diff options
-rw-r--r-- | data/configd-include.json | 1 | ||||
-rw-r--r-- | data/templates/accel-ppp/ipoe.config.j2 | 16 | ||||
-rw-r--r-- | data/templates/sflow/hsflowd.conf.j2 | 31 | ||||
-rw-r--r-- | data/templates/sflow/override.conf.j2 | 16 | ||||
-rw-r--r-- | debian/control | 1 | ||||
-rw-r--r-- | interface-definitions/system-sflow.xml.in | 115 | ||||
-rw-r--r-- | op-mode-definitions/show-ip-route.xml.in | 17 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_system_sflow.py | 100 | ||||
-rwxr-xr-x | src/conf_mode/service_ipoe-server.py | 11 | ||||
-rwxr-xr-x | src/conf_mode/system_sflow.py | 124 |
10 files changed, 424 insertions, 8 deletions
diff --git a/data/configd-include.json b/data/configd-include.json index 648655a8b..456211caa 100644 --- a/data/configd-include.json +++ b/data/configd-include.json @@ -74,6 +74,7 @@ "system-logs.py", "system-option.py", "system-proxy.py", +"system_sflow.py", "system_sysctl.py", "system-syslog.py", "system-timezone.py", diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index 27621bc9b..ac83c3dbd 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -44,18 +44,18 @@ vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }} {% endif %} {% if authentication.mode is vyos_defined('noauth') %} noauth=1 -{% if client_ip_pool.name is vyos_defined %} -{% for pool, pool_options in client_ip_pool.name.items() %} -{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} -ip-pool={{ pool }} -gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} -{% endif %} -{% endfor %} -{% endif %} {% elif authentication.mode is vyos_defined('local') %} username=ifname password=csid {% endif %} +{% if client_ip_pool.name is vyos_defined %} +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} +ip-pool={{ pool }} +gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} +{% endif %} +{% endfor %} +{% endif %} proxy-arp=1 {% if client_ip_pool.name is vyos_defined %} diff --git a/data/templates/sflow/hsflowd.conf.j2 b/data/templates/sflow/hsflowd.conf.j2 new file mode 100644 index 000000000..94f5939be --- /dev/null +++ b/data/templates/sflow/hsflowd.conf.j2 @@ -0,0 +1,31 @@ +# Genereated by /usr/libexec/vyos/conf_mode/system_sflow.py +# Parameters http://sflow.net/host-sflow-linux-config.php + +sflow { +{% if polling is vyos_defined %} + polling={{ polling }} +{% endif %} +{% if sampling_rate is vyos_defined %} + sampling={{ sampling_rate }} + sampling.bps_ratio=0 +{% endif %} +{% if agent_address is vyos_defined %} + agentIP={{ agent_address }} +{% endif %} +{% if agent_interface is vyos_defined %} + agent={{ agent_interface }} +{% endif %} +{% if server is vyos_defined %} +{% for server, server_config in server.items() %} + collector { ip = {{ server }} udpport = {{ server_config.port }} } +{% endfor %} +{% endif %} +{% if interface is vyos_defined %} +{% for iface in interface %} + pcap { dev={{ iface }} } +{% endfor %} +{% endif %} +{% if drop_monitor_limit is vyos_defined %} + dropmon { limit={{ drop_monitor_limit }} start=on sw=on hw=off } +{% endif %} +} diff --git a/data/templates/sflow/override.conf.j2 b/data/templates/sflow/override.conf.j2 new file mode 100644 index 000000000..f2a982528 --- /dev/null +++ b/data/templates/sflow/override.conf.j2 @@ -0,0 +1,16 @@ +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/sflow/hsflowd.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf +WorkingDirectory= +WorkingDirectory=/run/sflow +PIDFile= +PIDFile=/run/sflow/hsflowd.pid +Restart=always +RestartSec=10 diff --git a/debian/control b/debian/control index c3854252f..028b7cd43 100644 --- a/debian/control +++ b/debian/control @@ -64,6 +64,7 @@ Depends: libpam-google-authenticator, grc, hostapd, + hsflowd, hvinfo, igmpproxy, ipaddrcheck, diff --git a/interface-definitions/system-sflow.xml.in b/interface-definitions/system-sflow.xml.in new file mode 100644 index 000000000..335181fe1 --- /dev/null +++ b/interface-definitions/system-sflow.xml.in @@ -0,0 +1,115 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- sflow configuration --> +<interfaceDefinition> + <node name="system"> + <children> + <node name="sflow" owner="${vyos_conf_scripts_dir}/system_sflow.py"> + <properties> + <help>sFlow settings</help> + <priority>990</priority> + </properties> + <children> + <leafNode name="agent-address"> + <properties> + <help>sFlow agent IPv4 or IPv6 address</help> + <completionHelp> + <list>auto</list> + <script>${vyos_completion_dir}/list_local_ips.sh --both</script> + </completionHelp> + <valueHelp> + <format>ipv4</format> + <description>sFlow