authorChristian Poessinger <christian@poessinger.com>2022-07-21 20:26:08 +0200
committerChristian Poessinger <christian@poessinger.com>2022-07-21 20:26:08 +0200
commit902586e248dd84883a097a3daca0b1129db25b38 (patch)
tree0242eddb47ada1e9d937cb87fe0786c7be7cfae1
parenta06a2b58cac1559a35d60916628a234359d213d9 (diff)
fastnetmon: T4555: add IPv6 support
-rw-r--r--data/templates/ids/fastnetmon.j27
-rw-r--r--data/templates/ids/fastnetmon_networks_list.j24
-rw-r--r--interface-definitions/service-ids-ddos-protection.xml.in9
-rwxr-xr-xsmoketest/scripts/cli/test_service_ids.py4
-rwxr-xr-xsrc/conf_mode/service_ids_fastnetmon.py21
5 files changed, 24 insertions, 21 deletions
diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2
index e095b0786..005338836 100644
--- a/data/templates/ids/fastnetmon.j2
+++ b/data/templates/ids/fastnetmon.j2
@@ -1,14 +1,13 @@
# enable this option if you want to send logs to local syslog facility
+logging:logging_level = debug
logging:local_syslog_logging = on
# list of all your networks in CIDR format
-networks_list_path = /etc/networks_list
-
-# list networks in CIDR format which will be not monitored for attacks
-white_list_path = /etc/networks_whitelist
+networks_list_path = /run/fastnetmon/networks_list
# Enable/Disable any actions in case of attack
enable_ban = on
+enable_ban_ipv6 = on
## How many packets will be collected from attack traffic
ban_details_records_count = 500
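Review bot: The added `logging:logging_level = debug` is a fixed value in the template with no variable driving it, so every deployment will run the daemon at debug verbosity and ship it to local syslog (`logging:local_syslog_logging = on`). On a DDoS-detection service that is the component expected to be busiest during an attack, which can flood syslog at exactly the wrong moment; unless a CLI node sets this elsewhere, consider dropping the line to keep the daemon's default level, or render it from a config value, e.g. `logging:logging_level = {{ log_level | default('info') }}` with a matching CLI option. Also worth a comment next to the line saying why debug is intended if it is deliberate.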
diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2
index 1c81180be..5f1b3ba4d 100644
--- a/data/templates/ids/fastnetmon_networks_list.j2
+++ b/data/templates/ids/fastnetmon_networks_list.j2
@@ -1,6 +1,4 @@
-{% if network is vyos_defined(var_type=str) %}
-{{ network }}
-{% else %}
+{% if network is vyos_defined() %}
{% for net in network %}
{{ net }}
{% endfor %}
diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in
index fe22994b5..0a0d78948 100644
--- a/interface-definitions/service-ids-ddos-protection.xml.in
+++ b/interface-definitions/service-ids-ddos-protection.xml.in
@@ -68,13 +68,18 @@
</node>
<leafNode name="network">
<properties>
- <help>Define monitoring networks</help>
+ <help>Specify IPv4 and IPv6 networks which belong to you</help>
<valueHelp>
<format>ipv4net</format>
- <description>Processed network</description>
+ <description>Your IPv4 prefix(es)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>Your IPv6 prefix(es)</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
</constraint>
<multi/>
</properties>
diff --git a/smoketest/scripts/cli/test_service_ids.py b/smoketest/scripts/cli/test_service_ids.py
index 18f1b8ec5..b4a8934e5 100755
--- a/smoketest/scripts/cli/test_service_ids.py
+++ b/smoketest/scripts/cli/test_service_ids.py
@@ -86,6 +86,10 @@ class TestServiceIDS(VyOSUnitTestSHIM.TestCase):
self.assertIn(f'threshold_mbps = {mbps}', config)
self.assertIn(f'ban_for_pps = on', config)
self.assertIn(f'threshold_pps = {pps}', config)
+ # default
+ self.assertIn(f'enable_ban = on', config)
+ self.assertIn(f'enable_ban_ipv6 = on', config)
+ self.assertIn(f'ban_time = 1900', config)
tmp = ','.join(interfaces)
self.assertIn(f'interfaces = {tmp}', config)
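Review bot: The three added assertions use f-string literals with no replacement fields (`f'enable_ban = on'`, `f'enable_ban_ipv6 = on'`, `f'ban_time = 1900'`), which linters flag as F541; plain strings such as `self.assertIn('enable_ban_ipv6 = on', config)` say the same thing. This matches the surrounding lines, so it is consistent with the file, but the new lines are a good place to stop propagating it. The `# default` comment would also help if it stated what is defaulted, e.g. `# values the template emits when no ban settings are configured`, assuming that is what the assertions cover.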
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index 57e12ddf2..8213d536e 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -49,22 +49,19 @@ def verify(fastnetmon):
if not fastnetmon:
return None
- if not "mode" in fastnetmon:
- raise ConfigError('ddos-protection mode is mandatory!')
+ if 'mode' not in fastnetmon:
+ raise ConfigError('Specify operating mode!')
- if not "network" in fastnetmon:
- raise ConfigError('Required define network!')
+ if 'listen_interface' not in fastnetmon:
+ raise ConfigError('Specify interface(s) for traffic capture')
- if not "listen_interface" in fastnetmon:
- raise ConfigError('Define listen-interface is mandatory!')
-
- if "alert_script" in fastnetmon:
- if os.path.isfile(fastnetmon["alert_script"]):
+ if 'alert_script' in fastnetmon:
+ if os.path.isfile(fastnetmon['alert_script']):
# Check script permissions
- if not os.access(fastnetmon["alert_script"], os.X_OK):
- raise ConfigError('Script {0} does not have permissions for execution'.format(fastnetmon["alert_script"]))
+ if not os.access(fastnetmon['alert_script'], os.X_OK):
+ raise ConfigError('Script "{alert_script}" is not executable!'.format(fastnetmon['alert_script']))
else:
- raise ConfigError('File {0} does not exists!'.format(fastnetmon["alert_script"]))
+ raise ConfigError('File "{alert_script}" does not exists!'.format(fastnetmon))
def generate(fastnetmon):
if not fastnetmon:
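Review bot: Both new error paths in the alert_script branch will raise KeyError instead of ConfigError: `'Script "{alert_script}" is not executable!'.format(fastnetmon['alert_script'])` passes the value positionally while the template uses a named field, and `'File "{alert_script}" does not exists!'.format(fastnetmon)` passes the whole dict as one positional argument instead of unpacking it. Both should end in `.format(**fastnetmon)` (and "does not exists" should read "does not exist"). The hunk also drops the former check that `network` is defined, and the networks-list template in this commit now renders an empty file when `network` is unset, so the daemon could be started with no monitored prefixes; if that is not intended, keep a `if 'network' not in fastnetmon: raise ConfigError(...)` check in verify(). verify() ends inside the hunk, but generate() continues past it.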