diff options
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/interfaces-macsec.py | 12 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-vxlan.py | 2 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 18 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-wireless.py | 19 | ||||
| -rwxr-xr-x | src/conf_mode/nat.py | 7 | ||||
| -rwxr-xr-x | src/conf_mode/service_ipoe-server.py | 5 | ||||
| -rwxr-xr-x | src/conf_mode/service_pppoe-server.py | 476 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_l2tp.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_pptp.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_sstp.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/vrrp.py | 1 | ||||
| -rwxr-xr-x | src/migration-scripts/sstp/2-to-3 | 47 | ||||
| -rwxr-xr-x | src/migration-scripts/system/11-to-12 | 41 | ||||
| -rwxr-xr-x | src/services/vyos-configd | 26 |
14 files changed, 241 insertions, 425 deletions
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 0a20a121b..2c8367ff3 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -16,6 +16,7 @@ import os +from netifaces import interfaces from sys import exit from vyos.config import Config @@ -58,8 +59,7 @@ def get_config(config=None): # Check if interface has been removed if 'deleted' in macsec: - source_interface = conf.return_effective_value( - base + ['source-interface']) + source_interface = conf.return_effective_value(['source-interface']) macsec.update({'source_interface': source_interface}) return macsec @@ -97,7 +97,7 @@ def verify(macsec): lower_mtu = Interface(macsec['source_interface']).get_mtu() if lower_mtu < (int(macsec['mtu']) + 40): raise ConfigError('MACsec overhead does not fit into underlaying device MTU,\n' \ - f'{underlay_mtu} bytes is too small!') + f'{lower_mtu} bytes is too small!') return None @@ -110,11 +110,13 @@ def generate(macsec): def apply(macsec): # Remove macsec interface - if 'deleted' in macsec.keys(): + if 'deleted' in macsec: call('systemctl stop wpa_supplicant-macsec@{source_interface}' .format(**macsec)) - MACsecIf(macsec['ifname']).remove() + if macsec['ifname'] in interfaces(): + tmp = MACsecIf(macsec['ifname']) + tmp.remove() # delete configuration on interface removal if os.path.isfile(wpa_suppl_conf.format(**macsec)): diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 002f40aef..04e258fcf 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -76,7 +76,7 @@ def verify(vxlan): lower_mtu = Interface(vxlan['source_interface']).get_mtu() if lower_mtu < (int(vxlan['mtu']) + 50): raise ConfigError('VXLAN has a 50 byte overhead, underlaying device ' \ - f'MTU is to small ({underlay_mtu} bytes)') + f'MTU is to small ({lower_mtu} bytes)') verify_mtu_ipv6(vxlan) verify_address(vxlan) diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index d5800264f..9bda35d0a 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -57,13 +57,13 @@ def get_config(config=None): # Determine which Wireguard peer has been removed. # Peers can only be removed with their public key! + dict = {} tmp = node_changed(conf, ['peer']) - if tmp: - dict = {} - for peer in tmp: - peer_config = leaf_node_changed(conf, ['peer', peer, 'pubkey']) - dict = dict_merge({'peer_remove' : {peer : {'pubkey' : peer_config}}}, dict) - wireguard.update(dict) + for peer in (tmp or []): + pubkey = leaf_node_changed(conf, ['peer', peer, 'pubkey']) + if pubkey: + dict = dict_merge({'peer_remove' : {peer : {'pubkey' : pubkey[0]}}}, dict) + wireguard.update(dict) return wireguard @@ -101,12 +101,12 @@ def verify(wireguard): f'for peer "{tmp}" if either one of them is set!') def apply(wireguard): + tmp = WireGuardIf(wireguard['ifname']) if 'deleted' in wireguard: - WireGuardIf(wireguard['ifname']).remove() + tmp.remove() return None - w = WireGuardIf(wireguard['ifname']) - w.update(wireguard) + tmp.update(wireguard) return None if __name__ == '__main__': diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py index f8520aecf..ad8aee168 100755 --- a/src/conf_mode/interfaces-wireless.py +++ b/src/conf_mode/interfaces-wireless.py @@ -74,7 +74,18 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'wireless'] + wifi = get_interface_dict(conf, base) + # defaults include RADIUS server specifics per TAG node which need to be + # added to individual RADIUS servers instead - so we can simply delete them + if vyos_dict_search('security.wpa.radius.server.port', wifi): + del wifi['security']['wpa']['radius']['server']['port'] + if not len(wifi['security']['wpa']['radius']['server']): + del wifi['security']['wpa']['radius'] + if not len(wifi['security']['wpa']): + del wifi['security']['wpa'] + if not len(wifi['security']): + del wifi['security'] if 'security' in wifi and 'wpa' in wifi['security']: wpa_cipher = wifi['security']['wpa'].get('cipher') @@ -99,6 +110,14 @@ def get_config(config=None): tmp = find_other_stations(conf, base, wifi['ifname']) if tmp: wifi['station_interfaces'] = tmp + # Add individual RADIUS server default values + if vyos_dict_search('security.wpa.radius.server', wifi): + default_values = defaults(base + ['security', 'wpa', 'radius', 'server']) + + for server in vyos_dict_search('security.wpa.radius.server', wifi): + wifi['security']['wpa']['radius']['server'][server] = dict_merge( + default_values, wifi['security']['wpa']['radius']['server'][server]) + return wifi def verify(wifi): diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index eb634fd78..b66cd370a 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -238,8 +238,11 @@ def verify(nat): if rule['translation_address']: addr = rule['translation_address'] - if addr != 'masquerade' and not is_addr_assigned(addr): - print(f'Warning: IP address {addr} does not exist on the system!') + if addr != 'masquerade': + for ip in addr.split('-'): + if not is_addr_assigned(ip): + print(f'Warning: IP address {ip} does not exist on the system!') + elif not rule['exclude']: raise ConfigError(f'{err_msg} translation address not specified') diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 96cf932d1..87c7754f3 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -43,6 +43,7 @@ default_config_data = { 'client_ipv6_pool': [], 'client_ipv6_delegate_prefix': [], 'radius_server': [], + 'radius_acct_inter_jitter': '', 'radius_acct_tmo': '3', 'radius_max_try': '3', 'radius_timeout': '3', @@ -174,6 +175,10 @@ def get_config(config=None): # # advanced radius-setting conf.set_level(base_path + ['authentication', 'radius']) + + if conf.exists(['acct-interim-jitter']): + ipoe['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter']) + if conf.exists(['acct-timeout']): ipoe['radius_acct_tmo'] = conf.return_value(['acct-timeout']) diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index 45d3806d5..65a7f93b0 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -15,372 +15,82 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import re -from copy import deepcopy -from stat import S_IRUSR, S_IWUSR, S_IRGRP from sys import exit from vyos.config import Config -from vyos.template import render -from vyos.util import call, get_half_cpus +from vyos.configdict import dict_merge from vyos.validate import is_ipv4 +from vyos.template import render +from vyos.util import call +from vyos.util import get_half_cpus +from vyos.util import vyos_dict_search +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() pppoe_conf = r'/run/accel-pppd/pppoe.conf' pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets' -default_config_data = { - 'auth_mode': 'local', - 'auth_proto': ['auth_mschap_v2', 'auth_mschap_v1', 'auth_chap_md5', 'auth_pap'], - 'chap_secrets_file': pppoe_chap_secrets, # used in Jinja2 template - 'client_ip_pool': '', - 'client_ip_subnets': [], - 'client_ipv6_pool': [], - 'client_ipv6_delegate_prefix': [], - 