diff options
Diffstat (limited to 'src')
37 files changed, 809 insertions, 1022 deletions
diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index 5c7294296..a3e141a00 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -15,151 +15,84 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import fnmatch +from glob import glob +from netifaces import interfaces from sys import exit -from copy import deepcopy from vyos.config import Config -from vyos import ConfigError from vyos.util import call from vyos.template import render - +from vyos import ConfigError from vyos import airbag airbag.enable() -config_file = r'/etc/default/udp-broadcast-relay' - -default_config_data = { - 'disabled': False, - 'instances': [] -} +config_file_base = r'/etc/default/udp-broadcast-relay' def get_config(): - relay = deepcopy(default_config_data) conf = Config() base = ['service', 'broadcast-relay'] - if not conf.exists(base): - return None - else: - conf.set_level(base) - - # Service can be disabled by user - if conf.exists('disable'): - relay['disabled'] = True - return relay - - # Parse configuration of each individual instance - if conf.exists('id'): - for id in conf.list_nodes('id'): - conf.set_level(base + ['id', id]) - config = { - 'id': id, - 'disabled': False, - 'address': '', - 'description': '', - 'interfaces': [], - 'port': '' - } - - # Check if individual broadcast relay service is disabled - if conf.exists(['disable']): - config['disabled'] = True - - # Source IP of forwarded packets, if empty original senders address is used - if conf.exists(['address']): - config['address'] = conf.return_value(['address']) - - # A description for each individual broadcast relay service - if conf.exists(['description']): - config['description'] = conf.return_value(['description']) - - # UDP port to listen on for broadcast frames - if conf.exists(['port']): - config['port'] = conf.return_value(['port']) - - # Network interfaces to listen on for broadcast frames to be relayed - if conf.exists(['interface']): - config['interfaces'] = conf.return_values(['interface']) - - relay['instances'].append(config) - + relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return relay def verify(relay): - if relay is None: - return None - - if relay['disabled']: + if not relay or 'disabled' in relay: return None - for r in relay['instances']: + for instance, config in relay.get('id', {}).items(): # we don't have to check this instance when it's disabled - if r['disabled']: + if 'disabled' in config: continue # we certainly require a UDP port to listen to - if not r['port']: - raise ConfigError('UDP broadcast relay "{0}" requires a port number'.format(r['id'])) + if 'port' not in config: + raise ConfigError(f'Port number mandatory for udp broadcast relay "{instance}"') + # if only oone interface is given it's a string -> move to list + if isinstance(config.get('interface', []), str): + config['interface'] = [ config['interface'] ] # Relaying data without two interface is kinda senseless ... - if len(r['interfaces']) < 2: - raise ConfigError('UDP broadcast relay "id {0}" requires at least 2 interfaces'.format(r['id'])) + if len(config.get('interface', [])) < 2: + raise ConfigError('At least two interfaces are required for udp broadcast relay "{instance}"') - return None + for interface in config.get('interface', []): + if interface not in interfaces(): + raise ConfigError('Interface "{interface}" does not exist!') + return None def generate(relay): - if relay is None: + if not relay or 'disabled' in relay: return None - config_dir = os.path.dirname(config_file) - config_filename = os.path.basename(config_file) - active_configs = [] - - for config in fnmatch.filter(os.listdir(config_dir), config_filename + '*'): - # determine prefix length to identify service instance - prefix_len = len(config_filename) - active_configs.append(config[prefix_len:]) - - # sort our list - active_configs.sort() + for config in glob(config_file_base + '*'): + os.remove(config) - # delete old configuration files - for id in active_configs[:]: - if os.path.exists(config_file + id): - os.unlink(config_file + id) - - # If the service is disabled, we can bail out here - if relay['disabled']: - print('Warning: UDP broadcast relay service will be deactivated because it is disabled') - return None - - for r in relay['instances']: - # Skip writing instance config when it's disabled - if r['disabled']: + for instance, config in relay.get('id').items(): + # we don't have to check this instance when it's disabled + if 'disabled' in config: continue - # configuration filename contains instance id - file = config_file + str(r['id']) - render(file, 'bcast-relay/udp-broadcast-relay.tmpl', r) + config['instance'] = instance + render(config_file_base + instance, 'bcast-relay/udp-broadcast-relay.tmpl', config) return None def apply(relay): # first stop all running services - call('systemctl stop udp-broadcast-relay@{1..99}.service') + call('systemctl stop udp-broadcast-relay@*.service') - if (relay is None) or relay['disabled']: + if not relay or 'disable' in relay: return None # start only required service instances - for r in relay['instances']: - # Don't start individual instance when it's disabled - if r['disabled']: + for instance, config in relay.get('id').items(): + # we don't have to check this instance when it's disabled + if 'disabled' in config: continue - call('systemctl start udp-broadcast-relay@{0}.service'.format(r['id'])) + + call(f'systemctl start udp-broadcast-relay@{instance}.service') return None diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index a9ebab53e..b7e73eaeb 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py @@ -84,7 +84,7 @@ def _iptables_get_nflog(): for iptables_variant in ['iptables', 'ip6tables']: # run iptables, save output and split it by lines - iptables_command = "sudo {0} -t {1} -S {2}".format(iptables_variant, iptables_nflog_table, iptables_nflog_chain) + iptables_command = f'{iptables_variant} -t {iptables_nflog_table} -S {iptables_nflog_chain}' tmp = cmd(iptables_command, message='Failed to get flows list') # parse each line and add information to list @@ -118,7 +118,7 @@ def _iptables_config(configured_ifaces): if interface not in configured_ifaces: table = rule['table'] rule = rule['rule_definition'] - iptable_commands.append(f'sudo {iptables} -t {table} -D {rule}') + iptable_commands.append(f'{iptables} -t {table} -D {rule}') else: active_nflog_ifaces.append({ 'iface': interface, @@ -135,7 +135,7 @@ def _iptables_config(configured_ifaces): iface = iface_extended['iface'] iptables = iface_extended['iptables_variant'] rule_definition = f'{iptables_nflog_chain} -i {iface} -m comment --comment FLOW_ACCOUNTING_RULE -j NFLOG --nflog-group 2 --nflog-size {default_captured_packet_size} --nflog-threshold 100' - iptable_commands.append(f'sudo {iptables} -t {iptables_nflog_table} -I {rule_definition}') + iptable_commands.append(f'{iptables} -t {iptables_nflog_table} -I {rule_definition}') # change iptables for command in iptable_commands: diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py index 3e301477d..f2fa64233 100755 --- a/src/conf_mode/host_name.py +++ b/src/conf_mode/host_name.py @@ -97,10 +97,6 @@ def verify(conf, hosts): for host, hostprops in hosts['static_host_mapping'].items(): if not hostprops['address']: raise ConfigError(f'IP address required for static-host-mapping "{host}"') - if hostprops['address'] in all_static_host_mapping_addresses: - raise ConfigError(( - f'static-host-mapping "{host}" address "{hostprops["address"]}"' - f'already used in another static-host-mapping')) all_static_host_mapping_addresses.append(hostprops['address']) for a in hostprops['aliases']: if not hostname_regex.match(a) and len(a) != 0: diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py index 0b2d318fd..742f09a54 100755 --- a/src/conf_mode/intel_qat.py +++ b/src/conf_mode/intel_qat.py @@ -54,8 +54,8 @@ def get_config(): def vpn_control(action): # XXX: Should these commands report failure if action == 'restore' and gl_ipsec_conf: - return run('sudo ipsec start') - return run(f'sudo ipsec {action}') + return run('ipsec start') + return run(f'ipsec {action}') def verify(c): # Check if QAT service installed @@ -66,7 +66,7 @@ def verify(c): return # Check if QAT device exist - output, err = popen('sudo lspci -nn', decode='utf-8') + output, err = popen('lspci -nn', decode='utf-8') if not err: data = re.findall('(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)', output) #If QAT devices found @@ -81,13 +81,13 @@ def apply(c): # Disable QAT service if c['qat_conf'] == None: - run('sudo /etc/init.d/qat_service stop') + run('/etc/init.d/qat_service stop') if c['ipsec_conf']: vpn_control('start') return # Run qat init.d script - run('sudo /etc/init.d/qat_service start') + run('/etc/init.d/qat_service start') if c['ipsec_conf']: # Recovery VPN service vpn_control('start') diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py index ec255edd5..2d62420a6 100755 --- a/src/conf_mode/interfaces-dummy.py +++ b/src/conf_mode/interfaces-dummy.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -16,98 +16,53 @@ import os -from copy import deepcopy from sys import exit -from netifaces import interfaces -from vyos.ifconfig import DummyIf -from vyos.configdict import list_diff from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.ifconfig import DummyIf from vyos.validate import is_member from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - 'address': [], - 'address_remove': [], - 'deleted': False, - 'description': '', - 'disable': False, - 'intf': '', - 'is_bridge_member': False, - 'vrf': '' -} - def get_config(): - dummy = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - dummy['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # check if we are a member of any bridge - dummy['is_bridge_member'] = is_member(conf, dummy['intf'], 'bridge') + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = ['interfaces', 'dummy', ifname] + dummy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists('interfaces dummy ' + dummy['intf']): - dummy['deleted'] = True - return dummy - - # set new configuration level - conf.set_level('interfaces dummy ' + dummy['intf']) + if dummy == {}: + dummy.update({'deleted' : ''}) - # retrieve configured interface addresses - if conf.exists('address'): - dummy['address'] = conf.return_values('address') + # store interface instance name in dictionary + dummy.update({'ifname': ifname}) - # retrieve interface description - if conf.exists('description'): - dummy['description'] = conf.return_value('description') - - # Disable this interface - if conf.exists('disable'): - dummy['disable'] = True - - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed from the interface - eff_addr = conf.return_effective_values('address') - act_addr = conf.return_values('address') - dummy['address_remove'] = list_diff(eff_addr, act_addr) - - # retrieve VRF instance - if conf.exists('vrf'): - dummy['vrf'] = conf.return_value('vrf') + # check if we are a member of any bridge + bridge = is_member(conf, ifname, 'bridge') + if bridge: + tmp = {'is_bridge_member' : bridge} + dummy.update(tmp) return dummy def verify(dummy): - if dummy['deleted']: - if dummy['is_bridge_member']: - raise ConfigError(( - f'Interface "{dummy["intf"]}" cannot be deleted as it is a ' - f'member of bridge "{dummy["is_bridge_member"]}"!')) - + if 'deleted' in dummy.keys(): + verify_bridge_delete(dummy) return None - if dummy['vrf']: - if dummy['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{dummy["vrf"]}" does not exist') - - if dummy['is_bridge_member']: - raise ConfigError(( - f'Interface "{dummy["intf"]}" cannot be member of VRF ' - f'"{dummy["vrf"]}" and bridge "{dummy["is_bridge_member"]}" ' - f'at the same time!')) - - if dummy['is_bridge_member'] and dummy['address']: - raise ConfigError(( - f'Cannot assign address to interface "{dummy["intf"]}" ' - f'as it is a member of bridge "{dummy["is_bridge_member"]}"!')) + verify_vrf(dummy) + verify_address(dummy) return None @@ -115,33 +70,13 @@ def generate(dummy): return None def apply(dummy): - d = DummyIf(dummy['intf']) + d = DummyIf(dummy['ifname']) # Remove dummy interface - if dummy['deleted']: + if 'deleted' in dummy.keys(): d.remove() else: - # update interface description used e.g. within SNMP - d.set_alias(dummy['description']) - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in dummy['address_remove']: - d.del_addr(addr) - for addr in dummy['address']: - d.add_addr(addr) - - # assign/remove VRF (ONLY when not a member of a bridge, - # otherwise 'nomaster' removes it from it) - if not dummy['is_bridge_member']: - d.set_vrf(dummy['vrf']) - - # disable interface on demand - if dummy['disable']: - d.set_admin_state('down') - else: - d.set_admin_state('up') + d.update(dummy) return None diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py index 4ff0bcb57..866419f2c 100755 --- a/src/conf_mode/interfaces-l2tpv3.py +++ b/src/conf_mode/interfaces-l2tpv3.py @@ -24,11 +24,14 @@ from vyos.config import Config from vyos.ifconfig import L2TPv3If, Interface from vyos import ConfigError from vyos.util import call +from vyos.util import check_kmod from vyos.validate import is_member, is_addr_assigned from vyos import airbag airbag.enable() +k_mod = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] + default_config_data = { 'address': [], 'deleted': False, @@ -53,13 +56,6 @@ default_config_data = { 'tunnel_id': '' } -def check_kmod(): - modules = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - def get_config(): l2tpv3 = deepcopy(default_config_data) conf = Config() @@ -283,7 +279,7 @@ def apply(l2tpv3): if __name__ == '__main__': try: - check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py index df268cec2..2368f88a9 100755 --- a/src/conf_mode/interfaces-loopback.py +++ b/src/conf_mode/interfaces-loopback.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -17,54 +17,31 @@ import os from sys import exit -from copy import deepcopy from vyos.ifconfig import LoopbackIf -from vyos.configdict import list_diff from vyos.config import Config -from vyos import ConfigError - -from vyos import airbag +from vyos import ConfigError, airbag airbag.enable() -default_config_data = { - 'address': [], - 'address_remove': [], - 'deleted': False, - 'description': '', -} - - def get_config(): - loopback = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - loopback['intf'] = os.environ['VYOS_TAGNODE_VALUE'] + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = ['interfaces', 'loopback', ifname] + loopback = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists('interfaces loopback ' + loopback['intf']): - loopback['deleted'] = True - - # set new configuration level - conf.set_level('interfaces loopback ' + loopback['intf']) + if loopback == {}: + loopback.update({'deleted' : ''}) - # retrieve configured interface addresses - if conf.exists('address'): - loopback['address'] = conf.return_values('address') - - # retrieve interface description - if conf.exists('description'): - loopback['description'] = conf.return_value('description') - - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed from the interface - eff_addr = conf.return_effective_values('address') - act_addr = conf.return_values('address') - loopback['address_remove'] = list_diff(eff_addr, act_addr) + # store interface instance name in dictionary + loopback.update({'ifname': ifname}) return loopback @@ -75,20 +52,11 @@ def generate(loopback): return None def apply(loopback): - l = LoopbackIf(loopback['intf']) - if loopback['deleted']: + l = LoopbackIf(loopback['ifname']) + if 'deleted' in loopback.keys(): l.remove() else: - # update interface description used e.g. within SNMP - l.set_alias(loopback['description']) - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in loopback['address_remove']: - l.del_addr(addr) - for addr in loopback['address']: - l.add_addr(addr) + l.update(loopback) return None diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index a8966148f..56273f71a 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -18,177 +18,108 @@ import os from copy import deepcopy from sys import exit -from netifaces import interfaces from vyos.config import Config -from vyos.configdict import list_diff +from vyos.configdict import dict_merge from vyos.ifconfig import MACsecIf from vyos.template import render from vyos.util import call from vyos.validate import is_member +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_source_interface +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - 'address': [], - 'address_remove': [], - 'deleted': False, - 'description': '', - 'disable': False, - 'security_cipher': '', - 'security_encrypt': False, - 'security_mka_cak': '', - 'security_mka_ckn': '', - 'security_mka_priority': '255', - 'security_replay_window': '', - 'intf': '', - 'source_interface': '', - 'is_bridge_member': False, - 'vrf': '' -} - # XXX: wpa_supplicant works on the source interface wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf' - def get_config(): - macsec = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - macsec['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - base_path = ['interfaces', 'macsec', macsec['intf']] + # retrieve interface default values + base = ['interfaces', 'macsec'] + default_values = defaults(base) - # check if we are a member of any bridge - macsec['is_bridge_member'] = is_member(conf, macsec['intf'], 'bridge') + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = base + [ifname] + macsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists(base_path): - macsec['deleted'] = True - # When stopping wpa_supplicant we need to stop it via the physical - # interface - thus we need to retrieve ir from the effective config - if conf.exists_effective(base_path + ['source-interface']): - macsec['source_interface'] = conf.return_effective_value( - base_path + ['source-interface']) - - return macsec - - # set new configuration level - conf.set_level(base_path) - - # retrieve configured interface addresses - if conf.exists(['address']): - macsec['address'] = conf.return_values(['address']) - - # retrieve interface description - if conf.exists(['description']): - macsec['description'] = conf.return_value(['description']) - - # Disable this interface - if conf.exists(['disable']): - macsec['disable'] = True - - # retrieve interface cipher - if conf.exists(['security', 'cipher']): - macsec['security_cipher'] = conf.return_value(['security', 'cipher']) - - # Enable optional MACsec encryption - if conf.exists(['security', 'encrypt']): - macsec['security_encrypt'] = True - - # Secure Connectivity Association Key - if conf.exists(['security', 'mka', 'cak']): - macsec['security_mka_cak'] = conf.return_value( - ['security', 'mka', 'cak']) - - # Secure Connectivity Association Name - if conf.exists(['security', 'mka', 'ckn']): - macsec['security_mka_ckn'] = conf.return_value( - ['security', 'mka', 'ckn']) - - # MACsec Key Agreement protocol (MKA) actor priority - if conf.exists(['security', 'mka', 'priority']): - macsec['security_mka_priority'] = conf.return_value( - ['security', 'mka', 'priority']) - - # IEEE 802.1X/MACsec replay protection - if conf.exists(['security', 'replay-window']): - macsec['security_replay_window'] = conf.return_value( - ['security', 'replay-window']) - - # Physical interface - if conf.exists(['source-interface']): - macsec['source_interface'] = conf.return_value(['source-interface']) - - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed from the interface - eff_addr = conf.return_effective_values(['address']) - act_addr = conf.return_values(['address']) - macsec['address_remove'] = list_diff(eff_addr, act_addr) - - # retrieve VRF instance - if conf.exists(['vrf']): - macsec['vrf'] = conf.return_value(['vrf']) + if macsec == {}: + tmp = { + 'deleted' : '', + 'source_interface' : conf.return_effective_value( + base + ['source-interface']) + } + macsec.update(tmp) + + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary + # retrived. + macsec = dict_merge(default_values, macsec) + + # Add interface instance name into dictionary + macsec.update({'ifname': ifname}) + + # Check if we are a member of any bridge + bridge = is_member(conf, ifname, 'bridge') + if bridge: + tmp = {'is_bridge_member' : bridge} + macsec.update(tmp) return macsec def verify(macsec): - if macsec['deleted']: - if macsec['is_bridge_member']: - raise ConfigError( - 'Interface "{intf}" cannot be deleted as it is a ' - 'member of bridge "{is_bridge_member}"!'.format(**macsec)) - + if 'deleted' in macsec.keys(): + verify_bridge_delete(macsec) return None - if not macsec['source_interface']: - raise ConfigError('Physical source interface must be set for ' - 'MACsec "{intf}"'.format(**macsec)) + verify_source_interface(macsec) + verify_vrf(macsec) + verify_address(macsec) - if not macsec['security_cipher']: + if not (('security' in macsec.keys()) and + ('cipher' in macsec['security'].keys())): raise ConfigError( - 'Cipher suite must be set for MACsec "{intf}"'.format(**macsec)) - - if macsec['security_encrypt']: - if not (macsec['security_mka_cak'] and macsec['security_mka_ckn']): - raise ConfigError( - 'MACsec security keys mandartory when encryption is enabled') + 'Cipher suite must be set for MACsec "{ifname}"'.format(**macsec)) - if macsec['vrf']: - if macsec['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**macsec)) + if (('security' in macsec.keys()) and + ('encrypt' in macsec['security'].keys())): + tmp = macsec.get('security') - if macsec['is_bridge_member']: - raise ConfigError('Interface "{intf}" cannot be member of VRF ' - '"{vrf}" and bridge "{is_bridge_member}" at ' - 'the same time!'.format(**macsec)) - - if macsec['is_bridge_member'] and macsec['address']: - raise ConfigError( - 'Cannot assign address to interface "{intf}" as it is' - 'a member of bridge "{is_bridge_member}"!'.format(**macsec)) + if not (('mka' in tmp.keys()) and + ('cak' in tmp['mka'].keys()) and + ('ckn' in tmp['mka'].keys())): + raise ConfigError('Missing mandatory MACsec security ' + 'keys as encryption is enabled!') return None def generate(macsec): render(wpa_suppl_conf.format(**macsec), - 'macsec/wpa_supplicant.conf.tmpl', macsec, permission=0o640) + 'macsec/wpa_supplicant.conf.tmpl', macsec) return None def apply(macsec): # Remove macsec interface - if macsec['deleted']: + if 'deleted' in macsec.keys(): call('systemctl stop wpa_supplicant-macsec@{source_interface}' .format(**macsec)) - MACsecIf(macsec['intf']).remove() + + MACsecIf(macsec['ifname']).remove() # delete configuration on interface removal if os.path.isfile(wpa_suppl_conf.format(**macsec)): @@ -198,35 +129,16 @@ def apply(macsec): # MACsec interfaces require a configuration when they are added using # iproute2. This static method will provide the configuration # dictionary used by this class. - conf = deepcopy(MACsecIf.get_config()) - # Assign MACsec instance configuration parameters to config dict + # XXX: subject of removal after completing T2653 + conf = deepcopy(MACsecIf.get_config()) conf['source_interface'] = macsec['source_interface'] - conf['security_cipher'] = macsec['security_cipher'] + conf['security_cipher'] = macsec['security']['cipher'] # It is safe to "re-create" the interface always, there is a sanity # check that the interface will only be create if its non existent - i = MACsecIf(macsec['intf'], **conf) - - # update interface description used e.g. within SNMP - i.set_alias(macsec['description']) - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in macsec['address_remove']: - i.del_addr(addr) - for addr in macsec['address']: - i.add_addr(addr) - - # assign/remove VRF (ONLY when not a member of a bridge, - # otherwise 'nomaster' removes it from it) - if not macsec['is_bridge_member']: - i.set_vrf(macsec['vrf']) - - # Interface is administratively down by default, enable if desired - if not macsec['disable']: - i.set_admin_state('up') + i = MACsecIf(macsec['ifname'], **conf) + i.update(macsec) call('systemctl restart wpa_supplicant-macsec@{source_interface}' .format(**macsec)) diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py index 611206d84..3ee57e83c 100755 --- a/src/conf_mode/interfaces-pppoe.py +++ b/src/conf_mode/interfaces-pppoe.