diff options
| -rw-r--r-- | interface-definitions/interfaces-openvpn.xml | 23 | ||||
| -rwxr-xr-x | src/conf_mode/interface-openvpn.py | 9 | ||||
| -rwxr-xr-x | src/conf_mode/interface-vxlan.py | 16 |
3 files changed, 35 insertions, 13 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml index df9b4026f..fb2564cbd 100644 --- a/interface-definitions/interfaces-openvpn.xml +++ b/interface-definitions/interfaces-openvpn.xml @@ -590,6 +590,29 @@ </constraint> </properties> </leafNode> + <leafNode name="tls-version-min"> + <properties> + <help>Specify the minimum required TLS version</help> + <completionHelp> + <list>1.0 1.1 1.2</list> + </completionHelp> + <valueHelp> + <format>1.0</format> + <description>TLS v1.0</description> + </valueHelp> + <valueHelp> + <format>1.1</format> + <description>TLS v1.1</description> + </valueHelp> + <valueHelp> + <format>1.2</format> + <description>TLS v1.2</description> + </valueHelp> + <constraint> + <regex>(1.0|1.1|1.2)</regex> + </constraint> + </properties> + </leafNode> <leafNode name="role"> <properties> <help>File containing this host's private key</help> diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py index 7b3e57d7d..35e7928c2 100755 --- a/src/conf_mode/interface-openvpn.py +++ b/src/conf_mode/interface-openvpn.py @@ -167,6 +167,10 @@ key {{ tls_key }} crl-verify {{ tls_crl }} {% endif %} +{%- if tls_version_min %} +tls-version-min {{tls_version_min}} +{% endif %} + {%- if tls_dh %} dh {{ tls_dh }} {% endif %} @@ -288,6 +292,7 @@ default_config_data = { 'tls_dh': '', 'tls_key': '', 'tls_role': '', + 'tls_version_min': '', 'type': 'tun', 'uid': user, 'gid': group, @@ -572,6 +577,10 @@ def get_config(): openvpn['tls_role'] = conf.return_value('tls role') openvpn['tls'] = True + # Minimum required TLS version + if conf.exists('tls tls-version-min'): + openvpn['tls_version_min'] = conf.return_value('tls tls-version-min') + if conf.exists('shared-secret-key-file'): openvpn['shared_secret_file'] = conf.return_value('shared-secret-key-file') diff --git a/src/conf_mode/interface-vxlan.py b/src/conf_mode/interface-vxlan.py index 59022238e..e97b4bf99 100755 --- a/src/conf_mode/interface-vxlan.py +++ b/src/conf_mode/interface-vxlan.py @@ -28,7 +28,6 @@ from netifaces import interfaces default_config_data = { 'address': [], - 'address_remove': [], 'deleted': False, 'description': '', 'disable': False, @@ -43,7 +42,6 @@ default_config_data = { # the IANA's selection of a standard destination port } - def get_config(): vxlan = deepcopy(default_config_data) conf = Config() @@ -66,12 +64,6 @@ def get_config(): if conf.exists('address'): vxlan['address'] = conf.return_values('address') - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed from the interface - eff_addr = conf.return_effective_values('address') - act_addr = conf.return_values('address') - vxlan['address_remove'] = list_diff(eff_addr, act_addr) - # retrieve interface description if conf.exists('description'): vxlan['description'] = conf.return_value('description') @@ -180,11 +172,9 @@ def apply(vxlan): # Enable proxy-arp on this interface v.proxy_arp = vxlan['ip_proxy_arp'] - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in vxlan['address_remove']: - v.del_addr(addr) + # Configure interface address(es) - no need to implicitly delete the + # old addresses as they have already been removed by deleting the + # interface above for addr in vxlan['address']: v.add_addr(addr) |