diff options
Diffstat (limited to 'src/conf_mode/dhcpv6_server.py')
-rwxr-xr-x | src/conf_mode/dhcpv6_server.py | 406 |
1 files changed, 89 insertions, 317 deletions
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py index db248de50..175300bb0 100755 --- a/src/conf_mode/dhcpv6_server.py +++ b/src/conf_mode/dhcpv6_server.py @@ -15,31 +15,24 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import ipaddress +from ipaddress import ip_address +from ipaddress import ip_network from sys import exit -from copy import deepcopy from vyos.config import Config from vyos.template import render from vyos.template import is_ipv6 from vyos.util import call +from vyos.util import dict_search from vyos.validate import is_subnet_connected - from vyos import ConfigError from vyos import airbag airbag.enable() -config_file = r'/run/dhcp-server/dhcpdv6.conf' - -default_config_data = { - 'preference': '', - 'disabled': False, - 'shared_network': [] -} +config_file = '/run/dhcp-server/dhcpdv6.conf' def get_config(config=None): - dhcpv6 = deepcopy(default_config_data) if config: conf = config else: @@ -47,333 +40,110 @@ def get_config(config=None): base = ['service', 'dhcpv6-server'] if not conf.exists(base): return None - else: - conf.set_level(base) - - # Check for global disable of DHCPv6 service - if conf.exists(['disable']): - dhcpv6['disabled'] = True - return dhcpv6 - - # Preference of this DHCPv6 server compared with others - if conf.exists(['preference']): - dhcpv6['preference'] = conf.return_value(['preference']) - - # check for multiple, shared networks served with DHCPv6 addresses - if conf.exists(['shared-network-name']): - for network in conf.list_nodes(['shared-network-name']): - conf.set_level(base + ['shared-network-name', network]) - config = { - 'name': network, - 'disabled': False, - 'common': {}, - 'subnet': [] - } - - # If disabled, the shared-network configuration becomes inactive - if conf.exists(['disable']): - config['disabled'] = True - - # Common options shared among subnets. These can be overridden if - # the same option is specified on a per-subnet or per-host - # basis. These are the only options that can be handed out to - # stateless clients via an information-request message. - if conf.exists(['common-options']): - conf.set_level(base + ['shared-network-name', network, 'common-options']) - - # How often stateless clients should refresh their information. This is - # mostly taken as a hint by clients, and only if they request it. - # (if not specified, the server does not supply this to the client) - if conf.exists(['info-refresh-time']): - config['common']['info_refresh_time'] = conf.return_value(['info-refresh-time']) - - # The domain-search option specifies a 'search list' of Domain Names to be used - # by the client to locate not-fully-qualified domain names. - if conf.exists(['domain-search']): - config['common']['domain_search'] = conf.return_values(['domain-search']) - - # Specifies a list of Domain Name System name servers available to the client. - # Servers should be listed in order of preference. - if conf.exists(['name-server']): - config['common']['dns_server'] = conf.return_values(['name-server']) - - conf.set_level(base + ['shared-network-name', network]) - - # check for multiple subnet configurations in a shared network - if conf.exists(['subnet']): - for net in conf.list_nodes(['subnet']): - conf.set_level(base + ['shared-network-name', network, 'subnet', net]) - subnet = { - 'network': net, - 'range6_prefix': [], - 'range6': [], - 'default_router': '', - 'dns_server': [], - 'domain_name': '', - 'domain_search': [], - 'lease_def': '', - 'lease_min': '', - 'lease_max': '', - 'nis_domain': '', - 'nis_server': [], - 'nisp_domain': '', - 'nisp_server': [], - 'prefix_delegation': [], - 'sip_address': [], - 'sip_hostname': [], - 'sntp_server': [], - 'static_mapping': [] - } - - # For any subnet on which addresses will be assigned dynamically, there must be at - # least one address range statement. The range statement gives the lowest and highest - # IP addresses in a range. All IP addresses in the range should be in the subnet in - # which the range statement is declared. - if conf.exists(['address-range', 'prefix']): - for prefix in conf.list_nodes(['address-range', 'prefix']): - range = { - 'prefix': prefix, - 'temporary': False - } - - # Address range will be used for temporary addresses - if conf.exists(['address-range' 'prefix', prefix, 'temporary']): - range['temporary'] = True - - # Append to subnet temporary range6 list - subnet['range6_prefix'].append(range) - - if