diff options
103 files changed, 2707 insertions, 1467 deletions
diff --git a/data/templates/bcast-relay/udp-broadcast-relay.tmpl b/data/templates/bcast-relay/udp-broadcast-relay.tmpl index 3d8c3fe94..d0c7d8bf9 100644 --- a/data/templates/bcast-relay/udp-broadcast-relay.tmpl +++ b/data/templates/bcast-relay/udp-broadcast-relay.tmpl @@ -4,4 +4,4 @@ {%- if description %} # Comment: {{ description }} {% endif %} -DAEMON_ARGS="{% if address %}-s {{ address }} {% endif %}{{ id }} {{ port }} {{ interfaces | join(' ') }}" +DAEMON_ARGS="{{ '-s ' + address if address is defined }} {{ instance }} {{ port }} {{ interface | join(' ') }}" diff --git a/data/templates/dhcp-client/ipv6_new.tmpl b/data/templates/dhcp-client/ipv6_new.tmpl new file mode 100644 index 000000000..112431c5f --- /dev/null +++ b/data/templates/dhcp-client/ipv6_new.tmpl @@ -0,0 +1,47 @@ +# generated by dhcp.py +# man https://www.unix.com/man-page/debian/5/dhcp6c.conf/ + +interface {{ ifname }} { + request domain-name-servers; + request domain-name; +{% if dhcpv6_options is defined %} +{% if dhcpv6_options.parameters_only is defined %} + information-only; +{% endif %} +{% if dhcpv6_options.temporary is not defined %} + send ia-na 1; # non-temporary address +{% endif %} +{% if dhcpv6_options.prefix_delegation is defined %} + send ia-pd 2; # prefix delegation +{% endif %} +{% endif %} +}; + +{% if dhcpv6_options is defined %} +{% if dhcpv6_options.temporary is not defined %} +id-assoc na 1 { + # Identity association NA +}; +{% endif %} + +{% if dhcpv6_options.prefix_delegation is defined %} +id-assoc pd 2 { +{% if dhcpv6_options.prefix_delegation.length is defined %} + prefix ::/{{ dhcpv6_options.prefix_delegation.length }} infinity; +{% endif %} +{% for interface in dhcpv6_options.prefix_delegation.interface %} + prefix-interface {{ interface }} { +{% if dhcpv6_options.prefix_delegation.interface[interface].sla_id is defined %} + sla-id {{ dhcpv6_options.prefix_delegation.interface[interface].sla_id }}; +{% endif %} +{% if dhcpv6_options.prefix_delegation.interface[interface].sla_len is defined %} + sla-len {{ dhcpv6_options.prefix_delegation.interface[interface].sla_len }}; +{% endif %} +{% if dhcpv6_options.prefix_delegation.interface[interface].address is defined %} + ifid {{ dhcpv6_options.prefix_delegation.interface[interface].address }}; +{% endif %} + }; +{% endfor %} +}; +{% endif %} +{% endif %} diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl index 6d1760199..b0d99d9ae 100644 --- a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl +++ b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl @@ -17,7 +17,7 @@ addNTA("{{ a }}.", "{{ tag }} alias") -- from 'service dns forwarding domain' {%- for zone, zonedata in forward_zones.items() %} {%- if zonedata['addNTA'] %} -addNTA("{{ zone }}.", "static") +addNTA("{{ zone }}", "static") {%- endif %} {%- endfor %} {%- endif %} diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 8108d5e0f..0c29f536b 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -6,7 +6,7 @@ flush table nat {% if helper_functions == 'remove' %} {# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = "delete rule ip raw" %} +{% set base_command = "delete rule ip raw" %} {{ base_command }} PREROUTING handle {{ pre_ct_ignore }} {{ base_command }} OUTPUT handle {{ out_ct_ignore }} {{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} @@ -19,7 +19,7 @@ delete chain ip raw NAT_CONNTRACK add chain ip raw NAT_CONNTRACK add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = "add rule ip raw" %} +{% set base_command = "add rule ip raw" %} {{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER {{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER @@ -48,10 +48,11 @@ add rule ip raw NAT_CONNTRACK counter accept {% set comment = "DST-NAT-" + rule.number %} {% if chain == "PREROUTING" %} -{% set interface = " iifname \"" + rule.interface_in + "\"" %} +{% set interface = " iifname \"" + rule.interface_in + "\"" if rule.interface_in is defined and rule.interface_in != 'any' else '' %} {% set trns_addr = "dnat to " + rule.translation_address %} + {% elif chain == "POSTROUTING" %} -{% set interface = " oifname \"" + rule.interface_out + "\"" %} +{% set interface = " oifname \"" + rule.interface_out + "\"" if rule.interface_out is defined and rule.interface_out != 'any' else '' %} {% if rule.translation_address == 'masquerade' %} {% set trns_addr = rule.translation_address %} {% if rule.translation_port %} diff --git a/data/templates/ids/fastnetmon.tmpl b/data/templates/ids/fastnetmon.tmpl new file mode 100644 index 000000000..71a1b2bd7 --- /dev/null +++ b/data/templates/ids/fastnetmon.tmpl @@ -0,0 +1,60 @@ +# enable this option if you want to send logs to local syslog facility +logging:local_syslog_logging = on + +# list of all your networks in CIDR format +networks_list_path = /etc/networks_list + +# list networks in CIDR format which will be not monitored for attacks +white_list_path = /etc/networks_whitelist + +# Enable/Disable any actions in case of attack +enable_ban = on + +## How many packets will be collected from attack traffic +ban_details_records_count = 500 + +## How long (in seconds) we should keep an IP in blocked state +## If you set 0 here it completely disables unban capability +ban_time = 1900 + +# Check if the attack is still active, before triggering an unban callback with this option +# If the attack is still active, check each run of the unban watchdog +unban_only_if_attack_finished = on + +# enable per subnet speed meters +# For each subnet, list track speed in bps and pps for both directions +enable_subnet_counters = off + +{% if "mirror" in mode %} +mirror_afpacket = on +{% endif -%} + +{% if "in" in direction %} +process_incoming_traffic = on +{% endif -%} +{% if "out" in direction %} +process_outgoing_traffic = on +{% endif -%} +{% for th in threshold %} +{% if th == "fps" %} +ban_for_flows = on +threshold_flows = {{ threshold[th] }} +{% endif -%} +{% if th == "mbps" %} +ban_for_bandwidth = on +threshold_mbps = {{ threshold[th] }} +{% endif -%} +{% if th == "pps" %} +ban_for_pps = on +threshold_pps = {{ threshold[th] }} +{% endif -%} +{% endfor -%} + +{% if listen_interface %} +{% set value = listen_interface if listen_interface is string else listen_interface | join(',') %} +interfaces = {{ value }} +{% endif -%} + +{% if alert_script %} +notify_script_path = {{ alert_script }} +{% endif -%} diff --git a/data/templates/ids/fastnetmon_networks_list.tmpl b/data/templates/ids/fastnetmon_networks_list.tmpl new file mode 100644 index 000000000..d58990053 --- /dev/null +++ b/data/templates/ids/fastnetmon_networks_list.tmpl @@ -0,0 +1,7 @@ +{% if network is string %} +{{ network }} +{% else %} +{% for net in network %} +{{ net }} +{% endfor %} +{% endif %} diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl index a614d23f5..1731bf160 100644 --- a/data/templates/macsec/wpa_supplicant.conf.tmpl +++ b/data/templates/macsec/wpa_supplicant.conf.tmpl @@ -45,9 +45,10 @@ network={ # - the key server has decided to enable MACsec # 0: Encrypt traffic (default) # 1: Integrity only - macsec_integ_only={{ '0' if security_encrypt else '1' }} + macsec_integ_only={{ '0' if security is defined and security.encrypt is defined else '1' }} -{% if security_encrypt %} +{% if security is defined %} +{% if security.encrypt is defined %} # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer @@ -56,21 +57,22 @@ network={ # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string # (2..64 hex-digits) - mka_cak={{ security_mka_cak }} - mka_ckn={{ security_mka_ckn }} + mka_cak={{ security.mka.cak }} + mka_ckn={{ security.mka.ckn }} # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being # default priority - mka_priority={{ security_mka_priority }} -{% endif %} -{% if security_replay_window %} + mka_priority={{ security.mka.priority }} +{% endif %} + +{% if security.replay_window is defined %} # macsec_replay_protect: IEEE 802.1X/MACsec replay protection # This setting applies only when MACsec is in use, i.e., # - macsec_policy is enabled # - the key server has decided to enable MACsec # 0: Replay protection disabled (default) # 1: Replay protection enabled - macsec_replay_protect={{ '1' if security_replay_window else '0' }} + macsec_replay_protect=1 # macsec_replay_window: IEEE 802.1X/MACsec replay protection window # This determines a window in which replay is tolerated, to allow receipt @@ -80,7 +82,8 @@ network={ # - the key server has decided to enable MACsec # 0: No replay window, strict check (default) # 1..2^32-1: number of packets that could be misordered - macsec_replay_window={{ security_replay_window }} + macsec_replay_window={{ security.replay_window }} +{% endif %} {% endif %} } diff --git a/data/templates/ntp/ntp.conf.tmpl b/data/templates/ntp/ntp.conf.tmpl index 52042d218..6ef0c0f2c 100644 --- a/data/templates/ntp/ntp.conf.tmpl +++ b/data/templates/ntp/ntp.conf.tmpl @@ -13,26 +13,35 @@ restrict -6 ::1 # # Configurable section # - -{% if servers -%} -{% for s in servers -%} -# Server configuration for: {{ s.name }} -server {{ s.name }} iburst {{ s.options | join(" ") }} -{% endfor -%} +{% if server %} +{% for srv in server %} +{% set options = '' %} +{% set options = options + 'noselect ' if server[srv].noselect is defined else '' %} +{% set options = options + 'preempt ' if server[srv].preempt is defined else '' %} +{% set options = options + 'prefer ' if server[srv].prefer is defined else '' %} +server {{ srv | replace('_', '-') }} iburst {{ options }} +{% endfor %} {% endif %} -{% if allowed_networks -%} -{% for n in allowed_networks -%} -# Client configuration for network: {{ n.network }} -restrict {{ n.address }} mask {{ n.netmask }} nomodify notrap nopeer - -{% endfor -%} +{% if allow_clients is defined and allow_clients.address is defined %} +# Allowed clients configuration +{% if allow_clients.address is string %} +restrict {{ allow_clients.address|address_from_cidr }} mask {{ allow_clients.address|netmask_from_cidr }} nomodify notrap nopeer +{% else %} +{% for address in allow_clients.address %} +restrict {{ address|address_from_cidr }} mask {{ address|netmask_from_cidr }} nomodify notrap nopeer +{% endfor %} +{% endif %} {% endif %} -{% if listen_address -%} +{% if listen_address %} # NTP should listen on configured addresses only interface ignore wildcard -{% for a in listen_address -%} -interface listen {{ a }} -{% endfor -%} +{% if listen_address is string %} +interface listen {{ listen_address }} +{% else %} +{% for address in listen_address %} +interface listen {{ address }} +{% endfor %} +{% endif %} {% endif %} diff --git a/data/templates/ntp/override.conf.tmpl b/data/templates/ntp/override.conf.tmpl index 69a73b128..466638e5a 100644 --- a/data/templates/ntp/override.conf.tmpl +++ b/data/templates/ntp/override.conf.tmpl @@ -1,8 +1,11 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/lib/ntp/ntp-systemd-wrapper -{% else %} -ExecStart=/usr/lib/ntp/ntp-systemd-wrapper -{% endif %} +ExecStart={{vrf_command}}/usr/lib/ntp/ntp-systemd-wrapper +Restart=on-failure +RestartSec=10 diff --git a/data/templates/pppoe/ip-down.script.tmpl b/data/templates/pppoe/ip-down.script.tmpl index 9e6bd2a8e..7b1952a80 100644 --- a/data/templates/pppoe/ip-down.script.tmpl +++ b/data/templates/pppoe/ip-down.script.tmpl @@ -2,21 +2,21 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -{% if not on_demand %} +{% if connect_on_demand is not defined %} # See https://phabricator.vyos.net/T2248. Determine if we are enslaved to a # VRF, this is needed to properly insert the default route. VRF_NAME="" -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF=${VRF#"upper_"} # Populate variable to run in VR context @@ -24,13 +24,13 @@ if [ -d /sys/class/net/{{ intf }}/upper_* ]; then fi # Always delete default route when interface goes down -vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}" +vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ ifname }} ${VRF_NAME}" {% if ipv6_enable %} -vtysh -c "conf t" ${VRF_NAME} -c "no ipv6 route ::/0 {{ intf }} ${VRF_NAME}" +vtysh -c "conf t" ${VRF_NAME} -c "no ipv6 route ::/0 {{ ifname }} ${VRF_NAME}" {% endif %} {% endif %} -{% if dhcpv6_pd_interfaces %} -# Start wide dhcpv6 client -systemctl stop dhcp6c@{{ intf }}.service +{% if dhcpv6_options is defined and dhcpv6_options.prefix_delegation is defined %} +# Stop wide dhcpv6 client +systemctl stop dhcp6c@{{ ifname }}.service {% endif %} diff --git a/data/templates/pppoe/ip-pre-up.script.tmpl b/data/templates/pppoe/ip-pre-up.script.tmpl index 6a2d2af94..cf85ed067 100644 --- a/data/templates/pppoe/ip-pre-up.script.tmpl +++ b/data/templates/pppoe/ip-pre-up.script.tmpl @@ -2,17 +2,17 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -echo "{{ description }}" > /sys/class/net/{{ intf }}/ifalias +echo "{{ description }}" > /sys/class/net/{{ ifname }}/ifalias {% if vrf -%} logger -t pppd[$DIALER_PID] "configuring dialer interface $6 for VRF {{ vrf }}" -ip link set dev {{ intf }} master {{ vrf }} +ip link set dev {{ ifname }} master {{ vrf }} {% endif %} diff --git a/data/templates/pppoe/ip-up.script.tmpl b/data/templates/pppoe/ip-up.script.tmpl index a274296b6..568e21c4e 100644 --- a/data/templates/pppoe/ip-up.script.tmpl +++ b/data/templates/pppoe/ip-up.script.tmpl @@ -2,13 +2,13 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi -{% if not on_demand %} +{% if connect_on_demand is not defined %} # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" {% if default_route != 'none' -%} @@ -17,9 +17,9 @@ logger -t pppd[$DIALER_PID] "executing $0" SED_OPT="^ip route" VRF_NAME="" -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF=${VRF#"upper_"} # generate new SED command @@ -43,7 +43,7 @@ done {% endif %} # Add default route to default or VRF routing table -vtysh -c "conf t" ${VTY_OPT} -c "ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}" -logger -t pppd[$DIALER_PID] "added default route via {{ intf }} ${VRF_NAME}" +vtysh -c "conf t" ${VTY_OPT} -c "ip route 0.0.0.0/0 {{ ifname }} ${VRF_NAME}" +logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} ${VRF_NAME}" {% endif %} {% endif %} diff --git a/data/templates/pppoe/ipv6-up.script.tmpl b/data/templates/pppoe/ipv6-up.script.tmpl index 097f1d4c3..3dee3d011 100644 --- a/data/templates/pppoe/ipv6-up.script.tmpl +++ b/data/templates/pppoe/ipv6-up.script.tmpl @@ -3,17 +3,15 @@ # As PPPoE is an "on demand" interface we need to re-configure it when it # becomes up -if [ "$6" != "{{ intf }}" ]; then +if [ "$6" != "{{ ifname }}" ]; then exit fi -set -x - -{% if ipv6_autoconf -%} +{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined -%} # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -logger -t pppd[$DIALER_PID] "configuring interface {{ intf }} via {{ source_interface }}" +logger -t pppd[$DIALER_PID] "configuring interface {{ ifname }} via {{ source_interface }}" # Configure interface-specific Host/Router behaviour. # Note: It is recommended to have the same setting on all interfaces; mixed @@ -22,7 +20,7 @@ logger -t pppd[$DIALER_PID] "configuring interface {{ intf }} via {{ source_inte # 0 Forwarding disabled # 1 Forwarding enabled # -echo 1 > /proc/sys/net/ipv6/conf/{{ intf }}/forwarding +echo 1 > /proc/sys/net/ipv6/conf/{{ ifname }}/forwarding # Accept Router Advertisements; autoconfigure using them. # @@ -36,27 +34,27 @@ echo 1 > /proc/sys/net/ipv6/conf/{{ intf }}/forwarding # 2 Overrule forwarding behaviour. Accept Router Advertisements # even if forwarding is enabled. # -echo 2 > /proc/sys/net/ipv6/conf/{{ intf }}/accept_ra +echo 2 > /proc/sys/net/ipv6/conf/{{ ifname }}/accept_ra # Autoconfigure addresses using Prefix Information in Router Advertisements. -echo 1 > /proc/sys/net/ipv6/conf/{{ intf }}/autoconf +echo 1 > /proc/sys/net/ipv6/conf/{{ ifname }}/autoconf {% endif %} -{% if dhcpv6_pd_interfaces %} +{% if dhcpv6_options is defined and dhcpv6_options.prefix_delegation is defined %} # Start wide dhcpv6 client -systemctl start dhcp6c@{{ intf }}.service +systemctl start dhcp6c@{{ ifname }}.service {% endif %} -{% if default_route != 'none' -%} +{% if default_route != 'none' -%} # See https://phabricator.vyos.net/T2248 & T2220. Determine if we are enslaved # to a VRF, this is needed to properly insert the default route. SED_OPT="^ipv6 route" VRF_NAME="" -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF=${VRF#"upper_"} # generate new SED command @@ -65,23 +63,22 @@ if [ -d /sys/class/net/{{ intf }}/upper_* ]; then VRF_NAME="vrf ${VRF}" fi -{% if default_route == 'auto' -%} +{% if default_route == 'auto' -%} # Only insert a new default route if there is no default route configured routes=$(vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep ::/0 | wc -l) if [ "$routes" -ne 0 ]; then exit 1 fi -{% elif default_route == 'force' -%} +{% elif default_route == 'force' -%} # Retrieve current static default routes and remove it from the routing table vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep ::/0 | while read route ; do vtysh -c "conf t" ${VTY_OPT} -c "no ${route} ${VRF_NAME}" done -{% endif %} - -# Add default route to default or VRF routing table -vtysh -c "conf t" ${VTY_OPT} -c "ipv6 route ::/0 {{ intf }} ${VRF_NAME}" -logger -t pppd[$DIALER_PID] "added default route via {{ intf }} ${VRF_NAME}" {% endif %} +# Add default route to default or VRF routing table +vtysh -c "conf t" ${VTY_OPT} -c "ipv6 route ::/0 {{ ifname }} ${VRF_NAME}" +logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} ${VRF_NAME}" +{% endif %} diff --git a/data/templates/pppoe/peer.tmpl b/data/templates/pppoe/peer.tmpl index fb85265b2..e909843a5 100644 --- a/data/templates/pppoe/peer.tmpl +++ b/data/templates/pppoe/peer.tmpl @@ -40,32 +40,37 @@ maxfail 0 plugin rp-pppoe.so {{ source_interface }} persist -ifname {{ intf }} -ipparam {{ intf }} +ifname {{ ifname }} +ipparam {{ ifname }} debug mtu {{ mtu }} mru {{ mtu }} -user "{{ auth_username }}" -password "{{ auth_password }}" -{% if name_server -%} -usepeerdns + +{% if authentication is defined %} +{{ "user " + authentication.user if authentication.user is defined }} +{{ "password " + authentication.password if authentication.password is defined }} {% endif %} -{% if ipv6_enable -%} + +{{ "usepeerdns" if no_peer_dns is not defined }} + +{% if ipv6 is defined and ipv6.enable is defined -%} +ipv6 ipv6cp-use-ipaddr {% endif %} -{% if service_name -%} + +{% if service_name is defined -%} rp_pppoe_service "{{ service_name }}" {% endif %} -{% if on_demand %} + +{% if connect_on_demand is defined %} demand # See T2249. PPP default route options should only be set when in on-demand # mode. As soon as we are not in on-demand mode the default-route handling is # passed to the ip-up.d/ip-down.s scripts which is required for VRF support. -{% if 'auto' in default_route -%} +{% if 'auto' in default_route -%} defaultroute -{% elif 'force' in default_route -%} +{% elif 'force' in default_route -%} defaultroute replacedefaultroute -{% endif %} +{% endif %} {% endif %} diff --git a/data/templates/snmp/etc.snmp.conf.tmpl b/data/templates/snmp/etc.snmp.conf.tmpl index 159578906..6e4c6f063 100644 --- a/data/templates/snmp/etc.snmp.conf.tmpl +++ b/data/templates/snmp/etc.snmp.conf.tmpl @@ -1,4 +1,4 @@ ### Autogenerated by snmp.py ### -{% if trap_source -%} +{% if trap_source %} clientaddr {{ trap_source }} {% endif %} diff --git a/data/templates/snmp/etc.snmpd.conf.tmpl b/data/templates/snmp/etc.snmpd.conf.tmpl index 1659abf93..278506350 100644 --- a/data/templates/snmp/etc.snmpd.conf.tmpl +++ b/data/templates/snmp/etc.snmpd.conf.tmpl @@ -32,87 +32,84 @@ sysDescr VyOS {{ version }} {% if description %} # Description SysDescr {{ description }} -{%- endif %} +{% endif %} # Listen agentaddress unix:/run/snmpd.socket{% if listen_on %}{% for li in listen_on %},{{ li }}{% endfor %}{% else %},udp:161{% if ipv6_enabled %},udp6:161{% endif %}{% endif %} # SNMP communities -{%- for c in communities %} - -{%- if c.network_v4 %} -{%- for network in c.network_v4 %} +{% for c in communities %} +{% if c.network_v4 %} +{% for network in c.network_v4 %} {{ c.authorization }}community {{ c.name }} {{ network }} -{%- endfor %} -{%- elif not c.has_source %} +{% endfor %} +{% elif not c.has_source %} {{ c.authorization }}community {{ c.name }} -{%- endif %} - -{%- if c.network_v6 %} -{%- for network in c.network_v6 %} +{% endif %} +{% if c.network_v6 %} +{% for network in c.network_v6 %} {{ c.authorization }}community6 {{ c.name }} {{ network }} -{%- endfor %} -{%- elif not c.has_source %} +{% endfor %} +{% elif not c.has_source %} {{ c.authorization }}community6 {{ c.name }} -{%- endif %} - -{%- endfor %} +{% endif %} +{% endfor %} {% if contact %} # system contact information SysContact {{ contact }} -{%- endif %} +{% endif %} {% if location %} # system location information SysLocation {{ location }} -{%- endif %} +{% endif %} -{% if smux_peers -%} +{% if smux_peers %} # additional smux peers -{%- for sp in smux_peers %} +{% for sp in smux_peers %} smuxpeer {{ sp }} -{%- endfor %} -{%- endif %} +{% endfor %} +{% endif %} -{% if trap_targets -%} +{% if trap_targets %} # if there is a problem - tell someone! -{%- for t in trap_targets %} -trap2sink {{ t.target }}{% if t.port -%}:{{ t.port }}{% endif %} {{ t.community }} -{%- endfor %} -{%- endif %} +{% for trap in trap_targets %} +trap2sink {{ trap.target }}{{ ":" + trap.port if trap.port is defined }} {{ trap.community }} +{% endfor %} +{% endif %} -{%- if v3_enabled %} +{% if v3_enabled %} # # SNMPv3 stuff goes here # # views -{%- for v in v3_views %} -{%- for oid in v.oids %} -view {{ v.name }} included .{{ oid.oid }} -{%- endfor %} -{%- endfor %} +{% for view in v3_views %} +{% for oid in view.oids %} +view {{ view.name }} included .{{ oid.oid }} +{% endfor %} +{% endfor %} # access # context sec.model sec.level match read write notif -{%- for g in v3_groups %} -access {{ g.name }} "" usm {{ g.seclevel }} exact {{ g.view }} {% if g.mode == 'ro' %}none{% else %}{{ g.view }}{% endif %} none -{%- endfor %} +{% for group in v3_groups %} +access {{ group.name }} "" usm {{ group.seclevel }} exact {{ group.view }} {% if group.mode == 'ro' %}none{% else %}{{ group.view }}{% endif %} none +{% endfor %} # trap-target -{%- for t in v3_traps %} +{% for t in v3_traps %} trapsess -v 3 {{ '-Ci' if t.type == 'inform' }} -e {{ v3_engineid }} -u {{ t.secName }} -l {{ t.secLevel }} -a {{ t.authProtocol }} {% if t.authPassword %}-A {{ t.authPassword }}{% elif t.authMasterKey %}-3m {{ t.authMasterKey }}{% endif %} -x {{ t.privProtocol }} {% if t.privPassword %}-X {{ t.privPassword }}{% elif t.privMasterKey %}-3M {{ t.privMasterKey }}{% endif %} {{ t.ipProto }}:{{ t.ipAddr }}:{{ t.ipPort }} -{%- endfor %} +{% endfor %} # group -{%- for u in v3_users %} +{% for u in v3_users %} group {{ u.group }} usm {{ u.name }} -{% endfor %} -{%- endif %} +{% endfor %} +{% endif %} {% if script_ext %} # extension scripts -{%- for ext in script_ext|sort(attribute='name') %} +{% for ext in script_ext|sort(attribute='name') %} extend {{ ext.name }} {{ ext.script }} -{%- endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl index 1eb8f20a9..e6302a9e1 100644 --- a/data/templates/snmp/override.conf.tmpl +++ b/data/templates/snmp/override.conf.tmpl @@ -1,9 +1,13 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] Environment= Environment="MIBSDIR=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp" ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid -{% else %} -ExecStart=/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid -{% endif %} +ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -ipCidrRouteTable,inetCidrRouteTable -f -p /run/snmpd.pid +Restart=on-failure +RestartSec=10 + diff --git a/data/templates/snmp/var.snmpd.conf.tmpl b/data/templates/snmp/var.snmpd.conf.tmpl index 0b8e9f291..6cbc687ef 100644 --- a/data/templates/snmp/var.snmpd.conf.tmpl +++ b/data/templates/snmp/var.snmpd.conf.tmpl @@ -3,14 +3,12 @@ {%- for u in v3_users %} {%- if u.authOID == 'none' %} createUser {{ u.name }} -{%- elif u.authPassword %} -createUser {{ u.name }} {{ u.authProtocol | upper }} "{{ u.authPassword }}" {{ u.privProtocol | upper }} {{ u.privPassword }} {%- else %} -usmUser 1 3 {{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} {{ u.authMasterKey }} {{ u.privOID }} {{ u.privMasterKey }} 0x +usmUser 1 3 0x{{ v3_engineid }} "{{ u.name }}" "{{ u.name }}" NULL {{ u.authOID }} 0x{{ u.authMasterKey }} {{ u.privOID }} 0x{{ u.privMasterKey }} 0x {%- endif %} {%- endfor %} createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES {%- if v3_engineid %} -oldEngineID {{ v3_engineid }} +oldEngineID 0x{{ v3_engineid }} {%- endif %} diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl index 1013d4b48..4276366ae 100644 --- a/data/templates/ssh/override.conf.tmpl +++ b/data/templates/ssh/override.conf.tmpl @@ -1,8 +1,10 @@ +{% set vrf_command = '/sbin/ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + [Service] ExecStart= -{% if vrf %} -ExecStart=/sbin/ip vrf exec {{ vrf }} /usr/sbin/sshd -D $SSHD_OPTS -{% else %} -ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -{% endif %} +ExecStart={{vrf_command}}/usr/sbin/sshd -D $SSHD_OPTS +RestartSec=10 diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.tmpl index 1c136bb23..4fde24255 100644 --- a/data/templates/ssh/sshd_config.tmpl +++ b/data/templates/ssh/sshd_config.tmpl @@ -46,7 +46,7 @@ Port {{ value }} {% endif %} # Gives the verbosity level that is used when logging messages from sshd -LogLevel {{ loglevel }} +LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }} @@ -57,7 +57,7 @@ PasswordAuthentication {{ "no" if disable_password_authentication is defined els ListenAddress {{ listen_address }} {% else %} {% for address in listen_address %} -ListenAddress {{ value }} +ListenAddress {{ address }} {% endfor %} {% endif %} {% endif %} diff --git a/data/templates/system/curlrc.tmpl b/data/templates/system/curlrc.tmpl new file mode 100644 index 000000000..675e35a0c --- /dev/null +++ b/data/templates/system/curlrc.tmpl @@ -0,0 +1,8 @@ +{% if http_client is defined %}
