| author | Christian Breunig <christian@breunig.cc> | 2024-02-02 10:07:09 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-02 10:07:09 +0100 | 
| commit | eb41a9a96f5284d49156df9120316f46a6ad2f97 (patch) | |
| tree | a4d4940464c07fd73fac6b0d0f541dcb342acc99 /src | |
| parent | 4b0a78b0d2e4e0ea813e93b0842ae3aed15d1a43 (diff) | |
| parent | dca220d515e6c1009b316400174382b88837df6c (diff) | |
| download | vyos-1x-eb41a9a96f5284d49156df9120316f46a6ad2f97.tar.gz vyos-1x-eb41a9a96f5284d49156df9120316f46a6ad2f97.zip | |
Merge pull request #2889 from sarthurdev/kea-hooks
dhcpv6: T3771: Installation of routes for delegated prefixes, add excluded-prefix to PD
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/service_dhcpv6-server.py | 17 | ||||
| -rw-r--r-- | src/etc/sudoers.d/vyos | 3 | ||||
| -rwxr-xr-x | src/system/on-dhcp-event.sh | 24 | ||||
| -rwxr-xr-x | src/system/on-dhcpv6-event.sh | 87 | 
4 files changed, 123 insertions, 8 deletions
| diff --git a/src/conf_mode/service_dhcpv6-server.py b/src/conf_mode/service_dhcpv6-server.py
index 214531904..add83eb0d 100755
--- a/src/conf_mode/service_dhcpv6-server.py
+++ b/src/conf_mode/service_dhcpv6-server.py
@@ -144,6 +144,23 @@ def verify(dhcpv6):
                     if prefix_config['prefix_length'] > prefix_config['delegated_length']:
                         raise ConfigError('Length of delegated IPv6 prefix must be within parent prefix')
+                    if 'excluded_prefix' in prefix_config:
+                        if 'excluded_prefix_length' not in prefix_config:
+                            raise ConfigError('Length of excluded IPv6 prefix must be configured')
+
+                        prefix_len = prefix_config['prefix_length']
+                        prefix_obj = ip_network(f'{prefix}/{prefix_len}')
+
+                        excluded_prefix = prefix_config['excluded_prefix']
+                        excluded_len = prefix_config['excluded_prefix_length']
+                        excluded_obj = ip_network(f'{excluded_prefix}/{excluded_len}')
+
+                        if excluded_len <= prefix_config['delegated_length']:
+                            raise ConfigError('Excluded IPv6 prefix must be smaller than delegated prefix')
+
+                        if not excluded_obj.subnet_of(prefix_obj):
+                            raise ConfigError(f'Excluded prefix "{excluded_prefix}" does not exist in the prefix')
+
 
             # Static mappings don't require anything (but check if IP is in subnet if it's set)
             if 'static_mapping' in subnet_config:
                 for mapping, mapping_config in subnet_config['static_mapping'].items():
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
index c099446ba..63a944f41 100644
--- a/src/etc/sudoers.d/vyos
+++ b/src/etc/sudoers.d/vyos
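Review bot: The two `ip_network(...)` calls added to verify() run with the default strict=True, so an `excluded_prefix` whose host bits are set for `excluded_prefix_length` (or a pool `prefix` that is not on its `prefix_length` boundary) escapes as a bare ValueError traceback instead of the ConfigError the rest of this block reports; wrap both constructions, e.g. `except ValueError as e:` / `raise ConfigError(f'Invalid prefix-delegation prefix: {e}') from e`. The `excluded_len <= prefix_config['delegated_length']` comparison is only meaningful if both values are ints; the existing `prefix_length > delegated_length` check on the first context line suggests they are, but that is inferred from outside the hunk. A short comment above the new branch would help the next reader, e.g. `# excluded prefix must be longer than the delegated prefix (i.e. a sub-range of every delegation) and lie inside the pool prefix`. verify() starts and ends outside this hunk.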
@@ -44,6 +44,8 @@ Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
                           /bin/ip vrf exec * /bin/traceroute *, \
                           /bin/ip vrf exec * /usr/bin/mtr *, \
                           /usr/libexec/vyos/op_mode/*
+Cmnd_Alias KEA_IP6_ROUTES = /sbin/ip -6 route replace *,\
+                           /sbin/ip -6 route del *
 %operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
 			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                         DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
@@ -55,3 +57,4 @@ Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
 
 # Allow members of group sudo to execute any command
 %sudo ALL=NOPASSWD: ALL
+_kea ALL=NOPASSWD: KEA_IP6_ROUTES
diff --git a/src/system/on-dhcp-event.sh b/src/system/on-dhcp-event.sh
index 52fadd428..47c276270 100755
--- a/src/system/on-dhcp-event.sh
+++ b/src/system/on-dhcp-event.sh
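Review bot: The new `KEA_IP6_ROUTES` alias grants the `_kea` service account passwordless `/sbin/ip -6 route replace *` and `/sbin/ip -6 route del *`, and a sudoers `*` matches any argument string including spaces, so the rule effectively lets the DHCPv6 daemon rewrite or remove any IPv6 route in any table, not only delegated-prefix routes; the `_kea ALL=NOPASSWD: KEA_IP6_ROUTES` line in the second hunk is what applies it. Since Kea is the process that parses traffic from unauthenticated clients, a tighter least-privilege boundary would be to grant sudo only on a dedicated helper that validates the prefix, prefix length and interface and then calls `ip` itself, and to drop the bare wildcard alias. Whichever shape is kept, record the intent next to the alias, e.g. `# Used by src/system/on-dhcpv6-event.sh (Kea hook) to install/remove delegated-prefix routes`, so the broad grant is not widened further by accident. Note the alias uses `/sbin/ip` while the DIAGNOSTICS alias above it uses `/bin/ip`; the hook script must invoke exactly the path listed here or sudo will refuse it.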
@@ -1,12 +1,20 @@
 #!/bin/bash
-
-# This script came from ubnt.com forum user "bradd" in the following post
-# http://community.ubnt.com/t5/EdgeMAX/Automatic-DNS-resolution-of-DHCP-client-names/td-p/651311
-# It has been modified by Ubiquiti to update the /etc/host file
-# instead of adding to the CLI.
-# Thanks to forum user "itsmarcos" for bug fix & improvements
-# Thanks to forum user "ruudboon" for multiple domain fix
-# Thanks to forum user "chibby85" for expire patch and static-mapping
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
 
 if [ $# -lt 1 ]; then
   echo Invalid args
diff --git a/src/system/on-dhcpv6-event.sh b/src/system/on-dhcpv6-event.sh
new file mode 100755
index 000000000..cbb370999
--- /dev/null
+++ b/src/system/on-dhcpv6-event.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+if [ $# -lt 1 ]; then
+  echo Invalid args
+  logger -s -t on-dhcpv6-event "Invalid args \"$@\""
+  exit 1
+fi
+
+action=$1
+
+case "$action" in
+  lease6_renew|lease6_recover)
+    exit 0
+    ;;
+
+  lease6_release|lease6_expire|lease6_decline)
+    ifname=$QUERY6_IFACE_NAME
+    lease_addr=$LEASE6_ADDRESS
+    lease_prefix_len=$LEASE6_PREFIX_LEN
+
+    if [[ "$LEASE6_TYPE" != "IA_PD" ]]; then
+      exit 0
+    fi
+
+    logger -s -t on-dhcpv6-event "Processing route deletion for ${lease_addr}/${lease_prefix_len}"
+    route_cmd="sudo -n /sbin/ip -6 route del ${lease_addr}/${lease_prefix_len}"
+
+    # the ifname is not always present, like in LEASE6_VALID_LIFETIME=0 updates,
+    # but 'route del' works either way. Use interface only if there is one.
+    if [[ "$ifname" != "" ]]; then
+        route_cmd+=" dev ${ifname}"
+    fi
+    route_cmd+=" proto static"
+    eval "$route_cmd"
+
+    exit 0
+    ;;
+
+  leases6_committed)
+    for ((i = 0; i < $LEASES6_SIZE; i++)); do
+      ifname=$QUERY6_IFACE_NAME
+      requester_link_local=$QUERY6_REMOTE_ADDR
+      lease_type_var="LEASES6_AT${i}_TYPE"
+      lease_ip_var="LEASES6_AT${i}_ADDRESS"
+      lease_prefix_len_var="LEASES6_AT${i}_PREFIX_LEN"
+
+      lease_type=${!lease_type_var}
+
+      if [[ "$lease_type" != "IA_PD" ]]; then
+        continue
+      fi
+
+      lease_ip=${!lease_ip_var}
+      lease_prefix_len=${!lease_prefix_len_var}
+
+      logger -s -t on-dhcpv6-event "Processing PD route for ${lease_addr}/${lease_prefix_len}. Link local: ${requester_link_local} ifname: ${ifname}"
+      
+      sudo -n /sbin/ip -6 route replace ${lease_ip}/${lease_prefix_len} \
+        via ${requester_link_local} \
+        dev ${ifname} \
+        proto static
+    done
+
+    exit 0
+    ;;
+
+  *)
+    logger -s -t on-dhcpv6-event "Invalid command \"$1\""
+    exit 1
+    ;;
+esac
|
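Review bot: The `lease6_release|lease6_expire|lease6_decline` branch assembles a command string from Kea-supplied environment variables and runs it through `eval "$route_cmd"`, and the `leases6_committed` branch expands `${lease_ip}`, `${requester_link_local}` and `${ifname}` unquoted into the sudo'd `ip` call; with the sudoers rule in this same commit wildcarding every argument, any unexpected characters in those values reach a root `ip` invocation unchecked. Build the command as a bash array, quote each expansion and reject values that do not look like an IPv6 address and a numeric prefix length before calling sudo; the release branch rewritten that way is below, and the `route replace` call in the committed branch needs the same quoting and validation. Separately, the log line in `leases6_committed` reads `${lease_addr}`, which is never assigned in that branch and should be `${lease_ip}`. If `$LEASES6_SIZE` is unset the `for (( i = 0; i < $LEASES6_SIZE; i++ ))` header is a runtime syntax error; `${LEASES6_SIZE:-0}` avoids it. There is also a whitespace-only line before the `sudo -n /sbin/ip -6 route replace` call that should be emptied.
```shell
    # … unchanged: ifname / lease_addr / lease_prefix_len assignment and IA_PD check …
    logger -s -t on-dhcpv6-event "Processing route deletion for ${lease_addr}/${lease_prefix_len}"

    # Refuse anything that is not a bare IPv6 address plus a numeric prefix length;
    # these values come from the lease store and are handed to a privileged 'ip'.
    if [[ ! "$lease_addr" =~ ^[0-9A-Fa-f:]+$ || ! "$lease_prefix_len" =~ ^[0-9]{1,3}$ ]]; then
      logger -s -t on-dhcpv6-event "Refusing route deletion: unexpected lease values"
      exit 1
    fi

    route_cmd=(sudo -n /sbin/ip -6 route del "${lease_addr}/${lease_prefix_len}")

    # the ifname is not always present, like in LEASE6_VALID_LIFETIME=0 updates,
    # but 'route del' works either way. Use interface only if there is one.
    if [[ -n "$ifname" ]]; then
      route_cmd+=(dev "$ifname")
    fi
    route_cmd+=(proto static)
    "${route_cmd[@]}"
    # … unchanged: exit 0 ;; and the remaining case arms …
```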
