| -rw-r--r-- | interface-definitions/service-upnp.xml.in | 12 | ||||
| -rwxr-xr-x | src/conf_mode/arp.py | 2 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-ethernet.py | 23 | ||||
| -rwxr-xr-x | src/conf_mode/service_upnp.py | 19 | ||||
| -rw-r--r-- | src/etc/systemd/system/wpa_supplicant-wired@.service.d/override.conf | 11 | 
5 files changed, 45 insertions, 22 deletions
| diff --git a/interface-definitions/service-upnp.xml.in b/interface-definitions/service-upnp.xml.in
index 50cb47f39..ec23d87df 100644
--- a/interface-definitions/service-upnp.xml.in
+++ b/interface-definitions/service-upnp.xml.in
@@ -103,19 +103,19 @@
               </valueHelp>
               <valueHelp>
                 <format>ipv4</format>
-                <description>IP address to listen for incoming connections</description>
+                <description>IPv4 address to listen for incoming connections</description>
               </valueHelp>
               <valueHelp>
-                <format>ipv4-prefix</format>
-                <description>IP prefix to listen for incoming connections</description>
+                <format>ipv4net</format>
+                <description>IPv4 prefix to listen for incoming connections</description>
               </valueHelp>
               <valueHelp>
                 <format>ipv6</format>
-                <description>IP address to listen for incoming connections</description>
+                <description>IPv6 address to listen for incoming connections</description>
               </valueHelp>
               <valueHelp>
-                <format>ipv6-prefix</format>
-                <description>IP prefix to listen for incoming connections</description>
+                <format>ipv6net</format>
+                <description>IPv6 prefix to listen for incoming connections</description>
               </valueHelp>
               <multi/>
               <constraint>
diff --git a/src/conf_mode/arp.py b/src/conf_mode/arp.py
index 1cd8f5451..7dc5206e0 100755
--- a/src/conf_mode/arp.py
+++ b/src/conf_mode/arp.py
@@ -61,7 +61,7 @@ def apply(arp):
                 continue
             for address, address_config in interface_config['address'].items():
                 mac = address_config['mac']
-                call(f'ip neigh add {address} lladdr {mac} dev {interface}')
+                call(f'ip neigh replace {address} lladdr {mac} dev {interface}')
 
 if __name__ == '__main__':
     try:
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 30e7a2af7..e02841831 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -153,11 +153,20 @@ def verify(ethernet):
     return None
 
 def generate(ethernet):
-    if 'eapol' in ethernet:
-        render(wpa_suppl_conf.format(**ethernet),
-               'ethernet/wpa_supplicant.conf.j2', ethernet)
+    # render real configuration file once
+    wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet)
+
+    if 'deleted' in ethernet:
+        # delete configuration on interface removal
+        if os.path.isfile(wpa_supplicant_conf):
+            os.unlink(wpa_supplicant_conf)
+        return None
+    if 'eapol' in ethernet:
 
         ifname = ethernet['ifname']
+
+        render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet)
+
         cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem')
         cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key')
 
@@ -184,10 +193,6 @@ def generate(ethernet):
             write_file(ca_cert_file_path,
                        '\n'.join(encode_certificate(c) for c in ca_full_chain))
 
-    else:
-        # delete configuration on interface removal
-        if os.path.isfile(wpa_suppl_conf.format(**ethernet)):
-            os.unlink(wpa_suppl_conf.format(**ethernet))
 
     return None
 
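Review bot: The changed `call` line still assembles the command by interpolating `address`, `mac` and `interface` from the configuration into one string, so the switch from `add` to `replace` keeps whatever shell exposure the original had; if `call` passes the string through a shell, a list-form invocation (`['ip', 'neigh', 'replace', address, 'lladdr', mac, 'dev', interface]`) would remove it, and the XML constraints that presumably validate these values are not visible here. The return value of `call` is also discarded, so a failing `ip neigh replace` (for example a device that no longer exists) goes unnoticed at commit time; if the project's pattern is to raise on a non-zero status, `if call(...) != 0: raise ConfigError(...)` would surface it. `apply` starts outside the hunk.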
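Review bot: The `if 'deleted' in ethernet:` branch added at the top of `generate` unlinks only the rendered wpa_supplicant configuration, while the `{ifname}_cert.pem`, `{ifname}_cert.key` and CA chain files this function writes under `cfg_dir` further down are left behind, so private key material outlives the interface it was exported for. The removed `else:` block in the second hunk (`@@ -184,10 +193,6 @@`) also changes semantics: previously the config file was removed whenever `eapol` was absent, now only when the whole interface is deleted, so clearing `eapol` on a live interface leaves a stale config file with credential paths on disk. A small helper that removes all of these files, called both when `deleted` is set and when `eapol` is absent, restores the old clean-up and closes the gap; the CA chain file name is assigned outside the visible lines and should be taken from there. `generate` continues between and past these hunks.
```python
def _cleanup_eapol_files(ethernet, wpa_supplicant_conf):
    """Remove the rendered supplicant config and exported EAPoL credentials."""
    ifname = ethernet['ifname']
    for path in (wpa_supplicant_conf,
                 os.path.join(cfg_dir, f'{ifname}_cert.pem'),
                 os.path.join(cfg_dir, f'{ifname}_cert.key'),
                 os.path.join(cfg_dir, CA_CHAIN_FILENAME_PLACEHOLDER)):  # use the name generate() writes
        if os.path.isfile(path):
            os.unlink(path)

def generate(ethernet):
    # render real configuration file once
    wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet)

    if 'deleted' in ethernet or 'eapol' not in ethernet:
        # interface removed or EAPoL unconfigured: leave no credentials behind
        _cleanup_eapol_files(ethernet, wpa_supplicant_conf)
        return None
    # … unchanged: EAPoL rendering and certificate/key export …
```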
@@ -203,9 +208,9 @@ def apply(ethernet):
     else:
         e.update(ethernet)
         if 'eapol' in ethernet:
-            eapol_action='restart'
+            eapol_action='reload-or-restart'
 
-    call(f'systemctl {eapol_action} wpa_supplicant-macsec@{ifname}')
+    call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}')
 
 if __name__ == '__main__':
     try:
diff --git a/src/conf_mode/service_upnp.py b/src/conf_mode/service_upnp.py
index 36f3e18a7..c798fd515 100755
--- a/src/conf_mode/service_upnp.py
+++ b/src/conf_mode/service_upnp.py
@@ -24,8 +24,6 @@ from ipaddress import IPv6Network
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
-from vyos.configdict import get_interface_dict
-from vyos.configverify import verify_vrf
 from vyos.util import call
 from vyos.template import render
 from vyos.template import is_ipv4
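Review bot: Renaming the unit on the changed `call` line to `wpa_supplicant-wired@{ifname}` means an instance started under the old name `wpa_supplicant-macsec@{ifname}` by a previous release is never stopped or restarted on upgrade, so the old supplicant keeps running with its old configuration next to the new one. If upgraded systems can carry such instances, a one-time `systemctl stop wpa_supplicant-macsec@{ifname}` in a migration step is needed. `reload-or-restart` relies on the `ExecReload=` added in the new drop-in; without it systemd falls back to a restart, which is acceptable but worth noting inline, e.g. `# reload-or-restart needs ExecReload= from wpa_supplicant-wired@.service.d/override.conf`. `apply`, and the default assignment of `eapol_action`, start outside the hunk.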
@@ -113,19 +111,28 @@ def verify(upnpd):
     listen_dev = []
     system_addrs_cidr = get_all_interface_addr(True, [], [netifaces.AF_INET, netifaces.AF_INET6])
     system_addrs = get_all_interface_addr(False, [], [netifaces.AF_INET, netifaces.AF_INET6])
+    if 'listen' not in upnpd:
+        raise ConfigError(f'Listen address or interface is required!')
     for listen_if_or_addr in upnpd['listen']:
         if listen_if_or_addr not in netifaces.interfaces():
             listen_dev.append(listen_if_or_addr)
-        if (listen_if_or_addr not in system_addrs) and (listen_if_or_addr not in system_addrs_cidr) and (listen_if_or_addr not in netifaces.interfaces()):
+        if (listen_if_or_addr not in system_addrs) and (listen_if_or_addr not in system_addrs_cidr) and \
+                (listen_if_or_addr not in netifaces.interfaces()):
             if is_ipv4(listen_if_or_addr) and IPv4Network(listen_if_or_addr).is_multicast:
-                raise ConfigError(f'The address "{listen_if_or_addr}" is an address that is not allowed to listen on. It is not an interface address nor a multicast address!')
+                raise ConfigError(f'The address "{listen_if_or_addr}" is an address that is not allowed'
+                                  f'to listen on. It is not an interface address nor a multicast address!')
             if is_ipv6(listen_if_or_addr) and IPv6Network(listen_if_or_addr).is_multicast:
-                raise ConfigError(f'The address "{listen_if_or_addr}" is an address that is not allowed to listen on. It is not an interface address nor a multicast address!')
+                raise ConfigError(f'The address "{listen_if_or_addr}" is an address that is not allowed'
+                                  f'to listen on. It is not an interface address nor a multicast address!')
 
     system_listening_dev_addrs_cidr = get_all_interface_addr(True, listen_dev, [netifaces.AF_INET6])
     system_listening_dev_addrs = get_all_interface_addr(False, listen_dev, [netifaces.AF_INET6])
     for listen_if_or_addr in upnpd['listen']:
-        if listen_if_or_addr not in netifaces.interfaces() and (listen_if_or_addr not in system_listening_dev_addrs_cidr) and (listen_if_or_addr not in system_listening_dev_addrs) and is_ipv6(listen_if_or_addr) and (not IPv6Network(listen_if_or_addr).is_multicast):
+        if listen_if_or_addr not in netifaces.interfaces() and \
+                (listen_if_or_addr not in system_listening_dev_addrs_cidr) and \
+                (listen_if_or_addr not in system_listening_dev_addrs) and \
+                is_ipv6(listen_if_or_addr) and \
+                (not IPv6Network(listen_if_or_addr).is_multicast):
             raise ConfigError(f'{listen_if_or_addr} must listen on the interface of the network card')
 
 def generate(upnpd):
diff --git a/src/etc/systemd/system/wpa_supplicant-wired@.service.d/override.conf b/src/etc/systemd/system/wpa_supplicant-wired@.service.d/override.conf
new file mode 100644
index 000000000..030b89a2b
--- /dev/null
+++ b/src/etc/systemd/system/wpa_supplicant-wired@.service.d/override.conf
@@ -0,0 +1,11 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+WorkingDirectory=
+WorkingDirectory=/run/wpa_supplicant
+PIDFile=/run/wpa_supplicant/%I.pid
+ExecStart=
+ExecStart=/sbin/wpa_supplicant -c/run/wpa_supplicant/%I.conf -Dwired -P/run/wpa_supplicant/%I.pid -i%I
+ExecReload=/bin/kill -HUP $MAINPID
| 
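Review bot: Both split `ConfigError` messages in the `is_ipv4`/`is_ipv6` branches lose the space between their two f-string parts and now read "not allowedto listen on"; end the first part with a trailing space, `f'... is not allowed '`. The new `if 'listen' not in upnpd:` guard is the right check but sits after the two `get_all_interface_addr` calls, which enumerate every system address before the configuration is known to be usable — move it to the top of the block, and drop the `f` prefix from `f'Listen address or interface is required!'` since the string has no placeholder. The multicast conditions raise only when the address *is* multicast while the message says it is "not ... a multicast address", so either the condition or the text looks inverted; the commit reformats these lines without addressing that. `verify` starts outside the hunk.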
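Review bot: The drop-in carries no comment explaining why `After=`, `WorkingDirectory=`, `PIDFile=` and `ExecStart=` of the packaged `wpa_supplicant-wired@.service` are cleared and replaced, nor that `-c/run/wpa_supplicant/%I.conf` is the per-interface file rendered by `interfaces-ethernet.py`, which references the exported EAPoL certificate and key. A header such as `# VyOS override: run the wired (802.1X) supplicant against the per-interface config rendered under /run/wpa_supplicant; ExecReload lets 'systemctl reload-or-restart' apply config changes via SIGHUP` would record the contract the Python side depends on. Whether any hardening directives of the upstream unit survive this override cannot be judged from here and is worth confirming with `systemctl cat wpa_supplicant-wired@.service`.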
