summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--data/op-mode-standardized.json3
-rw-r--r--interface-definitions/include/firewall/common-rule-inet.xml.i1
-rw-r--r--interface-definitions/include/firewall/conntrack-helper.xml.i42
-rw-r--r--interface-definitions/include/policy/local-route_rule_protocol.xml.i21
-rw-r--r--interface-definitions/policy-local-route.xml.in1
-rw-r--r--op-mode-definitions/generate_firewall_rule-resequence.xml.in42
-rw-r--r--op-mode-definitions/zone-policy.xml.in24
-rw-r--r--python/vyos/firewall.py14
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py6
-rwxr-xr-xsmoketest/scripts/cli/test_policy.py22
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py120
-rwxr-xr-xsrc/conf_mode/policy-local-route.py103
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py15
-rwxr-xr-xsrc/op_mode/generate_firewall_rule-resequence.py135
-rwxr-xr-xsrc/op_mode/zone.py215
15 files changed, 413 insertions, 351 deletions
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index ded934bff..ed9bb6cad 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -26,6 +26,5 @@
"storage.py",
"uptime.py",
"version.py",
-"vrf.py",
-"zone.py"
+"vrf.py"
]
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index e51dd0056..3dbfbb65c 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -4,6 +4,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-options.xml.i>
#include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/conntrack-helper.xml.i>
#include <include/firewall/nft-queue.xml.i>
<leafNode name="disable">
<properties>
diff --git a/interface-definitions/include/firewall/conntrack-helper.xml.i b/interface-definitions/include/firewall/conntrack-helper.xml.i
new file mode 100644
index 000000000..ee17f2c61
--- /dev/null
+++ b/interface-definitions/include/firewall/conntrack-helper.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from firewall/conntrack-helper.xml.i -->
+<leafNode name="conntrack-helper">
+ <properties>
+ <help>Match related traffic from conntrack helpers</help>
+ <completionHelp>
+ <list>ftp h323 pptp nfs sip tftp sqlnet</list>
+ </completionHelp>
+ <valueHelp>
+ <format>ftp</format>
+ <description>Related traffic from FTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>h323</format>
+ <description>Related traffic from H.323 helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pptp</format>
+ <description>Related traffic from PPTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>nfs</format>
+ <description>Related traffic from NFS helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sip</format>
+ <description>Related traffic from SIP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tftp</format>
+ <description>Related traffic from TFTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sqlnet</format>
+ <description>Related traffic from SQLNet helper</description>
+ </valueHelp>
+ <constraint>
+ <regex>(ftp|h323|pptp|nfs|sip|tftp|sqlnet)</regex>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/local-route_rule_protocol.xml.i b/interface-definitions/include/policy/local-route_rule_protocol.xml.i
new file mode 100644
index 000000000..57582eb37
--- /dev/null
+++ b/interface-definitions/include/policy/local-route_rule_protocol.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from policy/local-route_rule_protocol.xml.i -->
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name or number)</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ </completionHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;protocol&gt;</format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy-local-route.xml.in
index 8619e839e..0a5b81dfa 100644
--- a/interface-definitions/policy-local-route.xml.in
+++ b/interface-definitions/policy-local-route.xml.in
@@ -53,6 +53,7 @@
</constraint>
</properties>
</leafNode>
+ #include <include/policy/local-route_rule_protocol.xml.i>
<leafNode name="source">
<properties>
<help>Source address or prefix</help>
