Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/service_ipoe-server.py8
-rwxr-xr-xsrc/conf_mode/service_pppoe-server.py10
-rwxr-xr-xsrc/conf_mode/system_ip.py1
-rwxr-xr-xsrc/conf_mode/system_ipv6.py1
-rwxr-xr-xsrc/conf_mode/vpn_l2tp.py12
-rwxr-xr-xsrc/conf_mode/vpn_pptp.py12
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py88
-rwxr-xr-xsrc/migration-scripts/dhcpv6-server/4-to-528
-rwxr-xr-xsrc/migration-scripts/l2tp/8-to-949
-rwxr-xr-xsrc/op_mode/vpn_ike_sa.py4
10 files changed, 150 insertions, 63 deletions
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index 5f72b983c..852b714eb 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -25,8 +25,10 @@ from vyos.template import render
from vyos.utils.process import call
from vyos.utils.dict import dict_search
from vyos.accel_ppp_util import get_pools_in_order
+from vyos.accel_ppp_util import verify_accel_ppp_name_servers
+from vyos.accel_ppp_util import verify_accel_ppp_wins_servers
from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
-from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_authentication
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -69,8 +71,10 @@ def verify(ipoe):
raise ConfigError('Option "client-subnet" incompatible with "vlan"!'
'Use "ipoe client-ip-pool" instead.')
- verify_accel_ppp_base_service(ipoe, local_users=False)
+ verify_accel_ppp_authentication(ipoe, local_users=False)
verify_accel_ppp_ip_pool(ipoe)
+ verify_accel_ppp_name_servers(ipoe)
+ verify_accel_ppp_wins_servers(ipoe)
return None
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index c2dfbdb44..c9d1e805f 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -25,7 +25,9 @@ from vyos.configverify import verify_interface_exists
from vyos.template import render
from vyos.utils.process import call
from vyos.utils.dict import dict_search
-from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_name_servers
+from vyos.accel_ppp_util import verify_accel_ppp_wins_servers
+from vyos.accel_ppp_util import verify_accel_ppp_authentication
from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
from vyos.accel_ppp_util import get_pools_in_order
from vyos import ConfigError
@@ -67,11 +69,11 @@ def verify(pppoe):
if not pppoe:
return None
- verify_accel_ppp_base_service(pppoe)
+ verify_accel_ppp_authentication(pppoe)
verify_accel_ppp_ip_pool(pppoe)
+ verify_accel_ppp_name_servers(pppoe)
+ verify_accel_ppp_wins_servers(pppoe)
- if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2:
- raise ConfigError('Not more then two WINS name-servers can be configured')
if 'interface' not in pppoe:
raise ConfigError('At least one listen interface must be defined!')
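Review bot: The removed WINS limit (`len(pppoe['wins_server']) > 2` → ConfigError) is now expected to live inside `verify_accel_ppp_wins_servers`, but that helper is not part of this diff, so the "not more than two" check should be confirmed against its implementation before merging. The same replacement is made in vpn_l2tp.py and vpn_pptp.py, and all three now also gain a name-server check that the old code did not run, which is presumably intended. The enclosing `verify(pppoe)` starts before this hunk.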
diff --git a/src/conf_mode/system_ip.py b/src/conf_mode/system_ip.py
index 7612e2c0d..833f89554 100755
--- a/src/conf_mode/system_ip.py
+++ b/src/conf_mode/system_ip.py
@@ -127,6 +127,7 @@ def apply(opt):
# The route-map used for the FIB (zebra) is part of the zebra daemon
frr_cfg.load_configuration(zebra_daemon)
+ frr_cfg.modify_section(r'no ip nht resolve-via-default')
frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)')
if 'frr_zebra_config' in opt:
frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config'])
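Review bot: The added `frr_cfg.modify_section(r'no ip nht resolve-via-default')` has no comment saying why that zebra line is cleared here, unlike the route-map line above it which is explained by the comment at the top of the hunk. Since the hunk does not show where the setting is rendered back in, a reader cannot tell whether this is a reset-to-default or part of a new option; a one-line comment such as `# Drop any existing 'no ip nht resolve-via-default' so the rendered zebra config below owns its state` (adjusted to the real reason) would make that explicit. The same applies to the `ipv6` variant added in system_ipv6.py. `apply(opt)` starts before this hunk.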
diff --git a/src/conf_mode/system_ipv6.py b/src/conf_mode/system_ipv6.py
index 90a1a8087..00d440e35 100755
--- a/src/conf_mode/system_ipv6.py
+++ b/src/conf_mode/system_ipv6.py
@@ -104,6 +104,7 @@ def apply(opt):
# The route-map used for the FIB (zebra) is part of the zebra daemon
frr_cfg.load_configuration(zebra_daemon)
+ frr_cfg.modify_section(r'no ipv6 nht resolve-via-default')
frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)')
if 'frr_zebra_config' in opt:
frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config'])
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 266381754..04ccbcec3 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -24,7 +24,9 @@ from vyos.configdict import get_accel_dict
from vyos.template import render
from vyos.utils.process import call
from vyos.utils.dict import dict_search
-from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_name_servers
+from vyos.accel_ppp_util import verify_accel_ppp_wins_servers
+from vyos.accel_ppp_util import verify_accel_ppp_authentication
from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
from vyos.accel_ppp_util import get_pools_in_order
from vyos import ConfigError
@@ -62,12 +64,10 @@ def verify(l2tp):
if not l2tp:
return None
- verify_accel_ppp_base_service(l2tp)
+ verify_accel_ppp_authentication(l2tp)
verify_accel_ppp_ip_pool(l2tp)
-
- if 'wins_server' in l2tp and len(l2tp['wins_server']) > 2:
- raise ConfigError(
- 'Not more then two WINS name-servers can be configured')
+ verify_accel_ppp_name_servers(l2tp)
+ verify_accel_ppp_wins_servers(l2tp)
return None
diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py
index b1d5067d5..c0d8330bd 100755
--- a/src/conf_mode/vpn_pptp.py
+++ b/src/conf_mode/vpn_pptp.py
@@ -22,7 +22,9 @@ from vyos.config import Config
from vyos.template import render
from vyos.utils.process import call
from vyos.utils.dict import dict_search
-from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_name_servers
+from vyos.accel_ppp_util import verify_accel_ppp_wins_servers
+from vyos.accel_ppp_util import verify_accel_ppp_authentication
from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
from vyos.accel_ppp_util import get_pools_in_order
from vyos import ConfigError
@@ -60,12 +62,10 @@ def verify(pptp):
if not pptp:
return None
- verify_accel_ppp_base_service(pptp)
+ verify_accel_ppp_authentication(pptp)
verify_accel_ppp_ip_pool(pptp)
-
- if 'wins_server' in pptp and len(pptp['wins_server']) > 2:
- raise ConfigError(
- 'Not more then two WINS name-servers can be configured')
+ verify_accel_ppp_name_servers(pptp)
+ verify_accel_ppp_wins_servers(pptp)
def generate(pptp):
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 5c229fe62..8661a8aff 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -26,7 +26,9 @@ from vyos.template import render
from vyos.utils.process import call
from vyos.utils.network import check_port_availability
from vyos.utils.dict import dict_search
-from vyos.accel_ppp_util import verify_accel_ppp_base_service
+from vyos.accel_ppp_util import verify_accel_ppp_name_servers
+from vyos.accel_ppp_util import verify_accel_ppp_wins_servers
+from vyos.accel_ppp_util import verify_accel_ppp_authentication
from vyos.accel_ppp_util import verify_accel_ppp_ip_pool
from vyos.accel_ppp_util import get_pools_in_order
from vyos.utils.network import is_listen_port_bind_service
@@ -43,48 +45,18 @@ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem')
cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key')
ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem')
-def get_config(config=None):
- if config:
- conf = config
- else:
- conf = Config()
- base = ['vpn', 'sstp']
- if not conf.exists(base):
- return None
-
- # retrieve common dictionary keys
- sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True)
- if dict_search('client_ip_pool', sstp):
- # Multiple named pools require ordered values T5099
- sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp))
-
- sstp['server_type'] = 'sstp'
- return sstp
-
-
-def verify(sstp):
- if not sstp:
- return None
-
- port = sstp.get('port')
- proto = 'tcp'
- if check_port_availability('0.0.0.0', int(port), proto) is not True and \
- not is_listen_port_bind_service(int(port), 'accel-pppd'):
- raise ConfigError(f'"{proto}" port "{port}" is used by another service')
-
- verify_accel_ppp_base_service(sstp)
- verify_accel_ppp_ip_pool(sstp)
+def verify_certificate(config):
#
# SSL certificate checks
#
- if not sstp['pki']:
+ if not config['pki']:
raise ConfigError('PKI is not configured')
- if 'ssl' not in sstp:
+ if 'ssl' not in config:
raise ConfigError('SSL missing on SSTP config')
- ssl = sstp['ssl']
+ ssl = config['ssl']
# CA
if 'ca_certificate' not in ssl:
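Review bot: The new `verify_certificate(config)` has no docstring; the old `#` banner now sits where one would go, and the parameter is the whole accel-ppp dictionary rather than a certificate, which the name alone does not convey. A docstring such as `"""Validate the PKI/SSL references in the SSTP config dict; raises ConfigError on a missing or unusable CA, certificate or key."""` would cover it. The function body continues past the end of this hunk.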
@@ -92,10 +64,10 @@ def verify(sstp):
ca_name = ssl['ca_certificate']
- if ca_name not in sstp['pki']['ca']:
+ if ca_name not in config['pki']['ca']:
raise ConfigError('Invalid CA certificate on SSTP config')
- if 'certificate' not in sstp['pki']['ca'][ca_name]:
+ if 'certificate' not in config['pki']['ca'][ca_name]:
raise ConfigError('Missing certificate data for CA certificate on SSTP config')
# Certificate
@@ -104,10 +76,10 @@ def verify(sstp):
cert_name = ssl['certificate']
- if cert_name not in sstp['pki']['certificate']:
+ if cert_name not in config['pki']['certificate']:
raise ConfigError('Invalid certificate on SSTP config')
- pki_cert = sstp['pki']['certificate'][cert_name]
+ pki_cert = config['pki']['certificate'][cert_name]
if 'certificate' not in pki_cert:
raise ConfigError('Missing certificate data for certificate on SSTP config')
@@ -118,6 +90,43 @@ def verify(sstp):
if 'password_protected' in pki_cert['private']:
raise ConfigError('Encrypted private key is not supported on SSTP config')
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['vpn', 'sstp']
+ if not conf.exists(base):
+ return None
+
+ # retrieve common dictionary keys
+ sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True)
+ if dict_search('client_ip_pool', sstp):
+ # Multiple named pools require ordered values T5099
+ sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp))
+
+ sstp['server_type'] = 'sstp'
+ return sstp
+
+
+def verify(sstp):
+ if not sstp:
+ return None
+
+ port = sstp.get('port')
+ proto = 'tcp'
+ if check_port_availability('0.0.0.0', int(port), proto) is not True and \
+ not is_listen_port_bind_service(int(port), 'accel-pppd'):
+ raise ConfigError(f'"{proto}" port "{port}" is used by another service')
+
+ verify_accel_ppp_authentication(sstp)
+ verify_accel_ppp_ip_pool(sstp)
+ verify_accel_ppp_name_servers(sstp)
+ verify_accel_ppp_wins_servers(sstp)
+ verify_certificate(sstp)
+
+
def generate(sstp):
if not sstp:
return None
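Review bot: In `verify(sstp)`, `port = sstp.get('port')` is followed by `int(port)`, so if `port` can ever be absent the check raises TypeError instead of a ConfigError like the rest of the function; if the schema always supplies a default this is moot, otherwise a guard `if port is None: raise ConfigError('SSTP listen port must be set')` before the availability check keeps the error path consistent. Both `get_config` and `verify` are fully contained in this hunk; `generate` continues past it.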
@@ -143,6 +152,7 @@ def generate(sstp):
return sstp
+
def apply(sstp):
if not sstp:
call('systemctl stop accel-ppp@sstp.service')
diff --git a/src/migration-scripts/dhcpv6-server/4-to-5 b/src/migration-scripts/dhcpv6-server/4-to-5
index e808edbe0..ae506b9c5 100755
--- a/src/migration-scripts/dhcpv6-server/4-to-5
+++ b/src/migration-scripts/dhcpv6-server/4-to-5
@@ -39,14 +39,34 @@ if not config.exists(base):
def find_subnet_interface(subnet):
subnet_net = ip_network(subnet)
+ def check_addr(if_path):
+ if config.exists(if_path + ['address']):
+ for addr in config.return_values(if_path + ['address']):
+ if ip_network(addr, strict=False) == subnet_net:
+ return True
+ return None
+
for iftype in config.list_nodes(['interfaces']):
for ifname in config.list_nodes(['interfaces', iftype]):
if_base = ['interfaces', iftype, ifname]
- if config.exists(if_base + ['address']):
- for addr in config.return_values(if_base + ['address']):
- if ip_network(addr, strict=False) == subnet_net:
- return ifname
+ if check_addr(if_base):
+ return ifname
+
+ if config.exists(if_base + ['vif']):
+ for vif in config.list_nodes(if_base + ['vif']):
+ if check_addr(if_base + ['vif', vif]):
+ return f'{ifname}.{vif}'
+
+ if config.exists(if_base + ['vif-s']):
+ for vifs in config.list_nodes(if_base + ['vif-s']):
+ if check_addr(if_base + ['vif-s', vifs]):
+ return f'{ifname}.{vifs}'
+
+ if config.exists(if_base + ['vif-s', vifs, 'vif-c']):
+ for vifc in config.list_nodes(if_base + ['vif-s', vifs, 'vif-c']):
+ if check_addr(if_base + ['vif-s', vifs, 'vif-c', vifc]):
+ return f'{ifname}.{vifs}.{vifc}'
return False
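Review bot: The nested `check_addr` ends with `return None` while the enclosing `find_subnet_interface` signals "not found" with `return False`; using `return False` in the helper too would keep the two consistent and make the truthiness of its result explicit. The correctness of the `vif-c` lookup depends on that block being nested inside the `for vifs` loop, which the indentation here does not let me verify; if it were at the loop's own level, `vifs` would only refer to the last `vif-s` node. The three `if config.exists(...) / for ... / if check_addr(...)` stanzas are near-identical and could share one small loop over the candidate paths.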
diff --git a/src/migration-scripts/l2tp/8-to-9 b/src/migration-scripts/l2tp/8-to-9
new file mode 100755
index 000000000..e85a3892b
--- /dev/null
+++ b/src/migration-scripts/l2tp/8-to-9
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Deleted 'dhcp-interface' from l2tp
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'l2tp', 'remote-access']
+if not config.exists(base):
+ exit(0)
+
+#deleting unused dhcp-interface
+if config.exists(base + ['dhcp-interface']):
+ config.delete(base + ['dhcp-interface'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
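Review bot: `import os` is unused in this new migration script and can be dropped. The header comment `# Deleted 'dhcp-interface' from l2tp` says what is removed but not why there is no replacement; a sentence such as `# The node was removed from the CLI and has no successor, so the value is dropped rather than migrated` would save the next reader a lookup. The write is guarded against OSError but the read is not, which matches the other migration scripts' style.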
diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py
index 069c12069..7186bdec2 100755
--- a/src/op_mode/vpn_ike_sa.py
+++ b/src/op_mode/vpn_ike_sa.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -57,7 +57,7 @@ def ike_sa(peer, nat):
dh_group = s(sa['dh-group']) if 'dh-group' in sa else 'n/a'
natt = 'yes' if 'nat-local' in sa and s(sa['nat-local']) == 'yes' else 'no'
atime = s(sa['established']) if 'established' in sa else '0'
- ltime = s(sa['rekey-time']) if 'rekey_time' in sa else '0'
+ ltime = s(sa['rekey-time']) if 'rekey-time' in sa else '0'
print(ike_sa_tunnel_prefix)
print(' %-6s %-6s %-12s %-13s %-14s %-6s %-7s %-7s\n' % (state, version, encryption, integrity, dh_group, natt, atime, ltime))