diff options
16 files changed, 154 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am index ec9ca5fc..434de372 100644 --- a/Makefile.am +++ b/Makefile.am @@ -13,6 +13,7 @@ sbin_SCRIPTS += scripts/vyatta-gateway-static_route-check.pl sbin_SCRIPTS += scripts/vyatta-link-detect sbin_SCRIPTS += scripts/vyatta-next-hop-check sbin_SCRIPTS += scripts/vyatta-update-static-route.pl +sbin_SCRIPTS += scripts/vyos-update-rpki-cache.py bin_sudo_users_SCRIPTS = scripts/vyatta-static-dhcp.pl diff --git a/scripts/vyos-update-rpki-cache.py b/scripts/vyos-update-rpki-cache.py new file mode 100644 index 00000000..1b5bee96 --- /dev/null +++ b/scripts/vyos-update-rpki-cache.py @@ -0,0 +1,88 @@ +#!/usr/bin/env python3 + +import sys +import subprocess + +import vyos.config + + +base_path = "protocols rpki " + +def create_cache(c, cache): + new_port = c.return_value(base_path + "cache {0} port".format(cache)) + new_addr = c.return_value(base_path + "cache {0} address".format(cache)) + new_pref = c.return_value(base_path + "cache {0} preference".format(cache)) + + ssh = False + if c.exists(base_path + "cache {0} ssh".format(cache)): + ssh = True + new_user = c.return_value(base_path + "cache {0} ssh username".format(cache)) + new_pubkey = c.return_value(base_path + "cache {0} ssh public-key-file".format(cache)) + new_privkey = c.return__value(base_path + "cache {0} ssh private-key-file".format(cache)) + new_known_hosts = c.return_value(base_path + "cache {0} ssh known-hosts-file".format(cache)) + + if (not new_user) or (not new_pubkey) or (not new_privkey) or (not new_known_hosts): + print("If SSH is used for RPKI cache, username, public/private keys, and known hosts file must be defined") + sys.exit(1) + + if (not new_addr) or (not new_port): + print("Address and port must be defined for RPKI cache servers") + sys.exit(1) + + if not new_pref: + new_pref = 1 + + if ssh: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'rpki cache {0} {1} {2} {3} {4} {5} preference {6}' """.format(new_addr, new_port, new_user, new_privkey, new_pubkey, new_known_hosts, new_pref), shell=True) + else: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'rpki cache {0} {1} preference {2}' """.format(new_addr, new_port, new_pref), shell=True) + +def delete_cache(c, cache): + ssh = False + if c.exists_effective(base_path + "cache {0} ssh".format(cache)): + ssh = True + user = c.return_effective_value(base_path + "cache {0} ssh username".format(cache)) + pubkey = c.return_effective_value(base_path + "cache {0} ssh public-key-file".format(cache)) + privkey = c.return_effective_value(base_path + "cache {0} ssh private-key-file".format(cache)) + known_hosts = c.return_effective_value(base_path + "cache {0} ssh known-hosts-file".format(cache)) + + port = c.return_effective_value(base_path + "cache {0} port".format(cache)) + addr = c.return_effective_value(base_path + "cache {0} address".format(cache)) + pref = c.return_effective_value(base_path + "cache {0} preference".format(cache)) + + if not pref: + pref = 1 + + if ssh: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'no rpki cache {0} {1} {2} {3} {4} {5} preference {6}' """.format(addr, port, user, privkey, pubkey, known_hosts, pref), shell=True) + else: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'no rpki cache {0} {1} preference {2}' """.format(addr, port, pref), shell=True) + + +config = vyos.config.Config() + +caches = config.list_nodes(base_path + "cache") +orig_caches = config.list_effective_nodes(base_path + "cache") + +# RPKI caches can only be manipulated when RPKI is stopped +print("Stopping RPKI") +subprocess.call(""" vtysh -c 'rpki stop' """, shell=True) + +if not caches: + for cache in orig_caches: + delete_cache(config, cache) +else: + for cache in caches: + if cache in orig_caches: + delete_cache(config, cache) + create_cache(config, cache) + + for cache in orig_caches: + if not cache in caches: + # No longer exists + delete_cache(config, cache) + +if caches: + print("Starting RPKI") + subprocess.call(""" vtysh -c 'rpki start' """, shell=True) + diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/rpki/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/rpki/node.def new file mode 100644 index 00000000..3b1f8b47 --- /dev/null +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/rpki/node.def @@ -0,0 +1,15 @@ +type: txt +help: Match RPKI validation result + +syntax:expression: $VAR(@) in "notfound", "invalid", "valid"; "Must be either notfound, invalid, or valid" + +commit:expression: $VAR(../../action/) != ""; "You must specify an action" + +update: vtysh -c "configure terminal" \ + -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ + -c "match rpki $VAR(@)" + +delete: vtysh -c "configure terminal" \ + -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ + -c "no match rpki $VAR(@)" + diff --git a/templates/protocols/rpki/cache/node.def