From 4ef110fd2c501b718344c72d495ad7e16d2bd465 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 30 Dec 2023 23:25:20 +0100 Subject: T5474: establish common file name pattern for XML conf mode commands We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in --- src/conf_mode/arp.py | 74 --- src/conf_mode/bcast_relay.py | 111 ---- src/conf_mode/config_mgmt.py | 96 --- src/conf_mode/conntrack.py | 243 ------- src/conf_mode/conntrack_sync.py | 141 ---- src/conf_mode/dhcp_relay.py | 104 --- src/conf_mode/dhcp_server.py | 385 ----------- src/conf_mode/dhcpv6_relay.py | 106 --- src/conf_mode/dhcpv6_server.py | 222 ------- src/conf_mode/dns_dynamic.py | 187 ------ src/conf_mode/dns_forwarding.py | 358 ---------- src/conf_mode/firewall.py | 3 - src/conf_mode/flow_accounting_conf.py | 320 --------- src/conf_mode/host_name.py | 188 ------ src/conf_mode/https.py | 335 ---------- src/conf_mode/igmp_proxy.py | 113 ---- src/conf_mode/intel_qat.py | 106 --- src/conf_mode/interfaces-bonding.py | 294 --------- src/conf_mode/interfaces-bridge.py | 186 ------ src/conf_mode/interfaces-dummy.py | 76 --- src/conf_mode/interfaces-ethernet.py | 400 ----------- src/conf_mode/interfaces-geneve.py | 102 --- src/conf_mode/interfaces-input.py | 70 -- src/conf_mode/interfaces-l2tpv3.py | 112 ---- src/conf_mode/interfaces-loopback.py | 66 -- src/conf_mode/interfaces-macsec.py | 207 ------ src/conf_mode/interfaces-openvpn.py | 732 --------------------- src/conf_mode/interfaces-pppoe.py | 148 ----- src/conf_mode/interfaces-pseudo-ethernet.py | 107 --- src/conf_mode/interfaces-sstpc.py | 145 ---- src/conf_mode/interfaces-tunnel.py | 224 ------- src/conf_mode/interfaces-virtual-ethernet.py | 114 ---- src/conf_mode/interfaces-vti.py | 68 -- src/conf_mode/interfaces-vxlan.py | 236 ------- src/conf_mode/interfaces-wireguard.py | 133 ---- src/conf_mode/interfaces-wireless.py | 275 -------- src/conf_mode/interfaces-wwan.py | 189 ------ src/conf_mode/interfaces_bonding.py | 294 +++++++++ src/conf_mode/interfaces_bridge.py | 186 ++++++ src/conf_mode/interfaces_dummy.py | 76 +++ src/conf_mode/interfaces_ethernet.py | 400 +++++++++++ src/conf_mode/interfaces_geneve.py | 102 +++ src/conf_mode/interfaces_input.py | 70 ++ src/conf_mode/interfaces_l2tpv3.py | 112 ++++ src/conf_mode/interfaces_loopback.py | 66 ++ src/conf_mode/interfaces_macsec.py | 207 ++++++ src/conf_mode/interfaces_openvpn.py | 732 +++++++++++++++++++++ src/conf_mode/interfaces_pppoe.py | 148 +++++ src/conf_mode/interfaces_pseudo-ethernet.py | 107 +++ src/conf_mode/interfaces_sstpc.py | 145 ++++ src/conf_mode/interfaces_tunnel.py | 224 +++++++ src/conf_mode/interfaces_virtual-ethernet.py | 114 ++++ src/conf_mode/interfaces_vti.py | 68 ++ src/conf_mode/interfaces_vxlan.py | 236 +++++++ src/conf_mode/interfaces_wireguard.py | 133 ++++ src/conf_mode/interfaces_wireless.py | 275 ++++++++ src/conf_mode/interfaces_wwan.py | 189 ++++++ src/conf_mode/le_cert.py | 115 ---- src/conf_mode/lldp.py | 123 ---- src/conf_mode/load-balancing-haproxy.py | 169 ----- src/conf_mode/load-balancing-wan.py | 151 ----- src/conf_mode/load-balancing_reverse-proxy.py | 169 +++++ src/conf_mode/load-balancing_wan.py | 151 +++++ src/conf_mode/ntp.py | 136 ---- src/conf_mode/pki.py | 8 +- src/conf_mode/policy-local-route.py | 315 --------- src/conf_mode/policy-route.py | 195 ------ src/conf_mode/policy_local-route.py | 315 +++++++++ src/conf_mode/policy_route.py | 195 ++++++ src/conf_mode/protocols_igmp-proxy.py | 113 ++++ src/conf_mode/protocols_segment-routing.py | 118 ++++ src/conf_mode/protocols_segment_routing.py | 118 ---- src/conf_mode/protocols_static_arp.py | 74 +++ src/conf_mode/salt-minion.py | 118 ---- src/conf_mode/service_broadcast-relay.py | 111 ++++ src/conf_mode/service_config-sync.py | 105 +++ src/conf_mode/service_config_sync.py | 105 --- src/conf_mode/service_conntrack-sync.py | 141 ++++ src/conf_mode/service_dhcp-relay.py | 104 +++ src/conf_mode/service_dhcp-server.py | 385 +++++++++++ src/conf_mode/service_dhcpv6-relay.py | 106 +++ src/conf_mode/service_dhcpv6-server.py | 222 +++++++ src/conf_mode/service_dns_dynamic.py | 187 ++++++ src/conf_mode/service_dns_forwarding.py | 358 ++++++++++ src/conf_mode/service_event-handler.py | 92 +++ src/conf_mode/service_event_handler.py | 92 --- src/conf_mode/service_https.py | 335 ++++++++++ .../service_https_certificates_certbot.py | 114 ++++ src/conf_mode/service_ids_ddos-protection.py | 104 +++ src/conf_mode/service_ids_fastnetmon.py | 104 --- src/conf_mode/service_lldp.py | 123 ++++ src/conf_mode/service_mdns-repeater.py | 146 ---- src/conf_mode/service_mdns_repeater.py | 146 ++++ src/conf_mode/service_ntp.py | 136 ++++ src/conf_mode/service_salt-minion.py | 118 ++++ src/conf_mode/service_snmp.py | 269 ++++++++ src/conf_mode/service_ssh.py | 142 ++++ src/conf_mode/service_tftp-server.py | 142 ++++ src/conf_mode/snmp.py | 269 -------- src/conf_mode/ssh.py | 142 ---- src/conf_mode/system-ip.py | 143 ---- src/conf_mode/system-ipv6.py | 120 ---- src/conf_mode/system-login-banner.py | 107 --- src/conf_mode/system-login.py | 423 ------------ src/conf_mode/system-logs.py | 79 --- src/conf_mode/system-option.py | 159 ----- src/conf_mode/system-proxy.py | 71 -- src/conf_mode/system-syslog.py | 103 --- src/conf_mode/system-timezone.py | 61 -- src/conf_mode/system_acceleration.py | 106 +++ src/conf_mode/system_config-management.py | 96 +++ src/conf_mode/system_conntrack.py | 243 +++++++ src/conf_mode/system_flow-accounting.py | 320 +++++++++ src/conf_mode/system_host-name.py | 188 ++++++ src/conf_mode/system_ip.py | 143 ++++ src/conf_mode/system_ipv6.py | 120 ++++ src/conf_mode/system_login.py | 423 ++++++++++++ src/conf_mode/system_login_banner.py | 107 +++ src/conf_mode/system_logs.py | 79 +++ src/conf_mode/system_option.py | 159 +++++ src/conf_mode/system_proxy.py | 71 ++ src/conf_mode/system_syslog.py | 103 +++ src/conf_mode/system_task-scheduler.py | 153 +++++ src/conf_mode/system_timezone.py | 61 ++ src/conf_mode/system_update-check.py | 93 +++ src/conf_mode/system_update_check.py | 93 --- src/conf_mode/task_scheduler.py | 153 ----- src/conf_mode/tftp_server.py | 142 ---- 128 files changed, 10928 insertions(+), 10932 deletions(-) delete mode 100755 src/conf_mode/arp.py delete mode 100755 src/conf_mode/bcast_relay.py delete mode 100755 src/conf_mode/config_mgmt.py delete mode 100755 src/conf_mode/conntrack.py delete mode 100755 src/conf_mode/conntrack_sync.py delete mode 100755 src/conf_mode/dhcp_relay.py delete mode 100755 src/conf_mode/dhcp_server.py delete mode 100755 src/conf_mode/dhcpv6_relay.py delete mode 100755 src/conf_mode/dhcpv6_server.py delete mode 100755 src/conf_mode/dns_dynamic.py delete mode 100755 src/conf_mode/dns_forwarding.py delete mode 100755 src/conf_mode/flow_accounting_conf.py delete mode 100755 src/conf_mode/host_name.py delete mode 100755 src/conf_mode/https.py delete mode 100755 src/conf_mode/igmp_proxy.py delete mode 100755 src/conf_mode/intel_qat.py delete mode 100755 src/conf_mode/interfaces-bonding.py delete mode 100755 src/conf_mode/interfaces-bridge.py delete mode 100755 src/conf_mode/interfaces-dummy.py delete mode 100755 src/conf_mode/interfaces-ethernet.py delete mode 100755 src/conf_mode/interfaces-geneve.py delete mode 100755 src/conf_mode/interfaces-input.py delete mode 100755 src/conf_mode/interfaces-l2tpv3.py delete mode 100755 src/conf_mode/interfaces-loopback.py delete mode 100755 src/conf_mode/interfaces-macsec.py delete mode 100755 src/conf_mode/interfaces-openvpn.py delete mode 100755 src/conf_mode/interfaces-pppoe.py delete mode 100755 src/conf_mode/interfaces-pseudo-ethernet.py delete mode 100755 src/conf_mode/interfaces-sstpc.py delete mode 100755 src/conf_mode/interfaces-tunnel.py delete mode 100755 src/conf_mode/interfaces-virtual-ethernet.py delete mode 100755 src/conf_mode/interfaces-vti.py delete mode 100755 src/conf_mode/interfaces-vxlan.py delete mode 100755 src/conf_mode/interfaces-wireguard.py delete mode 100755 src/conf_mode/interfaces-wireless.py delete mode 100755 src/conf_mode/interfaces-wwan.py create mode 100755 src/conf_mode/interfaces_bonding.py create mode 100755 src/conf_mode/interfaces_bridge.py create mode 100755 src/conf_mode/interfaces_dummy.py create mode 100755 src/conf_mode/interfaces_ethernet.py create mode 100755 src/conf_mode/interfaces_geneve.py create mode 100755 src/conf_mode/interfaces_input.py create mode 100755 src/conf_mode/interfaces_l2tpv3.py create mode 100755 src/conf_mode/interfaces_loopback.py create mode 100755 src/conf_mode/interfaces_macsec.py create mode 100755 src/conf_mode/interfaces_openvpn.py create mode 100755 src/conf_mode/interfaces_pppoe.py create mode 100755 src/conf_mode/interfaces_pseudo-ethernet.py create mode 100755 src/conf_mode/interfaces_sstpc.py create mode 100755 src/conf_mode/interfaces_tunnel.py create mode 100755 src/conf_mode/interfaces_virtual-ethernet.py create mode 100755 src/conf_mode/interfaces_vti.py create mode 100755 src/conf_mode/interfaces_vxlan.py create mode 100755 src/conf_mode/interfaces_wireguard.py create mode 100755 src/conf_mode/interfaces_wireless.py create mode 100755 src/conf_mode/interfaces_wwan.py delete mode 100755 src/conf_mode/le_cert.py delete mode 100755 src/conf_mode/lldp.py delete mode 100755 src/conf_mode/load-balancing-haproxy.py delete mode 100755 src/conf_mode/load-balancing-wan.py create mode 100755 src/conf_mode/load-balancing_reverse-proxy.py create mode 100755 src/conf_mode/load-balancing_wan.py delete mode 100755 src/conf_mode/ntp.py delete mode 100755 src/conf_mode/policy-local-route.py delete mode 100755 src/conf_mode/policy-route.py create mode 100755 src/conf_mode/policy_local-route.py create mode 100755 src/conf_mode/policy_route.py create mode 100755 src/conf_mode/protocols_igmp-proxy.py create mode 100755 src/conf_mode/protocols_segment-routing.py delete mode 100755 src/conf_mode/protocols_segment_routing.py create mode 100755 src/conf_mode/protocols_static_arp.py delete mode 100755 src/conf_mode/salt-minion.py create mode 100755 src/conf_mode/service_broadcast-relay.py create mode 100755 src/conf_mode/service_config-sync.py delete mode 100755 src/conf_mode/service_config_sync.py create mode 100755 src/conf_mode/service_conntrack-sync.py create mode 100755 src/conf_mode/service_dhcp-relay.py create mode 100755 src/conf_mode/service_dhcp-server.py create mode 100755 src/conf_mode/service_dhcpv6-relay.py create mode 100755 src/conf_mode/service_dhcpv6-server.py create mode 100755 src/conf_mode/service_dns_dynamic.py create mode 100755 src/conf_mode/service_dns_forwarding.py create mode 100755 src/conf_mode/service_event-handler.py delete mode 100755 src/conf_mode/service_event_handler.py create mode 100755 src/conf_mode/service_https.py create mode 100755 src/conf_mode/service_https_certificates_certbot.py create mode 100755 src/conf_mode/service_ids_ddos-protection.py delete mode 100755 src/conf_mode/service_ids_fastnetmon.py create mode 100755 src/conf_mode/service_lldp.py delete mode 100755 src/conf_mode/service_mdns-repeater.py create mode 100755 src/conf_mode/service_mdns_repeater.py create mode 100755 src/conf_mode/service_ntp.py create mode 100755 src/conf_mode/service_salt-minion.py create mode 100755 src/conf_mode/service_snmp.py create mode 100755 src/conf_mode/service_ssh.py create mode 100755 src/conf_mode/service_tftp-server.py delete mode 100755 src/conf_mode/snmp.py delete mode 100755 src/conf_mode/ssh.py delete mode 100755 src/conf_mode/system-ip.py delete mode 100755 src/conf_mode/system-ipv6.py delete mode 100755 src/conf_mode/system-login-banner.py delete mode 100755 src/conf_mode/system-login.py delete mode 100755 src/conf_mode/system-logs.py delete mode 100755 src/conf_mode/system-option.py delete mode 100755 src/conf_mode/system-proxy.py delete mode 100755 src/conf_mode/system-syslog.py delete mode 100755 src/conf_mode/system-timezone.py create mode 100755 src/conf_mode/system_acceleration.py create mode 100755 src/conf_mode/system_config-management.py create mode 100755 src/conf_mode/system_conntrack.py create mode 100755 src/conf_mode/system_flow-accounting.py create mode 100755 src/conf_mode/system_host-name.py create mode 100755 src/conf_mode/system_ip.py create mode 100755 src/conf_mode/system_ipv6.py create mode 100755 src/conf_mode/system_login.py create mode 100755 src/conf_mode/system_login_banner.py create mode 100755 src/conf_mode/system_logs.py create mode 100755 src/conf_mode/system_option.py create mode 100755 src/conf_mode/system_proxy.py create mode 100755 src/conf_mode/system_syslog.py create mode 100755 src/conf_mode/system_task-scheduler.py create mode 100755 src/conf_mode/system_timezone.py create mode 100755 src/conf_mode/system_update-check.py delete mode 100755 src/conf_mode/system_update_check.py delete mode 100755 src/conf_mode/task_scheduler.py delete mode 100755 src/conf_mode/tftp_server.py (limited to 'src/conf_mode') diff --git a/src/conf_mode/arp.py b/src/conf_mode/arp.py deleted file mode 100755 index b141f1141..000000000 --- a/src/conf_mode/arp.py +++ /dev/null @@ -1,74 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from vyos.config import Config -from vyos.configdict import node_changed -from vyos.utils.process import call -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['protocols', 'static', 'arp'] - arp = conf.get_config_dict(base, get_first_key=True) - - if 'interface' in arp: - for interface in arp['interface']: - tmp = node_changed(conf, base + ['interface', interface, 'address'], recursive=True) - if tmp: arp['interface'][interface].update({'address_old' : tmp}) - - return arp - -def verify(arp): - pass - -def generate(arp): - pass - -def apply(arp): - if not arp: - return None - - if 'interface' in arp: - for interface, interface_config in arp['interface'].items(): - # Delete old static ARP assignments first - if 'address_old' in interface_config: - for address in interface_config['address_old']: - call(f'ip neigh del {address} dev {interface}') - - # Add new static ARP entries to interface - if 'address' not in interface_config: - continue - for address, address_config in interface_config['address'].items(): - mac = address_config['mac'] - call(f'ip neigh replace {address} lladdr {mac} dev {interface}') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py deleted file mode 100755 index 31c552f5a..000000000 --- a/src/conf_mode/bcast_relay.py +++ /dev/null @@ -1,111 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2017-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from glob import glob -from netifaces import AF_INET -from sys import exit - -from vyos.config import Config -from vyos.configverify import verify_interface_exists -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.network import is_afi_configured -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file_base = r'/etc/default/udp-broadcast-relay' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'broadcast-relay'] - - relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - return relay - -def verify(relay): - if not relay or 'disabled' in relay: - return None - - for instance, config in relay.get('id', {}).items(): - # we don't have to check this instance when it's disabled - if 'disabled' in config: - continue - - # we certainly require a UDP port to listen to - if 'port' not in config: - raise ConfigError(f'Port number is mandatory for UDP broadcast relay "{instance}"') - - # Relaying data without two interface is kinda senseless ... - if len(config.get('interface', [])) < 2: - raise ConfigError('At least two interfaces are required for UDP broadcast relay "{instance}"') - - for interface in config.get('interface', []): - verify_interface_exists(interface) - if not is_afi_configured(interface, AF_INET): - raise ConfigError(f'Interface "{interface}" has no IPv4 address configured!') - - return None - -def generate(relay): - if not relay or 'disabled' in relay: - return None - - for config in glob(config_file_base + '*'): - os.remove(config) - - for instance, config in relay.get('id').items(): - # we don't have to check this instance when it's disabled - if 'disabled' in config: - continue - - config['instance'] = instance - render(config_file_base + instance, 'bcast-relay/udp-broadcast-relay.j2', - config) - - return None - -def apply(relay): - # first stop all running services - call('systemctl stop udp-broadcast-relay@*.service') - - if not relay or 'disable' in relay: - return None - - # start only required service instances - for instance, config in relay.get('id').items(): - # we don't have to check this instance when it's disabled - if 'disabled' in config: - continue - - call(f'systemctl start udp-broadcast-relay@{instance}.service') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/config_mgmt.py b/src/conf_mode/config_mgmt.py deleted file mode 100755 index c681a8405..000000000 --- a/src/conf_mode/config_mgmt.py +++ /dev/null @@ -1,96 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import sys - -from vyos import ConfigError -from vyos.config import Config -from vyos.config_mgmt import ConfigMgmt -from vyos.config_mgmt import commit_post_hook_dir, commit_hooks - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['system', 'config-management'] - if not conf.exists(base): - return None - - mgmt = ConfigMgmt(config=conf) - - return mgmt - -def verify(_mgmt): - return - -def generate(mgmt): - if mgmt is None: - return - - mgmt.initialize_revision() - -def apply(mgmt): - if mgmt is None: - return - - locations = mgmt.locations - archive_target = os.path.join(commit_post_hook_dir, - commit_hooks['commit_archive']) - if locations: - try: - os.symlink('/usr/bin/config-mgmt', archive_target) - except FileExistsError: - pass - except OSError as exc: - raise ConfigError from exc - else: - try: - os.unlink(archive_target) - except FileNotFoundError: - pass - except OSError as exc: - raise ConfigError from exc - - revisions = mgmt.max_revisions - revision_target = os.path.join(commit_post_hook_dir, - commit_hooks['commit_revision']) - if revisions > 0: - try: - os.symlink('/usr/bin/config-mgmt', revision_target) - except FileExistsError: - pass - except OSError as exc: - raise ConfigError from exc - else: - try: - os.unlink(revision_target) - except FileNotFoundError: - pass - except OSError as exc: - raise ConfigError from exc - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - sys.exit(1) diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py deleted file mode 100755 index 7f6c71440..000000000 --- a/src/conf_mode/conntrack.py +++ /dev/null @@ -1,243 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2021-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re - -from sys import exit - -from vyos.config import Config -from vyos.configdep import set_dependents, call_dependents -from vyos.utils.process import process_named_running -from vyos.utils.dict import dict_search -from vyos.utils.dict import dict_search_args -from vyos.utils.dict import dict_search_recursive -from vyos.utils.process import cmd -from vyos.utils.process import rc_cmd -from vyos.utils.process import run -from vyos.template import render -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf' -sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf' -nftables_ct_file = r'/run/nftables-ct.conf' - -# Every ALG (Application Layer Gateway) consists of either a Kernel Object -# also called a Kernel Module/Driver or some rules present in iptables -module_map = { - 'ftp': { - 'ko': ['nf_nat_ftp', 'nf_conntrack_ftp'], - 'nftables': ['ct helper set "ftp_tcp" tcp dport {21} return'] - }, - 'h323': { - 'ko': ['nf_nat_h323', 'nf_conntrack_h323'], - 'nftables': ['ct helper set "ras_udp" udp dport {1719} return', - 'ct helper set "q931_tcp" tcp dport {1720} return'] - }, - 'nfs': { - 'nftables': ['ct helper set "rpc_tcp" tcp dport {111} return', - 'ct helper set "rpc_udp" udp dport {111} return'] - }, - 'pptp': { - 'ko': ['nf_nat_pptp', 'nf_conntrack_pptp'], - 'nftables': ['ct helper set "pptp_tcp" tcp dport {1723} return'], - 'ipv4': True - }, - 'sip': { - 'ko': ['nf_nat_sip', 'nf_conntrack_sip'], - 'nftables': ['ct helper set "sip_tcp" tcp dport {5060,5061} return', - 'ct helper set "sip_udp" udp dport {5060,5061} return'] - }, - 'sqlnet': { - 'nftables': ['ct helper set "tns_tcp" tcp dport {1521,1525,1536} return'] - }, - 'tftp': { - 'ko': ['nf_nat_tftp', 'nf_conntrack_tftp'], - 'nftables': ['ct helper set "tftp_udp" udp dport {69} return'] - }, -} - -valid_groups = [ - 'address_group', - 'domain_group', - 'network_group', - 'port_group' -] - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'conntrack'] - - conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - conntrack['firewall'] = conf.get_config_dict(['firewall'], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) - - conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return' - conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return' - conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return' - conntrack['wlb_local_action'] = conf.exists(['load-balancing', 'wan', 'enable-local-traffic']) - - conntrack['module_map'] = module_map - - if conf.exists(['service', 'conntrack-sync']): - set_dependents('conntrack_sync', conf) - - return conntrack - -def verify(conntrack): - for inet in ['ipv4', 'ipv6']: - if dict_search_args(conntrack, 'ignore', inet, 'rule') != None: - for rule, rule_config in conntrack['ignore'][inet]['rule'].items(): - if dict_search('destination.port', rule_config) or \ - dict_search('destination.group.port_group', rule_config) or \ - dict_search('source.port', rule_config) or \ - dict_search('source.group.port_group', rule_config): - if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']: - raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}') - - tcp_flags = dict_search_args(rule_config, 'tcp', 'flags') - if tcp_flags: - if dict_search_args(rule_config, 'protocol') != 'tcp': - raise ConfigError('Protocol must be tcp when specifying tcp flags') - - not_flags = dict_search_args(rule_config, 'tcp', 'flags', 'not') - if not_flags: - duplicates = [flag for flag in tcp_flags if flag in not_flags] - if duplicates: - raise ConfigError(f'Cannot match a tcp flag as set and not set') - - for side in ['destination', 'source']: - if side in rule_config: - side_conf = rule_config[side] - - if 'group' in side_conf: - if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1: - raise ConfigError('Only one address-group, network-group or domain-group can be specified') - - for group in valid_groups: - if group in side_conf['group']: - group_name = side_conf['group'][group] - error_group = group.replace("_", "-") - - if group in ['address_group', 'network_group', 'domain_group']: - if 'address' in side_conf: - raise ConfigError(f'{error_group} and address cannot both be defined') - - if group_name and group_name[0] == '!': - group_name = group_name[1:] - - if inet == 'ipv6': - group = f'ipv6_{group}' - - group_obj = dict_search_args(conntrack['firewall'], 'group', group, group_name) - - if group_obj is None: - raise ConfigError(f'Invalid {error_group} "{group_name}" on ignore rule') - - if not group_obj: - Warning(f'{error_group} "{group_name}" has no members!') - - if dict_search_args(conntrack, 'timeout', 'custom', inet, 'rule') != None: - for rule, rule_config in conntrack['timeout']['custom'][inet]['rule'].items(): - if 'protocol' not in rule_config: - raise ConfigError(f'Conntrack custom timeout rule {rule} requires protocol tcp or udp') - else: - if 'tcp' in rule_config['protocol'] and 'udp' in rule_config['protocol']: - raise ConfigError(f'conntrack custom timeout rule {rule} - Cant use both tcp and udp protocol') - return None - -def generate(conntrack): - if not os.path.exists(nftables_ct_file): - conntrack['first_install'] = True - - # Determine if conntrack is needed - conntrack['ipv4_firewall_action'] = 'return' - conntrack['ipv6_firewall_action'] = 'return' - - for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'): - if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()): - if path[0] == 'ipv4': - conntrack['ipv4_firewall_action'] = 'accept' - elif path[0] == 'ipv6': - conntrack['ipv6_firewall_action'] = 'accept' - - render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack) - render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) - render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack) - return None - -def apply(conntrack): - # Depending on the enable/disable state of the ALG (Application Layer Gateway) - # modules we need to either insmod or rmmod the helpers. - - add_modules = [] - rm_modules = [] - - for module, module_config in module_map.items(): - if dict_search_args(conntrack, 'modules', module) is None: - if 'ko' in module_config: - unloaded = [mod for mod in module_config['ko'] if os.path.exists(f'/sys/module/{mod}')] - rm_modules.extend(unloaded) - else: - if 'ko' in module_config: - add_modules.extend(module_config['ko']) - - # Add modules before nftables uses them - if add_modules: - module_str = ' '.join(add_modules) - cmd(f'modprobe -a {module_str}') - - # Load new nftables ruleset - install_result, output = rc_cmd(f'nft -f {nftables_ct_file}') - if install_result == 1: - raise ConfigError(f'Failed to apply configuration: {output}') - - # Remove modules after nftables stops using them - if rm_modules: - module_str = ' '.join(rm_modules) - cmd(f'rmmod {module_str}') - - try: - call_dependents() - except ConfigError: - # Ignore config errors on dependent due to being called too early. Example: - # ConfigError("ConfigError('Interface ethN requires an IP address!')") - pass - - # We silently ignore all errors - # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080 - cmd(f'sysctl -f {sysctl_file}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/conntrack_sync.py deleted file mode 100755 index 4fb2ce27f..000000000 --- a/src/conf_mode/conntrack_sync.py +++ /dev/null @@ -1,141 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from vyos.config import Config -from vyos.configverify import verify_interface_exists -from vyos.utils.dict import dict_search -from vyos.utils.process import process_named_running -from vyos.utils.file import read_file -from vyos.utils.process import call -from vyos.utils.process import run -from vyos.template import render -from vyos.template import get_ipv4 -from vyos.utils.network import is_addr_assigned -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = '/run/conntrackd/conntrackd.conf' - -def resync_vrrp(): - tmp = run('/usr/libexec/vyos/conf_mode/high-availability.py') - if tmp > 0: - print('ERROR: error restarting VRRP daemon!') - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'conntrack-sync'] - if not conf.exists(base): - return None - - conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, with_defaults=True) - - conntrack['hash_size'] = read_file('/sys/module/nf_conntrack/parameters/hashsize') - conntrack['table_size'] = read_file('/proc/sys/net/netfilter/nf_conntrack_max') - - conntrack['vrrp'] = conf.get_config_dict(['high-availability', 'vrrp', 'sync-group'], - get_first_key=True) - - return conntrack - -def verify(conntrack): - if not conntrack: - return None - - if 'interface' not in conntrack: - raise ConfigError('Interface not defined!') - - has_peer = False - for interface, interface_config in conntrack['interface'].items(): - verify_interface_exists(interface) - # Interface must not only exist, it must also carry an IP address - if len(get_ipv4(interface)) < 1: - raise ConfigError(f'Interface {interface} requires an IP address!') - if 'peer' in interface_config: - has_peer = True - - # If one interface runs in unicast mode instead of multicast, so must all the - # others, else conntrackd will error out with: "cannot use UDP with other - # dedicated link protocols" - if has_peer: - for interface, interface_config in conntrack['interface'].items(): - if 'peer' not in interface_config: - raise ConfigError('Can not mix unicast and multicast mode!') - - if 'expect_sync' in conntrack: - if len(conntrack['expect_sync']) > 1 and 'all' in conntrack['expect_sync']: - raise ConfigError('Can not configure expect-sync "all" with other protocols!') - - if 'listen_address' in conntrack: - for address in conntrack['listen_address']: - if not is_addr_assigned(address): - raise ConfigError(f'Specified listen-address {address} not assigned to any interface!') - - vrrp_group = dict_search('failover_mechanism.vrrp.sync_group', conntrack) - if vrrp_group == None: - raise ConfigError(f'No VRRP sync-group defined!') - if vrrp_group not in conntrack['vrrp']: - raise ConfigError(f'VRRP sync-group {vrrp_group} not configured!') - - return None - -def generate(conntrack): - if not conntrack: - if os.path.isfile(config_file): - os.unlink(config_file) - return None - - render(config_file, 'conntrackd/conntrackd.conf.j2', conntrack) - - return None - -def apply(conntrack): - systemd_service = 'conntrackd.service' - if not conntrack: - # Failover mechanism daemon should be indicated that it no longer needs - # to execute conntrackd actions on transition. This is only required - # once when conntrackd is stopped and taken out of service! - if process_named_running('conntrackd'): - resync_vrrp() - - call(f'systemctl stop {systemd_service}') - return None - - # Failover mechanism daemon should be indicated that it needs to execute - # conntrackd actions on transition. This is only required once when conntrackd - # is started the first time! - if not process_named_running('conntrackd'): - resync_vrrp() - - call(f'systemctl reload-or-restart {systemd_service}') - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/dhcp_relay.py b/src/conf_mode/dhcp_relay.py deleted file mode 100755 index 37d708847..000000000 --- a/src/conf_mode/dhcp_relay.py +++ /dev/null @@ -1,104 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.base import Warning -from vyos.config import Config -from vyos.template import render -from vyos.base import Warning -from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = r'/run/dhcp-relay/dhcrelay.conf' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'dhcp-relay'] - if not conf.exists(base): - return None - - relay = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - return relay - -def verify(relay): - # bail out early - looks like removal from running config - if not relay or 'disable' in relay: - return None - - if 'lo' in (dict_search('interface', relay) or []): - raise ConfigError('DHCP relay does not support the loopback interface.') - - if 'server' not in relay : - raise ConfigError('No DHCP relay server(s) configured.\n' \ - 'At least one DHCP relay server required.') - - if 'interface' in relay: - Warning('DHCP relay interface is DEPRECATED - please use upstream-interface and listen-interface instead!') - if 'upstream_interface' in relay or 'listen_interface' in relay: - raise ConfigError(' configuration is not compatible with upstream/listen interface') - else: - Warning(' is going to be deprecated.\n' \ - 'Please use and ') - - if 'upstream_interface' in relay and 'listen_interface' not in relay: - raise ConfigError('No listen-interface configured') - if 'listen_interface' in relay and 'upstream_interface' not in relay: - raise ConfigError('No upstream-interface configured') - - return None - -def generate(relay): - # bail out early - looks like removal from running config - if not relay or 'disable' in relay: - return None - - render(config_file, 'dhcp-relay/dhcrelay.conf.j2', relay) - return None - -def apply(relay): - # bail out early - looks like removal from running config - service_name = 'isc-dhcp-relay.service' - if not relay or 'disable' in relay: - call(f'systemctl stop {service_name}') - if os.path.exists(config_file): - os.unlink(config_file) - return None - - call(f'systemctl restart {service_name}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py deleted file mode 100755 index 7ebc560ba..000000000 --- a/src/conf_mode/dhcp_server.py +++ /dev/null @@ -1,385 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from ipaddress import ip_address -from ipaddress import ip_network -from netaddr import IPRange -from sys import exit - -from vyos.config import Config -from vyos.pki import wrap_certificate -from vyos.pki import wrap_private_key -from vyos.template import render -from vyos.utils.dict import dict_search -from vyos.utils.dict import dict_search_args -from vyos.utils.file import chmod_775 -from vyos.utils.file import makedir -from vyos.utils.file import write_file -from vyos.utils.process import call -from vyos.utils.network import is_subnet_connected -from vyos.utils.network import is_addr_assigned -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -ctrl_config_file = '/run/kea/kea-ctrl-agent.conf' -ctrl_socket = '/run/kea/dhcp4-ctrl-socket' -config_file = '/run/kea/kea-dhcp4.conf' -lease_file = '/config/dhcp/dhcp4-leases.csv' -systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf' -user_group = '_kea' - -ca_cert_file = '/run/kea/kea-failover-ca.pem' -cert_file = '/run/kea/kea-failover.pem' -cert_key_file = '/run/kea/kea-failover-key.pem' - -def dhcp_slice_range(exclude_list, range_dict): - """ - This function is intended to slice a DHCP range. What does it mean? - - Lets assume we have a DHCP range from '192.0.2.1' to '192.0.2.100' - but want to exclude address '192.0.2.74' and '192.0.2.75'. We will - pass an input 'range_dict' in the format: - {'start' : '192.0.2.1', 'stop' : '192.0.2.100' } - and we will receive an output list of: - [{'start' : '192.0.2.1' , 'stop' : '192.0.2.73' }, - {'start' : '192.0.2.76', 'stop' : '192.0.2.100' }] - The resulting list can then be used in turn to build the proper dhcpd - configuration file. - """ - output = [] - # exclude list must be sorted for this to work - exclude_list = sorted(exclude_list) - range_start = range_dict['start'] - range_stop = range_dict['stop'] - range_last_exclude = '' - - for e in exclude_list: - if (ip_address(e) >= ip_address(range_start)) and \ - (ip_address(e) <= ip_address(range_stop)): - range_last_exclude = e - - for e in exclude_list: - if (ip_address(e) >= ip_address(range_start)) and \ - (ip_address(e) <= ip_address(range_stop)): - - # Build new address range ending one address before exclude address - r = { - 'start' : range_start, - 'stop' : str(ip_address(e) -1) - } - # On the next run our address range will start one address after - # the exclude address - range_start = str(ip_address(e) + 1) - - # on subsequent exclude addresses we can not - # append them to our output - if not (ip_address(r['start']) > ip_address(r['stop'])): - # Everything is fine, add range to result - output.append(r) - - # Take care of last IP address range spanning from the last exclude - # address (+1) to the end of the initial configured range - if ip_address(e) == ip_address(range_last_exclude): - r = { - 'start': str(ip_address(e) + 1), - 'stop': str(range_stop) - } - if not (ip_address(r['start']) > ip_address(r['stop'])): - output.append(r) - else: - # if the excluded address was not part of the range, we simply return - # the entire ranga again - if not range_last_exclude: - if range_dict not in output: - output.append(range_dict) - - return output - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'dhcp-server'] - if not conf.exists(base): - return None - - dhcp = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - if 'shared_network_name' in dhcp: - for network, network_config in dhcp['shared_network_name'].items(): - if 'subnet' in network_config: - for subnet, subnet_config in network_config['subnet'].items(): - # If exclude IP addresses are defined we need to slice them out of - # the defined ranges - if {'exclude', 'range'} <= set(subnet_config): - new_range_id = 0 - new_range_dict = {} - for r, r_config in subnet_config['range'].items(): - for slice in dhcp_slice_range(subnet_config['exclude'], r_config): - new_range_dict.update({new_range_id : slice}) - new_range_id +=1 - - dhcp['shared_network_name'][network]['subnet'][subnet].update( - {'range' : new_range_dict}) - - if dict_search('failover.certificate', dhcp): - dhcp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - - return dhcp - -def verify(dhcp): - # bail out early - looks like removal from running config - if not dhcp or 'disable' in dhcp: - return None - - # If DHCP is enabled we need one share-network - if 'shared_network_name' not in dhcp: - raise ConfigError('No DHCP shared networks configured.\n' \ - 'At least one DHCP shared network must be configured.') - - # Inspect shared-network/subnet - listen_ok = False - subnets = [] - failover_ok = False - shared_networks = len(dhcp['shared_network_name']) - disabled_shared_networks = 0 - - - # A shared-network requires a subnet definition - for network, network_config in dhcp['shared_network_name'].items(): - if 'disable' in network_config: - disabled_shared_networks += 1 - - if 'subnet' not in network_config: - raise ConfigError(f'No subnets defined for {network}. At least one\n' \ - 'lease subnet must be configured.') - - for subnet, subnet_config in network_config['subnet'].items(): - # All delivered static routes require a next-hop to be set - if 'static_route' in subnet_config: - for route, route_option in subnet_config['static_route'].items(): - if 'next_hop' not in route_option: - raise ConfigError(f'DHCP static-route "{route}" requires router to be defined!') - - # Check if DHCP address range is inside configured subnet declaration - if 'range' in subnet_config: - networks = [] - for range, range_config in subnet_config['range'].items(): - if not {'start', 'stop'} <= set(range_config): - raise ConfigError(f'DHCP range "{range}" start and stop address must be defined!') - - # Start/Stop address must be inside network - for key in ['start', 'stop']: - if ip_address(range_config[key]) not in ip_network(subnet): - raise ConfigError(f'DHCP range "{range}" {key} address not within shared-network "{network}, {subnet}"!') - - # Stop address must be greater or equal to start address - if ip_address(range_config['stop']) < ip_address(range_config['start']): - raise ConfigError(f'DHCP range "{range}" stop address must be greater or equal\n' \ - 'to the ranges start address!') - - for network in networks: - start = range_config['start'] - stop = range_config['stop'] - if start in network: - raise ConfigError(f'Range "{range}" start address "{start}" already part of another range!') - if stop in network: - raise ConfigError(f'Range "{range}" stop address "{stop}" already part of another range!') - - tmp = IPRange(range_config['start'], range_config['stop']) - networks.append(tmp) - - # Exclude addresses must be in bound - if 'exclude' in subnet_config: - for exclude in subnet_config['exclude']: - if ip_address(exclude) not in ip_network(subnet): - raise ConfigError(f'Excluded IP address "{exclude}" not within shared-network "{network}, {subnet}"!') - - # At least one DHCP address range or static-mapping required - if 'range' not in subnet_config and 'static_mapping' not in subnet_config: - raise ConfigError(f'No DHCP address range or active static-mapping configured\n' \ - f'within shared-network "{network}, {subnet}"!') - - if 'static_mapping' in subnet_config: - # Static mappings require just a MAC address (will use an IP from the dynamic pool if IP is not set) - for mapping, mapping_config in subnet_config['static_mapping'].items(): - if 'ip_address' in mapping_config: - if ip_address(mapping_config['ip_address']) not in ip_network(subnet): - raise ConfigError(f'Configured static lease address for mapping "{mapping}" is\n' \ - f'not within shared-network "{network}, {subnet}"!') - - if ('mac' not in mapping_config and 'duid' not in mapping_config) or \ - ('mac' in mapping_config and 'duid' in mapping_config): - raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for ' - f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!') - - # There must be one subnet connected to a listen interface. - # This only counts if the network itself is not disabled! - if 'disable' not in network_config: - if is_subnet_connected(subnet, primary=False): - listen_ok = True - - # Subnets must be non overlapping - if subnet in subnets: - raise ConfigError(f'Configured subnets must be unique! Subnet "{subnet}"\n' - 'defined multiple times!') - subnets.append(subnet) - - # Check for overlapping subnets - net = ip_network(subnet) - for n in subnets: - net2 = ip_network(n) - if (net != net2): - if net.overlaps(net2): - raise ConfigError(f'Conflicting subnet ranges: "{net}" overlaps "{net2}"!') - - # Prevent 'disable' for shared-network if only one network is configured - if (shared_networks - disabled_shared_networks) < 1: - raise ConfigError(f'At least one shared network must be active!') - - if 'failover' in dhcp: - for key in ['name', 'remote', 'source_address', 'status']: - if key not in dhcp['failover']: - tmp = key.replace('_', '-') - raise ConfigError(f'DHCP failover requires "{tmp}" to be specified!') - - if len({'certificate', 'ca_certificate'} & set(dhcp['failover'])) == 1: - raise ConfigError(f'DHCP secured failover requires both certificate and CA certificate') - - if 'certificate' in dhcp['failover']: - cert_name = dhcp['failover']['certificate'] - - if cert_name not in dhcp['pki']['certificate']: - raise ConfigError(f'Invalid certificate specified for DHCP failover') - - if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'certificate'): - raise ConfigError(f'Invalid certificate specified for DHCP failover') - - if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'private', 'key'): - raise ConfigError(f'Missing private key on certificate specified for DHCP failover') - - if 'ca_certificate' in dhcp['failover']: - ca_cert_name = dhcp['failover']['ca_certificate'] - if ca_cert_name not in dhcp['pki']['ca']: - raise ConfigError(f'Invalid CA certificate specified for DHCP failover') - - if not dict_search_args(dhcp['pki']['ca'], ca_cert_name, 'certificate'): - raise ConfigError(f'Invalid CA certificate specified for DHCP failover') - - for address in (dict_search('listen_address', dhcp) or []): - if is_addr_assigned(address): - listen_ok = True - # no need to probe further networks, we have one that is valid - continue - else: - raise ConfigError(f'listen-address "{address}" not configured on any interface') - - - if not listen_ok: - raise ConfigError('None of the configured subnets have an appropriate primary IP address on any\n' - 'broadcast interface configured, nor was there an explicit listen-address\n' - 'configured for serving DHCP relay packets!') - - return None - -def generate(dhcp): - # bail out early - looks like removal from running config - if not dhcp or 'disable' in dhcp: - return None - - dhcp['lease_file'] = lease_file - dhcp['machine'] = os.uname().machine - - # Create directory for lease file if necessary - lease_dir = os.path.dirname(lease_file) - if not os.path.isdir(lease_dir): - makedir(lease_dir, group='vyattacfg') - chmod_775(lease_dir) - - # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way - if not os.path.exists(lease_file): - write_file(lease_file, '', user=user_group, group=user_group, mode=0o644) - - for f in [cert_file, cert_key_file, ca_cert_file]: - if os.path.exists(f): - os.unlink(f) - - if 'failover' in dhcp: - if 'certificate' in dhcp['failover']: - cert_name = dhcp['failover']['certificate'] - cert_data = dhcp['pki']['certificate'][cert_name]['certificate'] - key_data = dhcp['pki']['certificate'][cert_name]['private']['key'] - write_file(cert_file, wrap_certificate(cert_data), user=user_group, mode=0o600) - write_file(cert_key_file, wrap_private_key(key_data), user=user_group, mode=0o600) - - dhcp['failover']['cert_file'] = cert_file - dhcp['failover']['cert_key_file'] = cert_key_file - - if 'ca_certificate' in dhcp['failover']: - ca_cert_name = dhcp['failover']['ca_certificate'] - ca_cert_data = dhcp['pki']['ca'][ca_cert_name]['certificate'] - write_file(ca_cert_file, wrap_certificate(ca_cert_data), user=user_group, mode=0o600) - - dhcp['failover']['ca_cert_file'] = ca_cert_file - - render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp) - - render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp, user=user_group, group=user_group) - render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp, user=user_group, group=user_group) - - return None - -def apply(dhcp): - services = ['kea-ctrl-agent', 'kea-dhcp4-server', 'kea-dhcp-ddns-server'] - - if not dhcp or 'disable' in dhcp: - for service in services: - call(f'systemctl stop {service}.service') - - if os.path.exists(config_file): - os.unlink(config_file) - - return None - - for service in services: - action = 'restart' - - if service == 'kea-dhcp-ddns-server' and 'dynamic_dns_update' not in dhcp: - action = 'stop' - - if service == 'kea-ctrl-agent' and 'failover' not in dhcp: - action = 'stop' - - call(f'systemctl {action} {service}.service') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/dhcpv6_relay.py b/src/conf_mode/dhcpv6_relay.py deleted file mode 100755 index 6537ca3c2..000000000 --- a/src/conf_mode/dhcpv6_relay.py +++ /dev/null @@ -1,106 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.config import Config -from vyos.ifconfig import Interface -from vyos.template import render -from vyos.template import is_ipv6 -from vyos.utils.process import call -from vyos.utils.network import is_ipv6_link_local -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = '/run/dhcp-relay/dhcrelay6.conf' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'dhcpv6-relay'] - if not conf.exists(base): - return None - - relay = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - return relay - -def verify(relay): - # bail out early - looks like removal from running config - if not relay or 'disable' in relay: - return None - - if 'upstream_interface' not in relay: - raise ConfigError('At least one upstream interface required!') - for interface, config in relay['upstream_interface'].items(): - if 'address' not in config: - raise ConfigError('DHCPv6 server required for upstream ' \ - f'interface {interface}!') - - if 'listen_interface' not in relay: - raise ConfigError('At least one listen interface required!') - - # DHCPv6 relay requires at least one global unicat address assigned to the - # interface - for interface in relay['listen_interface']: - has_global = False - for addr in Interface(interface).get_addr(): - if is_ipv6(addr) and not is_ipv6_link_local(addr): - has_global = True - if not has_global: - raise ConfigError(f'Interface {interface} does not have global '\ - 'IPv6 address assigned!') - - return None - -def generate(relay): - # bail out early - looks like removal from running config - if not relay or 'disable' in relay: - return None - - render(config_file, 'dhcp-relay/dhcrelay6.conf.j2', relay) - return None - -def apply(relay): - # bail out early - looks like removal from running config - service_name = 'isc-dhcp-relay6.service' - if not relay or 'disable' in relay: - # DHCPv6 relay support is removed in the commit - call(f'systemctl stop {service_name}') - if os.path.exists(config_file): - os.unlink(config_file) - return None - - call(f'systemctl restart {service_name}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py deleted file mode 100755 index 9cc57dbcf..000000000 --- a/src/conf_mode/dhcpv6_server.py +++ /dev/null @@ -1,222 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from ipaddress import ip_address -from ipaddress import ip_network -from sys import exit - -from vyos.config import Config -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.file import chmod_775 -from vyos.utils.file import makedir -from vyos.utils.file import write_file -from vyos.utils.dict import dict_search -from vyos.utils.network import is_subnet_connected -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = '/run/kea/kea-dhcp6.conf' -ctrl_socket = '/run/kea/dhcp6-ctrl-socket' -lease_file = '/config/dhcp/dhcp6-leases.csv' -user_group = '_kea' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'dhcpv6-server'] - if not conf.exists(base): - return None - - dhcpv6 = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) - return dhcpv6 - -def verify(dhcpv6): - # bail out early - looks like removal from running config - if not dhcpv6 or 'disable' in dhcpv6: - return None - - # If DHCP is enabled we need one share-network - if 'shared_network_name' not in dhcpv6: - raise ConfigError('No DHCPv6 shared networks configured. At least '\ - 'one DHCPv6 shared network must be configured.') - - # Inspect shared-network/subnet - subnets = [] - listen_ok = False - for network, network_config in dhcpv6['shared_network_name'].items(): - # A shared-network requires a subnet definition - if 'subnet' not in network_config: - raise ConfigError(f'No DHCPv6 lease subnets configured for "{network}". '\ - 'At least one lease subnet must be configured for '\ - 'each shared network!') - - for subnet, subnet_config in network_config['subnet'].items(): - if 'address_range' in subnet_config: - if 'start' in subnet_config['address_range']: - range6_start = [] - range6_stop = [] - for start, start_config in subnet_config['address_range']['start'].items(): - if 'stop' not in start_config: - raise ConfigError(f'address-range stop address for start "{start}" is not defined!') - stop = start_config['stop'] - - # Start address must be inside network - if not ip_address(start) in ip_network(subnet): - raise ConfigError(f'address-range start address "{start}" is not in subnet "{subnet}"!') - - # Stop address must be inside network - if not ip_address(stop) in ip_network(subnet): - raise ConfigError(f'address-range stop address "{stop}" is not in subnet "{subnet}"!') - - # Stop address must be greater or equal to start address - if not ip_address(stop) >= ip_address(start): - raise ConfigError(f'address-range stop address "{stop}" must be greater then or equal ' \ - f'to the range start address "{start}"!') - - # DHCPv6 range start address must be unique - two ranges can't - # start with the same address - makes no sense - if start in range6_start: - raise ConfigError(f'Conflicting DHCPv6 lease range: '\ - f'Pool start address "{start}" defined multipe times!') - range6_start.append(start) - - # DHCPv6 range stop address must be unique - two ranges can't - # end with the same address - makes no sense - if stop in range6_stop: - raise ConfigError(f'Conflicting DHCPv6 lease range: '\ - f'Pool stop address "{stop}" defined multipe times!') - range6_stop.append(stop) - - if 'prefix' in subnet_config: - for prefix in subnet_config['prefix']: - if ip_network(prefix) not in ip_network(subnet): - raise ConfigError(f'address-range prefix "{prefix}" is not in subnet "{subnet}""') - - # Prefix delegation sanity checks - if 'prefix_delegation' in subnet_config: - if 'prefix' not in subnet_config['prefix_delegation']: - raise ConfigError('prefix-delegation prefix not defined!') - - for prefix, prefix_config in subnet_config['prefix_delegation']['prefix'].items(): - if 'delegated_length' not in prefix_config: - raise ConfigError(f'Delegated IPv6 prefix length for "{prefix}" '\ - f'must be configured') - - if 'prefix_length' not in prefix_config: - raise ConfigError('Length of delegated IPv6 prefix must be configured') - - if prefix_config['prefix_length'] > prefix_config['delegated_length']: - raise ConfigError('Length of delegated IPv6 prefix must be within parent prefix') - - # Static mappings don't require anything (but check if IP is in subnet if it's set) - if 'static_mapping' in subnet_config: - for mapping, mapping_config in subnet_config['static_mapping'].items(): - if 'ipv6_address' in mapping_config: - # Static address must be in subnet - if ip_address(mapping_config['ipv6_address']) not in ip_network(subnet): - raise ConfigError(f'static-mapping address for mapping "{mapping}" is not in subnet "{subnet}"!') - - if ('mac' not in mapping_config and 'duid' not in mapping_config) or \ - ('mac' in mapping_config and 'duid' in mapping_config): - raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for ' - f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!') - - if 'vendor_option' in subnet_config: - if len(dict_search('vendor_option.cisco.tftp_server', subnet_config)) > 2: - raise ConfigError(f'No more then two Cisco tftp-servers should be defined for subnet "{subnet}"!') - - # Subnets must be unique - if subnet in subnets: - raise ConfigError(f'DHCPv6 subnets must be unique! Subnet {subnet} defined multiple times!') - subnets.append(subnet) - - # DHCPv6 requires at least one configured address range or one static mapping - # (FIXME: is not actually checked right now?) - - # There must be one subnet connected to a listen interface if network is not disabled. - if 'disable' not in network_config: - if is_subnet_connected(subnet): - listen_ok = True - - # DHCPv6 subnet must not overlap. ISC DHCP also complains about overlapping - # subnets: "Warning: subnet 2001:db8::/32 overlaps subnet 2001:db8:1::/32" - net = ip_network(subnet) - for n in subnets: - net2 = ip_network(n) - if (net != net2): - if net.overlaps(net2): - raise ConfigError('DHCPv6 conflicting subnet ranges: {0} overlaps {1}'.format(net, net2)) - - if not listen_ok: - raise ConfigError('None of the DHCPv6 subnets are connected to a subnet6 on '\ - 'this machine. At least one subnet6 must be connected such that '\ - 'DHCPv6 listens on an interface!') - - - return None - -def generate(dhcpv6): - # bail out early - looks like removal from running config - if not dhcpv6 or 'disable' in dhcpv6: - return None - - dhcpv6['lease_file'] = lease_file - dhcpv6['machine'] = os.uname().machine - - # Create directory for lease file if necessary - lease_dir = os.path.dirname(lease_file) - if not os.path.isdir(lease_dir): - makedir(lease_dir, group='vyattacfg') - chmod_775(lease_dir) - - # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way - if not os.path.exists(lease_file): - write_file(lease_file, '', user=user_group, group=user_group, mode=0o644) - - render(config_file, 'dhcp-server/kea-dhcp6.conf.j2', dhcpv6, user=user_group, group=user_group) - return None - -def apply(dhcpv6): - # bail out early - looks like removal from running config - service_name = 'kea-dhcp6-server.service' - if not dhcpv6 or 'disable' in dhcpv6: - # DHCP server is removed in the commit - call(f'systemctl stop {service_name}') - if os.path.exists(config_file): - os.unlink(config_file) - return None - - call(f'systemctl restart {service_name}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/dns_dynamic.py b/src/conf_mode/dns_dynamic.py deleted file mode 100755 index 99fa8feee..000000000 --- a/src/conf_mode/dns_dynamic.py +++ /dev/null @@ -1,187 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re -from sys import exit - -from vyos.base import Warning -from vyos.config import Config -from vyos.configverify import verify_interface_exists -from vyos.template import render -from vyos.utils.process import call -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = r'/run/ddclient/ddclient.conf' -systemd_override = r'/run/systemd/system/ddclient.service.d/override.conf' - -# Dynamic interfaces that might not exist when the configuration is loaded -dynamic_interfaces = ('pppoe', 'sstpc') - -# Protocols that require zone -zone_necessary = ['cloudflare', 'digitalocean', 'godaddy', 'hetzner', 'gandi', - 'nfsn', 'nsupdate'] -zone_supported = zone_necessary + ['dnsexit2', 'zoneedit1'] - -# Protocols that do not require username -username_unnecessary = ['1984', 'cloudflare', 'cloudns', 'digitalocean', 'dnsexit2', - 'duckdns', 'freemyip', 'hetzner', 'keysystems', 'njalla', - 'nsupdate', 'regfishde'] - -# Protocols that support TTL -ttl_supported = ['cloudflare', 'dnsexit2', 'gandi', 'hetzner', 'godaddy', 'nfsn', - 'nsupdate'] - -# Protocols that support both IPv4 and IPv6 -dualstack_supported = ['cloudflare', 'digitalocean', 'dnsexit2', 'duckdns', - 'dyndns2', 'easydns', 'freedns', 'hetzner', 'infomaniak', - 'njalla'] - -# dyndns2 protocol in ddclient honors dual stack for selective servers -# because of the way it is implemented in ddclient -dyndns_dualstack_servers = ['members.dyndns.org', 'dynv6.com'] - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['service', 'dns', 'dynamic'] - if not conf.exists(base): - return None - - dyndns = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - dyndns['config_file'] = config_file - return dyndns - -def verify(dyndns): - # bail out early - looks like removal from running config - if not dyndns or 'name' not in dyndns: - return None - - # Dynamic DNS service provider - configuration validation - for service, config in dyndns['name'].items(): - - error_msg_req = f'is required for Dynamic DNS service "{service}"' - error_msg_uns = f'is not supported for Dynamic DNS service "{service}"' - - for field in ['protocol', 'address', 'host_name']: - if field not in config: - raise ConfigError(f'"{field.replace("_", "-")}" {error_msg_req}') - - # If dyndns address is an interface, ensure - # that the interface exists (or just warn if dynamic interface) - # and that web-options are not set - if config['address'] != 'web': - # exclude check interface for dynamic interfaces - if config['address'].startswith(dynamic_interfaces): - Warning(f'Interface "{config["address"]}" does not exist yet and cannot ' - f'be used for Dynamic DNS service "{service}" until it is up!') - else: - verify_interface_exists(config['address']) - if 'web_options' in config: - raise ConfigError(f'"web-options" is applicable only when using HTTP(S) ' - f'web request to obtain the IP address') - - # Warn if using checkip.dyndns.org, as it does not support HTTPS - # See: https://github.com/ddclient/ddclient/issues/597 - if 'web_options' in config: - if 'url' not in config['web_options']: - raise ConfigError(f'"url" in "web-options" {error_msg_req} ' - f'with protocol "{config["protocol"]}"') - elif re.search("^(https?://)?checkip\.dyndns\.org", config['web_options']['url']): - Warning(f'"checkip.dyndns.org" does not support HTTPS requests for IP address ' - f'lookup. Please use a different IP address lookup service.') - - # RFC2136 uses 'key' instead of 'password' - if config['protocol'] != 'nsupdate' and 'password' not in config: - raise ConfigError(f'"password" {error_msg_req}') - - # Other RFC2136 specific configuration validation - if config['protocol'] == 'nsupdate': - if 'password' in config: - raise ConfigError(f'"password" {error_msg_uns} with protocol "{config["protocol"]}"') - for field in ['server', 'key']: - if field not in config: - raise ConfigError(f'"{field}" {error_msg_req} with protocol "{config["protocol"]}"') - - if config['protocol'] in zone_necessary and 'zone' not in config: - raise ConfigError(f'"zone" {error_msg_req} with protocol "{config["protocol"]}"') - - if config['protocol'] not in zone_supported and 'zone' in config: - raise ConfigError(f'"zone" {error_msg_uns} with protocol "{config["protocol"]}"') - - if config['protocol'] not in username_unnecessary and 'username' not in config: - raise ConfigError(f'"username" {error_msg_req} with protocol "{config["protocol"]}"') - - if config['protocol'] not in ttl_supported and 'ttl' in config: - raise ConfigError(f'"ttl" {error_msg_uns} with protocol "{config["protocol"]}"') - - if config['ip_version'] == 'both': - if config['protocol'] not in dualstack_supported: - raise ConfigError(f'Both IPv4 and IPv6 at the same time {error_msg_uns} ' - f'with protocol "{config["protocol"]}"') - # dyndns2 protocol in ddclient honors dual stack only for dyn.com (dyndns.org) - if config['protocol'] == 'dyndns2' and 'server' in config and config['server'] not in dyndns_dualstack_servers: - raise ConfigError(f'Both IPv4 and IPv6 at the same time {error_msg_uns} ' - f'for "{config["server"]}" with protocol "{config["protocol"]}"') - - if {'wait_time', 'expiry_time'} <= config.keys() and int(config['expiry_time']) < int(config['wait_time']): - raise ConfigError(f'"expiry-time" must be greater than "wait-time" for ' - f'Dynamic DNS service "{service}"') - - return None - -def generate(dyndns): - # bail out early - looks like removal from running config - if not dyndns or 'name' not in dyndns: - return None - - render(config_file, 'dns-dynamic/ddclient.conf.j2', dyndns, permission=0o600) - render(systemd_override, 'dns-dynamic/override.conf.j2', dyndns) - return None - -def apply(dyndns): - systemd_service = 'ddclient.service' - # Reload systemd manager configuration - call('systemctl daemon-reload') - - # bail out early - looks like removal from running config - if not dyndns or 'name' not in dyndns: - call(f'systemctl stop {systemd_service}') - if os.path.exists(config_file): - os.unlink(config_file) - else: - call(f'systemctl reload-or-restart {systemd_service}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py deleted file mode 100755 index c186f47af..000000000 --- a/src/conf_mode/dns_forwarding.py +++ /dev/null @@ -1,358 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from netifaces import interfaces -from sys import exit -from glob import glob - -from vyos.config import Config -from vyos.hostsd_client import Client as hostsd_client -from vyos.template import render -from vyos.template import bracketize_ipv6 -from vyos.utils.process import call -from vyos.utils.permission import chown -from vyos.utils.dict import dict_search - -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -pdns_rec_user = pdns_rec_group = 'pdns' -pdns_rec_run_dir = '/run/powerdns' -pdns_rec_lua_conf_file = f'{pdns_rec_run_dir}/recursor.conf.lua' -pdns_rec_hostsd_lua_conf_file = f'{pdns_rec_run_dir}/recursor.vyos-hostsd.conf.lua' -pdns_rec_hostsd_zones_file = f'{pdns_rec_run_dir}/recursor.forward-zones.conf' -pdns_rec_config_file = f'{pdns_rec_run_dir}/recursor.conf' - -hostsd_tag = 'static' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'dns', 'forwarding'] - if not conf.exists(base): - return None - - dns = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - # some additions to the default dictionary - if 'system' in dns: - base_nameservers = ['system', 'name-server'] - if conf.exists(base_nameservers): - dns.update({'system_name_server': conf.return_values(base_nameservers)}) - - if 'authoritative_domain' in dns: - dns['authoritative_zones'] = [] - dns['authoritative_zone_errors'] = [] - for node in dns['authoritative_domain']: - zonedata = dns['authoritative_domain'][node] - if ('disable' in zonedata) or (not 'records' in zonedata): - continue - zone = { - 'name': node, - 'file': "{}/zone.