From 0e982a55a93e383326f6d92699778d55712343ef Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 16 Dec 2018 16:18:50 +0100 Subject: T1093: syntax correction for FRR's "no set community". --- .../policy/route-map/node.tag/rule/node.tag/set/community/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/community/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/community/node.def index 41029366..ccb033fc 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/set/community/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/community/node.def @@ -17,4 +17,4 @@ update: vtysh -c "configure terminal" \ delete: vtysh -c "configure terminal" \ -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ - -c "no set community " + -c "no set community $VAR(@)" -- cgit v1.2.3 From e663ba7c320132ee21ad6ef3d6141700428f057c Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 16 Dec 2018 16:30:49 +0100 Subject: T1072: allow named community-list in route-map rules. --- .../node.tag/rule/node.tag/match/community/community-list/node.def | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/community/community-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/community/community-list/node.def index 17037274..af997b3b 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/community/community-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/community/community-list/node.def @@ -1,6 +1,4 @@ -type: u32 +type: txt help: BGP community-list to match -val_help: u32:1-99; BGP community list (standard) -val_help: u32:100-500; BGP community list (expanded) commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy community-list $VAR(@)\" "; "community-list $VAR(@) doesn't exist" -- cgit v1.2.3 
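Review bot: Replacing `type: u32` with `type: txt` in match/community/community-list/node.def without adding a `syntax:expression` means any string now reaches the unchanged `commit:expression: exec "... --exists \"policy community-list $VAR(@)\" "`, where the value is expanded inside a shell command and the escaped double quotes are its only protection. A name containing `"`, `$(` or a backtick would break out of that quoting at commit time, and the two removed `val_help` lines leave completion with no hint of what a valid name looks like. Add a pattern check ahead of the existence check, `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_-]+$" ; "Community-list name may only contain letters, digits, '-' and '_'"`, and a `val_help: txt; Name of a configured community-list` line in its place.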
From 6d49b646a1cd4840621e9d07a0431c87eeec2482 Mon Sep 17 00:00:00 2001 
From: Daniil Baturin Date: Sun, 16 Dec 2018 23:39:23 +0100 Subject: T865: prototype RPKI implementation. --- Makefile.am | 1 + scripts/vyos-update-rpki-cache.py | 88 ++++++++++++++++++++++ .../node.tag/rule/node.tag/match/rpki/node.def | 15 ++++ templates/protocols/rpki/cache/node.def | 3 + .../protocols/rpki/cache/node.tag/address/node.def | 2 + .../protocols/rpki/cache/node.tag/port/node.def | 3 + .../cache/node.tag/ssh/known-hosts-file/node.def | 5 ++ .../protocols/rpki/cache/node.tag/ssh/node.def | 1 + .../cache/node.tag/ssh/private-key-file/node.def | 5 ++ .../cache/node.tag/ssh/public-key-file/node.def | 4 + .../rpki/cache/node.tag/ssh/username/node.def | 2 + .../rpki/initial-synchronization-timeout/node.def | 7 ++ templates/protocols/rpki/node.def | 3 + templates/protocols/rpki/polling-period/node.def | 7 ++ templates/protocols/rpki/preference/node.def | 2 + templates/protocols/rpki/timeout/node.def | 6 ++ 16 files changed, 154 insertions(+) create mode 100644 scripts/vyos-update-rpki-cache.py create mode 100644 templates/policy/route-map/node.tag/rule/node.tag/match/rpki/node.def create mode 100644 templates/protocols/rpki/cache/node.def create mode 100644 templates/protocols/rpki/cache/node.tag/address/node.def create mode 100644 templates/protocols/rpki/cache/node.tag/port/node.def create mode 100644 templates/protocols/rpki/cache/node.tag/ssh/known-hosts-file/node.def create mode 100644 templates/protocols/rpki/cache/node.tag/ssh/node.def create mode 100644 templates/protocols/rpki/cache/node.tag/ssh/private-key-file/node.def create mode 100644 templates/protocols/rpki/cache/node.tag/ssh/public-key-file/node.def create mode 100644 templates/protocols/rpki/cache/node.tag/ssh/username/node.def create mode 100644 templates/protocols/rpki/initial-synchronization-timeout/node.def create mode 100644 templates/protocols/rpki/node.def create mode 100644 templates/protocols/rpki/polling-period/node.def create mode 100644 
templates/protocols/rpki/preference/node.def create mode 100644 templates/protocols/rpki/timeout/node.def diff --git a/Makefile.am b/Makefile.am index ec9ca5fc..434de372 100644 --- a/Makefile.am +++ b/Makefile.am @@ -13,6 +13,7 @@ sbin_SCRIPTS += scripts/vyatta-gateway-static_route-check.pl sbin_SCRIPTS += scripts/vyatta-link-detect sbin_SCRIPTS += scripts/vyatta-next-hop-check sbin_SCRIPTS += scripts/vyatta-update-static-route.pl +sbin_SCRIPTS += scripts/vyos-update-rpki-cache.py bin_sudo_users_SCRIPTS = scripts/vyatta-static-dhcp.pl diff --git a/scripts/vyos-update-rpki-cache.py b/scripts/vyos-update-rpki-cache.py new file mode 100644 index 00000000..1b5bee96 --- /dev/null +++ b/scripts/vyos-update-rpki-cache.py 
@@ -0,0 +1,88 @@ +#!/usr/bin/env python3 + +import sys +import subprocess + +import vyos.config + + +base_path = "protocols rpki " + +def create_cache(c, cache): + new_port = c.return_value(base_path + "cache {0} port".format(cache)) + new_addr = c.return_value(base_path + "cache {0} address".format(cache)) + new_pref = c.return_value(base_path + "cache {0} preference".format(cache)) + + ssh = False + if c.exists(base_path + "cache {0} ssh".format(cache)): + ssh = True + new_user = c.return_value(base_path + "cache {0} ssh username".format(cache)) + new_pubkey = c.return_value(base_path + "cache {0} ssh public-key-file".format(cache)) + new_privkey = c.return__value(base_path + "cache {0} ssh private-key-file".format(cache)) + new_known_hosts = c.return_value(base_path + "cache {0} ssh known-hosts-file".format(cache)) + + if (not new_user) or (not new_pubkey) or (not new_privkey) or (not new_known_hosts): + print("If SSH is used for RPKI cache, username, public/private keys, and known hosts file must be defined") + sys.exit(1) + + if (not new_addr) or (not new_port): + print("Address and port must be defined for RPKI cache servers") + sys.exit(1) + + if not new_pref: + new_pref = 1 + + if ssh: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'rpki cache {0} {1} {2} {3} {4} {5} preference {6}' """.format(new_addr, new_port, new_user, new_privkey, new_pubkey, new_known_hosts, new_pref), shell=True) + else: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'rpki cache {0} {1} preference {2}' """.format(new_addr, new_port, new_pref), shell=True) + +def delete_cache(c, cache): + ssh = False + if c.exists_effective(base_path + "cache {0} ssh".format(cache)): + ssh = True + user = c.return_effective_value(base_path + "cache {0} ssh username".format(cache)) + pubkey = c.return_effective_value(base_path + "cache {0} ssh public-key-file".format(cache)) + privkey = c.return_effective_value(base_path + "cache {0} ssh private-key-file".format(cache)) + known_hosts = 
c.return_effective_value(base_path + "cache {0} ssh known-hosts-file".format(cache)) + + port = c.return_effective_value(base_path + "cache {0} port".format(cache)) + addr = c.return_effective_value(base_path + "cache {0} address".format(cache)) + pref = c.return_effective_value(base_path + "cache {0} preference".format(cache)) + + if not pref: + pref = 1 + + if ssh: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'no rpki cache {0} {1} {2} {3} {4} {5} preference {6}' """.format(addr, port, user, privkey, pubkey, known_hosts, pref), shell=True) + else: + subprocess.call(""" vtysh -c 'conf t' -c 'rpki' -c 'no rpki cache {0} {1} preference {2}' """.format(addr, port, pref), shell=True) + + +config = vyos.config.Config() + +caches = config.list_nodes(base_path + "cache") +orig_caches = config.list_effective_nodes(base_path + "cache") + +# RPKI caches can only be manipulated when RPKI is stopped +print("Stopping RPKI") +subprocess.call(""" vtysh -c 'rpki stop' """, shell=True) + +if not caches: + for cache in orig_caches: + delete_cache(config, cache) +else: + for cache in caches: + if cache in orig_caches: + delete_cache(config, cache) + create_cache(config, cache) + + for cache in orig_caches: + if not cache in caches: + # No longer exists + delete_cache(config, cache) + +if caches: + print("Starting RPKI") + subprocess.call(""" vtysh -c 'rpki start' """, shell=True) + diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/rpki/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/rpki/node.def new file mode 100644 index 00000000..3b1f8b47 --- /dev/null +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/rpki/node.def 
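Review bot: `new_privkey = c.return__value(...)` in create_cache uses a double underscore, which is not the method the rest of the script calls on the config object, so any commit with `ssh` configured will presumably raise AttributeError before the presence checks below it run; it should be `c.return_value(...)`. The two `subprocess.call(..., shell=True)` lines in create_cache and the matching pair in delete_cache also splice the address, username, key paths and known-hosts path into a single-quoted shell string, so a value containing `'` breaks the quoting, and the node templates in this commit only verify that the files exist. Both functions further read `cache <name> preference`, but this commit only defines `protocols rpki preference` at the top level, so that lookup always comes back empty and every cache is configured with preference 1. Passing an argument list keeps the shell out of the path; the rewrite below shows it for create_cache and delete_cache should be changed the same way.
```python
def create_cache(c, cache):
    # … unchanged: reading port/address/preference and the ssh sub-nodes …
    new_privkey = c.return_value(base_path + "cache {0} ssh private-key-file".format(cache))
    # … unchanged: presence checks and default preference …
    if ssh:
        rpki_cmd = "rpki cache {0} {1} {2} {3} {4} {5} preference {6}".format(
            new_addr, new_port, new_user, new_privkey, new_pubkey, new_known_hosts, new_pref)
    else:
        rpki_cmd = "rpki cache {0} {1} preference {2}".format(new_addr, new_port, new_pref)
    # Argument list, no shell: config values cannot break out into a shell command.
    subprocess.call(["vtysh", "-c", "conf t", "-c", "rpki", "-c", rpki_cmd])
```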
@@ -0,0 +1,15 @@ +type: txt +help: Match RPKI validation result + +syntax:expression: $VAR(@) in "notfound", "invalid", "valid"; "Must be either notfound, invalid, or valid" + +commit:expression: $VAR(../../action/) != ""; "You must specify an action" + +update: vtysh -c "configure terminal" \ + -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ + -c "match rpki $VAR(@)" + +delete: vtysh -c "configure terminal" \ + -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ + -c "no match rpki $VAR(@)" + diff --git a/templates/protocols/rpki/cache/node.def b/templates/protocols/rpki/cache/node.def new file mode 100644 index 00000000..f28cf2c6 --- /dev/null +++ b/templates/protocols/rpki/cache/node.def @@ -0,0 +1,3 @@ +tag: +type: txt +help: RPKI cache server instance diff --git a/templates/protocols/rpki/cache/node.tag/address/node.def b/templates/protocols/rpki/cache/node.tag/address/node.def new file mode 100644 index 00000000..de110206 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/address/node.def @@ -0,0 +1,2 @@ +type: txt +help: RPKI cache server address diff --git a/templates/protocols/rpki/cache/node.tag/port/node.def b/templates/protocols/rpki/cache/node.tag/port/node.def new file mode 100644 index 00000000..e97c2477 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/port/node.def @@ -0,0 +1,3 @@ +type: u32 +help: TCP port number +val_help: u32:1-65535; TCP port number diff --git a/templates/protocols/rpki/cache/node.tag/ssh/known-hosts-file/node.def b/templates/protocols/rpki/cache/node.tag/ssh/known-hosts-file/node.def new file mode 100644 index 00000000..40f2c3dc --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/known-hosts-file/node.def @@ -0,0 +1,5 @@ +type: txt +help: RPKI SSH known hosts file + +syntax:expression: exec "test -f $VAR(@)"; "Must be an existing file path" + 
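Review bot: cache/node.tag/address/node.def accepts any text, and that value is the first token the new scripts/vyos-update-rpki-cache.py interpolates into its `rpki cache ...` vtysh command, so nothing in this commit constrains what ends up there. Restrict it to the characters an address or host name can contain, `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9.:_-]+$" ; "Must be an IP address or host name"`, and add `val_help: txt; IP address or host name of the RPKI cache server` so completion shows the expected form.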
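Review bot: `val_help: u32:1-65535` in cache/node.tag/port/node.def is only a completion hint; with plain `type: u32` the template accepts 0 and values above 65535, which then go straight into the `rpki cache <addr> <port>` command built by the script. Enforce the range in the template, `syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535 ; "Port must be between 1 and 65535"`, so the daemon never sees an out-of-range port.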
diff --git a/templates/protocols/rpki/cache/node.tag/ssh/node.def b/templates/protocols/rpki/cache/node.tag/ssh/node.def new file mode 100644 index 00000000..2fb48499 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/node.def @@ -0,0 +1 @@ +help: RPKI SSH connection settings diff --git a/templates/protocols/rpki/cache/node.tag/ssh/private-key-file/node.def b/templates/protocols/rpki/cache/node.tag/ssh/private-key-file/node.def new file mode 100644 index 00000000..8cfb580f --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/private-key-file/node.def @@ -0,0 +1,5 @@ +type: txt +help: RPKI SSH private key file + +syntax:expression: exec "test -f $VAR(@)"; "Must be an existing file path" + diff --git a/templates/protocols/rpki/cache/node.tag/ssh/public-key-file/node.def b/templates/protocols/rpki/cache/node.tag/ssh/public-key-file/node.def new file mode 100644 index 00000000..31de9562 --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/public-key-file/node.def @@ -0,0 +1,4 @@ +type: txt +help: RPKI SSH public key file path + +syntax:expression: exec "test -f $VAR(@)"; "Must be an existing file path" diff --git a/templates/protocols/rpki/cache/node.tag/ssh/username/node.def b/templates/protocols/rpki/cache/node.tag/ssh/username/node.def new file mode 100644 index 00000000..4391509d --- /dev/null +++ b/templates/protocols/rpki/cache/node.tag/ssh/username/node.def @@ -0,0 +1,2 @@ +type: txt +help: RPKI SSH username diff --git a/templates/protocols/rpki/initial-synchronization-timeout/node.def b/templates/protocols/rpki/initial-synchronization-timeout/node.def new file mode 100644 index 00000000..43d2016f --- /dev/null +++ b/templates/protocols/rpki/initial-synchronization-timeout/node.def 
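Review bot: `syntax:expression: exec "test -f $VAR(@)"` in ssh/private-key-file/node.def expands the operator-supplied path unquoted inside a shell command, so a path containing spaces fails the check and one containing `;` runs whatever follows it as a command; it also only proves the file exists, not that it can be read. Quote the expansion and test readability, `syntax:expression: exec "test -r \"$VAR(@)\""; "Must be a readable file path"`, and apply the same change to the public-key-file and known-hosts-file templates, which use the identical line. Whether the routing daemon that later opens this key runs with permission to read it is not verified here; a comment such as `# the key file must be readable by the FRR daemon, not only by the user running commit` would flag that for operators.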
@@ -0,0 +1,7 @@ +type: u32 +help: Initial RPKI cache synchronization timeout + +create: vtysh -c 'conf t' -c 'rpki' -c 'rpki initial-synchronisation-timeout $VAR(@)' +update: vtysh -c 'conf t' -c 'rpki' -c 'rpki initial-synchronisation-timeout $VAR(@)' +delete: vtysh -c 'conf t' -c 'rpki' -c 'no rpki initial-synchronisation-timeout' + diff --git a/templates/protocols/rpki/node.def b/templates/protocols/rpki/node.def new file mode 100644 index 00000000..28d77a9e --- /dev/null +++ b/templates/protocols/rpki/node.def @@ -0,0 +1,3 @@ +help: BGP prefix origin validation + +end: ${vyatta_sbindir}/vyos-update-rpki-cache.py diff --git a/templates/protocols/rpki/polling-period/node.def b/templates/protocols/rpki/polling-period/node.def new file mode 100644 index 00000000..ee8d0a2d --- /dev/null +++ b/templates/protocols/rpki/polling-period/node.def @@ -0,0 +1,7 @@ +type: u32 +help: RPKI cache polling period +val_help: u32:1-1300; Polling period + +create: vtysh -c 'conf t' -c 'rpki' -c 'rpki polling_period $VAR(@)' +update: vtysh -c 'conf t' -c 'rpki' -c 'rpki polling_period $VAR(@)' +delete: vtysh -c 'conf t' -c 'rpki' -c 'no rpki polling_period' diff --git a/templates/protocols/rpki/preference/node.def b/templates/protocols/rpki/preference/node.def new file mode 100644 index 00000000..f946fc0b --- /dev/null +++ b/templates/protocols/rpki/preference/node.def @@ -0,0 +1,2 @@ +type: u32 +help: RPKI cache preference diff --git a/templates/protocols/rpki/timeout/node.def b/templates/protocols/rpki/timeout/node.def new file mode 100644 index 00000000..2ea31cbf --- /dev/null +++ b/templates/protocols/rpki/timeout/node.def @@ -0,0 +1,6 @@ +type: u32 +help: RPKI cache reply timeout + +create: vtysh -c 'conf t' -c 'rpki' -c 'rpki timeout $VAR(@)' +update: vtysh -c 'conf t' -c 'rpki' -c 'rpki timeout $VAR(@)' +delete: vtysh -c 'conf t' -c 'rpki' -c 'no rpki timeout' -- cgit v1.2.3 From 206f85c4426821033f5a31fd22c5b8b0cab9e06d Mon Sep 17 00:00:00 2001 
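Review bot: templates/protocols/rpki/preference/node.def defines `protocols rpki preference` with no create, update or delete action, while scripts/vyos-update-rpki-cache.py reads preference from `protocols rpki cache <name> preference`, a path this commit never creates, so setting this node has no effect and every cache is configured with preference 1. Move the file to `templates/protocols/rpki/cache/node.tag/preference/node.def` so the script's lookup finds it, and add `val_help: u32:1-255; Preference of this cache server (lower is preferred)` or whatever range FRR accepts, hedged here since the accepted range is not visible in this diff.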
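Review bot: `val_help: u32:1-1300` in polling-period/node.def is a completion hint only, so with plain `type: u32` a value of 0 or above 1300 is accepted and passed to `rpki polling_period $VAR(@)` unchecked. Add `syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 1300 ; "Polling period must be between 1 and 1300"` to enforce the advertised range; the timeout and initial-synchronization-timeout templates have no `val_help` at all and would benefit from one.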
From: hagbard Date: Tue, 18 Dec 2018 11:13:47 -0800 Subject: Fixes: T1102: Disabling rp_filter don't work --- debian/changelog | 6 ++++++ interface-templates/ip/source-validation/node.def | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 8acdee3f..d2e5012d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-quagga (0.19.1+vyos2+current6) unstable; urgency=low + + * bugfix: T1102 - Disabling rp_filter don't work + + -- hagbard Tue, 18 Dec 2018 11:13:06 -0800 + vyatta-cfg-quagga (0.19.1+vyos2+current5) unstable; urgency=medium * Move IPv4-specific BGP options to "address-family ipv4-unicast" subtrees. diff --git a/interface-templates/ip/source-validation/node.def b/interface-templates/ip/source-validation/node.def index 2c8523d2..89aab874 100644 --- a/interface-templates/ip/source-validation/node.def +++ b/interface-templates/ip/source-validation/node.def @@ -34,12 +34,12 @@ update: fi echo "Global value is $global" fi - if [ -d /sys/class/net/$VAR(../@) ] ; then + if [ -d /sys/class/net/$VAR(../../@) ] ; then sudo sh -c "echo $new > \ /proc/sys/net/ipv4/conf/$IFNAME/rp_filter" fi delete: - if [ -d /sys/class/net/$VAR(../@) ] ; then + if [ -d /sys/class/net/$VAR(../../@) ] ; then sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/$IFNAME/rp_filter" fi -- cgit v1.2.3 From 49c5431359719c7949dd82515b3c321600434292 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Wed, 26 Dec 2018 07:34:23 +0100 Subject: T1122: move the misplaced check to where it belonds to allow deleting "set comm-list" statements. --- .../route-map/node.tag/rule/node.tag/set/comm-list/node.def | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def index 9ae67bc2..2438ee51 100644 
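Review bot: The corrected `-d /sys/class/net/$VAR(../../@)` test in both the `update:` and `delete:` branches of source-validation/node.def guards a write to `/proc/sys/net/ipv4/conf/$IFNAME/rp_filter`, so the existence check and the sysctl write name the interface through two different variables. `$IFNAME` is assigned outside this hunk, presumably from the same `$VAR(../../@)`; if the two ever differ the check passes or fails for the wrong interface. Using one name in both places, `if [ -d /sys/class/net/$IFNAME ] ; then`, removes the question, and a short comment, `# interface name is the tag node two levels up (interfaces <type> <name> ip source-validation)`, would explain the `../../@` path to the next reader. The `update:` script begins before this hunk.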
--- a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def @@ -1,15 +1,18 @@ help: Border Gateway Protocol (BGP) communities matching a community-list delete: touch /tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-set-comm-list.$PPID -end: if [ -z "$VAR(./comm-list/)" ]; then - echo You must configure a comm-list ; - exit 1 ; - fi ; +end: vtysh --noerror -c "configure terminal" \ -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ -c "no set comm-list " ; if [ -f "/tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-set-comm-list.$PPID" ]; then rm -rf /tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-set-comm-list.$PPID; else + if [ -z "$VAR(./comm-list/)" ]; then + echo You must configure a comm-list ; + exit 1 ; + fi ; + + # uncomment this when 2525 is fixed and comment out the subsequent call #if [ -n "$VAR(./delete/)" ]; then # cond="delete" ; -- cgit v1.2.3 From 6ec5b7dbe9154d252e39409b186c083aa272d76e Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Wed, 26 Dec 2018 07:42:14 +0100 Subject: T1138: disallow "set comm-list" statements without "delete" option and allow named community lists there. --- .../node.tag/rule/node.tag/set/comm-list/comm-list/node.def | 5 ++--- .../policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def | 4 ++++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def index 474528d6..a9d5b02e 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def 
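Review bot: In the `end:` script of set/comm-list/node.def, the relocated `if [ -z "$VAR(./comm-list/)" ]` check now runs after `vtysh --noerror ... -c "no set comm-list "` has already been sent, so a rule configured without a comm-list value fails the commit only after its existing `set comm-list` statement has been stripped from the running route-map. Checking for the marker file and validating before the vtysh call leaves the daemon untouched when the commit is going to be rejected, as sketched below. The `rm -rf` on a predictable `$PPID`-named path in /tmp is pre-existing; a comment explaining why a marker file rather than a shell variable is needed would help a later reader. The `end:` script continues past the end of this hunk.
```shell
end: if [ ! -f "/tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-set-comm-list.$PPID" ]; then
       if [ -z "$VAR(./comm-list/)" ]; then
         echo You must configure a comm-list ;
         exit 1 ;
       fi ;
     fi ;
     vtysh --noerror -c "configure terminal" \
       -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \
       -c "no set comm-list " ;
     # … unchanged: marker-file removal for delete, re-add of the statement otherwise …
```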
@@ -1,6 +1,5 @@ -type: u32 +type: txt help: BGP communities with a community-list -val_help: u32:1-99; BGP community list (standard) -val_help: u32:100-500; BGP community list (expanded) +allowed: cli-shell-api listNodes policy community-list commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy community-list $VAR(@)\""; "community list $VAR(@) does not exist" diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def index 2438ee51..90b22ba4 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def @@ -12,6 +12,10 @@ end: exit 1 ; fi ; + if [ -z "$VAR(./delete/)" ]; then + echo "set comm-list requires the delete option now" ; + exit 1 ; + fi ; # uncomment this when 2525 is fixed and comment out the subsequent call #if [ -n "$VAR(./delete/)" ]; then -- cgit v1.2.3 From 20188e78cd2b06708d6bb9203b4a0479c9e36b45 Mon Sep 17 00:00:00 2001 From: Jameson Finney Date: Wed, 26 Dec 2018 13:32:01 -0500 Subject: Fixed Typo: "Don not" to "Do not" --- templates/protocols/bgp/node.tag/peer-group/node.tag/passive/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/protocols/bgp/node.tag/peer-group/node.tag/passive/node.def b/templates/protocols/bgp/node.tag/peer-group/node.tag/passive/node.def index 24fedd17..9d5eefdc 100644 --- a/templates/protocols/bgp/node.tag/peer-group/node.tag/passive/node.def +++ b/templates/protocols/bgp/node.tag/peer-group/node.tag/passive/node.def @@ -1 +1 @@ -help: Don not intiate a session with this peer-group +help: Do not intiate a session with this peer-group -- cgit v1.2.3
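Review bot: `allowed: cli-shell-api listNodes policy community-list` in set/comm-list/comm-list/node.def only feeds tab completion; with `type: txt` and no `syntax:expression`, an arbitrary string is accepted and expanded inside the `exec "... --exists \"policy community-list $VAR(@)\""` shell command on the `commit:expression` line, where the escaped quotes are the only barrier. Add `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_-]+$" ; "Community-list name may only contain letters, digits, '-' and '_'"` so the existence check never sees shell metacharacters, and restore a `val_help: txt; Name of a configured community-list` line now that the numeric ranges are gone.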
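Review bot: The new help text in peer-group/node.tag/passive/node.def, `help: Do not intiate a session with this peer-group`, still misspells "initiate". The line should read `help: Do not initiate a session with this peer-group`.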