conf.exists(['address-range', 'start']): - for range in conf.list_nodes(['address-range', 'start']): - range = { - 'start': range, - 'stop': conf.return_value(['address-range', 'start', range, 'stop']) - } - - # Append to subnet range6 list - subnet['range6'].append(range) - - # The domain-search option specifies a 'search list' of Domain Names to be used - # by the client to locate not-fully-qualified domain names. - if conf.exists(['domain-search']): - subnet['domain_search'] = conf.return_values(['domain-search']) - - # IPv6 address valid lifetime - # (at the end the address is no longer usable by the client) - # (set to 30 days, the usual IPv6 default) - if conf.exists(['lease-time', 'default']): - subnet['lease_def'] = conf.return_value(['lease-time', 'default']) - - # Time should be the maximum length in seconds that will be assigned to a lease. - # The only exception to this is that Dynamic BOOTP lease lengths, which are not - # specified by the client, are not limited by this maximum. - if conf.exists(['lease-time', 'maximum']): - subnet['lease_max'] = conf.return_value(['lease-time', 'maximum']) - - # Time should be the minimum length in seconds that will be assigned to a lease - if conf.exists(['lease-time', 'minimum']): - subnet['lease_min'] = conf.return_value(['lease-time', 'minimum']) - - # Specifies a list of Domain Name System name servers available to the client. - # Servers should be listed in order of preference. - if conf.exists(['name-server']): - subnet['dns_server'] = conf.return_values(['name-server']) - - # Ancient NIS (Network Information Service) domain name - if conf.exists(['nis-domain']): - subnet['nis_domain'] = conf.return_value(['nis-domain']) - - # Ancient NIS (Network Information Service) servers - if conf.exists(['nis-server']): - subnet['nis_server'] = conf.return_values(['nis-server']) - - # Ancient NIS+ (Network Information Service) domain name - if conf.exists(['nisplus-domain']): - subnet['nisp_domain'] = conf.return_value(['nisplus-domain']) - - # Ancient NIS+ (Network Information Service) servers - if conf.exists(['nisplus-server']): - subnet['nisp_server'] = conf.return_values(['nisplus-server']) - - # Local SIP server that is to be used for all outbound SIP requests - IPv6 address - if conf.exists(['sip-server']): - for value in conf.return_values(['sip-server']): - if is_ipv6(value): - subnet['sip_address'].append(value) - else: - subnet['sip_hostname'].append(value) - - # List of local SNTP servers available for the client to synchronize their clocks - if conf.exists(['sntp-server']): - subnet['sntp_server'] = conf.return_values(['sntp-server']) - - # Prefix Delegation (RFC 3633) - if conf.exists(['prefix-delegation', 'start']): - for address in conf.list_nodes(['prefix-delegation', 'start']): - conf.set_level(base + ['shared-network-name', network, 'subnet', net, 'prefix-delegation', 'start', address]) - prefix = { - 'start' : address, - 'stop' : '', - 'length' : '' - } - - if conf.exists(['prefix-length']): - prefix['length'] = conf.return_value(['prefix-length']) - - if conf.exists(['stop']): - prefix['stop'] = conf.return_value(['stop']) - - subnet['prefix_delegation'].append(prefix) - - # - # Static DHCP v6 leases - # - conf.set_level(base + ['shared-network-name', network, 'subnet', net]) - if conf.exists(['static-mapping']): - for mapping in conf.list_nodes(['static-mapping']): - conf.set_level(base + ['shared-network-name', network, 'subnet', net, 'static-mapping', mapping]) - mapping = { - 'name': mapping, - 'disabled': False, - 'ipv6_address': '', - 'client_identifier': '', - } - - # This static lease is disabled - if conf.exists(['disable']): - mapping['disabled'] = True - - # IPv6 address used for this DHCP client - if conf.exists(['ipv6-address']): - mapping['ipv6_address'] = conf.return_value(['ipv6-address']) - - # This option specifies the client’s DUID identifier. DUIDs are similar but different from DHCPv4 client identifiers - if conf.exists(['identifier']): - mapping['client_identifier'] = conf.return_value(['identifier']) - - # append static mapping configuration tu subnet list - subnet['static_mapping'].append(mapping) - - # append subnet configuration to shared network subnet list - config['subnet'].append(subnet) - - # append shared network configuration to config dictionary - dhcpv6['shared_network'].append(config) - - # If all shared-networks are disabled, there's nothing to do. - if all(net['disabled'] for net in dhcpv6['shared_network']): - return None + dhcpv6 = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return dhcpv6 def verify(dhcpv6): - if not dhcpv6 or dhcpv6['disabled']: + # bail out early - looks like removal from running config + if not dhcpv6 or 'disable' in dhcpv6: return None # If DHCP is enabled we need one share-network - if len(dhcpv6['shared_network']) == 0: - raise ConfigError('No DHCPv6 shared networks configured.