-rw-r--r--Makefile3
-rw-r--r--data/templates/ids/fastnetmon.j211
-rw-r--r--data/templates/ids/fastnetmon_networks_list.j22
-rw-r--r--interface-definitions/service-ids-ddos-protection.xml.in33
-rw-r--r--op-mode-definitions/monitor-bridge.xml.in4
-rw-r--r--op-mode-definitions/monitor-log.xml.in107
-rw-r--r--op-mode-definitions/monitor-ndp.xml.in8
-rw-r--r--op-mode-definitions/show-log.xml.in102
-rw-r--r--python/vyos/configtree.py10
-rwxr-xr-xsrc/conf_mode/protocols_bgp.py2
-rwxr-xr-xsrc/conf_mode/service_ids_fastnetmon.py14
11 files changed, 168 insertions, 128 deletions
diff --git a/Makefile b/Makefile
index 25f2c96d2..fe17ce994 100644
--- a/Makefile
+++ b/Makefile
@@ -61,10 +61,7 @@ op_mode_definitions: $(op_xml_obj)
rm -f $(OP_TMPL_DIR)/clear/node.def
rm -f $(OP_TMPL_DIR)/delete/node.def
rm -f $(OP_TMPL_DIR)/generate/node.def
- rm -f $(OP_TMPL_DIR)/monitor/node.def
rm -f $(OP_TMPL_DIR)/set/node.def
- rm -f $(OP_TMPL_DIR)/show/node.def
- rm -f $(OP_TMPL_DIR)/show/system/node.def
rm -f $(OP_TMPL_DIR)/show/tech-support/node.def
# XXX: ping and traceroute must be able to recursivly call itself as the
diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2
index 0340d3c92..f6f03d0db 100644
--- a/data/templates/ids/fastnetmon.j2
+++ b/data/templates/ids/fastnetmon.j2
@@ -29,10 +29,19 @@ unban_only_if_attack_finished = on
# For each subnet, list track speed in bps and pps for both directions
enable_subnet_counters = off
-{% if mode.mirror is vyos_defined %}
+{% if mode is vyos_defined('mirror') %}
mirror_afpacket = on
+{% elif mode is vyos_defined('sflow') %}
+sflow = on
+{% if sflow.port is vyos_defined %}
+sflow_port = {{ sflow.port }}
+{% endif %}
+{% if sflow.listen_address is vyos_defined %}
+sflow_host = {{ sflow.listen_address }}
+{% endif %}
{% endif %}
+
process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in direction else 'off' }}
process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }}
diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2
index 5f1b3ba4d..0a0576d2a 100644
--- a/data/templates/ids/fastnetmon_networks_list.j2
+++ b/data/templates/ids/fastnetmon_networks_list.j2
@@ -1,4 +1,4 @@
-{% if network is vyos_defined() %}
+{% if network is vyos_defined %}
{% for net in network %}
{{ net }}
{% endfor %}
diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in
index bb06189bc..78463136b 100644
--- a/interface-definitions/service-ids-ddos-protection.xml.in
+++ b/interface-definitions/service-ids-ddos-protection.xml.in
@@ -70,17 +70,34 @@
<multi/>
</properties>
</leafNode>
- <node name="mode">
+ <leafNode name="mode">
<properties>
- <help>Traffic capture modes</help>
+ <help>Traffic capture mode</help>
+ <completionHelp>
+ <list>mirror sflow</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mirror</format>
+ <description>Listen to mirrored traffic</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sflow</format>
+ <description>Capture sFlow flows</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mirror|sflow)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="sflow">
+ <properties>
+ <help>Sflow settings</help>
</properties>
<children>
- <!-- Future modes "mirror" "netflow" "combine (both)" -->
- <leafNode name="mirror">
- <properties>
- <help>Listen mirrored traffic mode</help>
- <valueless/>
- </properties>
+ #include <include/listen-address-ipv4-single.xml.i>
+ #include <include/port-number.xml.i>
+ <leafNode name="port">
+ <defaultValue>6343</defaultValue>
</leafNode>
</children>
</node>
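Review bot: The new `sflow` node's help text `<help>Sflow settings</help>` does not tell the operator that `listen-address` is mandatory in this mode, even though `verify()` in src/conf_mode/service_ids_fastnetmon.py rejects `mode sflow` without it; the included `listen-address-ipv4-single.xml.i` presumably carries only generic help. Suggest `<help>sFlow collector settings (listen-address is required in sflow mode)</help>`, which also fixes the product name's capitalisation used elsewhere in this hunk (`Capture sFlow flows`). The enclosing `<children>` of the parent node starts before the hunk.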
diff --git a/op-mode-definitions/monitor-bridge.xml.in b/op-mode-definitions/monitor-bridge.xml.in
index 712a924f1..a43fa6dd9 100644
--- a/op-mode-definitions/monitor-bridge.xml.in
+++ b/op-mode-definitions/monitor-bridge.xml.in
@@ -4,14 +4,14 @@
<children>
<node name="bridge">
<properties>
- <help>Monitoring bridge database generated objects and address changes</help>
+ <help>Monitor bridge database changes</help>
</properties>
<command>sudo bridge monitor all</command>
<children>
<node name="link">
<command>sudo bridge monitor link</command>
<properties>
- <help>Monitoring bridge database generated connection interface changes</help>
+ <help>Monitor bridge database generated connection interface changes</help>
</properties>
</node>
<node name="fdb">
diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in
index 8f3f73478..c7be07aa8 100644
--- a/op-mode-definitions/monitor-log.xml.in
+++ b/op-mode-definitions/monitor-log.xml.in
@@ -1,6 +1,9 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="monitor">
+ <properties>
+ <help>Monitor system information</help>
+ </properties>
<children>
<node name="log">
<properties>
@@ -27,6 +30,12 @@
</leafNode>
</children>
</node>
+ <leafNode name="conntrack-sync">
+ <properties>
+ <help>Monitor last lines of conntrack-sync log</help>
+ </properties>
+ <command>journalctl --no-hostname --follow --boot --unit conntrackd.service</command>
+ </leafNode>
<node name="dhcp">
<properties>
<help>Monitor last lines of Dynamic Host Control Protocol log</help>
@@ -117,6 +126,23 @@
</properties>
<command>journalctl --no-hostname --boot --follow --unit chrony.service</command>
</leafNode>
+ <node name="openvpn">
+ <properties>
+ <help>Monitor last lines of OpenVPN log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit openvpn@*.service</command>
+ <children>
+ <tagNode name="interface">
+ <properties>
+ <help>Monitor last lines of specific OpenVPN interface log</help>
+ <completionHelp>
+ <path>interfaces openvpn</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit openvpn@$5.service</command>
+ </tagNode>
+ </children>
+ </node>
<node name="pppoe">
<properties>
<help>Monitor last lines of PPPoE interface log</help>
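Review bot: The per-interface OpenVPN command on the added `tagNode "interface"` omits `--follow`, so under `monitor log openvpn interface <name>` it prints the boot log once and exits instead of tailing it like its parent node (`--unit openvpn@*.service`) and every other entry in this file. The interpolated tag value is also unquoted, unlike the sibling pattern `"ppp@$5.service"` used for the sstpc interface node in show-log.xml.in in this same commit. Suggested line: `<command>journalctl --no-hostname --boot --follow --unit "openvpn@$5.service"</command>`.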
@@ -248,9 +274,45 @@
</properties>
<command>journalctl --no-hostname --boot --follow --unit ssh.service</command>
</leafNode>
+ <leafNode name="vpn">
+ <properties>
+ <help>Monitor last lines of ALL Virtual Private Network services</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service</command>
+ </leafNode>
+ <leafNode name="ipsec">
+ <properties>
+ <help>Monitor last lines of IPsec log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit strongswan.service</command>
+ </leafNode>
+ <leafNode name="l2tp">
+ <properties>
+ <help>Monitor last lines of L2TP log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit accel-ppp@l2tp.service</command>
+ </leafNode>
+ <leafNode name="openconnect">
+ <properties>
+ <help>Monitor last lines of OpenConnect log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit ocserv.service</command>
+ </leafNode>
+ <leafNode name="pptp">
+ <properties>
+ <help>Monitor last lines of PPTP log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit accel-ppp@pptp.service</command>
+ </leafNode>
+ <leafNode name="sstp">
+ <properties>
+ <help>Monitor last lines of Secure Socket Tunneling Protocol server</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit accel-ppp@sstp.service</command>
+ </leafNode>
<node name="sstpc">
<properties>
- <help>Monitor last lines of Secure Socket Tunneling Protocol log</help>
+ <help>Monitor last lines of Secure Socket Tunneling Protocol client</help>
</properties>
<command>journalctl --no-hostname --boot --follow --unit "ppp@sstpc*.service"</command>
<children>
@@ -265,49 +327,6 @@
</tagNode>
</children>
</node>
- <node name="vpn">
- <properties>
- <help>Monitor Virtual Private Network services</help>
- </properties>
- <children>
- <leafNode name="all">
- <properties>
- <help>Monitor last lines of ALL VPNs</help>
- </properties>
- <command>journalctl --no-hostname --boot --follow --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service</command>
- </leafNode>
- <leafNode name="ipsec">
- <properties>
- <help>Monitor last lines of IPsec log</help>
- </properties>
- <command>journalctl --no-hostname --boot --follow --unit strongswan.service</command>
- </leafNode>
- <leafNode name="l2tp">
- <properties>
- <help>Monitor last lines of L2TP log</help>
- </properties>
- <command>journalctl --no-hostname --boot --follow --unit accel-ppp@l2tp.service</command>
- </leafNode>
- <leafNode name="openconnect">
- <properties>
- <help>Monitor last lines of OpenConnect log</help>
- </properties>
- <command>journalctl --no-hostname --boot --follow --unit ocserv.service</command>
- </leafNode>
- <leafNode name="pptp">
- <properties>
- <help>Monitor last lines of PPTP log</help>
- </properties>
- <command>journalctl --no-hostname --boot --follow --unit accel-ppp@pptp.service</command>
- </leafNode>
- <leafNode name="sstp">
- <properties>
- <help>Monitor last lines of SSTP log</help>
- </properties>
- <command>journalctl --no-hostname --boot --follow --unit accel-ppp@sstp.service</command>
- </leafNode>
- </children>
- </node>
<leafNode name="vpp">
<properties>
<help>Monitor last lines of Vector Packet Processor log</help>
diff --git a/op-mode-definitions/monitor-ndp.xml.in b/op-mode-definitions/monitor-ndp.xml.in
index 26d881f1a..3b08f3d73 100644
--- a/op-mode-definitions/monitor-ndp.xml.in
+++ b/op-mode-definitions/monitor-ndp.xml.in
@@ -4,14 +4,14 @@
<children>
<node name="ndp">
<properties>
- <help>Monitor the NDP information received by the router through the device</help>
+ <help>Monitor Neighbor Discovery Protocol (NDP) information</help>
</properties>
<command>sudo ndptool monitor</command>
<children>
<tagNode name="interface">
<command>sudo ndptool monitor --ifname=$4</command>
<properties>
- <help>Monitor ndp protocol on specified interface</help>
+ <help>Monitor Neighbor Discovery Protocol on specified interface</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
@@ -20,7 +20,7 @@
<tagNode name="type">
<command>sudo ndptool monitor --ifname=$4 --msg-type=$6</command>
<properties>
- <help>Monitor specific types of NDP protocols</help>
+ <help>Monitor specific Neighbor Discovery Protocol type</help>
<completionHelp>
<list>rs ra ns na</list>
</completionHelp>
@@ -31,7 +31,7 @@
<tagNode name="type">
<command>sudo ndptool monitor --msg-type=$4</command>
<properties>
- <help>Monitor specific types of NDP protocols</help>
+ <help>Monitor specific Neighbor Discovery Protocol type</help>
<completionHelp>
<list>rs ra ns na</list>
</completionHelp>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index 579e348f7..925a780ac 100644
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -1,6 +1,9 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="show">
+ <properties>
+ <help>Show system information</help>
+ </properties>
<children>
<tagNode name="log">
<properties>
@@ -395,23 +398,6 @@
</properties>
<command>journalctl --no-hostname --boot --unit ssh.service</command>
</leafNode>
- <node name="sstpc">
- <properties>
- <help>Show log for SSTP client</help>
- </properties>
- <command>journalctl --no-hostname --boot --unit "ppp@sstpc*.service"</command>
- <children>
- <tagNode name="interface">
- <properties>
- <help>Show SSTP client log on specific interface</help>
- <completionHelp>
- <path>interfaces sstpc</path>
- </completionHelp>
- </properties>
- <command>journalctl --no-hostname --boot --unit "ppp@$5.service"</command>
- </tagNode>
- </children>
- </node>
<tagNode name="tail">
<properties>
<help>Show last n changes to messages</help>
@@ -427,47 +413,57 @@
</properties>
<command>tail -n 10 /var/log/messages</command>
</node>
- <node name="vpn">
+ <leafNode name="vpn">
+ <properties>
+ <help>Monitor last lines of ALL Virtual Private Network services</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service</command>
+ </leafNode>
+ <leafNode name="ipsec">
+ <properties>
+ <help>Show log for IPsec</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit strongswan.service</command>
+ </leafNode>
+ <leafNode name="l2tp">
+ <properties>
+ <help>Show log for L2TP</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit accel-ppp@l2tp.service</command>
+ </leafNode>
+ <leafNode name="openconnect">
+ <properties>
+ <help>Show log for OpenConnect</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit ocserv.service</command>
+ </leafNode>
+ <leafNode name="pptp">
+ <properties>
+ <help>Show log for PPTP</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit accel-ppp@pptp.service</command>
+ </leafNode>
+ <leafNode name="sstp">
+ <properties>
+ <help>Show log for Secure Socket Tunneling Protocol (SSTP) server</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit accel-ppp@sstp.service</command>
+ </leafNode>
+ <node name="sstpc">
<properties>
- <help>Show log for Virtual Private Network (VPN)</help>
+ <help>Show log for Secure Socket Tunneling Protocol (SSTP) client</help>
</properties>
+ <command>journalctl --no-hostname --boot --unit "ppp@sstpc*.service"</command>
<children>
- <leafNode name="all">
- <properties>
- <help>Show log for ALL</help>
- </properties>
- <command>journalctl --no-hostname --boot --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service</command>
- </leafNode>
- <leafNode name="ipsec">
- <properties>
- <help>Show log for IPsec</help>
- </properties>
- <command>journalctl --no-hostname --boot --unit strongswan.service</command>
- </leafNode>
- <leafNode name="l2tp">
- <properties>
- <help>Show log for L2TP</help>
- </properties>
- <command>journalctl --no-hostname --boot --unit accel-ppp@l2tp.service</command>
- </leafNode>
- <leafNode name="openconnect">
- <properties>
- <help>Show log for OpenConnect</help>
- </properties>
- <command>journalctl --no-hostname --boot --unit ocserv.service</command>
- </leafNode>
- <leafNode name="pptp">
- <properties>
- <help>Show log for PPTP</help>
- </properties>
- <command>journalctl --no-hostname --boot --unit accel-ppp@pptp.service</command>
- </leafNode>
- <leafNode name="sstp">
+ <tagNode name="interface">
<properties>
- <help>Show log for SSTP</help>
+ <help>Show SSTP client log on specific interface</help>
+ <completionHelp>
+ <path>interfaces sstpc</path>
+ </completionHelp>
</properties>
- <command>journalctl --no-hostname --boot --unit accel-ppp@sstp.service</command>
- </leafNode>
+ <command>journalctl --no-hostname --boot --unit "ppp@$5.service"</command>
+ </tagNode>
</children>
</node>
<leafNode name="vpp">
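Review bot: The help for the flattened `vpn` leaf in this hunk reads `Monitor last lines of ALL Virtual Private Network services`, which is the wording from monitor-log.xml.in; under `show log` the siblings use the `Show log for ...` form (`Show log for IPsec`, `Show log for L2TP`). Suggest `<help>Show log for ALL Virtual Private Network services</help>` so completion output stays consistent within the `show log` tree.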
diff --git a/python/vyos/configtree.py b/python/vyos/configtree.py
index d0cd87464..e18d9817d 100644
--- a/python/vyos/configtree.py
+++ b/python/vyos/configtree.py
@@ -418,10 +418,6 @@ class DiffTree:
self.__diff_tree.argtypes = [c_char_p, c_void_p, c_void_p]
self.__diff_tree.restype = c_void_p
- self.__trim_tree = self.__lib.trim_tree
- self.__trim_tree.argtypes = [c_void_p, c_void_p]
- self.__trim_tree.restype = c_void_p
-
check_path(path)
path_str = " ".join(map(str, path)).encode()
@@ -435,11 +431,7 @@ class DiffTree:
self.add = self.full.get_subtree(['add'])
self.sub = self.full.get_subtree(['sub'])
self.inter = self.full.get_subtree(['inter'])
-
- # trim sub(-tract) tree to get delete tree for commands
- ref = self.right.get_subtree(path, with_node=True) if path else self.right
- res = self.__trim_tree(self.sub._get_config(), ref._get_config())
- self.delete = ConfigTree(address=res)
+ self.delete = self.full.get_subtree(['del'])
def to_commands(self):
add = self.add.to_commands()
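Review bot: `self.delete` is now read from `self.full.get_subtree(['del'])`, which silently assumes the native `diff_tree` result carries a `del` branch next to `add`/`sub`/`inter`; that contract lives in the C library and is not visible here, and with an older library build the outcome depends on how `get_subtree` handles a missing path — presumably an empty tree or an exception, to be confirmed. A short comment on the new line would record the dependency, e.g. `# 'del' is computed natively by diff_tree; replaces the former Python-side trim_tree pass`. The first hunk of this file is the matching removal of the `__trim_tree` binding; `DiffTree.__init__` starts before that hunk and `to_commands` continues past this one.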
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index cec025fea..7b9f15505 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -475,6 +475,8 @@ def verify(bgp):
if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']):
raise ConfigError(
'Command "import vrf" conflicts with "rd vpn export" command!')
+ if not dict_search('parameters.router_id', bgp):
+ Warning(f'BGP "router-id" is required when using "rd" and "route-target"!')
if dict_search('route_target.vpn.both', afi_config):
if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']):
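Review bot: The message on the added `Warning(...)` line is an f-string with no placeholders; drop the prefix: `Warning('BGP "router-id" is required when using "rd" and "route-target"!')`. Whether the call has any effect depends on which `Warning` is in scope: if it is Python's builtin exception class rather than the VyOS warning helper, the object is constructed and discarded without any output; the imports are outside this hunk, so confirm. Indentation is not preserved in this rendering, so it is also worth checking that the check sits at the intended nesting level relative to the preceding `raise`. `verify()` starts before the hunk.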
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index 2e678cf0b..f6b80552b 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -30,6 +30,7 @@ airbag.enable()
config_file = r'/run/fastnetmon/fastnetmon.conf'
networks_list = r'/run/fastnetmon/networks_list'
excluded_networks_list = r'/run/fastnetmon/excluded_networks_list'
+attack_dir = '/var/log/fastnetmon_attacks'
def get_config(config=None):
if config:
@@ -55,8 +56,11 @@ def verify(fastnetmon):
if 'mode' not in fastnetmon:
raise ConfigError('Specify operating mode!')
- if 'listen_interface' not in fastnetmon:
- raise ConfigError('Specify interface(s) for traffic capture')
+ if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon:
+ raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring")
+
+ if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}):
+ raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'")
if 'alert_script' in fastnetmon:
if os.path.isfile(fastnetmon['alert_script']):
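Review bot: Both new checks use `fastnetmon.get('mode')` even though the preceding `if 'mode' not in fastnetmon: raise ConfigError(...)` two lines above already guarantees the key; a plain `fastnetmon['mode']` reads more directly and matches how `listen_interface` is tested. A single lookup also avoids repeating the mode string twice, e.g. `mode = fastnetmon['mode']` followed by `if mode == 'mirror' and ...` / `if mode == 'sflow' and ...`. `verify()` starts before and continues past the hunk.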
@@ -74,6 +78,10 @@ def generate(fastnetmon):
return None
+ # Create dir for log attack details
+ if not os.path.exists(attack_dir):
+ os.mkdir(attack_dir)
+
render(config_file, 'ids/fastnetmon.j2', fastnetmon)
render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon)
render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon)
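Review bot: The added `os.path.exists`/`os.mkdir` pair in `generate()` is a check-then-act sequence that raises `FileExistsError` if the directory appears between the two calls, and it creates the directory with the umask-derived default mode. `os.makedirs(attack_dir, mode=0o750, exist_ok=True)` removes the race and, since the attack detail files written there presumably contain traffic samples — confirm against the fastnetmon configuration — keeps them readable only by the service owner and its group; note `makedirs` does not change the mode of a directory that already exists. The `attack_dir` constant added in the earlier hunk is a plain string while its three siblings are raw strings, which is harmless but inconsistent. `generate()` starts before the hunk.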