Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/dhcp_server.py | 4 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 26 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 6 | ||||
| -rwxr-xr-x | src/conf_mode/interfaces-wireless.py | 2 | ||||
| -rwxr-xr-x | src/etc/netplug/linkdown.d/dhclient | 65 | ||||
| -rwxr-xr-x | src/etc/netplug/linkup.d/dhclient | 64 | ||||
| -rwxr-xr-x | src/etc/netplug/linkup.d/vyos-python-helper | 4 | ||||
| -rwxr-xr-x | src/etc/netplug/netplug | 41 | ||||
| -rw-r--r-- | src/etc/netplug/netplugd.conf | 3 | ||||
| -rwxr-xr-x | src/etc/netplug/vyos-netplug-dhcp-client | 62 | 
10 files changed, 134 insertions, 143 deletions
| diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index 280057f04..c4c72aae9 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -296,6 +296,10 @@ def generate(dhcp):
     render(config_file, 'dhcp-server/dhcpd.conf.j2', dhcp,
            formater=lambda _: _.replace(""", '"'))
+    # Clean up configuration test file
+    if os.path.exists(tmp_file):
+        os.unlink(tmp_file)
+
     return None
 def apply(dhcp):
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 26b217d98..1d0feb56f 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
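Review bot: The cleanup added after `render` runs only on the success path; if the configuration test earlier in `generate` raises, the test file appears to be left on disk (where `tmp_file` is written is outside this hunk, so that part is inferred). The exists-then-unlink pair is also a small race between check and removal; `try: os.unlink(tmp_file)` / `except FileNotFoundError: pass` is both shorter and race-free, and belongs in a `finally` around the test if the leak on failure is confirmed. `generate` starts outside the hunk.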
@@ -166,17 +166,23 @@ def verify_pki(openvpn):
             raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}')
     if tls:
-        if 'ca_certificate' not in tls:
-            raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}')
-
-        for ca_name in tls['ca_certificate']:
-            if ca_name not in pki['ca']:
-                raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+        if (mode in ['server', 'client']) and ('ca_certificate' not in tls):
+            raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\
+              it is required in server and client modes')
+        else:
+            if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls):
+                raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\
+                  on openvpn interface {interface} in site-to-site mode')
-        if len(tls['ca_certificate']) > 1:
-            sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
-            if not verify_ca_chain(sorted_chain, pki['ca']):
-                raise ConfigError(f'CA certificates are not a valid chain')
+        if 'ca_certificate' in tls:
+            for ca_name in tls['ca_certificate']:
+                if ca_name not in pki['ca']:
+                    raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+
+            if len(tls['ca_certificate']) > 1:
+                sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
+                if not verify_ca_chain(sorted_chain, pki['ca']):
+                    raise ConfigError(f'CA certificates are not a valid chain')
         if mode != 'client' and 'auth_key' not in tls:
             if 'certificate' not in tls:
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index 446399255..122d9589a 100755
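Review bot: The site-to-site error message is a plain string, not an f-string, so `{interface}` is emitted literally to the user. Both new messages also continue the literal with a backslash-newline, which embeds the continuation indentation (a run of spaces) into the text; adjacent-literal concatenation avoids that, e.g. `raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required '` / `                  f'on openvpn interface {interface} in site-to-site mode')`, and likewise for the server/client message. The `else:` after the first `raise` is redundant. In site-to-site mode the new branch accepts `peer_fingerprint` as the sole trust anchor; whether its value is validated anywhere is not visible in this hunk, and `verify_pki` starts and ends outside it.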
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -90,7 +90,6 @@ def verify(wireguard):
     # run checks on individual configured WireGuard peer
     public_keys = []
-
     for tmp in wireguard['peer']:
         peer = wireguard['peer'][tmp]
@@ -107,8 +106,9 @@ def verify(wireguard):
         if peer['public_key'] in public_keys:
             raise ConfigError(f'Duplicate public-key defined on peer "{tmp}"')
-        if 'disable' not in peer and is_wireguard_key_pair(wireguard['private_key'], peer['public_key']):
-            raise ConfigError(f'Peer "{tmp}" has the same public key as the interface "{wireguard["ifname"]}"')
+        if 'disable' not in peer:
+            if is_wireguard_key_pair(wireguard['private_key'], peer['public_key']):
+                raise ConfigError(f'Peer "{tmp}" has the same public key as the interface "{wireguard["ifname"]}"')
         public_keys.append(peer['public_key'])
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index e49ad25ac..29ab9713f 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -116,7 +116,7 @@ def verify(wifi):
         raise ConfigError('You must specify a WiFi mode')
     if 'ssid' not in wifi and wifi['type'] != 'monitor':
-        raise ConfigError('SSID must be configured')
+        raise ConfigError('SSID must be configured unless type is set to "monitor"!')
     if wifi['type'] == 'access-point':
         if 'country_code' not in wifi:
diff --git a/src/etc/netplug/linkdown.d/dhclient b/src/etc/netplug/linkdown.d/dhclient
deleted file mode 100755
index 555ff9134..000000000
--- a/src/etc/netplug/linkdown.d/dhclient
+++ /dev/null
@@ -1,65 +0,0 @@
-#!/usr/bin/perl
-#
-# Module: dhclient
-#
-# **** License ****
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# A copy of the GNU General Public License is available as
-# `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
-# or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
-# You can also obtain it by writing to the Free Software Foundation,
-# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
-# MA 02110-1301, USA.
-#
-# This code was originally developed by Vyatta, Inc.
-# Portions created by Vyatta are Copyright (C) 2008 Vyatta, Inc.
-# All Rights Reserved.
-#
-# Author: Mohit Mehta
-# Date: November 2008
-# Description: Script to release lease on link down
-#
-# **** End License ****
-#
-
-use lib "/opt/vyatta/share/perl5/";
-use Vyatta::Config;
-use Vyatta::Misc;
-
-use strict;
-use warnings;
-
-sub stop_dhclient {
-    my $intf = shift;
-    my $dhcp_daemon = '/sbin/dhclient';
-    my ($intf_config_file, $intf_process_id_file, $intf_leases_file) = Vyatta::Misc::generate_dhclient_intf_files($intf);
-    my $release_cmd = "sudo $dhcp_daemon -q -cf $intf_config_file -pf $intf_process_id_file -lf $intf_leases_file -r $intf 2> /dev/null;";
-    $release_cmd .= "sudo rm -f $intf_process_id_file 2> /dev/null";
-    system ($release_cmd);
-}
-
-
-#
-# main
-#
-
-my $dev=shift;
-
-# only do this if interface is configured to use dhcp for getting IP address
-if (Vyatta::Misc::is_dhcp_enabled($dev, "outside_cli")) {
-   # do a dhcp lease release for interface
-   stop_dhclient($dev);
-}
-
-exit 0;
-
-# end of file
-
diff --git a/src/etc/netplug/linkup.d/dhclient b/src/etc/netplug/linkup.d/dhclient
deleted file mode 100755
index 8e50715fd..000000000
--- a/src/etc/netplug/linkup.d/dhclient
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/perl
-#
-# Module: dhclient
-#
-# **** License ****
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# General Public License for more details.
-#
-# A copy of the GNU General Public License is available as
-# `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
-# or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
-# You can also obtain it by writing to the Free Software Foundation,
-# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
-# MA 02110-1301, USA.
-#
-# This code was originally developed by Vyatta, Inc.
-# Portions created by Vyatta are Copyright (C) 2008 Vyatta, Inc.
-# All Rights Reserved.
-#
-# Author: Mohit Mehta
-# Date: November 2008
-# Description: Script to renew lease on link up
-#
-# **** End License ****
-#
-
-use lib "/opt/vyatta/share/perl5/";
-use Vyatta::Config;
-use Vyatta::Misc;
-
-use strict;
-use warnings;
-
-sub run_dhclient {
-    my $intf = shift;
-    my $dhcp_daemon = '/sbin/dhclient';
-    my ($intf_config_file, $intf_process_id_file, $intf_leases_file) = Vyatta::Misc::generate_dhclient_intf_files($intf);
-    my $cmd = "sudo $dhcp_daemon -pf $intf_process_id_file -x $intf 2> /dev/null; sudo rm -f $intf_process_id_file 2> /dev/null;";
-    $cmd .= "sudo $dhcp_daemon -q -nw -cf $intf_config_file -pf $intf_process_id_file  -lf $intf_leases_file $intf 2> /dev/null &";
-    system ($cmd);
-}
-
-#
-# main
-#
-
-my $dev=shift;
-
-# only do this if interface is configured to use dhcp for getting IP address
-if (Vyatta::Misc::is_dhcp_enabled($dev, "outside_cli")) {
-   # do a dhcp lease renew for interface
-   run_dhclient($dev);
-}
-
-exit 0;
-
-# end of file
-
diff --git a/src/etc/netplug/linkup.d/vyos-python-helper b/src/etc/netplug/linkup.d/vyos-python-helper
new file mode 100755
index 000000000..9c59c58ad
--- /dev/null
+++ b/src/etc/netplug/linkup.d/vyos-python-helper
@@ -0,0 +1,4 @@
+#!/bin/sh
+PYTHON3=$(which python3)
+# Call the real python script and forward commandline arguments
+$PYTHON3 /etc/netplug/vyos-netplug-dhcp-client "${@:1}"
diff --git a/src/etc/netplug/netplug b/src/etc/netplug/netplug
new file mode 100755
index 000000000..60b65e8c9
--- /dev/null
+++ b/src/etc/netplug/netplug
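Review bot: `"${@:1}"` on the last line of vyos-python-helper is a bash-style array slice; under `#!/bin/sh` on a dash-based system it is likely rejected as a bad substitution, and it is equivalent to plain `"$@"` anyway, so `$PYTHON3 /etc/netplug/vyos-netplug-dhcp-client "$@"` is the portable form. When `which python3` finds nothing, `PYTHON3` is empty and the script path is executed directly, silently relying on its own shebang; a check that `PYTHON3` is non-empty, or simply `exec`ing the script, makes that failure mode explicit. The wrapper forwards whatever run-parts passes without inspecting it, so argument validation has to happen in the Python script.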
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+dev="$1"
+action="$2"
+
+case "$action" in
+in)
+   run-parts --arg $dev --arg in /etc/netplug/linkup.d
+    ;;
+out)
+   run-parts --arg $dev --arg out /etc/netplug/linkdown.d
+    ;;
+
+# probe loads and initialises the driver for the interface and brings the
+# interface into the "up" state, so that it can generate netlink(7) events.
+# This interferes with "admin down" for an interface. Thus, commented out. An
+# "admin up" is treated as a "link up" and thus, "link up" action is executed.
+# To execute "link down" action on "admin down", run appropriate script in
+# /etc/netplug/linkdown.d
+#probe)
+#    ;;
+
+*)
+    exit 1
+    ;;
+esac
diff --git a/src/etc/netplug/netplugd.conf b/src/etc/netplug/netplugd.conf
new file mode 100644
index 000000000..ab4d826d6
--- /dev/null
+++ b/src/etc/netplug/netplugd.conf
@@ -0,0 +1,3 @@
+eth*
+br*
+bond*
diff --git a/src/etc/netplug/vyos-netplug-dhcp-client b/src/etc/netplug/vyos-netplug-dhcp-client
new file mode 100755
index 000000000..55d15a163
--- /dev/null
+++ b/src/etc/netplug/vyos-netplug-dhcp-client
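Review bot: `$dev` is passed to `run-parts --arg $dev` unquoted in both the `in)` and `out)` branches of /etc/netplug/netplug, so an empty or unexpected first argument is dropped or word-split before it reaches the hook scripts; quote it, `run-parts --arg "$dev" --arg in /etc/netplug/linkup.d` (and the same for `out`). A guard that `$dev` is non-empty before the `case` would make a malformed invocation fail here rather than in every hook. The branch indentation is also inconsistent: three spaces before the `run-parts` lines, four before `;;`.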
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+
+from time import sleep
+
+from vyos.configquery import ConfigTreeQuery
+from vyos.ifconfig import Section
+from vyos.utils.boot import boot_configuration_complete
+from vyos.utils.commit import commit_in_progress
+from vyos.utils.process import call
+from vyos import airbag
+airbag.enable()
+
+if len(sys.argv) < 3:
+    airbag.noteworthy("Must specify both interface and link status!")
+    sys.exit(1)
+
+if not boot_configuration_complete():
+    airbag.noteworthy("System bootup not yet finished...")
+    sys.exit(1)
+
+while commit_in_progress():
+    sleep(1)
+
+interface = sys.argv[1]
+in_out = sys.argv[2]
+config = ConfigTreeQuery()
+
+interface_path = ['interfaces'] + Section.get_config_path(interface).split()
+
+for _, interface_config in config.get_config_dict(interface_path).items():
+    # Bail out early if we do not have an IP address configured
+    if 'address' not in interface_config:
+        continue
+    # Bail out early if interface ist administrative down
+    if 'disable' in interface_config:
+        continue
+    systemd_action = 'start'
+    if in_out == 'out':
+        systemd_action = 'stop'
+    # Start/Stop DHCP service
+    if 'dhcp' in interface_config['address']:
+        call(f'systemctl {systemd_action} dhclient@{interface}.service')
+    # Start/Stop DHCPv6 service
+    if 'dhcpv6' in interface_config['address']:
+        call(f'systemctl {systemd_action} dhcp6c@{interface}.service') |
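Review bot: `in_out` is never validated: any second argument other than the literal `'out'` results in `systemctl start`, and `interface` goes straight into the command string handed to `call`, which appears to run it through a shell (confirm against `vyos.utils.process.call`). An early guard such as `if in_out not in ('in', 'out'):` / `    airbag.noteworthy(f'Unknown link status "{in_out}"')` / `    sys.exit(1)`, placed next to the existing argument-count check, rejects unexpected invocations, and a sanity check that `interface` looks like an interface name before it reaches `systemctl` keeps the unit name well-formed. The `while commit_in_progress(): sleep(1)` loop has no upper bound, so a stuck commit blocks the netplug hook indefinitely. The comment `# Bail out early if interface ist administrative down` should read `# Bail out early if interface is administratively down`.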
