From 4c61fa82f59e26023993be56be1ff9bf0cb5251e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 19 Jul 2023 14:25:55 +0000 Subject: T4899: NAT Redirect: adddestination nat redirection (to local host) feature. --- interface-definitions/nat.xml.in | 8 ++++++++ python/vyos/nat.py | 42 +++++++++++++++++++++------------------ smoketest/scripts/cli/test_nat.py | 21 ++++++++++++++++++++ src/conf_mode/nat.py | 3 ++- 4 files changed, 54 insertions(+), 20 deletions(-) diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in index 501ff05d3..a06ceefb6 100644 --- a/interface-definitions/nat.xml.in +++ b/interface-definitions/nat.xml.in @@ -44,6 +44,14 @@ #include #include + + + Redirect to local host + + + #include + + diff --git a/python/vyos/nat.py b/python/vyos/nat.py index 5b8d5d1a3..603fedb9b 100644 --- a/python/vyos/nat.py +++ b/python/vyos/nat.py @@ -54,28 +54,32 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False): translation_str = 'return' log_suffix = '-EXCL' elif 'translation' in rule_conf: - translation_prefix = nat_type[:1] - translation_output = [f'{translation_prefix}nat'] addr = dict_search_args(rule_conf, 'translation', 'address') port = dict_search_args(rule_conf, 'translation', 'port') - - if addr and is_ip_network(addr): - if not ipv6: - map_addr = dict_search_args(rule_conf, nat_type, 'address') - translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} }}') - ignore_type_addr = True - else: - translation_output.append(f'prefix to {addr}') - elif addr == 'masquerade': - if port: - addr = f'{addr} to ' - translation_output = [addr] - log_suffix = '-MASQ' + redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port') + if redirect_port: + translation_output = [f'redirect to {redirect_port}'] else: - translation_output.append('to') - if addr: - addr = bracketize_ipv6(addr) - translation_output.append(addr) + translation_prefix = nat_type[:1] + translation_output = [f'{translation_prefix}nat'] + + if addr and is_ip_network(addr): + if not ipv6: + map_addr = dict_search_args(rule_conf, nat_type, 'address') + translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} }}') + ignore_type_addr = True + else: + translation_output.append(f'prefix to {addr}') + elif addr == 'masquerade': + if port: + addr = f'{addr} to ' + translation_output = [addr] + log_suffix = '-MASQ' + else: + translation_output.append('to') + if addr: + addr = bracketize_ipv6(addr) + translation_output.append(addr) options = [] addr_mapping = dict_search_args(rule_conf, 'translation', 'options', 'address_mapping') diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py index 02fa03f7b..28d566eba 100755 --- a/smoketest/scripts/cli/test_nat.py +++ b/smoketest/scripts/cli/test_nat.py @@ -231,5 +231,26 @@ class TestNAT(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip vyos_static_nat') + def test_dnat_redirect(self): + dst_addr_1 = '10.0.1.1' + dest_port = '5122' + protocol = 'tcp' + redirected_port = '22' + ifname = 'eth0' + + self.cli_set(dst_path + ['rule', '10', 'destination', 'address', dst_addr_1]) + self.cli_set(dst_path + ['rule', '10', 'destination', 'port', dest_port]) + self.cli_set(dst_path + ['rule', '10', 'protocol', protocol]) + self.cli_set(dst_path + ['rule', '10', 'inbound-interface', ifname]) + self.cli_set(dst_path + ['rule', '10', 'translation', 'redirect', 'port', redirected_port]) + + self.cli_commit() + + nftables_search = [ + [f'iifname "{ifname}"', f'ip daddr {dst_addr_1}', f'{protocol} dport {dest_port}', f'redirect to :{redirected_port}'] + ] + + self.verify_nftables(nftables_search, 'ip vyos_nat') + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index 5f4b658f8..e19b12937 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -72,6 +72,7 @@ def verify_rule(config, err_msg, groups_dict): """ Common verify steps used for both source and destination NAT """ if (dict_search('translation.port', config) != None or + dict_search('translation.redirect.port', config) != None or dict_search('destination.port', config) != None or dict_search('source.port', config)): @@ -221,7 +222,7 @@ def verify(nat): elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces(): Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') - if not dict_search('translation.address', config) and not dict_search('translation.port', config): + if not dict_search('translation.address', config) and not dict_search('translation.port', config) and not dict_search('translation.redirect.port', config): if 'exclude' not in config: raise ConfigError(f'{err_msg} translation requires address and/or port') -- cgit v1.2.3 From 9cdfbd77f7414ea8a13ae66df41035d2f6edef32 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 20 Jul 2023 21:07:40 +0200 Subject: ospf: T5377: add graceful restart FRR feature (RFC 3623) New CLI commands: * set protocols ospf graceful-restart grace-period 300 * set protocols ospf graceful-restart helper planned-only * set protocols ospf graceful-restart helper no-strict-lsa-checking * set protocols ospf graceful-restart helper supported-grace-time 400 * set protocols ospf graceful-restart helper enable router-id 192.0.2.1 * set protocols ospf graceful-restart helper enable router-id 192.0.2.2 * set protocols ospfv3 graceful-restart grace-period 300 * set protocols ospfv3 graceful-restart helper planned-only * set protocols ospfv3 graceful-restart helper lsa-check-disable * set protocols ospfv3 graceful-restart helper supported-grace-time 400 * set protocols ospfv3 graceful-restart helper enable router-id 192.0.2.1 * set protocols ospfv3 graceful-restart helper enable router-id 192.0.2.2 --- data/templates/frr/ospf6d.frr.j2 | 21 +++++++ data/templates/frr/ospfd.frr.j2 | 21 +++++++ .../include/ospf/graceful-restart.xml.i | 67 ++++++++++++++++++++++ .../include/ospf/protocol-common-config.xml.i | 17 +++++- .../include/ospfv3/protocol-common-config.xml.i | 15 +++++ smoketest/scripts/cli/test_protocols_ospf.py | 25 ++++++++ smoketest/scripts/cli/test_protocols_ospfv3.py | 26 +++++++++ src/conf_mode/protocols_ospf.py | 2 + src/conf_mode/protocols_ospfv3.py | 2 + 9 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 interface-definitions/include/ospf/graceful-restart.xml.i diff --git a/data/templates/frr/ospf6d.frr.j2 b/data/templates/frr/ospf6d.frr.j2 index 84394ed1a..b0b5663dd 100644 --- a/data/templates/frr/ospf6d.frr.j2 +++ b/data/templates/frr/ospf6d.frr.j2 @@ -80,6 +80,27 @@ router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if distance.ospfv3 is vyos_defined %} distance ospf6 {{ 'intra-area ' ~ distance.ospfv3.intra_area if distance.ospfv3.intra_area is vyos_defined }} {{ 'inter-area ' ~ distance.ospfv3.inter_area if distance.ospfv3.inter_area is vyos_defined }} {{ 'external ' ~ distance.ospfv3.external if distance.ospfv3.external is vyos_defined }} {% endif %} +{% if graceful_restart is vyos_defined %} +{% if graceful_restart.grace_period is vyos_defined %} + graceful-restart grace-period {{ graceful_restart.grace_period }} +{% endif %} +{% if graceful_restart.helper.enable.router_id is vyos_defined %} +{% for router_id in graceful_restart.helper.enable.router_id %} + graceful-restart helper enable {{ router_id }} +{% endfor %} +{% elif graceful_restart.helper.enable is vyos_defined %} + graceful-restart helper enable +{% endif %} +{% if graceful_restart.helper.planned_only is vyos_defined %} + graceful-restart helper planned-only +{% endif %} +{% if graceful_restart.helper.lsa_check_disable is vyos_defined %} + graceful-restart helper lsa-check-disable +{% endif %} +{% if graceful_restart.helper.supported_grace_time is vyos_defined %} + graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }} +{% endif %} +{% endif %} {% if log_adjacency_changes is vyos_defined %} log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }} {% endif %} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 1ee8d8752..121ecf677 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -153,6 +153,27 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if distance.ospf is vyos_defined %} distance ospf {{ 'intra-area ' + distance.ospf.intra_area if distance.ospf.intra_area is vyos_defined }} {{ 'inter-area ' + distance.ospf.inter_area if distance.ospf.inter_area is vyos_defined }} {{ 'external ' + distance.ospf.external if distance.ospf.external is vyos_defined }} {% endif %} +{% if graceful_restart is vyos_defined %} +{% if graceful_restart.grace_period is vyos_defined %} + graceful-restart grace-period {{ graceful_restart.grace_period }} +{% endif %} +{% if graceful_restart.helper.enable.router_id is vyos_defined %} +{% for router_id in graceful_restart.helper.enable.router_id %} + graceful-restart helper enable {{ router_id }} +{% endfor %} +{% elif graceful_restart.helper.enable is vyos_defined %} + graceful-restart helper enable +{% endif %} +{% if graceful_restart.helper.planned_only is vyos_defined %} + graceful-restart helper planned-only +{% endif %} +{% if graceful_restart.helper.no_strict_lsa_checking is vyos_defined %} + no graceful-restart helper strict-lsa-checking +{% endif %} +{% if graceful_restart.helper.supported_grace_time is vyos_defined %} + graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }} +{% endif %} +{% endif %} {% if log_adjacency_changes is vyos_defined %} log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }} {% endif %} diff --git a/interface-definitions/include/ospf/graceful-restart.xml.i b/interface-definitions/include/ospf/graceful-restart.xml.i new file mode 100644 index 000000000..37d9a7f13 --- /dev/null +++ b/interface-definitions/include/ospf/graceful-restart.xml.i @@ -0,0 +1,67 @@ + + + + Graceful Restart + + + + + Maximum length of the grace period + + u32:1-1800 + Maximum length of the grace period in seconds + + + + + + 120 + + + + OSPF graceful-restart helpers + + + + + Enable helper support + + + + + Advertising Router-ID + + ipv4 + Router-ID in IP address format + + + + + + + + + + + + Supported only planned restart + + + + + + Supported grace timer + + u32:10-1800 + Grace interval in seconds + + + + + + + + + + + diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 3492b873f..438093222 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -339,6 +339,21 @@ +#include + + + + + + + Disable strict LSA check + + + + + + + Maximum multiple paths (ECMP) @@ -928,4 +943,4 @@ - \ No newline at end of file + diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i index a7de50638..4c3ca68e1 100644 --- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i +++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i @@ -107,6 +107,21 @@ +#include + + + + + + + Disable strict LSA check + + + + + + + Enable routing on an IPv6 interface diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index 977376bdd..f4b540694 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -479,5 +479,30 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): self.assertIn(f' ip ospf dead-interval 40', config) self.assertIn(f' no ip ospf mpls ldp-sync', config) + def test_ospf_16_graceful_restart(self): + period = '300' + supported_grace_time = '400' + router_ids = ['192.0.2.1', '192.0.2.2'] + + self.cli_set(base_path + ['graceful-restart', 'grace-period', period]) + self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'no-strict-lsa-checking']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'supported-grace-time', supported_grace_time]) + for router_id in router_ids: + self.cli_set(base_path + ['graceful-restart', 'helper', 'enable', 'router-id', router_id]) + + # commit changes + self.cli_commit() + + # Verify FRR ospfd configuration + frrconfig = self.getFRRconfig('router ospf') + self.assertIn(f'router ospf', frrconfig) + self.assertIn(f' graceful-restart grace-period {period}', frrconfig) + self.assertIn(f' graceful-restart helper planned-only', frrconfig) + self.assertIn(f' no graceful-restart helper strict-lsa-checking', frrconfig) + self.assertIn(f' graceful-restart helper supported-grace-time {supported_grace_time}', frrconfig) + for router_id in router_ids: + self.assertIn(f' graceful-restart helper enable {router_id}', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py index b67bfaac7..64dfa18db 100755 --- a/smoketest/scripts/cli/test_protocols_ospfv3.py +++ b/smoketest/scripts/cli/test_protocols_ospfv3.py @@ -281,5 +281,31 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase): self.cli_delete(['vrf', 'name', vrf]) self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf']) + + def test_ospfv3_09_graceful_restart(self): + period = '300' + supported_grace_time = '400' + router_ids = ['192.0.2.1', '192.0.2.2'] + + self.cli_set(base_path + ['graceful-restart', 'grace-period', period]) + self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'lsa-check-disable']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'supported-grace-time', supported_grace_time]) + for router_id in router_ids: + self.cli_set(base_path + ['graceful-restart', 'helper', 'enable', 'router-id', router_id]) + + # commit changes + self.cli_commit() + + # Verify FRR ospfd configuration + frrconfig = self.getFRRconfig('router ospf6') + self.assertIn(f'router ospf6', frrconfig) + self.assertIn(f' graceful-restart grace-period {period}', frrconfig) + self.assertIn(f' graceful-restart helper planned-only', frrconfig) + self.assertIn(f' graceful-restart helper lsa-check-disable', frrconfig) + self.assertIn(f' graceful-restart helper supported-grace-time {supported_grace_time}', frrconfig) + for router_id in router_ids: + self.assertIn(f' graceful-restart helper enable {router_id}', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index 509d4f501..f2075d25b 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -88,6 +88,8 @@ def get_config(config=None): del default_values['area']['area_type']['nssa'] if 'mpls_te' not in ospf: del default_values['mpls_te'] + if 'graceful_restart' not in ospf: + del default_values['graceful_restart'] for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']: # table is a tagNode thus we need to clean out all occurances for the diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py index 7f50d8624..fbea51f56 100755 --- a/src/conf_mode/protocols_ospfv3.py +++ b/src/conf_mode/protocols_ospfv3.py @@ -83,6 +83,8 @@ def get_config(config=None): # need to check this first and probably drop that key. if dict_search('default_information.originate', ospfv3) is None: del default_values['default_information'] + if 'graceful_restart' not in ospfv3: + del default_values['graceful_restart'] # XXX: T2665: we currently have no nice way for defaults under tag nodes, # clean them out and add them manually :( -- cgit v1.2.3 From a684ab26c5ebdefb13ca870c0bfd5ef60fb9c6fc Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Sat, 10 Sep 2022 21:32:49 +0800 Subject: T4659: op-mode: Display bridge interface detail --- op-mode-definitions/show-bridge.xml.in | 12 ++++++++++++ src/op_mode/bridge.py | 32 +++++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/op-mode-definitions/show-bridge.xml.in b/op-mode-definitions/show-bridge.xml.in index acf3a00c7..a272ea204 100644 --- a/op-mode-definitions/show-bridge.xml.in +++ b/op-mode-definitions/show-bridge.xml.in @@ -42,6 +42,18 @@ ${vyos_op_scripts_dir}/bridge.py show_fdb --interface=$3 + + + Display bridge interface details + + ${vyos_op_scripts_dir}/bridge.py show_detail --interface=$3 + + + + Display bridge interface nexthop-group + + ${vyos_op_scripts_dir}/bridge.py show_detail --nexthop_group --interface=$3 + diff --git a/src/op_mode/bridge.py b/src/op_mode/bridge.py index 5531c41d0..1834b9cc9 100755 --- a/src/op_mode/bridge.py +++ b/src/op_mode/bridge.py @@ -24,6 +24,7 @@ from tabulate import tabulate from vyos.utils.process import cmd from vyos.utils.process import rc_cmd +from vyos.utils.process import call from vyos.utils.dict import dict_search import vyos.opmode @@ -129,7 +130,8 @@ def _get_formatted_output_vlan(data): if vlan_entry.get('vlanEnd'): vlan_end = vlan_entry.get('vlanEnd') vlan = f'{vlan}-{vlan_end}' - flags = ', '.join(vlan_entry.get('flags')).lower() + flags_raw = vlan_entry.get('flags') + flags = ', '.join(flags_raw if isinstance(flags_raw,list) else "").lower() data_entries.append([interface, vlan, flags]) headers = ["Interface", "Vlan", "Flags"] @@ -164,6 +166,23 @@ def _get_formatted_output_mdb(data): output = tabulate(data_entries, headers) return output +def _get_bridge_detail(iface): + """Get interface detail statistics""" + return call(f'vtysh -c "show interface {iface}"') + +def _get_bridge_detail_nexthop_group(iface): + """Get interface detail nexthop_group statistics""" + return call(f'vtysh -c "show interface {iface} nexthop-group"') + +def _get_bridge_detail_nexthop_group_raw(iface): + out = cmd(f'vtysh -c "show interface {iface} nexthop-group"') + return out + +def _get_bridge_detail_raw(iface): + """Get interface detail json statistics""" + data = cmd(f'vtysh -c "show interface {iface} json"') + data_dict = json.loads(data) + return data_dict def show(raw: bool): bridge_data = _get_raw_data_summary() @@ -196,6 +215,17 @@ def show_mdb(raw: bool, interface: str): else: return _get_formatted_output_mdb(mdb_data) +def show_detail(raw: bool, nexthop_group: typing.Optional[bool], interface: str): + if raw: + if nexthop_group: + return _get_bridge_detail_nexthop_group_raw(interface) + else: + return _get_bridge_detail_raw(interface) + else: + if nexthop_group: + return _get_bridge_detail_nexthop_group(interface) + else: + return _get_bridge_detail(interface) if __name__ == '__main__': try: -- cgit v1.2.3 From bd4bb4f869d6df02bfda1ce5668b8cf15a95b4af Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Fri, 21 Jul 2023 10:35:34 +0000 Subject: T5368: service ids ddos-protection add support sflow mode sFlow mode requires fewer resources then mode "mirror" Integrate it into configuration mode set service ids ddos-protection mode 'sflow' set service ids ddos-protection sflow listen-address '127.0.0.1' set service ids ddos-protection sflow port '6343' --- data/templates/ids/fastnetmon.j2 | 11 +++++++- data/templates/ids/fastnetmon_networks_list.j2 | 2 +- .../service-ids-ddos-protection.xml.in | 33 ++++++++++++++++------ src/conf_mode/service_ids_fastnetmon.py | 14 +++++++-- 4 files changed, 47 insertions(+), 13 deletions(-) diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2 index 0340d3c92..f6f03d0db 100644 --- a/data/templates/ids/fastnetmon.j2 +++ b/data/templates/ids/fastnetmon.j2 @@ -29,10 +29,19 @@ unban_only_if_attack_finished = on # For each subnet, list track speed in bps and pps for both directions enable_subnet_counters = off -{% if mode.mirror is vyos_defined %} +{% if mode is vyos_defined('mirror') %} mirror_afpacket = on +{% elif mode is vyos_defined('sflow') %} +sflow = on +{% if sflow.port is vyos_defined %} +sflow_port = {{ sflow.port }} +{% endif %} +{% if sflow.listen_address is vyos_defined %} +sflow_host = {{ sflow.listen_address }} +{% endif %} {% endif %} + process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in direction else 'off' }} process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }} diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2 index 5f1b3ba4d..0a0576d2a 100644 --- a/data/templates/ids/fastnetmon_networks_list.j2 +++ b/data/templates/ids/fastnetmon_networks_list.j2 @@ -1,4 +1,4 @@ -{% if network is vyos_defined() %} +{% if network is vyos_defined %} {% for net in network %} {{ net }} {% endfor %} diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in index bb06189bc..78463136b 100644 --- a/interface-definitions/service-ids-ddos-protection.xml.in +++ b/interface-definitions/service-ids-ddos-protection.xml.in @@ -70,17 +70,34 @@ - + - Traffic capture modes + Traffic capture mode + + mirror sflow + + + mirror + Listen to mirrored traffic + + + sflow + Capture sFlow flows + + + (mirror|sflow) + + + + + + Sflow settings - - - - Listen mirrored traffic mode - - + #include + #include + + 6343 diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py index 2e678cf0b..f6b80552b 100755 --- a/src/conf_mode/service_ids_fastnetmon.py +++ b/src/conf_mode/service_ids_fastnetmon.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2022 VyOS maintainers and contributors +# Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -30,6 +30,7 @@ airbag.enable() config_file = r'/run/fastnetmon/fastnetmon.conf' networks_list = r'/run/fastnetmon/networks_list' excluded_networks_list = r'/run/fastnetmon/excluded_networks_list' +attack_dir = '/var/log/fastnetmon_attacks' def get_config(config=None): if config: @@ -55,8 +56,11 @@ def verify(fastnetmon): if 'mode' not in fastnetmon: raise ConfigError('Specify operating mode!') - if 'listen_interface' not in fastnetmon: - raise ConfigError('Specify interface(s) for traffic capture') + if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon: + raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring") + + if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}): + raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'") if 'alert_script' in fastnetmon: if os.path.isfile(fastnetmon['alert_script']): @@ -74,6 +78,10 @@ def generate(fastnetmon): return None + # Create dir for log attack details + if not os.path.exists(attack_dir): + os.mkdir(attack_dir) + render(config_file, 'ids/fastnetmon.j2', fastnetmon) render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon) render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon) -- cgit v1.2.3 From 52830ddfad973ff8acac48cc1ce57af655d9ed5a Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 21 Jul 2023 21:23:18 +0200 Subject: ospf: T5377: add op-mode commands to display GR status --- op-mode-definitions/include/ospf-common.xml.i | 559 --------------------- op-mode-definitions/include/ospf/common.xml.i | 559 +++++++++++++++++++++ .../include/ospf/graceful-restart.xml.i | 13 + op-mode-definitions/show-ip-ospf.xml.in | 4 +- op-mode-definitions/show-ipv6-ospfv3.xml.in | 2 + 5 files changed, 576 insertions(+), 561 deletions(-) delete mode 100644 op-mode-definitions/include/ospf-common.xml.i create mode 100644 op-mode-definitions/include/ospf/common.xml.i create mode 100644 op-mode-definitions/include/ospf/graceful-restart.xml.i diff --git a/op-mode-definitions/include/ospf-common.xml.i b/op-mode-definitions/include/ospf-common.xml.i deleted file mode 100644 index 979ffb07e..000000000 --- a/op-mode-definitions/include/ospf-common.xml.i +++ /dev/null @@ -1,559 +0,0 @@ - - - - Show IPv4 OSPF border-routers information - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF database information - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF ASBR summary database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF ASBR summary database for given address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF ASBR summary database for given address of advertised router - - - - - - - Show IPv4 OSPF ASBR summary database information of given address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF ASBR summary database of given address for given advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show summary of self-originate IPv4 OSPF ASBR database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF external database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF external database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF external database for specified IP address of advertised router - - - - - - - Show IPv4 OSPF external database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF external database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF external database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF max-age database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF network database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF network database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF network database for given address of advertised router - - - - - - - Show IPv4 OSPF network database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF network database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF network database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF NSSA external database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF NSSA external database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF NSSA external database for specified IP address of advertised router - - - - - - - Show IPv4 OSPF NSSA external database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF NSSA external database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF NSSA external database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF opaque-area database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF opaque-area database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF opaque-area database for specified IP address of advertised router - - - - - - - Show IPv4 OSPF opaque-area database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF opaque-area database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF opaque-area database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF opaque-as database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF opaque-as database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF opaque-as database for specified IP address of advertised router - - - - - - - Show IPv4 OSPF opaque-as database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF opaque-as database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF opaque-as database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF opaque-link database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF opaque-link database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF opaque-link database for specified IP address of advertised router - - - - - - - Show IPv4 OSPF opaque-link database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF opaque-link database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF opaque-link database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF router database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF router database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF router database for specified IP address of advertised router - - - - - - - Show IPv4 OSPF router database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF router database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF router database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF self-originate database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show summary of IPv4 OSPF database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF summary database for specified IP address of advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF summary database for specified IP address of advertised router - - - - - - - Show IPv4 