diff options
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/dhcp_server.py | 13 | ||||
| -rwxr-xr-x | src/conf_mode/dhcpv6_server.py | 5 | ||||
| -rwxr-xr-x | src/conf_mode/dns_dynamic.py | 12 | ||||
| -rwxr-xr-x | src/conf_mode/firewall.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/https.py | 6 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-bridge.py | 2 | ||||
| -rwxr-xr-x | src/conf_mode/lldp.py | 5 | ||||
| -rwxr-xr-x | src/conf_mode/nat64.py | 7 | ||||
| -rwxr-xr-x | src/conf_mode/nat66.py | 12 | ||||
| -rwxr-xr-x | src/conf_mode/netns.py | 5 | ||||
| -rwxr-xr-x | src/conf_mode/protocols_nhrp.py | 2 | ||||
| -rwxr-xr-x | src/conf_mode/protocols_segment_routing.py | 66 | ||||
| -rwxr-xr-x | src/conf_mode/service_ndp-proxy.py | 91 | ||||
| -rwxr-xr-x | src/conf_mode/snmp.py | 16 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_pptp.py | 273 | ||||
| -rwxr-xr-x | src/conf_mode/vrf.py | 12 |
16 files changed, 254 insertions, 277 deletions
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index 958e90014..c1308cda7 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py @@ -18,7 +18,6 @@ import os from ipaddress import ip_address from ipaddress import ip_network -from netaddr import IPAddress from netaddr import IPRange from sys import exit @@ -41,6 +40,7 @@ ctrl_config_file = '/run/kea/kea-ctrl-agent.conf' ctrl_socket = '/run/kea/dhcp4-ctrl-socket' config_file = '/run/kea/kea-dhcp4.conf' lease_file = '/config/dhcp4.leases' +systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf' ca_cert_file = '/run/kea/kea-failover-ca.pem' cert_file = '/run/kea/kea-failover.pem' @@ -141,7 +141,7 @@ def get_config(config=None): {'range' : new_range_dict}) if dict_search('failover.certificate', dhcp): - dhcp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + dhcp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) return dhcp @@ -226,9 +226,10 @@ def verify(dhcp): raise ConfigError(f'Configured static lease address for mapping "{mapping}" is\n' \ f'not within shared-network "{network}, {subnet}"!') - if 'mac_address' not in mapping_config: - raise ConfigError(f'MAC address required for static mapping "{mapping}"\n' \ - f'within shared-network "{network}, {subnet}"!') + if ('mac' not in mapping_config and 'duid' not in mapping_config) or \ + ('mac' in mapping_config and 'duid' in mapping_config): + raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for ' + f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!') # There must be one subnet connected to a listen interface. # This only counts if the network itself is not disabled! @@ -332,6 +333,8 @@ def generate(dhcp): dhcp['failover']['ca_cert_file'] = ca_cert_file + render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp) + render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp) render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp) diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py index b01f510e5..f9da3d84a 100755 --- a/src/conf_mode/dhcpv6_server.py +++ b/src/conf_mode/dhcpv6_server.py @@ -135,6 +135,11 @@ def verify(dhcpv6): if ip_address(mapping_config['ipv6_address']) not in ip_network(subnet): raise ConfigError(f'static-mapping address for mapping "{mapping}" is not in subnet "{subnet}"!') + if ('mac' not in mapping_config and 'duid' not in mapping_config) or \ + ('mac' in mapping_config and 'duid' in mapping_config): + raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for ' + f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!') + if 'vendor_option' in subnet_config: if len(dict_search('vendor_option.cisco.tftp_server', subnet_config)) > 2: raise ConfigError(f'No more then two Cisco tftp-servers should be defined for subnet "{subnet}"!') diff --git a/src/conf_mode/dns_dynamic.py b/src/conf_mode/dns_dynamic.py index 809c650d9..99fa8feee 100755 --- a/src/conf_mode/dns_dynamic.py +++ b/src/conf_mode/dns_dynamic.py @@ -15,7 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os - +import re from sys import exit from vyos.base import Warning @@ -103,6 +103,16 @@ def verify(dyndns): raise