diff --git a/op-mode-definitions/generate_firewall_rule-resequence.xml.in b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
new file mode 100644
index 000000000..66078deb9
--- /dev/null
+++ b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="generate">
+ <children>
+ <node name="firewall">
+ <properties>
+ <help>Firewall</help>
+ </properties>
+ <children>
+ <node name="rule-resequence">
+ <properties>
+ <help>Resequence the firewall rules</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py</command>
+ <children>
+ <tagNode name="start">
+ <properties>
+ <help>Set the first sequence number</help>
+ <completionHelp>
+ <list>1-1000</list>
+ </completionHelp>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5</command>
+ <children>
+ <tagNode name="step">
+ <properties>
+ <help>Step between rules</help>
+ <completionHelp>
+ <list>1-1000</list>
+ </completionHelp>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5 --step $7</command>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/zone-policy.xml.in b/op-mode-definitions/zone-policy.xml.in
deleted file mode 100644
index 9d65ddd3d..000000000
--- a/op-mode-definitions/zone-policy.xml.in
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="show">
- <children>
- <node name="zone-policy">
- <properties>
- <help>Show zone policy information</help>
- </properties>
- <children>
- <tagNode name="zone">
- <properties>
- <help>Show summary of zone policy for a specific zone</help>
- <completionHelp>
- <path>firewall zone</path>
- </completionHelp>
- </properties>
- <command>sudo ${vyos_op_scripts_dir}/zone.py show --zone $4</command>
- </tagNode>
- </children>
- <command>sudo ${vyos_op_scripts_dir}/zone.py show</command>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3ca7a25b9..7e43b815a 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -102,6 +102,20 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if states:
output.append(f'ct state {{{states}}}')
+ if 'conntrack_helper' in rule_conf:
+ helper_map = {'h323': ['RAS', 'Q.931'], 'nfs': ['rpc'], 'sqlnet': ['tns']}
+ helper_out = []
+
+ for helper in rule_conf['conntrack_helper']:
+ if helper in helper_map:
+ helper_out.extend(helper_map[helper])
+ else:
+ helper_out.append(helper)
+
+ if helper_out:
+ helper_str = ','.join(f'"{s}"' for s in helper_out)
+ output.append(f'ct helper {{{helper_str}}}')
+
if 'connection_status' in rule_conf and rule_conf['connection_status']:
status = rule_conf['connection_status']
if status['nat'] == 'destination':
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 676be5305..4a577562d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -503,12 +503,15 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
-
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'state', 'related', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'ftp'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'pptp'])
self.cli_commit()
@@ -517,6 +520,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['ct state invalid', 'reject'],
['ct state new', 'ct status dnat', 'accept'],
['ct state { established, new }', 'ct status snat', 'accept'],
+ ['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
['drop', f'comment "{name} default-action drop"']
]
diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py
index 354f791bd..e868895ce 100755
--- a/smoketest/scripts/cli/test_policy.py
+++ b/smoketest/scripts/cli/test_policy.py
@@ -1519,6 +1519,28 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
self.assertEqual(sort_ip(tmp), sort_ip(original))
+ # Test set table for destination and protocol
+ def test_protocol_destination_table_id(self):
+ path = base_path + ['local-route']
+
+ dst = '203.0.113.12'
+ rule = '85'
+ table = '104'
+ proto = 'tcp'
+
+ self.cli_set(path + ['rule', rule, 'set', 'table', table])
+ self.cli_set(path + ['rule', rule, 'destination', dst])
+ self.cli_set(path + ['rule', rule, 'protocol', proto])
+
+ self.cli_commit()
+
+ original = """
+ 85: from all to 203.0.113.12 ipproto tcp lookup 104