'concentrator': 'vyos-ac', - 'interfaces': [], - 'local_users' : [], - - 'svc_name': [], - 'dnsv4': [], - 'dnsv6': [], - 'wins': [], - 'mtu': '1492', - - 'limits_burst': '', - 'limits_connections': '', - 'limits_timeout': '', - - 'pado_delay': '', - 'ppp_ccp': False, - 'ppp_gw': '', - 'ppp_ipv4': '', - 'ppp_ipv6': '', - 'ppp_ipv6_accept_peer_intf_id': False, - 'ppp_ipv6_intf_id': '', - 'ppp_ipv6_peer_intf_id': '', - 'ppp_echo_failure': '3', - 'ppp_echo_interval': '30', - 'ppp_echo_timeout': '0', - 'ppp_min_mtu': '', - 'ppp_mppe': 'prefer', - 'ppp_mru': '', - - 'radius_server': [], - 'radius_acct_tmo': '3', - 'radius_max_try': '3', - 'radius_timeout': '3', - 'radius_nas_id': '', - 'radius_nas_ip': '', - 'radius_source_address': '', - 'radius_shaper_attr': '', - 'radius_shaper_vendor': '', - 'radius_dynamic_author': '', - 'sesscrtl': 'replace', - 'snmp': False, - 'thread_cnt': get_half_cpus() -} - def get_config(config=None): if config: conf = config else: conf = Config() - base_path = ['service', 'pppoe-server'] - if not conf.exists(base_path): + base = ['service', 'pppoe-server'] + if not conf.exists(base): return None - conf.set_level(base_path) - pppoe = deepcopy(default_config_data) - - # general options - if conf.exists(['access-concentrator']): - pppoe['concentrator'] = conf.return_value(['access-concentrator']) - - if conf.exists(['service-name']): - pppoe['svc_name'] = conf.return_values(['service-name']) - - if conf.exists(['interface']): - for interface in conf.list_nodes(['interface']): - conf.set_level(base_path + ['interface', interface]) - tmp = { - 'name': interface, - 'vlans': [] - } - - if conf.exists(['vlan-id']): - tmp['vlans'] += conf.return_values(['vlan-id']) - - if conf.exists(['vlan-range']): - tmp['vlans'] += conf.return_values(['vlan-range']) - - pppoe['interfaces'].append(tmp) - - conf.set_level(base_path) - - if conf.exists(['local-ip']): - pppoe['ppp_gw'] = conf.return_value(['local-ip']) - - if conf.exists(['name-server']): - for name_server in conf.return_values(['name-server']): - if is_ipv4(name_server): - pppoe['dnsv4'].append(name_server) - else: - pppoe['dnsv6'].append(name_server) - - if conf.exists(['wins-server']): - pppoe['wins'] = conf.return_values(['wins-server']) - - - if conf.exists(['client-ip-pool']): - if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']): - start = conf.return_value(['client-ip-pool', 'start']) - stop = conf.return_value(['client-ip-pool', 'stop']) - pppoe['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0) - - if conf.exists(['client-ip-pool', 'subnet']): - pppoe['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet']) - - - if conf.exists(['client-ipv6-pool', 'prefix']): - for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']): - tmp = { - 'prefix': prefix, - 'mask': '64' - } - - if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']): - tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask']) - - pppoe['client_ipv6_pool'].append(tmp) - - - if conf.exists(['client-ipv6-pool', 'delegate']): - for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']): - tmp = { - 'prefix': prefix, - 'mask': '' - } - - if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']): - tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']) - - pppoe['client_ipv6_delegate_prefix'].append(tmp) - - - if conf.exists(['limits']): - if conf.exists(['limits', 'burst']): - pppoe['limits_burst'] = conf.return_value(['limits', 'burst']) - - if conf.exists(['limits', 'connection-limit']): - pppoe['limits_connections'] = conf.return_value(['limits', 'connection-limit']) - - if conf.exists(['limits', 'timeout']): - pppoe['limits_timeout'] = conf.return_value(['limits', 'timeout']) - - - if conf.exists(['snmp']): - pppoe['snmp'] = True - - if conf.exists(['snmp', 'master-agent']): - pppoe['snmp'] = 'enable-ma' - - # authentication mode local - if