diff options
21 files changed, 457 insertions, 120 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 034328400..a35143870 100755 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -382,6 +382,7 @@ table bridge vyos_filter { {% if 'invalid_connections' in global_options.apply_to_bridged_traffic %} ct state invalid udp sport 67 udp dport 68 counter accept ct state invalid ether type arp counter accept + ct state invalid ether type 0x8864 counter accept {% endif %} {% endif %} {% if global_options.state_policy is vyos_defined %} @@ -445,4 +446,4 @@ table bridge vyos_filter { return } {% endif %} -}
\ No newline at end of file +} diff --git a/data/templates/zabbix-agent/zabbix-agent.conf.j2 b/data/templates/zabbix-agent/zabbix-agent.conf.j2 index e6dcef872..b8df2d177 100644 --- a/data/templates/zabbix-agent/zabbix-agent.conf.j2 +++ b/data/templates/zabbix-agent/zabbix-agent.conf.j2 @@ -75,3 +75,16 @@ Include={{ directory }}/*.conf Timeout={{ timeout }} {% endif %} +{% if authentication is vyos_defined and authentication.mode is vyos_defined %} +{% if authentication.mode == "pre-shared-secret" %} +TLSConnect=psk +TLSAccept=psk +{% endif %} +{% if authentication.psk.secret is vyos_defined %} +TLSPSKFile={{ service_psk_file }} +{% endif %} +{% if authentication.psk.id is vyos_defined %} +TLSPSKIdentity={{ authentication.psk.id }} +{% endif %} +{% endif %} + diff --git a/interface-definitions/include/auth-mode-pre-shared-secret.xml.i b/interface-definitions/include/auth-mode-pre-shared-secret.xml.i new file mode 100644 index 000000000..cf1003917 --- /dev/null +++ b/interface-definitions/include/auth-mode-pre-shared-secret.xml.i @@ -0,0 +1,14 @@ +<!-- include start from auth-mode-pre-shared-secret.xml.i --> +<leafNode name="mode"> + <properties> + <help>Authentication mode</help> + <completionHelp> + <list>pre-shared-secret</list> + </completionHelp> + <valueHelp> + <format>pre-shared-secret</format> + <description>Use a pre-shared secret key</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/auth-psk-id.xml.i b/interface-definitions/include/auth-psk-id.xml.i new file mode 100644 index 000000000..ab2451045 --- /dev/null +++ b/interface-definitions/include/auth-psk-id.xml.i @@ -0,0 +1,11 @@ +<!-- include start from auth-psk-id.xml.i --> +<leafNode name="id"> + <properties> + <help>ID for authentication</help> + <valueHelp> + <format>txt</format> + <description>ID used for authentication</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/auth-psk-secret.xml.i b/interface-definitions/include/auth-psk-secret.xml.i new file mode 100644 index 000000000..24257dcab --- /dev/null +++ b/interface-definitions/include/auth-psk-secret.xml.i @@ -0,0 +1,15 @@ +<!-- include start from auth-psk-secret.xml.i --> +<leafNode name="secret"> + <properties> + <help>pre-shared secret key</help> + <valueHelp> + <format>txt</format> + <description>16byte pre-shared-secret key (32 character hexadecimal key)</description> + </valueHelp> + <constraint> + <validator name="psk-secret"/> + </constraint> + <constraintErrorMessage>Pre-Shared-Keys must be at leas 16 bytes long, which implies at least 32 characterss</constraintErrorMessage> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index 05fdd75cb..355b41fde 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -51,7 +51,7 @@ <children> <leafNode name="invalid-connections"> <properties> - <help>Accept ARP and DHCP despite they are marked as invalid connection</help> + <help>Accept ARP, DHCP and PPPoE despite they are marked as invalid connection</help> <valueless/> </properties> </leafNode> diff --git a/interface-definitions/include/qos/class-match.xml.i b/interface-definitions/include/qos/class-match.xml.i index 77d1933a3..3ad5547f2 100644 --- a/interface-definitions/include/qos/class-match.xml.i +++ b/interface-definitions/include/qos/class-match.xml.i @@ -29,12 +29,12 @@ <leafNode name="protocol"> <properties> <help>Ethernet protocol for this match</help> - <!