ConfigError(f'"web-options" is applicable only when using HTTP(S) ' f'web request to obtain the IP address') + # Warn if using checkip.dyndns.org, as it does not support HTTPS + # See: https://github.com/ddclient/ddclient/issues/597 + if 'web_options' in config: + if 'url' not in config['web_options']: + raise ConfigError(f'"url" in "web-options" {error_msg_req} ' + f'with protocol "{config["protocol"]}"') + elif re.search("^(https?://)?checkip\.dyndns\.org", config['web_options']['url']): + Warning(f'"checkip.dyndns.org" does not support HTTPS requests for IP address ' + f'lookup. Please use a different IP address lookup service.') + # RFC2136 uses 'key' instead of 'password' if config['protocol'] != 'nsupdate' and 'password' not in config: raise ConfigError(f'"password" {error_msg_req}') diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index ceed0cf31..da6724fde 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -23,7 +23,7 @@ from sys import exit from vyos.base import Warning from vyos.config import Config -from vyos.configdict import node_changed +from vyos.configdict import is_node_changed from vyos.configdiff import get_config_diff, Diff from vyos.configdep import set_dependents, call_dependents from vyos.configverify import verify_interface_exists @@ -133,7 +133,7 @@ def get_config(config=None): with_recursive_defaults=True) - firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group'])) + firewall['group_resync'] = bool('group' in firewall or is_node_changed(conf, base + ['group'])) if firewall['group_resync']: # Update nat and policy-route as firewall groups were updated set_dependents('group_resync', conf) diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 40b7de557..3dc5dfc01 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2022 VyOS maintainers and contributors +# Copyright (C) 2019-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -24,6 +24,7 @@ from time import sleep import vyos.defaults import vyos.certbot_util +from vyos.base import Warning from vyos.config import Config from vyos.configdiff import get_config_diff from vyos.configverify import verify_vrf @@ -193,6 +194,9 @@ def verify(https): if (not valid_keys_exist) and (not jwt_auth): raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled') + if (not valid_keys_exist) and jwt_auth: + Warning(f'API keys are not configured: the classic (non-GraphQL) API will be unavailable.') + return None def generate(https): diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py index 31508a3c5..29991e2da 100755 --- a/src/conf_mode/interfaces-bridge.py +++ b/src/conf_mode/interfaces-bridge.py @@ -49,7 +49,7 @@ def get_config(config=None): ifname, bridge = get_interface_dict(conf, base) # determine which members have been removed - tmp = node_changed(conf, base + [ifname, 'member', 'interface'], key_mangling=('-', '_')) + tmp = node_changed(conf, base + [ifname, 'member', 'interface']) if tmp: if 'member' in bridge: bridge['member'].update({'interface_remove' : tmp }) diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py index c2e87d171..3c647a0e8 100755 --- a/src/conf_mode/lldp.py +++ b/src/conf_mode/lldp.py @@ -86,9 +86,9 @@ def verify(lldp): raise ConfigError(f'Must define both longitude and latitude for "{interface}" location!') # check options - if 'snmp' in lldp and 'enable' in lldp['snmp']: + if 'snmp' in lldp: if 'system_snmp_enabled' not in lldp: - raise ConfigError('SNMP must be configured to enable LLDP SNMP') + raise ConfigError('SNMP must be configured to enable LLDP SNMP!') def generate(lldp): @@ -121,4 +121,3 @@ if __name__ == '__main__': except ConfigError as e: print(e) exit(1) - diff --git a/src/conf_mode/nat64.py b/src/conf_mode/nat64.py index a8b90fb11..6026c61d0 100755 --- a/src/conf_mode/nat64.py +++ b/src/conf_mode/nat64.py @@ -148,6 +148,11 @@ def generate(nat64) -> None: if dict_search("translation.pool", instance): pool4 = [] + # mark + mark = '' + if dict_search("match.mark", instance): + mark = instance["match"]["mark"] + for pool in instance["translation"]["pool"].values(): if "disable" in pool: continue @@ -159,6 +164,8 @@ def generate(nat64) -> None: "prefix": pool["address"], "port range": pool["port"], } + if mark: + obj["mark"] = int(mark) if "description" in pool: obj["comment"] = pool["description"] diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py index 0ba08aef3..dee1551fe 100755 --- a/src/conf_mode/nat66.py +++ b/src/conf_mode/nat66.