diff options
44 files changed, 607 insertions, 128 deletions
diff --git a/.github/workflows/mergifyio_backport.yml b/.github/workflows/mergifyio_backport.yml index f1f4312c4..d9f863d9a 100644 --- a/.github/workflows/mergifyio_backport.yml +++ b/.github/workflows/mergifyio_backport.yml @@ -13,7 +13,7 @@ jobs: id: regex-match with: text: ${{ github.event.comment.body }} - regex: '[Mm]ergifyio backport ' + regex: '@[Mm][Ee][Rr][Gg][Ii][Ff][Yy][Ii][Oo] backport ' - uses: actions-ecosystem/action-add-labels@v1 if: ${{ steps.regex-match.outputs.match != '' }} diff --git a/.github/workflows/pull-request-labels.yml b/.github/workflows/pull-request-labels.yml index 3398af5b0..43856beaa 100644 --- a/.github/workflows/pull-request-labels.yml +++ b/.github/workflows/pull-request-labels.yml @@ -12,9 +12,9 @@ on: jobs: add-pr-label: name: Add PR Labels - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: contents: read pull-requests: write steps: - - uses: actions/labeler@v5.0.0 + - uses: actions/labeler@v5 diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index ddf0da518..42bc8440c 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -67,7 +67,7 @@ service-name={{ service_name | join(',') }} {% set delay_without_sessions = pado_delay.delays_without_sessions[0] | default('0') %} {% set pado_delay_param = namespace(value=delay_without_sessions) %} {% for delay, sessions in pado_delay.delays_with_sessions | sort(attribute='1') %} -{% if not loop.last %} +{% if not delay == 'disable' %} {% set pado_delay_param.value = pado_delay_param.value + ',' + delay + ':' + sessions | string %} {% else %} {% set pado_delay_param.value = pado_delay_param.value + ',-1:' + sessions | string %} diff --git a/data/templates/iproute2/static.conf.j2 b/data/templates/iproute2/static.conf.j2 index 10c9bdab7..249483ab3 100644 --- a/data/templates/iproute2/static.conf.j2 +++ b/data/templates/iproute2/static.conf.j2 @@ -2,7 +2,7 @@ {% if table is vyos_defined %} {% for t, t_options in table.items() %} {% if t_options.description is vyos_defined %} -{{ "%-6s" | format(t) }} {{ "%-40s" | format(t_options.description) }} +{{ "%-6s" | format(t) }} {{ "%-40s" | format(t_options.description | replace(" ", "_")) }} {% endif %} {% endfor %} {% endif %} diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index dd93afba5..7917c8257 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -69,11 +69,23 @@ frontend {{ front }} {% endif %} {% if front_config.mode is vyos_defined %} mode {{ front_config.mode }} +{% if front_config.tcp_request.inspect_delay is vyos_defined %} + tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }} +{% endif %} +{# add tcp-request related directive if ssl is configed #} +{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} +{% if rule_config.ssl is vyos_defined %} + tcp-request content accept if { req_ssl_hello_type 1 } +{% break %} +{% endif %} +{% endfor %} +{% endif %} {% endif %} {% if front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} # rule {{ rule }} -{% if rule_config.domain_name is vyos_defined and rule_config.set.backend is vyos_defined %} +{% if rule_config.domain_name is vyos_defined %} {% set rule_options = 'hdr(host)' %} {% if rule_config.ssl is vyos_defined %} {% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %} @@ -82,16 +94,20 @@ frontend {{ front }} {% for domain in rule_config.domain_name %} acl {{ rule }} {{ rule_options }} -i {{ domain }} {% endfor %} - use_backend {{ rule_config.set.backend }} if {{ rule }} {% endif %} {# path url #} -{% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %} +{% if rule_config.url_path is vyos_defined %} {% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %} {% for path, path_config in rule_config.url_path.items() %} {% for url in path_config %} acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }} {% endfor %} {% endfor %} +{% endif %} +{% if rule_config.set.backend is vyos_defined %} + use_backend {{ rule_config.set.backend }} if {{ rule }} +{% endif %} +{% if rule_config.set.redirect_location is vyos_defined %} http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }} {% endif %} {# endpath #} diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index b5e890c32..81f777031 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -61,7 +61,15 @@ keepalive = 300 dpd = 60 mobile-dpd = 300 switch-to-tcp-timeout = 30 +{% if tls_version_min == '1.0' %} tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" +{% elif tls_version_min == '1.1' %} +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0" +{% elif tls_version_min == '1.2' %} +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1" +{% elif tls_version_min == '1.3' %} +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2" +{% endif %} auth-timeout = 240 idle-timeout = 1200 mobile-idle-timeout = 1800 diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i index cdd0bf300..3c2eb09eb 100644 --- a/interface-definitions/include/accel-ppp/radius-additions.xml.i +++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i @@ -122,7 +122,7 @@ </constraint> <valueHelp> <format>ipv4</format> - <description>IPv4 address for aynamic authorization server</description> + <description>IPv4 address for dynamic authorization server</description> </valueHelp> </properties> </leafNode> diff --git a/interface-definitions/include/haproxy/tcp-request.xml.i b/interface-definitions/include/haproxy/tcp-request.xml.i new file mode 100644 index 000000000..3d60bd8ad --- /dev/null +++ b/interface-definitions/include/haproxy/tcp-request.xml.i @@ -0,0 +1,22 @@ +<!-- include start from haproxy/tcp-request.xml.i --> +<node name="tcp-request"> + <properties> + <help>TCP request directive</help> + </properties> + <children> + <leafNode name="inspect-delay"> + <properties> + <help>Set the maximum allowed time to wait for data during content inspection</help> + <valueHelp> + <format>u32:1-65535</format> + <description>The timeout value specified in milliseconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + <constraintErrorMessage>The timeout value must be in range 1 to 65535 milliseconds</constraintErrorMessage> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/interface/base-reachable-time.xml.i b/interface-definitions/include/interface/base-reachable-time.xml.i new file mode 100644 index 000000000..fb0d70101 --- /dev/null +++ b/interface-definitions/include/interface/base-reachable-time.xml.i @@ -0,0 +1,16 @@ +<!