+{% if http_client.source_interface is defined %}
+--interface "{{ http_client.source_interface }}"
+{% endif %}
+{% if http_client.source_address is defined %}
+--interface "{{ http_client.source_address }}"
+{% endif %}
+{% endif %}
diff --git a/data/templates/wwan/ip-down.script.tmpl b/data/templates/wwan/ip-down.script.tmpl index f7b38cbc5..9dc15ea99 100644 --- a/data/templates/wwan/ip-down.script.tmpl +++ b/data/templates/wwan/ip-down.script.tmpl @@ -11,17 +11,17 @@ fi # Determine if we are running inside a VRF or not, required for proper routing table # NOTE: the down script can not be properly templated as we need the VRF name, # which is not present on deletion, thus we read it from the operating system. -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF_NAME=${VRF#"upper_"} # Remove default route from VRF routing table - vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "no ip route 0.0.0.0/0 {{ intf }}" + vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "no ip route 0.0.0.0/0 {{ ifname }}" else # Remove default route from GRT (global routing table) - vtysh -c "conf t" -c "no ip route 0.0.0.0/0 {{ intf }}" + vtysh -c "conf t" -c "no ip route 0.0.0.0/0 {{ ifname }}" fi -DIALER_PID=$(cat /var/run/{{ intf }}.pid) -logger -t pppd[$DIALER_PID] "removed default route via {{ intf }} metric {{ metric }}" +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) +logger -t pppd[$DIALER_PID] "removed default route via {{ ifname }} metric {{ backup.distance }}" diff --git a/data/templates/wwan/ip-pre-up.script.tmpl b/data/templates/wwan/ip-pre-up.script.tmpl index 7a17a1c71..efc065bad 100644 --- a/data/templates/wwan/ip-pre-up.script.tmpl +++ b/data/templates/wwan/ip-pre-up.script.tmpl @@ -7,17 +7,17 @@ ipparam=$6 # device name and metric are received using ipparam device=`echo "$ipparam"|awk '{ print $1 }'` -if [ "$device" != "{{ intf }}" ]; then +if [ "$device" != "{{ ifname }}" ]; then exit fi # add some info to syslog -DIALER_PID=$(cat /var/run/{{ intf }}.pid) +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -echo "{{ description }}" > /sys/class/net/{{ intf }}/ifalias +echo "{{ description }}" > /sys/class/net/{{ ifname }}/ifalias {% if vrf -%} -logger -t pppd[$DIALER_PID] "configuring interface {{ intf }} for VRF {{ vrf }}" -ip link set dev {{ intf }} master {{ vrf }} +logger -t pppd[$DIALER_PID] "configuring interface {{ ifname }} for VRF {{ vrf }}" +ip link set dev {{ ifname }} master {{ vrf }} {% endif %} diff --git a/data/templates/wwan/ip-up.script.tmpl b/data/templates/wwan/ip-up.script.tmpl index 3a7eec800..2603a0286 100644 --- a/data/templates/wwan/ip-up.script.tmpl +++ b/data/templates/wwan/ip-up.script.tmpl @@ -9,17 +9,17 @@ if [ -z $(echo $2 | egrep "(ttyS[0-9]+|usb[0-9]+b.*)$") ]; then fi # Determine if we are running inside a VRF or not, required for proper routing table -if [ -d /sys/class/net/{{ intf }}/upper_* ]; then +if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ intf }}/upper_*)) + VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) # Remove upper_ prefix from result string VRF_NAME=${VRF#"upper_"} # Remove default route from VRF routing table - vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "ip route 0.0.0.0/0 {{ intf }} {{ metric }}" + vtysh -c "conf t" -c "vrf ${VRF_NAME}" -c "ip route 0.0.0.0/0 {{ ifname }} {{ backup.distance }}" else # Remove default route from GRT (global routing table) - vtysh -c "conf t" -c "ip route 0.0.0.0/0 {{ intf }} {{ metric }}" + vtysh -c "conf t" -c "ip route 0.0.0.0/0 {{ ifname }} {{ backup.distance }}" fi -DIALER_PID=$(cat /var/run/{{ intf }}.pid) -logger -t pppd[$DIALER_PID] "added default route via {{ intf }} metric {{ metric }} ${VRF_NAME}" +DIALER_PID=$(cat /var/run/{{ ifname }}.pid) +logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} metric {{ backup.distance }} ${VRF_NAME}" diff --git a/data/templates/wwan/peer.tmpl b/data/templates/wwan/peer.tmpl index 0168283fd..aa759f741 100644 --- a/data/templates/wwan/peer.tmpl +++ b/data/templates/wwan/peer.tmpl @@ -1,19 +1,18 @@ ### Autogenerated by interfaces-wirelessmodem.py ### -{% if description %} -# {{ description }} -{% endif %} -ifname {{ intf }} -ipparam {{ intf }} -linkname {{ intf }} -{% if name_server -%} -usepeerdns -{%- endif %} +{{ "# description: " + description if description is defined }} +ifname {{ ifname }} +ipparam {{ ifname }} +linkname {{ ifname }} +{{ "usepeerdns" if no_peer_dns is defined }} # physical device {{ device }} lcp-echo-failure 0 115200 debug +debug +mtu {{ mtu }} +mru {{ mtu }} nodefaultroute ipcp-max-failure 4 ipcp-accept-local @@ -22,8 +21,7 @@ noauth crtscts lock persist -{% if on_demand -%} -demand -{%- endif %} +{{ "demand" if ondemand is defined }} + +connect '/usr/sbin/chat -v -t6 -f /etc/ppp/peers/chat.{{ ifname }}' -connect '/usr/sbin/chat -v -t6 -f {{ chat_script }}' diff --git a/debian/control b/debian/control index aaf8fa1e7..089b2d6e2 100644 --- a/debian/control +++ b/debian/control @@ -89,6 +89,7 @@ Depends: python3, iperf, iperf3, frr, + frr-pythontools, radvd, dbus, usb-modeswitch, @@ -103,7 +104,10 @@ Depends: python3, salt-minion, vyos-utils, nftables (>= 0.9.3), - conntrack + conntrack, + libatomic1, + fastnetmon, + libndp-tools Description: VyOS configuration scripts and data VyOS configuration scripts, interface definitions, and everything diff --git a/interface-definitions/include/interface-mtu-1200-9000.xml.i b/interface-definitions/include/interface-mtu-1200-9000.xml.i index 336845b77..de48db65e 100644 --- a/interface-definitions/include/interface-mtu-1200-9000.xml.i +++ b/interface-definitions/include/interface-mtu-1200-9000.xml.i @@ -10,4 +10,5 @@ </constraint> <constraintErrorMessage>MTU must be between 1200 and 9000</constraintErrorMessage> </properties> + <defaultValue>1500</defaultValue> </leafNode> diff --git a/interface-definitions/include/interface-mtu-1450-9000.xml.i b/interface-definitions/include/interface-mtu-1450-9000.xml.i index 87296a050..d15987394 100644 --- a/interface-definitions/include/interface-mtu-1450-9000.xml.i +++ b/interface-definitions/include/interface-mtu-1450-9000.xml.i @@ -10,4 +10,5 @@ </constraint> <constraintErrorMessage>MTU must be between 1450 and 9000</constraintErrorMessage> </properties> + <defaultValue>1500</defaultValue> </leafNode> diff --git a/interface-definitions/include/interface-mtu-64-8024.xml.i b/interface-definitions/include/interface-mtu-64-8024.xml.i index e917c816f..e60867e35 100644 --- a/interface-definitions/include/interface-mtu-64-8024.xml.i +++ b/interface-definitions/include/interface-mtu-64-8024.xml.i @@ -10,4 +10,5 @@ </constraint> <constraintErrorMessage>MTU must be between 64 and 8024</constraintErrorMessage> </properties> + <defaultValue>1500</defaultValue> </leafNode> diff --git a/interface-definitions/include/interface-mtu-68-1500.xml.i b/interface-definitions/include/interface-mtu-68-1500.xml.i index 81223c332..d47efd2c9 100644 --- a/interface-definitions/include/interface-mtu-68-1500.xml.i +++ b/interface-definitions/include/interface-mtu-68-1500.xml.i @@ -10,4 +10,5 @@ </constraint> <constraintErrorMessage>MTU must be between 68 and 1500</constraintErrorMessage> </properties> + <defaultValue>1500</defaultValue> </leafNode> diff --git a/interface-definitions/include/interface-mtu-68-9000.xml.i b/interface-definitions/include/interface-mtu-68-9000.xml.i index ad11afa80..8fae2043c 100644 --- a/interface-definitions/include/interface-mtu-68-9000.xml.i +++ b/interface-definitions/include/interface-mtu-68-9000.xml.i @@ -10,4 +10,5 @@ </constraint> <constraintErrorMessage>MTU must be between 68 and 9000</constraintErrorMessage> </properties> + <defaultValue>1500</defaultValue> </leafNode> diff --git a/interface-definitions/include/nat-outbound-interface.xml.i b/interface-definitions/include/nat-interface.xml.i index d562f7f03..c49483297 100644 --- a/interface-definitions/include/nat-outbound-interface.xml.i +++ b/interface-definitions/include/nat-interface.xml.i @@ -2,6 +2,7 @@ <properties> <help>Outbound interface of NAT traffic</help> <completionHelp> + <list>any</list> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> </properties> diff --git a/interface-definitions/include/source-address-ipv4-ipv6.xml.i b/interface-definitions/include/source-address-ipv4-ipv6.xml.i new file mode 100644 index 000000000..6d2d77c95 --- /dev/null +++ b/interface-definitions/include/source-address-ipv4-ipv6.xml.i @@ -0,0 +1,17 @@ +<leafNode name="source-address"> + <properties> + <help>IPv4/IPv6 source address</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 source-address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 source-address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + </constraint> + </properties> +</leafNode> diff --git a/interface-definitions/include/source-interface.xml.i b/interface-definitions/include/source-interface.xml.i new file mode 100644 index 000000000..ae579c2a6 --- /dev/null +++ b/interface-definitions/include/source-interface.xml.i @@ -0,0 +1,12 @@ +<leafNode name="source-interface"> + <properties> + <help>Physical interface used for connection</help> + <valueHelp> + <format>interface</format> + <description>Physical interface used for connection</description> + </valueHelp> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> +</leafNode> diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 36605ab59..dfef387d2 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -83,6 +83,7 @@ <validator name="numeric" argument="--range 0-255" /> </constraint> </properties> + <defaultValue>255</defaultValue> </leafNode> </children> </node> diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index 0092f9ce5..8a6c61312 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -71,6 +71,7 @@ <description>Replace existing default route</description> </valueHelp> </properties> + <defaultValue>auto</defaultValue> </leafNode> #include <include/dhcpv6-options.xml.i> #include <include/interface-description.xml.i> @@ -128,19 +129,7 @@ </constraint> </properties> </leafNode> - <leafNode name="mtu"> - <properties> - <help>Maximum Transmission Unit (MTU)</help> - <valueHelp> - <format>68-1500</format> - <description>Maximum Transmission Unit (default 1492)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 68-1500"/> - </constraint> - <constraintErrorMessage>MTU must be between 68 and 1500</constraintErrorMessage> - </properties> - </leafNode> + #include <include/interface-mtu-68-1500.xml.i> <leafNode name="no-peer-dns"> <properties> <help>Do not use DNS servers provided by the peer</help> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index fdde57525..bd3ab4022 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -64,18 +64,7 @@ </constraint> </properties> </leafNode> - <leafNode name="source-interface"> - <properties> - <help>Physical Interface used for this connection</help> - <valueHelp> - <format>interface</format> - <description>Interface used for VXLAN underlay</description> - </valueHelp> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - </properties> - </leafNode> + #include <include/source-interface.xml.i> #include <include/interface-mtu-1200-9000.xml.i> <leafNode name="remote"> <properties> diff --git a/interface-definitions/interfaces-wirelessmodem.xml.in b/interface-definitions/interfaces-wirelessmodem.xml.in index 8b68594da..d375b808d 100644 --- a/interface-definitions/interfaces-wirelessmodem.xml.in +++ b/interface-definitions/interfaces-wirelessmodem.xml.in @@ -38,6 +38,7 @@ </constraint> <constraintErrorMessage>Must be between (1-255)</constraintErrorMessage> </properties> + <defaultValue>10</defaultValue> </leafNode> </children> </node> diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in index 7998bd660..f8415b7c0 100644 --- a/interface-definitions/nat.xml.in +++ b/interface-definitions/nat.xml.in @@ -81,7 +81,7 @@ <valueless/> </properties> </leafNode> - #include <include/nat-outbound-interface.xml.i> + #include <include/nat-interface.xml.i> <node name="source"> <properties> <help>IPv6 source prefix options</help> @@ -132,7 +132,7 @@ #include <include/nat-rule.xml.i> <tagNode name="rule"> <children> - #include <include/nat-outbound-interface.xml.i> + #include <include/nat-interface.xml.i> <node name="translation"> <properties> <help>Outside NAT IP (source NAT only)</help> diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in new file mode 100644 index 000000000..93d4cc682 --- /dev/null +++ b/interface-definitions/service-ids-ddos-protection.xml.in @@ -0,0 +1,118 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="service"> + <children> + <node name="ids"> + <properties> + <help>Intrusion Detection System</help> + </properties> + <children> + <node name="ddos-protection" owner="${vyos_conf_scripts_dir}/service_ids_fastnetmon.py"> + <properties> + <help>FastNetMon detection and protection parameters</help> + <priority>731</priority> + </properties> + <children> + <leafNode name="alert-script"> + <properties> + <help>Path to fastnetmon alert script</help> + </properties> + </leafNode> + <leafNode name="direction"> + <properties> + <help>Direction for processing traffic</help> + <completionHelp> + <list>in out</list> + </completionHelp> + <constraint> + <regex>(in|out)</regex> + </constraint> + <multi/> + </properties> + </leafNode> + <leafNode name="listen-interface"> + <properties> + <help>Listen interface for mirroring traffic</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + <multi/> + </properties> + </leafNode> + <node name="mode"> + <properties> + <help>Traffic capture modes</help> + </properties> + <children> + <!-- Future modes "mirror" "netflow" "combine (both)" --> + <leafNode name="mirror"> + <properties> + <help>Listen mirrored traffic mode</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + <leafNode name="network"> + <properties> + <help>Define monitoring networks</help> + <valueHelp> + <format>ipv4net</format> + <description>Processed network</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + </constraint> + <multi/> + </properties> + </leafNode> + <node name="threshold"> + <properties> + <help>Attack limits thresholds</help> + </properties> + <children> + <leafNode name="fps"> + <properties> + <help>Flows per second</help> + <valueHelp> + <format><0-4294967294></format> + <description>Flows per second</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967294"/> + </constraint> + </properties> + </leafNode> + <leafNode name="mbps"> + <properties> + <help>Megabits per second</help> + <valueHelp> + <format><0-4294967294></format> + <description>Megabits per second</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967294"/> + </constraint> + </properties> + </leafNode> + <leafNode name="pps"> + <properties> + <help>Packets per second</help> + <valueHelp> + <format><0-4294967294></format> + <description>Packets per second</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967294"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in index 31428092f..2fe8ce583 100644 --- a/interface-definitions/snmp.xml.in +++ b/interface-definitions/snmp.xml.in @@ -11,9 +11,9 @@ <children> <tagNode name="community"> <properties> - <help>Community name [REQUIRED]</help> + <help>Community name</help> <constraint> - <regex>[a-zA-Z0-9\-_]{1,100}</regex> + <regex>^[a-zA-Z0-9\-_]{1,100}$</regex> </constraint> <constraintErrorMessage>Community string is limited to alphanumerical characters only with a total lenght of 100</constraintErrorMessage> </properties> @@ -33,7 +33,7 @@ <description>read write</description> </valueHelp> <constraint> - <regex>(ro|rw)</regex> + <regex>^(ro|rw)$</regex> </constraint> <constraintErrorMessage>Authorization type must be either 'rw' or 'ro'</constraintErrorMessage> </properties> @@ -71,7 +71,7 @@ <properties> <help>Contact information</help> <constraint> - <regex>.{1,255}</regex> + <regex>^.{1,255}$</regex> </constraint> <constraintErrorMessage>Contact information is limited to 255 characters or less</constraintErrorMessage> </properties> @@ -80,7 +80,7 @@ <properties> <help>Description information</help> <constraint> - <regex>.{1,255}</regex> + <regex>^.{1,255}$</regex> </constraint> <constraintErrorMessage>Description is limited to 255 characters or less</constraintErrorMessage> </properties> @@ -121,7 +121,7 @@ <properties> <help>Location information</help> <constraint> - <regex>.{1,255}</regex> + <regex>^.{1,255}$</regex> </constraint> <constraintErrorMessage>Location is limited to 255 characters or less</constraintErrorMessage> </properties> @@ -197,9 +197,9 @@ <children> <leafNode name="engineid"> <properties> - <help>Specifies the EngineID that uniquely identify an agent (e.g. 0xff42)</help> + <help>Specifies the EngineID that uniquely identify an agent (e.g. 000000000000000000000002)</help> <constraint> - <regex>(0x){0,1}([0-9a-f][0-9a-f]){1,18}$</regex> + <regex>^([0-9a-f][0-9a-f]){1,18}$</regex> </constraint> <constraintErrorMessage>ID must contain an even number (from 2 to 36) of hex digits</constraintErrorMessage> </properties> @@ -224,7 +224,7 @@ <description>read write</description> </valueHelp> <constraint> - <regex>(ro|rw)</regex> + <regex>^(ro|rw)$</regex> </constraint> <constraintErrorMessage>Authorization type must be either 'rw' or 'ro'</constraintErrorMessage> </properties> @@ -233,7 +233,7 @@ <properties> <help>Security levels</help> <completionHelp> - <list>noauth auth priv2</list> + <list>noauth auth priv</list> </completionHelp> <valueHelp> <format>noauth</format> @@ -248,7 +248,7 @@ <description>Messages are authenticated and encrypted (authPriv)</description> </valueHelp> <constraint> - <regex>(noauth|auth|priv)</regex> + <regex>^(noauth|auth|priv)$</regex> </constraint> </properties> </leafNode> @@ -284,20 +284,20 @@ <help>Defines the privacy</help> </properties> <children> - <leafNode name="encrypted-key"> + <leafNode name="encrypted-password"> <properties> <help>Defines the encrypted key for authentication</help> <constraint> - <regex>0x[0-9a-f]*$</regex> + <regex>^[0-9a-f]*$</regex> </constraint> - <constraintErrorMessage>Key must start from '0x' and contain hex digits</constraintErrorMessage> + <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> </leafNode> - <leafNode name="plaintext-key"> + <leafNode name="plaintext-password"> <properties> <help>Defines the clear text key for authentication</help> <constraint> - <regex>.{8,}$</regex> + <regex>^.{8,}$</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -317,7 +317,7 @@ <description>Secure Hash Algorithm</description> </valueHelp> <constraint> - <regex>(md5|sha)</regex> + <regex>^(md5|sha)$</regex> </constraint> </properties> </leafNode> @@ -341,20 +341,20 @@ <help>Defines the privacy</help> </properties> <children> - <leafNode name="encrypted-key"> + <leafNode name="encrypted-password"> <properties> <help>Defines the encrypted key for privacy protocol</help> <constraint> - <regex>0x[0-9a-f]*$</regex> + <regex>^[0-9a-f]*$</regex> </constraint> - <constraintErrorMessage>Key must start from '0x' and contain hex digits</constraintErrorMessage> + <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> </leafNode> - <leafNode name="plaintext-key"> + <leafNode name="plaintext-password"> <properties> <help>Defines the clear text key for privacy protocol</help> <constraint> - <regex>.{8,}$</regex> + <regex>^.{8,}$</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -374,7 +374,7 @@ <description>Advanced Encryption Standard</description> </valueHelp> <constraint> - <regex>(des|aes)</regex> + <regex>^(des|aes)$</regex> </constraint> </properties> </leafNode> @@ -395,7 +395,7 @@ <description>Use User Datagram Protocol for notifications</description> </valueHelp> <constraint> - <regex>(tcp|udp)</regex> + <regex>^(tcp|udp)$</regex> </constraint> </properties> </leafNode> @@ -414,7 +414,7 @@ <description>Use TRAP</description> </valueHelp> <constraint> - <regex>(inform|trap)</regex> + <regex>^(inform|trap)$</regex> </constraint> </properties> </leafNode> @@ -442,20 +442,20 @@ <help>Specifies the auth</help> </properties> <children> - <leafNode name="encrypted-key"> + <leafNode name="encrypted-password"> <properties> <help>Defines the encrypted key for authentication</help> <constraint> - <regex>0x[0-9a-f]*$</regex> + <regex>^[0-9a-f]*$</regex> </constraint> - <constraintErrorMessage>Key must start from '0x' and contain hex digits</constraintErrorMessage> + <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> </leafNode> - <leafNode name="plaintext-key"> + <leafNode name="plaintext-password"> <properties> <help>Defines the clear text key for authentication</help> <constraint> - <regex>.{8,}$</regex> + <regex>^.{8,}$</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -475,7 +475,7 @@ <description>Secure Hash Algorithm</description> </valueHelp> <constraint> - <regex>(md5|sha)</regex> + <regex>^(md5|sha)$</regex> </constraint> </properties> </leafNode> @@ -504,7 +504,7 @@ <description>read write</description> </valueHelp> <constraint> - <regex>(ro|rw)</regex> + <regex>^(ro|rw)$</regex> </constraint> <constraintErrorMessage>Authorization type must be either 'rw' or 'ro'</constraintErrorMessage> </properties> @@ -514,20 +514,20 @@ <help>Defines the privacy</help> </properties> <children> - <leafNode name="encrypted-key"> + <leafNode name="encrypted-password"> <properties> <help>Defines the encrypted key for privacy protocol</help> <constraint> - <regex>0x[0-9a-f]*$</regex> + <regex>^[0-9a-f]*$</regex> </constraint> - <constraintErrorMessage>Key must start from '0x' and contain hex digits</constraintErrorMessage> + <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> </leafNode> - <leafNode name="plaintext-key"> + <leafNode name="plaintext-password"> <properties> <help>Defines the clear text key for privacy protocol</help> <constraint> - <regex>.{8,}$</regex> + <regex>^.{8,}$</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -547,7 +547,7 @@ <description>Advanced Encryption Standard</description> </valueHelp> <constraint> - <regex>(des|aes)</regex> + <regex>^(des|aes)$</regex> </constraint> </properties> </leafNode> @@ -568,7 +568,7 @@ <properties> <help>Specifies the oid</help> <constraint> - <regex>[0-9]+(\.[0-9]+)*$</regex> + <regex>^[0-9]+(\.[0-9]+)*$</regex> </constraint> <constraintErrorMessage>OID must start from a number</constraintErrorMessage> </properties> @@ -582,7 +582,7 @@ <properties> <help>Defines a bit-mask that is indicating which subidentifiers of the associated subtree OID should be regarded as significant</help> <constraint> - <regex>[0-9a-f]{2}([\.:][0-9a-f]{2})*$</regex> + <regex>^[0-9a-f]{2}([\.:][0-9a-f]{2})*$</regex> </constraint> <constraintErrorMessage>MASK is a list of hex octets, separated by '.' or ':'</constraintErrorMessage> </properties> diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 1b20f5776..d253c2f34 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -132,30 +132,30 @@ <properties> <help>Log level</help> <completionHelp> - <list>QUIET FATAL ERROR INFO VERBOSE</list> + <list>quiet fatal error info verbose</list> </completionHelp> <valueHelp> - <format>QUIET</format> + <format>quiet</format> <description>stay silent</description> </valueHelp> <valueHelp> - <format>FATAL</format> + <format>fatal</format> <description>log fatals only</description> </valueHelp> <valueHelp> - <format>ERROR</format> + <format>error</format> <description>log errors and fatals only</description> </valueHelp> <valueHelp> - <format>INFO</format> + <format>info</format> <description>default log level</description> </valueHelp> <valueHelp> - <format>VERBOSE</format> + <format>verbose</format> <description>enable logging of failed login attempts</description> </valueHelp> <constraint> - <regex>^(QUIET|FATAL|ERROR|INFO|VERBOSE)$</regex> + <regex>^(quiet|fatal|error|info|verbose)$</regex> </constraint> </properties> <defaultValue>INFO</defaultValue> diff --git a/interface-definitions/system-options.xml.in b/interface-definitions/system-options.xml.in index 48bc353ab..194773329 100644 --- a/interface-definitions/system-options.xml.in +++ b/interface-definitions/system-options.xml.in @@ -33,7 +33,7 @@ <description>Poweroff VyOS</description> </valueHelp> <constraint> - <regex>(ignore|reboot|poweroff)</regex> + <regex>^(ignore|reboot|poweroff)$</regex> </constraint> <constraintErrorMessage>Must be ignore, reboot, or poweroff</constraintErrorMessage> </properties> @@ -44,6 +44,15 @@ <valueless/> </properties> </leafNode> + <node name="http-client"> + <properties> + <help>Global options used for HTTP based commands</help> + </properties> + <children> + #include <include/source-interface.xml.i> + #include <include/source-address-ipv4-ipv6.xml.i> + </children> + </node> </children> </node> </children> diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index 9b9828ddd..159f4ea3e 100644 --- a/interface-definitions/vrf.xml.in +++ b/interface-definitions/vrf.xml.in @@ -4,7 +4,7 @@ <properties> <help>Virtual Routing and Forwarding</help> <!