+ """
+ tmp = cmd('ip rule show prio 85')
+
+ self.assertEqual(sort_ip(tmp), sort_ip(original))
+
# Test set table for sources with fwmark
def test_fwmark_sources_table_id(self):
path = base_path + ['local-route']
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 01b0406bf..17b1b395c 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -45,77 +45,62 @@ PROCESS_NAME = 'charon-systemd'
regex_uuid4 = '[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}'
ca_pem = """
-MIIDSzCCAjOgAwIBAgIUQHK+ZgTUYZksvXY2/MyW+Jiels4wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MTk0NTI3WhcNMzEw
-NjEyMTk0NTI3WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKCAzpatA8yywXhGunWD//6Qg9EMJMb+7didNr10
-DuYPPGyTOXwG4Xicbr0FJ6cNkWg4wj3ZXEqqBzgS1Z9u78yuYPt5LE9eM8Wtawp7
-qIUCMTlSu4uD3/4A3c1xfHDpTOEl1BDvxMtQxQZcMNQVUG5ZMdcWQvqvQG6F7Nak
-+jgkaQ+Gyhwq++KVTEHJsA6+POuD0uaqAJv3tLGrRf4y4zdOn4thuTQ9swIBjKW6
-ci78Dk0F4u24YYV2BHKsPEPIyCQxKSRrMvqVWWljX9HmNsGawyEhLvW34aphj0aD
-JL/n1kWm+DnGyM+Rp6pXQz5y3xAnmKeYziaQNnvHoQi+gY0CAwEAAaOBkDCBjTAd
-BgNVHQ4EFgQUy43jkjE+CORrxeddqofQztZ9UxYwUQYDVR0jBEowSIAUy43jkjE+
-CORrxeddqofQztZ9UxahGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRAcr5m
-BNRhmSy9djb8zJb4mJ6WzjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
-hkiG9w0BAQsFAAOCAQEALHdd1JXq6EUF9dSUijPLEiDVwn2TTIBIxvQqFzpWDDHg
-EWLzRJESyNUbIiwuUGwvqcVki0TmQcFR9XwmcDFDotlXz9OQISBlCW+Twuf4/XAL
-11njH8qXSaWF/wPbF35NOPhV5xOOCZ6K7Vilp3tK6LeOWvz2AUtwiVE1prNV3cIA
-B2ham0JASS0HIkfrcjpZNcx4NlSBaFf4MK5A11p13zPqMqzdEqn6n8fbYEADfVzy
-TfdqX1dPVc9zaM8uwyh5VyYBMDV7DoL384ZHJZYLENK/pT4kbl+sM/Cnhvyu0UCe
-RVqJGQtCdChZpDAVkzJRQYw3/FR8Mj+M+8GrgOrJ0w==
+MIICMDCCAdegAwIBAgIUBCzIjYvD7SPbx5oU18IYg7NVxQ0wCgYIKoZIzj0EAwIw
+ZzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEgMB4GA1UEAwwXSVBTZWMgU21va2V0ZXN0
+IFJvb3QgQ0EwHhcNMjMwOTI0MTIwMzQxWhcNMzMwOTIxMTIwMzQxWjBnMQswCQYD
+VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5
+MQ0wCwYDVQQKDARWeU9TMSAwHgYDVQQDDBdJUFNlYyBTbW9rZXRlc3QgUm9vdCBD
+QTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEh8/yU572B3zmFxrGgHk+H7grYt
+EHUJodY3gXNWMHz0gySrbGhsGtECDfP/G+T4Suk7cuVzB1wnLocSafD8TcqjYTBf
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
+AQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUTYoQJNlk7X87/gRegHnCnPef39Aw
+CgYIKoZIzj0EAwIDRwAwRAIgX1spXjrUc10r3g/Zm4O31LU5O08J2vVqFo94zHE5
+0VgCIG4JK9Zg5O/yn4mYksZux7efiHRUzL2y2TXQ9IqrqM8W
+"""
+
+int_ca_pem = """
+MIICYDCCAgWgAwIBAgIUcFx2BVYErHI+SneyPYHijxXt1cgwCgYIKoZIzj0EAwIw
+ZzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEgMB4GA1UEAwwXSVBTZWMgU21va2V0ZXN0
+IFJvb3QgQ0EwHhcNMjMwOTI0MTIwNTE5WhcNMzMwOTIwMTIwNTE5WjBvMQswCQYD
+VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5
+MQ0wCwYDVQQKDARWeU9TMSgwJgYDVQQDDB9JUFNlYyBTbW9rZXRlc3QgSW50ZXJt
+ZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIHw2G5dq3c715AcA
+tzR++dYu1fLRFmHzRGTZOT7hLrh2Fg4hnKFPLOeUA5Qi50xCvjJ9JnonTyy2RfRH
+axYizKOBhjCBgzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFC9KrFYtA+hO
+l7vdMbWxTMAyLB7BMB8GA1UdIwQYMBaAFE2KECTZZO1/O/4EXoB5wpz3n9/QMAoG
+CCqGSM49BAMCA0kAMEYCIQCnqWbElgOL9dGO3iLxasFNq/hM7vM/DzaiHi4BowxW
+0gIhAMohefNj+QgLfPhvyODHIPE9LMyfp7lJEaCC2K8PCSFD
"""
peer_cert = """
-MIIDZjCCAk6gAwIBAgIRAKHpoE0rTcB/YXhnFpeckngwDQYJKoZIhvcNAQELBQAw
-FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MjAwNDQ3WhcNMjQwNTI5
-MjAwNDQ3WjAQMQ4wDAYDVQQDDAVwZWVyMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALNwjDC1Lj2ojfCi1TESsyD0MLuqUVLTBZaXCXFtQdB/Aw3b3eBc
-J8+FUYQ6xMplmklXcjJEyXSMvqENpLX6xEDNWWvqTf22eEWt36QTfBeyFyDKtXnm
-4Y+ufXAHl3sLtyZN/7q+Xl4ubYvtAHVRLYzkXAtj1tVdaYEZQy8x/F3ZFFUsCfxR
-RqJBKTxcENP8STpIz9X8dS9iif9SBA42C0eHqMWv1tYW1IHO9gQxYFS3cvoPDPlD
-AJ3ihu5x3fO892S7FtZLVN/GsN1TKRKL217eVPyW0+QcnUwbrXWc7fnmm1btXVmh
-9YKPdtX8WnEeOtMCVZGKqdydnI3iAqvPmd0CAwEAAaOBtDCBsTAJBgNVHRMEAjAA
-MB0GA1UdDgQWBBQGsAPY4cHnTNUv7l+l8OYRSqcX8jBRBgNVHSMESjBIgBTLjeOS
-MT4I5GvF512qh9DO1n1TFqEapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFEBy
