From 66103774a9298452dc323f6eb3908bb657a01b5e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 5 Apr 2020 12:04:20 +0200 Subject: wwan: migrate: fix comment --- src/migration-scripts/interfaces/6-to-7 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/migration-scripts/interfaces/6-to-7 b/src/migration-scripts/interfaces/6-to-7 index b4f59c363..220c7e601 100755 --- a/src/migration-scripts/interfaces/6-to-7 +++ b/src/migration-scripts/interfaces/6-to-7 @@ -35,7 +35,7 @@ if __name__ == '__main__': # Nothing to do sys.exit(0) - # list all individual interface types like dummy, ethernet and so on + # list all individual wwan/wireless modem interfaces for i in config.list_nodes(base): iface = base + [i] -- cgit v1.2.3 From 347606ed319744c5b09161ce736a11f5443d91e2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 5 Apr 2020 13:21:44 +0200 Subject: wireguard: T2206: split endpoint node into address and port WireGuard has been the only subsystem combining a remote ip address and a remote port number into a single node. This is bad as there is no possiblity for the XML based input validation for IP address and port numbers. That's the reason the peer endpoint node goets migrated into a peer address and a peer port node utilizing the embedded syntax node checking for IP addresses and port ranges. --- interface-definitions/interfaces-wireguard.xml.in | 24 ++++++++-- src/conf_mode/interfaces-wireguard.py | 27 ++++++----- src/migration-scripts/interfaces/7-to-8 | 58 +++++++++++++++++++++++ 3 files changed, 94 insertions(+), 15 deletions(-) create mode 100755 src/migration-scripts/interfaces/7-to-8 diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index d461156b3..87b38962d 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -97,10 +97,28 @@ - - + - Remote endpoint (IP:port) + IP address of tunnel remote end + + ipv4 + IP address to listen for incoming connections + + + + + + + + + Port number on tunnel remote end + + 1024-65535 + Numeric IP port + + + + diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index d8c327e19..5c0c07dc4 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018 VyOS maintainers and contributors +# Copyright (C) 2018-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -13,13 +13,12 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -# -# import sys import os import re import subprocess + from copy import deepcopy from netifaces import interfaces @@ -30,10 +29,9 @@ from vyos.ifconfig import WireGuardIf kdir = r'/config/auth/wireguard' - def _check_kmod(): if not os.path.exists('/sys/module/wireguard'): - if os.system('sudo modprobe wireguard') != 0: + if os.system('modprobe wireguard') != 0: raise ConfigError("modprobe wireguard failed") @@ -135,7 +133,8 @@ def get_config(): { p: { 'allowed-ips': [], - 'endpoint': '', + 'address': '', + 'port': '', 'pubkey': '' } } @@ -144,10 +143,14 @@ def get_config(): if c.exists(['peer', p, 'allowed-ips']): wg['peer'][p]['allowed-ips'] = c.return_values( ['peer', p, 'allowed-ips']) - # peer endpoint - if c.exists(['peer', p, 'endpoint']): - wg['peer'][p]['endpoint'] = c.return_value( - ['peer', p, 'endpoint']) + # peer address + if c.exists(['peer', p, 'address']): + wg['peer'][p]['address'] = c.return_value( + ['peer', p, 'address']) + # peer port + if c.exists(['peer', p, 'port']): + wg['peer'][p]['port'] = c.return_value( + ['peer', p, 'port']) # persistent-keepalive if c.exists(['peer', p, 'persistent-keepalive']): wg['peer'][p]['persistent-keepalive'] = c.return_value( @@ -251,8 +254,8 @@ def apply(c): if c['fwmark']: intfc.config['fwmark'] = c['fwmark'] # endpoint - if c['peer'][p]['endpoint']: - intfc.config['endpoint'] = c['peer'][p]['endpoint'] + if c['peer'][p]['address'] and c['peer'][p]['port']: + intfc.config['endpoint'] = "{}:{}".format(c['peer'][p]['address'], c['peer'][p]['port']) # persistent-keepalive if 'persistent-keepalive' in c['peer'][p]: diff --git a/src/migration-scripts/interfaces/7-to-8 b/src/migration-scripts/interfaces/7-to-8 new file mode 100755 index 000000000..78bd2781b --- /dev/null +++ b/src/migration-scripts/interfaces/7-to-8 @@ -0,0 +1,58 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Remove network provider name from CLI and rather use provider APN from CLI + +from sys import exit, argv +from vyos.configtree import ConfigTree + +if __name__ == '__main__': + if (len(argv) < 1): + print("Must specify file name!") + exit(1) + + file_name = argv[1] + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + base = ['interfaces', 'wireguard'] + + if not config.exists(base): + # Nothing to do + exit(0) + + # list all individual wireguard interface isntance + for i in config.list_nodes(base): + iface = base + [i] + for peer in config.list_nodes(iface + ['peer']): + base_peer = iface + ['peer', peer] + if config.exists(base_peer + ['endpoint']): + endpoint = config.return_value(base_peer + ['endpoint']) + address = endpoint.split(':')[0] + port = endpoint.split(':')[1] + # delete old node + config.delete(base_peer + ['endpoint']) + # setup new nodes + config.set(base_peer + ['address'], value=address) + config.set(base_peer + ['port'], value=port) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) -- cgit v1.2.3 From 5a02c36939a1dae7a12cea1bfb8cd1c8c32e85e9 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 5 Apr 2020 13:23:58 +0200 Subject: wireguard: T2206: add valueHelp for listen port --- interface-definitions/interfaces-wireguard.xml.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 87b38962d..f0b5d8df6 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -21,7 +21,11 @@ #include - Local port number to accept connections + Local port to listen for incoming connections + + 1024-65535 + Numeric IP port + -- cgit v1.2.3 From 792b5dcd5a33785c994065d2c7243c21470b3d29 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 5 Apr 2020 13:31:38 +0200 Subject: wireguard: T2228: support ports less then 1024 --- interface-definitions/interfaces-wireguard.xml.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index f0b5d8df6..d3f084774 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -23,11 +23,11 @@ Local port to listen for incoming connections - 1024-65535 + 1-65535 Numeric IP port - + @@ -117,11 +117,11 @@ Port number on tunnel remote end - 1024-65535 + 1-65535 Numeric IP port - + -- cgit v1.2.3