OSPF summary database information of specified IP address - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show advertising router link states - - - - - Show IPv4 OSPF summary database of specified IP address for specified advertised router - - <x.x.x.x> - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show self-originate IPv4 OSPF summary database - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - - - Show IPv4 OSPF interface information - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - -#include - - - Show MPLS information - - - #include - - - - - Show IPv4 OSPF neighbor information - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show detailed IPv4 OSPF neighbor information - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - - Show IPv4 OSPF neighbor information for specified IP address or interface - - <x.x.x.x> - - - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show IPv4 OSPF route information - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - Show detailed IPv4 OSPF route information - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - - - diff --git a/op-mode-definitions/include/ospf/common.xml.i b/op-mode-definitions/include/ospf/common.xml.i new file mode 100644 index 000000000..c8341bd3e --- /dev/null +++ b/op-mode-definitions/include/ospf/common.xml.i @@ -0,0 +1,559 @@ + + + + Show IPv4 OSPF border-routers information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF database information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF ASBR summary database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF ASBR summary database for given address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF ASBR summary database for given address of advertised router + + + + + + + Show IPv4 OSPF ASBR summary database information of given address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF ASBR summary database of given address for given advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show summary of self-originate IPv4 OSPF ASBR database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF external database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF external database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF external database for specified IP address of advertised router + + + + + + + Show IPv4 OSPF external database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF external database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF external database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF max-age database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF network database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF network database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF network database for given address of advertised router + + + + + + + Show IPv4 OSPF network database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF network database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF network database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF NSSA external database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF NSSA external database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF NSSA external database for specified IP address of advertised router + + + + + + + Show IPv4 OSPF NSSA external database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF NSSA external database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF NSSA external database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF opaque-area database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF opaque-area database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF opaque-area database for specified IP address of advertised router + + + + + + + Show IPv4 OSPF opaque-area database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF opaque-area database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF opaque-area database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF opaque-as database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF opaque-as database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF opaque-as database for specified IP address of advertised router + + + + + + + Show IPv4 OSPF opaque-as database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF opaque-as database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF opaque-as database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF opaque-link database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF opaque-link database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF opaque-link database for specified IP address of advertised router + + + + + + + Show IPv4 OSPF opaque-link database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF opaque-link database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF opaque-link database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF router database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF router database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF router database for specified IP address of advertised router + + + + + + + Show IPv4 OSPF router database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF router database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF router database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF self-originate database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show summary of IPv4 OSPF database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF summary database for specified IP address of advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF summary database for specified IP address of advertised router + + + + + + + Show IPv4 OSPF summary database information of specified IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show advertising router link states + + + + + Show IPv4 OSPF summary database of specified IP address for specified advertised router + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show self-originate IPv4 OSPF summary database + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + +#include + + + Show IPv4 OSPF interface information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + +#include + + + Show MPLS information + + + #include + + + + + Show IPv4 OSPF neighbor information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show detailed IPv4 OSPF neighbor information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + Show IPv4 OSPF neighbor information for specified IP address or interface + + <x.x.x.x> + + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show IPv4 OSPF route information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show detailed IPv4 OSPF route information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + diff --git a/op-mode-definitions/include/ospf/graceful-restart.xml.i b/op-mode-definitions/include/ospf/graceful-restart.xml.i new file mode 100644 index 000000000..736d8f951 --- /dev/null +++ b/op-mode-definitions/include/ospf/graceful-restart.xml.i @@ -0,0 +1,13 @@ + + + Show IPv4 OSPF Graceful Restart + + + + + OSPF Graceful Restart helper details + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + diff --git a/op-mode-definitions/show-ip-ospf.xml.in b/op-mode-definitions/show-ip-ospf.xml.in index 704ed984f..f3b9da90c 100644 --- a/op-mode-definitions/show-ip-ospf.xml.in +++ b/op-mode-definitions/show-ip-ospf.xml.in @@ -13,7 +13,7 @@ ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - #include + #include Show OSPF routing protocol for given VRF @@ -24,7 +24,7 @@ ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - #include + #include diff --git a/op-mode-definitions/show-ipv6-ospfv3.xml.in b/op-mode-definitions/show-ipv6-ospfv3.xml.in index a63465472..e1fcf470f 100644 --- a/op-mode-definitions/show-ipv6-ospfv3.xml.in +++ b/op-mode-definitions/show-ipv6-ospfv3.xml.in @@ -41,6 +41,7 @@ #include #include + #include #include #include #include @@ -94,6 +95,7 @@ #include #include + #include #include #include #include -- cgit v1.2.3 From 9e5d0384a0b25949edfd0dfc065b6fe572f943e7 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 21 Jul 2023 21:23:49 +0200 Subject: ospf: T5377: add "capability opaque" support --- data/templates/frr/ospfd.frr.j2 | 3 +++ .../include/ospf/protocol-common-config.xml.i | 13 +++++++++++++ smoketest/scripts/cli/test_protocols_ospf.py | 2 ++ 3 files changed, 18 insertions(+) diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 121ecf677..040628e82 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -133,6 +133,9 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if auto_cost.reference_bandwidth is vyos_defined %} auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }} {% endif %} +{% if capability.opaque is vyos_defined %} + capability opaque +{% endif %} {% if default_information.originate is vyos_defined %} default-information originate {{ 'always' if default_information.originate.always is vyos_defined }} {{ 'metric ' + default_information.originate.metric if default_information.originate.metric is vyos_defined }} {{ 'metric-type ' + default_information.originate.metric_type if default_information.originate.metric_type is vyos_defined }} {{ 'route-map ' + default_information.originate.route_map if default_information.originate.route_map is vyos_defined }} {% endif %} diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 438093222..c4778e126 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -326,6 +326,19 @@ #include + + + Enable specific OSPF features + + + + + Opaque LSA + + + + + #include diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index f4b540694..80befbfd6 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -484,6 +484,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): supported_grace_time = '400' router_ids = ['192.0.2.1', '192.0.2.2'] + self.cli_set(base_path + ['capability', 'opaque']) self.cli_set(base_path + ['graceful-restart', 'grace-period', period]) self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only']) self.cli_set(base_path + ['graceful-restart', 'helper', 'no-strict-lsa-checking']) @@ -497,6 +498,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): # Verify FRR ospfd configuration frrconfig = self.getFRRconfig('router ospf') self.assertIn(f'router ospf', frrconfig) + self.assertIn(f' capability opaque', frrconfig) self.assertIn(f' graceful-restart grace-period {period}', frrconfig) self.assertIn(f' graceful-restart helper planned-only', frrconfig) self.assertIn(f' no graceful-restart helper strict-lsa-checking', frrconfig) -- cgit v1.2.3 From e9153730c76f96fb585df6276b6505a00b14b17b Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 21 Jul 2023 22:20:06 +0200 Subject: login: T5363: keep home when user is deleted Comply with the code comment and not remove the users home directory. This also fixes the issue that user homes get cleaned on system reboot --- src/conf_mode/system-login.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 273475c18..afd75913e 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -389,7 +389,7 @@ def apply(login): # command until user is removed - userdel might return 8 as # SSH sessions are not all yet properly cleaned away, thus we # simply re-run the command until the account wen't away - while run(f'userdel --remove {user}', stderr=DEVNULL): + while run(f'userdel {user}', stderr=DEVNULL): sleep(0.250) except Exception as e: -- cgit v1.2.3 From b805b9950b63a43591799804cc2cacb0fbfb568a Mon Sep 17 00:00:00 2001 From: fett0 Date: Fri, 21 Jul 2023 21:23:25 +0000 Subject: T4974:add/fixed enable ovpn-dco by default --- data/templates/openvpn/server.conf.j2 | 4 ++++ interface-definitions/interfaces-openvpn.xml.in | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index 6332ed9c2..525605240 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -48,6 +48,10 @@ push "redirect-gateway def1" {% if use_lzo_compression is vyos_defined %} compress lzo {% endif %} +{% if enable_dco is not vyos_defined %} +disable-dco +{% endif %} + {% if mode is vyos_defined('client') %} # diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 4e061c3e6..ca6d80f8b 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -793,6 +793,12 @@ + + + Use to enable OpenVPN data channel offload on this TUN interface + + + #include #include -- cgit v1.2.3 From c67db6bc118bba219f9cc41a3a0192f772e795e8 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 22 Jul 2023 20:52:17 +0200 Subject: Revert "Debian: T4974: add openvpn-dco dependency" This reverts commit 9f7b51370732606611253e2e6a16692bf706659b. --- debian/control | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/control b/debian/control index 7880bd317..8e9aaa702 100644 --- a/debian/control +++ b/debian/control @@ -116,7 +116,6 @@ Depends: openvpn, openvpn-auth-ldap, openvpn-auth-radius, - openvpn-dco, openvpn-otp, owamp-client, owamp-server, -- cgit v1.2.3 From e4f3bcc7083c554866cdb0b625ea4991ed0d7f32 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 22 Jul 2023 20:52:56 +0200 Subject: smoketest: T4947: check for OpenVPN DCO Kernel module --- smoketest/scripts/system/test_module_load.