-- this refers to /etc/protocols --> + <!-- this refers to /etc/ethertypes --> <completionHelp> <list>all 802.1Q 802_2 802_3 aarp aoe arp atalk dec ip ipv6 ipx lat localtalk rarp snap x25</list> </completionHelp> <valueHelp> - <format>u32:0-65535</format> + <format>u32:1-65535</format> <description>Ethernet protocol number</description> </valueHelp> <valueHelp> @@ -50,7 +50,7 @@ <description>Internet IP (IPv4)</description> </valueHelp> <valueHelp> - <format>ipv6</format> + <format>_ipv6</format> <description>Internet IP (IPv6)</description> </valueHelp> <valueHelp> @@ -59,7 +59,7 @@ </valueHelp> <valueHelp> <format>atalk</format> - <description>Appletalk</description> + <description>AppleTalk</description> </valueHelp> <valueHelp> <format>ipx</format> @@ -69,8 +69,48 @@ <format>802.1Q</format> <description>802.1Q VLAN tag</description> </valueHelp> + <valueHelp> + <format>802_2</format> + <description>IEEE 802.2</description> + </valueHelp> + <valueHelp> + <format>802_3</format> + <description>IEEE 802.3</description> + </valueHelp> + <valueHelp> + <format>aarp</format> + <description>AppleTalk Address Resolution Protocol</description> + </valueHelp> + <valueHelp> + <format>aoe</format> + <description>ATA over Ethernet</description> + </valueHelp> + <valueHelp> + <format>dec</format> + <description>DECnet Protocol</description> + </valueHelp> + <valueHelp> + <format>lat</format> + <description>Local Area Transport</description> + </valueHelp> + <valueHelp> + <format>localtalk</format> + <description>Apple LocalTalk</description> + </valueHelp> + <valueHelp> + <format>rarp</format> + <description>Reverse Address Resolution Protocol</description> + </valueHelp> + <valueHelp> + <format>snap</format> + <description>Subnetwork Access Protocol</description> + </valueHelp> + <valueHelp> + <format>x25</format> + <description>X.25 Packet-Switching Protocol</description> + </valueHelp> <constraint> - <validator name="ip-protocol"/> + <validator name="ether-type"/> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/stunnel/psk.xml.i b/interface-definitions/include/stunnel/psk.xml.i index db11a93d3..a8226c866 100644 --- a/interface-definitions/include/stunnel/psk.xml.i +++ b/interface-definitions/include/stunnel/psk.xml.i @@ -4,27 +4,8 @@ <help>Pre-shared key name</help> </properties> <children> - <leafNode name="id"> - <properties> - <help>ID for authentication</help> - <valueHelp> - <format>txt</format> - <description>ID used for authentication</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="secret"> - <properties> - <help>pre-shared secret key</help> - <valueHelp> - <format>txt</format> - <description>pre-shared secret key are required to be at least 16 bytes long, which implies at least 32 characters for hexadecimal key</description> - </valueHelp> - <constraint> - <validator name="psk-secret"/> - </constraint> - </properties> - </leafNode> + #include <include/auth-psk-id.xml.i> + #include <include/auth-psk-secret.xml.i> </children> </tagNode> <!