authorDaniil Baturin <daniil@baturin.org>2018-12-16 15:37:51 +0100
committerDaniil Baturin <daniil@baturin.org>2018-12-16 15:37:51 +0100
commite734b846ec53f9950da562ea27676f63ac5c1599 (patch)
tree529ad3c36aa23d37d07a0273c994d42336fb3fbe
parent51f61991092a163f680e4ec8f122e73f4074ddf9 (diff)
Revert "T1087: Firewall on Wireguard Interface implementation"
This reverts commit 51f61991092a163f680e4ec8f122e73f4074ddf9. It's not how it's done: those templates are generated by a script in vyatta-cfg-firewall. If we are planning a firewall overhaul in 1.3.x, there's no reason to transplant the old approach to new code.
-rw-r--r--debian/changelog5
-rw-r--r--interface-definitions/wireguard.xml76
-rwxr-xr-xsrc/conf_mode/wireguard.py89
3 files changed, 2 insertions, 168 deletions
diff --git a/debian/changelog b/debian/changelog
index f1293e076..7666cfd68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,3 @@
-vyos-1x (1.2.0-8) unstable; urgency=low
-
- * T1087: Firewall on Wireguard Interface
-
- -- hagbard <vyosdev@derith.de> Tue, 11 Dec 2018 14:06:14 -0800
vyos-1x (1.2.0-7) unstable; urgency=low
* T1061: Wireguard: Missing option to administrativly shutdown interface
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index b7a76eedb..8bfffac9d 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -73,82 +73,6 @@
</constraint>
</properties>
</leafNode>
- <node name="firewall" owner="${vyatta_sbindir}/vyatta-firewall-trap.pl --level='interfaces wireguard $VAR(../@) firewall'">
- <properties>
- <help>Firewall options</help>
- </properties>
- <children>
- <node name="in">
- <properties>
- <help>Ruleset for forwarded packets on inbound interface</help>
- </properties>
- <children>
- <leafNode name="name">
- <properties>
- <help>Inbound IPv4 firewall ruleset name for interface</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="ipv6-name">
- <properties>
- <help>Inbound IPv6 firewall ruleset name for interface</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="local">
- <properties>
- <help>Ruleset for packets destined for this router</help>
- </properties>
- <children>
- <leafNode name="name">
- <properties>
- <help>Local IPv4 firewall ruleset name for interface</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="ipv6-name">
- <properties>
- <help>Local IPv4 firewall ruleset name for interface</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="out">
- <properties>
- <help>Ruleset for forwarded packets on outbound interface</help>
- </properties>
- <children>
- <leafNode name="name">
- <properties>
- <help>Outbound IPv4 firewall ruleset name for interface</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="ipv6-name">
- <properties>
- <help>Outbound IPv6 firewall ruleset name for interface</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
<tagNode name="peer">
<properties>
<help>peer alias</help>
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index c46cf7703..f5452579e 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -64,17 +64,7 @@ def get_config():
'status' : 'exists',
'state' : 'enabled',
'mtu' : '1420',
- 'peer' : {},
- 'fw' : {
- 'in' : None,
- 'local' : None,
- 'out' : None
- },
- 'fwv6' : {
- 'in' : None,
- 'local' : None,
- 'out' : None
- }
+ 'peer' : {}
}
}
)
@@ -111,21 +101,6 @@ def get_config():
### mtu
if c.exists(cnf + ' mtu'):
config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu')
- ### firewall name
- if c.exists(cnf + ' firewall in name'):
- config_data['interfaces'][intfc]['fw']['in'] = c.return_value(cnf + ' firewall in name')
- if c.exists(cnf + ' firewall local name'):
- config_data['interfaces'][intfc]['fw']['local'] = c.return_value(cnf + ' firewall local name')