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020-2021 VyOS maintainers and contributors +# Copyright (C) 2020-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -36,7 +36,6 @@ airbag.enable() k_mod = ['nft_nat', 'nft_chain_nat'] nftables_nat66_config = '/run/nftables_nat66.nft' -ndppd_config = '/run/ndppd/ndppd.conf' def get_config(config=None): if config: @@ -101,7 +100,6 @@ def generate(nat): nat['first_install'] = True render(nftables_nat66_config, 'firewall/nftables-nat66.j2', nat, permission=0o755) - render(ndppd_config, 'ndppd/ndppd.conf.j2', nat, permission=0o755) return None def apply(nat): @@ -109,14 +107,6 @@ def apply(nat): return None cmd(f'nft -f {nftables_nat66_config}') - - if 'deleted' in nat or not dict_search('source.rule', nat): - cmd('systemctl stop ndppd') - if os.path.isfile(ndppd_config): - os.unlink(ndppd_config) - else: - cmd('systemctl restart ndppd') - call_dependents() return None diff --git a/src/conf_mode/netns.py b/src/conf_mode/netns.py index 95ab83dbc..7cee33bc6 100755 --- a/src/conf_mode/netns.py +++ b/src/conf_mode/netns.py @@ -77,8 +77,8 @@ def verify(netns): if 'netns_remove' in netns: for name, config in netns['netns_remove'].items(): if 'interface' in config: - raise ConfigError(f'Can not remove NETNS "{name}", it still has '\ - f'member interfaces!') + raise ConfigError(f'Can not remove network namespace "{name}", it '\ + f'still has member interfaces!') if 'name' in netns: for name, config in netns['name'].items(): @@ -87,7 +87,6 @@ def verify(netns): return None - def generate(netns): if not netns: return None diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py index 5ec0bc9e5..c339c6391 100755 --- a/src/conf_mode/protocols_nhrp.py +++ b/src/conf_mode/protocols_nhrp.py @@ -37,7 +37,7 @@ def get_config(config=None): nhrp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel'], key_mangling=('-', '_')) + nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel']) if not conf.exists(base): return nhrp diff --git a/src/conf_mode/protocols_segment_routing.py b/src/conf_mode/protocols_segment_routing.py index eb1653212..d865c2ac0 100755 --- a/src/conf_mode/protocols_segment_routing.py +++ b/src/conf_mode/protocols_segment_routing.py @@ -19,7 +19,10 @@ import os from sys import exit from vyos.config import Config +from vyos.configdict import node_changed from vyos.template import render_to_string +from vyos.utils.dict import dict_search +from vyos.utils.system import sysctl_write from vyos import ConfigError from vyos import frr from vyos import airbag @@ -32,33 +35,74 @@ def get_config(config=None): conf = Config() base = ['protocols', 'segment-routing'] - sr = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + sr = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True, + with_recursive_defaults=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - sr = conf.merge_defaults(sr, recursive=True) + # FRR has VRF support for different routing daemons. As interfaces belong + # to VRFs - or the global VRF, we need to check for changed interfaces so + # that they will be properly rendered for the FRR config. Also this eases + # removal of interfaces from the running configuration. + interfaces_removed = node_changed(conf, base + ['interface']) + if interfaces_removed: + sr['interface_removed'] = list(interfaces_removed) + import pprint + pprint.pprint(sr) return sr -def verify(static): +def verify(sr): + if 'srv6' in sr: + srv6_enable = False + if 'interface' in sr: + for interface, interface_config in sr['interface'].items(): + if 'srv6' in interface_config: + srv6_enable = True + break + if not srv6_enable: + raise ConfigError('SRv6 should be enabled on at least one interface!') return