From eecec6b5caeaef14a03ddbb1d09f9c599273b998 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 6 Dec 2020 13:44:56 +0100 Subject: dhcp: T2562: add "listen-address" CLI node for better DHCP relay support Running ISC DHCP server as backend server for multiple pools served to relay agents requires DHCPd to explicitly listen on give interfaces or a "transit" subnet declaration facing the network where we receive the DHCPREQ messages on. This implements a new "listen-address" CLI node, the given address is validated if it is assigned to the system and upon success, a proper "subnet { }" statement is added into dhcpd.conf --- data/templates/dhcp-server/dhcpd.conf.tmpl | 8 ++++++ interface-definitions/dhcp-server.xml.in | 11 ++++---- python/vyos/template.py | 41 +++++++++++++++++++++++++++--- src/conf_mode/dhcp_server.py | 16 +++++++++--- 4 files changed, 64 insertions(+), 12 deletions(-) diff --git a/data/templates/dhcp-server/dhcpd.conf.tmpl b/data/templates/dhcp-server/dhcpd.conf.tmpl index bcf425abd..56a5f4bcd 100644 --- a/data/templates/dhcp-server/dhcpd.conf.tmpl +++ b/data/templates/dhcp-server/dhcpd.conf.tmpl @@ -62,6 +62,14 @@ failover peer "{{ subnet_config.failover.name }}" { {% endif %} {% endfor %} {% endif %} +{% if listen_address is defined and listen_address is not none %} + +# DHCP server serving relay subnet, we need a connector to the real world +{% for address in listen_address %} +# Connected subnet statement for listen-address {{ address }} +subnet {{ address | network_from_ipv4 }} netmask {{ address | netmask_from_ipv4 }} { } +{% endfor %} +{% endif %} # Shared network configration(s) {% if shared_network_name is defined and shared_network_name is not none %} diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in index 2f78f11ea..161eeed28 100644 --- a/interface-definitions/dhcp-server.xml.in +++ b/interface-definitions/dhcp-server.xml.in 
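Review bot: The loop emits one empty `subnet … netmask … { }` declaration per listen-address with no deduplication, so two listen-addresses that share a connected network, or a listen-address that lives on a network already declared for a pool elsewhere in this file, produce overlapping subnet declarations, which dhcpd is likely to reject when it loads the configuration. Either verify() should reject a listen-address whose connected network equals that of another listen-address or of a configured subnet, or the template should skip a network it has already emitted. The two filters raise on a failed lookup, so this block silently depends on verify() having checked every address with is_addr_assigned first; a comment such as `{# addresses were validated by verify(); network_from_ipv4/netmask_from_ipv4 raise on an unassigned address #}` above the loop would make that coupling explicit.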
@@ -11,13 +11,13 @@ - Option to disable DHCP server + Disable DHCP server - DHCP server to dynamically update the Domain Name System (DNS) + Dynamically update Domain Name System (RFC4702) @@ -32,19 +32,20 @@ - Enable DHCP server updating /etc/hosts (per client lease) + Updating /etc/hosts file (per client lease) - Instruct server to use host declaration name for forward DNS name + Use host declaration name for forward DNS name + #include - DHCP shared network name [REQUIRED] + Name of DHCP shared network [-_a-zA-Z0-9.]+ diff --git a/python/vyos/template.py b/python/vyos/template.py index 5993ffd95..63d400642 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py 
@@ -123,23 +123,56 @@ def render( ################################## @register_filter('address_from_cidr') -def address_from_cidr(text): +def address_from_cidr(prefix): """ Take an IPv4/IPv6 CIDR prefix and convert the network to an "address". Example: 192.0.2.0/24 -> 192.0.2.0, 2001:db8::/48 -> 2001:db8:: """ from ipaddress import ip_network - return str(ip_network(text).network_address) + return str(ip_network(prefix).network_address) @register_filter('netmask_from_cidr') -def netmask_from_cidr(text): +def netmask_from_cidr(prefix): """ Take CIDR prefix and convert the prefix length to a "subnet mask". Example: - 192.0.2.0/24 -> 255.255.255.0 - 2001:db8::/48 -> ffff:ffff:ffff:: """ from ipaddress import ip_network - return str(ip_network(text).netmask) + return str(ip_network(prefix).netmask) + +@register_filter('netmask_from_ipv4') +def netmask_from_ipv4(address): + """ Take IP address and search all attached interface IP addresses for the + given one. After address has been found, return the associated netmask. + + Example: + - 172.18.201.10 -> 255.255.255.128 + """ + from netifaces import interfaces, ifaddresses, AF_INET + for interface in interfaces(): + tmp = ifaddresses(interface) + if AF_INET in tmp: + for af_addr in tmp[AF_INET]: + if 'addr' in af_addr: + if af_addr['addr'] == address: + return af_addr['netmask'] + + raise ValueError + +@register_filter('network_from_ipv4') +def network_from_ipv4(address): + """ Take IP address and search all attached interface IP addresses for the + given one. After address has been found, return the associated network + address. + + Example: + - 172.18.201.10 has mask 255.255.255.128 -> network is 172.18.201.0 + """ + netmask = netmask_from_ipv4(address) + from ipaddress import ip_interface + cidr_prefix = ip_interface(f'{address}/{netmask}').network + return address_from_cidr(cidr_prefix) @register_filter('is_ip') def is_ip(addr): 
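Review bot: `netmask_from_ipv4` ends in a bare `raise ValueError` with no message, so when the lookup fails during template rendering the operator gets an uninformative traceback out of Jinja instead of the offending address; `raise ValueError(f'address "{address}" is not assigned to any interface')` would name it. The search only walks `AF_INET` entries, so an IPv6 listen-address, or any address that is_addr_assigned accepts but netifaces reports differently, fails here at render time rather than in verify(); the docstrings of both new filters should state the IPv4-only contract. The function also returns the first match, so an address assigned on two interfaces with different masks silently takes whichever netifaces enumerates first, which deserves a docstring note. Minor: `network_from_ipv4` re-scans every interface through `netmask_from_ipv4`, so a template that applies both filters to the same address performs the scan three times; harmless for a few addresses but worth a one-line comment.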
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index 9be586cdf..1ab2d8d16 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py @@ -26,6 +26,7 @@ from vyos.template import render from vyos.util import call from vyos.util import dict_search from vyos.validate import is_subnet_connected +from vyos.validate import is_addr_assigned from vyos.xml import defaults from vyos import ConfigError from vyos import airbag @@ -246,10 +247,19 @@ def verify(dhcp): if net.overlaps(net2): raise ConfigError('Conflicting subnet ranges: "{net}" overlaps "{net2}"!') + for address in (dict_search('listen_address', dhcp) or []): + if is_addr_assigned(address): + listen_ok = True + # no need to probe further networks, we have one that is valid + continue + else: + raise ConfigError(f'listen-address "{address}" not configured on any interface') + + if not listen_ok: - raise ConfigError('DHCP server configuration error! None of the configured\n' \ - 'subnets have an appropriate primary IP address on any\n' - 'broadcast interface.') + raise ConfigError('None of the configured subnets have an appropriate primary IP address on any\n' + 'broadcast interface configured, nor was there an explicit listen-address\n' + 'configured for serving DHCP relay packets!') return None -- cgit v1.2.3
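Review bot: In the new listen-address loop the comment `no need to probe further networks, we have one that is valid` contradicts the `continue` under it: the loop does not stop, it goes on to validate every remaining address (which is the right behaviour, since any unassigned address must raise), so the comment should say that instead, and the `else:` after a `continue` is redundant. A guard-clause form reads better: `if not is_addr_assigned(address): raise ConfigError(f'listen-address "{address}" not configured on any interface')` followed by `listen_ok = True` with a comment that one assigned listen-address is enough to satisfy the check below. `listen_ok` is initialised outside this hunk, as is the start of verify(), so the initial value could not be confirmed here. Unrelated but visible in the context lines above the change: `raise ConfigError('Conflicting subnet ranges: "{net}" overlaps "{net2}"!')` is missing its `f` prefix, so the message prints the placeholders literally.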