-- must be before any interface creation --> - <priority>210</priority> + <priority>60</priority> </properties> <children> <leafNode name="bind-to-all"> diff --git a/op-mode-definitions/monitor-ndp.xml b/op-mode-definitions/monitor-ndp.xml new file mode 100644 index 000000000..e25eccf3a --- /dev/null +++ b/op-mode-definitions/monitor-ndp.xml @@ -0,0 +1,44 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="monitor"> + <children> + <node name="ndp"> + <properties> + <help>Monitors the NDP information received by the router through the device</help> + </properties> + <command>sudo ndptool monitor</command> + <children> + <tagNode name="interface"> + <command>sudo ndptool monitor --ifname=$4</command> + <properties> + <help>Monitor ndp protocol on specified interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + <children> + <tagNode name="type"> + <command>sudo ndptool monitor --ifname=$4 --msg-type=$6</command> + <properties> + <help>Monitor ndp protocol on specified interface</help> + <completionHelp> + <list>rs ra ns na</list> + </completionHelp> + </properties> + </tagNode> + </children> + </tagNode> + <tagNode name="type"> + <command>sudo ndptool monitor --msg-type=$4</command> + <properties> + <help>Monitor ndp protocol on specified interface</help> + <completionHelp> + <list>rs ra ns na</list> + </completionHelp> + </properties> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/show-interfaces-ethernet.xml b/op-mode-definitions/show-interfaces-ethernet.xml index 80f07c2bd..bdcfa55f1 100644 --- a/op-mode-definitions/show-interfaces-ethernet.xml +++ b/op-mode-definitions/show-interfaces-ethernet.xml @@ -74,6 +74,7 @@ <properties> <help>Show ethernet interface information</help> </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=ethernet --action=show-brief</command> <children> <leafNode name="detail"> <properties> diff --git a/op-mode-definitions/show-interfaces-pppoe.xml b/op-mode-definitions/show-interfaces-pppoe.xml index 01acd4fc6..4263a2f0a 100644 --- a/op-mode-definitions/show-interfaces-pppoe.xml +++ b/op-mode-definitions/show-interfaces-pppoe.xml @@ -30,6 +30,20 @@ </leafNode> </children> </tagNode> + <node name="pppoe"> + <properties> + <help>Show PPPoE interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=pppoe --action=show-brief</command> + <children> + <leafNode name="detail"> + <properties> + <help>Show detailed PPPoE interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=pppoe --action=show</command> + </leafNode> + </children> + </node> </children> </node> </children> diff --git a/op-mode-definitions/show-interfaces-wirelessmodem.xml b/op-mode-definitions/show-interfaces-wirelessmodem.xml index 1f710b3dc..46f872c85 100644 --- a/op-mode-definitions/show-interfaces-wirelessmodem.xml +++ b/op-mode-definitions/show-interfaces-wirelessmodem.xml @@ -30,6 +30,20 @@ </leafNode> </children> </tagNode> + <node name="wirelessmodem"> + <properties> + <help>Show Wireless Modem (WWAN) interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show-brief</command> + <children> + <leafNode name="detail"> + <properties> + <help>Show detailed Wireless Modem (WWAN( interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show</command> + </leafNode> + </children> + </node> </children> </node> </children> diff --git a/op-mode-definitions/wireguard.xml b/op-mode-definitions/wireguard.xml index 1795fb820..a7bfa36a3 100644 --- a/op-mode-definitions/wireguard.xml +++ b/op-mode-definitions/wireguard.xml @@ -96,6 +96,20 @@ <!-- more commands upon request --> </children> </tagNode> + <node name="wireguard"> + <properties> + <help>Show wireguard interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show-brief</command> + <children> + <leafNode name="detail"> + <properties> + <help>Show detailed wireguard interface information</help> + </properties> + <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show</command> + </leafNode> + </children> + </node> </children> </node> </children> diff --git a/python/vyos/config.py b/python/vyos/config.py index 56353c322..884d6d947 100644 --- a/python/vyos/config.py +++ b/python/vyos/config.py @@ -63,23 +63,13 @@ In operational mode, all functions return values from the running config. """ -import os import re import json -import subprocess +from copy import deepcopy import vyos.util import vyos.configtree - - -class VyOSError(Exception): - """ - Raised on config access errors, most commonly if the type of a config tree node - in the system does not match the type of operation. - - """ - pass - +from vyos.configsource import ConfigSource, ConfigSourceSession class Config(object): """ @@ -89,49 +79,18 @@ class Config(object): the only state it keeps is relative *config path* for convenient access to config subtrees. """ - def __init__(self, session_env=None): - self._cli_shell_api = "/bin/cli-shell-api" - self._level = [] - if session_env: - self.__session_env = session_env - else: - self.__session_env = None - - # Running config can be obtained either from op or conf mode, it always succeeds - # once the config system is initialized during boot; - # before initialization, set to empty string - if os.path.isfile('/tmp/vyos-config-status'): - try: - running_config_text = self._run([self._cli_shell_api, '--show-active-only', '--show-show-defaults', '--show-ignore-edit', 'showConfig']) - except VyOSError: - running_config_text = '' - else: - running_config_text = '' - - # Session config ("active") only exists in conf mode. - # In op mode, we'll just use the same running config for both active and session configs. - if self.in_session(): - try: - session_config_text = self._run([self._cli_shell_api, '--show-working-only', '--show-show-defaults', '--show-ignore-edit', 'showConfig']) - except VyOSError: - session_config_text = '' - else: - session_config_text = running_config_text - - if running_config_text: - self._running_config = vyos.configtree.ConfigTree(running_config_text) - else: - self._running_config = None - - if session_config_text: - self._session_config = vyos.configtree.ConfigTree(session_config_text) + def __init__(self, session_env=None, config_source=None): + if config_source is None: + self._config_source = ConfigSourceSession(session_env) else: - self._session_config = None + if not isinstance(config_source, ConfigSource): + raise TypeError("config_source not of type ConfigSource") + self._config_source = config_source - def _make_command(self, op, path): - args = path.split() - cmd = [self._cli_shell_api, op] + args - return cmd + self._level = [] + self._dict_cache = {} + (self._running_config, + self._session_config) = self._config_source.get_configtree_tuple() def _make_path(self, path): # Backwards-compatibility stuff: original implementation used string paths @@ -147,19 +106,6 @@ class Config(object): raise TypeError("Path must be a whitespace-separated string or a list") return (self._level + path) - def _run(self, cmd): - if self.__session_env: - p = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=self.__session_env) - else: - p = subprocess.Popen(cmd, stdout=subprocess.PIPE) - out = p.stdout.read() - p.wait() - p.communicate() - if p.returncode != 0: - raise VyOSError() - else: - return out.decode('ascii') - def set_level(self, path): """ Set the *edit level*, that is, a relative config tree path. @@ -227,22 +173,14 @@ class Config(object): Returns: True if the config session has uncommited changes, False otherwise. """ - try: - self._run(self._make_command('sessionChanged', '')) - return True - except VyOSError: - return False + return self._config_source.session_changed() def in_session(self): """ Returns: True if called from a configuration session, False otherwise. """ - try: - self._run(self._make_command('inSession', '')) - return True - except VyOSError: - return False + return self._config_source.in_session() def show_config(self, path=[], default=None, effective=False): """ @@ -253,52 +191,39 @@ class Config(object): Returns: str: working configuration """ + return self._config_source.show_config(path, default, effective) - # show_config should be independent of CLI edit level. - # Set the CLI edit environment to the top level, and - # restore original on exit. - save_env = self.__session_env + def get_cached_dict(self, effective=False): + cached = self._dict_cache.get(effective, {}) + if cached: + config_dict = cached + else: + config_dict = {} - env_str = self._run(self._make_command('getEditResetEnv', '')) - env_list = re.findall(r'([A-Z_]+)=\'([^;\s]+)\'', env_str) - root_env = os.environ - for k, v in env_list: - root_env[k] = v + if effective: + if self._running_config: + config_dict = json.loads((self._running_config).to_json()) + else: + if self._session_config: + config_dict = json.loads((self._session_config).to_json()) - self.__session_env = root_env + self._dict_cache[effective] = config_dict - # FIXUP: by default, showConfig will give you a diff - # if there are uncommitted changes. - # The config parser obviously cannot work with diffs, - # so we need to supress diff production using appropriate - # options for getting either running (active) - # or proposed (working) config. - if effective: - path = ['--show-active-only'] + path - else: - path = ['--show-working-only'] + path - - if isinstance(path, list): - path = " ".join(path) - try: - out = self._run(self._make_command('showConfig', path)) - self.__session_env = save_env - return out - except VyOSError: - self.__session_env = save_env - return(default) + return config_dict - def get_config_dict(self, path=[], effective=False, key_mangling=None): + def get_config_dict(self, path=[], effective=False, key_mangling=None, get_first_key=False): """ - Args: path (str list): Configuration tree path, can be empty - Returns: a dict representation of the config + Args: + path (str list): Configuration tree path, can be empty + effective=False: effective or session config + key_mangling=None: mangle dict keys according to regex and replacement + get_first_key=False: if k = path[:-1], return sub-dict d[k] instead of {k: d[k]} + + Returns: a dict representation of the config under path """ - res = self.show_config(self._make_path(path), effective=effective) - if res: - config_tree = vyos.configtree.ConfigTree(res) - config_dict = json.loads(config_tree.to_json()) - else: - config_dict = {} + config_dict = self.get_cached_dict(effective) + + config_dict = vyos.util.get_sub_dict(config_dict, self._make_path(path), get_first_key) if key_mangling: if not (isinstance(key_mangling, tuple) and \ @@ -308,6 +233,8 @@ class Config(object): raise ValueError("key_mangling must be a tuple of two strings") else: config_dict = vyos.util.mangle_dict_keys(config_dict, key_mangling[0], key_mangling[1]) + else: + config_dict = deepcopy(config_dict) return config_dict @@ -322,12 +249,8 @@ class Config(object): Note: It also returns False if node doesn't exist. """ - try: - path = " ".join(self._level) + " " + path - self._run(self._make_command('isMulti', path)) - return True - except VyOSError: - return False + self._config_source.set_level(self.get_level) + return self._config_source.is_multi(path) def is_tag(self, path): """ @@ -340,12 +263,8 @@ class Config(object): Note: It also returns False if node doesn't exist. """ - try: - path = " ".join(self._level) + " " + path - self._run(self._make_command('isTag', path)) - return True - except VyOSError: - return False + self._config_source.set_level(self.get_level) + return self._config_source.is_tag(path) def is_leaf(self, path): """ @@ -358,12 +277,8 @@ class Config(object): Note: It also returns False if node doesn't exist. """ - try: - path = " ".join(self._level) + " " + path - self._run(self._make_command('isLeaf', path)) - return True - except VyOSError: - return False + self._config_source.set_level(self.get_level) + return self._config_source.is_leaf(path) def return_value(self, path, default=None): """ @@ -524,9 +439,6 @@ class Config(object): Returns: str list: child node names - - Raises: - VyOSError: if the node is not a tag node """ if self._running_config: try: diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index ce086872e..0dc7578d8 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -22,7 +22,6 @@ from enum import Enum from copy import deepcopy from vyos import ConfigError -from vyos.ifconfig import Interface from vyos.validate import is_member from vyos.util import ifname_from_config @@ -97,6 +96,8 @@ def dict_merge(source, destination): for key, value in source.items(): if key not in tmp.keys(): tmp[key] = value + elif isinstance(source[key], dict): + tmp[key] = dict_merge(source[key], tmp[key]) return tmp @@ -214,6 +215,8 @@ def disable_state(conf, check=[3,5,7]): def intf_to_dict(conf, default): + from vyos.ifconfig import Interface + """ Common used function which will extract VLAN related information from config and represent the result as Python dictionary. diff --git a/python/vyos/configdiff.py b/python/vyos/configdiff.py new file mode 100644 index 000000000..b79893507 --- /dev/null +++ b/python/vyos/configdiff.py @@ -0,0 +1,249 @@ +# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. + +from enum import IntFlag, auto + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.util import get_sub_dict, mangle_dict_keys +from vyos.xml import defaults + +class ConfigDiffError(Exception): + """ + Raised on config dict access errors, for example, calling get_value on + a non-leaf node. + """ + pass + +def enum_to_key(e): + return e.name.lower() + +class Diff(IntFlag): + MERGE = auto() + DELETE = auto() + ADD = auto() + STABLE = auto() + +requires_effective = [enum_to_key(Diff.DELETE)] +target_defaults = [enum_to_key(Diff.MERGE)] + +def _key_sets_from_dicts(session_dict, effective_dict): + session_keys = list(session_dict) + effective_keys = list(effective_dict) + + ret = {} + stable_keys = [k for k in session_keys if k in effective_keys] + + ret[enum_to_key(Diff.MERGE)] = session_keys + ret[enum_to_key(Diff.DELETE)] = [k for k in effective_keys if k not in stable_keys] + ret[enum_to_key(Diff.ADD)] = [k for k in session_keys if k not in stable_keys] + ret[enum_to_key(Diff.STABLE)] = stable_keys + + return ret + +def _dict_from_key_set(key_set, d): + # This will always be applied to a key_set obtained from a get_sub_dict, + # hence there is no possibility of KeyError, as get_sub_dict guarantees + # a return type of dict + ret = {k: d[k] for k in key_set} + + return ret + +def get_config_diff(config, key_mangling=None): + """ + Check type and return ConfigDiff instance. + """ + if not config or not isinstance(config, Config): + raise TypeError("argument must me a Config instance") + if key_mangling and not (isinstance(key_mangling, tuple) and \ + (len(key_mangling) == 2) and \ + isinstance(key_mangling[0], str) and \ + isinstance(key_mangling[1], str)): + raise ValueError("key_mangling must be a tuple of two strings") + + return ConfigDiff(config, key_mangling) + +class ConfigDiff(object): + """ + The class of config changes as represented by comparison between the + session config dict and the effective config dict. + """ + def __init__(self, config, key_mangling=None): + self._level = config.get_level() + self._session_config_dict = config.get_cached_dict() + self._effective_config_dict = config.get_cached_dict(effective=True) + self._key_mangling = key_mangling + + # mirrored from Config; allow path arguments relative to level + def _make_path(self, path): + if isinstance(path, str): + path = path.split() + elif isinstance(path, list): + pass + else: + raise TypeError("Path must be a whitespace-separated string or a list") + + ret = self._level + path + return ret + + def set_level(self, path): + """ + Set the *edit level*, that is, a relative config dict path. + Once set, all operations will be relative to this path, + for example, after ``set_level("system")``, calling + ``get_value("name-server")`` is equivalent to calling + ``get_value("system name-server")`` without ``set_level``. + + Args: + path (str|list): relative config path + """ + if isinstance(path, str): + if path: + self._level = path.split() + else: + self._level = [] + elif isinstance(path, list): + self._level = path.copy() + else: + raise TypeError("Level path must be either a whitespace-separated string or a list") + + def get_level(self): + """ + Gets the current edit level. + + Returns: + str: current edit level + """ + ret = self._level.copy() + return ret + + def _mangle_dict_keys(self, config_dict): + config_dict = mangle_dict_keys(config_dict, self._key_mangling[0], + self._key_mangling[1]) + return config_dict + + def get_child_nodes_diff(self, path=[], expand_nodes=Diff(0), no_defaults=False): + """ + Args: + path (str|list): config path + expand_nodes=Diff(0): bit mask of enum indicating for which nodes + to provide full dict; for example, Diff.MERGE + will expand dict['merge'] into dict under + value + no_detaults=False: if expand_nodes & Diff.MERGE, do not merge default + values to ret['merge'] + + Returns: dict of lists, representing differences between session + and effective config, under path + dict['merge'] = session config values + dict['delete'] = effective config values, not in session + dict['add'] = session config values, not in effective + dict['stable'] = config values in both session and effective + """ + session_dict = get_sub_dict(self._session_config_dict, + self._make_path(path), get_first_key=True) + effective_dict = get_sub_dict(self._effective_config_dict, + self._make_path(path), get_first_key=True) + + ret = _key_sets_from_dicts(session_dict, effective_dict) + + if not expand_nodes: + return ret + + for e in Diff: + if expand_nodes & e: + k = enum_to_key(e) + if k in requires_effective: + ret[k] = _dict_from_key_set(ret[k], effective_dict) + else: + ret[k] = _dict_from_key_set(ret[k], session_dict) + + if self._key_mangling: + ret[k] = self._mangle_dict_keys(ret[k]) + + if k in target_defaults and not no_defaults: + default_values = defaults(self._make_path(path)) + ret[k] = dict_merge(default_values, ret[k]) + + return ret + + def get_node_diff(self, path=[], expand_nodes=Diff(0), no_defaults=False): + """ + Args: + path (str|list): config path + expand_nodes=Diff(0): bit mask of enum indicating for which nodes + to provide full dict; for example, Diff.MERGE + will expand dict['merge'] into dict under + value + no_detaults=False: if expand_nodes & Diff.MERGE, do not merge default + values to ret['merge'] + + Returns: dict of lists, representing differences between session + and effective config, at path + dict['merge'] = session config values + dict['delete'] = effective config values, not in session + dict['add'] = session config values, not in effective + dict['stable'] = config values in both session and effective + """ + session_dict = get_sub_dict(self._session_config_dict, self._make_path(path)) + effective_dict = get_sub_dict(self._effective_config_dict, self._make_path(path)) + + ret = _key_sets_from_dicts(session_dict, effective_dict) + + if not expand_nodes: + return ret + + for e in Diff: + if expand_nodes & e: + k = enum_to_key(e) + if k in requires_effective: + ret[k] = _dict_from_key_set(ret[k], effective_dict) + else: + ret[k] = _dict_from_key_set(ret[k], session_dict) + + if self._key_mangling: + ret[k] = self._mangle_dict_keys(ret[k]) + + if k in target_defaults and not no_defaults: + default_values = defaults(self._make_path(path)) + ret[k] = dict_merge(default_values, ret[k]) + + return ret + + def get_value_diff(self, path=[]): + """ + Args: + path (str|list): config path + + Returns: (new, old) tuple of values in session config/effective config + """ + # one should properly use is_leaf as check; for the moment we will + # deduce from type, which will not catch call on non-leaf node if None + new_value_dict = get_sub_dict(self._session_config_dict, self._make_path(path)) + old_value_dict = get_sub_dict(self._effective_config_dict, self._make_path(path)) + + new_value = None + old_value = None + if new_value_dict: + new_value = next(iter(new_value_dict.values())) + if old_value_dict: + old_value = next(iter(old_value_dict.values())) + + if new_value and isinstance(new_value, dict): + raise ConfigDiffError("get_value_changed called on non-leaf node") + if old_value and isinstance(old_value, dict): + raise ConfigDiffError("get_value_changed called on non-leaf node") + + return new_value, old_value diff --git a/python/vyos/configsource.py b/python/vyos/configsource.py new file mode 100644 index 000000000..50222e385 --- /dev/null +++ b/python/vyos/configsource.py @@ -0,0 +1,318 @@ + +# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. + +import os +import re +import subprocess + +from vyos.configtree import ConfigTree + +class VyOSError(Exception): + """ + Raised on config access errors. + """ + pass + +class ConfigSourceError(Exception): + ''' + Raised on error in ConfigSource subclass init. + ''' + pass + +class ConfigSource: + def __init__(self): + self._running_config: ConfigTree = None + self._session_config: ConfigTree = None + + def get_configtree_tuple(self): + return self._running_config, self._session_config + + def session_changed(self): + """ + Returns: + True if the config session has uncommited changes, False otherwise. + """ + raise NotImplementedError(f"function not available for {type(self)}") + + def in_session(self): + """ + Returns: + True if called from a configuration session, False otherwise. + """ + raise NotImplementedError(f"function not available for {type(self)}") + + def show_config(self, path=[], default=None, effective=False): + """ + Args: + path (str|list): Configuration tree path, or empty + default (str): Default value to return + + Returns: + str: working configuration + """ + raise NotImplementedError(f"function not available for {type(self)}") + + def is_multi(self, path): + """ + Args: + path (str): Configuration tree path + + Returns: + True if a node can have multiple values, False otherwise. + + Note: + It also returns False if node doesn't exist. + """ + raise NotImplementedError(f"function not available for {type(self)}") + + def is_tag(self, path): + """ + Args: + path (str): Configuration tree path + + Returns: + True if a node is a tag node, False otherwise. + + Note: + It also returns False if node doesn't exist. + """ + raise NotImplementedError(f"function not available for {type(self)}") + + def is_leaf(self, path): + """ + Args: + path (str): Configuration tree path + + Returns: + True if a node is a leaf node, False otherwise. + + Note: + It also returns False if node doesn't exist. + """ + raise NotImplementedError(f"function not available for {type(self)}") + +class ConfigSourceSession(ConfigSource): + def __init__(self, session_env=None): + super().__init__() + self._cli_shell_api = "/bin/cli-shell-api" + self._level = [] + if session_env: + self.__session_env = session_env + else: + self.__session_env = None + + # Running config can be obtained either from op or conf mode, it always succeeds + # once the config system is initialized during boot; + # before initialization, set to empty string + if os.path.isfile('/tmp/vyos-config-status'): + try: + running_config_text = self._run([self._cli_shell_api, '--show-active-only', '--show-show-defaults', '--show-ignore-edit', 'showConfig']) + except VyOSError: + running_config_text = '' + else: + running_config_text = '' + + # Session config ("active") only exists in conf mode. + # In op mode, we'll just use the same running config for both active and session configs. + if self.in_session(): + try: + session_config_text = self._run([self._cli_shell_api, '--show-working-only', '--show-show-defaults', '--show-ignore-edit', 'showConfig']) + except VyOSError: + session_config_text = '' + else: + session_config_text = running_config_text + + if running_config_text: + self._running_config = ConfigTree(running_config_text) + else: + self._running_config = None + + if session_config_text: + self._session_config = ConfigTree(session_config_text) + else: + self._session_config = None + + def _make_command(self, op, path): + args = path.split() + cmd = [self._cli_shell_api, op] + args + return cmd + + def _run(self, cmd): + if self.__session_env: + p = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=self.__session_env) + else: + p = subprocess.Popen(cmd, stdout=subprocess.PIPE) + out = p.stdout.read() + p.wait() + p.communicate() + if p.returncode != 0: + raise VyOSError() + else: + return out.decode('ascii') + + def set_level(self, path): + """ + Set the *edit level*, that is, a relative config tree path. + Once set, all operations will be relative to this path, + for example, after ``set_level("system")``, calling + ``exists("name-server")`` is equivalent to calling + ``exists("system name-server"`` without ``set_level``. + + Args: + path (str|list): relative config path + """ + # Make sure there's always a space between default path (level) + # and path supplied as method argument + # XXX: for small strings in-place concatenation is not a problem + if isinstance(path, str): + if path: + self._level = re.split(r'\s+', path) + else: + self._level = [] + elif isinstance(path, list): + self._level = path.copy() + else: + raise TypeError("Level path must be either a whitespace-separated string or a list") + + def session_changed(self): + """ + Returns: + True if the config session has uncommited changes, False otherwise. + """ + try: + self._run(self._make_command('sessionChanged', '')) + return True + except VyOSError: + return False + + def in_session(self): + """ + Returns: + True if called from a configuration session, False otherwise. + """ + try: + self._run(self._make_command('inSession', '')) + return True + except VyOSError: + return False + + def show_config(self, path=[], default=None, effective=False): + """ + Args: + path (str|list): Configuration tree path, or empty + default (str): Default value to return + + Returns: + str: working configuration + """ + + # show_config should be independent of CLI edit level. + # Set the CLI edit environment to the top level, and + # restore original on exit. + save_env = self.