diff options
21 files changed, 1964 insertions, 85 deletions
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2 index beb14ff00..5e55099ca 100644 --- a/data/templates/firewall/nftables-zone.j2 +++ b/data/templates/firewall/nftables-zone.j2 @@ -1,5 +1,5 @@ -{% macro zone_chains(zone, family) %} +{% macro zone_chains(zone, family, state_policy=False) %} {% if family == 'ipv6' %} {% set fw_name = 'ipv6_name' %} {% set suffix = '6' %} @@ -10,6 +10,9 @@ chain VYOS_ZONE_FORWARD { type filter hook forward priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} {% for zone_name, zone_conf in zone.items() %} {% if 'local_zone' not in zone_conf %} oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }} @@ -18,6 +21,9 @@ } chain VYOS_ZONE_LOCAL { type filter hook input priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} {% for zone_name, zone_conf in zone.items() %} {% if 'local_zone' in zone_conf %} counter jump VZONE_{{ zone_name }}_IN @@ -26,6 +32,9 @@ } chain VYOS_ZONE_OUTPUT { type filter hook output priority 1; policy accept; +{% if state_policy %} + jump VYOS_STATE_POLICY{{ suffix }} +{% endif %} {% for zone_name, zone_conf in zone.items() %} {% if 'local_zone' in zone_conf %} counter jump VZONE_{{ zone_name }}_OUT diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 63195d25f..e0ad0e00a 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -46,6 +46,9 @@ table ip vyos_filter { {% for prior, conf in ipv4.forward.items() %} chain VYOS_FORWARD_{{ prior }} { type filter hook forward priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('FWD', prior, rule_id) }} @@ -63,6 +66,9 @@ table ip vyos_filter { {% for prior, conf in ipv4.input.items() %} chain VYOS_INPUT_{{ prior }} { type filter hook input priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('INP',prior, rule_id) }} @@ -80,6 +86,9 @@ table ip vyos_filter { {% for prior, conf in ipv4.output.items() %} chain VYOS_OUTPUT_{{ prior }} { type filter hook output priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY +{% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('OUT', prior, rule_id) }} @@ -154,7 +163,21 @@ table ip vyos_filter { {{ group_tmpl.groups(group, False, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, 'ipv4') }} +{{ zone_tmpl.zone_chains(zone, 'ipv4', global_options.state_policy is vyos_defined) }} +{% endif %} +{% if global_options.state_policy is vyos_defined %} + chain VYOS_STATE_POLICY { +{% if global_options.state_policy.established is vyos_defined %} + {{ global_options.state_policy.established | nft_state_policy('established') }} +{% endif %} +{% if global_options.state_policy.invalid is vyos_defined %} + {{ global_options.state_policy.invalid | nft_state_policy('invalid') }} +{% endif %} +{% if global_options.state_policy.related is vyos_defined %} + {{ global_options.state_policy.related | nft_state_policy('related') }} +{% endif %} + return + } {% endif %} } @@ -174,6 +197,9 @@ table ip6 vyos_filter { {% for prior, conf in ipv6.forward.items() %} chain VYOS_IPV6_FORWARD_{{ prior }} { type filter hook forward priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }} @@ -191,6 +217,9 @@ table ip6 vyos_filter { {% for prior, conf in ipv6.input.items() %} chain VYOS_IPV6_INPUT_{{ prior }} { type filter hook input priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }} @@ -208,6 +237,9 @@ table ip6 vyos_filter { {% for prior, conf in ipv6.output.items() %} chain VYOS_IPV6_OUTPUT_{{ prior }} { type filter hook output priority {{ prior }}; policy accept; +{% if global_options.state_policy is vyos_defined %} + jump VYOS_STATE_POLICY6 +{% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }} @@ -266,7 +298,21 @@ table ip6 vyos_filter { {% endif %} {{ group_tmpl.groups(group, True, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, 'ipv6') }} +{{ zone_tmpl.zone_chains(zone, 'ipv6', global_options.state_policy is vyos_defined) }} +{% endif %} +{% if global_options.state_policy is vyos_defined %} + chain VYOS_STATE_POLICY6 { +{% if global_options.state_policy.established is vyos_defined %} + {{ global_options.state_policy.established | nft_state_policy('established') }} +{% endif %} +{% if global_options.state_policy.invalid is vyos_defined %} + {{ global_options.state_policy.invalid | nft_state_policy('invalid') }} +{% endif %} +{% if global_options.state_policy.related is vyos_defined %} + {{ global_options.state_policy.related | nft_state_policy('related') }} +{% endif %} + return + } {% endif %} } diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2 index 02a9656da..9623bdec6 100644 --- a/data/templates/telegraf/telegraf.j2 +++ b/data/templates/telegraf/telegraf.j2 @@ -89,6 +89,8 @@ ignore_fs = ["devtmpfs", "devfs"] [[inputs.diskio]] [[inputs.mem]] +[[inputs.net]] + ignore_protocol_stats = true [[inputs.nstat]] [[inputs.system]] [[inputs.netstat]] diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 64c60a780..cd88cf60c 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -21,14 +21,6 @@ if ! grep -q '^openvpn' /etc/passwd; then adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn fi -# Enable 2FA/MFA support for SSH and local logins -for file in /etc/pam.d/sshd /etc/pam.d/login -do - PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n" - grep -qF -- "pam_google_authenticator.so" $file || \ - sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file -done - # We need to have a group for RADIUS service users to use it inside PAM rules if ! grep -q '^radius' /etc/group; then addgroup --firstgid 1000 --quiet radius diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 0bb14a1b3..70afdc995 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -393,7 +393,7 @@ <properties> <help>Zone from which to filter traffic</help> <completionHelp> - <path>zone-policy zone</path> + <path>firewall zone</path> </completionHelp> </properties> <children> diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index e655cd6ac..415d85f05 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -167,6 +167,43 @@ </properties> <defaultValue>disable</defaultValue> </leafNode> + <node name="state-policy"> + <properties> + <help>Global firewall state-policy</help> + </properties> + <children> + <node name="established"> + <properties> + <help>Global firewall policy for packets part of an established connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + #include <include/firewall/rule-log-level.xml.i> + </children> + </node> + <node name="invalid"> + <properties> + <help>Global firewall policy for packets part of an invalid connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + #include <include/firewall/rule-log-level.xml.i> + </children> + </node> + <node name="related"> + <properties> + <help>Global firewall policy for packets part of a related connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + #include <include/firewall/rule-log-level.xml.i> + </children> + </node> + </children> + </node> <leafNode name="syn-cookies"> <properties> <help>Policy for using TCP SYN cookies with IPv4</help> diff --git a/op-mode-definitions/dhcp.xml.in b/op-mode-definitions/dhcp.xml.in index 6855fe447..9c2e2be76 100644 --- a/op-mode-definitions/dhcp.xml.in +++ b/op-mode-definitions/dhcp.xml.in @@ -42,6 +42,15 @@ </properties> <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet</command> <children> + <tagNode name="origin"> + <properties> + <help>Show DHCP server leases granted by local or remote DHCP server</help> + <completionHelp> + <list>local remote</list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet --origin $6</command> + </tagNode> <tagNode name="pool"> <properties> <help>Show DHCP server leases for a specific pool</help> diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in index 237a13610..868bbcd46 100755 --- a/op-mode-definitions/generate-system-login-user.xml.in +++ b/op-mode-definitions/generate-system-login-user.xml.in @@ -16,7 +16,7 @@ <properties>
<help>Username used for authentication</help>
<completionHelp>
- <list><username></list>
+ <path>system login user</path>
</completionHelp>
</properties>
<children>
diff --git a/python/vyos/system/disk.py b/python/vyos/system/disk.py index 49e6b5c5e..f8e0fd1bf 100644 --- a/python/vyos/system/disk.py +++ b/python/vyos/system/disk.py @@ -150,7 +150,7 @@ def filesystem_create(partition: str, fstype: str) -> None: def partition_mount(partition: str, path: str, fsype: str = '', - overlay_params: dict[str, str] = {}) -> None: + overlay_params: dict[str, str] = {}) -> bool: """Mount a partition into a path Args: @@ -159,6 +159,9 @@ def partition_mount(partition: str, fsype (str): optionally, set fstype ('squashfs', 'overlay', 'iso9660') overlay_params (dict): optionally, set overlay parameters. Defaults to None. + + Returns: + bool: True on success """ if fsype in ['squashfs', 'iso9660']: command: str = f'mount -o loop,ro -t {fsype} {partition} {path}' @@ -171,7 +174,11 @@ def partition_mount(partition: str, else: command = f'mount {partition} {path}' - run(command) + rc = run(command) + if rc == 0: + return True + + return False def partition_umount(partition: str = '', path: str = '') -> None: diff --git a/python/vyos/template.py b/python/vyos/template.py index 0e2663258..2d4beeec2 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -602,7 +602,7 @@ def nft_default_rule(fw_conf, fw_name, family): def nft_state_policy(conf, state): out = [f'ct state {state}'] - if 'log' in conf and 'enable' in conf['log']: + if 'log' in conf: log_state = state[:3].upper() log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper() out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"') diff --git a/smoketest/configs/dialup-router-wireguard-ipv6 b/smoketest/configs/dialup-router-wireguard-ipv6 new file mode 100644 index 000000000..33afb9b04 --- /dev/null +++ b/smoketest/configs/dialup-router-wireguard-ipv6 @@ -0,0 +1,1629 @@ +firewall { + all-ping enable + broadcast-ping disable + config-trap disable + group { + address-group DMZ-WEBSERVER { + address 172.16.36.10 + address 172.16.36.40 + address 172.16.36.20 + } + address-group DMZ-RDP-SERVER { + address 172.16.33.40 + } + address-group DOMAIN-CONTROLLER { + address 172.16.100.10 + address 172.16.100.20 + address 172.16.110.30 + } + address-group VIDEO { + address 172.16.33.211 + address 172.16.33.212 + address 172.16.33.213 + address 172.16.33.214 + } + ipv6-network-group LOCAL-ADDRESSES { + network ff02::/64 + network fe80::/10 + } + network-group SSH-IN-ALLOW { + network 100.65.150.0/23 + network 100.64.69.205/32 + network 100.64.8.67/32 + network 100.64.55.1/32 + } + } + ipv6-name ALLOW-ALL-6 { + default-action accept + } + ipv6-name ALLOW-BASIC-6 { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + state { + invalid enable + } + } + rule 10 { + action accept + protocol icmpv6 + } + } + ipv6-name ALLOW-ESTABLISHED-6 { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + state { + invalid enable + } + } + rule 10 { + action accept + destination { + group { + network-group LOCAL-ADDRESSES + } + } + protocol icmpv6 + source { + address fe80::/10 + } + } + rule 20 { + action accept + icmpv6 { + type echo-request + } + protocol icmpv6 + } + rule 21 { + action accept + icmpv6 { + type destination-unreachable + } + protocol icmpv6 + } + rule 22 { + action accept + icmpv6 { + type packet-too-big + } + protocol icmpv6 + } + rule 23 { + action accept + icmpv6 { + type time-exceeded + } + protocol icmpv6 + } + rule 24 { + action accept + icmpv6 { + type parameter-problem + } + protocol icmpv6 + } + } + ipv6-name WAN-LOCAL-6 { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + state { + invalid enable + } + } + rule 10 { + action accept + destination { + address ff02::/64 + } + protocol icmpv6 + source { + address fe80::/10 + } + } + rule 50 { + action accept + destination { + address fe80::/10 + port 546 + } + protocol udp + source { + address fe80::/10 + port 547 + } + } + } + ipv6-receive-redirects disable + ipv6-src-route disable + ip-src-route disable + log-martians enable + name DMZ-GUEST { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + } + name DMZ-LAN { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 100 { + action accept + destination { + group { + address-group DOMAIN-CONTROLLER + } + port 123,389,636 + } + protocol tcp_udp + } + rule 300 { + action accept + destination { + group { + address-group DMZ-RDP-SERVER + } + port 3389 + } + protocol tcp_udp + source { + address 172.16.36.20 + } + } + } + name DMZ-LOCAL { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 50 { + action accept + destination { + address 172.16.254.30 + port 53 + } + protocol tcp_udp + } + rule 123 { + action accept + destination { + port 123 + } + protocol udp + } + } + name DMZ-WAN { + default-action accept + } + name GUEST-DMZ { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + } + name GUEST-LAN { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + } + name GUEST-LOCAL { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 10 { + action accept + destination { + address 172.31.0.254 + port 53 + } + protocol tcp_udp + } + rule 11 { + action accept + destination { + port 67 + } + protocol udp + } + rule 15 { + action accept + destination { + address 172.31.0.254 + } + protocol icmp + } + rule 100 { + action accept + destination { + address 172.31.0.254 + port 80,443 + } + protocol tcp + } + } + name GUEST-WAN { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 25 { + action accept + destination { + port 25,587 + } + protocol tcp + } + rule 53 { + action accept + destination { + port 53 + } + protocol tcp_udp + } + rule 60 { + action accept + source { + address 172.31.0.200 + } + } + rule 80 { + action accept + source { + address 172.31.0.200 + } + } + rule 100 { + action accept + protocol icmp + } + rule 110 { + action accept + destination { + port 110,995 + } + protocol tcp + } + rule 123 { + action accept + destination { + port 123 + } + protocol udp + } + rule 143 { + action accept + destination { + port 143,993 + } + protocol tcp + } + rule 200 { + action accept + destination { + port 80,443 + } + protocol tcp + } + rule 500 { + action accept + destination { + port 500,4500 + } + protocol udp + } + rule 600 { + action accept + destination { + port 5222-5224 + } + protocol tcp + } + rule 601 { + action accept + destination { + port 3478-3497,4500,16384-16387,16393-16402 + } + protocol udp + } + rule 1000 { + action accept + source { + address 172.31.0.184 + } + } + } + name LAN-DMZ { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 22 { + action accept + destination { + port 22 + } + protocol tcp + } + rule 100 { + action accept + destination { + group { + address-group DMZ-WEBSERVER + } + port 22 + } + protocol tcp + } + } + name LAN-GUEST { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + } + name LAN-LOCAL { + default-action accept + } + name LAN-WAN { + default-action accept + rule 90 { + action accept + destination { + address 100.65.150.0/23 + port 25 + } + protocol tcp_udp + source { + group { + address-group VIDEO + } + } + } + rule 100 { + action drop + source { + group { + address-group VIDEO + } + } + } + } + name LOCAL-DMZ { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 100 { + action accept + destination { + address 172.16.36.40 + port 80,443 + } + protocol tcp + } + } + name LOCAL-GUEST { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 5 { + action accept + protocol icmp + } + rule 300 { + action accept + destination { + port 1900 + } + protocol udp + } + } + name LOCAL-LAN { + default-action accept + } + name LOCAL-WAN { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 10 { + action accept + protocol icmp + } + rule 50 { + action accept + destination { + port 53 + } + protocol tcp_udp + } + rule 80 { + action accept + destination { + port 80,443 + } + protocol tcp + } + rule 123 { + action accept + destination { + port 123 + } + protocol udp + } + rule 800 { + action accept + destination { + address 100.65.151.213 + } + protocol udp + } + rule 805 { + action accept + destination { + address 100.65.151.2 + } + protocol all + } + rule 1010 { + action accept + destination { + address 100.64.69.205 + port 7705 + } + protocol udp + source { + port 7705 + } + } + rule 1990 { + action accept + destination { + address 100.64.55.1 + port 10666 + } + protocol udp + } + rule 2000 { + action accept + destination { + address 100.64.39.249 + } + } + rule 10200 { + action accept + destination { + address 100.64.89.98 + port 10200 + } + protocol udp + source { + port 10200 + } + } + } + name WAN-DMZ { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 100 { + action accept + destination { + address 172.16.36.10 + port 80,443 + } + protocol tcp + } + } + name WAN-GUEST { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 1000 { + action accept + destination { + address 172.31.0.184 + } + } + rule 8000 { + action accept + destination { + address 172.31.0.200 + port 10000 + } + protocol udp + } + } + name WAN-LAN { + default-action drop + enable-default-log + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 1000 { + action accept + destination { + address 172.16.33.40 + port 3389 + } + protocol tcp + source { + group { + network-group SSH-IN-ALLOW + } + } + } + } + name WAN-LOCAL { + default-action drop + rule 1 { + action accept + state { + established enable + related enable + } + } + rule 2 { + action drop + log enable + state { + invalid enable + } + } + rule 22 { + action accept + destination { + port 22 + } + protocol tcp + source { + group { + network-group SSH-IN-ALLOW + } + } + } + rule 1990 { + action accept + destination { + port 10666 + } + protocol udp + source { + address 100.64.55.1 + } + } + rule 10000 { + action accept + destination { + port 80,443 + } + protocol tcp + } + rule 10100 { + action accept + destination { + port 10100 + } + protocol udp + source { + port 10100 + } + } + rule 10200 { + action accept + destination { + port 10200 + } + protocol udp + source { + address 100.64.89.98 + port 10200 + } + } + } + options { + interface pppoe0 { + adjust-mss 1452 + adjust-mss6 1432 + } + } + receive-redirects disable + send-redirects enable + source-validation disable + syn-cookies enable + twa-hazards-protection disable +} +interfaces { + dummy dum0 { + address 172.16.254.30/32 + } + ethernet eth0 { + duplex auto + offload { + gro + gso + sg + tso + } + ring-buffer { + rx 256 + tx 256 + } + speed auto + vif 5 { + address 172.16.37.254/24 + ip { + ospf { + authentication { + md5 { + key-id 10 { + md5-key ospf + } + } + } + dead-interval 40 + hello-interval 10 + priority 1 + retransmit-interval 5 + transmit-delay 1 + } + } + } + vif 10 { + address 172.16.33.254/24 + address 172.16.40.254/24 + } + vif 50 { + address 172.16.36.254/24 + } + } + ethernet eth1 { + duplex auto + offload { + gro + gso + sg + tso + } + speed auto + vif 20 { + address 172.31.0.254/24 + } + } + ethernet eth2 { + disable + duplex auto + offload { + gro + gso + sg + tso + } + speed auto + } + ethernet eth3 { + duplex auto + offload { + gro + gso + sg + tso + } + ring-buffer { + rx 256 + tx 256 + } + speed auto + vif 7 { + } + } + loopback lo { + address 172.16.254.30/32 + } + pppoe pppoe0 { + authentication { + password vyos + user vyos + } + default-route force + dhcpv6-options { + pd 0 { + interface eth0.10 { + address 1 + sla-id 10 + } + interface eth1.20 { + address 1 + sla-id 20 + } + length 56 + } + } + ipv6 { + address { + autoconf + } + } + no-peer-dns + source-interface eth3.7 + } + wireguard wg100 { + address 172.16.252.128/31 + mtu 1500 + peer HR6 { + address 100.65.151.213 + allowed-ips 0.0.0.0/0 + port 10100 + pubkey yLpi+UZuI019bmWH2h5fX3gStbpPPPLgEoYMyrdkOnQ= + } + port 10100 + } + wireguard wg200 { + address 172.16.252.130/31 + mtu 1500 + peer WH56 { + address 80.151.69.205 + allowed-ips 0.0.0.0/0 + port 10200 + pubkey XQbkj6vnKKBJfJQyThXysU0iGxCvEOEb31kpaZgkrD8= + } + port 10200 + } + wireguard wg666 { + address 172.29.0.1/31 + mtu 1500 + peer WH34 { + address 100.65.55.1 + allowed-ips 0.0.0.0/0 + port 10666 + pubkey yaTN4+xAafKM04D+Baeg5GWfbdaw35TE9HQivwRgAk0= + } + port 10666 + } +} +nat { + destination { + rule 8000 { + destination { + port 10000 + } + inbound-interface pppoe0 + protocol udp + translation { + address 172.31.0.200 + } + } + } + source { + rule 50 { + outbound-interface pppoe0 + source { + address 100.64.0.0/24 + } + translation { + address masquerade + } + } + rule 100 { + outbound-interface pppoe0 + source { + address 172.16.32.0/21 + } + translation { + address masquerade + } + } + rule 200 { + outbound-interface pppoe0 + source { + address 172.16.100.0/24 + } + translation { + address masquerade + } + } + rule 300 { + outbound-interface pppoe0 + source { + address 172.31.0.0/24 + } + translation { + address masquerade + } + } + rule 400 { + outbound-interface pppoe0 + source { + address 172.18.200.0/21 + } + translation { + address masquerade + } + } + rule 1000 { + destination { + address 192.168.189.0/24 + } + outbound-interface wg666 + source { + address 172.16.32.0/21 + } + translation { + address 172.29.0.1 + } + } + rule 1001 { + destination { + address 192.168.189.0/24 + } + outbound-interface wg666 + source { + address 172.16.100.0/24 + } + translation { + address 172.29.0.1 + } + } + } +} +policy { + route-map MAP-OSPF-CONNECTED { + rule 1 { + action deny + match { + interface eth1.20 + } + } + rule 20 { + action permit + match { + interface eth0.10 + } + } + rule 40 { + action permit + match { + interface eth0.50 + } + } + } +} +protocols { + bfd { + peer 172.16.252.129 { + } + peer 172.16.252.131 { + } + peer 172.18.254.201 { + } + } + bgp 64503 { + address-family { + ipv4-unicast { + network 172.16.32.0/21 { + } + network 172.16.100.0/24 { + } + network 172.16.252.128/31 { + } + network 172.16.252.130/31 { + } + network 172.16.254.30/32 { + } + network 172.18.0.0/16 { + } + } + } + neighbor 172.16.252.129 { + peer-group WIREGUARD + } + neighbor 172.16.252.131 { + peer-group WIREGUARD + } + neighbor 172.18.254.201 { + address-family { + ipv4-unicast { + nexthop-self { + } + } + } + bfd { + } + remote-as 64503 + update-source dum0 + } + parameters { + default { + no-ipv4-unicast + } + log-neighbor-changes + } + peer-group WIREGUARD { + address-family { + ipv4-unicast { + soft-reconfiguration { + inbound + } + } + } + bfd + remote-as external + } + timers { + holdtime 30 + keepalive 10 + } + } + ospf { + area 0 { + network 172.16.254.30/32 + network 172.16.37.0/24 + network 172.18.201.0/24 + network 172.18.202.0/24 + network 172.18.203.0/24 + network 172.18.204.0/24 + } + default-information { + originate { + always + metric-type 2 + } + } + log-adjacency-changes { + detail + } + parameters { + abr-type cisco + router-id 172.16.254.30 + } + passive-interface default + passive-interface-exclude eth0.5 + redistribute { + connected { + metric-type 2 + route-map MAP-OSPF-CONNECTED + } + } + } + static { + interface-route6 2000::/3 { + next-hop-interface pppoe0 { + } + } + route 10.0.0.0/8 { + blackhole { + distance 254 + } + } + route 169.254.0.0/16 { + blackhole { + distance 254 + } + } + route 172.16.0.0/12 { + blackhole { + distance 254 + } + } + route 172.16.32.0/21 { + blackhole { + } + } + route 172.18.0.0/16 { + blackhole { + } + } + route 172.29.0.2/31 { + next-hop 172.29.0.0 { + } + } + route 192.168.0.0/16 { + blackhole { + distance 254 + } + } + route 192.168.189.0/24 { + next-hop 172.29.0.0 { + } + } + } +} +service { + dhcp-server { + shared-network-name BACKBONE { + authoritative + subnet 172.16.37.0/24 { + default-router 172.16.37.254 + domain-name vyos.net + domain-search vyos.net + lease 86400 + name-server 172.16.254.30 + ntp-server 172.16.254.30 + range 0 { + start 172.16.37.120 + stop 172.16.37.149 + } + static-mapping AP1 { + ip-address 172.16.37.231 + mac-address 02:00:00:00:ee:18 + } + static-mapping AP2 { + ip-address 172.16.37.232 + mac-address 02:00:00:00:52:84 + } + static-mapping AP3 { + ip-address 172.16.37.233 + mac-address 02:00:00:00:51:c0 + } + static-mapping AP4 { + ip-address 172.16.37.234 + mac-address 02:00:00:00:e6:fc + } + static-mapping AP5 { + ip-address 172.16.37.235 + mac-address 02:00:00:00:c3:50 + } + } + } + shared-network-name GUEST { + authoritative + subnet 172.31.0.0/24 { + default-router 172.31.0.254 + domain-name vyos.net + domain-search vyos.net + lease 86400 + name-server 172.31.0.254 + range 0 { + start 172.31.0.101 + stop 172.31.0.199 + } + } + } + shared-network-name LAN { + authoritative + subnet 172.16.33.0/24 { + default-router 172.16.33.254 + domain-name vyos.net + domain-search vyos.net + lease 86400 + name-server 172.16.254.30 + ntp-server 172.16.254.30 + range 0 { + start 172.16.33.100 + stop 172.16.33.189 + } + static-mapping one { + ip-address 172.16.33.221 + mac-address 02:00:00:00:eb:a6 + } + static-mapping two { + ip-address 172.16.33.211 + mac-address 02:00:00:00:58:90 + } + static-mapping three { + ip-address 172.16.33.212 + mac-address 02:00:00:00:12:c7 + } + static-mapping four { + ip-address 172.16.33.214 + mac-address 02:00:00:00:c4:33 + } + } + } + } + dns { + dynamic { + interface pppoe0 { + service vyos { + host-name r1.vyos.net + login vyos-vyos + password vyos + protocol dyndns2 + server dyndns.vyos.io + } + } + } + forwarding { + allow-from 172.16.0.0/12 + domain 16.172.in-addr.arpa { + addnta + recursion-desired + server 172.16.100.10 + server 172.16.100.20 + } + domain 18.172.in-addr.arpa { + addnta + recursion-desired + server 172.16.100.10 + server 172.16.100.20 + } + domain vyos.net { + addnta + recursion-desired + server 172.16.100.20 + server 172.16.100.10 + } + ignore-hosts-file + listen-address 172.16.254.30 + listen-address 172.31.0.254 + negative-ttl 60 + } + } + lldp { + legacy-protocols { + cdp + edp + fdp + sonmp + } + snmp { + enable + } + } + router-advert { + interface eth0.10 { + prefix ::/64 { + preferred-lifetime 2700 + valid-lifetime 5400 + } + } + interface eth1.20 { + prefix ::/64 { + preferred-lifetime 2700 + valid-lifetime 5400 + } + } + } + snmp { + community ro-community { + authorization ro + network 172.16.100.0/24 + } + contact "VyOS" + listen-address 172.16.254.30 { + port 161 + } + location "CLOUD" + } + ssh { + disable-host-validation + port 22 + } +} +system { + config-management { + commit-revisions 200 + } + conntrack { + expect-table-size 2048 + hash-size 32768 + modules { + ftp + h323 + nfs + pptp + sqlnet + tftp + } + table-size 262144 + timeout { + icmp 30 + other 600 + udp { + other 300 + stream 300 + } + } + } + console { + device ttyS0 { + speed 115200 + } + } + domain-name vyos.net + host-name r1 + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + } + } + name-server 172.16.254.30 + ntp { + allow-clients { + address 172.16.0.0/12 + } + server time1.vyos.net { + } + server time2.vyos.net { + } + } + option { + ctrl-alt-delete ignore + performance latency + reboot-on-panic + startup-beep + } + syslog { + global { + facility all { + level debug + } + facility protocols { + level debug + } + } + host 172.16.100.1 { + facility all { + level warning + } + } + } + time-zone Europe/Berlin +} +traffic-policy { + shaper QoS { + bandwidth 50mbit + default { + bandwidth 100% + burst 15k + queue-limit 1000 + queue-type fq-codel + } + } +} +zone-policy { + zone DMZ { + default-action drop + from GUEST { + firewall { + name GUEST-DMZ + } + } + from LAN { + firewall { + name LAN-DMZ + } + } + from LOCAL { + firewall { + name LOCAL-DMZ + } + } + from WAN { + firewall { + name WAN-DMZ + } + } + interface eth0.50 + } + zone GUEST { + default-action drop + from DMZ { + firewall { + name DMZ-GUEST + } + } + from LAN { + firewall { + name LAN-GUEST + } + } + from LOCAL { + firewall { + ipv6-name ALLOW-ALL-6 + name LOCAL-GUEST + } + } + from WAN { + firewall { + ipv6-name ALLOW-ESTABLISHED-6 + name WAN-GUEST + } + } + interface eth1.20 + } + zone LAN { + default-action drop + from DMZ { + firewall { + name DMZ-LAN + } + } + from GUEST { + firewall { + name GUEST-LAN + } + } + from LOCAL { + firewall { + ipv6-name ALLOW-ALL-6 + name LOCAL-LAN + } + } + from WAN { + firewall { + ipv6-name ALLOW-ESTABLISHED-6 + name WAN-LAN + } + } + interface eth0.5 + interface eth0.10 + interface wg100 + interface wg200 + } + zone LOCAL { + default-action drop + from DMZ { + firewall { + name DMZ-LOCAL + } + } + from GUEST { + firewall { + ipv6-name ALLOW-ESTABLISHED-6 + name GUEST-LOCAL + } + } + from LAN { + firewall { + ipv6-name ALLOW-ALL-6 + name LAN-LOCAL + } + } + from WAN { + firewall { + ipv6-name WAN-LOCAL-6 + name WAN-LOCAL + } + } + local-zone + } + zone WAN { + default-action drop + from DMZ { + firewall { + name DMZ-WAN + } + } + from GUEST { + firewall { + ipv6-name ALLOW-ALL-6 + name GUEST-WAN + } + } + from LAN { + firewall { + ipv6-name ALLOW-ALL-6 + name LAN-WAN + } + } + from LOCAL { + firewall { + ipv6-name ALLOW-ALL-6 + name LOCAL-WAN + } + } + interface pppoe0 + interface wg666 + } +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1" +// Release version: 1.3.4 diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index cffa1c0be..066ed707b 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -408,6 +408,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name = 'v6-smoketest' interface = 'eth0' + self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop']) self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log']) @@ -452,7 +456,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['log prefix "[ipv6-OUT-filter-default-D]"','OUT-filter default-action drop', 'drop'], [f'chain NAME6_{name}'], ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'], - [f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'] + [f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'], + ['jump VYOS_STATE_POLICY6'], + ['chain VYOS_STATE_POLICY6'], + ['ct state established', 'accept'], + ['ct state invalid', 'drop'], + ['ct state related', 'accept'] ] self.verify_nftables(nftables_search, 'ip6 vyos_filter') @@ -535,6 +544,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name = 'smoketest-state' interface = 'eth0' + self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept']) self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established']) @@ -561,7 +574,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['ct state new', 'ct status dnat', 'accept'], ['ct state { established, new }', 'ct status snat', 'accept'], ['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'], - ['drop', f'comment "{name} default-action drop"'] + ['drop', f'comment "{name} default-action drop"'], + ['jump VYOS_STATE_POLICY'], + ['chain VYOS_STATE_POLICY'], + ['ct state established', 'accept'], + ['ct state invalid', 'drop'], + ['ct state related', 'accept'] ] self.verify_nftables(nftables_search, 'ip vyos_filter') @@ -657,6 +675,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest']) self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone']) self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'log']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept']) + self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop']) self.cli_commit() @@ -674,7 +696,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['jump VZONE_smoketest-local_IN'], ['jump VZONE_smoketest-local_OUT'], ['iifname "eth0"', 'jump NAME_smoketest'], - ['oifname "eth0"', 'jump NAME_smoketest'] + ['oifname "eth0"', 'jump NAME_smoketest'], + ['jump VYOS_STATE_POLICY'], + ['chain VYOS_STATE_POLICY'], + ['ct state established', 'log prefix "[STATE-POLICY-EST-A]"', 'accept'], + ['ct state invalid', 'drop'], + ['ct state related', 'accept'] ] nftables_output = cmd('sudo nft list table ip vyos_filter') diff --git a/smoketest/scripts/cli/test_service_dns_dynamic.py b/smoketest/scripts/cli/test_service_dns_dynamic.py index cb3d90593..3c7303f32 100755 --- a/smoketest/scripts/cli/test_service_dns_dynamic.py +++ b/smoketest/scripts/cli/test_service_dns_dynamic.py @@ -294,7 +294,7 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): def test_07_dyndns_vrf(self): # Table number randomized, but should be within range 100-65535 - vrf_table = "".join(random.choices(string.digits, k=4)) + vrf_table = '58710' vrf_name = f'vyos-test-{vrf_table}' svc_path = name_path + ['cloudflare'] proto = 'cloudflare' diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 87a269499..cd85a5066 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -306,6 +306,7 @@ def generate(login): def apply(login): + enable_otp = False if 'user' in login: for user, user_config in login['user'].items(): # make new user using vyatta shell and make home directory (-m), @@ -350,6 +351,7 @@ def apply(login): # Generate 2FA/MFA One-Time-Pad configuration if dict_search('authentication.otp.key', user_config): + enable_otp = True render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2', user_config, permission=0o400, user=user, group='users') else: @@ -398,6 +400,11 @@ def apply(login): pam_profile = 'tacplus-optional' cmd(f'pam-auth-update --enable {pam_profile}') + # Enable/disable Google authenticator + cmd('pam-auth-update --disable mfa-google-authenticator') + if enable_otp: + cmd(f'pam-auth-update --enable mfa-google-authenticator') + return None diff --git a/src/init/vyos-router b/src/init/vyos-router index 35095afe4..711681a8e 100755 --- a/src/init/vyos-router +++ b/src/init/vyos-router @@ -260,6 +260,8 @@ EOF rm -f /etc/pam_radius_auth.conf pam-auth-update --disable tacplus-mandatory tacplus-optional rm -f /etc/tacplus_nss.conf /etc/tacplus_servers + # and no Google authenticator for 2FA/MFA + pam-auth-update --disable mfa-google-authenticator # Certain configuration files are re-generated by the configuration # subsystem and must reside under /etc and can not easily be moved to /run. diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index b739fb139..e14ea0e51 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 @@ -63,19 +63,11 @@ if not config.exists(base): ### Migration of state policies if config.exists(base + ['state-policy']): - for family in ['ipv4', 'ipv6']: - for hook in ['forward', 'input', 'output']: - for priority in ['filter']: - # Add default-action== accept for compatibility reasons: - config.set(base + [family, hook, priority, 'default-action'], value='accept') - position = 1 - for state in config.list_nodes(base + ['state-policy']): - action = config.return_value(base + ['state-policy', state, 'action']) - config.set(base + [family, hook, priority, 'rule']) - config.set_tag(base + [family, hook, priority, 'rule']) - config.set(base + [family, hook, priority, 'rule', position, 'state', state], value='enable') - config.set(base + [family, hook, priority, 'rule', position, 'action'], value=action) - position = position + 1 + for state in config.list_nodes(base + ['state-policy']): + action = config.return_value(base + ['state-policy', state, 'action']) + config.set(base + ['global-options', 'state-policy', state, 'action'], value=action) + if config.exists(base + ['state-policy', state, 'log']): + config.set(base + ['global-options', 'state-policy', state, 'log'], value='enable') config.delete(base + ['state-policy']) ## migration of global options: diff --git a/src/migration-scripts/firewall/12-to-13 b/src/migration-scripts/firewall/12-to-13 index 4eaae779b..8396dd9d1 100755 --- a/src/migration-scripts/firewall/12-to-13 +++ b/src/migration-scripts/firewall/12-to-13 @@ -49,6 +49,15 @@ if not config.exists(base): # Nothing to do exit(0) +# State Policy logs: +if config.exists(base + ['global-options', 'state-policy']): + for state in config.list_nodes(base + ['global-options', 'state-policy']): + if config.exists(base + ['global-options', 'state-policy', state, 'log']): + log_value = config.return_value(base + ['global-options', 'state-policy', state, 'log']) + config.delete(base + ['global-options', 'state-policy', state, 'log']) + if log_value == 'enable': + config.set(base + ['global-options', 'state-policy', state, 'log']) + for family in ['ipv4', 'ipv6', 'bridge']: if config.exists(base + [family]): for hook in ['forward', 'input', 'output', 'name']: diff --git a/src/migration-scripts/interfaces/29-to-30 b/src/migration-scripts/interfaces/29-to-30 index 