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/smoketest/scripts/system/test_module_load.py b/smoketest/scripts/system/test_module_load.py index 69365761f..9d94f01e6 100755 --- a/smoketest/scripts/system/test_module_load.py +++ b/smoketest/scripts/system/test_module_load.py @@ -23,7 +23,8 @@ modules = { "intel_qat": ["qat_200xx", "qat_200xxvf", "qat_c3xxx", "qat_c3xxxvf", "qat_c62x", "qat_c62xvf", "qat_d15xx", "qat_d15xxvf", "qat_dh895xcc", "qat_dh895xccvf"], - "accel_ppp": ["ipoe", "vlan_mon"] + "accel_ppp": ["ipoe", "vlan_mon"], + "openvpn": ["ovpn-dco-v2"] } class TestKernelModules(unittest.TestCase): -- cgit v1.2.3 From 5f2e9cb81d89a5cfecbac01bec054b3ba4e8dff5 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Thu, 6 Jul 2023 17:40:37 +0000 Subject: T5154: NTP: allow maximum of one ipv4 and one ipv6 address on parameter . Also allow only one single value . --- data/templates/chrony/chrony.conf.j2 | 4 +- .../include/version/ntp-version.xml.i | 2 +- interface-definitions/ntp.xml.in | 2 +- smoketest/scripts/cli/test_service_ntp.py | 2 +- src/conf_mode/ntp.py | 34 ++++++++---- src/migration-scripts/ntp/2-to-3 | 62 ++++++++++++++++++++++ 6 files changed, 90 insertions(+), 16 deletions(-) create mode 100755 src/migration-scripts/ntp/2-to-3 diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2 index 7a36fe69d..0daec8fb8 100644 --- a/data/templates/chrony/chrony.conf.j2 +++ b/data/templates/chrony/chrony.conf.j2 @@ -53,8 +53,6 @@ bindaddress {{ address }} {% endfor %} {% endif %} {% if interface is vyos_defined %} -{% for ifname in interface %} -binddevice {{ ifname }} -{% endfor %} +binddevice {{ interface }} {% endif %} {% endif %} diff --git a/interface-definitions/include/version/ntp-version.xml.i b/interface-definitions/include/version/ntp-version.xml.i index 9eafbf7f0..155c824dc 100644 --- a/interface-definitions/include/version/ntp-version.xml.i +++ b/interface-definitions/include/version/ntp-version.xml.i @@ -1,3 +1,3 @@ - + diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/ntp.xml.in index 2275dd61c..4e874434b 100644 --- a/interface-definitions/ntp.xml.in +++ b/interface-definitions/ntp.xml.in @@ -57,7 +57,7 @@ #include - #include + #include #include #include diff --git a/smoketest/scripts/cli/test_service_ntp.py b/smoketest/scripts/cli/test_service_ntp.py index 046e5eea6..47e012913 100755 --- a/smoketest/scripts/cli/test_service_ntp.py +++ b/smoketest/scripts/cli/test_service_ntp.py @@ -108,7 +108,7 @@ class TestSystemNTP(VyOSUnitTestSHIM.TestCase): self.assertIn(f'bindaddress {listen}', config) def test_03_ntp_interface(self): - interfaces = ['eth0', 'eth1'] + interfaces = ['eth0'] for interface in interfaces: self.cli_set(base_path + ['interface', interface]) diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 92cb73aab..95766c44c 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -24,6 +24,7 @@ from vyos.util import call from vyos.util import chmod_750 from vyos.util import get_interface_config from vyos.template import render +from vyos.template import is_ipv4 from vyos import ConfigError from vyos import airbag airbag.enable() @@ -62,16 +63,29 @@ def verify(ntp): if 'interface' in ntp: # If ntpd should listen on a given interface, ensure it exists - for interface in ntp['interface']: - verify_interface_exists(interface) - - # If we run in a VRF, our interface must belong to this VRF, too - if 'vrf' in ntp: - tmp = get_interface_config(interface) - vrf_name = ntp['vrf'] - if 'master' not in tmp or tmp['master'] != vrf_name: - raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\ - f'does not belong to this VRF!') + interface = ntp['interface'] + verify_interface_exists(interface) + + # If we run in a VRF, our interface must belong to this VRF, too + if 'vrf' in ntp: + tmp = get_interface_config(interface) + vrf_name = ntp['vrf'] + if 'master' not in tmp or tmp['master'] != vrf_name: + raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\ + f'does not belong to this VRF!') + + if 'listen_address' in ntp: + ipv4_addresses = 0 + ipv6_addresses = 0 + for address in ntp['listen_address']: + if is_ipv4(address): + ipv4_addresses += 1 + else: + ipv6_addresses += 1 + if ipv4_addresses > 1: + raise ConfigError(f'NTP Only admits one ipv4 value for listen-address parameter ') + if ipv6_addresses > 1: + raise ConfigError(f'NTP Only admits one ipv6 value for listen-address parameter ') return None diff --git a/src/migration-scripts/ntp/2-to-3 b/src/migration-scripts/ntp/2-to-3 new file mode 100755 index 000000000..7d4e0bd83 --- /dev/null +++ b/src/migration-scripts/ntp/2-to-3 @@ -0,0 +1,62 @@ +#!/usr/bin/env python3 + +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# T5154: allow only one ip address per family for parameter 'listen-address' +# Allow only one interface for parameter 'interface' +# If more than one are specified, remove such entries + +import sys + +from vyos.configtree import ConfigTree +from vyos.template import is_ipv4 +from vyos.template import is_ipv6 + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +base_path = ['service', 'ntp'] +if not config.exists(base_path): + # Nothing to do + sys.exit(0) + +if config.exists(base_path + ['listen-address']) and (len([addr for addr in config.return_values(base_path + ['listen-address']) if is_ipv4(addr)]) > 1): + for addr in config.return_values(base_path + ['listen-address']): + if is_ipv4(addr): + config.delete_value(base_path + ['listen-address'], addr) + +if config.exists(base_path + ['listen-address']) and (len([addr for addr in config.return_values(base_path + ['listen-address']) if is_ipv6(addr)]) > 1): + for addr in config.return_values(base_path + ['listen-address']): + if is_ipv6(addr): + config.delete_value(base_path + ['listen-address'], addr) + +if config.exists(base_path + ['interface']): + if len(config.return_values(base_path + ['interface'])) > 1: + config.delete(base_path + ['interface']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) -- cgit v1.2.3 From 494729145397b42fb10c5be472df5d757005a573 Mon Sep 17 00:00:00 2001 From: zsdc Date: Tue, 25 Jul 2023 12:47:31 +0300 Subject: remote: T4412: Improved error handling for uploads/downloads - added ability to set a timeout, with default value 10s - added exceptions handling to show nicer messages for users - denied to use untrusted SSH hosts in non-interactive mode --- python/vyos/remote.py | 72 ++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 57 insertions(+), 15 deletions(-) diff --git a/python/vyos/remote.py b/python/vyos/remote.py index 16fe2b2c2..cf731c881 100644 --- a/python/vyos/remote.py +++ b/python/vyos/remote.py @@ -25,7 +25,7 @@ import urllib.parse from ftplib import FTP from ftplib import FTP_TLS -from paramiko import SSHClient +from paramiko import SSHClient, SSHException from paramiko import MissingHostKeyPolicy from requests import Session @@ -50,7 +50,7 @@ class InteractivePolicy(MissingHostKeyPolicy): def missing_host_key(self, client, hostname, key): print_error(f"Host '{hostname}' not found in known hosts.") print_error('Fingerprint: ' + key.get_fingerprint().hex()) - if ask_yes_no('Do you wish to continue?'): + if sys.stdout.isatty() and ask_yes_no('Do you wish to continue?'): if client._host_keys_filename\ and ask_yes_no('Do you wish to permanently add this host/key pair to known hosts?'): client._host_keys.add(hostname, key.get_name(), key) @@ -96,7 +96,13 @@ def check_storage(path, size): class FtpC: - def __init__(self, url, progressbar=False, check_space=False, source_host='', source_port=0): + def __init__(self, + url, + progressbar=False, + check_space=False, + source_host='', + source_port=0, + timeout=10): self.secure = url.scheme == 'ftps' self.hostname = url.hostname self.path = url.path @@ -106,12 +112,15 @@ class FtpC: self.source = (source_host, source_port) self.progressbar = progressbar self.check_space = check_space + self.timeout = timeout def _establish(self): if self.secure: - return FTP_TLS(source_address=self.source, context=ssl.create_default_context()) + return FTP_TLS(source_address=self.source, + context=ssl.create_default_context(), + timeout=self.timeout) else: - return FTP(source_address=self.source) + return FTP(source_address=self.source, timeout=self.timeout) def download(self, location: str): # Open the file upfront before establishing connection. @@ -150,7 +159,13 @@ class FtpC: class SshC: known_hosts = os.path.expanduser('~/.ssh/known_hosts') - def __init__(self, url, progressbar=False, check_space=False, source_host='', source_port=0): + def __init__(self, + url, + progressbar=False, + check_space=False, + source_host='', + source_port=0, + timeout=10.0): self.hostname = url.hostname self.path = url.path self.username = url.username or os.getenv('REMOTE_USERNAME') @@ -159,6 +174,7 @@ class SshC: self.source = (source_host, source_port) self.progressbar = progressbar self.check_space = check_space + self.timeout = timeout def _establish(self): ssh = SSHClient() @@ -169,7 +185,7 @@ class SshC: ssh.set_missing_host_key_policy(InteractivePolicy()) # `socket.create_connection()` automatically picks a NIC and an IPv4/IPv6 address family # for us on dual-stack systems. - sock = socket.create_connection((self.hostname, self.port), socket.getdefaulttimeout(), self.source) + sock = socket.create_connection((self.hostname, self.port), self.timeout, self.source) ssh.connect(self.hostname, self.port, self.username, self.password, sock=sock) return ssh @@ -198,13 +214,20 @@ class SshC: class HttpC: - def __init__(self, url, progressbar=False, check_space=False, source_host='', source_port=0): + def __init__(self, + url, + progressbar=False, + check_space=False, + source_host='', + source_port=0, + timeout=10.0): self.urlstring = urllib.parse.urlunsplit(url) self.progressbar = progressbar self.check_space = check_space self.source_pair = (source_host, source_port) self.username = url.username or os.getenv('REMOTE_USERNAME') self.password = url.password or os.getenv('REMOTE_PASSWORD') + self.timeout = timeout def _establish(self): session = Session() @@ -220,8 +243,11 @@ class HttpC: # Not only would it potentially mess up with the progress bar but # `shutil.copyfileobj(request.raw, file)` does not handle automatic decoding. s.headers.update({'Accept-Encoding': 'identity'}) - with s.head(self.urlstring, allow_redirects=True) as r: + with s.head(self.urlstring, + allow_redirects=True, + timeout=self.timeout) as r: # Abort early if the destination is inaccessible. + print('pre-3') r.raise_for_status() # If the request got redirected, keep the last URL we ended up with. final_urlstring = r.url @@ -235,7 +261,8 @@ class HttpC: size = None if self.check_space: check_storage(location, size) - with s.get(final_urlstring, stream=True) as r, open(location, 'wb') as f: + with s.get(final_urlstring, stream=True, + timeout=self.timeout) as r, open(location, 'wb') as f: if self.progressbar and size: progress = make_incremental_progressbar(CHUNK_SIZE / size) next(progress) @@ -249,7 +276,10 @@ class HttpC: def upload(self, location: str): # Does not yet support progressbars. with self._establish() as s, open(location, 'rb') as f: - s.post(self.urlstring, data=f, allow_redirects=True) + s.post(self.urlstring, + data=f, + allow_redirects=True, + timeout=self.timeout) class TftpC: @@ -258,10 +288,16 @@ class TftpC: # 2. Since there's no concept authentication, we don't need to deal with keys/passwords. # 3. It would be a waste to import, audit and maintain a third-party library for TFTP. # 4. I'd rather not implement the entire protocol here, no matter how simple it is. - def __init__(self, url, progressbar=False, check_space=False, source_host=None, source_port=0): + def __init__(self, + url, + progressbar=False, + check_space=False, + source_host=None, + source_port=0, + timeout=10): source_option = f'--interface {source_host} --local-port {source_port}' if source_host else '' progress_flag = '--progress-bar' if progressbar else '-s' - self.command = f'curl {source_option} {progress_flag}' + self.command = f'curl {source_option} {progress_flag} --connect-timeout {timeout}' self.urlstring = urllib.parse.urlunsplit(url) def download(self, location: str): @@ -286,10 +322,16 @@ def urlc(urlstring, *args, **kwargs): raise ValueError(f'Unsupported URL scheme: "{url.scheme}"') def download(local_path, urlstring, *args, **kwargs): - urlc(urlstring, *args, **kwargs).download(local_path) + try: + urlc(urlstring, *args, **kwargs).download(local_path) + except Exception as err: + print_error(f'Unable to download "{urlstring}": {err}') def upload(local_path, urlstring, *args, **kwargs): - urlc(urlstring, *args, **kwargs).upload(local_path) + try: + urlc(urlstring, *args, **kwargs).upload(local_path) + except Exception as err: + print_error(f'Unable to upload "{urlstring}": {err}') def get_remote_config(urlstring, source_host='', source_port=0): """ -- cgit v1.2.3 From c473f6475f90d17529cc9e4da939560c04b60bda Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 25 Jul 2023 22:21:11 +0200 Subject: container: T5365: ensure container mogration systemd steps are run with sudo --- src/migration-scripts/container/0-to-1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/migration-scripts/container/0-to-1 b/src/migration-scripts/container/0-to-1 index 9fcf295e8..86f89ee04 100755 --- a/src/migration-scripts/container/0-to-1 +++ b/src/migration-scripts/container/0-to-1 @@ -39,12 +39,12 @@ config = ConfigTree(config_file) if config.exists(base): for container in config.list_nodes(base): # Stop any given container first - call(f'systemctl stop vyos-container-{container}.service') + call(f'sudo systemctl stop vyos-container-{container}.service') # Export container image for later re-import to new filesystem. We store # the backup on a real disk as a tmpfs (like /tmp) could probably lack # memory if a host has too many containers stored. image_name = config.return_value(base + [container, 'image']) - call(f'podman image save --quiet --output /root/{container}.tar --format oci-archive {image_name}') + call(f'sudo podman image save --quiet --output /root/{container}.tar --format oci-archive {image_name}') # No need to adjust the strage driver online (this is only used for testing and # debugging on a live system) - it is already overlay2 when the migration script @@ -66,10 +66,10 @@ if config.exists(base): # Export container image for later re-import to new filesystem image_name = config.return_value(base + [container, 'image']) image_path = f'/root/{container}.tar' - call(f'podman image load --quiet --input {image_path}') + call(f'sudo podman image load --quiet --input {image_path}') # Start any given container first - call(f'systemctl start vyos-container-{container}.service') + call(f'sudo systemctl start vyos-container-{container}.service') # Delete temporary container image if os.path.exists(image_path): -- cgit v1.2.3 From 20ac831df73aa89da4eb172bfb4d5f4256071983 Mon Sep 17 00:00:00 2001 From: Jonathan Voss Date: Tue, 25 Jul 2023 14:25:42 -0500 Subject: static: T5398: do not mangle interface names in FRR --- src/conf_mode/protocols_static.