{}.conf".format(pdns_rec_run_dir, node), - 'records': [], - } - - recorddata = zonedata['records'] - - for rtype in [ 'a', 'aaaa', 'cname', 'mx', 'ns', 'ptr', 'txt', 'spf', 'srv', 'naptr' ]: - if rtype not in recorddata: - continue - for subnode in recorddata[rtype]: - if 'disable' in recorddata[rtype][subnode]: - continue - - rdata = recorddata[rtype][subnode] - - if rtype in [ 'a', 'aaaa' ]: - if not 'address' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one address is required') - continue - - if subnode == 'any': - subnode = '*' - - for address in rdata['address']: - zone['records'].append({ - 'name': subnode, - 'type': rtype.upper(), - 'ttl': rdata['ttl'], - 'value': address - }) - elif rtype in ['cname', 'ptr', 'ns']: - if not 'target' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: target is required') - continue - - zone['records'].append({ - 'name': subnode, - 'type': rtype.upper(), - 'ttl': rdata['ttl'], - 'value': '{}.'.format(rdata['target']) - }) - elif rtype == 'mx': - if not 'server' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one server is required') - continue - - for servername in rdata['server']: - serverdata = rdata['server'][servername] - zone['records'].append({ - 'name': subnode, - 'type': rtype.upper(), - 'ttl': rdata['ttl'], - 'value': '{} {}.'.format(serverdata['priority'], servername) - }) - elif rtype == 'txt': - if not 'value' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one value is required') - continue - - for value in rdata['value']: - zone['records'].append({ - 'name': subnode, - 'type': rtype.upper(), - 'ttl': rdata['ttl'], - 'value': "\"{}\"".format(value.replace("\"", "\\\"")) - }) - elif rtype == 'spf': - if not 'value' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: value is required') - continue - - zone['records'].append({ - 'name': subnode, - 'type': rtype.upper(), - 'ttl': rdata['ttl'], - 'value': '"{}"'.format(rdata['value'].replace("\"", "\\\"")) - }) - elif rtype == 'srv': - if not 'entry' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one entry is required') - continue - - for entryno in rdata['entry']: - entrydata = rdata['entry'][entryno] - if not 'hostname' in entrydata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: hostname is required for entry {entryno}') - continue - - if not 'port' in entrydata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: port is required for entry {entryno}') - continue - - zone['records'].append({ - 'name': subnode, - 'type': rtype.upper(), - 'ttl': rdata['ttl'], - 'value': '{} {} {} {}.'.format(entrydata['priority'], entrydata['weight'], entrydata['port'], entrydata['hostname']) - }) - elif rtype == 'naptr': - if not 'rule' in rdata: - dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one rule is required') - continue - - for ruleno in rdata['rule']: - ruledata = rdata['rule'][ruleno] - flags = "" - if 'lookup-srv' in ruledata: - flags += "S" - if 'lookup-a' in ruledata: - flags += "A" - if 'resolve-uri' in ruledata: - flags += "U" - if 'protocol-specific' in ruledata: - flags += "P" - - if 'order' in ruledata: - order = ruledata['order'] - else: - order = ruleno - - if 'regexp' in ruledata: - regexp= ruledata['regexp'].replace("\"", "\\\"") - else: - regexp = '' - - if ruledata['replacement']: - replacement = '{}.'.format(ruledata['replacement']) - else: - replacement = '' - - zone['records'].append({ - 'name': subnode, - 'type': rtype.upper(), - 'ttl': rdata['ttl'], - 'value': '{} {} "{}" "{}" "{}" {}'.format(order, ruledata['preference'], flags, ruledata['service'], regexp, replacement) - }) - - dns['authoritative_zones'].append(zone) - - return dns - -def verify(dns): - # bail out early - looks like removal from running config - if not dns: - return None - - if 'listen_address' not in dns: - raise ConfigError('DNS forwarding requires a listen-address') - - if 'allow_from' not in dns: - raise ConfigError('DNS forwarding requires an allow-from network') - - # we can not use dict_search() when testing for domain servers - # as a domain will contains dot's which is out dictionary delimiter. - if 'domain' in dns: - for domain in dns['domain']: - if 'name_server' not in dns['domain'][domain]: - raise ConfigError(f'No server configured for domain {domain}!') - - if 'dns64_prefix' in dns: - dns_prefix = dns['dns64_prefix'].split('/')[1] - # RFC 6147 requires prefix /96 - if int(dns_prefix) != 96: - raise ConfigError('DNS 6to4 prefix must be of length /96') - - if ('authoritative_zone_errors' in dns) and dns['authoritative_zone_errors']: - for error in dns['authoritative_zone_errors']: - print(error) - raise ConfigError('Invalid authoritative records have been defined') - - if 'system' in dns: - if not 'system_name_server' in dns: - print('Warning: No "system name-server" configured') - - return None - -def generate(dns): - # bail out early - looks like removal from running config - if not dns: - return None - - render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', - dns, user=pdns_rec_user, group=pdns_rec_group) - - render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.j2', - dns, user=pdns_rec_user, group=pdns_rec_group) - - for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): - os.unlink(zone_filename) - - if 'authoritative_zones' in dns: - for zone in dns['authoritative_zones']: - render(zone['file'], 'dns-forwarding/recursor.zone.conf.j2', - zone, user=pdns_rec_user, group=pdns_rec_group) - - - # if vyos-hostsd didn't create its files yet, create them (empty) - for file in [pdns_rec_hostsd_lua_conf_file, pdns_rec_hostsd_zones_file]: - with open(file, 'a'): - pass - chown(file, user=pdns_rec_user, group=pdns_rec_group) - - return None - -def apply(dns): - if not dns: - # DNS forwarding is removed in the commit - call('systemctl stop pdns-recursor.service') - - if os.path.isfile(pdns_rec_config_file): - os.unlink(pdns_rec_config_file) - - for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): - os.unlink(zone_filename) - else: - ### first apply vyos-hostsd config - hc = hostsd_client() - - # add static nameservers to hostsd so they can be joined with other - # sources - hc.delete_name_servers([hostsd_tag]) - if 'name_server' in dns: - # 'name_server' is of the form - # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} - # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] - nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) - for (h, p) in dns['name_server'].items()] - hc.add_name_servers({hostsd_tag: nslist}) - - # delete all nameserver tags - hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor()) - - ## add nameserver tags - the order determines the nameserver order! - # our own tag (static) - hc.add_name_server_tags_recursor([hostsd_tag]) - - if 'system' in dns: - hc.add_name_server_tags_recursor(['system']) - else: - hc.delete_name_server_tags_recursor(['system']) - - # add dhcp nameserver tags for configured interfaces - if 'system_name_server' in dns: - for interface in dns['system_name_server']: - # system_name_server key contains both IP addresses and interface - # names (DHCP) to use DNS servers. We need to check if the - # value is an interface name - only if this is the case, add the - # interface based DNS forwarder. - if interface in interfaces(): - hc.add_name_server_tags_recursor(['dhcp-' + interface, - 'dhcpv6-' + interface ]) - - # hostsd will generate the forward-zones file - # the list and keys() are required as get returns a dict, not list - hc.delete_forward_zones(list(hc.get_forward_zones().keys())) - if 'domain' in dns: - zones = dns['domain'] - for domain in zones.keys(): - # 'name_server' is of the form - # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} - # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] - zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) - for (h, p) in zones[domain]['name_server'].items()] - hc.add_forward_zones(zones) - - # hostsd generates NTAs for the authoritative zones - # the list and keys() are required as get returns a dict, not list - hc.delete_authoritative_zones(list(hc.get_authoritative_zones())) - if 'authoritative_zones' in dns: - hc.add_authoritative_zones(list(map(lambda zone: zone['name'], dns['authoritative_zones']))) - - # call hostsd to generate forward-zones and its lua-config-file - hc.apply() - - ### finally (re)start pdns-recursor - call('systemctl restart pdns-recursor.service') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index da6724fde..acb7dfa41 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -42,9 +42,6 @@ from vyos import airbag airbag.enable() -nat_conf_script = 'nat.py' -policy_route_conf_script = 'policy-route.py' - nftables_conf = '/run/nftables.conf' sysfs_config = { diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py deleted file mode 100755 index 206f513c8..000000000 --- a/src/conf_mode/flow_accounting_conf.py +++ /dev/null @@ -1,320 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re - -from sys import exit -from ipaddress import ip_address - -from vyos.base import Warning -from vyos.config import Config -from vyos.config import config_dict_merge -from vyos.configverify import verify_vrf -from vyos.ifconfig import Section -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.process import cmd -from vyos.utils.process import run -from vyos.utils.network import is_addr_assigned -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -uacctd_conf_path = '/run/pmacct/uacctd.conf' -systemd_service = 'uacctd.service' -systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf' -nftables_nflog_table = 'raw' -nftables_nflog_chain = 'VYOS_PREROUTING_HOOK' -egress_nftables_nflog_table = 'inet mangle' -egress_nftables_nflog_chain = 'FORWARD' - -# get nftables rule dict for chain in table -def _nftables_get_nflog(chain, table): - # define list with rules - rules = [] - - # prepare regex for parsing rules - rule_pattern = '[io]ifname "(?P[\w\.\*\-]+)".*handle (?P[\d]+)' - rule_re = re.compile(rule_pattern) - - # run nftables, save output and split it by lines - nftables_command = f'nft -a list chain {table} {chain}' - tmp = cmd(nftables_command, message='Failed to get flows list') - # parse each line and add information to list - for current_rule in tmp.splitlines(): - if 'FLOW_ACCOUNTING_RULE' not in current_rule: - continue - current_rule_parsed = rule_re.search(current_rule) - if current_rule_parsed: - groups = current_rule_parsed.groupdict() - rules.append({ 'interface': groups["interface"], 'table': table, 'handle': groups["handle"] }) - - # return list with rules - return rules - -def _nftables_config(configured_ifaces, direction, length=None): - # define list of nftables commands to modify settings - nftable_commands = [] - nftables_chain = nftables_nflog_chain - nftables_table = nftables_nflog_table - - if direction == "egress": - nftables_chain = egress_nftables_nflog_chain - nftables_table = egress_nftables_nflog_table - - # prepare extended list with configured interfaces - configured_ifaces_extended = [] - for iface in configured_ifaces: - configured_ifaces_extended.append({ 'iface': iface }) - - # get currently configured interfaces with nftables rules - active_nflog_rules = _nftables_get_nflog(nftables_chain, nftables_table) - - # compare current active list with configured one and delete excessive interfaces, add missed - active_nflog_ifaces = [] - for rule in active_nflog_rules: - interface = rule['interface'] - if interface not in configured_ifaces: - table = rule['table'] - handle = rule['handle'] - nftable_commands.append(f'nft delete rule {table} {nftables_chain} handle {handle}') - else: - active_nflog_ifaces.append({ - 'iface': interface, - }) - - # do not create new rules for already configured interfaces - for iface in active_nflog_ifaces: - if iface in active_nflog_ifaces and iface in configured_ifaces_extended: - configured_ifaces_extended.remove(iface) - - # create missed rules - for iface_extended in configured_ifaces_extended: - iface = iface_extended['iface'] - iface_prefix = "o" if direction == "egress" else "i" - rule_definition = f'{iface_prefix}ifname "{iface}" counter log group 2 snaplen {length} queue-threshold 100 comment "FLOW_ACCOUNTING_RULE"' - nftable_commands.append(f'nft insert rule {nftables_table} {nftables_chain} {rule_definition}') - # Also add IPv6 ingres logging - if nftables_table == nftables_nflog_table: - nftable_commands.append(f'nft insert rule ip6 {nftables_table} {nftables_chain} {rule_definition}') - - # change nftables - for command in nftable_commands: - cmd(command, raising=ConfigError) - - -def _nftables_trigger_setup(operation: str) -> None: - """Add a dummy rule to unlock the main pmacct loop with a packet-trigger - - Args: - operation (str): 'add' or 'delete' a trigger - """ - # check if a chain exists - table_exists = False - if run('nft -snj list table ip pmacct') == 0: - table_exists = True - - if operation == 'delete' and table_exists: - nft_cmd: str = 'nft delete table ip pmacct' - cmd(nft_cmd, raising=ConfigError) - if operation == 'add' and not table_exists: - nft_cmds: list[str] = [ - 'nft add table ip pmacct', - 'nft add chain ip pmacct pmacct_out { type filter hook output priority raw - 50 \\; policy accept \\; }', - 'nft add rule ip pmacct pmacct_out oif lo ip daddr 127.0.254.0 counter log group 2 snaplen 1 queue-threshold 0 comment NFLOG_TRIGGER' - ] - for nft_cmd in nft_cmds: - cmd(nft_cmd, raising=ConfigError) - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'flow-accounting'] - if not conf.exists(base): - return None - - flow_accounting = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - # We have gathered the dict representation of the CLI, but there are - # default values which we need to conditionally update into the - # dictionary retrieved. - default_values = conf.get_config_defaults(**flow_accounting.kwargs, - recursive=True) - - # delete individual flow type defaults - should only be added if user - # sets this feature - for flow_type in ['sflow', 'netflow']: - if flow_type not in flow_accounting and flow_type in default_values: - del default_values[flow_type] - - flow_accounting = config_dict_merge(default_values, flow_accounting) - - return flow_accounting - -def verify(flow_config): - if not flow_config: - return None - - # check if at least one collector is enabled - if 'sflow' not in flow_config and 'netflow' not in flow_config and 'disable_imt' in flow_config: - raise ConfigError('You need to configure at least sFlow or NetFlow, ' \ - 'or not set "disable-imt" for flow-accounting!') - - # Check if at least one interface is configured - if 'interface' not in flow_config: - raise ConfigError('Flow accounting requires at least one interface to ' \ - 'be configured!') - - # check that all configured interfaces exists in the system - for interface in flow_config['interface']: - if interface not in Section.interfaces(): - # Changed from error to warning to allow adding dynamic interfaces - # and interface templates - Warning(f'Interface "{interface}" is not presented in the system') - - # check sFlow configuration - if 'sflow' in flow_config: - # check if at least one sFlow collector is configured - if 'server' not in flow_config['sflow']: - raise ConfigError('You need to configure at least one sFlow server!') - - # check that all sFlow collectors use the same IP protocol version - sflow_collector_ipver = None - for server in flow_config['sflow']['server']: - if sflow_collector_ipver: - if sflow_collector_ipver != ip_address(server).version: - raise ConfigError("All sFlow servers must use the same IP protocol") - else: - sflow_collector_ipver = ip_address(server).version - - # check if vrf is defined for Sflow - verify_vrf(flow_config) - sflow_vrf = None - if 'vrf' in flow_config: - sflow_vrf = flow_config['vrf'] - - # check agent-id for sFlow: we should avoid mixing IPv4 agent-id with IPv6 collectors and vice-versa - for server in flow_config['sflow']['server']: - if 'agent_address' in flow_config['sflow']: - if ip_address(server).version != ip_address(flow_config['sflow']['agent_address']).version: - raise ConfigError('IPv4 and IPv6 addresses can not be mixed in "sflow agent-address" and "sflow '\ - 'server". You need to set the same IP version for both "agent-address" and '\ - 'all sFlow servers') - - if 'agent_address' in flow_config['sflow']: - tmp = flow_config['sflow']['agent_address'] - if not is_addr_assigned(tmp, sflow_vrf): - raise ConfigError(f'Configured "sflow agent-address {tmp}" does not exist in the system!') - - # Check if configured sflow source-address exist in the system - if 'source_address' in flow_config['sflow']: - if not is_addr_assigned(flow_config['sflow']['source_address'], sflow_vrf): - tmp = flow_config['sflow']['source_address'] - raise ConfigError(f'Configured "sflow source-address {tmp}" does not exist on the system!') - - # check NetFlow configuration - if 'netflow' in flow_config: - # check if vrf is defined for netflow - netflow_vrf = None - if 'vrf' in flow_config: - netflow_vrf = flow_config['vrf'] - - # check if at least one NetFlow collector is configured if NetFlow configuration is presented - if 'server' not in flow_config['netflow']: - raise ConfigError('You need to configure at least one NetFlow server!') - - # Check if configured netflow source-address exist in the system - if 'source_address' in flow_config['netflow']: - if not is_addr_assigned(flow_config['netflow']['source_address'], netflow_vrf): - tmp = flow_config['netflow']['source_address'] - raise ConfigError(f'Configured "netflow source-address {tmp}" does not exist on the system!') - - # Check if engine-id compatible with selected protocol version - if 'engine_id' in flow_config['netflow']: - v5_filter = '^(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]):(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])$' - v9v10_filter = '^(\d|[1-9]\d{1,8}|[1-3]\d{9}|4[01]\d{8}|42[0-8]\d{7}|429[0-3]\d{6}|4294[0-8]\d{5}|42949[0-5]\d{4}|429496[0-6]\d{3}|4294967[01]\d{2}|42949672[0-8]\d|429496729[0-5])$' - engine_id = flow_config['netflow']['engine_id'] - version = flow_config['netflow']['version'] - - if flow_config['netflow']['version'] == '5': - regex_filter = re.compile(v5_filter) - if not regex_filter.search(engine_id): - raise ConfigError(f'You cannot use NetFlow engine-id "{engine_id}" '\ - f'together with NetFlow protocol version "{version}"!') - else: - regex_filter = re.compile(v9v10_filter) - if not regex_filter.search(flow_config['netflow']['engine_id']): - raise ConfigError(f'Can not use NetFlow engine-id "{engine_id}" together '\ - f'with NetFlow protocol version "{version}"!') - - # return True if all checks were passed - return True - -def generate(flow_config): - if not flow_config: - return None - - render(uacctd_conf_path, 'pmacct/uacctd.conf.j2', flow_config) - render(systemd_override, 'pmacct/override.conf.j2', flow_config) - # Reload systemd manager configuration - call('systemctl daemon-reload') - -def apply(flow_config): - # Check if flow-accounting was removed and define command - if not flow_config: - _nftables_config([], 'ingress') - _nftables_config([], 'egress') - - # Stop flow-accounting daemon and remove configuration file - call(f'systemctl stop {systemd_service}') - if os.path.exists(uacctd_conf_path): - os.unlink(uacctd_conf_path) - - # must be done after systemctl - _nftables_trigger_setup('delete') - - return - - # Start/reload flow-accounting daemon - call(f'systemctl restart {systemd_service}') - - # configure nftables rules for defined interfaces - if 'interface' in flow_config: - _nftables_config(flow_config['interface'], 'ingress', flow_config['packet_length']) - - # configure egress the same way if configured otherwise remove it - if 'enable_egress' in flow_config: - _nftables_config(flow_config['interface'], 'egress', flow_config['packet_length']) - else: - _nftables_config([], 'egress') - - # add a trigger for signal processing - _nftables_trigger_setup('add') - - -if __name__ == '__main__': - try: - config = get_config() - verify(config) - generate(config) - apply(config) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py deleted file mode 100755 index 6204cf247..000000000 --- a/src/conf_mode/host_name.py +++ /dev/null @@ -1,188 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import re -import sys -import copy - -import vyos.hostsd_client - -from vyos.base import Warning -from vyos.config import Config -from vyos.ifconfig import Section -from vyos.template import is_ip -from vyos.utils.process import cmd -from vyos.utils.process import call -from vyos.utils.process import process_named_running -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -default_config_data = { - 'hostname': 'vyos', - 'domain_name': '', - 'domain_search': [], - 'nameserver': [], - 'nameservers_dhcp_interfaces': {}, - 'static_host_mapping': {} -} - -hostsd_tag = 'system' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - hosts = copy.deepcopy(default_config_data) - - hosts['hostname'] = conf.return_value(['system', 'host-name']) - - # This may happen if the config is not loaded yet, - # e.g. if run by cloud-init - if not hosts['hostname']: - hosts['hostname'] = default_config_data['hostname'] - - if conf.exists(['system', 'domain-name']): - hosts['domain_name'] = conf.return_value(['system', 'domain-name']) - hosts['domain_search'].append(hosts['domain_name']) - - if conf.exists(['system', 'domain-search']): - for search in conf.return_values(['system', 'domain-search']): - hosts['domain_search'].append(search) - - if conf.exists(['system', 'name-server']): - for ns in conf.return_values(['system', 'name-server']): - if is_ip(ns): - hosts['nameserver'].append(ns) - else: - tmp = '' - if_type = Section.section(ns) - if conf.exists(['interfaces', if_type, ns, 'address']): - tmp = conf.return_values(['interfaces', if_type, ns, 'address']) - - hosts['nameservers_dhcp_interfaces'].update({ ns : tmp }) - - # system static-host-mapping - for hn in conf.list_nodes(['system', 'static-host-mapping', 'host-name']): - hosts['static_host_mapping'][hn] = {} - hosts['static_host_mapping'][hn]['address'] = conf.return_values(['system', 'static-host-mapping', 'host-name', hn, 'inet']) - hosts['static_host_mapping'][hn]['aliases'] = conf.return_values(['system', 'static-host-mapping', 'host-name', hn, 'alias']) - - return hosts - - -def verify(hosts): - if hosts is None: - return None - - # pattern $VAR(@) "^[[:alnum:]][-.[:alnum:]]*[[:alnum:]]$" ; "invalid host name $VAR(@)" - hostname_regex = re.compile("^[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]$") - if not hostname_regex.match(hosts['hostname']): - raise ConfigError('Invalid host name ' + hosts["hostname"]) - - # pattern $VAR(@) "^.{1,63}$" ; "invalid host-name length" - length = len(hosts['hostname']) - if length < 1 or length > 63: - raise ConfigError( - 'Invalid host-name length, must be less than 63 characters') - - all_static_host_mapping_addresses = [] - # static mappings alias hostname - for host, hostprops in hosts['static_host_mapping'].items(): - if not hostprops['address']: - raise ConfigError(f'IP address required for static-host-mapping "{host}"') - all_static_host_mapping_addresses.append(hostprops['address']) - for a in hostprops['aliases']: - if not hostname_regex.match(a) and len(a) != 0: - raise ConfigError(f'Invalid alias "{a}" in static-host-mapping "{host}"') - - for interface, interface_config in hosts['nameservers_dhcp_interfaces'].items(): - # Warnin user if interface does not have DHCP or DHCPv6 configured - if not set(interface_config).intersection(['dhcp', 'dhcpv6']): - Warning(f'"{interface}" is not a DHCP interface but uses DHCP name-server option!') - - return None - - -def generate(config): - pass - -def apply(config): - if config is None: - return None - - ## Send the updated data to vyos-hostsd - try: - hc = vyos.hostsd_client.Client() - - hc.set_host_name(config['hostname'], config['domain_name']) - - hc.delete_search_domains([hostsd_tag]) - if config['domain_search']: - hc.add_search_domains({hostsd_tag: config['domain_search']}) - - hc.delete_name_servers([hostsd_tag]) - if config['nameserver']: - hc.add_name_servers({hostsd_tag: config['nameserver']}) - - # add our own tag's (system) nameservers and search to resolv.conf - hc.delete_name_server_tags_system(hc.get_name_server_tags_system()) - hc.add_name_server_tags_system([hostsd_tag]) - - # this will add the dhcp client nameservers to resolv.conf - for intf in config['nameservers_dhcp_interfaces']: - hc.add_name_server_tags_system([f'dhcp-{intf}', f'dhcpv6-{intf}']) - - hc.delete_hosts([hostsd_tag]) - if config['static_host_mapping']: - hc.add_hosts({hostsd_tag: config['static_host_mapping']}) - - hc.apply() - except vyos.hostsd_client.VyOSHostsdError as e: - raise ConfigError(str(e)) - - ## Actually update the hostname -- vyos-hostsd doesn't do that - - # No domain name -- the Debian way. - hostname_new = config['hostname'] - - # rsyslog runs into a race condition at boot time with systemd - # restart rsyslog only if the hostname changed. - hostname_old = cmd('hostnamectl --static') - call(f'hostnamectl set-hostname --static {hostname_new}') - - # Restart services that use the hostname - if hostname_new != hostname_old: - call("systemctl restart rsyslog.service") - - # If SNMP is running, restart it too - if process_named_running('snmpd'): - call('systemctl restart snmpd.service') - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - sys.exit(1) diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py deleted file mode 100755 index 3dc5dfc01..000000000 --- a/src/conf_mode/https.py +++ /dev/null @@ -1,335 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import sys -import json - -from copy import deepcopy -from time import sleep - -import vyos.defaults -import vyos.certbot_util - -from vyos.base import Warning -from vyos.config import Config -from vyos.configdiff import get_config_diff -from vyos.configverify import verify_vrf -from vyos import ConfigError -from vyos.pki import wrap_certificate -from vyos.pki import wrap_private_key -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.process import is_systemd_service_running -from vyos.utils.process import is_systemd_service_active -from vyos.utils.network import check_port_availability -from vyos.utils.network import is_listen_port_bind_service -from vyos.utils.file import write_file - -from vyos import airbag -airbag.enable() - -config_file = '/etc/nginx/sites-available/default' -systemd_override = r'/run/systemd/system/nginx.service.d/override.conf' -cert_dir = '/etc/ssl/certs' -key_dir = '/etc/ssl/private' -certbot_dir = vyos.defaults.directories['certbot'] - -api_config_state = '/run/http-api-state' -systemd_service = '/run/systemd/system/vyos-http-api.service' - -# https config needs to coordinate several subsystems: api, certbot, -# self-signed certificate, as well as the virtual hosts defined within the -# https config definition itself. Consequently, one needs a general dict, -# encompassing the https and other configs, and a list of such virtual hosts -# (server blocks in nginx terminology) to pass to the jinja2 template. -default_server_block = { - 'id' : '', - 'address' : '*', - 'port' : '443', - 'name' : ['_'], - 'api' : False, - 'vyos_cert' : {}, - 'certbot' : False -} - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['service', 'https'] - if not conf.exists(base): - return None - - diff = get_config_diff(conf) - - https = conf.get_config_dict(base, get_first_key=True) - - if https: - https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True) - - https['children_changed'] = diff.node_changed_children(base) - https['api_add_or_delete'] = diff.node_changed_presence(base + ['api']) - - if 'api' not in https: - return https - - http_api = conf.get_config_dict(base + ['api'], key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - if http_api.from_defaults(['graphql']): - del http_api['graphql'] - - # Do we run inside a VRF context? - vrf_path = ['service', 'https', 'vrf'] - if conf.exists(vrf_path): - http_api['vrf'] = conf.return_value(vrf_path) - - https['api'] = http_api - - return https - -def verify(https): - from vyos.utils.dict import dict_search - - if https is None: - return None - - if 'certificates' in https: - certificates = https['certificates'] - - if 'certificate' in certificates: - if not https['pki']: - raise ConfigError("PKI is not configured") - - cert_name = certificates['certificate'] - - if cert_name not in https['pki']['certificate']: - raise ConfigError("Invalid certificate on https configuration") - - pki_cert = https['pki']['certificate'][cert_name] - - if 'certificate' not in pki_cert: - raise ConfigError("Missing certificate on https configuration") - - if 'private' not in pki_cert or 'key' not in pki_cert['private']: - raise ConfigError("Missing certificate private key on https configuration") - - if 'certbot' in https['certificates']: - vhost_names = [] - for _, vh_conf in https.get('virtual-host', {}).items(): - vhost_names += vh_conf.get('server-name', []) - domains = https['certificates']['certbot'].get('domain-name', []) - domains_found = [domain for domain in domains if domain in vhost_names] - if not domains_found: - raise ConfigError("At least one 'virtual-host server-name' " - "matching the 'certbot domain-name' is required.") - - server_block_list = [] - - # organize by vhosts - vhost_dict = https.get('virtual-host', {}) - - if not vhost_dict: - # no specified virtual hosts (server blocks); use default - server_block_list.append(default_server_block) - else: - for vhost in list(vhost_dict): - server_block = deepcopy(default_server_block) - data = vhost_dict.get(vhost, {}) - server_block['address'] = data.get('listen-address', '*') - server_block['port'] = data.get('port', '443') - server_block_list.append(server_block) - - for entry in server_block_list: - _address = entry.get('address') - _address = '0.0.0.0' if _address == '*' else _address - _port = entry.get('port') - proto = 'tcp' - if check_port_availability(_address, int(_port), proto) is not True and \ - not is_listen_port_bind_service(int(_port), 'nginx'): - raise ConfigError(f'"{proto}" port "{_port}" is used by another service') - - verify_vrf(https) - - # Verify API server settings, if present - if 'api' in https: - keys = dict_search('api.keys.id', https) - gql_auth_type = dict_search('api.graphql.authentication.type', https) - - # If "api graphql" is not defined and `gql_auth_type` is None, - # there's certainly no JWT auth option, and keys are required - jwt_auth = (gql_auth_type == "token") - - # Check for incomplete key configurations in every case - valid_keys_exist = False - if keys: - for k in keys: - if 'key' not in keys[k]: - raise ConfigError(f'Missing HTTPS API key string for key id "{k}"') - else: - valid_keys_exist = True - - # If only key-based methods are enabled, - # fail the commit if no valid key configurations are found - if (not valid_keys_exist) and (not jwt_auth): - raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled') - - if (not valid_keys_exist) and jwt_auth: - Warning(f'API keys are not configured: the classic (non-GraphQL) API will be unavailable.') - - return None - -def generate(https): - if https is None: - return None - - if 'api' not in https: - if os.path.exists(systemd_service): - os.unlink(systemd_service) - else: - render(systemd_service, 'https/vyos-http-api.service.j2', https['api']) - with open(api_config_state, 'w') as f: - json.dump(https['api'], f, indent=2) - - server_block_list = [] - - # organize by vhosts - - vhost_dict = https.get('virtual-host', {}) - - if not vhost_dict: - # no specified virtual hosts (server blocks); use default - server_block_list.append(default_server_block) - else: - for vhost in list(vhost_dict): - server_block = deepcopy(default_server_block) - server_block['id'] = vhost - data = vhost_dict.get(vhost, {}) - server_block['address'] = data.get('listen-address', '*') - server_block['port'] = data.get('port', '443') - name = data.get('server-name', ['_']) - server_block['name'] = name - allow_client = data.get('allow-client', {}) - server_block['allow_client'] = allow_client.get('address', []) - server_block_list.append(server_block) - - # get certificate data - - cert_dict = https.get('certificates', {}) - - if 'certificate' in cert_dict: - cert_name = cert_dict['certificate'] - pki_cert = https['pki']['certificate'][cert_name] - - cert_path = os.path.join(cert_dir, f'{cert_name}.pem') - key_path = os.path.join(key_dir, f'{cert_name}.pem') - - server_cert = str(wrap_certificate(pki_cert['certificate'])) - if 'ca-certificate' in cert_dict: - ca_cert = cert_dict['ca-certificate'] - server_cert += '\n' + str(wrap_certificate(https['pki']['ca'][ca_cert]['certificate'])) - - write_file(cert_path, server_cert) - write_file(key_path, wrap_private_key(pki_cert['private']['key'])) - - vyos_cert_data = { - 'crt': cert_path, - 'key': key_path - } - - for block in server_block_list: - block['vyos_cert'] = vyos_cert_data - - # letsencrypt certificate using certbot - - certbot = False - cert_domains = cert_dict.get('certbot', {}).get('domain-name', []) - if cert_domains: - certbot = True - for domain in cert_domains: - sub_list = vyos.certbot_util.choose_server_block(server_block_list, - domain) - if sub_list: - for sb in sub_list: - sb['certbot'] = True - sb['certbot_dir'] = certbot_dir - # certbot organizes certificates by first domain - sb['certbot_domain_dir'] = cert_domains[0] - - if 'api' in list(https): - vhost_list = https.get('api-restrict', {}).get('virtual-host', []) - if not vhost_list: - for block in server_block_list: - block['api'] = True - else: - for block in server_block_list: - if block['id'] in vhost_list: - block['api'] = True - - data = { - 'server_block_list': server_block_list, - 'certbot': certbot - } - - render(config_file, 'https/nginx.default.j2', data) - render(systemd_override, 'https/override.conf.j2', https) - return None - -def apply(https): - # Reload systemd manager configuration - call('systemctl daemon-reload') - http_api_service_name = 'vyos-http-api.service' - https_service_name = 'nginx.service' - - if https is None: - if is_systemd_service_active(f'{http_api_service_name}'): - call(f'systemctl stop {http_api_service_name}') - call(f'systemctl stop {https_service_name}') - return - - if 'api' in https['children_changed']: - if 'api' in https: - if is_systemd_service_running(f'{http_api_service_name}'): - call(f'systemctl reload {http_api_service_name}') - else: - call(f'systemctl restart {http_api_service_name}') - # Let uvicorn settle before (possibly) restarting nginx - sleep(1) - else: - if is_systemd_service_active(f'{http_api_service_name}'): - call(f'systemctl stop {http_api_service_name}') - - if (not is_systemd_service_running(f'{https_service_name}') or - https['api_add_or_delete'] or - set(https['children_changed']) - set(['api'])): - call(f'systemctl restart {https_service_name}') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - sys.exit(1) diff --git a/src/conf_mode/igmp_proxy.py b/src/conf_mode/igmp_proxy.py deleted file mode 100755 index 40db417dd..000000000 --- a/src/conf_mode/igmp_proxy.py +++ /dev/null @@ -1,113 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from netifaces import interfaces - -from vyos.base import Warning -from vyos.config import Config -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = r'/etc/igmpproxy.conf' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['protocols', 'igmp-proxy'] - igmp_proxy = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_defaults=True) - - if conf.exists(['protocols', 'igmp']): - igmp_proxy.update({'igmp_configured': ''}) - - if conf.exists(['protocols', 'pim']): - igmp_proxy.update({'pim_configured': ''}) - - return igmp_proxy - -def verify(igmp_proxy): - # bail out early - looks like removal from running config - if not igmp_proxy or 'disable' in igmp_proxy: - return None - - if 'igmp_configured' in igmp_proxy or 'pim_configured' in igmp_proxy: - raise ConfigError('Can not configure both IGMP proxy and PIM '\ - 'at the same time') - - # at least two interfaces are required, one upstream and one downstream - if 'interface' not in igmp_proxy or len(igmp_proxy['interface']) < 2: - raise ConfigError('Must define exactly one upstream and at least one ' \ - 'downstream interface!') - - upstream = 0 - for interface, config in igmp_proxy['interface'].items(): - if interface not in interfaces(): - raise ConfigError(f'Interface "{interface}" does not exist') - if dict_search('role', config) == 'upstream': - upstream += 1 - - if upstream == 0: - raise ConfigError('At least 1 upstream interface is required!') - elif upstream > 1: - raise ConfigError('Only 1 upstream interface allowed!') - - return None - -def generate(igmp_proxy): - # bail out early - looks like removal from running config - if not igmp_proxy: - return None - - # bail out early - service is disabled, but inform user - if 'disable' in igmp_proxy: - Warning('IGMP Proxy will be deactivated because it is disabled') - return None - - render(config_file, 'igmp-proxy/igmpproxy.conf.j2', igmp_proxy) - - return None - -def apply(igmp_proxy): - if not igmp_proxy or 'disable' in igmp_proxy: - # IGMP Proxy support is removed in the commit - call('systemctl stop igmpproxy.service') - if os.path.exists(config_file): - os.unlink(config_file) - else: - call('systemctl restart igmpproxy.service') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py deleted file mode 100755 index e4b248675..000000000 --- a/src/conf_mode/intel_qat.py +++ /dev/null @@ -1,106 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re - -from sys import exit - -from vyos.config import Config -from vyos.utils.process import popen -from vyos.utils.process import run -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -qat_init_script = '/etc/init.d/qat_service' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - data = {} - - if conf.exists(['system', 'acceleration', 'qat']): - data.update({'qat_enable' : ''}) - - if conf.exists(['vpn', 'ipsec']): - data.update({'ipsec' : ''}) - - if conf.exists(['interfaces', 'openvpn']): - data.update({'openvpn' : ''}) - - return data - - -def vpn_control(action, force_ipsec=False): - # XXX: Should these commands report failure? - if action == 'restore' and force_ipsec: - return run('ipsec start') - - return run(f'ipsec {action}') - - -def verify(qat): - if 'qat_enable' not in qat: - return - - # Check if QAT service installed - if not os.path.exists(qat_init_script): - raise ConfigError('QAT init script not found') - - # Check if QAT device exist - output, err = popen('lspci -nn', decode='utf-8') - if not err: - # PCI id | Chipset - # 19e2 -> C3xx - # 37c8 -> C62x - # 0435 -> DH895 - # 6f54 -> D15xx - # 18ee -> QAT_200XX - data = re.findall( - '(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)|(8086:18ee)', output) - # If QAT devices found - if not data: - raise ConfigError('No QAT acceleration device found') - -def apply(qat): - # Shutdown VPN service which can use QAT - if 'ipsec' in qat: - vpn_control('stop') - - # Enable/Disable QAT service - if 'qat_enable' in qat: - run(f'{qat_init_script} start') - else: - run(f'{qat_init_script} stop') - - # Recover VPN service - if 'ipsec' in qat: - vpn_control('start') - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - apply(c) - except ConfigError as e: - print(e) - vpn_control('restore', force_ipsec=('ipsec' in c)) - exit(1) diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py deleted file mode 100755 index 8184d8415..000000000 --- a/src/conf_mode/interfaces-bonding.py +++ /dev/null @@ -1,294 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from netifaces import interfaces -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configdict import leaf_node_changed -from vyos.configdict import is_member -from vyos.configdict import is_source_interface -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_dhcpv6 -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_source_interface -from vyos.configverify import verify_vlan_config -from vyos.configverify import verify_vrf -from vyos.ifconfig import BondIf -from vyos.ifconfig.ethernet import EthernetIf -from vyos.ifconfig import Section -from vyos.template import render_to_string -from vyos.utils.dict import dict_search -from vyos.utils.dict import dict_to_paths_values -from vyos.configdict import has_address_configured -from vyos.configdict import has_vrf_configured -from vyos.configdep import set_dependents, call_dependents -from vyos import ConfigError -from vyos import frr -from vyos import airbag -airbag.enable() - -def get_bond_mode(mode): - if mode == 'round-robin': - return 'balance-rr' - elif mode == 'active-backup': - return 'active-backup' - elif mode == 'xor-hash': - return 'balance-xor' - elif mode == 'broadcast': - return 'broadcast' - elif mode == '802.3ad': - return '802.3ad' - elif mode == 'transmit-load-balance': - return 'balance-tlb' - elif mode == 'adaptive-load-balance': - return 'balance-alb' - else: - raise ConfigError(f'invalid bond mode "{mode}"') - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'bonding'] - ifname, bond = get_interface_dict(conf, base) - - # To make our own life easier transfor the list of member interfaces - # into a dictionary - we will use this to add additional information - # later on for each member - if 'member' in bond and 'interface' in bond['member']: - # convert list of member interfaces to a dictionary - bond['member']['interface'] = {k: {} for k in bond['member']['interface']} - - if 'mode' in bond: - bond['mode'] = get_bond_mode(bond['mode']) - - tmp = is_node_changed(conf, base + [ifname, 'mode']) - if tmp: bond['shutdown_required'] = {} - - tmp = is_node_changed(conf, base + [ifname, 'lacp-rate']) - if tmp: bond['shutdown_required'] = {} - - # determine which members have been removed - interfaces_removed = leaf_node_changed(conf, base + [ifname, 'member', 'interface']) - # Reset config level to interfaces - old_level = conf.get_level() - conf.set_level(['interfaces']) - - if interfaces_removed: - bond['shutdown_required'] = {} - if 'member' not in bond: - bond['member'] = {} - - tmp = {} - for interface in interfaces_removed: - # if member is deleted from bond, add dependencies to call - # ethernet commit again in apply function - # to apply options under ethernet section - set_dependents('ethernet', conf, interface) - section = Section.section(interface) # this will be 'ethernet' for 'eth0' - if conf.exists([section, interface, 'disable']): - tmp[interface] = {'disable': ''} - else: - tmp[interface] = {} - - # also present the interfaces to be removed from the bond as dictionary - bond['member']['interface_remove'] = tmp - - # Restore existing config level - conf.set_level(old_level) - - if dict_search('member.interface', bond): - for interface, interface_config in bond['member']['interface'].items(): - - interface_ethernet_config = conf.get_config_dict( - ['interfaces', 'ethernet', interface], - key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True, - with_defaults=False, - with_recursive_defaults=False) - - interface_config['config_paths'] = dict_to_paths_values(interface_ethernet_config) - - # Check if member interface is a new member - if not conf.exists_effective(base + [ifname, 'member', 'interface', interface]): - bond['shutdown_required'] = {} - interface_config['new_added'] = {} - - # Check if member interface is disabled - conf.set_level(['interfaces']) - - section = Section.section(interface) # this will be 'ethernet' for 'eth0' - if conf.exists([section, interface, 'disable']): - interface_config['disable'] = '' - - conf.set_level(old_level) - - # Check if member interface is already member of another bridge - tmp = is_member(conf, interface, 'bridge') - if tmp: interface_config['is_bridge_member'] = tmp - - # Check if member interface is already member of a bond - tmp = is_member(conf, interface, 'bonding') - for tmp in is_member(conf, interface, 'bonding'): - if bond['ifname'] == tmp: - continue - interface_config['is_bond_member'] = tmp - - # Check if member interface is used as source-interface on another interface - tmp = is_source_interface(conf, interface) - if tmp: interface_config['is_source_interface'] = tmp - - # bond members must not have an assigned address - tmp = has_address_configured(conf, interface) - if tmp: interface_config['has_address'] = {} - - # bond members must not have a VRF attached - tmp = has_vrf_configured(conf, interface) - if tmp: interface_config['has_vrf'] = {} - return bond - - -def verify(bond): - if 'deleted' in bond: - verify_bridge_delete(bond) - return None - - if 'arp_monitor' in bond: - if 'target' in bond['arp_monitor'] and len(bond['arp_monitor']['target']) > 16: - raise ConfigError('The maximum number of arp-monitor targets is 16') - - if 'interval' in bond['arp_monitor'] and int(bond['arp_monitor']['interval']) > 0: - if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']: - raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \ - 'transmit-load-balance or adaptive-load-balance') - - if 'primary' in bond: - if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']: - raise ConfigError('Option primary - mode dependency failed, not' - 'supported in mode {mode}!'