-- include start from interface/base-reachable-time.xml.i --> +<leafNode name="base-reachable-time"> + <properties> + <help>Base reachable time in seconds</help> + <valueHelp> + <format>u32:1-86400</format> + <description>Base reachable time in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-86400"/> + </constraint> + <constraintErrorMessage>Base reachable time must be between 1 and 86400 seconds</constraintErrorMessage> + </properties> + <defaultValue>30</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/ipv6-options.xml.i b/interface-definitions/include/interface/ipv6-options.xml.i index edb4a74f9..ec6ec64ee 100644 --- a/interface-definitions/include/interface/ipv6-options.xml.i +++ b/interface-definitions/include/interface/ipv6-options.xml.i @@ -5,6 +5,7 @@ </properties> <children> #include <include/interface/adjust-mss.xml.i> + #include <include/interface/base-reachable-time.xml.i> #include <include/interface/disable-forwarding.xml.i> #include <include/interface/ipv6-accept-dad.xml.i> #include <include/interface/ipv6-address.xml.i> diff --git a/interface-definitions/include/pppoe-access-concentrator.xml.i b/interface-definitions/include/pppoe-access-concentrator.xml.i index ccfcc1c49..8a75dae08 100644 --- a/interface-definitions/include/pppoe-access-concentrator.xml.i +++ b/interface-definitions/include/pppoe-access-concentrator.xml.i @@ -3,9 +3,9 @@ <properties> <help>Access concentrator name</help> <constraint> - <regex>[a-zA-Z0-9]{1,100}</regex> + #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i> </constraint> - <constraintErrorMessage>Access-concentrator name must be alphanumerical only (max. 100 characters)</constraintErrorMessage> + <constraintErrorMessage>Access-concentrator name can only contain alpha-numeric letters, hyphen and underscores(max. 100 characters)</constraintErrorMessage> </properties> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/tls-version-min.xml.i b/interface-definitions/include/tls-version-min.xml.i new file mode 100644 index 000000000..b3dcbad49 --- /dev/null +++ b/interface-definitions/include/tls-version-min.xml.i @@ -0,0 +1,29 @@ +<!-- include start from tls-version-min.xml.i --> +<leafNode name="tls-version-min"> + <properties> + <help>Specify the minimum required TLS version</help> + <completionHelp> + <list>1.0 1.1 1.2 1.3</list> + </completionHelp> + <valueHelp> + <format>1.0</format> + <description>TLS v1.0</description> + </valueHelp> + <valueHelp> + <format>1.1</format> + <description>TLS v1.1</description> + </valueHelp> + <valueHelp> + <format>1.2</format> + <description>TLS v1.2</description> + </valueHelp> + <valueHelp> + <format>1.3</format> + <description>TLS v1.3</description> + </valueHelp> + <constraint> + <regex>(1.0|1.1|1.2|1.3)</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/version/openconnect-version.xml.i b/interface-definitions/include/version/openconnect-version.xml.i index 654806278..15097eebe 100644 --- a/interface-definitions/include/version/openconnect-version.xml.i +++ b/interface-definitions/include/version/openconnect-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/openconnect-version.xml.i --> -<syntaxVersion component='openconnect' version='2'></syntaxVersion> +<syntaxVersion component='openconnect' version='3'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/pppoe-server-version.xml.i b/interface-definitions/include/version/pppoe-server-version.xml.i index c253c58d9..61de1277a 100644 --- a/interface-definitions/include/version/pppoe-server-version.xml.i +++ b/interface-definitions/include/version/pppoe-server-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/pppoe-server-version.xml.i --> -<syntaxVersion component='pppoe-server' version='9'></syntaxVersion> +<syntaxVersion component='pppoe-server' version='10'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces_openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in index 389b5b5c9..7b46f32b3 100644 --- a/interface-definitions/interfaces_openvpn.xml.in +++ b/interface-definitions/interfaces_openvpn.xml.in @@ -739,33 +739,7 @@ <constraintErrorMessage>Peer certificate fingerprint must be a colon-separated SHA256 hex digest</constraintErrorMessage> </properties> </leafNode> - <leafNode name="tls-version-min"> - <properties> - <help>Specify the minimum required TLS version</help> - <completionHelp> - <list>1.0 1.1 1.2 1.3</list> - </completionHelp> - <valueHelp> - <format>1.0</format> - <description>TLS v1.0</description> - </valueHelp> - <valueHelp> - <format>1.1</format> - <description>TLS v1.1</description> - </valueHelp> - <valueHelp> - <format>1.2</format> - <description>TLS v1.2</description> - </valueHelp> - <valueHelp> - <format>1.3</format> - <description>TLS v1.3</description> - </valueHelp> - <constraint> - <regex>(1.0|1.1|1.2|1.3)</regex> - </constraint> - </properties> - </leafNode> + #include <include/tls-version-min.xml.i> <leafNode name="role"> <properties> <help>TLS negotiation role</help> diff --git a/interface-definitions/load-balancing_reverse-proxy.xml.in b/interface-definitions/load-balancing_reverse-proxy.xml.in index eb01580da..6a3b3cef1 100644 --- a/interface-definitions/load-balancing_reverse-proxy.xml.in +++ b/interface-definitions/load-balancing_reverse-proxy.xml.in @@ -38,6 +38,7 @@ #include <include/haproxy/mode.xml.i> #include <include/port-number.xml.i> #include <include/haproxy/rule-frontend.xml.i> + #include <include/haproxy/tcp-request.xml.i> <leafNode name="redirect-http-to-https"> <properties> <help>Redirect HTTP to HTTPS</help> diff --git a/interface-definitions/service_config-sync.xml.in b/interface-definitions/service_config-sync.xml.in index e9ea9aa4b..648c14aee 100644 --- a/interface-definitions/service_config-sync.xml.in +++ b/interface-definitions/service_config-sync.xml.in @@ -34,6 +34,10 @@ </constraint> </properties> </leafNode> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>443</defaultValue> + </leafNode> <leafNode name="timeout"> <properties> <help>Connection API timeout</help> diff --git a/interface-definitions/service_dns_forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in index a54618e82..b52b4bda3 100644 --- a/interface-definitions/service_dns_forwarding.xml.in +++ b/interface-definitions/service_dns_forwarding.xml.in @@ -115,7 +115,7 @@ <description>An absolute DNS domain name</description> </valueHelp> <constraint> - <validator name="fqdn"/> + <regex>((?!