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -15,179 +15,65 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os +import jmespath from sys import exit from copy import deepcopy from netifaces import interfaces from vyos.config import Config -from vyos.configdict import dhcpv6_pd_default_data -from vyos.ifconfig import Interface +from vyos.configdict import dict_merge +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_vrf from vyos.template import render -from vyos.util import chown, chmod_755, call +from vyos.util import call +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - **dhcpv6_pd_default_data, - 'access_concentrator': '', - 'auth_username': '', - 'auth_password': '', - 'on_demand': False, - 'default_route': 'auto', - 'deleted': False, - 'description': '\0', - 'disable': False, - 'intf': '', - 'idle_timeout': '', - 'ipv6_autoconf': False, - 'ipv6_enable': False, - 'local_address': '', - 'mtu': '1492', - 'name_server': True, - 'remote_address': '', - 'service_name': '', - 'source_interface': '', - 'vrf': '' -} - def get_config(): - pppoe = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() - base_path = ['interfaces', 'pppoe'] # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - pppoe['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # Check if interface has been removed - if not conf.exists(base_path + [pppoe['intf']]): - pppoe['deleted'] = True - return pppoe - - # set new configuration level - conf.set_level(base_path + [pppoe['intf']]) - - # Access concentrator name (only connect to this concentrator) - if conf.exists(['access-concentrator']): - pppoe['access_concentrator'] = conf.return_values(['access-concentrator']) - - # Authentication name supplied to PPPoE server - if conf.exists(['authentication', 'user']): - pppoe['auth_username'] = conf.return_value(['authentication', 'user']) - - # Password for authenticating local machine to PPPoE server - if conf.exists(['authentication', 'password']): - pppoe['auth_password'] = conf.return_value(['authentication', 'password']) - - # Access concentrator name (only connect to this concentrator) - if conf.exists(['connect-on-demand']): - pppoe['on_demand'] = True - - # Enable/Disable default route to peer when link comes up - if conf.exists(['default-route']): - pppoe['default_route'] = conf.return_value(['default-route']) - - # Retrieve interface description - if conf.exists(['description']): - pppoe['description'] = conf.return_value(['description']) - - # Disable this interface - if conf.exists(['disable']): - pppoe['disable'] = True - - # Delay before disconnecting idle session (in seconds) - if conf.exists(['idle-timeout']): - pppoe['idle_timeout'] = conf.return_value(['idle-timeout']) - - # Enable Stateless Address Autoconfiguration (SLAAC) - if conf.exists(['ipv6', 'address', 'autoconf']): - pppoe['ipv6_autoconf'] = True + # retrieve interface default values + base = ['interfaces', 'pppoe'] + default_values = defaults(base) + # PPPoE is "special" the default MTU is 1492 - update accordingly + default_values['mtu'] = '1492' - # Activate IPv6 support on this connection - if conf.exists(['ipv6', 'enable']): - pppoe['ipv6_enable'] = True + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = base + [ifname] - # IPv4 address of local end of PPPoE link - if conf.exists(['local-address']): - pppoe['local_address'] = conf.return_value(['local-address']) - - # Physical Interface used for this PPPoE session - if conf.exists(['source-interface']): - pppoe['source_interface'] = conf.return_value(['source-interface']) - - # Maximum Transmission Unit (MTU) - if conf.exists(['mtu']): - pppoe['mtu'] = conf.return_value(['mtu']) - - # Do not use DNS servers provided by the peer - if conf.exists(['no-peer-dns']): - pppoe['name_server'] = False - - # IPv4 address for remote end of PPPoE session - if conf.exists(['remote-address']): - pppoe['remote_address'] = conf.return_value(['remote-address']) - - # Service name, only connect to access concentrators advertising this - if conf.exists(['service-name']): - pppoe['service_name'] = conf.return_value(['service-name']) - - # retrieve VRF instance - if conf.exists('vrf'): - pppoe['vrf'] = conf.return_value(['vrf']) - - if conf.exists(['dhcpv6-options', 'prefix-delegation']): - dhcpv6_pd_path = base_path + [pppoe['intf'], - 'dhcpv6-options', 'prefix-delegation'] - conf.set_level(dhcpv6_pd_path) - - # Retrieve DHCPv6-PD prefix helper length as some ISPs only hand out a - # /64 by default (https://phabricator.vyos.net/T2506) - if conf.exists(['length']): - pppoe['dhcpv6_pd_length'] = conf.return_value(['length']) - - for interface in conf.list_nodes(['interface']): - conf.set_level(dhcpv6_pd_path + ['interface', interface]) - pd = { - 'ifname': interface, - 'sla_id': '', - 'sla_len': '', - 'if_id': '' - } - - if conf.exists(['sla-id']): - pd['sla_id'] = conf.return_value(['sla-id']) - - if conf.exists(['sla-len']): - pd['sla_len'] = conf.return_value(['sla-len']) + pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + # Check if interface has been removed + if pppoe == {}: + pppoe.update({'deleted' : ''}) - if conf.exists(['address']): - pd['if_id'] = conf.return_value(['address']) + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary + # retrived. + pppoe = dict_merge(default_values, pppoe) - pppoe['dhcpv6_pd_interfaces'].append(pd) + # Add interface instance name into dictionary + pppoe.update({'ifname': ifname}) return pppoe def verify(pppoe): - if pppoe['deleted']: + if 'deleted' in pppoe.keys(): # bail out early return None - if not pppoe['source_interface']: - raise ConfigError('PPPoE source interface missing') - - if not pppoe['source_interface'] in interfaces(): - raise ConfigError(f"PPPoE source interface {pppoe['source_interface']} does not exist") - - vrf_name = pppoe['vrf'] - if vrf_name and vrf_name not in interfaces(): - raise ConfigError(f'VRF {vrf_name} does not exist') + verify_source_interface(pppoe) + verify_vrf(pppoe) - if pppoe['on_demand'] and pppoe['vrf']: + if {'connect_on_demand', 'vrf'} <= set(pppoe): raise ConfigError('On-demand dialing and VRF can not be used at the same time') return None @@ -195,22 +81,22 @@ def verify(pppoe): def generate(pppoe): # set up configuration file path variables where our templates will be # rendered into - intf = pppoe['intf'] - config_pppoe = f'/etc/ppp/peers/{intf}' - script_pppoe_pre_up = f'/etc/ppp/ip-pre-up.d/1000-vyos-pppoe-{intf}' - script_pppoe_ip_up = f'/etc/ppp/ip-up.d/1000-vyos-pppoe-{intf}' - script_pppoe_ip_down = f'/etc/ppp/ip-down.d/1000-vyos-pppoe-{intf}' - script_pppoe_ipv6_up = f'/etc/ppp/ipv6-up.d/1000-vyos-pppoe-{intf}' - config_wide_dhcp6c = f'/run/dhcp6c/dhcp6c.{intf}.conf' + ifname = pppoe['ifname'] + config_pppoe = f'/etc/ppp/peers/{ifname}' + script_pppoe_pre_up = f'/etc/ppp/ip-pre-up.d/1000-vyos-pppoe-{ifname}' + script_pppoe_ip_up = f'/etc/ppp/ip-up.d/1000-vyos-pppoe-{ifname}' + script_pppoe_ip_down = f'/etc/ppp/ip-down.d/1000-vyos-pppoe-{ifname}' + script_pppoe_ipv6_up = f'/etc/ppp/ipv6-up.d/1000-vyos-pppoe-{ifname}' + config_wide_dhcp6c = f'/run/dhcp6c/dhcp6c.{ifname}.conf' config_files = [config_pppoe, script_pppoe_pre_up, script_pppoe_ip_up, script_pppoe_ip_down, script_pppoe_ipv6_up, config_wide_dhcp6c] - if pppoe['deleted']: + if 'deleted' in pppoe.keys(): # stop DHCPv6-PD client - call(f'systemctl stop dhcp6c@{intf}.service') + call(f'systemctl stop dhcp6c@{ifname}.service') # Hang-up PPPoE connection - call(f'systemctl stop ppp@{intf}.service') + call(f'systemctl stop ppp@{ifname}.service') # Delete PPP configuration files for file in config_files: @@ -235,22 +121,22 @@ def generate(pppoe): render(script_pppoe_ipv6_up, 'pppoe/ipv6-up.script.tmpl', pppoe, trim_blocks=True, permission=0o755) - if len(pppoe['dhcpv6_pd_interfaces']) > 0: + tmp = jmespath.search('dhcpv6_options.prefix_delegation.interface', pppoe) + if tmp and len(tmp) > 0: # ipv6.tmpl relies on ifname - this should be made consitent in the # future better then double key-ing the same value - pppoe['ifname'] = intf - render(config_wide_dhcp6c, 'dhcp-client/ipv6.tmpl', pppoe, trim_blocks=True) + render(config_wide_dhcp6c, 'dhcp-client/ipv6_new.tmpl', pppoe, trim_blocks=True) return None def apply(pppoe): - if pppoe['deleted']: + if 'deleted' in pppoe.keys(): # bail out early return None - if not pppoe['disable']: + if 'disable' not in pppoe.keys(): # Dial PPPoE connection - call('systemctl restart ppp@{intf}.service'.format(**pppoe)) + call('systemctl restart ppp@{ifname}.service'.format(**pppoe)) return None diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index 70710e97c..fb8237bee 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py @@ -36,7 +36,7 @@ default_config_data = { 'ip_arp_cache_tmo': 30, 'ip_proxy_arp_pvlan': 0, 'source_interface': '', - 'source_interface_changed': False, + 'recreating_required': False, 'mode': 'private', 'vif_s': {}, 'vif_s_remove': [], @@ -79,11 +79,14 @@ def get_config(): peth['source_interface'] = conf.return_value(['source-interface']) tmp = conf.return_effective_value(['source-interface']) if tmp != peth['source_interface']: - peth['source_interface_changed'] = True + peth['recreating_required'] = True # MACvlan mode if conf.exists(['mode']): peth['mode'] = conf.return_value(['mode']) + tmp = conf.return_effective_value(['mode']) + if tmp != peth['mode']: + peth['recreating_required'] = True add_to_dict(conf, disabled, peth, 'vif', 'vif') add_to_dict(conf, disabled, peth, 'vif-s', 'vif_s') @@ -139,10 +142,10 @@ def apply(peth): return None # Check if MACVLAN interface already exists. Parameters like the underlaying - # source-interface device can not be changed on the fly and the interface + # source-interface device or mode can not be changed on the fly and the interface # needs to be recreated from the bottom. if peth['intf'] in interfaces(): - if peth['source_interface_changed']: + if peth['recreating_required']: MACVLANIf(peth['intf']).remove() # MACVLAN interface needs to be created on-block instead of passing a ton diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index c13f77d91..ea15a7fb7 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -32,7 +32,8 @@ from vyos.dicts import FixedDict from vyos import airbag airbag.enable() -class ConfigurationState(Config): + +class ConfigurationState(object): """ The current API require a dict to be generated by get_config() which is then consumed by verify(), generate() and apply() @@ -40,7 +41,7 @@ class ConfigurationState(Config): ConfiguartionState is an helper class wrapping Config and providing an common API to this dictionary structure - Its to_dict() function return a dictionary containing three fields, + Its to_api() function return a dictionary containing three fields, each a dict, called options, changes, actions. options: @@ -84,16 +85,16 @@ class ConfigurationState(Config): which for each field represent how it was modified since the last commit """ - def __init__ (self, section, default): + def __init__(self, configuration, section, default): """ initialise the class for a given configuration path: - >>> conf = ConfigurationState('interfaces ethernet eth1') + >>> conf = ConfigurationState(conf, 'interfaces ethernet eth1') all further references to get_value(s) and get_effective(s) will be for this part of the configuration (eth1) """ - super().