\n' \ - 'At least one DHCPv6 shared network must be configured.') + if 'shared_network_name' not in dhcpv6: + raise ConfigError('No DHCPv6 shared networks configured. At least\n' \ + 'one DHCPv6 shared network must be configured.') # Inspect shared-network/subnet subnets = [] listen_ok = False - - for network in dhcpv6['shared_network']: + for network, network_config in dhcpv6['shared_network_name'].items(): # A shared-network requires a subnet definition - if len(network['subnet']) == 0: - raise ConfigError('No DHCPv6 lease subnets configured for {0}. At least one\n' \ - 'lease subnet must be configured for each shared network.'.format(network['name'])) - - range6_start = [] - range6_stop = [] - for subnet in network['subnet']: - # Ususal range declaration with a start and stop address - for range6 in subnet['range6']: - # shorten names - start = range6['start'] - stop = range6['stop'] - - # DHCPv6 stop address is required - if start and not stop: - raise ConfigError('DHCPv6 range stop address for start {0} is not defined!'.format(start)) - - # Start address must be inside network - if not ipaddress.ip_address(start) in ipaddress.ip_network(subnet['network']): - raise ConfigError('DHCPv6 range start address {0} is not in subnet {1}\n' \ - 'specified for shared network {2}!'.format(start, subnet['network'], network['name'])) - - # Stop address must be inside network - if not ipaddress.ip_address(stop) in ipaddress.ip_network(subnet['network']): - raise ConfigError('DHCPv6 range stop address {0} is not in subnet {1}\n' \ - 'specified for shared network {2}!'.format(stop, subnet['network'], network['name'])) - - # Stop address must be greater or equal to start address - if not ipaddress.ip_address(stop) >= ipaddress.ip_address(start): - raise ConfigError('DHCPv6 range stop address {0} must be greater or equal\n' \ - 'to the range start address {1}!'.format(stop, start)) - - # DHCPv6 range start address must be unique - two ranges can't - # start with the same address - makes no sense - if start in range6_start: - raise ConfigError('Conflicting DHCPv6 lease range:\n' \ - 'Pool start address {0} defined multipe times!'.format(start)) - else: - range6_start.append(start) - - # DHCPv6 range stop address must be unique - two ranges can't - # end with the same address - makes no sense - if stop in range6_stop: - raise ConfigError('Conflicting DHCPv6 lease range:\n' \ - 'Pool stop address {0} defined multipe times!'.format(stop)) - else: - range6_stop.append(stop) + if 'subnet' not in network_config: + raise ConfigError(f'No DHCPv6 lease subnets configured for "{network}". At least one\n' \ + 'lease subnet must be configured for each shared network!') + + for subnet, subnet_config in network_config['subnet'].items(): + if 'address_range' in subnet_config: + if 'start' in subnet_config['address_range']: + range6_start = [] + range6_stop = [] + for start, start_config in subnet_config['address_range']['start'].items(): + if 'stop' not in start_config: + raise ConfigError(f'address-range stop address for start "{start}" is not defined!') + stop = start_config['stop'] + + # Start address must be inside network + if not ip_address(start) in ip_network(subnet): + raise ConfigError(f'address-range start address "{start}" is not in subnet "{subnet}"!') + + # Stop address must be inside network + if not ip_address(stop) in ip_network(subnet): + raise ConfigError(f'address-range stop address "{stop}" is not in subnet "{subnet}"!') + + # Stop address must be greater or equal to start address + if not ip_address(stop) >= ip_address(start): + raise ConfigError(f'address-range stop address "{stop}" must be greater or equal\n' \ + f'to the range start address "{start}"!') + + # DHCPv6 range start address must be unique - two ranges can't + # start with the same address - makes no sense + if start in range6_start: + raise ConfigError(f'Conflicting DHCPv6 lease range:\n' \ + f'Pool start address "{start}" defined multipe times!') + range6_start.append(start) + + # DHCPv6 range stop address must be unique - two ranges can't + # end with the same address - makes no sense + if stop in range6_stop: + raise ConfigError(f'Conflicting DHCPv6 lease range:\n' \ + f'Pool stop address "{stop}" defined multipe