__session_env + + env_str = self._run(self._make_command('getEditResetEnv', '')) + env_list = re.findall(r'([A-Z_]+)=\'([^;\s]+)\'', env_str) + root_env = os.environ + for k, v in env_list: + root_env[k] = v + + self.__session_env = root_env + + # FIXUP: by default, showConfig will give you a diff + # if there are uncommitted changes. + # The config parser obviously cannot work with diffs, + # so we need to supress diff production using appropriate + # options for getting either running (active) + # or proposed (working) config. + if effective: + path = ['--show-active-only'] + path + else: + path = ['--show-working-only'] + path + + if isinstance(path, list): + path = " ".join(path) + try: + out = self._run(self._make_command('showConfig', path)) + self.__session_env = save_env + return out + except VyOSError: + self.__session_env = save_env + return(default) + + def is_multi(self, path): + """ + Args: + path (str): Configuration tree path + + Returns: + True if a node can have multiple values, False otherwise. + + Note: + It also returns False if node doesn't exist. + """ + try: + path = " ".join(self._level) + " " + path + self._run(self._make_command('isMulti', path)) + return True + except VyOSError: + return False + + def is_tag(self, path): + """ + Args: + path (str): Configuration tree path + + Returns: + True if a node is a tag node, False otherwise. + + Note: + It also returns False if node doesn't exist. + """ + try: + path = " ".join(self._level) + " " + path + self._run(self._make_command('isTag', path)) + return True + except VyOSError: + return False + + def is_leaf(self, path): + """ + Args: + path (str): Configuration tree path + + Returns: + True if a node is a leaf node, False otherwise. + + Note: + It also returns False if node doesn't exist. + """ + try: + path = " ".join(self._level) + " " + path + self._run(self._make_command('isLeaf', path)) + return True + except VyOSError: + return False + +class ConfigSourceString(ConfigSource): + def __init__(self, running_config_text=None, session_config_text=None): + super().__init__() + + try: + self._running_config = ConfigTree(running_config_text) if running_config_text else None + self._session_config = ConfigTree(session_config_text) if session_config_text else None + except ValueError: + raise ConfigSourceError(f"Init error in {type(self)}") diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py new file mode 100644 index 000000000..32129a048 --- /dev/null +++ b/python/vyos/configverify.py @@ -0,0 +1,78 @@ +# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +# The sole purpose of this module is to hold common functions used in +# all kinds of implementations to verify the CLI configuration. +# It is started by migrating the interfaces to the new get_config_dict() +# approach which will lead to a lot of code that can be reused. + +# NOTE: imports should be as local as possible to the function which +# makes use of it! + +from vyos import ConfigError + +def verify_vrf(config): + """ + Common helper function used by interface implementations to perform + recurring validation of VRF configuration. + """ + from netifaces import interfaces + if 'vrf' in config.keys(): + if config['vrf'] not in interfaces(): + raise ConfigError('VRF "{vrf}" does not exist'.format(**config)) + + if 'is_bridge_member' in config.keys(): + raise ConfigError( + 'Interface "{ifname}" cannot be both a member of VRF "{vrf}" ' + 'and bridge "{is_bridge_member}"!'.format(**config)) + + +def verify_address(config): + """ + Common helper function used by interface implementations to + perform recurring validation of IP address assignmenr + when interface also is part of a bridge. + """ + if {'is_bridge_member', 'address'} <= set(config): + raise ConfigError( + f'Cannot assign address to interface "{ifname}" as it is a ' + f'member of bridge "{is_bridge_member}"!'.format(**config)) + + +def verify_bridge_delete(config): + """ + Common helper function used by interface implementations to + perform recurring validation of IP address assignmenr + when interface also is part of a bridge. + """ + if 'is_bridge_member' in config.keys(): + raise ConfigError( + 'Interface "{ifname}" cannot be deleted as it is a ' + 'member of bridge "{is_bridge_member}"!'.format(**config)) + + +def verify_source_interface(config): + """ + Common helper function used by interface implementations to + perform recurring validation of the existence of a source-interface + required by e.g. peth/MACvlan, MACsec ... + """ + from netifaces import interfaces + if not 'source_interface' in config.keys(): + raise ConfigError('Physical source-interface required for ' + 'interface "{ifname}"'.format(**config)) + if not config['source_interface'] in interfaces(): + raise ConfigError(f'Source interface {source_interface} does not ' + f'exist'.format(**config)) diff --git a/python/vyos/frr.py b/python/vyos/frr.py new file mode 100644 index 000000000..e39b6a914 --- /dev/null +++ b/python/vyos/frr.py @@ -0,0 +1,288 @@ +# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. + +r""" +A Library for interracting with the FRR daemon suite. +It supports simple configuration manipulation and loading using the official tools +supplied with FRR (vtysh and frr-reload) + +All configuration management and manipulation is done using strings and regex. + + +Example Usage +##### + +# Reading configuration from frr: +``` +>>> original_config = get_configuration() +>>> repr(original_config) +'!\nfrr version 7.3.1\nfrr defaults traditional\nhostname debian\n...... +``` + + +# Modify a configuration section: +``` +>>> new_bgp_section = 'router bgp 65000\n neighbor 192.0.2.1 remote-as 65000\n' +>>> modified_config = replace_section(original_config, new_bgp_section, replace_re=r'router bgp \d+') +>>> repr(modified_config) +'............router bgp 65000\n neighbor 192.0.2.1 remote-as 65000\n...........' +``` + +Remove a configuration section: +``` +>>> modified_config = remove_section(original_config, r'router ospf') +``` + +Test the new configuration: +``` +>>> try: +>>> mark_configuration(modified configuration) +>>> except ConfigurationNotValid as e: +>>> print('resulting configuration is not valid') +>>> sys.exit(1) +``` + +Apply the new configuration: +``` +>>> try: +>>> replace_configuration(modified_config) +>>> except CommitError as e: +>>> print('Exception while commiting the supplied configuration') +>>> print(e) +>>> exit(1) +``` +""" + +import tempfile +import re +from vyos import util + +_frr_daemons = ['zebra', 'bgpd', 'fabricd', 'isisd', 'ospf6d', 'ospfd', 'pbrd', + 'pimd', 'ripd', 'ripngd', 'sharpd', 'staticd', 'vrrpd', 'ldpd'] + +path_vtysh = '/usr/bin/vtysh' +path_frr_reload = '/usr/lib/frr/frr-reload.py' + + +class FrrError(Exception): + pass + + +class ConfigurationNotValid(FrrError): + """ + The configuratioin supplied to vtysh is not valid + """ + pass + + +class CommitError(FrrError): + """ + Commiting the supplied configuration failed to commit by a unknown reason + see commit error and/or run mark_configuration on the specified configuration + to se error generated + + used by: reload_configuration() + """ + pass + + +class ConfigSectionNotFound(FrrError): + """ + Removal of configuration failed because it is not existing in the supplied configuration + """ + pass + + +def get_configuration(daemon=None, marked=False): + """ Get current running FRR configuration + daemon: Collect only configuration for the specified FRR daemon, + supplying daemon=None retrieves the complete configuration + marked: Mark the configuration with "end" tags + + return: string containing the running configuration from frr + + """ + if daemon and daemon not in _frr_daemons: + raise ValueError(f'The specified daemon type is not supported {repr(daemon)}') + + cmd = f"{path_vtysh} -c 'show run'" + if daemon: + cmd += f' -d {daemon}' + + output, code = util.popen(cmd, stderr=util.STDOUT) + if code: + raise OSError(code, output) + + config = output.replace('\r', '') + # Remove first header lines from FRR config + config = config.split("\n", 3)[-1] + # Mark the configuration with end tags + if marked: + config = mark_configuration(config) + + return config + + +def mark_configuration(config): + """ Add end marks and Test the configuration for syntax faults + If the configuration is valid a marked version of the configuration is returned, + or else it failes with a ConfigurationNotValid Exception + + config: The configuration string to mark/test + return: The marked configuration from FRR + """ + output, code = util.popen(f"{path_vtysh} -m -f -", stderr=util.STDOUT, input=config) + + if code == 2: + raise ConfigurationNotValid(str(output)) + elif code: + raise OSError(code, output) + + config = output.replace('\r', '') + return config + + +def reload_configuration(config, daemon=None): + """ Execute frr-reload with the new configuration + This will try to reapply the supplied configuration inside FRR. + The configuration needs to be a complete configuration from the integrated config or + from a daemon. + + config: The configuration to apply + daemon: Apply the conigutaion to the specified FRR daemon, + supplying daemon=None applies to the integrated configuration + return: None + """ + if daemon and daemon not in _frr_daemons: + raise ValueError(f'The specified daemon type is not supported {repr(daemon)}') + + f = tempfile.NamedTemporaryFile('w') + f.write(config) + f.flush() + + cmd = f'{path_frr_reload} --reload' + if daemon: + cmd += f' --daemon {daemon}' + cmd += f' {f.name}' + + output, code = util.popen(cmd, stderr=util.STDOUT) + f.close() + if code == 1: + raise CommitError(f'Configuration FRR failed while commiting code: {repr(output)}') + elif code: + raise OSError(code, output) + + return output + + +def execute(command): + """ Run commands inside vtysh + command: str containing commands to execute inside a vtysh session + """ + if not isinstance(command, str): + raise ValueError(f'command needs to be a string: {repr(command)}') + + cmd = f"{path_vtysh} -c '{command}'" + + output, code = util.popen(cmd, stderr=util.STDOUT) + if code: + raise OSError(code, output) + + config = output.replace('\r', '') + return config + + +def configure(lines, daemon=False): + """ run commands inside config mode vtysh + lines: list or str conaining commands to execute inside a configure session + only one command executed on each configure() + Executing commands inside a subcontext uses the list to describe the context + ex: ['router bgp 6500', 'neighbor 192.0.2.1 remote-as 65000'] + return: None + """ + if isinstance(lines, str): + lines = [lines] + elif not isinstance(lines, list): + raise ValueError('lines needs to be string or list of commands') + + if daemon and daemon not in _frr_daemons: + raise ValueError(f'The specified daemon type is not supported {repr(daemon)}') + + cmd = f'{path_vtysh}' + if daemon: + cmd += f' -d {daemon}' + + cmd += " -c 'configure terminal'" + for x in lines: + cmd += f" -c '{x}'" + + output, code = util.popen(cmd, stderr=util.STDOUT) + if code == 1: + raise ConfigurationNotValid(f'Configuration FRR failed: {repr(output)}') + elif code: + raise OSError(code, output) + + config = output.replace('\r', '') + return config + + +def _replace_section(config, replacement, replace_re, before_re): + r"""Replace a section of FRR config + config: full original configuration + replacement: replacement configuration section + replace_re: The regex to replace + example: ^router bgp \d+$.?*^!$ + this will replace everything between ^router bgp X$ and ^!$ + before_re: When replace_re is not existant, the config will be added before this tag + example: ^line vty$ + + return: modified configuration as a text file + """ + # Check if block is configured, remove the existing instance else add a new one + if re.findall(replace_re, config, flags=re.MULTILINE | re.DOTALL): + # Section is in the configration, replace it + return re.sub(replace_re, replacement, config, count=1, + flags=re.MULTILINE | re.DOTALL) + if before_re: + if not re.findall(before_re, config, flags=re.MULTILINE | re.DOTALL): + raise ConfigSectionNotFound(f"Config section {before_re} not found in config") + + # If no section is in the configuration, add it before the line vty line + return re.sub(before_re, rf'{replacement}\n\g<1>', config, count=1, + flags=re.MULTILINE | re.DOTALL) + + raise ConfigSectionNotFound(f"Config section {replacement} not found in config") + + +def replace_section(config, replacement, from_re, to_re=r'!', before_re=r'line vty'): + r"""Replace a section of FRR config + config: full original configuration + replacement: replacement configuration section + from_re: Regex for the start of section matching + example: 'router bgp \d+' + to_re: Regex for stop of section matching + default: '!' + example: '!' or 'end' + before_re: When from_re/to_re does not return a match, the config will + be added before this tag + default: ^line vty$ + + startline and endline tags will be automatically added to the resulting from_re/to_re and before_re regex'es + """ + return _replace_section(config, replacement, replace_re=rf'^{from_re}$.*?^{to_re}$', before_re=rf'^{before_re}$') + + +def remove_section(config, from_re, to_re='!'): + return _replace_section(config, '', replace_re=rf'^{from_re}$.*?^{to_re}$', before_re=None) diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index 2c2396440..8d7b247fc 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -27,6 +27,7 @@ from netifaces import AF_INET from netifaces import AF_INET6 from vyos import ConfigError +from vyos.configdict import list_diff from vyos.util import mac2eui64 from vyos.validate import is_ipv4 from vyos.validate import is_ipv6 @@ -321,7 +322,11 @@ class Interface(Control): self.set_admin_state('down') self.set_interface('mac', mac) - + + # Turn an interface to the 'up' state if it was changed to 'down' by this fucntion + if prev_state == 'up': + self.set_admin_state('up') + def set_vrf(self, vrf=''): """ Add/Remove interface from given VRF instance. @@ -662,10 +667,12 @@ class Interface(Control): if addr in self._addr: return False + addr_is_v4 = is_ipv4(addr) + # we can't have both DHCP and static IPv4 addresses assigned for a in self._addr: if ( ( addr == 'dhcp' and a != 'dhcpv6' and is_ipv4(a) ) or - ( a == 'dhcp' and addr != 'dhcpv6' and is_ipv4(addr) ) ): + ( a == 'dhcp' and addr != 'dhcpv6' and addr_is_v4 ) ): raise ConfigError(( "Can't configure both static IPv4 and DHCP address " "on the same interface")) @@ -676,7 +683,8 @@ class Interface(Control): elif addr == 'dhcpv6': self.dhcp.v6.set() elif not is_intf_addr_assigned(self.ifname, addr): - self._cmd(f'ip addr add "{addr}" dev "{self.ifname}"') + self._cmd(f'ip addr add "{addr}" ' + f'{"brd + " if addr_is_v4 else ""}dev "{self.ifname}"') else: return False @@ -757,3 +765,41 @@ class Interface(Control): # TODO: port config (STP) return True + + def update(self, config): + """ General helper function which works on a dictionary retrived by + get_config_dict(). It's main intention is to consolidate the scattered + interface setup code and provide a single point of entry when workin + on any interface. """ + + # Update interface description + self.set_alias(config.get('description', None)) + + # Configure assigned interface IP addresses. No longer + # configured addresses will be removed first + new_addr = config.get('address', []) + + # XXX workaround for T2636, convert IP address string to a list + # with one element + if isinstance(new_addr, str): + new_addr = [new_addr] + + # determine IP addresses which are assigned to the interface and build a + # list of addresses which are no longer in the dict so they can be removed + cur_addr = self.get_addr() + for addr in list_diff(cur_addr, new_addr): + self.del_addr(addr) + + for addr in new_addr: + self.add_addr(addr) + + # There are some items in the configuration which can only be applied + # if this instance is not bound to a bridge. This should be checked + # by the caller but better save then sorry! + if not config.get('is_bridge_member', False): + # Bind interface instance into VRF + self.set_vrf(config.get('vrf', '')) + + # Interface administrative state + state = 'down' if 'disable' in config.keys() else 'up' + self.set_admin_state(state) diff --git a/python/vyos/ifconfig/loopback.py b/python/vyos/ifconfig/loopback.py index 8e4438662..7ebd13b54 100644 --- a/python/vyos/ifconfig/loopback.py +++ b/python/vyos/ifconfig/loopback.py @@ -23,7 +23,7 @@ class LoopbackIf(Interface): The loopback device is a special, virtual network interface that your router uses to communicate with itself. """ - + _persistent_addresses = ['127.0.0.1/8', '::1/128'] default = { 'type': 'loopback', } @@ -49,10 +49,31 @@ class LoopbackIf(Interface): """ # remove all assigned IP addresses from interface for addr in self.get_addr(): - if addr in ["127.0.0.1/8", "::1/128"]: + if addr in self._persistent_addresses: # Do not allow deletion of the default loopback addresses as # this will cause weird system behavior like snmp/ssh no longer # operating as expected, see https://phabricator.vyos.net/T2034. continue self.del_addr(addr) + + def update(self, config): + """ General helper function which works on a dictionary retrived by + get_config_dict(). It's main intention is to consolidate the scattered + interface setup code and provide a single point of entry when workin + on any interface. """ + + addr = config.get('address', []) + # XXX workaround for T2636, convert IP address string to a list + # with one element + if isinstance(addr, str): + addr = [addr] + + # We must ensure that the loopback addresses are never deleted from the system + addr += self._persistent_addresses + + # Update IP address entry in our dictionary + config.update({'address' : addr}) + + # now call the regular function from within our base class + super().update(config) diff --git a/python/vyos/snmpv3_hashgen.py b/python/vyos/snmpv3_hashgen.py new file mode 100644 index 000000000..324c3274d --- /dev/null +++ b/python/vyos/snmpv3_hashgen.py @@ -0,0 +1,50 @@ +# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +# Documentation / Inspiration +# - https://tools.ietf.org/html/rfc3414#appendix-A.3 +# - https://github.com/TheMysteriousX/SNMPv3-Hash-Generator + +key_length = 1048576 + +def random(l): + # os.urandom(8) returns 8 bytes of random data + import os + from binascii import hexlify + return hexlify(os.urandom(l)).decode('utf-8') + +def expand(s, l): + """ repead input string (s) as long as we reach the desired length in bytes """ + from itertools import repeat + reps = l // len(s) + 1 # approximation; worst case: overrun = l + len(s) + return ''.join(list(repeat(s, reps)))[:l].encode('utf-8') + +def plaintext_to_md5(passphrase, engine): + """ Convert input plaintext passphrase to MD5 hashed version usable by net-snmp """ + from hashlib import md5 + tmp = expand(passphrase, key_length) + hash = md5(tmp).digest() + engine = bytearray.fromhex(engine) + out = b''.join([hash, engine, hash]) + return md5(out).digest().hex() + +def plaintext_to_sha1(passphrase, engine): + """ Convert input plaintext passphrase to SHA1hashed version usable by net-snmp """ + from hashlib import sha1 + tmp = expand(passphrase, key_length) + hash = sha1(tmp).digest() + engine = bytearray.fromhex(engine) + out = b''.join([hash, engine, hash]) + return sha1(out).digest().hex() diff --git a/python/vyos/template.py b/python/vyos/template.py index e4b253ed3..d9b0c749d 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -17,11 +17,9 @@ import os from jinja2 import Environment from jinja2 import FileSystemLoader - from vyos.defaults import directories from vyos.util import chmod, chown, makedir - # reuse the same Environment to improve performance _templates_env = { False: Environment(loader=FileSystemLoader(directories['templates'])), @@ -32,6 +30,21 @@ _templates_mem = { True: {}, } +def vyos_address_from_cidr(text): + """ Take an IPv4/IPv6 CIDR prefix and convert the network to an "address". + Example: + 192.0.2.0/24 -> 192.0.2.0, 2001:db8::/48 -> 2001:db8:: + """ + from ipaddress import ip_network + return ip_network(text).network_address + +def vyos_netmask_from_cidr(text): + """ Take an IPv4/IPv6 CIDR prefix and convert the prefix length to a "subnet mask". + Example: + 192.0.2.0/24 -> 255.255.255.0, 2001:db8::/48 -> ffff:ffff:ffff:: + """ + from ipaddress import ip_network + return ip_network(text).netmask def render(destination, template, content, trim_blocks=False, formater=None, permission=None, user=None, group=None): """ @@ -42,8 +55,8 @@ def render(destination, template, content, trim_blocks=False, formater=None, per This classes cache the renderer, so rendering the same file multiple time does not cause as too much overhead. If use everywhere, it could be changed - and load the template from python environement variables from an import - python module generated when the debian package is build + and load the template from python environement variables from an import + python module generated when the debian package is build (recovering the load time and overhead caused by having the file out of the code) """ @@ -54,11 +67,15 @@ def render(destination, template, content, trim_blocks=False, formater=None, per # Setup a renderer for the given template # This is cached and re-used for performance if template not in _templates_mem[trim_blocks]: - _templates_mem[trim_blocks][template] = _templates_env[trim_blocks].get_template(template) + _env = _templates_env[trim_blocks] + _env.filters['address_from_cidr'] = vyos_address_from_cidr + _env.filters['netmask_from_cidr'] = vyos_netmask_from_cidr + _templates_mem[trim_blocks][template] = _env.get_template(template) + template = _templates_mem[trim_blocks][template] # As we are opening the file with 'w', we are performing the rendering - # before calling open() to not accidentally erase the file if the + # before calling open() to not accidentally erase the file if the # templating fails content = template.render(content) diff --git a/python/vyos/util.py b/python/vyos/util.py index 0ddc14963..7234be6cb 100644 --- a/python/vyos/util.py +++ b/python/vyos/util.py @@ -364,6 +364,46 @@ def mangle_dict_keys(data, regex, replacement): return new_dict +def _get_sub_dict(d, lpath): + k = lpath[0] + if k not in d.keys(): + return {} + c = {k: d[k]} + lpath = lpath[1:] + if not lpath: + return c + elif not isinstance(c[k], dict): + return {} + return _get_sub_dict(c[k], lpath) + +def get_sub_dict(source, lpath, get_first_key=False): + """ Returns the sub-dict of a nested dict, defined by path of keys. + + Args: + source (dict): Source dict to extract from + lpath (list[str]): sequence of keys + + Returns: source, if lpath is empty, else + {key : source[..]..