__init__() - self.section = section + self._conf = configuration + self.default = deepcopy(default) self.options = FixedDict(**default) self.actions = { @@ -104,13 +105,19 @@ class ConfigurationState(Config): 'delete': [], # the key was present and was deleted } self.changes = {} - if not self.exists(section): + if not self._conf.exists(section): self.changes['section'] = 'delete' - elif self.exists_effective(section): + elif self._conf.exists_effective(section): self.changes['section'] = 'modify' else: self.changes['section'] = 'create' + self.set_level(section) + + def set_level(self, lpath): + self.section = lpath + self._conf.set_level(lpath) + def _act(self, section): """ Returns for a given configuration field determine what happened to it @@ -121,18 +128,18 @@ class ConfigurationState(Config): 'delete': it was present but was removed from the configuration 'absent': it was not and is not present """ - if self.exists(section): - if self.exists_effective(section): - if self.return_value(section) != self.return_effective_value(section): + if self._conf.exists(section): + if self._conf.exists_effective(section): + if self._conf.return_value(section) != self._conf.return_effective_value(section): return 'modify' return 'static' return 'create' else: - if self.exists_effective(section): + if self._conf.exists_effective(section): return 'delete' return 'absent' - def _action (self, name, key): + def _action(self, name, key): action = self._act(key) self.changes[name] = action self.actions[action].append(name) @@ -157,18 +164,28 @@ class ConfigurationState(Config): """ if self._action(name, key) in ('delete', 'absent'): return - return self._get(name, key, default, self.return_value) + return self._get(name, key, default, self._conf.return_value) def get_values(self, name, key, default=None): """ - >>> conf.get_values('addresses-add', 'address') - will place a list made of the IP present in 'interface dummy dum1 address' - into the dictionnary entry 'addr' using Config.return_values - (the data in the configuration to apply) + >>> conf.get_values('addresses', 'address') + will place a list of the new IP present in 'interface dummy dum1 address' + into the dictionnary entry "-add" (here 'addresses-add') using + Config.return_values and will add the the one which were removed in into + the entry "-del" (here addresses-del') """ - if self._action(name, key) in ('delete', 'absent'): + add_name = f'{name}-add' + + if self._action(add_name, key) in ('delete', 'absent'): return - return self._get(name, key, default, self.return_values) + + self._get(add_name, key, default, self._conf.return_values) + + # get the effective values to determine which data is no longer valid + self.options['addresses-del'] = list_diff( + self._conf.return_effective_values('address'), + self.options['addresses-add'] + ) def get_effective(self, name, key, default=None): """ @@ -178,7 +195,7 @@ class ConfigurationState(Config): (the data in the configuration to apply) """ self._action(name, key) - return self._get(name, key, default, self.return_effective_value) + return self._get(name, key, default, self._conf.return_effective_value) def get_effectives(self, name, key, default=None): """ @@ -188,7 +205,7 @@ class ConfigurationState(Config): (the data in the un-modified configuration) """ self._action(name, key) - return self._get(name, key, default, self.return_effectives_value) + return self._get(name, key, default, self._conf.return_effectives_value) def load(self, mapping): """ @@ -220,16 +237,35 @@ class ConfigurationState(Config): else: self.get_value(local_name, config_name, default) - def remove_default (self,*options): + def remove_default(self,*options): """ remove all the values which were not changed from the default """ for option in options: - if self.exists(option) and self.self_return_value(option) != self.default[option]: + if not self._conf.exists(option): + del self.options[option] continue - del self.options[option] - def to_dict (self): + if self._conf.return_value(option) == self.default[option]: + del self.options[option] + continue + + if self._conf.return_values(option) == self.default[option]: + del self.options[option] + continue + + def as_dict(self, lpath): + l = self._conf.get_level() + self._conf.set_level([]) + d = self._conf.get_config_dict(lpath) + # XXX: that not what I would have expected from get_config_dict + if lpath: + d = d[lpath[-1]] + # XXX: it should have provided me the content and not the key + self._conf.set_level(l) + return d + + def to_api(self): """ provide a dictionary with the generated data for the configuration options: the configuration value for the key @@ -243,6 +279,7 @@ class ConfigurationState(Config): 'actions': self.actions, } + default_config_data = { # interface definition 'vrf': '', @@ -288,6 +325,7 @@ default_config_data = { '6rd-relay-prefix': '', } + # dict name -> config name, multiple values, default mapping = { 'type': ('encapsulation', False, None), @@ -310,7 +348,7 @@ mapping = { 'state': ('disable', False, 'down'), 'link_detect': ('disable-link-detect', False, 2), 'vrf': ('vrf', False, None), - 'addresses-add': ('address', True, None), + 'addresses': ('address', True, None), 'arp_filter': ('ip disable-arp-filter', False, 0), 'arp_accept': ('ip enable-arp-accept', False, 1), 'arp_announce': ('ip enable-arp-announce', False, 1), @@ -320,6 +358,7 @@ mapping = { 'ipv6_dad_transmits:': ('ipv6 dup-addr-detect-transmits', False, None) } + def get_class (options): dispatch = { 'gre': GREIf, @@ -363,19 +402,17 @@ def get_config(): if not ifname: raise ConfigError('Interface not specified') - conf = ConfigurationState('interfaces tunnel ' + ifname, default_config_data) + config = Config() + conf = ConfigurationState(config, ['interfaces', 'tunnel ', ifname], default_config_data) options = conf.options changes = conf.changes options['ifname'] = ifname - # set new configuration level - conf.set_level(conf.section) - if changes['section'] == 'delete': conf.get_effective('type', mapping['type'][0]) - conf.set_level('protocols nhrp tunnel') - options['nhrp'] = conf.list_nodes('') - return conf.to_dict() + config.set_level(['protocols', 'nhrp', 'tunnel']) + options['nhrp'] = config.list_nodes('') + return conf.to_api() # load all the configuration option according to the mapping conf.load(mapping) @@ -407,12 +444,6 @@ def get_config(): options['local'] = picked options['dhcp-interface'] = '' - # get interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed - # could be done within ConfigurationState - eff_addr = conf.return_effective_values('address') - options['addresses-del'] = list_diff(eff_addr, options['addresses-add']) - # to make IPv6 SLAAC and DHCPv6 work with forwarding=1, # accept_ra must be 2 if options['ipv6_autoconf'] or 'dhcpv6' in options['addresses-add']: @@ -422,12 +453,11 @@ def get_config(): options['allmulticast'] = options['multicast'] # check that per encapsulation all local-remote pairs are unique - conf.set_level('interfaces tunnel') - ct = conf.get_config_dict()['tunnel'] + ct = conf.as_dict(['interfaces', 'tunnel']) options['tunnel'] = {} # check for bridges - options['bridge'] = is_member(conf, ifname, 'bridge') + options['bridge'] = is_member(config, ifname, 'bridge') options['interfaces'] = interfaces() for name in ct: @@ -440,7 +470,7 @@ def get_config(): pair = f'{local}-{remote}' options['tunnel'][encap][pair] = options['tunnel'].setdefault(encap, {}).get(pair, 0) + 1 - return conf.to_dict() + return conf.to_api() def verify(conf): diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index c24c9a7ce..982aefa5f 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -25,6 +25,7 @@ from vyos.config import Config from vyos.configdict import list_diff from vyos.ifconfig import WireGuardIf from vyos.util import chown, chmod_750, call +from vyos.util import check_kmod from vyos.validate import is_member, is_ipv6 from vyos import ConfigError @@ -32,6 +33,7 @@ from vyos import airbag airbag.enable() kdir = r'/config/auth/wireguard' +k_mod = 'wireguard' default_config_data = { 'intfc': '', @@ -50,14 +52,6 @@ default_config_data = { 'vrf': '' } -def _check_kmod(): - modules = ['wireguard'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - - def _migrate_default_keys(): if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'): location = f'{kdir}/default' @@ -315,7 +309,7 @@ def apply(wg): if __name__ == '__main__': try: - _check_kmod() + check_kmod(k_mod) _migrate_default_keys() c = get_config() verify(c) diff --git a/src/conf_mode/interfaces-wirelessmodem.py b/src/conf_mode/interfaces-wirelessmodem.py index 35e3c583c..0964a8f4d 100755 --- a/src/conf_mode/interfaces-wirelessmodem.py +++ b/src/conf_mode/interfaces-wirelessmodem.py @@ -16,44 +16,20 @@ import os -from copy import deepcopy from fnmatch import fnmatch -from netifaces import interfaces from sys import exit from vyos.config import Config -from vyos.ifconfig import BridgeIf, Section +from vyos.configdict import dict_merge +from vyos.configverify import verify_vrf from vyos.template import render from vyos.util import call -from vyos.validate import is_member +from vyos.xml import defaults from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - 'apn': '', - 'chat_script': '', - 'deleted': False, - 'description': '', - 'device': '', - 'disable': False, - 'disable_link_detect': 1, - 'on_demand': False, - 'metric': '10', - 'mtu': '1500', - 'name_server': True, - 'is_bridge_member': False, - 'intf': '', - 'vrf': '' -} - -def check_kmod(): - modules = ['option', 'usb_wwan', 'usbserial'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') +k_mod = ['option', 'usb_wwan', 'usbserial'] def find_device_file(device): """ Recurively search /dev for the given device file and return its full path. @@ -66,115 +42,80 @@ def find_device_file(device): return None def get_config(): - wwan = deepcopy(default_config_data) + """ Retrive CLI config as dictionary. Dictionary can never be empty, + as at least the interface name will be added or a deleted flag """ conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - wwan['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - wwan['chat_script'] = f"/etc/ppp/peers/chat.{wwan['intf']}" + # retrieve interface default values + base = ['interfaces', 'wirelessmodem'] + default_values = defaults(base) + + ifname = os.environ['VYOS_TAGNODE_VALUE'] + base = base + [ifname] + wwan = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if not conf.exists('interfaces wirelessmodem ' + wwan['intf']): - wwan['deleted'] = True - return wwan - - # set new configuration level - conf.set_level('interfaces wirelessmodem ' + wwan['intf']) - - # get metrick for backup default route - if conf.exists(['apn']): - wwan['apn'] = conf.return_value(['apn']) - - # get metrick for backup default route - if conf.exists(['backup', 'distance']): - wwan['metric'] = conf.return_value(['backup', 'distance']) - - # Retrieve interface description - if conf.exists(['description']): - wwan['description'] = conf.return_value(['description']) - - # System device name - if conf.exists(['device']): - tmp = conf.return_value(['device']) - wwan['device'] = find_device_file(tmp) - # If device file was not found in /dev we will just re-use - # the plain device name, thus we can trigger the exception - # in verify() as it's a non existent file - if wwan['device'] == None: - wwan['device'] = tmp - - # disable interface - if conf.exists('disable'): - wwan['disable'] = True - - # ignore link state changes - if conf.exists('disable-link-detect'): - wwan['disable_link_detect'] = 2 - - # Do not use DNS servers provided by the peer - if conf.exists(['mtu']): - wwan['mtu'] = conf.return_value(['mtu']) - - # Do not use DNS servers provided by the peer - if conf.exists(['no-peer-dns']): - wwan['name_server'] = False - - # Access concentrator name (only connect to this concentrator) - if conf.exists(['ondemand']): - wwan['on_demand'] = True - - # retrieve VRF instance - if conf.exists('vrf'): - wwan['vrf'] = conf.return_value(['vrf']) + if wwan == {}: + wwan.update({'deleted' : ''}) + + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary + # retrived. + wwan = dict_merge(default_values, wwan) + + # Add interface instance name into dictionary + wwan.update({'ifname': ifname}) return wwan def verify(wwan): - if wwan['deleted']: + if 'deleted' in wwan.keys(): return None - if not wwan['apn']: - raise ConfigError('No APN configured for "{intf}"'.format(**wwan)) + if not 'apn' in wwan.keys(): + raise ConfigError('No APN configured for "{ifname}"'.format(**wwan)) - if not wwan['device']: + if not 'device' in wwan.keys(): raise ConfigError('Physical "device" must be configured') # we can not use isfile() here as Linux device files are no regular files # thus the check will return False - if not os.path.exists('{device}'.format(**wwan)): + if not os.path.exists(find_device_file(wwan['device'])): raise ConfigError('Device "{device}" does not exist'.format(**wwan)) - if wwan['vrf'] and wwan['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**wwan)) + verify_vrf(wwan) return None def generate(wwan): # set up configuration file path variables where our templates will be # rendered into - intf = wwan['intf'] - config_wwan = f'/etc/ppp/peers/{intf}' - config_wwan_chat = wwan['chat_script'] - script_wwan_pre_up = f'/etc/ppp/ip-pre-up.d/1010-vyos-wwan-{intf}' - script_wwan_ip_up = f'/etc/ppp/ip-up.d/1010-vyos-wwan-{intf}' - script_wwan_ip_down = f'/etc/ppp/ip-down.d/1010-vyos-wwan-{intf}' + ifname = wwan['ifname'] + config_wwan = f'/etc/ppp/peers/{ifname}' + config_wwan_chat = f'/etc/ppp/peers/chat.