.format(**bond)) - - verify_mtu_ipv6(bond) - verify_address(bond) - verify_dhcpv6(bond) - verify_vrf(bond) - verify_mirror_redirect(bond) - - # use common function to verify VLAN configuration - verify_vlan_config(bond) - - bond_name = bond['ifname'] - if dict_search('member.interface', bond): - for interface, interface_config in bond['member']['interface'].items(): - error_msg = f'Can not add interface "{interface}" to bond, ' - - if interface == 'lo': - raise ConfigError('Loopback interface "lo" can not be added to a bond') - - if interface not in interfaces(): - raise ConfigError(error_msg + 'it does not exist!') - - if 'is_bridge_member' in interface_config: - tmp = next(iter(interface_config['is_bridge_member'])) - raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!') - - if 'is_bond_member' in interface_config: - tmp = next(iter(interface_config['is_bond_member'])) - raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!') - - if 'is_source_interface' in interface_config: - tmp = interface_config['is_source_interface'] - raise ConfigError(error_msg + f'it is the source-interface of "{tmp}"!') - - if 'has_address' in interface_config: - raise ConfigError(error_msg + 'it has an address assigned!') - - if 'has_vrf' in interface_config: - raise ConfigError(error_msg + 'it has a VRF assigned!') - - if 'new_added' in interface_config and 'config_paths' in interface_config: - for option_path, option_value in interface_config['config_paths'].items(): - if option_path in EthernetIf.get_bond_member_allowed_options() : - continue - if option_path in BondIf.get_inherit_bond_options(): - continue - raise ConfigError(error_msg + f'it has a "{option_path.replace(".", " ")}" assigned!') - - if 'primary' in bond: - if bond['primary'] not in bond['member']['interface']: - raise ConfigError(f'Primary interface of bond "{bond_name}" must be a member interface') - - if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']: - raise ConfigError('primary interface only works for mode active-backup, ' \ - 'transmit-load-balance or adaptive-load-balance') - - return None - -def generate(bond): - bond['frr_zebra_config'] = '' - if 'deleted' not in bond: - bond['frr_zebra_config'] = render_to_string('frr/evpn.mh.frr.j2', bond) - return None - -def apply(bond): - ifname = bond['ifname'] - b = BondIf(ifname) - if 'deleted' in bond: - # delete interface - b.remove() - else: - b.update(bond) - - if dict_search('member.interface_remove', bond): - try: - call_dependents() - except ConfigError: - raise ConfigError('Error in updating ethernet interface ' - 'after deleting it from bond') - - zebra_daemon = 'zebra' - # Save original configuration prior to starting any commit actions - frr_cfg = frr.FRRConfig() - - # The route-map used for the FIB (zebra) is part of the zebra daemon - frr_cfg.load_configuration(zebra_daemon) - frr_cfg.modify_section(f'^interface {ifname}', stop_pattern='^exit', remove_stop_mark=True) - if 'frr_zebra_config' in bond: - frr_cfg.add_before(frr.default_add_before, bond['frr_zebra_config']) - frr_cfg.commit_configuration(zebra_daemon) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py deleted file mode 100755 index 29991e2da..000000000 --- a/src/conf_mode/interfaces-bridge.py +++ /dev/null @@ -1,186 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import node_changed -from vyos.configdict import is_member -from vyos.configdict import is_source_interface -from vyos.configdict import has_vlan_subinterface_configured -from vyos.configverify import verify_dhcpv6 -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_vrf -from vyos.ifconfig import BridgeIf -from vyos.configdict import has_address_configured -from vyos.configdict import has_vrf_configured -from vyos.configdep import set_dependents -from vyos.configdep import call_dependents -from vyos.utils.dict import dict_search -from vyos import ConfigError - -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'bridge'] - ifname, bridge = get_interface_dict(conf, base) - - # determine which members have been removed - tmp = node_changed(conf, base + [ifname, 'member', 'interface']) - if tmp: - if 'member' in bridge: - bridge['member'].update({'interface_remove' : tmp }) - else: - bridge.update({'member' : {'interface_remove' : tmp }}) - - if dict_search('member.interface', bridge) is not None: - for interface in list(bridge['member']['interface']): - # Check if member interface is already member of another bridge - tmp = is_member(conf, interface, 'bridge') - if tmp and bridge['ifname'] not in tmp: - bridge['member']['interface'][interface].update({'is_bridge_member' : tmp}) - - # Check if member interface is already member of a bond - tmp = is_member(conf, interface, 'bonding') - if tmp: bridge['member']['interface'][interface].update({'is_bond_member' : tmp}) - - # Check if member interface is used as source-interface on another interface - tmp = is_source_interface(conf, interface) - if tmp: bridge['member']['interface'][interface].update({'is_source_interface' : tmp}) - - # Bridge members must not have an assigned address - tmp = has_address_configured(conf, interface) - if tmp: bridge['member']['interface'][interface].update({'has_address' : ''}) - - # Bridge members must not have a VRF attached - tmp = has_vrf_configured(conf, interface) - if tmp: bridge['member']['interface'][interface].update({'has_vrf' : ''}) - - # VLAN-aware bridge members must not have VLAN interface configuration - tmp = has_vlan_subinterface_configured(conf,interface) - if 'enable_vlan' in bridge and tmp: - bridge['member']['interface'][interface].update({'has_vlan' : ''}) - - # When using VXLAN member interfaces that are configured for Single - # VXLAN Device (SVD) we need to call the VXLAN conf-mode script to re-create - # VLAN to VNI mappings if required - if interface.startswith('vxlan'): - set_dependents('vxlan', conf, interface) - - # delete empty dictionary keys - no need to run code paths if nothing is there to do - if 'member' in bridge: - if 'interface' in bridge['member'] and len(bridge['member']['interface']) == 0: - del bridge['member']['interface'] - - if len(bridge['member']) == 0: - del bridge['member'] - - return bridge - -def verify(bridge): - if 'deleted' in bridge: - return None - - verify_dhcpv6(bridge) - verify_vrf(bridge) - verify_mirror_redirect(bridge) - - ifname = bridge['ifname'] - - if dict_search('member.interface', bridge): - for interface, interface_config in bridge['member']['interface'].items(): - error_msg = f'Can not add interface "{interface}" to bridge, ' - - if interface == 'lo': - raise ConfigError('Loopback interface "lo" can not be added to a bridge') - - if 'is_bridge_member' in interface_config: - tmp = next(iter(interface_config['is_bridge_member'])) - raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!') - - if 'is_bond_member' in interface_config: - tmp = next(iter(interface_config['is_bond_member'])) - raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!') - - if 'is_source_interface' in interface_config: - tmp = interface_config['is_source_interface'] - raise ConfigError(error_msg + f'it is the source-interface of "{tmp}"!') - - if 'has_address' in interface_config: - raise ConfigError(error_msg + 'it has an address assigned!') - - if 'has_vrf' in interface_config: - raise ConfigError(error_msg + 'it has a VRF assigned!') - - if 'enable_vlan' in bridge: - if 'has_vlan' in interface_config: - raise ConfigError(error_msg + 'it has VLAN subinterface(s) assigned!') - - if 'wlan' in interface: - raise ConfigError(error_msg + 'VLAN aware cannot be set!') - else: - for option in ['allowed_vlan', 'native_vlan']: - if option in interface_config: - raise ConfigError('Can not use VLAN options on non VLAN aware bridge') - - if 'enable_vlan' in bridge: - if dict_search('vif.1', bridge): - raise ConfigError(f'VLAN 1 sub interface cannot be set for VLAN aware bridge {ifname}, and VLAN 1 is always the parent interface') - else: - if dict_search('vif', bridge): - raise ConfigError(f'You must first activate "enable-vlan" of {ifname} bridge to use "vif"') - - return None - -def generate(bridge): - return None - -def apply(bridge): - br = BridgeIf(bridge['ifname']) - if 'deleted' in bridge: - # delete interface - br.remove() - else: - br.update(bridge) - - for interface in dict_search('member.interface', bridge) or []: - if interface.startswith('vxlan'): - try: - call_dependents() - except ConfigError: - raise ConfigError('Error in updating VXLAN interface after changing bridge!') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py deleted file mode 100755 index db768b94d..000000000 --- a/src/conf_mode/interfaces-dummy.py +++ /dev/null @@ -1,76 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configverify import verify_vrf -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mirror_redirect -from vyos.ifconfig import DummyIf -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'dummy'] - _, dummy = get_interface_dict(conf, base) - return dummy - -def verify(dummy): - if 'deleted' in dummy: - verify_bridge_delete(dummy) - return None - - verify_vrf(dummy) - verify_address(dummy) - verify_mirror_redirect(dummy) - - return None - -def generate(dummy): - return None - -def apply(dummy): - d = DummyIf(**dummy) - - # Remove dummy interface - if 'deleted' in dummy: - d.remove() - else: - d.update(dummy) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py deleted file mode 100755 index 7374a29f7..000000000 --- a/src/conf_mode/interfaces-ethernet.py +++ /dev/null @@ -1,400 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import pprint - -from glob import glob -from sys import exit - -from vyos.base import Warning -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configverify import verify_address -from vyos.configverify import verify_dhcpv6 -from vyos.configverify import verify_eapol -from vyos.configverify import verify_interface_exists -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_mtu -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_vlan_config -from vyos.configverify import verify_vrf -from vyos.configverify import verify_bond_bridge_member -from vyos.ethtool import Ethtool -from vyos.ifconfig import EthernetIf -from vyos.ifconfig import BondIf -from vyos.pki import find_chain -from vyos.pki import encode_certificate -from vyos.pki import load_certificate -from vyos.pki import wrap_private_key -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos.utils.dict import dict_to_paths_values -from vyos.utils.dict import dict_set -from vyos.utils.dict import dict_delete -from vyos.utils.file import write_file -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -# XXX: wpa_supplicant works on the source interface -cfg_dir = '/run/wpa_supplicant' -wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf' - -def update_bond_options(conf: Config, eth_conf: dict) -> list: - """ - Return list of blocked options if interface is a bond member - :param conf: Config object - :type conf: Config - :param eth_conf: Ethernet config dictionary - :type eth_conf: dict - :return: List of blocked options - :rtype: list - """ - blocked_list = [] - bond_name = list(eth_conf['is_bond_member'].keys())[0] - config_without_defaults = conf.get_config_dict( - ['interfaces', 'ethernet', eth_conf['ifname']], - key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True, - with_defaults=False, - with_recursive_defaults=False) - config_with_defaults = conf.get_config_dict( - ['interfaces', 'ethernet', eth_conf['ifname']], - key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True, - with_defaults=True, - with_recursive_defaults=True) - bond_config_with_defaults = conf.get_config_dict( - ['interfaces', 'bonding', bond_name], - key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True, - with_defaults=True, - with_recursive_defaults=True) - eth_dict_paths = dict_to_paths_values(config_without_defaults) - eth_path_base = ['interfaces', 'ethernet', eth_conf['ifname']] - - #if option is configured under ethernet section - for option_path, option_value in eth_dict_paths.items(): - bond_option_value = dict_search(option_path, bond_config_with_defaults) - - #If option is allowed for changing then continue - if option_path in EthernetIf.get_bond_member_allowed_options(): - continue - # if option is inherited from bond then set valued from bond interface - if option_path in BondIf.get_inherit_bond_options(): - # If option equals to bond option then do nothing - if option_value == bond_option_value: - continue - else: - # if ethernet has option and bond interface has - # then copy it from bond - if bond_option_value is not None: - if is_node_changed(conf, eth_path_base + option_path.split('.')): - Warning( - f'Cannot apply "{option_path.replace(".", " ")}" to "{option_value}".' \ - f' Interface "{eth_conf["ifname"]}" is a bond member.' \ - f' Option is inherited from bond "{bond_name}"') - dict_set(option_path, bond_option_value, eth_conf) - continue - # if ethernet has option and bond interface does not have - # then delete it form dict and do not apply it - else: - if is_node_changed(conf, eth_path_base + option_path.split('.')): - Warning( - f'Cannot apply "{option_path.replace(".", " ")}".' \ - f' Interface "{eth_conf["ifname"]}" is a bond member.' \ - f' Option is inherited from bond "{bond_name}"') - dict_delete(option_path, eth_conf) - blocked_list.append(option_path) - - # if inherited option is not configured under ethernet section but configured under bond section - for option_path in BondIf.get_inherit_bond_options(): - bond_option_value = dict_search(option_path, bond_config_with_defaults) - if bond_option_value is not None: - if option_path not in eth_dict_paths: - if is_node_changed(conf, eth_path_base + option_path.split('.')): - Warning( - f'Cannot apply "{option_path.replace(".", " ")}" to "{dict_search(option_path, config_with_defaults)}".' \ - f' Interface "{eth_conf["ifname"]}" is a bond member. ' \ - f'Option is inherited from bond "{bond_name}"') - dict_set(option_path, bond_option_value, eth_conf) - eth_conf['bond_blocked_changes'] = blocked_list - return None - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - - # This must be called prior to get_interface_dict(), as this function will - # alter the config level (config.set_level()) - pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - base = ['interfaces', 'ethernet'] - ifname, ethernet = get_interface_dict(conf, base) - if 'is_bond_member' in ethernet: - update_bond_options(conf, ethernet) - - if 'deleted' not in ethernet: - if pki: ethernet['pki'] = pki - - tmp = is_node_changed(conf, base + [ifname, 'speed']) - if tmp: ethernet.update({'speed_duplex_changed': {}}) - - tmp = is_node_changed(conf, base + [ifname, 'duplex']) - if tmp: ethernet.update({'speed_duplex_changed': {}}) - - return ethernet - - - -def verify_speed_duplex(ethernet: dict, ethtool: Ethtool): - """ - Verify speed and duplex - :param ethernet: dictionary which is received from get_interface_dict - :type ethernet: dict - :param ethtool: Ethernet object - :type ethtool: Ethtool - """ - if ((ethernet['speed'] == 'auto' and ethernet['duplex'] != 'auto') or - (ethernet['speed'] != 'auto' and ethernet['duplex'] == 'auto')): - raise ConfigError( - 'Speed/Duplex missmatch. Must be both auto or manually configured') - - if ethernet['speed'] != 'auto' and ethernet['duplex'] != 'auto': - # We need to verify if the requested speed and duplex setting is - # supported by the underlaying NIC. - speed = ethernet['speed'] - duplex = ethernet['duplex'] - if not ethtool.check_speed_duplex(speed, duplex): - raise ConfigError( - f'Adapter does not support changing speed ' \ - f'and duplex settings to: {speed}/{duplex}!') - - -def verify_flow_control(ethernet: dict, ethtool: Ethtool): - """ - Verify flow control - :param ethernet: dictionary which is received from get_interface_dict - :type ethernet: dict - :param ethtool: Ethernet object - :type ethtool: Ethtool - """ - if 'disable_flow_control' in ethernet: - if not ethtool.check_flow_control(): - raise ConfigError( - 'Adapter does not support changing flow-control settings!') - - -def verify_ring_buffer(ethernet: dict, ethtool: Ethtool): - """ - Verify ring buffer - :param ethernet: dictionary which is received from get_interface_dict - :type ethernet: dict - :param ethtool: Ethernet object - :type ethtool: Ethtool - """ - if 'ring_buffer' in ethernet: - max_rx = ethtool.get_ring_buffer_max('rx') - if not max_rx: - raise ConfigError( - 'Driver does not support RX ring-buffer configuration!') - - max_tx = ethtool.get_ring_buffer_max('tx') - if not max_tx: - raise ConfigError( - 'Driver does not support TX ring-buffer configuration!') - - rx = dict_search('ring_buffer.rx', ethernet) - if rx and int(rx) > int(max_rx): - raise ConfigError(f'Driver only supports a maximum RX ring-buffer ' \ - f'size of "{max_rx}" bytes!') - - tx = dict_search('ring_buffer.tx', ethernet) - if tx and int(tx) > int(max_tx): - raise ConfigError(f'Driver only supports a maximum TX ring-buffer ' \ - f'size of "{max_tx}" bytes!') - - -def verify_offload(ethernet: dict, ethtool: Ethtool): - """ - Verify offloading capabilities - :param ethernet: dictionary which is received from get_interface_dict - :type ethernet: dict - :param ethtool: Ethernet object - :type ethtool: Ethtool - """ - if dict_search('offload.rps', ethernet) != None: - if not os.path.exists(f'/sys/class/net/{ethernet["ifname"]}/queues/rx-0/rps_cpus'): - raise ConfigError('Interface does not suport RPS!') - driver = ethtool.get_driver_name() - # T3342 - Xen driver requires special treatment - if driver == 'vif': - if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None: - raise ConfigError('Xen netback drivers requires scatter-gatter offloading '\ - 'for MTU size larger then 1500 bytes') - - -def verify_allowedbond_changes(ethernet: dict): - """ - Verify changed options if interface is in bonding - :param ethernet: dictionary which is received from get_interface_dict - :type ethernet: dict - """ - if 'bond_blocked_changes' in ethernet: - for option in ethernet['bond_blocked_changes']: - raise ConfigError(f'Cannot configure "{option.replace(".", " ")}"' \ - f' on interface "{ethernet["ifname"]}".' \ - f' Interface is a bond member') - - -def verify(ethernet): - if 'deleted' in ethernet: - return None - if 'is_bond_member' in ethernet: - verify_bond_member(ethernet) - else: - verify_ethernet(ethernet) - - -def verify_bond_member(ethernet): - """ - Verification function for ethernet interface which is in bonding - :param ethernet: dictionary which is received from get_interface_dict - :type ethernet: dict - """ - ifname = ethernet['ifname'] - verify_interface_exists(ifname) - verify_eapol(ethernet) - verify_mirror_redirect(ethernet) - ethtool = Ethtool(ifname) - verify_speed_duplex(ethernet, ethtool) - verify_flow_control(ethernet, ethtool) - verify_ring_buffer(ethernet, ethtool) - verify_offload(ethernet, ethtool) - verify_allowedbond_changes(ethernet) - -def verify_ethernet(ethernet): - """ - Verification function for simple ethernet interface - :param ethernet: dictionary which is received from get_interface_dict - :type ethernet: dict - """ - ifname = ethernet['ifname'] - verify_interface_exists(ifname) - verify_mtu(ethernet) - verify_mtu_ipv6(ethernet) - verify_dhcpv6(ethernet) - verify_address(ethernet) - verify_vrf(ethernet) - verify_bond_bridge_member(ethernet) - verify_eapol(ethernet) - verify_mirror_redirect(ethernet) - ethtool = Ethtool(ifname) - # No need to check speed and duplex keys as both have default values. - verify_speed_duplex(ethernet, ethtool) - verify_flow_control(ethernet, ethtool) - verify_ring_buffer(ethernet, ethtool) - verify_offload(ethernet, ethtool) - # use common function to verify VLAN configuration - verify_vlan_config(ethernet) - return None - - -def generate(ethernet): - # render real configuration file once - wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet) - - if 'deleted' in ethernet: - # delete configuration on interface removal - if os.path.isfile(wpa_supplicant_conf): - os.unlink(wpa_supplicant_conf) - return None - - if 'eapol' in ethernet: - ifname = ethernet['ifname'] - - render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet) - - cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem') - cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key') - - cert_name = ethernet['eapol']['certificate'] - pki_cert = ethernet['pki']['certificate'][cert_name] - - loaded_pki_cert = load_certificate(pki_cert['certificate']) - loaded_ca_certs = {load_certificate(c['certificate']) - for c in ethernet['pki']['ca'].values()} if 'ca' in ethernet['pki'] else {} - - cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs) - - write_file(cert_file_path, - '\n'.join(encode_certificate(c) for c in cert_full_chain)) - write_file(cert_key_path, wrap_private_key(pki_cert['private']['key'])) - - if 'ca_certificate' in ethernet['eapol']: - ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem') - ca_chains = [] - - for ca_cert_name in ethernet['eapol']['ca_certificate']: - pki_ca_cert = ethernet['pki']['ca'][ca_cert_name] - loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) - ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) - ca_chains.append( - '\n'.join(encode_certificate(c) for c in ca_full_chain)) - - write_file(ca_cert_file_path, '\n'.join(ca_chains)) - - return None - -def apply(ethernet): - ifname = ethernet['ifname'] - # take care about EAPoL supplicant daemon - eapol_action='stop' - - e = EthernetIf(ifname) - if 'deleted' in ethernet: - # delete interface - e.remove() - else: - e.update(ethernet) - if 'eapol' in ethernet: - eapol_action='reload-or-restart' - - call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py deleted file mode 100755 index f6694ddde..000000000 --- a/src/conf_mode/interfaces-geneve.py +++ /dev/null @@ -1,102 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit -from netifaces import interfaces - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configverify import verify_address -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import GeneveIf -from vyos import ConfigError - -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'geneve'] - ifname, geneve = get_interface_dict(conf, base) - - # GENEVE interfaces are picky and require recreation if certain parameters - # change. But a GENEVE interface should - of course - not be re-created if - # it's description or IP address is adjusted. Feels somehow logic doesn't it? - for cli_option in ['remote', 'vni', 'parameters']: - if is_node_changed(conf, base + [ifname, cli_option]): - geneve.update({'rebuild_required': {}}) - - return geneve - -def verify(geneve): - if 'deleted' in geneve: - verify_bridge_delete(geneve) - return None - - verify_mtu_ipv6(geneve) - verify_address(geneve) - verify_bond_bridge_member(geneve) - verify_mirror_redirect(geneve) - - if 'remote' not in geneve: - raise ConfigError('Remote side must be configured') - - if 'vni' not in geneve: - raise ConfigError('VNI must be configured') - - return None - - -def generate(geneve): - return None - -def apply(geneve): - # Check if GENEVE interface already exists - if 'rebuild_required' in geneve or 'delete' in geneve: - if geneve['ifname'] in interfaces(): - g = GeneveIf(geneve['ifname']) - # GENEVE is super picky and the tunnel always needs to be recreated, - # thus we can simply always delete it first. - g.remove() - - if 'deleted' not in geneve: - # Finally create the new interface - g = GeneveIf(**geneve) - g.update(geneve) - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-input.py b/src/conf_mode/interfaces-input.py deleted file mode 100755 index ad248843d..000000000 --- a/src/conf_mode/interfaces-input.py +++ /dev/null @@ -1,70 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configverify import verify_mirror_redirect -from vyos.ifconfig import InputIf -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at - least the interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'input'] - _, ifb = get_interface_dict(conf, base) - - return ifb - -def verify(ifb): - if 'deleted' in ifb: - return None - - verify_mirror_redirect(ifb) - return None - -def generate(ifb): - return None - -def apply(ifb): - d = InputIf(ifb['ifname']) - - # Remove input interface - if 'deleted' in ifb: - d.remove() - else: - d.update(ifb) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py deleted file mode 100755 index e1db3206e..000000000 --- a/src/conf_mode/interfaces-l2tpv3.py +++ /dev/null @@ -1,112 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from netifaces import interfaces - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import leaf_node_changed -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import L2TPv3If -from vyos.utils.kernel import check_kmod -from vyos.utils.network import is_addr_assigned -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -k_mod = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'l2tpv3'] - ifname, l2tpv3 = get_interface_dict(conf, base) - - # To delete an l2tpv3 interface we need the current tunnel and session-id - if 'deleted' in l2tpv3: - tmp = leaf_node_changed(conf, base + [ifname, 'tunnel-id']) - # leaf_node_changed() returns a list - l2tpv3.update({'tunnel_id': tmp[0]}) - - tmp = leaf_node_changed(conf, base + [ifname, 'session-id']) - l2tpv3.update({'session_id': tmp[0]}) - - return l2tpv3 - -def verify(l2tpv3): - if 'deleted' in l2tpv3: - verify_bridge_delete(l2tpv3) - return None - - interface = l2tpv3['ifname'] - - for key in ['source_address', 'remote', 'tunnel_id', 'peer_tunnel_id', - 'session_id', 'peer_session_id']: - if key not in l2tpv3: - tmp = key.replace('_', '-') - raise ConfigError(f'Missing mandatory L2TPv3 option: "{tmp}"!') - - if not is_addr_assigned(l2tpv3['source_address']): - raise ConfigError('L2TPv3 source-address address "{source_address}" ' - 'not configured on any interface!'.format(**l2tpv3)) - - verify_mtu_ipv6(l2tpv3) - verify_address(l2tpv3) - verify_bond_bridge_member(l2tpv3) - verify_mirror_redirect(l2tpv3) - return None - -def generate(l2tpv3): - return None - -def apply(l2tpv3): - # Check if L2TPv3 interface already exists - if l2tpv3['ifname'] in interfaces(): - # L2TPv3 is picky when changing tunnels/sessions, thus we can simply - # always delete it first. - l = L2TPv3If(**l2tpv3) - l.remove() - - if 'deleted' not in l2tpv3: - # Finally create the new interface - l = L2TPv3If(**l2tpv3) - l.update(l2tpv3) - - return None - -if __name__ == '__main__': - try: - check_kmod(k_mod) - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py deleted file mode 100755 index 08d34477a..000000000 --- a/src/conf_mode/interfaces-loopback.py +++ /dev/null @@ -1,66 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configverify import verify_mirror_redirect -from vyos.ifconfig import LoopbackIf -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'loopback'] - _, loopback = get_interface_dict(conf, base) - return loopback - -def verify(loopback): - verify_mirror_redirect(loopback) - return None - -def generate(loopback): - return None - -def apply(loopback): - l = LoopbackIf(**loopback) - if 'deleted' in loopback: - l.remove() - else: - l.update(loopback) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py deleted file mode 100755 index 0a927ac88..000000000 --- a/src/conf_mode/interfaces-macsec.py +++ /dev/null @@ -1,207 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from netifaces import interfaces -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configdict import is_source_interface -from vyos.configverify import verify_vrf -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_source_interface -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import MACsecIf -from vyos.ifconfig import Interface -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos.utils.process import is_systemd_service_running -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -# XXX: wpa_supplicant works on the source interface -wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf' - -# Constants -## gcm-aes-128 requires a 128bit long key - 32 characters (string) = 16byte = 128bit -GCM_AES_128_LEN: int = 32 -GCM_128_KEY_ERROR = 'gcm-aes-128 requires a 128bit long key!' -## gcm-aes-256 requires a 256bit long key - 64 characters (string) = 32byte = 256bit -GCM_AES_256_LEN: int = 64 -GCM_256_KEY_ERROR = 'gcm-aes-256 requires a 256bit long key!' - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'macsec'] - ifname, macsec = get_interface_dict(conf, base) - - # Check if interface has been removed - if 'deleted' in macsec: - source_interface = conf.return_effective_value(base + [ifname, 'source-interface']) - macsec.update({'source_interface': source_interface}) - - if is_node_changed(conf, base + [ifname, 'security']): - macsec.update({'shutdown_required': {}}) - - if is_node_changed(conf, base + [ifname, 'source_interface']): - macsec.update({'shutdown_required': {}}) - - if 'source_interface' in macsec: - tmp = is_source_interface(conf, macsec['source_interface'], ['macsec', 'pseudo-ethernet']) - if tmp and tmp != ifname: macsec.update({'is_source_interface' : tmp}) - - return macsec - - -def verify(macsec): - if 'deleted' in macsec: - verify_bridge_delete(macsec) - return None - - verify_source_interface(macsec) - verify_vrf(macsec) - verify_mtu_ipv6(macsec) - verify_address(macsec) - verify_bond_bridge_member(macsec) - verify_mirror_redirect(macsec) - - if dict_search('security.cipher', macsec) == None: - raise ConfigError('Cipher suite must be set for MACsec "{ifname}"'.format(**macsec)) - - if dict_search('security.encrypt', macsec) != None: - # Check that only static or MKA config is present - if dict_search('security.static', macsec) != None and (dict_search('security.mka.cak', macsec) != None or dict_search('security.mka.ckn', macsec) != None): - raise ConfigError('Only static or MKA can be used!') - - # Logic to check static configuration - if dict_search('security.static', macsec) != None: - # tx-key must be defined - if dict_search('security.static.key', macsec) == None: - raise ConfigError('Static MACsec tx-key must be defined.') - - tx_len = len(dict_search('security.static.key', macsec)) - - if dict_search('security.cipher', macsec) == 'gcm-aes-128' and tx_len != GCM_AES_128_LEN: - raise ConfigError(GCM_128_KEY_ERROR) - - if dict_search('security.cipher', macsec) == 'gcm-aes-256' and tx_len != GCM_AES_256_LEN: - raise ConfigError(GCM_256_KEY_ERROR) - - # Make sure at least one peer is defined - if 'peer' not in macsec['security']['static']: - raise ConfigError('Must have at least one peer defined for static MACsec') - - # For every enabled peer, make sure a MAC and rx-key is defined - for peer, peer_config in macsec['security']['static']['peer'].items(): - if 'disable' not in peer_config and ('mac' not in peer_config or 'key' not in peer_config): - raise ConfigError('Every enabled MACsec static peer must have a MAC address and rx-key defined.') - - # check rx-key length against cipher suite - rx_len = len(peer_config['key']) - - if dict_search('security.cipher', macsec) == 'gcm-aes-128' and rx_len != GCM_AES_128_LEN: - raise ConfigError(GCM_128_KEY_ERROR) - - if dict_search('security.cipher', macsec) == 'gcm-aes-256' and rx_len != GCM_AES_256_LEN: - raise ConfigError(GCM_256_KEY_ERROR) - - # Logic to check MKA configuration - else: - if dict_search('security.mka.cak', macsec) == None or dict_search('security.mka.ckn', macsec) == None: - raise ConfigError('Missing mandatory MACsec security keys as encryption is enabled!') - - cak_len = len(dict_search('security.mka.cak', macsec)) - - if dict_search('security.cipher', macsec) == 'gcm-aes-128' and cak_len != GCM_AES_128_LEN: - raise ConfigError(GCM_128_KEY_ERROR) - - elif dict_search('security.cipher', macsec) == 'gcm-aes-256' and cak_len != GCM_AES_256_LEN: - raise ConfigError(GCM_256_KEY_ERROR) - - if 'source_interface' in macsec: - # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad - # and 802.1q) - we need to check the underlaying MTU if our configured - # MTU is at least 40 bytes less then the MTU of our physical interface. - lower_mtu = Interface(macsec['source_interface']).get_mtu() - if lower_mtu < (int(macsec['mtu']) + 40): - raise ConfigError('MACsec overhead does not fit into underlaying device MTU,\n' \ - f'{lower_mtu} bytes is too small!') - - return None - - -def generate(macsec): - # Only generate wpa_supplicant config if using MKA - if dict_search('security.mka.cak', macsec): - render(wpa_suppl_conf.format(**macsec), 'macsec/wpa_supplicant.conf.j2', macsec) - return None - - -def apply(macsec): - systemd_service = 'wpa_supplicant-macsec@{source_interface}'.format(**macsec) - - # Remove macsec interface on deletion or mandatory parameter change - if 'deleted' in macsec or 'shutdown_required' in macsec: - call(f'systemctl stop {systemd_service}') - - if macsec['ifname'] in interfaces(): - tmp = MACsecIf(macsec['ifname']) - tmp.remove() - - if 'deleted' in macsec: - # delete configuration on interface removal - if os.path.isfile(wpa_suppl_conf.format(**macsec)): - os.unlink(wpa_suppl_conf.format(**macsec)) - - return None - - # It is safe to "re-create" the interface always, there is a sanity - # check that the interface will only be create if its non existent - i = MACsecIf(**macsec) - i.update(macsec) - - # Only reload/restart if using MKA - if dict_search('security.mka.cak', macsec): - if not is_systemd_service_running(systemd_service) or 'shutdown_required' in macsec: - call(f'systemctl reload-or-restart {systemd_service}') - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py deleted file mode 100755 index bdeb44837..000000000 --- a/src/conf_mode/interfaces-openvpn.py +++ /dev/null @@ -1,732 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re -import tempfile - -from cryptography.hazmat.primitives.asymmetric import ec -from glob import glob -from sys import exit -from ipaddress import IPv4Address -from ipaddress import IPv4Network -from ipaddress import IPv6Address -from ipaddress import IPv6Network -from ipaddress import summarize_address_range -from netifaces import interfaces -from secrets import SystemRandom -from shutil import rmtree - -from vyos.base import DeprecationWarning -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configverify import verify_vrf -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import VTunIf -from vyos.pki import load_dh_parameters -from vyos.pki import load_private_key -from vyos.pki import sort_ca_chain -from vyos.pki import verify_ca_chain -from vyos.pki import wrap_certificate -from vyos.pki import wrap_crl -from vyos.pki import wrap_dh_parameters -from vyos.pki import wrap_openvpn_key -from vyos.pki import wrap_private_key -from vyos.template import render -from vyos.template import is_ipv4 -from vyos.template import is_ipv6 -from vyos.utils.dict import dict_search -from vyos.utils.dict import dict_search_args -from vyos.utils.list import is_list_equal -from vyos.utils.file import makedir -from vyos.utils.file import read_file -from vyos.utils.file import write_file -from vyos.utils.kernel import check_kmod -from vyos.utils.kernel import unload_kmod -from vyos.utils.process import call -from vyos.utils.permission import chown -from vyos.utils.process import cmd -from vyos.utils.network import is_addr_assigned - -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -user = 'openvpn' -group = 'openvpn' - -cfg_dir = '/run/openvpn' -cfg_file = '/run/openvpn/{ifname}.conf' -otp_path = '/config/auth/openvpn' -otp_file = '/config/auth/openvpn/{ifname}-otp-secrets' -secret_chars = list('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567') -service_file = '/run/systemd/system/openvpn@{ifname}.service.d/20-override.conf' - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'openvpn'] - - ifname, openvpn = get_interface_dict(conf, base) - openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn) - - if 'deleted' in openvpn: - return openvpn - - openvpn['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) - - if is_node_changed(conf, base + [ifname, 'openvpn-option']): - openvpn.update({'restart_required': {}}) - if is_node_changed(conf, base + [ifname, 'enable-dco']): - openvpn.update({'restart_required': {}}) - - # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' - # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. - tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True) - - # We have to cleanup the config dict, as default values could enable features - # which are not explicitly enabled on the CLI. Example: server mfa totp - # originate comes with defaults, which will enable the - # totp plugin, even when not set via CLI so we - # need to check this first and drop those keys - if dict_search('server.mfa.totp', tmp) == None: - del openvpn['server']['mfa'] - - # OpenVPN Data-Channel-Offload (DCO) is a Kernel module. If loaded it applies to all - # OpenVPN interfaces. Check if DCO is used by any other interface instance. - tmp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - for interface, interface_config in tmp.items(): - # If one interface has DCO configured, enable it. No need to further check - # all other OpenVPN interfaces. We must use a dedicated key to indicate - # the Kernel module must be loaded or not. The per interface "offload.dco" - # key is required per OpenVPN interface instance. - if dict_search('offload.dco', interface_config) != None: - openvpn['module_load_dco'] = {} - break - - return openvpn - -def is_ec_private_key(pki, cert_name): - if not pki or 'certificate' not in pki: - return False - if cert_name not in pki['certificate']: - return False - - pki_cert = pki['certificate'][cert_name] - if 'private' not in pki_cert or 'key' not in pki_cert['private']: - return False - - key = load_private_key(pki_cert['private']['key']) - return isinstance(key, ec.EllipticCurvePrivateKey) - -def verify_pki(openvpn): - pki = openvpn['pki'] - interface = openvpn['ifname'] - mode = openvpn['mode'] - shared_secret_key = dict_search_args(openvpn, 'shared_secret_key') - tls = dict_search_args(openvpn, 'tls') - - if not bool(shared_secret_key) ^ bool(tls): # xor check if only one is set - raise ConfigError('Must specify only one of "shared-secret-key" and "tls"') - - if mode in ['server', 'client'] and not tls: - raise ConfigError('Must specify "tls" for server and client modes') - - if not pki: - raise ConfigError('PKI is not configured') - - if shared_secret_key: - if not dict_search_args(pki, 'openvpn', 'shared_secret'): - raise ConfigError('There are no openvpn shared-secrets in PKI configuration') - - if shared_secret_key not in pki['openvpn']['shared_secret']: - raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') - - # If PSK settings are correct, warn about its deprecation - DeprecationWarning("OpenVPN shared-secret support will be removed in future VyOS versions.\n\ - Please migrate your site-to-site tunnels to TLS.\n\ - You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.") - - if tls: - if (mode in ['server', 'client']) and ('ca_certificate' not in tls): - raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\ - it is required in server and client modes') - else: - if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls): - raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\ - on openvpn interface {interface} in site-to-site mode') - - if 'ca_certificate' in tls: - for ca_name in tls['ca_certificate']: - if ca_name not in pki['ca']: - raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}') - - if len(tls['ca_certificate']) > 1: - sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca']) - if not verify_ca_chain(sorted_chain, pki['ca']): - raise ConfigError(f'CA certificates are not a valid chain') - - if mode != 'client' and 'auth_key' not in tls: - if 'certificate' not in tls: - raise ConfigError(f'Missing "tls certificate" on openvpn interface {interface}') - - if 'certificate' in tls: - if tls['certificate'] not in pki['certificate']: - raise ConfigError(f'Invalid certificate on openvpn interface {interface}') - - if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected') is not None: - raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}') - - if 'dh_params' in tls: - pki_dh = pki['dh'][tls['dh_params']] - dh_params = load_dh_parameters(pki_dh['parameters']) - dh_numbers = dh_params.parameter_numbers() - dh_bits = dh_numbers.p.bit_length() - - if dh_bits < 2048: - raise ConfigError(f'Minimum DH key-size is 2048 bits') - - - if 'auth_key' in tls or 'crypt_key' in tls: - if not dict_search_args(pki, 'openvpn', 'shared_secret'): - raise ConfigError('There are no openvpn shared-secrets in PKI configuration') - - if 'auth_key' in tls: - if tls['auth_key'] not in pki['openvpn']['shared_secret']: - raise ConfigError(f'Invalid auth-key on openvpn interface {interface}') - - if 'crypt_key' in tls: - if tls['crypt_key'] not in pki['openvpn']['shared_secret']: - raise ConfigError(f'Invalid crypt-key on openvpn interface {interface}') - -def verify(openvpn): - if 'deleted' in openvpn: - # remove totp secrets file if totp is not configured - if os.path.isfile(otp_file.format(**openvpn)): - os.remove(otp_file.format(**openvpn)) - - verify_bridge_delete(openvpn) - return None - - if 'mode' not in openvpn: - raise ConfigError('Must specify OpenVPN operation mode!') - - # - # OpenVPN client mode - VERIFY - # - if openvpn['mode'] == 'client': - if 'local_port' in openvpn: - raise ConfigError('Cannot specify "local-port" in client mode') - - if 'local_host' in openvpn: - raise ConfigError('Cannot specify "local-host" in client mode') - - if 'remote_host' not in openvpn: - raise ConfigError('Must specify "remote-host" in client mode') - - if openvpn['protocol'] == 'tcp-passive': - raise ConfigError('Protocol "tcp-passive" is not valid in client mode') - - if dict_search('tls.dh_params', openvpn): - raise ConfigError('Cannot specify "tls dh-params" in client mode') - - # - # OpenVPN site-to-site - VERIFY - # - elif openvpn['mode'] == 'site-to-site': - if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn: - raise ConfigError('Must specify "local-address" or add interface to bridge') - - if 'local_address' in openvpn: - if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1: - raise ConfigError('Only one IPv4 local-address can be specified') - - if len([addr for addr in openvpn['local_address'] if is_ipv6(addr)]) > 1: - raise ConfigError('Only one IPv6 local-address can be specified') - - if openvpn['device_type'] == 'tun': - if 'remote_address' not in openvpn: - raise ConfigError('Must specify "remote-address"') - - if 'remote_address' in openvpn: - if len([addr for addr in openvpn['remote_address'] if is_ipv4(addr)]) > 1: - raise ConfigError('Only one IPv4 remote-address can be specified') - - if len([addr for addr in openvpn['remote_address'] if is_ipv6(addr)]) > 1: - raise ConfigError('Only one IPv6 remote-address can be specified') - - if not 'local_address' in openvpn: - raise ConfigError('"remote-address" requires "local-address"') - - v4loAddr = [addr for addr in openvpn['local_address'] if is_ipv4(addr)] - v4remAddr = [addr for addr in openvpn['remote_address'] if is_ipv4(addr)] - if v4loAddr and not v4remAddr: - raise ConfigError('IPv4 "local-address" requires IPv4 "remote-address"') - elif v4remAddr and not v4loAddr: - raise ConfigError('IPv4 "remote-address" requires IPv4 "local-address"') - - v6remAddr = [addr for addr in openvpn['remote_address'] if is_ipv6(addr)] - v6loAddr = [addr for addr in openvpn['local_address'] if is_ipv6(addr)] - if v6loAddr and not v6remAddr: - raise ConfigError('IPv6 "local-address" requires IPv6 "remote-address"') - elif v6remAddr and not v6loAddr: - raise ConfigError('IPv6 "remote-address" requires IPv6 "local-address"') - - if is_list_equal(v4loAddr, v4remAddr) or is_list_equal(v6loAddr, v6remAddr): - raise ConfigError('"local-address" and "remote-address" cannot be the same') - - if dict_search('local_host', openvpn) in dict_search('local_address', openvpn): - raise ConfigError('"local-address" cannot be the same as "local-host"') - - if dict_search('remote_host', openvpn) in dict_search('remote_address', openvpn): - raise ConfigError('"remote-address" and "remote-host" can not be the same') - - if openvpn['device_type'] == 'tap' and 'local_address' in openvpn: - # we can only have one local_address, this is ensured above - v4addr = None - for laddr in openvpn['local_address']: - if is_ipv4(laddr): - v4addr = laddr - break - - if v4addr in openvpn['local_address'] and 'subnet_mask' not in openvpn['local_address'][v4addr]: - raise ConfigError('Must specify IPv4 "subnet-mask" for local-address') - - if dict_search('encryption.ncp_ciphers', openvpn): - raise ConfigError('NCP ciphers can only be used in client or server mode') - - else: - # checks for client-server or site-to-site bridged - if 'local_address' in openvpn or 'remote_address' in openvpn: - raise ConfigError('Cannot specify "local-address" or "remote-address" ' \ - 'in client/server or bridge mode') - - # - # OpenVPN server mode - VERIFY - # - if openvpn['mode'] == 'server': - if openvpn['protocol'] == 'tcp-active': - raise ConfigError('Protocol "tcp-active" is not valid in server mode') - - if dict_search('authentication.username', openvpn) or dict_search('authentication.password', openvpn): - raise ConfigError('Cannot specify "authentication" in server mode') - - if 'remote_port' in openvpn: - raise ConfigError('Cannot specify "remote-port" in server mode') - - if 'remote_host' in openvpn: - raise ConfigError('Cannot specify "remote-host" in server mode') - - tmp = dict_search('server.subnet', openvpn) - if tmp: - v4_subnets = len([subnet for subnet in tmp if is_ipv4(subnet)]) - v6_subnets = len([subnet for subnet in tmp if is_ipv6(subnet)]) - if v4_subnets > 1: - raise ConfigError('Cannot specify more than 1 IPv4 server subnet') - if v6_subnets > 1: - raise ConfigError('Cannot specify more than 1 IPv6 server subnet') - - for subnet in tmp: - if is_ipv4(subnet): - subnet = IPv4Network(subnet) - - if openvpn['device_type'] == 'tun' and subnet.prefixlen > 29: - raise ConfigError('Server subnets smaller than /29 with device type "tun" are not supported') - elif openvpn['device_type'] == 'tap' and subnet.prefixlen > 30: - raise ConfigError('Server subnets smaller than /30 with device type "tap" are not supported') - - for client in (dict_search('client', openvpn) or []): - if client['ip'] and not IPv4Address(client['ip'][0]) in subnet: - raise ConfigError(f'Client "{client["name"]}" IP {client["ip"][0]} not in server subnet {subnet}') - - else: - if 'is_bridge_member' not in openvpn: - raise ConfigError('Must specify "server subnet" or add interface to bridge in server mode') - - if hasattr(dict_search('server.client', openvpn), '__iter__'): - for client_k, client_v in dict_search('server.client', openvpn).items(): - if (client_v.get('ip') and len(client_v['ip']) > 1) or (client_v.get('ipv6_ip') and len(client_v['ipv6_ip']) > 1): - raise ConfigError(f'Server client "{client_k}": cannot specify more than 1 IPv4 and 1 IPv6 IP') - - if dict_search('server.client_ip_pool', openvpn): - if not (dict_search('server.client_ip_pool.start', openvpn) and dict_search('server.client_ip_pool.stop', openvpn)): - raise ConfigError('Server client-ip-pool requires both start and stop addresses') - else: - v4PoolStart = IPv4Address(dict_search('server.client_ip_pool.start', openvpn)) - v4PoolStop = IPv4Address(dict_search('server.client_ip_pool.stop', openvpn)) - if v4PoolStart > v4PoolStop: - raise ConfigError(f'Server client-ip-pool start address {v4PoolStart} is larger than stop address {v4PoolStop}') - - v4PoolSize = int(v4PoolStop) - int(v4PoolStart) - if v4PoolSize >= 65536: - raise ConfigError(f'Server client-ip-pool is too large [{v4PoolStart} -> {v4PoolStop} = {v4PoolSize}], maximum is 65536 addresses.') - - v4PoolNets = list(summarize_address_range(v4PoolStart, v4PoolStop)) - for client in (dict_search('client', openvpn) or []): - if client['ip']: - for v4PoolNet in v4PoolNets: - if IPv4Address(client['ip'][0]) in v4PoolNet: - print(f'Warning: Client "{client["name"]}" IP {client["ip"][0]} is in server IP pool, it is not reserved for this client.') - # configuring a client_ip_pool will set 'server ... nopool' which is currently incompatible with 'server-ipv6' (probably to be fixed upstream) - for subnet in (dict_search('server.subnet', openvpn) or []): - if is_ipv6(subnet): - raise ConfigError(f'Setting client-ip-pool is incompatible having an IPv6 server subnet.') - - for subnet in (dict_search('server.subnet', openvpn) or []): - if is_ipv6(subnet): - tmp = dict_search('client_ipv6_pool.base', openvpn) - if tmp: - if not dict_search('server.client_ip_pool', openvpn): - raise ConfigError('IPv6 server pool requires an IPv4 server pool') - - if int(tmp.split('/')[1]) >= 112: - raise ConfigError('IPv6 server pool must be larger than /112') - - # - # todo - weird logic - # - v6PoolStart = IPv6Address(tmp) - v6PoolStop = IPv6Network((v6PoolStart, openvpn['server_ipv6_pool_prefixlen']), strict=False)[-1] # don't remove the parentheses, it's a 2-tuple - v6PoolSize = int(v6PoolStop) - int(v6PoolStart) if int(openvpn['server_ipv6_pool_prefixlen']) > 96 else 65536 - if v6PoolSize < v4PoolSize: - raise ConfigError(f'IPv6 server pool must be at least as large as the IPv4 pool (current sizes: IPv6={v6PoolSize} IPv4={v4PoolSize})') - - v6PoolNets = list(summarize_address_range(v6PoolStart, v6PoolStop)) - for client in (dict_search('client', openvpn) or []): - if client['ipv6_ip']: - for v6PoolNet in v6PoolNets: - if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet: - print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.') - - # add mfa users to the file the mfa plugin uses - if dict_search('server.mfa.totp', openvpn): - user_data = '' - if not os.path.isfile(otp_file.format(**openvpn)): - write_file(otp_file.format(**openvpn), user_data, - user=user, group=group, mode=0o644) - - ovpn_users = read_file(otp_file.format(**openvpn)) - for client in (dict_search('server.client', openvpn) or []): - exists = None - for ovpn_user in ovpn_users.split('\n'): - if re.search('^' + client + ' ', ovpn_user): - user_data += f'{ovpn_user}\n' - exists = 'true' - - if not exists: - random = SystemRandom() - totp_secret = ''.join(random.choice(secret_chars) for _ in range(16)) - user_data += f'{client} otp totp:sha1:base32:{totp_secret}::xxx *\n' - - write_file(otp_file.format(**openvpn), user_data, - user=user, group=group, mode=0o644) - - else: - # checks for both client and site-to-site go here - if dict_search('server.reject_unconfigured_clients', openvpn): - raise ConfigError('Option reject-unconfigured-clients only supported in server mode') - - if 'replace_default_route' in openvpn and 'remote_host' not in openvpn: - raise ConfigError('Cannot set "replace-default-route" without "remote-host"') - - # - # OpenVPN common verification section - # not depending on any operation mode - # - - # verify specified IP address is present on any interface on this system - if 'local_host' in openvpn: - if not is_addr_assigned(openvpn['local_host']): - print('local-host IP address "{local_host}" not assigned' \ - ' to any interface'.format(**openvpn)) - - # TCP active - if openvpn['protocol'] == 'tcp-active': - if 'local_port' in openvpn: - raise ConfigError('Cannot specify "local-port" with "tcp-active"') - - if 'remote_host' not in openvpn: - raise ConfigError('Must specify "remote-host" with "tcp-active"') - - # - # TLS/encryption - # - if 'shared_secret_key' in openvpn: - if dict_search('encryption.cipher', openvpn) in ['aes128gcm', 'aes192gcm', 'aes256gcm']: - raise ConfigError('GCM encryption with shared-secret-key not supported') - - if 'tls' in openvpn: - if {'auth_key', 'crypt_key'} <= set(openvpn['tls']): - raise ConfigError('TLS auth and crypt keys are mutually exclusive') - - tmp = dict_search('tls.role', openvpn) - if tmp: - if openvpn['mode'] in ['client', 'server']: - if not dict_search('tls.auth_key', openvpn): - raise ConfigError('Cannot specify "tls role" in client-server mode') - - if tmp == 'active': - if openvpn['protocol'] == 'tcp-passive': - raise ConfigError('Cannot specify "tcp-passive" when "tls role" is "active"') - - if dict_search('tls.dh_params', openvpn): - raise ConfigError('Cannot specify "tls dh-params" when "tls role" is "active"') - - elif tmp == 'passive': - if openvpn['protocol'] == 'tcp-active': - raise ConfigError('Cannot specify "tcp-active" when "tls role" is "passive"') - - if 'certificate' in openvpn['tls'] and is_ec_private_key(openvpn['pki'], openvpn['tls']['certificate']): - if 'dh_params' in openvpn['tls']: - print('Warning: using dh-params and EC keys simultaneously will ' \ - 'lead to DH ciphers being used instead of ECDH') - - if dict_search('encryption.cipher', openvpn) == 'none': - print('Warning: "encryption none" was specified!') - print('No encryption will be performed and data is transmitted in ' \ - 'plain text over the network!') - - verify_pki(openvpn) - - # - # Auth user/pass - # - if (dict_search('authentication.username', openvpn) and not - dict_search('authentication.password', openvpn)): - raise ConfigError('Password for authentication is missing') - - if (dict_search('authentication.password', openvpn) and not - dict_search('authentication.username', openvpn)): - raise ConfigError('Username for authentication is missing') - - verify_vrf(openvpn) - verify_bond_bridge_member(openvpn) - verify_mirror_redirect(openvpn) - - return None - -def generate_pki_files(openvpn): - pki = openvpn['pki'] - if not pki: - return None - - interface = openvpn['ifname'] - shared_secret_key = dict_search_args(openvpn, 'shared_secret_key') - tls = dict_search_args(openvpn, 'tls') - - if shared_secret_key: - pki_key = pki['openvpn']['shared_secret'][shared_secret_key] - key_path = os.path.join(cfg_dir, f'{interface}_shared.key') - write_file(key_path, wrap_openvpn_key(pki_key['key']), - user=user, group=group) - - if tls: - if 'ca_certificate' in tls: - cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem') - crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem') - - if os.path.exists(cert_path): - os.unlink(cert_path) - - if os.path.exists(crl_path): - os.unlink(crl_path) - - for cert_name in sort_ca_chain(tls['ca_certificate'], pki['ca']): - pki_ca = pki['ca'][cert_name] - - if 'certificate' in pki_ca: - write_file(cert_path, wrap_certificate(pki_ca['certificate']) + "\n", - user=user, group=group, mode=0o600, append=True) - - if 'crl' in pki_ca: - for crl in pki_ca['crl']: - write_file(crl_path, wrap_crl(crl) + "\n", user=user, group=group, - mode=0o600, append=True) - - openvpn['tls']['crl'] = True - - if 'certificate' in tls: - cert_name = tls['certificate'] - pki_cert = pki['certificate'][cert_name] - - if 'certificate' in pki_cert: - cert_path = os.path.join(cfg_dir, f'{interface}_cert.pem') - write_file(cert_path, wrap_certificate(pki_cert['certificate']), - user=user, group=group, mode=0o600) - - if 'private' in pki_cert and 'key' in pki_cert['private']: - key_path = os.path.join(cfg_dir, f'{interface}_cert.key') - write_file(key_path, wrap_private_key(pki_cert['private']['key']), - user=user, group=group, mode=0o600) - - openvpn['tls']['private_key'] = True - - if 'dh_params' in tls: - dh_name = tls['dh_params'] - pki_dh = pki['dh'][dh_name] - - if 'parameters' in pki_dh: - dh_path = os.path.join(cfg_dir, f'{interface}_dh.pem') - write_file(dh_path, wrap_dh_parameters(pki_dh['parameters']), - user=user, group=group, mode=0o600) - - if 'auth_key' in tls: - key_name = tls['auth_key'] - pki_key = pki['openvpn']['shared_secret'][key_name] - - if 'key' in pki_key: - key_path = os.path.join(cfg_dir, f'{interface}_auth.key') - write_file(key_path, wrap_openvpn_key(pki_key['key']), - user=user, group=group, mode=0o600) - - if 'crypt_key' in tls: - key_name = tls['crypt_key'] - pki_key = pki['openvpn']['shared_secret'][key_name] - - if 'key' in pki_key: - key_path = os.path.join(cfg_dir, f'{interface}_crypt.key') - write_file(key_path, wrap_openvpn_key(pki_key['key']), - user=user, group=group, mode=0o600) - - -def generate(openvpn): - interface = openvpn['ifname'] - directory = os.path.dirname(cfg_file.format(**openvpn)) - openvpn['plugin_dir'] = '/usr/lib/openvpn' - # create base config directory on demand - makedir(directory, user, group) - # enforce proper permissions on /run/openvpn - chown(directory, user, group) - - # we can't know in advance which clients have been removed, - # thus all client configs will be removed and re-added on demand - ccd_dir = os.path.join(directory, 'ccd', interface) - if os.path.isdir(ccd_dir): - rmtree(ccd_dir, ignore_errors=True) - - # Remove systemd directories with overrides - service_dir = os.path.dirname(service_file.format(**openvpn)) - if os.path.isdir(service_dir): - rmtree(service_dir, ignore_errors=True) - - if 'deleted' in openvpn or 'disable' in openvpn: - return None - - # create client config directory on demand - makedir(ccd_dir, user, group) - - # Fix file permissons for keys - generate_pki_files(openvpn) - - # Generate User/Password authentication file - if 'authentication' in openvpn: - render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.j2', openvpn, - user=user, group=group, permission=0o600) - else: - # delete old auth file if present - if os.path.isfile(openvpn['auth_user_pass_file']): - os.remove(openvpn['auth_user_pass_file']) - - # Generate client specific configuration - server_client = dict_search_args(openvpn, 'server', 'client') - if server_client: - for client, client_config in server_client.items(): - client_file = os.path.join(ccd_dir, client) - - # Our client need's to know its subnet mask ... - client_config['server_subnet'] = dict_search('server.subnet', openvpn) - - render(client_file, 'openvpn/client.conf.j2', client_config, - user=user, group=group) - - # we need to support quoting of raw parameters from OpenVPN CLI - # see https://vyos.dev/T1632 - render(cfg_file.format(**openvpn), 'openvpn/server.conf.j2', openvpn, - formater=lambda _: _.replace(""", '"'), user=user, group=group) - - # Render 20-override.conf for OpenVPN service - render(service_file.format(**openvpn), 'openvpn/service-override.conf.j2', openvpn, - formater=lambda _: _.replace(""", '"'), user=user, group=group) - # Reload systemd services config to apply an override - call(f'systemctl daemon-reload') - - return None - -def apply(openvpn): - interface = openvpn['ifname'] - - # Do some cleanup when OpenVPN is disabled/deleted - if 'deleted' in openvpn or 'disable' in openvpn: - call(f'systemctl stop openvpn@{interface}.service') - for cleanup_file in glob(f'/run/openvpn/{interface}.