97e1b329c..04e023e77 100755 --- a/src/migration-scripts/interfaces/29-to-30 +++ b/src/migration-scripts/interfaces/29-to-30 @@ -35,16 +35,19 @@ if __name__ == '__main__': # Nothing to do sys.exit(0) for interface in config.list_nodes(base): + if not config.exists(base + [interface, 'private-key']): + continue private_key = config.return_value(base + [interface, 'private-key']) interface_base = base + [interface] if config.exists(interface_base + ['peer']): for peer in config.list_nodes(interface_base + ['peer']): peer_base = interface_base + ['peer', peer] + if not config.exists(peer_base + ['public-key']): + continue peer_public_key = config.return_value(peer_base + ['public-key']) - if config.exists(peer_base + ['public-key']): - if not config.exists(peer_base + ['disable']) \ - and is_wireguard_key_pair(private_key, peer_public_key): - config.set(peer_base + ['disable']) + if not config.exists(peer_base + ['disable']) \ + and is_wireguard_key_pair(private_key, peer_public_key): + config.set(peer_base + ['disable']) try: with open(file_name, 'w') as f: diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py index 77f38992b..d6b8aa0b8 100755 --- a/src/op_mode/dhcp.py +++ b/src/op_mode/dhcp.py @@ -43,6 +43,7 @@ sort_valid_inet6 = ['end', 'iaid_duid', 'ip', 'last_communication', 'pool', 'rem ArgFamily = typing.Literal['inet', 'inet6'] ArgState = typing.Literal['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup'] +ArgOrigin = typing.Literal['local', 'remote'] def _utc_to_local(utc_dt): return datetime.fromtimestamp((datetime.fromtimestamp(utc_dt) - datetime(1970, 1, 1)).total_seconds()) @@ -71,7 +72,7 @@ def _find_list_of_dict_index(lst, key='ip', value='') -> int: return idx -def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[]) -> list: +def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[], origin=None) -> list: """ Get DHCP server leases :return list @@ -82,51 +83,61 @@ def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[]) -> l if pool is None: pool = _get_dhcp_pools(family=family) + aux = False else: pool = [pool] - - for lease in leases: - data_lease = {} - data_lease['ip'] = lease.ip - data_lease['state'] = lease.binding_state - data_lease['pool'] = lease.sets.get('shared-networkname', '') - data_lease['end'] = lease.end.timestamp() if lease.end else None - - if family == 'inet': - data_lease['mac'] = lease.ethernet - data_lease['start'] = lease.start.timestamp() - data_lease['hostname'] = lease.hostname - - if family == 'inet6': - data_lease['last_communication'] = lease.last_communication.timestamp() - data_lease['iaid_duid'] = _format_hex_string(lease.host_identifier_string) - lease_types_long = {'na': 'non-temporary', 'ta': 'temporary', 'pd': 'prefix delegation'} - data_lease['type'] = lease_types_long[lease.type] - - data_lease['remaining'] = '-' - - if lease.end: - data_lease['remaining'] = lease.end - datetime.utcnow() - - if data_lease['remaining'].days >= 0: - # substraction gives us a timedelta object which can't be formatted with strftime - # so we use str(), split gets rid of the microseconds - data_lease['remaining'] = str(data_lease["remaining"]).split('.')[0] - - # Do not add old leases - if data_lease['remaining'] != '' and data_lease['pool'] in pool and data_lease['state'] != 'free': - if not state or data_lease['state'] in state: - data.append(data_lease) - - # deduplicate - checked = [] - for entry in data: - addr = entry.get('ip') - if addr not in checked: - checked.append(addr) - else: - idx = _find_list_of_dict_index(data, key='ip', value=addr) - data.pop(idx) + aux = True + + ## Search leases for every pool + for pool_name in pool: + for lease in leases: + if lease.sets.get('shared-networkname', '') == pool_name or lease.sets.get('shared-networkname', '') == '': + #if lease.sets.get('shared-networkname', '') == pool_name: + data_lease = {} + data_lease['ip'] = lease.ip + data_lease['state'] = lease.binding_state + #data_lease['pool'] = pool_name if lease.sets.get('shared-networkname', '') != '' else 'Fail-Over Server' + data_lease['pool'] = lease.sets.get('shared-networkname', '') + data_lease['end'] = lease.end.timestamp() if lease.end else None + data_lease['origin'] = 'local' if data_lease['pool'] != '' else 'remote' + + if family == 'inet': + data_lease['mac'] = lease.ethernet + data_lease['start'] = lease.start.timestamp() + data_lease['hostname'] = lease.hostname + + if family == 'inet6': + data_lease['last_communication'] = lease.last_communication.timestamp() + data_lease['iaid_duid'] = _format_hex_string(lease.host_identifier_string) + lease_types_long = {'na': 'non-temporary', 'ta': 'temporary', 'pd': 'prefix delegation'} + data_lease['type'] = lease_types_long[lease.type] + + data_lease['remaining'] = '-' + + if lease.end: + data_lease['remaining'] = lease.end - datetime.utcnow() + + if data_lease['remaining'].days >= 0: + # substraction gives us a timedelta object which can't be formatted with strftime + # so we use str(), split gets rid of the microseconds + data_lease['remaining'] = str(data_lease["remaining"]).split('.')[0] + + # Do not add old leases + if data_lease['remaining'] != '' and data_lease['state'] != 'free': + if not state or data_lease['state'] in state or state == 'all': + if not origin or data_lease['origin'] in origin: + if not aux or (aux and data_lease['pool'] == pool_name): + data.append(data_lease) + + # deduplicate + checked = [] + for entry in data: + addr = entry.get('ip') + if addr not in checked: + checked.append(addr) + else: + idx = _find_list_of_dict_index(data, key='ip', value=addr) + data.pop(idx) if sorted: if sorted == 'ip': @@ -150,10 +161,11 @@ def _get_formatted_server_leases(raw_data, family='inet'): remain = lease.get('remaining') pool = lease.get('pool') hostname = lease.get('hostname') - data_entries.append([ipaddr, hw_addr, state, start, end, remain, pool, hostname]) + origin = lease.get('origin') + data_entries.append([ipaddr, hw_addr, state, start, end, remain, pool, hostname, origin]) headers = ['IP Address', 