None -def generate(static): - if not static: +def generate(sr): + if not sr: return None - static['new_frr_config'] = render_to_string('frr/zebra.segment_routing.frr.j2', static) + sr['new_frr_config'] = render_to_string('frr/zebra.segment_routing.frr.j2', sr) return None -def apply(static): +def apply(sr): zebra_daemon = 'zebra' + if 'interface_removed' in sr: + for interface in sr['interface_removed']: + # Disable processing of IPv6-SR packets + sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0') + + if 'interface' in sr: + for interface, interface_config in sr['interface'].items(): + # Accept or drop SR-enabled IPv6 packets on this interface + if 'srv6' in interface_config: + sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '1') + # Define HMAC policy for ingress SR-enabled packets on this interface + # It's a redundant check as HMAC has a default value - but better safe + # then sorry + tmp = dict_search('srv6.hmac', interface_config) + if tmp == 'accept': + sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '0') + elif tmp == 'drop': + sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '1') + elif tmp == 'ignore': + sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '-1') + else: + sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0') + # Save original configuration prior to starting any commit actions frr_cfg = frr.FRRConfig() frr_cfg.load_configuration(zebra_daemon) frr_cfg.modify_section(r'^segment-routing') - if 'new_frr_config' in static: - frr_cfg.add_before(frr.default_add_before, static['new_frr_config']) + if 'new_frr_config' in sr: + frr_cfg.add_before(frr.default_add_before, sr['new_frr_config']) frr_cfg.commit_configuration(zebra_daemon) return None diff --git a/src/conf_mode/service_ndp-proxy.py b/src/conf_mode/service_ndp-proxy.py new file mode 100755 index 000000000..aa2374f4c --- /dev/null +++ b/src/conf_mode/service_ndp-proxy.py @@ -0,0 +1,91 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configverify import verify_interface_exists +from vyos.utils.process import call +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +systemd_service = 'ndppd.service' +ndppd_config = '/run/ndppd/ndppd.conf' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'ndp-proxy'] + if not conf.exists(base): + return None + + ndpp = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + return ndpp + +def verify(ndpp): + if not ndpp: + return None + + if 'interface' in ndpp: + for interface, interface_config in ndpp['interface'].items(): + verify_interface_exists(interface) + + if 'rule' in interface_config: + for rule, rule_config in interface_config['rule'].items(): + if rule_config['mode'] == 'interface' and 'interface' not in rule_config: + raise ConfigError(f'Rule "{rule}" uses interface mode but no interface defined!') + + if rule_config['mode'] != 'interface' and 'interface' in rule_config: + if interface_config['mode'] != 'interface' and 'interface' in interface_config: + raise ConfigError(f'Rule "{rule}" does not use interface mode, thus interface can not be defined!') + + return None + +def generate(ndpp): + if not ndpp: + return None + + render(ndppd_config, 'ndppd/ndppd.conf.j2', ndpp) + return None + +def apply(ndpp): + if not ndpp: + call(f'systemctl stop {systemd_service}') + if os.path.isfile(ndppd_config): + os.unlink(ndppd_config) + return None + + call(f'systemctl reload-or-restart {systemd_service}') + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index d2ed5414f..6565ffd60 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2021 VyOS maintainers and contributors +# Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -54,7 +54,7 @@ def get_config(config=None): if not conf.exists(base): snmp.update({'deleted' : ''}) - if conf.exists(['service', 'lldp', 'snmp', 'enable']): + if conf.exists(['service', 'lldp', 'snmp']): snmp.update({'lldp_snmp' : ''}) if 'deleted' in snmp: @@ -86,7 +86,7 @@ def get_config(config=None): return snmp def verify(snmp): - if not snmp: + if 'deleted' in snmp: return None if {'deleted', 'lldp_snmp'} <= set(snmp): @@ -178,8 +178,6 @@ def verify(snmp): return None def generate(snmp): - - # # As we are manipulating the snmpd user database we have to stop it first! # This is even save if service is going to be removed call(f'systemctl stop {systemd_service}') @@ -190,7 +188,7 @@ def generate(snmp): if os.path.isfile(file): os.unlink(file) - if not snmp: + if 'deleted' in snmp: return None if 'v3' in snmp: @@ -244,7 +242,7 @@ def apply(snmp): # Always reload systemd manager configuration call('systemctl daemon-reload') - if not snmp: + if 'deleted' in snmp: return None # start SNMP daemon @@ -256,9 +254,7 @@ def apply(snmp): # Following daemons from FRR 9.0/stable have SNMP module compiled in VyOS frr_daemons_list = ['zebra', 'bgpd', 'ospf6d', 'ospfd', 'ripd', 'isisd', 'ldpd'] for frr_daemon in frr_daemons_list: - call( - f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null' - ) + call(f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null') return None diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index 6243c3ed3..f769be39f 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -15,21 +15,17 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import re - -from copy import deepcopy -from stat import S_IRUSR, S_IWUSR, S_IRGRP from sys import exit from vyos.config import Config from vyos.template import render -from vyos.utils.system import get_half_cpus from vyos.utils.process import call from vyos.utils.dict import dict_search from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError +from vyos.configdict import get_accel_dict from vyos import airbag airbag.enable() @@ -37,213 +33,24 @@ airbag.enable() pptp_conf = '/run/accel-pppd/pptp.conf' pptp_chap_secrets = '/run/accel-pppd/pptp.chap-secrets' -default_pptp = { - 'auth_mode' : 'local', - 'local_users' : [], - 'radius_server' : [], - 'radius_acct_inter_jitter': '', - 'radius_acct_interim_interval': None, - 'radius_acct_tmo' : '30', - 'radius_max_try' : '3', - 'radius_timeout' : '30', - 'radius_nas_id' : '', - 'radius_nas_ip' : '', - 'radius_source_address' : '', - 'radius_shaper_attr' : '', - 'radius_shaper_enable': False, - 'radius_shaper_multiplier': '', - 'radius_shaper_vendor': '', - 'radius_dynamic_author' : '', - 'chap_secrets_file': pptp_chap_secrets, # used in Jinja2 template - 'outside_addr': '', - 'dnsv4': [], - 'wins': [], - 'client_ip_pool': {}, - 'mtu': '1436', - 'auth_proto' : ['auth_mschap_v2'], - 'ppp_mppe' : 'prefer', - 'thread_cnt': get_half_cpus() -} def get_config(config=None): if config: conf = config else: conf = Config() - base_path = ['vpn', 'pptp', 'remote-access'] - if not conf.exists(base_path): + base = ['vpn', 'pptp', 'remote-access'] + if not conf.exists(base): return None - pptp = deepcopy(default_pptp) - conf.set_level(base_path) - - if conf.exists(['name-server']): - pptp['dnsv4'] = conf.return_values(['name-server']) - - if conf.exists(['wins-server']): - pptp['wins'] = conf.return_values(['wins-server']) - - if conf.exists(['outside-address']): - pptp['outside_addr'] = conf.return_value(['outside-address']) - - if conf.exists(['authentication', 'mode']): - pptp['auth_mode'] = conf.return_value(['authentication', 'mode']) - - # - # local auth - if conf.exists(['authentication', 'local-users']): - for username in conf.list_nodes(['authentication', 'local-users', 'username']): - user = { - 'name': username, - 'password' : '', - 'state' : 'enabled', - 'ip' : '*', - } - - conf.set_level(base_path + ['authentication', 'local-users', 'username', username]) - - if conf.exists(['password']): - user['password'] = conf.return_value(['password']) - - if conf.exists(['disable']): - user['state'] = 'disable' - - if conf.exists(['static-ip']): - user['ip'] = conf.return_value(['static-ip']) - - if not conf.exists(['disable']): - pptp['local_users'].append(user) - - # - # RADIUS auth and settings - conf.set_level(base_path + ['authentication', 'radius']) - if conf.exists(['server']): - for server in conf.list_nodes(['server']): - radius = { - 'server' : server, - 'key' : '', - 'fail_time' : 0, - 'port' : '1812', - 