*'): - if os.path.isfile(cleanup_file): - os.unlink(cleanup_file) - - if interface in interfaces(): - VTunIf(interface).remove() - - # dynamically load/unload DCO Kernel extension if requested - dco_module = 'ovpn_dco_v2' - if 'module_load_dco' in openvpn: - check_kmod(dco_module) - else: - unload_kmod(dco_module) - - # Now bail out early if interface is disabled or got deleted - if 'deleted' in openvpn or 'disable' in openvpn: - return None - - # verify specified IP address is present on any interface on this system - # Allow to bind service to nonlocal address, if it virtaual-vrrp address - # or if address will be assign later - if 'local_host' in openvpn: - if not is_addr_assigned(openvpn['local_host']): - cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1') - - # No matching OpenVPN process running - maybe it got killed or none - # existed - nevertheless, spawn new OpenVPN process - action = 'reload-or-restart' - if 'restart_required' in openvpn: - action = 'restart' - call(f'systemctl {action} openvpn@{interface}.service') - - o = VTunIf(**openvpn) - o.update(openvpn) - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) - diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py deleted file mode 100755 index 42f084309..000000000 --- a/src/conf_mode/interfaces-pppoe.py +++ /dev/null @@ -1,148 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from copy import deepcopy -from netifaces import interfaces - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configdict import get_pppoe_interfaces -from vyos.configverify import verify_authentication -from vyos.configverify import verify_source_interface -from vyos.configverify import verify_interface_exists -from vyos.configverify import verify_vrf -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_mirror_redirect -from vyos.ifconfig import PPPoEIf -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.process import is_systemd_service_running -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'pppoe'] - ifname, pppoe = get_interface_dict(conf, base) - - # We should only terminate the PPPoE session if critical parameters change. - # All parameters that can be changed on-the-fly (like interface description) - # should not lead to a reconnect! - for options in ['access-concentrator', 'connect-on-demand', 'service-name', - 'source-interface', 'vrf', 'no-default-route', - 'authentication', 'host_uniq']: - if is_node_changed(conf, base + [ifname, options]): - pppoe.update({'shutdown_required': {}}) - # bail out early - no need to further process other nodes - break - - if 'deleted' not in pppoe: - # We always set the MRU value to the MTU size. This code path only re-creates - # the old behavior if MRU is not set on the CLI. - if 'mru' not in pppoe: - pppoe['mru'] = pppoe['mtu'] - - return pppoe - -def verify(pppoe): - if 'deleted' in pppoe: - # bail out early - return None - - verify_source_interface(pppoe) - verify_authentication(pppoe) - verify_vrf(pppoe) - verify_mtu_ipv6(pppoe) - verify_mirror_redirect(pppoe) - - if {'connect_on_demand', 'vrf'} <= set(pppoe): - raise ConfigError('On-demand dialing and VRF can not be used at the same time') - - # both MTU and MRU have default values, thus we do not need to check - # if the key exists - if int(pppoe['mru']) > int(pppoe['mtu']): - raise ConfigError('PPPoE MRU needs to be lower then MTU!') - - return None - -def generate(pppoe): - # set up configuration file path variables where our templates will be - # rendered into - ifname = pppoe['ifname'] - config_pppoe = f'/etc/ppp/peers/{ifname}' - - if 'deleted' in pppoe or 'disable' in pppoe: - if os.path.exists(config_pppoe): - os.unlink(config_pppoe) - - return None - - # Create PPP configuration files - render(config_pppoe, 'pppoe/peer.j2', pppoe, permission=0o640) - - return None - -def apply(pppoe): - ifname = pppoe['ifname'] - if 'deleted' in pppoe or 'disable' in pppoe: - if os.path.isdir(f'/sys/class/net/{ifname}'): - p = PPPoEIf(ifname) - p.remove() - call(f'systemctl stop ppp@{ifname}.service') - return None - - # reconnect should only be necessary when certain config options change, - # like ACS name, authentication ... (see get_config() for details) - if ((not is_systemd_service_running(f'ppp@{ifname}.service')) or - 'shutdown_required' in pppoe): - - # cleanup system (e.g. FRR routes first) - if os.path.isdir(f'/sys/class/net/{ifname}'): - p = PPPoEIf(ifname) - p.remove() - - call(f'systemctl restart ppp@{ifname}.service') - # When interface comes "live" a hook is called: - # /etc/ppp/ip-up.d/99-vyos-pppoe-callback - # which triggers PPPoEIf.update() - else: - if os.path.isdir(f'/sys/class/net/{ifname}'): - p = PPPoEIf(ifname) - p.update(pppoe) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py deleted file mode 100755 index dce5c2358..000000000 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ /dev/null @@ -1,107 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit -from netifaces import interfaces - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configdict import is_source_interface -from vyos.configdict import is_node_changed -from vyos.configverify import verify_vrf -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_source_interface -from vyos.configverify import verify_vlan_config -from vyos.configverify import verify_mtu_parent -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import MACVLANIf -from vyos import ConfigError - -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at - least the interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'pseudo-ethernet'] - ifname, peth = get_interface_dict(conf, base) - - mode = is_node_changed(conf, ['mode']) - if mode: peth.update({'shutdown_required' : {}}) - - if is_node_changed(conf, base + [ifname, 'mode']): - peth.update({'rebuild_required': {}}) - - if 'source_interface' in peth: - _, peth['parent'] = get_interface_dict(conf, ['interfaces', 'ethernet'], - peth['source_interface']) - # test if source-interface is maybe already used by another interface - tmp = is_source_interface(conf, peth['source_interface'], ['macsec']) - if tmp and tmp != ifname: peth.update({'is_source_interface' : tmp}) - - return peth - -def verify(peth): - if 'deleted' in peth: - verify_bridge_delete(peth) - return None - - verify_source_interface(peth) - verify_vrf(peth) - verify_address(peth) - verify_mtu_parent(peth, peth['parent']) - verify_mirror_redirect(peth) - # use common function to verify VLAN configuration - verify_vlan_config(peth) - - return None - -def generate(peth): - return None - -def apply(peth): - # Check if the MACVLAN interface already exists - if 'rebuild_required' in peth or 'deleted' in peth: - if peth['ifname'] in interfaces(): - p = MACVLANIf(peth['ifname']) - # MACVLAN is always needs to be recreated, - # thus we can simply always delete it first. - p.remove() - - if 'deleted' not in peth: - p = MACVLANIf(**peth) - p.update(peth) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-sstpc.py b/src/conf_mode/interfaces-sstpc.py deleted file mode 100755 index b588910dc..000000000 --- a/src/conf_mode/interfaces-sstpc.py +++ /dev/null @@ -1,145 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configverify import verify_authentication -from vyos.configverify import verify_vrf -from vyos.ifconfig import SSTPCIf -from vyos.pki import encode_certificate -from vyos.pki import find_chain -from vyos.pki import load_certificate -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos.utils.process import is_systemd_service_running -from vyos.utils.file import write_file -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'sstpc'] - ifname, sstpc = get_interface_dict(conf, base) - - # We should only terminate the SSTP client session if critical parameters - # change. All parameters that can be changed on-the-fly (like interface - # description) should not lead to a reconnect! - for options in ['authentication', 'no_peer_dns', 'no_default_route', - 'server', 'ssl']: - if is_node_changed(conf, base + [ifname, options]): - sstpc.update({'shutdown_required': {}}) - # bail out early - no need to further process other nodes - break - - # Load PKI certificates for later processing - sstpc['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) - return sstpc - -def verify(sstpc): - if 'deleted' in sstpc: - return None - - verify_authentication(sstpc) - verify_vrf(sstpc) - - if not dict_search('server', sstpc): - raise ConfigError('Remote SSTP server must be specified!') - - if not dict_search('ssl.ca_certificate', sstpc): - raise ConfigError('Missing mandatory CA certificate!') - - return None - -def generate(sstpc): - ifname = sstpc['ifname'] - config_sstpc = f'/etc/ppp/peers/{ifname}' - - sstpc['ca_file_path'] = f'/run/sstpc/{ifname}_ca-cert.pem' - - if 'deleted' in sstpc: - for file in [sstpc['ca_file_path'], config_sstpc]: - if os.path.exists(file): - os.unlink(file) - return None - - ca_name = sstpc['ssl']['ca_certificate'] - pki_ca_cert = sstpc['pki']['ca'][ca_name] - - loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) - loaded_ca_certs = {load_certificate(c['certificate']) - for c in sstpc['pki']['ca'].values()} if 'ca' in sstpc['pki'] else {} - - ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) - - write_file(sstpc['ca_file_path'], '\n'.join(encode_certificate(c) for c in ca_full_chain)) - render(config_sstpc, 'sstp-client/peer.j2', sstpc, permission=0o640) - - return None - -def apply(sstpc): - ifname = sstpc['ifname'] - if 'deleted' in sstpc or 'disable' in sstpc: - if os.path.isdir(f'/sys/class/net/{ifname}'): - p = SSTPCIf(ifname) - p.remove() - call(f'systemctl stop ppp@{ifname}.service') - return None - - # reconnect should only be necessary when specific options change, - # like server, authentication ... (see get_config() for details) - if ((not is_systemd_service_running(f'ppp@{ifname}.service')) or - 'shutdown_required' in sstpc): - - # cleanup system (e.g. FRR routes first) - if os.path.isdir(f'/sys/class/net/{ifname}'): - p = SSTPCIf(ifname) - p.remove() - - call(f'systemctl restart ppp@{ifname}.service') - # When interface comes "live" a hook is called: - # /etc/ppp/ip-up.d/96-vyos-sstpc-callback - # which triggers SSTPCIf.update() - else: - if os.path.isdir(f'/sys/class/net/{ifname}'): - p = SSTPCIf(ifname) - p.update(sstpc) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py deleted file mode 100755 index 91aed9cc3..000000000 --- a/src/conf_mode/interfaces-tunnel.py +++ /dev/null @@ -1,224 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2022 yOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from netifaces import interfaces - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_interface_exists -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_vrf -from vyos.configverify import verify_tunnel -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import Interface -from vyos.ifconfig import Section -from vyos.ifconfig import TunnelIf -from vyos.utils.network import get_interface_config -from vyos.utils.dict import dict_search -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least - the interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'tunnel'] - ifname, tunnel = get_interface_dict(conf, base) - - if 'deleted' not in tunnel: - tmp = is_node_changed(conf, base + [ifname, 'encapsulation']) - if tmp: tunnel.update({'encapsulation_changed': {}}) - - tmp = is_node_changed(conf, base + [ifname, 'parameters', 'ip', 'key']) - if tmp: tunnel.update({'key_changed': {}}) - - # We also need to inspect other configured tunnels as there are Kernel - # restrictions where we need to comply. E.g. GRE tunnel key can't be used - # twice, or with multiple GRE tunnels to the same location we must specify - # a GRE key - conf.set_level(base) - tunnel['other_tunnels'] = conf.get_config_dict([], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) - # delete our own instance from this dict - ifname = tunnel['ifname'] - del tunnel['other_tunnels'][ifname] - # if only one tunnel is present on the system, no need to keep this key - if len(tunnel['other_tunnels']) == 0: - del tunnel['other_tunnels'] - - # We must check if our interface is configured to be a DMVPN member - nhrp_base = ['protocols', 'nhrp', 'tunnel'] - conf.set_level(nhrp_base) - nhrp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True) - if nhrp: tunnel.update({'nhrp' : list(nhrp.keys())}) - - if 'encapsulation' in tunnel and tunnel['encapsulation'] not in ['erspan', 'ip6erspan']: - del tunnel['parameters']['erspan'] - - return tunnel - -def verify(tunnel): - if 'deleted' in tunnel: - verify_bridge_delete(tunnel) - - if 'nhrp' in tunnel and tunnel['ifname'] in tunnel['nhrp']: - raise ConfigError('Tunnel used for NHRP, it can not be deleted!') - - return None - - verify_tunnel(tunnel) - - if tunnel['encapsulation'] in ['erspan', 'ip6erspan']: - if dict_search('parameters.ip.key', tunnel) == None: - raise ConfigError('ERSPAN requires ip key parameter!') - - # this is a default field - ver = int(tunnel['parameters']['erspan']['version']) - if ver == 1: - if 'hw_id' in tunnel['parameters']['erspan']: - raise ConfigError('ERSPAN version 1 does not support hw-id!') - if 'direction' in tunnel['parameters']['erspan']: - raise ConfigError('ERSPAN version 1 does not support direction!') - elif ver == 2: - if 'idx' in tunnel['parameters']['erspan']: - raise ConfigError('ERSPAN version 2 does not index parameter!') - if 'direction' not in tunnel['parameters']['erspan']: - raise ConfigError('ERSPAN version 2 requires direction to be set!') - - # If tunnel source is any and gre key is not set - interface = tunnel['ifname'] - if tunnel['encapsulation'] in ['gre'] and \ - dict_search('source_address', tunnel) == '0.0.0.0' and \ - dict_search('parameters.ip.key', tunnel) == None: - raise ConfigError(f'"parameters ip key" must be set for {interface} when '\ - 'encapsulation is GRE!') - - gre_encapsulations = ['gre', 'gretap'] - if tunnel['encapsulation'] in gre_encapsulations and 'other_tunnels' in tunnel: - # Check pairs tunnel source-address/encapsulation/key with exists tunnels. - # Prevent the same key for 2 tunnels with same source-address/encap. T2920 - for o_tunnel, o_tunnel_conf in tunnel['other_tunnels'].items(): - # no match on encapsulation - bail out - our_encapsulation = tunnel['encapsulation'] - their_encapsulation = o_tunnel_conf['encapsulation'] - if our_encapsulation in gre_encapsulations and their_encapsulation \ - not in gre_encapsulations: - continue - - our_address = dict_search('source_address', tunnel) - our_key = dict_search('parameters.ip.key', tunnel) - their_address = dict_search('source_address', o_tunnel_conf) - their_key = dict_search('parameters.ip.key', o_tunnel_conf) - if our_key != None: - if their_address == our_address and their_key == our_key: - raise ConfigError(f'Key "{our_key}" for source-address "{our_address}" ' \ - f'is already used for tunnel "{o_tunnel}"!') - else: - our_source_if = dict_search('source_interface', tunnel) - their_source_if = dict_search('source_interface', o_tunnel_conf) - our_remote = dict_search('remote', tunnel) - their_remote = dict_search('remote', o_tunnel_conf) - # If no IP GRE key is defined we can not have more then one GRE tunnel - # bound to any one interface/IP address and the same remote. This will - # result in a OS PermissionError: add tunnel "gre0" failed: File exists - if (their_address == our_address or our_source_if == their_source_if) and \ - our_remote == their_remote: - raise ConfigError(f'Missing required "ip key" parameter when '\ - 'running more then one GRE based tunnel on the '\ - 'same source-interface/source-address') - - # Keys are not allowed with ipip and sit tunnels - if tunnel['encapsulation'] in ['ipip', 'sit']: - if dict_search('parameters.ip.key', tunnel) != None: - raise ConfigError('Keys are not allowed with ipip and sit tunnels!') - - verify_mtu_ipv6(tunnel) - verify_address(tunnel) - verify_vrf(tunnel) - verify_bond_bridge_member(tunnel) - verify_mirror_redirect(tunnel) - - if 'source_interface' in tunnel: - verify_interface_exists(tunnel['source_interface']) - - # TTL != 0 and nopmtudisc are incompatible, parameters and ip use default - # values, thus the keys are always present. - if dict_search('parameters.ip.no_pmtu_discovery', tunnel) != None: - if dict_search('parameters.ip.ttl', tunnel) != '0': - raise ConfigError('Disabled PMTU requires TTL set to "0"!') - if tunnel['encapsulation'] in ['ipip6', 'ip6ip6', 'ip6gre']: - raise ConfigError('Can not disable PMTU discovery for given encapsulation') - - if dict_search('parameters.ip.ignore_df', tunnel) != None: - if tunnel['encapsulation'] not in ['gretap']: - raise ConfigError('Option ignore-df can only be used on GRETAP tunnels!') - - if dict_search('parameters.ip.no_pmtu_discovery', tunnel) == None: - raise ConfigError('Option ignore-df requires path MTU discovery to be disabled!') - - -def generate(tunnel): - return None - -def apply(tunnel): - interface = tunnel['ifname'] - # If a gretap tunnel is already existing we can not "simply" change local or - # remote addresses. This returns "Operation not supported" by the Kernel. - # There is no other solution to destroy and recreate the tunnel. - encap = '' - remote = '' - tmp = get_interface_config(interface) - if tmp: - encap = dict_search('linkinfo.info_kind', tmp) - remote = dict_search('linkinfo.info_data.remote', tmp) - - if ('deleted' in tunnel or 'encapsulation_changed' in tunnel or encap in - ['gretap', 'ip6gretap', 'erspan', 'ip6erspan'] or remote in ['any'] or - 'key_changed' in tunnel): - if interface in interfaces(): - tmp = Interface(interface) - tmp.remove() - if 'deleted' in tunnel: - return None - - tun = TunnelIf(**tunnel) - tun.update(tunnel) - - return None - -if __name__ == '__main__': - try: - c = get_config() - generate(c) - verify(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-virtual-ethernet.py b/src/conf_mode/interfaces-virtual-ethernet.py deleted file mode 100755 index 8efe89c41..000000000 --- a/src/conf_mode/interfaces-virtual-ethernet.py +++ /dev/null @@ -1,114 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from netifaces import interfaces -from vyos import ConfigError -from vyos import airbag -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_vrf -from vyos.ifconfig import VethIf - -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at - least the interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'virtual-ethernet'] - ifname, veth = get_interface_dict(conf, base) - - # We need to know all other veth related interfaces as veth requires a 1:1 - # mapping for the peer-names. The Linux kernel automatically creates both - # interfaces, the local one and the peer-name, but VyOS also needs a peer - # interfaces configrued on the CLI so we can assign proper IP addresses etc. - veth['other_interfaces'] = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - return veth - - -def verify(veth): - if 'deleted' in veth: - verify_bridge_delete(veth) - # Prevent to delete veth interface which used for another "vethX peer-name" - for iface, iface_config in veth['other_interfaces'].items(): - if veth['ifname'] in iface_config['peer_name']: - ifname = veth['ifname'] - raise ConfigError( - f'Cannot delete "{ifname}" used for "interface {iface} peer-name"' - ) - return None - - verify_vrf(veth) - verify_address(veth) - - if 'peer_name' not in veth: - raise ConfigError(f'Remote peer name must be set for "{veth["ifname"]}"!') - - peer_name = veth['peer_name'] - ifname = veth['ifname'] - - if veth['peer_name'] not in veth['other_interfaces']: - raise ConfigError(f'Used peer-name "{peer_name}" on interface "{ifname}" ' \ - 'is not configured!') - - if veth['other_interfaces'][peer_name]['peer_name'] != ifname: - raise ConfigError( - f'Configuration mismatch between "{ifname}" and "{peer_name}"!') - - if peer_name == ifname: - raise ConfigError( - f'Peer-name "{peer_name}" cannot be the same as interface "{ifname}"!') - - return None - - -def generate(peth): - return None - -def apply(veth): - # Check if the Veth interface already exists - if 'rebuild_required' in veth or 'deleted' in veth: - if veth['ifname'] in interfaces(): - p = VethIf(veth['ifname']) - p.remove() - - if 'deleted' not in veth: - p = VethIf(**veth) - p.update(veth) - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py deleted file mode 100755 index 9871810ae..000000000 --- a/src/conf_mode/interfaces-vti.py +++ /dev/null @@ -1,68 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from netifaces import interfaces -from sys import exit - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configverify import verify_mirror_redirect -from vyos.ifconfig import VTIIf -from vyos.utils.dict import dict_search -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'vti'] - _, vti = get_interface_dict(conf, base) - return vti - -def verify(vti): - verify_mirror_redirect(vti) - return None - -def generate(vti): - return None - -def apply(vti): - # Remove macsec interface - if 'deleted' in vti: - VTIIf(**vti).remove() - return None - - tmp = VTIIf(**vti) - tmp.update(vti) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py deleted file mode 100755 index 4251e611b..000000000 --- a/src/conf_mode/interfaces-vxlan.py +++ /dev/null @@ -1,236 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from netifaces import interfaces - -from vyos.base import Warning -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import leaf_node_changed -from vyos.configdict import is_node_changed -from vyos.configdict import node_changed -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_source_interface -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import Interface -from vyos.ifconfig import VXLANIf -from vyos.template import is_ipv6 -from vyos.utils.dict import dict_search -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least - the interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'vxlan'] - ifname, vxlan = get_interface_dict(conf, base) - - # VXLAN interfaces are picky and require recreation if certain parameters - # change. But a VXLAN interface should - of course - not be re-created if - # it's description or IP address is adjusted. Feels somehow logic doesn't it? - for cli_option in ['parameters', 'gpe', 'group', 'port', 'remote', - 'source-address', 'source-interface', 'vni']: - if is_node_changed(conf, base + [ifname, cli_option]): - vxlan.update({'rebuild_required': {}}) - break - - # When dealing with VNI filtering we need to know what VNI was actually removed, - # so build up a dict matching the vlan_to_vni structure but with removed values. - tmp = node_changed(conf, base + [ifname, 'vlan-to-vni'], recursive=True) - if tmp: - vxlan.update({'vlan_to_vni_removed': {}}) - for vlan in tmp: - vni = leaf_node_changed(conf, base + [ifname, 'vlan-to-vni', vlan, 'vni']) - vxlan['vlan_to_vni_removed'].update({vlan : {'vni' : vni[0]}}) - - # We need to verify that no other VXLAN tunnel is configured when external - # mode is in use - Linux Kernel limitation - conf.set_level(base) - vxlan['other_tunnels'] = conf.get_config_dict([], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) - - # This if-clause is just to be sure - it will always evaluate to true - ifname = vxlan['ifname'] - if ifname in vxlan['other_tunnels']: - del vxlan['other_tunnels'][ifname] - if len(vxlan['other_tunnels']) == 0: - del vxlan['other_tunnels'] - - return vxlan - -def verify(vxlan): - if 'deleted' in vxlan: - verify_bridge_delete(vxlan) - return None - - if int(vxlan['mtu']) < 1500: - Warning('RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU') - - if 'group' in vxlan: - if 'source_interface' not in vxlan: - raise ConfigError('Multicast VXLAN requires an underlaying interface') - verify_source_interface(vxlan) - - if not any(tmp in ['group', 'remote', 'source_address', 'source_interface'] for tmp in vxlan): - raise ConfigError('Group, remote, source-address or source-interface must be configured') - - if 'vni' not in vxlan and dict_search('parameters.external', vxlan) == None: - raise ConfigError('Must either configure VXLAN "vni" or use "external" CLI option!') - - if dict_search('parameters.external', vxlan) != None: - if 'vni' in vxlan: - raise ConfigError('Can not specify both "external" and "VNI"!') - - if 'other_tunnels' in vxlan: - # When multiple VXLAN interfaces are defined and "external" is used, - # all VXLAN interfaces need to have vni-filter enabled! - # See Linux Kernel commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 - other_vni_filter = False - for tunnel, tunnel_config in vxlan['other_tunnels'].items(): - if dict_search('parameters.vni_filter', tunnel_config) != None: - other_vni_filter = True - break - # eqivalent of the C foo ? 'a' : 'b' statement - vni_filter = True and (dict_search('parameters.vni_filter', vxlan) != None) or False - # If either one is enabled, so must be the other. Both can be off and both can be on - if (vni_filter and not other_vni_filter) or (not vni_filter and other_vni_filter): - raise ConfigError(f'Using multiple VXLAN interfaces with "external" '\ - 'requires all VXLAN interfaces to have "vni-filter" configured!') - - if not vni_filter and not other_vni_filter: - other_tunnels = ', '.join(vxlan['other_tunnels']) - raise ConfigError(f'Only one VXLAN tunnel is supported when "external" '\ - f'CLI option is used and "vni-filter" is unset. '\ - f'Additional tunnels: {other_tunnels}') - - if 'gpe' in vxlan and 'external' not in vxlan: - raise ConfigError(f'VXLAN-GPE is only supported when "external" '\ - f'CLI option is used.') - - if 'source_interface' in vxlan: - # VXLAN adds at least an overhead of 50 byte - we need to check the - # underlaying device if our VXLAN package is not going to be fragmented! - vxlan_overhead = 50 - if 'source_address' in vxlan and is_ipv6(vxlan['source_address']): - # IPv6 adds an extra 20 bytes overhead because the IPv6 header is 20 - # bytes larger than the IPv4 header - assuming no extra options are - # in use. - vxlan_overhead += 20 - - # If source_address is not used - check IPv6 'remote' list - elif 'remote' in vxlan: - if any(is_ipv6(a) for a in vxlan['remote']): - vxlan_overhead += 20 - - lower_mtu = Interface(vxlan['source_interface']).get_mtu() - if lower_mtu < (int(vxlan['mtu']) + vxlan_overhead): - raise ConfigError(f'Underlaying device MTU is to small ({lower_mtu} '\ - f'bytes) for VXLAN overhead ({vxlan_overhead} bytes!)') - - # Check for mixed IPv4 and IPv6 addresses - protocol = None - if 'source_address' in vxlan: - if is_ipv6(vxlan['source_address']): - protocol = 'ipv6' - else: - protocol = 'ipv4' - - if 'remote' in vxlan: - error_msg = 'Can not mix both IPv4 and IPv6 for VXLAN underlay' - for remote in vxlan['remote']: - if is_ipv6(remote): - if protocol == 'ipv4': - raise ConfigError(error_msg) - protocol = 'ipv6' - else: - if protocol == 'ipv6': - raise ConfigError(error_msg) - protocol = 'ipv4' - - if 'vlan_to_vni' in vxlan: - if 'is_bridge_member' not in vxlan: - raise ConfigError('VLAN to VNI mapping requires that VXLAN interface '\ - 'is member of a bridge interface!') - - vnis_used = [] - for vif, vif_config in vxlan['vlan_to_vni'].items(): - if 'vni' not in vif_config: - raise ConfigError(f'Must define VNI for VLAN "{vif}"!') - vni = vif_config['vni'] - if vni in vnis_used: - raise ConfigError(f'VNI "{vni}" is already assigned to a different VLAN!') - vnis_used.append(vni) - - if dict_search('parameters.neighbor_suppress', vxlan) != None: - if 'is_bridge_member' not in vxlan: - raise ConfigError('Neighbor suppression requires that VXLAN interface '\ - 'is member of a bridge interface!') - - verify_mtu_ipv6(vxlan) - verify_address(vxlan) - verify_bond_bridge_member(vxlan) - verify_mirror_redirect(vxlan) - - # We use a defaultValue for port, thus it's always safe to use - if vxlan['port'] == '8472': - Warning('Starting from VyOS 1.4, the default port for VXLAN '\ - 'has been changed to 4789. This matches the IANA assigned '\ - 'standard port number!') - - return None - -def generate(vxlan): - return None - -def apply(vxlan): - # Check if the VXLAN interface already exists - if 'rebuild_required' in vxlan or 'delete' in vxlan: - if vxlan['ifname'] in interfaces(): - v = VXLANIf(vxlan['ifname']) - # VXLAN is super picky and the tunnel always needs to be recreated, - # thus we can simply always delete it first. - v.remove() - - if 'deleted' not in vxlan: - # Finally create the new interface - v = VXLANIf(**vxlan) - v.update(vxlan) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py deleted file mode 100755 index 79e5d3f44..000000000 --- a/src/conf_mode/interfaces-wireguard.py +++ /dev/null @@ -1,133 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from vyos.config import Config -from vyos.configdict import dict_merge -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configverify import verify_vrf -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mtu_ipv6 -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import WireGuardIf -from vyos.utils.kernel import check_kmod -from vyos.utils.network import check_port_availability -from vyos.utils.network import is_wireguard_key_pair -from vyos import ConfigError -from vyos import airbag -airbag.enable() - - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'wireguard'] - ifname, wireguard = get_interface_dict(conf, base) - - # Check if a port was changed - tmp = is_node_changed(conf, base + [ifname, 'port']) - if tmp: wireguard['port_changed'] = {} - - # T4702: If anything on a peer changes we remove the peer first and re-add it - if is_node_changed(conf, base + [ifname, 'peer']): - wireguard.update({'rebuild_required': {}}) - - return wireguard - -def verify(wireguard): - if 'deleted' in wireguard: - verify_bridge_delete(wireguard) - return None - - verify_mtu_ipv6(wireguard) - verify_address(wireguard) - verify_vrf(wireguard) - verify_bond_bridge_member(wireguard) - verify_mirror_redirect(wireguard) - - if 'private_key' not in wireguard: - raise ConfigError('Wireguard private-key not defined') - - if 'peer' not in wireguard: - raise ConfigError('At least one Wireguard peer is required!') - - if 'port' in wireguard and 'port_changed' in wireguard: - listen_port = int(wireguard['port']) - if check_port_availability('0.0.0.0', listen_port, 'udp') is not True: - raise ConfigError(f'UDP port {listen_port} is busy or unavailable and ' - 'cannot be used for the interface!') - - # run checks on individual configured WireGuard peer - public_keys = [] - for tmp in wireguard['peer']: - peer = wireguard['peer'][tmp] - - if 'allowed_ips' not in peer: - raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!') - - if 'public_key' not in peer: - raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!') - - if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer): - raise ConfigError('Both Wireguard port and address must be defined ' - f'for peer "{tmp}" if either one of them is set!') - - if peer['public_key'] in public_keys: - raise ConfigError(f'Duplicate public-key defined on peer "{tmp}"') - - if 'disable' not in peer: - if is_wireguard_key_pair(wireguard['private_key'], peer['public_key']): - raise ConfigError(f'Peer "{tmp}" has the same public key as the interface "{wireguard["ifname"]}"') - - public_keys.append(peer['public_key']) - -def apply(wireguard): - if 'rebuild_required' in wireguard or 'deleted' in wireguard: - wg = WireGuardIf(**wireguard) - # WireGuard only supports peer removal based on the configured public-key, - # by deleting the entire interface this is the shortcut instead of parsing - # out all peers and removing them one by one. - # - # Peer reconfiguration will always come with a short downtime while the - # WireGuard interface is recreated (see below) - wg.remove() - - # Create the new interface if required - if 'deleted' not in wireguard: - wg = WireGuardIf(**wireguard) - wg.update(wireguard) - - return None - -if __name__ == '__main__': - try: - check_kmod('wireguard') - c = get_config() - verify(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py deleted file mode 100755 index 02b4a2500..000000000 --- a/src/conf_mode/interfaces-wireless.py +++ /dev/null @@ -1,275 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from re import findall -from netaddr import EUI, mac_unix_expanded - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import dict_merge -from vyos.configverify import verify_address -from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_vlan_config -from vyos.configverify import verify_vrf -from vyos.configverify import verify_bond_bridge_member -from vyos.ifconfig import WiFiIf -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -# XXX: wpa_supplicant works on the source interface -wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf' -hostapd_conf = '/run/hostapd/{ifname}.conf' -hostapd_accept_station_conf = '/run/hostapd/{ifname}_station_accept.conf' -hostapd_deny_station_conf = '/run/hostapd/{ifname}_station_deny.conf' - -def find_other_stations(conf, base, ifname): - """ - Only one wireless interface per phy can be in station mode - - find all interfaces attached to a phy which run in station mode - """ - old_level = conf.get_level() - conf.set_level(base) - dict = {} - for phy in os.listdir('/sys/class/ieee80211'): - list = [] - for interface in conf.list_nodes([]): - if interface == ifname: - continue - # the following node is mandatory - if conf.exists([interface, 'physical-device', phy]): - tmp = conf.return_value([interface, 'type']) - if tmp == 'station': - list.append(interface) - if list: - dict.update({phy: list}) - conf.set_level(old_level) - return dict - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'wireless'] - - ifname, wifi = get_interface_dict(conf, base) - - if 'deleted' not in wifi: - # then get_interface_dict provides default keys - if wifi.from_defaults(['security', 'wep']): # if not set by user - del wifi['security']['wep'] - if wifi.from_defaults(['security', 'wpa']): # if not set by user - del wifi['security']['wpa'] - - if dict_search('security.wpa', wifi) != None: - wpa_cipher = wifi['security']['wpa'].get('cipher') - wpa_mode = wifi['security']['wpa'].get('mode') - if not wpa_cipher: - tmp = None - if wpa_mode == 'wpa': - tmp = {'security': {'wpa': {'cipher' : ['TKIP', 'CCMP']}}} - elif wpa_mode == 'wpa2': - tmp = {'security': {'wpa': {'cipher' : ['CCMP']}}} - elif wpa_mode == 'both': - tmp = {'security': {'wpa': {'cipher' : ['CCMP', 'TKIP']}}} - - if tmp: wifi = dict_merge(tmp, wifi) - - # Only one wireless interface per phy can be in station mode - tmp = find_other_stations(conf, base, wifi['ifname']) - if tmp: wifi['station_interfaces'] = tmp - - # used in hostapt.conf.j2 - wifi['hostapd_accept_station_conf'] = hostapd_accept_station_conf.format(**wifi) - wifi['hostapd_deny_station_conf'] = hostapd_deny_station_conf.format(**wifi) - - return wifi - -def verify(wifi): - if 'deleted' in wifi: - verify_bridge_delete(wifi) - return None - - if 'physical_device' not in wifi: - raise ConfigError('You must specify a physical-device "phy"') - - if 'type' not in wifi: - raise ConfigError('You must specify a WiFi mode') - - if 'ssid' not in wifi and wifi['type'] != 'monitor': - raise ConfigError('SSID must be configured unless type is set to "monitor"!') - - if wifi['type'] == 'access-point': - if 'country_code' not in wifi: - raise ConfigError('Wireless country-code is mandatory') - - if 'channel' not in wifi: - raise ConfigError('Wireless channel must be configured!') - - if 'security' in wifi: - if {'wep', 'wpa'} <= set(wifi.get('security', {})): - raise ConfigError('Must either use WEP or WPA security!') - - if 'wep' in wifi['security']: - if 'key' in wifi['security']['wep'] and len(wifi['security']['wep']) > 4: - raise ConfigError('No more then 4 WEP keys configurable') - elif 'key' not in wifi['security']['wep']: - raise ConfigError('Security WEP configured - missing WEP keys!') - - elif 'wpa' in wifi['security']: - wpa = wifi['security']['wpa'] - if not any(i in ['passphrase', 'radius'] for i in wpa): - raise ConfigError('Misssing WPA key or RADIUS server') - - if 'radius' in wpa: - if 'server' in wpa['radius']: - for server in wpa['radius']['server']: - if 'key' not in wpa['radius']['server'][server]: - raise ConfigError(f'Misssing RADIUS shared secret key for server: {server}') - - if 'capabilities' in wifi: - capabilities = wifi['capabilities'] - if 'vht' in capabilities: - if 'ht' not in capabilities: - raise ConfigError('Specify HT flags if you want to use VHT!') - - if {'beamform', 'antenna_count'} <= set(capabilities.get('vht', {})): - if capabilities['vht']['antenna_count'] == '1': - raise ConfigError('Cannot use beam forming with just one antenna!') - - if capabilities['vht']['beamform'] == 'single-user-beamformer': - if int(capabilities['vht']['antenna_count']) < 3: - # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705 - raise ConfigError('Single-user beam former requires at least 3 antennas!') - - if 'station_interfaces' in wifi and wifi['type'] == 'station': - phy = wifi['physical_device'] - if phy in wifi['station_interfaces']: - if len(wifi['station_interfaces'][phy]) > 0: - raise ConfigError('Only one station per wireless physical interface possible!') - - verify_address(wifi) - verify_vrf(wifi) - verify_bond_bridge_member(wifi) - verify_mirror_redirect(wifi) - - # use common function to verify VLAN configuration - verify_vlan_config(wifi) - - return None - -def generate(wifi): - interface = wifi['ifname'] - - # always stop hostapd service first before reconfiguring it - call(f'systemctl stop hostapd@{interface}.service') - # always stop wpa_supplicant service first before reconfiguring it - call(f'systemctl stop wpa_supplicant@{interface}.service') - - # Delete config files if interface is removed - if 'deleted' in wifi: - if os.path.isfile(hostapd_conf.format(**wifi)): - os.unlink(hostapd_conf.format(**wifi)) - if os.path.isfile(hostapd_accept_station_conf.format(**wifi)): - os.unlink(hostapd_accept_station_conf.format(**wifi)) - if os.path.isfile(hostapd_deny_station_conf.format(**wifi)): - os.unlink(hostapd_deny_station_conf.format(**wifi)) - if os.path.isfile(wpa_suppl_conf.format(**wifi)): - os.unlink(wpa_suppl_conf.format(**wifi)) - - return None - - if 'mac' not in wifi: - # http://wiki.stocksy.co.uk/wiki/Multiple_SSIDs_with_hostapd - # generate locally administered MAC address from used phy interface - with open('/sys/class/ieee80211/{physical_device}/addresses'.format(**wifi), 'r') as f: - # some PHYs tend to have multiple interfaces and thus supply multiple MAC - # addresses - we only need the first one for our calculation - tmp = f.readline().rstrip() - tmp = EUI(tmp).value - # mask last nibble from the MAC address - tmp &= 0xfffffffffff0 - # set locally administered bit in MAC address - tmp |= 0x020000000000 - # we now need to add an offset to our MAC address indicating this - # subinterfaces index - tmp += int(findall(r'\d+', interface)[0]) - - # convert integer to "real" MAC address representation - mac = EUI(hex(tmp).split('x')[-1]) - # change dialect to use : as delimiter instead of - - mac.dialect = mac_unix_expanded - wifi['mac'] = str(mac) - - # XXX: Jinja2 can not operate on a dictionary key when it starts of with a number - if '40mhz_incapable' in (dict_search('capabilities.ht', wifi) or []): - wifi['capabilities']['ht']['fourtymhz_incapable'] = wifi['capabilities']['ht']['40mhz_incapable'] - del wifi['capabilities']['ht']['40mhz_incapable'] - - # render appropriate new config files depending on access-point or station mode - if wifi['type'] == 'access-point': - render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.j2', wifi) - render(hostapd_accept_station_conf.format(**wifi), 'wifi/hostapd_accept_station.conf.j2', wifi) - render(hostapd_deny_station_conf.format(**wifi), 'wifi/hostapd_deny_station.conf.j2', wifi) - - elif wifi['type'] == 'station': - render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.j2', wifi) - - return None - -def apply(wifi): - interface = wifi['ifname'] - if 'deleted' in wifi: - WiFiIf(interface).remove() - else: - # Finally create the new interface - w = WiFiIf(**wifi) - w.update(wifi) - - # Enable/Disable interface - interface is always placed in - # administrative down state in WiFiIf class - if 'disable' not in wifi: - # Physical interface is now configured. Proceed by starting hostapd or - # wpa_supplicant daemon. When type is monitor we can just skip this. - if wifi['type'] == 'access-point': - call(f'systemctl start hostapd@{interface}.service') - - elif wifi['type'] == 'station': - call(f'systemctl start wpa_supplicant@{interface}.service') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py deleted file mode 100755 index 2515dc838..000000000 --- a/src/conf_mode/interfaces-wwan.py +++ /dev/null @@ -1,189 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from time import sleep - -from vyos.config import Config -from vyos.configdict import get_interface_dict -from vyos.configdict import is_node_changed -from vyos.configverify import verify_authentication -from vyos.configverify import verify_interface_exists -from vyos.configverify import verify_mirror_redirect -from vyos.configverify import verify_vrf -from vyos.ifconfig import WWANIf -from vyos.utils.dict import dict_search -from vyos.utils.process import cmd -from vyos.utils.process import call -from vyos.utils.process import DEVNULL -from vyos.utils.process import is_systemd_service_active -from vyos.utils.file import write_file -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -service_name = 'ModemManager.service' -cron_script = '/etc/cron.d/vyos-wwan' - -def get_config(config=None): - """ - Retrive CLI config as dictionary. Dictionary can never be empty, as at least the - interface name will be added or a deleted flag - """ - if config: - conf = config - else: - conf = Config() - base = ['interfaces', 'wwan'] - ifname, wwan = get_interface_dict(conf, base) - - # We should only terminate the WWAN session if critical parameters change. - # All parameters that can be changed on-the-fly (like interface description) - # should not lead to a reconnect! - tmp = is_node_changed(conf, base + [ifname, 'address']) - if tmp: wwan.update({'shutdown_required': {}}) - - tmp = is_node_changed(conf, base + [ifname, 'apn']) - if tmp: wwan.update({'shutdown_required': {}}) - - tmp = is_node_changed(conf, base + [ifname, 'disable']) - if tmp: wwan.update({'shutdown_required': {}}) - - tmp = is_node_changed(conf, base + [ifname, 'vrf']) - if tmp: wwan.update({'shutdown_required': {}}) - - tmp = is_node_changed(conf, base + [ifname, 'authentication']) - if tmp: wwan.update({'shutdown_required': {}}) - - tmp = is_node_changed(conf, base + [ifname, 'ipv6', 'address', 'autoconf']) - if tmp: wwan.update({'shutdown_required': {}}) - - # We need to know the amount of other WWAN interfaces as ModemManager needs - # to be started or stopped. - wwan['other_interfaces'] = conf.get_config_dict([], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) - - # This if-clause is just to be sure - it will always evaluate to true - if ifname in wwan['other_interfaces']: - del wwan['other_interfaces'][ifname] - if len(wwan['other_interfaces']) == 0: - del wwan['other_interfaces'] - - return wwan - -def verify(wwan): - if 'deleted' in wwan: - return None - - ifname = wwan['ifname'] - if not 'apn' in wwan: - raise ConfigError(f'No APN configured for "{ifname}"!') - - verify_interface_exists(ifname) - verify_authentication(wwan) - verify_vrf(wwan) - verify_mirror_redirect(wwan) - - return None - -def generate(wwan): - if 'deleted' in wwan: - # We are the last WWAN interface - there are no other ones remaining - # thus the cronjob needs to go away, too - if 'other_interfaces' not in wwan: - if os.path.exists(cron_script): - os.unlink(cron_script) - return None - - # Install cron triggered helper script to re-dial WWAN interfaces on - # disconnect - e.g. happens during RF signal loss. The script watches every - # WWAN interface - so there is only one instance. - if not os.path.exists(cron_script): - write_file(cron_script, '*/5 * * * * root /usr/libexec/vyos/vyos-check-wwan.py\n') - - return None - -def apply(wwan): - # ModemManager is required to dial WWAN connections - one instance is - # required to serve all modems. Activate ModemManager on first invocation - # of any WWAN interface. - if not is_systemd_service_active(service_name): - cmd(f'systemctl start {service_name}') - - counter = 100 - # Wait until a modem is detected and then we can continue - while counter > 0: - counter -= 1 - tmp = cmd('mmcli -L') - if tmp != 'No modems were found': - break - sleep(0.250) - - if 'shutdown_required' in wwan: - # we only need the modem number. wwan0 -> 0, wwan1 -> 1 - modem = wwan['ifname'].lstrip('wwan') - base_cmd = f'mmcli --modem {modem}' - # Number of bearers is limited - always disconnect first - cmd(f'{base_cmd} --simple-disconnect') - - w = WWANIf(wwan['ifname']) - if 'deleted' in wwan or 'disable' in wwan: - w.remove() - - # We are the last WWAN interface - there are no other WWAN interfaces - # remaining, thus we can stop ModemManager and free resources. - if 'other_interfaces' not in wwan: - cmd(f'systemctl stop {service_name}') - # Clean CRON helper script which is used for to re-connect when - # RF signal is lost - if os.path.exists(cron_script): - os.unlink(cron_script) - - return None - - if 'shutdown_required' in wwan: - ip_type = 'ipv4' - slaac = dict_search('ipv6.address.autoconf', wwan) != None - if 'address' in wwan: - if 'dhcp' in wwan['address'] and ('dhcpv6' in wwan['address'] or slaac): - ip_type = 'ipv4v6' - elif 'dhcpv6' in wwan['address'] or slaac: - ip_type = 'ipv6' - elif 'dhcp' in wwan['address']: - ip_type = 'ipv4' - - options = f'ip-type={ip_type},apn=' + wwan['apn'] - if 'authentication' in wwan: - options += ',user={username},password={password}'.format(**wwan['authentication']) - - command = f'{base_cmd} --simple-connect="{options}"' - call(command, stdout=DEVNULL) - - w.update(wwan) - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/interfaces_bonding.py b/src/conf_mode/interfaces_bonding.py new file mode 100755 index 000000000..8184d8415 --- /dev/null +++ b/src/conf_mode/interfaces_bonding.py @@ -0,0 +1,294 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from netifaces import interfaces +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configdict import leaf_node_changed +from vyos.configdict import is_member +from vyos.configdict import is_source_interface +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_dhcpv6 +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_vlan_config +from vyos.configverify import verify_vrf +from vyos.ifconfig import BondIf +from vyos.ifconfig.ethernet import EthernetIf +from vyos.ifconfig import Section +from vyos.template import render_to_string +from vyos.utils.dict import dict_search +from vyos.utils.dict import dict_to_paths_values +from vyos.configdict import has_address_configured +from vyos.configdict import has_vrf_configured +from vyos.configdep import set_dependents, call_dependents +from vyos import ConfigError +from vyos import frr +from vyos import airbag +airbag.enable() + +def get_bond_mode(mode): + if mode == 'round-robin': + return 'balance-rr' + elif mode == 'active-backup': + return 'active-backup' + elif mode == 'xor-hash': + return 'balance-xor' + elif mode == 'broadcast': + return 'broadcast' + elif mode == '802.3ad': + return '802.3ad' + elif mode == 'transmit-load-balance': + return 'balance-tlb' + elif mode == 'adaptive-load-balance': + return 'balance-alb' + else: + raise ConfigError(f'invalid bond mode "{mode}"') + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'bonding'] + ifname, bond = get_interface_dict(conf, base) + + # To make our own life easier transfor the list of member interfaces + # into a dictionary - we will use this to add additional information + # later on for each member + if 'member' in bond and 'interface' in bond['member']: + # convert list of member interfaces to a dictionary + bond['member']['interface'] = {k: {} for k in bond['member']['interface']} + + if 'mode' in bond: + bond['mode'] = get_bond_mode(bond['mode']) + + tmp = is_node_changed(conf, base + [ifname, 'mode']) + if tmp: bond['shutdown_required'] = {} + + tmp = is_node_changed(conf, base + [ifname, 'lacp-rate']) + if tmp: bond['shutdown_required'] = {} + + # determine which members have been removed + interfaces_removed = leaf_node_changed(conf, base + [ifname, 'member', 'interface']) + # Reset config level to interfaces + old_level = conf.get_level() + conf.set_level(['interfaces']) + + if interfaces_removed: + bond['shutdown_required'] = {} + if 'member' not in bond: + bond['member'] = {} + + tmp = {} + for interface in interfaces_removed: + # if member is deleted from bond, add dependencies to call + # ethernet commit again in apply function + # to apply options under ethernet section + set_dependents('ethernet', conf, interface) + section = Section.section(interface) # this will be 'ethernet' for 'eth0' + if conf.exists([section, interface, 'disable']): + tmp[interface] = {'disable': ''} + else: + tmp[interface] = {} + + # also present the interfaces to be removed from the bond as dictionary + bond['member']['interface_remove'] = tmp + + # Restore existing config level + conf.set_level(old_level) + + if dict_search('member.interface', bond): + for interface, interface_config in bond['member']['interface'].items(): + + interface_ethernet_config = conf.get_config_dict( + ['interfaces', 'ethernet', interface], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True, + with_defaults=False, + with_recursive_defaults=False) + + interface_config['config_paths'] = dict_to_paths_values(interface_ethernet_config) + + # Check if member interface is a new member + if not conf.exists_effective(base + [ifname, 'member', 'interface', interface]): + bond['shutdown_required'] = {} + interface_config['new_added'] = {} + + # Check if member interface is disabled + conf.set_level(['interfaces']) + + section = Section.section(interface) # this will be 'ethernet' for 'eth0' + if conf.exists([section, interface, 'disable']): + interface_config['disable'] = '' + + conf.set_level(old_level) + + # Check if member interface is already member of another bridge + tmp = is_member(conf, interface, 'bridge') + if tmp: interface_config['is_bridge_member'] = tmp + + # Check if member interface is already member of a bond + tmp = is_member(conf, interface, 'bonding') + for tmp in is_member(conf, interface, 'bonding'): + if bond['ifname'] == tmp: + continue + interface_config['is_bond_member'] = tmp + + # Check if member interface is used as source-interface on another interface + tmp = is_source_interface(conf, interface) + if tmp: interface_config['is_source_interface'] = tmp + + # bond members must not have an assigned address + tmp = has_address_configured(conf, interface) + if tmp: interface_config['has_address'] = {} + + # bond members must not have a VRF attached + tmp = has_vrf_configured(conf, interface) + if tmp: interface_config['has_vrf'] = {} + return bond + + +def verify(bond): + if 'deleted' in bond: + verify_bridge_delete(bond) + return None + + if 'arp_monitor' in bond: + if 'target' in bond['arp_monitor'] and len(bond['arp_monitor']['target']) > 16: + raise ConfigError('The maximum number of arp-monitor targets is 16') + + if 'interval' in bond['arp_monitor'] and int(bond['arp_monitor']['interval']) > 0: + if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']: + raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \ + 'transmit-load-balance or adaptive-load-balance') + + if 'primary' in bond: + if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']: + raise ConfigError('Option primary - mode dependency failed, not' + 'supported in mode {mode}!'