{ifname}' + script_wwan_pre_up = f'/etc/ppp/ip-pre-up.d/1010-vyos-wwan-{ifname}' + script_wwan_ip_up = f'/etc/ppp/ip-up.d/1010-vyos-wwan-{ifname}' + script_wwan_ip_down = f'/etc/ppp/ip-down.d/1010-vyos-wwan-{ifname}' config_files = [config_wwan, config_wwan_chat, script_wwan_pre_up, script_wwan_ip_up, script_wwan_ip_down] # Always hang-up WWAN connection prior generating new configuration file - call(f'systemctl stop ppp@{intf}.service') + call(f'systemctl stop ppp@{ifname}.service') - if wwan['deleted']: + if 'deleted' in wwan: # Delete PPP configuration files for file in config_files: if os.path.exists(file): os.unlink(file) else: + wwan['device'] = find_device_file(wwan['device']) + # Create PPP configuration files render(config_wwan, 'wwan/peer.tmpl', wwan) # Create PPP chat script @@ -195,26 +136,19 @@ def generate(wwan): return None def apply(wwan): - if wwan['deleted']: + if 'deleted' in wwan.keys(): # bail out early return None - if not wwan['disable']: + if not 'disable' in wwan.keys(): # "dial" WWAN connection - intf = wwan['intf'] - call(f'systemctl start ppp@{intf}.service') - - # re-add ourselves to any bridge we might have fallen out of - # FIXME: wwan isn't under vyos.ifconfig so we can't call - # Interfaces.add_to_bridge() so STP settings won't get applied - if wwan['is_bridge_member'] in Section.interfaces('bridge'): - BridgeIf(wwan['is_bridge_member'], create=False).add_port(wwan['intf']) + call('systemctl start ppp@{ifname}.service'.format(**wwan)) return None if __name__ == '__main__': try: - check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index b0a029f2b..dd34dfd66 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -24,13 +24,17 @@ from netifaces import interfaces from vyos.config import Config from vyos.template import render -from vyos.util import call, cmd +from vyos.util import call +from vyos.util import cmd +from vyos.util import check_kmod from vyos.validate import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() +k_mod = ['nft_nat', 'nft_chain_nat_ipv4'] + default_config_data = { 'deleted': False, 'destination': [], @@ -44,15 +48,6 @@ default_config_data = { iptables_nat_config = '/tmp/vyos-nat-rules.nft' -def _check_kmod(): - """ load required Kernel modules """ - modules = ['nft_nat', 'nft_chain_nat_ipv4'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - - def get_handler(json, chain, target): """ Get nftable rule handler number of given chain/target combination. Handler is required when adding NAT/Conntrack helper targets """ @@ -79,9 +74,6 @@ def verify_rule(rule, err_msg): 'statically maps a whole network of addresses onto another\n' \ 'network of addresses') - if not rule['translation_address']: - raise ConfigError(f'{err_msg} translation address not specified') - def parse_configuration(conf, source_dest): """ Common wrapper to read in both NAT source and destination CLI """ @@ -228,10 +220,10 @@ def verify(nat): for rule in nat['source']: interface = rule['interface_out'] - err_msg = f"Source NAT configuration error in rule {rule['number']}:" + err_msg = f'Source NAT configuration error in rule "{rule["number"]}":' - if interface and interface not in interfaces(): - print(f'NAT configuration warning: interface {interface} does not exist on this system') + if interface and interface not in 'any' and interface not in interfaces(): + print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system') if not rule['interface_out']: raise ConfigError(f'{err_msg} outbound-interface not specified') @@ -246,10 +238,10 @@ def verify(nat): for rule in nat['destination']: interface = rule['interface_in'] - err_msg = f"Destination NAT configuration error in rule {rule['number']}:" + err_msg = f'Destination NAT configuration error in rule "{rule["number"]}":' - if interface and interface not in interfaces(): - print(f'NAT configuration warning: interface {interface} does not exist on this system') + if interface and interface not in 'any' and interface not in interfaces(): + print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system') if not rule['interface_in']: raise ConfigError(f'{err_msg} inbound-interface not specified') @@ -261,7 +253,6 @@ def verify(nat): def generate(nat): render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755) - return None def apply(nat): @@ -273,7 +264,7 @@ def apply(nat): if __name__ == '__main__': try: - _check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 9180998aa..bba8f87a4 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -16,77 +16,22 @@ import os -from copy import deepcopy -from ipaddress import ip_network -from netifaces import interfaces -from sys import exit - from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos import ConfigError from vyos.util import call from vyos.template import render -from vyos import ConfigError - from vyos import airbag airbag.enable() config_file = r'/etc/ntp.conf' systemd_override = r'/etc/systemd/system/ntp.service.d/override.conf' -default_config_data = { - 'servers': [], - 'allowed_networks': [], - 'listen_address': [], - 'vrf': '' -} - def get_config(): - ntp = deepcopy(default_config_data) conf = Config() base = ['system', 'ntp'] - if not conf.exists(base): - return None - else: - conf.set_level(base) - - node = ['allow-clients', 'address'] - if conf.exists(node): - networks = conf.return_values(node) - for n in networks: - addr = ip_network(n) - net = { - "network" : n, - "address" : addr.network_address, - "netmask" : addr.netmask - } - - ntp['allowed_networks'].append(net) - - node = ['listen-address'] - if conf.exists(node): - ntp['listen_address'] = conf.return_values(node) - - node = ['server'] - if conf.exists(node): - for node in conf.list_nodes(node): - options = [] - server = { - "name": node, - "options": [] - } - if conf.exists('server {0} noselect'.format(node)): - options.append('noselect') - if conf.exists('server {0} preempt'.format(node)): - options.append('preempt') - if conf.exists('server {0} prefer'.format(node)): - options.append('prefer') - - server['options'] = options - ntp['servers'].append(server) - - node = ['vrf'] - if conf.exists(node): - ntp['vrf'] = conf.return_value(node) + ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return ntp def verify(ntp): @@ -94,13 +39,10 @@ def verify(ntp): if not ntp: return None - # Configuring allowed clients without a server makes no sense - if len(ntp['allowed_networks']) and not len(ntp['servers']): + if len(ntp.get('allow_clients', {})) and not (len(ntp.get('server', {})) > 0): raise ConfigError('NTP server not configured') - if ntp['vrf'] and ntp['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**ntp)) - + verify_vrf(ntp) return None def generate(ntp): @@ -108,7 +50,7 @@ def generate(ntp): if not ntp: return None - render(config_file, 'ntp/ntp.conf.tmpl', ntp) + render(config_file, 'ntp/ntp.conf.tmpl', ntp, trim_blocks=True) render(systemd_override, 'ntp/override.conf.tmpl', ntp, trim_blocks=True) return None @@ -124,7 +66,6 @@ def apply(ntp): # Reload systemd manager configuration call('systemctl daemon-reload') - if ntp: call('systemctl restart ntp.service') diff --git a/src/conf_mode/protocols_igmp.py b/src/conf_mode/protocols_igmp.py index 6f0e2010f..ca148fd6a 100755 --- a/src/conf_mode/protocols_igmp.py +++ b/src/conf_mode/protocols_igmp.py @@ -97,7 +97,7 @@ def apply(igmp): return None if os.path.exists(config_file): - call("sudo vtysh -d pimd -f " + config_file) + call(f'vtysh -d pimd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/protocols_mpls.py b/src/conf_mode/protocols_mpls.py index 15785a801..72208ffa1 100755 --- a/src/conf_mode/protocols_mpls.py +++ b/src/conf_mode/protocols_mpls.py @@ -153,7 +153,7 @@ def apply(mpls): operate_mpls_on_intfc(diactive_ifaces, 0) if os.path.exists(config_file): - call("sudo vtysh -d ldpd -f " + config_file) + call(f'vtysh -d ldpd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py index c5ac26806..4f8816d61 100755 --- a/src/conf_mode/protocols_rip.py +++ b/src/conf_mode/protocols_rip.py @@ -297,7 +297,7 @@ def apply(rip): return None if os.path.exists(config_file): - call("sudo vtysh -d ripd -f " + config_file) + call(f'vtysh -d ripd -f {config_file}') os.remove(config_file) else: print("File {0} not found".format(config_file)) diff --git a/src/conf_mode/protocols_static_multicast.py b/src/conf_mode/protocols_static_multicast.py index eeab26d4d..232d1e181 100755 --- a/src/conf_mode/protocols_static_multicast.py +++ b/src/conf_mode/protocols_static_multicast.py @@ -101,7 +101,7 @@ def apply(mroute): return None if os.path.exists(config_file): - call("sudo vtysh -d staticd -f " + config_file) + call(f'vtysh -d staticd -f {config_file}') os.remove(config_file) return None diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py new file mode 100755 index 000000000..d46f9578e --- /dev/null +++ b/src/conf_mode/service_ids_fastnetmon.py @@ -0,0 +1,89 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos import ConfigError +from vyos.util import call +from vyos.template import render +from vyos import airbag +airbag.enable() + +config_file = r'/etc/fastnetmon.conf' +networks_list = r'/etc/networks_list' + +def get_config(): + conf = Config() + base = ['service', 'ids', 'ddos-protection'] + fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + return fastnetmon + +def verify(fastnetmon): + if not fastnetmon: + return None + + if not "mode" in fastnetmon: + raise ConfigError('ddos-protection mode is mandatory!') + + if not "network" in fastnetmon: + raise ConfigError('Required define network!') + + if not "listen_interface" in fastnetmon: + raise ConfigError('Define listen-interface is mandatory!') + + if "alert_script" in fastnetmon: + if os.path.isfile(fastnetmon["alert_script"]): + # Check script permissions + if not os.access(fastnetmon["alert_script"], os.X_OK): + raise ConfigError('Script {0} does not have permissions for execution'.format(fastnetmon["alert_script"])) + else: + raise ConfigError('File {0} does not exists!'