'MAC address', 'State', 'Lease start', 'Lease expiration', 'Remaining', 'Pool', - 'Hostname'] + 'Hostname', 'Origin'] if family == 'inet6': for lease in raw_data: @@ -267,7 +279,8 @@ def show_pool_statistics(raw: bool, family: ArgFamily, pool: typing.Optional[str @_verify def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str], - sorted: typing.Optional[str], state: typing.Optional[ArgState]): + sorted: typing.Optional[str], state: typing.Optional[ArgState], + origin: typing.Optional[ArgOrigin] ): # if dhcp server is down, inactive leases may still be shown as active, so warn the user. v = '6' if family == 'inet6' else '' service_name = 'DHCPv6' if family == 'inet6' else 'DHCP' @@ -285,7 +298,7 @@ def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str], if sorted and sorted not in sort_valid: raise vyos.opmode.IncorrectValue(f'DHCP{v} sort "{sorted}" is invalid!') - lease_data = _get_raw_server_leases(family=family, pool=pool, sorted=sorted, state=state) + lease_data = _get_raw_server_leases(family=family, pool=pool, sorted=sorted, state=state, origin=origin) if raw: return lease_data else: diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py index cdb84a152..b3e6e518c 100755 --- a/src/op_mode/image_installer.py +++ b/src/op_mode/image_installer.py @@ -60,6 +60,8 @@ MSG_INPUT_PASSWORD: str = 'Please enter a password for the "vyos" user' MSG_INPUT_ROOT_SIZE_ALL: str = 'Would you like to use all the free space on the drive?' MSG_INPUT_ROOT_SIZE_SET: str = 'Please specify the size (in GB) of the root partition (min is 1.5 GB)?' MSG_INPUT_CONSOLE_TYPE: str = 'What console should be used by default? (K: KVM, S: Serial, U: USB-Serial)?' +MSG_INPUT_COPY_DATA: str = 'Would you like to copy data to the new image?' +MSG_INPUT_CHOOSE_COPY_DATA: str = 'From which image would you like to save config information?' MSG_WARN_ISO_SIGN_INVALID: str = 'Signature is not valid. Do you want to continue with installation?' MSG_WARN_ISO_SIGN_UNAVAL: str = 'Signature is not available. Do you want to continue with installation?' MSG_WARN_ROOT_SIZE_TOOBIG: str = 'The size is too big. Try again.' @@ -184,6 +186,83 @@ def create_partitions(target_disk: str, target_size: int, return disk_details +def search_format_selection(image: tuple[str, str]) -> str: + """Format a string for selection of image + + Args: + image (tuple[str, str]): a tuple of image name and drive + + Returns: + str: formatted string + """ + return f'{image[0]} on {image[1]}' + + +def search_previous_installation(disks: list[str]) -> None: + """Search disks for previous installation config and SSH keys + + Args: + disks (list[str]): a list of available disks + """ + mnt_config = '/mnt/config' + mnt_ssh = '/mnt/ssh' + mnt_tmp = '/mnt/tmp' + rmtree(Path(mnt_config), ignore_errors=True) + rmtree(Path(mnt_ssh), ignore_errors=True) + Path(mnt_tmp).mkdir(exist_ok=True) + + print('Searching for data from previous installations') + image_data = [] + for disk_name in disks: + for partition in disk.partition_list(disk_name): + if disk.partition_mount(partition, mnt_tmp): + if Path(mnt_tmp + '/boot').exists(): + for path in Path(mnt_tmp + '/boot').iterdir(): + if path.joinpath('rw/config/.vyatta_config').exists(): + image_data.append((path.name, partition)) + + disk.partition_umount(partition) + + if len(image_data) == 1: + image_name, image_drive = image_data[0] + print('Found data from previous installation:') + print(f'\t{image_name} on {image_drive}') + if not ask_yes_no(MSG_INPUT_COPY_DATA, default=True): + return + + elif len(image_data) > 1: + print('Found data from previous installations') + if not ask_yes_no(MSG_INPUT_COPY_DATA, default=True): + return + + image_name, image_drive = select_entry(image_data, + 'Available versions:', + MSG_INPUT_CHOOSE_COPY_DATA, + search_format_selection) + else: + print('No previous installation found') + return + + disk.partition_mount(image_drive, mnt_tmp) + + copytree(f'{mnt_tmp}/boot/{image_name}/rw/config', mnt_config) + Path(mnt_ssh).mkdir() + host_keys: list[str] = glob(f'{mnt_tmp}/boot/{image_name}/rw/etc/ssh/ssh_host*') + for host_key in host_keys: + copy(host_key, mnt_ssh) + + disk.partition_umount(image_drive) + + +def copy_previous_installation_data(target_dir: str) -> None: + if Path('/mnt/config').exists(): + copytree('/mnt/config', f'{target_dir}/opt/vyatta/etc/config', + dirs_exist_ok=True) + if Path('/mnt/ssh').exists(): + copytree('/mnt/ssh', f'{target_dir}/etc/ssh', + dirs_exist_ok=True) + + def ask_single_disk(disks_available: dict[str, int]) -> str: """Ask user to select a disk for installation @@ -204,6 +283,8 @@ def ask_single_disk(disks_available: dict[str, int]) -> str: print(MSG_INFO_INSTALL_EXIT) exit() + search_previous_installation(list(disks_available)) + disk_details: disk.DiskDetails = create_partitions(disk_selected, disks_available[disk_selected]) @@ -260,6 +341,8 @@ def check_raid_install(disks_available: dict[str, int]) -> Union[str, None]: print(MSG_INFO_INSTALL_EXIT) exit() + search_previous_installation(list(disks_available)) + disks: list[disk.DiskDetails] = [] for disk_selected in list(disks_selected): print(f'Creating partitions on {disk_selected}') @@ -581,6 +664,10 @@ def install_image() -> None: copy(FILE_ROOTFS_SRC, f'{DIR_DST_ROOT}/boot/{image_name}/{image_name}.squashfs') + # copy saved config data and SSH keys + # owner restored on copy of config data by chmod_2775, above + copy_previous_installation_data(f'{DIR_DST_ROOT}/boot/{image_name}/rw') + if is_raid_install(install_target): write_dir: str = f'{DIR_DST_ROOT}/boot/{image_name}/rw' raid.update_default(write_dir) diff --git a/src/pam-configs/mfa-google-authenticator b/src/pam-configs/mfa-google-authenticator new file mode 100644 index 000000000..9e49e5ef9 --- /dev/null +++ b/src/pam-configs/mfa-google-authenticator @@ -0,0 +1,8 @@ +Name: Google Authenticator PAM module (2FA/MFA) +Default: no +Priority: 384 + +Auth-Type: Primary +Auth: + [default=ignore success=ok auth_err=die] pam_google_authenticator.so nullok forward_pass + |