authorChristian Poessinger <christian@poessinger.com>2020-12-04 13:48:43 +0100
committerChristian Poessinger <christian@poessinger.com>2020-12-04 13:48:43 +0100
commitf8c01ef3cf31e9d0fe57a51e32a7352079d0d7e7 (patch)
tree8394b4110091096a34784db26a1e27ba0265ade7 /python
parentf8bb85f9be357d0788117368e44137fd570aa902 (diff)
downloadvyos-1x-f8c01ef3cf31e9d0fe57a51e32a7352079d0d7e7.tar.gz
vyos-1x-f8c01ef3cf31e9d0fe57a51e32a7352079d0d7e7.zip
vyos.ifconfig: T1579: migrate "ip source-validation" option from vyatta-cfg-quagga
Diffstat (limited to 'python')
-rw-r--r--python/vyos/ifconfig/interface.py54
1 files changed, 46 insertions, 8 deletions
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 9f067b75e..6837e2d6a 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -36,6 +36,7 @@ from vyos.template import render
from vyos.util import mac2eui64
from vyos.util import dict_search
from vyos.util import cmd
+from vyos.util import read_file
from vyos.template import is_ipv4
from vyos.template import is_ipv6
from vyos.validate import is_intf_addr_assigned
@@ -152,6 +153,10 @@ class Interface(Control):
'validate': assert_boolean,
'location': '/proc/sys/net/ipv4/conf/{ifname}/forwarding',
},
+ 'rp_filter': {
+ 'validate': lambda flt: assert_range(flt,0,3),
+ 'location': '/proc/sys/net/ipv4/conf/{ifname}/rp_filter',
+ },
'ipv6_accept_ra': {
'validate': lambda ara: assert_range(ara,0,3),
'location': '/proc/sys/net/ipv6/conf/{ifname}/accept_ra',
@@ -484,6 +489,34 @@ class Interface(Control):
"""
return self.set_interface('ipv4_forwarding', forwarding)
+ def set_ipv4_source_validation(self, value):
+ """
+ Help prevent attacks used by Spoofing IP Addresses. Reverse path
+ filtering is a Kernel feature that, when enabled, is designed to ensure
+ packets that are not routable to be dropped. The easiest example of this
+ would be and IP Address of the range 10.0.0.0/8, a private IP Address,
+ being received on the Internet facing interface of the router.
+
+ As per RFC3074.
+ """
+ if value == 'strict':
+ value = 1
+ elif value == 'loose':
+ value = 2
+ else:
+ value = 0
+
+ all_rp_filter = int(read_file('/proc/sys/net/ipv4/conf/all/rp_filter'))
+ if all_rp_filter > value:
+ global_setting = 'disable'
+ if all_rp_filter == 1: global_setting = 'strict'
+ elif all_rp_filter == 2: global_setting = 'loose'
+
+ print(f'WARNING: Global source-validation is set to "{global_setting}\n"' \
+ 'this overrides per interface setting!')
+
+ return self.set_interface('rp_filter', value)
+
def set_ipv6_accept_ra(self, accept_ra):
"""
Accept Router Advertisements; autoconfigure using them.
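Review bot: The warning built on the two `print` lines puts the `\n` inside the quoted value and leaves no separator before the continuation, so the message renders as `"strict\n"this overrides ...`; move the newline out of the quotes, `print(f'WARNING: Global source-validation is set to "{global_setting}"\n' 'this overrides per interface setting!')`. The comparison `all_rp_filter > value` is the right direction because the kernel applies the maximum of `conf/all/rp_filter` and the per-interface value, but that is not stated anywhere, so a short comment above the `read_file` line, `# kernel uses max(conf/all, conf/<ifname>); a stricter global value wins`, would explain why only the greater-than case warns. The `else: value = 0` branch also silently disables validation for any string other than 'strict'/'loose', including a typo; if unknown values are not meant to be accepted, raising `ValueError` there would surface them at commit time rather than quietly turning the filter off. The docstring has a typo, "would be and IP Address" should read "an IP Address". set_ipv6_accept_ra's body continues outside the hunk.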
@@ -930,13 +963,13 @@ class Interface(Control):
if os.path.isfile(config_file):
os.remove(config_file)
-
+
def get_tc_config(self,objectname):
# Parse configuration
get_tc_cmd = f'tc -j {objectname}'
tmp = cmd(get_tc_cmd, shell=True)
return json.loads(tmp)
-
+
def del_tc_qdisc(self,dev,kind,handle):
tc_qdisc = self.get_tc_config('qdisc')
for rule in tc_qdisc:
@@ -946,15 +979,15 @@ class Interface(Control):
if old_dev == dev and old_handle == handle and old_kind == kind:
delete_tc_cmd = f'tc qdisc del dev {dev} handle {handle} {kind}'
self._cmd(delete_tc_cmd)
-
-
+
+
def apply_mirror(self,config):
ifname = config['ifname']
-
+
# Remove existing mirroring rules
self.del_tc_qdisc(ifname,'ingress','ffff:')
-
+
# Setting up packet mirroring
mirror = dict_search('mirror', config)
if mirror:
@@ -1068,6 +1101,11 @@ class Interface(Control):
value = '0' if (tmp != None) else '1'
self.set_ipv4_forwarding(value)
+ # IPv4 source-validation
+ tmp = dict_search('ip.source_validation', config)
+ value = tmp if (tmp != None) else '0'
+ self.set_ipv4_source_validation(value)
+
# IPv6 forwarding
tmp = dict_search('ipv6.disable_forwarding', config)
value = '0' if (tmp != None) else '1'
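Review bot: `value = tmp if (tmp != None) else '0'` relies on the fact that set_ipv4_source_validation maps every value other than 'strict'/'loose' to 0, so the literal '0' reaches the kernel only through that fallback; using the textual default the setter itself reports, `value = tmp if (tmp != None) else 'disable'`, would make the intent explicit and keep the call working if the setter ever rejects unknown values (assuming 'disable' is the CLI keyword, which is not visible here). A one-line comment, `# absent node means reverse-path filtering off on this interface`, next to the `dict_search` call would also help, since the surrounding forwarding blocks invert their flag while this one does not.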
@@ -1169,9 +1207,9 @@ class Interface(Control):
vif_config['ifname'] = vif_ifname
vlan = VLANIf(vif_ifname, **tmp)
vlan.update(vif_config)
-
+
self.apply_mirror(config)
-
+
class VLANIf(Interface):