.format(fastnetmon["alert_script"])) + +def generate(fastnetmon): + if not fastnetmon: + if os.path.isfile(config_file): + os.unlink(config_file) + if os.path.isfile(networks_list): + os.unlink(networks_list) + + return + + render(config_file, 'ids/fastnetmon.tmpl', fastnetmon, trim_blocks=True) + render(networks_list, 'ids/fastnetmon_networks_list.tmpl', fastnetmon, trim_blocks=True) + + return None + +def apply(fastnetmon): + if not fastnetmon: + # Stop fastnetmon service if removed + call('systemctl stop fastnetmon.service') + else: + call('systemctl restart fastnetmon.service') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index eb0d20654..e9806ef47 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -16,19 +16,16 @@ import os -from binascii import hexlify -from netifaces import interfaces -from time import sleep from sys import exit from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos.snmpv3_hashgen import plaintext_to_md5, plaintext_to_sha1, random +from vyos.template import render +from vyos.util import call from vyos.validate import is_ipv4, is_addr_assigned from vyos.version import get_version_data -from vyos import ConfigError -from vyos.util import call -from vyos.template import render - -from vyos import airbag +from vyos import ConfigError, airbag airbag.enable() config_file_client = r'/etc/snmp/snmp.conf' @@ -60,15 +57,14 @@ default_config_data = { 'trap_targets': [], 'vyos_user': '', 'vyos_user_pass': '', - 'version': '999', + 'version': '', 'v3_enabled': 'False', 'v3_engineid': '', 'v3_groups': [], 'v3_traps': [], 'v3_users': [], 'v3_views': [], - 'script_ext': [], - 'vrf': '' + 'script_ext': [] } def rmfile(file): @@ -90,9 +86,8 @@ def get_config(): snmp['version'] = version_data['version'] # create an internal snmpv3 user of the form 'vyosxxxxxxxxxxxxxxxx' - # os.urandom(8) returns 8 bytes of random data - snmp['vyos_user'] = 'vyos' + hexlify(os.urandom(8)).decode('utf-8') - snmp['vyos_user_pass'] = hexlify(os.urandom(16)).decode('utf-8') + snmp['vyos_user'] = 'vyos' + random(8) + snmp['vyos_user_pass'] = random(16) if conf.exists('community'): for name in conf.list_nodes('community'): @@ -191,6 +186,9 @@ def get_config(): snmp['script_ext'].append(extension) if conf.exists('vrf'): + # Append key to dict but don't place it in the default dictionary. + # This is required to make the override.conf.tmpl work until we + # migrate to get_config_dict(). snmp['vrf'] = conf.return_value('vrf') @@ -260,30 +258,30 @@ def get_config(): # cmdline option '-a' trap_cfg['authProtocol'] = conf.return_value('v3 trap-target {0} auth type'.format(trap)) - if conf.exists('v3 trap-target {0} auth plaintext-key'.format(trap)): + if conf.exists('v3 trap-target {0} auth plaintext-password'.format(trap)): # Set the authentication pass phrase used for authenticated SNMPv3 messages. # cmdline option '-A' - trap_cfg['authPassword'] = conf.return_value('v3 trap-target {0} auth plaintext-key'.format(trap)) + trap_cfg['authPassword'] = conf.return_value('v3 trap-target {0} auth plaintext-password'.format(trap)) - if conf.exists('v3 trap-target {0} auth encrypted-key'.format(trap)): + if conf.exists('v3 trap-target {0} auth encrypted-password'.format(trap)): # Sets the keys to be used for SNMPv3 transactions. These options allow you to set the master authentication keys. # cmdline option '-3m' - trap_cfg['authMasterKey'] = conf.return_value('v3 trap-target {0} auth encrypted-key'.format(trap)) + trap_cfg['authMasterKey'] = conf.return_value('v3 trap-target {0} auth encrypted-password'.format(trap)) if conf.exists('v3 trap-target {0} privacy type'.format(trap)): # Set the privacy protocol (DES or AES) used for encrypted SNMPv3 messages. # cmdline option '-x' trap_cfg['privProtocol'] = conf.return_value('v3 trap-target {0} privacy type'.format(trap)) - if conf.exists('v3 trap-target {0} privacy plaintext-key'.format(trap)): + if conf.exists('v3 trap-target {0} privacy plaintext-password'.format(trap)): # Set the privacy pass phrase used for encrypted SNMPv3 messages. # cmdline option '-X' - trap_cfg['privPassword'] = conf.return_value('v3 trap-target {0} privacy plaintext-key'.format(trap)) + trap_cfg['privPassword'] = conf.return_value('v3 trap-target {0} privacy plaintext-password'.format(trap)) - if conf.exists('v3 trap-target {0} privacy encrypted-key'.format(trap)): + if conf.exists('v3 trap-target {0} privacy encrypted-password'.format(trap)): # Sets the keys to be used for SNMPv3 transactions. These options allow you to set the master encryption keys. # cmdline option '-3M' - trap_cfg['privMasterKey'] = conf.return_value('v3 trap-target {0} privacy encrypted-key'.format(trap)) + trap_cfg['privMasterKey'] = conf.return_value('v3 trap-target {0} privacy encrypted-password'.format(trap)) if conf.exists('v3 trap-target {0} protocol'.format(trap)): trap_cfg['ipProto'] = conf.return_value('v3 trap-target {0} protocol'.format(trap)) @@ -322,11 +320,11 @@ def get_config(): } # v3 user {0} auth - if conf.exists('v3 user {0} auth encrypted-key'.format(user)): - user_cfg['authMasterKey'] = conf.return_value('v3 user {0} auth encrypted-key'.format(user)) + if conf.exists('v3 user {0} auth encrypted-password'.format(user)): + user_cfg['authMasterKey'] = conf.return_value('v3 user {0} auth encrypted-password'.format(user)) - if conf.exists('v3 user {0} auth plaintext-key'.format(user)): - user_cfg['authPassword'] = conf.return_value('v3 user {0} auth plaintext-key'.format(user)) + if conf.exists('v3 user {0} auth plaintext-password'.format(user)): + user_cfg['authPassword'] = conf.return_value('v3 user {0} auth plaintext-password'.format(user)) # load default value type = user_cfg['authProtocol'] @@ -346,11 +344,11 @@ def get_config(): user_cfg['mode'] = conf.return_value('v3 user {0} mode'.format(user)) # v3 user {0} privacy - if conf.exists('v3 user {0} privacy encrypted-key'.format(user)): - user_cfg['privMasterKey'] = conf.return_value('v3 user {0} privacy encrypted-key'.format(user)) + if conf.exists('v3 user {0} privacy encrypted-password'.format(user)): + user_cfg['privMasterKey'] = conf.return_value('v3 user {0} privacy encrypted-password'.format(user)) - if conf.exists('v3 user {0} privacy plaintext-key'.format(user)): - user_cfg['privPassword'] = conf.return_value('v3 user {0} privacy plaintext-key'.format(user)) + if conf.exists('v3 user {0} privacy plaintext-password'.format(user)): + user_cfg['privPassword'] = conf.return_value('v3 user {0} privacy plaintext-password'.format(user)) # load default value type = user_cfg['privProtocol'] @@ -416,8 +414,7 @@ def verify(snmp): else: print('WARNING: SNMP listen address {0} not configured!'.format(addr)) - if snmp['vrf'] and snmp['vrf'] not in interfaces(): - raise ConfigError('VRF "{vrf}" does not exist'.format(**snmp)) + verify_vrf(snmp) # bail out early if SNMP v3 is not configured if not snmp['v3_enabled']: @@ -448,16 +445,16 @@ def verify(snmp): if 'v3_traps' in snmp.keys(): for trap in snmp['v3_traps']: if trap['authPassword'] and trap['authMasterKey']: - raise ConfigError('Must specify only one of encrypted-key/plaintext-key for trap auth') + raise ConfigError('Must specify only one of encrypted-password/plaintext-key for trap auth') if trap['authPassword'] == '' and trap['authMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for trap auth') + raise ConfigError('Must specify encrypted-password or plaintext-key for trap auth') if trap['privPassword'] and trap['privMasterKey']: - raise ConfigError('Must specify only one of encrypted-key/plaintext-key for trap privacy') + raise ConfigError('Must specify only one of encrypted-password/plaintext-key for trap privacy') if trap['privPassword'] == '' and trap['privMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for trap privacy') + raise ConfigError('Must specify encrypted-password or plaintext-key for trap privacy') if not 'type' in trap.keys(): raise ConfigError('v3 trap: "type" must be specified') @@ -488,19 +485,12 @@ def verify(snmp): if error: raise ConfigError('You must create group "{0}" first'.format(user['group'])) - # Depending on the configured security level - # the user has to provide additional info - if user['authPassword'] and user['authMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth') - + # Depending on the configured security level the user has to provide additional info if (not user['authPassword'] and not user['authMasterKey']): - raise ConfigError('Must specify encrypted-key or plaintext-key for user auth') - - if user['privPassword'] and user['privMasterKey']: - raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy') + raise ConfigError('Must specify encrypted-password or plaintext-key for user auth') if user['privPassword'] == '' and user['privMasterKey'] == '': - raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy') + raise ConfigError('Must specify encrypted-password or plaintext-key for user privacy') if user['mode'] == '': raise ConfigError('Must specify user mode ro/rw') @@ -522,12 +512,36 @@ def generate(snmp): for file in config_files: rmfile(file) - # Reload systemd manager configuration - call('systemctl daemon-reload') - if not snmp: return None + if 'v3_users' in snmp.keys(): + # net-snmp is now regenerating the configuration file in the background + # thus we need to re-open and re-read the file as the content changed. + # After that we can no read the encrypted password from the config and + # replace the CLI plaintext password with its encrypted version. + os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos" + + for user in snmp['v3_users']: + if user['authProtocol'] == 'sha': + hash = plaintext_to_sha1 + else: + hash = plaintext_to_md5 + + if user['authPassword']: + user['authMasterKey'] = hash(user['authPassword'], snmp['v3_engineid']) + user['authPassword'] = '' + + call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" auth encrypted-password "{authMasterKey}" > /dev/null'.format(**user)) + call('/opt/vyatta/sbin/my_delete service snmp v3 user "{name}" auth plaintext-password > /dev/null'.format(**user)) + + if user['privPassword']: + user['privMasterKey'] = hash(user['privPassword'], snmp['v3_engineid']) + user['privPassword'] = '' + + call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" privacy encrypted-password "{privMasterKey}" > /dev/null'.format(**user)) + call('/opt/vyatta/sbin/my_delete service snmp v3 user "{name}" privacy plaintext-password > /dev/null'.format(**user)) + # Write client config file render(config_file_client, 'snmp/etc.snmp.conf.tmpl', snmp) # Write server config file @@ -542,45 +556,14 @@ def generate(snmp): return None def apply(snmp): + # Always reload systemd manager configuration + call('systemctl daemon-reload') + if not snmp: return None - # Reload systemd manager configuration - call('systemctl daemon-reload') # start SNMP daemon - call("systemctl restart snmpd.service") - - while (call('systemctl -q is-active snmpd.service') != 0): - print("service not yet started") - sleep(0.5) - - # net-snmp is now regenerating the configuration file in the background - # thus we need to re-open and re-read the file as the content changed. - # After that we can no read the encrypted password from the config and - # replace the CLI plaintext password with its encrypted version. - os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos" - with open(config_file_user, 'r') as f: - engineID = '' - for line in f: - if line.startswith('usmUser'): - string = line.split(' ') - cfg = { - 'user': string[4].replace(r'"', ''), - 'auth_pw': string[8], - 'priv_pw': string[10] - } - # No need to take care about the VyOS internal user - if cfg['user'] == snmp['vyos_user']: - continue - - # Now update the running configuration - # - # Currently when executing call() the environment does not - # have the vyos_libexec_dir variable set, see Phabricator T685. - call('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" auth encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['auth_pw'])) - call('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" privacy encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['priv_pw'])) - call('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" auth plaintext-key > /dev/null'.format(cfg['user'])) - call('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" privacy plaintext-key > /dev/null'.format(cfg['user'])) + call('systemctl restart snmpd.service') # Enable AgentX in FRR call('vtysh -c "configure terminal" -c "agentx" >/dev/null') diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index 1ca2c8b4c..ffb0b700d 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -37,7 +37,7 @@ def get_config(): if not conf.exists(base): return None - ssh = conf.get_config_dict(base, key_mangling=('-', '_')) + ssh = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. default_values = defaults(base) diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 93d4cc679..b1dd583b5 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -72,7 +72,7 @@ def get_config(): user = { 'name': username, 'password_plaintext': '', - 'password_encred': '!', + 'password_encrypted': '!', 'public_keys': [], 'full_name': '', 'home_dir': '/home/' + username, diff --git a/src/conf_mode/system-options.py b/src/conf_mode/system-options.py index 8de3b6fa2..d7c5c0443 100755 --- a/src/conf_mode/system-options.py +++ b/src/conf_mode/system-options.