summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--data/config-mode-dependencies/vyos-1x.json22
-rw-r--r--data/op-mode-standardized.json3
-rw-r--r--data/templates/conntrack/nftables-ct.j251
-rw-r--r--data/templates/conntrack/nftables-helpers.j270
-rw-r--r--data/templates/conntrack/vyos_nf_conntrack.conf.j23
-rw-r--r--data/templates/mdns-repeater/avahi-daemon.conf.j2 (renamed from data/templates/mdns-repeater/avahi-daemon.j2)6
-rw-r--r--debian/vyos-1x.postinst25
-rw-r--r--debian/vyos-1x.preinst2
-rw-r--r--interface-definitions/include/firewall/action-forward.xml.i8
-rw-r--r--interface-definitions/include/firewall/action.xml.i8
-rw-r--r--interface-definitions/include/firewall/common-rule-inet.xml.i5
-rw-r--r--interface-definitions/include/firewall/conntrack-helper.xml.i42
-rw-r--r--interface-definitions/include/firewall/firewall-mark.xml.i26
-rw-r--r--interface-definitions/include/firewall/synproxy.xml.i40
-rw-r--r--interface-definitions/include/policy/local-route_rule_protocol.xml.i21
-rw-r--r--interface-definitions/include/policy/route-common.xml.i1
-rw-r--r--interface-definitions/include/radius-server-ipv4-ipv6.xml.i20
-rw-r--r--interface-definitions/policy-local-route.xml.in1
-rw-r--r--interface-definitions/service-mdns-repeater.xml.in25
-rw-r--r--interface-definitions/system-login.xml.in20
-rw-r--r--op-mode-definitions/generate_firewall_rule-resequence.xml.in42
-rw-r--r--op-mode-definitions/zone-policy.xml.in24
-rw-r--r--python/vyos/firewall.py35
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py44
-rwxr-xr-xsmoketest/scripts/cli/test_policy.py22
-rwxr-xr-xsmoketest/scripts/cli/test_policy_route.py12
-rwxr-xr-xsmoketest/scripts/cli/test_service_mdns-repeater.py74
-rwxr-xr-xsmoketest/scripts/cli/test_system_conntrack.py37
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py120
-rwxr-xr-xsrc/conf_mode/conntrack.py81
-rwxr-xr-xsrc/conf_mode/firewall.py12
-rwxr-xr-xsrc/conf_mode/policy-local-route.py103
-rwxr-xr-xsrc/conf_mode/service_mdns-repeater.py24
-rwxr-xr-xsrc/conf_mode/system-login.py27
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py15
-rwxr-xr-xsrc/op_mode/generate_firewall_rule-resequence.py144
-rwxr-xr-xsrc/op_mode/zone.py215
-rw-r--r--src/pam-configs/radius20
-rw-r--r--src/pam-configs/radius-mandatory19
-rw-r--r--src/pam-configs/radius-optional19
-rw-r--r--src/pam-configs/tacplus17
-rw-r--r--src/pam-configs/tacplus-mandatory17
-rw-r--r--src/pam-configs/tacplus-optional17
-rw-r--r--src/validators/numeric-exclude8
44 files changed, 1003 insertions, 544 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index a433c2522..6c86642c7 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,9 +1,23 @@
{
- "firewall": {"conntrack": ["conntrack"], "group_resync": ["conntrack", "nat", "policy-route"]},
+ "conntrack": {"conntrack_sync": ["conntrack_sync"]},
+ "firewall": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"],
+ "group_resync": ["conntrack", "nat", "policy-route"]
+ },
"http_api": {"https": ["https"]},
- "load_balancing_wan": {"conntrack": ["conntrack"]},
- "nat": {"conntrack": ["conntrack"]},
- "nat66": {"conntrack": ["conntrack"]},
+ "load_balancing_wan": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"]
+ },
+ "nat": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"]
+ },
+ "nat66": {
+ "conntrack": ["conntrack"],
+ "conntrack_sync": ["conntrack_sync"]
+ },
"pki": {
"ethernet": ["interfaces-ethernet"],
"openvpn": ["interfaces-openvpn"],
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index ded934bff..ed9bb6cad 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -26,6 +26,5 @@
"storage.py",
"uptime.py",
"version.py",
-"vrf.py",
-"zone.py"
+"vrf.py"
]
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 895f61a55..1e0fc8065 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,5 +1,6 @@
#!/usr/sbin/nft -f
+{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %}
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% if first_install is not vyos_defined %}
@@ -52,30 +53,7 @@ table ip vyos_conntrack {
notrack
}
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{% if modules[module] is vyos_defined %}
-{% if 'nftables' in module_conf %}
-{% for rule in module_conf.nftables %}
- {{ rule }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% endfor %}
- return
- }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
chain FW_CONNTRACK {
{{ ipv4_firewall_action }}
@@ -140,30 +118,7 @@ table ip6 vyos_conntrack {
notrack
}
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{% if modules[module] is vyos_defined %}
-{% if 'nftables' in module_conf %}
-{% for rule in module_conf.nftables %}
- {{ rule }}
-{% endfor %}
-{% endif %}
-{% endif %}
-{% endfor %}
- return
- }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
chain FW_CONNTRACK {
{{ ipv6_firewall_action }}
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
new file mode 100644
index 000000000..433931162
--- /dev/null
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -0,0 +1,70 @@
+{% macro conntrack_helpers(module_map, modules, ipv4=True) %}
+{% if modules.ftp is vyos_defined %}
+ ct helper ftp_tcp {
+ type "ftp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.h323 is vyos_defined %}
+ ct helper ras_udp {
+ type "RAS" protocol udp;
+ }
+
+ ct helper q931_tcp {
+ type "Q.931" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.pptp is vyos_defined and ipv4 %}
+ ct helper pptp_tcp {
+ type "pptp" protocol tcp;
+ }
+{% endif %}
+
+{% if modules.nfs is vyos_defined %}
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sip is vyos_defined %}
+ ct helper sip_tcp {
+ type "sip" protocol tcp;
+ }
+
+ ct helper sip_udp {
+ type "sip" protocol udp;
+ }
+{% endif %}
+
+{% if modules.tftp is vyos_defined %}
+ ct helper tftp_udp {
+ type "tftp" protocol udp;
+ }
+{% endif %}
+
+{% if modules.sqlnet is vyos_defined %}
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+{% endif %}
+
+ chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{% if modules[module] is vyos_defined %}
+{% if 'nftables' in module_conf %}
+{% if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %}
+{% for rule in module_conf.nftables %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% endfor %}
+ return
+ }
+{% endmacro %}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..197155d96 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
# Autogenerated by conntrack.py
-options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
+options nf_conntrack hashsize={{ hash_size }}
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2
index e0dfd897e..d562c048f 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2
@@ -1,7 +1,7 @@
### Autogenerated by service_mdns-repeater.py ###
[server]
-use-ipv4=yes
-use-ipv6=yes
+use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }}
+use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }}
allow-interfaces={{ interface | join(', ') }}
{% if browse_domain is vyos_defined and browse_domain | length %}
browse-domains={{ browse_domain | join(', ') }}
@@ -17,6 +17,8 @@ disable-user-service-publishing=yes
publish-addresses=no
publish-hinfo=no
publish-workstation=no
+publish-aaaa-on-ipv4=no
+publish-a-on-ipv6=no
[reflector]
enable-reflector=yes
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index b43416152..860319edf 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -29,14 +29,9 @@ do
sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
-# We do not make use of a TACACS UNIX group - drop it
-if grep -q '^tacacs' /etc/group; then
- delgroup tacacs
-fi
-
-# Both RADIUS and TACACS users belong to aaa group - this must be added first
-if ! grep -q '^aaa' /etc/group; then
- addgroup --firstgid 1000 --quiet aaa
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+ addgroup --firstgid 1000 --quiet radius
fi
# Remove TACACS user added by base package - we use our own UID range and group
@@ -53,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then
fi
fi
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+ rm /usr/share/pam-configs/tacplus
+fi
+
# Add TACACS system users required for TACACS based system authentication
if ! grep -q '^tacacs' /etc/passwd; then
# Add the tacacs group and all 16 possible tacacs privilege-level users to
@@ -64,14 +64,13 @@ if ! grep -q '^tacacs' /etc/passwd; then
level=0
vyos_group=vyattaop
while [ $level -lt 16 ]; do
- adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \
+ adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
--no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
--shell /bin/vbash tacacs${level}
adduser --quiet tacacs${level} frrvty
adduser --quiet tacacs${level} adm
adduser --quiet tacacs${level} dip
adduser --quiet tacacs${level} users
- adduser --quiet tacacs${level} aaa
if [ $level -lt 15 ]; then
adduser --quiet tacacs${level} vyattaop
adduser --quiet tacacs${level} operator
@@ -87,7 +86,7 @@ fi
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
--no-create-home --gecos "RADIUS mapped user at privilege level operator" \
--shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
@@ -96,12 +95,11 @@ if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet radius_user adm
adduser --quiet radius_user dip
adduser --quiet radius_user users
- adduser --quiet radius_user aaa
fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
--no-create-home --gecos "RADIUS mapped user at privilege level admin" \
--shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
@@ -112,7 +110,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet radius_priv_user disk
adduser --quiet radius_priv_user users
adduser --quiet radius_priv_user frr
- adduser --quiet radius_priv_user aaa
fi