[key]} for key the last element of lpath, if exists + {} otherwise + """ + if not isinstance(source, dict): + raise TypeError("source must be of type dict") + if not isinstance(lpath, list): + raise TypeError("path must be of type list") + if not lpath: + return source + + ret = _get_sub_dict(source, lpath) + + if get_first_key and lpath and ret: + tmp = next(iter(ret.values())) + if not isinstance(tmp, dict): + raise TypeError("Data under node is not of type dict") + ret = tmp + + return ret + def process_running(pid_file): """ Checks if a process with PID in pid_file is running """ from psutil import pid_exists @@ -612,3 +652,12 @@ def get_bridge_member_config(conf, br, intf): conf.set_level(old_level) return memberconf + +def check_kmod(k_mod): + """ Common utility function to load required kernel modules on demand """ + if isinstance(k_mod, str): + k_mod = k_mod.split() + for module in k_mod: + if not os.path.exists(f'/sys/module/{module}'): + if call(f'modprobe {module}') != 0: + raise ConfigError(f'Loading Kernel module {module} failed') diff --git a/python/vyos/validate.py b/python/vyos/validate.py index 9072c5817..a0620e4dd 100644 --- a/python/vyos/validate.py +++ b/python/vyos/validate.py @@ -19,6 +19,7 @@ import netifaces import ipaddress from vyos.util import cmd +from vyos import xml # Important note when you are adding new validation functions: # @@ -293,12 +294,12 @@ def is_member(conf, interface, intftype=None): for it in intftype: base = 'interfaces ' + it for intf in conf.list_nodes(base): - memberintf = f'{base} {intf} member interface' - if conf.is_tag(memberintf): + memberintf = [base, intf, 'member', 'interface'] + if xml.is_tag(memberintf): if interface in conf.list_nodes(memberintf): ret_val = intf break - elif conf.is_leaf(memberintf): + elif xml.is_leaf(memberintf): if ( conf.exists(memberintf) and interface in conf.return_values(memberintf) ): ret_val = intf diff --git a/python/vyos/xml/__init__.py b/python/vyos/xml/__init__.py index 52f5bfb38..0f914fed2 100644 --- a/python/vyos/xml/__init__.py +++ b/python/vyos/xml/__init__.py @@ -9,7 +9,7 @@ # See the GNU Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public License along with this library; -# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA from vyos.xml import definition @@ -35,5 +35,25 @@ def load_configuration(cache=[]): return xml -def defaults(lpath): - return load_configuration().defaults(lpath) +# def is_multi(lpath): +# return load_configuration().is_multi(lpath) + + +def is_tag(lpath): + return load_configuration().is_tag(lpath) + + +def is_leaf(lpath, flat=True): + return load_configuration().is_leaf(lpath, flat) + + +def defaults(lpath, flat=False): + return load_configuration().defaults(lpath, flat) + + +if __name__ == '__main__': + print(defaults(['service'], flat=True)) + print(defaults(['service'], flat=False)) + + print(is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) + print(is_tag(['protocols', 'static', 'multicast', 'route', '0.0.0.0/0', 'next-hop'])) diff --git a/python/vyos/xml/definition.py b/python/vyos/xml/definition.py index c5f6b0fc7..098e64f7e 100644 --- a/python/vyos/xml/definition.py +++ b/python/vyos/xml/definition.py @@ -11,7 +11,6 @@ # You should have received a copy of the GNU Lesser General Public License along with this library; # if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - from vyos.xml import kw # As we index by key, the name is first and then the data: @@ -127,10 +126,12 @@ class XML(dict): elif word: if data_node != kw.plainNode or len(passed) == 1: self.options = [_ for _ in self.tree if _.startswith(word)] + self.options.sort() else: self.options = [] else: self.options = named_options + self.options.sort() self.plain = not is_dataNode @@ -144,6 +145,7 @@ class XML(dict): self.word = '' if self.tree.get(kw.node,'') not in (kw.tagNode, kw.leafNode): self.options = [_ for _ in self.tree if not kw.found(_)] + self.options.sort() def checks(self, cmd): # as we move thought the named node twice @@ -228,8 +230,9 @@ class XML(dict): inner = self.tree[option] prefix = '+> ' if inner.get(kw.node, '') != kw.leafNode else ' ' if kw.help in inner: - h = inner[kw.help] - yield (prefix + option, h.get(kw.summary), '') + yield (prefix + option, inner[kw.help].get(kw.summary), '') + else: + yield (prefix + option, '(no help available)', '') def debug(self): print('------') @@ -245,36 +248,48 @@ class XML(dict): # @lru_cache(maxsize=100) # XXX: need to use cachetool instead - for later - def defaults(self, lpath): + def defaults(self, lpath, flat): d = self[kw.default] for k in lpath: - d = d[k] - r = {} + d = d.get(k, {}) + + if not flat: + r = {} + for k in d: + under = k.replace('-','_') + if isinstance(d[k],dict): + r[under] = self.defaults(lpath + [k], flat) + continue + r[under] = d[k] + return r - def _flatten(inside, index, d, r): + def _flatten(inside, index, d): + r = {} local = inside[index:] prefix = '_'.join(_.replace('-','_') for _ in local) + '_' if local else '' for k in d: under = prefix + k.replace('-','_') level = inside + [k] if isinstance(d[k],dict): - _flatten(level, index, d[k], r) + r.update(_flatten(level, index, d[k])) continue - if self.is_multi(level): + if self.is_multi(level, with_tag=False): r[under] = [_.strip() for _ in d[k].split(',')] continue r[under] = d[k] + return r - _flatten(lpath, len(lpath), d, r) - return r + return _flatten(lpath, len(lpath), d) # from functools import lru_cache # @lru_cache(maxsize=100) # XXX: need to use cachetool instead - for later - def _tree(self, lpath): + def _tree(self, lpath, with_tag=True): """ returns the part of the tree searched or None if it does not exists + if with_tag is set, this is a configuration path (with tagNode names) + and tag name will be removed from the path when traversing the tree """ tree = self[kw.tree] spath = lpath.copy() @@ -283,19 +298,33 @@ class XML(dict): if p not in tree: return None tree = tree[p] + if with_tag and spath and tree[kw.node] == kw.tagNode: + spath.pop(0) return tree - def _get(self, lpath, tag): - return self._tree(lpath + [tag]) - - def is_multi(self, lpath): - return self._get(lpath, kw.multi) is True - - def is_tag(self, lpath): - return self._get(lpath, kw.node) == kw.tagNode - - def is_leaf(self, lpath): - return self._get(lpath, kw.node) == kw.leafNode - - def exists(self, lpath): - return self._get(lpath, kw.node) is not None + def _get(self, lpath, tag, with_tag=True): + tree = self._tree(lpath, with_tag) + if tree is None: + return None + return tree.get(tag, None) + + def is_multi(self, lpath, with_tag=True): + tree = self._get(lpath, kw.multi, with_tag) + if tree is None: + return None + return tree is True + + def is_tag(self, lpath, with_tag=True): + tree = self._get(lpath, kw.node, with_tag) + if tree is None: + return None + return tree == kw.tagNode + + def is_leaf(self, lpath, with_tag=True): + tree = self._get(lpath, kw.node, with_tag) + if tree is None: + return None + return tree == kw.leafNode + + def exists(self, lpath, with_tag=True): + return self._get(lpath, kw.node, with_tag) is not None diff --git a/python/vyos/xml/kw.py b/python/vyos/xml/kw.py index c85d9e0fd..64521c51a 100644 --- a/python/vyos/xml/kw.py +++ b/python/vyos/xml/kw.py @@ -27,12 +27,12 @@ def found(word): # root -version = '(version)' -tree = '(tree)' -priorities = '(priorities)' -owners = '(owners)' -tags = '(tags)' -default = '(default)' +version = '[version]' +tree = '[tree]' +priorities = '[priorities]' +owners = '[owners]' +tags = '[tags]' +default = '[default]' # nodes diff --git a/python/vyos/xml/test_xml.py b/python/vyos/xml/test_xml.py index ac0620d99..ff55151d2 100644 --- a/python/vyos/xml/test_xml.py +++ b/python/vyos/xml/test_xml.py @@ -33,7 +33,7 @@ class TestSearch(TestCase): last = self.xml.traverse("") self.assertEqual(last, '') self.assertEqual(self.xml.inside, []) - self.assertEqual(self.xml.options, ['protocols', 'service', 'system', 'firewall', 'interfaces', 'vpn', 'nat', 'vrf', 'high-availability']) + self.assertEqual(self.xml.options, ['firewall', 'high-availability', 'interfaces', 'nat', 'protocols', 'service', 'system', 'vpn', 'vrf']) self.assertEqual(self.xml.filling, False) self.assertEqual(self.xml.word, last) self.assertEqual(self.xml.check, False) diff --git a/scripts/build-command-op-templates b/scripts/build-command-op-templates index 689d19ece..c60b32a1e 100755 --- a/scripts/build-command-op-templates +++ b/scripts/build-command-op-templates @@ -111,7 +111,7 @@ def get_properties(p): for i in lists: comp_exprs.append("echo \"{0}\"".format(i.text)) for i in paths: - comp_exprs.append("/bin/cli-shell-api listActiveNodes {0} | sed -e \"s/'//g\"".format(i.text)) + comp_exprs.append("/bin/cli-shell-api listActiveNodes {0} | sed -e \"s/'//g\" && echo".format(i.text)) for i in scripts: comp_exprs.append("{0}".format(i.text)) comp_help = " && ".join(comp_exprs) diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index 5c7294296..a3e141a00 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -15,151 +15,84 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import fnmatch +from glob import glob +from netifaces import interfaces from sys import exit -from copy import deepcopy from vyos.config import Config -from vyos import ConfigError from vyos.util import call from vyos.template import render - +from vyos import ConfigError from vyos import airbag airbag.enable() -config_file = r'/etc/default/udp-broadcast-relay' - -default_config_data = { - 'disabled': False, - 'instances': [] -} +config_file_base = r'/etc/default/udp-broadcast-relay' def get_config(): - relay = deepcopy(default_config_data) conf = Config() base = ['service', 'broadcast-relay'] - if not conf.exists(base): - return None - else: - conf.set_level(base) - - # Service can be disabled by user - if conf.exists('disable'): - relay['disabled'] = True - return relay - - # Parse configuration of each individual instance - if conf.exists('id'): - for id in conf.list_nodes('id'): - conf.set_level(base + ['id', id]) - config = { - 'id': id, - 'disabled': False, - 'address': '', - 'description': '', - 'interfaces': [], - 'port': '' - } - - # Check if individual broadcast relay service is disabled - if conf.exists(['disable']): - config['disabled'] = True - - # Source IP of forwarded packets, if empty original senders address is used - if conf.exists(['address']): - config['address'] = conf.return_value(['address']) - - # A description for each individual broadcast relay service - if conf.exists(['description']): - config['description'] = conf.return_value(['description']) - - # UDP port to listen on for broadcast frames - if conf.exists(['port']): - config['port'] = conf.return_value(['port']) - - # Network interfaces to listen on for broadcast frames to be relayed - if conf.exists(['interface']): - config['interfaces'] = conf.return_values(['interface']) - - relay['instances'].append(config) - + relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return relay def verify(relay): - if relay is None: - return None - - if relay['disabled']: + if not relay or 'disabled' in relay: return None - for r in relay['instances']: + for instance, config in relay.get('id', {}).items(): # we don't have to check this instance when it's disabled - if r['disabled']: + if 'disabled' in config: continue # we certainly require a UDP port to listen to - if not r['port']: - raise ConfigError('UDP broadcast relay "{0}" requires a port number'.format(r['id'])) + if 'port' not in config: + raise ConfigError(f'Port number mandatory for udp broadcast relay "{instance}"') + # if only oone interface is given it's a string -> move to list + if isinstance(config.get('interface', []), str): + config['interface'] = [ config['interface'] ] # Relaying data without two interface is kinda senseless ... - if len(r['interfaces']) < 2: - raise ConfigError('UDP broadcast relay "id {0}" requires at least 2 interfaces'.format(r['id'])) + if len(config.get('interface', [])) < 2: + raise ConfigError('At least two interfaces are required for udp broadcast relay "{instance}"') - return None + for interface in config.get('interface', []): + if interface not in interfaces(): + raise ConfigError('Interface "{interface}" does not exist!') + return None def generate(relay): - if relay is None: + if not relay or 'disabled' in relay: return None - config_dir = os.path.dirname(config_file) - config_filename = os.path.basename(config_file) - active_configs = [] - - for config in fnmatch.filter(os.listdir(config_dir), config_filename + '*'): - # determine prefix length to identify service instance - prefix_len = len(config_filename) - active_configs.append(config[prefix_len:]) - - # sort our list - active_configs.sort() + for config in glob(config_file_base + '*'): + os.remove(config) - # delete old configuration files - for id in active_configs[:]: - if os.path.exists(config_file + id): - os.unlink(config_file + id) - - # If the service is disabled, we can bail out here - if relay['disabled']: - print('Warning: UDP broadcast relay service will be deactivated because it is disabled') - return None - - for r in relay['instances']: - # Skip writing instance config when it's disabled - if r['disabled']: + for instance, config in relay.get('id').items(): + # we don't have to check this instance when it's disabled + if 'disabled' in config: continue - # configuration filename contains instance id - file = config_file + str(r['id']) - render(file, 'bcast-relay/udp-broadcast-relay.tmpl', r) + config['instance'] = instance + render(config_file_base + instance, 'bcast-relay/udp-broadcast-relay.tmpl', config) return None def apply(relay): # first stop all running services - call('systemctl stop udp-broadcast-relay@{1..99}.service') + call('systemctl stop udp-broadcast-relay@*.service') - if (relay is None) or relay['disabled']: + if not relay or 'disable' in relay: return None # start only required service instances - for r in relay['instances']: - # Don't start individual instance when it's disabled - if r['disabled']: + for instance, config in relay.get('id').items(): + # we don't have to check this instance when it's disabled + if 'disabled' in config: continue - call('systemctl start udp-broadcast-relay@{0}.service'.format(r['id'])) + + call(f'systemctl start udp-broadcast-relay@{instance}.service') return None diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index a9ebab53e..b7e73eaeb 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py @@ -84,7 +84,7 @@ def _iptables_get_nflog(): for iptables_variant in ['iptables', 'ip6tables']: # run iptables, save output and split it by lines - iptables_command = "sudo {0} -t {1} -S {2}".format(iptables_variant, iptables_nflog_table, iptables_nflog_chain) + iptables_command = f'{iptables_variant} -t {iptables_nflog_table} -S {iptables_nflog_chain}' tmp = cmd(iptables_command, message='Failed to get flows list') # parse each line and add information to list @@ -118,7 +118,7 @@ def _iptables_config(configured_ifaces): if interface not in configured_ifaces: table = rule['table'] rule = rule['rule_definition'] - iptable_commands.append(f'sudo {iptables} -t {table} -D {rule}') + iptable_commands.append(f'{iptables} -t {table} -D {rule}') else: active_nflog_ifaces.append({ 'iface': interface, @@ -135,7 +135,7 @@ def _iptables_config(configured_ifaces): iface = iface_extended['iface'] iptables = iface_extended['iptables_variant'] rule_definition = f'{iptables_nflog_chain} -i {iface} -m comment --comment FLOW_ACCOUNTING_RULE -j NFLOG --nflog-group 2 --nflog-size {default_captured_packet_size} --nflog-threshold 100' - iptable_commands.append(f'sudo {iptables} -t {iptables_nflog_table} -I {rule_definition}') + iptable_commands.append(f'{iptables} -t {iptables_nflog_table} -I {rule_definition}') # change iptables for command in iptable_commands: diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py index 3e301477d..f2fa64233 100755 --- a/src/conf_mode/host_name.py +++ b/src/conf_mode/host_name.py @@ -97,10 +97,6 @@ def verify(conf, hosts): for host, hostprops in hosts['static_host_mapping'].items(): if not hostprops['address']: raise ConfigError(f'IP address required for static-host-mapping "{host}"') - if hostprops['address'] in all_static_host_mapping_addresses: - raise ConfigError(( - f'static-host-mapping "{host}" address "{hostprops["address"]}"' - f'already used in another static-host-mapping')) all_static_host_mapping_addresses.append(hostprops['address']) for a in hostprops['aliases']: if not hostname_regex.match(a) and len(a) != 0: diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py index 0b2d318fd..742f09a54 100755 --- a/src/conf_mode/intel_qat.py +++ b/src/conf_mode/intel_qat.py @@ -54,8 +54,8 @@ def get_config(): def vpn_control(action): # XXX: Should these commands report failure if action == 'restore' and gl_ipsec_conf: - return run('sudo ipsec start') - return run(f'sudo ipsec {action}') + return run('ipsec start') + return run(f'ipsec {action}') def verify(c): # Check if QAT service installed @@ -66,7 +66,7 @@ def verify(c): return # Check if QAT device exist - output, err = popen('sudo lspci -nn', decode='utf-8') + output, err = popen('lspci -nn', decode='utf-8') if not err: data = re.findall('(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)', output) #If QAT devices found @@ -81,13 +81,13 @@ def apply(c): # Disable QAT service if c['qat_conf'] == None: - run('sudo /etc/init.d/qat_service stop') + run('/etc/init.d/qat_service stop') if c['ipsec_conf']: vpn_control('start') return # Run qat init.d script - run('sudo /etc/init.d/qat_service start') + run('/etc/init.d/qat_service start') if c['ipsec_conf']: # Recovery VPN service vpn_control('start') diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py index ec255edd5..2d62420a6 100755 --- a/src/conf_mode/interfaces-dummy.py +++ b/src/conf_mode/interfaces-dummy.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -16,98 +16,53 @@ import os -from copy import deepcopy from sys import exit -from netifaces import interfaces -from vyos.ifconfig import DummyIf -from vyos.configdict import list_diff from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.ifconfig import DummyIf from vyos.validate import is_member from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - 'address': [], - 'address_remove': [], - 'deleted': False, - 'description': '', - 'disable': False, - 'intf': '', - 'is_bridge_member': False, - 'vrf': '' -} - def get_config(): - dummy = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - dummy['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # check if we are a member of any bridge - dummy['is_bridge_member'] = is_member(conf, dummy['intf'], 'bridge') + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = ['interfaces', 'dummy', ifname] + dummy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists('interfaces dummy ' + dummy['intf']): - dummy['deleted'] = True - return dummy - - # set new configuration level - conf.set_level('interfaces dummy ' + dummy['intf']) + if dummy == {}: + dummy.update({'deleted' : ''}) - # retrieve configured interface addresses - if conf.exists('address'): - dummy['address'] = conf.return_values('address') + # store interface instance name in dictionary + dummy.update({'ifname': ifname}) - # retrieve interface description - if conf.exists('description'): - dummy['description'] = conf.return_value('description') - - # Disable this interface - if conf.exists('disable'): - dummy['disable'] = True - - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed from the interface - eff_addr = conf.return_effective_values('address') - act_addr = conf.return_values('address') - dummy['address_remove'] = list_diff(eff_addr, act_addr) - - # retrieve VRF instance - if conf.exists('vrf'): - dummy['vrf'] = conf.return_value('vrf') + # check if we are a member of any bridge + bridge = is_member(conf, ifname, 'bridge') + if bridge: + tmp = {'is_bridge_member' : bridge} + dummy.update(tmp) return dummy def verify(dummy): - if dummy['deleted']: - if dummy['is_bridge_member']: - raise ConfigError(( - f'Interface "{dummy["intf"]}" cannot be deleted as it is a ' - f'member of bridge "{dummy["is_bridge_member"]}"!')) - + if 'deleted' in dummy.keys(): + verify_bridge_delete(dummy) return None - if dummy['vrf']: - if dummy['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{dummy["vrf"]}" does not exist') - - if dummy['is_bridge_member']: - raise ConfigError(( - f'Interface "{dummy["intf"]}" cannot be member of VRF ' - f'"{dummy["vrf"]}" and bridge "{dummy["is_bridge_member"]}" ' - f'at the same time!')) - - if dummy['is_bridge_member'] and dummy['address']: - raise ConfigError(( - f'Cannot assign address to interface "{dummy["intf"]}" ' - f'as it is a member of bridge "{dummy["is_bridge_member"]}"!')) + verify_vrf(dummy) + verify_address(dummy) return None @@ -115,33 +70,13 @@ def generate(dummy): return None def apply(dummy): - d = DummyIf(dummy['intf']) + d = DummyIf(dummy['ifname']) # Remove dummy interface - if dummy['deleted']: + if 'deleted' in dummy.keys(): d.remove() else: - # update interface description used e.g. within SNMP - d.set_alias(dummy['description']) - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in dummy['address_remove']: - d.del_addr(addr) - for addr in dummy['address']: - d.add_addr(addr) - - # assign/remove VRF (ONLY when not a member of a bridge, - # otherwise 'nomaster' removes it from it) - if not dummy['is_bridge_member']: - d.set_vrf(dummy['vrf']) - - # disable interface on demand - if dummy['disable']: - d.set_admin_state('down') - else: - d.set_admin_state('up') + d.update(dummy) return None diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py index 4ff0bcb57..866419f2c 100755 --- a/src/conf_mode/interfaces-l2tpv3.py +++ b/src/conf_mode/interfaces-l2tpv3.py @@ -24,11 +24,14 @@ from vyos.config import Config from vyos.ifconfig import L2TPv3If, Interface from vyos import ConfigError from vyos.util import call +from vyos.util import check_kmod from vyos.validate import is_member, is_addr_assigned from vyos import airbag airbag.enable() +k_mod = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] + default_config_data = { 'address': [], 'deleted': False, @@ -53,13 +56,6 @@ default_config_data = { 'tunnel_id': '' } -def check_kmod(): - modules = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - def get_config(): l2tpv3 = deepcopy(default_config_data) conf = Config() @@ -283,7 +279,7 @@ def apply(l2tpv3): if __name__ == '__main__': try: - check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py index df268cec2..2368f88a9 100755 --- a/src/conf_mode/interfaces-loopback.py +++ b/src/conf_mode/interfaces-loopback.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -17,54 +17,31 @@ import os from sys import exit -from copy import deepcopy from vyos.ifconfig import LoopbackIf -from vyos.configdict import list_diff from vyos.config import Config -from vyos import ConfigError - -from vyos import airbag +from vyos import ConfigError, airbag airbag.enable() -default_config_data = { - 'address': [], - 'address_remove': [], - 'deleted': False, - 'description': '', -} - - def get_config(): - loopback = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - loopback['intf'] = os.environ['VYOS_TAGNODE_VALUE'] + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = ['interfaces', 'loopback', ifname] + loopback = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists('interfaces loopback ' + loopback['intf']): - loopback['deleted'] = True - - # set new configuration level - conf.set_level('interfaces loopback ' + loopback['intf']) + if loopback == {}: + loopback.update({'deleted' : ''}) - # retrieve configured interface addresses - if conf.exists('address'): - loopback['address'] = conf.return_values('address') - - # retrieve interface description - if conf.exists('description'): - loopback['description'] = conf.return_value('description') - - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed from the interface - eff_addr = conf.return_effective_values('address') - act_addr = conf.return_values('address') - loopback['address_remove'] = list_diff(eff_addr, act_addr) + # store interface instance name in dictionary + loopback.update({'ifname': ifname}) return loopback @@ -75,20 +52,11 @@ def generate(loopback): return None def apply(loopback): - l = LoopbackIf(loopback['intf']) - if loopback['deleted']: + l = LoopbackIf(loopback['ifname']) + if 'deleted' in loopback.keys(): l.remove() else: - # update interface description used e.g. within SNMP - l.set_alias(loopback['description']) - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in loopback['address_remove']: - l.del_addr(addr) - for addr in loopback['address']: - l.add_addr(addr) + l.update(loopback) return None diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index a8966148f..56273f71a 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -18,177 +18,108 @@ import os from copy import deepcopy from sys import exit -from netifaces import interfaces from vyos.config import Config -from vyos.configdict import list_diff +from vyos.configdict import dict_merge from vyos.ifconfig import MACsecIf from vyos.template import render from vyos.util import call from vyos.validate import is_member +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_source_interface +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - 'address': [], - 'address_remove': [], - 'deleted': False, - 'description': '', - 'disable': False, - 'security_cipher': '', - 'security_encrypt': False, - 'security_mka_cak': '', - 'security_mka_ckn': '', - 'security_mka_priority': '255', - 'security_replay_window': '', - 'intf': '', - 'source_interface': '', - 'is_bridge_member': False, - 'vrf': '' -} - # XXX: wpa_supplicant works on the source interface wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf' - def get_config(): - macsec = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - macsec['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - base_path = ['interfaces', 'macsec', macsec['intf']] + # retrieve interface default values + base = ['interfaces', 'macsec'] + default_values = defaults(base) - # check if we are a member of any bridge - macsec['is_bridge_member'] = is_member(conf, macsec['intf'], 'bridge') + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = base + [ifname] + macsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists(base_path): - macsec['deleted'] = True - # When stopping wpa_supplicant we need to stop it via the physical - # interface - thus we need to retrieve ir from the effective config - if conf.exists_effective(base_path + ['source-interface']): - macsec['source_interface'] = conf.return_effective_value( - base_path + ['source-interface']) - - return macsec - - # set new configuration level - conf.set_level(base_path) - - # retrieve configured interface addresses - if conf.exists(['address']): - macsec['address'] = conf.return_values(['address']) - - # retrieve interface description - if conf.exists(['description']): - macsec['description'] = conf.return_value(['description']) - - # Disable this interface - if conf.exists(['disable']): - macsec['disable'] = True - - # retrieve interface cipher - if conf.exists(['security', 'cipher']): - macsec['security_cipher'] = conf.return_value(['security', 'cipher']) - - # Enable optional MACsec encryption - if conf.exists(['security', 'encrypt']): - macsec['security_encrypt'] = True - - # Secure Connectivity Association Key - if conf.exists(['security', 'mka', 'cak']): - macsec['security_mka_cak'] = conf.return_value( - ['security', 'mka', 'cak']) - - # Secure Connectivity Association Name - if conf.exists(['security', 'mka', 'ckn']): - macsec['security_mka_ckn'] = conf.return_value( - ['security', 'mka', 'ckn']) - - # MACsec Key Agreement protocol (MKA) actor priority - if conf.exists(['security', 'mka', 'priority']): - macsec['security_mka_priority'] = conf.return_value( - ['security', 'mka', 'priority']) - - # IEEE 802.1X/MACsec replay protection - if conf.exists(['security', 'replay-window']): - macsec['security_replay_window'] = conf.return_value( - ['security', 'replay-window']) - - # Physical interface - if conf.exists(['source-interface']): - macsec['source_interface'] = conf.return_value(['source-interface']) - - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed from the interface - eff_addr = conf.return_effective_values(['address']) - act_addr = conf.return_values(['address']) - macsec['address_remove'] = list_diff(eff_addr, act_addr) - - # retrieve VRF instance - if conf.exists(['vrf']): - macsec['vrf'] = conf.return_value(['vrf']) + if macsec == {}: + tmp = { + 'deleted' : '', + 'source_interface' : conf.return_effective_value( + base + ['source-interface']) + } + macsec.update(tmp) + + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary + # retrived. + macsec = dict_merge(default_values, macsec) + + # Add interface instance name into dictionary + macsec.update({'ifname': ifname}) + + # Check if we are a member of any bridge + bridge = is_member(conf, ifname, 'bridge') + if bridge: + tmp = {'is_bridge_member' : bridge} + macsec.update(tmp) return macsec def verify(macsec): - if macsec['deleted']: - if macsec['is_bridge_member']: - raise ConfigError( - 'Interface "{intf}" cannot be deleted as it is a ' - 'member of bridge "{is_bridge_member}"!'