From 902586e248dd84883a097a3daca0b1129db25b38 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 21 Jul 2022 20:26:08 +0200
Subject: fastnetmon: T4555: add IPv6 support

---
 data/templates/ids/fastnetmon.j2 | 7 +++----
 data/templates/ids/fastnetmon_networks_list.j2 | 4 +---
 .../service-ids-ddos-protection.xml.in | 9 +++++++--
 smoketest/scripts/cli/test_service_ids.py | 4 ++++
 src/conf_mode/service_ids_fastnetmon.py | 21 +++++++++------------
 5 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2
index e095b0786..005338836 100644
--- a/data/templates/ids/fastnetmon.j2
+++ b/data/templates/ids/fastnetmon.j2
@@ -1,14 +1,13 @@
 # enable this option if you want to send logs to local syslog facility
+logging:logging_level = debug
 logging:local_syslog_logging = on
 
 # list of all your networks in CIDR format
-networks_list_path = /etc/networks_list
-
-# list networks in CIDR format which will be not monitored for attacks
-white_list_path = /etc/networks_whitelist
+networks_list_path = /run/fastnetmon/networks_list
 
 # Enable/Disable any actions in case of attack
 enable_ban = on
+enable_ban_ipv6 = on
 
 ## How many packets will be collected from attack traffic
 ban_details_records_count = 500
diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2
index 1c81180be..5f1b3ba4d 100644
--- a/data/templates/ids/fastnetmon_networks_list.j2
+++ b/data/templates/ids/fastnetmon_networks_list.j2
@@ -1,6 +1,4 @@
-{% if network is vyos_defined(var_type=str) %}
-{{ network }}
-{% else %}
+{% if network is vyos_defined() %}
 {% for net in network %}
 {{ net }}
 {% endfor %}
diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in
index fe22994b5..0a0d78948 100644
--- a/interface-definitions/service-ids-ddos-protection.xml.in
+++ b/interface-definitions/service-ids-ddos-protection.xml.in
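Review bot: `logging:logging_level = debug` is added unconditionally to the rendered fastnetmon configuration, so every deployment now writes debug-level output to the local syslog; that is a development setting in a shipped template and should be `logging:logging_level = info` or be driven by a CLI option. The same hunk drops `white_list_path` while moving `networks_list_path` to `/run/fastnetmon/networks_list`, and the diffstat lists no whitelist template change, so if a whitelist renderer still exists elsewhere it is now orphaned — worth confirming before merge.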
@@ -68,13 +68,18 @@ - Define monitoring networks + Specify IPv4 and IPv6 networks which belong to you ipv4net - Processed network + Your IPv4 prefix(es) + + + ipv6net + Your IPv6 prefix(es) + diff --git a/smoketest/scripts/cli/test_service_ids.py b/smoketest/scripts/cli/test_service_ids.py index 18f1b8ec5..b4a8934e5 100755 --- a/smoketest/scripts/cli/test_service_ids.py +++ b/smoketest/scripts/cli/test_service_ids.py @@ -86,6 +86,10 @@ class TestServiceIDS(VyOSUnitTestSHIM.TestCase): self.assertIn(f'threshold_mbps = {mbps}', config) self.assertIn(f'ban_for_pps = on', config) self.assertIn(f'threshold_pps = {pps}', config) + # default + self.assertIn(f'enable_ban = on', config) + self.assertIn(f'enable_ban_ipv6 = on', config) + self.assertIn(f'ban_time = 1900', config) tmp = ','.join(interfaces) self.assertIn(f'interfaces = {tmp}', config) diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py index 57e12ddf2..8213d536e 100755 --- a/src/conf_mode/service_ids_fastnetmon.py +++ b/src/conf_mode/service_ids_fastnetmon.py 
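Review bot: The three new assertions in test_service_ids.py are f-strings with no placeholders (`f'enable_ban = on'`, `f'enable_ban_ipv6 = on'`, `f'ban_time = 1900'`); plain literals are clearer and avoid lint noise (ruff F541), e.g. `self.assertIn('enable_ban_ipv6 = on', config)`. The surrounding context lines share the pattern, so this is pre-existing style rather than a regression. The `ban_time = 1900` default asserted here is not visible in this patch, so the `# default` comment would read better as `# defaults applied when no CLI value is set`, and the value should be confirmed against the interface definition.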
@@ -49,22 +49,19 @@ def verify(fastnetmon): if not fastnetmon: return None - if not "mode" in fastnetmon: - raise ConfigError('ddos-protection mode is mandatory!') + if 'mode' not in fastnetmon: + raise ConfigError('Specify operating mode!') - if not "network" in fastnetmon: - raise ConfigError('Required define network!') + if 'listen_interface' not in fastnetmon: + raise ConfigError('Specify interface(s) for traffic capture') - if not "listen_interface" in fastnetmon: - raise ConfigError('Define listen-interface is mandatory!') - - if "alert_script" in fastnetmon: - if os.path.isfile(fastnetmon["alert_script"]): + if 'alert_script' in fastnetmon: + if os.path.isfile(fastnetmon['alert_script']): # Check script permissions - if not os.access(fastnetmon["alert_script"], os.X_OK): - raise ConfigError('Script {0} does not have permissions for execution'.format(fastnetmon["alert_script"])) + if not os.access(fastnetmon['alert_script'], os.X_OK): + raise ConfigError('Script "{alert_script}" is not executable!'.format(fastnetmon['alert_script'])) else: - raise ConfigError('File {0} does not exists!'.format(fastnetmon["alert_script"])) + raise ConfigError('File "{alert_script}" does not exists!'.format(fastnetmon)) def generate(fastnetmon): if not fastnetmon: -- cgit v1.2.3
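Review bot: Both new ConfigError lines in the alert_script branch raise KeyError instead of ConfigError when they fire: the template names the field `{alert_script}`, but `.format(fastnetmon['alert_script'])` supplies it positionally and `.format(fastnetmon)` passes the whole dict positionally, so the named field is never bound. Use keyword expansion on both, `raise ConfigError('Script "{alert_script}" is not executable!'.format(**fastnetmon))` and `raise ConfigError('File "{alert_script}" does not exist!'.format(**fastnetmon))` (which also fixes "does not exists"). The hunk also deletes the mandatory-network check without a replacement, so a configuration with no `network` now passes verify and renders an empty networks_list; if that is not the intent, keep `if 'network' not in fastnetmon: raise ConfigError('Specify at least one network!')`. verify() begins before this hunk and generate() continues after it.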