-)[-_a-zA-Z0-9.]{1,63}|@|any)(?<!\.)</regex> </constraint> </properties> <children> diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index 9b5e4d3fb..5d357c2f9 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -74,11 +74,19 @@ <properties> <help>PADO delays</help> <valueHelp> + <format>disable</format> + <description>Disable new connections</description> + </valueHelp> + <completionHelp> + <list>disable</list> + </completionHelp> + <valueHelp> <format>u32:1-999999</format> <description>Number in ms</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-999999"/> + <regex>disable</regex> </constraint> <constraintErrorMessage>Invalid PADO delay</constraintErrorMessage> </properties> diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in index 736084f8b..7849d6886 100644 --- a/interface-definitions/vpn_openconnect.xml.in +++ b/interface-definitions/vpn_openconnect.xml.in @@ -266,6 +266,10 @@ <valueless/> </properties> </leafNode> + #include <include/tls-version-min.xml.i> + <leafNode name="tls-version-min"> + <defaultValue>1.2</defaultValue> + </leafNode> <node name="ssl"> <properties> <help>SSL Certificate, SSL Key and CA</help> diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index 1b86982c4..f0897bc21 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -1,4 +1,4 @@ -# Copyright 2019-2023 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2019-2024 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -193,6 +193,9 @@ class Interface(Control): 'validate': assert_positive, 'location': '/proc/sys/net/ipv6/conf/{ifname}/dad_transmits', }, + 'ipv6_cache_tmo': { + 'location': '/proc/sys/net/ipv6/neigh/{ifname}/base_reachable_time_ms', + }, 'path_cost': { # XXX: we should set a maximum 'validate': assert_positive, @@ -261,6 +264,9 @@ class Interface(Control): 'ipv6_dad_transmits': { 'location': '/proc/sys/net/ipv6/conf/{ifname}/dad_transmits', }, + 'ipv6_cache_tmo': { + 'location': '/proc/sys/net/ipv6/neigh/{ifname}/base_reachable_time_ms', + }, 'proxy_arp': { 'location': '/proc/sys/net/ipv4/conf/{ifname}/proxy_arp', }, @@ -613,6 +619,21 @@ class Interface(Control): return None return self.set_interface('arp_cache_tmo', tmo) + def set_ipv6_cache_tmo(self, tmo): + """ + Set IPv6 cache timeout value in seconds. Internal Kernel representation + is in milliseconds. + + Example: + >>> from vyos.ifconfig import Interface + >>> Interface('eth0').set_ipv6_cache_tmo(40) + """ + tmo = str(int(tmo) * 1000) + tmp = self.get_interface('ipv6_cache_tmo') + if tmp == tmo: + return None + return self.set_interface('ipv6_cache_tmo', tmo) + def _cleanup_mss_rules(self, table, ifname): commands = [] results = self._cmd(f'nft -a list chain {table} VYOS_TCP_MSS').split("\n") @@ -1698,6 +1719,11 @@ class Interface(Control): for addr in tmp: self.add_ipv6_eui64_address(addr) + # Configure IPv6 base time in milliseconds - has default value + tmp = dict_search('ipv6.base_reachable_time', config) + value = tmp if (tmp != None) else '30' + self.set_ipv6_cache_tmo(value) + # re-add ourselves to any bridge we might have fallen out of if 'is_bridge_member' in config: tmp = config.get('is_bridge_member') diff --git a/python/vyos/pki.py b/python/vyos/pki.py index 3c577db4d..27fe793a8 100644 --- a/python/vyos/pki.py +++ b/python/vyos/pki.py @@ -146,7 +146,7 @@ def create_certificate_request(subject, private_key, subject_alt_names=[]): if isinstance(obj, ipaddress.IPv4Address) or isinstance(obj, ipaddress.IPv6Address): alt_names.append(x509.IPAddress(obj)) elif isinstance(obj, str): - alt_names.append(x509.DNSName(obj)) + alt_names.append(x509.RFC822Name(obj) if '@' in obj else x509.DNSName(obj)) if alt_names: builder = builder.add_extension(x509.SubjectAlternativeName(alt_names), critical=False) diff --git a/python/vyos/qos/base.py b/python/vyos/qos/base.py index f9366c6b1..4173a1a43 100644 --- a/python/vyos/qos/base.py +++ b/python/vyos/qos/base.py @@ -246,6 +246,7 @@ class QoSBase: filter_cmd_base += ' protocol all' if 'match' in cls_config: + is_filtered = False for index, (match, match_config) in enumerate(cls_config['match'].items(), start=1): filter_cmd = filter_cmd_base if self.qostype == 'shaper' and 'prio ' not in filter_cmd: @@ -330,11 +331,13 @@ class QoSBase: cls = int(cls) filter_cmd += f' flowid {self._parent:x}:{cls:x}' self._cmd(filter_cmd) + is_filtered = True vlan_expression = "match.*.vif" match_vlan = jmespath.search(vlan_expression, cls_config) - if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in cls_config): + if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in cls_config) \ + and is_filtered: # For "vif" "basic match" is used instead of "action police" T5961 if not match_vlan: filter_cmd += f' action police' diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py index 737c07401..c8b17316f 100755 --- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py +++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py @@ -180,6 +180,7 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): mode = 'http' rule_ten = '10' rule_twenty = '20' + rule_thirty = '30' send_proxy = 'send-proxy' max_connections = '1000' @@ -192,6 +193,8 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['service', frontend, 'rule', rule_ten, 'set', 'backend', bk_first_name]) self.cli_set(base_path + ['service', frontend, 'rule', rule_twenty, 'domain-name', domain_bk_second]) self.cli_set(base_path + ['service', frontend, 'rule', rule_twenty, 'set', 'backend', bk_second_name]) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'url-path', 'end', '/test']) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'set', 'backend', bk_second_name]) self.cli_set(back_base + [bk_first_name, 'mode', mode]) self.cli_set(back_base + [bk_first_name, 'server', bk_first_name, 'address', bk_server_first]) @@ -222,6 +225,8 