diff options
21 files changed, 305 insertions, 111 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index 72a3d1153..6c86642c7 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -1,10 +1,23 @@ { "conntrack": {"conntrack_sync": ["conntrack_sync"]}, - "firewall": {"conntrack": ["conntrack"], "group_resync": ["conntrack", "nat", "policy-route"]}, + "firewall": { + "conntrack": ["conntrack"], + "conntrack_sync": ["conntrack_sync"], + "group_resync": ["conntrack", "nat", "policy-route"] + }, "http_api": {"https": ["https"]}, - "load_balancing_wan": {"conntrack": ["conntrack"]}, - "nat": {"conntrack": ["conntrack"]}, - "nat66": {"conntrack": ["conntrack"]}, + "load_balancing_wan": { + "conntrack": ["conntrack"], + "conntrack_sync": ["conntrack_sync"] + }, + "nat": { + "conntrack": ["conntrack"], + "conntrack_sync": ["conntrack_sync"] + }, + "nat66": { + "conntrack": ["conntrack"], + "conntrack_sync": ["conntrack_sync"] + }, "pki": { "ethernet": ["interfaces-ethernet"], "openvpn": ["interfaces-openvpn"], diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2 index 421daf1df..5905b19ea 100644 --- a/data/templates/dns-dynamic/ddclient.conf.j2 +++ b/data/templates/dns-dynamic/ddclient.conf.j2 @@ -28,19 +28,21 @@ syslog=yes ssl=yes pid={{ config_file | replace('.conf', '.pid') }} cache={{ config_file | replace('.conf', '.cache') }} -{# Explicitly override global options for reliability #} -web=googledomains {# ddclient default ('dyndns') doesn't support ssl and results in process lockup #} -use=no {# ddclient default ('ip') results in confusing warning message in log #} +{# ddclient default (web=dyndns) doesn't support ssl and results in process lockup #} +web=googledomains +{# ddclient default (use=ip) results in confusing warning message in log #} +use=no {% if address is vyos_defined %} {% for address, service_cfg in address.items() %} {% if service_cfg.rfc2136 is vyos_defined %} {% for name, config in service_cfg.rfc2136.items() %} {% if config.description is vyos_defined %} -# {{ config.description }} +# {{ config.description }} {% endif %} {% for host in config.host_name if config.host_name is vyos_defined %} + # RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}] {# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.) to the properties since 'nsupdate' doesn't support that yet. #} @@ -54,16 +56,17 @@ use=no {# ddclient default ('ip') results in confusing warning messag {% if service_cfg.service is vyos_defined %} {% for name, config in service_cfg.service.items() %} {% if config.description is vyos_defined %} -# {{ config.description }} +# {{ config.description }} {% endif %} {% for host in config.host_name if config.host_name is vyos_defined %} {% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both' - else [config.ip_version[2:]] %} {# 'ipvX' -> 'vX' #} + else [config.ip_version[2:]] %} + # Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}] {{ render_config(host, address, service_cfg.web_options, ip_suffixes, protocol=config.protocol, server=config.server, zone=config.zone, - login=config.username, password=config.password) }} + login=config.username, password=config.password, ttl=config.ttl) }} {% endfor %} {% endfor %} diff --git a/data/templates/dns-dynamic/override.conf.j2 b/data/templates/dns-dynamic/override.conf.j2 index 6ca1b8a45..4a6851cef 100644 --- a/data/templates/dns-dynamic/override.conf.j2 +++ b/data/templates/dns-dynamic/override.conf.j2 @@ -7,4 +7,4 @@ After=vyos-router.service PIDFile={{ config_file | replace('.conf', '.pid') }} EnvironmentFile= ExecStart= -ExecStart=/usr/bin/ddclient -file {{ config_file }} +ExecStart={{ vrf_command }}/usr/bin/ddclient -file {{ config_file }} diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in index a0720f3aa..ba7f426c1 100644 --- a/interface-definitions/dns-dynamic.xml.in +++ b/interface-definitions/dns-dynamic.xml.in @@ -74,18 +74,7 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> - <leafNode name="zone"> - <properties> - <help>Forwarding zone to be updated</help> - <valueHelp> - <format>txt</format> - <description>RFC2136 Zone to be