diff options
-rw-r--r-- | data/templates/ipsec/ipsec.conf.tmpl | 9 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 57 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 23 | ||||
-rwxr-xr-x | src/migration-scripts/ipsec/5-to-6 | 14 |
4 files changed, 65 insertions, 38 deletions
diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl index 6550ea419..a9ea1aac7 100644 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ b/data/templates/ipsec/ipsec.conf.tmpl @@ -1,6 +1,15 @@ # Created by VyOS - manual changes will be overwritten config setup +{% set charondebug = '' %} +{% if log is defined and log.subsystem is defined and log.subsystem is not none %} +{% set subsystem = log.subsystem %} +{% if 'any' in log.subsystem %} +{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', + 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'] %} +{% endif %} +{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} +{% endif %} charondebug = "{{ charondebug }}" uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index a2e9a7a5a..fdd091dd9 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -525,100 +525,109 @@ </leafNode> </children> </node> - <node name="logging"> + <node name="log"> <properties> <help>IPsec logging</help> </properties> <children> - <leafNode name="log-level"> + <leafNode name="level"> <properties> <help>strongSwan Logger Level</help> <valueHelp> - <format>u32:0-2</format> - <description>Logger Verbosity Level (default 0)</description> + <format>u32:0</format> + <description>Very basic auditing logs e.g. SA up/SA down (default)</description> + </valueHelp> + <valueHelp> + <format>u32:1</format> + <description>Generic control flow with errors, a good default to see whats going on</description> + </valueHelp> + <valueHelp> + <format>u32:2</format> + <description>More detailed debugging control flow</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-2"/> </constraint> </properties> + <defaultValue>0</defaultValue> </leafNode> - <leafNode name="log-modes"> + <leafNode name="subsystem"> <properties> - <help>Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation</help> + <help>Subsystem in the daemon the log comes from</help> <completionHelp> <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list> </completionHelp> <valueHelp> <format>dmn</format> - <description>Debug log option for strongSwan</description> + <description>Main daemon setup/cleanup/signal handling</description> </valueHelp> <valueHelp> <format>mgr</format> - <description>Debug log option for strongSwan</description> + <description>IKE_SA manager, handling synchronization for IKE_SA access</description> </valueHelp> <valueHelp> <format>ike</format> - <description>Debug log option for strongSwan</description> + <description>IKE_SA/ISAKMP SA</description> </valueHelp> <valueHelp> <format>chd</format> - <description>Debug log option for strongSwan</description> + <description>CHILD_SA/IPsec SA</description> </valueHelp> <valueHelp> <format>job</format> - <description>Debug log option for strongSwan</description> + <description>Jobs queuing/processing and thread pool management</description> </valueHelp> <valueHelp> <format>cfg</format> - <description>Debug log option for strongSwan</description> + <description>Configuration management and plugins</description> </valueHelp> <valueHelp> <format>knl</format> - <description>Debug log option for strongSwan</description> + <description>IPsec/Networking kernel interface</description> </valueHelp> <valueHelp> <format>net</format> - <description>Debug log option for strongSwan</description> + <description>IKE network communication</description> </valueHelp> <valueHelp> <format>asn</format> - <description>Debug log option for strongSwan</description> + <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description> </valueHelp> <valueHelp> <format>enc</format> - <description>Debug log option for strongSwan</description> + <description>Packet encoding/decoding encryption/decryption operations</description> </valueHelp> <valueHelp> <format>lib</format> - <description>Debug log option for strongSwan</description> + <description>libstrongswan library messages</description> </valueHelp> <valueHelp> <format>esp</format> - <description>Debug log option for strongSwan</description> + <description>libipsec library messages</description> </valueHelp> <valueHelp> <format>tls</format> - <description>Debug log option for strongSwan</description> + <description> libtls library messages</description> </valueHelp> <valueHelp> <format>tnc</format> - <description>Debug log option for strongSwan</description> + <description>Trusted Network Connect</description> </valueHelp> <valueHelp> <format>imc</format> - <description>Debug log option for strongSwan</description> + <description>Integrity Measurement Collector</description> </valueHelp> <valueHelp> <format>imv</format> - <description>Debug log option for strongSwan</description> + <description>Integrity Measurement Verifier</description> </valueHelp> <valueHelp> <format>pts</format> - <description>Debug log option for strongSwan</description> + <description> Platform Trust Service</description> </valueHelp> <valueHelp> <format>any</format> - <description>Debug log option for strongSwan</description> + <description>Any subsystem</description> </valueHelp> <constraint> <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex> diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index 6d5d24e52..ff26f875a 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -41,11 +41,6 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -any_log_modes = [ - 'dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', - 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts' -] - dhcp_wait_attempts = 2 dhcp_wait_sleep = 1 @@ -79,6 +74,15 @@ def get_config(config=None): ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + # XXX: T2665: we must safely remove default values for tag nodes, those are + # added in a more fine grained way later on + del default_values['esp_group'] + del default_values['ike_group'] + ipsec = dict_merge(default_values, ipsec) + if 'esp_group' in ipsec: default_values = defaults(base + ['esp-group']) for group in ipsec['esp_group']: @@ -91,7 +95,6 @@ def get_config(config=None): ipsec['ike_group'][group] = dict_merge(default_values, ipsec['ike_group'][group]) - ipsec['dhcp_no_address'] = {} ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface']) @@ -356,14 +359,6 @@ def generate(ipsec): data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough - if 'logging' in ipsec and 'log_modes' in ipsec['logging']: - modes = ipsec['logging']['log_modes'] - level = ipsec['logging']['log_level'] if 'log_level' in ipsec['logging'] else '1' - if isinstance(modes, str): - modes = [modes] - if 'any' in modes: - modes = any_log_modes - data['charondebug'] = f' {level}, '.join(modes) + ' ' + level render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', data) render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', data) diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6 index 86be55d13..ba5ce0fca 100755 --- a/src/migration-scripts/ipsec/5-to-6 +++ b/src/migration-scripts/ipsec/5-to-6 @@ -60,6 +60,20 @@ if config.exists(base + ['site-to-site', 'peer']): if config.exists(public_networks): config.delete(public_networks) +# Rename "logging log-level" and "logging log-modes" to something more human friendly +log = base + ['logging'] +if config.exists(log): + config.rename(log, 'log') + log = base + ['log'] + +log_level = log + ['log-level'] +if config.exists(log_level): + config.rename(log_level, 'level') + +log_mode = log + ['log-modes'] +if config.exists(log_mode): + config.rename(log_mode, 'subsystem') + try: with open(file_name, 'w') as f: f.write(config.to_string()) |