-vmYE1GGZLL12NvzMlviYnpbOMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQE
-AwIFoDAQBgNVHREECTAHggVwZWVyMTANBgkqhkiG9w0BAQsFAAOCAQEAdJr+11eG
-FvChxu/LkwsXe2V+OZzGRq+hmQlaK3kG/AyI5hVA/IVHJkDe281wbBNKBWYxeSMn
-lAKbwuhPluO99oldzY9ZVkSiRmLh3r27wy/y+1plvoNxyTN7644Hvtk/8P/LV67R
-amXvVgkhpvIQSBfgifXzqUs+BV/x7TSeN3isxNOB8FP6imODsw8lF0Ir1Ze34emr
-TMNo5wNR5xp2dUa9OkzjRpgpifh20zM3UeVOixIPoq78IDjT0aZP8Lve2/g4Ccc6
-RHNF31r/2UL8rZfQRUAMijVdAvIINCk0kRBhNcr9MCi3czmmgiXXMGwLWLvSkfnE
-W06wKX1lpPSptg==
+MIICSTCCAfCgAwIBAgIUPxYleUgCo/glVVePze3QmAFgi6MwCgYIKoZIzj0EAwIw
+bzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEoMCYGA1UEAwwfSVBTZWMgU21va2V0ZXN0
+IEludGVybWVkaWF0ZSBDQTAeFw0yMzA5MjQxMjA2NDJaFw0yODA5MjIxMjA2NDJa
+MGQxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlT
+b21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxHTAbBgNVBAMMFElQU2VjIFNtb2tldGVz
+dCBQZWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZJtuTDu84uy++GMwRNLl
+10JAXZxXQSDl+CdTWwjbQZURcdY+ia7BoaoYX/0VKPel3Se64rIUQQLQoY/9MJb9
+UKN1MHMwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
+KwYBBQUHAwEwHQYDVR0OBBYEFNJCdnkm3cAmf04UwOKL7IqMJ6OXMB8GA1UdIwQY
+MBaAFC9KrFYtA+hOl7vdMbWxTMAyLB7BMAoGCCqGSM49BAMCA0cAMEQCIGVnDRUy
+UJ0U/deDvrBo1+AakZndkNAMN/XNo5a5GzhEAiBCY7E/3b0BIO8FiIbVB3iDcaxg
+g7ET2RgWxvhEoN3ZRw==
"""
peer_key = """
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzcIwwtS49qI3w
-otUxErMg9DC7qlFS0wWWlwlxbUHQfwMN293gXCfPhVGEOsTKZZpJV3IyRMl0jL6h
-DaS1+sRAzVlr6k39tnhFrd+kE3wXshcgyrV55uGPrn1wB5d7C7cmTf+6vl5eLm2L
-7QB1US2M5FwLY9bVXWmBGUMvMfxd2RRVLAn8UUaiQSk8XBDT/Ek6SM/V/HUvYon/
-UgQONgtHh6jFr9bWFtSBzvYEMWBUt3L6Dwz5QwCd4obucd3zvPdkuxbWS1TfxrDd
-UykSi9te3lT8ltPkHJ1MG611nO355ptW7V1ZofWCj3bV/FpxHjrTAlWRiqncnZyN
-4gKrz5ndAgMBAAECggEACvAya4mv3uxWcrPKYSptpvWbvuTb/juE3LAqUDLDz0ze
-x8p+VP3pI1pSJMhcVKYq6IufF3df/G3T9Qda4gj+S6D48X4f8PZdkInP1zWk2+Ds
-TgBtXZf4agTN+rVLw6FsMbaRfzW5lO4pmV0CKSSgrTUCc2NLpkgCdW8vzEG0y5ek
-15uBOyvuydWM4CFgZT/cUvnu4UtPFL1vaTdD4Lw0FfZq4iS8SWsGbbMoTPKkJRlS
-k9oMEOvhA1WIfSgiG0FyaidoNEormB6J1SKVo27P8SOYu2etiFdF9SJUYg9cBzM3
-z3HcAsXeSh2kpc8Fc2yOS6zI5AsC0Len2SQmKQD8YQKBgQDlgg5cZV5AY2Ji6b+T
-nTHjna7dg/kzUOYs0AmK9DHHziZJ2SKucJlB9smynPLjY/MQbKcNWQ1Cad+olDNP
-Ts4lLhs4kbITkmgPQME3it1fGstHy/sGcF0m+YRsSxfwt5bxLXH86+d067C0XMhg
-URMgGv9ZBTe/P1LuhIUTEjYzlQKBgQDIJvl7sSXHRRB0k7NU/uV3Tut3NTqIzXiz
-pq9hMyF+3aIqaA7kdjIIJczv1grVYz+RUdX3Gu1FyHMl8ynoEz5NNWsbe+Ay/moa
-ztijak3UH3M+d6WsxSRehdYl6DaMstHwWfKZvWNJCGyl7ckz9gGjc3DY/qYqZDrx
-p3LlZsY7KQKBgQCj3ur2GgLkIpI7Yf9CHPlkNlCHJhYnB9pxoNFPf/CTY6R/EiTr
-PMaRDO8TM3FR3ynMTmgw5abMBuCFc9v3AqO6dGNHTvBBfUYDrg7H48UQhQckaocA
-H/bDP2HIGQ4s+Ek0R2ieWKpZF3iCL8V60CjBwcUVAN6/FS3X1JNX/KbqyQKBgQDA
-8dlk5PN/MlPXnZ6t2/7G0bxpsVVZFYI65P+CGvE6RFuUt7VLhalbc10pAtR0unVI
-GHTD/iAnOkHOnqeSQiK3+TvkRbluTxVn/GiYt9yJFTxaRqrebzlNKYW0CzOy1JtP
-MNaOYCS6/bUHC7//KDKSJ7HsbScwDGlKFVrMTBPiaQKBgQCjkIJDZ4pC3er7QiC3
-RXWPyxIG5iTjn4fizphaBt6+pkBAlBh0V6inmleAWa5DJSpgU4jQv4mZsAQs6ctq
-usmoy47ke8pTXPHgQ8ZUwsfM4IztqOm+w0X6mSZi6HdJCnMdxCZBBpO225UvonSR
-rgiyCHemtMepq57Pl1Nmj49eEA==
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgVDEZDK7q/T+tiJUV
+WLKS3ZYDfZ4lZv0C1gJpYq0gWP2hRANCAARkm25MO7zi7L74YzBE0uXXQkBdnFdB
+IOX4J1NbCNtBlRFx1j6JrsGhqhhf/RUo96XdJ7rishRBAtChj/0wlv1Q
"""
+swanctl_dir = '/etc/swanctl'
+CERT_PATH = f'{swanctl_dir}/x509/'
+CA_PATH = f'{swanctl_dir}/x509ca/'
+
class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
skip_process_check = False
@@ -400,7 +385,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
# Enable PKI
peer_name = 'peer1'
ca_name = 'MyVyOS-CA'
+ int_ca_name = 'MyVyOS-IntCA'
self.cli_set(['pki', 'ca', ca_name, 'certificate', ca_pem.replace('\n','')])
+ self.cli_set(['pki', 'ca', int_ca_name, 'certificate', int_ca_pem.replace('\n','')])
self.cli_set(['pki', 'certificate', peer_name, 'certificate', peer_cert.replace('\n','')])
self.cli_set(['pki', 'certificate', peer_name, 'private', 'key', peer_key.replace('\n','')])
@@ -415,7 +402,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(peer_base_path + ['authentication', 'local-id', peer_name])