updated</description> - </valueHelp> - <constraint> - <validator name="fqdn"/> - </constraint> - </properties> - </leafNode> + #include <include/dns/dynamic-service-zone.xml.i> </children> </tagNode> <tagNode name="service"> @@ -101,6 +90,7 @@ #include <include/dns/dynamic-service-host-name-server.xml.i> #include <include/generic-username.xml.i> #include <include/generic-password.xml.i> + #include <include/dns/time-to-live.xml.i> <leafNode name="protocol"> <properties> <help>ddclient protocol used for Dynamic DNS service</help> @@ -112,15 +102,7 @@ </constraint> </properties> </leafNode> - <leafNode name="zone"> - <properties> - <help>DNS zone to update (not used by all protocols)</help> - <valueHelp> - <format>txt</format> - <description>Name of DNS zone</description> - </valueHelp> - </properties> - </leafNode> + #include <include/dns/dynamic-service-zone.xml.i> <leafNode name="ip-version"> <properties> <help>IP address version to use</help> @@ -164,6 +146,7 @@ </properties> <defaultValue>300</defaultValue> </leafNode> + #include <include/interface/vrf.xml.i> </children> </node> </children> diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index 86dc47a47..c4295317a 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -158,6 +158,9 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -195,6 +198,9 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -227,6 +233,9 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -274,6 +283,9 @@ </children> </tagNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -302,6 +314,9 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -334,6 +349,9 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -364,6 +382,9 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -393,6 +414,9 @@ </properties> </leafNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -477,6 +501,9 @@ </children> </tagNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> @@ -585,6 +612,9 @@ </children> </tagNode> #include <include/dns/time-to-live.xml.i> + <leafNode name="ttl"> + <defaultValue>300</defaultValue> + </leafNode> #include <include/generic-disable-node.xml.i> </children> </tagNode> diff --git a/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i b/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i index ee1af2a36..9dd14f97c 100644 --- a/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i +++ b/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i @@ -4,8 +4,9 @@ <help>Hostname to register with Dynamic DNS service</help> <constraint> #include <include/constraint/host-name.xml.i> + <regex>(\@|\*)[-.A-Za-z0-9]*</regex> </constraint> - <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage> + <constraintErrorMessage>Host-name must be alphanumeric, can contain hyphens and can be prefixed with '@' or '*'</constraintErrorMessage> <multi/> </properties> </leafNode> diff --git a/interface-definitions/include/dns/dynamic-service-zone.xml.i b/interface-definitions/include/dns/dynamic-service-zone.xml.i new file mode 100644 index 000000000..0cc00468f --- /dev/null +++ b/interface-definitions/include/dns/dynamic-service-zone.xml.i @@ -0,0 +1,14 @@ +<!-- include start from dns/dynamic-service-zone.xml.i --> +<leafNode name="zone"> + <properties> + <help>DNS zone to be updated</help> + <valueHelp> + <format>txt</format> + <description>Name of DNS zone</description> + </valueHelp> + <constraint> + <validator name="fqdn"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/dns/time-to-live.xml.i b/interface-definitions/include/dns/time-to-live.xml.i index 5c1a1472d..000eea108 100644 --- a/interface-definitions/include/dns/time-to-live.xml.i +++ b/interface-definitions/include/dns/time-to-live.xml.i @@ -10,6 +10,5 @@ <validator name="numeric" argument="--range 0-2147483647"/> </constraint> </properties> - <defaultValue>300</defaultValue> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i index 872abe6cc..a55a1a551 100644 --- a/interface-definitions/include/firewall/common-rule-inet.xml.i +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i @@ -3,6 +3,7 @@ #include <include/generic-description.xml.i> #include <include/firewall/dscp.xml.i> #include <include/firewall/packet-options.xml.i> +#include <include/firewall/firewall-mark.xml.i> #include <include/firewall/connection-mark.xml.i> #include <include/firewall/conntrack-helper.xml.i> #include <include/firewall/nft-queue.xml.i> diff --git a/interface-definitions/include/firewall/firewall-mark.xml.i b/interface-definitions/include/firewall/firewall-mark.xml.i new file mode 100644 index 000000000..36a939ba3 --- /dev/null +++ b/interface-definitions/include/firewall/firewall-mark.xml.i @@ -0,0 +1,26 @@ +<!