- if c.exists(cnf + ' firewall out name'):
- config_data['interfaces'][intfc]['fw']['out'] = c.return_value(cnf + ' firewall out name')
-
- if c.exists(cnf + ' firewall in ipv6-name'):
- config_data['interfaces'][intfc]['fwv6']['in'] = c.return_value(cnf + ' firewall in ipv6-name')
- if c.exists(cnf + ' firewall local ipv6-name'):
- config_data['interfaces'][intfc]['fwv6']['local'] = c.return_value(cnf + ' firewall local ipv6-name')
- if c.exists(cnf + ' firewall out ipv6-name'):
- config_data['interfaces'][intfc]['fwv6']['out'] = c.return_value(cnf + ' firewall out ipv6-name')
-
### peers
if c.exists(cnf + ' peer'):
for p in c.list_nodes(cnf + ' peer'):
@@ -148,6 +123,7 @@ def get_config():
config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
if c.exists(cnf + ' peer ' + p + ' preshared-key'):
config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key')
+
return config_data
@@ -291,67 +267,6 @@ def apply(c):
with open('/sys/class/net/' + str(intf) + '/ifalias', 'w') as fh:
fh.write(str(cnf_descr))
- ### firewall v4
- fw_eff_in = c_eff.return_effective_value(intf + ' firewall in name')
- fw_eff_loc = c_eff.return_effective_value(intf + ' firewall local name')
- fw_eff_out = c_eff.return_effective_value(intf + ' firewall out name')
-
- if fw_eff_in != c['interfaces'][intf]['fw']['in']:
- if c['interfaces'][intf]['fw']['in'] == None:
- update_firewall(intf, fw_eff_in, 'v4', 'delete', 'in')
- else:
- update_firewall(intf, c['interfaces'][intf]['fw']['in'], 'v4', 'update', 'in')
-
- if fw_eff_loc != c['interfaces'][intf]['fw']['local']:
- if c['interfaces'][intf]['fw']['local'] == None:
- update_firewall(intf, fw_eff_loc, 'v4', 'delete', 'local')
- else:
- update_firewall(intf, c['interfaces'][intf]['fw']['local'], 'v4', 'update', 'local')
-
- if fw_eff_out != c['interfaces'][intf]['fw']['out']:
- if c['interfaces'][intf]['fw']['out'] == None:
- update_firewall(intf, fw_eff_out, 'v4', 'delete', 'out')
- else:
- update_firewall(intf, c['interfaces'][intf]['fw']['out'], 'v4', 'update', 'out')
-
- ### firewall v6
- fwv6_eff_in = c_eff.return_effective_value(intf + ' firewall in ipv6-name')
- fwv6_eff_loc = c_eff.return_effective_value(intf + ' firewall local ipv6-name')
- fwv6_eff_out = c_eff.return_effective_value(intf + ' firewall out ipv6-name')
-
- if fwv6_eff_in != c['interfaces'][intf]['fwv6']['in']:
- if c['interfaces'][intf]['fwv6']['in'] == None:
- update_firewall(intf, fwv6_eff_in, 'v6', 'delete', 'in')
- else:
- update_firewall(intf, c['interfaces'][intf]['fwv6']['in'], 'v6', 'update', 'in')
-
- if fwv6_eff_loc != c['interfaces'][intf]['fwv6']['local']:
- if c['interfaces'][intf]['fwv6']['local'] == None:
- update_firewall(intf, fwv6_eff_loc, 'v6', 'delete', 'local')
- else:
- update_firewall(intf, c['interfaces'][intf]['fwv6']['local'], 'v6', 'update', 'local')
-
- if fwv6_eff_out != c['interfaces'][intf]['fwv6']['out']:
- if c['interfaces'][intf]['fwv6']['out'] == None:
- update_firewall(intf, fwv6_eff_out, 'v6', 'delete', 'out')
- else:
- update_firewall(intf, c['interfaces'][intf]['fwv6']['out'], 'v6', 'update', 'out')
-
- return 0
-
-
-def update_firewall(interf, fw_name, ver, action, table):
- cmd = r'sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces '
- cmd += action + ' ' + interf + ' ' + table + ' ' + fw_name
- if ver == 'v4':
- cmd += ' \"firewall name\"'
- if ver == 'v6':
- cmd += ' \"firewall ipv6-name\"'
-
- sl.syslog(sl.LOG_NOTICE, "fw update executing: " + cmd)
- subprocess.call([cmd], shell=True)
- return 0
-
def configure_interface(c, intf):
for p in c['interfaces'][intf]['peer']:
## config init for wg call