.format(**macsec)) - + if 'deleted' in macsec.keys(): + verify_bridge_delete(macsec) return None - if not macsec['source_interface']: - raise ConfigError('Physical source interface must be set for ' - 'MACsec "{intf}"'.format(**macsec)) + verify_source_interface(macsec) + verify_vrf(macsec) + verify_address(macsec) - if not macsec['security_cipher']: + if not (('security' in macsec.keys()) and + ('cipher' in macsec['security'].keys())): raise ConfigError( - 'Cipher suite must be set for MACsec "{intf}"'.format(**macsec)) - - if macsec['security_encrypt']: - if not (macsec['security_mka_cak'] and macsec['security_mka_ckn']): - raise ConfigError( - 'MACsec security keys mandartory when encryption is enabled') + 'Cipher suite must be set for MACsec "{ifname}"'.format(**macsec)) - if macsec['vrf']: - if macsec['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**macsec)) + if (('security' in macsec.keys()) and + ('encrypt' in macsec['security'].keys())): + tmp = macsec.get('security') - if macsec['is_bridge_member']: - raise ConfigError('Interface "{intf}" cannot be member of VRF ' - '"{vrf}" and bridge "{is_bridge_member}" at ' - 'the same time!'.format(**macsec)) - - if macsec['is_bridge_member'] and macsec['address']: - raise ConfigError( - 'Cannot assign address to interface "{intf}" as it is' - 'a member of bridge "{is_bridge_member}"!'.format(**macsec)) + if not (('mka' in tmp.keys()) and + ('cak' in tmp['mka'].keys()) and + ('ckn' in tmp['mka'].keys())): + raise ConfigError('Missing mandatory MACsec security ' + 'keys as encryption is enabled!') return None def generate(macsec): render(wpa_suppl_conf.format(**macsec), - 'macsec/wpa_supplicant.conf.tmpl', macsec, permission=0o640) + 'macsec/wpa_supplicant.conf.tmpl', macsec) return None def apply(macsec): # Remove macsec interface - if macsec['deleted']: + if 'deleted' in macsec.keys(): call('systemctl stop wpa_supplicant-macsec@{source_interface}' .format(**macsec)) - MACsecIf(macsec['intf']).remove() + + MACsecIf(macsec['ifname']).remove() # delete configuration on interface removal if os.path.isfile(wpa_suppl_conf.format(**macsec)): @@ -198,35 +129,16 @@ def apply(macsec): # MACsec interfaces require a configuration when they are added using # iproute2. This static method will provide the configuration # dictionary used by this class. - conf = deepcopy(MACsecIf.get_config()) - # Assign MACsec instance configuration parameters to config dict + # XXX: subject of removal after completing T2653 + conf = deepcopy(MACsecIf.get_config()) conf['source_interface'] = macsec['source_interface'] - conf['security_cipher'] = macsec['security_cipher'] + conf['security_cipher'] = macsec['security']['cipher'] # It is safe to "re-create" the interface always, there is a sanity # check that the interface will only be create if its non existent - i = MACsecIf(macsec['intf'], **conf) - - # update interface description used e.g. within SNMP - i.set_alias(macsec['description']) - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in macsec['address_remove']: - i.del_addr(addr) - for addr in macsec['address']: - i.add_addr(addr) - - # assign/remove VRF (ONLY when not a member of a bridge, - # otherwise 'nomaster' removes it from it) - if not macsec['is_bridge_member']: - i.set_vrf(macsec['vrf']) - - # Interface is administratively down by default, enable if desired - if not macsec['disable']: - i.set_admin_state('up') + i = MACsecIf(macsec['ifname'], **conf) + i.update(macsec) call('systemctl restart wpa_supplicant-macsec@{source_interface}' .format(**macsec)) diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py index 611206d84..3ee57e83c 100755 --- a/src/conf_mode/interfaces-pppoe.py +++ b/src/conf_mode/interfaces-pppoe.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -15,179 +15,65 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os +import jmespath from sys import exit from copy import deepcopy from netifaces import interfaces from vyos.config import Config -from vyos.configdict import dhcpv6_pd_default_data -from vyos.ifconfig import Interface +from vyos.configdict import dict_merge +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_vrf from vyos.template import render -from vyos.util import chown, chmod_755, call +from vyos.util import call +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - **dhcpv6_pd_default_data, - 'access_concentrator': '', - 'auth_username': '', - 'auth_password': '', - 'on_demand': False, - 'default_route': 'auto', - 'deleted': False, - 'description': '\0', - 'disable': False, - 'intf': '', - 'idle_timeout': '', - 'ipv6_autoconf': False, - 'ipv6_enable': False, - 'local_address': '', - 'mtu': '1492', - 'name_server': True, - 'remote_address': '', - 'service_name': '', - 'source_interface': '', - 'vrf': '' -} - def get_config(): - pppoe = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() - base_path = ['interfaces', 'pppoe'] # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - pppoe['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # Check if interface has been removed - if not conf.exists(base_path + [pppoe['intf']]): - pppoe['deleted'] = True - return pppoe - - # set new configuration level - conf.set_level(base_path + [pppoe['intf']]) - - # Access concentrator name (only connect to this concentrator) - if conf.exists(['access-concentrator']): - pppoe['access_concentrator'] = conf.return_values(['access-concentrator']) - - # Authentication name supplied to PPPoE server - if conf.exists(['authentication', 'user']): - pppoe['auth_username'] = conf.return_value(['authentication', 'user']) - - # Password for authenticating local machine to PPPoE server - if conf.exists(['authentication', 'password']): - pppoe['auth_password'] = conf.return_value(['authentication', 'password']) - - # Access concentrator name (only connect to this concentrator) - if conf.exists(['connect-on-demand']): - pppoe['on_demand'] = True - - # Enable/Disable default route to peer when link comes up - if conf.exists(['default-route']): - pppoe['default_route'] = conf.return_value(['default-route']) - - # Retrieve interface description - if conf.exists(['description']): - pppoe['description'] = conf.return_value(['description']) - - # Disable this interface - if conf.exists(['disable']): - pppoe['disable'] = True - - # Delay before disconnecting idle session (in seconds) - if conf.exists(['idle-timeout']): - pppoe['idle_timeout'] = conf.return_value(['idle-timeout']) - - # Enable Stateless Address Autoconfiguration (SLAAC) - if conf.exists(['ipv6', 'address', 'autoconf']): - pppoe['ipv6_autoconf'] = True + # retrieve interface default values + base = ['interfaces', 'pppoe'] + default_values = defaults(base) + # PPPoE is "special" the default MTU is 1492 - update accordingly + default_values['mtu'] = '1492' - # Activate IPv6 support on this connection - if conf.exists(['ipv6', 'enable']): - pppoe['ipv6_enable'] = True + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = base + [ifname] - # IPv4 address of local end of PPPoE link - if conf.exists(['local-address']): - pppoe['local_address'] = conf.return_value(['local-address']) - - # Physical Interface used for this PPPoE session - if conf.exists(['source-interface']): - pppoe['source_interface'] = conf.return_value(['source-interface']) - - # Maximum Transmission Unit (MTU) - if conf.exists(['mtu']): - pppoe['mtu'] = conf.return_value(['mtu']) - - # Do not use DNS servers provided by the peer - if conf.exists(['no-peer-dns']): - pppoe['name_server'] = False - - # IPv4 address for remote end of PPPoE session - if conf.exists(['remote-address']): - pppoe['remote_address'] = conf.return_value(['remote-address']) - - # Service name, only connect to access concentrators advertising this - if conf.exists(['service-name']): - pppoe['service_name'] = conf.return_value(['service-name']) - - # retrieve VRF instance - if conf.exists('vrf'): - pppoe['vrf'] = conf.return_value(['vrf']) - - if conf.exists(['dhcpv6-options', 'prefix-delegation']): - dhcpv6_pd_path = base_path + [pppoe['intf'], - 'dhcpv6-options', 'prefix-delegation'] - conf.set_level(dhcpv6_pd_path) - - # Retrieve DHCPv6-PD prefix helper length as some ISPs only hand out a - # /64 by default (https://phabricator.vyos.net/T2506) - if conf.exists(['length']): - pppoe['dhcpv6_pd_length'] = conf.return_value(['length']) - - for interface in conf.list_nodes(['interface']): - conf.set_level(dhcpv6_pd_path + ['interface', interface]) - pd = { - 'ifname': interface, - 'sla_id': '', - 'sla_len': '', - 'if_id': '' - } - - if conf.exists(['sla-id']): - pd['sla_id'] = conf.return_value(['sla-id']) - - if conf.exists(['sla-len']): - pd['sla_len'] = conf.return_value(['sla-len']) + pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + # Check if interface has been removed + if pppoe == {}: + pppoe.update({'deleted' : ''}) - if conf.exists(['address']): - pd['if_id'] = conf.return_value(['address']) + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary + # retrived. + pppoe = dict_merge(default_values, pppoe) - pppoe['dhcpv6_pd_interfaces'].append(pd) + # Add interface instance name into dictionary + pppoe.update({'ifname': ifname}) return pppoe def verify(pppoe): - if pppoe['deleted']: + if 'deleted' in pppoe.keys(): # bail out early return None - if not pppoe['source_interface']: - raise ConfigError('PPPoE source interface missing') - - if not pppoe['source_interface'] in interfaces(): - raise ConfigError(f"PPPoE source interface {pppoe['source_interface']} does not exist") - - vrf_name = pppoe['vrf'] - if vrf_name and vrf_name not in interfaces(): - raise ConfigError(f'VRF {vrf_name} does not exist') + verify_source_interface(pppoe) + verify_vrf(pppoe) - if pppoe['on_demand'] and pppoe['vrf']: + if {'connect_on_demand', 'vrf'} <= set(pppoe): raise ConfigError('On-demand dialing and VRF can not be used at the same time') return None @@ -195,22 +81,22 @@ def verify(pppoe): def generate(pppoe): # set up configuration file path variables where our templates will be # rendered into - intf = pppoe['intf'] - config_pppoe = f'/etc/ppp/peers/{intf}' - script_pppoe_pre_up = f'/etc/ppp/ip-pre-up.d/1000-vyos-pppoe-{intf}' - script_pppoe_ip_up = f'/etc/ppp/ip-up.d/1000-vyos-pppoe-{intf}' - script_pppoe_ip_down = f'/etc/ppp/ip-down.d/1000-vyos-pppoe-{intf}' - script_pppoe_ipv6_up = f'/etc/ppp/ipv6-up.d/1000-vyos-pppoe-{intf}' - config_wide_dhcp6c = f'/run/dhcp6c/dhcp6c.{intf}.conf' + ifname = pppoe['ifname'] + config_pppoe = f'/etc/ppp/peers/{ifname}' + script_pppoe_pre_up = f'/etc/ppp/ip-pre-up.d/1000-vyos-pppoe-{ifname}' + script_pppoe_ip_up = f'/etc/ppp/ip-up.d/1000-vyos-pppoe-{ifname}' + script_pppoe_ip_down = f'/etc/ppp/ip-down.d/1000-vyos-pppoe-{ifname}' + script_pppoe_ipv6_up = f'/etc/ppp/ipv6-up.d/1000-vyos-pppoe-{ifname}' + config_wide_dhcp6c = f'/run/dhcp6c/dhcp6c.{ifname}.conf' config_files = [config_pppoe, script_pppoe_pre_up, script_pppoe_ip_up, script_pppoe_ip_down, script_pppoe_ipv6_up, config_wide_dhcp6c] - if pppoe['deleted']: + if 'deleted' in pppoe.keys(): # stop DHCPv6-PD client - call(f'systemctl stop dhcp6c@{intf}.service') + call(f'systemctl stop dhcp6c@{ifname}.service') # Hang-up PPPoE connection - call(f'systemctl stop ppp@{intf}.service') + call(f'systemctl stop ppp@{ifname}.service') # Delete PPP configuration files for file in config_files: @@ -235,22 +121,22 @@ def generate(pppoe): render(script_pppoe_ipv6_up, 'pppoe/ipv6-up.script.tmpl', pppoe, trim_blocks=True, permission=0o755) - if len(pppoe['dhcpv6_pd_interfaces']) > 0: + tmp = jmespath.search('dhcpv6_options.prefix_delegation.interface', pppoe) + if tmp and len(tmp) > 0: # ipv6.tmpl relies on ifname - this should be made consitent in the # future better then double key-ing the same value - pppoe['ifname'] = intf - render(config_wide_dhcp6c, 'dhcp-client/ipv6.tmpl', pppoe, trim_blocks=True) + render(config_wide_dhcp6c, 'dhcp-client/ipv6_new.tmpl', pppoe, trim_blocks=True) return None def apply(pppoe): - if pppoe['deleted']: + if 'deleted' in pppoe.keys(): # bail out early return None - if not pppoe['disable']: + if 'disable' not in pppoe.keys(): # Dial PPPoE connection - call('systemctl restart ppp@{intf}.service'.format(**pppoe)) + call('systemctl restart ppp@{ifname}.service'.format(**pppoe)) return None diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index 70710e97c..fb8237bee 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py @@ -36,7 +36,7 @@ default_config_data = { 'ip_arp_cache_tmo': 30, 'ip_proxy_arp_pvlan': 0, 'source_interface': '', - 'source_interface_changed': False, + 'recreating_required': False, 'mode': 'private', 'vif_s': {}, 'vif_s_remove': [], @@ -79,11 +79,14 @@ def get_config(): peth['source_interface'] = conf.return_value(['source-interface']) tmp = conf.return_effective_value(['source-interface']) if tmp != peth['source_interface']: - peth['source_interface_changed'] = True + peth['recreating_required'] = True # MACvlan mode if conf.exists(['mode']): peth['mode'] = conf.return_value(['mode']) + tmp = conf.return_effective_value(['mode']) + if tmp != peth['mode']: + peth['recreating_required'] = True add_to_dict(conf, disabled, peth, 'vif', 'vif') add_to_dict(conf, disabled, peth, 'vif-s', 'vif_s') @@ -139,10 +142,10 @@ def apply(peth): return None # Check if MACVLAN interface already exists. Parameters like the underlaying - # source-interface device can not be changed on the fly and the interface + # source-interface device or mode can not be changed on the fly and the interface # needs to be recreated from the bottom. if peth['intf'] in interfaces(): - if peth['source_interface_changed']: + if peth['recreating_required']: MACVLANIf(peth['intf']).remove() # MACVLAN interface needs to be created on-block instead of passing a ton diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index c13f77d91..ea15a7fb7 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -32,7 +32,8 @@ from vyos.dicts import FixedDict from vyos import airbag airbag.enable() -class ConfigurationState(Config): + +class ConfigurationState(object): """ The current API require a dict to be generated by get_config() which is then consumed by verify(), generate() and apply() @@ -40,7 +41,7 @@ class ConfigurationState(Config): ConfiguartionState is an helper class wrapping Config and providing an common API to this dictionary structure - Its to_dict() function return a dictionary containing three fields, + Its to_api() function return a dictionary containing three fields, each a dict, called options, changes, actions. options: @@ -84,16 +85,16 @@ class ConfigurationState(Config): which for each field represent how it was modified since the last commit """ - def __init__ (self, section, default): + def __init__(self, configuration, section, default): """ initialise the class for a given configuration path: - >>> conf = ConfigurationState('interfaces ethernet eth1') + >>> conf = ConfigurationState(conf, 'interfaces ethernet eth1') all further references to get_value(s) and get_effective(s) will be for this part of the configuration (eth1) """ - super().__init__() - self.section = section + self._conf = configuration + self.default = deepcopy(default) self.options = FixedDict(**default) self.actions = { @@ -104,13 +105,19 @@ class ConfigurationState(Config): 'delete': [], # the key was present and was deleted } self.changes = {} - if not self.exists(section): + if not self._conf.exists(section): self.changes['section'] = 'delete' - elif self.exists_effective(section): + elif self._conf.exists_effective(section): self.changes['section'] = 'modify' else: self.changes['section'] = 'create' + self.set_level(section) + + def set_level(self, lpath): + self.section = lpath + self._conf.set_level(lpath) + def _act(self, section): """ Returns for a given configuration field determine what happened to it @@ -121,18 +128,18 @@ class ConfigurationState(Config): 'delete': it was present but was removed from the configuration 'absent': it was not and is not present """ - if self.exists(section): - if self.exists_effective(section): - if self.return_value(section) != self.return_effective_value(section): + if self._conf.exists(section): + if self._conf.exists_effective(section): + if self._conf.return_value(section) != self._conf.return_effective_value(section): return 'modify' return 'static' return 'create' else: - if self.exists_effective(section): + if self._conf.exists_effective(section): return 'delete' return 'absent' - def _action (self, name, key): + def _action(self, name, key): action = self._act(key) self.changes[name] = action self.actions[action].append(name) @@ -157,18 +164,28 @@ class ConfigurationState(Config): """ if self._action(name, key) in ('delete', 'absent'): return - return self._get(name, key, default, self.return_value) + return self._get(name, key, default, self._conf.return_value) def get_values(self, name, key, default=None): """ - >>> conf.get_values('addresses-add', 'address') - will place a list made of the IP present in 'interface dummy dum1 address' - into the dictionnary entry 'addr' using Config.return_values - (the data in the configuration to apply) + >>> conf.get_values('addresses', 'address') + will place a list of the new IP present in 'interface dummy dum1 address' + into the dictionnary entry "-add" (here 'addresses-add') using + Config.return_values and will add the the one which were removed in into + the entry "-del" (here addresses-del') """ - if self._action(name, key) in ('delete', 'absent'): + add_name = f'{name}-add' + + if self._action(add_name, key) in ('delete', 'absent'): return - return self._get(name, key, default, self.return_values) + + self._get(add_name, key, default, self._conf.return_values) + + # get the effective values to determine which data is no longer valid + self.options['addresses-del'] = list_diff( + self._conf.return_effective_values('address'), + self.options['addresses-add'] + ) def get_effective(self, name, key, default=None): """ @@ -178,7 +195,7 @@ class ConfigurationState(Config): (the data in the configuration to apply) """ self._action(name, key) - return self._get(name, key, default, self.return_effective_value) + return self._get(name, key, default, self._conf.return_effective_value) def get_effectives(self, name, key, default=None): """ @@ -188,7 +205,7 @@ class ConfigurationState(Config): (the data in the un-modified configuration) """ self._action(name, key) - return self._get(name, key, default, self.return_effectives_value) + return self._get(name, key, default, self._conf.return_effectives_value) def load(self, mapping): """ @@ -220,16 +237,35 @@ class ConfigurationState(Config): else: self.get_value(local_name, config_name, default) - def remove_default (self,*options): + def remove_default(self,*options): """ remove all the values which were not changed from the default """ for option in options: - if self.exists(option) and self.self_return_value(option) != self.default[option]: + if not self._conf.exists(option): + del self.options[option] continue - del self.options[option] - def to_dict (self): + if self._conf.return_value(option) == self.default[option]: + del self.options[option] + continue + + if self._conf.return_values(option) == self.default[option]: + del self.options[option] + continue + + def as_dict(self, lpath): + l = self._conf.get_level() + self._conf.set_level([]) + d = self._conf.get_config_dict(lpath) + # XXX: that not what I would have expected from get_config_dict + if lpath: + d = d[lpath[-1]] + # XXX: it should have provided me the content and not the key + self._conf.set_level(l) + return d + + def to_api(self): """ provide a dictionary with the generated data for the configuration options: the configuration value for the key @@ -243,6 +279,7 @@ class ConfigurationState(Config): 'actions': self.actions, } + default_config_data = { # interface definition 'vrf': '', @@ -288,6 +325,7 @@ default_config_data = { '6rd-relay-prefix': '', } + # dict name -> config name, multiple values, default mapping = { 'type': ('encapsulation', False, None), @@ -310,7 +348,7 @@ mapping = { 'state': ('disable', False, 'down'), 'link_detect': ('disable-link-detect', False, 2), 'vrf': ('vrf', False, None), - 'addresses-add': ('address', True, None), + 'addresses': ('address', True, None), 'arp_filter': ('ip disable-arp-filter', False, 0), 'arp_accept': ('ip enable-arp-accept', False, 1), 'arp_announce': ('ip enable-arp-announce', False, 1), @@ -320,6 +358,7 @@ mapping = { 'ipv6_dad_transmits:': ('ipv6 dup-addr-detect-transmits', False, None) } + def get_class (options): dispatch = { 'gre': GREIf, @@ -363,19 +402,17 @@ def get_config(): if not ifname: raise ConfigError('Interface not specified') - conf = ConfigurationState('interfaces tunnel ' + ifname, default_config_data) + config = Config() + conf = ConfigurationState(config, ['interfaces', 'tunnel ', ifname], default_config_data) options = conf.options changes = conf.changes options['ifname'] = ifname - # set new configuration level - conf.set_level(conf.section) - if changes['section'] == 'delete': conf.get_effective('type', mapping['type'][0]) - conf.set_level('protocols nhrp tunnel') - options['nhrp'] = conf.list_nodes('') - return conf.to_dict() + config.set_level(['protocols', 'nhrp', 'tunnel']) + options['nhrp'] = config.list_nodes('') + return conf.to_api() # load all the configuration option according to the mapping conf.load(mapping) @@ -407,12 +444,6 @@ def get_config(): options['local'] = picked options['dhcp-interface'] = '' - # get interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed - # could be done within ConfigurationState - eff_addr = conf.return_effective_values('address') - options['addresses-del'] = list_diff(eff_addr, options['addresses-add']) - # to make IPv6 SLAAC and DHCPv6 work with forwarding=1, # accept_ra must be 2 if options['ipv6_autoconf'] or 'dhcpv6' in options['addresses-add']: @@ -422,12 +453,11 @@ def get_config(): options['allmulticast'] = options['multicast'] # check that per encapsulation all local-remote pairs are unique - conf.set_level('interfaces tunnel') - ct = conf.get_config_dict()['tunnel'] + ct = conf.as_dict(['interfaces', 'tunnel']) options['tunnel'] = {} # check for bridges - options['bridge'] = is_member(conf, ifname, 'bridge') + options['bridge'] = is_member(config, ifname, 'bridge') options['interfaces'] = interfaces() for name in ct: @@ -440,7 +470,7 @@ def get_config(): pair = f'{local}-{remote}' options['tunnel'][encap][pair] = options['tunnel'].setdefault(encap, {}).get(pair, 0) + 1 - return conf.to_dict() + return conf.to_api() def verify(conf): diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index c24c9a7ce..982aefa5f 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -25,6 +25,7 @@ from vyos.config import Config from vyos.configdict import list_diff from vyos.ifconfig import WireGuardIf from vyos.util import chown, chmod_750, call +from vyos.util import check_kmod from vyos.validate import is_member, is_ipv6 from vyos import ConfigError @@ -32,6 +33,7 @@ from vyos import airbag airbag.enable() kdir = r'/config/auth/wireguard' +k_mod = 'wireguard' default_config_data = { 'intfc': '', @@ -50,14 +52,6 @@ default_config_data = { 'vrf': '' } -def _check_kmod(): - modules = ['wireguard'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - - def _migrate_default_keys(): if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'): location = f'{kdir}/default' @@ -315,7 +309,7 @@ def apply(wg): if __name__ == '__main__': try: - _check_kmod() + check_kmod(k_mod) _migrate_default_keys() c = get_config() verify(c) diff --git a/src/conf_mode/interfaces-wirelessmodem.py b/src/conf_mode/interfaces-wirelessmodem.py index 35e3c583c..0964a8f4d 100755 --- a/src/conf_mode/interfaces-wirelessmodem.py +++ b/src/conf_mode/interfaces-wirelessmodem.py @@ -16,44 +16,20 @@ import os -from copy import deepcopy from fnmatch import fnmatch -from netifaces import interfaces from sys import exit from vyos.config import Config -from vyos.ifconfig import BridgeIf, Section +from vyos.configdict import dict_merge +from vyos.configverify import verify_vrf from vyos.template import render from vyos.util import call -from vyos.validate import is_member +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - 'apn': '', - 'chat_script': '', - 'deleted': False, - 'description': '', - 'device': '', - 'disable': False, - 'disable_link_detect': 1, - 'on_demand': False, - 'metric': '10', - 'mtu': '1500', - 'name_server': True, - 'is_bridge_member': False, - 'intf': '', - 'vrf': '' -} - -def check_kmod(): - modules = ['option', 'usb_wwan', 'usbserial'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') +k_mod = ['option', 'usb_wwan', 'usbserial'] def find_device_file(device): """ Recurively search /dev for the given device file and return its full path. @@ -66,115 +42,80 @@ def find_device_file(device): return None def get_config(): - wwan = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - wwan['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - wwan['chat_script'] = f"/etc/ppp/peers/chat.