-rw-r--r--data/templates/sstp/sstp.config.tmpl1
-rw-r--r--interface-definitions/vpn-l2tp.xml.in (renamed from interface-definitions/l2tp-server.xml.in)0
-rw-r--r--op-mode-definitions/ipoe-server.xml38
-rw-r--r--op-mode-definitions/reset-vpn.xml16
-rw-r--r--python/vyos/remote.py29
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py17
-rwxr-xr-xsrc/helpers/vyos-merge-config.py12
-rwxr-xr-xsrc/op_mode/reset_vpn.py69
8 files changed, 103 insertions, 79 deletions
diff --git a/data/templates/sstp/sstp.config.tmpl b/data/templates/sstp/sstp.config.tmpl
index 19805358e..6c09c52ad 100644
--- a/data/templates/sstp/sstp.config.tmpl
+++ b/data/templates/sstp/sstp.config.tmpl
@@ -30,6 +30,7 @@ disable
[sstp]
verbose=1
+ifname=sstp%d
accept=ssl
ssl-ca-file={{ ssl_ca }}
ssl-pemfile={{ ssl_cert }}
diff --git a/interface-definitions/l2tp-server.xml.in b/interface-definitions/vpn-l2tp.xml.in
index 7fc844054..7fc844054 100644
--- a/interface-definitions/l2tp-server.xml.in
+++ b/interface-definitions/vpn-l2tp.xml.in
diff --git a/op-mode-definitions/ipoe-server.xml b/op-mode-definitions/ipoe-server.xml
index 369ceebea..c05e2d2c1 100644
--- a/op-mode-definitions/ipoe-server.xml
+++ b/op-mode-definitions/ipoe-server.xml
@@ -1,5 +1,41 @@
<?xml version="1.0"?>
<interfaceDefinition>
+ <node name="reset">
+ <children>
+ <node name="ipoe-server">
+ <properties>
+ <help>Clear ipoe-server sessions or process</help>
+ </properties>
+ <children>
+ <node name="session">
+ <properties>
+ <help>Clear ipoe-server session</help>
+ </properties>
+ <children>
+ <leafNode name="username">
+ <properties>
+ <help>Clear ipoe-server session by username</help>
+ <completionHelp>
+ <script>/usr/bin/accel-cmd -p 2002 show sessions username | sed -e 's/ \r//g' | tail -n +3</script>
+ </completionHelp>
+ </properties>
+ <command>/usr/bin/accel-cmd -p 2002 terminate username $5</command>
+ </leafNode>
+ <leafNode name="sid">
+ <properties>
+ <help>Clear ipoe-server session by sid</help>
+ <completionHelp>
+ <script>/usr/bin/accel-cmd -p 2002 show sessions sid | sed -e 's/ \r//g' | tail -n +3</script>
+ </completionHelp>
+ </properties>
+ <command>/usr/bin/accel-cmd -p 2002 terminate sid $5</command>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
<node name="show">
<children>
<node name="ipoe-server">
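Review bot: The value completed into `$5` is interpolated unquoted into the shell command on both new `<command>` lines (`terminate username $5` and `terminate sid $5`), while the same positional is quoted as `--username="$5"` in reset-vpn.xml elsewhere in this commit. Unquoted, a username containing whitespace or shell metacharacters is word-split or interpreted before accel-cmd receives it, so the wrong session (or none) is terminated. Quote both: `<command>/usr/bin/accel-cmd -p 2002 terminate username "$5"</command>` and `<command>/usr/bin/accel-cmd -p 2002 terminate sid "$5"</command>`. The completion scripts on the `<script>` lines can stay as they are.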
@@ -11,7 +47,7 @@
<properties>
<help>Show active IPoE server sessions</help>
</properties>
- <command>/usr/bin/accel-cmd -p 2002 show sessions ifname,called-sid,calling-sid,ip,ip6,ip6-dp,rate-limit,state,uptime,sid</command>
+ <command>/usr/bin/accel-cmd -p 2002 show sessions ifname,username,called-sid,calling-sid,ip,ip6,ip6-dp,rate-limit,state,uptime,sid</command>
</leafNode>
<leafNode name="statistics">
<properties>
diff --git a/op-mode-definitions/reset-vpn.xml b/op-mode-definitions/reset-vpn.xml
index c0b0ddeb1..ae553c272 100644
--- a/op-mode-definitions/reset-vpn.xml
+++ b/op-mode-definitions/reset-vpn.xml
@@ -37,6 +37,12 @@
</properties>
<command>sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="pptp"</command>
</leafNode>
+ <leafNode name="sstp">
+ <properties>
+ <help>Terminate all user's current remote access VPN session(s) with SSTP protocol</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="sstp"</command>
+ </leafNode>
</children>
</node>
</children>
@@ -62,13 +68,19 @@
<properties>
<help>Terminate all user's current remote access VPN session(s) with L2TP protocol</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="l2tp"</command>
+ <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="l2tp"</command>
</leafNode>
<leafNode name="pptp">
<properties>
<help>Terminate all user's current remote access VPN session(s) with PPTP protocol</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="pptp"</command>
+ <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="pptp"</command>
+ </leafNode>
+ <leafNode name="sstp">
+ <properties>
+ <help>Terminate all user's current remote access VPN session(s) with SSTP protocol</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="sstp"</command>
</leafNode>
</children>
</node>
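Review bot: The help text on the new per-user `sstp` leaf (`Terminate all user's current remote access VPN session(s) with SSTP protocol`) is identical to the text on the all-users `sstp` leaf added in the previous hunk, even though this leaf now passes `--username="$5"` and acts on one user. An operator tab-completing cannot tell the two apart from the help. Suggest `<help>Terminate the specified user's remote access VPN session(s) with SSTP protocol</help>` here, and the same rewording for the pre-existing l2tp and pptp leaves in this hunk, whose commands were just changed from all_users to `$5`.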
diff --git a/python/vyos/remote.py b/python/vyos/remote.py
index f8a21f068..f918461d1 100644
--- a/python/vyos/remote.py
+++ b/python/vyos/remote.py
@@ -17,7 +17,8 @@ import sys
import os
import re
import fileinput
-import subprocess
+
+from vyos.util import cmd, DEVNULL
def check_and_add_host_key(host_name):
@@ -33,10 +34,8 @@ def check_and_add_host_key(host_name):
keyscan_cmd = 'ssh-keyscan -t rsa {} 2>/dev/null'.format(host_name)
try:
- host_key = subprocess.check_output(keyscan_cmd, shell=True,
- stderr=subprocess.DEVNULL,
- universal_newlines=True)
- except subprocess.CalledProcessError as err:
+ host_key = cmd(keyscan_cmd, shell=True, stderr=DEVNULL)
+ except OSError:
sys.exit("Can not get RSA host key")
# libssh2 (jessie; stretch) does not recognize ec host keys, and curl
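Review bot: The new `except OSError:` on the line after the `cmd(...)` call is only a faithful replacement for `subprocess.CalledProcessError` if `cmd` converts a non-zero exit status into an OSError; from this file alone that cannot be confirmed, and if it does not, a failed ssh-keyscan would now propagate instead of reaching the `sys.exit` that follows. A one-line comment such as `# cmd() raises OSError on non-zero exit (vyos.util) -- confirm` would record the assumption; the same applies to the three later hunks in this file that make the identical swap. Separately, keyscan_cmd already carries `2>/dev/null` inside the shell string, so `stderr=DEVNULL` on the new call is redundant, and host_name is still formatted straight into a `shell=True` command string, which is worth guarding with a hostname/IP validity check before this point. check_and_add_host_key begins and ends outside this hunk.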
@@ -64,10 +63,8 @@ def check_and_add_host_key(host_name):
fingerprint_cmd = 'ssh-keygen -lf /dev/stdin <<< "{}"'.format(host_key)
try:
- fingerprint = subprocess.check_output(fingerprint_cmd, shell=True,
- stderr=subprocess.DEVNULL,
- universal_newlines=True)
- except subprocess.CalledProcessError as err:
+ fingerprint = cmd(fingerprint_cmd, shell=True, stderr=DEVNULL)
+ except OSError:
sys.exit("Can not get RSA host key fingerprint.")
print("RSA host key fingerprint is {}".format(fingerprint.split()[1]))
@@ -128,9 +125,8 @@ def get_remote_config(remote_file):
# Try header first, and look for 'OK' or 'Moved' codes:
curl_cmd = 'curl {0} -q -I {1}'.format(redirect_opt, remote_file)
try:
- curl_output = subprocess.check_output(curl_cmd, shell=True,
- universal_newlines=True)
- except subprocess.CalledProcessError:
+ curl_output = cmd(curl_cmd, shell=True)
+ except OSError:
sys.exit(1)
return_vals = re.findall(r'^HTTP\/\d+\.?\d\s+(\d+)\s+(.*)$',
@@ -146,9 +142,6 @@ def get_remote_config(remote_file):
curl_cmd = 'curl {0} -# {1}'.format(redirect_opt, remote_file)
try:
- config_file = subprocess.check_output(curl_cmd, shell=True,
- universal_newlines=True)
- except subprocess.CalledProcessError:
- config_file = None
-
- return config_file
+ return cmd(curl_cmd, shell=True, stderr=None)
+ except OSError:
+ return None
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index f34e4f7fe..8a615ec62 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -490,7 +490,11 @@ def verify(openvpn):
# OpenVPN site-to-site - VERIFY
#
if openvpn['mode'] == 'site-to-site':
- if not (openvpn['local_address'] or openvpn['bridge_member']):
+ if openvpn['ncp_ciphers']:
+ raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client')
+
+ if openvpn['mode'] == 'site-to-site' and not openvpn['bridge_member']:
+ if not openvpn['local_address']:
raise ConfigError('Must specify "local-address" or "bridge member interface"')
for host in openvpn['remote_host']:
@@ -507,15 +511,10 @@ def verify(openvpn):
if openvpn['local_address'] == openvpn['local_host']:
raise ConfigError('"local-address" cannot be the same as "local-host"')
- if openvpn['ncp_ciphers']:
- raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client')
-
else:
+ # checks for client-server or site-to-site bridged
if openvpn['local_address'] or openvpn['remote_address']:
- raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server mode')
-
- elif openvpn['bridge_member']:
- raise ConfigError('Cannot specify "local-address" or "remote-address" in bridge mode')
+ raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server or bridge mode')
#
# OpenVPN server mode - VERIFY
@@ -538,7 +537,7 @@ def verify(openvpn):
if not openvpn['server_subnet']:
if not openvpn['bridge_member']:
- raise ConfigError('Must specify "server subnet" option in server mode')
+ raise ConfigError('Must specify "server subnet" or "bridge member interface" in server mode')
else:
# checks for both client and site-to-site go here
diff --git a/src/helpers/vyos-merge-config.py b/src/helpers/vyos-merge-config.py
index 10a5ea4bc..14df2734b 100755
--- a/src/helpers/vyos-merge-config.py
+++ b/src/helpers/vyos-merge-config.py
@@ -17,13 +17,13 @@
import sys
import os
-import subprocess
import tempfile
import vyos.defaults
import vyos.remote
from vyos.config import Config
from vyos.configtree import ConfigTree
from vyos.migrator import Migrator, VirtualMigrator
+from vyos.util import cmd, DEVNULL
if (len(sys.argv) < 2):
@@ -99,13 +99,11 @@ if (len(sys.argv) > 2):
if path:
add_cmds = [ cmd for cmd in add_cmds if path in cmd ]
-for cmd in add_cmds:
- cmd = "/opt/vyatta/sbin/my_" + cmd
-
+for add in add_cmds:
try:
- subprocess.check_call(cmd, shell=True)
- except subprocess.CalledProcessError as err:
- print("Called process error: {}.".format(err))
+ cmd(f'/opt/vyatta/sbin/my_{add}', shell=True, stderr=DEVNULL)
+ except OSError as err:
+ print(err)
if effective_config.session_changed():
print("Merge complete. Use 'commit' to make changes effective.")
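Review bot: The list comprehension on the unchanged line `add_cmds = [ cmd for cmd in add_cmds if path in cmd ]` reuses the name `cmd`, which this commit's import hunk now binds to the `vyos.util.cmd` function that the loop below calls. Python 3 keeps the comprehension variable local, so the call on the next lines still resolves to the function, but the loop variable was evidently renamed to `add` to avoid exactly this clash and the comprehension was left behind; rename it too: `add_cmds = [c for c in add_cmds if path in c]`. The new handler also prints the bare error where the old one prefixed it with `Called process error: ...`, which made the output recognisable in a merge log; `print(f"Called process error: {err}.")` keeps that.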
diff --git a/src/op_mode/reset_vpn.py b/src/op_mode/reset_vpn.py
index 8962df212..3a0ad941c 100755
--- a/src/op_mode/reset_vpn.py
+++ b/src/op_mode/reset_vpn.py
@@ -14,64 +14,49 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-# import os
import sys
import argparse
-#import re
from vyos.util import run
-from vyos.util import DEVNULL
-pptp_base = '/usr/bin/accel-cmd -p 2003 terminate {} {}'
-l2tp_base = '/usr/bin/accel-cmd -p 2004 terminate {} {}'
+cmd_dict = {
+ 'cmd_base' : '/usr/bin/accel-cmd -p {} terminate {} {}',
+ 'vpn_types' : {
+ 'pptp' : 2003,
+ 'l2tp' : 2004,
+ 'sstp' : 2005
+ }
+}
def terminate_sessions(username='', interface='', protocol=''):
- if username:
- if username == "all_users":
- if protocol == "pptp":
- pptp_cmd = pptp_base.format('all','')
- run(pptp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- return
- elif protocol == "l2tp":
- l2tp_cmd = l2tp_base.format('all', '')
- run(l2tp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- return
- else:
- pptp_cmd = pptp_base.format('all', '')
- run(pptp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- l2tp_cmd = l2tp_base.format('all', '')
- run(l2tp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- return
- if protocol == "pptp":
- pptp_cmd = pptp_base.format('username', username)
- run(pptp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- return
- elif protocol == "l2tp":
- l2tp_cmd = l2tp_base.format('username', username)
- run(l2tp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- return
+ # Reset vpn connections by username
+ if protocol in cmd_dict['vpn_types']:
+ if username == "all_users":
+ run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'all', ''))
else:
- pptp_cmd = pptp_base.format('username', username)
- run(pptp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- l2tp_cmd.append("terminate username {0}".format(username))
- run(l2tp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- return
+ run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'username', username))
+
+ # Reset vpn connections by ifname
+ elif interface:
+ for proto in cmd_dict['vpn_types']:
+ run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'if', interface))
- # rewrite `terminate by interface` if pptp will have pptp%d interface naming
- if interface:
- pptp_cmd = pptp_base.format('if', interface)
- run(pptp_cmd, stdout=DEVNULL, stderr=DEVNULL)
- l2tp_cmd = l2tp_base.format('if', interface)
- run(l2tp_cmd, stdout=DEVNULL, stderr=DEVNULL)
-
+ elif username:
+ # Reset all vpn connections
+ if username == "all_users":
+ for proto in cmd_dict['vpn_types']:
+ run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'all', ''))
+ else:
+ for proto in cmd_dict['vpn_types']:
+ run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'username', username))
def main():
#parese args
parser = argparse.ArgumentParser()
parser.add_argument('--username', help='Terminate by username (all_users used for disconnect all users)', required=False)
parser.add_argument('--interface', help='Terminate by interface', required=False)
- parser.add_argument('--protocol', help='Set protocol (pptp|l2tp)', required=False)
+ parser.add_argument('--protocol', help='Set protocol (pptp|l2tp|sstp)', required=False)
args = parser.parse_args()
if args.username or args.interface:
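Review bot: A `--protocol` value that is not a key of `cmd_dict['vpn_types']` fails the `if protocol in cmd_dict['vpn_types']:` test and silently falls through to the `elif username:` branch, which terminates the user's sessions on every protocol, so a typo widens the reset instead of rejecting it; restrict the argument at parse time with `parser.add_argument('--protocol', help='Set protocol (pptp|l2tp|sstp)', choices=list(cmd_dict['vpn_types']), required=False)`. Branch order also changed: with `--protocol` and `--interface` but no `--username`, the first branch wins and issues `terminate username ''` rather than terminating by interface, so the `elif interface:` test should come first or the first condition should also require a username. The username and interface values are formatted into the command string handed to `run`; if `run` executes that string through a shell, operator-supplied metacharacters would be interpreted, so a character allowlist on both values before formatting is advisable. main continues past the end of this hunk.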