times!') + range6_stop.append(stop) + + if 'prefix' in subnet_config: + for prefix in subnet_config['prefix']: + if ip_network(prefix) not in ip_network(subnet): + raise ConfigError(f'address-range prefix "{prefix}" is not in subnet "{subnet}""') # Prefix delegation sanity checks - for prefix in subnet['prefix_delegation']: - if not prefix['stop']: - raise ConfigError('Stop address of delegated IPv6 prefix range must be configured') - - if not prefix['length']: - raise ConfigError('Length of delegated IPv6 prefix must be configured') - - # We also have prefixes that require checking - for prefix in subnet['range6_prefix']: - # If configured prefix does not match our subnet, we have to check that it's inside - if ipaddress.ip_network(prefix['prefix']) != ipaddress.ip_network(subnet['network']): - # Configured prefixes must be inside our network - if not ipaddress.ip_network(prefix['prefix']) in ipaddress.ip_network(subnet['network']): - raise ConfigError('DHCPv6 prefix {0} is not in subnet {1}\n' \ - 'specified for shared network {2}!'.format(prefix['prefix'], subnet['network'], network['name'])) + if 'prefix_delegation' in subnet_config: + if 'start' not in subnet_config['prefix_delegation']: + raise ConfigError('prefix-delegation start address not defined!') + + for prefix, prefix_config in subnet_config['prefix_delegation']['start'].items(): + if 'stop' not in prefix_config: + raise ConfigError(f'Stop address of delegated IPv6 prefix range "{prefix}"\n' + f'must be configured') + + if 'prefix_length' not in prefix_config: + raise ConfigError('Length of delegated IPv6 prefix must be configured') # Static mappings don't require anything (but check if IP is in subnet if it's set) - for mapping in subnet['static_mapping']: - if mapping['ipv6_address']: - # Static address must be in subnet - if not ipaddress.ip_address(mapping['ipv6_address']) in ipaddress.ip_network(subnet['network']): - raise ConfigError('DHCPv6 static mapping IPv6 address {0} for static mapping {1}\n' \ - 'in shared network {2} is outside subnet {3}!' \ - .format(mapping['ipv6_address'], mapping['name'], network['name'], subnet['network'])) + if 'static_mapping' in subnet_config: + for mapping, mapping_config in subnet_config['static_mapping'].items(): + if 'ipv6_address' in mapping_config: + # Static address must be in subnet + if ip_address(mapping_config['ipv6_address']) not in ip_network(subnet): + raise ConfigError(f'static-mapping address for mapping "{mapping}" is not in subnet "{subnet}"!') # Subnets must be unique - if subnet['network'] in subnets: + if subnet in subnets: raise ConfigError('DHCPv6 subnets must be unique! Subnet {0} defined multiple times!'.format(subnet['network'])) - else: - subnets.append(subnet['network']) + subnets.append(subnet) - # DHCPv6 requires at least one configured address range or one static mapping - # (FIXME: is not actually checked right now?) + # DHCPv6 requires at least one configured address range or one static mapping + # (FIXME: is not actually checked right now?) - # There must be one subnet connected to a listen interface if network is not disabled. - if not network['disabled']: - if is_subnet_connected(subnet['network']): - listen_ok = True + # There must be one subnet connected to a listen interface if network is not disabled. + if 'disable' not in network_config: + if is_subnet_connected(subnet): + listen_ok = True # DHCPv6 subnet must not overlap. ISC DHCP also complains about overlapping # subnets: "Warning: subnet 2001:db8::/32 overlaps subnet 2001:db8:1::/32" - net = ipaddress.ip_network(subnet['network']) + net = ip_network(subnet) for n in subnets: - net2 = ipaddress.ip_network(n) + net2 = ip_network(n) if (net != net2): if net.overlaps(net2): raise ConfigError('DHCPv6 conflicting subnet ranges: {0} overlaps {1}'.format(net, net2)) @@ -387,22 +157,24 @@ def verify(dhcpv6): return None def generate(dhcpv6): - if not dhcpv6 or dhcpv6['disabled']: + # bail out early - looks like removal from running config + if not dhcpv6 or 'disable' in dhcpv6: return None render(config_file, 'dhcp-server/dhcpdv6.conf.tmpl', dhcpv6) return None def apply(dhcpv6): - if not dhcpv6 or dhcpv6['disabled']: + # bail out early - looks like removal from running config + if not dhcpv6 or 'disable' in dhcpv6: # DHCP server is removed in the commit call('systemctl stop isc-dhcp-server6.service') if os.path.exists(config_file): os.unlink(config_file) - else: - call('systemctl restart isc-dhcp-server6.service') + return None + call('systemctl restart isc-dhcp-server6.service') return None if __name__ == '__main__': |