-- include start from firewall/firewall-mark.xml.i --> +<leafNode name="mark"> + <properties> + <help>Firewall mark</help> + <valueHelp> + <format>u32:0-2147483647</format> + <description>Firewall mark to match</description> + </valueHelp> + <valueHelp> + <format>!u32:0-2147483647</format> + <description>Inverted Firewall mark to match</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>Firewall mark range to match</description> + </valueHelp> + <valueHelp> + <format>!<start-end></format> + <description>Firewall mark inverted range to match</description> + </valueHelp> + <constraint> + <validator name="numeric-exclude" argument="--allow-range --range 0-2147483647"/> + </constraint> + </properties> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i index 6551d23ab..8eab04d4a 100644 --- a/interface-definitions/include/policy/route-common.xml.i +++ b/interface-definitions/include/policy/route-common.xml.i @@ -1,6 +1,7 @@ <!-- include start from policy/route-common.xml.i -->
#include <include/policy/route-rule-action.xml.i>
#include <include/generic-description.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
<leafNode name="disable">
<properties>
<help>Option to disable firewall rule</help>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 9122e264e..c07ed1adf 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -381,6 +381,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): conn_mark_str = ','.join(rule_conf['connection_mark']) output.append(f'ct mark {{{conn_mark_str}}}') + if 'mark' in rule_conf: + mark = rule_conf['mark'] + operator = '' + if mark[0] == '!': + operator = '!=' + mark = mark[1:] + output.append(f'meta mark {operator} {{{mark}}}') + if 'vlan' in rule_conf: if 'id' in rule_conf['vlan']: output.append(f'vlan id {rule_conf["vlan"]["id"]}') diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 67e949f95..7b4ba11d0 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -308,10 +308,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name]) self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'mark', '!98765']) self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue']) self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3']) self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp']) @@ -325,11 +327,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ ['chain VYOS_FORWARD_filter'], ['type filter hook forward priority filter; policy drop;'], - ['ip saddr 198.51.100.1', f'jump NAME_{name}'], + ['ip saddr 198.51.100.1', 'meta mark 0x000003f2', f'jump NAME_{name}'], ['chain VYOS_INPUT_filter'], ['type filter hook input priority filter; policy accept;'], - [f'meta l4proto tcp','queue to 3'], - [f'meta l4proto udp','queue flags bypass,fanout to 0-15'], + ['meta mark != 0x000181cd', 'meta l4proto tcp','queue to 3'], + ['meta l4proto udp','queue flags bypass,fanout to 0-15'], [f'chain NAME_{name}'], ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[ipv4-NAM-{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'], ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'accept'], @@ -466,6 +468,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'default-action', 'accept']) self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'source', 'address', '2001:db8::/64']) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'mark', '!6655-7766']) self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'action', 'jump']) self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'jump-target', name]) @@ -477,7 +480,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'accept'], ['chain