diff options
author | Daniil Baturin <daniil@baturin.org> | 2018-12-16 15:37:51 +0100 |
---|---|---|
committer | Daniil Baturin <daniil@baturin.org> | 2018-12-16 15:37:51 +0100 |
commit | e734b846ec53f9950da562ea27676f63ac5c1599 (patch) | |
tree | 529ad3c36aa23d37d07a0273c994d42336fb3fbe | |
parent | 51f61991092a163f680e4ec8f122e73f4074ddf9 (diff) | |
download | vyos-1x-e734b846ec53f9950da562ea27676f63ac5c1599.tar.gz vyos-1x-e734b846ec53f9950da562ea27676f63ac5c1599.zip |
Revert "T1087: Firewall on Wireguard Interface implementation"
This reverts commit 51f61991092a163f680e4ec8f122e73f4074ddf9.
It's not how it's done, those templates are generated by a script in
vyatta-cfg-firewall.
If we are planning a firewall overhaul in 1.3.x, there's no reason to
transplant the old approach to new code.
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | interface-definitions/wireguard.xml | 76 | ||||
-rwxr-xr-x | src/conf_mode/wireguard.py | 89 |
3 files changed, 2 insertions, 168 deletions
diff --git a/debian/changelog b/debian/changelog index f1293e076..7666cfd68 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,3 @@ -vyos-1x (1.2.0-8) unstable; urgency=low - - * T1087: Firewall on Wireguard Interface - - -- hagbard <vyosdev@derith.de> Tue, 11 Dec 2018 14:06:14 -0800 vyos-1x (1.2.0-7) unstable; urgency=low * T1061: Wireguard: Missing option to administrativly shutdown interface diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index b7a76eedb..8bfffac9d 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -73,82 +73,6 @@ </constraint> </properties> </leafNode> - <node name="firewall" owner="${vyatta_sbindir}/vyatta-firewall-trap.pl --level='interfaces wireguard $VAR(../@) firewall'"> - <properties> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>Ruleset for forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>Ruleset for packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>Ruleset for forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </node> <tagNode name="peer"> <properties> <help>peer alias</help> diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index c46cf7703..f5452579e 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -64,17 +64,7 @@ def get_config(): 'status' : 'exists', 'state' : 'enabled', 'mtu' : '1420', - 'peer' : {}, - 'fw' : { - 'in' : None, - 'local' : None, - 'out' : None - }, - 'fwv6' : { - 'in' : None, - 'local' : None, - 'out' : None - } + 'peer' : {} } } ) @@ -111,21 +101,6 @@ def get_config(): ### mtu if c.exists(cnf + ' mtu'): config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu') - ### firewall name - if c.exists(cnf + ' firewall in name'): - config_data['interfaces'][intfc]['fw']['in'] = c.return_value(cnf + ' firewall in name') - if c.exists(cnf + ' firewall local name'): - config_data['interfaces'][intfc]['fw']['local'] = c.return_value(cnf + ' firewall local name') - if c.exists(cnf + ' firewall out name'): - config_data['interfaces'][intfc]['fw']['out'] = c.return_value(cnf + ' firewall out name') - - if c.exists(cnf + ' firewall in ipv6-name'): - config_data['interfaces'][intfc]['fwv6']['in'] = c.return_value(cnf + ' firewall in ipv6-name') - if c.exists(cnf + ' firewall local ipv6-name'): - config_data['interfaces'][intfc]['fwv6']['local'] = c.return_value(cnf + ' firewall local ipv6-name') - if c.exists(cnf + ' firewall out ipv6-name'): - config_data['interfaces'][intfc]['fwv6']['out'] = c.return_value(cnf + ' firewall out ipv6-name') - ### peers if c.exists(cnf + ' peer'): for p in c.list_nodes(cnf + ' peer'): @@ -148,6 +123,7 @@ def get_config(): config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') if c.exists(cnf + ' peer ' + p + ' preshared-key'): config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key') + return config_data @@ -291,67 +267,6 @@ def apply(c): with open('/sys/class/net/' + str(intf) + '/ifalias', 'w') as fh: fh.write(str(cnf_descr)) - ### firewall v4 - fw_eff_in = c_eff.return_effective_value(intf + ' firewall in name') - fw_eff_loc = c_eff.return_effective_value(intf + ' firewall local name') - fw_eff_out = c_eff.return_effective_value(intf + ' firewall out name') - - if fw_eff_in != c['interfaces'][intf]['fw']['in']: - if c['interfaces'][intf]['fw']['in'] == None: - update_firewall(intf, fw_eff_in, 'v4', 'delete', 'in') - else: - update_firewall(intf, c['interfaces'][intf]['fw']['in'], 'v4', 'update', 'in') - - if fw_eff_loc != c['interfaces'][intf]['fw']['local']: - if c['interfaces'][intf]['fw']['local'] == None: - update_firewall(intf, fw_eff_loc, 'v4', 'delete', 'local') - else: - update_firewall(intf, c['interfaces'][intf]['fw']['local'], 'v4', 'update', 'local') - - if fw_eff_out != c['interfaces'][intf]['fw']['out']: - if c['interfaces'][intf]['fw']['out'] == None: - update_firewall(intf, fw_eff_out, 'v4', 'delete', 'out') - else: - update_firewall(intf, c['interfaces'][intf]['fw']['out'], 'v4', 'update', 'out') - - ### firewall v6 - fwv6_eff_in = c_eff.return_effective_value(intf + ' firewall in ipv6-name') - fwv6_eff_loc = c_eff.return_effective_value(intf + ' firewall local ipv6-name') - fwv6_eff_out = c_eff.return_effective_value(intf + ' firewall out ipv6-name') - - if fwv6_eff_in != c['interfaces'][intf]['fwv6']['in']: - if c['interfaces'][intf]['fwv6']['in'] == None: - update_firewall(intf, fwv6_eff_in, 'v6', 'delete', 'in') - else: - update_firewall(intf, c['interfaces'][intf]['fwv6']['in'], 'v6', 'update', 'in') - - if fwv6_eff_loc != c['interfaces'][intf]['fwv6']['local']: - if c['interfaces'][intf]['fwv6']['local'] == None: - update_firewall(intf, fwv6_eff_loc, 'v6', 'delete', 'local') - else: - update_firewall(intf, c['interfaces'][intf]['fwv6']['local'], 'v6', 'update', 'local') - - if fwv6_eff_out != c['interfaces'][intf]['fwv6']['out']: - if c['interfaces'][intf]['fwv6']['out'] == None: - update_firewall(intf, fwv6_eff_out, 'v6', 'delete', 'out') - else: - update_firewall(intf, c['interfaces'][intf]['fwv6']['out'], 'v6', 'update', 'out') - - return 0 - - -def update_firewall(interf, fw_name, ver, action, table): - cmd = r'sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces ' - cmd += action + ' ' + interf + ' ' + table + ' ' + fw_name - if ver == 'v4': - cmd += ' \"firewall name\"' - if ver == 'v6': - cmd += ' \"firewall ipv6-name\"' - - sl.syslog(sl.LOG_NOTICE, "fw update executing: " + cmd) - subprocess.call([cmd], shell=True) - return 0 - def configure_interface(c, intf): for p in c['interfaces'][intf]['peer']: ## config init for wg call |