From e5ce4222c6e9b24d276625678db7339ada0c54ef Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 11 Jan 2024 08:18:21 +0100 Subject: dns: T5791: use common pattern for exclude check of dynamic interfaces This uses a more common pattern froma base class while the original code from 0a1c9bc38 ("T5791: DNS dynamic exclude check for dynamic interfaces PPPoE") is still retained. --- python/vyos/configverify.py | 7 +++++-- src/conf_mode/service_dns_dynamic.py | 14 +++++++------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index 85423142d..5d3723876 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -1,4 +1,4 @@ -# Copyright 2020-2023 VyOS maintainers and contributors +# Copyright 2020-2024 VyOS maintainers and contributors # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -25,6 +25,9 @@ from vyos import ConfigError from vyos.utils.dict import dict_search from vyos.utils.dict import dict_search_recursive +# pattern re-used in ipsec migration script +dynamic_interface_pattern = r'(ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+' + def verify_mtu(config): """ Common helper function used by interface implementations to perform @@ -290,7 +293,7 @@ def verify_source_interface(config): src_ifname = config['source_interface'] # We do not allow sourcing other interfaces (e.g. tunnel) from dynamic interfaces - tmp = re.compile(r'(ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+') + tmp = re.compile(dynamic_interface_pattern) if tmp.match(src_ifname): raise ConfigError(f'Can not source "{ifname}" from dynamic interface "{src_ifname}"!') diff --git a/src/conf_mode/service_dns_dynamic.py b/src/conf_mode/service_dns_dynamic.py index 99fa8feee..845aaa1b5 100755 --- a/src/conf_mode/service_dns_dynamic.py +++ b/src/conf_mode/service_dns_dynamic.py 
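Review bot: The shared `dynamic_interface_pattern` is unanchored and every consumer in this series applies it with `.match()`, which only pins the start of the string, so any interface name that merely begins with e.g. `pppoe0` is treated as a dynamic interface; this affects `verify_source_interface` in the next hunk as well as the two new `tmp.match(...)` sites in service_dns_dynamic.py and vpn_ipsec.py. Since the pattern is now defined once, anchoring it at the definition, `dynamic_interface_pattern = r'^(ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+$'`, or documenting that callers must use `re.fullmatch`, keeps all three call sites consistent, provided no caller relies on the prefix semantics. The comment above the constant also misdescribes its use — it is consumed by conf_mode verify() checks, not a migration script; I would replace it with `# Names of interfaces that may not exist at commit time (e.g. PPPoE); shared by the conf_mode verify() checks`.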
@@ -21,8 +21,10 @@ from sys import exit from vyos.base import Warning from vyos.config import Config from vyos.configverify import verify_interface_exists +from vyos.configverify import dynamic_interface_pattern from vyos.template import render from vyos.utils.process import call +from vyos.utils.network import interface_exists from vyos import ConfigError from vyos import airbag airbag.enable() @@ -30,9 +32,6 @@ airbag.enable() config_file = r'/run/ddclient/ddclient.conf' systemd_override = r'/run/systemd/system/ddclient.service.d/override.conf' -# Dynamic interfaces that might not exist when the configuration is loaded -dynamic_interfaces = ('pppoe', 'sstpc') - # Protocols that require zone zone_necessary = ['cloudflare', 'digitalocean', 'godaddy', 'hetzner', 'gandi', 'nfsn', 'nsupdate'] @@ -81,7 +80,6 @@ def verify(dyndns): # Dynamic DNS service provider - configuration validation for service, config in dyndns['name'].items(): - error_msg_req = f'is required for Dynamic DNS service "{service}"' error_msg_uns = f'is not supported for Dynamic DNS service "{service}"' @@ -93,10 +91,12 @@ def verify(dyndns): # that the interface exists (or just warn if dynamic interface) # and that web-options are not set if config['address'] != 'web': + tmp = re.compile(dynamic_interface_pattern) # exclude check interface for dynamic interfaces - if config['address'].startswith(dynamic_interfaces): - Warning(f'Interface "{config["address"]}" does not exist yet and cannot ' - f'be used for Dynamic DNS service "{service}" until it is up!') + if tmp.match(config["address"]): + if not interface_exists(config["address"]): + Warning(f'Interface "{config["address"]}" does not exist yet and cannot ' + f'be used for Dynamic DNS service "{service}" until it is up!') else: verify_interface_exists(config['address']) if 'web_options' in config: -- cgit v1.2.3 From 8c941e316035e56757d77b782cf39702c73546e0 Mon Sep 17 00:00:00 2001 
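Review bot: In the `@@ -93,10 +91,12 @@` hunk the regex is compiled inside the per-service loop, `tmp = re.compile(dynamic_interface_pattern)`, once for every configured Dynamic DNS service although it never changes; hoist it above `for service, config in dyndns['name'].items():` (which starts outside this hunk) or call `re.match(dynamic_interface_pattern, config['address'])` directly, since `re` caches compiled patterns. The hunk also relies on `re` already being imported by this file, which the import hunk at the top does not add, and the previous implementation used only `startswith`, so this is worth confirming before merge. Minor style point: the new lines use `config["address"]` while the surrounding code uses `config['address']`.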
From: Christian Breunig Date: Thu, 11 Jan 2024 08:20:44 +0100 Subject: ipsec: T5918: warn when dynamic interfaces are used to bind ipsec daemon Fix after commit 8452d8f4921 ("T5918: Fix typo in verify vpn ipsec interface") so that dynamic interfaces can be used by ipsec but a warning is issued that this will only work after they are available on the system. PPPoE interfaces are the best example for this, as they are down during system bootup and will be available anytime after the boot once we've dialed into the BRAS. --- src/conf_mode/vpn_ipsec.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index adbac0405..d074ed159 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -27,6 +27,7 @@ from vyos.base import Warning from vyos.config import Config from vyos.configdict import leaf_node_changed from vyos.configverify import verify_interface_exists +from vyos.configverify import dynamic_interface_pattern from vyos.defaults import directories from vyos.ifconfig import Interface from vyos.pki import encode_certificate @@ -160,8 +161,15 @@ def verify(ipsec): raise ConfigError(f'Authentication psk "{psk}" missing "id" or "secret"') if 'interface' in ipsec: - for ifname in ipsec['interface']: - verify_interface_exists(ifname) + tmp = re.compile(dynamic_interface_pattern) + for interface in ipsec['interface']: + # exclude check interface for dynamic interfaces + if tmp.match(interface): + if not interface_exists(interface): + Warning(f'Interface "{interface}" does not exist yet and cannot be used ' + f'for IPsec until it is up!') + else: + verify_interface_exists(interface) if 'l2tp' in ipsec: if 'esp_group' in ipsec['l2tp']: -- cgit v1.2.3
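Review bot: The new branch in `verify()` calls `interface_exists(interface)`, but the import hunk above adds only `dynamic_interface_pattern`; unless vpn_ipsec.py already imports `interface_exists` from `vyos.utils.network` (not visible in this patch, and the sibling DNS commit had to add that import explicitly), the dynamic-interface path raises NameError at commit time, and that path is only exercised when a PPPoE/L2TP-style name is configured, so a smoke test would not catch it. The same applies to `re` for the `re.compile` call. If missing, add `from vyos.utils.network import interface_exists` next to the other `vyos.utils` imports. The `verify` function continues outside this hunk.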