.format(**bond)) + + verify_mtu_ipv6(bond) + verify_address(bond) + verify_dhcpv6(bond) + verify_vrf(bond) + verify_mirror_redirect(bond) + + # use common function to verify VLAN configuration + verify_vlan_config(bond) + + bond_name = bond['ifname'] + if dict_search('member.interface', bond): + for interface, interface_config in bond['member']['interface'].items(): + error_msg = f'Can not add interface "{interface}" to bond, ' + + if interface == 'lo': + raise ConfigError('Loopback interface "lo" can not be added to a bond') + + if interface not in interfaces(): + raise ConfigError(error_msg + 'it does not exist!') + + if 'is_bridge_member' in interface_config: + tmp = next(iter(interface_config['is_bridge_member'])) + raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!') + + if 'is_bond_member' in interface_config: + tmp = next(iter(interface_config['is_bond_member'])) + raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!') + + if 'is_source_interface' in interface_config: + tmp = interface_config['is_source_interface'] + raise ConfigError(error_msg + f'it is the source-interface of "{tmp}"!') + + if 'has_address' in interface_config: + raise ConfigError(error_msg + 'it has an address assigned!') + + if 'has_vrf' in interface_config: + raise ConfigError(error_msg + 'it has a VRF assigned!') + + if 'new_added' in interface_config and 'config_paths' in interface_config: + for option_path, option_value in interface_config['config_paths'].items(): + if option_path in EthernetIf.get_bond_member_allowed_options() : + continue + if option_path in BondIf.get_inherit_bond_options(): + continue + raise ConfigError(error_msg + f'it has a "{option_path.replace(".", " ")}" assigned!') + + if 'primary' in bond: + if bond['primary'] not in bond['member']['interface']: + raise ConfigError(f'Primary interface of bond "{bond_name}" must be a member interface') + + if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']: + raise ConfigError('primary interface only works for mode active-backup, ' \ + 'transmit-load-balance or adaptive-load-balance') + + return None + +def generate(bond): + bond['frr_zebra_config'] = '' + if 'deleted' not in bond: + bond['frr_zebra_config'] = render_to_string('frr/evpn.mh.frr.j2', bond) + return None + +def apply(bond): + ifname = bond['ifname'] + b = BondIf(ifname) + if 'deleted' in bond: + # delete interface + b.remove() + else: + b.update(bond) + + if dict_search('member.interface_remove', bond): + try: + call_dependents() + except ConfigError: + raise ConfigError('Error in updating ethernet interface ' + 'after deleting it from bond') + + zebra_daemon = 'zebra' + # Save original configuration prior to starting any commit actions + frr_cfg = frr.FRRConfig() + + # The route-map used for the FIB (zebra) is part of the zebra daemon + frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(f'^interface {ifname}', stop_pattern='^exit', remove_stop_mark=True) + if 'frr_zebra_config' in bond: + frr_cfg.add_before(frr.default_add_before, bond['frr_zebra_config']) + frr_cfg.commit_configuration(zebra_daemon) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_bridge.py b/src/conf_mode/interfaces_bridge.py new file mode 100755 index 000000000..29991e2da --- /dev/null +++ b/src/conf_mode/interfaces_bridge.py @@ -0,0 +1,186 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import node_changed +from vyos.configdict import is_member +from vyos.configdict import is_source_interface +from vyos.configdict import has_vlan_subinterface_configured +from vyos.configverify import verify_dhcpv6 +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_vrf +from vyos.ifconfig import BridgeIf +from vyos.configdict import has_address_configured +from vyos.configdict import has_vrf_configured +from vyos.configdep import set_dependents +from vyos.configdep import call_dependents +from vyos.utils.dict import dict_search +from vyos import ConfigError + +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'bridge'] + ifname, bridge = get_interface_dict(conf, base) + + # determine which members have been removed + tmp = node_changed(conf, base + [ifname, 'member', 'interface']) + if tmp: + if 'member' in bridge: + bridge['member'].update({'interface_remove' : tmp }) + else: + bridge.update({'member' : {'interface_remove' : tmp }}) + + if dict_search('member.interface', bridge) is not None: + for interface in list(bridge['member']['interface']): + # Check if member interface is already member of another bridge + tmp = is_member(conf, interface, 'bridge') + if tmp and bridge['ifname'] not in tmp: + bridge['member']['interface'][interface].update({'is_bridge_member' : tmp}) + + # Check if member interface is already member of a bond + tmp = is_member(conf, interface, 'bonding') + if tmp: bridge['member']['interface'][interface].update({'is_bond_member' : tmp}) + + # Check if member interface is used as source-interface on another interface + tmp = is_source_interface(conf, interface) + if tmp: bridge['member']['interface'][interface].update({'is_source_interface' : tmp}) + + # Bridge members must not have an assigned address + tmp = has_address_configured(conf, interface) + if tmp: bridge['member']['interface'][interface].update({'has_address' : ''}) + + # Bridge members must not have a VRF attached + tmp = has_vrf_configured(conf, interface) + if tmp: bridge['member']['interface'][interface].update({'has_vrf' : ''}) + + # VLAN-aware bridge members must not have VLAN interface configuration + tmp = has_vlan_subinterface_configured(conf,interface) + if 'enable_vlan' in bridge and tmp: + bridge['member']['interface'][interface].update({'has_vlan' : ''}) + + # When using VXLAN member interfaces that are configured for Single + # VXLAN Device (SVD) we need to call the VXLAN conf-mode script to re-create + # VLAN to VNI mappings if required + if interface.startswith('vxlan'): + set_dependents('vxlan', conf, interface) + + # delete empty dictionary keys - no need to run code paths if nothing is there to do + if 'member' in bridge: + if 'interface' in bridge['member'] and len(bridge['member']['interface']) == 0: + del bridge['member']['interface'] + + if len(bridge['member']) == 0: + del bridge['member'] + + return bridge + +def verify(bridge): + if 'deleted' in bridge: + return None + + verify_dhcpv6(bridge) + verify_vrf(bridge) + verify_mirror_redirect(bridge) + + ifname = bridge['ifname'] + + if dict_search('member.interface', bridge): + for interface, interface_config in bridge['member']['interface'].items(): + error_msg = f'Can not add interface "{interface}" to bridge, ' + + if interface == 'lo': + raise ConfigError('Loopback interface "lo" can not be added to a bridge') + + if 'is_bridge_member' in interface_config: + tmp = next(iter(interface_config['is_bridge_member'])) + raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!') + + if 'is_bond_member' in interface_config: + tmp = next(iter(interface_config['is_bond_member'])) + raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!') + + if 'is_source_interface' in interface_config: + tmp = interface_config['is_source_interface'] + raise ConfigError(error_msg + f'it is the source-interface of "{tmp}"!') + + if 'has_address' in interface_config: + raise ConfigError(error_msg + 'it has an address assigned!') + + if 'has_vrf' in interface_config: + raise ConfigError(error_msg + 'it has a VRF assigned!') + + if 'enable_vlan' in bridge: + if 'has_vlan' in interface_config: + raise ConfigError(error_msg + 'it has VLAN subinterface(s) assigned!') + + if 'wlan' in interface: + raise ConfigError(error_msg + 'VLAN aware cannot be set!') + else: + for option in ['allowed_vlan', 'native_vlan']: + if option in interface_config: + raise ConfigError('Can not use VLAN options on non VLAN aware bridge') + + if 'enable_vlan' in bridge: + if dict_search('vif.1', bridge): + raise ConfigError(f'VLAN 1 sub interface cannot be set for VLAN aware bridge {ifname}, and VLAN 1 is always the parent interface') + else: + if dict_search('vif', bridge): + raise ConfigError(f'You must first activate "enable-vlan" of {ifname} bridge to use "vif"') + + return None + +def generate(bridge): + return None + +def apply(bridge): + br = BridgeIf(bridge['ifname']) + if 'deleted' in bridge: + # delete interface + br.remove() + else: + br.update(bridge) + + for interface in dict_search('member.interface', bridge) or []: + if interface.startswith('vxlan'): + try: + call_dependents() + except ConfigError: + raise ConfigError('Error in updating VXLAN interface after changing bridge!') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_dummy.py b/src/conf_mode/interfaces_dummy.py new file mode 100755 index 000000000..db768b94d --- /dev/null +++ b/src/conf_mode/interfaces_dummy.py @@ -0,0 +1,76 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mirror_redirect +from vyos.ifconfig import DummyIf +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'dummy'] + _, dummy = get_interface_dict(conf, base) + return dummy + +def verify(dummy): + if 'deleted' in dummy: + verify_bridge_delete(dummy) + return None + + verify_vrf(dummy) + verify_address(dummy) + verify_mirror_redirect(dummy) + + return None + +def generate(dummy): + return None + +def apply(dummy): + d = DummyIf(**dummy) + + # Remove dummy interface + if 'deleted' in dummy: + d.remove() + else: + d.update(dummy) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_ethernet.py b/src/conf_mode/interfaces_ethernet.py new file mode 100755 index 000000000..7374a29f7 --- /dev/null +++ b/src/conf_mode/interfaces_ethernet.py @@ -0,0 +1,400 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import pprint + +from glob import glob +from sys import exit + +from vyos.base import Warning +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configverify import verify_address +from vyos.configverify import verify_dhcpv6 +from vyos.configverify import verify_eapol +from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_mtu +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_vlan_config +from vyos.configverify import verify_vrf +from vyos.configverify import verify_bond_bridge_member +from vyos.ethtool import Ethtool +from vyos.ifconfig import EthernetIf +from vyos.ifconfig import BondIf +from vyos.pki import find_chain +from vyos.pki import encode_certificate +from vyos.pki import load_certificate +from vyos.pki import wrap_private_key +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.dict import dict_search +from vyos.utils.dict import dict_to_paths_values +from vyos.utils.dict import dict_set +from vyos.utils.dict import dict_delete +from vyos.utils.file import write_file +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +# XXX: wpa_supplicant works on the source interface +cfg_dir = '/run/wpa_supplicant' +wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf' + +def update_bond_options(conf: Config, eth_conf: dict) -> list: + """ + Return list of blocked options if interface is a bond member + :param conf: Config object + :type conf: Config + :param eth_conf: Ethernet config dictionary + :type eth_conf: dict + :return: List of blocked options + :rtype: list + """ + blocked_list = [] + bond_name = list(eth_conf['is_bond_member'].keys())[0] + config_without_defaults = conf.get_config_dict( + ['interfaces', 'ethernet', eth_conf['ifname']], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True, + with_defaults=False, + with_recursive_defaults=False) + config_with_defaults = conf.get_config_dict( + ['interfaces', 'ethernet', eth_conf['ifname']], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True, + with_defaults=True, + with_recursive_defaults=True) + bond_config_with_defaults = conf.get_config_dict( + ['interfaces', 'bonding', bond_name], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True, + with_defaults=True, + with_recursive_defaults=True) + eth_dict_paths = dict_to_paths_values(config_without_defaults) + eth_path_base = ['interfaces', 'ethernet', eth_conf['ifname']] + + #if option is configured under ethernet section + for option_path, option_value in eth_dict_paths.items(): + bond_option_value = dict_search(option_path, bond_config_with_defaults) + + #If option is allowed for changing then continue + if option_path in EthernetIf.get_bond_member_allowed_options(): + continue + # if option is inherited from bond then set valued from bond interface + if option_path in BondIf.get_inherit_bond_options(): + # If option equals to bond option then do nothing + if option_value == bond_option_value: + continue + else: + # if ethernet has option and bond interface has + # then copy it from bond + if bond_option_value is not None: + if is_node_changed(conf, eth_path_base + option_path.split('.')): + Warning( + f'Cannot apply "{option_path.replace(".", " ")}" to "{option_value}".' \ + f' Interface "{eth_conf["ifname"]}" is a bond member.' \ + f' Option is inherited from bond "{bond_name}"') + dict_set(option_path, bond_option_value, eth_conf) + continue + # if ethernet has option and bond interface does not have + # then delete it form dict and do not apply it + else: + if is_node_changed(conf, eth_path_base + option_path.split('.')): + Warning( + f'Cannot apply "{option_path.replace(".", " ")}".' \ + f' Interface "{eth_conf["ifname"]}" is a bond member.' \ + f' Option is inherited from bond "{bond_name}"') + dict_delete(option_path, eth_conf) + blocked_list.append(option_path) + + # if inherited option is not configured under ethernet section but configured under bond section + for option_path in BondIf.get_inherit_bond_options(): + bond_option_value = dict_search(option_path, bond_config_with_defaults) + if bond_option_value is not None: + if option_path not in eth_dict_paths: + if is_node_changed(conf, eth_path_base + option_path.split('.')): + Warning( + f'Cannot apply "{option_path.replace(".", " ")}" to "{dict_search(option_path, config_with_defaults)}".' \ + f' Interface "{eth_conf["ifname"]}" is a bond member. ' \ + f'Option is inherited from bond "{bond_name}"') + dict_set(option_path, bond_option_value, eth_conf) + eth_conf['bond_blocked_changes'] = blocked_list + return None + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + + # This must be called prior to get_interface_dict(), as this function will + # alter the config level (config.set_level()) + pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + base = ['interfaces', 'ethernet'] + ifname, ethernet = get_interface_dict(conf, base) + if 'is_bond_member' in ethernet: + update_bond_options(conf, ethernet) + + if 'deleted' not in ethernet: + if pki: ethernet['pki'] = pki + + tmp = is_node_changed(conf, base + [ifname, 'speed']) + if tmp: ethernet.update({'speed_duplex_changed': {}}) + + tmp = is_node_changed(conf, base + [ifname, 'duplex']) + if tmp: ethernet.update({'speed_duplex_changed': {}}) + + return ethernet + + + +def verify_speed_duplex(ethernet: dict, ethtool: Ethtool): + """ + Verify speed and duplex + :param ethernet: dictionary which is received from get_interface_dict + :type ethernet: dict + :param ethtool: Ethernet object + :type ethtool: Ethtool + """ + if ((ethernet['speed'] == 'auto' and ethernet['duplex'] != 'auto') or + (ethernet['speed'] != 'auto' and ethernet['duplex'] == 'auto')): + raise ConfigError( + 'Speed/Duplex missmatch. Must be both auto or manually configured') + + if ethernet['speed'] != 'auto' and ethernet['duplex'] != 'auto': + # We need to verify if the requested speed and duplex setting is + # supported by the underlaying NIC. + speed = ethernet['speed'] + duplex = ethernet['duplex'] + if not ethtool.check_speed_duplex(speed, duplex): + raise ConfigError( + f'Adapter does not support changing speed ' \ + f'and duplex settings to: {speed}/{duplex}!') + + +def verify_flow_control(ethernet: dict, ethtool: Ethtool): + """ + Verify flow control + :param ethernet: dictionary which is received from get_interface_dict + :type ethernet: dict + :param ethtool: Ethernet object + :type ethtool: Ethtool + """ + if 'disable_flow_control' in ethernet: + if not ethtool.check_flow_control(): + raise ConfigError( + 'Adapter does not support changing flow-control settings!') + + +def verify_ring_buffer(ethernet: dict, ethtool: Ethtool): + """ + Verify ring buffer + :param ethernet: dictionary which is received from get_interface_dict + :type ethernet: dict + :param ethtool: Ethernet object + :type ethtool: Ethtool + """ + if 'ring_buffer' in ethernet: + max_rx = ethtool.get_ring_buffer_max('rx') + if not max_rx: + raise ConfigError( + 'Driver does not support RX ring-buffer configuration!') + + max_tx = ethtool.get_ring_buffer_max('tx') + if not max_tx: + raise ConfigError( + 'Driver does not support TX ring-buffer configuration!') + + rx = dict_search('ring_buffer.rx', ethernet) + if rx and int(rx) > int(max_rx): + raise ConfigError(f'Driver only supports a maximum RX ring-buffer ' \ + f'size of "{max_rx}" bytes!') + + tx = dict_search('ring_buffer.tx', ethernet) + if tx and int(tx) > int(max_tx): + raise ConfigError(f'Driver only supports a maximum TX ring-buffer ' \ + f'size of "{max_tx}" bytes!') + + +def verify_offload(ethernet: dict, ethtool: Ethtool): + """ + Verify offloading capabilities + :param ethernet: dictionary which is received from get_interface_dict + :type ethernet: dict + :param ethtool: Ethernet object + :type ethtool: Ethtool + """ + if dict_search('offload.rps', ethernet) != None: + if not os.path.exists(f'/sys/class/net/{ethernet["ifname"]}/queues/rx-0/rps_cpus'): + raise ConfigError('Interface does not suport RPS!') + driver = ethtool.get_driver_name() + # T3342 - Xen driver requires special treatment + if driver == 'vif': + if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None: + raise ConfigError('Xen netback drivers requires scatter-gatter offloading '\ + 'for MTU size larger then 1500 bytes') + + +def verify_allowedbond_changes(ethernet: dict): + """ + Verify changed options if interface is in bonding + :param ethernet: dictionary which is received from get_interface_dict + :type ethernet: dict + """ + if 'bond_blocked_changes' in ethernet: + for option in ethernet['bond_blocked_changes']: + raise ConfigError(f'Cannot configure "{option.replace(".", " ")}"' \ + f' on interface "{ethernet["ifname"]}".' \ + f' Interface is a bond member') + + +def verify(ethernet): + if 'deleted' in ethernet: + return None + if 'is_bond_member' in ethernet: + verify_bond_member(ethernet) + else: + verify_ethernet(ethernet) + + +def verify_bond_member(ethernet): + """ + Verification function for ethernet interface which is in bonding + :param ethernet: dictionary which is received from get_interface_dict + :type ethernet: dict + """ + ifname = ethernet['ifname'] + verify_interface_exists(ifname) + verify_eapol(ethernet) + verify_mirror_redirect(ethernet) + ethtool = Ethtool(ifname) + verify_speed_duplex(ethernet, ethtool) + verify_flow_control(ethernet, ethtool) + verify_ring_buffer(ethernet, ethtool) + verify_offload(ethernet, ethtool) + verify_allowedbond_changes(ethernet) + +def verify_ethernet(ethernet): + """ + Verification function for simple ethernet interface + :param ethernet: dictionary which is received from get_interface_dict + :type ethernet: dict + """ + ifname = ethernet['ifname'] + verify_interface_exists(ifname) + verify_mtu(ethernet) + verify_mtu_ipv6(ethernet) + verify_dhcpv6(ethernet) + verify_address(ethernet) + verify_vrf(ethernet) + verify_bond_bridge_member(ethernet) + verify_eapol(ethernet) + verify_mirror_redirect(ethernet) + ethtool = Ethtool(ifname) + # No need to check speed and duplex keys as both have default values. + verify_speed_duplex(ethernet, ethtool) + verify_flow_control(ethernet, ethtool) + verify_ring_buffer(ethernet, ethtool) + verify_offload(ethernet, ethtool) + # use common function to verify VLAN configuration + verify_vlan_config(ethernet) + return None + + +def generate(ethernet): + # render real configuration file once + wpa_supplicant_conf = wpa_suppl_conf.format(**ethernet) + + if 'deleted' in ethernet: + # delete configuration on interface removal + if os.path.isfile(wpa_supplicant_conf): + os.unlink(wpa_supplicant_conf) + return None + + if 'eapol' in ethernet: + ifname = ethernet['ifname'] + + render(wpa_supplicant_conf, 'ethernet/wpa_supplicant.conf.j2', ethernet) + + cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem') + cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key') + + cert_name = ethernet['eapol']['certificate'] + pki_cert = ethernet['pki']['certificate'][cert_name] + + loaded_pki_cert = load_certificate(pki_cert['certificate']) + loaded_ca_certs = {load_certificate(c['certificate']) + for c in ethernet['pki']['ca'].values()} if 'ca' in ethernet['pki'] else {} + + cert_full_chain = find_chain(loaded_pki_cert, loaded_ca_certs) + + write_file(cert_file_path, + '\n'.join(encode_certificate(c) for c in cert_full_chain)) + write_file(cert_key_path, wrap_private_key(pki_cert['private']['key'])) + + if 'ca_certificate' in ethernet['eapol']: + ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem') + ca_chains = [] + + for ca_cert_name in ethernet['eapol']['ca_certificate']: + pki_ca_cert = ethernet['pki']['ca'][ca_cert_name] + loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) + ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) + ca_chains.append( + '\n'.join(encode_certificate(c) for c in ca_full_chain)) + + write_file(ca_cert_file_path, '\n'.join(ca_chains)) + + return None + +def apply(ethernet): + ifname = ethernet['ifname'] + # take care about EAPoL supplicant daemon + eapol_action='stop' + + e = EthernetIf(ifname) + if 'deleted' in ethernet: + # delete interface + e.remove() + else: + e.update(ethernet) + if 'eapol' in ethernet: + eapol_action='reload-or-restart' + + call(f'systemctl {eapol_action} wpa_supplicant-wired@{ifname}') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_geneve.py b/src/conf_mode/interfaces_geneve.py new file mode 100755 index 000000000..f6694ddde --- /dev/null +++ b/src/conf_mode/interfaces_geneve.py @@ -0,0 +1,102 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit +from netifaces import interfaces + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configverify import verify_address +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import GeneveIf +from vyos import ConfigError + +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'geneve'] + ifname, geneve = get_interface_dict(conf, base) + + # GENEVE interfaces are picky and require recreation if certain parameters + # change. But a GENEVE interface should - of course - not be re-created if + # it's description or IP address is adjusted. Feels somehow logic doesn't it? + for cli_option in ['remote', 'vni', 'parameters']: + if is_node_changed(conf, base + [ifname, cli_option]): + geneve.update({'rebuild_required': {}}) + + return geneve + +def verify(geneve): + if 'deleted' in geneve: + verify_bridge_delete(geneve) + return None + + verify_mtu_ipv6(geneve) + verify_address(geneve) + verify_bond_bridge_member(geneve) + verify_mirror_redirect(geneve) + + if 'remote' not in geneve: + raise ConfigError('Remote side must be configured') + + if 'vni' not in geneve: + raise ConfigError('VNI must be configured') + + return None + + +def generate(geneve): + return None + +def apply(geneve): + # Check if GENEVE interface already exists + if 'rebuild_required' in geneve or 'delete' in geneve: + if geneve['ifname'] in interfaces(): + g = GeneveIf(geneve['ifname']) + # GENEVE is super picky and the tunnel always needs to be recreated, + # thus we can simply always delete it first. + g.remove() + + if 'deleted' not in geneve: + # Finally create the new interface + g = GeneveIf(**geneve) + g.update(geneve) + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_input.py b/src/conf_mode/interfaces_input.py new file mode 100755 index 000000000..ad248843d --- /dev/null +++ b/src/conf_mode/interfaces_input.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_mirror_redirect +from vyos.ifconfig import InputIf +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at + least the interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'input'] + _, ifb = get_interface_dict(conf, base) + + return ifb + +def verify(ifb): + if 'deleted' in ifb: + return None + + verify_mirror_redirect(ifb) + return None + +def generate(ifb): + return None + +def apply(ifb): + d = InputIf(ifb['ifname']) + + # Remove input interface + if 'deleted' in ifb: + d.remove() + else: + d.update(ifb) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_l2tpv3.py b/src/conf_mode/interfaces_l2tpv3.py new file mode 100755 index 000000000..e1db3206e --- /dev/null +++ b/src/conf_mode/interfaces_l2tpv3.py @@ -0,0 +1,112 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from netifaces import interfaces + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import leaf_node_changed +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import L2TPv3If +from vyos.utils.kernel import check_kmod +from vyos.utils.network import is_addr_assigned +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +k_mod = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'l2tpv3'] + ifname, l2tpv3 = get_interface_dict(conf, base) + + # To delete an l2tpv3 interface we need the current tunnel and session-id + if 'deleted' in l2tpv3: + tmp = leaf_node_changed(conf, base + [ifname, 'tunnel-id']) + # leaf_node_changed() returns a list + l2tpv3.update({'tunnel_id': tmp[0]}) + + tmp = leaf_node_changed(conf, base + [ifname, 'session-id']) + l2tpv3.update({'session_id': tmp[0]}) + + return l2tpv3 + +def verify(l2tpv3): + if 'deleted' in l2tpv3: + verify_bridge_delete(l2tpv3) + return None + + interface = l2tpv3['ifname'] + + for key in ['source_address', 'remote', 'tunnel_id', 'peer_tunnel_id', + 'session_id', 'peer_session_id']: + if key not in l2tpv3: + tmp = key.replace('_', '-') + raise ConfigError(f'Missing mandatory L2TPv3 option: "{tmp}"!') + + if not is_addr_assigned(l2tpv3['source_address']): + raise ConfigError('L2TPv3 source-address address "{source_address}" ' + 'not configured on any interface!'.format(**l2tpv3)) + + verify_mtu_ipv6(l2tpv3) + verify_address(l2tpv3) + verify_bond_bridge_member(l2tpv3) + verify_mirror_redirect(l2tpv3) + return None + +def generate(l2tpv3): + return None + +def apply(l2tpv3): + # Check if L2TPv3 interface already exists + if l2tpv3['ifname'] in interfaces(): + # L2TPv3 is picky when changing tunnels/sessions, thus we can simply + # always delete it first. + l = L2TPv3If(**l2tpv3) + l.remove() + + if 'deleted' not in l2tpv3: + # Finally create the new interface + l = L2TPv3If(**l2tpv3) + l.update(l2tpv3) + + return None + +if __name__ == '__main__': + try: + check_kmod(k_mod) + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_loopback.py b/src/conf_mode/interfaces_loopback.py new file mode 100755 index 000000000..08d34477a --- /dev/null +++ b/src/conf_mode/interfaces_loopback.py @@ -0,0 +1,66 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_mirror_redirect +from vyos.ifconfig import LoopbackIf +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'loopback'] + _, loopback = get_interface_dict(conf, base) + return loopback + +def verify(loopback): + verify_mirror_redirect(loopback) + return None + +def generate(loopback): + return None + +def apply(loopback): + l = LoopbackIf(**loopback) + if 'deleted' in loopback: + l.remove() + else: + l.update(loopback) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_macsec.py b/src/conf_mode/interfaces_macsec.py new file mode 100755 index 000000000..0a927ac88 --- /dev/null +++ b/src/conf_mode/interfaces_macsec.py @@ -0,0 +1,207 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from netifaces import interfaces +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configdict import is_source_interface +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import MACsecIf +from vyos.ifconfig import Interface +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.dict import dict_search +from vyos.utils.process import is_systemd_service_running +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +# XXX: wpa_supplicant works on the source interface +wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf' + +# Constants +## gcm-aes-128 requires a 128bit long key - 32 characters (string) = 16byte = 128bit +GCM_AES_128_LEN: int = 32 +GCM_128_KEY_ERROR = 'gcm-aes-128 requires a 128bit long key!' +## gcm-aes-256 requires a 256bit long key - 64 characters (string) = 32byte = 256bit +GCM_AES_256_LEN: int = 64 +GCM_256_KEY_ERROR = 'gcm-aes-256 requires a 256bit long key!' + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'macsec'] + ifname, macsec = get_interface_dict(conf, base) + + # Check if interface has been removed + if 'deleted' in macsec: + source_interface = conf.return_effective_value(base + [ifname, 'source-interface']) + macsec.update({'source_interface': source_interface}) + + if is_node_changed(conf, base + [ifname, 'security']): + macsec.update({'shutdown_required': {}}) + + if is_node_changed(conf, base + [ifname, 'source_interface']): + macsec.update({'shutdown_required': {}}) + + if 'source_interface' in macsec: + tmp = is_source_interface(conf, macsec['source_interface'], ['macsec', 'pseudo-ethernet']) + if tmp and tmp != ifname: macsec.update({'is_source_interface' : tmp}) + + return macsec + + +def verify(macsec): + if 'deleted' in macsec: + verify_bridge_delete(macsec) + return None + + verify_source_interface(macsec) + verify_vrf(macsec) + verify_mtu_ipv6(macsec) + verify_address(macsec) + verify_bond_bridge_member(macsec) + verify_mirror_redirect(macsec) + + if dict_search('security.cipher', macsec) == None: + raise ConfigError('Cipher suite must be set for MACsec "{ifname}"'.format(**macsec)) + + if dict_search('security.encrypt', macsec) != None: + # Check that only static or MKA config is present + if dict_search('security.static', macsec) != None and (dict_search('security.mka.cak', macsec) != None or dict_search('security.mka.ckn', macsec) != None): + raise ConfigError('Only static or MKA can be used!') + + # Logic to check static configuration + if dict_search('security.static', macsec) != None: + # tx-key must be defined + if dict_search('security.static.key', macsec) == None: + raise ConfigError('Static MACsec tx-key must be defined.') + + tx_len = len(dict_search('security.static.key', macsec)) + + if dict_search('security.cipher', macsec) == 'gcm-aes-128' and tx_len != GCM_AES_128_LEN: + raise ConfigError(GCM_128_KEY_ERROR) + + if dict_search('security.cipher', macsec) == 'gcm-aes-256' and tx_len != GCM_AES_256_LEN: + raise ConfigError(GCM_256_KEY_ERROR) + + # Make sure at least one peer is defined + if 'peer' not in macsec['security']['static']: + raise ConfigError('Must have at least one peer defined for static MACsec') + + # For every enabled peer, make sure a MAC and rx-key is defined + for peer, peer_config in macsec['security']['static']['peer'].items(): + if 'disable' not in peer_config and ('mac' not in peer_config or 'key' not in peer_config): + raise ConfigError('Every enabled MACsec static peer must have a MAC address and rx-key defined.') + + # check rx-key length against cipher suite + rx_len = len(peer_config['key']) + + if dict_search('security.cipher', macsec) == 'gcm-aes-128' and rx_len != GCM_AES_128_LEN: + raise ConfigError(GCM_128_KEY_ERROR) + + if dict_search('security.cipher', macsec) == 'gcm-aes-256' and rx_len != GCM_AES_256_LEN: + raise ConfigError(GCM_256_KEY_ERROR) + + # Logic to check MKA configuration + else: + if dict_search('security.mka.cak', macsec) == None or dict_search('security.mka.ckn', macsec) == None: + raise ConfigError('Missing mandatory MACsec security keys as encryption is enabled!') + + cak_len = len(dict_search('security.mka.cak', macsec)) + + if dict_search('security.cipher', macsec) == 'gcm-aes-128' and cak_len != GCM_AES_128_LEN: + raise ConfigError(GCM_128_KEY_ERROR) + + elif dict_search('security.cipher', macsec) == 'gcm-aes-256' and cak_len != GCM_AES_256_LEN: + raise ConfigError(GCM_256_KEY_ERROR) + + if 'source_interface' in macsec: + # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad + # and 802.1q) - we need to check the underlaying MTU if our configured + # MTU is at least 40 bytes less then the MTU of our physical interface. + lower_mtu = Interface(macsec['source_interface']).get_mtu() + if lower_mtu < (int(macsec['mtu']) + 40): + raise ConfigError('MACsec overhead does not fit into underlaying device MTU,\n' \ + f'{lower_mtu} bytes is too small!') + + return None + + +def generate(macsec): + # Only generate wpa_supplicant config if using MKA + if dict_search('security.mka.cak', macsec): + render(wpa_suppl_conf.format(**macsec), 'macsec/wpa_supplicant.conf.j2', macsec) + return None + + +def apply(macsec): + systemd_service = 'wpa_supplicant-macsec@{source_interface}'.format(**macsec) + + # Remove macsec interface on deletion or mandatory parameter change + if 'deleted' in macsec or 'shutdown_required' in macsec: + call(f'systemctl stop {systemd_service}') + + if macsec['ifname'] in interfaces(): + tmp = MACsecIf(macsec['ifname']) + tmp.remove() + + if 'deleted' in macsec: + # delete configuration on interface removal + if os.path.isfile(wpa_suppl_conf.format(**macsec)): + os.unlink(wpa_suppl_conf.format(**macsec)) + + return None + + # It is safe to "re-create" the interface always, there is a sanity + # check that the interface will only be create if its non existent + i = MACsecIf(**macsec) + i.update(macsec) + + # Only reload/restart if using MKA + if dict_search('security.mka.cak', macsec): + if not is_systemd_service_running(systemd_service) or 'shutdown_required' in macsec: + call(f'systemctl reload-or-restart {systemd_service}') + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_openvpn.py b/src/conf_mode/interfaces_openvpn.py new file mode 100755 index 000000000..bdeb44837 --- /dev/null +++ b/src/conf_mode/interfaces_openvpn.py @@ -0,0 +1,732 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import re +import tempfile + +from cryptography.hazmat.primitives.asymmetric import ec +from glob import glob +from sys import exit +from ipaddress import IPv4Address +from ipaddress import IPv4Network +from ipaddress import IPv6Address +from ipaddress import IPv6Network +from ipaddress import summarize_address_range +from netifaces import interfaces +from secrets import SystemRandom +from shutil import rmtree + +from vyos.base import DeprecationWarning +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import VTunIf +from vyos.pki import load_dh_parameters +from vyos.pki import load_private_key +from vyos.pki import sort_ca_chain +from vyos.pki import verify_ca_chain +from vyos.pki import wrap_certificate +from vyos.pki import wrap_crl +from vyos.pki import wrap_dh_parameters +from vyos.pki import wrap_openvpn_key +from vyos.pki import wrap_private_key +from vyos.template import render +from vyos.template import is_ipv4 +from vyos.template import is_ipv6 +from vyos.utils.dict import dict_search +from vyos.utils.dict import dict_search_args +from vyos.utils.list import is_list_equal +from vyos.utils.file import makedir +from vyos.utils.file import read_file +from vyos.utils.file import write_file +from vyos.utils.kernel import check_kmod +from vyos.utils.kernel import unload_kmod +from vyos.utils.process import call +from vyos.utils.permission import chown +from vyos.utils.process import cmd +from vyos.utils.network import is_addr_assigned + +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +user = 'openvpn' +group = 'openvpn' + +cfg_dir = '/run/openvpn' +cfg_file = '/run/openvpn/{ifname}.conf' +otp_path = '/config/auth/openvpn' +otp_file = '/config/auth/openvpn/{ifname}-otp-secrets' +secret_chars = list('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567') +service_file = '/run/systemd/system/openvpn@{ifname}.service.d/20-override.conf' + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'openvpn'] + + ifname, openvpn = get_interface_dict(conf, base) + openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn) + + if 'deleted' in openvpn: + return openvpn + + openvpn['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + if is_node_changed(conf, base + [ifname, 'openvpn-option']): + openvpn.update({'restart_required': {}}) + if is_node_changed(conf, base + [ifname, 'enable-dco']): + openvpn.update({'restart_required': {}}) + + # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' + # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. + tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True) + + # We have to cleanup the config dict, as default values could enable features + # which are not explicitly enabled on the CLI. Example: server mfa totp + # originate comes with defaults, which will enable the + # totp plugin, even when not set via CLI so we + # need to check this first and drop those keys + if dict_search('server.mfa.totp', tmp) == None: + del openvpn['server']['mfa'] + + # OpenVPN Data-Channel-Offload (DCO) is a Kernel module. If loaded it applies to all + # OpenVPN interfaces. Check if DCO is used by any other interface instance. + tmp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + for interface, interface_config in tmp.items(): + # If one interface has DCO configured, enable it. No need to further check + # all other OpenVPN interfaces. We must use a dedicated key to indicate + # the Kernel module must be loaded or not. The per interface "offload.dco" + # key is required per OpenVPN interface instance. + if dict_search('offload.dco', interface_config) != None: + openvpn['module_load_dco'] = {} + break + + return openvpn + +def is_ec_private_key(pki, cert_name): + if not pki or 'certificate' not in pki: + return False + if cert_name not in pki['certificate']: + return False + + pki_cert = pki['certificate'][cert_name] + if 'private' not in pki_cert or 'key' not in pki_cert['private']: + return False + + key = load_private_key(pki_cert['private']['key']) + return isinstance(key, ec.EllipticCurvePrivateKey) + +def verify_pki(openvpn): + pki = openvpn['pki'] + interface = openvpn['ifname'] + mode = openvpn['mode'] + shared_secret_key = dict_search_args(openvpn, 'shared_secret_key') + tls = dict_search_args(openvpn, 'tls') + + if not bool(shared_secret_key) ^ bool(tls): # xor check if only one is set + raise ConfigError('Must specify only one of "shared-secret-key" and "tls"') + + if mode in ['server', 'client'] and not tls: + raise ConfigError('Must specify "tls" for server and client modes') + + if not pki: + raise ConfigError('PKI is not configured') + + if shared_secret_key: + if not dict_search_args(pki, 'openvpn', 'shared_secret'): + raise ConfigError('There are no openvpn shared-secrets in PKI configuration') + + if shared_secret_key not in pki['openvpn']['shared_secret']: + raise ConfigError(f'Invalid shared-secret on openvpn interface {interface}') + + # If PSK settings are correct, warn about its deprecation + DeprecationWarning("OpenVPN shared-secret support will be removed in future VyOS versions.\n\ + Please migrate your site-to-site tunnels to TLS.\n\ + You can use self-signed certificates with peer fingerprint verification, consult the documentation for details.") + + if tls: + if (mode in ['server', 'client']) and ('ca_certificate' not in tls): + raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface},\ + it is required in server and client modes') + else: + if ('ca_certificate' not in tls) and ('peer_fingerprint' not in tls): + raise ConfigError('Either "tls ca-certificate" or "tls peer-fingerprint" is required\ + on openvpn interface {interface} in site-to-site mode') + + if 'ca_certificate' in tls: + for ca_name in tls['ca_certificate']: + if ca_name not in pki['ca']: + raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}') + + if len(tls['ca_certificate']) > 1: + sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca']) + if not verify_ca_chain(sorted_chain, pki['ca']): + raise ConfigError(f'CA certificates are not a valid chain') + + if mode != 'client' and 'auth_key' not in tls: + if 'certificate' not in tls: + raise ConfigError(f'Missing "tls certificate" on openvpn interface {interface}') + + if 'certificate' in tls: + if tls['certificate'] not in pki['certificate']: + raise ConfigError(f'Invalid certificate on openvpn interface {interface}') + + if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected') is not None: + raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}') + + if 'dh_params' in tls: + pki_dh = pki['dh'][tls['dh_params']] + dh_params = load_dh_parameters(pki_dh['parameters']) + dh_numbers = dh_params.parameter_numbers() + dh_bits = dh_numbers.p.bit_length() + + if dh_bits < 2048: + raise ConfigError(f'Minimum DH key-size is 2048 bits') + + + if 'auth_key' in tls or 'crypt_key' in tls: + if not dict_search_args(pki, 'openvpn', 'shared_secret'): + raise ConfigError('There are no openvpn shared-secrets in PKI configuration') + + if 'auth_key' in tls: + if tls['auth_key'] not in pki['openvpn']['shared_secret']: + raise ConfigError(f'Invalid auth-key on openvpn interface {interface}') + + if 'crypt_key' in tls: + if tls['crypt_key'] not in pki['openvpn']['shared_secret']: + raise ConfigError(f'Invalid crypt-key on openvpn interface {interface}') + +def verify(openvpn): + if 'deleted' in openvpn: + # remove totp secrets file if totp is not configured + if os.path.isfile(otp_file.format(**openvpn)): + os.remove(otp_file.format(**openvpn)) + + verify_bridge_delete(openvpn) + return None + + if 'mode' not in openvpn: + raise ConfigError('Must specify OpenVPN operation mode!') + + # + # OpenVPN client mode - VERIFY + # + if openvpn['mode'] == 'client': + if 'local_port' in openvpn: + raise ConfigError('Cannot specify "local-port" in client mode') + + if 'local_host' in openvpn: + raise ConfigError('Cannot specify "local-host" in client mode') + + if 'remote_host' not in openvpn: + raise ConfigError('Must specify "remote-host" in client mode') + + if openvpn['protocol'] == 'tcp-passive': + raise ConfigError('Protocol "tcp-passive" is not valid in client mode') + + if dict_search('tls.dh_params', openvpn): + raise ConfigError('Cannot specify "tls dh-params" in client mode') + + # + # OpenVPN site-to-site - VERIFY + # + elif openvpn['mode'] == 'site-to-site': + if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn: + raise ConfigError('Must specify "local-address" or add interface to bridge') + + if 'local_address' in openvpn: + if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1: + raise ConfigError('Only one IPv4 local-address can be specified') + + if len([addr for addr in openvpn['local_address'] if is_ipv6(addr)]) > 1: + raise ConfigError('Only one IPv6 local-address can be specified') + + if openvpn['device_type'] == 'tun': + if 'remote_address' not in openvpn: + raise ConfigError('Must specify "remote-address"') + + if 'remote_address' in openvpn: + if len([addr for addr in openvpn['remote_address'] if is_ipv4(addr)]) > 1: + raise ConfigError('Only one IPv4 remote-address can be specified') + + if len([addr for addr in openvpn['remote_address'] if is_ipv6(addr)]) > 1: + raise ConfigError('Only one IPv6 remote-address can be specified') + + if not 'local_address' in openvpn: + raise ConfigError('"remote-address" requires "local-address"') + + v4loAddr = [addr for addr in openvpn['local_address'] if is_ipv4(addr)] + v4remAddr = [addr for addr in openvpn['remote_address'] if is_ipv4(addr)] + if v4loAddr and not v4remAddr: + raise ConfigError('IPv4 "local-address" requires IPv4 "remote-address"') + elif v4remAddr and not v4loAddr: + raise ConfigError('IPv4 "remote-address" requires IPv4 "local-address"') + + v6remAddr = [addr for addr in openvpn['remote_address'] if is_ipv6(addr)] + v6loAddr = [addr for addr in openvpn['local_address'] if is_ipv6(addr)] + if v6loAddr and not v6remAddr: + raise ConfigError('IPv6 "local-address" requires IPv6 "remote-address"') + elif v6remAddr and not v6loAddr: + raise ConfigError('IPv6 "remote-address" requires IPv6 "local-address"') + + if is_list_equal(v4loAddr, v4remAddr) or is_list_equal(v6loAddr, v6remAddr): + raise ConfigError('"local-address" and "remote-address" cannot be the same') + + if dict_search('local_host', openvpn) in dict_search('local_address', openvpn): + raise ConfigError('"local-address" cannot be the same as "local-host"') + + if dict_search('remote_host', openvpn) in dict_search('remote_address', openvpn): + raise ConfigError('"remote-address" and "remote-host" can not be the same') + + if openvpn['device_type'] == 'tap' and 'local_address' in openvpn: + # we can only have one local_address, this is ensured above + v4addr = None + for laddr in openvpn['local_address']: + if is_ipv4(laddr): + v4addr = laddr + break + + if v4addr in openvpn['local_address'] and 'subnet_mask' not in openvpn['local_address'][v4addr]: + raise ConfigError('Must specify IPv4 "subnet-mask" for local-address') + + if dict_search('encryption.ncp_ciphers', openvpn): + raise ConfigError('NCP ciphers can only be used in client or server mode') + + else: + # checks for client-server or site-to-site bridged + if 'local_address' in openvpn or 'remote_address' in openvpn: + raise ConfigError('Cannot specify "local-address" or "remote-address" ' \ + 'in client/server or bridge mode') + + # + # OpenVPN server mode - VERIFY + # + if openvpn['mode'] == 'server': + if openvpn['protocol'] == 'tcp-active': + raise ConfigError('Protocol "tcp-active" is not valid in server mode') + + if dict_search('authentication.username', openvpn) or dict_search('authentication.password', openvpn): + raise ConfigError('Cannot specify "authentication" in server mode') + + if 'remote_port' in openvpn: + raise ConfigError('Cannot specify "remote-port" in server mode') + + if 'remote_host' in openvpn: + raise ConfigError('Cannot specify "remote-host" in server mode') + + tmp = dict_search('server.subnet', openvpn) + if tmp: + v4_subnets = len([subnet for subnet in tmp if is_ipv4(subnet)]) + v6_subnets = len([subnet for subnet in tmp if is_ipv6(subnet)]) + if v4_subnets > 1: + raise ConfigError('Cannot specify more than 1 IPv4 server subnet') + if v6_subnets > 1: + raise ConfigError('Cannot specify more than 1 IPv6 server subnet') + + for subnet in tmp: + if is_ipv4(subnet): + subnet = IPv4Network(subnet) + + if openvpn['device_type'] == 'tun' and subnet.prefixlen > 29: + raise ConfigError('Server subnets smaller than /29 with device type "tun" are not supported') + elif openvpn['device_type'] == 'tap' and subnet.prefixlen > 30: + raise ConfigError('Server subnets smaller than /30 with device type "tap" are not supported') + + for client in (dict_search('client', openvpn) or []): + if client['ip'] and not IPv4Address(client['ip'][0]) in subnet: + raise ConfigError(f'Client "{client["name"]}" IP {client["ip"][0]} not in server subnet {subnet}') + + else: + if 'is_bridge_member' not in openvpn: + raise ConfigError('Must specify "server subnet" or add interface to bridge in server mode') + + if hasattr(dict_search('server.client', openvpn), '__iter__'): + for client_k, client_v in dict_search('server.client', openvpn).items(): + if (client_v.get('ip') and len(client_v['ip']) > 1) or (client_v.get('ipv6_ip') and len(client_v['ipv6_ip']) > 1): + raise ConfigError(f'Server client "{client_k}": cannot specify more than 1 IPv4 and 1 IPv6 IP') + + if dict_search('server.client_ip_pool', openvpn): + if not (dict_search('server.client_ip_pool.start', openvpn) and dict_search('server.client_ip_pool.stop', openvpn)): + raise ConfigError('Server client-ip-pool requires both start and stop addresses') + else: + v4PoolStart = IPv4Address(dict_search('server.client_ip_pool.start', openvpn)) + v4PoolStop = IPv4Address(dict_search('server.client_ip_pool.stop', openvpn)) + if v4PoolStart > v4PoolStop: + raise ConfigError(f'Server client-ip-pool start address {v4PoolStart} is larger than stop address {v4PoolStop}') + + v4PoolSize = int(v4PoolStop) - int(v4PoolStart) + if v4PoolSize >= 65536: + raise ConfigError(f'Server client-ip-pool is too large [{v4PoolStart} -> {v4PoolStop} = {v4PoolSize}], maximum is 65536 addresses.') + + v4PoolNets = list(summarize_address_range(v4PoolStart, v4PoolStop)) + for client in (dict_search('client', openvpn) or []): + if client['ip']: + for v4PoolNet in v4PoolNets: + if IPv4Address(client['ip'][0]) in v4PoolNet: + print(f'Warning: Client "{client["name"]}" IP {client["ip"][0]} is in server IP pool, it is not reserved for this client.') + # configuring a client_ip_pool will set 'server ... nopool' which is currently incompatible with 'server-ipv6' (probably to be fixed upstream) + for subnet in (dict_search('server.subnet', openvpn) or []): + if is_ipv6(subnet): + raise ConfigError(f'Setting client-ip-pool is incompatible having an IPv6 server subnet.') + + for subnet in (dict_search('server.subnet', openvpn) or []): + if is_ipv6(subnet): + tmp = dict_search('client_ipv6_pool.base', openvpn) + if tmp: + if not dict_search('server.client_ip_pool', openvpn): + raise ConfigError('IPv6 server pool requires an IPv4 server pool') + + if int(tmp.split('/')[1]) >= 112: + raise ConfigError('IPv6 server pool must be larger than /112') + + # + # todo - weird logic + # + v6PoolStart = IPv6Address(tmp) + v6PoolStop = IPv6Network((v6PoolStart, openvpn['server_ipv6_pool_prefixlen']), strict=False)[-1] # don't remove the parentheses, it's a 2-tuple + v6PoolSize = int(v6PoolStop) - int(v6PoolStart) if int(openvpn['server_ipv6_pool_prefixlen']) > 96 else 65536 + if v6PoolSize < v4PoolSize: + raise ConfigError(f'IPv6 server pool must be at least as large as the IPv4 pool (current sizes: IPv6={v6PoolSize} IPv4={v4PoolSize})') + + v6PoolNets = list(summarize_address_range(v6PoolStart, v6PoolStop)) + for client in (dict_search('client', openvpn) or []): + if client['ipv6_ip']: + for v6PoolNet in v6PoolNets: + if IPv6Address(client['ipv6_ip'][0]) in v6PoolNet: + print(f'Warning: Client "{client["name"]}" IP {client["ipv6_ip"][0]} is in server IP pool, it is not reserved for this client.') + + # add mfa users to the file the mfa plugin uses + if dict_search('server.mfa.totp', openvpn): + user_data = '' + if not os.path.isfile(otp_file.format(**openvpn)): + write_file(otp_file.format(**openvpn), user_data, + user=user, group=group, mode=0o644) + + ovpn_users = read_file(otp_file.format(**openvpn)) + for client in (dict_search('server.client', openvpn) or []): + exists = None + for ovpn_user in ovpn_users.split('\n'): + if re.search('^' + client + ' ', ovpn_user): + user_data += f'{ovpn_user}\n' + exists = 'true' + + if not exists: + random = SystemRandom() + totp_secret = ''.join(random.choice(secret_chars) for _ in range(16)) + user_data += f'{client} otp totp:sha1:base32:{totp_secret}::xxx *\n' + + write_file(otp_file.format(**openvpn), user_data, + user=user, group=group, mode=0o644) + + else: + # checks for both client and site-to-site go here + if dict_search('server.reject_unconfigured_clients', openvpn): + raise ConfigError('Option reject-unconfigured-clients only supported in server mode') + + if 'replace_default_route' in openvpn and 'remote_host' not in openvpn: + raise ConfigError('Cannot set "replace-default-route" without "remote-host"') + + # + # OpenVPN common verification section + # not depending on any operation mode + # + + # verify specified IP address is present on any interface on this system + if 'local_host' in openvpn: + if not is_addr_assigned(openvpn['local_host']): + print('local-host IP address "{local_host}" not assigned' \ + ' to any interface'.format(**openvpn)) + + # TCP active + if openvpn['protocol'] == 'tcp-active': + if 'local_port' in openvpn: + raise ConfigError('Cannot specify "local-port" with "tcp-active"') + + if 'remote_host' not in openvpn: + raise ConfigError('Must specify "remote-host" with "tcp-active"') + + # + # TLS/encryption + # + if 'shared_secret_key' in openvpn: + if dict_search('encryption.cipher', openvpn) in ['aes128gcm', 'aes192gcm', 'aes256gcm']: + raise ConfigError('GCM encryption with shared-secret-key not supported') + + if 'tls' in openvpn: + if {'auth_key', 'crypt_key'} <= set(openvpn['tls']): + raise ConfigError('TLS auth and crypt keys are mutually exclusive') + + tmp = dict_search('tls.role', openvpn) + if tmp: + if openvpn['mode'] in ['client', 'server']: + if not dict_search('tls.auth_key', openvpn): + raise ConfigError('Cannot specify "tls role" in client-server mode') + + if tmp == 'active': + if openvpn['protocol'] == 'tcp-passive': + raise ConfigError('Cannot specify "tcp-passive" when "tls role" is "active"') + + if dict_search('tls.dh_params', openvpn): + raise ConfigError('Cannot specify "tls dh-params" when "tls role" is "active"') + + elif tmp == 'passive': + if openvpn['protocol'] == 'tcp-active': + raise ConfigError('Cannot specify "tcp-active" when "tls role" is "passive"') + + if 'certificate' in openvpn['tls'] and is_ec_private_key(openvpn['pki'], openvpn['tls']['certificate']): + if 'dh_params' in openvpn['tls']: + print('Warning: using dh-params and EC keys simultaneously will ' \ + 'lead to DH ciphers being used instead of ECDH') + + if dict_search('encryption.cipher', openvpn) == 'none': + print('Warning: "encryption none" was specified!') + print('No encryption will be performed and data is transmitted in ' \ + 'plain text over the network!') + + verify_pki(openvpn) + + # + # Auth user/pass + # + if (dict_search('authentication.username', openvpn) and not + dict_search('authentication.password', openvpn)): + raise ConfigError('Password for authentication is missing') + + if (dict_search('authentication.password', openvpn) and not + dict_search('authentication.username', openvpn)): + raise ConfigError('Username for authentication is missing') + + verify_vrf(openvpn) + verify_bond_bridge_member(openvpn) + verify_mirror_redirect(openvpn) + + return None + +def generate_pki_files(openvpn): + pki = openvpn['pki'] + if not pki: + return None + + interface = openvpn['ifname'] + shared_secret_key = dict_search_args(openvpn, 'shared_secret_key') + tls = dict_search_args(openvpn, 'tls') + + if shared_secret_key: + pki_key = pki['openvpn']['shared_secret'][shared_secret_key] + key_path = os.path.join(cfg_dir, f'{interface}_shared.key') + write_file(key_path, wrap_openvpn_key(pki_key['key']), + user=user, group=group) + + if tls: + if 'ca_certificate' in tls: + cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem') + crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem') + + if os.path.exists(cert_path): + os.unlink(cert_path) + + if os.path.exists(crl_path): + os.unlink(crl_path) + + for cert_name in sort_ca_chain(tls['ca_certificate'], pki['ca']): + pki_ca = pki['ca'][cert_name] + + if 'certificate' in pki_ca: + write_file(cert_path, wrap_certificate(pki_ca['certificate']) + "\n", + user=user, group=group, mode=0o600, append=True) + + if 'crl' in pki_ca: + for crl in pki_ca['crl']: + write_file(crl_path, wrap_crl(crl) + "\n", user=user, group=group, + mode=0o600, append=True) + + openvpn['tls']['crl'] = True + + if 'certificate' in tls: + cert_name = tls['certificate'] + pki_cert = pki['certificate'][cert_name] + + if 'certificate' in pki_cert: + cert_path = os.path.join(cfg_dir, f'{interface}_cert.pem') + write_file(cert_path, wrap_certificate(pki_cert['certificate']), + user=user, group=group, mode=0o600) + + if 'private' in pki_cert and 'key' in pki_cert['private']: + key_path = os.path.join(cfg_dir, f'{interface}_cert.key') + write_file(key_path, wrap_private_key(pki_cert['private']['key']), + user=user, group=group, mode=0o600) + + openvpn['tls']['private_key'] = True + + if 'dh_params' in tls: + dh_name = tls['dh_params'] + pki_dh = pki['dh'][dh_name] + + if 'parameters' in pki_dh: + dh_path = os.path.join(cfg_dir, f'{interface}_dh.pem') + write_file(dh_path, wrap_dh_parameters(pki_dh['parameters']), + user=user, group=group, mode=0o600) + + if 'auth_key' in tls: + key_name = tls['auth_key'] + pki_key = pki['openvpn']['shared_secret'][key_name] + + if 'key' in pki_key: + key_path = os.path.join(cfg_dir, f'{interface}_auth.key') + write_file(key_path, wrap_openvpn_key(pki_key['key']), + user=user, group=group, mode=0o600) + + if 'crypt_key' in tls: + key_name = tls['crypt_key'] + pki_key = pki['openvpn']['shared_secret'][key_name] + + if 'key' in pki_key: + key_path = os.path.join(cfg_dir, f'{interface}_crypt.key') + write_file(key_path, wrap_openvpn_key(pki_key['key']), + user=user, group=group, mode=0o600) + + +def generate(openvpn): + interface = openvpn['ifname'] + directory = os.path.dirname(cfg_file.format(**openvpn)) + openvpn['plugin_dir'] = '/usr/lib/openvpn' + # create base config directory on demand + makedir(directory, user, group) + # enforce proper permissions on /run/openvpn + chown(directory, user, group) + + # we can't know in advance which clients have been removed, + # thus all client configs will be removed and re-added on demand + ccd_dir = os.path.join(directory, 'ccd', interface) + if os.path.isdir(ccd_dir): + rmtree(ccd_dir, ignore_errors=True) + + # Remove systemd directories with overrides + service_dir = os.path.dirname(service_file.format(**openvpn)) + if os.path.isdir(service_dir): + rmtree(service_dir, ignore_errors=True) + + if 'deleted' in openvpn or 'disable' in openvpn: + return None + + # create client config directory on demand + makedir(ccd_dir, user, group) + + # Fix file permissons for keys + generate_pki_files(openvpn) + + # Generate User/Password authentication file + if 'authentication' in openvpn: + render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.j2', openvpn, + user=user, group=group, permission=0o600) + else: + # delete old auth file if present + if os.path.isfile(openvpn['auth_user_pass_file']): + os.remove(openvpn['auth_user_pass_file']) + + # Generate client specific configuration + server_client = dict_search_args(openvpn, 'server', 'client') + if server_client: + for client, client_config in server_client.items(): + client_file = os.path.join(ccd_dir, client) + + # Our client need's to know its subnet mask ... + client_config['server_subnet'] = dict_search('server.subnet', openvpn) + + render(client_file, 'openvpn/client.conf.j2', client_config, + user=user, group=group) + + # we need to support quoting of raw parameters from OpenVPN CLI + # see https://vyos.dev/T1632 + render(cfg_file.format(**openvpn), 'openvpn/server.conf.j2', openvpn, + formater=lambda _: _.replace(""", '"'), user=user, group=group) + + # Render 20-override.conf for OpenVPN service + render(service_file.format(**openvpn), 'openvpn/service-override.conf.j2', openvpn, + formater=lambda _: _.replace(""", '"'), user=user, group=group) + # Reload systemd services config to apply an override + call(f'systemctl daemon-reload') + + return None + +def apply(openvpn): + interface = openvpn['ifname'] + + # Do some cleanup when OpenVPN is disabled/deleted + if 'deleted' in openvpn or 'disable' in openvpn: + call(f'systemctl stop openvpn@{interface}.service') + for cleanup_file in glob(f'/run/openvpn/{interface}.