-rw-r--r-- | data/templates/high-availability/keepalived.conf.j2 | 3 | ||||
-rw-r--r-- | data/templates/snmp/etc.snmpd.conf.j2 | 31 | ||||
-rw-r--r-- | data/templates/snmp/override.conf.j2 | 3 | ||||
-rw-r--r-- | interface-definitions/high-availability.xml.in | 19 | ||||
-rw-r--r-- | interface-definitions/include/version/snmp-version.xml.i | 2 | ||||
-rw-r--r-- | interface-definitions/snmp.xml.in | 25 | ||||
-rw-r--r-- | interface-definitions/vpn-ipsec.xml.in | 39 | ||||
-rw-r--r-- | python/vyos/template.py | 2 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_ha_vrrp.py | 9 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_service_snmp.py | 22 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 3 | ||||
-rwxr-xr-x | src/conf_mode/snmp.py | 4 | ||||
-rwxr-xr-x | src/migration-scripts/snmp/2-to-3 | 57 |
13 files changed, 203 insertions, 16 deletions
diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2
index ebff52e1f..828636dc0 100644
--- a/data/templates/high-availability/keepalived.conf.j2
+++ b/data/templates/high-availability/keepalived.conf.j2
@@ -5,6 +5,9 @@ global_defs {
 dynamic_interfaces
 script_user root
+{% if vrrp.global_parameters.startup_delay is vyos_defined %}
+ vrrp_startup_delay {{ vrrp.global_parameters.startup_delay }}
+{% endif %}
 notify_fifo /run/keepalived/keepalived_notify_fifo
 notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
 }
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index a9bbf68ce..793facc3f 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -62,28 +62,47 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy
 {% if comm_config.client is vyos_defined %}
 {% for client in comm_config.client %}
 {% if client | is_ipv4 %}
-{{ comm_config.authorization }}community {{ comm }} {{ client }}
+{{ comm_config.authorization }}community {{ comm }} {{ client }} -V RESTRICTED
 {% elif client | is_ipv6 %}
-{{ comm_config.authorization }}community6 {{ comm }} {{ client }}
+{{ comm_config.authorization }}community6 {{ comm }} {{ client }} -V RESTRICTED
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if comm_config.network is vyos_defined %}
 {% for network in comm_config.network %}
 {% if network | is_ipv4 %}
-{{ comm_config.authorization }}community {{ comm }} {{ network }}
+{{ comm_config.authorization }}community {{ comm }} {{ network }} -V RESTRICTED
 {% elif network | is_ipv6 %}
-{{ comm_config.authorization }}community6 {{ comm }} {{ network }}
+{{ comm_config.authorization }}community6 {{ comm }} {{ network }} -V RESTRICTED
 {% endif %}
 {% endfor %}
 {% endif %}
 {% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %}
-{{ comm_config.authorization }}community {{ comm }}
-{{ comm_config.authorization }}community6 {{ comm }}
+{{ comm_config.authorization }}community {{ comm }} -V RESTRICTED
+{{ comm_config.authorization }}community6 {{ comm }} -V RESTRICTED
 {% endif %}
 {% endfor %}
 {% endif %}
+# Default RESTRICTED view
+view RESTRICTED included .1 80
+{% if 'ip-route-table' not in oid_enable %}
+# ipRouteTable oid: excluded
+view RESTRICTED excluded .1.3.6.1.2.1.4.21
+{% endif %}
+{% if 'ip-net-to-media-table' not in oid_enable %}
+# ipNetToMediaTable oid: excluded
+view RESTRICTED excluded .1.3.6.1.2.1.4.22
+{% endif %}
+{% if 'ip-net-to-physical-phys-address' not in oid_enable %}
+# ipNetToPhysicalPhysAddress oid: excluded
+view RESTRICTED excluded .1.3.6.1.2.1.4.35
+{% endif %}
+{% if 'ip-forward' not in oid_enable %}
+# ipForward oid: excluded
+view RESTRICTED excluded .1.3.6.1.2.1.4.24
+{% endif %}
+
 
 {% if contact is vyos_defined %}
 # system contact information
 SysContact {{ contact }}
diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2
index 5d787de86..443ee64db 100644
--- a/data/templates/snmp/override.conf.j2
+++ b/data/templates/snmp/override.conf.j2
@@ -1,5 +1,4 @@
 {% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
-{% set oid_route_table = ' ' if oid_enable is vyos_defined('route-table') else '-I -ipCidrRouteTable,inetCidrRouteTable' %}
 [Unit]
 StartLimitIntervalSec=0
 After=vyos-router.service
@@ -8,7 +7,7 @@ After=vyos-router.service
 Environment=
 Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs"
 ExecStart=
-ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp {{ oid_route_table }} -f -p /run/snmpd.pid
+ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid
 Restart=always
 RestartSec=10
 
diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in
index d67a142d1..37cb90a8d 100644
--- a/interface-definitions/high-availability.xml.in
+++ b/interface-definitions/high-availability.xml.in
@@ -11,6 +11,25 @@
 <help>Virtual Router Redundancy Protocol settings</help>
 </properties>
 <children>
+ <node name="global-parameters">
+ <properties>
+ <help>VRRP global parameters</help>
+ </properties>
+ <children>
+ <leafNode name="startup-delay">
+ <properties>
+ <help>Time VRRP startup process (in seconds)</help>
+ <valueHelp>
+ <format>u32:1-600</format>
+ <description>Interval in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-600"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
 <tagNode name="group">
 <properties>
 <help>VRRP group</help>
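Review bot: The `-V RESTRICTED` view is bound only to the v1/v2c `rocommunity`/`rwcommunity` lines changed in this hunk; if the SNMPv3 `rouser`/`rwuser` entries rendered elsewhere in this template keep the default unrestricted view, the excluded route, ARP and neighbour tables stay readable to every v3 user, whereas the old `-I -ipCidrRouteTable,inetCidrRouteTable` in override.conf.j2 removed the module for all protocols. Append `-V RESTRICTED` to those user lines as well, or state in a comment why v3 users are exempt. It is also worth confirming that `'ip-route-table' not in oid_enable` renders as "excluded" rather than raising when `oid_enable` is absent from the template data; the enclosing `{% for %}`/`{% if %}` blocks start outside this hunk, so the variable's default is not visible here. A one-line comment above `view RESTRICTED included .1 80`, e.g. `# 80 is the VACM subtree mask (only the first sub-identifier must match), not a port`, would stop the literal being misread.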
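Review bot: Protection of the routing tables moves from "MIB module not loaded" to "request denied by VACM" in the new ExecStart line, because the `-I -ipCidrRouteTable,inetCidrRouteTable` exclusion is gone and snmpd now initialises those modules unconditionally. If the modules populate their cache independently of access control (not verifiable from this hunk), a large RIB costs memory and CPU even when no client is permitted to read the table, which is the resource concern the new verify() warning in snmp.py raises, except now it applies by default. Keeping the exclusion whenever `ip-forward` is not enabled preserves defence in depth alongside the view: `{% set oid_route_table = '' if oid_enable is vyos_defined and 'ip-forward' in oid_enable else '-I -ipCidrRouteTable,inetCidrRouteTable' %}` and `... -g Debian-snmp {{ oid_route_table }} -f -p /run/snmpd.pid`.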
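Review bot: The help text `Time VRRP startup process (in seconds)` on the new `startup-delay` leaf does not say what is being delayed, and the valueHelp description `Interval in seconds` suggests a recurring interval rather than a one-off delay. Since the keepalived template emits this as `vrrp_startup_delay`, suggest `<help>Delay before VRRP instances are started (in seconds)</help>` and `<description>Delay in seconds</description>`. The 1-600 range is already enforced by the numeric validator, so the description can stay short.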
diff --git a/interface-definitions/include/version/snmp-version.xml.i b/interface-definitions/include/version/snmp-version.xml.i
index 0416288f0..fa58672a5 100644
--- a/interface-definitions/include/version/snmp-version.xml.i
+++ b/interface-definitions/include/version/snmp-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/snmp-version.xml.i -->
-<syntaxVersion component='snmp' version='2'></syntaxVersion>
+<syntaxVersion component='snmp' version='3'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in
index 7ec60b2e7..10dd828a5 100644
--- a/interface-definitions/snmp.xml.in
+++ b/interface-definitions/snmp.xml.in
@@ -123,18 +123,31 @@
 </leafNode>
 <leafNode name="oid-enable">
 <properties>
- <help>Enable specific OIDs</help>
+ <help>Enable specific OIDs that by default are disable</help>
 <completionHelp>
- <list>route-table</list>
+ <list>ip-forward ip-route-table ip-net-to-media-table ip-net-to-physical-phys-address</list>
 </completionHelp>
 <valueHelp>
- <format>route-table</format>
- <description>Enable routing table OIDs (ipCidrRouteTable inetCidrRouteTable)</description>
+ <format>ip-forward</format>
+ <description>Enable ipForward: .1.3.6.1.2.1.4.24</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip-route-table</format>
+ <description>Enable ipRouteTable: .1.3.6.1.2.1.4.21</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip-net-to-media-table</format>
+ <description>Enable ipNetToMediaTable: .1.3.6.1.2.1.4.22</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip-net-to-physical-phys-address</format>
+ <description>Enable ipNetToPhysicalPhysAddress: .1.3.6.1.2.1.4.35</description>
 </valueHelp>
 <constraint>
- <regex>(route-table)</regex>
+ <regex>(ip-forward|ip-route-table|ip-net-to-media-table|ip-net-to-physical-phys-address)</regex>
 </constraint>
- <constraintErrorMessage>OID must be 'route-table'</constraintErrorMessage>
+ <constraintErrorMessage>OID must be one of the liste options</constraintErrorMessage>
+ <multi/>
 </properties>
 </leafNode>
 #include <include/snmp/protocol.xml.i>
diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in
index fd74a51d7..fa12d999c 100644
--- a/interface-definitions/vpn-ipsec.xml.in
+++ b/interface-definitions/vpn-ipsec.xml.in
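Review bot: Two user-visible strings added in this hunk carry typos: the help text `Enable specific OIDs that by default are disable` and the error message `OID must be one of the liste options`. Suggest `<help>Enable specific OIDs that are disabled by default</help>` and `<constraintErrorMessage>OID must be one of the listed options</constraintErrorMessage>`. Since `<multi/>` now permits several values, it would also help operators to say in the help text that each value re-exposes a table that the snmpd template otherwise hides behind the RESTRICTED view.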
@@ -465,6 +465,45 @@
 </properties>
 <defaultValue>2</defaultValue>
 </leafNode>
+ <leafNode name="prf">
+ <properties>
+ <help>Pseudo-Random Functions</help>
+ <completionHelp>
+ <list>prfmd5 prfsha1 prfaesxcbc prfaescmac prfsha256 prfsha384 prfsha512</list>
+ </completionHelp>
+ <valueHelp>
+ <format>prfmd5</format>
+ <description>MD5 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha1</format>
+ <description>SHA1 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfaesxcbc</format>
+ <description>AES XCBC PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfaescmac</format>
+ <description>AES CMAC PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha256</format>
+ <description>SHA2_256 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha384</format>
+ <description>SHA2_384 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha512</format>
+ <description>SHA2_512 PRF</description>
+ </valueHelp>
+ <constraint>
+ <regex>(prfmd5|prfsha1|prfaesxcbc|prfaescmac|prfsha256|prfsha384|prfsha512)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
 #include <include/vpn-ipsec-encryption.xml.i>
 #include <include/vpn-ipsec-hash.xml.i>
 </children>
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 2a4135f9e..ce9983958 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -476,6 +476,8 @@ def get_esp_ike_cipher(group_config, ike_group=None):
 continue
 
 tmp = '{encryption}-{hash}'.format(**proposal)
+ if 'prf' in proposal:
+ tmp += '-' + proposal['prf']
 if 'dh_group' in proposal:
 tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ]
 elif 'pfs' in group_config and group_config['pfs'] != 'disable':
diff --git a/smoketest/scripts/cli/test_ha_vrrp.py b/smoketest/scripts/cli/test_ha_vrrp.py
index 68905e447..f18a4ab86 100755
--- a/smoketest/scripts/cli/test_ha_vrrp.py
+++ b/smoketest/scripts/cli/test_ha_vrrp.py
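Review bot: `<help>Pseudo-Random Functions</help>` on the new `prf` leaf gives no hint what the PRF is used for or that it is optional, and `prfmd5`/`prfsha1` are offered with no indication that they are legacy algorithms kept only for peer interoperability. Suggest `<help>Pseudo-Random Function (PRF) for IKE key derivation; set only when the peer requires one that differs from the hash</help>` (the defaulting behaviour lives in strongSwan rather than in this hunk, so word it as guidance), plus `<description>MD5 PRF (legacy)</description>` and `<description>SHA1 PRF (legacy)</description>`. The enclosing proposal node, to which the `<defaultValue>2</defaultValue>` context belongs, starts outside this hunk.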
@@ -87,11 +87,13 @@ class TestVRRP(VyOSUnitTestSHIM.TestCase):
 advertise_interval = '77'
 priority = '123'
 preempt_delay = '400'
+ startup_delay = '120'
 for group in groups:
 vlan_id = group.lstrip('VLAN')
 vip = f'100.64.{vlan_id}.1/24'
 group_base = base_path + ['vrrp', 'group', group]
+ global_param_base = base_path + ['vrrp', 'global-parameters']
 self.cli_set(['interfaces', 'ethernet', vrrp_interface, 'vif', vlan_id, 'address', inc_ip(vip, 1) + '/' + vip.split('/')[-1]])
@@ -110,6 +112,10 @@ class TestVRRP(VyOSUnitTestSHIM.TestCase):
 self.cli_set(group_base + ['authentication', 'type', 'plaintext-password'])
 self.cli_set(group_base + ['authentication', 'password', f'{group}'])
+ # Global parameters
+ config = getConfig(f'global_defs')
+ self.cli_set(global_param_base + ['startup-delay', f'{startup_delay}'])
+
 # commit changes
 self.cli_commit()
@@ -131,6 +137,9 @@ class TestVRRP(VyOSUnitTestSHIM.TestCase):
 # Authentication
 self.assertIn(f'auth_pass "{group}"', config)
 self.assertIn(f'auth_type PASS', config)
+ # Global parameters
+ config = getConfig(f'global_defs')
+ self.assertIn(f'vrrp_startup_delay {startup_delay}', config)
 def test_03_sync_group(self):
 sync_group = 'VyOS'
diff --git a/smoketest/scripts/cli/test_service_snmp.py b/smoketest/scripts/cli/test_service_snmp.py
index e80c689cc..b18b9e7a1 100755
--- a/smoketest/scripts/cli/test_service_snmp.py
+++ b/smoketest/scripts/cli/test_service_snmp.py
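Review bot: In the second hunk, `config = getConfig(f'global_defs')` runs before `self.cli_commit()` and its result is never used — the third hunk re-assigns `config` with the same call after the commit — so it only reads a keepalived config the commit has not produced yet and should be deleted. `global_param_base` and the `startup-delay` cli_set also sit inside the per-group `for group in groups:` loop, so the same global parameter is set once per VLAN; move both out of the loop, next to `startup_delay = '120'`. The f-strings `f'global_defs'` and `f'auth_type PASS'` have no placeholders and can be plain strings. The enclosing test method starts and ends outside these hunks.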
@@ -123,6 +123,28 @@ class TestSNMPService(VyOSUnitTestSHIM.TestCase):
 self.assertTrue(process_named_running(PROCESS_NAME))
 self.cli_delete(['interfaces', 'dummy', dummy_if])
+ ## Check communities and default view RESTRICTED
+ for auth in ['ro', 'rw']:
+ community = 'VyOS' + auth
+ for addr in clients:
+ if is_ipv4(addr):
+ entry = auth + 'community ' + community + ' ' + addr + ' -V'
+ else:
+ entry = auth + 'community6 ' + community + ' ' + addr + ' -V'
+ config = get_config_value(entry)
+ expected = 'RESTRICTED'
+ self.assertIn(expected, config)
+ for addr in networks:
+ if is_ipv4(addr):
+ entry = auth + 'community ' + community + ' ' + addr + ' -V'
+ else:
+ entry = auth + 'community6 ' + community + ' ' + addr + ' -V'
+ config = get_config_value(entry)
+ expected = 'RESTRICTED'
+ self.assertIn(expected, config)
+ # And finally check global entry for RESTRICTED view
+ config = get_config_value('view RESTRICTED included .1')
+ self.assertIn('80', config)
 def test_snmpv3_sha(self):
 # Check if SNMPv3 can be configured with SHA authentication
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index 46db0bbf5..03780c465 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -337,6 +337,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
 self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2'])
 self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes256'])
 self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1'])
+ self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'prf', 'prfsha1'])
 # Profile
 self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'mode', 'pre-shared-secret'])
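Review bot: The two `for addr in …` loops added in this hunk are copies of each other apart from the iterable, and the `expected = 'RESTRICTED'` temporary adds nothing, so the assertion is maintained in two places for no gain. One loop over both collections keeps it in one place; the rewrite below uses `[*clients, *networks]` so it works whatever iterable type the fixture provides. The final `view RESTRICTED included .1` check is left as is, though asserting the complete `80` mask line rather than the substring `'80'` would make it harder for an unrelated digit to satisfy. The enclosing test method starts outside this hunk.
```python
        ## Check communities and default view RESTRICTED
        for auth in ['ro', 'rw']:
            community = 'VyOS' + auth
            for addr in [*clients, *networks]:
                keyword = 'community' if is_ipv4(addr) else 'community6'
                entry = f'{auth}{keyword} {community} {addr} -V'
                self.assertIn('RESTRICTED', get_config_value(entry))
        # … unchanged: global 'view RESTRICTED included .1' check …
```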
@@ -349,7 +350,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
 swanctl_conf = read_file(swanctl_file)
 swanctl_lines = [
- f'proposals = aes128-sha1-modp1024,aes256-sha1-modp1024',
+ f'proposals = aes128-sha1-modp1024,aes256-sha1-prfsha1-modp1024',
 f'version = 1',
 f'rekey_time = {ike_lifetime}s',
 f'rekey_time = {esp_lifetime}s',
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 914ec245c..ab2ccf99e 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -166,6 +166,10 @@ def verify(snmp):
 if 'community' not in trap_config:
 raise ConfigError(f'Trap target "{trap}" requires a community to be set!')
+ if 'oid_enable' in snmp:
+ Warning(f'Custom OIDs are enabled and may lead to system instability and high resource consumption')
+
+
 verify_vrf(snmp)
 # bail out early if SNMP v3 is not configured
diff --git a/src/migration-scripts/snmp/2-to-3 b/src/migration-scripts/snmp/2-to-3
new file mode 100755
index 000000000..5f8d9c88d
--- /dev/null
+++ b/src/migration-scripts/snmp/2-to-3
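Review bot: `Warning(f'Custom OIDs are enabled …')` in verify() only reaches the operator if `Warning` is the vyos.base helper; should the name resolve to the builtin `Warning` exception class (the imports are outside this hunk), the call merely constructs and discards an exception object and nothing is printed, so the import is worth confirming. The f-string has no placeholders and could be a plain string, or better, name what was enabled, e.g. `Warning(f'Custom OIDs {", ".join(snmp["oid_enable"])} are enabled and may lead to system instability and high resource consumption')` assuming `oid_enable` arrives as a list as `<multi/>` suggests. One blank line rather than two before `verify_vrf(snmp)` would match the surrounding function, whose start is outside this hunk.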
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T4857: Implement FRR SNMP recomendations
+# cli changes from:
+# set service snmp oid-enable route-table
+# To
+# set service snmp oid-enable ip-forward
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['service snmp']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+if config.exists(base + ['oid-enable']):
+ config.delete(base + ['oid-enable'])
+ config.set(base + ['oid-enable'], 'ip-forward')
+
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1) |
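Review bot: `if (len(argv) < 1):` in the new migration script can never be true, since `argv[0]` is always the script name, so a missing file argument skips the intended "Must specify file name!" exit and fails later on `argv[1]` with an IndexError; change it to `if len(argv) < 2:`. `import re` and `from vyos.ifconfig import Section` are unused and should be dropped. Replacing whatever `oid-enable` held with `ip-forward` is sound because `route-table` was the only value the version-2 constraint accepted (see the old `(route-table)` regex in snmp.xml.in), but a one-line comment saying so above the `config.delete` would spare the next reader that lookup; also `recomendations` → `recommendations` in the header comment.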