{wwan['intf']}" + # retrieve interface default values + base = ['interfaces', 'wirelessmodem'] + default_values = defaults(base) + + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = base + [ifname] + wwan = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists('interfaces wirelessmodem ' + wwan['intf']): - wwan['deleted'] = True - return wwan - - # set new configuration level - conf.set_level('interfaces wirelessmodem ' + wwan['intf']) - - # get metrick for backup default route - if conf.exists(['apn']): - wwan['apn'] = conf.return_value(['apn']) - - # get metrick for backup default route - if conf.exists(['backup', 'distance']): - wwan['metric'] = conf.return_value(['backup', 'distance']) - - # Retrieve interface description - if conf.exists(['description']): - wwan['description'] = conf.return_value(['description']) - - # System device name - if conf.exists(['device']): - tmp = conf.return_value(['device']) - wwan['device'] = find_device_file(tmp) - # If device file was not found in /dev we will just re-use - # the plain device name, thus we can trigger the exception - # in verify() as it's a non existent file - if wwan['device'] == None: - wwan['device'] = tmp - - # disable interface - if conf.exists('disable'): - wwan['disable'] = True - - # ignore link state changes - if conf.exists('disable-link-detect'): - wwan['disable_link_detect'] = 2 - - # Do not use DNS servers provided by the peer - if conf.exists(['mtu']): - wwan['mtu'] = conf.return_value(['mtu']) - - # Do not use DNS servers provided by the peer - if conf.exists(['no-peer-dns']): - wwan['name_server'] = False - - # Access concentrator name (only connect to this concentrator) - if conf.exists(['ondemand']): - wwan['on_demand'] = True - - # retrieve VRF instance - if conf.exists('vrf'): - wwan['vrf'] = conf.return_value(['vrf']) + if wwan == {}: + wwan.update({'deleted' : ''}) + + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary + # retrived. + wwan = dict_merge(default_values, wwan) + + # Add interface instance name into dictionary + wwan.update({'ifname': ifname}) return wwan def verify(wwan): - if wwan['deleted']: + if 'deleted' in wwan.keys(): return None - if not wwan['apn']: - raise ConfigError('No APN configured for "{intf}"'.format(**wwan)) + if not 'apn' in wwan.keys(): + raise ConfigError('No APN configured for "{ifname}"'.format(**wwan)) - if not wwan['device']: + if not 'device' in wwan.keys(): raise ConfigError('Physical "device" must be configured') # we can not use isfile() here as Linux device files are no regular files # thus the check will return False - if not os.path.exists('{device}'.format(**wwan)): + if not os.path.exists(find_device_file(wwan['device'])): raise ConfigError('Device "{device}" does not exist'.format(**wwan)) - if wwan['vrf'] and wwan['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**wwan)) + verify_vrf(wwan) return None def generate(wwan): # set up configuration file path variables where our templates will be # rendered into - intf = wwan['intf'] - config_wwan = f'/etc/ppp/peers/{intf}' - config_wwan_chat = wwan['chat_script'] - script_wwan_pre_up = f'/etc/ppp/ip-pre-up.d/1010-vyos-wwan-{intf}' - script_wwan_ip_up = f'/etc/ppp/ip-up.d/1010-vyos-wwan-{intf}' - script_wwan_ip_down = f'/etc/ppp/ip-down.d/1010-vyos-wwan-{intf}' + ifname = wwan['ifname'] + config_wwan = f'/etc/ppp/peers/{ifname}' + config_wwan_chat = f'/etc/ppp/peers/chat.{ifname}' + script_wwan_pre_up = f'/etc/ppp/ip-pre-up.d/1010-vyos-wwan-{ifname}' + script_wwan_ip_up = f'/etc/ppp/ip-up.d/1010-vyos-wwan-{ifname}' + script_wwan_ip_down = f'/etc/ppp/ip-down.d/1010-vyos-wwan-{ifname}' config_files = [config_wwan, config_wwan_chat, script_wwan_pre_up, script_wwan_ip_up, script_wwan_ip_down] # Always hang-up WWAN connection prior generating new configuration file - call(f'systemctl stop ppp@{intf}.service') + call(f'systemctl stop ppp@{ifname}.service') - if wwan['deleted']: + if 'deleted' in wwan: # Delete PPP configuration files for file in config_files: if os.path.exists(file): os.unlink(file) else: + wwan['device'] = find_device_file(wwan['device']) + # Create PPP configuration files render(config_wwan, 'wwan/peer.tmpl', wwan) # Create PPP chat script @@ -195,26 +136,19 @@ def generate(wwan): return None def apply(wwan): - if wwan['deleted']: + if 'deleted' in wwan.keys(): # bail out early return None - if not wwan['disable']: + if not 'disable' in wwan.keys(): # "dial" WWAN connection - intf = wwan['intf'] - call(f'systemctl start ppp@{intf}.service') - - # re-add ourselves to any bridge we might have fallen out of - # FIXME: wwan isn't under vyos.ifconfig so we can't call - # Interfaces.add_to_bridge() so STP settings won't get applied - if wwan['is_bridge_member'] in Section.interfaces('bridge'): - BridgeIf(wwan['is_bridge_member'], create=False).add_port(wwan['intf']) + call('systemctl start ppp@{ifname}.service'.format(**wwan)) return None if __name__ == '__main__': try: - check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index b0a029f2b..dd34dfd66 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -24,13 +24,17 @@ from netifaces import interfaces from vyos.config import Config from vyos.template import render -from vyos.util import call, cmd +from vyos.util import call +from vyos.util import cmd +from vyos.util import check_kmod from vyos.validate import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() +k_mod = ['nft_nat', 'nft_chain_nat_ipv4'] + default_config_data = { 'deleted': False, 'destination': [], @@ -44,15 +48,6 @@ default_config_data = { iptables_nat_config = '/tmp/vyos-nat-rules.nft' -def _check_kmod(): - """ load required Kernel modules """ - modules = ['nft_nat', 'nft_chain_nat_ipv4'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - - def get_handler(json, chain, target): """ Get nftable rule handler number of given chain/target combination. Handler is required when adding NAT/Conntrack helper targets """ @@ -79,9 +74,6 @@ def verify_rule(rule, err_msg): 'statically maps a whole network of addresses onto another\n' \ 'network of addresses') - if not rule['translation_address']: - raise ConfigError(f'{err_msg} translation address not specified') - def parse_configuration(conf, source_dest): """ Common wrapper to read in both NAT source and destination CLI """ @@ -228,10 +220,10 @@ def verify(nat): for rule in nat['source']: interface = rule['interface_out'] - err_msg = f"Source NAT configuration error in rule {rule['number']}:" + err_msg = f'Source NAT configuration error in rule "{rule["number"]}":' - if interface and interface not in interfaces(): - print(f'NAT configuration warning: interface {interface} does not exist on this system') + if interface and interface not in 'any' and interface not in interfaces(): + print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system') if not rule['interface_out']: raise ConfigError(f'{err_msg} outbound-interface not specified') @@ -246,10 +238,10 @@ def verify(nat): for rule in nat['destination']: interface = rule['interface_in'] - err_msg = f"Destination NAT configuration error in rule {rule['number']}:" + err_msg = f'Destination NAT configuration error in rule "{rule["number"]}":' - if interface and interface not in interfaces(): - print(f'NAT configuration warning: interface {interface} does not exist on this system') + if interface and interface not in 'any' and interface not in interfaces(): + print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system') if not rule['interface_in']: raise ConfigError(f'{err_msg} inbound-interface not specified') @@ -261,7 +253,6 @@ def verify(nat): def generate(nat): render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755) - return None def apply(nat): @@ -273,7 +264,7 @@ def apply(nat): if __name__ == '__main__': try: - _check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 9180998aa..bba8f87a4 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -16,77 +16,22 @@ import os -from copy import deepcopy -from ipaddress import ip_network -from netifaces import interfaces -from sys import exit - from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos import ConfigError from vyos.util import call from vyos.template import render -from vyos import ConfigError - from vyos import airbag airbag.enable() config_file = r'/etc/ntp.conf' systemd_override = r'/etc/systemd/system/ntp.service.d/override.conf' -default_config_data = { - 'servers': [], - 'allowed_networks': [], - 'listen_address': [], - 'vrf': '' -} - def get_config(): - ntp = deepcopy(default_config_data) conf = Config() base = ['system', 'ntp'] - if not conf.exists(base): - return None - else: - conf.set_level(base) - - node = ['allow-clients', 'address'] - if conf.exists(node): - networks = conf.return_values(node) - for n in networks: - addr = ip_network(n) - net = { - "network" : n, - "address" : addr.network_address, - "netmask" : addr.netmask - } - - ntp['allowed_networks'].append(net) - - node = ['listen-address'] - if conf.exists(node): - ntp['listen_address'] = conf.return_values(node) - - node = ['server'] - if conf.exists(node): - for node in conf.list_nodes(node): - options = [] - server = { - "name": node, - "options": [] - } - if conf.exists('server {0} noselect'.format(node)): - options.append('noselect') - if conf.exists('server {0} preempt'.format(node)): - options.append('preempt') - if conf.exists('server {0} prefer'.format(node)): - options.append('prefer') - - server['options'] = options - ntp['servers'].append(server) - - node = ['vrf'] - if conf.exists(node): - ntp['vrf'] = conf.return_value(node) + ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return ntp def verify(ntp): @@ -94,13 +39,10 @@ def verify(ntp): if not ntp: return None - # Configuring allowed clients without a server makes no sense - if len(ntp['allowed_networks']) and not len(ntp['servers']): + if len(ntp.get('allow_clients', {})) and not (len(ntp.get('server', {})) > 0): raise ConfigError('NTP server not configured') - if ntp['vrf'] and ntp['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**ntp)) - + verify_vrf(ntp) return None def generate(ntp): @@ -108,7 +50,7 @@ def generate(ntp): if not ntp: return None - render(config_file, 'ntp/ntp.conf.tmpl', ntp) + render(config_file, 'ntp/ntp.conf.tmpl', ntp, trim_blocks=True) render(systemd_override, 'ntp/override.conf.tmpl', ntp, trim_blocks=True) return None @@ -124,7 +66,6 @@ def apply(ntp): # Reload systemd manager configuration call('systemctl daemon-reload') - if ntp: call('systemctl restart ntp.service') diff --git a/src/conf_mode/protocols_igmp.py b/src/conf_mode/protocols_igmp.py index 6f0e2010f..ca148fd6a 100755 --- a/src/conf_mode/protocols_igmp.py +++ b/src/conf_mode/protocols_igmp.py @@ -97,7 +97,7 @@ def apply(igmp): return None if os.path.exists(config_file): - call("sudo vtysh -d pimd -f " + config_file) + call(f'vtysh -d pimd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/protocols_mpls.py b/src/conf_mode/protocols_mpls.py index 15785a801..72208ffa1 100755 --- a/src/conf_mode/protocols_mpls.py +++ b/src/conf_mode/protocols_mpls.py @@ -153,7 +153,7 @@ def apply(mpls): operate_mpls_on_intfc(diactive_ifaces, 0) if os.path.exists(config_file): - call("sudo vtysh -d ldpd -f " + config_file) + call(f'vtysh -d ldpd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py index c5ac26806..4f8816d61 100755 --- a/src/conf_mode/protocols_rip.py +++ b/src/conf_mode/protocols_rip.py @@ -297,7 +297,7 @@ def apply(rip): return None if os.path.exists(config_file): - call("sudo vtysh -d ripd -f " + config_file) + call(f'vtysh -d ripd -f {config_file}') os.remove(config_file) else: print("File {0} not found".format(config_file)) diff --git a/src/conf_mode/protocols_static_multicast.py b/src/conf_mode/protocols_static_multicast.py index eeab26d4d..232d1e181 100755 --- a/src/conf_mode/protocols_static_multicast.py +++ b/src/conf_mode/protocols_static_multicast.py @@ -101,7 +101,7 @@ def apply(mroute): return None if os.path.exists(config_file): - call("sudo vtysh -d staticd -f " + config_file) + call(f'vtysh -d staticd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py new file mode 100755 index 000000000..d46f9578e --- /dev/null +++ b/src/conf_mode/service_ids_fastnetmon.py @@ -0,0 +1,89 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos import ConfigError +from vyos.util import call +from vyos.template import render +from vyos import airbag +airbag.enable() + +config_file = r'/etc/fastnetmon.conf' +networks_list = r'/etc/networks_list' + +def get_config(): + conf = Config() + base = ['service', 'ids', 'ddos-protection'] + fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + return fastnetmon + +def verify(fastnetmon): + if not fastnetmon: + return None + + if not "mode" in fastnetmon: + raise ConfigError('ddos-protection mode is mandatory!') + + if not "network" in fastnetmon: + raise ConfigError('Required define network!') + + if not "listen_interface" in fastnetmon: + raise ConfigError('Define listen-interface is mandatory!') + + if "alert_script" in fastnetmon: + if os.path.isfile(fastnetmon["alert_script"]): + # Check script permissions + if not os.access(fastnetmon["alert_script"], os.X_OK): + raise ConfigError('Script {0} does not have permissions for execution'.format(fastnetmon["alert_script"])) + else: + raise ConfigError('File {0} does not exists!'.format(fastnetmon["alert_script"])) + +def generate(fastnetmon): + if not fastnetmon: + if os.path.isfile(config_file): + os.unlink(config_file) + if os.path.isfile(networks_list): + os.unlink(networks_list) + + return + + render(config_file, 'ids/fastnetmon.tmpl', fastnetmon, trim_blocks=True) + render(networks_list, 'ids/fastnetmon_networks_list.tmpl', fastnetmon, trim_blocks=True) + + return None + +def apply(fastnetmon): + if not fastnetmon: + # Stop fastnetmon service if removed + call('systemctl stop fastnetmon.service') + else: + call('systemctl restart fastnetmon.service') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index eb0d20654..e9806ef47 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -16,19 +16,16 @@ import os -from binascii import hexlify -from netifaces import interfaces -from time import sleep from sys import exit from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos.snmpv3_hashgen import plaintext_to_md5, plaintext_to_sha1, random +from vyos.template import render +from vyos.util import call from vyos.validate import is_ipv4, is_addr_assigned from vyos.version import get_version_data -from vyos import ConfigError -from vyos.util import call -from vyos.template import render - -from vyos import airbag +from vyos import ConfigError, airbag airbag.enable() config_file_client = r'/etc/snmp/snmp.conf' @@ -60,15 +57,14 @@ default_config_data = { 'trap_targets': [], 'vyos_user': '', 'vyos_user_pass': '', - 'version': '999', + 'version': '', 'v3_enabled': 'False', 'v3_engineid': '', 'v3_groups': [], 'v3_traps': [], 'v3_users': [], 'v3_views': [], - 'script_ext': [], - 'vrf': '' + 'script_ext': [] } def rmfile(file): @@ -90,9 +86,8 @@ def get_config(): snmp['version'] = version_data['version'] # create an internal snmpv3 user of the form 'vyosxxxxxxxxxxxxxxxx' - # os.urandom(8) returns 8 bytes of random data - snmp['vyos_user'] = 'vyos' + hexlify(os.urandom(8)).decode('utf-8') - snmp['vyos_user_pass'] = hexlify(os.urandom(16)).decode('utf-8') + snmp['vyos_user'] = 'vyos' + random(8) + snmp['vyos_user_pass'] = random(16) if conf.exists('community'): for name in conf.list_nodes('community'): @@ -191,6 +186,9 @@ def get_config(): snmp['script_ext'].append(extension) if conf.exists('vrf'): + # Append key to dict but don't place it in the default dictionary. + # This is required to make the override.conf.tmpl work until we + # migrate to get_config_dict(). snmp['vrf'] = conf.return_value('vrf') @@ -260,30 +258,30 @@ def get_config(): # cmdline option '-a' trap_cfg['authProtocol'] = conf.return_value('v3 trap-target {0} auth type'.format(trap)) - if conf.exists('v3 trap-target {0} auth plaintext-key'.format(trap)): + if conf.exists('v3 trap-target {0} auth plaintext-password'.format(trap)): # Set the authentication pass phrase used for authenticated SNMPv3 messages. # cmdline option '-A' - trap_cfg['authPassword'] = conf.return_value('v3 trap-target {0} auth plaintext-key'.format(trap)) + trap_cfg['authPassword'] = conf.return_value('v3 trap-target {0} auth plaintext-password'.format(trap)) - if conf.exists('v3 trap-target {0} auth encrypted-key'.format(trap)): + if conf.exists('v3 trap-target {0} auth encrypted-password'.format(trap)): # Sets the keys to be used for SNMPv3 transactions. These options allow you to set the master authentication keys. # cmdline option '-3m' - trap_cfg['authMasterKey'] = conf.return_value('v3 trap-target {0} auth encrypted-key'.format(trap)) + trap_cfg['authMasterKey'] = conf.return_value('v3 trap-target {0} auth encrypted-password'.format(trap)) if conf.exists('v3 trap-target {0} privacy type'.format(trap)): # Set the privacy protocol (DES or AES) used for encrypted SNMPv3 messages. # cmdline option '-x' trap_cfg['privProtocol'] = conf.return_value('v3 trap-target {0} privacy type'.format(trap)) - if conf.exists('v3 trap-target {0} privacy plaintext-key'.format(trap)): + if conf.exists('v3 trap-target {0} privacy plaintext-password'.format(trap)): # Set the privacy pass phrase used for encrypted SNMPv3 messages. # cmdline option '-X' - trap_cfg['privPassword'] = conf.return_value('v3 trap-target {0} privacy plaintext-key'.format(trap)) + trap_cfg['privPassword'] = conf.return_value('v3 trap-target {0} privacy plaintext-password'.format(trap)) - if conf.exists('v3 trap-target {0} privacy encrypted-key'.format(trap)): + if conf.exists('v3 trap-target {0} privacy encrypted-password'.format(trap)): # Sets the keys to be used for SNMPv3 transactions. These options allow you to set the master encryption keys. # cmdline option '-3M' - trap_cfg['privMasterKey'] = conf.return_value('v3 trap-target {0} privacy encrypted-key'.format(trap)) + trap_cfg['privMasterKey'] = conf.return_value('v3 trap-target {0} privacy encrypted-password'.format(trap)) if conf.exists('v3 trap-target {0} protocol'.format(trap)): trap_cfg['ipProto'] = conf.return_value('v3 trap-target {0} protocol'.format(trap)) @@ -322,11 +320,11 @@ def get_config(): } # v3 user {0} auth - if conf.exists('v3 user {0} auth encrypted-key'.format(user)): - user_cfg['authMasterKey'] = conf.return_value('v3 user {0} auth encrypted-key'.format(user)) + if conf.exists('v3 user {0} auth encrypted-password'.format(user)): + user_cfg['authMasterKey'] = conf.return_value('v3 user {0} auth encrypted-password'.format(user)) - if conf.exists('v3 user {0} auth plaintext-key'.format(user)): - user_cfg['authPassword'] = conf.return_value('v3 user {0} auth plaintext-key'.format(user)) + if conf.exists('v3 user {0} auth plaintext-password'.format(user)): + user_cfg['authPassword'] = conf.return_value('v3 user {0} auth plaintext-password'.format(user)) # load default value type = user_cfg['authProtocol'] @@ -346,11 +344,11 @@ def get_config(): user_cfg['mode'] = conf.return_value('v3 user {0} mode'.format(user)) # v3 user {0} privacy - if conf.exists('v3 user {0} privacy encrypted-key'.format(user)): - user_cfg['privMasterKey'] = conf.return_value('v3 user {0} privacy encrypted-key'.format(user)) + if conf.exists('v3 user {0} privacy encrypted-password'.format(user)): + user_cfg['privMasterKey'] = conf.return_value('v3 user {0} privacy encrypted-password'.format(user)) - if conf.exists('v3 user {0} privacy plaintext-key'.format(user)): - user_cfg['privPassword'] = conf.return_value('v3 user {0} privacy plaintext-key'.format(user)) + if conf.exists('v3 user {0} privacy plaintext-password'.format(user)): + user_cfg['privPassword'] = conf.return_value('v3 user {0} privacy plaintext-password'.format(user)) # load default value type = user_cfg['privProtocol'] @@ -416,8 +414,7 @@ def verify(snmp): else: print('WARNING: SNMP listen address {0} not configured!'.format(addr)) - if snmp['vrf'] and snmp['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**snmp)) + verify_vrf(snmp) # bail out early if SNMP v3 is not configured if not snmp['v3_enabled']: @@ -448,16 +445,16 @@ def verify(snmp): if 'v3_traps' in snmp.keys(): for trap in snmp['v3_traps']: if trap['authPassword'] and trap['authMasterKey']: - raise ConfigError('Must specify only one of encrypted-key/plaintext-key for trap auth') + raise ConfigError('Must specify only one of encrypted-password/plaintext-key for trap auth') if trap['authPassword'] == '' and trap['authMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for trap auth') + raise ConfigError('Must specify encrypted-password or plaintext-key for trap auth') if trap['privPassword'] and trap['privMasterKey']: - raise ConfigError('Must specify only one of encrypted-key/plaintext-key for trap privacy') + raise ConfigError('Must specify only one of encrypted-password/plaintext-key for trap privacy') if trap['privPassword'] == '' and trap['privMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for trap privacy') + raise ConfigError('Must specify encrypted-password or plaintext-key for trap privacy') if not 'type' in trap.keys(): raise ConfigError('v3 trap: "type" must be specified') @@ -488,19 +485,12 @@ def verify(snmp): if error: raise ConfigError('You must create group "{0}" first'.format(user['group'])) - # Depending on the configured security level - # the user has to provide additional info - if user['authPassword'] and user['authMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth') - + # Depending on the configured security level the user has to provide additional info if (not user['authPassword'] and not user['authMasterKey']): - raise ConfigError('Must specify encrypted-key or plaintext-key for user auth') - - if user['privPassword'] and user['privMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy') + raise ConfigError('Must specify encrypted-password or plaintext-key for user auth') if user['privPassword'] == '' and user['privMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy') + raise ConfigError('Must specify encrypted-password or plaintext-key for user privacy') if user['mode'] == '': raise ConfigError('Must specify user mode ro/rw') @@ -522,12 +512,36 @@ def generate(snmp): for file in config_files: rmfile(file) - # Reload systemd manager configuration - call('systemctl daemon-reload') - if not snmp: return None + if 'v3_users' in snmp.keys(): + # net-snmp is now regenerating the configuration file in the background + # thus we need to re-open and re-read the file as the content changed. + # After that we can no read the encrypted password from the config and + # replace the CLI plaintext password with its encrypted version. + os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos" + + for user in snmp['v3_users']: + if user['authProtocol'] == 'sha': + hash = plaintext_to_sha1 + else: + hash = plaintext_to_md5 + + if user['authPassword']: + user['authMasterKey'] = hash(user['authPassword'], snmp['v3_engineid']) + user['authPassword'] = '' + + call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" auth encrypted-password "{authMasterKey}" > /dev/null'.format(**user)) + call('/opt/vyatta/sbin/my_delete service snmp v3 user "{name}" auth plaintext-password > /dev/null'.format(**user)) + + if user['privPassword']: + user['privMasterKey'] = hash(user['privPassword'], snmp['v3_engineid']) + user['privPassword'] = '' + + call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" privacy encrypted-password "{privMasterKey}" > /dev/null'.format(**user)) + call('/opt/vyatta/sbin/my_delete service snmp v3 user "{name}" privacy plaintext-password > /dev/null'.format(**user)) + # Write client config file render(config_file_client, 'snmp/etc.snmp.conf.tmpl', snmp) # Write server config file @@ -542,45 +556,14 @@ def generate(snmp): return None def apply(snmp): + # Always reload systemd manager configuration + call('systemctl daemon-reload') + if not snmp: return None - # Reload systemd manager configuration - call('systemctl daemon-reload') # start SNMP daemon - call("systemctl restart snmpd.service") - - while (call('systemctl -q is-active snmpd.service') != 0): - print("service not yet started") - sleep(0.5) - - # net-snmp is now regenerating the configuration file in the background - # thus we need to re-open and re-read the file as the content changed. - # After that we can no read the encrypted password from the config and - # replace the CLI plaintext password with its encrypted version. - os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos" - with open(config_file_user, 'r') as f: - engineID = '' - for line in f: - if line.startswith('usmUser'): - string = line.split(' ') - cfg = { - 'user': string[4].replace(r'"', ''), - 'auth_pw': string[8], - 'priv_pw': string[10] - } - # No need to take care about the VyOS internal user - if cfg['user'] == snmp['vyos_user']: - continue - - # Now update the running configuration - # - # Currently when executing call() the environment does not - # have the vyos_libexec_dir variable set, see Phabricator T685. - call('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" auth encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['auth_pw'])) - call('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" privacy encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['priv_pw'])) - call('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" auth plaintext-key > /dev/null'.format(cfg['user'])) - call('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" privacy plaintext-key > /dev/null'.format(cfg['user'])) + call('systemctl restart snmpd.service') # Enable AgentX in FRR call('vtysh -c "configure terminal" -c "agentx" >/dev/null') diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index 1ca2c8b4c..ffb0b700d 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -37,7 +37,7 @@ def get_config(): if not conf.exists(base): return None - ssh = conf.get_config_dict(base, key_mangling=('-', '_')) + ssh = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. default_values = defaults(base) diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 93d4cc679..b1dd583b5 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -72,7 +72,7 @@ def get_config(): user = { 'name': username, 'password_plaintext': '', - 'password_encred': '!', + 'password_encrypted': '!', 'public_keys': [], 'full_name': '', 'home_dir': '/home/' + username, diff --git a/src/conf_mode/system-options.py b/src/conf_mode/system-options.py index 8de3b6fa2..d7c5c0443 100755 --- a/src/conf_mode/system-options.py +++ b/src/conf_mode/system-options.