*'): + if os.path.isfile(cleanup_file): + os.unlink(cleanup_file) + + if interface in interfaces(): + VTunIf(interface).remove() + + # dynamically load/unload DCO Kernel extension if requested + dco_module = 'ovpn_dco_v2' + if 'module_load_dco' in openvpn: + check_kmod(dco_module) + else: + unload_kmod(dco_module) + + # Now bail out early if interface is disabled or got deleted + if 'deleted' in openvpn or 'disable' in openvpn: + return None + + # verify specified IP address is present on any interface on this system + # Allow to bind service to nonlocal address, if it virtaual-vrrp address + # or if address will be assign later + if 'local_host' in openvpn: + if not is_addr_assigned(openvpn['local_host']): + cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1') + + # No matching OpenVPN process running - maybe it got killed or none + # existed - nevertheless, spawn new OpenVPN process + action = 'reload-or-restart' + if 'restart_required' in openvpn: + action = 'restart' + call(f'systemctl {action} openvpn@{interface}.service') + + o = VTunIf(**openvpn) + o.update(openvpn) + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) + diff --git a/src/conf_mode/interfaces_pppoe.py b/src/conf_mode/interfaces_pppoe.py new file mode 100755 index 000000000..42f084309 --- /dev/null +++ b/src/conf_mode/interfaces_pppoe.py @@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from copy import deepcopy +from netifaces import interfaces + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configdict import get_pppoe_interfaces +from vyos.configverify import verify_authentication +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_vrf +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_mirror_redirect +from vyos.ifconfig import PPPoEIf +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.process import is_systemd_service_running +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'pppoe'] + ifname, pppoe = get_interface_dict(conf, base) + + # We should only terminate the PPPoE session if critical parameters change. + # All parameters that can be changed on-the-fly (like interface description) + # should not lead to a reconnect! + for options in ['access-concentrator', 'connect-on-demand', 'service-name', + 'source-interface', 'vrf', 'no-default-route', + 'authentication', 'host_uniq']: + if is_node_changed(conf, base + [ifname, options]): + pppoe.update({'shutdown_required': {}}) + # bail out early - no need to further process other nodes + break + + if 'deleted' not in pppoe: + # We always set the MRU value to the MTU size. This code path only re-creates + # the old behavior if MRU is not set on the CLI. + if 'mru' not in pppoe: + pppoe['mru'] = pppoe['mtu'] + + return pppoe + +def verify(pppoe): + if 'deleted' in pppoe: + # bail out early + return None + + verify_source_interface(pppoe) + verify_authentication(pppoe) + verify_vrf(pppoe) + verify_mtu_ipv6(pppoe) + verify_mirror_redirect(pppoe) + + if {'connect_on_demand', 'vrf'} <= set(pppoe): + raise ConfigError('On-demand dialing and VRF can not be used at the same time') + + # both MTU and MRU have default values, thus we do not need to check + # if the key exists + if int(pppoe['mru']) > int(pppoe['mtu']): + raise ConfigError('PPPoE MRU needs to be lower then MTU!') + + return None + +def generate(pppoe): + # set up configuration file path variables where our templates will be + # rendered into + ifname = pppoe['ifname'] + config_pppoe = f'/etc/ppp/peers/{ifname}' + + if 'deleted' in pppoe or 'disable' in pppoe: + if os.path.exists(config_pppoe): + os.unlink(config_pppoe) + + return None + + # Create PPP configuration files + render(config_pppoe, 'pppoe/peer.j2', pppoe, permission=0o640) + + return None + +def apply(pppoe): + ifname = pppoe['ifname'] + if 'deleted' in pppoe or 'disable' in pppoe: + if os.path.isdir(f'/sys/class/net/{ifname}'): + p = PPPoEIf(ifname) + p.remove() + call(f'systemctl stop ppp@{ifname}.service') + return None + + # reconnect should only be necessary when certain config options change, + # like ACS name, authentication ... (see get_config() for details) + if ((not is_systemd_service_running(f'ppp@{ifname}.service')) or + 'shutdown_required' in pppoe): + + # cleanup system (e.g. FRR routes first) + if os.path.isdir(f'/sys/class/net/{ifname}'): + p = PPPoEIf(ifname) + p.remove() + + call(f'systemctl restart ppp@{ifname}.service') + # When interface comes "live" a hook is called: + # /etc/ppp/ip-up.d/99-vyos-pppoe-callback + # which triggers PPPoEIf.update() + else: + if os.path.isdir(f'/sys/class/net/{ifname}'): + p = PPPoEIf(ifname) + p.update(pppoe) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_pseudo-ethernet.py b/src/conf_mode/interfaces_pseudo-ethernet.py new file mode 100755 index 000000000..dce5c2358 --- /dev/null +++ b/src/conf_mode/interfaces_pseudo-ethernet.py @@ -0,0 +1,107 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit +from netifaces import interfaces + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configdict import is_source_interface +from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_vlan_config +from vyos.configverify import verify_mtu_parent +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import MACVLANIf +from vyos import ConfigError + +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at + least the interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'pseudo-ethernet'] + ifname, peth = get_interface_dict(conf, base) + + mode = is_node_changed(conf, ['mode']) + if mode: peth.update({'shutdown_required' : {}}) + + if is_node_changed(conf, base + [ifname, 'mode']): + peth.update({'rebuild_required': {}}) + + if 'source_interface' in peth: + _, peth['parent'] = get_interface_dict(conf, ['interfaces', 'ethernet'], + peth['source_interface']) + # test if source-interface is maybe already used by another interface + tmp = is_source_interface(conf, peth['source_interface'], ['macsec']) + if tmp and tmp != ifname: peth.update({'is_source_interface' : tmp}) + + return peth + +def verify(peth): + if 'deleted' in peth: + verify_bridge_delete(peth) + return None + + verify_source_interface(peth) + verify_vrf(peth) + verify_address(peth) + verify_mtu_parent(peth, peth['parent']) + verify_mirror_redirect(peth) + # use common function to verify VLAN configuration + verify_vlan_config(peth) + + return None + +def generate(peth): + return None + +def apply(peth): + # Check if the MACVLAN interface already exists + if 'rebuild_required' in peth or 'deleted' in peth: + if peth['ifname'] in interfaces(): + p = MACVLANIf(peth['ifname']) + # MACVLAN is always needs to be recreated, + # thus we can simply always delete it first. + p.remove() + + if 'deleted' not in peth: + p = MACVLANIf(**peth) + p.update(peth) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_sstpc.py b/src/conf_mode/interfaces_sstpc.py new file mode 100755 index 000000000..b588910dc --- /dev/null +++ b/src/conf_mode/interfaces_sstpc.py @@ -0,0 +1,145 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configverify import verify_authentication +from vyos.configverify import verify_vrf +from vyos.ifconfig import SSTPCIf +from vyos.pki import encode_certificate +from vyos.pki import find_chain +from vyos.pki import load_certificate +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.dict import dict_search +from vyos.utils.process import is_systemd_service_running +from vyos.utils.file import write_file +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'sstpc'] + ifname, sstpc = get_interface_dict(conf, base) + + # We should only terminate the SSTP client session if critical parameters + # change. All parameters that can be changed on-the-fly (like interface + # description) should not lead to a reconnect! + for options in ['authentication', 'no_peer_dns', 'no_default_route', + 'server', 'ssl']: + if is_node_changed(conf, base + [ifname, options]): + sstpc.update({'shutdown_required': {}}) + # bail out early - no need to further process other nodes + break + + # Load PKI certificates for later processing + sstpc['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + return sstpc + +def verify(sstpc): + if 'deleted' in sstpc: + return None + + verify_authentication(sstpc) + verify_vrf(sstpc) + + if not dict_search('server', sstpc): + raise ConfigError('Remote SSTP server must be specified!') + + if not dict_search('ssl.ca_certificate', sstpc): + raise ConfigError('Missing mandatory CA certificate!') + + return None + +def generate(sstpc): + ifname = sstpc['ifname'] + config_sstpc = f'/etc/ppp/peers/{ifname}' + + sstpc['ca_file_path'] = f'/run/sstpc/{ifname}_ca-cert.pem' + + if 'deleted' in sstpc: + for file in [sstpc['ca_file_path'], config_sstpc]: + if os.path.exists(file): + os.unlink(file) + return None + + ca_name = sstpc['ssl']['ca_certificate'] + pki_ca_cert = sstpc['pki']['ca'][ca_name] + + loaded_ca_cert = load_certificate(pki_ca_cert['certificate']) + loaded_ca_certs = {load_certificate(c['certificate']) + for c in sstpc['pki']['ca'].values()} if 'ca' in sstpc['pki'] else {} + + ca_full_chain = find_chain(loaded_ca_cert, loaded_ca_certs) + + write_file(sstpc['ca_file_path'], '\n'.join(encode_certificate(c) for c in ca_full_chain)) + render(config_sstpc, 'sstp-client/peer.j2', sstpc, permission=0o640) + + return None + +def apply(sstpc): + ifname = sstpc['ifname'] + if 'deleted' in sstpc or 'disable' in sstpc: + if os.path.isdir(f'/sys/class/net/{ifname}'): + p = SSTPCIf(ifname) + p.remove() + call(f'systemctl stop ppp@{ifname}.service') + return None + + # reconnect should only be necessary when specific options change, + # like server, authentication ... (see get_config() for details) + if ((not is_systemd_service_running(f'ppp@{ifname}.service')) or + 'shutdown_required' in sstpc): + + # cleanup system (e.g. FRR routes first) + if os.path.isdir(f'/sys/class/net/{ifname}'): + p = SSTPCIf(ifname) + p.remove() + + call(f'systemctl restart ppp@{ifname}.service') + # When interface comes "live" a hook is called: + # /etc/ppp/ip-up.d/96-vyos-sstpc-callback + # which triggers SSTPCIf.update() + else: + if os.path.isdir(f'/sys/class/net/{ifname}'): + p = SSTPCIf(ifname) + p.update(sstpc) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_tunnel.py b/src/conf_mode/interfaces_tunnel.py new file mode 100755 index 000000000..91aed9cc3 --- /dev/null +++ b/src/conf_mode/interfaces_tunnel.py @@ -0,0 +1,224 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2022 yOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from netifaces import interfaces + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_vrf +from vyos.configverify import verify_tunnel +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import Interface +from vyos.ifconfig import Section +from vyos.ifconfig import TunnelIf +from vyos.utils.network import get_interface_config +from vyos.utils.dict import dict_search +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least + the interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'tunnel'] + ifname, tunnel = get_interface_dict(conf, base) + + if 'deleted' not in tunnel: + tmp = is_node_changed(conf, base + [ifname, 'encapsulation']) + if tmp: tunnel.update({'encapsulation_changed': {}}) + + tmp = is_node_changed(conf, base + [ifname, 'parameters', 'ip', 'key']) + if tmp: tunnel.update({'key_changed': {}}) + + # We also need to inspect other configured tunnels as there are Kernel + # restrictions where we need to comply. E.g. GRE tunnel key can't be used + # twice, or with multiple GRE tunnels to the same location we must specify + # a GRE key + conf.set_level(base) + tunnel['other_tunnels'] = conf.get_config_dict([], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + # delete our own instance from this dict + ifname = tunnel['ifname'] + del tunnel['other_tunnels'][ifname] + # if only one tunnel is present on the system, no need to keep this key + if len(tunnel['other_tunnels']) == 0: + del tunnel['other_tunnels'] + + # We must check if our interface is configured to be a DMVPN member + nhrp_base = ['protocols', 'nhrp', 'tunnel'] + conf.set_level(nhrp_base) + nhrp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True) + if nhrp: tunnel.update({'nhrp' : list(nhrp.keys())}) + + if 'encapsulation' in tunnel and tunnel['encapsulation'] not in ['erspan', 'ip6erspan']: + del tunnel['parameters']['erspan'] + + return tunnel + +def verify(tunnel): + if 'deleted' in tunnel: + verify_bridge_delete(tunnel) + + if 'nhrp' in tunnel and tunnel['ifname'] in tunnel['nhrp']: + raise ConfigError('Tunnel used for NHRP, it can not be deleted!') + + return None + + verify_tunnel(tunnel) + + if tunnel['encapsulation'] in ['erspan', 'ip6erspan']: + if dict_search('parameters.ip.key', tunnel) == None: + raise ConfigError('ERSPAN requires ip key parameter!') + + # this is a default field + ver = int(tunnel['parameters']['erspan']['version']) + if ver == 1: + if 'hw_id' in tunnel['parameters']['erspan']: + raise ConfigError('ERSPAN version 1 does not support hw-id!') + if 'direction' in tunnel['parameters']['erspan']: + raise ConfigError('ERSPAN version 1 does not support direction!') + elif ver == 2: + if 'idx' in tunnel['parameters']['erspan']: + raise ConfigError('ERSPAN version 2 does not index parameter!') + if 'direction' not in tunnel['parameters']['erspan']: + raise ConfigError('ERSPAN version 2 requires direction to be set!') + + # If tunnel source is any and gre key is not set + interface = tunnel['ifname'] + if tunnel['encapsulation'] in ['gre'] and \ + dict_search('source_address', tunnel) == '0.0.0.0' and \ + dict_search('parameters.ip.key', tunnel) == None: + raise ConfigError(f'"parameters ip key" must be set for {interface} when '\ + 'encapsulation is GRE!') + + gre_encapsulations = ['gre', 'gretap'] + if tunnel['encapsulation'] in gre_encapsulations and 'other_tunnels' in tunnel: + # Check pairs tunnel source-address/encapsulation/key with exists tunnels. + # Prevent the same key for 2 tunnels with same source-address/encap. T2920 + for o_tunnel, o_tunnel_conf in tunnel['other_tunnels'].items(): + # no match on encapsulation - bail out + our_encapsulation = tunnel['encapsulation'] + their_encapsulation = o_tunnel_conf['encapsulation'] + if our_encapsulation in gre_encapsulations and their_encapsulation \ + not in gre_encapsulations: + continue + + our_address = dict_search('source_address', tunnel) + our_key = dict_search('parameters.ip.key', tunnel) + their_address = dict_search('source_address', o_tunnel_conf) + their_key = dict_search('parameters.ip.key', o_tunnel_conf) + if our_key != None: + if their_address == our_address and their_key == our_key: + raise ConfigError(f'Key "{our_key}" for source-address "{our_address}" ' \ + f'is already used for tunnel "{o_tunnel}"!') + else: + our_source_if = dict_search('source_interface', tunnel) + their_source_if = dict_search('source_interface', o_tunnel_conf) + our_remote = dict_search('remote', tunnel) + their_remote = dict_search('remote', o_tunnel_conf) + # If no IP GRE key is defined we can not have more then one GRE tunnel + # bound to any one interface/IP address and the same remote. This will + # result in a OS PermissionError: add tunnel "gre0" failed: File exists + if (their_address == our_address or our_source_if == their_source_if) and \ + our_remote == their_remote: + raise ConfigError(f'Missing required "ip key" parameter when '\ + 'running more then one GRE based tunnel on the '\ + 'same source-interface/source-address') + + # Keys are not allowed with ipip and sit tunnels + if tunnel['encapsulation'] in ['ipip', 'sit']: + if dict_search('parameters.ip.key', tunnel) != None: + raise ConfigError('Keys are not allowed with ipip and sit tunnels!') + + verify_mtu_ipv6(tunnel) + verify_address(tunnel) + verify_vrf(tunnel) + verify_bond_bridge_member(tunnel) + verify_mirror_redirect(tunnel) + + if 'source_interface' in tunnel: + verify_interface_exists(tunnel['source_interface']) + + # TTL != 0 and nopmtudisc are incompatible, parameters and ip use default + # values, thus the keys are always present. + if dict_search('parameters.ip.no_pmtu_discovery', tunnel) != None: + if dict_search('parameters.ip.ttl', tunnel) != '0': + raise ConfigError('Disabled PMTU requires TTL set to "0"!') + if tunnel['encapsulation'] in ['ipip6', 'ip6ip6', 'ip6gre']: + raise ConfigError('Can not disable PMTU discovery for given encapsulation') + + if dict_search('parameters.ip.ignore_df', tunnel) != None: + if tunnel['encapsulation'] not in ['gretap']: + raise ConfigError('Option ignore-df can only be used on GRETAP tunnels!') + + if dict_search('parameters.ip.no_pmtu_discovery', tunnel) == None: + raise ConfigError('Option ignore-df requires path MTU discovery to be disabled!') + + +def generate(tunnel): + return None + +def apply(tunnel): + interface = tunnel['ifname'] + # If a gretap tunnel is already existing we can not "simply" change local or + # remote addresses. This returns "Operation not supported" by the Kernel. + # There is no other solution to destroy and recreate the tunnel. + encap = '' + remote = '' + tmp = get_interface_config(interface) + if tmp: + encap = dict_search('linkinfo.info_kind', tmp) + remote = dict_search('linkinfo.info_data.remote', tmp) + + if ('deleted' in tunnel or 'encapsulation_changed' in tunnel or encap in + ['gretap', 'ip6gretap', 'erspan', 'ip6erspan'] or remote in ['any'] or + 'key_changed' in tunnel): + if interface in interfaces(): + tmp = Interface(interface) + tmp.remove() + if 'deleted' in tunnel: + return None + + tun = TunnelIf(**tunnel) + tun.update(tunnel) + + return None + +if __name__ == '__main__': + try: + c = get_config() + generate(c) + verify(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_virtual-ethernet.py b/src/conf_mode/interfaces_virtual-ethernet.py new file mode 100755 index 000000000..8efe89c41 --- /dev/null +++ b/src/conf_mode/interfaces_virtual-ethernet.py @@ -0,0 +1,114 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from netifaces import interfaces +from vyos import ConfigError +from vyos import airbag +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_vrf +from vyos.ifconfig import VethIf + +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at + least the interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'virtual-ethernet'] + ifname, veth = get_interface_dict(conf, base) + + # We need to know all other veth related interfaces as veth requires a 1:1 + # mapping for the peer-names. The Linux kernel automatically creates both + # interfaces, the local one and the peer-name, but VyOS also needs a peer + # interfaces configrued on the CLI so we can assign proper IP addresses etc. + veth['other_interfaces'] = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + return veth + + +def verify(veth): + if 'deleted' in veth: + verify_bridge_delete(veth) + # Prevent to delete veth interface which used for another "vethX peer-name" + for iface, iface_config in veth['other_interfaces'].items(): + if veth['ifname'] in iface_config['peer_name']: + ifname = veth['ifname'] + raise ConfigError( + f'Cannot delete "{ifname}" used for "interface {iface} peer-name"' + ) + return None + + verify_vrf(veth) + verify_address(veth) + + if 'peer_name' not in veth: + raise ConfigError(f'Remote peer name must be set for "{veth["ifname"]}"!') + + peer_name = veth['peer_name'] + ifname = veth['ifname'] + + if veth['peer_name'] not in veth['other_interfaces']: + raise ConfigError(f'Used peer-name "{peer_name}" on interface "{ifname}" ' \ + 'is not configured!') + + if veth['other_interfaces'][peer_name]['peer_name'] != ifname: + raise ConfigError( + f'Configuration mismatch between "{ifname}" and "{peer_name}"!') + + if peer_name == ifname: + raise ConfigError( + f'Peer-name "{peer_name}" cannot be the same as interface "{ifname}"!') + + return None + + +def generate(peth): + return None + +def apply(veth): + # Check if the Veth interface already exists + if 'rebuild_required' in veth or 'deleted' in veth: + if veth['ifname'] in interfaces(): + p = VethIf(veth['ifname']) + p.remove() + + if 'deleted' not in veth: + p = VethIf(**veth) + p.update(veth) + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_vti.py b/src/conf_mode/interfaces_vti.py new file mode 100755 index 000000000..9871810ae --- /dev/null +++ b/src/conf_mode/interfaces_vti.py @@ -0,0 +1,68 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from netifaces import interfaces +from sys import exit + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_mirror_redirect +from vyos.ifconfig import VTIIf +from vyos.utils.dict import dict_search +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'vti'] + _, vti = get_interface_dict(conf, base) + return vti + +def verify(vti): + verify_mirror_redirect(vti) + return None + +def generate(vti): + return None + +def apply(vti): + # Remove macsec interface + if 'deleted' in vti: + VTIIf(**vti).remove() + return None + + tmp = VTIIf(**vti) + tmp.update(vti) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_vxlan.py b/src/conf_mode/interfaces_vxlan.py new file mode 100755 index 000000000..4251e611b --- /dev/null +++ b/src/conf_mode/interfaces_vxlan.py @@ -0,0 +1,236 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from netifaces import interfaces + +from vyos.base import Warning +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import leaf_node_changed +from vyos.configdict import is_node_changed +from vyos.configdict import node_changed +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import Interface +from vyos.ifconfig import VXLANIf +from vyos.template import is_ipv6 +from vyos.utils.dict import dict_search +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least + the interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'vxlan'] + ifname, vxlan = get_interface_dict(conf, base) + + # VXLAN interfaces are picky and require recreation if certain parameters + # change. But a VXLAN interface should - of course - not be re-created if + # it's description or IP address is adjusted. Feels somehow logic doesn't it? + for cli_option in ['parameters', 'gpe', 'group', 'port', 'remote', + 'source-address', 'source-interface', 'vni']: + if is_node_changed(conf, base + [ifname, cli_option]): + vxlan.update({'rebuild_required': {}}) + break + + # When dealing with VNI filtering we need to know what VNI was actually removed, + # so build up a dict matching the vlan_to_vni structure but with removed values. + tmp = node_changed(conf, base + [ifname, 'vlan-to-vni'], recursive=True) + if tmp: + vxlan.update({'vlan_to_vni_removed': {}}) + for vlan in tmp: + vni = leaf_node_changed(conf, base + [ifname, 'vlan-to-vni', vlan, 'vni']) + vxlan['vlan_to_vni_removed'].update({vlan : {'vni' : vni[0]}}) + + # We need to verify that no other VXLAN tunnel is configured when external + # mode is in use - Linux Kernel limitation + conf.set_level(base) + vxlan['other_tunnels'] = conf.get_config_dict([], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + # This if-clause is just to be sure - it will always evaluate to true + ifname = vxlan['ifname'] + if ifname in vxlan['other_tunnels']: + del vxlan['other_tunnels'][ifname] + if len(vxlan['other_tunnels']) == 0: + del vxlan['other_tunnels'] + + return vxlan + +def verify(vxlan): + if 'deleted' in vxlan: + verify_bridge_delete(vxlan) + return None + + if int(vxlan['mtu']) < 1500: + Warning('RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU') + + if 'group' in vxlan: + if 'source_interface' not in vxlan: + raise ConfigError('Multicast VXLAN requires an underlaying interface') + verify_source_interface(vxlan) + + if not any(tmp in ['group', 'remote', 'source_address', 'source_interface'] for tmp in vxlan): + raise ConfigError('Group, remote, source-address or source-interface must be configured') + + if 'vni' not in vxlan and dict_search('parameters.external', vxlan) == None: + raise ConfigError('Must either configure VXLAN "vni" or use "external" CLI option!') + + if dict_search('parameters.external', vxlan) != None: + if 'vni' in vxlan: + raise ConfigError('Can not specify both "external" and "VNI"!') + + if 'other_tunnels' in vxlan: + # When multiple VXLAN interfaces are defined and "external" is used, + # all VXLAN interfaces need to have vni-filter enabled! + # See Linux Kernel commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 + other_vni_filter = False + for tunnel, tunnel_config in vxlan['other_tunnels'].items(): + if dict_search('parameters.vni_filter', tunnel_config) != None: + other_vni_filter = True + break + # eqivalent of the C foo ? 'a' : 'b' statement + vni_filter = True and (dict_search('parameters.vni_filter', vxlan) != None) or False + # If either one is enabled, so must be the other. Both can be off and both can be on + if (vni_filter and not other_vni_filter) or (not vni_filter and other_vni_filter): + raise ConfigError(f'Using multiple VXLAN interfaces with "external" '\ + 'requires all VXLAN interfaces to have "vni-filter" configured!') + + if not vni_filter and not other_vni_filter: + other_tunnels = ', '.join(vxlan['other_tunnels']) + raise ConfigError(f'Only one VXLAN tunnel is supported when "external" '\ + f'CLI option is used and "vni-filter" is unset. '\ + f'Additional tunnels: {other_tunnels}') + + if 'gpe' in vxlan and 'external' not in vxlan: + raise ConfigError(f'VXLAN-GPE is only supported when "external" '\ + f'CLI option is used.') + + if 'source_interface' in vxlan: + # VXLAN adds at least an overhead of 50 byte - we need to check the + # underlaying device if our VXLAN package is not going to be fragmented! + vxlan_overhead = 50 + if 'source_address' in vxlan and is_ipv6(vxlan['source_address']): + # IPv6 adds an extra 20 bytes overhead because the IPv6 header is 20 + # bytes larger than the IPv4 header - assuming no extra options are + # in use. + vxlan_overhead += 20 + + # If source_address is not used - check IPv6 'remote' list + elif 'remote' in vxlan: + if any(is_ipv6(a) for a in vxlan['remote']): + vxlan_overhead += 20 + + lower_mtu = Interface(vxlan['source_interface']).get_mtu() + if lower_mtu < (int(vxlan['mtu']) + vxlan_overhead): + raise ConfigError(f'Underlaying device MTU is to small ({lower_mtu} '\ + f'bytes) for VXLAN overhead ({vxlan_overhead} bytes!)') + + # Check for mixed IPv4 and IPv6 addresses + protocol = None + if 'source_address' in vxlan: + if is_ipv6(vxlan['source_address']): + protocol = 'ipv6' + else: + protocol = 'ipv4' + + if 'remote' in vxlan: + error_msg = 'Can not mix both IPv4 and IPv6 for VXLAN underlay' + for remote in vxlan['remote']: + if is_ipv6(remote): + if protocol == 'ipv4': + raise ConfigError(error_msg) + protocol = 'ipv6' + else: + if protocol == 'ipv6': + raise ConfigError(error_msg) + protocol = 'ipv4' + + if 'vlan_to_vni' in vxlan: + if 'is_bridge_member' not in vxlan: + raise ConfigError('VLAN to VNI mapping requires that VXLAN interface '\ + 'is member of a bridge interface!') + + vnis_used = [] + for vif, vif_config in vxlan['vlan_to_vni'].items(): + if 'vni' not in vif_config: + raise ConfigError(f'Must define VNI for VLAN "{vif}"!') + vni = vif_config['vni'] + if vni in vnis_used: + raise ConfigError(f'VNI "{vni}" is already assigned to a different VLAN!') + vnis_used.append(vni) + + if dict_search('parameters.neighbor_suppress', vxlan) != None: + if 'is_bridge_member' not in vxlan: + raise ConfigError('Neighbor suppression requires that VXLAN interface '\ + 'is member of a bridge interface!') + + verify_mtu_ipv6(vxlan) + verify_address(vxlan) + verify_bond_bridge_member(vxlan) + verify_mirror_redirect(vxlan) + + # We use a defaultValue for port, thus it's always safe to use + if vxlan['port'] == '8472': + Warning('Starting from VyOS 1.4, the default port for VXLAN '\ + 'has been changed to 4789. This matches the IANA assigned '\ + 'standard port number!') + + return None + +def generate(vxlan): + return None + +def apply(vxlan): + # Check if the VXLAN interface already exists + if 'rebuild_required' in vxlan or 'delete' in vxlan: + if vxlan['ifname'] in interfaces(): + v = VXLANIf(vxlan['ifname']) + # VXLAN is super picky and the tunnel always needs to be recreated, + # thus we can simply always delete it first. + v.remove() + + if 'deleted' not in vxlan: + # Finally create the new interface + v = VXLANIf(**vxlan) + v.update(vxlan) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_wireguard.py b/src/conf_mode/interfaces_wireguard.py new file mode 100755 index 000000000..79e5d3f44 --- /dev/null +++ b/src/conf_mode/interfaces_wireguard.py @@ -0,0 +1,133 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mtu_ipv6 +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import WireGuardIf +from vyos.utils.kernel import check_kmod +from vyos.utils.network import check_port_availability +from vyos.utils.network import is_wireguard_key_pair +from vyos import ConfigError +from vyos import airbag +airbag.enable() + + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'wireguard'] + ifname, wireguard = get_interface_dict(conf, base) + + # Check if a port was changed + tmp = is_node_changed(conf, base + [ifname, 'port']) + if tmp: wireguard['port_changed'] = {} + + # T4702: If anything on a peer changes we remove the peer first and re-add it + if is_node_changed(conf, base + [ifname, 'peer']): + wireguard.update({'rebuild_required': {}}) + + return wireguard + +def verify(wireguard): + if 'deleted' in wireguard: + verify_bridge_delete(wireguard) + return None + + verify_mtu_ipv6(wireguard) + verify_address(wireguard) + verify_vrf(wireguard) + verify_bond_bridge_member(wireguard) + verify_mirror_redirect(wireguard) + + if 'private_key' not in wireguard: + raise ConfigError('Wireguard private-key not defined') + + if 'peer' not in wireguard: + raise ConfigError('At least one Wireguard peer is required!') + + if 'port' in wireguard and 'port_changed' in wireguard: + listen_port = int(wireguard['port']) + if check_port_availability('0.0.0.0', listen_port, 'udp') is not True: + raise ConfigError(f'UDP port {listen_port} is busy or unavailable and ' + 'cannot be used for the interface!') + + # run checks on individual configured WireGuard peer + public_keys = [] + for tmp in wireguard['peer']: + peer = wireguard['peer'][tmp] + + if 'allowed_ips' not in peer: + raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!') + + if 'public_key' not in peer: + raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!') + + if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer): + raise ConfigError('Both Wireguard port and address must be defined ' + f'for peer "{tmp}" if either one of them is set!') + + if peer['public_key'] in public_keys: + raise ConfigError(f'Duplicate public-key defined on peer "{tmp}"') + + if 'disable' not in peer: + if is_wireguard_key_pair(wireguard['private_key'], peer['public_key']): + raise ConfigError(f'Peer "{tmp}" has the same public key as the interface "{wireguard["ifname"]}"') + + public_keys.append(peer['public_key']) + +def apply(wireguard): + if 'rebuild_required' in wireguard or 'deleted' in wireguard: + wg = WireGuardIf(**wireguard) + # WireGuard only supports peer removal based on the configured public-key, + # by deleting the entire interface this is the shortcut instead of parsing + # out all peers and removing them one by one. + # + # Peer reconfiguration will always come with a short downtime while the + # WireGuard interface is recreated (see below) + wg.remove() + + # Create the new interface if required + if 'deleted' not in wireguard: + wg = WireGuardIf(**wireguard) + wg.update(wireguard) + + return None + +if __name__ == '__main__': + try: + check_kmod('wireguard') + c = get_config() + verify(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_wireless.py b/src/conf_mode/interfaces_wireless.py new file mode 100755 index 000000000..02b4a2500 --- /dev/null +++ b/src/conf_mode/interfaces_wireless.py @@ -0,0 +1,275 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from re import findall +from netaddr import EUI, mac_unix_expanded + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import dict_merge +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_vlan_config +from vyos.configverify import verify_vrf +from vyos.configverify import verify_bond_bridge_member +from vyos.ifconfig import WiFiIf +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.dict import dict_search +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +# XXX: wpa_supplicant works on the source interface +wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf' +hostapd_conf = '/run/hostapd/{ifname}.conf' +hostapd_accept_station_conf = '/run/hostapd/{ifname}_station_accept.conf' +hostapd_deny_station_conf = '/run/hostapd/{ifname}_station_deny.conf' + +def find_other_stations(conf, base, ifname): + """ + Only one wireless interface per phy can be in station mode - + find all interfaces attached to a phy which run in station mode + """ + old_level = conf.get_level() + conf.set_level(base) + dict = {} + for phy in os.listdir('/sys/class/ieee80211'): + list = [] + for interface in conf.list_nodes([]): + if interface == ifname: + continue + # the following node is mandatory + if conf.exists([interface, 'physical-device', phy]): + tmp = conf.return_value([interface, 'type']) + if tmp == 'station': + list.append(interface) + if list: + dict.update({phy: list}) + conf.set_level(old_level) + return dict + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'wireless'] + + ifname, wifi = get_interface_dict(conf, base) + + if 'deleted' not in wifi: + # then get_interface_dict provides default keys + if wifi.from_defaults(['security', 'wep']): # if not set by user + del wifi['security']['wep'] + if wifi.from_defaults(['security', 'wpa']): # if not set by user + del wifi['security']['wpa'] + + if dict_search('security.wpa', wifi) != None: + wpa_cipher = wifi['security']['wpa'].get('cipher') + wpa_mode = wifi['security']['wpa'].get('mode') + if not wpa_cipher: + tmp = None + if wpa_mode == 'wpa': + tmp = {'security': {'wpa': {'cipher' : ['TKIP', 'CCMP']}}} + elif wpa_mode == 'wpa2': + tmp = {'security': {'wpa': {'cipher' : ['CCMP']}}} + elif wpa_mode == 'both': + tmp = {'security': {'wpa': {'cipher' : ['CCMP', 'TKIP']}}} + + if tmp: wifi = dict_merge(tmp, wifi) + + # Only one wireless interface per phy can be in station mode + tmp = find_other_stations(conf, base, wifi['ifname']) + if tmp: wifi['station_interfaces'] = tmp + + # used in hostapt.conf.j2 + wifi['hostapd_accept_station_conf'] = hostapd_accept_station_conf.format(**wifi) + wifi['hostapd_deny_station_conf'] = hostapd_deny_station_conf.format(**wifi) + + return wifi + +def verify(wifi): + if 'deleted' in wifi: + verify_bridge_delete(wifi) + return None + + if 'physical_device' not in wifi: + raise ConfigError('You must specify a physical-device "phy"') + + if 'type' not in wifi: + raise ConfigError('You must specify a WiFi mode') + + if 'ssid' not in wifi and wifi['type'] != 'monitor': + raise ConfigError('SSID must be configured unless type is set to "monitor"!') + + if wifi['type'] == 'access-point': + if 'country_code' not in wifi: + raise ConfigError('Wireless country-code is mandatory') + + if 'channel' not in wifi: + raise ConfigError('Wireless channel must be configured!') + + if 'security' in wifi: + if {'wep', 'wpa'} <= set(wifi.get('security', {})): + raise ConfigError('Must either use WEP or WPA security!') + + if 'wep' in wifi['security']: + if 'key' in wifi['security']['wep'] and len(wifi['security']['wep']) > 4: + raise ConfigError('No more then 4 WEP keys configurable') + elif 'key' not in wifi['security']['wep']: + raise ConfigError('Security WEP configured - missing WEP keys!') + + elif 'wpa' in wifi['security']: + wpa = wifi['security']['wpa'] + if not any(i in ['passphrase', 'radius'] for i in wpa): + raise ConfigError('Misssing WPA key or RADIUS server') + + if 'radius' in wpa: + if 'server' in wpa['radius']: + for server in wpa['radius']['server']: + if 'key' not in wpa['radius']['server'][server]: + raise ConfigError(f'Misssing RADIUS shared secret key for server: {server}') + + if 'capabilities' in wifi: + capabilities = wifi['capabilities'] + if 'vht' in capabilities: + if 'ht' not in capabilities: + raise ConfigError('Specify HT flags if you want to use VHT!') + + if {'beamform', 'antenna_count'} <= set(capabilities.get('vht', {})): + if capabilities['vht']['antenna_count'] == '1': + raise ConfigError('Cannot use beam forming with just one antenna!') + + if capabilities['vht']['beamform'] == 'single-user-beamformer': + if int(capabilities['vht']['antenna_count']) < 3: + # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705 + raise ConfigError('Single-user beam former requires at least 3 antennas!') + + if 'station_interfaces' in wifi and wifi['type'] == 'station': + phy = wifi['physical_device'] + if phy in wifi['station_interfaces']: + if len(wifi['station_interfaces'][phy]) > 0: + raise ConfigError('Only one station per wireless physical interface possible!') + + verify_address(wifi) + verify_vrf(wifi) + verify_bond_bridge_member(wifi) + verify_mirror_redirect(wifi) + + # use common function to verify VLAN configuration + verify_vlan_config(wifi) + + return None + +def generate(wifi): + interface = wifi['ifname'] + + # always stop hostapd service first before reconfiguring it + call(f'systemctl stop hostapd@{interface}.service') + # always stop wpa_supplicant service first before reconfiguring it + call(f'systemctl stop wpa_supplicant@{interface}.service') + + # Delete config files if interface is removed + if 'deleted' in wifi: + if os.path.isfile(hostapd_conf.format(**wifi)): + os.unlink(hostapd_conf.format(**wifi)) + if os.path.isfile(hostapd_accept_station_conf.format(**wifi)): + os.unlink(hostapd_accept_station_conf.format(**wifi)) + if os.path.isfile(hostapd_deny_station_conf.format(**wifi)): + os.unlink(hostapd_deny_station_conf.format(**wifi)) + if os.path.isfile(wpa_suppl_conf.format(**wifi)): + os.unlink(wpa_suppl_conf.format(**wifi)) + + return None + + if 'mac' not in wifi: + # http://wiki.stocksy.co.uk/wiki/Multiple_SSIDs_with_hostapd + # generate locally administered MAC address from used phy interface + with open('/sys/class/ieee80211/{physical_device}/addresses'.format(**wifi), 'r') as f: + # some PHYs tend to have multiple interfaces and thus supply multiple MAC + # addresses - we only need the first one for our calculation + tmp = f.readline().rstrip() + tmp = EUI(tmp).value + # mask last nibble from the MAC address + tmp &= 0xfffffffffff0 + # set locally administered bit in MAC address + tmp |= 0x020000000000 + # we now need to add an offset to our MAC address indicating this + # subinterfaces index + tmp += int(findall(r'\d+', interface)[0]) + + # convert integer to "real" MAC address representation + mac = EUI(hex(tmp).split('x')[-1]) + # change dialect to use : as delimiter instead of - + mac.dialect = mac_unix_expanded + wifi['mac'] = str(mac) + + # XXX: Jinja2 can not operate on a dictionary key when it starts of with a number + if '40mhz_incapable' in (dict_search('capabilities.ht', wifi) or []): + wifi['capabilities']['ht']['fourtymhz_incapable'] = wifi['capabilities']['ht']['40mhz_incapable'] + del wifi['capabilities']['ht']['40mhz_incapable'] + + # render appropriate new config files depending on access-point or station mode + if wifi['type'] == 'access-point': + render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.j2', wifi) + render(hostapd_accept_station_conf.format(**wifi), 'wifi/hostapd_accept_station.conf.j2', wifi) + render(hostapd_deny_station_conf.format(**wifi), 'wifi/hostapd_deny_station.conf.j2', wifi) + + elif wifi['type'] == 'station': + render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.j2', wifi) + + return None + +def apply(wifi): + interface = wifi['ifname'] + if 'deleted' in wifi: + WiFiIf(interface).remove() + else: + # Finally create the new interface + w = WiFiIf(**wifi) + w.update(wifi) + + # Enable/Disable interface - interface is always placed in + # administrative down state in WiFiIf class + if 'disable' not in wifi: + # Physical interface is now configured. Proceed by starting hostapd or + # wpa_supplicant daemon. When type is monitor we can just skip this. + if wifi['type'] == 'access-point': + call(f'systemctl start hostapd@{interface}.service') + + elif wifi['type'] == 'station': + call(f'systemctl start wpa_supplicant@{interface}.service') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/interfaces_wwan.py b/src/conf_mode/interfaces_wwan.py new file mode 100755 index 000000000..2515dc838 --- /dev/null +++ b/src/conf_mode/interfaces_wwan.py @@ -0,0 +1,189 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from time import sleep + +from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed +from vyos.configverify import verify_authentication +from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_mirror_redirect +from vyos.configverify import verify_vrf +from vyos.ifconfig import WWANIf +from vyos.utils.dict import dict_search +from vyos.utils.process import cmd +from vyos.utils.process import call +from vyos.utils.process import DEVNULL +from vyos.utils.process import is_systemd_service_active +from vyos.utils.file import write_file +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +service_name = 'ModemManager.service' +cron_script = '/etc/cron.d/vyos-wwan' + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'wwan'] + ifname, wwan = get_interface_dict(conf, base) + + # We should only terminate the WWAN session if critical parameters change. + # All parameters that can be changed on-the-fly (like interface description) + # should not lead to a reconnect! + tmp = is_node_changed(conf, base + [ifname, 'address']) + if tmp: wwan.update({'shutdown_required': {}}) + + tmp = is_node_changed(conf, base + [ifname, 'apn']) + if tmp: wwan.update({'shutdown_required': {}}) + + tmp = is_node_changed(conf, base + [ifname, 'disable']) + if tmp: wwan.update({'shutdown_required': {}}) + + tmp = is_node_changed(conf, base + [ifname, 'vrf']) + if tmp: wwan.update({'shutdown_required': {}}) + + tmp = is_node_changed(conf, base + [ifname, 'authentication']) + if tmp: wwan.update({'shutdown_required': {}}) + + tmp = is_node_changed(conf, base + [ifname, 'ipv6', 'address', 'autoconf']) + if tmp: wwan.update({'shutdown_required': {}}) + + # We need to know the amount of other WWAN interfaces as ModemManager needs + # to be started or stopped. + wwan['other_interfaces'] = conf.get_config_dict([], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + # This if-clause is just to be sure - it will always evaluate to true + if ifname in wwan['other_interfaces']: + del wwan['other_interfaces'][ifname] + if len(wwan['other_interfaces']) == 0: + del wwan['other_interfaces'] + + return wwan + +def verify(wwan): + if 'deleted' in wwan: + return None + + ifname = wwan['ifname'] + if not 'apn' in wwan: + raise ConfigError(f'No APN configured for "{ifname}"!') + + verify_interface_exists(ifname) + verify_authentication(wwan) + verify_vrf(wwan) + verify_mirror_redirect(wwan) + + return None + +def generate(wwan): + if 'deleted' in wwan: + # We are the last WWAN interface - there are no other ones remaining + # thus the cronjob needs to go away, too + if 'other_interfaces' not in wwan: + if os.path.exists(cron_script): + os.unlink(cron_script) + return None + + # Install cron triggered helper script to re-dial WWAN interfaces on + # disconnect - e.g. happens during RF signal loss. The script watches every + # WWAN interface - so there is only one instance. + if not os.path.exists(cron_script): + write_file(cron_script, '*/5 * * * * root /usr/libexec/vyos/vyos-check-wwan.py\n') + + return None + +def apply(wwan): + # ModemManager is required to dial WWAN connections - one instance is + # required to serve all modems. Activate ModemManager on first invocation + # of any WWAN interface. + if not is_systemd_service_active(service_name): + cmd(f'systemctl start {service_name}') + + counter = 100 + # Wait until a modem is detected and then we can continue + while counter > 0: + counter -= 1 + tmp = cmd('mmcli -L') + if tmp != 'No modems were found': + break + sleep(0.250) + + if 'shutdown_required' in wwan: + # we only need the modem number. wwan0 -> 0, wwan1 -> 1 + modem = wwan['ifname'].lstrip('wwan') + base_cmd = f'mmcli --modem {modem}' + # Number of bearers is limited - always disconnect first + cmd(f'{base_cmd} --simple-disconnect') + + w = WWANIf(wwan['ifname']) + if 'deleted' in wwan or 'disable' in wwan: + w.remove() + + # We are the last WWAN interface - there are no other WWAN interfaces + # remaining, thus we can stop ModemManager and free resources. + if 'other_interfaces' not in wwan: + cmd(f'systemctl stop {service_name}') + # Clean CRON helper script which is used for to re-connect when + # RF signal is lost + if os.path.exists(cron_script): + os.unlink(cron_script) + + return None + + if 'shutdown_required' in wwan: + ip_type = 'ipv4' + slaac = dict_search('ipv6.address.autoconf', wwan) != None + if 'address' in wwan: + if 'dhcp' in wwan['address'] and ('dhcpv6' in wwan['address'] or slaac): + ip_type = 'ipv4v6' + elif 'dhcpv6' in wwan['address'] or slaac: + ip_type = 'ipv6' + elif 'dhcp' in wwan['address']: + ip_type = 'ipv4' + + options = f'ip-type={ip_type},apn=' + wwan['apn'] + if 'authentication' in wwan: + options += ',user={username},password={password}'.format(**wwan['authentication']) + + command = f'{base_cmd} --simple-connect="{options}"' + call(command, stdout=DEVNULL) + + w.update(wwan) + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py deleted file mode 100755 index 06c7e7b72..000000000 --- a/src/conf_mode/le_cert.py +++ /dev/null @@ -1,115 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import sys -import os - -import vyos.defaults -from vyos.config import Config -from vyos import ConfigError -from vyos.utils.process import cmd -from vyos.utils.process import call -from vyos.utils.process import is_systemd_service_running - -from vyos import airbag -airbag.enable() - -vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode'] -vyos_certbot_dir = vyos.defaults.directories['certbot'] - -dependencies = [ - 'https.py', -] - -def request_certbot(cert): - email = cert.get('email') - if email is not None: - email_flag = '-m {0}'.format(email) - else: - email_flag = '' - - domains = cert.get('domains') - if domains is not None: - domain_flag = '-d ' + ' -d '.join(domains) - else: - domain_flag = '' - - certbot_cmd = f'certbot certonly --config-dir {vyos_certbot_dir} -n --nginx --agree-tos --no-eff-email --expand {email_flag} {domain_flag}' - - cmd(certbot_cmd, - raising=ConfigError, - message="The certbot request failed for the specified domains.") - -def get_config(): - conf = Config() - if not conf.exists('service https certificates certbot'): - return None - else: - conf.set_level('service https certificates certbot') - - cert = {} - - if conf.exists('domain-name'): - cert['domains'] = conf.return_values('domain-name') - - if conf.exists('email'): - cert['email'] = conf.return_value('email') - - return cert - -def verify(cert): - if cert is None: - return None - - if 'domains' not in cert: - raise ConfigError("At least one domain name is required to" - " request a letsencrypt certificate.") - - if 'email' not in cert: - raise ConfigError("An email address is required to request" - " a letsencrypt certificate.") - -def generate(cert): - if cert is None: - return None - - # certbot will attempt to reload nginx, even with 'certonly'; - # start nginx if not active - if not is_systemd_service_running('nginx.service'): - call('systemctl start nginx.service') - - request_certbot(cert) - -def apply(cert): - if cert is not None: - call('systemctl restart certbot.timer') - else: - call('systemctl stop certbot.timer') - return None - - for dep in dependencies: - cmd(f'{vyos_conf_scripts_dir}/{dep}', raising=ConfigError) - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - sys.exit(1) - diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py deleted file mode 100755 index 3c647a0e8..000000000 --- a/src/conf_mode/lldp.py +++ /dev/null @@ -1,123 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2017-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.base import Warning -from vyos.config import Config -from vyos.utils.network import is_addr_assigned -from vyos.utils.network import is_loopback_addr -from vyos.version import get_version_data -from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos.template import render -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = "/etc/default/lldpd" -vyos_config_file = "/etc/lldpd.d/01-vyos.conf" -base = ['service', 'lldp'] - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - if not conf.exists(base): - return {} - - lldp = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - if conf.exists(['service', 'snmp']): - lldp['system_snmp_enabled'] = '' - - version_data = get_version_data() - lldp['version'] = version_data['version'] - - # prune location information if not set by user - for interface in lldp.get('interface', []): - if lldp.from_defaults(['interface', interface, 'location']): - del lldp['interface'][interface]['location'] - elif lldp.from_defaults(['interface', interface, 'location','coordinate_based']): - del lldp['interface'][interface]['location']['coordinate_based'] - - return lldp - -def verify(lldp): - # bail out early - looks like removal from running config - if lldp is None: - return - - if 'management_address' in lldp: - for address in lldp['management_address']: - message = f'LLDP management address "{address}" is invalid' - if is_loopback_addr(address): - Warning(f'{message} - loopback address') - elif not is_addr_assigned(address): - Warning(f'{message} - not assigned to any interface') - - if 'interface' in lldp: - for interface, interface_config in lldp['interface'].items(): - # bail out early if no location info present in interface config - if 'location' not in interface_config: - continue - if 'coordinate_based' in interface_config['location']: - if not {'latitude', 'latitude'} <= set(interface_config['location']['coordinate_based']): - raise ConfigError(f'Must define both longitude and latitude for "{interface}" location!') - - # check options - if 'snmp' in lldp: - if 'system_snmp_enabled' not in lldp: - raise ConfigError('SNMP must be configured to enable LLDP SNMP!') - - -def generate(lldp): - # bail out early - looks like removal from running config - if lldp is None: - return - - render(config_file, 'lldp/lldpd.j2', lldp) - render(vyos_config_file, 'lldp/vyos.conf.j2', lldp) - -def apply(lldp): - systemd_service = 'lldpd.service' - if lldp: - # start/restart lldp service - call(f'systemctl restart {systemd_service}') - else: - # LLDP service has been terminated - call(f'systemctl stop {systemd_service}') - if os.path.isfile(config_file): - os.unlink(config_file) - if os.path.isfile(vyos_config_file): - os.unlink(vyos_config_file) - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/load-balancing-haproxy.py b/src/conf_mode/load-balancing-haproxy.py deleted file mode 100755 index 333ebc66c..000000000 --- a/src/conf_mode/load-balancing-haproxy.py +++ /dev/null @@ -1,169 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from shutil import rmtree - -from vyos.config import Config -from vyos.utils.process import call -from vyos.utils.network import check_port_availability -from vyos.utils.network import is_listen_port_bind_service -from vyos.pki import wrap_certificate -from vyos.pki import wrap_private_key -from vyos.template import render -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -load_balancing_dir = '/run/haproxy' -load_balancing_conf_file = f'{load_balancing_dir}/haproxy.cfg' -systemd_service = 'haproxy.service' -systemd_override = r'/run/systemd/system/haproxy.service.d/10-override.conf' - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['load-balancing', 'reverse-proxy'] - lb = conf.get_config_dict(base, - get_first_key=True, - key_mangling=('-', '_'), - no_tag_node_value_mangle=True) - - if lb: - lb['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - if lb: - lb = conf.merge_defaults(lb, recursive=True) - - return lb - - -def verify(lb): - if not lb: - return None - - if 'backend' not in lb or 'service' not in lb: - raise ConfigError(f'"service" and "backend" must be configured!') - - for front, front_config in lb['service'].items(): - if 