-- include end --> diff --git a/interface-definitions/service_monitoring_zabbix-agent.xml.in b/interface-definitions/service_monitoring_zabbix-agent.xml.in index e44b31312..122e61e8b 100644 --- a/interface-definitions/service_monitoring_zabbix-agent.xml.in +++ b/interface-definitions/service_monitoring_zabbix-agent.xml.in @@ -10,6 +10,23 @@ <priority>1280</priority> </properties> <children> + <node name="authentication"> + <properties> + <help>Authentication</help> + </properties> + <children> + #include <include/auth-mode-pre-shared-secret.xml.i> + <node name="psk"> + <properties> + <help>Pre-shared key</help> + </properties> + <children> + #include <include/auth-psk-id.xml.i> + #include <include/auth-psk-secret.xml.i> + </children> + </node> + </children> + </node> <leafNode name="directory"> <properties> <help>Folder containing individual Zabbix-agent configuration files</help> diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 5540021e2..0cf526fad 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -722,18 +722,7 @@ <help>Authentication</help> </properties> <children> - <leafNode name="mode"> - <properties> - <help>Authentication mode</help> - <completionHelp> - <list>pre-shared-secret</list> - </completionHelp> - <valueHelp> - <format>pre-shared-secret</format> - <description>Use a pre-shared secret key</description> - </valueHelp> - </properties> - </leafNode> + #include <include/auth-mode-pre-shared-secret.xml.i> #include <include/ipsec/authentication-pre-shared-secret.xml.i> </children> </node> diff --git a/op-mode-definitions/generate-psk.xml.in b/op-mode-definitions/generate-psk.xml.in new file mode 100644 index 000000000..69963f5be --- /dev/null +++ b/op-mode-definitions/generate-psk.xml.in @@ -0,0 +1,28 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="psk"> + <properties> + <help>Generate PSK key</help> + </properties> + <children> + <node name="random"> + <properties> + <help>Generate random hex PSK key</help> + </properties> + <command>${vyos_op_scripts_dir}/generate_psk.py</command> + <children> + <tagNode name="size"> + <properties> + <help>Key size in bytes</help> + </properties> + <command>${vyos_op_scripts_dir}/generate_psk.py --hex_size "$5"</command> + </tagNode> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/python/vyos/qos/base.py b/python/vyos/qos/base.py index 3da9afe04..66df5d107 100644 --- a/python/vyos/qos/base.py +++ b/python/vyos/qos/base.py @@ -245,8 +245,6 @@ class QoSBase: prio = cls_config['priority'] filter_cmd_base += f' prio {prio}' - filter_cmd_base += ' protocol all' - if 'match' in cls_config: has_filter = False has_action_policy = any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in cls_config) @@ -254,13 +252,17 @@ class QoSBase: for index, (match, match_config) in enumerate(cls_config['match'].items(), start=1): filter_cmd = filter_cmd_base if not has_filter: - for key in ['mark', 'vif', 'ip', 'ipv6', 'interface']: + for key in ['mark', 'vif', 'ip', 'ipv6', 'interface', 'ether']: if key in match_config: has_filter = True break + tmp = dict_search(f'ether.protocol', match_config) or 'all' + filter_cmd += f' protocol {tmp}' + if self.qostype in ['shaper', 'shaper_hfsc'] and 'prio ' not in filter_cmd: filter_cmd += f' prio {index}' + if 'mark' in match_config: mark = match_config['mark'] filter_cmd += f' handle {mark} fw' @@ -273,7 +275,7 @@ class QoSBase: iif = Interface(iif_name).get_ifindex() filter_cmd += f' basic match "meta(rt_iif eq {iif})"' - for af in ['ip', 'ipv6']: + for af in ['ip', 'ipv6', 'ether']: tc_af = af if af == 'ipv6': tc_af = 'ip6' @@ -281,67 +283,77 @@ class QoSBase: if af in match_config: filter_cmd += ' u32' - tmp = dict_search(f'{af}.source.address', match_config) - if tmp: filter_cmd += f' match {tc_af} src {tmp}' - - tmp = dict_search(f'{af}.source.port', match_config) - if tmp: filter_cmd += f' match {tc_af} sport {tmp} 0xffff' - - tmp = dict_search(f'{af}.destination.address', match_config) - if tmp: filter_cmd += f' match {tc_af} dst {tmp}' - - tmp = dict_search(f'{af}.destination.port', match_config) - if tmp: filter_cmd += f' match {tc_af} dport {tmp} 0xffff' - - tmp = dict_search(f'{af}.protocol', match_config) - if tmp: - tmp = get_protocol_by_name(tmp) - filter_cmd += f' match {tc_af} protocol {tmp} 0xff' - - tmp = dict_search(f'{af}.dscp', match_config) - if tmp: - tmp = self._get_dsfield(tmp) - if af == 'ip': - filter_cmd += f' match {tc_af} dsfield {tmp} 0xff' - elif af == 'ipv6': - filter_cmd += f' match u16 {tmp} 0x0ff0 at 0' - - # Will match against total length of an IPv4 packet and - # payload length of an IPv6 packet. - # - # IPv4 : match u16 0x0000 ~MAXLEN at 2 - # IPv6 : match u16 0x0000 ~MAXLEN at 4 - tmp = dict_search(f'{af}.max_length', match_config) - if tmp: - # We need the 16 bit two's complement of the maximum - # packet length - tmp = hex(0xffff & ~int(tmp)) - - if af == 'ip': - filter_cmd += f' match u16 0x0000 {tmp} at 2' - elif af == 'ipv6': - filter_cmd += f' match u16 0x0000 {tmp} at 4' - - # We match against specific TCP flags - we assume the IPv4 - # header length is 20 bytes and assume the IPv6 packet is - # not using extension headers (hence a ip header length of 40 bytes) - # TCP Flags are set on byte 13 of the TCP header. - # IPv4 : match u8 X X at 33 - # IPv6 : match u8 X X at 53 - # with X = 0x02 for SYN and X = 0x10 for ACK - tmp = dict_search(f'{af}.tcp', match_config) - if tmp: - mask = 0 - if 'ack' in tmp: - mask |= 0x10 - if 'syn' in tmp: - mask |= 0x02 - mask = hex(mask) - - if af == 'ip': - filter_cmd += f' match u8 {mask} {mask} at 33' - elif af == 'ipv6': - filter_cmd += f' match u8 {mask} {mask} at 53' + if af == 'ether': + src = dict_search(f'{af}.source', match_config) + if src: filter_cmd += f' match {tc_af} src {src}' + + dst = dict_search(f'{af}.destination', match_config) + if dst: filter_cmd += f' match {tc_af} dst {dst}' + + if not src and not dst: + filter_cmd += f' match u32 0 0' + else: + tmp = dict_search(f'{af}.source.address', match_config) + if tmp: filter_cmd += f' match {tc_af} src {tmp}' + + tmp = dict_search(f'{af}.source.port', match_config) + if tmp: filter_cmd += f' match {tc_af} sport {tmp} 0xffff' + + tmp = dict_search(f'{af}.destination.address', match_config) + if tmp: filter_cmd += f' match {tc_af} dst {tmp}' + + tmp = dict_search(f'{af}.destination.port', match_config) + if tmp: filter_cmd += f' match {tc_af} dport {tmp} 0xffff' + ### + tmp = dict_search(f'{af}.protocol', match_config) + if tmp: + tmp = get_protocol_by_name(tmp) + filter_cmd += f' match {tc_af} protocol {tmp} 0xff' + + tmp = dict_search(f'{af}.dscp', match_config) + if tmp: + tmp = self._get_dsfield(tmp) + if af == 'ip': + filter_cmd += f' match {tc_af} dsfield {tmp} 0xff' + elif af == 'ipv6': + filter_cmd += f' match u16 {tmp} 0x0ff0 at 0' + + # Will match against total length of an IPv4 packet and + # payload length of an IPv6 packet. + # + # IPv4 : match u16 0x0000 ~MAXLEN at 2 + # IPv6 : match u16 0x0000 ~MAXLEN at 4 + tmp = dict_search(f'{af}.max_length', match_config) + if tmp: + # We need the 16 bit two's complement of the maximum + # packet length + tmp = hex(0xffff & ~int(tmp)) + + if af == 'ip': + filter_cmd += f' match u16 0x0000 {tmp} at 2' + elif af == 