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -16,67 +16,62 @@ import os +from netifaces import interfaces from sys import exit -from copy import deepcopy + from vyos.config import Config +from vyos.template import render +from vyos.util import call from vyos import ConfigError -from vyos.util import run - from vyos import airbag airbag.enable() -systemd_ctrl_alt_del = '/lib/systemd/system/ctrl-alt-del.target' - -default_config_data = { - 'beep_if_fully_booted': False, - 'ctrl_alt_del': 'ignore', - 'reboot_on_panic': True -} +config_file = r'/etc/curlrc' +systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target' def get_config(): - opt = deepcopy(default_config_data) conf = Config() - conf.set_level('system options') - if conf.exists(''): - if conf.exists('ctrl-alt-del-action'): - opt['ctrl_alt_del'] = conf.return_value('ctrl-alt-del-action') + base = ['system', 'options'] + options = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + return options - opt['beep_if_fully_booted'] = conf.exists('beep-if-fully-booted') - opt['reboot_on_panic'] = conf.exists('reboot-on-panic') +def verify(options): + if 'http_client' in options.keys(): + config = options['http_client'] + if 'source_interface' in config.keys(): + if not config['source_interface'] in interfaces(): + raise ConfigError(f'Source interface {source_interface} does not ' + f'exist'.format(**config)) - return opt + if {'source_address', 'source_interface'} <= set(config): + raise ConfigError('Can not define both HTTP source-interface and source-address') -def verify(opt): - pass + return None -def generate(opt): - pass +def generate(options): + render(config_file, 'system/curlrc.tmpl', options, trim_blocks=True) + return None -def apply(opt): +def apply(options): # Beep action - if opt['beep_if_fully_booted']: - run('systemctl enable vyos-beep.service') + if 'beep_if_fully_booted' in options.keys(): + call('systemctl enable vyos-beep.service') else: - run('systemctl disable vyos-beep.service') + call('systemctl disable vyos-beep.service') # Ctrl-Alt-Delete action - if opt['ctrl_alt_del'] == 'ignore': - if os.path.exists(systemd_ctrl_alt_del): - os.unlink('/lib/systemd/system/ctrl-alt-del.target') - - elif opt['ctrl_alt_del'] == 'reboot': - if os.path.exists(systemd_ctrl_alt_del): - os.unlink(systemd_ctrl_alt_del) - os.symlink('/lib/systemd/system/reboot.target', systemd_ctrl_alt_del) + if os.path.exists(systemd_action_file): + os.unlink(systemd_action_file) - elif opt['ctrl_alt_del'] == 'poweroff': - if os.path.exists(systemd_ctrl_alt_del): - os.unlink(systemd_ctrl_alt_del) - os.symlink('/lib/systemd/system/poweroff.target', systemd_ctrl_alt_del) + if 'ctrl_alt_del_action' in options.keys(): + if options['ctrl_alt_del_action'] == 'reboot': + os.symlink('/lib/systemd/system/reboot.target', systemd_action_file) + elif options['ctrl_alt_del_action'] == 'poweroff': + os.symlink('/lib/systemd/system/poweroff.target', systemd_action_file) # Reboot system on kernel panic with open('/proc/sys/kernel/panic', 'w') as f: - if opt['reboot_on_panic']: + if 'reboot_on_panic' in options.keys(): f.write('60') else: f.write('0') diff --git a/src/conf_mode/system_console.py b/src/conf_mode/system_console.py index 034cbee63..6f83335f3 100755 --- a/src/conf_mode/system_console.py +++ b/src/conf_mode/system_console.py @@ -31,7 +31,7 @@ def get_config(): base = ['system', 'console'] # retrieve configuration at once - console = conf.get_config_dict(base) + console = conf.get_config_dict(base, get_first_key=True) # bail out early if no serial console is configured if 'device' not in console.keys(): diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index e8f523e36..56ca813ff 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -52,7 +52,7 @@ def vrf_interfaces(c, match): matched = [] old_level = c.get_level() c.set_level(['interfaces']) - section = c.get_config_dict([]) + section = c.get_config_dict([], get_first_key=True) for type in section: interfaces = section[type] for name in interfaces: @@ -201,8 +201,8 @@ def apply(vrf_config): for vrf in vrf_config['vrf_remove']: name = vrf['name'] if os.path.isdir(f'/sys/class/net/{name}'): - _cmd(f'sudo ip -4 route del vrf {name} unreachable default metric 4278198272') - _cmd(f'sudo ip -6 route del vrf {name} unreachable default metric 4278198272') + _cmd(f'ip -4 route del vrf {name} unreachable default metric 4278198272') + _cmd(f'ip -6 route del vrf {name} unreachable default metric 4278198272') _cmd(f'ip link delete dev {name}') for vrf in vrf_config['vrf_add']: diff --git a/src/helpers/vyos-load-config.py b/src/helpers/vyos-load-config.py index a9fa15778..c2da1bb11 100755 --- a/src/helpers/vyos-load-config.py +++ b/src/helpers/vyos-load-config.py @@ -27,12 +27,12 @@ import sys import tempfile import vyos.defaults import vyos.remote -from vyos.config import Config, VyOSError +from vyos.configsource import ConfigSourceSession, VyOSError from vyos.migrator import Migrator, VirtualMigrator, MigratorError -class LoadConfig(Config): +class LoadConfig(ConfigSourceSession): """A subclass for calling 'loadFile'. - This does not belong in config.py, and only has a single caller. + This does not belong in configsource.py, and only has a single caller. """ def load_config(self, path): return self._run(['/bin/cli-shell-api','loadFile',path]) diff --git a/src/migration-scripts/interfaces/8-to-9 b/src/migration-scripts/interfaces/8-to-9 index e0b9dd375..2d1efd418 100755 --- a/src/migration-scripts/interfaces/8-to-9 +++ b/src/migration-scripts/interfaces/8-to-9 @@ -16,7 +16,7 @@ # Rename link nodes to source-interface for the following interface types: # - vxlan -# - pseudo ethernet +# - pseudo-ethernet from sys import exit, argv from vyos.configtree import ConfigTree @@ -36,7 +36,7 @@ if __name__ == '__main__': base = ['interfaces', if_type] if not config.exists(base): # Nothing to do - exit(0) + continue # list all individual interface isntance for i in config.list_nodes(base): diff --git a/src/migration-scripts/snmp/1-to-2 b/src/migration-scripts/snmp/1-to-2 new file mode 100755 index 000000000..466a624e6 --- /dev/null +++ b/src/migration-scripts/snmp/1-to-2 @@ -0,0 +1,89 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from sys import argv, exit +from vyos.configtree import ConfigTree + +def migrate_keys(config, path): + # authentication: rename node 'encrypted-key' -> 'encrypted-password' + config_path_auth = path + ['auth', 'encrypted-key'] + if config.exists(config_path_auth): + config.rename(config_path_auth, 'encrypted-password') + config_path_auth = path + ['auth', 'encrypted-password'] + + # remove leading '0x' from string if present + tmp = config.return_value(config_path_auth) + if tmp.startswith(prefix): + tmp = tmp.replace(prefix, '') + config.set(config_path_auth, value=tmp) + + # privacy: rename node 'encrypted-key' -> 'encrypted-password' + config_path_priv = path + ['privacy', 'encrypted-key'] + if config.exists(config_path_priv): + config.rename(config_path_priv, 'encrypted-password') + config_path_priv = path + ['privacy', 'encrypted-password'] + + # remove leading '0x' from string if present + tmp = config.return_value(config_path_priv) + if tmp.startswith(prefix): + tmp = tmp.replace(prefix, '') + config.set(config_path_priv, value=tmp) + +if __name__ == '__main__': + if (len(argv) < 1): + print("Must specify file name!") + exit(1) + + file_name = argv[1] + + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + config_base = ['service', 'snmp', 'v3'] + + if not config.exists(config_base): + # Nothing to do + exit(0) + else: + # We no longer support hashed values prefixed with '0x' to unclutter + # CLI and also calculate the hases in advance instead of retrieving + # them after service startup - which was always a bad idea + prefix = '0x' + + config_engineid = config_base + ['engineid'] + if config.exists(config_engineid): + tmp = config.return_value(config_engineid) + if tmp.startswith(prefix): + tmp = tmp.replace(prefix, '') + config.set(config_engineid, value=tmp) + + config_user = config_base + ['user'] + if config.exists(config_user): + for user in config.list_nodes(config_user): + migrate_keys(config, config_user + [user]) + + config_trap = config_base + ['trap-target'] + if config.exists(config_trap): + for trap in config.list_nodes(config_trap): + migrate_keys(config, config_trap + [trap]) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/ssh/1-to-2 b/src/migration-scripts/ssh/1-to-2 new file mode 100755 index 000000000..bc8815753 --- /dev/null +++ b/src/migration-scripts/ssh/1-to-2 @@ -0,0 +1,55 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# VyOS 1.2 crux allowed configuring a lower or upper case loglevel. This +# is no longer supported as the input data is validated and will lead to +# an error. If user specifies an upper case logleve, make it lowercase + +from sys import argv,exit +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['service', 'ssh', 'loglevel'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) +else: + # red in configured loglevel and convert it to lower case + tmp = config.return_value(base).lower() + + # VyOS 1.2 had no proper value validation on the CLI thus the + # user could use any arbitrary values - sanitize them + if tmp not in ['quiet', 'fatal', 'error', 'info', 'verbose']: + tmp = 'info' + + config.set(base, value=tmp) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/op_mode/flow_accounting_op.py b/src/op_mode/flow_accounting_op.py index bf8c39fd6..6586cbceb 100755 --- a/src/op_mode/flow_accounting_op.py +++ b/src/op_mode/flow_accounting_op.py @@ -21,58 +21,57 @@ import re import ipaddress import os.path from tabulate import tabulate - +from json import loads from vyos.util import cmd, run +from vyos.logger import syslog # some default values uacctd_pidfile = '/var/run/uacctd.pid' uacctd_pipefile = '/tmp/uacctd.pipe' - -# check if ports argument have correct format -def _is_ports(ports): - # define regex for checking - regex_filter = re.compile('^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$|^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])-(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$|^((\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]),)+(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$') - if not regex_filter.search(ports): - raise argparse.ArgumentTypeError("Invalid ports: {}".format(ports)) - - # check which type nitation is used: single port, ports list, ports range - # single port - regex_filter = re.compile('^(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$') - if regex_filter.search(ports): - filter_ports = { 'type': 'single', 'value': int(ports) } - - # ports list - regex_filter = re.compile('^((\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]),)+(\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])') - if regex_filter.search(ports): - filter_ports = { 'type': 'list', 'value': list(map(int, ports.split(','))) } - - # ports range - regex_filter = re.compile('^(?P<first>\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])-(?P<second>\d|[1-9]\d{1,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])$') - if regex_filter.search(ports): - # check if second number is greater than the first - if int(regex_filter.search(ports).group('first')) >= int(regex_filter.search(ports).group('second')): - raise argparse.ArgumentTypeError("Invalid ports: {}".format(ports)) - filter_ports = { 'type': 'range', 'value': range(int(regex_filter.search(ports).group('first')), int(regex_filter.search(ports).group('second'))) } - - # if all above failed - if not filter_ports: - raise argparse.ArgumentTypeError("Failed to parse: {}".format(ports)) +def parse_port(port): + try: + port_num = int(port) + if (port_num >= 0) and (port_num <= 65535): + return port_num + else: + raise ValueError("out of the 0-65535 range".format(port)) + except ValueError as e: + raise ValueError("Incorrect port number \'{0}\': {1}".format(port, e)) + +def parse_ports(arg): + if re.match(r'^\d+$', arg): + # Single port + port = parse_port(arg) + return {"type": "single", "value": port} + elif re.match(r'^\d+\-\d+$', arg): + # Port range + ports = arg.split("-") + ports = list(map(parse_port, ports)) + if ports[0] > ports[1]: + raise ValueError("Malformed port range \'{0}\': lower end is greater than the higher".format(arg)) + else: + return {"type": "range", "value": (ports[0], ports[1])} + elif re.match(r'^\d+,.