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py index 7b6150696..5def8d645 100755 --- a/src/conf_mode/protocols_static.py +++ b/src/conf_mode/protocols_static.py @@ -47,7 +47,7 @@ def get_config(config=None): base_path = ['protocols', 'static'] # eqivalent of the C foo ? 'a' : 'b' statement base = vrf and ['vrf', 'name', vrf, 'protocols', 'static'] or base_path - static = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + static = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) # Assign the name of our VRF context if vrf: static['vrf'] = vrf -- cgit v1.2.3 From b3eaa3c11a3754eed11602286baf10320af3b48e Mon Sep 17 00:00:00 2001 From: Apachez Date: Wed, 26 Jul 2023 11:25:42 +0200 Subject: T5399: VRF-support for show ntp --- src/op_mode/show_ntp.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/op_mode/show_ntp.sh b/src/op_mode/show_ntp.sh index 85f8eda15..4b59b801e 100755 --- a/src/op_mode/show_ntp.sh +++ b/src/op_mode/show_ntp.sh @@ -18,7 +18,7 @@ if ! ps -C chronyd &>/dev/null; then fi PID=$(pgrep chronyd | head -n1) -VRF_NAME=$(ip vrf identify ) +VRF_NAME=$(ip vrf identify ${PID}) if [ ! -z ${VRF_NAME} ]; then VRF_CMD="sudo ip vrf exec ${VRF_NAME}" -- cgit v1.2.3 From 9e0a9b7df3d7187173feaf922fedbac8f0f0b674 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 26 Jul 2023 22:28:43 +0200 Subject: openvpn: T4974: do not automatically load the DCO module Module should be loaded/unloaded on demand. --- src/etc/modprobe.d/openvpn.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 src/etc/modprobe.d/openvpn.conf diff --git a/src/etc/modprobe.d/openvpn.conf b/src/etc/modprobe.d/openvpn.conf new file mode 100644 index 000000000..a9259fea2 --- /dev/null +++ b/src/etc/modprobe.d/openvpn.conf @@ -0,0 +1 @@ +blacklist ovpn-dco-v2 -- cgit v1.2.3 From fa07179ae7f1dc07e6ccc1b20d2b81384b6efe07 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 26 Jul 2023 23:14:19 +0200 Subject: openvpn: T4974: dynamically load/unload kernel module --- python/vyos/utils/kernel.py | 11 +++++++++++ src/conf_mode/interfaces-openvpn.py | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/python/vyos/utils/kernel.py b/python/vyos/utils/kernel.py index 0eb113174..1f3bbdffe 100644 --- a/python/vyos/utils/kernel.py +++ b/python/vyos/utils/kernel.py @@ -25,3 +25,14 @@ def check_kmod(k_mod): if not os.path.exists(f'/sys/module/{module}'): if call(f'modprobe {module}') != 0: raise ConfigError(f'Loading Kernel module {module} failed') + +def unload_kmod(k_mod): + """ Common utility function to unload required kernel modules on demand """ + from vyos import ConfigError + from vyos.utils.process import call + if isinstance(k_mod, str): + k_mod = k_mod.split() + for module in k_mod: + if os.path.exists(f'/sys/module/{module}'): + if call(f'rmmod {module}') != 0: + raise ConfigError(f'Unloading Kernel module {module} failed') diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 607a19385..2e4bea377 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -56,6 +56,8 @@ from vyos.utils.list import is_list_equal from vyos.utils.file import makedir from vyos.utils.file import read_file from vyos.utils.file import write_file +from vyos.utils.kernel import check_kmod +from vyos.utils.kernel import unload_kmod from vyos.utils.process import call from vyos.utils.permission import chown from vyos.utils.process import cmd @@ -95,6 +97,8 @@ def get_config(config=None): openvpn['pki'] = tmp_pki if is_node_changed(conf, base + [ifname, 'openvpn-option']): openvpn.update({'restart_required': {}}) + if is_node_changed(conf, base + [ifname, 'enable-dco']): + openvpn.update({'restart_required': {}}) # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. @@ -679,6 +683,13 @@ def apply(openvpn): if not is_addr_assigned(openvpn['local_host']): cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1') + # dynamically load/unload DCO Kernel extension if requested + dco_module = 'ovpn_dco_v2' + if 'enable_dco' in openvpn: + check_kmod(dco_module) + else: + unload_kmod(dco_module) + # No matching OpenVPN process running - maybe it got killed or none # existed - nevertheless, spawn new OpenVPN process action = 'reload-or-restart' -- cgit v1.2.3 From 341a84240e6d85c62ad5500ab2ef6e19dcf63cef Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 27 Jul 2023 09:45:55 +0200 Subject: openvpn: T4974: restructure get_config() Preparation to make the code flow look more intuitive and add room to add parsing of additional OpenVPN interfaces for DCO module load. --- src/conf_mode/interfaces-openvpn.py | 47 +++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 2e4bea377..653474ed0 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -88,32 +88,33 @@ def get_config(config=None): conf = Config() base = ['interfaces', 'openvpn'] - tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - ifname, openvpn = get_interface_dict(conf, base) - - if 'deleted' not in openvpn: - openvpn['pki'] = tmp_pki - if is_node_changed(conf, base + [ifname, 'openvpn-option']): - openvpn.update({'restart_required': {}}) - if is_node_changed(conf, base + [ifname, 'enable-dco']): - openvpn.update({'restart_required': {}}) - - # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' - # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. - tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True) - - # We have to cleanup the config dict, as default values could enable features - # which are not explicitly enabled on the CLI. Example: server mfa totp - # originate comes with defaults, which will enable the - # totp plugin, even when not set via CLI so we - # need to check this first and drop those keys - if dict_search('server.mfa.totp', tmp) == None: - del openvpn['server']['mfa'] - openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn) + if 'deleted' in openvpn: + return openvpn + + openvpn['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + if is_node_changed(conf, base + [ifname, 'openvpn-option']): + openvpn.update({'restart_required': {}}) + if is_node_changed(conf, base + [ifname, 'enable-dco']): + openvpn.update({'restart_required': {}}) + + # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' + # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. + tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True) + + # We have to cleanup the config dict, as default values could enable features + # which are not explicitly enabled on the CLI. Example: server mfa totp + # originate comes with defaults, which will enable the + # totp plugin, even when not set via CLI so we + # need to check this first and drop those keys + if dict_search('server.mfa.totp', tmp) == None: + del openvpn['server']['mfa'] + return openvpn def is_ec_private_key(pki, cert_name): -- cgit v1.2.3 From 32b9ac3653fa27e90c0a6b16c3ab141fd4237cb7 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 27 Jul 2023 11:16:40 +0200 Subject: openvpn: T4974: move CLI node "enable-dco" -> "offload dco" to match other inetfaces Keep a common CLI structure by re-using the already established offload node from ethernet. --- data/templates/openvpn/server.conf.j2 | 3 +-- interface-definitions/interfaces-openvpn.xml.in | 19 +++++++++++------ src/conf_mode/interfaces-openvpn.py | 28 ++++++++++++++++++------- 3 files changed, 35 insertions(+), 15 deletions(-) diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index 525605240..d144529f3 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -48,11 +48,10 @@ push "redirect-gateway def1" {% if use_lzo_compression is vyos_defined %} compress lzo {% endif %} -{% if enable_dco is not vyos_defined %} +{% if offload.dco is not vyos_defined %} disable-dco {% endif %} - {% if mode is vyos_defined('client') %} # # OpenVPN Client mode diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index ca6d80f8b..127a8179b 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -285,6 +285,19 @@ + + + Configurable offload options + + + + + Enable data channel offload on this interface + + + + + Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check system log to look for errors. @@ -793,12 +806,6 @@ - - - Use to enable OpenVPN data channel offload on this TUN interface - - - #include #include diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 653474ed0..3bef9b8f6 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -115,6 +115,18 @@ def get_config(config=None): if dict_search('server.mfa.totp', tmp) == None: del openvpn['server']['mfa'] + # OpenVPN Data-Channel-Offload (DCO) is a Kernel module. If loaded it applies to all + # OpenVPN interfaces. Check if DCO is used by any other interface instance. + tmp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + for interface, interface_config in tmp.items(): + # If one interface has DCO configured, enable it. No need to further check + # all other OpenVPN interfaces. We must use a dedicated key to indicate + # the Kernel module must be loaded or not. The per interface "offload.dco" + # key is required per OpenVPN interface instance. + if dict_search('offload.dco', interface_config) != None: + openvpn['module_load_dco'] = {} + break + return openvpn def is_ec_private_key(pki, cert_name): @@ -675,6 +687,15 @@ def apply(openvpn): if interface in interfaces(): VTunIf(interface).remove() + # dynamically load/unload DCO Kernel extension if requested + dco_module = 'ovpn_dco_v2' + if 'module_load_dco' in openvpn: + check_kmod(dco_module) + else: + unload_kmod(dco_module) + + # Now bail out early if interface is disabled or got deleted + if 'deleted' in openvpn or 'disable' in openvpn: return None # verify specified IP address is present on any interface on this system @@ -684,13 +705,6 @@ def apply(openvpn): if not is_addr_assigned(openvpn['local_host']): cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1') - # dynamically load/unload DCO Kernel extension if requested - dco_module = 'ovpn_dco_v2' - if 'enable_dco' in openvpn: - check_kmod(dco_module) - else: - unload_kmod(dco_module) - # No matching OpenVPN process running - maybe it got killed or none # existed - nevertheless, spawn new OpenVPN process action = 'reload-or-restart' -- cgit v1.2.3 From 3de59f1365e5b908d3b24748d77dcb0bd9477ca8 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 27 Jul 2023 11:18:11 +0200 Subject: wwan: T3795: remove superfluous call to set_level() --- src/conf_mode/interfaces-wwan.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py index 6658ca86a..2515dc838 100755 --- a/src/conf_mode/interfaces-wwan.py +++ b/src/conf_mode/interfaces-wwan.py @@ -75,7 +75,6 @@ def get_config(config=None): # We need to know the amount of other WWAN interfaces as ModemManager needs # to be started or stopped. - conf.set_level(base) wwan['other_interfaces'] = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) -- cgit v1.2.3 From f0a630cce26aa4f99e367bae2b41495c5f740f95 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Tue, 25 Jul 2023 02:36:49 -0400 Subject: T5127: vpnv4/vpnv6 : warning for router-id --- src/conf_mode/protocols_bgp.