summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdrian Almenar <adrian@tecnocratica.net>2022-07-25 15:47:51 +0200
committerAdrian Almenar <adrian@tecnocratica.net>2022-07-25 15:47:51 +0200
commitbd119de6fd32480a4b6fd9c3b16cd5191af350af (patch)
tree6ff52e2be7a71bf8e9fca28498fa091c81c8e628
parentdf7348da111668d38796d955bf64fa384eb7a58f (diff)
downloadvyos-1x-bd119de6fd32480a4b6fd9c3b16cd5191af350af.tar.gz
vyos-1x-bd119de6fd32480a4b6fd9c3b16cd5191af350af.zip
fastnetmon: T4556: Allow configure white_list_path and populate with hosts/networks that should be ignored.
-rw-r--r--data/templates/ids/fastnetmon.j23
-rw-r--r--data/templates/ids/fastnetmon_excluded_networks_list.j25
-rw-r--r--interface-definitions/service-ids-ddos-protection.xml.in18
-rwxr-xr-xsmoketest/scripts/cli/test_service_ids.py12
-rwxr-xr-xsrc/conf_mode/service_ids_fastnetmon.py2
5 files changed, 40 insertions, 0 deletions
diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2
index 005338836..b9f77a257 100644
--- a/data/templates/ids/fastnetmon.j2
+++ b/data/templates/ids/fastnetmon.j2
@@ -5,6 +5,9 @@ logging:local_syslog_logging = on
# list of all your networks in CIDR format
networks_list_path = /run/fastnetmon/networks_list
+# list networks in CIDR format which will be not monitored for attacks
+white_list_path = /run/fastnetmon/excluded_networks_list
+
# Enable/Disable any actions in case of attack
enable_ban = on
enable_ban_ipv6 = on
diff --git a/data/templates/ids/fastnetmon_excluded_networks_list.j2 b/data/templates/ids/fastnetmon_excluded_networks_list.j2
new file mode 100644
index 000000000..c88a1c527
--- /dev/null
+++ b/data/templates/ids/fastnetmon_excluded_networks_list.j2
@@ -0,0 +1,5 @@
+{% if excluded_network is vyos_defined %}
+{% for net in excluded_network %}
+{{ net }}
+{% endfor %}
+{% endif %}
diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in
index a176d6fff..86fc4dffa 100644
--- a/interface-definitions/service-ids-ddos-protection.xml.in
+++ b/interface-definitions/service-ids-ddos-protection.xml.in
@@ -43,6 +43,24 @@
<multi/>
</properties>
</leafNode>
+ <leafNode name="excluded-network">
+ <properties>
+ <help>Specify IPv4 and IPv6 networks which are going to be excluded from protection</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 prefix(es) to exclude</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 prefix(es) to exclude</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
<leafNode name="listen-interface">
<properties>
<help>Listen interface for mirroring traffic</help>
diff --git a/smoketest/scripts/cli/test_service_ids.py b/smoketest/scripts/cli/test_service_ids.py
index 8720362ba..d471eeaed 100755
--- a/smoketest/scripts/cli/test_service_ids.py
+++ b/smoketest/scripts/cli/test_service_ids.py
@@ -26,6 +26,7 @@ from vyos.util import read_file
PROCESS_NAME = 'fastnetmon'
FASTNETMON_CONF = '/run/fastnetmon/fastnetmon.conf'
NETWORKS_CONF = '/run/fastnetmon/networks_list'
+EXCLUDED_NETWORKS_CONF = '/run/fastnetmon/excluded_networks_list'
base_path = ['service', 'ids', 'ddos-protection']
class TestServiceIDS(VyOSUnitTestSHIM.TestCase):
@@ -50,6 +51,7 @@ class TestServiceIDS(VyOSUnitTestSHIM.TestCase):
def test_fastnetmon(self):
networks = ['10.0.0.0/24', '10.5.5.0/24', '2001:db8:10::/64', '2001:db8:20::/64']
+ excluded_networks = ['10.0.0.1/32', '2001:db8:10::1/128']
interfaces = ['eth0', 'eth1']
fps = '3500'
mbps = '300'
@@ -62,6 +64,12 @@ class TestServiceIDS(VyOSUnitTestSHIM.TestCase):
for tmp in networks:
self.cli_set(base_path + ['network', tmp])
+ # optional excluded-network!
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ for tmp in excluded_networks:
+ self.cli_set(base_path + ['excluded-network', tmp])
+
# Required interface(s)!
with self.assertRaises(ConfigSessionError):
self.cli_commit()
@@ -100,5 +108,9 @@ class TestServiceIDS(VyOSUnitTestSHIM.TestCase):
for tmp in networks:
self.assertIn(f'{tmp}', network_config)
+ excluded_network_config = read_file(EXCLUDED_NETWORKS_CONF)
+ for tmp in excluded_networks:
+ self.assertIn(f'{tmp}', excluded_network_config)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index 615658c84..c58f8db9a 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -29,6 +29,7 @@ airbag.enable()
config_file = r'/run/fastnetmon/fastnetmon.conf'
networks_list = r'/run/fastnetmon/networks_list'
+excluded_networks_list = r'/run/fastnetmon/excluded_networks_list'
def get_config(config=None):
if config:
@@ -75,6 +76,7 @@ def generate(fastnetmon):
render(config_file, 'ids/fastnetmon.j2', fastnetmon)
render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon)
+ render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon)
return None
def apply(fastnetmon):