self.cli_set(peer_base_path + ['authentication', 'mode', 'x509'])
self.cli_set(peer_base_path + ['authentication', 'remote-id', 'peer2'])
- self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', ca_name])
+ self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', int_ca_name])
self.cli_set(peer_base_path + ['authentication', 'x509', 'certificate', peer_name])
self.cli_set(peer_base_path + ['connection-type', 'initiate'])
self.cli_set(peer_base_path + ['ike-group', ike_group])
@@ -466,6 +453,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
for line in swanctl_secrets_lines:
self.assertIn(line, swanctl_conf)
+ # Check Root CA, Intermediate CA and Peer cert/key pair is present
+ self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}_1.pem')))
+ self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}_2.pem')))
+ self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+
# There is only one VTI test so no need to delete this globally in tearDown()
self.cli_delete(vti_path)
diff --git a/src/conf_mode/policy-local-route.py b/src/conf_mode/policy-local-route.py
index 79526f82a..d3c307cdc 100755
--- a/src/conf_mode/policy-local-route.py
+++ b/src/conf_mode/policy-local-route.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020-2021 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -16,6 +16,7 @@
import os
+from itertools import product
from sys import exit
from netifaces import interfaces
@@ -54,6 +55,7 @@ def get_config(config=None):
fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
+ proto = leaf_node_changed(conf, base_rule + [rule, 'protocol'])
rule_def = {}
if src:
rule_def = dict_merge({'source' : src}, rule_def)
@@ -63,6 +65,8 @@ def get_config(config=None):
rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
if dst:
rule_def = dict_merge({'destination' : dst}, rule_def)
+ if proto:
+ rule_def = dict_merge({'protocol' : proto}, rule_def)
dict = dict_merge({dict_id : {rule : rule_def}}, dict)
pbr.update(dict)
@@ -78,6 +82,7 @@ def get_config(config=None):
fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
+ proto = leaf_node_changed(conf, base_rule + [rule, 'protocol'])
# keep track of changes in configuration
# otherwise we might remove an existing node although nothing else has changed
changed = False
@@ -119,6 +124,13 @@ def get_config(config=None):
changed = True
if len(dst) > 0:
rule_def = dict_merge({'destination' : dst}, rule_def)
+ if proto is None:
+ if 'protocol' in rule_config:
+ rule_def = dict_merge({'protocol': rule_config['protocol']}, rule_def)
+ else:
+ changed = True
+ if len(proto) > 0:
+ rule_def = dict_merge({'protocol' : proto}, rule_def)
if changed:
dict = dict_merge({dict_id : {rule : rule_def}}, dict)
pbr.update(dict)
@@ -137,18 +149,22 @@ def verify(pbr):
pbr_route = pbr[route]
if 'rule' in pbr_route:
for rule in pbr_route['rule']:
- if 'source' not in pbr_route['rule'][rule] \
- and 'destination' not in pbr_route['rule'][rule] \
- and 'fwmark' not in pbr_route['rule'][rule] \
- and 'inbound_interface' not in pbr_route['rule'][rule]:
- raise ConfigError('Source or destination address or fwmark or inbound-interface is required!')
- else:
- if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']:
- raise ConfigError('Table set is required!')
- if 'inbound_interface' in pbr_route['rule'][rule]:
- interface = pbr_route['rule'][rule]['inbound_interface']
- if interface not in interfaces():
- raise ConfigError(f'Interface "{interface}" does not exist')
+ if (
+ 'source' not in pbr_route['rule'][rule] and
+ 'destination' not in pbr_route['rule'][rule] and
+ 'fwmark' not in pbr_route['rule'][rule] and
+ 'inbound_interface' not in pbr_route['rule'][rule] and
+ 'protocol' not in pbr_route['rule'][rule]
+ ):
+ raise ConfigError('Source or destination address or fwmark or inbound-interface or protocol is required!')
+
+ if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']:
+ raise ConfigError('Table set is required!')