VYOS_IPV6_INPUT_filter'], ['type filter hook input priority filter; policy accept;'], - ['ip6 saddr 2001:db8::/64', f'jump NAME6_{name}'], + ['ip6 saddr 2001:db8::/64', 'meta mark != 0x000019ff-0x00001e56', f'jump NAME6_{name}'], [f'chain NAME6_{name}'], ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'accept'], [f'log prefix "[{name}-default-D]"', 'drop'] diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py index c7ddf873e..72192fb98 100755 --- a/smoketest/scripts/cli/test_policy_route.py +++ b/smoketest/scripts/cli/test_policy_route.py @@ -191,15 +191,18 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): def test_pbr_matching_criteria(self): self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'udp']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'action', 'drop']) + self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'mark', '2020']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'protocol', 'tcp']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack']) + self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'mark', '2-3000']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '2', 'set', 'table', table_id]) self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'source', 'address', '198.51.100.0/24']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'protocol', 'tcp']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'destination', 'port', '22']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'state', 'new', 'enable']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'ttl', 'gt', '2']) + self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'mark', '!456']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '3', 'set', 'table', table_id]) self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'protocol', 'icmp']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'icmp', 'type-name', 'echo-request']) @@ -210,6 +213,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): self.cli_set(['policy', 'route', 'smoketest', 'rule', '4', 'set', 'table', table_id]) self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'dscp', '41']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'dscp', '57-59']) + self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'mark', '!456-500']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'set', 'table', table_id]) self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'protocol', 'udp']) @@ -247,11 +251,11 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv4 nftables_search = [ ['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_UD_smoketest'], - ['meta l4proto udp', 'drop'], - ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex], - ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex], + ['meta l4proto udp', 'meta mark 0x000007e4', 'drop'], + ['tcp flags syn / syn,ack', 'meta mark 0x00000002-0x00000bb8', 'meta mark set ' + mark_hex], + ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark != 0x000001c8', 'meta mark set ' + mark_hex], ['log prefix "[ipv4-route-smoketest-4-A]"', 'icmp type echo-request', 'ip length { 128, 1024-2048 }', 'meta pkttype other', 'meta mark set ' + mark_hex], - ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark set ' + mark_hex] + ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark != 0x000001c8-0x000001f4', 'meta mark set ' + mark_hex] ] self.verify_nftables(nftables_search, 'ip vyos_mangle') diff --git a/smoketest/scripts/cli/test_service_dns_dynamic.py b/smoketest/scripts/cli/test_service_dns_dynamic.py index 357c3dfb1..66dcde434 100755 --- a/smoketest/scripts/cli/test_service_dns_dynamic.py +++ b/smoketest/scripts/cli/test_service_dns_dynamic.py @@ -17,6 +17,8 @@ import os import unittest import tempfile +import random +import string from base_vyostest_shim import VyOSUnitTestSHIM @@ -24,16 +26,25 @@ from vyos.configsession import ConfigSessionError from vyos.utils.process import cmd from vyos.utils.process import process_running +DDCLIENT_SYSTEMD_UNIT = '/run/systemd/system/ddclient.service.d/override.conf' DDCLIENT_CONF = '/run/ddclient/ddclient.conf' DDCLIENT_PID = '/run/ddclient/ddclient.pid' +DDCLIENT_PNAME = 'ddclient' base_path = ['service', 'dns', 'dynamic'] +server = 'ddns.vyos.io' hostname = 'test.ddns.vyos.io' zone = 'vyos.io' +username = 'vyos_user' password = 'paSS_@4ord' +ttl = '300' interface = 'eth0' class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): + def setUp(self): + # Always start with a clean CLI instance + self.cli_delete(base_path) + def tearDown(self): # Check for running process self.assertTrue(process_running(DDCLIENT_PID)) @@ -47,30 +58,38 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): # IPv4 standard DDNS service configuration def test_01_dyndns_service_standard(self): - ddns = ['address', interface, 'service'] + svc_path = ['address', interface, 'service'] services = {'cloudflare': {'protocol': 'cloudflare'}, - 'freedns': {'protocol': 'freedns', 'username': 'vyos_user'}, - 'zoneedit': {'protocol': 'zoneedit1', 'username': 'vyos_user'}} + 'freedns': {'protocol': 'freedns', 'username': username}, + 'zoneedit': {'protocol': 'zoneedit1', 'username': username}} for svc, details in services.items(): - # Always start with a clean CLI instance - self.cli_delete(base_path) - - self.cli_set(base_path + ddns + [svc, 'host-name', hostname]) - self.cli_set(base_path + ddns + [svc, 'password', password]) - self.cli_set(base_path + ddns + [svc, 'zone', zone]) + self.cli_set(base_path + svc_path + [svc, 'host-name', hostname]) + self.cli_set(base_path + svc_path + [svc, 'password', password]) + self.cli_set(base_path + svc_path + [svc, 'zone', zone]) + self.cli_set(base_path + svc_path + [svc, 'ttl', ttl]) for opt, value in details.items(): - self.cli_set(base_path + ddns + [svc, opt, value]) + self.cli_set(base_path + svc_path + [svc, opt, value]) - # commit changes + # 'zone' option is supported and required by 'cloudfare', but not 'freedns' and 'zoneedit' + self.cli_set(base_path + svc_path + [svc, 'zone', zone]) + if details['protocol'] == 'cloudflare': + pass + else: + # exception is raised for unsupported ones + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base_path + svc_path + [svc, 'zone']) + + # 'ttl' option is supported by 'cloudfare', but not 'freedns' and 'zoneedit' + self.cli_set(base_path + svc_path + [svc, 'ttl', ttl]) if details['protocol'] == 'cloudflare': pass else: - # zone option does not work on all protocols, an exception is - # raised for all others + # exception is raised for unsupported ones with self.assertRaises(ConfigSessionError): self.cli_commit() - self.cli_delete(base_path + ddns + [svc, 'zone', zone]) + self.cli_delete(base_path + svc_path + [svc, 'ttl']) # commit changes self.cli_commit() @@ -94,20 +113,17 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): # IPv6 only DDNS service configuration def test_02_dyndns_service_ipv6(self): timeout = '60' - ddns = ['address', interface, 'service', 'dynv6'] + svc_path = ['address', interface, 'service', 'dynv6'] proto = 'dyndns2' - user = 'none' - password = 'paSS_4ord' - srv = 'ddns.vyos.io' ip_version = 'ipv6' self.cli_set(base_path + ['timeout', timeout]) - self.cli_set(base_path + ddns + ['ip-version', ip_version]) - self.cli_set(base_path + ddns + ['protocol', proto]) - self.cli_set(base_path + ddns + ['server', srv]) - self.cli_set(base_path + ddns + ['username', user]) - self.cli_set(base_path + ddns + ['password', password]) - self.cli_set(base_path + ddns + ['host-name', hostname]) + self.cli_set(base_path + svc_path + ['ip-version', ip_version]) + self.cli_set(base_path + svc_path + ['protocol', proto]) + self.cli_set(base_path + svc_path + ['server', server]) + self.cli_set(base_path + svc_path + ['username', username]) + self.cli_set(base_path + svc_path + ['password', password]) + self.cli_set(base_path + svc_path + ['host-name', hostname]) # commit changes self.cli_commit() @@ -118,37 +134,45 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): self.assertIn(f'usev6=ifv6', ddclient_conf) self.assertIn(f'ifv6={interface}', ddclient_conf) self.assertIn(f'protocol={proto}', ddclient_conf) - self.assertIn(f'server={srv}', ddclient_conf) - self.assertIn(f'login={user}', ddclient_conf) + self.assertIn(f'server={server}', ddclient_conf) + self.assertIn(f'login={username}', ddclient_conf) self.assertIn(f'password={password}', ddclient_conf) # IPv4+IPv6 