From a1b33575a316c36c3d2a1176154c00d68b99b803 Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 21 Nov 2018 09:45:11 -0800 Subject: T835: syslog debug message removed (to verbose) --- src/conf_mode/accel_pppoe.py | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/accel_pppoe.py b/src/conf_mode/accel_pppoe.py index d110f51e1..7f721f932 100755 --- a/src/conf_mode/accel_pppoe.py +++ b/src/conf_mode/accel_pppoe.py @@ -512,7 +512,6 @@ def generate(c): tmpl = jinja2.Template(pppoe_config, trim_blocks=True) config_text = tmpl.render(c) open(pppoe_conf,'w').write(config_text) - sl.syslog(sl.LOG_NOTICE, pppoe_config + ' written') if c['authentication']['local-users']: write_chap_secrets(c) -- cgit v1.2.3 From b7b45384b4398d1b4fa6ef94664eed600c9d71aa Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 22 Nov 2018 10:35:42 -0800 Subject: T835: accel-ppp: pppoe implementation - verify if an auth mode is set and if its local checking that a user and password for chap-secrets exists. --- src/conf_mode/accel_pppoe.py | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/conf_mode/accel_pppoe.py b/src/conf_mode/accel_pppoe.py index 7f721f932..f0a7fcf96 100755 --- a/src/conf_mode/accel_pppoe.py +++ b/src/conf_mode/accel_pppoe.py @@ -368,7 +368,9 @@ def get_config(): config_data['snmp'] = 'enable-ma' #### authentication mode local - + if not c.exists('authentication mode'): + raise ConfigError('pppoe-server authentication mode required') + if c.exists('authentication mode local'): if c.exists('authentication local-users username'): for usr in c.list_nodes('authentication local-users username'): 
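Review bot: `open(pppoe_conf,'w').write(config_text)`, the line above the removed syslog call, never closes the file explicitly, so the rendered config is only guaranteed flushed when the file object is collected, which on CPython happens immediately by implementation detail rather than by contract; write it as `with open(pppoe_conf, 'w') as f: f.write(config_text)`. If the rendered accel-ppp config embeds a RADIUS shared secret (the series shows `radiussrv` config but not the template itself, so this is a guess to confirm), the file should also be created with restrictive permissions rather than whatever the process umask allows. generate() continues outside the hunk.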
@@ -478,13 +480,16 @@ def get_config(): def verify(c): if c == None: return None - - for usr in c['authentication']['local-users']: - if not c['authentication']['local-users'][usr]: - raise ConfigError('user ' + usr + ' has no password set') + if c['authentication']['mode'] == 'local': + if not c['authentication']['local-users']: + raise ConfigError('pppoe-server authentication local-users required') + + for usr in c['authentication']['local-users']: + if not c['authentication']['local-users'][usr]['passwd']: + raise ConfigError('user ' + usr + ' requires a password') if not c['ppp_gw']: - raise ConfigError('pppoe gateway-ip required') + raise ConfigError('pppoe-server local-ip required') if c['authentication']['mode'] == 'radius': if len(c['authentication']['radiussrv']) == 0: -- cgit v1.2.3 From bf55a3a40f1e247b944eea266d4cd384d20087d1 Mon Sep 17 00:00:00 2001 From: arnehaak <45362083+arnehaak@users.noreply.github.com> Date: Thu, 29 Nov 2018 00:01:32 +0100 Subject: T1001: Bugfix: Handle backslashes in values with "show configuration commands" This script is usually called with the output of "cli-shell-api showCfg", which does not escape backslashes. "ConfigTree()" expects escaped backslashes when parsing a config string (and also prints them itself). Therefore this script would fail. Manually escape backslashes here to handle backslashes in any configuration strings properly. The alternative would be to modify the output of "cli-shell-api showCfg", but that may be break other things who rely on that specific output. This fixes https://phabricator.vyos.net/T1001 --- src/utils/vyos-config-to-commands | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src') diff --git a/src/utils/vyos-config-to-commands b/src/utils/vyos-config-to-commands index 8b50f7c5d..7147bc5ff 100755 --- a/src/utils/vyos-config-to-commands +++ b/src/utils/vyos-config-to-commands 
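Review bot: `if c == None:` at the top of verify() compares against the `None` singleton with `==`; use `if c is None:`. The new local-users branch indexes `['passwd']` for every user, which presumes get_config always populates that key for each username (the loop body that would set it is outside the visible hunks, so confirm); otherwise a user configured without a password raises KeyError instead of the intended ConfigError, and `if not c['authentication']['local-users'][usr].get('passwd'):` keeps the intended message either way. Because `mode` is tested for `'local'` and `'radius'` in two independent `if` statements, any other value passes verification silently; unless the interface definition already constrains the value, a trailing `else: raise ConfigError('unsupported authentication mode')` closes that gap. verify() continues outside the hunk.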
@@ -19,6 +19,14 @@ else: except OSError as e: print("Could not read config file {0}: {1}".format(file_name, e), file=sys.stderr) +# This script is usually called with the output of "cli-shell-api showCfg", which does not +# escape backslashes. "ConfigTree()" expects escaped backslashes when parsing a config +# string (and also prints them itself). Therefore this script would fail. +# Manually escape backslashes here to handle backslashes in any configuration strings +# properly. The alternative would be to modify the output of "cli-shell-api showCfg", +# but that may be break other things who rely on that specific output. +config_string = config_string.replace("\\", "\\\\") + try: config = ConfigTree(config_string) commands = config.to_commands() -- cgit v1.2.3 From 652c626644d03ccf7d03de8f51ae5a2a6e27fd66 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Thu, 29 Nov 2018 01:49:55 +0100 Subject: T1001: escape backslashes in the input in the commands pipe as well. --- src/helpers/commands-pipe.py | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/helpers/commands-pipe.py b/src/helpers/commands-pipe.py index 1120bb09e..ab68ccade 100755 --- a/src/helpers/commands-pipe.py +++ b/src/helpers/commands-pipe.py @@ -9,6 +9,7 @@ from vyos.configtree import ConfigTree signal(SIGPIPE,SIG_DFL) config_string = sys.stdin.read().strip() +config_string = config_string.replace("\\", "\\\\") if not config_string: sys.exit(0) -- cgit v1.2.3 From a29898b2ea15b7d9cea7fade1b27d38967c52d52 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 30 Nov 2018 10:26:36 -0800 Subject: Fixes: T1061: Wireguard: Missing option to administrativly shutdown interface --- debian/changelog | 6 ++++++ interface-definitions/wireguard.xml | 6 ++++++ src/conf_mode/wireguard.py | 15 ++++++++++++++- 3 files changed, 26 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/debian/changelog b/debian/changelog index 8157d97f8..7666cfd68 100644 --- a/debian/changelog 
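Review bot: The new `config_string.replace("\\", "\\\\")` is applied to whatever input the script got, yet the hunk's context (`Could not read config file {0}`) shows a file-reading branch alongside the `cli-shell-api showCfg` case the commit message describes, and the message itself notes that ConfigTree's own serialiser already prints escaped backslashes; a config saved by that serialiser is therefore double-escaped on the file path. Limit the escaping to the branch that consumes showCfg output, or document on the comment block why the file input is known to be unescaped too, e.g. `# NOTE: also applied to file input - assumes files are raw showCfg dumps, not ConfigTree output`. The if/else that chooses the input source begins outside the hunk.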
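Review bot: The same double-escaping concern applies here: `sys.stdin.read()` is escaped unconditionally, so anything that pipes an already-escaped ConfigTree serialisation through the helper gets its backslashes doubled a second time. If stdin is by contract always raw showCfg output, a one-line comment saying so above the `replace` would spare the next reader the question; otherwise the escaping belongs at the producer that is known to be unescaped. The rest of the script after `sys.exit(0)` is outside the hunk.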
+++ b/debian/changelog @@ -1,3 +1,9 @@ +vyos-1x (1.2.0-7) unstable; urgency=low + + * T1061: Wireguard: Missing option to administrativly shutdown interface + + -- hagbard Fri, 30 Nov 2018 10:22:41 -0800 + vyos-1x (1.2.0-6) unstable; urgency=medium * adding vyos-accel-ppp-ipoe-kmod for T989 diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index b0923bbe0..8bfffac9d 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -39,6 +39,12 @@ interface description is too long (limit 100 characters) + + + disables the wireguard interface + + + Local port number to accept connections diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 353528aba..f5452579e 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -89,6 +89,9 @@ def get_config(): ### addresses if c.exists(cnf + ' address'): config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address') + ### interface up/down + if c.exists(cnf + ' disable'): + config_data['interfaces'][intfc]['state'] = 'disable' ### listen port if c.exists(cnf + ' port'): config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' port') @@ -121,6 +124,7 @@ def get_config(): if c.exists(cnf + ' peer ' + p + ' preshared-key'): config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key') + return config_data def verify(c): 
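Review bot: `config_data['interfaces'][intfc]['state'] = 'disable'` is assigned only when the `disable` node exists, and nothing in this hunk sets a default for `state`; unless it is initialised elsewhere in get_config (not visible here, confirm), the comparison `c['interfaces'][intf]['state'] == 'disable'` that the series adds to apply() raises KeyError for every interface that is not disabled. Set the default next to the new lines, e.g. `config_data['interfaces'][intfc]['state'] = 'enable'` before `if c.exists(cnf + ' disable'):`, or have apply() read it with `.get('state')`. get_config continues outside the hunk.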
@@ -159,12 +163,21 @@ def apply(c): c_eff = Config() c_eff.set_level('interfaces wireguard') + ### link status up/down aka interface disable + + for intf in c['interfaces']: + if c['interfaces'][intf]['state'] == 'disable': + sl.syslog(sl.LOG_NOTICE, "disable interface " + intf) + subprocess.call(['ip l s dev ' + intf + ' down ' + ' &>/dev/null'], shell=True) + else: + sl.syslog(sl.LOG_NOTICE, "enable interface " + intf) + subprocess.call(['ip l s dev ' + intf + ' up ' + ' &>/dev/null'], shell=True) + ### deletion of a specific interface for intf in c['interfaces']: if c['interfaces'][intf]['status'] == 'delete': sl.syslog(sl.LOG_NOTICE, "removing interface " + intf) subprocess.call(['ip l d dev ' + intf + ' &>/dev/null'], shell=True) - ### peer deletion peer_eff = c_eff.list_effective_nodes( intf + ' peer') -- cgit v1.2.3 From f285e0cba6550b316794bf04f9992e9b471ea562 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 3 Dec 2018 01:29:38 +0100 Subject: T956: correct IKE proposal string parsing for SAs with non-zero counters. --- src/op_mode/show_ipsec_sa.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py index c0ef1feef..b03014b2f 100755 --- a/src/op_mode/show_ipsec_sa.py +++ b/src/op_mode/show_ipsec_sa.py 
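Review bot: The two new `subprocess.call(['ip l s dev ' + intf + ' down ' + ' &>/dev/null'], shell=True)` calls build a shell command by string concatenation and rely on `&>`, which is a bash-ism; `shell=True` runs `/bin/sh`, and where that is dash (Debian) `cmd &>/dev/null` parses as `cmd &` followed by an empty command with a redirect, so `ip` runs in the background, its errors are not suppressed, and the return code is always 0. Pass an argument list and discard output explicitly, which also keeps the interface name out of shell parsing: `subprocess.call(['ip', 'link', 'set', 'dev', intf, 'down'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)` (and the same for `up`). The pre-existing delete call a few lines below has the same `&>/dev/null` pattern. The new loop also runs before the deletion loop and does not skip interfaces whose `status` is `'delete'`, so such an interface is brought up just before it is removed; a `continue` for that case, or reversing the loop order, avoids the churn. apply() continues outside the hunk.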
@@ -10,11 +10,15 @@ def parse_conn_spec(s): return re.search(r'.*ESTABLISHED\s+(.*)ago,\s(.*)\[(.*)\]\.\.\.(.*)\[(.*)\].*', s).groups() def parse_ike_line(s): - # Example: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes try: - return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s).groups() + # Example with traffic: AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 2382660 bytes_i (1789 pkts, 2s ago), 2382660 bytes_o ... + return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i\s\(.*pkts,.*\),\s+(\d+)\s+bytes_o', s).groups() except AttributeError: - return (None, None, None, None, None) + try: + # Example without traffic: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes + return re.search(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying', s).groups() + except AttributeError: + return (None, None, None, None, None) # Get a list of all configured connections -- cgit v1.2.3 From 44c8175dc975c8a3b73bf14c71dd890d52f00e67 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 3 Dec 2018 01:35:23 +0100 Subject: T956: display SA traffic counters in human-redable units. --- debian/control | 1 + src/op_mode/show_ipsec_sa.py | 6 ++++++ 2 files changed, 7 insertions(+) (limited to 'src') diff --git a/debian/control b/debian/control index 34e95a547..7061d50ef 100644 --- a/debian/control +++ b/debian/control @@ -25,6 +25,7 @@ Depends: python3, python3-tabulate, python3-six, python3-isc-dhcp-leases, + python3-hurry.filesize, ipaddrcheck, tcpdump, tshark, diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py index b03014b2f..3c8d678eb 100755 --- a/src/op_mode/show_ipsec_sa.py +++ b/src/op_mode/show_ipsec_sa.py @@ -4,6 +4,7 @@ import re import subprocess import tabulate +import hurry.filesize def parse_conn_spec(s): # Example: ESTABLISHED 14 seconds ago, 10.0.0.2[foo]...10.0.0.1[10.0.0.1] 
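Review bot: The nested `try`/`except AttributeError` in parse_ike_line uses the exception raised by `None.groups()` as the "no match" signal, which also swallows any other AttributeError and makes the fallthrough order hard to follow; check the match object instead and iterate the two patterns in order, compiled once at module level with the two example lines kept as comments next to them. Behaviour is the same: the traffic pattern is tried first, then the idle one, then five Nones. The `parse_conn_spec` line at the top of the hunk is the tail of a function that starts outside it.
```python
_IKE_LINE_PATTERNS = (
    # With traffic: AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 2382660 bytes_i (1789 pkts, 2s ago), 2382660 bytes_o ...
    re.compile(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i\s\(.*pkts,.*\),\s+(\d+)\s+bytes_o'),
    # Without traffic: 3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
    re.compile(r'.*:\s+(.*)\/(.*)\/(.*),\s+(\d+)\s+bytes_i,\s+(\d+)\s+bytes_o,\s+rekeying'),
)

def parse_ike_line(s):
    """Return (enc, hash, dh, bytes_in, bytes_out) parsed from an IKE SA status line, or five Nones."""
    for pattern in _IKE_LINE_PATTERNS:
        match = pattern.search(s)
        if match:
            return match.groups()
    return (None, None, None, None, None)
```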
@@ -39,6 +40,11 @@ for conn in connections: if ip == id: id = None enc, hash, dh, bytes_in, bytes_out = parse_ike_line(status) + + # Convert bytes to human-readable units + bytes_in = hurry.filesize.size(bytes_in) + bytes_out = hurry.filesize.size(bytes_out) + status_line = [conn, "up", time, "{0}/{1}".format(bytes_in, bytes_out), ip, id, "{0}/{1}/{2}".format(enc, hash, dh)] except Exception as e: print(status) -- cgit v1.2.3
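Review bot: `hurry.filesize.size(bytes_in)` receives the raw regex group, a `str` (the pattern captures `(\d+)`), or `None` when parse_ike_line matched nothing; if `size()` compares its argument against integer thresholds, as its purpose suggests (its implementation is not visible here, confirm), a str raises TypeError on Python 3 and so does None, and the surrounding `except Exception` then prints the raw status instead of the table row for every established SA. Convert explicitly and tolerate the unparsed case: `bytes_in = hurry.filesize.size(int(bytes_in)) if bytes_in is not None else None` and the same for `bytes_out`. The enclosing `for conn in connections` loop and its `try` begin outside the hunk.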