'acct_port' : '1813' - } - - conf.set_level(base_path + ['authentication', 'radius', 'server', server]) - - if conf.exists(['disable-accounting']): - radius['acct_port'] = '0' - - if conf.exists(['fail-time']): - radius['fail_time'] = conf.return_value(['fail-time']) - - if conf.exists(['port']): - radius['port'] = conf.return_value(['port']) - - if conf.exists(['acct-port']): - radius['acct_port'] = conf.return_value(['acct-port']) - - if conf.exists(['key']): - radius['key'] = conf.return_value(['key']) - - if not conf.exists(['disable']): - pptp['radius_server'].append(radius) - - # - # advanced radius-setting - conf.set_level(base_path + ['authentication', 'radius']) - - if conf.exists(['accounting-interim-interval']): - pptp['radius_acct_interim_interval'] = conf.return_value(['accounting-interim-interval']) - - if conf.exists(['acct-interim-jitter']): - pptp['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter']) - - if conf.exists(['acct-timeout']): - pptp['radius_acct_tmo'] = conf.return_value(['acct-timeout']) - - if conf.exists(['max-try']): - pptp['radius_max_try'] = conf.return_value(['max-try']) - - if conf.exists(['timeout']): - pptp['radius_timeout'] = conf.return_value(['timeout']) - - if conf.exists(['nas-identifier']): - pptp['radius_nas_id'] = conf.return_value(['nas-identifier']) - - if conf.exists(['nas-ip-address']): - pptp['radius_nas_ip'] = conf.return_value(['nas-ip-address']) - - if conf.exists(['source-address']): - pptp['radius_source_address'] = conf.return_value(['source-address']) - - # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) - if conf.exists(['dae-server']): - dae = { - 'port' : '', - 'server' : '', - 'key' : '' - } - - if conf.exists(['dynamic-author', 'ip-address']): - dae['server'] = conf.return_value(['dynamic-author', 'ip-address']) - - if conf.exists(['dynamic-author', 'port']): - dae['port'] = conf.return_value(['dynamic-author', 'port']) - - if conf.exists(['dynamic-author', 'key']): - dae['key'] = conf.return_value(['dynamic-author', 'key']) - - pptp['radius_dynamic_author'] = dae - - # Rate limit - if conf.exists(['rate-limit', 'attribute']): - pptp['radius_shaper_attr'] = conf.return_value(['rate-limit', 'attribute']) - - if conf.exists(['rate-limit', 'enable']): - pptp['radius_shaper_enable'] = True - - if conf.exists(['rate-limit', 'multiplier']): - pptp['radius_shaper_multiplier'] = conf.return_value(['rate-limit', 'multiplier']) - - if conf.exists(['rate-limit', 'vendor']): - pptp['radius_shaper_vendor'] = conf.return_value(['rate-limit', 'vendor']) - - conf.set_level(base_path) - if conf.exists(['client-ip-pool']): - for pool_name in conf.list_nodes(['client-ip-pool']): - pptp['client_ip_pool'][pool_name] = {} - pptp['client_ip_pool'][pool_name]['range'] = conf.return_value(['client-ip-pool', pool_name, 'range']) - pptp['client_ip_pool'][pool_name]['next_pool'] = conf.return_value(['client-ip-pool', pool_name, 'next-pool']) + # retrieve common dictionary keys + pptp = get_accel_dict(conf, base, pptp_chap_secrets) if dict_search('client_ip_pool', pptp): # Multiple named pools require ordered values T5099 - pptp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', pptp)) - - if conf.exists(['default-pool']): - pptp['default_pool'] = conf.return_value(['default-pool']) - - if conf.exists(['mtu']): - pptp['mtu'] = conf.return_value(['mtu']) - - # gateway address - if conf.exists(['gateway-address']): - pptp['gateway_address'] = conf.return_value(['gateway-address']) - - if conf.exists(['authentication', 'require']): - # clear default list content, now populate with actual CLI values - pptp['auth_proto'] = [] - auth_mods = { - 'pap': 'auth_pap', - 'chap': 'auth_chap_md5', - 'mschap': 'auth_mschap_v1', - 'mschap-v2': 'auth_mschap_v2' - } - - for proto in conf.return_values(['authentication', 'require']): - pptp['auth_proto'].append(auth_mods[proto]) - - if conf.exists(['authentication', 'mppe']): - pptp['ppp_mppe'] = conf.return_value(['authentication', 'mppe']) - + pptp['ordered_named_pools'] = get_pools_in_order( + dict_search('client_ip_pool', pptp)) + pptp['chap_secrets_file'] = pptp_chap_secrets