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): self.assertIn(f'use_backend {bk_first_name} if {rule_ten}', config) self.assertIn(f'acl {rule_twenty} hdr(host) -i {domain_bk_second}', config) self.assertIn(f'use_backend {bk_second_name} if {rule_twenty}', config) + self.assertIn(f'acl {rule_thirty} path -i -m end /test', config) + self.assertIn(f'use_backend {bk_second_name} if {rule_thirty}', config) # Backend self.assertIn(f'backend {bk_first_name}', config) @@ -299,39 +304,86 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase): self.cli_commit() def test_05_lb_reverse_proxy_backend_http_check(self): - # Setup base - self.base_config() - - # Set http-check - self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'method', 'get']) - self.cli_commit() - - # Test http-check - config = read_file(HAPROXY_CONF) - self.assertIn('option httpchk', config) - self.assertIn('http-check send meth GET', config) - - # Set http-check with uri and status - self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'uri', '/health']) - self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'expect', 'status', '200']) - self.cli_commit() - - # Test http-check with uri and status - config = read_file(HAPROXY_CONF) - self.assertIn('option httpchk', config) - self.assertIn('http-check send meth GET uri /health', config) - self.assertIn('http-check expect status 200', config) - - # Set http-check with string - self.cli_delete(base_path + ['backend', 'bk-01', 'http-check', 'expect', 'status', '200']) - self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'expect', 'string', 'success']) - self.cli_commit() - - # Test http-check with string - config = read_file(HAPROXY_CONF) - self.assertIn('option httpchk', config) - self.assertIn('http-check send meth GET uri /health', config) - self.assertIn('http-check expect string success', config) + # Setup base + self.base_config() + + # Set http-check + self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'method', 'get']) + self.cli_commit() + + # Test http-check + config = read_file(HAPROXY_CONF) + self.assertIn('option httpchk', config) + self.assertIn('http-check send meth GET', config) + + # Set http-check with uri and status + self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'uri', '/health']) + self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'expect', 'status', '200']) + self.cli_commit() + + # Test http-check with uri and status + config = read_file(HAPROXY_CONF) + self.assertIn('option httpchk', config) + self.assertIn('http-check send meth GET uri /health', config) + self.assertIn('http-check expect status 200', config) + + # Set http-check with string + self.cli_delete(base_path + ['backend', 'bk-01', 'http-check', 'expect', 'status', '200']) + self.cli_set(base_path + ['backend', 'bk-01', 'http-check', 'expect', 'string', 'success']) + self.cli_commit() + + # Test http-check with string + config = read_file(HAPROXY_CONF) + self.assertIn('option httpchk', config) + self.assertIn('http-check send meth GET uri /health', config) + self.assertIn('http-check expect string success', config) + + def test_06_lb_reverse_proxy_tcp_mode(self): + frontend = 'tcp_8443' + mode = 'tcp' + front_port = '8433' + tcp_request_delay = "5000" + rule_thirty = '30' + domain_bk = 'n6.example.com' + ssl_opt = "req-ssl-sni" + bk_name = 'bk-03' + bk_server = '192.0.2.11' + bk_server_port = '9090' + + back_base = base_path + ['backend'] + + self.cli_set(base_path + ['service', frontend, 'mode', mode]) + self.cli_set(base_path + ['service', frontend, 'port', front_port]) + self.cli_set(base_path + ['service', frontend, 'tcp-request', 'inspect-delay', tcp_request_delay]) + + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'domain-name', domain_bk]) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'ssl', ssl_opt]) + self.cli_set(base_path + ['service', frontend, 'rule', rule_thirty, 'set', 'backend', bk_name]) + + self.cli_set(back_base + [bk_name, 'mode', mode]) + self.cli_set(back_base + [bk_name, 'server', bk_name, 'address', bk_server]) + self.cli_set(back_base + [bk_name, 'server', bk_name, 'port', bk_server_port]) + + # commit changes + self.cli_commit() + + config = read_file(HAPROXY_CONF) + + # Frontend + self.assertIn(f'frontend {frontend}', config) + self.assertIn(f'bind :::{front_port} v4v6', config) + self.assertIn(f'mode {mode}', config) + + self.assertIn(f'tcp-request inspect-delay {tcp_request_delay}', config) + self.assertIn(f"tcp-request content accept if {{ req_ssl_hello_type 1 }}", config) + self.assertIn(f'acl {rule_thirty} req_ssl_sni -i {domain_bk}', config) + self.assertIn(f'use_backend {bk_name} if {rule_thirty}', config) + + # Backend + self.assertIn(f'backend {bk_name}', config) + self.assertIn(f'balance roundrobin', config) + self.assertIn(f'mode {mode}', config) + self.assertIn(f'server {bk_name} {bk_server}:{bk_server_port}', config) if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_qos.py b/smoketest/scripts/cli/test_qos.py index 4f41e36cd..fef1ff23a 100755 --- a/smoketest/scripts/cli/test_qos.py +++ b/smoketest/scripts/cli/test_qos.py @@ -697,6 +697,45 @@ class TestQoS(VyOSUnitTestSHIM.TestCase): for config_entry in config_entries: self.assertIn(config_entry, output) + def test_13_shaper_delete_only_rule(self): + default_bandwidth = 100 + default_burst = 100 + interface = self._interfaces[0] + class_bandwidth = 50 + class_ceiling = 5 + src_address = '10.1.1.0/24' + + shaper_name = f'qos-shaper-{interface}' + self.cli_set(base_path + ['interface', interface, 'egress', shaper_name]) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'bandwidth', f'10mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'bandwidth', f'{default_bandwidth}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'burst', f'{default_burst}']) + + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'bandwidth', f'{class_bandwidth}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'ceiling', f'{class_ceiling}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'match', 'ADDRESS30', 'ip', 'source', 'address', src_address]) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'match', 'ADDRESS30', 'description', 