conf.exists(['authentication', 'mode']): - pppoe['auth_mode'] = conf.return_value(['authentication', 'mode']) - - if conf.exists(['authentication', 'local-users']): - for username in conf.list_nodes(['authentication', 'local-users', 'username']): - user = { - 'name' : username, - 'password' : '', - 'state' : 'enabled', - 'ip' : '*', - 'upload' : None, - 'download' : None - } - conf.set_level(base_path + ['authentication', 'local-users', 'username', username]) - - if conf.exists(['password']): - user['password'] = conf.return_value(['password']) - - if conf.exists(['disable']): - user['state'] = 'disable' - - if conf.exists(['static-ip']): - user['ip'] = conf.return_value(['static-ip']) - - if conf.exists(['rate-limit', 'download']): - user['download'] = conf.return_value(['rate-limit', 'download']) - - if conf.exists(['rate-limit', 'upload']): - user['upload'] = conf.return_value(['rate-limit', 'upload']) - - pppoe['local_users'].append(user) - - conf.set_level(base_path) - - if conf.exists(['authentication', 'protocols']): - auth_mods = { - 'mschap-v2': 'auth_mschap_v2', - 'mschap': 'auth_mschap_v1', - 'chap': 'auth_chap_md5', - 'pap': 'auth_pap' - } - - pppoe['auth_proto'] = [] - for proto in conf.return_values(['authentication', 'protocols']): - pppoe['auth_proto'].append(auth_mods[proto]) - - # - # authentication mode radius servers and settings - if conf.exists(['authentication', 'mode', 'radius']): - - for server in conf.list_nodes(['authentication', 'radius', 'server']): - radius = { - 'server' : server, - 'key' : '', - 'fail_time' : 0, - 'port' : '1812', - 'acct_port' : '1813' - } - - conf.set_level(base_path + ['authentication', 'radius', 'server', server]) - - if conf.exists(['fail-time']): - radius['fail_time'] = conf.return_value(['fail-time']) - - if conf.exists(['port']): - radius['port'] = conf.return_value(['port']) - - if conf.exists(['acct-port']): - radius['acct_port'] = conf.return_value(['acct-port']) - - if conf.exists(['key']): - radius['key'] = conf.return_value(['key']) - - if not conf.exists(['disable']): - pppoe['radius_server'].append(radius) - - # - # advanced radius-setting - conf.set_level(base_path + ['authentication', 'radius']) - - if conf.exists(['acct-timeout']): - pppoe['radius_acct_tmo'] = conf.return_value(['acct-timeout']) - - if conf.exists(['max-try']): - pppoe['radius_max_try'] = conf.return_value(['max-try']) - - if conf.exists(['timeout']): - pppoe['radius_timeout'] = conf.return_value(['timeout']) - - if conf.exists(['nas-identifier']): - pppoe['radius_nas_id'] = conf.return_value(['nas-identifier']) - - if conf.exists(['nas-ip-address']): - pppoe['radius_nas_ip'] = conf.return_value(['nas-ip-address']) - - if conf.exists(['source-address']): - pppoe['radius_source_address'] = conf.return_value(['source-address']) - - # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) - if conf.exists(['dynamic-author']): - dae = { - 'port' : '', - 'server' : '', - 'key' : '' - } - - if conf.exists(['dynamic-author', 'server']): - dae['server'] = conf.return_value(['dynamic-author', 'server']) - - if conf.exists(['dynamic-author', 'port']): - dae['port'] = conf.return_value(['dynamic-author', 'port']) - - if conf.exists(['dynamic-author', 'key']): - dae['key'] = conf.return_value(['dynamic-author', 'key']) - - pppoe['radius_dynamic_author'] = dae - - # RADIUS based rate-limiter - if conf.exists(['rate-limit', 'enable']): - pppoe['radius_shaper_attr'] = 'Filter-Id' - c_attr = ['rate-limit', 'enable', 'attribute'] - if conf.exists(c_attr): - pppoe['radius_shaper_attr'] = conf.return_value(c_attr) - - c_vendor = ['rate-limit', 'enable', 'vendor'] - if conf.exists(c_vendor): - pppoe['radius_shaper_vendor'] = conf.return_value(c_vendor) - - # re-set config level - conf.set_level(base_path) - - if conf.exists(['mtu']): - pppoe['mtu'] = conf.return_value(['mtu']) - - if