# add hostsd group for vyos-hostsd
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index 16c118cb7..9bd6331a8 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -2,8 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile
diff --git a/interface-definitions/include/firewall/action-forward.xml.i b/interface-definitions/include/firewall/action-forward.xml.i
index f61e51887..4e59f3c6f 100644
--- a/interface-definitions/include/firewall/action-forward.xml.i
+++ b/interface-definitions/include/firewall/action-forward.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>Rule action</help>
<completionHelp>
- <list>accept continue jump reject return drop queue offload</list>
+ <list>accept continue jump reject return drop queue offload synproxy</list>
</completionHelp>
<valueHelp>
<format>accept</format>
@@ -37,8 +37,12 @@
<format>offload</format>
<description>Offload packet via flowtable</description>
</valueHelp>
+ <valueHelp>
+ <format>synproxy</format>
+ <description>Synproxy connections</description>
+ </valueHelp>
<constraint>
- <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+ <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
</constraint>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 9391a7bee..954e4f23e 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>Rule action</help>
<completionHelp>
- <list>accept continue jump reject return drop queue</list>
+ <list>accept continue jump reject return drop queue synproxy</list>
</completionHelp>
<valueHelp>
<format>accept</format>
@@ -33,8 +33,12 @@
<format>queue</format>
<description>Enqueue packet to userspace</description>
</valueHelp>
+ <valueHelp>
+ <format>synproxy</format>
+ <description>Synproxy connections</description>
+ </valueHelp>
<constraint>
- <regex>(accept|continue|jump|reject|return|drop|queue)</regex>
+ <regex>(accept|continue|jump|reject|return|drop|queue|synproxy)</regex>
</constraint>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index e51dd0056..a55a1a551 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -3,7 +3,9 @@
#include <include/generic-description.xml.i>
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-options.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
#include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/conntrack-helper.xml.i>
#include <include/firewall/nft-queue.xml.i>
<leafNode name="disable">
<properties>
@@ -219,6 +221,7 @@
</leafNode>
</children>
</node>
+#include <include/firewall/synproxy.xml.i>
<node name="state">
<properties>
<help>Session state</help>
@@ -372,4 +375,4 @@
</leafNode>
</children>
</node>
-<!-- include end --> \ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/conntrack-helper.xml.i b/interface-definitions/include/firewall/conntrack-helper.xml.i
new file mode 100644
index 000000000..ee17f2c61
--- /dev/null
+++ b/interface-definitions/include/firewall/conntrack-helper.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from firewall/conntrack-helper.xml.i -->
+<leafNode name="conntrack-helper">
+ <properties>
+ <help>Match related traffic from conntrack helpers</help>
+ <completionHelp>
+ <list>ftp h323 pptp nfs sip tftp sqlnet</list>
+ </completionHelp>
+ <valueHelp>
+ <format>ftp</format>
+ <description>Related traffic from FTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>h323</format>
+ <description>Related traffic from H.323 helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pptp</format>
+ <description>Related traffic from PPTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>nfs</format>
+ <description>Related traffic from NFS helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sip</format>
+ <description>Related traffic from SIP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tftp</format>
+ <description>Related traffic from TFTP helper</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sqlnet</format>
+ <description>Related traffic from SQLNet helper</description>
+ </valueHelp>
+ <constraint>
+ <regex>(ftp|h323|pptp|nfs|sip|tftp|sqlnet)</regex>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/firewall-mark.xml.i b/interface-definitions/include/firewall/firewall-mark.xml.i
new file mode 100644
index 000000000..36a939ba3
--- /dev/null
+++ b/interface-definitions/include/firewall/firewall-mark.xml.i
@@ -0,0 +1,26 @@
+<!-- include start from firewall/firewall-mark.xml.i -->
+<leafNode name="mark">
+ <properties>
+ <help>Firewall mark</help>
+ <valueHelp>
+ <format>u32:0-2147483647</format>
+ <description>Firewall mark to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!u32:0-2147483647</format>
+ <description>Inverted Firewall mark to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;start-end&gt;</format>
+ <description>Firewall mark range to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!&lt;start-end&gt;</format>
+ <description>Firewall mark inverted range to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric-exclude" argument="--allow-range --range 0-2147483647"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/synproxy.xml.i b/interface-definitions/include/firewall/synproxy.xml.i
new file mode 100644
index 000000000..a65126ea9
--- /dev/null
+++ b/interface-definitions/include/firewall/synproxy.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/synproxy.xml.i -->
+<node name="synproxy">
+ <properties>
+ <help>Synproxy options</help>
+ </properties>
+ <children>
+ <node name="tcp">
+ <properties>
+ <help>TCP synproxy options</help>
+ </properties>
+ <children>
+ <leafNode name="mss">
+ <properties>
+ <help>TCP Maximum segment size</help>
+ <valueHelp>
+ <format>u32:501-65535</format>
+ <description>Maximum segment size for synproxy connections</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 501-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="window-scale">
+ <properties>
+ <help>TCP window scale for synproxy connections</help>
+ <valueHelp>
+ <format>u32:1-14</format>
+ <description>TCP window scale</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-14"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/local-route_rule_protocol.xml.i b/interface-definitions/include/policy/local-route_rule_protocol.xml.i
new file mode 100644
index 000000000..57582eb37
--- /dev/null
+++ b/interface-definitions/include/policy/local-route_rule_protocol.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from policy/local-route_rule_protocol.xml.i -->
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name or number)</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ </completionHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;protocol&gt;</format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index 6551d23ab..8eab04d4a 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -1,6 +1,7 @@
<!-- include start from policy/route-common.xml.i -->
#include <include/policy/route-rule-action.xml.i>
#include <include/generic-description.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
<leafNode name="disable">
<properties>
<help>Option to disable firewall rule</help>
diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
index efd418bb2..a0cdcd7c3 100644
--- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
+++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i
@@ -46,6 +46,26 @@
<multi/>
</properties>
</leafNode>
+ <leafNode name="security-mode">
+ <properties>
+ <help>Security mode for RADIUS authentication</help>
+ <completionHelp>
+ <list>mandatory optional</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mandatory</format>
+ <description>Deny access immediately if RADIUS answers with Access-Reject</description>
+ </valueHelp>
+ <valueHelp>
+ <format>optional</format>
+ <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mandatory|optional)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>optional</defaultValue>
+ </leafNode>
</children>
</node>
<!-- include end -->
diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy-local-route.xml.in
index 8619e839e..0a5b81dfa 100644
--- a/interface-definitions/policy-local-route.xml.in
+++ b/interface-definitions/policy-local-route.xml.in
@@ -53,6 +53,7 @@
</constraint>
</properties>
</leafNode>
+ #include <include/policy/local-route_rule_protocol.xml.i>
<leafNode name="source">
<properties>
<help>Source address or prefix</help>
diff --git a/interface-definitions/service-mdns-repeater.xml.in b/interface-definitions/service-mdns-repeater.xml.in
index 653dbbbe4..67870946c 100644
--- a/interface-definitions/service-mdns-repeater.xml.in
+++ b/interface-definitions/service-mdns-repeater.xml.in
@@ -15,6 +15,31 @@
<children>
#include <include/generic-disable-node.xml.i>
#include <include/generic-interface-multi.xml.i>
+ <leafNode name="ip-version">
+ <properties>
+ <help>IP address version to use</help>
+ <valueHelp>
+ <format>_ipv4</format>
+ <description>Use only IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>_ipv6</format>
+ <description>Use only IPv6 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>both</format>
+ <description>Use both IPv4 and IPv6 address</description>
+ </valueHelp>
+ <completionHelp>
+ <list>ipv4 ipv6 both</list>
+ </completionHelp>
+ <constraint>
+ <regex>(ipv[46]|both)</regex>
+ </constraint>
+ <constraintErrorMessage>IP Version must be literal 'ipv4', 'ipv6' or 'both'</constraintErrorMessage>
+ </properties>
+ <defaultValue>both</defaultValue>
+ </leafNode>
<leafNode name="browse-domain">
<properties>
<help>mDNS browsing domains in addition to the default one</help>
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
index 71db8b1d6..30fea91b0 100644
--- a/interface-definitions/system-login.xml.in
+++ b/interface-definitions/system-login.xml.in
@@ -259,6 +259,26 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="security-mode">
+ <properties>
+ <help>Security mode for TACACS+ authentication</help>
