Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/service_ipoe-server.py | 8 | ||||
-rwxr-xr-x | src/conf_mode/service_pppoe-server.py | 10 | ||||
-rwxr-xr-x | src/conf_mode/system_ip.py | 1 | ||||
-rwxr-xr-x | src/conf_mode/system_ipv6.py | 1 | ||||
-rwxr-xr-x | src/conf_mode/vpn_l2tp.py | 12 | ||||
-rwxr-xr-x | src/conf_mode/vpn_pptp.py | 12 | ||||
-rwxr-xr-x | src/conf_mode/vpn_sstp.py | 88 | ||||
-rwxr-xr-x | src/migration-scripts/dhcpv6-server/4-to-5 | 28 | ||||
-rwxr-xr-x | src/migration-scripts/l2tp/8-to-9 | 49 | ||||
-rwxr-xr-x | src/op_mode/vpn_ike_sa.py | 4 |
10 files changed, 150 insertions, 63 deletions
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 5f72b983c..852b714eb 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -25,8 +25,10 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search from vyos.accel_ppp_util import get_pools_in_order +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers from vyos.accel_ppp_util import verify_accel_ppp_ip_pool -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos import ConfigError from vyos import airbag airbag.enable() @@ -69,8 +71,10 @@ def verify(ipoe): raise ConfigError('Option "client-subnet" incompatible with "vlan"!' 'Use "ipoe client-ip-pool" instead.') - verify_accel_ppp_base_service(ipoe, local_users=False) + verify_accel_ppp_authentication(ipoe, local_users=False) verify_accel_ppp_ip_pool(ipoe) + verify_accel_ppp_name_servers(ipoe) + verify_accel_ppp_wins_servers(ipoe) return None diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index c2dfbdb44..c9d1e805f 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -25,7 +25,9 @@ from vyos.configverify import verify_interface_exists from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError 
@@ -67,11 +69,11 @@ def verify(pppoe): if not pppoe: return None - verify_accel_ppp_base_service(pppoe) + verify_accel_ppp_authentication(pppoe) verify_accel_ppp_ip_pool(pppoe) + verify_accel_ppp_name_servers(pppoe) + verify_accel_ppp_wins_servers(pppoe) - if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2: - raise ConfigError('Not more then two WINS name-servers can be configured') if 'interface' not in pppoe: raise ConfigError('At least one listen interface must be defined!') diff --git a/src/conf_mode/system_ip.py b/src/conf_mode/system_ip.py index 7612e2c0d..833f89554 100755 --- a/src/conf_mode/system_ip.py +++ b/src/conf_mode/system_ip.py @@ -127,6 +127,7 @@ def apply(opt): # The route-map used for the FIB (zebra) is part of the zebra daemon frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'no ip nht resolve-via-default') frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') if 'frr_zebra_config' in opt: frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) diff --git a/src/conf_mode/system_ipv6.py b/src/conf_mode/system_ipv6.py index 90a1a8087..00d440e35 100755 --- a/src/conf_mode/system_ipv6.py +++ b/src/conf_mode/system_ipv6.py @@ -104,6 +104,7 @@ def apply(opt): # The route-map used for the FIB (zebra) is part of the zebra daemon frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'no ipv6 nht resolve-via-default') frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') if 'frr_zebra_config' in opt: frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 266381754..04ccbcec3 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py 
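Review bot: The new `frr_cfg.modify_section(r'no ip nht resolve-via-default')` line in `apply` of system_ip.py carries no explanation, unlike the comment that introduces the `load_configuration(zebra_daemon)` call just above it, so a reader cannot tell why this zebra line is stripped from the running FRR config before the rendered section is merged, or what guarantees the intended value is written back. Presumably the rendered `frr_zebra_config` re-emits the toggle from `opt` and the strip avoids a stale `no ip nht resolve-via-default` surviving a delete; if so, a comment such as `# Strip the nht resolve-via-default toggle so the rendered zebra config alone decides it` would make that explicit. It is also worth confirming that `modify_section` without a `stop_pattern` removes exactly that one line, since the neighbouring call passes one. The same applies to the matching `no ipv6 nht resolve-via-default` line added to system_ipv6.py in the next hunk; `apply` starts and ends outside both hunks.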
@@ -24,7 +24,9 @@ from vyos.configdict import get_accel_dict from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError @@ -62,12 +64,10 @@ def verify(l2tp): if not l2tp: return None - verify_accel_ppp_base_service(l2tp) + verify_accel_ppp_authentication(l2tp) verify_accel_ppp_ip_pool(l2tp) - - if 'wins_server' in l2tp and len(l2tp['wins_server']) > 2: - raise ConfigError( - 'Not more then two WINS name-servers can be configured') + verify_accel_ppp_name_servers(l2tp) + verify_accel_ppp_wins_servers(l2tp) return None diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index b1d5067d5..c0d8330bd 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -22,7 +22,9 @@ from vyos.config import Config from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError 
@@ -60,12 +62,10 @@ def verify(pptp): if not pptp: return None - verify_accel_ppp_base_service(pptp) + verify_accel_ppp_authentication(pptp) verify_accel_ppp_ip_pool(pptp) - - if 'wins_server' in pptp and len(pptp['wins_server']) > 2: - raise ConfigError( - 'Not more then two WINS name-servers can be configured') + verify_accel_ppp_name_servers(pptp) + verify_accel_ppp_wins_servers(pptp) def generate(pptp): diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 5c229fe62..8661a8aff 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -26,7 +26,9 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.network import check_port_availability from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos.utils.network import is_listen_port_bind_service 
@@ -43,48 +45,18 @@ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem') cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key') ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem') -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['vpn', 'sstp'] - if not conf.exists(base): - return None - - # retrieve common dictionary keys - sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) - if dict_search('client_ip_pool', sstp): - # Multiple named pools require ordered values T5099 - sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) - - sstp['server_type'] = 'sstp' - return sstp - - -def verify(sstp): - if not sstp: - return None - - port = sstp.get('port') - proto = 'tcp' - if check_port_availability('0.0.0.0', int(port), proto) is not True and \ - not is_listen_port_bind_service(int(port), 'accel-pppd'): - raise ConfigError(f'"{proto}" port "{port}" is used by another service') - - verify_accel_ppp_base_service(sstp) - verify_accel_ppp_ip_pool(sstp) +def verify_certificate(config): # # SSL certificate checks # - if not sstp['pki']: + if not config['pki']: raise ConfigError('PKI is not configured') - if 'ssl' not in sstp: + if 'ssl' not in config: raise ConfigError('SSL missing on SSTP config') - ssl = sstp['ssl'] + ssl = config['ssl'] # CA if 'ca_certificate' not in ssl: @@ -92,10 +64,10 @@ def verify(sstp): ca_name = ssl['ca_certificate'] - if ca_name not in sstp['pki']['ca']: + if ca_name not in config['pki']['ca']: raise ConfigError('Invalid CA certificate on SSTP config') - if 'certificate' not in sstp['pki']['ca'][ca_name]: + if 'certificate' not in config['pki']['ca'][ca_name]: raise ConfigError('Missing certificate data for CA certificate on SSTP config') # Certificate 
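Review bot: `verify_certificate` is introduced without a docstring, and its generic name suggests a reusable PKI helper although it only validates the `ssl` subtree of an SSTP dictionary against the loaded `pki` data and raises `ConfigError` on every gap; a short docstring ("Validate the SSL CA, certificate and private-key references of an SSTP config dict against the loaded PKI data; raise ConfigError on any missing or invalid entry.") would set the right expectation for callers. The `config['pki']` lookup on the first check still raises a bare `KeyError` rather than `ConfigError` if the caller passes a dict built without `with_pki=True`, which the docstring should state as a precondition. The function's body continues in the next two hunks, where the `sstp` to `config` rename is finished.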
@@ -104,10 +76,10 @@ def verify(sstp): cert_name = ssl['certificate'] - if cert_name not in sstp['pki']['certificate']: + if cert_name not in config['pki']['certificate']: raise ConfigError('Invalid certificate on SSTP config') - pki_cert = sstp['pki']['certificate'][cert_name] + pki_cert = config['pki']['certificate'][cert_name] if 'certificate' not in pki_cert: raise ConfigError('Missing certificate data for certificate on SSTP config') @@ -118,6 +90,43 @@ def verify(sstp): if 'password_protected' in pki_cert['private']: raise ConfigError('Encrypted private key is not supported on SSTP config') + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['vpn', 'sstp'] + if not conf.exists(base): + return None + + # retrieve common dictionary keys + sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) + if dict_search('client_ip_pool', sstp): + # Multiple named pools require ordered values T5099 + sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) + + sstp['server_type'] = 'sstp' + return sstp + + +def verify(sstp): + if not sstp: + return None + + port = sstp.get('port') + proto = 'tcp' + if check_port_availability('0.0.0.0', int(port), proto) is not True and \ + not is_listen_port_bind_service(int(port), 'accel-pppd'): + raise ConfigError(f'"{proto}" port "{port}" is used by another service') + + verify_accel_ppp_authentication(sstp) + verify_accel_ppp_ip_pool(sstp) + verify_accel_ppp_name_servers(sstp) + verify_accel_ppp_wins_servers(sstp) + verify_certificate(sstp) + + def generate(sstp): if not sstp: return None @@ -143,6 +152,7 @@ def generate(sstp): return sstp + def apply(sstp): if not sstp: call('systemctl stop accel-ppp@sstp.service') diff --git a/src/migration-scripts/dhcpv6-server/4-to-5 b/src/migration-scripts/dhcpv6-server/4-to-5 index e808edbe0..ae506b9c5 100755 --- a/src/migration-scripts/dhcpv6-server/4-to-5 +++ b/src/migration-scripts/dhcpv6-server/4-to-5 
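Review bot: In the re-added `verify` of vpn_sstp.py, `port = sstp.get('port')` is immediately followed by `int(port)`, so a configuration without a port fails with a `TypeError` instead of the `ConfigError` the rest of the function produces. Unless the interface definition guarantees a default (not visible in this diff), add `if not port: raise ConfigError('SSTP port is not defined')` before the `check_port_availability` call. The `0.0.0.0` probe also only tests IPv4 availability, which may be fine but deserves a one-line comment since the function is otherwise address-family neutral.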
@@ -39,14 +39,34 @@ if not config.exists(base): def find_subnet_interface(subnet): subnet_net = ip_network(subnet) + def check_addr(if_path): + if config.exists(if_path + ['address']): + for addr in config.return_values(if_path + ['address']): + if ip_network(addr, strict=False) == subnet_net: + return True + return None + for iftype in config.list_nodes(['interfaces']): for ifname in config.list_nodes(['interfaces', iftype]): if_base = ['interfaces', iftype, ifname] - if config.exists(if_base + ['address']): - for addr in config.return_values(if_base + ['address']): - if ip_network(addr, strict=False) == subnet_net: - return ifname + if check_addr(if_base): + return ifname + + if config.exists(if_base + ['vif']): + for vif in config.list_nodes(if_base + ['vif']): + if check_addr(if_base + ['vif', vif]): + return f'{ifname}.{vif}' + + if config.exists(if_base + ['vif-s']): + for vifs in config.list_nodes(if_base + ['vif-s']): + if check_addr(if_base + ['vif-s', vifs]): + return f'{ifname}.{vifs}' + + if config.exists(if_base + ['vif-s', vifs, 'vif-c']): + for vifc in config.list_nodes(if_base + ['vif-s', vifs, 'vif-c']): + if check_addr(if_base + ['vif-s', vifs, 'vif-c', vifc]): + return f'{ifname}.{vifs}.{vifc}' return False diff --git a/src/migration-scripts/l2tp/8-to-9 b/src/migration-scripts/l2tp/8-to-9 new file mode 100755 index 000000000..e85a3892b --- /dev/null +++ b/src/migration-scripts/l2tp/8-to-9 
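Review bot: In `find_subnet_interface` the `vif-c` block references `vifs`, and from the collapsed hunk I cannot tell whether it is nested inside the `for vifs in ...` loop or follows it at the `for ifname` level; if it is the latter, it only inspects the last `vif-s` node and raises `NameError` when an interface has no `vif-s` children, so the indentation should be checked. The inner `check_addr` returns `True` or `None` while the outer function returns `False` for "not found"; returning `False` from `check_addr` as well keeps the two consistent. A one-line comment on `check_addr` such as `# True when any address on if_path lies in subnet_net` would also help, since it closes over both `config` and `subnet_net`.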
@@ -0,0 +1,49 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Deleted 'dhcp-interface' from l2tp + +import os + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree + + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['vpn', 'l2tp', 'remote-access'] +if not config.exists(base): + exit(0) + +#deleting unused dhcp-interface +if config.exists(base + ['dhcp-interface']): + config.delete(base + ['dhcp-interface']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py index 069c12069..7186bdec2 100755 --- a/src/op_mode/vpn_ike_sa.py +++ b/src/op_mode/vpn_ike_sa.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
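Review bot: The new migration script imports `os` but never uses it; drop the import. The read of `file_name` sits outside the `try`, so an unreadable file produces a traceback rather than the "Failed to save" style message used on the write path; that matches what the sibling migration scripts appear to do, so it is at most a consistency remark. The comment before the delete is terse and unspaced; `# Remove the unused 'dhcp-interface' node` reads better and matches the header comment above the imports.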
@@ -57,7 +57,7 @@ def ike_sa(peer, nat): dh_group = s(sa['dh-group']) if 'dh-group' in sa else 'n/a' natt = 'yes' if 'nat-local' in sa and s(sa['nat-local']) == 'yes' else 'no' atime = s(sa['established']) if 'established' in sa else '0' - ltime = s(sa['rekey-time']) if 'rekey_time' in sa else '0' + ltime = s(sa['rekey-time']) if 'rekey-time' in sa else '0' print(ike_sa_tunnel_prefix) print(' %-6s %-6s %-12s %-13s %-14s %-6s %-7s %-7s\n' % (state, version, encryption, integrity, dh_group, natt, atime, ltime)) |
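Review bot: The corrected line in `ike_sa` spells the `rekey-time` key twice, exactly the duplication that let the `rekey_time` typo through, and the `dh-group`, `nat-local` and `established` lines above follow the same pattern. A small local helper, `def field(key, default): return s(sa[key]) if key in sa else default`, used as `ltime = field('rekey-time', '0')`, removes the repetition and makes a future typo a single-point error. `ike_sa` starts and ends outside this hunk.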