'ipv6': + filter_cmd += f' match u16 0x0000 {tmp} at 4' + + # We match against specific TCP flags - we assume the IPv4 + # header length is 20 bytes and assume the IPv6 packet is + # not using extension headers (hence a ip header length of 40 bytes) + # TCP Flags are set on byte 13 of the TCP header. + # IPv4 : match u8 X X at 33 + # IPv6 : match u8 X X at 53 + # with X = 0x02 for SYN and X = 0x10 for ACK + tmp = dict_search(f'{af}.tcp', match_config) + if tmp: + mask = 0 + if 'ack' in tmp: + mask |= 0x10 + if 'syn' in tmp: + mask |= 0x02 + mask = hex(mask) + + if af == 'ip': + filter_cmd += f' match u8 {mask} {mask} at 33' + elif af == 'ipv6': + filter_cmd += f' match u8 {mask} {mask} at 53' if index != max_index or not has_action_policy: # avoid duplicate last match rule diff --git a/python/vyos/utils/process.py b/python/vyos/utils/process.py index ce880f4a4..d8aabb822 100644 --- a/python/vyos/utils/process.py +++ b/python/vyos/utils/process.py @@ -128,7 +128,7 @@ def run(command, flag='', shell=None, input=None, timeout=None, env=None, def cmd(command, flag='', shell=None, input=None, timeout=None, env=None, stdout=PIPE, stderr=PIPE, decode='utf-8', raising=None, message='', - expect=[0]): + expect=[0], auth=''): """ A wrapper around popen, which returns the stdout and will raise the error code of a command @@ -139,7 +139,7 @@ def cmd(command, flag='', shell=None, input=None, timeout=None, env=None, expect: a list of error codes to consider as normal """ decoded, code = popen( - command, flag, + f'{auth} {command}'.strip(), flag, stdout=stdout, stderr=stderr, input=input, timeout=timeout, env=env, shell=shell, diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 2d18f0495..6420afa38 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -765,6 +765,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['type filter hook output priority filter; policy accept;'], ['ct state invalid', 'udp sport 67', 'udp dport 68', 'accept'], ['ct state invalid', 'ether type arp', 'accept'], + ['ct state invalid', 'ether type 0x8864', 'accept'], ['chain VYOS_PREROUTING_filter'], ['type filter hook prerouting priority filter; policy accept;'], ['ip6 daddr @A6_AGV6', 'notrack'], diff --git a/smoketest/scripts/cli/test_qos.py b/smoketest/scripts/cli/test_qos.py index 7714cd3e0..231743344 100755 --- a/smoketest/scripts/cli/test_qos.py +++ b/smoketest/scripts/cli/test_qos.py @@ -1237,6 +1237,72 @@ class TestQoS(VyOSUnitTestSHIM.TestCase): self.assertIn('filter parent ffff: protocol all pref 255 basic chain 0', tc_filters) self.assertIn('action order 1: police 0x2 rate 1Gbit burst 125000000b mtu 2Kb action drop overhead 0b', tc_filters) + def test_24_policy_shaper_match_ether(self): + interface = self._interfaces[0] + bandwidth = 250 + default_bandwidth = 20 + default_ceil = 30 + class_bandwidth = 50 + class_ceil = 80 + + shaper_name = f'qos-shaper-{interface}' + + self.cli_set(base_path + ['interface', interface, 'egress', shaper_name]) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'bandwidth', f'{bandwidth}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'bandwidth', f'{default_bandwidth}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'ceiling', f'{default_ceil}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'default', 'queue-type', 'fair-queue']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'bandwidth', f'{class_bandwidth}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'ceiling', f'{class_ceil}mbit']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'match', '10', 'ether', 'protocol', 