+ <completionHelp>
+ <list>mandatory optional</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mandatory</format>
+ <description>Deny access immediately if TACACS+ answers with REJECT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>optional</format>
+ <description>Pass to the next authentication method if TACACS+ answers with REJECT</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mandatory|optional)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>optional</defaultValue>
+ </leafNode>
#include <include/radius-timeout.xml.i>
#include <include/interface/vrf.xml.i>
</children>
diff --git a/op-mode-definitions/generate_firewall_rule-resequence.xml.in b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
new file mode 100644
index 000000000..66078deb9
--- /dev/null
+++ b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="generate">
+ <children>
+ <node name="firewall">
+ <properties>
+ <help>Firewall</help>
+ </properties>
+ <children>
+ <node name="rule-resequence">
+ <properties>
+ <help>Resequence the firewall rules</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py</command>
+ <children>
+ <tagNode name="start">
+ <properties>
+ <help>Set the first sequence number</help>
+ <completionHelp>
+ <list>1-1000</list>
+ </completionHelp>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5</command>
+ <children>
+ <tagNode name="step">
+ <properties>
+ <help>Step between rules</help>
+ <completionHelp>
+ <list>1-1000</list>
+ </completionHelp>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5 --step $7</command>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/zone-policy.xml.in b/op-mode-definitions/zone-policy.xml.in
deleted file mode 100644
index 9d65ddd3d..000000000
--- a/op-mode-definitions/zone-policy.xml.in
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="show">
- <children>
- <node name="zone-policy">
- <properties>
- <help>Show zone policy information</help>
- </properties>
- <children>
- <tagNode name="zone">
- <properties>
- <help>Show summary of zone policy for a specific zone</help>
- <completionHelp>
- <path>firewall zone</path>
- </completionHelp>
- </properties>
- <command>sudo ${vyos_op_scripts_dir}/zone.py show --zone $4</command>
- </tagNode>
- </children>
- <command>sudo ${vyos_op_scripts_dir}/zone.py show</command>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3ca7a25b9..c07ed1adf 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -102,6 +102,20 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if states:
output.append(f'ct state {{{states}}}')
+ if 'conntrack_helper' in rule_conf:
+ helper_map = {'h323': ['RAS', 'Q.931'], 'nfs': ['rpc'], 'sqlnet': ['tns']}
+ helper_out = []
+
+ for helper in rule_conf['conntrack_helper']:
+ if helper in helper_map:
+ helper_out.extend(helper_map[helper])
+ else:
+ helper_out.append(helper)
+
+ if helper_out:
+ helper_str = ','.join(f'"{s}"' for s in helper_out)
+ output.append(f'ct helper {{{helper_str}}}')
+
if 'connection_status' in rule_conf and rule_conf['connection_status']:
status = rule_conf['connection_status']
if status['nat'] == 'destination':
@@ -249,6 +263,9 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
+ if dict_search_args(rule_conf, 'action') == 'synproxy':
+ output.append('ct state invalid,untracked')
+
if 'hop_limit' in rule_conf:
operators = {'eq': '==', 'gt': '>', 'lt': '<'}
for op, operator in operators.items():
@@ -364,6 +381,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
conn_mark_str = ','.join(rule_conf['connection_mark'])
output.append(f'ct mark {{{conn_mark_str}}}')
+ if 'mark' in rule_conf:
+ mark = rule_conf['mark']
+ operator = ''
+ if mark[0] == '!':
+ operator = '!='
+ mark = mark[1:]
+ output.append(f'meta mark {operator} {{{mark}}}')
+
if 'vlan' in rule_conf:
if 'id' in rule_conf['vlan']:
output.append(f'vlan id {rule_conf["vlan"]["id"]}')
@@ -419,6 +444,16 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if 'queue_options' in rule_conf:
queue_opts = ','.join(rule_conf['queue_options'])
output.append(f'{queue_opts}')
+
+ # Synproxy
+ if 'synproxy' in rule_conf:
+ synproxy_mss = dict_search_args(rule_conf, 'synproxy', 'tcp', 'mss')
+ if synproxy_mss:
+ output.append(f'mss {synproxy_mss}')
+ synproxy_ws = dict_search_args(rule_conf, 'synproxy', 'tcp', 'window_scale')
+ if synproxy_ws:
+ output.append(f'wscale {synproxy_ws} timestamp sack-perm')
+
else:
output.append('return')
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 676be5305..7b4ba11d0 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -308,10 +308,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'mark', '!98765'])
self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue'])
self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3'])
self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
@@ -325,11 +327,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['chain VYOS_FORWARD_filter'],
['type filter hook forward priority filter; policy drop;'],
- ['ip saddr 198.51.100.1', f'jump NAME_{name}'],
+ ['ip saddr 198.51.100.1', 'meta mark 0x000003f2', f'jump NAME_{name}'],
['chain VYOS_INPUT_filter'],
['type filter hook input priority filter; policy accept;'],
- [f'meta l4proto tcp','queue to 3'],
- [f'meta l4proto udp','queue flags bypass,fanout to 0-15'],
+ ['meta mark != 0x000181cd', 'meta l4proto tcp','queue to 3'],
+ ['meta l4proto udp','queue flags bypass,fanout to 0-15'],
[f'chain NAME_{name}'],
['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[ipv4-NAM-{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'],
['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'accept'],
@@ -338,6 +340,31 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip vyos_filter')
+ def test_ipv4_synproxy(self):
+ tcp_mss = '1460'
+ tcp_wscale = '7'
+ dport = '22'
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'destination', 'port', dport])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'synproxy', 'tcp', 'mss', tcp_mss])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'synproxy', 'tcp', 'window-scale', tcp_wscale])
+
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'action', 'synproxy'])
+
+ self.cli_commit()
+
+ nftables_search = [
+ [f'tcp dport {dport} ct state invalid,untracked', f'synproxy mss {tcp_mss} wscale {tcp_wscale} timestamp sack-perm']
+ ]
+
+ self.verify_nftables(nftables_search, 'ip vyos_filter')
+
+
def test_ipv4_mask(self):
name = 'smoketest-mask'
interface = 'eth0'
@@ -441,6 +468,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'default-action', 'accept'])
self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'source', 'address', '2001:db8::/64'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'mark', '!6655-7766'])
self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'action', 'jump'])
self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'jump-target', name])
@@ -452,7 +480,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'accept'],
['chain VYOS_IPV6_INPUT_filter'],
['type filter hook input priority filter; policy accept;'],
- ['ip6 saddr 2001:db8::/64', f'jump NAME6_{name}'],
+ ['ip6 saddr 2001:db8::/64', 'meta mark != 0x000019ff-0x00001e56', f'jump NAME6_{name}'],
[f'chain NAME6_{name}'],
['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'accept'],
[f'log prefix "[{name}-default-D]"', 'drop']
@@ -503,12 +531,15 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
-
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'state', 'related', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'ftp'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '5', 'conntrack-helper', 'pptp'])
self.cli_commit()
@@ -517,6 +548,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['ct state invalid', 'reject'],
['ct state new', 'ct status dnat', 'accept'],
['ct state { established, new }', 'ct status snat', 'accept'],
+ ['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
['drop', f'comment "{name} default-action drop"']
]
diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py
index 354f791bd..e868895ce 100755
--- a/smoketest/scripts/cli/test_policy.py
+++ b/smoketest/scripts/cli/test_policy.py
@@ -1519,6 +1519,28 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase):
self.assertEqual(sort_ip(tmp), sort_ip(original))
+ # Test set table for destination and protocol
+ def test_protocol_destination_table_id(self):
+ path = base_path + ['local-route']
+
+ dst = '203.0.113.12'
+ rule = '85'
+ table = '104'
+ proto = 'tcp'
+
+ self.cli_set(path + ['rule', rule, 'set', 'table', table])
+ self.cli_set(path + ['rule', rule, 'destination', dst])
+ self.cli_set(path + ['rule', rule, 'protocol', proto])
+
+ self.cli_commit()
+
+ original = """
+ 85: from all to 203.0.113.12 ipproto tcp lookup 104
+ """
+ tmp = cmd('ip rule show prio 85')
+
+ self.assertEqual(sort_ip(tmp), sort_ip(original))
+
# Test set table for sources with fwmark
def test_fwmark_sources_table_id(self):
path = base_path + ['local-route']
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index c7ddf873e..72192fb98 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -191,15 +191,18 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
def test_pbr_matching_criteria(self):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'udp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'mark', '2020'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'protocol', 'tcp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'mark', '2-3000'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'set', 'table', table_id])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'source', 'address', '198.51.100.0/24'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'protocol', 'tcp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'destination', 'port', '22'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'state', 'new', 'enable'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'ttl', 'gt', '2'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'mark', '!456'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'set', 'table', table_id])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'protocol', 'icmp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'icmp', 'type-name', 'echo-request'])