+
+ if 'inbound_interface' in pbr_route['rule'][rule]:
+ interface = pbr_route['rule'][rule]['inbound_interface']
+ if interface not in interfaces():
+ raise ConfigError(f'Interface "{interface}" does not exist')
return None
@@ -166,20 +182,22 @@ def apply(pbr):
for rule_rm in ['rule_remove', 'rule6_remove']:
if rule_rm in pbr:
v6 = " -6" if rule_rm == 'rule6_remove' else ""
+
for rule, rule_config in pbr[rule_rm].items():
- rule_config['source'] = rule_config['source'] if 'source' in rule_config else ['']
- for src in rule_config['source']:
+ source = rule_config.get('source', [''])
+ destination = rule_config.get('destination', [''])
+ fwmark = rule_config.get('fwmark', [''])
+ inbound_interface = rule_config.get('inbound_interface', [''])
+ protocol = rule_config.get('protocol', [''])
+
+ for src, dst, fwmk, iif, proto in product(source, destination, fwmark, inbound_interface, protocol):
f_src = '' if src == '' else f' from {src} '
- rule_config['destination'] = rule_config['destination'] if 'destination' in rule_config else ['']
- for dst in rule_config['destination']:
- f_dst = '' if dst == '' else f' to {dst} '
- rule_config['fwmark'] = rule_config['fwmark'] if 'fwmark' in rule_config else ['']
- for fwmk in rule_config['fwmark']:
- f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} '
- rule_config['inbound_interface'] = rule_config['inbound_interface'] if 'inbound_interface' in rule_config else ['']
- for iif in rule_config['inbound_interface']:
- f_iif = '' if iif == '' else f' iif {iif} '
- call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif}')
+ f_dst = '' if dst == '' else f' to {dst} '
+ f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} '
+ f_iif = '' if iif == '' else f' iif {iif} '
+ f_proto = '' if proto == '' else f' ipproto {proto} '
+
+ call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif}')
# Generate new config
for route in ['local_route', 'local_route6']:
@@ -187,27 +205,26 @@ def apply(pbr):
continue
v6 = " -6" if route == 'local_route6' else ""
-
pbr_route = pbr[route]
+
if 'rule' in pbr_route:
for rule, rule_config in pbr_route['rule'].items():
- table = rule_config['set']['table']
-
- rule_config['source'] = rule_config['source'] if 'source' in rule_config else ['all']
- for src in rule_config['source'] or ['all']:
- f_src = '' if src == '' else f' from {src} '
- rule_config['destination'] = rule_config['destination'] if 'destination' in rule_config else ['all']
- for dst in rule_config['destination']:
- f_dst = '' if dst == '' else f' to {dst} '
- f_fwmk = ''
- if 'fwmark' in rule_config:
- fwmk = rule_config['fwmark']
- f_fwmk = f' fwmark {fwmk} '
- f_iif = ''
- if 'inbound_interface' in rule_config:
- iif = rule_config['inbound_interface']
- f_iif = f' iif {iif} '
- call(f'ip{v6} rule add prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif} lookup {table}')
+ table = rule_config['set'].get('table', '')
+ source = rule_config.get('source', ['all'])
+ destination = rule_config.get('destination', ['all'])
+ fwmark = rule_config.get('fwmark', '')
+ inbound_interface = rule_config.get('inbound_interface', '')
+ protocol = rule_config.get('protocol', '')
+
+ for src in source:
+ f_src = f' from {src} ' if src else ''
+ for dst in destination:
+ f_dst = f' to {dst} ' if dst else ''
+ f_fwmk = f' fwmark {fwmark} ' if fwmark else ''
+ f_iif = f' iif {inbound_interface} ' if inbound_interface else ''
+ f_proto = f' ipproto {protocol} ' if protocol else ''
+
+ call(f'ip{v6} rule add prio {rule}{f_src}{f_dst}{f_proto}{f_fwmk}{f_iif} lookup {table}')
return None
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index fa271cbdb..9e9385ddb 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -29,7 +29,10 @@ from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
from vyos.defaults import directories
from vyos.ifconfig import Interface
+from vyos.pki import encode_certificate
from vyos.pki import encode_public_key
+from vyos.pki import find_chain
+from vyos.pki import load_certificate
from vyos.pki import load_private_key
from vyos.pki import wrap_certificate
from vyos.pki import wrap_crl
@@ -431,15 +434,23 @@ def generate_pki_files_x509(pki, x509_conf):
ca_cert_name = x509_conf['ca_certificate']
ca_cert_data = dict_search_args(pki, 'ca', ca_cert_name, 'certificate')
ca_cert_crls = dict_search_args(pki, 'ca', ca_cert_name, 'crl') or []
+ ca_index = 1
crl_index = 1
+ ca_cert = load_certificate(ca_cert_data)
+ pki_ca_certs = [load_certificate(ca['certificate']) for ca in pki['ca'].values()]
+
+ ca_cert_chain = find_chain(ca_cert, pki_ca_certs)
+
cert_name = x509_conf['certificate']
cert_data = dict_search_args(pki, 'certificate', cert_name, 'certificate')
key_data = dict_search_args(pki, 'certificate', cert_name, 'private', 'key')
protected = 'passphrase' in x509_conf
- with open(os.path.join(CA_PATH, f'{ca_cert_name}.pem'), 'w') as f:
- f.write(wrap_certificate(ca_cert_data))
+ for ca_cert_obj in ca_cert_chain:
+ with open(os.path.join(CA_PATH, f'{ca_cert_name}_{ca_index}.pem'), 'w') as f:
+ f.write(encode_certificate(ca_cert_obj))
+ ca_index += 1
for crl in ca_cert_crls:
with open(os.path.join(CRL_PATH, f'{ca_cert_name}_{crl_index}.pem'), 'w') as f:
diff --git a/src/op_mode/generate_firewall_rule-resequence.py b/src/op_mode/generate_firewall_rule-resequence.py
new file mode 100755
index 000000000..b5b625a80
--- /dev/null
+++ b/src/op_mode/generate_firewall_rule-resequence.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import argparse
+from vyos.configquery import ConfigTreeQuery
+
+
+def convert_to_set_commands(config_dict, parent_key=''):
+ """
+ Converts a configuration dictionary into a list of set commands.