dual DDNS service configuration def test_03_dyndns_service_dual_stack(self): - ddns = ['address', interface, 'service'] - services = {'cloudflare': {'protocol': 'cloudflare', 'zone': 'vyos.io'}, - 'freedns': {'protocol': 'freedns', 'username': 'vyos_user'}} - password = 'vyos_pass' + svc_path = ['address', interface, 'service'] + services = {'cloudflare': {'protocol': 'cloudflare', 'zone': zone}, + 'freedns': {'protocol': 'freedns', 'username': username}, + 'google': {'protocol': 'googledomains', 'username': username}} ip_version = 'both' - for svc, details in services.items(): - # Always start with a clean CLI instance - self.cli_delete(base_path) - - self.cli_set(base_path + ddns + [svc, 'host-name', hostname]) - self.cli_set(base_path + ddns + [svc, 'password', password]) - self.cli_set(base_path + ddns + [svc, 'ip-version', ip_version]) + for name, details in services.items(): + self.cli_set(base_path + svc_path + [name, 'host-name', hostname]) + self.cli_set(base_path + svc_path + [name, 'password', password]) for opt, value in details.items(): - self.cli_set(base_path + ddns + [svc, opt, value]) + self.cli_set(base_path + svc_path + [name, opt, value]) + + # Dual stack is supported by 'cloudfare' and 'freedns' but not 'googledomains' + # exception is raised for unsupported ones + self.cli_set(base_path + svc_path + [name, 'ip-version', ip_version]) + if details['protocol'] not in ['cloudflare', 'freedns']: + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base_path + svc_path + [name, 'ip-version']) # commit changes self.cli_commit() # Check the generating config parameters ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}') - self.assertIn(f'usev4=ifv4', ddclient_conf) - self.assertIn(f'usev6=ifv6', ddclient_conf) - self.assertIn(f'ifv4={interface}', ddclient_conf) - self.assertIn(f'ifv6={interface}', ddclient_conf) + if details['protocol'] not in ['cloudflare', 'freedns']: + self.assertIn(f'usev4=ifv4', ddclient_conf) + self.assertIn(f'ifv4={interface}', ddclient_conf) + else: + self.assertIn(f'usev4=ifv4', ddclient_conf) + self.assertIn(f'usev6=ifv6', ddclient_conf) + self.assertIn(f'ifv4={interface}', ddclient_conf) + self.assertIn(f'ifv6={interface}', ddclient_conf) self.assertIn(f'password={password}', ddclient_conf) for opt in details.keys(): @@ -161,19 +185,16 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): def test_04_dyndns_rfc2136(self): # Check if DDNS service can be configured and runs - ddns = ['address', interface, 'rfc2136', 'vyos'] - srv = 'ns1.vyos.io' - zone = 'vyos.io' - ttl = '300' + svc_path = ['address', interface, 'rfc2136', 'vyos'] with tempfile.NamedTemporaryFile(prefix='/config/auth/') as key_file: key_file.write(b'S3cretKey') - self.cli_set(base_path + ddns + ['server', srv]) - self.cli_set(base_path + ddns + ['zone', zone]) - self.cli_set(base_path + ddns + ['key', key_file.name]) - self.cli_set(base_path + ddns + ['ttl', ttl]) - self.cli_set(base_path + ddns + ['host-name', hostname]) + self.cli_set(base_path + svc_path + ['server', server]) + self.cli_set(base_path + svc_path + ['zone', zone]) + self.cli_set(base_path + svc_path + ['key', key_file.name]) + self.cli_set(base_path + svc_path + ['ttl', ttl]) + self.cli_set(base_path + svc_path + ['host-name', hostname]) # commit changes self.cli_commit() @@ -183,10 +204,61 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): self.assertIn(f'use=if', ddclient_conf) self.assertIn(f'if={interface}', ddclient_conf) self.assertIn(f'protocol=nsupdate', ddclient_conf) - self.assertIn(f'server={srv}', ddclient_conf) + self.assertIn(f'server={server}', ddclient_conf) self.assertIn(f'zone={zone}', ddclient_conf) self.assertIn(f'password={key_file.name}', ddclient_conf) self.assertIn(f'ttl={ttl}', ddclient_conf) + def test_05_dyndns_hostname(self): + # Check if DDNS service can be configured and runs + svc_path = ['address', interface, 'service', 'namecheap'] + proto = 'namecheap' + hostnames = ['@', 'www', hostname, f'@.