'port' not in front_config: - raise ConfigError(f'"{front} service port" must be configured!') - - # Check if bind address:port are used by another service - tmp_address = front_config.get('address', '0.0.0.0') - tmp_port = front_config['port'] - if check_port_availability(tmp_address, int(tmp_port), 'tcp') is not True and \ - not is_listen_port_bind_service(int(tmp_port), 'haproxy'): - raise ConfigError(f'"TCP" port "{tmp_port}" is used by another service') - - for back, back_config in lb['backend'].items(): - if 'server' not in back_config: - raise ConfigError(f'"{back} server" must be configured!') - for bk_server, bk_server_conf in back_config['server'].items(): - if 'address' not in bk_server_conf or 'port' not in bk_server_conf: - raise ConfigError(f'"backend {back} server {bk_server} address and port" must be configured!') - - if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf): - raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"') - -def generate(lb): - if not lb: - # Delete /run/haproxy/haproxy.cfg - config_files = [load_balancing_conf_file, systemd_override] - for file in config_files: - if os.path.isfile(file): - os.unlink(file) - # Delete old directories - if os.path.isdir(load_balancing_dir): - rmtree(load_balancing_dir, ignore_errors=True) - - return None - - # Create load-balance dir - if not os.path.isdir(load_balancing_dir): - os.mkdir(load_balancing_dir) - - # SSL Certificates for frontend - for front, front_config in lb['service'].items(): - if 'ssl' in front_config: - - if 'certificate' in front_config['ssl']: - cert_names = front_config['ssl']['certificate'] - - for cert_name in cert_names: - pki_cert = lb['pki']['certificate'][cert_name] - cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem') - cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key') - - with open(cert_file_path, 'w') as f: - f.write(wrap_certificate(pki_cert['certificate'])) - - if 'private' in pki_cert and 'key' in pki_cert['private']: - with open(cert_key_path, 'w') as f: - f.write(wrap_private_key(pki_cert['private']['key'])) - - if 'ca_certificate' in front_config['ssl']: - ca_name = front_config['ssl']['ca_certificate'] - pki_ca_cert = lb['pki']['ca'][ca_name] - ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem') - - with open(ca_cert_file_path, 'w') as f: - f.write(wrap_certificate(pki_ca_cert['certificate'])) - - # SSL Certificates for backend - for back, back_config in lb['backend'].items(): - if 'ssl' in back_config: - - if 'ca_certificate' in back_config['ssl']: - ca_name = back_config['ssl']['ca_certificate'] - pki_ca_cert = lb['pki']['ca'][ca_name] - ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem') - - with open(ca_cert_file_path, 'w') as f: - f.write(wrap_certificate(pki_ca_cert['certificate'])) - - render(load_balancing_conf_file, 'load-balancing/haproxy.cfg.j2', lb) - render(systemd_override, 'load-balancing/override_haproxy.conf.j2', lb) - - return None - - -def apply(lb): - call('systemctl daemon-reload') - if not lb: - call(f'systemctl stop {systemd_service}') - else: - call(f'systemctl reload-or-restart {systemd_service}') - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/load-balancing-wan.py b/src/conf_mode/load-balancing-wan.py deleted file mode 100755 index 5da0b906b..000000000 --- a/src/conf_mode/load-balancing-wan.py +++ /dev/null @@ -1,151 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from shutil import rmtree - -from vyos.base import Warning -from vyos.config import Config -from vyos.configdep import set_dependents, call_dependents -from vyos.utils.process import cmd -from vyos.template import render -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -load_balancing_dir = '/run/load-balance' -load_balancing_conf_file = f'{load_balancing_dir}/wlb.conf' -systemd_service = 'vyos-wan-load-balance.service' - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['load-balancing', 'wan'] - lb = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - # prune limit key if not set by user - for rule in lb.get('rule', []): - if lb.from_defaults(['rule', rule, 'limit']): - del lb['rule'][rule]['limit'] - - set_dependents('conntrack', conf) - - return lb - - -def verify(lb): - if not lb: - return None - - if 'interface_health' not in lb: - raise ConfigError( - 'A valid WAN load-balance configuration requires an interface with a nexthop!' - ) - - for interface, interface_config in lb['interface_health'].items(): - if 'nexthop' not in interface_config: - raise ConfigError( - f'interface-health {interface} nexthop must be specified!') - - if 'test' in interface_config: - for test_rule, test_config in interface_config['test'].items(): - if 'type' in test_config: - if test_config['type'] == 'user-defined' and 'test_script' not in test_config: - raise ConfigError( - f'test {test_rule} script must be defined for test-script!' - ) - - if 'rule' not in lb: - Warning( - 'At least one rule with an (outbound) interface must be defined for WAN load balancing to be active!' - ) - else: - for rule, rule_config in lb['rule'].items(): - if 'inbound_interface' not in rule_config: - raise ConfigError(f'rule {rule} inbound-interface must be specified!') - if {'failover', 'exclude'} <= set(rule_config): - raise ConfigError(f'rule {rule} failover cannot be configured with exclude!') - if {'limit', 'exclude'} <= set(rule_config): - raise ConfigError(f'rule {rule} limit cannot be used with exclude!') - if 'interface' not in rule_config: - if 'exclude' not in rule_config: - Warning( - f'rule {rule} will be inactive because no (outbound) interfaces have been defined for this rule' - ) - for direction in {'source', 'destination'}: - if direction in rule_config: - if 'protocol' in rule_config and 'port' in rule_config[ - direction]: - if rule_config['protocol'] not in {'tcp', 'udp'}: - raise ConfigError('ports can only be specified when protocol is "tcp" or "udp"') - - -def generate(lb): - if not lb: - # Delete /run/load-balance/wlb.conf - if os.path.isfile(load_balancing_conf_file): - os.unlink(load_balancing_conf_file) - # Delete old directories - if os.path.isdir(load_balancing_dir): - rmtree(load_balancing_dir, ignore_errors=True) - if os.path.exists('/var/run/load-balance/wlb.out'): - os.unlink('/var/run/load-balance/wlb.out') - - return None - - # Create load-balance dir - if not os.path.isdir(load_balancing_dir): - os.mkdir(load_balancing_dir) - - render(load_balancing_conf_file, 'load-balancing/wlb.conf.j2', lb) - - return None - - -def apply(lb): - if not lb: - try: - cmd(f'systemctl stop {systemd_service}') - except Exception as e: - print(f"Error message: {e}") - - else: - cmd('sudo sysctl -w net.netfilter.nf_conntrack_acct=1') - cmd(f'systemctl restart {systemd_service}') - - call_dependents() - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py new file mode 100755 index 000000000..333ebc66c --- /dev/null +++ b/src/conf_mode/load-balancing_reverse-proxy.py @@ -0,0 +1,169 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from shutil import rmtree + +from vyos.config import Config +from vyos.utils.process import call +from vyos.utils.network import check_port_availability +from vyos.utils.network import is_listen_port_bind_service +from vyos.pki import wrap_certificate +from vyos.pki import wrap_private_key +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +load_balancing_dir = '/run/haproxy' +load_balancing_conf_file = f'{load_balancing_dir}/haproxy.cfg' +systemd_service = 'haproxy.service' +systemd_override = r'/run/systemd/system/haproxy.service.d/10-override.conf' + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['load-balancing', 'reverse-proxy'] + lb = conf.get_config_dict(base, + get_first_key=True, + key_mangling=('-', '_'), + no_tag_node_value_mangle=True) + + if lb: + lb['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + if lb: + lb = conf.merge_defaults(lb, recursive=True) + + return lb + + +def verify(lb): + if not lb: + return None + + if 'backend' not in lb or 'service' not in lb: + raise ConfigError(f'"service" and "backend" must be configured!') + + for front, front_config in lb['service'].items(): + if 'port' not in front_config: + raise ConfigError(f'"{front} service port" must be configured!') + + # Check if bind address:port are used by another service + tmp_address = front_config.get('address', '0.0.0.0') + tmp_port = front_config['port'] + if check_port_availability(tmp_address, int(tmp_port), 'tcp') is not True and \ + not is_listen_port_bind_service(int(tmp_port), 'haproxy'): + raise ConfigError(f'"TCP" port "{tmp_port}" is used by another service') + + for back, back_config in lb['backend'].items(): + if 'server' not in back_config: + raise ConfigError(f'"{back} server" must be configured!') + for bk_server, bk_server_conf in back_config['server'].items(): + if 'address' not in bk_server_conf or 'port' not in bk_server_conf: + raise ConfigError(f'"backend {back} server {bk_server} address and port" must be configured!') + + if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf): + raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"') + +def generate(lb): + if not lb: + # Delete /run/haproxy/haproxy.cfg + config_files = [load_balancing_conf_file, systemd_override] + for file in config_files: + if os.path.isfile(file): + os.unlink(file) + # Delete old directories + if os.path.isdir(load_balancing_dir): + rmtree(load_balancing_dir, ignore_errors=True) + + return None + + # Create load-balance dir + if not os.path.isdir(load_balancing_dir): + os.mkdir(load_balancing_dir) + + # SSL Certificates for frontend + for front, front_config in lb['service'].items(): + if 'ssl' in front_config: + + if 'certificate' in front_config['ssl']: + cert_names = front_config['ssl']['certificate'] + + for cert_name in cert_names: + pki_cert = lb['pki']['certificate'][cert_name] + cert_file_path = os.path.join(load_balancing_dir, f'{cert_name}.pem') + cert_key_path = os.path.join(load_balancing_dir, f'{cert_name}.pem.key') + + with open(cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_cert['certificate'])) + + if 'private' in pki_cert and 'key' in pki_cert['private']: + with open(cert_key_path, 'w') as f: + f.write(wrap_private_key(pki_cert['private']['key'])) + + if 'ca_certificate' in front_config['ssl']: + ca_name = front_config['ssl']['ca_certificate'] + pki_ca_cert = lb['pki']['ca'][ca_name] + ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem') + + with open(ca_cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_ca_cert['certificate'])) + + # SSL Certificates for backend + for back, back_config in lb['backend'].items(): + if 'ssl' in back_config: + + if 'ca_certificate' in back_config['ssl']: + ca_name = back_config['ssl']['ca_certificate'] + pki_ca_cert = lb['pki']['ca'][ca_name] + ca_cert_file_path = os.path.join(load_balancing_dir, f'{ca_name}.pem') + + with open(ca_cert_file_path, 'w') as f: + f.write(wrap_certificate(pki_ca_cert['certificate'])) + + render(load_balancing_conf_file, 'load-balancing/haproxy.cfg.j2', lb) + render(systemd_override, 'load-balancing/override_haproxy.conf.j2', lb) + + return None + + +def apply(lb): + call('systemctl daemon-reload') + if not lb: + call(f'systemctl stop {systemd_service}') + else: + call(f'systemctl reload-or-restart {systemd_service}') + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/load-balancing_wan.py b/src/conf_mode/load-balancing_wan.py new file mode 100755 index 000000000..5da0b906b --- /dev/null +++ b/src/conf_mode/load-balancing_wan.py @@ -0,0 +1,151 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from shutil import rmtree + +from vyos.base import Warning +from vyos.config import Config +from vyos.configdep import set_dependents, call_dependents +from vyos.utils.process import cmd +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +load_balancing_dir = '/run/load-balance' +load_balancing_conf_file = f'{load_balancing_dir}/wlb.conf' +systemd_service = 'vyos-wan-load-balance.service' + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['load-balancing', 'wan'] + lb = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + # prune limit key if not set by user + for rule in lb.get('rule', []): + if lb.from_defaults(['rule', rule, 'limit']): + del lb['rule'][rule]['limit'] + + set_dependents('conntrack', conf) + + return lb + + +def verify(lb): + if not lb: + return None + + if 'interface_health' not in lb: + raise ConfigError( + 'A valid WAN load-balance configuration requires an interface with a nexthop!' + ) + + for interface, interface_config in lb['interface_health'].items(): + if 'nexthop' not in interface_config: + raise ConfigError( + f'interface-health {interface} nexthop must be specified!') + + if 'test' in interface_config: + for test_rule, test_config in interface_config['test'].items(): + if 'type' in test_config: + if test_config['type'] == 'user-defined' and 'test_script' not in test_config: + raise ConfigError( + f'test {test_rule} script must be defined for test-script!' + ) + + if 'rule' not in lb: + Warning( + 'At least one rule with an (outbound) interface must be defined for WAN load balancing to be active!' + ) + else: + for rule, rule_config in lb['rule'].items(): + if 'inbound_interface' not in rule_config: + raise ConfigError(f'rule {rule} inbound-interface must be specified!') + if {'failover', 'exclude'} <= set(rule_config): + raise ConfigError(f'rule {rule} failover cannot be configured with exclude!') + if {'limit', 'exclude'} <= set(rule_config): + raise ConfigError(f'rule {rule} limit cannot be used with exclude!') + if 'interface' not in rule_config: + if 'exclude' not in rule_config: + Warning( + f'rule {rule} will be inactive because no (outbound) interfaces have been defined for this rule' + ) + for direction in {'source', 'destination'}: + if direction in rule_config: + if 'protocol' in rule_config and 'port' in rule_config[ + direction]: + if rule_config['protocol'] not in {'tcp', 'udp'}: + raise ConfigError('ports can only be specified when protocol is "tcp" or "udp"') + + +def generate(lb): + if not lb: + # Delete /run/load-balance/wlb.conf + if os.path.isfile(load_balancing_conf_file): + os.unlink(load_balancing_conf_file) + # Delete old directories + if os.path.isdir(load_balancing_dir): + rmtree(load_balancing_dir, ignore_errors=True) + if os.path.exists('/var/run/load-balance/wlb.out'): + os.unlink('/var/run/load-balance/wlb.out') + + return None + + # Create load-balance dir + if not os.path.isdir(load_balancing_dir): + os.mkdir(load_balancing_dir) + + render(load_balancing_conf_file, 'load-balancing/wlb.conf.j2', lb) + + return None + + +def apply(lb): + if not lb: + try: + cmd(f'systemctl stop {systemd_service}') + except Exception as e: + print(f"Error message: {e}") + + else: + cmd('sudo sysctl -w net.netfilter.nf_conntrack_acct=1') + cmd(f'systemctl restart {systemd_service}') + + call_dependents() + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py deleted file mode 100755 index 1cc23a7df..000000000 --- a/src/conf_mode/ntp.py +++ /dev/null @@ -1,136 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from vyos.config import Config -from vyos.configdict import is_node_changed -from vyos.configverify import verify_vrf -from vyos.configverify import verify_interface_exists -from vyos.utils.process import call -from vyos.utils.permission import chmod_750 -from vyos.utils.network import get_interface_config -from vyos.template import render -from vyos.template import is_ipv4 -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = r'/run/chrony/chrony.conf' -systemd_override = r'/run/systemd/system/chrony.service.d/override.conf' -user_group = '_chrony' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'ntp'] - if not conf.exists(base): - return None - - ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - ntp['config_file'] = config_file - ntp['user'] = user_group - - tmp = is_node_changed(conf, base + ['vrf']) - if tmp: ntp.update({'restart_required': {}}) - - return ntp - -def verify(ntp): - # bail out early - looks like removal from running config - if not ntp: - return None - - if 'server' not in ntp: - raise ConfigError('NTP server not configured') - - verify_vrf(ntp) - - if 'interface' in ntp: - # If ntpd should listen on a given interface, ensure it exists - interface = ntp['interface'] - verify_interface_exists(interface) - - # If we run in a VRF, our interface must belong to this VRF, too - if 'vrf' in ntp: - tmp = get_interface_config(interface) - vrf_name = ntp['vrf'] - if 'master' not in tmp or tmp['master'] != vrf_name: - raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\ - f'does not belong to this VRF!') - - if 'listen_address' in ntp: - ipv4_addresses = 0 - ipv6_addresses = 0 - for address in ntp['listen_address']: - if is_ipv4(address): - ipv4_addresses += 1 - else: - ipv6_addresses += 1 - if ipv4_addresses > 1: - raise ConfigError(f'NTP Only admits one ipv4 value for listen-address parameter ') - if ipv6_addresses > 1: - raise ConfigError(f'NTP Only admits one ipv6 value for listen-address parameter ') - - return None - -def generate(ntp): - # bail out early - looks like removal from running config - if not ntp: - return None - - render(config_file, 'chrony/chrony.conf.j2', ntp, user=user_group, group=user_group) - render(systemd_override, 'chrony/override.conf.j2', ntp, user=user_group, group=user_group) - - # Ensure proper permission for chrony command socket - config_dir = os.path.dirname(config_file) - chmod_750(config_dir) - - return None - -def apply(ntp): - systemd_service = 'chrony.service' - # Reload systemd manager configuration - call('systemctl daemon-reload') - - if not ntp: - # NTP support is removed in the commit - call(f'systemctl stop {systemd_service}') - if os.path.exists(config_file): - os.unlink(config_file) - if os.path.isfile(systemd_override): - os.unlink(systemd_override) - return - - # we need to restart the service if e.g. the VRF name changed - systemd_action = 'reload-or-restart' - if 'restart_required' in ntp: - systemd_action = 'restart' - - call(f'systemctl {systemd_action} {systemd_service}') - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py index 34ba2fe69..f7e14aa16 100755 --- a/src/conf_mode/pki.py +++ b/src/conf_mode/pki.py @@ -36,22 +36,22 @@ sync_search = [ { 'keys': ['certificate'], 'path': ['service', 'https'], - 'script': '/usr/libexec/vyos/conf_mode/https.py' + 'script': '/usr/libexec/vyos/conf_mode/service_https.py' }, { 'keys': ['certificate', 'ca_certificate'], 'path': ['interfaces', 'ethernet'], - 'script': '/usr/libexec/vyos/conf_mode/interfaces-ethernet.py' + 'script': '/usr/libexec/vyos/conf_mode/interfaces_ethernet.py' }, { 'keys': ['certificate', 'ca_certificate', 'dh_params', 'shared_secret_key', 'auth_key', 'crypt_key'], 'path': ['interfaces', 'openvpn'], - 'script': '/usr/libexec/vyos/conf_mode/interfaces-openvpn.py' + 'script': '/usr/libexec/vyos/conf_mode/interfaces_openvpn.py' }, { 'keys': ['ca_certificate'], 'path': ['interfaces', 'sstpc'], - 'script': '/usr/libexec/vyos/conf_mode/interfaces-sstpc.py' + 'script': '/usr/libexec/vyos/conf_mode/interfaces_sstpc.py' }, { 'keys': ['certificate', 'ca_certificate', 'local_key', 'remote_key'], diff --git a/src/conf_mode/policy-local-route.py b/src/conf_mode/policy-local-route.py deleted file mode 100755 index 91e4fce2c..000000000 --- a/src/conf_mode/policy-local-route.py +++ /dev/null @@ -1,315 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from itertools import product -from sys import exit - -from netifaces import interfaces -from vyos.config import Config -from vyos.configdict import dict_merge -from vyos.configdict import node_changed -from vyos.configdict import leaf_node_changed -from vyos.template import render -from vyos.utils.process import call -from vyos import ConfigError -from vyos import airbag -airbag.enable() - - -def get_config(config=None): - - if config: - conf = config - else: - conf = Config() - base = ['policy'] - - pbr = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - for route in ['local_route', 'local_route6']: - dict_id = 'rule_remove' if route == 'local_route' else 'rule6_remove' - route_key = 'local-route' if route == 'local_route' else 'local-route6' - base_rule = base + [route_key, 'rule'] - - # delete policy local-route - dict = {} - tmp = node_changed(conf, base_rule, key_mangling=('-', '_')) - if tmp: - for rule in (tmp or []): - src = leaf_node_changed(conf, base_rule + [rule, 'source', 'address']) - src_port = leaf_node_changed(conf, base_rule + [rule, 'source', 'port']) - fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark']) - iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface']) - dst = leaf_node_changed(conf, base_rule + [rule, 'destination', 'address']) - dst_port = leaf_node_changed(conf, base_rule + [rule, 'destination', 'port']) - table = leaf_node_changed(conf, base_rule + [rule, 'set', 'table']) - proto = leaf_node_changed(conf, base_rule + [rule, 'protocol']) - rule_def = {} - if src: - rule_def = dict_merge({'source': {'address': src}}, rule_def) - if src_port: - rule_def = dict_merge({'source': {'port': src_port}}, rule_def) - if fwmk: - rule_def = dict_merge({'fwmark' : fwmk}, rule_def) - if iif: - rule_def = dict_merge({'inbound_interface' : iif}, rule_def) - if dst: - rule_def = dict_merge({'destination': {'address': dst}}, rule_def) - if dst_port: - rule_def = dict_merge({'destination': {'port': dst_port}}, rule_def) - if table: - rule_def = dict_merge({'table' : table}, rule_def) - if proto: - rule_def = dict_merge({'protocol' : proto}, rule_def) - dict = dict_merge({dict_id : {rule : rule_def}}, dict) - pbr.update(dict) - - if not route in pbr: - continue - - # delete policy local-route rule x source x.x.x.x - # delete policy local-route rule x fwmark x - # delete policy local-route rule x destination x.x.x.x - if 'rule' in pbr[route]: - for rule, rule_config in pbr[route]['rule'].items(): - src = leaf_node_changed(conf, base_rule + [rule, 'source', 'address']) - src_port = leaf_node_changed(conf, base_rule + [rule, 'source', 'port']) - fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark']) - iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface']) - dst = leaf_node_changed(conf, base_rule + [rule, 'destination', 'address']) - dst_port = leaf_node_changed(conf, base_rule + [rule, 'destination', 'port']) - table = leaf_node_changed(conf, base_rule + [rule, 'set', 'table']) - proto = leaf_node_changed(conf, base_rule + [rule, 'protocol']) - # keep track of changes in configuration - # otherwise we might remove an existing node although nothing else has changed - changed = False - - rule_def = {} - # src is None if there are no changes to src - if src is None: - # if src hasn't changed, include it in the removal selector - # if a new selector is added, we have to remove all previous rules without this selector - # to make sure we remove all previous rules with this source(s), it will be included - if 'source' in rule_config: - if 'address' in rule_config['source']: - rule_def = dict_merge({'source': {'address': rule_config['source']['address']}}, rule_def) - else: - # if src is not None, it's previous content will be returned - # this can be an empty array if it's just being set, or the previous value - # either way, something has to be changed and we only want to remove previous values - changed = True - # set the old value for removal if it's not empty - if len(src) > 0: - rule_def = dict_merge({'source': {'address': src}}, rule_def) - - # source port - if src_port is None: - if 'source' in rule_config: - if 'port' in rule_config['source']: - tmp = rule_config['source']['port'] - if isinstance(tmp, str): - tmp = [tmp] - rule_def = dict_merge({'source': {'port': tmp}}, rule_def) - else: - changed = True - if len(src_port) > 0: - rule_def = dict_merge({'source': {'port': src_port}}, rule_def) - - # fwmark - if fwmk is None: - if 'fwmark' in rule_config: - tmp = rule_config['fwmark'] - if isinstance(tmp, str): - tmp = [tmp] - rule_def = dict_merge({'fwmark': tmp}, rule_def) - else: - changed = True - if len(fwmk) > 0: - rule_def = dict_merge({'fwmark' : fwmk}, rule_def) - - # inbound-interface - if iif is None: - if 'inbound_interface' in rule_config: - rule_def = dict_merge({'inbound_interface': rule_config['inbound_interface']}, rule_def) - else: - changed = True - if len(iif) > 0: - rule_def = dict_merge({'inbound_interface' : iif}, rule_def) - - # destination address - if dst is None: - if 'destination' in rule_config: - if 'address' in rule_config['destination']: - rule_def = dict_merge({'destination': {'address': rule_config['destination']['address']}}, rule_def) - else: - changed = True - if len(dst) > 0: - rule_def = dict_merge({'destination': {'address': dst}}, rule_def) - - # destination port - if dst_port is None: - if 'destination' in rule_config: - if 'port' in rule_config['destination']: - tmp = rule_config['destination']['port'] - if isinstance(tmp, str): - tmp = [tmp] - rule_def = dict_merge({'destination': {'port': tmp}}, rule_def) - else: - changed = True - if len(dst_port) > 0: - rule_def = dict_merge({'destination': {'port': dst_port}}, rule_def) - - # table - if table is None: - if 'set' in rule_config and 'table' in rule_config['set']: - rule_def = dict_merge({'table': [rule_config['set']['table']]}, rule_def) - else: - changed = True - if len(table) > 0: - rule_def = dict_merge({'table' : table}, rule_def) - - # protocol - if proto is None: - if 'protocol' in rule_config: - tmp = rule_config['protocol'] - if isinstance(tmp, str): - tmp = [tmp] - rule_def = dict_merge({'protocol': tmp}, rule_def) - else: - changed = True - if len(proto) > 0: - rule_def = dict_merge({'protocol' : proto}, rule_def) - - if changed: - dict = dict_merge({dict_id : {rule : rule_def}}, dict) - pbr.update(dict) - - return pbr - -def verify(pbr): - # bail out early - looks like removal from running config - if not pbr: - return None - - for route in ['local_route', 'local_route6']: - if not route in pbr: - continue - - pbr_route = pbr[route] - if 'rule' in pbr_route: - for rule in pbr_route['rule']: - if ( - 'source' not in pbr_route['rule'][rule] and - 'destination' not in pbr_route['rule'][rule] and - 'fwmark' not in pbr_route['rule'][rule] and - 'inbound_interface' not in pbr_route['rule'][rule] and - 'protocol' not in pbr_route['rule'][rule] - ): - raise ConfigError('Source or destination address or fwmark or inbound-interface or protocol is required!') - - if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']: - raise ConfigError('Table set is required!') - - if 'inbound_interface' in pbr_route['rule'][rule]: - interface = pbr_route['rule'][rule]['inbound_interface'] - if interface not in interfaces(): - raise ConfigError(f'Interface "{interface}" does not exist') - - return None - -def generate(pbr): - if not pbr: - return None - - return None - -def apply(pbr): - if not pbr: - return None - - # Delete old rule if needed - for rule_rm in ['rule_remove', 'rule6_remove']: - if rule_rm in pbr: - v6 = " -6" if rule_rm == 'rule6_remove' else "" - - for rule, rule_config in pbr[rule_rm].items(): - source = rule_config.get('source', {}).get('address', ['']) - source_port = rule_config.get('source', {}).get('port', ['']) - destination = rule_config.get('destination', {}).get('address', ['']) - destination_port = rule_config.get('destination', {}).get('port', ['']) - fwmark = rule_config.get('fwmark', ['']) - inbound_interface = rule_config.get('inbound_interface', ['']) - protocol = rule_config.get('protocol', ['']) - table = rule_config.get('table', ['']) - - for src, dst, src_port, dst_port, fwmk, iif, proto, table in product( - source, destination, source_port, destination_port, - fwmark, inbound_interface, protocol, table): - f_src = '' if src == '' else f' from {src} ' - f_src_port = '' if src_port == '' else f' sport {src_port} ' - f_dst = '' if dst == '' else f' to {dst} ' - f_dst_port = '' if dst_port == '' else f' dport {dst_port} ' - f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} ' - f_iif = '' if iif == '' else f' iif {iif} ' - f_proto = '' if proto == '' else f' ipproto {proto} ' - f_table = '' if table == '' else f' lookup {table} ' - - call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_proto}{f_src_port}{f_dst_port}{f_fwmk}{f_iif}{f_table}') - - # Generate new config - for route in ['local_route', 'local_route6']: - if not route in pbr: - continue - - v6 = " -6" if route == 'local_route6' else "" - pbr_route = pbr[route] - - if 'rule' in pbr_route: - for rule, rule_config in pbr_route['rule'].items(): - table = rule_config['set'].get('table', '') - source = rule_config.get('source', {}).get('address', ['all']) - source_port = rule_config.get('source', {}).get('port', '') - destination = rule_config.get('destination', {}).get('address', ['all']) - destination_port = rule_config.get('destination', {}).get('port', '') - fwmark = rule_config.get('fwmark', '') - inbound_interface = rule_config.get('inbound_interface', '') - protocol = rule_config.get('protocol', '') - - for src in source: - f_src = f' from {src} ' if src else '' - for dst in destination: - f_dst = f' to {dst} ' if dst else '' - f_src_port = f' sport {source_port} ' if source_port else '' - f_dst_port = f' dport {destination_port} ' if destination_port else '' - f_fwmk = f' fwmark {fwmark} ' if fwmark else '' - f_iif = f' iif {inbound_interface} ' if inbound_interface else '' - f_proto = f' ipproto {protocol} ' if protocol else '' - - call(f'ip{v6} rule add prio {rule}{f_src}{f_dst}{f_proto}{f_src_port}{f_dst_port}{f_fwmk}{f_iif} lookup {table}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py deleted file mode 100755 index adad012de..000000000 --- a/src/conf_mode/policy-route.py +++ /dev/null @@ -1,195 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2021-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from json import loads -from sys import exit - -from vyos.base import Warning -from vyos.config import Config -from vyos.template import render -from vyos.utils.dict import dict_search_args -from vyos.utils.process import cmd -from vyos.utils.process import run -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -mark_offset = 0x7FFFFFFF -nftables_conf = '/run/nftables_policy.conf' - -valid_groups = [ - 'address_group', - 'domain_group', - 'network_group', - 'port_group', - 'interface_group' -] - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['policy'] - - policy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) - - policy['firewall_group'] = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) - - return policy - -def verify_rule(policy, name, rule_conf, ipv6, rule_id): - icmp = 'icmp' if not ipv6 else 'icmpv6' - if icmp in rule_conf: - icmp_defined = False - if 'type_name' in rule_conf[icmp]: - icmp_defined = True - if 'code' in rule_conf[icmp] or 'type' in rule_conf[icmp]: - raise ConfigError(f'{name} rule {rule_id}: Cannot use ICMP type/code with ICMP type-name') - if 'code' in rule_conf[icmp]: - icmp_defined = True - if 'type' not in rule_conf[icmp]: - raise ConfigError(f'{name} rule {rule_id}: ICMP code can only be defined if ICMP type is defined') - if 'type' in rule_conf[icmp]: - icmp_defined = True - - if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp: - raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP') - - if 'set' in rule_conf: - if 'tcp_mss' in rule_conf['set']: - tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags') - if not tcp_flags or 'syn' not in tcp_flags: - raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS') - - tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags') - if tcp_flags: - if dict_search_args(rule_conf, 'protocol') != 'tcp': - raise ConfigError('Protocol must be tcp when specifying tcp flags') - - not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not') - if not_flags: - duplicates = [flag for flag in tcp_flags if flag in not_flags] - if duplicates: - raise ConfigError(f'Cannot match a tcp flag as set and not set') - - for side in ['destination', 'source']: - if side in rule_conf: - side_conf = rule_conf[side] - - if 'group' in side_conf: - if len({'address_group', 'domain_group', 'network_group'} & set(side_conf['group'])) > 1: - raise ConfigError('Only one address-group, domain-group or network-group can be specified') - - for group in valid_groups: - if group in side_conf['group']: - group_name = side_conf['group'][group] - - if group_name.startswith('!'): - group_name = group_name[1:] - - fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group - error_group = fw_group.replace("_", "-") - group_obj = dict_search_args(policy['firewall_group'], fw_group, group_name) - - if group_obj is None: - raise ConfigError(f'Invalid {error_group} "{group_name}" on policy route rule') - - if not group_obj: - Warning(f'{error_group} "{group_name}" has no members') - - if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'): - if 'protocol' not in rule_conf: - raise ConfigError('Protocol must be defined if specifying a port or port-group') - - if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']: - raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group') - -def verify(policy): - for route in ['route', 'route6']: - ipv6 = route == 'route6' - if route in policy: - for name, pol_conf in policy[route].items(): - if 'rule' in pol_conf: - for rule_id, rule_conf in pol_conf['rule'].items(): - verify_rule(policy, name, rule_conf, ipv6, rule_id) - - return None - -def generate(policy): - if not os.path.exists(nftables_conf): - policy['first_install'] = True - - render(nftables_conf, 'firewall/nftables-policy.j2', policy) - return None - -def apply_table_marks(policy): - for route in ['route', 'route6']: - if route in policy: - cmd_str = 'ip' if route == 'route' else 'ip -6' - tables = [] - for name, pol_conf in policy[route].items(): - if 'rule' in pol_conf: - for rule_id, rule_conf in pol_conf['rule'].items(): - set_table = dict_search_args(rule_conf, 'set', 'table') - if set_table: - if set_table == 'main': - set_table = '254' - if set_table in tables: - continue - tables.append(set_table) - table_mark = mark_offset - int(set_table) - cmd(f'{cmd_str} rule add pref {set_table} fwmark {table_mark} table {set_table}') - -def cleanup_table_marks(): - for cmd_str in ['ip', 'ip -6']: - json_rules = cmd(f'{cmd_str} -j -N rule list') - rules = loads(json_rules) - for rule in rules: - if 'fwmark' not in rule or 'table' not in rule: - continue - fwmark = rule['fwmark'] - table = int(rule['table']) - if fwmark[:2] == '0x': - fwmark = int(fwmark, 16) - if (int(fwmark) == (mark_offset - table)): - cmd(f'{cmd_str} rule del fwmark {fwmark} table {table}') - -def apply(policy): - install_result = run(f'nft -f {nftables_conf}') - if install_result == 1: - raise ConfigError('Failed to apply policy based routing') - - if 'first_install' not in policy: - cleanup_table_marks() - - apply_table_marks(policy) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/policy_local-route.py b/src/conf_mode/policy_local-route.py new file mode 100755 index 000000000..91e4fce2c --- /dev/null +++ b/src/conf_mode/policy_local-route.py @@ -0,0 +1,315 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from itertools import product +from sys import exit + +from netifaces import interfaces +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configdict import node_changed +from vyos.configdict import leaf_node_changed +from vyos.template import render +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag +airbag.enable() + + +def get_config(config=None): + + if config: + conf = config + else: + conf = Config() + base = ['policy'] + + pbr = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + for route in ['local_route', 'local_route6']: + dict_id = 'rule_remove' if route == 'local_route' else 'rule6_remove' + route_key = 'local-route' if route == 'local_route' else 'local-route6' + base_rule = base + [route_key, 'rule'] + + # delete policy local-route + dict = {} + tmp = node_changed(conf, base_rule, key_mangling=('-', '_')) + if tmp: + for rule in (tmp or []): + src = leaf_node_changed(conf, base_rule + [rule, 'source', 'address']) + src_port = leaf_node_changed(conf, base_rule + [rule, 'source', 'port']) + fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark']) + iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface']) + dst = leaf_node_changed(conf, base_rule + [rule, 'destination', 'address']) + dst_port = leaf_node_changed(conf, base_rule + [rule, 'destination', 'port']) + table = leaf_node_changed(conf, base_rule + [rule, 'set', 'table']) + proto = leaf_node_changed(conf, base_rule + [rule, 'protocol']) + rule_def = {} + if src: + rule_def = dict_merge({'source': {'address': src}}, rule_def) + if src_port: + rule_def = dict_merge({'source': {'port': src_port}}, rule_def) + if fwmk: + rule_def = dict_merge({'fwmark' : fwmk}, rule_def) + if iif: + rule_def = dict_merge({'inbound_interface' : iif}, rule_def) + if dst: + rule_def = dict_merge({'destination': {'address': dst}}, rule_def) + if dst_port: + rule_def = dict_merge({'destination': {'port': dst_port}}, rule_def) + if table: + rule_def = dict_merge({'table' : table}, rule_def) + if proto: + rule_def = dict_merge({'protocol' : proto}, rule_def) + dict = dict_merge({dict_id : {rule : rule_def}}, dict) + pbr.update(dict) + + if not route in pbr: + continue + + # delete policy local-route rule x source x.x.x.x + # delete policy local-route rule x fwmark x + # delete policy local-route rule x destination x.x.x.x + if 'rule' in pbr[route]: + for rule, rule_config in pbr[route]['rule'].items(): + src = leaf_node_changed(conf, base_rule + [rule, 'source', 'address']) + src_port = leaf_node_changed(conf, base_rule + [rule, 'source', 'port']) + fwmk = leaf_node_changed(conf, base_rule + [rule, 'fwmark']) + iif = leaf_node_changed(conf, base_rule + [rule, 'inbound-interface']) + dst = leaf_node_changed(conf, base_rule + [rule, 'destination', 'address']) + dst_port = leaf_node_changed(conf, base_rule + [rule, 'destination', 'port']) + table = leaf_node_changed(conf, base_rule + [rule, 'set', 'table']) + proto = leaf_node_changed(conf, base_rule + [rule, 'protocol']) + # keep track of changes in configuration + # otherwise we might remove an existing node although nothing else has changed + changed = False + + rule_def = {} + # src is None if there are no changes to src + if src is None: + # if src hasn't changed, include it in the removal selector + # if a new selector is added, we have to remove all previous rules without this selector + # to make sure we remove all previous rules with this source(s), it will be included + if 'source' in rule_config: + if 'address' in rule_config['source']: + rule_def = dict_merge({'source': {'address': rule_config['source']['address']}}, rule_def) + else: + # if src is not None, it's previous content will be returned + # this can be an empty array if it's just being set, or the previous value + # either way, something has to be changed and we only want to remove previous values + changed = True + # set the old value for removal if it's not empty + if len(src) > 0: + rule_def = dict_merge({'source': {'address': src}}, rule_def) + + # source port + if src_port is None: + if 'source' in rule_config: + if 'port' in rule_config['source']: + tmp = rule_config['source']['port'] + if isinstance(tmp, str): + tmp = [tmp] + rule_def = dict_merge({'source': {'port': tmp}}, rule_def) + else: + changed = True + if len(src_port) > 0: + rule_def = dict_merge({'source': {'port': src_port}}, rule_def) + + # fwmark + if fwmk is None: + if 'fwmark' in rule_config: + tmp = rule_config['fwmark'] + if isinstance(tmp, str): + tmp = [tmp] + rule_def = dict_merge({'fwmark': tmp}, rule_def) + else: + changed = True + if len(fwmk) > 0: + rule_def = dict_merge({'fwmark' : fwmk}, rule_def) + + # inbound-interface + if iif is None: + if 'inbound_interface' in rule_config: + rule_def = dict_merge({'inbound_interface': rule_config['inbound_interface']}, rule_def) + else: + changed = True + if len(iif) > 0: + rule_def = dict_merge({'inbound_interface' : iif}, rule_def) + + # destination address + if dst is None: + if 'destination' in rule_config: + if 'address' in rule_config['destination']: + rule_def = dict_merge({'destination': {'address': rule_config['destination']['address']}}, rule_def) + else: + changed = True + if len(dst) > 0: + rule_def = dict_merge({'destination': {'address': dst}}, rule_def) + + # destination port + if dst_port is None: + if 'destination' in rule_config: + if 'port' in rule_config['destination']: + tmp = rule_config['destination']['port'] + if isinstance(tmp, str): + tmp = [tmp] + rule_def = dict_merge({'destination': {'port': tmp}}, rule_def) + else: + changed = True + if len(dst_port) > 0: + rule_def = dict_merge({'destination': {'port': dst_port}}, rule_def) + + # table + if table is None: + if 'set' in rule_config and 'table' in rule_config['set']: + rule_def = dict_merge({'table': [rule_config['set']['table']]}, rule_def) + else: + changed = True + if len(table) > 0: + rule_def = dict_merge({'table' : table}, rule_def) + + # protocol + if proto is None: + if 'protocol' in rule_config: + tmp = rule_config['protocol'] + if isinstance(tmp, str): + tmp = [tmp] + rule_def = dict_merge({'protocol': tmp}, rule_def) + else: + changed = True + if len(proto) > 0: + rule_def = dict_merge({'protocol' : proto}, rule_def) + + if changed: + dict = dict_merge({dict_id : {rule : rule_def}}, dict) + pbr.update(dict) + + return pbr + +def verify(pbr): + # bail out early - looks like removal from running config + if not pbr: + return None + + for route in ['local_route', 'local_route6']: + if not route in pbr: + continue + + pbr_route = pbr[route] + if 'rule' in pbr_route: + for rule in pbr_route['rule']: + if ( + 'source' not in pbr_route['rule'][rule] and + 'destination' not in pbr_route['rule'][rule] and + 'fwmark' not in pbr_route['rule'][rule] and + 'inbound_interface' not in pbr_route['rule'][rule] and + 'protocol' not in pbr_route['rule'][rule] + ): + raise ConfigError('Source or destination address or fwmark or inbound-interface or protocol is required!') + + if 'set' not in pbr_route['rule'][rule] or 'table' not in pbr_route['rule'][rule]['set']: + raise ConfigError('Table set is required!') + + if 'inbound_interface' in pbr_route['rule'][rule]: + interface = pbr_route['rule'][rule]['inbound_interface'] + if interface not in interfaces(): + raise ConfigError(f'Interface "{interface}" does not exist') + + return None + +def generate(pbr): + if not pbr: + return None + + return None + +def apply(pbr): + if not pbr: + return None + + # Delete old rule if needed + for rule_rm in ['rule_remove', 'rule6_remove']: + if rule_rm in pbr: + v6 = " -6" if rule_rm == 'rule6_remove' else "" + + for rule, rule_config in pbr[rule_rm].items(): + source = rule_config.get('source', {}).get('address', ['']) + source_port = rule_config.get('source', {}).get('port', ['']) + destination = rule_config.get('destination', {}).get('address', ['']) + destination_port = rule_config.get('destination', {}).get('port', ['']) + fwmark = rule_config.get('fwmark', ['']) + inbound_interface = rule_config.get('inbound_interface', ['']) + protocol = rule_config.get('protocol', ['']) + table = rule_config.get('table', ['']) + + for src, dst, src_port, dst_port, fwmk, iif, proto, table in product( + source, destination, source_port, destination_port, + fwmark, inbound_interface, protocol, table): + f_src = '' if src == '' else f' from {src} ' + f_src_port = '' if src_port == '' else f' sport {src_port} ' + f_dst = '' if dst == '' else f' to {dst} ' + f_dst_port = '' if dst_port == '' else f' dport {dst_port} ' + f_fwmk = '' if fwmk == '' else f' fwmark {fwmk} ' + f_iif = '' if iif == '' else f' iif {iif} ' + f_proto = '' if proto == '' else f' ipproto {proto} ' + f_table = '' if table == '' else f' lookup {table} ' + + call(f'ip{v6} rule del prio {rule} {f_src}{f_dst}{f_proto}{f_src_port}{f_dst_port}{f_fwmk}{f_iif}{f_table}') + + # Generate new config + for route in ['local_route', 'local_route6']: + if not route in pbr: + continue + + v6 = " -6" if route == 'local_route6' else "" + pbr_route = pbr[route] + + if 'rule' in pbr_route: + for rule, rule_config in pbr_route['rule'].items(): + table = rule_config['set'].get('table', '') + source = rule_config.get('source', {}).get('address', ['all']) + source_port = rule_config.get('source', {}).get('port', '') + destination = rule_config.get('destination', {}).get('address', ['all']) + destination_port = rule_config.get('destination', {}).get('port', '') + fwmark = rule_config.get('fwmark', '') + inbound_interface = rule_config.get('inbound_interface', '') + protocol = rule_config.get('protocol', '') + + for src in source: + f_src = f' from {src} ' if src else '' + for dst in destination: + f_dst = f' to {dst} ' if dst else '' + f_src_port = f' sport {source_port} ' if source_port else '' + f_dst_port = f' dport {destination_port} ' if destination_port else '' + f_fwmk = f' fwmark {fwmark} ' if fwmark else '' + f_iif = f' iif {inbound_interface} ' if inbound_interface else '' + f_proto = f' ipproto {protocol} ' if protocol else '' + + call(f'ip{v6} rule add prio {rule}{f_src}{f_dst}{f_proto}{f_src_port}{f_dst_port}{f_fwmk}{f_iif} lookup {table}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/policy_route.py b/src/conf_mode/policy_route.py new file mode 100755 index 000000000..adad012de --- /dev/null +++ b/src/conf_mode/policy_route.py @@ -0,0 +1,195 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from json import loads +from sys import exit + +from vyos.base import Warning +from vyos.config import Config +from vyos.template import render +from vyos.utils.dict import dict_search_args +from vyos.utils.process import cmd +from vyos.utils.process import run +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +mark_offset = 0x7FFFFFFF +nftables_conf = '/run/nftables_policy.conf' + +valid_groups = [ + 'address_group', + 'domain_group', + 'network_group', + 'port_group', + 'interface_group' +] + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['policy'] + + policy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, + no_tag_node_value_mangle=True) + + policy['firewall_group'] = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'), get_first_key=True, + no_tag_node_value_mangle=True) + + return policy + +def verify_rule(policy, name, rule_conf, ipv6, rule_id): + icmp = 'icmp' if not ipv6 else 'icmpv6' + if icmp in rule_conf: + icmp_defined = False + if 'type_name' in rule_conf[icmp]: + icmp_defined = True + if 'code' in rule_conf[icmp] or 'type' in rule_conf[icmp]: + raise ConfigError(f'{name} rule {rule_id}: Cannot use ICMP type/code with ICMP type-name') + if 'code' in rule_conf[icmp]: + icmp_defined = True + if 'type' not in rule_conf[icmp]: + raise ConfigError(f'{name} rule {rule_id}: ICMP code can only be defined if ICMP type is defined') + if 'type' in rule_conf[icmp]: + icmp_defined = True + + if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp: + raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP') + + if 'set' in rule_conf: + if 'tcp_mss' in rule_conf['set']: + tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags') + if not tcp_flags or 'syn' not in tcp_flags: + raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS') + + tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags') + if tcp_flags: + if dict_search_args(rule_conf, 'protocol') != 'tcp': + raise ConfigError('Protocol must be tcp when specifying tcp flags') + + not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not') + if not_flags: + duplicates = [flag for flag in tcp_flags if flag in not_flags] + if duplicates: + raise ConfigError(f'Cannot match a tcp flag as set and not set') + + for side in ['destination', 'source']: + if side in rule_conf: + side_conf = rule_conf[side] + + if 'group' in side_conf: + if len({'address_group', 'domain_group', 'network_group'} & set(side_conf['group'])) > 1: + raise ConfigError('Only one address-group, domain-group or network-group can be specified') + + for group in valid_groups: + if group in side_conf['group']: + group_name = side_conf['group'][group] + + if group_name.startswith('!'): + group_name = group_name[1:] + + fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group + error_group = fw_group.replace("_", "-") + group_obj = dict_search_args(policy['firewall_group'], fw_group, group_name) + + if group_obj is None: + raise ConfigError(f'Invalid {error_group} "{group_name}" on policy route rule') + + if not group_obj: + Warning(f'{error_group} "{group_name}" has no members') + + if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'): + if 'protocol' not in rule_conf: + raise ConfigError('Protocol must be defined if specifying a port or port-group') + + if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']: + raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group') + +def verify(policy): + for route in ['route', 'route6']: + ipv6 = route == 'route6' + if route in policy: + for name, pol_conf in policy[route].items(): + if 'rule' in pol_conf: + for rule_id, rule_conf in pol_conf['rule'].items(): + verify_rule(policy, name, rule_conf, ipv6, rule_id) + + return None + +def generate(policy): + if not os.path.exists(nftables_conf): + policy['first_install'] = True + + render(nftables_conf, 'firewall/nftables-policy.j2', policy) + return None + +def apply_table_marks(policy): + for route in ['route', 'route6']: + if route in policy: + cmd_str = 'ip' if route == 'route' else 'ip -6' + tables = [] + for name, pol_conf in policy[route].items(): + if 'rule' in pol_conf: + for rule_id, rule_conf in pol_conf['rule'].items(): + set_table = dict_search_args(rule_conf, 'set', 'table') + if set_table: + if set_table == 'main': + set_table = '254' + if set_table in tables: + continue + tables.append(set_table) + table_mark = mark_offset - int(set_table) + cmd(f'{cmd_str} rule add pref {set_table} fwmark {table_mark} table {set_table}') + +def cleanup_table_marks(): + for cmd_str in ['ip', 'ip -6']: + json_rules = cmd(f'{cmd_str} -j -N rule list') + rules = loads(json_rules) + for rule in rules: + if 'fwmark' not in rule or 'table' not in rule: + continue + fwmark = rule['fwmark'] + table = int(rule['table']) + if fwmark[:2] == '0x': + fwmark = int(fwmark, 16) + if (int(fwmark) == (mark_offset - table)): + cmd(f'{cmd_str} rule del fwmark {fwmark} table {table}') + +def apply(policy): + install_result = run(f'nft -f {nftables_conf}') + if install_result == 1: + raise ConfigError('Failed to apply policy based routing') + + if 'first_install' not in policy: + cleanup_table_marks() + + apply_table_marks(policy) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/protocols_igmp-proxy.py b/src/conf_mode/protocols_igmp-proxy.py new file mode 100755 index 000000000..40db417dd --- /dev/null +++ b/src/conf_mode/protocols_igmp-proxy.py @@ -0,0 +1,113 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from netifaces import interfaces + +from vyos.base import Warning +from vyos.config import Config +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.dict import dict_search +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = r'/etc/igmpproxy.conf' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['protocols', 'igmp-proxy'] + igmp_proxy = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_defaults=True) + + if conf.exists(['protocols', 'igmp']): + igmp_proxy.update({'igmp_configured': ''}) + + if conf.exists(['protocols', 'pim']): + igmp_proxy.update({'pim_configured': ''}) + + return igmp_proxy + +def verify(igmp_proxy): + # bail out early - looks like removal from running config + if not igmp_proxy or 'disable' in igmp_proxy: + return None + + if 'igmp_configured' in igmp_proxy or 'pim_configured' in igmp_proxy: + raise ConfigError('Can not configure both IGMP proxy and PIM '\ + 'at the same time') + + # at least two interfaces are required, one upstream and one downstream + if 'interface' not in igmp_proxy or len(igmp_proxy['interface']) < 2: + raise ConfigError('Must define exactly one upstream and at least one ' \ + 'downstream interface!') + + upstream = 0 + for interface, config in igmp_proxy['interface'].items(): + if interface not in interfaces(): + raise ConfigError(f'Interface "{interface}" does not exist') + if dict_search('role', config) == 'upstream': + upstream += 1 + + if upstream == 0: + raise ConfigError('At least 1 upstream interface is required!') + elif upstream > 1: + raise ConfigError('Only 1 upstream interface allowed!') + + return None + +def generate(igmp_proxy): + # bail out early - looks like removal from running config + if not igmp_proxy: + return None + + # bail out early - service is disabled, but inform user + if 'disable' in igmp_proxy: + Warning('IGMP Proxy will be deactivated because it is disabled') + return None + + render(config_file, 'igmp-proxy/igmpproxy.conf.j2', igmp_proxy) + + return None + +def apply(igmp_proxy): + if not igmp_proxy or 'disable' in igmp_proxy: + # IGMP Proxy support is removed in the commit + call('systemctl stop igmpproxy.service') + if os.path.exists(config_file): + os.unlink(config_file) + else: + call('systemctl restart igmpproxy.service') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/protocols_segment-routing.py b/src/conf_mode/protocols_segment-routing.py new file mode 100755 index 000000000..d865c2ac0 --- /dev/null +++ b/src/conf_mode/protocols_segment-routing.py @@ -0,0 +1,118 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import node_changed +from vyos.template import render_to_string +from vyos.utils.dict import dict_search +from vyos.utils.system import sysctl_write +from vyos import ConfigError +from vyos import frr +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['protocols', 'segment-routing'] + sr = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True, + with_recursive_defaults=True) + + # FRR has VRF support for different routing daemons. As interfaces belong + # to VRFs - or the global VRF, we need to check for changed interfaces so + # that they will be properly rendered for the FRR config. Also this eases + # removal of interfaces from the running configuration. + interfaces_removed = node_changed(conf, base + ['interface']) + if interfaces_removed: + sr['interface_removed'] = list(interfaces_removed) + + import pprint + pprint.pprint(sr) + return sr + +def verify(sr): + if 'srv6' in sr: + srv6_enable = False + if 'interface' in sr: + for interface, interface_config in sr['interface'].items(): + if 'srv6' in interface_config: + srv6_enable = True + break + if not srv6_enable: + raise ConfigError('SRv6 should be enabled on at least one interface!') + return None + +def generate(sr): + if not sr: + return None + + sr['new_frr_config'] = render_to_string('frr/zebra.segment_routing.frr.j2', sr) + return None + +def apply(sr): + zebra_daemon = 'zebra' + + if 'interface_removed' in sr: + for interface in sr['interface_removed']: + # Disable processing of IPv6-SR packets + sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0') + + if 'interface' in sr: + for interface, interface_config in sr['interface'].items(): + # Accept or drop SR-enabled IPv6 packets on this interface + if 'srv6' in interface_config: + sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '1') + # Define HMAC policy for ingress SR-enabled packets on this interface + # It's a redundant check as HMAC has a default value - but better safe + # then sorry + tmp = dict_search('srv6.hmac', interface_config) + if tmp == 'accept': + sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '0') + elif tmp == 'drop': + sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '1') + elif tmp == 'ignore': + sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '-1') + else: + sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0') + + # Save original configuration prior to starting any commit actions + frr_cfg = frr.FRRConfig() + frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'^segment-routing') + if 'new_frr_config' in sr: + frr_cfg.add_before(frr.default_add_before, sr['new_frr_config']) + frr_cfg.commit_configuration(zebra_daemon) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/protocols_segment_routing.py b/src/conf_mode/protocols_segment_routing.py deleted file mode 100755 index d865c2ac0..000000000 --- a/src/conf_mode/protocols_segment_routing.py +++ /dev/null @@ -1,118 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.config import Config -from vyos.configdict import node_changed -from vyos.template import render_to_string -from vyos.utils.dict import dict_search -from vyos.utils.system import sysctl_write -from vyos import ConfigError -from vyos import frr -from vyos import airbag -airbag.enable() - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['protocols', 'segment-routing'] - sr = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True, - with_recursive_defaults=True) - - # FRR has VRF support for different routing daemons. As interfaces belong - # to VRFs - or the global VRF, we need to check for changed interfaces so - # that they will be properly rendered for the FRR config. Also this eases - # removal of interfaces from the running configuration. - interfaces_removed = node_changed(conf, base + ['interface']) - if interfaces_removed: - sr['interface_removed'] = list(interfaces_removed) - - import pprint - pprint.pprint(sr) - return sr - -def verify(sr): - if 'srv6' in sr: - srv6_enable = False - if 'interface' in sr: - for interface, interface_config in sr['interface'].items(): - if 'srv6' in interface_config: - srv6_enable = True - break - if not srv6_enable: - raise ConfigError('SRv6 should be enabled on at least one interface!') - return None - -def generate(sr): - if not sr: - return None - - sr['new_frr_config'] = render_to_string('frr/zebra.segment_routing.frr.j2', sr) - return None - -def apply(sr): - zebra_daemon = 'zebra' - - if 'interface_removed' in sr: - for interface in sr['interface_removed']: - # Disable processing of IPv6-SR packets - sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0') - - if 'interface' in sr: - for interface, interface_config in sr['interface'].items(): - # Accept or drop SR-enabled IPv6 packets on this interface - if 'srv6' in interface_config: - sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '1') - # Define HMAC policy for ingress SR-enabled packets on this interface - # It's a redundant check as HMAC has a default value - but better safe - # then sorry - tmp = dict_search('srv6.hmac', interface_config) - if tmp == 'accept': - sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '0') - elif tmp == 'drop': - sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '1') - elif tmp == 'ignore': - sysctl_write(f'net.ipv6.conf.