+
+ Args:
+ config_dict (dict): The configuration dictionary.
+ parent_key (str): The parent key for nested dictionaries.
+
+ Returns:
+ list: A list of set commands.
+ """
+ commands = []
+ for key, value in config_dict.items():
+ current_key = parent_key + key if parent_key else key
+
+ if isinstance(value, dict):
+ if not value:
+ commands.append(f"set {current_key}")
+ else:
+ commands.extend(
+ convert_to_set_commands(value, f"{current_key} "))
+
+ elif isinstance(value, str):
+ commands.append(f"set {current_key} '{value}'")
+
+ return commands
+
+
+def change_rule_numbers(config_dict, start, step):
+ """
+ Changes rule numbers in the configuration dictionary.
+
+ Args:
+ config_dict (dict): The configuration dictionary.
+ start (int): The starting rule number.
+ step (int): The step to increment the rule numbers.
+
+ Returns:
+ None
+ """
+ if 'rule' in config_dict:
+ rule_dict = config_dict['rule']
+ updated_rule_dict = {}
+ rule_num = start
+ for rule_key in sorted(rule_dict.keys()):
+ updated_rule_dict[str(rule_num)] = rule_dict[rule_key]
+ rule_num += step
+ config_dict['rule'] = updated_rule_dict
+
+ for key in config_dict:
+ if isinstance(config_dict[key], dict):
+ change_rule_numbers(config_dict[key], start, step)
+
+
+def convert_rule_keys_to_int(config_dict):
+ """
+ Converts rule keys in the configuration dictionary to integers.
+
+ Args:
+ config_dict (dict or list): The configuration dictionary or list.
+
+ Returns:
+ dict or list: The modified dictionary or list.
+ """
+ if isinstance(config_dict, dict):
+ new_dict = {}
+ for key, value in config_dict.items():
+ # Convert key to integer if possible
+ new_key = int(key) if key.isdigit() else key
+
+ # Recur for nested dictionaries
+ if isinstance(value, dict):
+ new_value = convert_rule_keys_to_int(value)
+ else:
+ new_value = value
+
+ new_dict[new_key] = new_value
+
+ return new_dict
+ elif isinstance(config_dict, list):
+ return [convert_rule_keys_to_int(item) for item in config_dict]
+ else:
+ return config_dict
+
+
+if __name__ == "__main__":
+ # Parse command-line arguments
+ parser = argparse.ArgumentParser(description='Convert dictionary to set commands with rule number modifications.')
+ parser.add_argument('--start', type=int, default=100, help='Start rule number')
+ parser.add_argument('--step', type=int, default=10, help='Step for rule numbers (default: 10)')
+ args = parser.parse_args()
+
+ config = ConfigTreeQuery()
+ if not config.exists('firewall'):
+ print('Firewall is not configured')
+ exit(1)
+
+ #config_dict = config.get_config_dict('firewall')
+ config_dict = config.get_config_dict('firewall')
+
+ # Convert rule keys to integers, rule "10" -> rule 10
+ # This is necessary for sorting the rules
+ config_dict = convert_rule_keys_to_int(config_dict)
+
+ # Apply rule number modifications
+ change_rule_numbers(config_dict, start=args.start, step=args.step)
+
+ # Convert to 'set' commands
+ set_commands = convert_to_set_commands(config_dict)
+
+ print()
+ for command in set_commands:
+ print(command)
+ print()
diff --git a/src/op_mode/zone.py b/src/op_mode/zone.py
deleted file mode 100755
index 17ce90396..000000000
--- a/src/op_mode/zone.py
+++ /dev/null
@@ -1,215 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import typing
-import sys
-import vyos.opmode
-
-import tabulate
-from vyos.configquery import ConfigTreeQuery
-from vyos.utils.dict import dict_search_args
-from vyos.utils.dict import dict_search
-
-
-def get_config_zone(conf, name=None):
- config_path = ['firewall', 'zone']
- if name:
- config_path += [name]
-
- zone_policy = conf.get_config_dict(config_path, key_mangling=('-', '_'),
- get_first_key=True,
- no_tag_node_value_mangle=True)
- return zone_policy
-
-
-def _convert_one_zone_data(zone: str, zone_config: dict) -> dict:
- """
- Convert config dictionary of one zone to API dictionary
- :param zone: Zone name
- :type zone: str
- :param zone_config: config dictionary
- :type zone_config: dict
- :return: AP dictionary
- :rtype: dict
- """
- list_of_rules = []
- intrazone_dict = {}
- if dict_search('from', zone_config):
- for from_zone, from_zone_config in zone_config['from'].items():
- from_zone_dict = {'name': from_zone}
- if dict_search('firewall.name', from_zone_config):
- from_zone_dict['firewall'] = dict_search('firewall.name',