pptp['server_type'] = 'pptp' return pptp @@ -251,34 +58,45 @@ def get_config(config=None): def verify(pptp): if not pptp: return None + auth_mode = dict_search('authentication.mode', pptp) + if auth_mode == 'local': + if not dict_search('authentication.local_users', pptp): + raise ConfigError( + 'PPTP local auth mode requires local users to be configured!') - if pptp['auth_mode'] == 'local': - if not pptp['local_users']: - raise ConfigError('PPTP local auth mode requires local users to be configured!') - for user in pptp['local_users']: - username = user['name'] - if not user['password']: - raise ConfigError(f'Password required for local user "{username}"') - elif pptp['auth_mode'] == 'radius': - if len(pptp['radius_server']) == 0: - raise ConfigError('RADIUS authentication requires at least one server') - for radius in pptp['radius_server']: - if not radius['key']: - server = radius['server'] - raise ConfigError(f'Missing RADIUS secret key for server "{ server }"') + for user in dict_search('authentication.local_users.username', pptp): + user_config = pptp['authentication']['local_users']['username'][ + user] + if 'password' not in user_config: + raise ConfigError(f'Password required for local user "{user}"') - if pptp['auth_mode'] == 'local' or pptp['auth_mode'] == 'noauth': - if not pptp['client_ip_pool']: + elif auth_mode == 'radius': + if not dict_search('authentication.radius.server', pptp): + raise ConfigError( + 'RADIUS authentication requires at least one server') + for server in dict_search('authentication.radius.server', pptp): + radius_config = pptp['authentication']['radius']['server'][server] + if 'key' not in radius_config: + raise ConfigError( + f'Missing RADIUS secret key for server "{server}"') + + if auth_mode == 'local' or auth_mode == 'noauth': + if not dict_search('client_ip_pool', pptp): raise ConfigError( - "PPTP local auth mode requires local client-ip-pool to be configured!") + 'PPTP local auth mode requires local client-ip-pool ' + 'to be configured!') verify_accel_ppp_ip_pool(pptp) - if len(pptp['dnsv4']) > 2: - raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') + if 'name_server' in pptp: + if len(pptp['name_server']) > 2: + raise ConfigError( + 'Not more then two IPv4 DNS name-servers can be configured' + ) - if len(pptp['wins']) > 2: - raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') + if 'wins_server' in pptp and len(pptp['wins_server']) > 2: + raise ConfigError( + 'Not more then two WINS name-servers can be configured') def generate(pptp): @@ -287,13 +105,11 @@ def generate(pptp): render(pptp_conf, 'accel-ppp/pptp.config.j2', pptp) - if pptp['local_users']: - render(pptp_chap_secrets, 'accel-ppp/chap-secrets.j2', pptp) - os.chmod(pptp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) - else: - if os.path.exists(pptp_chap_secrets): - os.unlink(pptp_chap_secrets) + if dict_search('authentication.mode', pptp) == 'local': + render(pptp_chap_secrets, 'accel-ppp/chap-secrets.config_dict.j2', + pptp, permission=0o640) + return None def apply(pptp): if not pptp: @@ -306,6 +122,7 @@ def apply(pptp): call('systemctl restart accel-ppp@pptp.service') + if __name__ == '__main__': try: c = get_config() diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index 37625142c..9b1b6355f 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -214,6 +214,18 @@ def apply(vrf): # Delete the VRF Kernel interface call(f'ip link delete dev {tmp}') + # Enable/Disable VRF strict mode + # When net.vrf.strict_mode=0 (default) it is possible to associate multiple + # VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a + # table can be associated to a single VRF device. + # + # A VRF table can be used by the VyOS CLI only once (ensured by verify()), + # this simply adds an additional Kernel safety net + strict_mode = '0' + # Set to 1 if any VRF is defined + if 'name' in vrf: strict_mode = '1' + sysctl_write('net.vrf.strict_mode', strict_mode) + if 'name' in vrf: # Separate VRFs in conntrack table # check if table already exists |