-rw-r--r--data/templates/frr/daemons.frr.tmpl128
-rw-r--r--op-mode-definitions/generate_firewall_rule-resequence.xml.in42
-rwxr-xr-xsrc/op_mode/generate_firewall_rule-resequence.py135
3 files changed, 271 insertions, 34 deletions
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index b137ba23a..699909170 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -1,4 +1,26 @@
-zebra=yes
+#
+# The watchfrr, zebra, mgmtd and staticd daemons are always started.
+#
+# Note: The following FRR-services must be kept disabled because they are replaced by other packages in VyOS:
+#
+# pimd Replaced by package igmpproxy.
+# nhrpd Replaced by package opennhrp.
+# pbrd Replaced by PBR in nftables.
+# vrrpd Replaced by package keepalived.
+#
+# And these must be disabled aswell since they are currently missing a VyOS CLI:
+#
+# eigrp
+# sharpd
+# fabricd
+# pathd
+#
+# The zebra, mgmtd and staticd daemons are always started and can not be disabled
+#
+#zebra=yes
+#mgmtd=yes
+#staticd=yes
+
bgpd=yes
ospfd=yes
ospf6d=yes
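Review bot: The new header comment states the "always started" set twice with different members — the first sentence lists watchfrr, zebra, mgmtd and staticd, the later one only zebra, mgmtd and staticd — so a reader cannot tell whether watchfrr belongs to that set; one of the two sentences should be dropped or they should agree. The second sentence also has a typo, `# And these must be disabled as well since they are currently missing a VyOS CLI:`. Since this template is rendered into the live daemons file, keeping the comment accurate matters more than usual because it is the only place an operator will see why these daemons are pinned to `no`.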
@@ -6,6 +28,7 @@ ripd=yes
ripngd=yes
isisd=yes
pimd=no
+pim6d=no
ldpd=yes
nhrpd=no
eigrpd=no
@@ -13,42 +36,79 @@ babeld=yes
sharpd=no
pbrd=no
bfdd=yes
-staticd=yes
+fabricd=no
+vrrpd=no
+pathd=no
-vtysh_enable=yes
-zebra_options=" -s 90000000 --daemon -A 127.0.0.1
-{%- if irdp is defined %} -M irdp{% endif -%}
-{%- if snmp is defined and snmp.zebra is defined %} -M snmp{% endif -%}
-"
-bgpd_options=" --daemon -A 127.0.0.1
-{%- if bmp is defined %} -M bmp{% endif -%}
-{%- if snmp is defined and snmp.bgpd is defined %} -M snmp{% endif -%}
-"
-ospfd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ospfd is defined %} -M snmp{% endif -%}
-"
-ospf6d_options=" --daemon -A ::1
-{%- if snmp is defined and snmp.ospf6d is defined %} -M snmp{% endif -%}
-"
-ripd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ripd is defined %} -M snmp{% endif -%}
-"
+#
+# Define defaults for all services even those who shall be kept disabled.
+#
+
+zebra_options=" --daemon -A 127.0.0.1 -s 90000000{{ ' -M snmp' if snmp.zebra is vyos_defined }}{{ ' -M irdp' if irdp is vyos_defined }}"
+mgmtd_options=" --daemon -A 127.0.0.1"
+staticd_options="--daemon -A 127.0.0.1"
+bgpd_options=" --daemon -A 127.0.0.1 -M rpki{{ ' -M snmp' if snmp.bgpd is vyos_defined }}{{ ' -M bmp' if bmp is vyos_defined }}"
+ospfd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ospfd is vyos_defined }}"
+ospf6d_options=" --daemon -A ::1{{ ' -M snmp' if snmp.ospf6d is vyos_defined }}"
+ripd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ripd is vyos_defined }}"
ripngd_options=" --daemon -A ::1"
-isisd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.isisd is defined %} -M snmp{% endif -%}
-"
-pimd_options=" --daemon -A 127.0.0.1"
-ldpd_options=" --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
-"
-mgmtd_options=" --daemon -A 127.0.0.1"
+isisd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.isisd is vyos_defined }}"
+pimd_options=" --daemon -A 127.0.0.1"
+pim6d_options=" --daemon -A ::1"
+ldpd_options=" --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ldpd is vyos_defined }}"
nhrpd_options=" --daemon -A 127.0.0.1"
-eigrpd_options=" --daemon -A 127.0.0.1"
-babeld_options=" --daemon -A 127.0.0.1"
-sharpd_options=" --daemon -A 127.0.0.1"
-pbrd_options=" --daemon -A 127.0.0.1"
-staticd_options=" --daemon -A 127.0.0.1"
-bfdd_options=" --daemon -A 127.0.0.1"
+eigrpd_options=" --daemon -A 127.0.0.1"
+babeld_options=" --daemon -A 127.0.0.1"
+sharpd_options=" --daemon -A 127.0.0.1"
+pbrd_options=" --daemon -A 127.0.0.1"
+bfdd_options=" --daemon -A 127.0.0.1"
+fabricd_options="--daemon -A 127.0.0.1"
+vrrpd_options=" --daemon -A 127.0.0.1"
+pathd_options=" --daemon -A 127.0.0.1"
+
+#frr_global_options=""
+
+#zebra_wrap=""
+#mgmtd_wrap=""
+#staticd_wrap=""
+#bgpd_wrap=""
+#ospfd_wrap=""
+#ospf6d_wrap=""
+#ripd_wrap=""
+#ripngd_wrap=""
+#isisd_wrap=""
+#pimd_wrap=""
+#pim6d_wrap=""
+#ldpd_wrap=""
+#nhrpd_wrap=""
+#eigrpd_wrap=""
+#babeld_wrap=""
+#sharpd_wrap=""
+#pbrd_wrap=""
+#bfdd_wrap=""
+#fabricd_wrap=""
+#vrrpd_wrap=""
+#pathd_wrap=""
+
+#all_wrap=""
+
+#
+# Other options.
+#
+# For more information see:
+# https://github.com/FRRouting/frr/blob/stable/9.0/tools/etc/frr/daemons
+# https://docs.frrouting.org/en/stable-9.0/setup.html
+#
+vtysh_enable=yes
watchfrr_enable=no
valgrind_enable=no
+
+#watchfrr_options=""
+
+frr_profile="traditional"
+
+#MAX_FDS=1024
+
+#FRR_NO_ROOT="yes"
+
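Review bot: `bgpd_options` now loads `-M rpki` unconditionally, whereas the removed line only loaded modules behind a config guard (`-M snmp`, `-M bmp`); if bgpd must always have the module available that deserves a short comment above the line, e.g. `# rpki module is loaded unconditionally so it can be enabled at runtime`, otherwise it should be gated like the others. The new conditional expressions read `snmp.zebra`, `snmp.bgpd` etc. without first checking that `snmp` itself is defined, which the old `{% if snmp is defined and snmp.zebra is defined %}` form did; whether this renders as an empty string or raises depends on the template environment's undefined handling, so it is worth confirming with SNMP unconfigured. Minor style: `staticd_options="--daemon ...` and `fabricd_options="--daemon ...` lack the leading space every other `*_options` line carries.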
diff --git a/op-mode-definitions/generate_firewall_rule-resequence.xml.in b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
new file mode 100644
index 000000000..66078deb9
--- /dev/null
+++ b/op-mode-definitions/generate_firewall_rule-resequence.xml.in
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="generate">
+ <children>
+ <node name="firewall">
+ <properties>
+ <help>Firewall</help>
+ </properties>
+ <children>
+ <node name="rule-resequence">
+ <properties>
+ <help>Resequence the firewall rules</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py</command>
+ <children>
+ <tagNode name="start">
+ <properties>
+ <help>Set the first sequence number</help>
+ <completionHelp>
+ <list>1-1000</list>
+ </completionHelp>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5</command>
+ <children>
+ <tagNode name="step">
+ <properties>
+ <help>Step between rules</help>
+ <completionHelp>
+ <list>1-1000</list>
+ </completionHelp>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_firewall_rule-resequence.py --start $5 --step $7</command>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
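Review bot: The bare `rule-resequence` command runs the script with its built-in defaults, but nothing in the node tells the operator what those are; the help should say so, e.g. `<help>Resequence the firewall rules (default: start 100, step 10)</help>`. The `1-1000` entries under `completionHelp` are completion text only and do not constrain `$5`/`$7`, so values outside that range (including 0 or negative numbers) reach the script unchecked; if the range is meant as a limit it needs enforcing on the script side, since the op-mode definition cannot do it.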
diff --git a/src/op_mode/generate_firewall_rule-resequence.py b/src/op_mode/generate_firewall_rule-resequence.py
new file mode 100755
index 000000000..b5b625a80
--- /dev/null
+++ b/src/op_mode/generate_firewall_rule-resequence.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import argparse
+from vyos.configquery import ConfigTreeQuery
+
+
+def convert_to_set_commands(config_dict, parent_key=''):
+ """
+ Converts a configuration dictionary into a list of set commands.
+
+ Args:
+ config_dict (dict): The configuration dictionary.
+ parent_key (str): The parent key for nested dictionaries.
+
+ Returns:
+ list: A list of set commands.
+ """
+ commands = []
+ for key, value in config_dict.items():
+ current_key = parent_key + key if parent_key else key
+
+ if isinstance(value, dict):
+ if not value:
+ commands.append(f"set {current_key}")
+ else:
+ commands.extend(
+ convert_to_set_commands(value, f"{current_key} "))
+
+ elif isinstance(value, str):
+ commands.append(f"set {current_key} '{value}'")
+
+ return commands
+
+
+def change_rule_numbers(config_dict, start, step):
+ """
+ Changes rule numbers in the configuration dictionary.
+
+ Args:
+ config_dict (dict): The configuration dictionary.
+ start (int): The starting rule number.
+ step (int): The step to increment the rule numbers.
+
+ Returns:
+ None
+ """
+ if 'rule' in config_dict:
+ rule_dict = config_dict['rule']
+ updated_rule_dict = {}
+ rule_num = start
+ for rule_key in sorted(rule_dict.keys()):
+ updated_rule_dict[str(rule_num)] = rule_dict[rule_key]
+ rule_num += step
+ config_dict['rule'] = updated_rule_dict
+
+ for key in config_dict:
+ if isinstance(config_dict[key], dict):
+ change_rule_numbers(config_dict[key], start, step)
+
+
+def convert_rule_keys_to_int(config_dict):
+ """
+ Converts rule keys in the configuration dictionary to integers.
+
+ Args:
+ config_dict (dict or list): The configuration dictionary or list.
+
+ Returns:
+ dict or list: The modified dictionary or list.
+ """
+ if isinstance(config_dict, dict):
+ new_dict = {}
+ for key, value in config_dict.items():
+ # Convert key to integer if possible
+ new_key = int(key) if key.isdigit() else key
+
+ # Recur for nested dictionaries
+ if isinstance(value, dict):
+ new_value = convert_rule_keys_to_int(value)
+ else:
+ new_value = value
+
+ new_dict[new_key] = new_value
+
+ return new_dict
+ elif isinstance(config_dict, list):
+ return [convert_rule_keys_to_int(item) for item in config_dict]
+ else:
+ return config_dict
+
+
+if __name__ == "__main__":
+ # Parse command-line arguments
+ parser = argparse.ArgumentParser(description='Convert dictionary to set commands with rule number modifications.')
+ parser.add_argument('--start', type=int, default=100, help='Start rule number')
+ parser.add_argument('--step', type=int, default=10, help='Step for rule numbers (default: 10)')
+ args = parser.parse_args()
+
+ config = ConfigTreeQuery()
+ if not config.exists('firewall'):
+ print('Firewall is not configured')
+ exit(1)
+
+ #config_dict = config.get_config_dict('firewall')
+ config_dict = config.get_config_dict('firewall')
+
+ # Convert rule keys to integers, rule "10" -> rule 10
+ # This is necessary for sorting the rules
+ config_dict = convert_rule_keys_to_int(config_dict)
+
+ # Apply rule number modifications
+ change_rule_numbers(config_dict, start=args.start, step=args.step)
+
+ # Convert to 'set' commands
+ set_commands = convert_to_set_commands(config_dict)
+
+ print()
+ for command in set_commands:
+ print(command)
+ print()
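Review bot: `convert_to_set_commands` emits output only for `dict` and `str` values, so a multi-valued leaf (which `get_config_dict` returns as a list) is silently dropped from the generated `set` commands, and the resequenced configuration would be incomplete if pasted back; adding `elif isinstance(value, list): commands.extend(f"set {current_key} '{v}'" for v in value)` covers that case. A `--step` of 0 (or a negative value) makes `change_rule_numbers` write several rules to the same `str(rule_num)` key, so rules are overwritten without any error; a guard such as `if args.step < 1: parser.error('--step must be >= 1')` after `parse_args()` prevents that. Values are wrapped in single quotes without escaping, so a description containing `'` produces a command that will not parse as intended; `shlex.quote(value)` or replacing `'` with `'\''` is the usual fix. `convert_rule_keys_to_int` also turns every all-digit key into an int, and `parent_key + key` in `convert_to_set_commands` then raises `TypeError` for any nested numeric key that is not a rule number (only `rule` children are converted back to strings), so the int conversion should probably be limited to the `rule` level. Minor: `exit(1)` should be `sys.exit(1)`, and the commented-out duplicate `#config_dict = ...` line can go.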