b/templates/protocols/rpki/cache/node.def new file mode 100644 index 00000000..f28cf2c6 --- /dev/null +++ b/templates/protocols/rpki/cache/node.def @@ -0,0 +1,3 @@ +tag: +type: txt +help: RPKI cache server instance diff --git a/templates/protocols/rpki/cache/node.tag/address/node.def b/templates/protocols/rpki/cache/node.tag/address/node.def new file mode 100644 index 00000000..de110206 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/address/node.def @@ -0,0 +1,2 @@ +type: txt +help: RPKI cache server address diff --git a/templates/protocols/rpki/cache/node.tag/port/node.def b/templates/protocols/rpki/cache/node.tag/port/node.def new file mode 100644 index 00000000..e97c2477 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/port/node.def @@ -0,0 +1,3 @@ +type: u32 +help: TCP port number +val_help: u32:1-65535; TCP port number diff --git a/templates/protocols/rpki/cache/node.tag/ssh/known-hosts-file/node.def b/templates/protocols/rpki/cache/node.tag/ssh/known-hosts-file/node.def new file mode 100644 index 00000000..40f2c3dc --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/known-hosts-file/node.def @@ -0,0 +1,5 @@ +type: txt +help: RPKI SSH known hosts file + +syntax:expression: exec "test -f $VAR(@)"; "Must be an existing file path" + diff --git a/templates/protocols/rpki/cache/node.tag/ssh/node.def b/templates/protocols/rpki/cache/node.tag/ssh/node.def new file mode 100644 index 00000000..2fb48499 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/node.def @@ -0,0 +1 @@ +help: RPKI SSH connection settings diff --git a/templates/protocols/rpki/cache/node.tag/ssh/private-key-file/node.def b/templates/protocols/rpki/cache/node.tag/ssh/private-key-file/node.def new file mode 100644 index 00000000..8cfb580f --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/private-key-file/node.def @@ -0,0 +1,5 @@ +type: txt +help: RPKI SSH private key file + +syntax:expression: exec "test -f $VAR(@)"; "Must be an existing file path" + diff --git a/templates/protocols/rpki/cache/node.tag/ssh/public-key-file/node.def b/templates/protocols/rpki/cache/node.tag/ssh/public-key-file/node.def new file mode 100644 index 00000000..31de9562 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/public-key-file/node.def @@ -0,0 +1,4 @@ +type: txt +help: RPKI SSH public key file path + +syntax:expression: exec "test -f $VAR(@)"; "Must be an existing file path" diff --git a/templates/protocols/rpki/cache/node.tag/ssh/username/node.def b/templates/protocols/rpki/cache/node.tag/ssh/username/node.def new file mode 100644 index 00000000..4391509d --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/username/node.def @@ -0,0 +1,2 @@ +type: txt +help: RPKI SSH username diff --git a/templates/protocols/rpki/initial-synchronization-timeout/node.def b/templates/protocols/rpki/initial-synchronization-timeout/node.def new file mode 100644 index 00000000..43d2016f --- /dev/null +++ b/templates/protocols/rpki/initial-synchronization-timeout/node.def @@ -0,0 +1,7 @@ +type: u32 +help: Initial RPKI cache synchronization timeout + +create: vtysh -c 'conf t' -c 'rpki' -c 'rpki initial-synchronisation-timeout $VAR(@)' +update: vtysh -c 'conf t' -c 'rpki' -c 'rpki initial-synchronisation-timeout $VAR(@)' +delete: vtysh -c 'conf t' -c 'rpki' -c 'no rpki initial-synchronisation-timeout' + diff --git a/templates/protocols/rpki/node.def b/templates/protocols/rpki/node.def new file mode 100644 index 00000000..28d77a9e --- /dev/null +++ b/templates/protocols/rpki/node.def @@ -0,0 +1,3 @@ +help: BGP prefix origin validation + +end: ${vyatta_sbindir}/vyos-update-rpki-cache.py diff --git a/templates/protocols/rpki/polling-period/node.def b/templates/protocols/rpki/polling-period/node.def new file mode 100644 index 00000000..ee8d0a2d --- /dev/null +++ b/templates/protocols/rpki/polling-period/node.def @@ -0,0 +1,7 @@ +type: u32 +help: RPKI cache polling period +val_help: u32:1-1300; Polling period + +create: vtysh -c 'conf t' -c 'rpki' -c 'rpki polling_period $VAR(@)' +update: vtysh -c 'conf t' -c 'rpki' -c 'rpki polling_period $VAR(@)' +delete: vtysh -c 'conf t' -c 'rpki' -c 'no rpki polling_period' diff --git a/templates/protocols/rpki/preference/node.def b/templates/protocols/rpki/preference/node.def new file mode 100644 index 00000000..f946fc0b --- /dev/null +++ b/templates/protocols/rpki/preference/node.def @@ -0,0 +1,2 @@ +type: u32 +help: RPKI cache preference diff --git a/templates/protocols/rpki/timeout/node.def b/templates/protocols/rpki/timeout/node.def new file mode 100644 index 00000000..2ea31cbf --- /dev/null +++ b/templates/protocols/rpki/timeout/node.def @@ -0,0 +1,6 @@ +type: u32 +help: RPKI cache reply timeout + +create: vtysh -c 'conf t' -c 'rpki' -c 'rpki timeout $VAR(@)' +update: vtysh -c 'conf t' -c 'rpki' -c 'rpki timeout $VAR(@)' +delete: vtysh -c 'conf t' -c 'rpki' -c 'no rpki timeout' |