#!/usr/bin/env python3 # # Copyright (C) 2021-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os import re import sys import vyos.ipsec from json import loads from pathlib import Path from vyos.logger import getLogger from vyos.utils.process import cmd from vyos.utils.process import process_named_running NHRP_CONFIG: str = '/run/opennhrp/opennhrp.conf' def vici_get_ipsec_uniqueid(conn: str, src_nbma: str, dst_nbma: str) -> list[str]: """ Find and return IKE SAs by src nbma and dst nbma Args: conn (str): a connection name src_nbma (str): an IP address of NBMA source dst_nbma (str): an IP address of NBMA destination Returns: list: a list of IKE connections that match a criteria """ if not conn or not src_nbma or not dst_nbma: logger.error( f'Incomplete input data for resolving IKE unique ids: ' f'conn: {conn}, src_nbma: {src_nbma}, dst_nbma: {dst_nbma}') return [] try: logger.info( f'Resolving IKE unique ids for: conn: {conn}, ' f'src_nbma: {src_nbma}, dst_nbma: {dst_nbma}') list_ikeid: list[str] = [] list_sa: list = vyos.ipsec.get_vici_sas_by_name(conn, None) for sa in list_sa: if sa[conn]['local-host'].decode('ascii') == src_nbma \ and sa[conn]['remote-host'].decode('ascii') == dst_nbma: list_ikeid.append(sa[conn]['uniqueid'].decode('ascii')) return list_ikeid except Exception as err: logger.error(f'Unable to find unique ids for IKE: {err}') return [] def vici_ike_terminate(list_ikeid: list[str]) -> bool: """Terminating IKE SAs by list of IKE IDs Args: list_ikeid (list[str]): a list of IKE ids to terminate Returns: bool: result of termination action """ if not list: logger.warning('An empty list for termination was provided') return False try: vyos.ipsec.terminate_vici_ikeid_list(list_ikeid) return True except Exception as err: logger.error(f'Failed to terminate SA for IKE ids {list_ikeid}: {err}') return False def parse_type_ipsec(interface: str) -> tuple[str, str]: """Get DMVPN Type and NHRP Profile from the configuration Args: interface (str): a name of interface Returns: tuple[str, str]: `peer_type` and `profile_name` """ if not interface: logger.error('Cannot find peer type - no input provided') return '', '' config_file: str = Path(NHRP_CONFIG).read_text() regex: str = rf'^interface {interface} #(?P<peer_type>hub|spoke) ?(?P<profile_name>[^\n]*)$' match = re.search(regex, config_file, re.M) if match: return match.groupdict()['peer_type'], match.groupdict()[ 'profile_name'] return '', '' def add_peer_route(nbma_src: str, nbma_dst: str, mtu: str) -> None: """Add a route to a NBMA peer Args: nbma_src (str): a local IP address nbma_dst (str): a remote IP address mtu (str): a MTU for a route """ logger.info(f'Adding route from {nbma_src} to {nbma_dst} with MTU {mtu}') # Find routes to a peer route_get_cmd: str = f'sudo ip --json route get {nbma_dst} from {nbma_src}' try: route_info_data = loads(cmd(route_get_cmd)) except Exception as err: logger.error(f'Unable to find a route to {nbma_dst}: {err}') return # Check if an output has an expected format if not isinstance(route_info_data, list): logger.error( f'Garbage returned from the "{route_get_cmd}" ' f'command: {route_info_data}') return # Add static routes to a peer for route_item in route_info_data: route_dev = route_item.get('dev') route_dst = route_item.get('dst') route_gateway = route_item.get('gateway') # Prepare a command to add a route route_add_cmd = 'sudo ip route add' if route_dst: route_add_cmd = f'{route_add_cmd} {route_dst}' if route_gateway: route_add_cmd = f'{route_add_cmd} via {route_gateway}' if route_dev: route_add_cmd = f'{route_add_cmd} dev {route_dev}' route_add_cmd = f'{route_add_cmd} proto 42 mtu {mtu}' # Add a route try: cmd(route_add_cmd) except Exception as err: logger.error( f'Unable to add a route using command "{route_add_cmd}": ' f'{err}') def vici_initiate(conn: str, child_sa: str, src_addr: str, dest_addr: str) -> bool: """Initiate IKE SA connection with specific peer Args: conn (str): an IKE connection name child_sa (str): a child SA profile name src_addr (str): NBMA local address dest_addr (str): NBMA address of a peer Returns: bool: a result of initiation command """ logger.info( f'Trying to initiate connection. Name: {conn}, child sa: {child_sa}, ' f'src_addr: {src_addr}, dst_addr: {dest_addr}') try: vyos.ipsec.vici_initiate(conn, child_sa, src_addr, dest_addr) return True except Exception as err: logger.error(f'Unable to initiate connection {err}') return False def vici_terminate(conn: str, src_addr: str, dest_addr: str) -> None: """Find and terminate IKE SAs by local NBMA and remote NBMA addresses Args: conn (str): IKE connection name src_addr (str): NBMA local address dest_addr (str): NBMA address of a peer """ logger.info( f'Terminating IKE connection {conn} between {src_addr} ' f'and {dest_addr}') ikeid_list: list[str] = vici_get_ipsec_uniqueid(conn, src_addr, dest_addr) if not ikeid_list: logger.warning( f'No active sessions found for IKE profile {conn}, ' f'local NBMA {src_addr}, remote NBMA {dest_addr}') else: try: vyos.ipsec.terminate_vici_ikeid_list(ikeid_list) except Exception as err: logger.error( f'Failed to terminate SA for IKE ids {ikeid_list}: {err}') def iface_up(interface: str) -> None: """Proceed tunnel interface UP event Args: interface (str): an interface name """ if not interface: logger.warning('No interface name provided for UP event') logger.info(f'Turning up interface {interface}') try: cmd(f'sudo ip route flush proto 42 dev {interface}') cmd(f'sudo ip neigh flush dev {interface}') except Exception as err: logger.error( f'Unable to flush route on interface "{interface}": {err}') def peer_up(dmvpn_type: str, conn: str) -> None: """Proceed NHRP peer UP event Args: dmvpn_type (str): a type of peer conn (str): an IKE profile name """ logger.info(f'Peer UP event for {dmvpn_type} using IKE profile {conn}') src_nbma = os.getenv('NHRP_SRCNBMA') dest_nbma = os.getenv('NHRP_DESTNBMA') dest_mtu = os.getenv('NHRP_DESTMTU') if not src_nbma or not dest_nbma: logger.error( f'Can not get NHRP NBMA addresses: local {src_nbma}, ' f'remote {dest_nbma}') return logger.info(f'NBMA addresses: local {src_nbma}, remote {dest_nbma}') if dest_mtu: add_peer_route(src_nbma, dest_nbma, dest_mtu) if conn and dmvpn_type == 'spoke' and process_named_running('charon'): vici_terminate(conn, src_nbma, dest_nbma) vici_initiate(conn, 'dmvpn', src_nbma, dest_nbma) def peer_down(dmvpn_type: str, conn: str) -> None: """Proceed NHRP peer DOWN event Args: dmvpn_type (str): a type of peer conn (str): an IKE profile name """ logger.info(f'Peer DOWN event for {dmvpn_type} using IKE profile {conn}') src_nbma = os.getenv('NHRP_SRCNBMA') dest_nbma = os.getenv('NHRP_DESTNBMA') if not src_nbma or not dest_nbma: logger.error( f'Can not get NHRP NBMA addresses: local {src_nbma}, ' f'remote {dest_nbma}') return logger.info(f'NBMA addresses: local {src_nbma}, remote {dest_nbma}') if conn and dmvpn_type == 'spoke' and process_named_running('charon'): vici_terminate(conn, src_nbma, dest_nbma) try: cmd(f'sudo ip route del {dest_nbma} src {src_nbma} proto 42') except Exception as err: logger.error( f'Unable to del route from {src_nbma} to {dest_nbma}: {err}') def route_up(interface: str) -> None: """Proceed NHRP route UP event Args: interface (str): an interface name """ logger.info(f'Route UP event for interface {interface}') dest_addr = os.getenv('NHRP_DESTADDR') dest_prefix = os.getenv('NHRP_DESTPREFIX') next_hop = os.getenv('NHRP_NEXTHOP') if not dest_addr or not dest_prefix or not next_hop: logger.error( f'Can not get route details: dest_addr {dest_addr}, ' f'dest_prefix {dest_prefix}, next_hop {next_hop}') return logger.info( f'Route details: dest_addr {dest_addr}, dest_prefix {dest_prefix}, ' f'next_hop {next_hop}') try: cmd(f'sudo ip route replace {dest_addr}/{dest_prefix} proto 42 \ via {next_hop} dev {interface}') cmd('sudo ip route flush cache') except Exception as err: logger.error( f'Unable replace or flush route to {dest_addr}/{dest_prefix} ' f'via {next_hop} dev {interface}: {err}') def route_down(interface: str) -> None: """Proceed NHRP route DOWN event Args: interface (str): an interface name """ logger.info(f'Route DOWN event for interface {interface}') dest_addr = os.getenv('NHRP_DESTADDR') dest_prefix = os.getenv('NHRP_DESTPREFIX') if not dest_addr or not dest_prefix: logger.error( f'Can not get route details: dest_addr {dest_addr}, ' f'dest_prefix {dest_prefix}') return logger.info( f'Route details: dest_addr {dest_addr}, dest_prefix {dest_prefix}') try: cmd(f'sudo ip route del {dest_addr}/{dest_prefix} proto 42') cmd('sudo ip route flush cache') except Exception as err: logger.error( f'Unable delete or flush route to {dest_addr}/{dest_prefix}: ' f'{err}') if __name__ == '__main__': logger = getLogger('opennhrp-script', syslog=True) logger.debug( f'Running script with arguments: {sys.argv}, ' f'environment: {os.environ}') action = sys.argv[1] interface = os.getenv('NHRP_INTERFACE') if not interface: logger.error('Can not get NHRP interface name') sys.exit(1) dmvpn_type, profile_name = parse_type_ipsec(interface) if not dmvpn_type: logger.info(f'Interface {interface} is not NHRP tunnel') sys.exit() dmvpn_conn: str = '' if profile_name: dmvpn_conn: str = f'dmvpn-{profile_name}-{interface}' if action == 'interface-up': iface_up(interface) elif action == 'peer-register': pass elif action == 'peer-up': peer_up(dmvpn_type, dmvpn_conn) elif action == 'peer-down': peer_down(dmvpn_type, dmvpn_conn) elif action == 'route-up': route_up(interface) elif action == 'route-down': route_down(interface) sys.exit()