*\d$', arg): + # Port list + ports = re.split(r',+', arg) # This allows duplicate commad like '1,,2,3,4' + ports = list(map(parse_port, ports)) + return {"type": "list", "value": ports} else: - return filter_ports + raise ValueError("Malformed port spec \'{0}\'".format(arg)) # check if host argument have correct format -def _is_host(host): +def check_host(host): # define regex for checking if not ipaddress.ip_address(host): - raise argparse.ArgumentTypeError("Invalid host: {}".format(host)) - return host + raise ValueError("Invalid host \'{}\', must be a valid IP or IPv6 address".format(host)) # check if flow-accounting running def _uacctd_running(): command = 'systemctl status uacctd.service > /dev/null' return run(command) == 0 + # get list of interfaces def _get_ifaces_dict(): # run command to get ifaces list @@ -83,7 +82,7 @@ def _get_ifaces_dict(): # make a dictionary with interfaces and indexes ifaces_dict = {} - regex_filter = re.compile('^(?P<iface_index>\d+):\ (?P<iface_name>[\w\d\.]+)[:@].*$') + regex_filter = re.compile(r'^(?P<iface_index>\d+):\ (?P<iface_name>[\w\d\.]+)[:@].*$') for iface_line in ifaces_out: if regex_filter.search(iface_line): ifaces_dict[int(regex_filter.search(iface_line).group('iface_index'))] = regex_filter.search(iface_line).group('iface_name') @@ -91,11 +90,12 @@ def _get_ifaces_dict(): # return dictioanry return ifaces_dict + # get list of flows def _get_flows_list(): # run command to get flows list out = cmd(f'/usr/bin/pmacct -s -O json -T flows -p {uacctd_pipefile}', - message='Failed to get flows list') + message='Failed to get flows list') # read output flows_out = out.splitlines() @@ -103,11 +103,15 @@ def _get_flows_list(): # make a list with flows flows_list = [] for flow_line in flows_out: - flows_list.append(eval(flow_line)) + try: + flows_list.append(loads(flow_line)) + except Exception as err: + syslog.error('Unable to read flow info: {}'.format(err)) # return list of flows return flows_list + # filter and format flows def _flows_filter(flows, ifaces): # predefine filtered flows list @@ -149,14 +153,29 @@ def _flows_filter(flows, ifaces): # return filtered flows return flows_filtered + # print flow table def _flows_table_print(flows): - #define headers and body - table_headers = [ 'IN_IFACE', 'SRC_MAC', 'DST_MAC', 'SRC_IP', 'DST_IP', 'SRC_PORT', 'DST_PORT', 'PROTOCOL', 'TOS', 'PACKETS', 'FLOWS', 'BYTES' ] + # define headers and body + table_headers = ['IN_IFACE', 'SRC_MAC', 'DST_MAC', 'SRC_IP', 'DST_IP', 'SRC_PORT', 'DST_PORT', 'PROTOCOL', 'TOS', 'PACKETS', 'FLOWS', 'BYTES'] table_body = [] # convert flows to list for flow in flows: - table_body.append([flow['iface_in_name'], flow['mac_src'], flow['mac_dst'], flow['ip_src'], flow['ip_dst'], flow['port_src'], flow['port_dst'], flow['ip_proto'], flow['tos'], flow['packets'], flow['flows'], flow['bytes'] ]) + table_line = [ + flow.get('iface_in_name'), + flow.get('mac_src'), + flow.get('mac_dst'), + flow.get('ip_src'), + flow.get('ip_dst'), + flow.get('port_src'), + flow.get('port_dst'), + flow.get('ip_proto'), + flow.get('tos'), + flow.get('packets'), + flow.get('flows'), + flow.get('bytes') + ] + table_body.append(table_line) # configure and fill table table = tabulate(table_body, table_headers, tablefmt="simple") @@ -168,23 +187,34 @@ def _flows_table_print(flows): except KeyboardInterrupt: sys.exit(0) + # check if in-memory table is active def _check_imt(): if not os.path.exists(uacctd_pipefile): print("In-memory table is not available") sys.exit(1) + # define program arguments cmd_args_parser = argparse.ArgumentParser(description='show flow-accounting') cmd_args_parser.add_argument('--action', choices=['show', 'clear', 'restart'], required=True, help='command to flow-accounting daemon') cmd_args_parser.add_argument('--filter', choices=['interface', 'host', 'ports', 'top'], required=False, nargs='*', help='filter flows to display') cmd_args_parser.add_argument('--interface', required=False, help='interface name for output filtration') -cmd_args_parser.add_argument('--host', type=_is_host, required=False, help='host address for output filtration') -cmd_args_parser.add_argument('--ports', type=_is_ports, required=False, help='ports number for output filtration') -cmd_args_parser.add_argument('--top', type=int, required=False, help='top records for output filtration') +cmd_args_parser.add_argument('--host', type=str, required=False, help='host address for output filtering') +cmd_args_parser.add_argument('--ports', type=str, required=False, help='port number, range or list for output filtering') +cmd_args_parser.add_argument('--top', type=int, required=False, help='top records for output filtering') # parse arguments cmd_args = cmd_args_parser.parse_args() +try: + if cmd_args.host: + check_host(cmd_args.host) + + if cmd_args.ports: + cmd_args.ports = parse_ports(cmd_args.ports) +except ValueError as e: + print(e) + sys.exit(1) # main logic # do nothing if uacctd daemon is not running diff --git a/src/op_mode/show_dhcp.py b/src/op_mode/show_dhcp.py index f9577e57e..ff1e3cc56 100755 --- a/src/op_mode/show_dhcp.py +++ b/src/op_mode/show_dhcp.py @@ -161,7 +161,8 @@ def get_pool_size(config, pool): start = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} start".format(pool, s, r)) stop = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} stop".format(pool, s, r)) - size += int(ip_address(stop)) - int(ip_address(start)) + # Add +1 because both range boundaries are inclusive + size += int(ip_address(stop)) - int(ip_address(start)) + 1 return size diff --git a/src/op_mode/show_interfaces.py b/src/op_mode/show_interfaces.py index 46571c0c0..d4dae3cd1 100755 --- a/src/op_mode/show_interfaces.py +++ b/src/op_mode/show_interfaces.py @@ -220,8 +220,7 @@ def run_show_intf_brief(ifnames, iftypes, vif, vrrp): oper = ['u', ] if oper_state in ('up', 'unknown') else ['A', ] admin = ['u', ] if oper_state in ('up', 'unknown') else ['D', ] addrs = [_ for _ in interface.get_addr() if not _.startswith('fe80::')] or ['-', ] - # do not ask me why 56, it was the number in the perl code ... - descs = list(split_text(interface.get_alias(),56)) + descs = list(split_text(interface.get_alias(),0)) while intf or oper or admin or addrs or descs: i = intf.pop(0) if intf else '' diff --git a/src/op_mode/wireguard.py b/src/op_mode/wireguard.py index 15bf63e81..e08bc983a 100755 --- a/src/op_mode/wireguard.py +++ b/src/op_mode/wireguard.py @@ -21,22 +21,17 @@ import shutil import syslog as sl import re +from vyos.config import Config from vyos.ifconfig import WireGuardIf - +from vyos.util import cmd +from vyos.util import run +from vyos.util import check_kmod from vyos import ConfigError -from vyos.config import Config -from vyos.util import cmd, run dir = r'/config/auth/wireguard' psk = dir + '/preshared.key' -def check_kmod(): - """ check if kmod is loaded, if not load it """ - if not os.path.exists('/sys/module/wireguard'): - sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") - if run('sudo modprobe wireguard') != 0: - sl.syslog(sl.LOG_ERR, "modprobe wireguard failed") - raise ConfigError("modprobe wireguard failed") +k_mod = 'wireguard' def generate_keypair(pk, pub): """ generates a keypair which is stored in /config/auth/wireguard """ @@ -106,7 +101,7 @@ def del_key_dir(kname): if __name__ == '__main__': - check_kmod() + check_kmod(k_mod) parser = argparse.ArgumentParser(description='wireguard key management') parser.add_argument( '--genkey', action="store_true", help='generate key-pair') diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server index 38bf2f8ce..3eecaba5a 100755 --- a/src/services/vyos-http-api-server +++ b/src/services/vyos-http-api-server @@ -33,7 +33,6 @@ import systemd.daemon from functools import wraps from vyos.configsession import ConfigSession, ConfigSessionError -from vyos.config import VyOSError DEFAULT_CONFIG_FILE = '/etc/vyos/http-api.conf' @@ -232,8 +231,6 @@ def retrieve_op(command): return error(400, "\"{0}\" is not a valid config format".format(config_format)) else: return error(400, "\"{0}\" is not a valid operation".format(op)) - except VyOSError as e: - return error(400, str(e)) except ConfigSessionError as e: return error(400, str(e)) except Exception as e: diff --git a/src/tests/test_initial_setup.py b/src/tests/test_initial_setup.py index c4c59b827..1597025e8 100644 --- a/src/tests/test_initial_setup.py +++ b/src/tests/test_initial_setup.py @@ -21,6 +21,7 @@ import tempfile import unittest from unittest import TestCase, mock +from vyos import xml import vyos.configtree import vyos.initialsetup as vis @@ -30,6 +31,7 @@ class TestInitialSetup(TestCase): with open('tests/data/config.boot.default', 'r') as f: config_string = f.read() self.config = vyos.configtree.ConfigTree(config_string) + self.xml = xml.load_configuration() def test_set_user_password(self): vis.set_user_password(self.config, 'vyos', 'vyosvyos') @@ -56,7 +58,7 @@ class TestInitialSetup(TestCase): self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') - self.assertTrue(self.config.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) + self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_set_ssh_key_without_name(self): # If key file doesn't include a name, the function will use user name for the key name @@ -69,7 +71,7 @@ class TestInitialSetup(TestCase): self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') - self.assertTrue(self.config.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) + self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_create_user(self): vis.create_user(self.config, 'jrandomhacker', password='qwerty', key=" ssh-rsa fakedata jrandomhacker@foovax ") @@ -95,8 +97,8 @@ class TestInitialSetup(TestCase): vis.set_default_gateway(self.config, '192.0.2.1') self.assertTrue(self.config.exists(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop', '192.0.2.1'])) - self.assertTrue(self.config.is_tag(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop'])) - self.assertTrue(self.config.is_tag(['protocols', 'static', 'route'])) + self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route', '0.0.0.0/0', 'next-hop'])) + self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route'])) if __name__ == "__main__": unittest.main() diff --git a/src/validators/dotted-decimal b/src/validators/dotted-decimal new file mode 100755 index 000000000..652110346 --- /dev/null +++ b/src/validators/dotted-decimal @@ -0,0 +1,33 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import re +import sys + +area = sys.argv[1] + +res = re.match(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)$', area) +if not res: + print("\'{0}\' is not a valid dotted decimal value".format(area)) + sys.exit(1) +else: + components = res.groups() + for n in range(0, 4): + if (int(components[n]) > 255): + print("Invalid component of a dotted decimal value: {0} exceeds 255".format(components[n])) + sys.exit(1) + +sys.exit(0) |