'smoketest']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'priority', '5']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'queue-type', 'fair-queue']) + + # commit changes + self.cli_commit() + # check root htb config + output = cmd(f'tc class show dev {interface}') + + config_entries = ( + f'prio 5 rate {class_bandwidth}Mbit ceil {class_ceiling}Mbit burst 15Kb', # specified class + f'prio 7 rate {default_bandwidth}Mbit ceil 100Mbit burst {default_burst}b', # default class + ) + for config_entry in config_entries: + self.assertIn(config_entry, output) + + self.assertTrue('' != cmd(f'tc filter show dev {interface}')) + # self.cli_delete(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'match', 'ADDRESS30']) + self.cli_delete(base_path + ['policy', 'shaper', shaper_name, 'class', '30', 'match', 'ADDRESS30', 'ip', 'source', 'address', src_address]) + self.cli_commit() + self.assertEqual('', cmd(f'tc filter show dev {interface}')) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_pppoe-server.py b/smoketest/scripts/cli/test_service_pppoe-server.py index 5a48b1f58..97c63d4cb 100755 --- a/smoketest/scripts/cli/test_service_pppoe-server.py +++ b/smoketest/scripts/cli/test_service_pppoe-server.py @@ -168,7 +168,14 @@ class TestServicePPPoEServer(BasicAccelPPPTest.TestCase): conf = ConfigParser(allow_no_value=True, delimiters='=') conf.read(self._config_file) - self.assertEqual(conf['pppoe']['pado-delay'], '10,20:200,-1:300') + self.assertEqual(conf['pppoe']['pado-delay'], '10,20:200,30:300') + + self.set(['pado-delay', 'disable', 'sessions', '400']) + self.cli_commit() + + conf = ConfigParser(allow_no_value=True, delimiters='=') + conf.read(self._config_file) + self.assertEqual(conf['pppoe']['pado-delay'], '10,20:200,30:300,-1:400') if __name__ == '__main__': diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index 96e858fdb..a2e426dc7 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py @@ -210,6 +210,9 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): # Verify configuration daemon_config = read_file(config_file) + # Verify TLS string (with default setting) + self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"', daemon_config) + # authentication mode local password-otp self.assertIn(f'auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"', daemon_config) self.assertIn(f'listen-host = {listen_ip_no_cidr}', daemon_config) @@ -253,5 +256,13 @@ class TestVPNOpenConnect(VyOSUnitTestSHIM.TestCase): self.assertIn('included-http-headers = Pragma: no-cache', daemon_config) self.assertIn('included-http-headers = Cache-control: no-store, no-cache', daemon_config) + # Set TLS version to the highest security (v1.3 min) + self.cli_set(base_path + ['tls-version-min', '1.3']) + self.cli_commit() + + # Verify TLS string + daemon_config = read_file(config_file) + self.assertIn('tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"', daemon_config) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/interfaces_wireless.py b/src/conf_mode/interfaces_wireless.py index 02b4a2500..c0a17c0bc 100755 --- a/src/conf_mode/interfaces_wireless.py +++ b/src/conf_mode/interfaces_wireless.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2020 VyOS maintainers and contributors +# Copyright (C) 2019-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -31,8 +31,9 @@ from vyos.configverify import verify_vrf from vyos.configverify import verify_bond_bridge_member from vyos.ifconfig import WiFiIf from vyos.template import render -from vyos.utils.process import call from vyos.utils.dict import dict_search +from vyos.utils.kernel import check_kmod +from vyos.utils.process import call from vyos import ConfigError from vyos import airbag airbag.enable() @@ -118,6 +119,10 @@ def verify(wifi): if 'physical_device' not in wifi: raise ConfigError('You must specify a physical-device "phy"') + physical_device = wifi['physical_device'] + if not os.path.exists(f'/sys/class/ieee80211/{physical_device}'): + raise ConfigError(f'Wirelss interface PHY "{physical_device}" does not exist!') + if 'type' not in wifi: raise ConfigError('You must specify a WiFi mode') @@ -266,6 +271,7 @@ def apply(wifi): if __name__ == '__main__': try: + check_kmod('mac80211') c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index 2b16de775..4df97d133 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py @@ -473,6 +473,22 @@ def verify(bgp): if peer_group_as is None or (peer_group_as != 'internal' and peer_group_as != bgp['system_as']): raise ConfigError('route-reflector-client only supported for iBGP peers') + # T5833 not all AFIs are supported for VRF + if 'vrf' in bgp and 'address_family' in peer_config: + unsupported_vrf_afi = { + 'ipv4_flowspec', + 'ipv6_flowspec', + 'ipv4_labeled_unicast', + 'ipv6_labeled_unicast', + 'ipv4_vpn', + 'ipv6_vpn', + } + for afi in peer_config['address_family']: + if afi in unsupported_vrf_afi: + raise ConfigError( + f"VRF is not allowed for address-family '{afi.replace('_', '-')}'" + ) + # Throw an error if a peer group is not configured for allow range for prefix in dict_search('listen.range', bgp) or []: # we can not use dict_search() here as prefix contains dots ... diff --git a/src/conf_mode/protocols_pim.py b/src/conf_mode/protocols_pim.py index 09c3be8df..d450d11ca 100755 --- a/src/conf_mode/protocols_pim.py +++ b/src/conf_mode/protocols_pim.