'all']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'match', '10', 'ether', 'destination', '0c:89:0a:2e:00:00']) + self.cli_set(base_path + ['policy', 'shaper', shaper_name, 'class', '23', 'match', '10', 'ether', 'source', '0c:89:0a:2e:00:01']) + + # commit changes + self.cli_commit() + + config_entries = ( + f'root rate {bandwidth}Mbit ceil {bandwidth}Mbit', + f'prio 0 rate {class_bandwidth}Mbit ceil {class_ceil}Mbit', + f'prio 7 rate {default_bandwidth}Mbit ceil {default_ceil}Mbit' + ) + + output = cmd(f'tc class show dev {interface}') + + for config_entry in config_entries: + self.assertIn(config_entry, output) + + filter = get_tc_filter_details(interface) + self.assertIn('match 0c890a2e/ffffffff at -8', filter) + self.assertIn('match 00010000/ffff0000 at -4', filter) + self.assertIn('match 00000c89/0000ffff at -16', filter) + self.assertIn('match 0a2e0000/ffffffff at -12', filter) + + for proto in ['802.1Q', '802_2', '802_3', 'aarp', 'aoe', 'arp', 'atalk', + 'dec', 'ip', 'ipv6', 'ipx', 'lat', 'localtalk', 'rarp', + 'snap', 'x25', 1, 255, 65535]: + self.cli_set( + base_path + ['policy', 'shaper', shaper_name, 'class', '23', + 'match', '10', 'ether', 'protocol', str(proto)]) + self.cli_commit() + + if isinstance(proto, int): + if proto == 1: + self.assertIn(f'filter parent 1: protocol 802_3 pref', + get_tc_filter_details(interface)) + else: + self.assertIn(f'filter parent 1: protocol [{proto}] pref', + get_tc_filter_details(interface)) + + elif proto == '0x000C': + # see other codes in the iproute2 eg https://github.com/iproute2/iproute2/blob/413cf4f03a9b6a219c94b86f41d67992b0a14b82/include/uapi/linux/if_ether.h#L130 + self.assertIn(f'filter parent 1: protocol can pref', + get_tc_filter_details(interface)) + + else: + self.assertIn(f'filter parent 1: protocol {proto} pref', + get_tc_filter_details(interface)) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py index a60dae0a0..522f9df0f 100755 --- a/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py +++ b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py @@ -23,6 +23,7 @@ from vyos.utils.file import read_file PROCESS_NAME = 'zabbix_agent2' ZABBIX_AGENT_CONF = '/run/zabbix/zabbix-agent2.conf' +ZABBIX_PSK_FILE = f'/run/zabbix/zabbix-agent2.psk' base_path = ['service', 'monitoring', 'zabbix-agent'] @@ -82,6 +83,26 @@ class TestZabbixAgent(VyOSUnitTestSHIM.TestCase): self.assertIn(f'Timeout={timeout}', config) self.assertIn(f'Hostname={hostname}', config) + def test_02_zabbix_agent_psk_auth(self): + secret = '8703ce4cb3f51279acba895e1421d69d8a7e2a18546d013d564ad87ac3957f29' + self.cli_set(base_path + ['server', '127.0.0.1']) + self.cli_set(base_path + ['authentication', 'mode', 'pre-shared-secret']) + self.cli_set(base_path + ['authentication', 'psk', 'id', 'smoke_test']) + self.cli_set(base_path + ['authentication', 'psk', 'secret', secret]) + self.cli_commit() + + config = read_file(ZABBIX_AGENT_CONF) + self.assertIn('TLSConnect=psk', config) + self.assertIn('TLSAccept=psk', config) + self.assertIn('TLSPSKIdentity=smoke_test', config) + self.assertIn(f'TLSPSKFile={ZABBIX_PSK_FILE}', config) + self.assertEqual(secret, read_file(ZABBIX_PSK_FILE)) + + secret = '8703ce4cb3f51279acba895e1421d69d8a7e2a18546d013d564ad87ac3957f88' + self.cli_set(base_path + ['authentication', 'psk', 'secret', secret]) + self.cli_commit() + self.assertEqual(secret, read_file(ZABBIX_PSK_FILE)) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/service_monitoring_zabbix-agent.py b/src/conf_mode/service_monitoring_zabbix-agent.py index 