IPv4 agent address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>sFlow IPv6 agent address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + <validator name="ipv6-link-local"/> + </constraint> + </properties> + </leafNode> + <leafNode name="agent-interface"> + <properties> + <help>IP address associated with this interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces</script> + </completionHelp> + <valueHelp> + <format>txt</format> + <description>Interface name</description> + </valueHelp> + <constraint> + #include <include/constraint/interface-name.xml.in> + </constraint> + </properties> + </leafNode> + <leafNode name="drop-monitor-limit"> + <properties> + <help>Export headers of dropped by kernel packets</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Maximum rate limit of N drops per second send out in the sFlow datagrams</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + #include <include/generic-interface-multi.xml.i> + <leafNode name="polling"> + <properties> + <help>Schedule counter-polling in seconds</help> + <valueHelp> + <format>u32:1-600</format> + <description>Polling rate in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-600"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="sampling-rate"> + <properties> + <help>sFlow sampling-rate</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Sampling rate (1 in N packets)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <defaultValue>1000</defaultValue> + </leafNode> + <tagNode name="server"> + <properties> + <help>sFlow destination server</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 server to export sFlow</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 server to export sFlow</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + </constraint> + </properties> + <children> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>6343</defaultValue> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/show-ip-route.xml.in b/op-mode-definitions/show-ip-route.xml.in index 681aa089f..c878bf712 100644 --- a/op-mode-definitions/show-ip-route.xml.in +++ b/op-mode-definitions/show-ip-route.xml.in @@ -92,6 +92,23 @@ #include <include/show-route-static.xml.i> #include <include/show-route-supernets-only.xml.i> #include <include/show-route-tag.xml.i> + <node name="node.tag"> + <properties> + <help>Show IP routes of specified IP address or prefix</help> + <completionHelp> + <list><x.x.x.x> <x.x.x.x/x></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + <leafNode name="longer-prefixes"> + <properties> + <help>Show longer prefixes of routes for specified prefix</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + </children> + </node> </children> </tagNode> </children> diff --git a/smoketest/scripts/cli/test_system_sflow.py b/smoketest/scripts/cli/test_system_sflow.py new file mode 100755 index 000000000..fef88b56a --- /dev/null +++ b/smoketest/scripts/cli/test_system_sflow.py @@ -0,0 +1,100 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM + +from vyos.configsession import ConfigSessionError +from vyos.ifconfig import Section +from vyos.util import cmd +from vyos.util import process_named_running +from vyos.util import read_file + +PROCESS_NAME = 'hsflowd' +base_path = ['system', 'sflow'] + +hsflowd_conf = '/run/sflow/hsflowd.conf' + + +class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): + + @classmethod + def setUpClass(cls): + super(TestSystemFlowAccounting, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, base_path) + + def tearDown(self): + # after service removal process must no longer run + self.assertTrue(process_named_running(PROCESS_NAME)) + + self.cli_delete(base_path) + self.cli_commit() + + # after service removal process must no longer run + self.assertFalse(process_named_running(PROCESS_NAME)) + + def test_sflow(self): + agent_address = '192.0.2.5' + agent_interface = 'eth0' + polling = '24' + sampling_rate = '128' + server = '192.0.2.254' + local_server = '127.0.0.1' + port = '8192' + default_port = '6343' + mon_limit = '50' + + self.cli_set( + ['interfaces', 'dummy', 'dum0', 'address', f'{agent_address}/24']) + self.cli_set(base_path + ['agent-address', agent_address]) + self.cli_set(base_path + ['agent-interface', agent_interface]) + + # You need to configure at least one interface for sflow + with self.assertRaises(ConfigSessionError): + self.cli_commit() + for interface in Section.interfaces('ethernet'): + self.cli_set(base_path + ['interface', interface]) + + self.cli_set(base_path + ['polling', polling]) + self.cli_set(base_path + ['sampling-rate', sampling_rate]) + self.cli_set(base_path + ['server', server, 'port', port]) + self.cli_set(base_path + ['server', local_server]) + self.cli_set(base_path + ['drop-monitor-limit', mon_limit]) + + # commit changes + self.cli_commit() + + # verify configuration + hsflowd = read_file(hsflowd_conf) + + self.assertIn(f'polling={polling}', hsflowd) + self.assertIn(f'sampling={sampling_rate}', hsflowd) + self.assertIn(f'agentIP={agent_address}', hsflowd) + self.assertIn(f'agent={agent_interface}', hsflowd) + self.assertIn(f'collector {{ ip = {server} udpport = {port} }}', hsflowd) + self.assertIn(f'collector {{ ip = {local_server} udpport = {default_port} }}', hsflowd) + self.assertIn(f'dropmon {{ limit={mon_limit} start=on sw=on hw=off }}', hsflowd) + + for interface in Section.interfaces('ethernet'): + self.assertIn(f'pcap {{ dev={interface} }}', hsflowd) + + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 9cdfa08ef..4fabe170f 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -60,6 +60,17 @@ def verify(ipoe): 'Use "ipoe client-ip-pool" instead.') #verify_accel_ppp_base_service(ipoe, local_users=False) + # IPoE server does not have 'gateway' option in the CLI + # we cannot use configverify.py verify_accel_ppp_base_service for ipoe-server + + if dict_search('authentication.mode', ipoe) == 'radius': + if not dict_search('authentication.radius.server', ipoe): + raise ConfigError('RADIUS authentication requires at least one server') + + for server in dict_search('authentication.radius.server', ipoe): + radius_config = ipoe['authentication']['radius']['server'][server] + if 'key' not in radius_config: + raise ConfigError(f'Missing RADIUS secret key for server "{server}"') if 'client_ipv6_pool' in ipoe: if 'delegate' in ipoe['client_ipv6_pool'] and 'prefix' not in ipoe['client_ipv6_pool']: diff --git a/src/conf_mode/system_sflow.py b/src/conf_mode/system_sflow.py new file mode 100755 index 000000000..a0c3fca7f --- /dev/null +++ b/src/conf_mode/system_sflow.py @@ -0,0 +1,124 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.template import render +from vyos.util import call +from vyos.validate import is_addr_assigned +from vyos.xml import defaults +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +hsflowd_conf_path = '/run/sflow/hsflowd.conf' +systemd_service = 'hsflowd.service' +systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf' + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'sflow'] + if not conf.exists(base): + return None + + sflow = conf.get_config_dict(base, + key_mangling=('-', '_'), + get_first_key=True) + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + + sflow = dict_merge(default_values, sflow) + + # Ignore default XML values if config doesn't exists + # Delete key from dict + if 'port' in sflow['server']: + del sflow['server']['port'] + + # Set default values per server + if 'server' in sflow: + for server in sflow['server']: + default_values = defaults(base + ['server']) + sflow['server'][server] = dict_merge(default_values, sflow['server'][server]) + + return sflow + + +def verify(sflow): + if not sflow: + return None + + # Check if configured sflow agent-address exist in the system + if 'agent_address' in sflow: + tmp = sflow['agent_address'] + if not is_addr_assigned(tmp): + raise ConfigError( + f'Configured "sflow agent-address {tmp}" does not exist in the system!' + ) + + # Check if at least one interface is configured + if 'interface' not in sflow: + raise ConfigError( + 'sFlow requires at least one interface to be configured!') + + # Check if at least one server is configured + if 'server' not in sflow: + raise ConfigError('You need to configure at least one sFlow server!') + + # return True if all checks were passed + return True + + +def generate(sflow): + if not sflow: + return None + + render(hsflowd_conf_path, 'sflow/hsflowd.conf.j2', sflow) + render(systemd_override, 'sflow/override.conf.j2', sflow) + # Reload systemd manager configuration + call('systemctl daemon-reload') + + +def apply(sflow): + if not sflow: + # Stop flow-accounting daemon and remove configuration file + call(f'systemctl stop {systemd_service}') + if os.path.exists(hsflowd_conf_path): + os.unlink(hsflowd_conf_path) + return + + # Start/reload flow-accounting daemon + call(f'systemctl restart {systemd_service}') + + +if __name__ == '__main__': + try: + config = get_config() + verify(config) + generate(config) + apply(config) + except ConfigError as e: + print(e) + exit(1) |