@@ -210,6 +213,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'set', 'table', table_id])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'dscp', '41'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'dscp', '57-59'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'mark', '!456-500'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'set', 'table', table_id])
self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'protocol', 'udp'])
@@ -247,11 +251,11 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
# IPv4
nftables_search = [
['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_UD_smoketest'],
- ['meta l4proto udp', 'drop'],
- ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
- ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex],
+ ['meta l4proto udp', 'meta mark 0x000007e4', 'drop'],
+ ['tcp flags syn / syn,ack', 'meta mark 0x00000002-0x00000bb8', 'meta mark set ' + mark_hex],
+ ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark != 0x000001c8', 'meta mark set ' + mark_hex],
['log prefix "[ipv4-route-smoketest-4-A]"', 'icmp type echo-request', 'ip length { 128, 1024-2048 }', 'meta pkttype other', 'meta mark set ' + mark_hex],
- ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark set ' + mark_hex]
+ ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark != 0x000001c8-0x000001f4', 'meta mark set ' + mark_hex]
]
self.verify_nftables(nftables_search, 'ip vyos_mangle')
diff --git a/smoketest/scripts/cli/test_service_mdns-repeater.py b/smoketest/scripts/cli/test_service_mdns-repeater.py
index 9a9839025..f2fb3b509 100755
--- a/smoketest/scripts/cli/test_service_mdns-repeater.py
+++ b/smoketest/scripts/cli/test_service_mdns-repeater.py
@@ -19,6 +19,7 @@ import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from configparser import ConfigParser
+from vyos.configsession import ConfigSessionError
from vyos.utils.process import process_named_running
base_path = ['service', 'mdns', 'repeater']
@@ -27,6 +28,20 @@ config_file = '/run/avahi-daemon/avahi-daemon.conf'
class TestServiceMDNSrepeater(VyOSUnitTestSHIM.TestCase):
+ def setUp(self):
+ # Start with a clean CLI instance
+ self.cli_delete(base_path)
+
+ # Service required a configured IP address on the interface
+ self.cli_set(intf_base + ['dum10', 'address', '192.0.2.1/30'])
+ self.cli_set(intf_base + ['dum10', 'ipv6', 'address', 'no-default-link-local'])
+ self.cli_set(intf_base + ['dum20', 'address', '192.0.2.5/30'])
+ self.cli_set(intf_base + ['dum20', 'address', '2001:db8:0:2::5/64'])
+ self.cli_set(intf_base + ['dum30', 'address', '192.0.2.9/30'])
+ self.cli_set(intf_base + ['dum30', 'address', '2001:db8:0:2::9/64'])
+ self.cli_set(intf_base + ['dum40', 'address', '2001:db8:0:2::11/64'])
+ self.cli_commit()
+
def tearDown(self):
# Check for running process
self.assertTrue(process_named_running('avahi-daemon'))
@@ -34,24 +49,23 @@ class TestServiceMDNSrepeater(VyOSUnitTestSHIM.TestCase):
self.cli_delete(base_path)
self.cli_delete(intf_base + ['dum10'])
self.cli_delete(intf_base + ['dum20'])
+ self.cli_delete(intf_base + ['dum30'])
+ self.cli_delete(intf_base + ['dum40'])
self.cli_commit()
# Check that there is no longer a running process
self.assertFalse(process_named_running('avahi-daemon'))
- def test_service(self):
+ def test_service_dual_stack(self):
# mDNS browsing domains in addition to the default one (local)
domains = ['dom1.home.arpa', 'dom2.home.arpa']
# mDNS services to be repeated
services = ['_ipp._tcp', '_smb._tcp', '_ssh._tcp']
- # Service required a configured IP address on the interface
- self.cli_set(intf_base + ['dum10', 'address', '192.0.2.1/30'])
- self.cli_set(intf_base + ['dum20', 'address', '192.0.2.5/30'])
-
- self.cli_set(base_path + ['interface', 'dum10'])
+ self.cli_set(base_path + ['ip-version', 'both'])
self.cli_set(base_path + ['interface', 'dum20'])
+ self.cli_set(base_path + ['interface', 'dum30'])
for domain in domains:
self.cli_set(base_path + ['browse-domain', domain])
@@ -65,10 +79,56 @@ class TestServiceMDNSrepeater(VyOSUnitTestSHIM.TestCase):
conf = ConfigParser(delimiters='=')
conf.read(config_file)
- self.assertEqual(conf['server']['allow-interfaces'], 'dum10, dum20')
+ self.assertEqual(conf['server']['use-ipv4'], 'yes')
+ self.assertEqual(conf['server']['use-ipv6'], 'yes')
+ self.assertEqual(conf['server']['allow-interfaces'], 'dum20, dum30')
self.assertEqual(conf['server']['browse-domains'], ', '.join(domains))
self.assertEqual(conf['reflector']['enable-reflector'], 'yes')
self.assertEqual(conf['reflector']['reflect-filters'], ', '.join(services))
+ def test_service_ipv4(self):
+ # partcipating interfaces should have IPv4 addresses
+ self.cli_set(base_path + ['ip-version', 'ipv4'])
+ self.cli_set(base_path + ['interface', 'dum10'])
+ self.cli_set(base_path + ['interface', 'dum40'])
+
+ # exception is raised if partcipating interfaces do not have IPv4 address
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', 'dum40'])
+ self.cli_set(base_path + ['interface', 'dum20'])
+ self.cli_commit()
+
+ # Validate configuration values
+ conf = ConfigParser(delimiters='=')
+ conf.read(config_file)
+
+ self.assertEqual(conf['server']['use-ipv4'], 'yes')
+ self.assertEqual(conf['server']['use-ipv6'], 'no')
+ self.assertEqual(conf['server']['allow-interfaces'], 'dum10, dum20')
+ self.assertEqual(conf['reflector']['enable-reflector'], 'yes')
+
+ def test_service_ipv6(self):
+ # partcipating interfaces should have IPv6 addresses
+ self.cli_set(base_path + ['ip-version', 'ipv6'])
+ self.cli_set(base_path + ['interface', 'dum10'])
+ self.cli_set(base_path + ['interface', 'dum30'])
+
+ # exception is raised if partcipating interfaces do not have IPv4 address
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', 'dum10'])
+ self.cli_set(base_path + ['interface', 'dum40'])
+ self.cli_commit()
+
+ # Validate configuration values
+ conf = ConfigParser(delimiters='=')
+ conf.read(config_file)
+
+ self.assertEqual(conf['server']['use-ipv4'], 'no')
+ self.assertEqual(conf['server']['use-ipv6'], 'yes')
+ self.assertEqual(conf['server']['allow-interfaces'], 'dum30, dum40')
+ self.assertEqual(conf['reflector']['enable-reflector'], 'yes')
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index c9f184558..7657ab724 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -162,27 +162,34 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
def test_conntrack_module_enable(self):
# conntrack helper modules are disabled by default
modules = {
- 'ftp' : {
- 'driver' : ['nf_nat_ftp', 'nf_conntrack_ftp'],
+ 'ftp': {
+ 'driver': ['nf_nat_ftp', 'nf_conntrack_ftp'],
+ 'nftables': ['ct helper set "ftp_tcp"']
},
- 'h323' : {
- 'driver' : ['nf_nat_h323', 'nf_conntrack_h323'],
+ 'h323': {
+ 'driver': ['nf_nat_h323', 'nf_conntrack_h323'],
+ 'nftables': ['ct helper set "ras_udp"',
+ 'ct helper set "q931_tcp"']
},
- 'nfs' : {
- 'nftables' : ['ct helper set "rpc_tcp"',
- 'ct helper set "rpc_udp"']
+ 'nfs': {
+ 'nftables': ['ct helper set "rpc_tcp"',
+ 'ct helper set "rpc_udp"']
},
- 'pptp' : {
- 'driver' : ['nf_nat_pptp', 'nf_conntrack_pptp'],
+ 'pptp': {
+ 'driver': ['nf_nat_pptp', 'nf_conntrack_pptp'],
+ 'nftables': ['ct helper set "pptp_tcp"']
},
- 'sip' : {
- 'driver' : ['nf_nat_sip', 'nf_conntrack_sip'],
+ 'sip': {
+ 'driver': ['nf_nat_sip', 'nf_conntrack_sip'],
+ 'nftables': ['ct helper set "sip_tcp"',
+ 'ct helper set "sip_udp"']
},
- 'sqlnet' : {
- 'nftables' : ['ct helper set "tns_tcp"']
+ 'sqlnet': {
+ 'nftables': ['ct helper set "tns_tcp"']
},
- 'tftp' : {
- 'driver' : ['nf_nat_tftp', 'nf_conntrack_tftp'],
+ 'tftp': {
+ 'driver': ['nf_nat_tftp', 'nf_conntrack_tftp'],
+ 'nftables': ['ct helper set "tftp_udp"']
},
}
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 01b0406bf..17b1b395c 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -45,77 +45,62 @@ PROCESS_NAME = 'charon-systemd'
regex_uuid4 = '[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}'
ca_pem = """
-MIIDSzCCAjOgAwIBAgIUQHK+ZgTUYZksvXY2/MyW+Jiels4wDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MTk0NTI3WhcNMzEw
-NjEyMTk0NTI3WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKCAzpatA8yywXhGunWD//6Qg9EMJMb+7didNr10
-DuYPPGyTOXwG4Xicbr0FJ6cNkWg4wj3ZXEqqBzgS1Z9u78yuYPt5LE9eM8Wtawp7
-qIUCMTlSu4uD3/4A3c1xfHDpTOEl1BDvxMtQxQZcMNQVUG5ZMdcWQvqvQG6F7Nak
-+jgkaQ+Gyhwq++KVTEHJsA6+POuD0uaqAJv3tLGrRf4y4zdOn4thuTQ9swIBjKW6
-ci78Dk0F4u24YYV2BHKsPEPIyCQxKSRrMvqVWWljX9HmNsGawyEhLvW34aphj0aD
-JL/n1kWm+DnGyM+Rp6pXQz5y3xAnmKeYziaQNnvHoQi+gY0CAwEAAaOBkDCBjTAd
-BgNVHQ4EFgQUy43jkjE+CORrxeddqofQztZ9UxYwUQYDVR0jBEowSIAUy43jkjE+
-CORrxeddqofQztZ9UxahGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRAcr5m
-BNRhmSy9djb8zJb4mJ6WzjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
-hkiG9w0BAQsFAAOCAQEALHdd1JXq6EUF9dSUijPLEiDVwn2TTIBIxvQqFzpWDDHg
-EWLzRJESyNUbIiwuUGwvqcVki0TmQcFR9XwmcDFDotlXz9OQISBlCW+Twuf4/XAL
-11njH8qXSaWF/wPbF35NOPhV5xOOCZ6K7Vilp3tK6LeOWvz2AUtwiVE1prNV3cIA
-B2ham0JASS0HIkfrcjpZNcx4NlSBaFf4MK5A11p13zPqMqzdEqn6n8fbYEADfVzy
-TfdqX1dPVc9zaM8uwyh5VyYBMDV7DoL384ZHJZYLENK/pT4kbl+sM/Cnhvyu0UCe
-RVqJGQtCdChZpDAVkzJRQYw3/FR8Mj+M+8GrgOrJ0w==
+MIICMDCCAdegAwIBAgIUBCzIjYvD7SPbx5oU18IYg7NVxQ0wCgYIKoZIzj0EAwIw
+ZzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEgMB4GA1UEAwwXSVBTZWMgU21va2V0ZXN0