conf.exists(['session-control']): - pppoe['sesscrtl'] = conf.return_value(['session-control']) - - # ppp_options - if conf.exists(['ppp-options']): - conf.set_level(base_path + ['ppp-options']) - - if conf.exists(['ccp']): - pppoe['ppp_ccp'] = True - - if conf.exists(['ipv4']): - pppoe['ppp_ipv4'] = conf.return_value(['ipv4']) - - if conf.exists(['ipv6']): - pppoe['ppp_ipv6'] = conf.return_value(['ipv6']) - - if conf.exists(['ipv6-accept-peer-intf-id']): - pppoe['ppp_ipv6_peer_intf_id'] = True - - if conf.exists(['ipv6-intf-id']): - pppoe['ppp_ipv6_intf_id'] = conf.return_value(['ipv6-intf-id']) - - if conf.exists(['ipv6-peer-intf-id']): - pppoe['ppp_ipv6_peer_intf_id'] = conf.return_value(['ipv6-peer-intf-id']) - - if conf.exists(['lcp-echo-failure']): - pppoe['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure']) - - if conf.exists(['lcp-echo-failure']): - pppoe['ppp_echo_interval'] = conf.return_value(['lcp-echo-failure']) - - if conf.exists(['lcp-echo-timeout']): - pppoe['ppp_echo_timeout'] = conf.return_value(['lcp-echo-timeout']) - - if conf.exists(['min-mtu']): - pppoe['ppp_min_mtu'] = conf.return_value(['min-mtu']) - - if conf.exists(['mppe']): - pppoe['ppp_mppe'] = conf.return_value(['mppe']) - - if conf.exists(['mru']): - pppoe['ppp_mru'] = conf.return_value(['mru']) - - if conf.exists(['pado-delay']): - pppoe['pado_delay'] = '0' - a = {} - for id in conf.list_nodes(['pado-delay']): - if not conf.return_value(['pado-delay', id, 'sessions']): - a[id] = 0 - else: - a[id] = conf.return_value(['pado-delay', id, 'sessions']) - - for k in sorted(a.keys()): - if k != sorted(a.keys())[-1]: - pppoe['pado_delay'] += ",{0}:{1}".format(k, a[k]) - else: - pppoe['pado_delay'] += ",{0}:{1}".format('-1', a[k]) + pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + + # defaults include RADIUS server specifics per TAG node which need to be + # added to individual RADIUS servers instead - so we can simply delete them + if vyos_dict_search('authentication.radius.server', default_values): + del default_values['authentication']['radius']['server'] + # defaults include static-ip address per TAG node which need to be added to + # individual local users instead - so we can simply delete them + if vyos_dict_search('authentication.local_users.username', default_values): + del default_values['authentication']['local_users']['username'] + + pppoe = dict_merge(default_values, pppoe) + + # set CPUs cores to process requests + pppoe.update({'thread_count' : get_half_cpus()}) + # we need to store the path to the secrets file + pppoe.update({'chap_secrets_file' : pppoe_chap_secrets}) + + # We can only have two IPv4 and three IPv6 nameservers - also they are + # configured in a different way in the configuration, this is why we split + # the configuration + if 'name_server' in pppoe: + for ns in pppoe['name_server']: + ns_v4 = [] + ns_v6 = [] + if is_ipv4(ns): ns_v4.append(ns) + else: ns_v6.append(ns) + + pppoe.update({'name_server_ipv4' : ns_v4, 'name_server_ipv6' : ns_v6}) + del pppoe['name_server'] + + # Add individual RADIUS server default values + if vyos_dict_search('authentication.radius.server', pppoe): + default_values = defaults(base + ['authentication', 'radius', 'server']) + + for server in vyos_dict_search('authentication.radius.server', pppoe): + pppoe['authentication']['radius']['server'][server] = dict_merge( + default_values, pppoe['authentication']['radius']['server'][server]) + + # Add individual local-user default values + if vyos_dict_search('authentication.local_users.username', pppoe): + default_values = defaults(base + ['authentication', 'local_users', 'username']) + + for username in vyos_dict_search('authentication.local_users.username', pppoe): + pppoe['authentication']['local_users']['username'][username] = dict_merge( + default_values, pppoe['authentication']['local_users']['username'][username]) return pppoe @@ -390,50 +100,59 @@ def verify(pppoe): return None # vertify auth settings - if pppoe['auth_mode'] == 'local': - if not pppoe['local_users']: + if vyos_dict_search('authentication.mode', pppoe) == 'local': + if not vyos_dict_search('authentication.local_users', pppoe): raise ConfigError('PPPoE local auth mode requires local users to be configured!') - for user in pppoe['local_users']: - username = user['name'] - if not user['password']: - raise ConfigError(f'Password required for local user "{username}"') + for user in vyos_dict_search('authentication.local_users.username', pppoe): + user_config = pppoe['authentication']['local_users']['username'][user] - # if up/download is set, check that both have a value - if user['upload'] and not user['download']: - raise ConfigError(f'Download speed value required for local user "{username}"') + if 'password' not in user_config: + raise ConfigError(f'Password required for local user "{user}"') - if user['download'] and not user['upload']: - raise ConfigError(f'Upload speed value required for local user "{username}"') + if 'rate_limit' in user_config: + # if up/download is set, check that both have a value + if not {'upload', 'download'} <= set(user_config['rate_limit']): + raise ConfigError(f'User "{user}" has rate-limit configured for only one ' \ + 'direction but both upload and download must be given!') - elif pppoe['auth_mode'] == 'radius': - if len(pppoe['radius_server']) == 0: + elif vyos_dict_search('authentication.mode', pppoe) == 'radius': + if not vyos_dict_search('authentication.radius.server', pppoe): raise ConfigError('RADIUS authentication requires at least one server') - for radius in pppoe['radius_server']: - if not radius['key']: - server = radius['server'] - raise ConfigError(f'Missing RADIUS secret key for server "{ server }"') + for server in vyos_dict_search('authentication.radius.server', pppoe): + radius_config = pppoe['authentication']['radius']['server'][server] + if 'key' not in radius_config: + raise ConfigError(f'Missing RADIUS secret key for server "{server}"') - if len(pppoe['wins']) > 2: + if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2: raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') - if len(pppoe['dnsv4']) > 2: - raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') + if 'name_server_ipv4' in pppoe: + if len(pppoe['name_server_ipv4']) > 2: + raise ConfigError('Not more then two IPv4 DNS name-servers ' \ + 'can be configured') - if len(pppoe['dnsv6']) > 3: - raise ConfigError('Not more then three IPv6 DNS name-servers can be configured') + if 'name_server_ipv6' in pppoe: + if len(pppoe['name_server_ipv6']) > 2: + raise ConfigError('Not more then three IPv6 DNS name-servers ' \ + 'can be configured') - if not pppoe['interfaces']: + if 'interface' not in pppoe: raise ConfigError('At least one listen interface must be defined!') + if 'local_ip' not in pppoe: + raise ConfigError('PPPoE server requires local-ip to be configured!') + # local ippool and gateway settings config checks - if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']: - if not pppoe['ppp_gw']: - raise ConfigError('PPPoE server requires local IP to be configured') + if not (vyos_dict_search('client_ip_pool.subnet', pppoe) or + (vyos_dict_search('client_ip_pool.start', pppoe) and + vyos_dict_search('client_ip_pool.stop', pppoe))): + print('Warning: No PPPoE client pool defined') - if pppoe['ppp_gw'] and not pppoe['client_ip_subnets'] and not pppoe['client_ip_pool']: - print("Warning: No PPPoE client pool defined") + if vyos_dict_search('authentication.radius.dynamic_author.server', pppoe): + if not vyos_dict_search('authentication.radius.dynamic_author.key', pppoe): + raise ConfigError('DA/CoE server key required!') return None @@ -444,12 +163,11 @@ def generate(pppoe): render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', pppoe, trim_blocks=True) - if