98d8a32ca..f17146a8d 100755 --- a/src/conf_mode/service_monitoring_zabbix-agent.py +++ b/src/conf_mode/service_monitoring_zabbix-agent.py @@ -18,6 +18,8 @@ import os from vyos.config import Config from vyos.template import render +from vyos.utils.dict import dict_search +from vyos.utils.file import write_file from vyos.utils.process import call from vyos import ConfigError from vyos import airbag @@ -26,6 +28,7 @@ airbag.enable() service_name = 'zabbix-agent2' service_conf = f'/run/zabbix/{service_name}.conf' +service_psk_file = f'/run/zabbix/{service_name}.psk' systemd_override = r'/run/systemd/system/zabbix-agent2.service.d/10-override.conf' @@ -49,6 +52,8 @@ def get_config(config=None): if 'directory' in config and config['directory'].endswith('/'): config['directory'] = config['directory'][:-1] + config['service_psk_file'] = service_psk_file + return config @@ -60,18 +65,34 @@ def verify(config): if 'server' not in config: raise ConfigError('Server is required!') + if 'authentication' in config and dict_search("authentication.mode", + config) == 'pre_shared_secret': + if 'id' not in config['authentication']['psk']: + raise ConfigError( + 'PSK identity is required for pre-shared-secret authentication mode') + + if 'secret' not in config['authentication']['psk']: + raise ConfigError( + 'PSK secret is required for pre-shared-secret authentication mode') + def generate(config): # bail out early - looks like removal from running config if config is None: # Remove old config and return - config_files = [service_conf, systemd_override] + config_files = [service_conf, systemd_override, service_psk_file] for file in config_files: if os.path.isfile(file): os.unlink(file) return None + if not dict_search("authentication.psk.secret", config): + if os.path.isfile(service_psk_file): + os.unlink(service_psk_file) + else: + write_file(service_psk_file, config["authentication"]["psk"]["secret"]) + # Write configuration file render(service_conf, 'zabbix-agent/zabbix-agent.conf.j2', config) render(systemd_override, 'zabbix-agent/10-override.conf.j2', config) diff --git a/src/helpers/latest-image-url.py b/src/helpers/latest-image-url.py new file mode 100755 index 000000000..ea201ef7c --- /dev/null +++ b/src/helpers/latest-image-url.py @@ -0,0 +1,21 @@ +#!/usr/bin/env python3 + +import sys + +from vyos.configquery import ConfigTreeQuery +from vyos.version import get_remote_version + + +if __name__ == '__main__': + image_path = '' + + config = ConfigTreeQuery() + if config.exists('system update-check url'): + configured_url_version = config.value('system update-check url') + remote_url_list = get_remote_version(configured_url_version) + if remote_url_list: + image_path = remote_url_list[0].get('url') + else: + sys.exit(1) + + print(image_path) diff --git a/src/op_mode/generate_psk.py b/src/op_mode/generate_psk.py new file mode 100644 index 000000000..d51293712 --- /dev/null +++ b/src/op_mode/generate_psk.py @@ -0,0 +1,45 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +import argparse + +from vyos.utils.process import cmd + + +def validate_hex_size(value): + """Validate that the hex_size is between 32 and 512.""" + try: + value = int(value) + except ValueError: + raise argparse.ArgumentTypeError("hex_size must be integer.") + + if value < 32 or value > 512: + raise argparse.ArgumentTypeError("hex_size must be between 32 and 512.") + return value + + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument( + "--hex_size", + type=validate_hex_size, + help='PKS value size in hex format. Default is 32 bytes.', + default=32, + + required=False, + ) + args = parser.parse_args() + + print(cmd(f'openssl rand -hex {args.hex_size}'))