+IFJvb3QgQ0EwHhcNMjMwOTI0MTIwMzQxWhcNMzMwOTIxMTIwMzQxWjBnMQswCQYD
+VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5
+MQ0wCwYDVQQKDARWeU9TMSAwHgYDVQQDDBdJUFNlYyBTbW9rZXRlc3QgUm9vdCBD
+QTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEh8/yU572B3zmFxrGgHk+H7grYt
+EHUJodY3gXNWMHz0gySrbGhsGtECDfP/G+T4Suk7cuVzB1wnLocSafD8TcqjYTBf
+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsG
+AQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUTYoQJNlk7X87/gRegHnCnPef39Aw
+CgYIKoZIzj0EAwIDRwAwRAIgX1spXjrUc10r3g/Zm4O31LU5O08J2vVqFo94zHE5
+0VgCIG4JK9Zg5O/yn4mYksZux7efiHRUzL2y2TXQ9IqrqM8W
+"""
+
+int_ca_pem = """
+MIICYDCCAgWgAwIBAgIUcFx2BVYErHI+SneyPYHijxXt1cgwCgYIKoZIzj0EAwIw
+ZzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEgMB4GA1UEAwwXSVBTZWMgU21va2V0ZXN0
+IFJvb3QgQ0EwHhcNMjMwOTI0MTIwNTE5WhcNMzMwOTIwMTIwNTE5WjBvMQswCQYD
+VQQGEwJHQjETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UEBwwJU29tZS1DaXR5
+MQ0wCwYDVQQKDARWeU9TMSgwJgYDVQQDDB9JUFNlYyBTbW9rZXRlc3QgSW50ZXJt
+ZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIHw2G5dq3c715AcA
+tzR++dYu1fLRFmHzRGTZOT7hLrh2Fg4hnKFPLOeUA5Qi50xCvjJ9JnonTyy2RfRH
+axYizKOBhjCBgzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAd
+BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFC9KrFYtA+hO
+l7vdMbWxTMAyLB7BMB8GA1UdIwQYMBaAFE2KECTZZO1/O/4EXoB5wpz3n9/QMAoG
+CCqGSM49BAMCA0kAMEYCIQCnqWbElgOL9dGO3iLxasFNq/hM7vM/DzaiHi4BowxW
+0gIhAMohefNj+QgLfPhvyODHIPE9LMyfp7lJEaCC2K8PCSFD
"""
peer_cert = """
-MIIDZjCCAk6gAwIBAgIRAKHpoE0rTcB/YXhnFpeckngwDQYJKoZIhvcNAQELBQAw
-FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MjAwNDQ3WhcNMjQwNTI5
-MjAwNDQ3WjAQMQ4wDAYDVQQDDAVwZWVyMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALNwjDC1Lj2ojfCi1TESsyD0MLuqUVLTBZaXCXFtQdB/Aw3b3eBc
-J8+FUYQ6xMplmklXcjJEyXSMvqENpLX6xEDNWWvqTf22eEWt36QTfBeyFyDKtXnm
-4Y+ufXAHl3sLtyZN/7q+Xl4ubYvtAHVRLYzkXAtj1tVdaYEZQy8x/F3ZFFUsCfxR
-RqJBKTxcENP8STpIz9X8dS9iif9SBA42C0eHqMWv1tYW1IHO9gQxYFS3cvoPDPlD
-AJ3ihu5x3fO892S7FtZLVN/GsN1TKRKL217eVPyW0+QcnUwbrXWc7fnmm1btXVmh
-9YKPdtX8WnEeOtMCVZGKqdydnI3iAqvPmd0CAwEAAaOBtDCBsTAJBgNVHRMEAjAA
-MB0GA1UdDgQWBBQGsAPY4cHnTNUv7l+l8OYRSqcX8jBRBgNVHSMESjBIgBTLjeOS
-MT4I5GvF512qh9DO1n1TFqEapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFEBy
-vmYE1GGZLL12NvzMlviYnpbOMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQE
-AwIFoDAQBgNVHREECTAHggVwZWVyMTANBgkqhkiG9w0BAQsFAAOCAQEAdJr+11eG
-FvChxu/LkwsXe2V+OZzGRq+hmQlaK3kG/AyI5hVA/IVHJkDe281wbBNKBWYxeSMn
-lAKbwuhPluO99oldzY9ZVkSiRmLh3r27wy/y+1plvoNxyTN7644Hvtk/8P/LV67R
-amXvVgkhpvIQSBfgifXzqUs+BV/x7TSeN3isxNOB8FP6imODsw8lF0Ir1Ze34emr
-TMNo5wNR5xp2dUa9OkzjRpgpifh20zM3UeVOixIPoq78IDjT0aZP8Lve2/g4Ccc6
-RHNF31r/2UL8rZfQRUAMijVdAvIINCk0kRBhNcr9MCi3czmmgiXXMGwLWLvSkfnE
-W06wKX1lpPSptg==
+MIICSTCCAfCgAwIBAgIUPxYleUgCo/glVVePze3QmAFgi6MwCgYIKoZIzj0EAwIw
+bzELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv
+bWUtQ2l0eTENMAsGA1UECgwEVnlPUzEoMCYGA1UEAwwfSVBTZWMgU21va2V0ZXN0
+IEludGVybWVkaWF0ZSBDQTAeFw0yMzA5MjQxMjA2NDJaFw0yODA5MjIxMjA2NDJa
+MGQxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlT
+b21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxHTAbBgNVBAMMFElQU2VjIFNtb2tldGVz
+dCBQZWVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZJtuTDu84uy++GMwRNLl
+10JAXZxXQSDl+CdTWwjbQZURcdY+ia7BoaoYX/0VKPel3Se64rIUQQLQoY/9MJb9
+UKN1MHMwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
+KwYBBQUHAwEwHQYDVR0OBBYEFNJCdnkm3cAmf04UwOKL7IqMJ6OXMB8GA1UdIwQY
+MBaAFC9KrFYtA+hOl7vdMbWxTMAyLB7BMAoGCCqGSM49BAMCA0cAMEQCIGVnDRUy
+UJ0U/deDvrBo1+AakZndkNAMN/XNo5a5GzhEAiBCY7E/3b0BIO8FiIbVB3iDcaxg
+g7ET2RgWxvhEoN3ZRw==
"""
peer_key = """
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzcIwwtS49qI3w
-otUxErMg9DC7qlFS0wWWlwlxbUHQfwMN293gXCfPhVGEOsTKZZpJV3IyRMl0jL6h
-DaS1+sRAzVlr6k39tnhFrd+kE3wXshcgyrV55uGPrn1wB5d7C7cmTf+6vl5eLm2L
-7QB1US2M5FwLY9bVXWmBGUMvMfxd2RRVLAn8UUaiQSk8XBDT/Ek6SM/V/HUvYon/
-UgQONgtHh6jFr9bWFtSBzvYEMWBUt3L6Dwz5QwCd4obucd3zvPdkuxbWS1TfxrDd
-UykSi9te3lT8ltPkHJ1MG611nO355ptW7V1ZofWCj3bV/FpxHjrTAlWRiqncnZyN
-4gKrz5ndAgMBAAECggEACvAya4mv3uxWcrPKYSptpvWbvuTb/juE3LAqUDLDz0ze
-x8p+VP3pI1pSJMhcVKYq6IufF3df/G3T9Qda4gj+S6D48X4f8PZdkInP1zWk2+Ds
-TgBtXZf4agTN+rVLw6FsMbaRfzW5lO4pmV0CKSSgrTUCc2NLpkgCdW8vzEG0y5ek
-15uBOyvuydWM4CFgZT/cUvnu4UtPFL1vaTdD4Lw0FfZq4iS8SWsGbbMoTPKkJRlS
-k9oMEOvhA1WIfSgiG0FyaidoNEormB6J1SKVo27P8SOYu2etiFdF9SJUYg9cBzM3
-z3HcAsXeSh2kpc8Fc2yOS6zI5AsC0Len2SQmKQD8YQKBgQDlgg5cZV5AY2Ji6b+T
-nTHjna7dg/kzUOYs0AmK9DHHziZJ2SKucJlB9smynPLjY/MQbKcNWQ1Cad+olDNP
-Ts4lLhs4kbITkmgPQME3it1fGstHy/sGcF0m+YRsSxfwt5bxLXH86+d067C0XMhg
-URMgGv9ZBTe/P1LuhIUTEjYzlQKBgQDIJvl7sSXHRRB0k7NU/uV3Tut3NTqIzXiz
-pq9hMyF+3aIqaA7kdjIIJczv1grVYz+RUdX3Gu1FyHMl8ynoEz5NNWsbe+Ay/moa
-ztijak3UH3M+d6WsxSRehdYl6DaMstHwWfKZvWNJCGyl7ckz9gGjc3DY/qYqZDrx
-p3LlZsY7KQKBgQCj3ur2GgLkIpI7Yf9CHPlkNlCHJhYnB9pxoNFPf/CTY6R/EiTr
-PMaRDO8TM3FR3ynMTmgw5abMBuCFc9v3AqO6dGNHTvBBfUYDrg7H48UQhQckaocA
-H/bDP2HIGQ4s+Ek0R2ieWKpZF3iCL8V60CjBwcUVAN6/FS3X1JNX/KbqyQKBgQDA
-8dlk5PN/MlPXnZ6t2/7G0bxpsVVZFYI65P+CGvE6RFuUt7VLhalbc10pAtR0unVI
-GHTD/iAnOkHOnqeSQiK3+TvkRbluTxVn/GiYt9yJFTxaRqrebzlNKYW0CzOy1JtP
-MNaOYCS6/bUHC7//KDKSJ7HsbScwDGlKFVrMTBPiaQKBgQCjkIJDZ4pC3er7QiC3
-RXWPyxIG5iTjn4fizphaBt6+pkBAlBh0V6inmleAWa5DJSpgU4jQv4mZsAQs6ctq
-usmoy47ke8pTXPHgQ8ZUwsfM4IztqOm+w0X6mSZi6HdJCnMdxCZBBpO225UvonSR
-rgiyCHemtMepq57Pl1Nmj49eEA==
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgVDEZDK7q/T+tiJUV
+WLKS3ZYDfZ4lZv0C1gJpYq0gWP2hRANCAARkm25MO7zi7L74YzBE0uXXQkBdnFdB
+IOX4J1NbCNtBlRFx1j6JrsGhqhhf/RUo96XdJ7rishRBAtChj/0wlv1Q
"""
+swanctl_dir = '/etc/swanctl'
+CERT_PATH = f'{swanctl_dir}/x509/'
+CA_PATH = f'{swanctl_dir}/x509ca/'
+
class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
skip_process_check = False
@@ -400,7 +385,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
# Enable PKI
peer_name = 'peer1'
ca_name = 'MyVyOS-CA'
+ int_ca_name = 'MyVyOS-IntCA'
self.cli_set(['pki', 'ca', ca_name, 'certificate', ca_pem.replace('\n','')])
+ self.cli_set(['pki', 'ca', int_ca_name, 'certificate', int_ca_pem.replace('\n','')])
self.cli_set(['pki', 'certificate', peer_name, 'certificate', peer_cert.replace('\n','')])
self.cli_set(['pki', 'certificate', peer_name, 'private', 'key', peer_key.replace('\n','')])
@@ -415,7 +402,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
self.cli_set(peer_base_path + ['authentication', 'local-id', peer_name])
self.cli_set(peer_base_path + ['authentication', 'mode', 'x509'])
self.cli_set(peer_base_path + ['authentication', 'remote-id', 'peer2'])
- self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', ca_name])
+ self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', int_ca_name])
self.cli_set(peer_base_path + ['authentication', 'x509', 'certificate', peer_name])
self.cli_set(peer_base_path + ['connection-type', 'initiate'])
self.cli_set(peer_base_path + ['ike-group', ike_group])
@@ -466,6 +453,11 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
for line in swanctl_secrets_lines:
self.assertIn(line, swanctl_conf)
+ # Check Root CA, Intermediate CA and Peer cert/key pair is present
+ self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}_1.pem')))
+ self.assertTrue(os.path.exists(os.path.join(CA_PATH, f'{int_ca_name}_2.pem')))
+ self.assertTrue(os.path.exists(os.path.join(CERT_PATH, f'{peer_name}.pem')))
+
# There is only one VTI test so no need to delete this globally in tearDown()
self.cli_delete(vti_path)
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 50089508a..4cece6921 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -20,6 +20,7 @@ import re
from sys import exit
from vyos.config import Config
+from vyos.configdep import set_dependents, call_dependents
from vyos.utils.process import process_named_running
from vyos.utils.dict import dict_search
from vyos.utils.dict import dict_search_args
@@ -39,27 +40,35 @@ nftables_ct_file = r'/run/nftables-ct.conf'
# Every ALG (Application Layer Gateway) consists of either a Kernel Object
# also called a Kernel Module/Driver or some rules present in iptables
module_map = {
- 'ftp' : {
- 'ko' : ['nf_nat_ftp', 'nf_conntrack_ftp'],
+ 'ftp': {
+ 'ko': ['nf_nat_ftp', 'nf_conntrack_ftp'],
+ 'nftables': ['ct helper set "ftp_tcp" tcp dport {21} return']
},
- 'h323' : {
- 'ko' : ['nf_nat_h323', 'nf_conntrack_h323'],
+ 'h323': {
+ 'ko': ['nf_nat_h323', 'nf_conntrack_h323'],
+ 'nftables': ['ct helper set "ras_udp" udp dport {1719} return',
+ 'ct helper set "q931_tcp" tcp dport {1720} return']
},
- 'nfs' : {
- 'nftables' : ['ct helper set "rpc_tcp" tcp dport {111} return',
- 'ct helper set "rpc_udp" udp dport {111} return']
+ 'nfs': {
+ 'nftables': ['ct helper set "rpc_tcp" tcp dport {111} return',
+ 'ct helper set "rpc_udp" udp dport {111} return']
},
- 'pptp' : {
- 'ko' : ['nf_nat_pptp', 'nf_conntrack_pptp'],
+ 'pptp': {
+ 'ko': ['nf_nat_pptp', 'nf_conntrack_pptp'],
+ 'nftables': ['ct helper set "pptp_tcp" tcp dport {1723} return'],
+ 'ipv4': True
},
- 'sip' : {
- 'ko' : ['nf_nat_sip', 'nf_conntrack_sip'],
+ 'sip': {
+ 'ko': ['nf_nat_sip', 'nf_conntrack_sip'],
+ 'nftables': ['ct helper set "sip_tcp" tcp dport {5060,5061} return',
+ 'ct helper set "sip_udp" udp dport {5060,5061} return']
},
- 'sqlnet' : {
- 'nftables' : ['ct helper set "tns_tcp" tcp dport {1521,1525,1536} return']
+ 'sqlnet': {
+ 'nftables': ['ct helper set "tns_tcp" tcp dport {1521,1525,1536} return']
},
- 'tftp' : {
- 'ko' : ['nf_nat_tftp', 'nf_conntrack_tftp'],
+ 'tftp': {
+ 'ko': ['nf_nat_tftp', 'nf_conntrack_tftp'],
+ 'nftables': ['ct helper set "tftp_udp" udp dport {69} return']
},
}
@@ -70,11 +79,6 @@ valid_groups = [
'port_group'
]
-def resync_conntrackd():
- tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py')
- if tmp > 0:
- print('ERROR: error restarting conntrackd!')