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -16,67 +16,62 @@ import os +from netifaces import interfaces from sys import exit -from copy import deepcopy + from vyos.config import Config +from vyos.template import render +from vyos.util import call from vyos import ConfigError -from vyos.util import run - from vyos import airbag airbag.enable() -systemd_ctrl_alt_del = '/lib/systemd/system/ctrl-alt-del.target' - -default_config_data = { - 'beep_if_fully_booted': False, - 'ctrl_alt_del': 'ignore', - 'reboot_on_panic': True -} +config_file = r'/etc/curlrc' +systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target' def get_config(): - opt = deepcopy(default_config_data) conf = Config() - conf.set_level('system options') - if conf.exists(''): - if conf.exists('ctrl-alt-del-action'): - opt['ctrl_alt_del'] = conf.return_value('ctrl-alt-del-action') + base = ['system', 'options'] + options = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + return options - opt['beep_if_fully_booted'] = conf.exists('beep-if-fully-booted') - opt['reboot_on_panic'] = conf.exists('reboot-on-panic') +def verify(options): + if 'http_client' in options.keys(): + config = options['http_client'] + if 'source_interface' in config.keys(): + if not config['source_interface'] in interfaces(): + raise ConfigError(f'Source interface {source_interface} does not ' + f'exist'.format(**config)) - return opt + if {'source_address', 'source_interface'} <= set(config): + raise ConfigError('Can not define both HTTP source-interface and source-address') -def verify(opt): - pass + return None -def generate(opt): - pass +def generate(options): + render(config_file, 'system/curlrc.tmpl', options, trim_blocks=True) + return None -def apply(opt): +def apply(options): # Beep action - if opt['beep_if_fully_booted']: - run('systemctl enable vyos-beep.service') + if 'beep_if_fully_booted' in options.keys(): + call('systemctl enable vyos-beep.service') else: - run('systemctl disable vyos-beep.service') + call('systemctl disable vyos-beep.service') # Ctrl-Alt-Delete action - if opt['ctrl_alt_del'] == 'ignore': - if os.path.exists(systemd_ctrl_alt_del): - os.unlink('/lib/systemd/system/ctrl-alt-del.target') - - elif opt['ctrl_alt_del'] == 'reboot': - if os.path.exists(systemd_ctrl_alt_del): - os.unlink(systemd_ctrl_alt_del) - os.symlink('/lib/systemd/system/reboot.target', systemd_ctrl_alt_del) + if os.path.exists(systemd_action_file): + os.unlink(systemd_action_file) - elif opt['ctrl_alt_del'] == 'poweroff': - if os.path.exists(systemd_ctrl_alt_del): - os.unlink(systemd_ctrl_alt_del) - os.symlink('/lib/systemd/system/poweroff.target', systemd_ctrl_alt_del) + if 'ctrl_alt_del_action' in options.keys(): + if options['ctrl_alt_del_action'] == 'reboot': + os.symlink('/lib/systemd/system/reboot.target', systemd_action_file) + elif options['ctrl_alt_del_action'] == 'poweroff': + os.symlink('/lib/systemd/system/poweroff.target', systemd_action_file) # Reboot system on kernel panic with open('/proc/sys/kernel/panic', 'w') as f: - if opt['reboot_on_panic']: + if 'reboot_on_panic' in options.keys(): f.write('60') else: f.write('0') diff --git a/src/conf_mode/system_console.py b/src/conf_mode/system_console.py index 034cbee63..6f83335f3 100755 --- a/src/conf_mode/system_console.py +++ b/src/conf_mode/system_console.py @@ -31,7 +31,7 @@ def get_config(): base = ['system', 'console'] # retrieve configuration at once - console = conf.get_config_dict(base) + console = conf.get_config_dict(base, get_first_key=True) # bail out early if no serial console is configured if 'device' not in console.keys(): diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index e8f523e36..56ca813ff 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -52,7 +52,7 @@ def vrf_interfaces(c, match): matched = [] old_level = c.get_level() c.set_level(['interfaces']) - section = c.get_config_dict([]) + section = c.get_config_dict([], get_first_key=True) for type in section: interfaces = section[type] for name in interfaces: @@ -201,8 +201,8 @@ def apply(vrf_config): for vrf in vrf_config['vrf_remove']: name = vrf['name'] if os.path.isdir(f'/sys/class/net/{name}'): - _cmd(f'sudo ip -4 route del vrf {name} unreachable default metric 4278198272') - _cmd(f'sudo ip -6 route del vrf {name} unreachable default metric 4278198272') + _cmd(f'ip -4 route del vrf {name} unreachable default metric 4278198272') + _cmd(f'ip -6 route del vrf {name} unreachable default metric 4278198272') _cmd(f'ip link delete dev {name}') for vrf in vrf_config['vrf_add']: diff --git a/src/helpers/vyos-load-config.py b/src/helpers/vyos-load-config.py index a9fa15778..c2da1bb11 100755 --- a/src/helpers/vyos-load-config.py +++ b/src/helpers/vyos-load-config.py @@ -27,12 +27,12 @@ import sys import tempfile import vyos.defaults import vyos.remote -from vyos.config import Config, VyOSError +from vyos.configsource import ConfigSourceSession, VyOSError from vyos.migrator import Migrator, VirtualMigrator, MigratorError -class LoadConfig(Config): +class LoadConfig(ConfigSourceSession): """A subclass for calling 'loadFile'. - This does not belong in config.py, and only has a single caller. + This does not belong in configsource.py, and only has a single caller. """ def load_config(self, path): return self._run(['/bin/cli-shell-api','loadFile',path]) diff --git a/src/migration-scripts/interfaces/8-to-9 b/src/migration-scripts/interfaces/8-to-9 index e0b9dd375..2d1efd418 100755 --- a/src/migration-scripts/interfaces/8-to-9 +++ b/src/migration-scripts/interfaces/8-to-9 @@ -16,7 +16,7 @@ # Rename link nodes to source-interface for the following interface types: # - vxlan -# - pseudo ethernet +# - pseudo-ethernet from sys import exit, argv from vyos.configtree import ConfigTree @@ -36,7 +36,7 @@ if __name__ == '__main__': base = ['interfaces', if_type] if not config.exists(base): # Nothing to do - exit(0) + continue # list all individual interface isntance for i in config.list_nodes(base): diff --git a/src/migration-scripts/snmp/1-to-2 b/src/migration-scripts/snmp/1-to-2 new file mode 100755 index 000000000..466a624e6 --- /dev/null +++ b/src/migration-scripts/snmp/1-to-2 @@ -0,0 +1,89 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from sys import argv, exit +from vyos.configtree import ConfigTree + +def migrate_keys(config, path): + # authentication: rename node 'encrypted-key' -> 'encrypted-password' + config_path_auth = path + ['auth', 'encrypted-key'] + if config.exists(config_path_auth): + config.rename(config_path_auth, 'encrypted-password') + config_path_auth = path + ['auth', 'encrypted-password'] + + # remove leading '0x' from string if present + tmp = config.return_value(config_path_auth) + if tmp.startswith(prefix): + tmp = tmp.replace(prefix, '') + config.set(config_path_auth, value=tmp) + + # privacy: rename node 'encrypted-key' -> 'encrypted-password' + config_path_priv = path + ['privacy', 'encrypted-key'] + if config.exists(config_path_priv): + config.rename(config_path_priv, 'encrypted-password') + config_path_priv = path + ['privacy', 'encrypted-password'] + + # remove leading '0x' from string if present + tmp = config.return_value(config_path_priv) + if tmp.startswith(prefix): + tmp = tmp.replace(prefix, '') + config.set(config_path_priv, value=tmp) + +if __name__ == '__main__': + if (len(argv) < 1): + print("Must specify file name!") + exit(1) + + file_name = argv[1] + + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + config_base = ['service', 'snmp', 'v3'] + + if not config.exists(config_base): + # Nothing to do + exit(0) + else: + # We no longer support hashed values prefixed with '0x' to unclutter + # CLI and also calculate the hases in advance instead of retrieving + # them after service startup - which was always a bad idea + prefix = '0x' + + config_engineid = config_base + ['engineid'] + if config.exists(config_engineid): + tmp = config.return_value(config_engineid) + if tmp.startswith(prefix): + tmp = tmp.replace(prefix, '') + config.set(config_engineid, value=tmp) + + config_user = config_base + ['user'] + if config.exists(config_user): + for user in config.list_nodes(config_user): + migrate_keys(config, config_user + [user]) + + config_trap = config_base + ['trap-target'] + if config.exists(config_trap): + for trap in config.list_nodes(config_trap): + migrate_keys(config, config_trap + [trap]) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/ssh/1-to-2 b/src/migration-scripts/ssh/1-to-2 new file mode 100755 index 000000000..bc8815753 --- /dev/null +++ b/src/migration-scripts/ssh/1-to-2 @@ -0,0 +1,55 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# VyOS 1.2 crux allowed configuring a lower or upper case loglevel. This +# is no longer supported as the input data is validated and will lead to +# an error. If user specifies an upper case logleve, make it lowercase + +from sys import argv,exit +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['service', 'ssh', 'loglevel'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) +else: + # red in configured loglevel and convert it to lower case + tmp = config.return_value(base).lower() + + # VyOS 1.2 had no proper value validation on the CLI thus the + # user could use any arbitrary values - sanitize them + if tmp not in ['quiet', 'fatal', 'error', 'info', 'verbose']: + tmp = 'info' + + config.set(base, value=tmp) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/op_mode/flow_accounting_op.py b/src/op_mode/flow_accounting_op.py index bf8c39fd6..6586cbceb 100755 --- a/src/op_mode/flow_accounting_op.py +++ b/src/op_mode/flow_accounting_op.py @@ -21,58 +21,57 @@ import re import ipaddress import os.path from tabulate import tabulate - +from json import loads from vyos.util import cmd, run +from vyos.logger import syslog # some default values uacctd_pidfile = '/var/run/uacctd.pid' uacctd_pipefile = '/tmp/uacctd.pipe' - -# check if ports argument have correct format -def _is_ports(ports): - # define regex for checking - regex_filter = re.compile('^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$|^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])-(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$|^((\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]),)+(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$') - if not regex_filter.search(ports): - raise argparse.ArgumentTypeError("Invalid ports: {}".format(ports)) - - # check which type nitation is used: single port, ports list, ports range - # single port - regex_filter = re.compile('^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$') - if regex_filter.search(ports): - filter_ports = { 'type': 'single', 'value': int(ports) } - - # ports list - regex_filter = re.compile('^((\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]),)+(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])') - if regex_filter.search(ports): - filter_ports = { 'type': 'list', 'value': list(map(int, ports.split(','))) } - - # ports range - regex_filter = re.compile('^(?P<first>\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])-(?P<second>\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$') - if regex_filter.search(ports): - # check if second number is greater than the first - if int(regex_filter.search(ports).group('first')) >= int(regex_filter.search(ports).group('second')): - raise argparse.ArgumentTypeError("Invalid ports: {}".format(ports)) - filter_ports = { 'type': 'range', 'value': range(int(regex_filter.search(ports).group('first')), int(regex_filter.search(ports).group('second'))) } - - # if all above failed - if not filter_ports: - raise argparse.ArgumentTypeError("Failed to parse: {}".format(ports)) +def parse_port(port): + try: + port_num = int(port) + if (port_num >= 0) and (port_num <= 65535): + return port_num + else: + raise ValueError("out of the 0-65535 range".format(port)) + except ValueError as e: + raise ValueError("Incorrect port number \'{0}\': {1}".format(port, e)) + +def parse_ports(arg): + if re.match(r'^\d+$', arg): + # Single port + port = parse_port(arg) + return {"type": "single", "value": port} + elif re.match(r'^\d+\-\d+$', arg): + # Port range + ports = arg.split("-") + ports = list(map(parse_port, ports)) + if ports[0] > ports[1]: + raise ValueError("Malformed port range \'{0}\': lower end is greater than the higher".format(arg)) + else: + return {"type": "range", "value": (ports[0], ports[1])} + elif re.match(r'^\d+,.*\d$', arg): + # Port list + ports = re.split(r',+', arg) # This allows duplicate commad like '1,,2,3,4' + ports = list(map(parse_port, ports)) + return {"type": "list", "value": ports} else: - return filter_ports + raise ValueError("Malformed port spec \'{0}\'".format(arg)) # check if host argument have correct format -def _is_host(host): +def check_host(host): # define regex for checking if not ipaddress.ip_address(host): - raise argparse.ArgumentTypeError("Invalid host: {}".format(host)) - return host + raise ValueError("Invalid host \'{}\', must be a valid IP or IPv6 address".format(host)) # check if flow-accounting running def _uacctd_running(): command = 'systemctl status uacctd.service > /dev/null' return run(command) == 0 + # get list of interfaces def _get_ifaces_dict(): # run command to get ifaces list @@ -83,7 +82,7 @@ def _get_ifaces_dict(): # make a dictionary with interfaces and indexes ifaces_dict = {} - regex_filter = re.compile('^(?P<iface_index>\d+):\ (?P<iface_name>[\w\d\.]+)[:@].*$') + regex_filter = re.compile(r'^(?P<iface_index>\d+):\ (?P<iface_name>[\w\d\.]+)[:@].*$') for iface_line in ifaces_out: if regex_filter.search(iface_line): ifaces_dict[int(regex_filter.search(iface_line).group('iface_index'))] = regex_filter.search(iface_line).group('iface_name') @@ -91,11 +90,12 @@ def _get_ifaces_dict(): # return dictioanry return ifaces_dict + # get list of flows def _get_flows_list(): # run command to get flows list out = cmd(f'/usr/bin/pmacct -s -O json -T flows -p {uacctd_pipefile}', - message='Failed to get flows list') + message='Failed to get flows list') # read output flows_out = out.splitlines() @@ -103,11 +103,15 @@ def _get_flows_list(): # make a list with flows flows_list = [] for flow_line in flows_out: - flows_list.append(eval(flow_line)) + try: + flows_list.append(loads(flow_line)) + except Exception as err: + syslog.error('Unable to read flow info: {}'.format(err)) # return list of flows return flows_list + # filter and format flows def _flows_filter(flows, ifaces): # predefine filtered flows list @@ -149,14 +153,29 @@ def _flows_filter(flows, ifaces): # return filtered flows return flows_filtered + # print flow table def _flows_table_print(flows): - #define headers and body - table_headers = [ 'IN_IFACE', 'SRC_MAC', 'DST_MAC', 'SRC_IP', 'DST_IP', 'SRC_PORT', 'DST_PORT', 'PROTOCOL', 'TOS', 'PACKETS', 'FLOWS', 'BYTES' ] + # define headers and body + table_headers = ['IN_IFACE', 'SRC_MAC', 'DST_MAC', 'SRC_IP', 'DST_IP', 'SRC_PORT', 'DST_PORT', 'PROTOCOL', 'TOS', 'PACKETS', 'FLOWS', 'BYTES'] table_body = [] # convert flows to list for flow in flows: - table_body.append([flow['iface_in_name'], flow['mac_src'], flow['mac_dst'], flow['ip_src'], flow['ip_dst'], flow['port_src'], flow['port_dst'], flow['ip_proto'], flow['tos'], flow['packets'], flow['flows'], flow['bytes'] ]) + table_line = [ + flow.get('iface_in_name'), + flow.get('mac_src'), + flow.get('mac_dst'), + flow.get('ip_src'), + flow.get('ip_dst'), + flow.get('port_src'), + flow.get('port_dst'), + flow.get('ip_proto'), + flow.get('tos'), + flow.get('packets'), + flow.get('flows'), + flow.get('bytes') + ] + table_body.append(table_line) # configure and fill table table = tabulate(table_body, table_headers, tablefmt="simple") @@ -168,23 +187,34 @@ def _flows_table_print(flows): except KeyboardInterrupt: sys.exit(0) + # check if in-memory table is active def _check_imt(): if not os.path.exists(uacctd_pipefile): print("In-memory table is not available") sys.exit(1) + # define program arguments cmd_args_parser = argparse.ArgumentParser(description='show flow-accounting') cmd_args_parser.add_argument('--action', choices=['show', 'clear', 'restart'], required=True, help='command to flow-accounting daemon') cmd_args_parser.add_argument('--filter', choices=['interface', 'host', 'ports', 'top'], required=False, nargs='*', help='filter flows to display') cmd_args_parser.add_argument('--interface', required=False, help='interface name for output filtration') -cmd_args_parser.add_argument('--host', type=_is_host, required=False, help='host address for output filtration') -cmd_args_parser.add_argument('--ports', type=_is_ports, required=False, help='ports number for output filtration') -cmd_args_parser.add_argument('--top', type=int, required=False, help='top records for output filtration') +cmd_args_parser.add_argument('--host', type=str, required=False, help='host address for output filtering') +cmd_args_parser.add_argument('--ports', type=str, required=False, help='port number, range or list for output filtering') +cmd_args_parser.add_argument('--top', type=int, required=False, help='top records for output filtering') # parse arguments cmd_args = cmd_args_parser.parse_args() +try: + if cmd_args.host: + check_host(cmd_args.host) + + if cmd_args.ports: + cmd_args.ports = parse_ports(cmd_args.ports) +except ValueError as e: + print(e) + sys.exit(1) # main logic # do nothing if uacctd daemon is not running diff --git a/src/op_mode/show_dhcp.py b/src/op_mode/show_dhcp.py index f9577e57e..ff1e3cc56 100755 --- a/src/op_mode/show_dhcp.py +++ b/src/op_mode/show_dhcp.py @@ -161,7 +161,8 @@ def get_pool_size(config, pool): start = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} start".format(pool, s, r)) stop = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} stop".format(pool, s, r)) - size += int(ip_address(stop)) - int(ip_address(start)) + # Add +1 because both range boundaries are inclusive + size += int(ip_address(stop)) - int(ip_address(start)) + 1 return size diff --git a/src/op_mode/show_interfaces.py b/src/op_mode/show_interfaces.py index 46571c0c0..d4dae3cd1 100755 --- a/src/op_mode/show_interfaces.py +++ b/src/op_mode/show_interfaces.py @@ -220,8 +220,7 @@ def run_show_intf_brief(ifnames, iftypes, vif, vrrp): oper = ['u', ] if oper_state in ('up', 'unknown') else ['A', ] admin = ['u', ] if oper_state in ('up', 'unknown') else ['D', ] addrs = [_ for _ in interface.get_addr() if not _.startswith('fe80::')] or ['-', ] - # do not ask me why 56, it was the number in the perl code ... - descs = list(split_text(interface.get_alias(),56)) + descs = list(split_text(interface.get_alias(),0)) while intf or oper or admin or addrs or descs: i = intf.pop(0) if intf else '' diff --git a/src/op_mode/wireguard.py b/src/op_mode/wireguard.py index 15bf63e81..e08bc983a 100755 --- a/src/op_mode/wireguard.py +++ b/src/op_mode/wireguard.py @@ -21,22 +21,17 @@ import shutil import syslog as sl import re +from vyos.config import Config from vyos.ifconfig import WireGuardIf - +from vyos.util import cmd +from vyos.util import run +from vyos.util import check_kmod from vyos import ConfigError -from vyos.config import Config -from vyos.util import cmd, run dir = r'/config/auth/wireguard' psk = dir + '/preshared.key' -def check_kmod(): - """ check if kmod is loaded, if not load it """ - if not os.path.exists('/sys/module/wireguard'): - sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") - if run('sudo modprobe wireguard') != 0: - sl.syslog(sl.LOG_ERR, "modprobe wireguard failed") - raise ConfigError("modprobe wireguard failed") +k_mod = 'wireguard' def generate_keypair(pk, pub): """ generates a keypair which is stored in /config/auth/wireguard """ @@ -106,7 +101,7 @@ def del_key_dir(kname): if __name__ == '__main__': - check_kmod() + check_kmod(k_mod) parser = argparse.ArgumentParser(description='wireguard key management') parser.add_argument( '--genkey', action="store_true", help='generate key-pair') diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server index 38bf2f8ce..3eecaba5a 100755 --- a/src/services/vyos-http-api-server +++ b/src/services/vyos-http-api-server @@ -33,7 +33,6 @@ import systemd.daemon from functools import wraps from vyos.configsession import ConfigSession, ConfigSessionError -from vyos.config import VyOSError DEFAULT_CONFIG_FILE = '/etc/vyos/http-api.conf' @@ -232,8 +231,6 @@ def retrieve_op(command): return error(400, "\"{0}\" is not a valid config format".format(config_format)) else: return error(400, "\"{0}\" is not a valid operation".format(op)) - except VyOSError as e: - return error(400, str(e)) except ConfigSessionError as e: return error(400, str(e)) except Exception as e: diff --git a/src/tests/test_initial_setup.py b/src/tests/test_initial_setup.py index c4c59b827..1597025e8 100644 --- a/src/tests/test_initial_setup.py +++ b/src/tests/test_initial_setup.py @@ -21,6 +21,7 @@ import tempfile import unittest from unittest import TestCase, mock +from vyos import xml import vyos.configtree import vyos.initialsetup as vis @@ -30,6 +31,7 @@ class TestInitialSetup(TestCase): with open('tests/data/config.boot.default', 'r') as f: config_string = f.read() self.config = vyos.configtree.ConfigTree(config_string) + self.xml = xml.load_configuration() def test_set_user_password(self): vis.set_user_password(self.config, 'vyos', 'vyosvyos') @@ -56,7 +58,7 @@ class TestInitialSetup(TestCase): self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') - self.assertTrue(self.config.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) + self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_set_ssh_key_without_name(self): # If key file doesn't include a name, the function will use user name for the key name @@ -69,7 +71,7 @@ class TestInitialSetup(TestCase): self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') - self.assertTrue(self.config.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) + self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_create_user(self): vis.create_user(self.config, 'jrandomhacker', password='qwerty', key=" ssh-rsa fakedata jrandomhacker@foovax ") @@ -95,8 +97,8 @@ class TestInitialSetup(TestCase): vis.set_default_gateway(self.config, '192.0.2.1') self.assertTrue(self.config.exists(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop', '192.0.2.1'])) - self.assertTrue(self.config.is_tag(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop'])) - self.assertTrue(self.config.is_tag(['protocols', 'static', 'route'])) + self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route', '0.0.0.0/0', 'next-hop'])) + self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route'])) if __name__ == "__main__": unittest.main() diff --git a/src/validators/dotted-decimal b/src/validators/dotted-decimal new file mode 100755 index 000000000..652110346 --- /dev/null +++ b/src/validators/dotted-decimal @@ -0,0 +1,33 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import re +import sys + +area = sys.argv[1] + +res = re.match(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)$', area) +if not res: + print("\'{0}\' is not a valid dotted decimal value".format(area)) + sys.exit(1) +else: + components = res.groups() + for n in range(0, 4): + if (int(components[n]) > 255): + print("Invalid component of a dotted decimal value: {0} exceeds 255".format(components[n])) + sys.exit(1) + +sys.exit(0) |