{hostname}'] + + for name in hostnames: + self.cli_set(base_path + svc_path + ['protocol', proto]) + self.cli_set(base_path + svc_path + ['server', server]) + self.cli_set(base_path + svc_path + ['username', username]) + self.cli_set(base_path + svc_path + ['password', password]) + self.cli_set(base_path + svc_path + ['host-name', name]) + + # commit changes + self.cli_commit() + + # Check the generating config parameters + ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}') + self.assertIn(f'protocol={proto}', ddclient_conf) + self.assertIn(f'server={server}', ddclient_conf) + self.assertIn(f'login={username}', ddclient_conf) + self.assertIn(f'password={password}', ddclient_conf) + self.assertIn(f'{name}', ddclient_conf) + + def test_06_dyndns_vrf(self): + vrf_name = f'vyos-test-{"".join(random.choices(string.ascii_letters + string.digits, k=5))}' + svc_path = ['address', interface, 'service', 'cloudflare'] + + self.cli_set(['vrf', 'name', vrf_name, 'table', '12345']) + self.cli_set(base_path + ['vrf', vrf_name]) + + self.cli_set(base_path + svc_path + ['protocol', 'cloudflare']) + self.cli_set(base_path + svc_path + ['host-name', hostname]) + self.cli_set(base_path + svc_path + ['zone', zone]) + self.cli_set(base_path + svc_path + ['password', password]) + + # commit changes + self.cli_commit() + + # Check for process in VRF + systemd_override = cmd(f'cat {DDCLIENT_SYSTEMD_UNIT}') + self.assertIn(f'ExecStart=ip vrf exec {vrf_name} /usr/bin/ddclient -file {DDCLIENT_CONF}', + systemd_override) + + # Check for process in VRF + proc = cmd(f'ip vrf pids {vrf_name}') + self.assertIn(DDCLIENT_PNAME, proc) + + # Cleanup VRF + self.cli_delete(['vrf', 'name', vrf_name]) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/completion/list_ddclient_protocols.sh b/src/completion/list_ddclient_protocols.sh index 75fb0cf44..3b4eff4d6 100755 --- a/src/completion/list_ddclient_protocols.sh +++ b/src/completion/list_ddclient_protocols.sh @@ -14,4 +14,4 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -echo -n $(ddclient -list-protocols) +echo -n $(ddclient -list-protocols | grep -vE 'nsupdate|cloudns') diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index 2c5fa335e..4cece6921 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py @@ -212,7 +212,12 @@ def apply(conntrack): module_str = ' '.join(rm_modules) cmd(f'rmmod {module_str}') - call_dependents() + try: + call_dependents() + except ConfigError: + # Ignore config errors on dependent due to being called too early. Example: + # ConfigError("ConfigError('Interface ethN requires an IP address!')") + pass # We silently ignore all errors # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080 diff --git a/src/conf_mode/dns_dynamic.py b/src/conf_mode/dns_dynamic.py index 4b1aed742..8a438cf6f 100755 --- a/src/conf_mode/dns_dynamic.py +++ b/src/conf_mode/dns_dynamic.py @@ -19,6 +19,7 @@ import os from sys import exit from vyos.config import Config +from vyos.configverify import verify_interface_exists from vyos.template import render from vyos.utils.process import call from vyos import ConfigError @@ -29,25 +30,32 @@ config_file = r'/run/ddclient/ddclient.conf' systemd_override = r'/run/systemd/system/ddclient.service.d/override.conf' # Protocols that require zone -zone_allowed = ['cloudflare', 'godaddy', 'hetzner', 'gandi', 'nfsn'] +zone_necessary = ['cloudflare', 'godaddy', 'hetzner', 'gandi', 'nfsn'] # Protocols that do not require username username_unnecessary = ['1984', 'cloudflare', 'cloudns', 'duckdns', 'freemyip', 'hetzner', 'keysystems', 'njalla'] +# Protocols that support TTL +ttl_supported = ['cloudflare', 'gandi', 'hetzner', 'dnsexit', 'godaddy', 'nfsn'] + # Protocols that support both IPv4 and IPv6 dualstack_supported = ['cloudflare', 'dyndns2', 'freedns', 'njalla'] +# dyndns2 protocol in ddclient honors dual stack for selective servers +# because of the way it is implemented in ddclient +dyndns_dualstack_servers = ['members.dyndns.org', 'dynv6.com'] + def get_config(config=None): if config: conf = config else: conf = Config() - base_level = ['service', 'dns', 'dynamic'] - if not conf.exists(base_level): + base = ['service', 'dns', 'dynamic'] + if not conf.exists(base): return None - dyndns = conf.get_config_dict(base_level, key_mangling=('-', '_'), + dyndns = conf.get_config_dict(base, key_mangling=('-', '_'), no_tag_node_value_mangle=True, get_first_key=True, with_recursive_defaults=True) @@ -61,6 +69,10 @@ def verify(dyndns): return None for address in dyndns['address']: + # If dyndns address is an interface, ensure it exists + if address != 'web': + verify_interface_exists(address) + # RFC2136 - configuration validation if 'rfc2136' in dyndns['address'][address]: for config in dyndns['address'][address]['rfc2136'].values(): @@ -78,22 +90,24 @@ def verify(dyndns): if field not in config: raise ConfigError(f'"{field.replace("_", "-")}" {error_msg}') - if config['protocol'] in zone_allowed and 'zone' not in config: - raise ConfigError(f'"zone" {error_msg}') + if config['protocol'] in zone_necessary and 'zone' not in config: + raise ConfigError(f'"zone" {error_msg}') + + if config['protocol'] not in zone_necessary and 'zone' in config: + raise ConfigError(f'"{config["protocol"]}" does not support "zone"') - if config['protocol'] not in zone_allowed and 'zone' in config: - raise ConfigError(f'"{config["protocol"]}" does not support "zone"') + if config['protocol'] not in username_unnecessary and 'username' not in config: + raise ConfigError(f'"username" {error_msg}') - if config['protocol'] not in username_unnecessary: - if 'username' not in config: - raise ConfigError(f'"username" {error_msg}') + if config['protocol'] not in ttl_supported and 'ttl' in config: + raise ConfigError(f'"{config["protocol"]}" does not support "ttl"') if config['ip_version'] == 'both': if config['protocol'] not in dualstack_supported: raise ConfigError(f'"{config["protocol"]}" does not support ' f'both IPv4 and IPv6 at the same time') # dyndns2 protocol in ddclient honors dual stack only for dyn.com (dyndns.org) - if config['protocol'] == 'dyndns2' and 'server' in config and config['server'] != 'members.dyndns.org': + if config['protocol'] == 'dyndns2' and 'server' in config and config['server'] not in dyndns_dualstack_servers: raise ConfigError(f'"{config["protocol"]}" does not support ' f'both IPv4 and IPv6 at the same time for "{config["server"]}"') diff --git a/src/op_mode/generate_firewall_rule-resequence.py b/src/op_mode/generate_firewall_rule-resequence.py index b5b625a80..eb82a1a0a 100755 --- a/src/op_mode/generate_firewall_rule-resequence.py +++ b/src/op_mode/generate_firewall_rule-resequence.py @@ -116,9 +116,18 @@ if __name__ == "__main__": print('Firewall is not configured') exit(1) - #config_dict = config.get_config_dict('firewall') config_dict = config.get_config_dict('firewall') + # Remove global-options, group and flowtable as they don't need sequencing + if 'global-options' in config_dict['firewall']: + del config_dict['firewall']['global-options'] + + if 'group' in config_dict['firewall']: + del config_dict['firewall']['group'] + + if 'flowtable' in config_dict['firewall']: + del config_dict['firewall']['flowtable'] + # Convert rule keys to integers, rule "10" -> rule 10 # This is necessary for sorting the rules config_dict = convert_rule_keys_to_int(config_dict) diff --git a/src/validators/ddclient-protocol b/src/validators/ddclient-protocol index 6f927927b..bc6826120 100755 --- a/src/validators/ddclient-protocol +++ b/src/validators/ddclient-protocol @@ -14,7 +14,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -ddclient -list-protocols | grep -qw $1 +ddclient -list-protocols | grep -vE 'nsupdate|cloudns' | grep -qw $1 if [ $? -gt 0 ]; then echo "Error: $1 is not a valid protocol, please choose from the supported list of protocols" diff --git a/src/validators/numeric-exclude b/src/validators/numeric-exclude new file mode 100644 index 000000000..676a240b6 --- /dev/null +++ b/src/validators/numeric-exclude @@ -0,0 +1,8 @@ +#!/bin/sh +path=$(dirname "$0") +num="${@: -1}" +if [ "${num:0:1}" != "!" ]; then + ${path}/numeric $@ +else + ${path}/numeric ${@:1:$#-1} ${num:1} +fi |