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020-2023 VyOS maintainers and contributors +# Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -16,6 +16,7 @@ import os +from ipaddress import IPv4Address from ipaddress import IPv4Network from signal import SIGTERM from sys import exit @@ -32,6 +33,9 @@ from vyos import frr from vyos import airbag airbag.enable() +RESERVED_MC_NET = '224.0.0.0/24' + + def get_config(config=None): if config: conf = config @@ -92,9 +96,15 @@ def verify(pim): if 'interface' not in pim: raise ConfigError('PIM require defined interfaces!') - for interface in pim['interface']: + for interface, interface_config in pim['interface'].items(): verify_interface_exists(interface) + # Check join group in reserved net + if 'igmp' in interface_config and 'join' in interface_config['igmp']: + for join_addr in interface_config['igmp']['join']: + if IPv4Address(join_addr) in IPv4Network(RESERVED_MC_NET): + raise ConfigError(f'Groups within {RESERVED_MC_NET} are reserved and cannot be joined!') + if 'rp' in pim: if 'address' not in pim['rp']: raise ConfigError('PIM rendezvous point needs to be defined!') diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py index 3dfb4bab8..ccfc8f6b8 100755 --- a/src/conf_mode/qos.py +++ b/src/conf_mode/qos.py @@ -70,6 +70,22 @@ def get_shaper(qos, interface_config, direction): return (map_vyops_tc[shaper_type], shaper_config) + +def _clean_conf_dict(conf): + """ + Delete empty nodes from config e.g. + match ADDRESS30 { + ip { + source {} + } + } + """ + if isinstance(conf, dict): + return {node: _clean_conf_dict(val) for node, val in conf.items() if val != {} and _clean_conf_dict(val) != {}} + else: + return conf + + def get_config(config=None): if config: conf = config @@ -120,6 +136,13 @@ def get_config(config=None): if 'queue_limit' not in qos['policy'][policy][p_name]['precedence'][precedence]: qos['policy'][policy][p_name]['precedence'][precedence]['queue_limit'] = \ str(int(4 * max_thr)) + # cleanup empty match config + if 'class' in p_config: + for cls, cls_config in p_config['class'].items(): + if 'match' in cls_config: + cls_config['match'] = _clean_conf_dict(cls_config['match']) + if cls_config['match'] == {}: + del cls_config['match'] return qos diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 11e950782..28b7fb03c 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -66,7 +66,7 @@ def verify(ipoe): raise ConfigError('No IPoE interface configured') for interface, iface_config in ipoe['interface'].items(): - verify_interface_exists(interface) + verify_interface_exists(interface, warning_only=True) if 'client_subnet' in iface_config and 'vlan' in iface_config: raise ConfigError('Option "client-subnet" and "vlan" are mutually exclusive, ' 'use "client-ip-pool" instead!') diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index b9d174933..c95f976d3 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -84,12 +84,29 @@ def verify_pado_delay(pppoe): pado_delay = pppoe['pado_delay'] delays_without_sessions = pado_delay['delays_without_sessions'] + if 'disable' in delays_without_sessions: + raise ConfigError( + 'Number of sessions must be specified for "pado-delay disable"' + ) + if len(delays_without_sessions) > 1: raise ConfigError( f'Cannot add more then ONE pado-delay without sessions, ' f'but {len(delays_without_sessions)} were set' ) + if 'disable' in [delay[0] for delay in pado_delay['delays_with_sessions']]: + # need to sort delays by sessions to verify if there is no delay + # for sessions after disabling + sorted_pado_delay = sorted(pado_delay['delays_with_sessions'], key=lambda k_v: k_v[1]) + last_delay = sorted_pado_delay[-1] + + if last_delay[0] != 'disable': + raise ConfigError( + f'Cannot add pado-delay after disabled sessions, but ' + f'"pado-delay {last_delay[0]} sessions {last_delay[1]}" was set' + ) + def verify(pppoe): if not pppoe: return None @@ -105,7 +122,7 @@ def verify(pppoe): # Check is interface exists in the system for interface in pppoe['interface']: - verify_interface_exists(interface) + verify_interface_exists(interface, warning_only=True) return None diff --git a/src/conf_mode/system_host-name.py b/src/conf_mode/system_host-name.py index 8975cadb6..3f245f166 100755 --- a/src/conf_mode/system_host-name.py +++ b/src/conf_mode/system_host-name.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2023 VyOS maintainers and contributors +# Copyright (C) 2018-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -22,6 +22,7 @@ import vyos.hostsd_client from vyos.base import Warning from vyos.config import Config +from vyos.configdict import leaf_node_changed from vyos.ifconfig import Section from vyos.template import is_ip from vyos.utils.process import cmd @@ -37,6 +38,7 @@ default_config_data = { 'domain_search': [], 'nameserver': [], 'nameservers_dhcp_interfaces': {}, + 'snmpd_restart_reqired': False, 'static_host_mapping': {} } @@ -52,6 +54,10 @@ def get_config(config=None): hosts['hostname'] = conf.return_value(['system', 'host-name']) + base = ['system'] + if leaf_node_changed(conf, base + ['host-name']) or leaf_node_changed(conf, base + ['domain-name']): + hosts['snmpd_restart_reqired'] = True + # This may happen if the config is not loaded yet, # e.g. if run by cloud-init if not hosts['hostname']: @@ -171,7 +177,7 @@ def apply(config): call("systemctl restart rsyslog.service") # If SNMP is running, restart it too - if process_named_running('snmpd'): + if process_named_running('snmpd') and config['snmpd_restart_reqired']: call('systemctl restart snmpd.service') return None diff --git a/src/etc/rsyslog.conf b/src/etc/rsyslog.conf index 9781f0835..b3f41acb6 100644 --- a/src/etc/rsyslog.conf +++ b/src/etc/rsyslog.conf @@ -15,21 +15,6 @@ $KLogPath /proc/kmsg #### GLOBAL DIRECTIVES #### ########################### -# The lines below cause all listed daemons/processes to be logged into -# /var/log/auth.log, then drops the message so it does not also go to the -# regular syslog so that messages are not duplicated - -$outchannel auth_log,/var/log/auth.log -if $programname == 'CRON' or - $programname == 'sudo' or - $programname == 'su' - then :omfile:$auth_log - -if $programname == 'CRON' or - $programname == 'sudo' or - $programname == 'su' - then stop - # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # A modern-style logfile format similar to TraditionalFileFormat, buth with high-precision timestamps and timezone information @@ -60,6 +45,21 @@ $Umask 0022 # $IncludeConfig /etc/rsyslog.d/*.conf +# The lines below cause all listed daemons/processes to be logged into +# /var/log/auth.log, then drops the message so it does not also go to the +# regular syslog so that messages are not duplicated + +$outchannel auth_log,/var/log/auth.log +if $programname == 'CRON' or + $programname == 'sudo' or + $programname == 'su' + then :omfile:$auth_log + +if $programname == 'CRON' or + $programname == 'sudo' or + $programname == 'su' + then stop + ############### #### RULES #### ############### diff --git a/src/helpers/vyos-vrrp-conntracksync.sh b/src/helpers/vyos-vrrp-conntracksync.sh index 0cc718938..90fa77f23 100755 --- a/src/helpers/vyos-vrrp-conntracksync.sh +++ b/src/helpers/vyos-vrrp-conntracksync.sh @@ -25,7 +25,7 @@ LOGCMD="logger -t $TAG -p $FACILITY.