pppoe['local_users']: - render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', pppoe, trim_blocks=True) - os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) + if vyos_dict_search('authentication.mode', pppoe) == 'local': + render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.pppoe.tmpl', pppoe, trim_blocks=True, permission=0o640) else: if os.path.exists(pppoe_chap_secrets): - os.unlink(pppoe_chap_secrets) + os.unlink(pppoe_chap_secrets) return None diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 13831dcd8..da51b0d06 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -56,6 +56,7 @@ default_config_data = { 'ppp_echo_interval' : '30', 'ppp_echo_timeout': '0', 'radius_server': [], + 'radius_acct_inter_jitter': '', 'radius_acct_tmo': '3', 'radius_max_try': '3', 'radius_timeout': '3', @@ -179,6 +180,9 @@ def get_config(config=None): # advanced radius-setting conf.set_level(base_path + ['authentication', 'radius']) + if conf.exists(['acct-interim-jitter']): + l2tp['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter']) + if conf.exists(['acct-timeout']): l2tp['radius_acct_tmo'] = conf.return_value(['acct-timeout']) diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index 9f3b40534..306d05c60 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -36,6 +36,7 @@ default_pptp = { 'auth_mode' : 'local', 'local_users' : [], 'radius_server' : [], + 'radius_acct_inter_jitter': '', 'radius_acct_tmo' : '30', 'radius_max_try' : '3', 'radius_timeout' : '30', @@ -139,6 +140,9 @@ def get_config(config=None): # advanced radius-setting conf.set_level(base_path + ['authentication', 'radius']) + if conf.exists(['acct-interim-jitter']): + pptp['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter']) + if conf.exists(['acct-timeout']): pptp['radius_acct_tmo'] = conf.return_value(['acct-timeout']) diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 7fc370f99..5d928a945 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -273,9 +273,9 @@ def get_config(config=None): # # read in PPP stuff - conf.set_level(base_path + ['ppp-settings']) + conf.set_level(base_path + ['ppp-options']) if conf.exists('mppe'): - sstp['ppp_mppe'] = conf.return_value(['ppp-settings', 'mppe']) + sstp['ppp_mppe'] = conf.return_value(['mppe']) if conf.exists(['lcp-echo-failure']): sstp['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure']) diff --git a/src/conf_mode/vrrp.py b/src/conf_mode/vrrp.py index f1ceb261b..4510dd3e7 100755 --- a/src/conf_mode/vrrp.py +++ b/src/conf_mode/vrrp.py @@ -62,6 +62,7 @@ def get_config(config=None): group["sync_group"] = config.return_value("sync-group") group["preempt_delay"] = config.return_value("preempt-delay") group["virtual_addresses"] = config.return_values("virtual-address") + group["virtual_addresses_excluded"] = config.return_values("virtual-address-excluded") group["auth_password"] = config.return_value("authentication password") group["auth_type"] = config.return_value("authentication type") diff --git a/src/migration-scripts/sstp/2-to-3 b/src/migration-scripts/sstp/2-to-3 new file mode 100755 index 000000000..51f4effed --- /dev/null +++ b/src/migration-scripts/sstp/2-to-3 @@ -0,0 +1,47 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# - Rename SSTP ppp-settings node to ppp-options to make use of a common +# Jinja Template to render Accel-PPP services + +from vyos.configtree import ConfigTree +from sys import argv +from sys import exit + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base_path = ['vpn', 'sstp'] +if not config.exists(base_path): + # Nothing to do + exit(0) +else: + if config.exists(base_path + ['ppp-settings']): + config.rename(base_path + ['ppp-settings'], 'ppp-options') + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/system/11-to-12 b/src/migration-scripts/system/11-to-12 index 1a0233c7d..9cddaa1a7 100755 --- a/src/migration-scripts/system/11-to-12 +++ b/src/migration-scripts/system/11-to-12 @@ -37,31 +37,32 @@ else: # Migrate "system login radius-server" tag node to new # "system login radius server" tag node and also rename the "secret" node to "key" # - for server in config.list_nodes(cfg_base + ['radius-server']): - base_server = cfg_base + ['radius-server', server] - # "key" node is mandatory - key = config.return_value(base_server + ['secret']) - config.set(cfg_base + ['radius', 'server', server, 'key'], value=key) + if config.exists(cfg_base + ['radius-server']): + for server in config.list_nodes(cfg_base + ['radius-server']): + base_server = cfg_base + ['radius-server', server] + # "key" node is mandatory + key = config.return_value(base_server + ['secret']) + config.set(cfg_base + ['radius', 'server', server, 'key'], value=key) - # "port" is optional - if config.exists(base_server + ['port']): - port = config.return_value(base_server + ['port']) - config.set(cfg_base + ['radius', 'server', server, 'port'], value=port) + # "port" is optional + if config.exists(base_server + ['port']): + port = config.return_value(base_server + ['port']) + config.set(cfg_base + ['radius', 'server', server, 'port'], value=port) - # "timeout is optional" - if config.exists(base_server + ['timeout']): - timeout = config.return_value(base_server + ['timeout']) - config.set(cfg_base + ['radius', 'server', server, 'timeout'], value=timeout) + # "timeout is optional" + if config.exists(base_server + ['timeout']): + timeout = config.return_value(base_server + ['timeout']) + config.set(cfg_base + ['radius', 'server', server, 'timeout'], value=timeout) - # format as tag node - config.set_tag(cfg_base + ['radius', 'server']) + # format as tag node + config.set_tag(cfg_base + ['radius', 'server']) - # delete old configuration node - config.delete(base_server) + # delete old configuration node + config.delete(base_server) - # delete top level tag node - if config.exists(cfg_base + ['radius-server']): - config.delete(cfg_base + ['radius-server']) + # delete top level tag node + if config.exists(cfg_base + ['radius-server']): + config.delete(cfg_base + ['radius-server']) try: with open(file_name, 'w') as f: diff --git a/src/services/vyos-configd b/src/services/vyos-configd index 642952936..671a89036 100755 --- a/src/services/vyos-configd +++ b/src/services/vyos-configd @@ -27,7 +27,7 @@ import importlib.util import zmq from vyos.defaults import directories -from vyos.configsource import ConfigSourceString +from vyos.configsource import ConfigSourceString, ConfigSourceError from vyos.config import Config from vyos import ConfigError @@ -59,9 +59,6 @@ configd_env_unset_file = os.path.join(directories['data'], 'vyos-configd-env-uns # sourced on entering config session configd_env_file = '/etc/default/vyos-configd-env' -active_string = '' -session_string = '' - session_tty = None def key_name_from_file_name(f): @@ -137,8 +134,19 @@ def initialization(socket): # Reset config strings: active_string = '' session_string = '' + # check first for resent init msg, in case of client timeout + while True: + msg = socket.recv().decode() + try: + message = json.loads(msg) + if message["type"] == "init": + resp = "init" + socket.send(resp.encode()) + except: + break + # zmq synchronous for ipc from single client: - active_string = socket.recv().decode() + active_string = msg resp = "active" socket.send(resp.encode()) session_string = socket.recv().decode() @@ -154,8 +162,12 @@ def initialization(socket): except FileNotFoundError: session_tty = None - configsource = ConfigSourceString(running_config_text=active_string, - session_config_text=session_string) + try: + configsource = ConfigSourceString(running_config_text=active_string, + session_config_text=session_string) + except ConfigSourceError as e: + logger.debug(e) + return None config = Config(config_source=configsource) |