-
def get_config(config=None):
if config:
conf = config
@@ -97,6 +101,9 @@ def get_config(config=None):
conntrack['module_map'] = module_map
+ if conf.exists(['service', 'conntrack-sync']):
+ set_dependents('conntrack_sync', conf)
+
return conntrack
def verify(conntrack):
@@ -177,26 +184,40 @@ def generate(conntrack):
def apply(conntrack):
# Depending on the enable/disable state of the ALG (Application Layer Gateway)
# modules we need to either insmod or rmmod the helpers.
+
+ add_modules = []
+ rm_modules = []
+
for module, module_config in module_map.items():
- if dict_search(f'modules.{module}', conntrack) is None:
+ if dict_search_args(conntrack, 'modules', module) is None:
if 'ko' in module_config:
- for mod in module_config['ko']:
- # Only remove the module if it's loaded
- if os.path.exists(f'/sys/module/{mod}'):
- cmd(f'rmmod {mod}')
+ unloaded = [mod for mod in module_config['ko'] if os.path.exists(f'/sys/module/{mod}')]
+ rm_modules.extend(unloaded)
else:
if 'ko' in module_config:
- for mod in module_config['ko']:
- cmd(f'modprobe {mod}')
+ add_modules.extend(module_config['ko'])
+
+ # Add modules before nftables uses them
+ if add_modules:
+ module_str = ' '.join(add_modules)
+ cmd(f'modprobe -a {module_str}')
# Load new nftables ruleset
install_result, output = rc_cmd(f'nft -f {nftables_ct_file}')
if install_result == 1:
raise ConfigError(f'Failed to apply configuration: {output}')
- if process_named_running('conntrackd'):
- # Reload conntrack-sync daemon to fetch new sysctl values
- resync_conntrackd()
+ # Remove modules after nftables stops using them
+ if rm_modules:
+ module_str = ' '.join(rm_modules)
+ cmd(f'rmmod {module_str}')
+
+ try:
+ call_dependents()
+ except ConfigError:
+ # Ignore config errors on dependent due to being called too early. Example:
+ # ConfigError("ConfigError('Interface ethN requires an IP address!')")
+ pass
# We silently ignore all errors
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3d799318e..f6480ab0a 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -173,6 +173,16 @@ def verify_rule(firewall, rule_conf, ipv6):
if not dict_search_args(firewall, 'flowtable', offload_target):
raise ConfigError(f'Invalid offload-target. Flowtable "{offload_target}" does not exist on the system')
+ if rule_conf['action'] != 'synproxy' and 'synproxy' in rule_conf:
+ raise ConfigError('"synproxy" option allowed only for action synproxy')
+ if rule_conf['action'] == 'synproxy':
+ if 'state' in rule_conf:
+ raise ConfigError('For action "synproxy" state cannot be defined')
+ if not rule_conf.get('synproxy', {}).get('tcp'):
+ raise ConfigError('synproxy TCP MSS is not defined')
+ if rule_conf.get('protocol', {}) != 'tcp':
+ raise ConfigError('For action "synproxy" the protocol must be set to TCP')
+
if 'queue_options' in rule_conf:
if 'queue' not in rule_conf['action']:
raise ConfigError('queue-options defined, but action queue needed and it is not defined')
diff --git a/src/conf_mode/policy-local-route.py b/src/conf_mode/policy-local-route.py
index 79526f82a..d3c307cdc 100755
--- a/src/conf_mode/policy-local-route.py
+++ b/src/conf_mode/policy-local-route.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020-2021 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -16,6 +16,7 @@
import os
+from itertools import product
from sys import exit
from netifaces import interfaces
@@ -54,6 +55,7 @@ def get_config(config=None):
fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
+ proto = leaf_node_changed(conf, base_rule + [rule, 'protocol'])
rule_def = {}
if src:
rule_def = dict_merge({'source' : src}, rule_def)
@@ -63,6 +65,8 @@ def get_config(config=None):
rule_def = dict_merge({'inbound_interface' : iif}, rule_def)
if dst:
rule_def = dict_merge({'destination' : dst}, rule_def)
+ if proto:
+ rule_def = dict_merge({'protocol' : proto}, rule_def)
dict = dict_merge({dict_id : {rule : rule_def}}, dict)
pbr.update(dict)
@@ -78,6 +82,7 @@ def get_config(config=None):
fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark'])
iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface'])
dst = leaf_node_changed(conf, base_rule + [rule, 'destination'])
+ proto = leaf_node_changed(conf, base_rule + [rule, 'protocol'])
# keep track of changes in configuration
# otherwise we might remove an existing node although nothing else has changed
changed = False
@@ -119,6 +124,13 @@ def get_config(config=None):
changed = True
if len(dst) > 0:
rule_def = dict_merge({'destination' : dst}, rule_def)
+ if proto is None:
+ if 'protocol' in rule_config:
+ rule_def = dict_merge({'protocol': rule_config['protocol']}, rule_def)
+ else:
+ changed = True
+ if len(proto) > 0:
+ rule_def = dict_merge({'protocol' : proto}, rule_def)
if changed:
dict = dict_merge({dict_id : {rule : rule_def}}, dict)
pbr.update(dict)
@@ -137,18 +149,22 @@ def verify(pbr):
pbr_route = pbr[route]
if 'rule' in pbr_route:
for rule in pbr_route['rule']:
- if 'source' not in pbr_route['rule'][rule] \
- and 'destination' not in pbr_route['rule'][rule] \
- and 'fwmark' not in pbr_route['rule'][rule] \
- and 'inbound_interface' not in pbr_route['rule'][rule]:
- raise ConfigError('Source or destination address or fwmark or inbound-interface is required!')
- else:
- if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']:
- raise ConfigError('Table set is required!')
- if 'inbound_interface' in pbr_route['rule'][rule]:
- interface = pbr_route['rule'][rule]['inbound_interface']
- if interface not in interfaces():
- raise ConfigError(f'Interface "{interface}" does not exist')
+ if (
+ 'source' not in pbr_route['rule'][rule] and
+ 'destination' not in pbr_route['rule'][rule] and
+ 'fwmark' not in pbr_route['rule'][rule] and
+ 'inbound_interface' not in pbr_route['rule'][rule] and
+ 'protocol' not in pbr_route['rule'][rule]
+ ):
+ raise ConfigError('Source or destination address or fwmark or inbound-interface or protocol is required!')
+
+ if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']:
+ raise ConfigError('Table set is required!')