\ No newline at end of file diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py index bdc16de15..1da112673 100755 --- a/src/op_mode/image_installer.py +++ b/src/op_mode/image_installer.py @@ -33,14 +33,13 @@ from errno import ENOSPC from psutil import disk_partitions from vyos.configtree import ConfigTree -from vyos.configquery import ConfigTreeQuery from vyos.remote import download from vyos.system import disk, grub, image, compat, raid, SYSTEM_CFG_VER from vyos.template import render from vyos.utils.io import ask_input, ask_yes_no, select_entry from vyos.utils.file import chmod_2775 -from vyos.utils.process import cmd, run -from vyos.version import get_remote_version, get_version_data +from vyos.utils.process import cmd, run, rc_cmd +from vyos.version import get_version_data # define text messages MSG_ERR_NOT_LIVE: str = 'The system is already installed. Please use "add system image" instead.' @@ -99,6 +98,7 @@ FILE_ROOTFS_SRC: str = '/usr/lib/live/mount/medium/live/filesystem.squashfs' ISO_DOWNLOAD_PATH: str = '/tmp/vyos_installation.iso' external_download_script = '/usr/libexec/vyos/simple-download.py' +external_latest_image_url_script = '/usr/libexec/vyos/latest-image-url.py' # default boot variables DEFAULT_BOOT_VARS: dict[str, str] = { @@ -532,10 +532,10 @@ def download_file(local_file: str, remote_path: str, vrf: str, download(local_file, remote_path, progressbar=progressbar, check_space=check_space, raise_error=True) else: - vrf_cmd = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password} \ - ip vrf exec {vrf} {external_download_script} \ - --local-file {local_file} --remote-path {remote_path}' - cmd(vrf_cmd) + remote_auth = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password}' + vrf_cmd = f'ip vrf exec {vrf} {external_download_script} \ + --local-file {local_file} --remote-path {remote_path}' + cmd(vrf_cmd, auth=remote_auth) def image_fetch(image_path: str, vrf: str = None, username: str = '', password: str = '', @@ -550,11 +550,15 @@ def image_fetch(image_path: str, vrf: str = None, """ # Latest version gets url from configured "system update-check url" if image_path == 'latest': - config = ConfigTreeQuery() - if config.exists('system update-check url'): - configured_url_version = config.value('system update-check url') - remote_url_list = get_remote_version(configured_url_version) - image_path = remote_url_list[0].get('url') + command = external_latest_image_url_script + if vrf: + command = f'REMOTE_USERNAME={username} REMOTE_PASSWORD={password} \ + ip vrf exec {vrf} ' + command + code, output = rc_cmd(command) + if code: + print(output) + exit(MSG_INFO_INSTALL_EXIT) + image_path = output if output else image_path try: # check a type of path diff --git a/src/validators/ether-type b/src/validators/ether-type new file mode 100644 index 000000000..926db26d3 --- /dev/null +++ b/src/validators/ether-type @@ -0,0 +1,37 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import re +from sys import argv,exit + +if __name__ == '__main__': + if len(argv) != 2: + exit(1) + + input = argv[1] + try: + # ethertype can be in the range 1 - 65535 + if int(input) in range(1, 65536): + exit(0) + except ValueError: + pass + + pattern = "!?\\b(all|ip|ipv6|ipx|802.1Q|802_2|802_3|aarp|aoe|arp|atalk|dec|lat|localtalk|rarp|snap|x25)\\b" + if re.match(pattern, input): + exit(0) + + print(f'Error: {input} is not a valid ether type or protocol.') + exit(1) |