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index cec025fea..7b9f15505 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py @@ -475,6 +475,8 @@ def verify(bgp): if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']): raise ConfigError( 'Command "import vrf" conflicts with "rd vpn export" command!') + if not dict_search('parameters.router_id', bgp): + Warning(f'BGP "router-id" is required when using "rd" and "route-target"!') if dict_search('route_target.vpn.both', afi_config): if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']): -- cgit v1.2.3 From 223a6c5cd63fbcf7ff265b2721d0cd9f0aafb369 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 26 Jul 2023 22:24:16 -0500 Subject: xml: T5403: add support for supplemental xml cache --- .gitignore | 1 + debian/vyos-1x.postinst | 3 ++ python/vyos/xml_ref/generate_cache.py | 71 ++++++++++++++++++++++--------- python/vyos/xml_ref/pkg_cache/__init__.py | 0 python/vyos/xml_ref/update_cache.py | 51 ++++++++++++++++++++++ 5 files changed, 105 insertions(+), 21 deletions(-) create mode 100644 python/vyos/xml_ref/pkg_cache/__init__.py create mode 100755 python/vyos/xml_ref/update_cache.py diff --git a/.gitignore b/.gitignore index e766a2c27..7707e94ca 100644 --- a/.gitignore +++ b/.gitignore @@ -144,3 +144,4 @@ debian/*.substvars data/component-versions.json # vyos-1x XML cache python/vyos/xml_ref/cache.py +python/vyos/xml_ref/pkg_cache/*_cache.py diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 93e7ced9b..b1bd23ff2 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -180,6 +180,9 @@ systemctl enable vyos-config-cloud-init.service # Generate API GraphQL schema /usr/libexec/vyos/services/api/graphql/generate/generate_schema.py +# Update XML cache +python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py + # T1797: disable VPP support for rolling release, should be used by developers # only (in the initial phase). If you wan't to enable VPP use the below command # on your VyOS installation: diff --git a/python/vyos/xml_ref/generate_cache.py b/python/vyos/xml_ref/generate_cache.py index 792c6eea7..6f08486a8 100755 --- a/python/vyos/xml_ref/generate_cache.py +++ b/python/vyos/xml_ref/generate_cache.py @@ -18,10 +18,14 @@ import sys import json -import argparse +from argparse import ArgumentParser +from argparse import ArgumentTypeError +from os import getcwd +from os import makedirs from os.path import join from os.path import abspath from os.path import dirname +from os.path import basename from xmltodict import parse _here = dirname(__file__) @@ -29,9 +33,10 @@ _here = dirname(__file__) sys.path.append(join(_here, '..')) from configtree import reference_tree_to_json, ConfigTreeError -xml_cache = abspath(join(_here, 'cache.py')) xml_cache_json = 'xml_cache.json' xml_tmp = join('/tmp', xml_cache_json) +pkg_cache = abspath(join(_here, 'pkg_cache')) +ref_cache = abspath(join(_here, 'cache.py')) node_data_fields = ("node_type", "multi", "valueless", "default_value") @@ -45,16 +50,29 @@ def trim_node_data(cache: dict): if isinstance(cache[k], dict): trim_node_data(cache[k]) +def non_trivial(s): + if not s: + raise ArgumentTypeError("Argument must be non empty string") + if s == 'vyos-1x' and basename(getcwd()) != 'vyos-1x': + # builds outside of vyos-1x must specify package name + raise ArgumentTypeError("Specify package name") + return s + def main(): - parser = argparse.ArgumentParser(description='generate and save dict from xml defintions') + parser = ArgumentParser(description='generate and save dict from xml defintions') parser.add_argument('--xml-dir', type=str, required=True, help='transcluded xml interface-definition directory') - parser.add_argument('--save-json-dir', type=str, - help='directory to save json cache if needed') - args = parser.parse_args() - - xml_dir = abspath(args.xml_dir) - save_dir = abspath(args.save_json_dir) if args.save_json_dir else None + parser.add_argument('--package-name', type=non_trivial, default='vyos-1x', + help='name of current package') + parser.add_argument('--output-path', help='path to generated cache') + args = vars(parser.parse_args()) + + xml_dir = abspath(args['xml_dir']) + pkg_name = args['package_name'].replace('-','_') + cache_name = pkg_name + '_cache.py' + out_path = args['output_path'] + path = out_path if out_path is not None else pkg_cache + xml_cache = abspath(join(path, cache_name)) try: reference_tree_to_json(xml_dir, xml_tmp) @@ -67,21 +85,30 @@ def main(): trim_node_data(d) - if save_dir is not None: - save_file = join(save_dir, xml_cache_json) - with open(save_file, 'w') as f: - f.write(json.dumps(d)) - syntax_version = join(xml_dir, 'xml-component-version.xml') - with open(syntax_version) as f: - content = f.read() + try: + with open(syntax_version) as f: + component = f.read() + except FileNotFoundError: + if pkg_name != 'vyos_1x': + component = '' + else: + print("\nWARNING: missing xml-component-version.xml\n") + sys.exit(1) - parsed = parse(content) - converted = parsed['interfaceDefinition']['syntaxVersion'] + if component: + parsed = parse(component) + else: + parsed = None version = {} - for i in converted: - tmp = {i['@component']: i['@version']} - version |= tmp + # addon package definitions may have empty (== 0) version info + if parsed is not None and parsed['interfaceDefinition'] is not None: + converted = parsed['interfaceDefinition']['syntaxVersion'] + if not isinstance(converted, list): + converted = [converted] + for i in converted: + tmp = {i['@component']: i['@version']} + version |= tmp version = {"component_version": version} @@ -90,5 +117,7 @@ def main(): with open(xml_cache, 'w') as f: f.write(f'reference = {str(d)}') + print(cache_name) + if __name__ == '__main__': main() diff --git a/python/vyos/xml_ref/pkg_cache/__init__.py b/python/vyos/xml_ref/pkg_cache/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/python/vyos/xml_ref/update_cache.py b/python/vyos/xml_ref/update_cache.py new file mode 100755 index 000000000..0842bcbe9 --- /dev/null +++ b/python/vyos/xml_ref/update_cache.py @@ -0,0 +1,51 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# +import os +from copy import deepcopy +from generate_cache import pkg_cache +from generate_cache import ref_cache + +def dict_merge(source, destination): + dest = deepcopy(destination) + + for key, value in source.items(): + if key not in dest: + dest[key] = value + elif isinstance(source[key], dict): + dest[key] = dict_merge(source[key], dest[key]) + + return dest + +def main(): + res = {} + cache_dir = os.path.basename(pkg_cache) + for mod in os.listdir(pkg_cache): + mod = os.path.splitext(mod)[0] + if not mod.endswith('_cache'): + continue + d = getattr(__import__(f'{cache_dir}.{mod}', fromlist=[mod]), 'reference') + if mod == 'vyos_1x_cache': + res = dict_merge(res, d) + else: + res = dict_merge(d, res) + + with open(ref_cache, 'w') as f: + f.write(f'reference = {str(res)}') + +if __name__ == '__main__': + main() -- cgit v1.2.3 From 2015717bdc879e2a598984f60835d8e5710d721e Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 27 Jul 2023 21:58:39 +0200 Subject: T5411: add additional monitor log targets --- Makefile | 3 - op-mode-definitions/monitor-bridge.xml.in | 4 +- op-mode-definitions/monitor-log.xml.in | 107 ++++++++++++++++++------------ op-mode-definitions/monitor-ndp.xml.in | 8 +-- op-mode-definitions/show-log.xml.in | 102 ++++++++++++++-------------- 5 files changed, 118 insertions(+), 106 deletions(-) diff --git a/Makefile b/Makefile index 25f2c96d2..fe17ce994 100644 --- a/Makefile +++ b/Makefile @@ -61,10 +61,7 @@ op_mode_definitions: $(op_xml_obj) rm -f $(OP_TMPL_DIR)/clear/node.def rm -f $(OP_TMPL_DIR)/delete/node.def rm -f $(OP_TMPL_DIR)/generate/node.def - rm -f $(OP_TMPL_DIR)/monitor/node.def rm -f $(OP_TMPL_DIR)/set/node.def - rm -f $(OP_TMPL_DIR)/show/node.def - rm -f $(OP_TMPL_DIR)/show/system/node.def rm -f $(OP_TMPL_DIR)/show/tech-support/node.def # XXX: ping and traceroute must be able to recursivly call itself as the diff --git a/op-mode-definitions/monitor-bridge.xml.in b/op-mode-definitions/monitor-bridge.xml.in index 712a924f1..a43fa6dd9 100644 --- a/op-mode-definitions/monitor-bridge.xml.in +++ b/op-mode-definitions/monitor-bridge.xml.in @@ -4,14 +4,14 @@ - Monitoring bridge database generated objects and address changes + Monitor bridge database changes sudo bridge monitor all sudo bridge monitor link - Monitoring bridge database generated connection interface changes + Monitor bridge database generated connection interface changes diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in index 8f3f73478..c7be07aa8 100644 --- a/op-mode-definitions/monitor-log.xml.in +++ b/op-mode-definitions/monitor-log.xml.in @@ -1,6 +1,9 @@ + + Monitor system information + @@ -27,6 +30,12 @@ + + + Monitor last lines of conntrack-sync log + + journalctl --no-hostname --follow --boot --unit conntrackd.service + Monitor last lines of Dynamic Host Control Protocol log @@ -117,6 +126,23 @@ journalctl --no-hostname --boot --follow --unit chrony.service + + + Monitor last lines of OpenVPN log + + journalctl --no-hostname --boot --follow --unit openvpn@*.service + + + + Monitor last lines of specific OpenVPN interface log + + interfaces openvpn + + + journalctl --no-hostname --boot --unit openvpn@$5.service + + + Monitor last lines of PPPoE interface log @@ -248,9 +274,45 @@ journalctl --no-hostname --boot --follow --unit ssh.service + + + Monitor last lines of ALL Virtual Private Network services + + journalctl --no-hostname --boot --follow --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service + + + + Monitor last lines of IPsec log + + journalctl --no-hostname --boot --follow --unit strongswan.service + + + + Monitor last lines of L2TP log + + journalctl --no-hostname --boot --follow --unit accel-ppp@l2tp.service + + + + Monitor last lines of OpenConnect log + + journalctl --no-hostname --boot --follow --unit ocserv.service + + + + Monitor last lines of PPTP log + + journalctl --no-hostname --boot --follow --unit accel-ppp@pptp.service + + + + Monitor last lines of Secure Socket Tunneling Protocol server + + journalctl --no-hostname --boot --follow --unit accel-ppp@sstp.service + - Monitor last lines of Secure Socket Tunneling Protocol log + Monitor last lines of Secure Socket Tunneling Protocol client journalctl --no-hostname --boot --follow --unit "ppp@sstpc*.service" @@ -265,49 +327,6 @@ - - - Monitor Virtual Private Network services - - - - - Monitor last lines of ALL VPNs - - journalctl --no-hostname --boot --follow --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service - - - - Monitor last lines of IPsec log - - journalctl --no-hostname --boot --follow --unit strongswan.service - - - - Monitor last lines of L2TP log - - journalctl --no-hostname --boot --follow --unit accel-ppp@l2tp.service - - - - Monitor last lines of OpenConnect log - - journalctl --no-hostname --boot --follow --unit ocserv.service - - - - Monitor last lines of PPTP log - - journalctl --no-hostname --boot --follow --unit accel-ppp@pptp.service - - - - Monitor last lines of SSTP log - - journalctl --no-hostname --boot --follow --unit accel-ppp@sstp.service - - - Monitor last lines of Vector Packet Processor log diff --git a/op-mode-definitions/monitor-ndp.xml.in b/op-mode-definitions/monitor-ndp.xml.in index 26d881f1a..3b08f3d73 100644 --- a/op-mode-definitions/monitor-ndp.xml.in +++ b/op-mode-definitions/monitor-ndp.xml.in @@ -4,14 +4,14 @@ - Monitor the NDP information received by the router through the device + Monitor Neighbor Discovery Protocol (NDP) information sudo ndptool monitor sudo ndptool monitor --ifname=$4 - Monitor ndp protocol on specified interface + Monitor Neighbor Discovery Protocol on specified interface @@ -20,7 +20,7 @@ sudo ndptool monitor --ifname=$4 --msg-type=$6 - Monitor specific types of NDP protocols + Monitor specific Neighbor Discovery Protocol type rs ra ns na @@ -31,7 +31,7 @@ sudo ndptool monitor --msg-type=$4 - Monitor specific types of NDP protocols + Monitor specific Neighbor Discovery Protocol type rs ra ns na diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index 579e348f7..925a780ac 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -1,6 +1,9 @@ + + Show system information + @@ -395,23 +398,6 @@ journalctl --no-hostname --boot --unit ssh.service - - - Show log for SSTP client - - journalctl --no-hostname --boot --unit "ppp@sstpc*.service" - - - - Show SSTP client log on specific interface - - interfaces sstpc - - - journalctl --no-hostname --boot --unit "ppp@$5.service" - - - Show last n changes to messages @@ -427,47 +413,57 @@ tail -n 10 /var/log/messages - + + + Monitor last lines of ALL Virtual Private Network services + + journalctl --no-hostname --boot --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service + + + + Show log for IPsec + + journalctl --no-hostname --boot --unit strongswan.service + + + + Show log for L2TP + + journalctl --no-hostname --boot --unit accel-ppp@l2tp.service + + + + Show log for OpenConnect + + journalctl --no-hostname --boot --unit ocserv.service + + + + Show log for PPTP + + journalctl --no-hostname --boot --unit accel-ppp@pptp.service + + + + Show log for Secure Socket Tunneling Protocol (SSTP) server + + journalctl --no-hostname --boot --unit accel-ppp@sstp.service + + - Show log for Virtual Private Network (VPN) + Show log for Secure Socket Tunneling Protocol (SSTP) client + journalctl --no-hostname --boot --unit "ppp@sstpc*.service" - - - Show log for ALL - - journalctl --no-hostname --boot --unit strongswan.service --unit accel-ppp@*.service --unit ocserv.service - - - - Show log for IPsec - - journalctl --no-hostname --boot --unit strongswan.service - - - - Show log for L2TP - - journalctl --no-hostname --boot --unit accel-ppp@l2tp.service - - - - Show log for OpenConnect - - journalctl --no-hostname --boot --unit ocserv.service - - - - Show log for PPTP - - journalctl --no-hostname --boot --unit accel-ppp@pptp.service - - + - Show log for SSTP + Show SSTP client log on specific interface + + interfaces sstpc + - journalctl --no-hostname --boot --unit accel-ppp@sstp.service - + journalctl --no-hostname --boot --unit "ppp@$5.service" + -- cgit v1.2.3 From e310cb6e194bdd67d2e3dcf2fb645382f7049a79 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Fri, 28 Jul 2023 11:04:20 -0500 Subject: configtree: T5316: use single-pass to drop trim function --- python/vyos/configtree.py | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/python/vyos/configtree.py b/python/vyos/configtree.py index d0cd87464..e18d9817d 100644 --- a/python/vyos/configtree.py +++ b/python/vyos/configtree.py @@ -418,10 +418,6 @@ class DiffTree: self.