-rw-r--r--Makefile2
-rw-r--r--debian/vyos-1x.postinst28
-rw-r--r--interface-definitions/dhcp-server.xml.in7
-rwxr-xr-xscripts/override-default101
-rw-r--r--src/etc/sysctl.d/30-vyos-router.conf1
-rw-r--r--src/etc/udev/rules.d/42-qemu-usb.rules14
-rw-r--r--src/etc/udev/rules.d/63-hyperv-vf-net.rules5
-rw-r--r--src/etc/udev/rules.d/64-vyos-vmware-net.rules14
-rw-r--r--src/etc/udev/rules.d/65-vyatta-net.rules26
9 files changed, 196 insertions, 2 deletions
diff --git a/Makefile b/Makefile
index aea8c12e3..a063d1df6 100644
--- a/Makefile
+++ b/Makefile
@@ -33,6 +33,8 @@ op_xml_obj = $(op_xml_src:.xml.in=.xml)
interface_definitions: $(config_xml_obj)
mkdir -p $(TMPL_DIR)
+ $(CURDIR)/scripts/override-default $(BUILD_DIR)/interface-definitions
+
find $(BUILD_DIR)/interface-definitions -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1
# XXX: delete top level node.def's that now live in other packages
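Review bot: The new `$(CURDIR)/scripts/override-default $(BUILD_DIR)/interface-definitions` line rewrites the XML files in place and must precede the build-command-templates line, but nothing in the recipe records that ordering constraint. Suggest a comment above it: `# override-default must run before build-command-templates: it collapses duplicate defaultValue entries the RNG schema rejects`. The script imports lxml, so the package's build dependencies need python3-lxml wherever they are declared — not visible in this diff. The interface_definitions recipe continues past the end of the hunk.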
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 92948de12..5fadddc86 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -20,6 +20,34 @@ if ! grep -q '^minion' /etc/passwd; then
adduser --quiet minion users
fi
+# OpenVPN should get its own user
+if ! grep -q '^openvpn' /etc/passwd; then
+ adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
+fi
+
+# Add RADIUS operator user for RADIUS authenticated users to map to
+if ! grep -q '^radius_user' /etc/passwd; then
+ adduser --quiet --firstuid 1001 --disabled-login --ingroup users --gecos "radius user" --shell /bin/vbash radius_user
+ adduser --quiet radius_user frrvty
+ adduser --quiet radius_user vyattaop
+ adduser --quiet radius_user operator
+ adduser --quiet radius_user adm
+ adduser --quiet radius_user dip
+ adduser --quiet radius_user users
+fi
+
+# Add RADIUS admin user for RADIUS authenticated users to map to
+if ! grep -q '^radius_priv_user' /etc/passwd; then
+ adduser --quiet --firstuid 1001 --disabled-login --ingroup vyattacfg --gecos "radius privileged user" --shell /bin/vbash radius_priv_user
+ adduser --quiet radius_priv_user frrvty
+ adduser --quiet radius_priv_user vyattacfg
+ adduser --quiet radius_priv_user sudo
+ adduser --quiet radius_priv_user adm
+ adduser --quiet radius_priv_user dip
+ adduser --quiet radius_priv_user disk
+ adduser --quiet radius_priv_user users
+fi
+
# add hostsd group for vyos-hostsd
if ! grep -q '^hostsd' /etc/group; then
addgroup --quiet --system hostsd
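Review bot: The existence checks on the three new blocks are prefix matches — `grep -q '^openvpn' /etc/passwd` is also true for any account whose name merely starts with `openvpn`, and `^radius_user` likewise matches a `radius_user2` — so a colliding name silently skips the adduser and all the group assignments that follow. Anchor on the field separator, `grep -q '^openvpn:' /etc/passwd`, `grep -q '^radius_user:' /etc/passwd`, `grep -q '^radius_priv_user:' /etc/passwd`, or use `getent passwd openvpn`, which also honours non-local NSS sources. The pattern follows the existing `^minion` check above, so the same anchoring applies there. radius_priv_user is placed in `sudo` with a login shell while being `--disabled-login`; that appears to be the intended privilege mapping for RADIUS-authenticated admins, and a one-line comment saying the account is reachable only through the RADIUS PAM mapping would make the intent explicit.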
diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in
index 912e4eaf7..aba2bea8a 100644
--- a/interface-definitions/dhcp-server.xml.in
+++ b/interface-definitions/dhcp-server.xml.in
@@ -335,11 +335,14 @@
</leafNode>
<leafNode name="mac-address">
<properties>
- <help>MAC address of static mapping [REQUIRED]</help>
+ <help>Media Access Control (MAC) address</help>
<valueHelp>
<format>h:h:h:h:h:h</format>
- <description>MAC address used in static mapping [REQUIRED]</description>
+ <description>Hardware (MAC) address</description>
</valueHelp>
+ <constraint>
+ <validator name="mac-address"/>
+ </constraint>
</properties>
</leafNode>
<leafNode name="static-mapping-parameters">
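Review bot: The help and description strings drop the `[REQUIRED]` marker while the hunk adds only a format validator; if the MAC is still mandatory for a static mapping, that requirement is now stated nowhere in the interface definition. If the configuration script's verify step enforces presence, the new wording is fine; otherwise keep the marker, e.g. `<help>Media Access Control (MAC) address [REQUIRED]</help>`. The `mac-address` validator constrains format, not presence.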
diff --git a/scripts/override-default b/scripts/override-default
new file mode 100755
index 000000000..d91b89426
--- /dev/null
+++ b/scripts/override-default
@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+#
+# override-default: preprocessor for XML interface definitions to interpret
+# redundant entries (relative to path) with tag 'defaultValue' as an override
+# directive. Must be called before build-command-templates, as the schema
+# disallows redundancy.
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+# Use lxml xpath capability to find multiple elements with tag defaultValue
+# relative to path; replace and remove to override the value.
+
+import sys
+import glob
+import logging
+from lxml import etree
+
+debug = False
+
+logger = logging.getLogger(__name__)
+logs_handler = logging.StreamHandler()
+logger.addHandler(logs_handler)
+
+if debug:
+ logger.setLevel(logging.DEBUG)
+else:
+ logger.setLevel(logging.INFO)
+
+def override_element(l: list):
+ """
+ Allow multiple override elements; use the final one (in document order).
+ """
+ if len(l) < 2:
+ logger.debug("passing list of single element to override_element")
+ return
+
+ # assemble list of leafNodes of overriding defaultValues, for later removal
+ parents = []
+ for el in l[1:]:
+ parents.append(el.getparent())
+
+ # replace element with final override
+ l[0].getparent().replace(l[0], l[-1])
+
+ # remove all but overridden element
+ for el in parents:
+ el.getparent().remove(el)
+
+def collect_and_override(dir_name):
+ """
+ Collect elements with defaultValue tag into dictionary indexed by tuple
+ of (name, str(ancestor path)); the second component must be immutable for
+ tuple to act as key, hence str().
+ """
+ for fname in glob.glob(f'{dir_name}/*.xml'):
+ tree = etree.parse(fname)
+ root = tree.getroot()
+ defv = {}
+
+ xpath_str = f'//defaultValue'
+ xp = tree.xpath(xpath_str)
+
+ for element in xp:
+ ap = element.xpath('ancestor::*[@name]')
+ defv.setdefault((ap[-1].get("name"), str(ap[:-1])), []).append(element)
+
+ for k, v in defv.items():
+ if len(v) > 1:
+ logger.debug(f'overridding default in {k[0]}')
+ override_element(v)
+
+ revised_str = etree.tostring(root, encoding='unicode', pretty_print=True)
+
+ with open(f'{fname}', 'w') as f:
+ f.write(revised_str)
+
+def main():
+ if len(sys.argv) < 2:
+ logger.critical('Must specify XML directory!')
+ sys.exit(1)
+
+ dir_name = sys.argv[1]
+
+ collect_and_override(dir_name)
+
+if __name__ == '__main__':
+ main()
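Review bot: collect_and_override rewrites each XML file in place with a plain `open(fname, 'w')`, so an exception or interrupt during the write leaves a truncated file with a fresh mtime that the following build-command-templates step will then try to parse. Write to a sibling temp file and rename: `tmp = f'{fname}.tmp'`, `with open(tmp, 'w') as f: f.write(revised_str)`, `os.replace(tmp, fname)` (with `import os`). main also accepts a non-existent directory silently — glob yields nothing and the script exits 0 — so a guard such as `if not os.path.isdir(dir_name): logger.critical(f'{dir_name} is not a directory'); sys.exit(1)` would make a wrong Makefile path fail loudly. The `f'//defaultValue'` and `f'{fname}'` f-strings carry no placeholders and read as plain strings. The comment in override_element calls the collected parents leafNodes; if defaultValue actually sits under a properties element, the final removal leaves an empty leafNode shell behind — worth confirming against the XML layout.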
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index 1946dc31a..8265e12dc 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -67,6 +67,7 @@ net.ipv6.conf.default.accept_source_route=0
# Enable send_redirects by default
net.ipv4.conf.all.send_redirects=1
+net.ipv4.conf.default.send_redirects=1
# Increase size of buffer for netlink
net.core.rmem_max=2097152
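Review bot: The comment above the new `net.ipv4.conf.default.send_redirects=1` still reads only `Enable send_redirects by default`, which does not say why `default` is set alongside `all`. For this key the kernel sends redirects on an interface when either conf/all or the per-interface flag is set, so the new entry only changes behaviour once `all` is later cleared, for example by a per-interface hardening setting. Suggest extending the comment: `# Per-interface flag ORs with 'all'; set default too so new interfaces keep it if 'all' is cleared`. Noting that sending redirects is expected on a router but is a common hardening target would also tell readers the choice was deliberate.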
diff --git a/src/etc/udev/rules.d/42-qemu-usb.rules b/src/etc/udev/rules.d/42-qemu-usb.rules
new file mode 100644
index 000000000..a79543df7
--- /dev/null
+++ b/src/etc/udev/rules.d/42-qemu-usb.rules
@@ -0,0 +1,14 @@
+#
+# Enable autosuspend for qemu emulated usb hid devices.
+#
+# Note that there are buggy qemu versions which advertise remote
+# wakeup support but don't actually implement it correctly. This
+# is the reason why we need a match for the serial number here.
+# The serial number "42" is used to tag the implementations where
+# remote wakeup is working.
+#
+# Gerd Hoffmann <kraxel@xxxxxxxxxx>
+
+ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Mouse", ATTR{serial}=="42", TEST=="power/control", ATTR{power/control}="auto"
+ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Tablet", ATTR{serial}=="42", TEST=="power/control", ATTR{power/control}="auto"
+ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Keyboard", ATTR{serial}=="42", TEST=="power/control", ATTR{power/control}="auto"
diff --git a/src/etc/udev/rules.d/63-hyperv-vf-net.rules b/src/etc/udev/rules.d/63-hyperv-vf-net.rules
new file mode 100644
index 000000000..b4dcb5a39
--- /dev/null
+++ b/src/etc/udev/rules.d/63-hyperv-vf-net.rules
@@ -0,0 +1,5 @@
+ATTR{[dmi/id]sys_vendor}!="Microsoft Corporation", GOTO="end_hyperv_nic"
+
+ACTION=="add", SUBSYSTEM=="net", DRIVERS=="hv_pci", NAME="vf_%k"
+
+LABEL="end_hyperv_nic"
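Review bot: The `NAME="vf_%k"` rule has no comment explaining its purpose or its interaction with 65-vyatta-net.rules, which skips any interface that already carries a NAME. Presumably it renames SR-IOV virtual functions exposed through hv_pci so the persistent-naming logic leaves them alone; a header like `# Rename Hyper-V accelerated-networking VFs (hv_pci) to vf_<kernel name> so 65-vyatta-net.rules does not claim them` would record that. The file gates on DMI vendor only, so hv_pci devices under a non-Microsoft or nested hypervisor are not renamed — fine if intended, but worth stating.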
diff --git a/src/etc/udev/rules.d/64-vyos-vmware-net.rules b/src/etc/udev/rules.d/64-vyos-vmware-net.rules
new file mode 100644
index 000000000..66a4a069b
--- /dev/null
+++ b/src/etc/udev/rules.d/64-vyos-vmware-net.rules
@@ -0,0 +1,14 @@
+ATTR{[dmi/id]sys_vendor}!="VMware, Inc.", GOTO="end_vmware_nic"
+
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet0", ENV{VYOS_IFNAME}="eth0"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet1", ENV{VYOS_IFNAME}="eth1"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet2", ENV{VYOS_IFNAME}="eth2"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet3", ENV{VYOS_IFNAME}="eth3"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet4", ENV{VYOS_IFNAME}="eth4"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet5", ENV{VYOS_IFNAME}="eth5"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet6", ENV{VYOS_IFNAME}="eth6"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet7", ENV{VYOS_IFNAME}="eth7"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet8", ENV{VYOS_IFNAME}="eth8"
+ACTION=="add", SUBSYSTEM=="net", ATTRS{label}=="Ethernet9", ENV{VYOS_IFNAME}="eth9"
+
+LABEL="end_vmware_nic"
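Review bot: The label-to-name table stops at Ethernet9, so a VM with more than ten vNICs gets no VYOS_IFNAME for the remaining adapters and they fall through to the generic vyatta_net_name call in 65-vyatta-net.rules with whatever name that yields. A header comment stating the limit, `# Map VMware vNIC labels EthernetN (N = 0..9) to ethN; adapters beyond 9 fall back to 65-vyatta-net.rules`, would make the behaviour visible to whoever hits it. Extending the table is mechanical, but udev has no string slicing, so it does not appear collapsible into one rule without a PROGRAM call.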
diff --git a/src/etc/udev/rules.d/65-vyatta-net.rules b/src/etc/udev/rules.d/65-vyatta-net.rules
new file mode 100644
index 000000000..2b48c1213
--- /dev/null
+++ b/src/etc/udev/rules.d/65-vyatta-net.rules
@@ -0,0 +1,26 @@
+# These rules use vyatta_net_name to persistently name network interfaces
+# per "hwid" association in the Vyatta configuration file.
+
+ACTION!="add", GOTO="vyatta_net_end"
+SUBSYSTEM!="net", GOTO="vyatta_net_end"
+
+# ignore the interface if a name has already been set
+NAME=="?*", GOTO="vyatta_net_end"
+
+# Do name change for ethernet and wireless devices only
+KERNEL!="eth*|wlan*", GOTO="vyatta_net_end"
+
+# ignore "secondary" monitor interfaces of mac80211 drivers
+KERNEL=="wlan*", ATTRS{type}=="803", GOTO="vyatta_net_end"
+
+# If using VyOS predefined names
+ENV{VYOS_IFNAME}!="eth*", GOTO="end_vyos_predef_names"
+
+DRIVERS=="?*", PROGRAM="vyatta_net_name %k $attr{address} $env{VYOS_IFNAME}", NAME="%c", GOTO="vyatta_net_end"
+
+LABEL="end_vyos_predef_names"
+
+# ignore interfaces without a driver link like bridges and VLANs
+DRIVERS=="?*", PROGRAM="vyatta_net_name %k $attr{address}", NAME="%c"
+
+LABEL="vyatta_net_end"
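Review bot: The VYOS_IFNAME branch relies on PROGRAM failure semantics that are not documented: if `vyatta_net_name %k $attr{address} $env{VYOS_IFNAME}` exits non-zero, the whole rule including its GOTO does not match and the interface falls through to the second, un-hinted vyatta_net_name call — a sensible fallback, but worth a comment such as `# If naming with the VMware hint fails, fall through to the generic rule below`. PROGRAM is given a bare name, which udev resolves relative to its helper directory rather than PATH, so the file presumes vyatta_net_name is installed there; a comment naming the expected location would help packaging. Both rules hand the program's stdout straight to NAME, so vyatta_net_name is responsible for emitting a valid interface name.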