+
+ if 'inbound_interface' in pbr_route['rule'][rule]:
+ interface = pbr_route['rule'][rule]['inbound_interface']
+ if interface not in interfaces():
+ raise ConfigError(f'Interface "{interface}" does not exist')
return None
@@ -166,20 +182,22 @@ def apply(pbr):
for rule_rm in ['rule_remove', 'rule6_remove']:
if rule_rm in pbr:
v6 = " -6" if rule_rm == 'rule6_remove' else ""
+
for rule, rule_config in pbr[rule_rm].items():
- rule_config['source'] = rule_config['source'] if 'source' in rule_config else ['']
- for src in rule_config['source']:
+ source = rule_config.get('source', [''])
+ destination = rule_config.get('destination', [''])
+ fwmark = rule_config.get('fwmark', [''])
+ inbound_interface = rule_config.get('inbound_interface', [''])
+ protocol = rule_config.get('protocol', [''])
+
+ for src, dst, fwmk, iif, proto in product(source, destination, fwmark, inbound_interface, protocol):
f_src = '' if src == '' else f' from {src} '
- rule_config['destination'] = rule_config['destination'] if 'destination' in rule_config else ['']
- for dst in rule_config['destination']:
- f_dst = '' if dst == '' else f' to {dst} '
- rule_config['fwmark'] = rule_config['fwmark'] if 'fwmark' in rule_config else ['']
- for fwmk in rule_config['fwmark']:
- f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} '
- rule_config['inbound_interface'] = rule_config['inbound_interface'] if 'inbound_interface' in rule_config else ['']
- for iif in rule_config['inbound_interface']:
- f_iif = '' if iif == '' else f' iif {iif} '
- call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif}')
+ f_dst = '' if dst == '' else f' to {dst} '
+ f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} '
+ f_iif = '' if iif == '' else f' iif {iif} '
+ f_proto = '' if proto == '' else f' ipproto {proto} '
+
+ call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif}')
# Generate new config
for route in ['local_route', 'local_route6']:
@@ -187,27 +205,26 @@ def apply(pbr):
continue
v6 = " -6" if route == 'local_route6' else ""
-
pbr_route = pbr[route]
+
if 'rule' in pbr_route:
for rule, rule_config in pbr_route['rule'].items():
- table = rule_config['set']['table']
-
- rule_config['source'] = rule_config['source'] if 'source' in rule_config else ['all']
- for src in rule_config['source'] or ['all']:
- f_src = '' if src == '' else f' from {src} '
- rule_config['destination'] = rule_config['destination'] if 'destination' in rule_config else ['all']
- for dst in rule_config['destination']:
- f_dst = '' if dst == '' else f' to {dst} '
- f_fwmk = ''
- if 'fwmark' in rule_config:
- fwmk = rule_config['fwmark']
- f_fwmk = f' fwmark {fwmk} '
- f_iif = ''
- if 'inbound_interface' in rule_config:
- iif = rule_config['inbound_interface']
- f_iif = f' iif {iif} '
- call(f'ip{v6} rule add prio {rule} {f_src}{f_dst}{f_fwmk}{f_iif} lookup {table}')
+ table = rule_config['set'].get('table', '')
+ source = rule_config.get('source', ['all'])
+ destination = rule_config.get('destination', ['all'])
+ fwmark = rule_config.get('fwmark', '')
+ inbound_interface = rule_config.get('inbound_interface', '')
+ protocol = rule_config.get('protocol', '')
+
+ for src in source:
+ f_src = f' from {src} ' if src else ''
+ for dst in destination:
+ f_dst = f' to {dst} ' if dst else ''
+ f_fwmk = f' fwmark {fwmark} ' if fwmark else ''
+ f_iif = f' iif {inbound_interface} ' if inbound_interface else ''
+ f_proto = f' ipproto {protocol} ' if protocol else ''
+
+ call(f'ip{v6} rule add prio {rule}{f_src}{f_dst}{f_proto}{f_fwmk}{f_iif} lookup {table}')
return None
diff --git a/src/conf_mode/service_mdns-repeater.py b/src/conf_mode/service_mdns-repeater.py
index a2c90b537..6909731ff 100755
--- a/src/conf_mode/service_mdns-repeater.py
+++ b/src/conf_mode/service_mdns-repeater.py
@@ -18,7 +18,7 @@ import os
from json import loads
from sys import exit
-from netifaces import ifaddresses, interfaces, AF_INET
+from netifaces import ifaddresses, interfaces, AF_INET, AF_INET6
from vyos.config import Config
from vyos.ifconfig.vrrp import VRRP
@@ -36,18 +36,22 @@ def get_config(config=None):
conf = config
else:
conf = Config()
+
base = ['service', 'mdns', 'repeater']
- mdns = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+ if not conf.exists(base):
+ return None
+
+ mdns = conf.get_config_dict(base, key_mangling=('-', '_'),
+ no_tag_node_value_mangle=True,
+ get_first_key=True,
+ with_recursive_defaults=True)
if mdns:
mdns['vrrp_exists'] = conf.exists('high-availability vrrp')
return mdns
def verify(mdns):
- if not mdns:
- return None
-
- if 'disable' in mdns:
+ if not mdns or 'disable' in mdns:
return None
# We need at least two interfaces to repeat mDNS advertisments
@@ -60,10 +64,14 @@ def verify(mdns):
if interface not in interfaces():
raise ConfigError(f'Interface "{interface}" does not exist!')
- if AF_INET not in ifaddresses(interface):
+ if mdns['ip_version'] in ['ipv4', 'both'] and AF_INET not in ifaddresses(interface):
raise ConfigError('mDNS repeater requires an IPv4 address to be '
f'configured on interface "{interface}"')
+ if mdns['ip_version'] in ['ipv6', 'both'] and AF_INET6 not in ifaddresses(interface):
+ raise ConfigError('mDNS repeater requires an IPv6 address to be '
+ f'configured on interface "{interface}"')
+
return None
# Get VRRP states from interfaces, returns only interfaces where state is MASTER
@@ -92,7 +100,7 @@ def generate(mdns):
if len(mdns['interface']) < 2:
return None
- render(config_file, 'mdns-repeater/avahi-daemon.j2', mdns)
+ render(config_file, 'mdns-repeater/avahi-daemon.conf.j2', mdns)
return None
def apply(mdns):
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 02c97afaa..87a269499 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -104,6 +104,9 @@ def get_config(config=None):
# prune TACACS global defaults if not set by user
if login.from_defaults(['tacacs']):
del login['tacacs']
+ # same for RADIUS
+ if login.from_defaults(['radius']):
+ del login['radius']
# create a list of all users, cli and users
all_users = list(set(local_users + cli_users))
@@ -377,17 +380,23 @@ def apply(login):
except Exception as e:
raise ConfigError(f'Deleting user "{user}" raised exception: {e}')
- # Enable RADIUS in PAM configuration
- pam_cmd = '--remove'
+ # Enable/disable RADIUS in PAM configuration
+ cmd('pam-auth-update --disable radius-mandatory radius-optional')
if 'radius' in login:
- pam_cmd = '--enable'
- cmd(f'pam-auth-update --package {pam_cmd} radius')
-
- # Enable/Disable TACACS in PAM configuration
- pam_cmd = '--remove'
+ if login['radius'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'radius-mandatory'
+ else:
+ pam_profile = 'radius-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}')
+
+ # Enable/disable TACACS+ in PAM configuration
+ cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional')
if 'tacacs' in login:
- pam_cmd = '--enable'
- cmd(f'pam-auth-update --package {pam_cmd} tacplus')
+ if login['tacacs'].get('security_mode', '') == 'mandatory':
+ pam_profile = 'tacplus-mandatory'
+ else:
+ pam_profile = 'tacplus-optional'
+ cmd(f'pam-auth-update --enable {pam_profile}')
return None
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index fa271cbdb..9e9385ddb 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -29,7 +29,10 @@ from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
from vyos.defaults import directories
from vyos.ifconfig import Interface
+from vyos.pki import encode_certificate
from vyos.pki import encode_public_key
+from vyos.pki import find_chain
+from vyos.pki import load_certificate
from vyos.pki import load_private_key
from vyos.pki import wrap_certificate
from vyos.pki import wrap_crl
@@ -431,15 +434,23 @@ def generate_pki_files_x509(pki, x509_conf):
ca_cert_name = x509_conf['ca_certificate']
ca_cert_data = dict_search_args(pki, 'ca', ca_cert_name, 'certificate')
ca_cert_crls = dict_search_args(pki, 'ca', ca_cert_name, 'crl') or []
+ ca_index = 1
crl_index = 1
+ ca_cert = load_certificate(ca_cert_data)
+ pki_ca_certs = [load_certificate(ca['certificate']) for ca in pki['ca'].values()]
+
+ ca_cert_chain = find_chain(ca_cert, pki_ca_certs)
+
cert_name = x509_conf['certificate']
cert_data = dict_search_args(pki, 'certificate', cert_name, 'certificate')
key_data = dict_search_args(pki, 'certificate', cert_name, 'private', 'key')
protected = 'passphrase' in x509_conf
- with open(os.path.join(CA_PATH, f'{ca_cert_name}.pem'), 'w') as f:
- f.write(wrap_certificate(ca_cert_data))
+ for ca_cert_obj in ca_cert_chain:
+ with open(os.path.join(CA_PATH, f'{ca_cert_name}_{ca_index}.pem'), 'w') as f:
+ f.write(encode_certificate(ca_cert_obj))
+ ca_index += 1
for crl in ca_cert_crls:
with open(os.path.join(CRL_PATH, f'{ca_cert_name}_{crl_index}.pem'), 'w') as f:
diff --git a/src/op_mode/generate_firewall_rule-resequence.py b/src/op_mode/generate_firewall_rule-resequence.py
new file mode 100755
index 000000000..eb82a1a0a
--- /dev/null
+++ b/src/op_mode/generate_firewall_rule-resequence.py
@@ -0,0 +1,144 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import argparse
+from vyos.configquery import ConfigTreeQuery
+
+
+def convert_to_set_commands(config_dict, parent_key=''):
+ """
+ Converts a configuration dictionary into a list of set commands.
+
+ Args:
+ config_dict (dict): The configuration dictionary.
+ parent_key (str): The parent key for nested dictionaries.
+
+ Returns:
+ list: A list of set commands.
+ """
+ commands = []
+ for key, value in config_dict.items():
+ current_key = parent_key + key if parent_key else key
+
+ if isinstance(value, dict):
+ if not value:
+ commands.append(f"set {current_key}")
+ else:
+ commands.extend(
+ convert_to_set_commands(value, f"{current_key} "))
+
+ elif isinstance(value, str):
+ commands.append(f"set {current_key} '{value}'")
+
+ return commands
+
+
+def change_rule_numbers(config_dict, start, step):
+ """
+ Changes rule numbers in the configuration dictionary.
+
+ Args:
+ config_dict (dict): The configuration dictionary.
+ start (int): The starting rule number.
+ step (int): The step to increment the rule numbers.
+
+ Returns:
+ None
+ """
+ if 'rule' in config_dict:
+ rule_dict = config_dict['rule']
+ updated_rule_dict = {}
+ rule_num = start
+ for rule_key in sorted(rule_dict.keys()):
+ updated_rule_dict[str(rule_num)] = rule_dict[rule_key]
+ rule_num += step
+ config_dict['rule'] = updated_rule_dict
+
+ for key in config_dict:
+ if isinstance(config_dict[key], dict):
+ change_rule_numbers(config_dict[key], start, step)
+
+
+def convert_rule_keys_to_int(config_dict):
+ """
+ Converts rule keys in the configuration dictionary to integers.
+
+ Args:
+ config_dict (dict or list): The configuration dictionary or list.
+
+ Returns:
+ dict or list: The modified dictionary or list.
+ """
+ if isinstance(config_dict, dict):
+ new_dict = {}
+ for key, value in config_dict.items():
+ # Convert key to integer if possible
+ new_key = int(key) if key.isdigit() else key
+
+ # Recur for nested dictionaries
+ if isinstance(value, dict):
+ new_value = convert_rule_keys_to_int(value)
+ else:
+ new_value = value
+
+ new_dict[new_key] = new_value
+
+ return new_dict
+ elif isinstance(config_dict, list):
+ return [convert_rule_keys_to_int(item) for item in config_dict]
+ else:
+ return config_dict
+
+
+if __name__ == "__main__":
+ # Parse command-line arguments
+ parser = argparse.ArgumentParser(description='Convert dictionary to set commands with rule number modifications.')
