()) + neighbors = minidom.parseString(get_neighbors()) for neighbor in neighbors.getElementsByTagName('interface'): # check if neighbor appeared on proper interface if neighbor.getAttribute('name') == args.interface: -- cgit v1.2.3 From e9eeaeb0e974e90168b0ce87b4f5553132af01a2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 3 Aug 2020 17:16:22 +0200 Subject: op-mode: T2546: add "monitor log" command --- op-mode-definitions/monitor-log.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 op-mode-definitions/monitor-log.xml (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/monitor-log.xml b/op-mode-definitions/monitor-log.xml new file mode 100644 index 000000000..99efe5306 --- /dev/null +++ b/op-mode-definitions/monitor-log.xml @@ -0,0 +1,13 @@ + + + + + + + Monitor last lines of messages file + + tail --follow=name /var/log/messages + + + + -- cgit v1.2.3 From 6539f908e17c17a4a931e9638af9487e341bdcae Mon Sep 17 00:00:00 2001 
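Review bot: The help string of the new `--detail` option in the argparse block has a typo, `Show detailes LLDP neighbor information on all interfaces`, which is user-visible in `--help` output; change it to `help="Show detailed LLDP neighbor information on all interfaces"`.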
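Review bot: `--detail` is inserted as an `elif` after `if args.all:`, so `lldp_op.py --all --detail` silently ignores `--detail`, and nothing in the parser marks `--all`, `--detail` and `--interface` as alternatives. Register the three options in a `parser.add_mutually_exclusive_group()` so argparse rejects the combination, or at least document the precedence in the option help. The `exit(0)` context line above the branch suggests the new path shares the existing early-exit check (presumably the service-running check the commit message refers to), which matches the stated intent; the enclosing `if __name__ == '__main__':` block continues outside the hunk.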
From: Christian Poessinger Date: Mon, 3 Aug 2020 18:00:12 +0200 Subject: op-mode: ping: T1600: initial XML implementation --- Makefile | 4 ++++ op-mode-definitions/ping.xml | 23 +++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 op-mode-definitions/ping.xml (limited to 'op-mode-definitions') diff --git a/Makefile b/Makefile index 2773642d0..5b7e4da63 100644 --- a/Makefile +++ b/Makefile @@ -105,6 +105,10 @@ op_mode_definitions: rm -f $(OP_TMPL_DIR)/delete/node.def rm -f $(OP_TMPL_DIR)/reset/vpn/node.def + # XXX: ping must be able to recursivly call itself as the + # options are provided from the script itself + ln -s ../node.tag $(OP_TMPL_DIR)/ping/node.tag/node.tag/ + .PHONY: component_versions .ONESHELL: component_versions: $(BUILD_DIR) $(obj) diff --git a/op-mode-definitions/ping.xml b/op-mode-definitions/ping.xml new file mode 100644 index 000000000..4c25a59ab --- /dev/null +++ b/op-mode-definitions/ping.xml @@ -0,0 +1,23 @@ + + + + + Send Internet Control Message Protocol (ICMP) echo request + + <hostname> <x.x.x.x> <h:h:h:h:h:h:h:h> + + + ${vyos_op_scripts_dir}/ping.py ${@:2} + + + + Ping options + + + + + ${vyos_op_scripts_dir}/ping.py ${@:2} + + + + -- cgit v1.2.3 From 6301c560df544ddac9838d0489941d84748cced3 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 3 Aug 2020 19:10:10 +0200 Subject: ipv6-tool: op-mode: T2724: use full path to binary and quote arguments --- op-mode-definitions/force-ipv6-nd.xml | 8 ++++---- op-mode-definitions/force-ipv6-rd.xml | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/force-ipv6-nd.xml b/op-mode-definitions/force-ipv6-nd.xml index 64c8347ea..49de097f6 100644 --- a/op-mode-definitions/force-ipv6-nd.xml +++ b/op-mode-definitions/force-ipv6-nd.xml 
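Review bot: Both new command lines in ping.xml forward the user's arguments as an unquoted `${@:2}`, which re-splits any argument containing whitespace and expands glob characters before ping.py ever sees them. Use the quoted form `${vyos_op_scripts_dir}/ping.py "${@:2}"` so that each op-mode word arrives as exactly one argv entry; ping.py itself is not part of this diff, so whether it tolerates split arguments cannot be judged here.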
@@ -4,12 +4,12 @@ - ICMPv6 Neighbor Discovery tool + IPv6 Neighbor Discovery - IPv6 Neighbor Discovery on a specific interface + IPv6 Neighbor Discovery on specified interface @@ -17,12 +17,12 @@ - The IP address of the target + IPv6 address of node to lookup <h:h:h:h:h:h:h:h> - ndisc6 $6 $4 -m + /usr/bin/ndisc6 -m "$6" "$4" diff --git a/op-mode-definitions/force-ipv6-rd.xml b/op-mode-definitions/force-ipv6-rd.xml index 722cb67bf..8c901af25 100644 --- a/op-mode-definitions/force-ipv6-rd.xml +++ b/op-mode-definitions/force-ipv6-rd.xml @@ -4,26 +4,26 @@ - IPv6 Router Discovery tool + IPv6 Router Discovery - IPv6 Router Discovery tool on a specific interface + IPv6 Router Discovery on specified interface - rdisc6 $4 + /usr/bin/rdisc6 "$4" - The IP address of the target + IPv6 address of target <h:h:h:h:h:h:h:h> - rdisc6 $6 $4 -m + /usr/bin/rdisc6 -m "$6" "$4" -- cgit v1.2.3 From 9e6cd018464fcf03a6930116ff5570f68a7c6c45 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 3 Aug 2020 21:18:25 +0200 Subject: op-mode: T2546: use inline shell code for "configure" Commit 787879ba ("configure: op-mode: move XML here") migrated the op-mode command "configure" to vyos-1x. The used shell snipped in turn sometimes complained about: "_vyatta_op_do_key_bindings: command not found". This is now resolved by moving the code entirely into the node.def file. --- op-mode-definitions/configure.xml | 19 +++++++++++++++++-- src/op_mode/enter_config_mode.sh | 18 ------------------ 2 files changed, 17 insertions(+), 20 deletions(-) delete mode 100755 src/op_mode/enter_config_mode.sh (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/configure.xml b/op-mode-definitions/configure.xml index dc534d586..3dd5a0f45 100644 --- a/op-mode-definitions/configure.xml +++ b/op-mode-definitions/configure.xml 
@@ -2,8 +2,23 @@ - Enter configure mode + Enter configuration mode - ${vyos_op_scripts_dir}/enter_config_mode.sh + if [ `id -u` == 0 ]; then + echo "You are attempting to enter configuration mode as root." + echo "It may have unintended consequences and render your system" + echo "unusable until restart." + echo "Please do it as an administrator level VyOS user instead." + else + if grep -q -e '^overlay.*/filesystem.squashfs' /proc/mounts; then + echo "WARNING: You are currently configuring a live-ISO environment, changes will not persist until installed" + fi + history -w + export _OFR_CONFIGURE=ok + newgrp vyattacfg + unset _OFR_CONFIGURE + _vyatta_op_do_key_bindings + history -r + fi diff --git a/src/op_mode/enter_config_mode.sh b/src/op_mode/enter_config_mode.sh deleted file mode 100755 index 082800ce4..000000000 --- a/src/op_mode/enter_config_mode.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -if [ `id -u` == 0 ]; then - echo "You are attempting to enter configuration mode as root." - echo "It may have unintended consequences and render your system" - echo "unusable until restart." - echo "Please do it as an administrator level VyOS user instead." -else - if grep -q -e '^overlay.*/filesystem.squashfs' /proc/mounts; then - echo "WARNING: You are currently configuring a live-ISO environment, changes will not persist until installed" - fi - history -w - export _OFR_CONFIGURE=ok - newgrp vyattacfg - unset _OFR_CONFIGURE - _vyatta_op_do_key_bindings - history -r -fi -- cgit v1.2.3 From 909152a69e0844ad0cdd2b05467cd7fe379a5347 Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Mon, 10 Aug 2020 21:40:57 +0800 Subject: tcptraceroute: T2723: Fix the problem that tcptraceroute6 cannot be executed --- debian/control | 3 ++- op-mode-definitions/traceroute.xml | 12 ++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) (limited to 'op-mode-definitions') diff --git a/debian/control b/debian/control index 3a441b47b..34ba4be8e 100644 --- a/debian/control 
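Review bot: The inlined root check compares the backtick-substituted output of `id -u` with `== 0` inside `[`, which is bash-specific; because this snippet now runs in the user's interactive op-mode shell it works, but the portable and clearer form is `if [ "$(id -u)" -eq 0 ]; then`. The `else` branch still depends on `_vyatta_op_do_key_bindings` and `history -w`/`history -r` being available, which holds only while the snippet is evaluated by the op-mode bash shell itself, as the commit message describes.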
+++ b/debian/control @@ -106,7 +106,8 @@ Depends: python3, conntrack, libatomic1, fastnetmon, - libndp-tools + libndp-tools, + tcptraceroute Description: VyOS configuration scripts and data VyOS configuration scripts, interface definitions, and everything diff --git a/op-mode-definitions/traceroute.xml b/op-mode-definitions/traceroute.xml index efbaaeb2f..b562eb2e6 100644 --- a/op-mode-definitions/traceroute.xml +++ b/op-mode-definitions/traceroute.xml @@ -26,7 +26,7 @@ /usr/bin/traceroute -4 "$3" - + Route tracing and port detection using TCP @@ -38,10 +38,10 @@ 0-65535 - sudo /usr/sbin/tcptraceroute "$3" $6 + sudo /usr/bin/tcptraceroute "$3" $6 - + @@ -53,7 +53,7 @@ /usr/bin/traceroute -6 "$3" - + Use TCP/IPv6 packets to perform a traceroute @@ -65,10 +65,10 @@ 0-65535 - sudo /usr/sbin/tcptraceroute6 "$3" $6 + sudo /usr/bin/tcptraceroute6 "$3" $6 - + -- cgit v1.2.3 From b39c21af1de08f87cc5c9131ae4f9afc4e9759a5 Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Mon, 10 Aug 2020 21:41:43 +0800 Subject: tcptraceroute: T2723: Support VRF --- op-mode-definitions/traceroute.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/traceroute.xml b/op-mode-definitions/traceroute.xml index b562eb2e6..640f0b90c 100644 --- a/op-mode-definitions/traceroute.xml +++ b/op-mode-definitions/traceroute.xml @@ -98,6 +98,24 @@ sudo /usr/sbin/ip vrf exec "$3" /usr/bin/traceroute -4 "$5" + + + + Route tracing and port detection using TCP + + + + + Perform operations on TCP ports + + 0-65535 + + + sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute "$5" $8 + + + + @@ -107,6 +125,24 @@ sudo /usr/sbin/ip vrf exec "$3" /usr/bin/traceroute -6 "$5" + + + + Use TCP/IPv6 packets to perform a traceroute + + + + + Perform operations on TCP ports + + 0-65535 + + + sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" $8 + + + + -- cgit v1.2.3 
From 0393bbebeda9d8a610accf15377a3487b4fc1ddc Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Mon, 10 Aug 2020 21:45:58 +0800 Subject: tcptraceroute: T2723: Improve command line options, support execution without port Because the ports of tcptraceroute and tcptraceroute6 do not need to be specified in this feature, modify the command line syntax --- op-mode-definitions/traceroute.xml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/traceroute.xml b/op-mode-definitions/traceroute.xml index 640f0b90c..10ee3c07e 100644 --- a/op-mode-definitions/traceroute.xml +++ b/op-mode-definitions/traceroute.xml @@ -30,6 +30,7 @@ Route tracing and port detection using TCP + sudo /usr/bin/tcptraceroute "$3" @@ -57,6 +58,7 @@ Use TCP/IPv6 packets to perform a traceroute + sudo /usr/bin/tcptraceroute6 "$3" @@ -103,6 +105,7 @@ Route tracing and port detection using TCP + sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute "$5" @@ -130,6 +133,7 @@ Use TCP/IPv6 packets to perform a traceroute + sudo /usr/sbin/ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" -- cgit v1.2.3 From 81e3f35cfbe860f9c45f109b66aeb7b826cad865 Mon Sep 17 00:00:00 2001 From: sever-sever Date: Mon, 10 Aug 2020 17:06:57 +0000 Subject: op-mode:T2779:Fix lldp neigh interface ethX --- op-mode-definitions/lldp.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/lldp.xml b/op-mode-definitions/lldp.xml index e954fb8cf..297ccf1f4 100644 --- a/op-mode-definitions/lldp.xml +++ b/op-mode-definitions/lldp.xml @@ -26,7 +26,7 @@ - ${vyos_op_scripts_dir}/lldp_op.py --interface $4 + ${vyos_op_scripts_dir}/lldp_op.py --interface $5 -- cgit v1.2.3 From 399bc459b94d4b918364d1e6b168d1842c8445b5 Mon Sep 17 00:00:00 2001 
From: jack9603301 Date: Tue, 11 Aug 2020 11:45:42 +0800 Subject: tcptraceroute: T2723: Modify port description In response to #522 request, modify `Perform operations on TCP ports` to `TCP port to connect to for path tracing` --- op-mode-definitions/traceroute.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/traceroute.xml b/op-mode-definitions/traceroute.xml index 10ee3c07e..6a44fc25b 100644 --- a/op-mode-definitions/traceroute.xml +++ b/op-mode-definitions/traceroute.xml @@ -34,7 +34,7 @@ - Perform operations on TCP ports + TCP port to connect to for path tracing 0-65535 @@ -62,7 +62,7 @@ - Perform operations on TCP ports + TCP port to connect to for path tracing 0-65535 @@ -109,7 +109,7 @@ - Perform operations on TCP ports + TCP port to connect to for path tracing 0-65535 @@ -137,7 +137,7 @@ - Perform operations on TCP ports + TCP port to connect to for path tracing 0-65535 -- cgit v1.2.3 From add4578ff74f630219b2c1abf0eb122e7cd3eb78 Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Sat, 15 Aug 2020 11:58:57 +0800 Subject: monitor-ndp:T2706: Modify the comment of `monitor ndp type` Since the comment was incorrectly applied to the command when writing the command before, modify it here --- op-mode-definitions/monitor-ndp.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/monitor-ndp.xml b/op-mode-definitions/monitor-ndp.xml index e25eccf3a..1ac6ce39b 100644 --- a/op-mode-definitions/monitor-ndp.xml +++ b/op-mode-definitions/monitor-ndp.xml @@ -4,7 +4,7 @@ - Monitors the NDP information received by the router through the device + Monitor the NDP information received by the router through the device sudo ndptool monitor @@ -20,7 +20,7 @@ sudo ndptool monitor --ifname=$4 --msg-type=$6 - Monitor ndp protocol on specified interface + Monitor specific types of NDP protocols rs ra ns na 
@@ -31,7 +31,7 @@ sudo ndptool monitor --msg-type=$4 - Monitor ndp protocol on specified interface + Monitor specific types of NDP protocols rs ra ns na -- cgit v1.2.3 From ed73f993107d9855f31236267b2b88b680ec8971 Mon Sep 17 00:00:00 2001 From: sever-sever Date: Tue, 18 Aug 2020 09:33:40 +0000 Subject: op-mode: T2791: Add monitor traceroute explicit for ipv4-ipv6 and vrf --- op-mode-definitions/traceroute.xml | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/traceroute.xml b/op-mode-definitions/traceroute.xml index 6a44fc25b..1b619ed43 100644 --- a/op-mode-definitions/traceroute.xml +++ b/op-mode-definitions/traceroute.xml @@ -165,6 +165,24 @@ + + + IPv4 fully qualified domain name (FQDN) + + <fqdn> + + + /usr/bin/mtr -4 "$4" + + + + IPv6 fully qualified domain name (FQDN) + + <fqdn> + + + /usr/bin/mtr -6 "$4" + Monitor path to destination in realtime via given VRF @@ -173,8 +191,24 @@ - + + + IPv4 fully qualified domain name (FQDN) + + <fqdn> + + + sudo /usr/sbin/ip vrf exec "$4" /usr/bin/mtr -4 "$6" + + + + IPv6 fully qualified domain name (FQDN) + + <fqdn> + + + sudo /usr/sbin/ip vrf exec "$4" /usr/bin/mtr -6 "$6" + Track network path to specified node via given VRF -- cgit v1.2.3 From 865cba395223afaa263ff7581fb53ee509f36266 Mon Sep 17 00:00:00 2001 
From: Eshenko Dmitriy Date: Wed, 19 Aug 2020 00:37:00 +0300 Subject: anyconnect: T2036: add anyconnect VPN support --- data/templates/ocserv/ocserv_config.tmpl | 82 +++++++ data/templates/ocserv/ocserv_passwd.tmpl | 6 + data/templates/ocserv/radius_conf.tmpl | 22 ++ data/templates/ocserv/radius_servers.tmpl | 7 + debian/control | 1 + interface-definitions/vpn_anyconnect.xml.in | 258 +++++++++++++++++++++ op-mode-definitions/anyconnect.xml | 20 ++ src/conf_mode/vpn_anyconnect.py | 132 +++++++++++ .../systemd/system/ocserv.service.d/override.conf | 14 ++ src/op_mode/anyconnect-control.py | 67 ++++++ 10 files changed, 609 insertions(+) create mode 100644 data/templates/ocserv/ocserv_config.tmpl create mode 100644 data/templates/ocserv/ocserv_passwd.tmpl create mode 100644 data/templates/ocserv/radius_conf.tmpl create mode 100644 data/templates/ocserv/radius_servers.tmpl create mode 100644 interface-definitions/vpn_anyconnect.xml.in create mode 100644 op-mode-definitions/anyconnect.xml create mode 100755 src/conf_mode/vpn_anyconnect.py create mode 100644 src/etc/systemd/system/ocserv.service.d/override.conf create mode 100755 src/op_mode/anyconnect-control.py (limited to 'op-mode-definitions') diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl new file mode 100644 index 000000000..6aaeff693 --- /dev/null +++ b/data/templates/ocserv/ocserv_config.tmpl 
@@ -0,0 +1,82 @@ +### generated by vpn_anyconnect.py ### + +tcp-port = {{ listen_ports.tcp }} +udp-port = {{ listen_ports.udp }} + +run-as-user = nobody +run-as-group = daemon + +{% if "radius" in authentication.mode %} +auth = "radius [config=/run/ocserv/radiusclient.conf]" +{% else %} +auth = "plain[/run/ocserv/ocpasswd]" +{% endif %} + +{% if ssl.cert_file %} +server-cert = {{ ssl.cert_file }} +{% endif %} + +{% if ssl.key_file %} +server-key = {{ ssl.key_file }} +{% endif %} + +{% if ssl.ca_cert_file %} +ca-cert = {{ ssl.ca_cert_file }} +{% endif %} + +socket-file = /run/ocserv/ocserv.socket +occtl-socket-file = /run/ocserv/occtl.socket +use-occtl = true +isolate-workers = true +keepalive = 300 +dpd = 60 +mobile-dpd = 300 +switch-to-tcp-timeout = 30 +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" +auth-timeout = 240 +idle-timeout = 1200 +mobile-idle-timeout = 1800 +min-reauth-time = 3 +cookie-timeout = 300 +rekey-method = ssl +try-mtu-discovery = true +cisco-client-compat = true +dtls-legacy = true + + +# The name to use for the tun device +device = sslvpn + +# An alternative way of specifying the network: +{% if network_settings %} +# DNS settings +{% if network_settings.name_server is string %} +dns = {{ network_settings.name_server }} +{% else %} +{% for dns in network_settings.name_server %} +dns = {{ dns }} +{% endfor %} +{% endif %} +# IPv4 network pool +{% if network_settings.client_ip_settings %} +{% if network_settings.client_ip_settings.subnet %} +ipv4-network = {{ network_settings.client_ip_settings.subnet }} +{% endif %} +{% endif %} +# IPv6 network pool +{% if network_settings.client_ipv6_pool %} +{% if network_settings.client_ipv6_pool.prefix %} +ipv6-network = {{ network_settings.client_ipv6_pool.prefix }} +ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }} +{% endif %} +{% endif %} +{% endif %} + +{% if network_settings.push_route is string %} +route = {{ network_settings.push_route }} +{% else 
%} +{% for route in network_settings.push_route %} +route = {{ route }} +{% endfor %} +{% endif %} + diff --git a/data/templates/ocserv/ocserv_passwd.tmpl b/data/templates/ocserv/ocserv_passwd.tmpl new file mode 100644 index 000000000..ffadb4860 --- /dev/null +++ b/data/templates/ocserv/ocserv_passwd.tmpl @@ -0,0 +1,6 @@ +#:: +{% for user in username if username is defined %} +{% if not "disable" in username[user] %} +{{ user }}:*:{{ username[user].hash }} +{% endif %} +{% endfor %} \ No newline at end of file diff --git a/data/templates/ocserv/radius_conf.tmpl b/data/templates/ocserv/radius_conf.tmpl new file mode 100644 index 000000000..2d19306a0 --- /dev/null +++ b/data/templates/ocserv/radius_conf.tmpl @@ -0,0 +1,22 @@ +### generated by cpn_anyconnect.py ### +nas-identifier VyOS +{% for srv in server %} +{% if not "disable" in server[srv] %} +{% if "port" in server[srv] %} +authserver {{ srv }}:{{server[srv]["port"]}} +{% else %} +authserver {{ srv }} +{% endif %} +{% endif %} +{% endfor %} +radius_timeout {{ timeout }} +{% if source_address %} +bindaddr {{ source_address }} +{% else %} +bindaddr * +{% endif %} +servers /run/ocserv/radius_servers +dictionary /etc/radcli/dictionary +default_realm +radius_retries 3 +# \ No newline at end of file diff --git a/data/templates/ocserv/radius_servers.tmpl b/data/templates/ocserv/radius_servers.tmpl new file mode 100644 index 000000000..ba21fa074 --- /dev/null +++ b/data/templates/ocserv/radius_servers.tmpl @@ -0,0 +1,7 @@ +### generated by cpn_anyconnect.py ### +# server key +{% for srv in server %} +{% if not "disable" in server[srv] %} +{{ srv }} {{ server[srv].key }} +{% endif %} +{% endfor %} diff --git a/debian/control b/debian/control index 34ba4be8e..520401d57 100644 --- a/debian/control +++ b/debian/control 
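Review bot: The security-relevant daemon settings written unconditionally in the upper half of ocserv_config.tmpl — `tls-priorities`, `dtls-legacy = true`, `cisco-client-compat = true`, `rekey-method = ssl`, `isolate-workers = true` — carry no comment saying why these values are fixed rather than exposed through the configuration tree, which is the first thing the next maintainer will need when a client-compatibility request arrives. A one-line comment above that group, such as `# Fixed daemon policy, intentionally not user-configurable; keep the TLS priority string and the legacy/compat toggles in step with the clients VyOS supports`, would do. The comment `# An alternative way of specifying the network:` reads like a leftover from the upstream ocserv sample config and sits directly above the DNS block, which it does not describe; `# Settings pushed to connecting clients` matches what follows. The trailing `push_route` block is outside the `{% if network_settings %}` guard, which only works because verify() in vpn_anyconnect.py rejects a configuration without network settings — worth noting in a comment at that spot.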
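Review bot: The header comment `### generated by cpn_anyconnect.py ###` in radius_conf.tmpl names a script that does not exist in this commit; the generator is src/conf_mode/vpn_anyconnect.py, so it should read `### generated by vpn_anyconnect.py ###`, matching ocserv_config.tmpl. The same typo is in radius_servers.tmpl. `default_realm` is emitted with no value next to the fixed `radius_retries 3` and `bindaddr *`; a short comment on why the realm is intentionally left empty would save the next reader a trip to the radcli documentation. radius_servers.tmpl writes the RADIUS shared secret `{{ server[srv].key }}` into /run/ocserv/radius_servers, and the file mode that render() applies is not visible in this commit, so confirm the rendered file is not world-readable.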
@@ -107,6 +107,7 @@ Depends: python3, libatomic1, fastnetmon, libndp-tools, + ocserv, tcptraceroute Description: VyOS configuration scripts and data VyOS configuration scripts, interface definitions, and everything diff --git a/interface-definitions/vpn_anyconnect.xml.in b/interface-definitions/vpn_anyconnect.xml.in new file mode 100644 index 000000000..e74326986 --- /dev/null +++ b/interface-definitions/vpn_anyconnect.xml.in 
@@ -0,0 +1,258 @@ + + + + + + + SSL VPN AnyConnect + 901 + + + + + Authentication for remote access SSL VPN Server + + + + + Authentication mode used by this server + + local + Use local username/password configuration + + + radius + Use RADIUS server for user autentication + + + (local|radius) + + + local radius + + + + + + Local user authentication for SSL VPN server + + + + + User name for authentication + + + + + Option to disable a SSL VPN Server user + + + + + + Password for authentication + + + + + + + #include + + + + + Session timeout + + 1-30 + Session timeout in seconds (default: 2) + + + + + Timeout must be between 1 and 30 seconds + + 2 + + + + + + + + SSL Certificate, SSL Key and CA (/config/auth) + + + + + tcp port number to accept connections (default: 443) + + 1-65535 + Numeric IP port (default: 443) + + + + + + 443 + + + + udp port number to accept connections (default: 443) + + 1-65535 + Numeric IP port (default: 443) + + + + + + 443 + + + + + + SSL Certificate, SSL Key and CA (/config/auth) + + + + + Certificate Authority certificate + + + + + file + File in /config/auth directory + + + + + + + + + Server Certificate + + file + File in /config/auth directory + + + + + + + + + Privat Key of the Server Certificate + + file + File in /config/auth directory + + + + + + + + + + + Network settings + + + + + Route to be pushed to the client + + ipv4net + IPv4 network and prefix length + + + ipv6net + IPv6 network and prefix length + + + + + + + + + + Client IP pools settings + + + + + Client IP subnet (CIDR notation) + + ipv4net + IPv4 address and prefix length + + + + + Not a valid CIDR formatted prefix + + + + + + + Pool of client IPv6 addresses + + + + + Pool of addresses used to assign to clients + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length used for individual client + + <48-128> + Client prefix length (default: 64) + + + + + + 64 + + + + + + Domain Name Server (DNS) propagated to client + + ipv4 + Domain Name Server 
(DNS) IPv4 address + + + ipv6 + Domain Name Server (DNS) IPv6 address + + + + + + + + + + + + + + + diff --git a/op-mode-definitions/anyconnect.xml b/op-mode-definitions/anyconnect.xml new file mode 100644 index 000000000..7e8cdd35b --- /dev/null +++ b/op-mode-definitions/anyconnect.xml @@ -0,0 +1,20 @@ + + + + + + + show anyconnect-server information + + + + + Show active anyconnect server sessions + + ${vyos_op_scripts_dir}/anyconnect-control.py --action="show_sessions" + + + + + + diff --git a/src/conf_mode/vpn_anyconnect.py b/src/conf_mode/vpn_anyconnect.py new file mode 100755 index 000000000..45c06bffa --- /dev/null +++ b/src/conf_mode/vpn_anyconnect.py 
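Review bot: Several help strings in the new vpn_anyconnect.xml.in will surface verbatim in CLI completion and contain typos: `Use RADIUS server for user autentication` should be `Use RADIUS server for user authentication`, and `Privat Key of the Server Certificate` should be `Private key of the server certificate`. The RADIUS `Session timeout` node names its unit only in the value help (`Session timeout in seconds (default: 2)`) while the outer help says just `Session timeout`; `Session timeout in seconds` in both places keeps them consistent with the port nodes, which repeat `(default: 443)` at both levels. This rendering dropped the XML tags, so I cannot tell how the `Password for authentication` leaf is validated or displayed; confirm it receives the same treatment as the other password leaves under interface-definitions.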
@@ -0,0 +1,132 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.xml import defaults +from vyos.template import render +from vyos.util import call +from vyos import ConfigError +from crypt import crypt, mksalt, METHOD_SHA512 + +from vyos import airbag +airbag.enable() + +cfg_dir = '/run/ocserv' +ocserv_conf = cfg_dir + '/ocserv.conf' +ocserv_passwd = cfg_dir + '/ocpasswd' +radius_cfg = cfg_dir + '/radiusclient.conf' +radius_servers = cfg_dir + '/radius_servers' + + +# Generate hash from user cleartext password +def get_hash(password): + return crypt(password, mksalt(METHOD_SHA512)) + + +def get_config(): + conf = Config() + base = ['vpn', 'anyconnect'] + ocserv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + default_values = defaults(base) + ocserv = dict_merge(default_values, ocserv) + return ocserv + + +def verify(ocserv): + if ocserv is None: + return None + + # Check authentication + if "authentication" in ocserv: + if "mode" in ocserv["authentication"]: + if "local" in ocserv["authentication"]["mode"]: + if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]: + raise ConfigError('Anyconect mode local required at leat one user') + else: + for user in 
ocserv["authentication"]["local_users"]["username"]: + if not "password" in ocserv["authentication"]["local_users"]["username"][user]: + raise ConfigError(f'password required for user {user}') + else: + raise ConfigError('anyconnect authentication mode required') + else: + raise ConfigError('anyconnect authentication credentials required') + + # Check ssl + if "ssl" in ocserv: + req_cert = ['ca_cert_file', 'cert_file', 'key_file'] + for cert in req_cert: + if not cert in ocserv["ssl"]: + raise ConfigError('anyconnect ssl {0} required'.format(cert.replace('_', '-'))) + else: + raise ConfigError('anyconnect ssl required') + + # Check network settings + if "network_settings" in ocserv: + if "push_route" in ocserv["network_settings"]: + # Replace default route + if "0.0.0.0/0" in ocserv["network_settings"]["push_route"]: + ocserv["network_settings"]["push_route"].remove("0.0.0.0/0") + ocserv["network_settings"]["push_route"].append("default") + else: + ocserv["network_settings"]["push_route"] = "default" + else: + raise ConfigError('anyconnect network settings required') + + +def generate(ocserv): + if not ocserv: + return None + + if "radius" in ocserv["authentication"]["mode"]: + # Render radius client configuration + render(radius_cfg, 'ocserv/radius_conf.tmpl', ocserv["authentication"]["radius"], trim_blocks=True) + # Render radius servers + render(radius_servers, 'ocserv/radius_servers.tmpl', ocserv["authentication"]["radius"], trim_blocks=True) + else: + if "local_users" in ocserv["authentication"]: + for user in ocserv["authentication"]["local_users"]["username"]: + ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"]) + # Render local users + render(ocserv_passwd, 'ocserv/ocserv_passwd.tmpl', ocserv["authentication"]["local_users"], trim_blocks=True) + + # Render config + render(ocserv_conf, 'ocserv/ocserv_config.tmpl', ocserv, trim_blocks=True) + + + +def 
apply(ocserv): + if not ocserv: + call('systemctl stop ocserv.service') + for file in [ocserv_conf, ocserv_passwd]: + if os.path.exists(file): + os.unlink(file) + else: + call('systemctl restart ocserv.service') + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/etc/systemd/system/ocserv.service.d/override.conf b/src/etc/systemd/system/ocserv.service.d/override.conf new file mode 100644 index 000000000..89dbb153f --- /dev/null +++ b/src/etc/systemd/system/ocserv.service.d/override.conf @@ -0,0 +1,14 @@ +[Unit] +RequiresMountsFor=/run +ConditionPathExists=/run/ocserv/ocserv.conf +After= +After=vyos-router.service +After=dbus.service + +[Service] +WorkingDirectory=/run/ocserv +PIDFile= +PIDFile=/run/ocserv/ocserv.pid +ExecStart= +ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv/ocserv.pid --config /run/ocserv/ocserv.conf + diff --git a/src/op_mode/anyconnect-control.py b/src/op_mode/anyconnect-control.py new file mode 100755 index 000000000..6382016b7 --- /dev/null +++ b/src/op_mode/anyconnect-control.py 
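Review bot: In apply(), the removal branch deletes only `ocserv_conf` and `ocserv_passwd`, so when `vpn anyconnect` is deleted the files generate() renders for RADIUS mode — `radius_cfg` and `radius_servers`, the latter holding the RADIUS shared secret — remain in /run/ocserv; the loop should read `for file in [ocserv_conf, ocserv_passwd, radius_cfg, radius_servers]:`. In verify(), the push_route handling calls `.remove()` and `.append()` on `ocserv["network_settings"]["push_route"]`, but ocserv_config.tmpl branches on `network_settings.push_route is string`, so if a single configured route arrives as a str (as the template anticipates) the `"0.0.0.0/0" in ...` test succeeds and `.remove` raises AttributeError instead of ConfigError; normalize with `if isinstance(routes, str): routes = [routes]` before rewriting. verify() also mutates the configuration it is validating (rewriting the default route and inserting `"default"`), which belongs in generate(). The error string `'Anyconect mode local required at leat one user'` should read `'AnyConnect local mode requires at least one user'`, and `if not ocserv["authentication"]["local_users"]` raises KeyError rather than the intended ConfigError when `local_users` is absent unless the defaults merged in get_config() always supply it — I cannot see those defaults here, so `.get("local_users")` is the safer form.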
@@ -0,0 +1,67 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import sys +import argparse +import json + +from vyos.config import Config +from vyos.util import popen, run, DEVNULL +from tabulate import tabulate + +occtl = '/usr/bin/occtl' +occtl_socket = '/run/ocserv/occtl.socket' + +def show_sessions(): + out, code = popen("sudo {0} -j -s {1} show users".format(occtl, occtl_socket),stderr=DEVNULL) + if code: + sys.exit('Cannot get anyconnect users information') + else: + headers = ["interface", "username", "ip", "remote IP", "RX", "TX", "state", "uptime"] + sessions = json.loads(out) + ses_list = [] + for ses in sessions: + ses_list.append([ses["Device"], ses["Username"], ses["IPv4"], ses["Remote IP"], ses["_RX"], ses["_TX"], ses["State"], ses["_Connected at"]]) + if len(ses_list) > 0: + print(tabulate(ses_list, headers)) + else: + print("No active anyconnect sessions") + +def is_ocserv_configured(): + if not Config().exists_effective('vpn anyconnect'): + print("vpn anyconnect server is not configured") + sys.exit(1) + +def main(): + #parese args + parser = argparse.ArgumentParser() + parser.add_argument('--action', help='Control action', required=True) + parser.add_argument('--selector', help='Selector username|ifname|sid', required=False) + parser.add_argument('--target', help='Target must contain username|ifname|sid', required=False) + args = parser.parse_args() + + + # 
Check is IPoE configured + is_ocserv_configured() + + if args.action == "restart": + run("systemctl restart ocserv") + sys.exit(0) + elif args.action == "show_sessions": + show_sessions() + +if __name__ == '__main__': + main() -- cgit v1.2.3 From c29ed43a720f0205dbafa26a0048076bba9d7333 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 28 Aug 2020 12:01:29 -0700 Subject: T2836: show system integrity broken --- op-mode-definitions/show-system.xml | 2 +- src/op_mode/show_system_integrity.py | 70 ++++++++++++++++++++++++++++++++++++ src/op_mode/system_integrity.py | 70 ------------------------------------ 3 files changed, 71 insertions(+), 71 deletions(-) create mode 100755 src/op_mode/show_system_integrity.py delete mode 100755 src/op_mode/system_integrity.py (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-system.xml b/op-mode-definitions/show-system.xml index 1b98b559b..0623e3b62 100644 --- a/op-mode-definitions/show-system.xml +++ b/op-mode-definitions/show-system.xml @@ -59,7 +59,7 @@ Checks overall system integrity - sudo ${vyos_op_scripts_dir}/system_integrity.py + sudo ${vyos_op_scripts_dir}/show_system_integrity.py diff --git a/src/op_mode/show_system_integrity.py b/src/op_mode/show_system_integrity.py new file mode 100755 index 000000000..c34d41e80 --- /dev/null +++ b/src/op_mode/show_system_integrity.py 
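Review bot: The comment `# Check is IPoE configured` in main() of anyconnect-control.py describes a different service; the call beneath it checks `vpn anyconnect`, so it should read `# Bail out unless vpn anyconnect is configured` (and `#parese args` should be `# parse args`). `--action` accepts any string but only `restart` and `show_sessions` are handled, so an unknown action exits 0 having done nothing; `parser.add_argument('--action', help='Control action', required=True, choices=['restart', 'show_sessions'])` turns that into a usage error. `--selector` and `--target` are parsed and never read. The occtl command line in show_sessions() is assembled from the two module constants `occtl` and `occtl_socket` only, so no user input reaches the shell; a comment stating that invariant would keep a future argument from being spliced into the format string unquoted.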
@@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# + +import sys +import os +import re +import json +from datetime import datetime, timedelta + +version_file = r'/usr/share/vyos/version.json' + + +def _get_sys_build_version(): + if not os.path.exists(version_file): + return None + buf = open(version_file, 'r').read() + j = json.loads(buf) + if not 'built_on' in j: + return None + return datetime.strptime(j['built_on'], '%a %d %b %Y %H:%M %Z') + + +def _check_pkgs(build_stamp): + pkg_diffs = { + 'buildtime': str(build_stamp), + 'pkg': {} + } + + pkg_info = os.listdir('/var/lib/dpkg/info/') + for file in pkg_info: + if re.search('\.list$', file): + fts = os.stat('/var/lib/dpkg/info/' + file).st_mtime + dt_str = (datetime.utcfromtimestamp( + fts).strftime('%Y-%m-%d %H:%M:%S')) + fdt = datetime.strptime(dt_str, '%Y-%m-%d %H:%M:%S') + if fdt > build_stamp: + pkg_diffs['pkg'].update( + {str(re.sub('\.list', '', file)): str(fdt)}) + + if len(pkg_diffs['pkg']) != 0: + return pkg_diffs + else: + return None + + +if __name__ == '__main__': + built_date = _get_sys_build_version() + if not built_date: + sys.exit(1) + pkgs = _check_pkgs(built_date) + if pkgs: + print ( + "The following packages don\'t fit the image creation time\nbuild time:\t" + pkgs['buildtime']) + for k, v in pkgs['pkg'].items(): + print ("installed: " + v + '\t' + k) 
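Review bot: `_get_sys_build_version()` in show_system_integrity.py reads the version file with `open(version_file, 'r').read()` and never closes it; `with open(version_file) as f: j = json.load(f)` does the same work in two lines. The check compares dpkg `.list` mtimes against the image build time, which is a heuristic (file mtimes are settable by anyone able to install packages), while the op-mode help calls it `Checks overall system integrity`; a module docstring along the lines of `Report packages whose dpkg .list file is newer than the image build time; this is an mtime heuristic, not a cryptographic integrity check.` would set expectations for operators reading the output. The patterns `'\.list$'` and `'\.list'` are non-raw strings with an invalid escape (a DeprecationWarning since 3.6), and `re.sub` without a count strips every occurrence; `file.endswith('.list')` and `file[:-len('.list')]` say what is meant without `re`. The `utcfromtimestamp → strftime → strptime` round trip only discards microseconds, so `datetime.utcfromtimestamp(fts).replace(microsecond=0)` is equivalent and clearer. `timedelta` is imported but unused, and when the build date cannot be read the script exits 1 with no message explaining why.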
diff --git a/src/op_mode/system_integrity.py b/src/op_mode/system_integrity.py deleted file mode 100755 index c0e3d1095..000000000 --- a/src/op_mode/system_integrity.py +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# -# - -import sys -import os -import re -import itertools -from datetime import datetime, timedelta - -from vyos.util import cmd - -verf = r'/usr/libexec/vyos/op_mode/version.py' - -def get_sys_build_version(): - if not os.path.exists(verf): - return None - - a = cmd('/usr/libexec/vyos/op_mode/version.py') - if re.search('^Built on:.+',a, re.M) == None: - return None - - dt = ( re.sub('Built on: +','', re.search('^Built on:.+',a, re.M).group(0)) ) - return datetime.strptime(dt,'%a %d %b %Y %H:%M %Z') - -def check_pkgs(dt): - pkg_diffs = { - 'buildtime' : str(dt), - 'pkg' : {} - } - - pkg_info = os.listdir('/var/lib/dpkg/info/') - for file in pkg_info: - if re.search('\.list$', file): - fts = os.stat('/var/lib/dpkg/info/' + file).st_mtime - dt_str = (datetime.utcfromtimestamp(fts).strftime('%Y-%m-%d %H:%M:%S')) - fdt = datetime.strptime(dt_str, '%Y-%m-%d %H:%M:%S') - if fdt > dt: - pkg_diffs['pkg'].update( { str(re.sub('\.list','',file)) : str(fdt)}) - - if len(pkg_diffs['pkg']) != 0: - return pkg_diffs - else: - return None - -def main(): - dt = get_sys_build_version() - pkgs = check_pkgs(dt) - if pkgs != None: - print ("The following packages don\'t fit the image creation time\nbuild time:\t" + pkgs['buildtime']) - for k, v in pkgs['pkg'].items(): - print ("installed: " + v + '\t' + k) - -if __name__ == 
'__main__': - sys.exit( main() ) - -- cgit v1.2.3 From 2503f720e3c61ba98fdc2fd9296afe79fd5518b8 Mon Sep 17 00:00:00 2001 From: sever-sever Date: Tue, 1 Sep 2020 06:42:36 +0000 Subject: op-mode: T2846: Fix show ip route longer-prefixes --- op-mode-definitions/show-ip-route.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'op-mode-definitions') diff --git a/op-mode-definitions/show-ip-route.xml b/op-mode-definitions/show-ip-route.xml index d12d132c0..48ebbc74a 100644 --- a/op-mode-definitions/show-ip-route.xml +++ b/op-mode-definitions/show-ip-route.xml @@ -149,7 +149,7 @@ Show longer prefixes of routes for specified IP address or prefix - /usr/bin/vtysh -c "show ip route $4" + /usr/bin/vtysh -c "show ip route $4 longer-prefixes" -- cgit v1.2.3