- from_zone_config)
- if dict_search('firewall.ipv6_name', from_zone_config):
- from_zone_dict['firewall_v6'] = dict_search(
- 'firewall.ipv6_name', from_zone_config)
- list_of_rules.append(from_zone_dict)
-
- zone_dict = {
- 'name': zone,
- 'interface': dict_search('interface', zone_config),
- 'type': 'LOCAL' if dict_search('local_zone',
- zone_config) is not None else None,
- }
- if list_of_rules:
- zone_dict['from'] = list_of_rules
- if dict_search('intra_zone_filtering.firewall.name', zone_config):
- intrazone_dict['firewall'] = dict_search(
- 'intra_zone_filtering.firewall.name', zone_config)
- if dict_search('intra_zone_filtering.firewall.ipv6_name', zone_config):
- intrazone_dict['firewall_v6'] = dict_search(
- 'intra_zone_filtering.firewall.ipv6_name', zone_config)
- if intrazone_dict:
- zone_dict['intrazone'] = intrazone_dict
- return zone_dict
-
-
-def _convert_zones_data(zone_policies: dict) -> list:
- """
- Convert all config dictionary to API list of zone dictionaries
- :param zone_policies: config dictionary
- :type zone_policies: dict
- :return: API list
- :rtype: list
- """
- zone_list = []
- for zone, zone_config in zone_policies.items():
- zone_list.append(_convert_one_zone_data(zone, zone_config))
- return zone_list
-
-
-def _convert_config(zones_config: dict, zone: str = None) -> list:
- """
- convert config to API list
- :param zones_config: zones config
- :type zones_config:
- :param zone: zone name
- :type zone: str
- :return: API list
- :rtype: list
- """
- if zone:
- if zones_config:
- output = [_convert_one_zone_data(zone, zones_config)]
- else:
- raise vyos.opmode.DataUnavailable(f'Zone {zone} not found')
- else:
- if zones_config:
- output = _convert_zones_data(zones_config)
- else:
- raise vyos.opmode.UnconfiguredSubsystem(
- 'Zone entries are not configured')
- return output
-
-
-def output_zone_list(zone_conf: dict) -> list:
- """
- Format one zone row
- :param zone_conf: zone config
- :type zone_conf: dict
- :return: formatted list of zones
- :rtype: list
- """
- zone_info = [zone_conf['name']]
- if zone_conf['type'] == 'LOCAL':
- zone_info.append('LOCAL')
- else:
- zone_info.append("\n".join(zone_conf['interface']))
-
- from_zone = []
- firewall = []
- firewall_v6 = []
- if 'intrazone' in zone_conf:
- from_zone.append(zone_conf['name'])
-
- v4_name = dict_search_args(zone_conf['intrazone'], 'firewall')
- v6_name = dict_search_args(zone_conf['intrazone'], 'firewall_v6')
- if v4_name:
- firewall.append(v4_name)
- else:
- firewall.append('')
- if v6_name:
- firewall_v6.append(v6_name)
- else:
- firewall_v6.append('')
-
- if 'from' in zone_conf:
- for from_conf in zone_conf['from']:
- from_zone.append(from_conf['name'])
-
- v4_name = dict_search_args(from_conf, 'firewall')
- v6_name = dict_search_args(from_conf, 'firewall_v6')
- if v4_name:
- firewall.append(v4_name)
- else:
- firewall.append('')
- if v6_name:
- firewall_v6.append(v6_name)
- else:
- firewall_v6.append('')
-
- zone_info.append("\n".join(from_zone))
- zone_info.append("\n".join(firewall))
- zone_info.append("\n".join(firewall_v6))
- return zone_info
-
-
-def get_formatted_output(zone_policy: list) -> str:
- """
- Formatted output of all zones
- :param zone_policy: list of zones
- :type zone_policy: list
- :return: formatted table with zones
- :rtype: str
- """
- headers = ["Zone",
- "Interfaces",
- "From Zone",
- "Firewall IPv4",
- "Firewall IPv6"
- ]
- formatted_list = []
- for zone_conf in zone_policy:
- formatted_list.append(output_zone_list(zone_conf))
- tabulate.PRESERVE_WHITESPACE = True
- output = tabulate.tabulate(formatted_list, headers, numalign="left")
- return output
-
-
-def show(raw: bool, zone: typing.Optional[str]):
- """
- Show zone-policy command
- :param raw: if API
- :type raw: bool
- :param zone: zone name
- :type zone: str
- """
- conf: ConfigTreeQuery = ConfigTreeQuery()
- zones_config: dict = get_config_zone(conf, zone)
- zone_policy_api: list = _convert_config(zones_config, zone)
- if raw:
- return zone_policy_api
- else:
- return get_formatted_output(zone_policy_api)
-
-
-if __name__ == '__main__':
- try:
- res = vyos.opmode.run(sys.modules[__name__])
- if res:
- print(res)
- except (ValueError, vyos.opmode.Error) as e:
- print(e)
- sys.exit(1)
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-26 17:10:12 +0000