$LEVEL" VRRP_GRP="VRRP sync-group [$2]" FAILOVER_STATE="/var/run/vyatta-conntrackd-failover-state" -$LOGCMD "vyatta-vrrp-conntracksync invoked at `date`" +$LOGCMD "vyos-vrrp-conntracksync invoked at `date`" if ! systemctl is-active --quiet conntrackd.service; then echo "conntrackd service not running" @@ -148,7 +148,7 @@ case "$1" in *) echo UNKNOWN at `date` > $FAILOVER_STATE $LOGCMD "ERROR: `uname -n` unknown state transition for $VRRP_GRP" - echo "Usage: vyatta-vrrp-conntracksync.sh {master|backup|fault}" + echo "Usage: vyos-vrrp-conntracksync.sh {master|backup|fault}" exit 1 ;; esac diff --git a/src/helpers/vyos_config_sync.py b/src/helpers/vyos_config_sync.py index 0604b2837..9d9aec376 100755 --- a/src/helpers/vyos_config_sync.py +++ b/src/helpers/vyos_config_sync.py @@ -93,7 +93,8 @@ def set_remote_config( key: str, op: str, mask: Dict[str, Any], - config: Dict[str, Any]) -> Optional[Dict[str, Any]]: + config: Dict[str, Any], + port: int) -> Optional[Dict[str, Any]]: """Loads the VyOS configuration in JSON format to a remote host. Args: @@ -102,6 +103,7 @@ def set_remote_config( op (str): The operation to perform (set or load). mask (dict): The dict of paths in sections. config (dict): The dict of masked config data. + port (int): The remote API port Returns: Optional[Dict[str, Any]]: The response from the remote host as a @@ -113,7 +115,7 @@ def set_remote_config( # Disable the InsecureRequestWarning urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - url = f'https://{address}/configure-section' + url = f'https://{address}:{port}/configure-section' data = json.dumps({ 'op': op, 'mask': mask, @@ -138,7 +140,8 @@ def is_section_revised(section: List[str]) -> bool: def config_sync(secondary_address: str, secondary_key: str, sections: List[list[str]], - mode: str): + mode: str, + secondary_port: int): """Retrieve a config section from primary router in JSON format and send it to secondary router """ @@ -158,7 +161,8 @@ def config_sync(secondary_address: str, key=secondary_key, op=mode, mask=mask_dict, - config=config_dict) + config=config_dict, + port=secondary_port) logger.debug(f"Set config for sections '{sections}': {set_config}") @@ -178,14 +182,12 @@ if __name__ == '__main__': secondary_address = config.get('secondary', {}).get('address') secondary_address = bracketize_ipv6(secondary_address) secondary_key = config.get('secondary', {}).get('key') + secondary_port = int(config.get('secondary', {}).get('port', 443)) sections = config.get('section') timeout = int(config.get('secondary', {}).get('timeout')) - if not all([ - mode, secondary_address, secondary_key, sections - ]): - logger.error( - "Missing required configuration data for config synchronization.") + if not all([mode, secondary_address, secondary_key, sections]): + logger.error("Missing required configuration data for config synchronization.") exit(0) # Generate list_sections of sections/subsections @@ -200,5 +202,4 @@ if __name__ == '__main__': else: list_sections.append([section]) - config_sync(secondary_address, secondary_key, - list_sections, mode) + config_sync(secondary_address, secondary_key, list_sections, mode, secondary_port) diff --git a/src/migration-scripts/openconnect/2-to-3 b/src/migration-scripts/openconnect/2-to-3 new file mode 100755 index 000000000..e78fc8a91 --- /dev/null +++ b/src/migration-scripts/openconnect/2-to-3 @@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# T4982: Retain prior default TLS version (v1.0) when upgrading installations with existing openconnect configurations + +import sys + +from vyos.configtree import ConfigTree + +if len(sys.argv) < 2: + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + + +config = ConfigTree(config_file) +cfg_base = ['vpn', 'openconnect'] + +# bail out early if service is unconfigured +if not config.exists(cfg_base): + sys.exit(0) + +# new default is TLS 1.2 - set explicit old default value of TLS 1.0 for upgraded configurations to keep compatibility +tls_min_path = cfg_base + ['tls-version-min'] +if not config.exists(tls_min_path): + config.set(tls_min_path, value='1.0') + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/migration-scripts/pppoe-server/9-to-10 b/src/migration-scripts/pppoe-server/9-to-10 new file mode 100644 index 000000000..e0c782f04 --- /dev/null +++ b/src/migration-scripts/pppoe-server/9-to-10 @@ -0,0 +1,56 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Migration of pado-delay options + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['service', 'pppoe-server', 'pado-delay'] +if not config.exists(base): + exit(0) + +pado_delay = {} +for delay in config.list_nodes(base): + sessions = config.return_value(base + [delay, 'sessions']) + pado_delay[delay] = sessions + +# need to define delay for latest sessions +sorted_delays = dict(sorted(pado_delay.items(), key=lambda k_v: int(k_v[1]))) +last_delay = list(sorted_delays)[-1] + +# Rename last delay -> disable +tmp = base + [last_delay] +if config.exists(tmp): + config.rename(tmp, 'disable') + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/op_mode/connect_disconnect.py b/src/op_mode/connect_disconnect.py index bd02dc6ea..373f9e953 100755 --- a/src/op_mode/connect_disconnect.py +++ b/src/op_mode/connect_disconnect.py @@ -48,7 +48,7 @@ def connect(interface): if os.path.isdir(f'/sys/class/net/{interface}'): print(f'Interface {interface}: already connected!') elif check_ppp_running(interface): - print(f'Interface {interface}: connection is beeing established!') + print(f'Interface {interface}: connection is being established!') else: print(f'Interface {interface}: connecting...') call(f'systemctl restart ppp@{interface}.service') @@ -58,7 +58,7 @@ def connect(interface): else: call(f'VYOS_TAGNODE_VALUE={interface} /usr/libexec/vyos/conf_mode/interfaces_wwan.py') else: - print(f'Unknown interface {interface}, can not connect. Aborting!') + print(f'Unknown interface {interface}, cannot connect. Aborting!') # Reaply QoS configuration config = ConfigTreeQuery() @@ -90,7 +90,7 @@ def disconnect(interface): modem = interface.lstrip('wwan') call(f'mmcli --modem {modem} --simple-disconnect', stdout=DEVNULL) else: - print(f'Unknown interface {interface}, can not disconnect. Aborting!') + print(f'Unknown interface {interface}, cannot disconnect. Aborting!') def main(): parser = argparse.ArgumentParser() diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index 25554b781..442c186cc 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -16,6 +16,7 @@ import argparse import ipaddress +import json import re import tabulate import textwrap @@ -89,10 +90,38 @@ def get_nftables_details(family, hook, priority): out[rule_id] = rule return out -def output_firewall_vertical(rules, headers): +def get_nftables_group_members(family, table, name): + prefix = 'ip6' if family == 'ipv6' else 'ip' + out = [] + + try: + results_str = cmd(f'sudo nft -j list set {prefix} {table} {name}') + results = json.loads(results_str) + except: + return out + + if 'nftables' not in results: + return out + + for obj in results['nftables']: + if 'set' not in obj: + continue + + set_obj = obj['set'] + + if 'elem' in set_obj: + for elem in set_obj['elem']: + if isinstance(elem, str): + out.append(elem) + elif isinstance(elem, dict) and 'elem' in elem: + out.append(elem['elem']) + + return out + +def output_firewall_vertical(rules, headers, adjust=True): for rule in rules: - adjusted_rule = rule + [""] * (len(headers) - len(rule)) # account for different header length, like default-action - transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 65)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char + adjusted_rule = rule + [""] * (len(headers) - len(rule)) if adjust else rule # account for different header length, like default-action + transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 65)] for i, header in enumerate(headers) if i < len(adjusted_rule)] # create key-pair list from headers and rules lists; wrap at 100 char print(tabulate.tabulate(transformed_rule, tablefmt="presto")) print() @@ -453,6 +482,7 @@ def show_firewall_group(name=None): return out rows = [] + header_tail = [] for group_type, group_type_conf in firewall['group'].items(): ## @@ -479,21 +509,53 @@ def show_firewall_group(name=None): rows.append(row) else: + if not args.detail: + header_tail = ['Timeout', 'Expires'] + for dynamic_type in ['address_group', 'ipv6_address_group']: + family = 'ipv4' if dynamic_type == 'address_group' else 'ipv6' + prefix = 'DA_' if dynamic_type == 'address_group' else 'DA6_' if dynamic_type in firewall['group']['dynamic_group']: for dynamic_name, dynamic_conf in firewall['group']['dynamic_group'][dynamic_type].items(): references = find_references(dynamic_type, dynamic_name) row = [dynamic_name, textwrap.fill(dynamic_conf.get('description') or '', 50), dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D'] - row.append('N/D') - rows.append(row) + + members = get_nftables_group_members(family, 'vyos_filter', f'{prefix}{dynamic_name}') + + if not members: + if args.detail: + row.append('N/D') + else: + row += ["N/D"] * 3 + rows.append(row) + continue + + for idx, member in enumerate(members): + val = member.get('val', 'N/D') + timeout = str(member.get('timeout', 'N/D')) + expires = str(member.get('expires', 'N/D')) + + if args.detail: + row.append(f'{val} (timeout: {timeout}, expires: {expires})') + continue + + if idx > 0: + row = [""] * 4 + + row += [val, timeout, expires] + rows.append(row) + + if args.detail: + header_tail += [""] * (len(members) - 1) + rows.append(row) if rows: print('Firewall Groups\n') if args.detail: - header = ['Name', 'Description','Type', 'References', 'Members'] - output_firewall_vertical(rows, header) + header = ['Name', 'Description', 'Type', 'References', 'Members'] + header_tail + output_firewall_vertical(rows, header, adjust=False) else: - header = ['Name', 'Type', 'References', 'Members'] + header = ['Name', 'Type', 'References', 'Members'] + header_tail for i in rows: rows[rows.index(i)].pop(1) print(tabulate.tabulate(rows, header)) diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py index b1311b6f9..ba0e3b6db 100755 --- a/src/op_mode/image_installer.py +++ b/src/op_mode/image_installer.py @@ -26,6 +26,7 @@ from os import environ from typing import Union from urllib.parse import urlparse from passlib.hosts import linux_context +from errno import ENOSPC from psutil import disk_partitions @@ -939,6 +940,16 @@ def add_image(image_path: str, vrf: str = None, username: str = '', if set_as_default: grub.set_default(image_name, root_dir) + except OSError as e: + # if no space error, remove image dir and cleanup + if e.errno == ENOSPC: + cleanup(mounts=[str(iso_path)], + remove_items=[f'{root_dir}/boot/{image_name}']) + else: + # unmount an ISO and cleanup + cleanup([str(iso_path)]) + exit(f'Error: {e}') + except Exception as err: # unmount an ISO and cleanup cleanup([str(iso_path)]) diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index ad2c1ada0..b1ca6ee29 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -306,7 +306,7 @@ def parse_san_string(san_string): output.append(ipaddress.IPv4Address(value)) elif tag == 'ipv6': output.append(ipaddress.IPv6Address(value)) - elif tag == 'dns': + elif tag == 'dns' or tag == 'rfc822': output.append(value) return output @@ -324,7 +324,7 @@ def generate_certificate_request(private_key=None, key_type=None, return_request subject_alt_names = None if ask_san and ask_yes_no('Do you want to configure Subject Alternative Names?'): - print("Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net") + print("Enter alternative names in a comma separate list, example: ipv4:1.1.1.1,ipv6:fe80::1,dns:vyos.net,rfc822:user@vyos.net") san_string = ask_input('Enter Subject Alternative Names:') subject_alt_names = parse_san_string(san_string) diff --git a/src/services/vyos-configd b/src/services/vyos-configd index 648a017d5..c89c486e5 100755 --- a/src/services/vyos-configd +++ b/src/services/vyos-configd @@ -236,7 +236,7 @@ def process_node_data(config, data, last: bool = False) -> int: with stdout_redirected(session_out, session_mode): result = run_script(conf_mode_scripts[script_name], config, args) - if last: + if last and result == R_SUCCESS: call_dependents(dependent_func=config.dependent_func) return result |