__diff_tree.argtypes = [c_char_p, c_void_p, c_void_p] self.__diff_tree.restype = c_void_p - self.__trim_tree = self.__lib.trim_tree - self.__trim_tree.argtypes = [c_void_p, c_void_p] - self.__trim_tree.restype = c_void_p - check_path(path) path_str = " ".join(map(str, path)).encode() @@ -435,11 +431,7 @@ class DiffTree: self.add = self.full.get_subtree(['add']) self.sub = self.full.get_subtree(['sub']) self.inter = self.full.get_subtree(['inter']) - - # trim sub(-tract) tree to get delete tree for commands - ref = self.right.get_subtree(path, with_node=True) if path else self.right - res = self.__trim_tree(self.sub._get_config(), ref._get_config()) - self.delete = ConfigTree(address=res) + self.delete = self.full.get_subtree(['del']) def to_commands(self): add = self.add.to_commands() -- cgit v1.2.3 From 399edb32eb68ce5fa3189ff83f09b307c6e9222d Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 29 Jul 2023 21:10:36 +0200 Subject: vpp: T1797: change dependency to amd64 builds only --- debian/control | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/control b/debian/control index 8e9aaa702..772edb540 100644 --- a/debian/control +++ b/debian/control @@ -91,7 +91,7 @@ Depends: libqmi-utils, libstrongswan-extra-plugins (>=5.9), libstrongswan-standard-plugins (>=5.9), - libvppinfra, + libvppinfra [amd64], libvyosconfig0, linux-cpupower, lldpd, @@ -145,7 +145,7 @@ Depends: python3-tabulate, python3-vici (>= 5.7.2), python3-voluptuous, - python3-vpp-api, + python3-vpp-api [amd64], python3-xmltodict, python3-zmq, qrencode, @@ -180,9 +180,9 @@ Depends: uidmap, usb-modeswitch, usbutils, - vpp, - vpp-plugin-core, - vpp-plugin-dpdk, + vpp [amd64], + vpp-plugin-core [amd64], + vpp-plugin-dpdk [amd64], vyatta-bash, vyatta-cfg, vyos-http-api-tools, -- cgit v1.2.3 From d59c9c35c03799000e91b4c1e12e9e8c02256aeb Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Sat, 29 Jul 2023 15:04:39 -0500 Subject: xml: T5403: fix installation of xml cache --- .gitignore | 1 + Makefile | 5 ++++- debian/rules | 3 +++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 7707e94ca..d781beead 100644 --- a/.gitignore +++ b/.gitignore @@ -109,6 +109,7 @@ ENV/ templates-cfg/* templates-op/* tests/templates/* +xml_cache/* # Debian packaging debian/files diff --git a/Makefile b/Makefile index fe17ce994..ecd610bae 100644 --- a/Makefile +++ b/Makefile @@ -3,6 +3,7 @@ OP_TMPL_DIR := templates-op BUILD_DIR := build DATA_DIR := data SHIM_DIR := src/shim +CACHE_DIR := xml_cache LIBS := -lzmq CFLAGS := BUILD_ARCH := $(shell dpkg-architecture -q DEB_BUILD_ARCH) @@ -23,10 +24,11 @@ op_xml_obj = $(op_xml_src:.xml.in=.xml) .ONESHELL: interface_definitions: $(config_xml_obj) mkdir -p $(TMPL_DIR) + mkdir -p $(CACHE_DIR) $(CURDIR)/scripts/override-default $(BUILD_DIR)/interface-definitions - $(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions + $(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions --output-path $(CACHE_DIR) find $(BUILD_DIR)/interface-definitions -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1 @@ -96,6 +98,7 @@ clean: rm -rf $(BUILD_DIR) rm -rf $(TMPL_DIR) rm -rf $(OP_TMPL_DIR) + rm -rf $(CACHE_DIR) $(MAKE) -C $(SHIM_DIR) clean .PHONY: test diff --git a/debian/rules b/debian/rules index 9ada2bf87..39185f1e6 100755 --- a/debian/rules +++ b/debian/rules @@ -9,6 +9,7 @@ VYOS_CFG_TMPL_DIR := opt/vyatta/share/vyatta-cfg/templates VYOS_OP_TMPL_DIR := opt/vyatta/share/vyatta-op/templates VYOS_MIBS_DIR := usr/share/snmp/mibs VYOS_LOCALUI_DIR := srv/localui +VYOS_XML_CACHE_DIR := python/vyos/xml_ref/pkg_cache MIGRATION_SCRIPTS_DIR := opt/vyatta/etc/config-migrate/migrate SYSTEM_SCRIPTS_DIR := usr/libexec/vyos/system @@ -35,6 +36,8 @@ override_dh_auto_install: # convert the XML to dictionaries env PYTHONPATH=python python3 python/vyos/xml/generate.py + cp xml_cache/vyos_1x_cache.py python/vyos/xml_ref/pkg_cache + cd python; python3 setup.py install --install-layout=deb --root ../$(DIR); cd .. # Install scripts -- cgit v1.2.3 From e3f0a514d8daa2d8bb2850681d6401dfc668df8d Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Sat, 29 Jul 2023 15:27:01 -0500 Subject: xml: T5403: set explicit package name --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index ecd610bae..6dfa516e1 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ interface_definitions: $(config_xml_obj) $(CURDIR)/scripts/override-default $(BUILD_DIR)/interface-definitions - $(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions --output-path $(CACHE_DIR) + $(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions --package-name vyos-1x --output-path $(CACHE_DIR) find $(BUILD_DIR)/interface-definitions -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1 -- cgit v1.2.3 From 3fb9cda51a40186640aae32de406edc169b6de22 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Sat, 29 Jul 2023 15:44:51 -0500 Subject: xml: T5403: remove incorrect arg check --- python/vyos/xml_ref/generate_cache.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/python/vyos/xml_ref/generate_cache.py b/python/vyos/xml_ref/generate_cache.py index 6f08486a8..6a05d4608 100755 --- a/python/vyos/xml_ref/generate_cache.py +++ b/python/vyos/xml_ref/generate_cache.py @@ -53,9 +53,6 @@ def trim_node_data(cache: dict): def non_trivial(s): if not s: raise ArgumentTypeError("Argument must be non empty string") - if s == 'vyos-1x' and basename(getcwd()) != 'vyos-1x': - # builds outside of vyos-1x must specify package name - raise ArgumentTypeError("Specify package name") return s def main(): -- cgit v1.2.3 From 7826a0e35e25e3d0e1a782c9507d49352e3dd720 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 29 Jul 2023 22:53:57 +0200 Subject: T3355: migrate "show dhcp client lease" to new op-mode style vyos@vyos# ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 Interface eth0.10 IP address 172.16.33.123 [Active] Subnet Mask 255.255.255.0 Domain Name vyos.net Router 172.16.33.254 Name Server 172.16.254.30 DHCP Server 172.16.33.254 DHCP Server 86400 Last Update Sat Jul 29 21:13:32 CEST 2023 Expiry Sun Jul 30 21:13:31 CEST 2023 vyos@vyos# ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 --raw [ { "last_update": "Sat Jul 29 21:13:32 CEST 2023", "reason": "BOUND", "interface": "eth0.10", "new_expiry": "1690744411", "new_dhcp_lease_time": "86400", "medium": "", "alias_ip_address": "", "new_ip_address": "172.16.33.123", "new_broadcast_address": "172.16.33.255", "new_subnet_mask": "255.255.255.0", "new_domain_name": "vyos.net", "new_network_number": "172.16.33.0", "new_domain_name_servers": "172.16.254.30", "new_routers": "172.16.33.254", "new_static_routes": "", "new_dhcp_server_identifier": "172.16.33.254", "new_dhcp_message_type": "5", "old_ip_address": "", "old_subnet_mask": "", "old_domain_name": "", "old_domain_name_servers": "", "old_routers": "", "old_static_routes": "" } ] --- op-mode-definitions/dhcp.xml.in | 24 +++++++++++++ src/op_mode/dhcp.py | 78 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 101 insertions(+), 1 deletion(-) diff --git a/op-mode-definitions/dhcp.xml.in b/op-mode-definitions/dhcp.xml.in index 66584efc3..6855fe447 100644 --- a/op-mode-definitions/dhcp.xml.in +++ b/op-mode-definitions/dhcp.xml.in @@ -7,6 +7,30 @@ Show DHCP (Dynamic Host Configuration Protocol) information + + + Show DHCP client information + + + + + Show DHCP client leases + + + + + Show DHCP client information for a given interface + + + + + ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface $6 + + + ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet + + + Show DHCP server information diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py index 3e51e990b..653e670c5 100755 --- a/src/op_mode/dhcp.py +++ b/src/op_mode/dhcp.py @@ -14,10 +14,12 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import os import sys import typing from datetime import datetime +from glob import glob from ipaddress import ip_address from isc_dhcp_leases import IscDhcpLeases from tabulate import tabulate @@ -27,8 +29,9 @@ import vyos.opmode from vyos.base import Warning from vyos.configquery import ConfigTreeQuery -from vyos.utils.process import cmd from vyos.utils.dict import dict_search +from vyos.utils.file import read_file +from vyos.utils.process import cmd from vyos.utils.process import is_systemd_service_running config = ConfigTreeQuery() @@ -287,6 +290,79 @@ def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str], return _get_formatted_server_leases(lease_data, family=family) +def _get_raw_client_leases(family='inet', interface=None): + lease_dir = '/var/lib/dhcp' + lease_files = [] + lease_data = [] + + if interface: + tmp = f'{lease_dir}/dhclient_{interface}.lease' + if os.path.exists(tmp): + lease_files.append(tmp) + else: + # All DHCP leases + lease_files = glob(f'{lease_dir}/dhclient_*.lease') + + for lease in lease_files: + tmp = {} + with open(lease, 'r') as f: + for line in f.readlines(): + line = line.rstrip() + if 'last_update' not in tmp: + tmp.update({'last_update' : line}) + continue + + k, v = line.split('=') + tmp.update({k : v.replace("'", "")}) + + lease_data.append(tmp) + + return lease_data + +def _get_formatted_client_leases(lease_data, family): + from time import localtime + from time import strftime + + from vyos.validate import is_intf_addr_assigned + + data_entries = [] + for lease in lease_data: + data_entries.append(["Interface", lease['interface']]) + if 'new_ip_address' in lease: + tmp = '[Active]' if is_intf_addr_assigned(lease['interface'], lease['new_ip_address']) else '[Inactive]' + data_entries.append(["IP address", lease['new_ip_address'], tmp]) + if 'new_subnet_mask' in lease: + data_entries.append(["Subnet Mask", lease['new_subnet_mask']]) + if 'new_domain_name' in lease: + data_entries.append(["Domain Name", lease['new_domain_name']]) + if 'new_routers' in lease: + data_entries.append(["Router", lease['new_routers']]) + if 'new_domain_name_servers' in lease: + data_entries.append(["Name Server", lease['new_domain_name_servers']]) + if 'new_dhcp_server_identifier' in lease: + data_entries.append(["DHCP Server", lease['new_dhcp_server_identifier']]) + if 'new_dhcp_lease_time' in lease: + data_entries.append(["DHCP Server", lease['new_dhcp_lease_time']]) + if 'last_update' in lease: + data_entries.append(["Last Update", lease['last_update']]) + if 'new_expiry' in lease: + tmp = strftime('%a %b %d %H:%M:%S %Z %Y', localtime(int(lease['new_expiry']))) + data_entries.append(["Expiry", tmp]) + + # Add empty marker + data_entries.append(['']) + + output = tabulate(data_entries, tablefmt='plain') + + return output + +def show_client_leases(raw: bool, family: ArgFamily, interface: typing.Optional[str]): + lease_data = _get_raw_client_leases(family=family, interface=interface) + if raw: + return lease_data + else: + return _get_formatted_client_leases(lease_data, family=family) + if __name__ == '__main__': try: res = vyos.opmode.run(sys.modules[__name__]) -- cgit v1.2.3 From 7568912d483114ef8939246768fabe464af28ca2 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 29 Jul 2023 21:04:25 +0000 Subject: T5411: remove old background monitor implementation --- .../include/monitor-background.xml.i | 21 ----------- op-mode-definitions/monitor-protocol.xml.in | 42 ---------------------- 2 files changed, 63 deletions(-) delete mode 100644 op-mode-definitions/include/monitor-background.xml.i diff --git a/op-mode-definitions/include/monitor-background.xml.i b/op-mode-definitions/include/monitor-background.xml.i deleted file mode 100644 index 9931127e3..000000000 --- a/op-mode-definitions/include/monitor-background.xml.i +++ /dev/null @@ -1,21 +0,0 @@ - - - - Monitor in background - - - - - Start background monitoring - - ${vyatta_bindir}/vyatta-monitor-background ${3^^} ${3} - - - - Stop background monitoring - - ${vyatta_bindir}/vyatta-monitor-background-stop ${3^^} - - - - diff --git a/op-mode-definitions/monitor-protocol.xml.in b/op-mode-definitions/monitor-protocol.xml.in index f3af3575c..f05a1945f 100644 --- a/op-mode-definitions/monitor-protocol.xml.in +++ b/op-mode-definitions/monitor-protocol.xml.in @@ -12,7 +12,6 @@ Monitor the Border Gateway Protocol (BGP) - #include Disable Border Gateway Protocol (BGP) debugging @@ -266,7 +265,6 @@ Monitor Open Shortest Path First (OSPF) protocol - #include Disable Open Shortest Path First (OSPF) debugging @@ -650,25 +648,6 @@ Monitor the IPv6 Open Shortest Path First (OSPFv3) protocol - - - Monitor in background - - - - - Start background monitoring - - ${vyatta_bindir}/vyatta-monitor-background OSPFv3 ospf6 - - - - Stop background monitoring - - ${vyatta_bindir}/vyatta-monitor-background-stop OSPFv3 - - - Disable IPv6 Open Shortest Path First (OSPFv3) protocol debugging @@ -1192,25 +1171,6 @@ Monitor the Routing Information Base (RIB) - - - Monitor in background - - - - - Start background monitoring - - ${vyatta_bindir}/vyatta-monitor-background RIB zebra - - - - Stop background monitoring - - ${vyatta_bindir}/vyatta-monitor-background-stop RIB - - - Disable Route Information Base (RIB) debugging @@ -1360,7 +1320,6 @@ Monitor the Routing Information Protocol (RIP) - #include Disable Routing Information Protocol (RIP) debugging @@ -1452,7 +1411,6 @@ Monitor the Routing Information Protocol Next Generation (RIPng) protocol - #include Disable Routing Information Protocol Next Generation (RIPNG) debugging -- cgit v1.2.3 From 019f90fb65cb243a3ab01ef3e06a39396750cbbd Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 29 Jul 2023 23:07:39 +0200 Subject: T5411: remove old background monitor implementation for webproxy --- op-mode-definitions/webproxy.xml.in | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in index 5ae1577d8..70e3ed608 100644 --- a/op-mode-definitions/webproxy.xml.in +++ b/op-mode-definitions/webproxy.xml.in @@ -14,25 +14,6 @@ if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi - - - Monitor Webproxy in the background - - - - - Start background monitoring of Webproxy - - ${vyatta_bindir}/vyatta-monitor-background Webproxy squid - - - - Stop background monitoring of Webproxy - - ${vyatta_bindir}/vyatta-monitor-background-stop Webproxy - - - Monitor the last lines of the squid cache log -- cgit v1.2.3 From 78bb41eacb79ab3a359adcf3bd37af81ddc9aaa1 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 30 Jul 2023 21:55:09 +0200 Subject: T3355: migrate webproxy log to proper "monitor log" tree --- op-mode-definitions/monitor-log.xml.in | 6 ------ op-mode-definitions/webproxy.xml.in | 32 ++++++++++++++++++-------------- 2 files changed, 18 insertions(+), 20 deletions(-) diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in index c7be07aa8..ee52a7eb8 100644 --- a/op-mode-definitions/monitor-log.xml.in +++ b/op-mode-definitions/monitor-log.xml.in @@ -339,12 +339,6 @@ journalctl --no-hostname --boot --follow --unit keepalived.service - - - Monitor last lines of Webproxy log - - journalctl --no-hostname --boot --follow --unit squid.service - diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in index 70e3ed608..4e555c3d9 100644 --- a/op-mode-definitions/webproxy.xml.in +++ b/op-mode-definitions/webproxy.xml.in @@ -2,23 +2,27 @@ - - - Monitor WebProxy service - - ${vyatta_bindir}/vyatta-monitor Webproxy squid + - - - Monitor the last lines of the squid access log - - if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi - - + - Monitor the last lines of the squid cache log + Monitor last lines of Webproxy log - if [ -f /var/log/squid/cache.log ]; then sudo tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi + journalctl --no-hostname --boot --follow --unit squid.service + + + + Monitor the last lines of the Webproxy access log + + if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi + + + + Monitor the last lines of the Webproxy cache log + + if [ -f /var/log/squid/cache.log ]; then sudo tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi + + -- cgit v1.2.3 From 1a44d8607f715934f2c03f28a9bf547321b26ed8 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 30 Jul 2023 22:03:53 +0200 Subject: T3355: always work with UNIX timestamps for dhcp client lease display ISC dhcp client contains least_update timestamp in human readable format this makes less sense for an API and also the expiry timestamp is provided in UNIX time. Convert string (e.g. Sun Jul 30 18:13:44 CEST 2023) to UNIX time (1690733624) vyos@vyos:~$ ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 Interface eth0.10 IP address 172.16.33.123 [Active] Subnet Mask 255.255.255.0 Domain Name vyos.net Router 172.16.33.254 Name Server 172.16.254.30 DHCP Server 172.16.33.254 DHCP Server 86400 Last Update Sun Jul 30 18:13:44 CEST 2023 Expiry Mon Jul 31 18:13:43 CEST 2023 vyos@vyos:~$ ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 --raw [ { "last_update": 1690733624, "reason": "RENEW", "interface": "eth0.10", "new_expiry": "1690820023", "new_dhcp_lease_time": "86400", "medium": "", "alias_ip_address": "", "new_ip_address": "172.16.33.123", "new_broadcast_address": "172.16.33.255", "new_subnet_mask": "255.255.255.0", "new_domain_name": "vyos.net", "new_network_number": "172.16.33.0", "new_domain_name_servers": "172.16.254.30", "new_routers": "172.16.33.254", "new_static_routes": "", "new_dhcp_server_identifier": "172.16.33.254", "new_dhcp_message_type": "5", "old_ip_address": "172.16.33.123", "old_subnet_mask": "255.255.255.0", "old_domain_name": "vyos.net", "old_domain_name_servers": "172.16.254.30", "old_routers": "172.16.33.254", "old_static_routes": "" } ] --- src/op_mode/dhcp.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py index 653e670c5..20ef698bd 100755 --- a/src/op_mode/dhcp.py +++ b/src/op_mode/dhcp.py @@ -34,6 +34,8 @@ from vyos.utils.file import read_file from vyos.utils.process import cmd from vyos.utils.process import is_systemd_service_running +time_string = "%a %b %d %H:%M:%S %Z %Y" + config = ConfigTreeQuery() lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup'] sort_valid_inet = ['end', 'mac', 'hostname', 'ip', 'pool', 'remaining', 'start', 'state'] @@ -291,6 +293,9 @@ def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str], def _get_raw_client_leases(family='inet', interface=None): + from time import mktime + from datetime import datetime + lease_dir = '/var/lib/dhcp' lease_files = [] lease_data = [] @@ -309,7 +314,11 @@ def _get_raw_client_leases(family='inet', interface=None): for line in f.readlines(): line = line.rstrip() if 'last_update' not in tmp: - tmp.update({'last_update' : line}) + # ISC dhcp client contains least_update timestamp in human readable + # format this makes less sense for an API and also the expiry + # timestamp is provided in UNIX time. Convert string (e.g. Sun Jul + # 30 18:13:44 CEST 2023) to UNIX time (1690733624) + tmp.update({'last_update' : int(mktime(datetime.strptime(line, time_string).timetuple()))}) continue k, v = line.split('=') @@ -344,9 +353,10 @@ def _get_formatted_client_leases(lease_data, family): if 'new_dhcp_lease_time' in lease: data_entries.append(["DHCP Server", lease['new_dhcp_lease_time']]) if 'last_update' in lease: - data_entries.append(["Last Update", lease['last_update']]) + tmp = strftime(time_string, localtime(int(lease['last_update']))) + data_entries.append(["Last Update", tmp]) if 'new_expiry' in lease: - tmp = strftime('%a %b %d %H:%M:%S %Z %Y', localtime(int(lease['new_expiry']))) + tmp = strftime(time_string, localtime(int(lease['new_expiry']))) data_entries.append(["Expiry", tmp]) # Add empty marker -- cgit v1.2.3 From 96a89fee625b77d05b2f757f804f189bf486d7ec Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Mon, 31 Jul 2023 10:06:56 +0000 Subject: T5416: fix ipsec matcher --- python/vyos/firewall.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 2793b201c..903cc8535 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -304,7 +304,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'ipsec' in rule_conf: if 'match_ipsec' in rule_conf['ipsec']: output.append('meta ipsec == 1') - if 'match_non_ipsec' in rule_conf['ipsec']: + if 'match_none' in rule_conf['ipsec']: output.append('meta ipsec == 0') if 'fragment' in rule_conf: -- cgit v1.2.3 From 230c3f5b9fedf055c15fc1e968b508c0fcaf0c59 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 31 Jul 2023 13:49:24 +0200 Subject: login: T4790: sync number of max RADIUS servers with equuleus branch (8) --- src/conf_mode/system-login.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index afd75913e..82941e0c0 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -54,7 +54,7 @@ MAX_USER_UID: int = 59999 # LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec MAX_RADIUS_TIMEOUT: int = 50 # MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) -MAX_RADIUS_COUNT: int = 25 +MAX_RADIUS_COUNT: int = 8 # Maximum number of supported TACACS servers MAX_TACACS_COUNT: int = 8 -- cgit v1.2.3 From 1d86092328ef43368fcb0bf348c14a01466e5892 Mon Sep 17 00:00:00 2001 From: 1vivy <1vivy@tutanota.com> Date: Sun, 23 Jul 2023 13:31:00 -0400 Subject: dhcpv6-pd: T5387: add support for no-release flag When no-release is specified, dhcp6c client will not release allocated address or prefix on client exit. vyos.ifconfig: dhcpv6: T5387: re-use options_file for no release flag [WIP] * Todo: render Jinja2 template and fill it vyos.ifconfig: dhcpv6: T5387: finish options_file and no release flag in cli vyos.ifconfig: dhcpv6: T5387: fix missing/wrong end tag vyos.ifconfig: dhcpv6: T5387: fix options, no var for -n dhcpv6-client: T5387: fix missing / from filepaths --- data/templates/dhcp-client/dhcp6c_daemon-options.j2 | 2 ++ interface-definitions/include/interface/dhcpv6-options.xml.i | 6 ++++++ python/vyos/ifconfig/interface.py | 2 ++ src/systemd/dhcp6c@.service | 4 +++- 4 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 data/templates/dhcp-client/dhcp6c_daemon-options.j2 diff --git a/data/templates/dhcp-client/dhcp6c_daemon-options.j2 b/data/templates/dhcp-client/dhcp6c_daemon-options.j2 new file mode 100644 index 000000000..d33d418fc --- /dev/null +++ b/data/templates/dhcp-client/dhcp6c_daemon-options.j2 @@ -0,0 +1,2 @@ +{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %} +DHCP6C_OPTS="-D -k /run/dhcp6c/dhcp6c.{{ ifname }}.sock -c /run/dhcp6c/dhcp6c.{{ ifname }}.conf -p /run/dhcp6c/dhcp6c.{{ ifname }}.pid {{ no_release }} {{ ifname }}" diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i index 609af1a2b..5ca1d525f 100644 --- a/interface-definitions/include/interface/dhcpv6-options.xml.i +++ b/interface-definitions/include/interface/dhcpv6-options.xml.i @@ -95,6 +95,12 @@ + + + Do not send a release message on client exit + + + diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index 120f2131b..99ddb2021 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -1288,9 +1288,11 @@ class Interface(Control): ifname = self.ifname config_file = f'/run/dhcp6c/dhcp6c.{ifname}.conf' + options_file = f'/run/dhcp6c/dhcp6c.{ifname}.options' systemd_service = f'dhcp6c@{ifname}.service' if enable and 'disable' not in self._config: + render(options_file, 'dhcp-client/dhcp6c_daemon-options.j2', self._config) render(config_file, 'dhcp-client/ipv6.j2', self._config) # We must ignore any return codes. This is required to enable diff --git a/src/systemd/dhcp6c@.service b/src/systemd/dhcp6c@.service index 9a97ee261..495cb7e26 100644 --- a/src/systemd/dhcp6c@.service +++ b/src/systemd/dhcp6c@.service @@ -2,14 +2,16 @@ Description=WIDE DHCPv6 client on %i Documentation=man:dhcp6c(8) man:dhcp6c.conf(5) ConditionPathExists=/run/dhcp6c/dhcp6c.%i.conf +ConditionPathExists=/run/dhcp6c/dhcp6c.%i.options After=vyos-router.service StartLimitIntervalSec=0 [Service] WorkingDirectory=/run/dhcp6c +EnvironmentFile=-/run/dhcp6c/dhcp6c.%i.options Type=forking PIDFile=/run/dhcp6c/dhcp6c.%i.pid -ExecStart=/usr/sbin/dhcp6c -D -k /run/dhcp6c/dhcp6c.%i.sock -c /run/dhcp6c/dhcp6c.%i.conf -p /run/dhcp6c/dhcp6c.%i.pid %i +ExecStart=/usr/sbin/dhcp6c $DHCP6C_OPTS Restart=on-failure RestartSec=20 -- cgit v1.2.3 From 1ee3801de4fbc78bbb6cbd49719c855ec33f0f31 Mon Sep 17 00:00:00 2001 From: 1vivy <1vivy@tutanota.com> Date: Sun, 23 Jul 2023 21:07:50 -0400 Subject: smoketest: interfaces: T5387: test dhcpv6-pd no-release flag --- smoketest/scripts/cli/base_interfaces_test.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index b4afac0e2..a3868fa70 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -791,6 +791,7 @@ class BasicInterfaceTest: # Enable DHCPv6 client self.cli_set(path + ['address', 'dhcpv6']) + self.cli_set(path + ['dhcpv6-options', 'no-release']) self.cli_set(path + ['dhcpv6-options', 'rapid-commit']) self.cli_set(path + ['dhcpv6-options', 'parameters-only']) self.cli_set(path + ['dhcpv6-options', 'duid', duid]) @@ -798,6 +799,9 @@ class BasicInterfaceTest: self.cli_commit() + dhcp6c_options = read_file(f'/run/dhcp6c/dhcp6c.{interface}.options') + self.assertIn(f'-n', dhcp6c_options) + duid_base = 10 for interface in self._interfaces: duid = '00:01:00:01:27:71:db:f0:00:50:00:00:00:{}'.format(duid_base) -- cgit v1.2.3 From befd4045b59f6182591daa9f19702404791303ae Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Mon, 31 Jul 2023 16:51:52 +0000 Subject: T5406: webproxy op-mode command: add vrf support for blacklist update command --- op-mode-definitions/webproxy.xml.in | 11 +++++++++++ src/op_mode/webproxy_update_blacklist.sh | 9 ++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in index 4e555c3d9..57df44ff8 100644 --- a/op-mode-definitions/webproxy.xml.in +++ b/op-mode-definitions/webproxy.xml.in @@ -87,6 +87,17 @@ Update the webproxy blacklist database sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist + + + + Update webproxy blacklist database via specified VRF + + vrf name + + + sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}" + + diff --git a/src/op_mode/webproxy_update_blacklist.sh b/src/op_mode/webproxy_update_blacklist.sh index 4fb9a54c6..05ea86f9e 100755 --- a/src/op_mode/webproxy_update_blacklist.sh +++ b/src/op_mode/webproxy_update_blacklist.sh @@ -45,6 +45,9 @@ do --auto-update-blacklist) auto="yes" ;; + --vrf) + vrf="yes" + ;; (-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;; (*) break;; esac @@ -76,7 +79,11 @@ fi if [[ -n $update ]] && [[ $update -eq "yes" ]]; then tmp_blacklists='/tmp/blacklists.gz' - curl -o $tmp_blacklists $blacklist_url + if [[ -n $vrf ]] && [[ $vrf -eq "yes" ]]; then + sudo ip vrf exec $1 curl -o $tmp_blacklists $blacklist_url + else + curl -o $tmp_blacklists $blacklist_url + fi if [ $? -ne 0 ]; then echo "Unable to download [$blacklist_url]!" exit 1 -- cgit v1.2.3