+ parser.add_argument('--start', type=int, default=100, help='Start rule number')
+ parser.add_argument('--step', type=int, default=10, help='Step for rule numbers (default: 10)')
+ args = parser.parse_args()
+
+ config = ConfigTreeQuery()
+ if not config.exists('firewall'):
+ print('Firewall is not configured')
+ exit(1)
+
+ config_dict = config.get_config_dict('firewall')
+
+ # Remove global-options, group and flowtable as they don't need sequencing
+ if 'global-options' in config_dict['firewall']:
+ del config_dict['firewall']['global-options']
+
+ if 'group' in config_dict['firewall']:
+ del config_dict['firewall']['group']
+
+ if 'flowtable' in config_dict['firewall']:
+ del config_dict['firewall']['flowtable']
+
+ # Convert rule keys to integers, rule "10" -> rule 10
+ # This is necessary for sorting the rules
+ config_dict = convert_rule_keys_to_int(config_dict)
+
+ # Apply rule number modifications
+ change_rule_numbers(config_dict, start=args.start, step=args.step)
+
+ # Convert to 'set' commands
+ set_commands = convert_to_set_commands(config_dict)
+
+ print()
+ for command in set_commands:
+ print(command)
+ print()
diff --git a/src/op_mode/zone.py b/src/op_mode/zone.py
deleted file mode 100755
index 17ce90396..000000000
--- a/src/op_mode/zone.py
+++ /dev/null
@@ -1,215 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2023 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import typing
-import sys
-import vyos.opmode
-
-import tabulate
-from vyos.configquery import ConfigTreeQuery
-from vyos.utils.dict import dict_search_args
-from vyos.utils.dict import dict_search
-
-
-def get_config_zone(conf, name=None):
- config_path = ['firewall', 'zone']
- if name:
- config_path += [name]
-
- zone_policy = conf.get_config_dict(config_path, key_mangling=('-', '_'),
- get_first_key=True,
- no_tag_node_value_mangle=True)
- return zone_policy
-
-
-def _convert_one_zone_data(zone: str, zone_config: dict) -> dict:
- """
- Convert config dictionary of one zone to API dictionary
- :param zone: Zone name
- :type zone: str
- :param zone_config: config dictionary
- :type zone_config: dict
- :return: AP dictionary
- :rtype: dict
- """
- list_of_rules = []
- intrazone_dict = {}
- if dict_search('from', zone_config):
- for from_zone, from_zone_config in zone_config['from'].items():
- from_zone_dict = {'name': from_zone}
- if dict_search('firewall.name', from_zone_config):
- from_zone_dict['firewall'] = dict_search('firewall.name',
- from_zone_config)
- if dict_search('firewall.ipv6_name', from_zone_config):
- from_zone_dict['firewall_v6'] = dict_search(
- 'firewall.ipv6_name', from_zone_config)
- list_of_rules.append(from_zone_dict)
-
- zone_dict = {
- 'name': zone,
- 'interface': dict_search('interface', zone_config),
- 'type': 'LOCAL' if dict_search('local_zone',
- zone_config) is not None else None,
- }
- if list_of_rules:
- zone_dict['from'] = list_of_rules
- if dict_search('intra_zone_filtering.firewall.name', zone_config):
- intrazone_dict['firewall'] = dict_search(
- 'intra_zone_filtering.firewall.name', zone_config)
- if dict_search('intra_zone_filtering.firewall.ipv6_name', zone_config):
- intrazone_dict['firewall_v6'] = dict_search(
- 'intra_zone_filtering.firewall.ipv6_name', zone_config)
- if intrazone_dict:
- zone_dict['intrazone'] = intrazone_dict
- return zone_dict
-
-
-def _convert_zones_data(zone_policies: dict) -> list:
- """
- Convert all config dictionary to API list of zone dictionaries
- :param zone_policies: config dictionary
- :type zone_policies: dict
- :return: API list
- :rtype: list
- """
- zone_list = []
- for zone, zone_config in zone_policies.items():
- zone_list.append(_convert_one_zone_data(zone, zone_config))
- return zone_list
-
-
-def _convert_config(zones_config: dict, zone: str = None) -> list:
- """
- convert config to API list
- :param zones_config: zones config
- :type zones_config:
- :param zone: zone name
- :type zone: str
- :return: API list
- :rtype: list
- """
- if zone:
- if zones_config:
- output = [_convert_one_zone_data(zone, zones_config)]
- else:
- raise vyos.opmode.DataUnavailable(f'Zone {zone} not found')
- else:
- if zones_config:
- output = _convert_zones_data(zones_config)
- else:
- raise vyos.opmode.UnconfiguredSubsystem(
- 'Zone entries are not configured')
- return output
-
-
-def output_zone_list(zone_conf: dict) -> list:
- """
- Format one zone row
- :param zone_conf: zone config
- :type zone_conf: dict
- :return: formatted list of zones
- :rtype: list
- """
- zone_info = [zone_conf['name']]
- if zone_conf['type'] == 'LOCAL':
- zone_info.append('LOCAL')
- else:
- zone_info.append("\n".join(zone_conf['interface']))
-
- from_zone = []
- firewall = []
- firewall_v6 = []
- if 'intrazone' in zone_conf:
- from_zone.append(zone_conf['name'])
-
- v4_name = dict_search_args(zone_conf['intrazone'], 'firewall')
- v6_name = dict_search_args(zone_conf['intrazone'], 'firewall_v6')
- if v4_name:
- firewall.append(v4_name)
- else:
- firewall.append('')
- if v6_name:
- firewall_v6.append(v6_name)
- else:
- firewall_v6.append('')
-
- if 'from' in zone_conf:
- for from_conf in zone_conf['from']:
- from_zone.append(from_conf['name'])
-
- v4_name = dict_search_args(from_conf, 'firewall')
- v6_name = dict_search_args(from_conf, 'firewall_v6')
- if v4_name:
- firewall.append(v4_name)
- else:
- firewall.append('')
- if v6_name:
- firewall_v6.append(v6_name)
- else:
- firewall_v6.append('')
-
- zone_info.append("\n".join(from_zone))
- zone_info.append("\n".join(firewall))
- zone_info.append("\n".join(firewall_v6))
- return zone_info
-
-
-def get_formatted_output(zone_policy: list) -> str:
- """
- Formatted output of all zones
- :param zone_policy: list of zones
- :type zone_policy: list
- :return: formatted table with zones
- :rtype: str
- """
- headers = ["Zone",
- "Interfaces",
- "From Zone",
- "Firewall IPv4",
- "Firewall IPv6"
- ]
- formatted_list = []
- for zone_conf in zone_policy:
- formatted_list.append(output_zone_list(zone_conf))
- tabulate.PRESERVE_WHITESPACE = True
- output = tabulate.tabulate(formatted_list, headers, numalign="left")
- return output
-
-
-def show(raw: bool, zone: typing.Optional[str]):
- """
- Show zone-policy command
- :param raw: if API
- :type raw: bool
- :param zone: zone name
- :type zone: str
- """
- conf: ConfigTreeQuery = ConfigTreeQuery()
- zones_config: dict = get_config_zone(conf, zone)
- zone_policy_api: list = _convert_config(zones_config, zone)
- if raw:
- return zone_policy_api
- else:
- return get_formatted_output(zone_policy_api)
-
-
-if __name__ == '__main__':
- try:
- res = vyos.opmode.run(sys.modules[__name__])
- if res:
- print(res)
- except (ValueError, vyos.opmode.Error) as e:
- print(e)
- sys.exit(1)
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
deleted file mode 100644
index eee9cb93e..000000000
--- a/src/pam-configs/radius
+++ /dev/null
@@ -1,20 +0,0 @@
-Name: RADIUS authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
- [default=ignore success=2] pam_succeed_if.so service = sudo
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
-
-Account-Type: Primary
-Account:
- [default=ignore success=2] pam_succeed_if.so service = sudo
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
-
-Session-Type: Additional
-Session:
- [default=ignore success=2] pam_succeed_if.so service = sudo
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory
new file mode 100644
index 000000000..3368fe7ff
--- /dev/null
+++ b/src/pam-configs/radius-mandatory
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
+Auth:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=bad success=ok] pam_radius_auth.so
diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional
new file mode 100644
index 000000000..73085061d
--- /dev/null
+++ b/src/pam-configs/radius-optional
@@ -0,0 +1,19 @@
+Name: RADIUS authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+ [default=ignore success=end] pam_radius_auth.so
+Auth:
+ [default=ignore success=end] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+ [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so
diff --git a/src/pam-configs/tacplus b/src/pam-configs/tacplus
deleted file mode 100644
index 66a1eaa4c..000000000
--- a/src/pam-configs/tacplus
+++ /dev/null
@@ -1,17 +0,0 @@
-Name: TACACS+ authentication
-Default: no
-Priority: 257
-Auth-Type: Primary
-Auth:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Account-Type: Primary
-Account:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
-
-Session-Type: Additional
-Session:
- [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
- [authinfo_unavail=ignore success=ok default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-mandatory b/src/pam-configs/tacplus-mandatory
new file mode 100644
index 000000000..ffccece19
--- /dev/null
+++ b/src/pam-configs/tacplus-mandatory
@@ -0,0 +1,17 @@
+Name: TACACS+ authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth:
+ [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=bad success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=bad success=ok] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/pam-configs/tacplus-optional b/src/pam-configs/tacplus-optional
new file mode 100644
index 000000000..095c3a164
--- /dev/null
+++ b/src/pam-configs/tacplus-optional
@@ -0,0 +1,17 @@
+Name: TACACS+ authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth:
+ [default=ignore success=end] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Account-Type: Primary
+Account:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore success=end auth_err=bad perm_denied=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
+
+Session-Type: Additional
+Session:
+ [default=ignore success=1] pam_succeed_if.so user notingroup tacacs quiet
+ [default=ignore success=ok session_err=bad user_unknown=bad] pam_tacplus.so include=/etc/tacplus_servers login=login
diff --git a/src/validators/numeric-exclude b/src/validators/numeric-exclude
new file mode 100644
index 000000000..676a240b6
--- /dev/null
+++ b/src/validators/numeric-exclude
@@ -0,0 +1,8 @@
+#!/bin/sh
+path=$(dirname "$0")
+num="${@: -1}"
+if [ "${num:0:1}" != "!" ]; then
+ ${path}/numeric $@
+else
+ ${path}/numeric ${@:1:$#-1} ${num:1}
+fi