{interface}.seg6_require_hmac', '-1') - else: - sysctl_write(f'net.ipv6.conf.{interface}.seg6_enabled', '0') - - # Save original configuration prior to starting any commit actions - frr_cfg = frr.FRRConfig() - frr_cfg.load_configuration(zebra_daemon) - frr_cfg.modify_section(r'^segment-routing') - if 'new_frr_config' in sr: - frr_cfg.add_before(frr.default_add_before, sr['new_frr_config']) - frr_cfg.commit_configuration(zebra_daemon) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/protocols_static_arp.py b/src/conf_mode/protocols_static_arp.py new file mode 100755 index 000000000..b141f1141 --- /dev/null +++ b/src/conf_mode/protocols_static_arp.py @@ -0,0 +1,74 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import node_changed +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['protocols', 'static', 'arp'] + arp = conf.get_config_dict(base, get_first_key=True) + + if 'interface' in arp: + for interface in arp['interface']: + tmp = node_changed(conf, base + ['interface', interface, 'address'], recursive=True) + if tmp: arp['interface'][interface].update({'address_old' : tmp}) + + return arp + +def verify(arp): + pass + +def generate(arp): + pass + +def apply(arp): + if not arp: + return None + + if 'interface' in arp: + for interface, interface_config in arp['interface'].items(): + # Delete old static ARP assignments first + if 'address_old' in interface_config: + for address in interface_config['address_old']: + call(f'ip neigh del {address} dev {interface}') + + # Add new static ARP entries to interface + if 'address' not in interface_config: + continue + for address, address_config in interface_config['address'].items(): + mac = address_config['mac'] + call(f'ip neigh replace {address} lladdr {mac} dev {interface}') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py deleted file mode 100755 index a8fce8e01..000000000 --- a/src/conf_mode/salt-minion.py +++ /dev/null @@ -1,118 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from socket import gethostname -from sys import exit -from urllib3 import PoolManager - -from vyos.base import Warning -from vyos.config import Config -from vyos.configverify import verify_interface_exists -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.permission import chown -from vyos import ConfigError - -from vyos import airbag -airbag.enable() - -config_file = r'/etc/salt/minion' -master_keyfile = r'/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub' - -user='minion' -group='vyattacfg' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'salt-minion'] - - if not conf.exists(base): - return None - - salt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # ID default is dynamic thus we can not use defaults() - if 'id' not in salt: - salt['id'] = gethostname() - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - salt = conf.merge_defaults(salt, recursive=True) - - if not conf.exists(base): - return None - else: - conf.set_level(base) - - return salt - -def verify(salt): - if not salt: - return None - - if 'hash' in salt and salt['hash'] == 'sha1': - Warning('Do not use sha1 hashing algorithm, upgrade to sha256 or later!') - - if 'source_interface' in salt: - verify_interface_exists(salt['source_interface']) - - return None - -def generate(salt): - if not salt: - return None - - render(config_file, 'salt-minion/minion.j2', salt, user=user, group=group) - - if not os.path.exists(master_keyfile): - if 'master_key' in salt: - req = PoolManager().request('GET', salt['master_key'], preload_content=False) - with open(master_keyfile, 'wb') as f: - while True: - data = req.read(1024) - if not data: - break - f.write(data) - - req.release_conn() - chown(master_keyfile, user, group) - - return None - -def apply(salt): - service_name = 'salt-minion.service' - if not salt: - # Salt removed from running config - call(f'systemctl stop {service_name}') - if os.path.exists(config_file): - os.unlink(config_file) - else: - call(f'systemctl restart {service_name}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/service_broadcast-relay.py b/src/conf_mode/service_broadcast-relay.py new file mode 100755 index 000000000..31c552f5a --- /dev/null +++ b/src/conf_mode/service_broadcast-relay.py @@ -0,0 +1,111 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2017-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from glob import glob +from netifaces import AF_INET +from sys import exit + +from vyos.config import Config +from vyos.configverify import verify_interface_exists +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.network import is_afi_configured +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file_base = r'/etc/default/udp-broadcast-relay' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'broadcast-relay'] + + relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + return relay + +def verify(relay): + if not relay or 'disabled' in relay: + return None + + for instance, config in relay.get('id', {}).items(): + # we don't have to check this instance when it's disabled + if 'disabled' in config: + continue + + # we certainly require a UDP port to listen to + if 'port' not in config: + raise ConfigError(f'Port number is mandatory for UDP broadcast relay "{instance}"') + + # Relaying data without two interface is kinda senseless ... + if len(config.get('interface', [])) < 2: + raise ConfigError('At least two interfaces are required for UDP broadcast relay "{instance}"') + + for interface in config.get('interface', []): + verify_interface_exists(interface) + if not is_afi_configured(interface, AF_INET): + raise ConfigError(f'Interface "{interface}" has no IPv4 address configured!') + + return None + +def generate(relay): + if not relay or 'disabled' in relay: + return None + + for config in glob(config_file_base + '*'): + os.remove(config) + + for instance, config in relay.get('id').items(): + # we don't have to check this instance when it's disabled + if 'disabled' in config: + continue + + config['instance'] = instance + render(config_file_base + instance, 'bcast-relay/udp-broadcast-relay.j2', + config) + + return None + +def apply(relay): + # first stop all running services + call('systemctl stop udp-broadcast-relay@*.service') + + if not relay or 'disable' in relay: + return None + + # start only required service instances + for instance, config in relay.get('id').items(): + # we don't have to check this instance when it's disabled + if 'disabled' in config: + continue + + call(f'systemctl start udp-broadcast-relay@{instance}.service') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_config-sync.py b/src/conf_mode/service_config-sync.py new file mode 100755 index 000000000..4b8a7f6ee --- /dev/null +++ b/src/conf_mode/service_config-sync.py @@ -0,0 +1,105 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import json +from pathlib import Path + +from vyos.config import Config +from vyos import ConfigError +from vyos import airbag + +airbag.enable() + + +service_conf = Path(f'/run/config_sync_conf.conf') +post_commit_dir = '/run/scripts/commit/post-hooks.d' +post_commit_file_src = '/usr/libexec/vyos/vyos_config_sync.py' +post_commit_file = f'{post_commit_dir}/vyos_config_sync' + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['service', 'config-sync'] + if not conf.exists(base): + return None + config = conf.get_config_dict(base, get_first_key=True, + with_recursive_defaults=True) + + return config + + +def verify(config): + # bail out early - looks like removal from running config + if not config: + return None + + if 'mode' not in config: + raise ConfigError(f'config-sync mode is mandatory!') + + for option in ['secondary', 'section']: + if option not in config: + raise ConfigError(f"config-sync '{option}' is not configured!") + + if 'address' not in config['secondary']: + raise ConfigError(f'secondary address is mandatory!') + if 'key' not in config['secondary']: + raise ConfigError(f'secondary key is mandatory!') + + +def generate(config): + if not config: + + if os.path.exists(post_commit_file): + os.unlink(post_commit_file) + + if service_conf.exists(): + service_conf.unlink() + + return None + + # Write configuration file + conf_json = json.dumps(config, indent=4) + service_conf.write_text(conf_json) + + # Create post commit dir + if not os.path.isdir(post_commit_dir): + os.makedirs(post_commit_dir) + + # Symlink from helpers to post-commit + if not os.path.exists(post_commit_file): + os.symlink(post_commit_file_src, post_commit_file) + + return None + + +def apply(config): + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_config_sync.py b/src/conf_mode/service_config_sync.py deleted file mode 100755 index 4b8a7f6ee..000000000 --- a/src/conf_mode/service_config_sync.py +++ /dev/null @@ -1,105 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import json -from pathlib import Path - -from vyos.config import Config -from vyos import ConfigError -from vyos import airbag - -airbag.enable() - - -service_conf = Path(f'/run/config_sync_conf.conf') -post_commit_dir = '/run/scripts/commit/post-hooks.d' -post_commit_file_src = '/usr/libexec/vyos/vyos_config_sync.py' -post_commit_file = f'{post_commit_dir}/vyos_config_sync' - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['service', 'config-sync'] - if not conf.exists(base): - return None - config = conf.get_config_dict(base, get_first_key=True, - with_recursive_defaults=True) - - return config - - -def verify(config): - # bail out early - looks like removal from running config - if not config: - return None - - if 'mode' not in config: - raise ConfigError(f'config-sync mode is mandatory!') - - for option in ['secondary', 'section']: - if option not in config: - raise ConfigError(f"config-sync '{option}' is not configured!") - - if 'address' not in config['secondary']: - raise ConfigError(f'secondary address is mandatory!') - if 'key' not in config['secondary']: - raise ConfigError(f'secondary key is mandatory!') - - -def generate(config): - if not config: - - if os.path.exists(post_commit_file): - os.unlink(post_commit_file) - - if service_conf.exists(): - service_conf.unlink() - - return None - - # Write configuration file - conf_json = json.dumps(config, indent=4) - service_conf.write_text(conf_json) - - # Create post commit dir - if not os.path.isdir(post_commit_dir): - os.makedirs(post_commit_dir) - - # Symlink from helpers to post-commit - if not os.path.exists(post_commit_file): - os.symlink(post_commit_file_src, post_commit_file) - - return None - - -def apply(config): - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/service_conntrack-sync.py b/src/conf_mode/service_conntrack-sync.py new file mode 100755 index 000000000..4fb2ce27f --- /dev/null +++ b/src/conf_mode/service_conntrack-sync.py @@ -0,0 +1,141 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from vyos.config import Config +from vyos.configverify import verify_interface_exists +from vyos.utils.dict import dict_search +from vyos.utils.process import process_named_running +from vyos.utils.file import read_file +from vyos.utils.process import call +from vyos.utils.process import run +from vyos.template import render +from vyos.template import get_ipv4 +from vyos.utils.network import is_addr_assigned +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = '/run/conntrackd/conntrackd.conf' + +def resync_vrrp(): + tmp = run('/usr/libexec/vyos/conf_mode/high-availability.py') + if tmp > 0: + print('ERROR: error restarting VRRP daemon!') + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'conntrack-sync'] + if not conf.exists(base): + return None + + conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, with_defaults=True) + + conntrack['hash_size'] = read_file('/sys/module/nf_conntrack/parameters/hashsize') + conntrack['table_size'] = read_file('/proc/sys/net/netfilter/nf_conntrack_max') + + conntrack['vrrp'] = conf.get_config_dict(['high-availability', 'vrrp', 'sync-group'], + get_first_key=True) + + return conntrack + +def verify(conntrack): + if not conntrack: + return None + + if 'interface' not in conntrack: + raise ConfigError('Interface not defined!') + + has_peer = False + for interface, interface_config in conntrack['interface'].items(): + verify_interface_exists(interface) + # Interface must not only exist, it must also carry an IP address + if len(get_ipv4(interface)) < 1: + raise ConfigError(f'Interface {interface} requires an IP address!') + if 'peer' in interface_config: + has_peer = True + + # If one interface runs in unicast mode instead of multicast, so must all the + # others, else conntrackd will error out with: "cannot use UDP with other + # dedicated link protocols" + if has_peer: + for interface, interface_config in conntrack['interface'].items(): + if 'peer' not in interface_config: + raise ConfigError('Can not mix unicast and multicast mode!') + + if 'expect_sync' in conntrack: + if len(conntrack['expect_sync']) > 1 and 'all' in conntrack['expect_sync']: + raise ConfigError('Can not configure expect-sync "all" with other protocols!') + + if 'listen_address' in conntrack: + for address in conntrack['listen_address']: + if not is_addr_assigned(address): + raise ConfigError(f'Specified listen-address {address} not assigned to any interface!') + + vrrp_group = dict_search('failover_mechanism.vrrp.sync_group', conntrack) + if vrrp_group == None: + raise ConfigError(f'No VRRP sync-group defined!') + if vrrp_group not in conntrack['vrrp']: + raise ConfigError(f'VRRP sync-group {vrrp_group} not configured!') + + return None + +def generate(conntrack): + if not conntrack: + if os.path.isfile(config_file): + os.unlink(config_file) + return None + + render(config_file, 'conntrackd/conntrackd.conf.j2', conntrack) + + return None + +def apply(conntrack): + systemd_service = 'conntrackd.service' + if not conntrack: + # Failover mechanism daemon should be indicated that it no longer needs + # to execute conntrackd actions on transition. This is only required + # once when conntrackd is stopped and taken out of service! + if process_named_running('conntrackd'): + resync_vrrp() + + call(f'systemctl stop {systemd_service}') + return None + + # Failover mechanism daemon should be indicated that it needs to execute + # conntrackd actions on transition. This is only required once when conntrackd + # is started the first time! + if not process_named_running('conntrackd'): + resync_vrrp() + + call(f'systemctl reload-or-restart {systemd_service}') + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_dhcp-relay.py b/src/conf_mode/service_dhcp-relay.py new file mode 100755 index 000000000..37d708847 --- /dev/null +++ b/src/conf_mode/service_dhcp-relay.py @@ -0,0 +1,104 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.base import Warning +from vyos.config import Config +from vyos.template import render +from vyos.base import Warning +from vyos.utils.process import call +from vyos.utils.dict import dict_search +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = r'/run/dhcp-relay/dhcrelay.conf' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'dhcp-relay'] + if not conf.exists(base): + return None + + relay = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + return relay + +def verify(relay): + # bail out early - looks like removal from running config + if not relay or 'disable' in relay: + return None + + if 'lo' in (dict_search('interface', relay) or []): + raise ConfigError('DHCP relay does not support the loopback interface.') + + if 'server' not in relay : + raise ConfigError('No DHCP relay server(s) configured.\n' \ + 'At least one DHCP relay server required.') + + if 'interface' in relay: + Warning('DHCP relay interface is DEPRECATED - please use upstream-interface and listen-interface instead!') + if 'upstream_interface' in relay or 'listen_interface' in relay: + raise ConfigError(' configuration is not compatible with upstream/listen interface') + else: + Warning(' is going to be deprecated.\n' \ + 'Please use and ') + + if 'upstream_interface' in relay and 'listen_interface' not in relay: + raise ConfigError('No listen-interface configured') + if 'listen_interface' in relay and 'upstream_interface' not in relay: + raise ConfigError('No upstream-interface configured') + + return None + +def generate(relay): + # bail out early - looks like removal from running config + if not relay or 'disable' in relay: + return None + + render(config_file, 'dhcp-relay/dhcrelay.conf.j2', relay) + return None + +def apply(relay): + # bail out early - looks like removal from running config + service_name = 'isc-dhcp-relay.service' + if not relay or 'disable' in relay: + call(f'systemctl stop {service_name}') + if os.path.exists(config_file): + os.unlink(config_file) + return None + + call(f'systemctl restart {service_name}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_dhcp-server.py b/src/conf_mode/service_dhcp-server.py new file mode 100755 index 000000000..7ebc560ba --- /dev/null +++ b/src/conf_mode/service_dhcp-server.py @@ -0,0 +1,385 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from ipaddress import ip_address +from ipaddress import ip_network +from netaddr import IPRange +from sys import exit + +from vyos.config import Config +from vyos.pki import wrap_certificate +from vyos.pki import wrap_private_key +from vyos.template import render +from vyos.utils.dict import dict_search +from vyos.utils.dict import dict_search_args +from vyos.utils.file import chmod_775 +from vyos.utils.file import makedir +from vyos.utils.file import write_file +from vyos.utils.process import call +from vyos.utils.network import is_subnet_connected +from vyos.utils.network import is_addr_assigned +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +ctrl_config_file = '/run/kea/kea-ctrl-agent.conf' +ctrl_socket = '/run/kea/dhcp4-ctrl-socket' +config_file = '/run/kea/kea-dhcp4.conf' +lease_file = '/config/dhcp/dhcp4-leases.csv' +systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf' +user_group = '_kea' + +ca_cert_file = '/run/kea/kea-failover-ca.pem' +cert_file = '/run/kea/kea-failover.pem' +cert_key_file = '/run/kea/kea-failover-key.pem' + +def dhcp_slice_range(exclude_list, range_dict): + """ + This function is intended to slice a DHCP range. What does it mean? + + Lets assume we have a DHCP range from '192.0.2.1' to '192.0.2.100' + but want to exclude address '192.0.2.74' and '192.0.2.75'. We will + pass an input 'range_dict' in the format: + {'start' : '192.0.2.1', 'stop' : '192.0.2.100' } + and we will receive an output list of: + [{'start' : '192.0.2.1' , 'stop' : '192.0.2.73' }, + {'start' : '192.0.2.76', 'stop' : '192.0.2.100' }] + The resulting list can then be used in turn to build the proper dhcpd + configuration file. + """ + output = [] + # exclude list must be sorted for this to work + exclude_list = sorted(exclude_list) + range_start = range_dict['start'] + range_stop = range_dict['stop'] + range_last_exclude = '' + + for e in exclude_list: + if (ip_address(e) >= ip_address(range_start)) and \ + (ip_address(e) <= ip_address(range_stop)): + range_last_exclude = e + + for e in exclude_list: + if (ip_address(e) >= ip_address(range_start)) and \ + (ip_address(e) <= ip_address(range_stop)): + + # Build new address range ending one address before exclude address + r = { + 'start' : range_start, + 'stop' : str(ip_address(e) -1) + } + # On the next run our address range will start one address after + # the exclude address + range_start = str(ip_address(e) + 1) + + # on subsequent exclude addresses we can not + # append them to our output + if not (ip_address(r['start']) > ip_address(r['stop'])): + # Everything is fine, add range to result + output.append(r) + + # Take care of last IP address range spanning from the last exclude + # address (+1) to the end of the initial configured range + if ip_address(e) == ip_address(range_last_exclude): + r = { + 'start': str(ip_address(e) + 1), + 'stop': str(range_stop) + } + if not (ip_address(r['start']) > ip_address(r['stop'])): + output.append(r) + else: + # if the excluded address was not part of the range, we simply return + # the entire ranga again + if not range_last_exclude: + if range_dict not in output: + output.append(range_dict) + + return output + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'dhcp-server'] + if not conf.exists(base): + return None + + dhcp = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + if 'shared_network_name' in dhcp: + for network, network_config in dhcp['shared_network_name'].items(): + if 'subnet' in network_config: + for subnet, subnet_config in network_config['subnet'].items(): + # If exclude IP addresses are defined we need to slice them out of + # the defined ranges + if {'exclude', 'range'} <= set(subnet_config): + new_range_id = 0 + new_range_dict = {} + for r, r_config in subnet_config['range'].items(): + for slice in dhcp_slice_range(subnet_config['exclude'], r_config): + new_range_dict.update({new_range_id : slice}) + new_range_id +=1 + + dhcp['shared_network_name'][network]['subnet'][subnet].update( + {'range' : new_range_dict}) + + if dict_search('failover.certificate', dhcp): + dhcp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + + return dhcp + +def verify(dhcp): + # bail out early - looks like removal from running config + if not dhcp or 'disable' in dhcp: + return None + + # If DHCP is enabled we need one share-network + if 'shared_network_name' not in dhcp: + raise ConfigError('No DHCP shared networks configured.\n' \ + 'At least one DHCP shared network must be configured.') + + # Inspect shared-network/subnet + listen_ok = False + subnets = [] + failover_ok = False + shared_networks = len(dhcp['shared_network_name']) + disabled_shared_networks = 0 + + + # A shared-network requires a subnet definition + for network, network_config in dhcp['shared_network_name'].items(): + if 'disable' in network_config: + disabled_shared_networks += 1 + + if 'subnet' not in network_config: + raise ConfigError(f'No subnets defined for {network}. At least one\n' \ + 'lease subnet must be configured.') + + for subnet, subnet_config in network_config['subnet'].items(): + # All delivered static routes require a next-hop to be set + if 'static_route' in subnet_config: + for route, route_option in subnet_config['static_route'].items(): + if 'next_hop' not in route_option: + raise ConfigError(f'DHCP static-route "{route}" requires router to be defined!') + + # Check if DHCP address range is inside configured subnet declaration + if 'range' in subnet_config: + networks = [] + for range, range_config in subnet_config['range'].items(): + if not {'start', 'stop'} <= set(range_config): + raise ConfigError(f'DHCP range "{range}" start and stop address must be defined!') + + # Start/Stop address must be inside network + for key in ['start', 'stop']: + if ip_address(range_config[key]) not in ip_network(subnet): + raise ConfigError(f'DHCP range "{range}" {key} address not within shared-network "{network}, {subnet}"!') + + # Stop address must be greater or equal to start address + if ip_address(range_config['stop']) < ip_address(range_config['start']): + raise ConfigError(f'DHCP range "{range}" stop address must be greater or equal\n' \ + 'to the ranges start address!') + + for network in networks: + start = range_config['start'] + stop = range_config['stop'] + if start in network: + raise ConfigError(f'Range "{range}" start address "{start}" already part of another range!') + if stop in network: + raise ConfigError(f'Range "{range}" stop address "{stop}" already part of another range!') + + tmp = IPRange(range_config['start'], range_config['stop']) + networks.append(tmp) + + # Exclude addresses must be in bound + if 'exclude' in subnet_config: + for exclude in subnet_config['exclude']: + if ip_address(exclude) not in ip_network(subnet): + raise ConfigError(f'Excluded IP address "{exclude}" not within shared-network "{network}, {subnet}"!') + + # At least one DHCP address range or static-mapping required + if 'range' not in subnet_config and 'static_mapping' not in subnet_config: + raise ConfigError(f'No DHCP address range or active static-mapping configured\n' \ + f'within shared-network "{network}, {subnet}"!') + + if 'static_mapping' in subnet_config: + # Static mappings require just a MAC address (will use an IP from the dynamic pool if IP is not set) + for mapping, mapping_config in subnet_config['static_mapping'].items(): + if 'ip_address' in mapping_config: + if ip_address(mapping_config['ip_address']) not in ip_network(subnet): + raise ConfigError(f'Configured static lease address for mapping "{mapping}" is\n' \ + f'not within shared-network "{network}, {subnet}"!') + + if ('mac' not in mapping_config and 'duid' not in mapping_config) or \ + ('mac' in mapping_config and 'duid' in mapping_config): + raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for ' + f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!') + + # There must be one subnet connected to a listen interface. + # This only counts if the network itself is not disabled! + if 'disable' not in network_config: + if is_subnet_connected(subnet, primary=False): + listen_ok = True + + # Subnets must be non overlapping + if subnet in subnets: + raise ConfigError(f'Configured subnets must be unique! Subnet "{subnet}"\n' + 'defined multiple times!') + subnets.append(subnet) + + # Check for overlapping subnets + net = ip_network(subnet) + for n in subnets: + net2 = ip_network(n) + if (net != net2): + if net.overlaps(net2): + raise ConfigError(f'Conflicting subnet ranges: "{net}" overlaps "{net2}"!') + + # Prevent 'disable' for shared-network if only one network is configured + if (shared_networks - disabled_shared_networks) < 1: + raise ConfigError(f'At least one shared network must be active!') + + if 'failover' in dhcp: + for key in ['name', 'remote', 'source_address', 'status']: + if key not in dhcp['failover']: + tmp = key.replace('_', '-') + raise ConfigError(f'DHCP failover requires "{tmp}" to be specified!') + + if len({'certificate', 'ca_certificate'} & set(dhcp['failover'])) == 1: + raise ConfigError(f'DHCP secured failover requires both certificate and CA certificate') + + if 'certificate' in dhcp['failover']: + cert_name = dhcp['failover']['certificate'] + + if cert_name not in dhcp['pki']['certificate']: + raise ConfigError(f'Invalid certificate specified for DHCP failover') + + if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'certificate'): + raise ConfigError(f'Invalid certificate specified for DHCP failover') + + if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'private', 'key'): + raise ConfigError(f'Missing private key on certificate specified for DHCP failover') + + if 'ca_certificate' in dhcp['failover']: + ca_cert_name = dhcp['failover']['ca_certificate'] + if ca_cert_name not in dhcp['pki']['ca']: + raise ConfigError(f'Invalid CA certificate specified for DHCP failover') + + if not dict_search_args(dhcp['pki']['ca'], ca_cert_name, 'certificate'): + raise ConfigError(f'Invalid CA certificate specified for DHCP failover') + + for address in (dict_search('listen_address', dhcp) or []): + if is_addr_assigned(address): + listen_ok = True + # no need to probe further networks, we have one that is valid + continue + else: + raise ConfigError(f'listen-address "{address}" not configured on any interface') + + + if not listen_ok: + raise ConfigError('None of the configured subnets have an appropriate primary IP address on any\n' + 'broadcast interface configured, nor was there an explicit listen-address\n' + 'configured for serving DHCP relay packets!') + + return None + +def generate(dhcp): + # bail out early - looks like removal from running config + if not dhcp or 'disable' in dhcp: + return None + + dhcp['lease_file'] = lease_file + dhcp['machine'] = os.uname().machine + + # Create directory for lease file if necessary + lease_dir = os.path.dirname(lease_file) + if not os.path.isdir(lease_dir): + makedir(lease_dir, group='vyattacfg') + chmod_775(lease_dir) + + # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way + if not os.path.exists(lease_file): + write_file(lease_file, '', user=user_group, group=user_group, mode=0o644) + + for f in [cert_file, cert_key_file, ca_cert_file]: + if os.path.exists(f): + os.unlink(f) + + if 'failover' in dhcp: + if 'certificate' in dhcp['failover']: + cert_name = dhcp['failover']['certificate'] + cert_data = dhcp['pki']['certificate'][cert_name]['certificate'] + key_data = dhcp['pki']['certificate'][cert_name]['private']['key'] + write_file(cert_file, wrap_certificate(cert_data), user=user_group, mode=0o600) + write_file(cert_key_file, wrap_private_key(key_data), user=user_group, mode=0o600) + + dhcp['failover']['cert_file'] = cert_file + dhcp['failover']['cert_key_file'] = cert_key_file + + if 'ca_certificate' in dhcp['failover']: + ca_cert_name = dhcp['failover']['ca_certificate'] + ca_cert_data = dhcp['pki']['ca'][ca_cert_name]['certificate'] + write_file(ca_cert_file, wrap_certificate(ca_cert_data), user=user_group, mode=0o600) + + dhcp['failover']['ca_cert_file'] = ca_cert_file + + render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp) + + render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp, user=user_group, group=user_group) + render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp, user=user_group, group=user_group) + + return None + +def apply(dhcp): + services = ['kea-ctrl-agent', 'kea-dhcp4-server', 'kea-dhcp-ddns-server'] + + if not dhcp or 'disable' in dhcp: + for service in services: + call(f'systemctl stop {service}.service') + + if os.path.exists(config_file): + os.unlink(config_file) + + return None + + for service in services: + action = 'restart' + + if service == 'kea-dhcp-ddns-server' and 'dynamic_dns_update' not in dhcp: + action = 'stop' + + if service == 'kea-ctrl-agent' and 'failover' not in dhcp: + action = 'stop' + + call(f'systemctl {action} {service}.service') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_dhcpv6-relay.py b/src/conf_mode/service_dhcpv6-relay.py new file mode 100755 index 000000000..6537ca3c2 --- /dev/null +++ b/src/conf_mode/service_dhcpv6-relay.py @@ -0,0 +1,106 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.ifconfig import Interface +from vyos.template import render +from vyos.template import is_ipv6 +from vyos.utils.process import call +from vyos.utils.network import is_ipv6_link_local +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = '/run/dhcp-relay/dhcrelay6.conf' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'dhcpv6-relay'] + if not conf.exists(base): + return None + + relay = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + return relay + +def verify(relay): + # bail out early - looks like removal from running config + if not relay or 'disable' in relay: + return None + + if 'upstream_interface' not in relay: + raise ConfigError('At least one upstream interface required!') + for interface, config in relay['upstream_interface'].items(): + if 'address' not in config: + raise ConfigError('DHCPv6 server required for upstream ' \ + f'interface {interface}!') + + if 'listen_interface' not in relay: + raise ConfigError('At least one listen interface required!') + + # DHCPv6 relay requires at least one global unicat address assigned to the + # interface + for interface in relay['listen_interface']: + has_global = False + for addr in Interface(interface).get_addr(): + if is_ipv6(addr) and not is_ipv6_link_local(addr): + has_global = True + if not has_global: + raise ConfigError(f'Interface {interface} does not have global '\ + 'IPv6 address assigned!') + + return None + +def generate(relay): + # bail out early - looks like removal from running config + if not relay or 'disable' in relay: + return None + + render(config_file, 'dhcp-relay/dhcrelay6.conf.j2', relay) + return None + +def apply(relay): + # bail out early - looks like removal from running config + service_name = 'isc-dhcp-relay6.service' + if not relay or 'disable' in relay: + # DHCPv6 relay support is removed in the commit + call(f'systemctl stop {service_name}') + if os.path.exists(config_file): + os.unlink(config_file) + return None + + call(f'systemctl restart {service_name}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_dhcpv6-server.py b/src/conf_mode/service_dhcpv6-server.py new file mode 100755 index 000000000..9cc57dbcf --- /dev/null +++ b/src/conf_mode/service_dhcpv6-server.py @@ -0,0 +1,222 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from ipaddress import ip_address +from ipaddress import ip_network +from sys import exit + +from vyos.config import Config +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.file import chmod_775 +from vyos.utils.file import makedir +from vyos.utils.file import write_file +from vyos.utils.dict import dict_search +from vyos.utils.network import is_subnet_connected +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = '/run/kea/kea-dhcp6.conf' +ctrl_socket = '/run/kea/dhcp6-ctrl-socket' +lease_file = '/config/dhcp/dhcp6-leases.csv' +user_group = '_kea' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'dhcpv6-server'] + if not conf.exists(base): + return None + + dhcpv6 = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + return dhcpv6 + +def verify(dhcpv6): + # bail out early - looks like removal from running config + if not dhcpv6 or 'disable' in dhcpv6: + return None + + # If DHCP is enabled we need one share-network + if 'shared_network_name' not in dhcpv6: + raise ConfigError('No DHCPv6 shared networks configured. At least '\ + 'one DHCPv6 shared network must be configured.') + + # Inspect shared-network/subnet + subnets = [] + listen_ok = False + for network, network_config in dhcpv6['shared_network_name'].items(): + # A shared-network requires a subnet definition + if 'subnet' not in network_config: + raise ConfigError(f'No DHCPv6 lease subnets configured for "{network}". '\ + 'At least one lease subnet must be configured for '\ + 'each shared network!') + + for subnet, subnet_config in network_config['subnet'].items(): + if 'address_range' in subnet_config: + if 'start' in subnet_config['address_range']: + range6_start = [] + range6_stop = [] + for start, start_config in subnet_config['address_range']['start'].items(): + if 'stop' not in start_config: + raise ConfigError(f'address-range stop address for start "{start}" is not defined!') + stop = start_config['stop'] + + # Start address must be inside network + if not ip_address(start) in ip_network(subnet): + raise ConfigError(f'address-range start address "{start}" is not in subnet "{subnet}"!') + + # Stop address must be inside network + if not ip_address(stop) in ip_network(subnet): + raise ConfigError(f'address-range stop address "{stop}" is not in subnet "{subnet}"!') + + # Stop address must be greater or equal to start address + if not ip_address(stop) >= ip_address(start): + raise ConfigError(f'address-range stop address "{stop}" must be greater then or equal ' \ + f'to the range start address "{start}"!') + + # DHCPv6 range start address must be unique - two ranges can't + # start with the same address - makes no sense + if start in range6_start: + raise ConfigError(f'Conflicting DHCPv6 lease range: '\ + f'Pool start address "{start}" defined multipe times!') + range6_start.append(start) + + # DHCPv6 range stop address must be unique - two ranges can't + # end with the same address - makes no sense + if stop in range6_stop: + raise ConfigError(f'Conflicting DHCPv6 lease range: '\ + f'Pool stop address "{stop}" defined multipe times!') + range6_stop.append(stop) + + if 'prefix' in subnet_config: + for prefix in subnet_config['prefix']: + if ip_network(prefix) not in ip_network(subnet): + raise ConfigError(f'address-range prefix "{prefix}" is not in subnet "{subnet}""') + + # Prefix delegation sanity checks + if 'prefix_delegation' in subnet_config: + if 'prefix' not in subnet_config['prefix_delegation']: + raise ConfigError('prefix-delegation prefix not defined!') + + for prefix, prefix_config in subnet_config['prefix_delegation']['prefix'].items(): + if 'delegated_length' not in prefix_config: + raise ConfigError(f'Delegated IPv6 prefix length for "{prefix}" '\ + f'must be configured') + + if 'prefix_length' not in prefix_config: + raise ConfigError('Length of delegated IPv6 prefix must be configured') + + if prefix_config['prefix_length'] > prefix_config['delegated_length']: + raise ConfigError('Length of delegated IPv6 prefix must be within parent prefix') + + # Static mappings don't require anything (but check if IP is in subnet if it's set) + if 'static_mapping' in subnet_config: + for mapping, mapping_config in subnet_config['static_mapping'].items(): + if 'ipv6_address' in mapping_config: + # Static address must be in subnet + if ip_address(mapping_config['ipv6_address']) not in ip_network(subnet): + raise ConfigError(f'static-mapping address for mapping "{mapping}" is not in subnet "{subnet}"!') + + if ('mac' not in mapping_config and 'duid' not in mapping_config) or \ + ('mac' in mapping_config and 'duid' in mapping_config): + raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for ' + f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!') + + if 'vendor_option' in subnet_config: + if len(dict_search('vendor_option.cisco.tftp_server', subnet_config)) > 2: + raise ConfigError(f'No more then two Cisco tftp-servers should be defined for subnet "{subnet}"!') + + # Subnets must be unique + if subnet in subnets: + raise ConfigError(f'DHCPv6 subnets must be unique! Subnet {subnet} defined multiple times!') + subnets.append(subnet) + + # DHCPv6 requires at least one configured address range or one static mapping + # (FIXME: is not actually checked right now?) + + # There must be one subnet connected to a listen interface if network is not disabled. + if 'disable' not in network_config: + if is_subnet_connected(subnet): + listen_ok = True + + # DHCPv6 subnet must not overlap. ISC DHCP also complains about overlapping + # subnets: "Warning: subnet 2001:db8::/32 overlaps subnet 2001:db8:1::/32" + net = ip_network(subnet) + for n in subnets: + net2 = ip_network(n) + if (net != net2): + if net.overlaps(net2): + raise ConfigError('DHCPv6 conflicting subnet ranges: {0} overlaps {1}'.format(net, net2)) + + if not listen_ok: + raise ConfigError('None of the DHCPv6 subnets are connected to a subnet6 on '\ + 'this machine. At least one subnet6 must be connected such that '\ + 'DHCPv6 listens on an interface!') + + + return None + +def generate(dhcpv6): + # bail out early - looks like removal from running config + if not dhcpv6 or 'disable' in dhcpv6: + return None + + dhcpv6['lease_file'] = lease_file + dhcpv6['machine'] = os.uname().machine + + # Create directory for lease file if necessary + lease_dir = os.path.dirname(lease_file) + if not os.path.isdir(lease_dir): + makedir(lease_dir, group='vyattacfg') + chmod_775(lease_dir) + + # Create lease file if necessary and let kea own it - 'kea-lfc' expects it that way + if not os.path.exists(lease_file): + write_file(lease_file, '', user=user_group, group=user_group, mode=0o644) + + render(config_file, 'dhcp-server/kea-dhcp6.conf.j2', dhcpv6, user=user_group, group=user_group) + return None + +def apply(dhcpv6): + # bail out early - looks like removal from running config + service_name = 'kea-dhcp6-server.service' + if not dhcpv6 or 'disable' in dhcpv6: + # DHCP server is removed in the commit + call(f'systemctl stop {service_name}') + if os.path.exists(config_file): + os.unlink(config_file) + return None + + call(f'systemctl restart {service_name}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_dns_dynamic.py b/src/conf_mode/service_dns_dynamic.py new file mode 100755 index 000000000..99fa8feee --- /dev/null +++ b/src/conf_mode/service_dns_dynamic.py @@ -0,0 +1,187 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import re +from sys import exit + +from vyos.base import Warning +from vyos.config import Config +from vyos.configverify import verify_interface_exists +from vyos.template import render +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = r'/run/ddclient/ddclient.conf' +systemd_override = r'/run/systemd/system/ddclient.service.d/override.conf' + +# Dynamic interfaces that might not exist when the configuration is loaded +dynamic_interfaces = ('pppoe', 'sstpc') + +# Protocols that require zone +zone_necessary = ['cloudflare', 'digitalocean', 'godaddy', 'hetzner', 'gandi', + 'nfsn', 'nsupdate'] +zone_supported = zone_necessary + ['dnsexit2', 'zoneedit1'] + +# Protocols that do not require username +username_unnecessary = ['1984', 'cloudflare', 'cloudns', 'digitalocean', 'dnsexit2', + 'duckdns', 'freemyip', 'hetzner', 'keysystems', 'njalla', + 'nsupdate', 'regfishde'] + +# Protocols that support TTL +ttl_supported = ['cloudflare', 'dnsexit2', 'gandi', 'hetzner', 'godaddy', 'nfsn', + 'nsupdate'] + +# Protocols that support both IPv4 and IPv6 +dualstack_supported = ['cloudflare', 'digitalocean', 'dnsexit2', 'duckdns', + 'dyndns2', 'easydns', 'freedns', 'hetzner', 'infomaniak', + 'njalla'] + +# dyndns2 protocol in ddclient honors dual stack for selective servers +# because of the way it is implemented in ddclient +dyndns_dualstack_servers = ['members.dyndns.org', 'dynv6.com'] + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['service', 'dns', 'dynamic'] + if not conf.exists(base): + return None + + dyndns = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + dyndns['config_file'] = config_file + return dyndns + +def verify(dyndns): + # bail out early - looks like removal from running config + if not dyndns or 'name' not in dyndns: + return None + + # Dynamic DNS service provider - configuration validation + for service, config in dyndns['name'].items(): + + error_msg_req = f'is required for Dynamic DNS service "{service}"' + error_msg_uns = f'is not supported for Dynamic DNS service "{service}"' + + for field in ['protocol', 'address', 'host_name']: + if field not in config: + raise ConfigError(f'"{field.replace("_", "-")}" {error_msg_req}') + + # If dyndns address is an interface, ensure + # that the interface exists (or just warn if dynamic interface) + # and that web-options are not set + if config['address'] != 'web': + # exclude check interface for dynamic interfaces + if config['address'].startswith(dynamic_interfaces): + Warning(f'Interface "{config["address"]}" does not exist yet and cannot ' + f'be used for Dynamic DNS service "{service}" until it is up!') + else: + verify_interface_exists(config['address']) + if 'web_options' in config: + raise ConfigError(f'"web-options" is applicable only when using HTTP(S) ' + f'web request to obtain the IP address') + + # Warn if using checkip.dyndns.org, as it does not support HTTPS + # See: https://github.com/ddclient/ddclient/issues/597 + if 'web_options' in config: + if 'url' not in config['web_options']: + raise ConfigError(f'"url" in "web-options" {error_msg_req} ' + f'with protocol "{config["protocol"]}"') + elif re.search("^(https?://)?checkip\.dyndns\.org", config['web_options']['url']): + Warning(f'"checkip.dyndns.org" does not support HTTPS requests for IP address ' + f'lookup. Please use a different IP address lookup service.') + + # RFC2136 uses 'key' instead of 'password' + if config['protocol'] != 'nsupdate' and 'password' not in config: + raise ConfigError(f'"password" {error_msg_req}') + + # Other RFC2136 specific configuration validation + if config['protocol'] == 'nsupdate': + if 'password' in config: + raise ConfigError(f'"password" {error_msg_uns} with protocol "{config["protocol"]}"') + for field in ['server', 'key']: + if field not in config: + raise ConfigError(f'"{field}" {error_msg_req} with protocol "{config["protocol"]}"') + + if config['protocol'] in zone_necessary and 'zone' not in config: + raise ConfigError(f'"zone" {error_msg_req} with protocol "{config["protocol"]}"') + + if config['protocol'] not in zone_supported and 'zone' in config: + raise ConfigError(f'"zone" {error_msg_uns} with protocol "{config["protocol"]}"') + + if config['protocol'] not in username_unnecessary and 'username' not in config: + raise ConfigError(f'"username" {error_msg_req} with protocol "{config["protocol"]}"') + + if config['protocol'] not in ttl_supported and 'ttl' in config: + raise ConfigError(f'"ttl" {error_msg_uns} with protocol "{config["protocol"]}"') + + if config['ip_version'] == 'both': + if config['protocol'] not in dualstack_supported: + raise ConfigError(f'Both IPv4 and IPv6 at the same time {error_msg_uns} ' + f'with protocol "{config["protocol"]}"') + # dyndns2 protocol in ddclient honors dual stack only for dyn.com (dyndns.org) + if config['protocol'] == 'dyndns2' and 'server' in config and config['server'] not in dyndns_dualstack_servers: + raise ConfigError(f'Both IPv4 and IPv6 at the same time {error_msg_uns} ' + f'for "{config["server"]}" with protocol "{config["protocol"]}"') + + if {'wait_time', 'expiry_time'} <= config.keys() and int(config['expiry_time']) < int(config['wait_time']): + raise ConfigError(f'"expiry-time" must be greater than "wait-time" for ' + f'Dynamic DNS service "{service}"') + + return None + +def generate(dyndns): + # bail out early - looks like removal from running config + if not dyndns or 'name' not in dyndns: + return None + + render(config_file, 'dns-dynamic/ddclient.conf.j2', dyndns, permission=0o600) + render(systemd_override, 'dns-dynamic/override.conf.j2', dyndns) + return None + +def apply(dyndns): + systemd_service = 'ddclient.service' + # Reload systemd manager configuration + call('systemctl daemon-reload') + + # bail out early - looks like removal from running config + if not dyndns or 'name' not in dyndns: + call(f'systemctl stop {systemd_service}') + if os.path.exists(config_file): + os.unlink(config_file) + else: + call(f'systemctl reload-or-restart {systemd_service}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_dns_forwarding.py b/src/conf_mode/service_dns_forwarding.py new file mode 100755 index 000000000..c186f47af --- /dev/null +++ b/src/conf_mode/service_dns_forwarding.py @@ -0,0 +1,358 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from netifaces import interfaces +from sys import exit +from glob import glob + +from vyos.config import Config +from vyos.hostsd_client import Client as hostsd_client +from vyos.template import render +from vyos.template import bracketize_ipv6 +from vyos.utils.process import call +from vyos.utils.permission import chown +from vyos.utils.dict import dict_search + +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +pdns_rec_user = pdns_rec_group = 'pdns' +pdns_rec_run_dir = '/run/powerdns' +pdns_rec_lua_conf_file = f'{pdns_rec_run_dir}/recursor.conf.lua' +pdns_rec_hostsd_lua_conf_file = f'{pdns_rec_run_dir}/recursor.vyos-hostsd.conf.lua' +pdns_rec_hostsd_zones_file = f'{pdns_rec_run_dir}/recursor.forward-zones.conf' +pdns_rec_config_file = f'{pdns_rec_run_dir}/recursor.conf' + +hostsd_tag = 'static' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'dns', 'forwarding'] + if not conf.exists(base): + return None + + dns = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + # some additions to the default dictionary + if 'system' in dns: + base_nameservers = ['system', 'name-server'] + if conf.exists(base_nameservers): + dns.update({'system_name_server': conf.return_values(base_nameservers)}) + + if 'authoritative_domain' in dns: + dns['authoritative_zones'] = [] + dns['authoritative_zone_errors'] = [] + for node in dns['authoritative_domain']: + zonedata = dns['authoritative_domain'][node] + if ('disable' in zonedata) or (not 'records' in zonedata): + continue + zone = { + 'name': node, + 'file': "{}/zone.{}.conf".format(pdns_rec_run_dir, node), + 'records': [], + } + + recorddata = zonedata['records'] + + for rtype in [ 'a', 'aaaa', 'cname', 'mx', 'ns', 'ptr', 'txt', 'spf', 'srv', 'naptr' ]: + if rtype not in recorddata: + continue + for subnode in recorddata[rtype]: + if 'disable' in recorddata[rtype][subnode]: + continue + + rdata = recorddata[rtype][subnode] + + if rtype in [ 'a', 'aaaa' ]: + if not 'address' in rdata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one address is required') + continue + + if subnode == 'any': + subnode = '*' + + for address in rdata['address']: + zone['records'].append({ + 'name': subnode, + 'type': rtype.upper(), + 'ttl': rdata['ttl'], + 'value': address + }) + elif rtype in ['cname', 'ptr', 'ns']: + if not 'target' in rdata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: target is required') + continue + + zone['records'].append({ + 'name': subnode, + 'type': rtype.upper(), + 'ttl': rdata['ttl'], + 'value': '{}.'.format(rdata['target']) + }) + elif rtype == 'mx': + if not 'server' in rdata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one server is required') + continue + + for servername in rdata['server']: + serverdata = rdata['server'][servername] + zone['records'].append({ + 'name': subnode, + 'type': rtype.upper(), + 'ttl': rdata['ttl'], + 'value': '{} {}.'.format(serverdata['priority'], servername) + }) + elif rtype == 'txt': + if not 'value' in rdata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one value is required') + continue + + for value in rdata['value']: + zone['records'].append({ + 'name': subnode, + 'type': rtype.upper(), + 'ttl': rdata['ttl'], + 'value': "\"{}\"".format(value.replace("\"", "\\\"")) + }) + elif rtype == 'spf': + if not 'value' in rdata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: value is required') + continue + + zone['records'].append({ + 'name': subnode, + 'type': rtype.upper(), + 'ttl': rdata['ttl'], + 'value': '"{}"'.format(rdata['value'].replace("\"", "\\\"")) + }) + elif rtype == 'srv': + if not 'entry' in rdata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one entry is required') + continue + + for entryno in rdata['entry']: + entrydata = rdata['entry'][entryno] + if not 'hostname' in entrydata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: hostname is required for entry {entryno}') + continue + + if not 'port' in entrydata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: port is required for entry {entryno}') + continue + + zone['records'].append({ + 'name': subnode, + 'type': rtype.upper(), + 'ttl': rdata['ttl'], + 'value': '{} {} {} {}.'.format(entrydata['priority'], entrydata['weight'], entrydata['port'], entrydata['hostname']) + }) + elif rtype == 'naptr': + if not 'rule' in rdata: + dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one rule is required') + continue + + for ruleno in rdata['rule']: + ruledata = rdata['rule'][ruleno] + flags = "" + if 'lookup-srv' in ruledata: + flags += "S" + if 'lookup-a' in ruledata: + flags += "A" + if 'resolve-uri' in ruledata: + flags += "U" + if 'protocol-specific' in ruledata: + flags += "P" + + if 'order' in ruledata: + order = ruledata['order'] + else: + order = ruleno + + if 'regexp' in ruledata: + regexp= ruledata['regexp'].replace("\"", "\\\"") + else: + regexp = '' + + if ruledata['replacement']: + replacement = '{}.'.format(ruledata['replacement']) + else: + replacement = '' + + zone['records'].append({ + 'name': subnode, + 'type': rtype.upper(), + 'ttl': rdata['ttl'], + 'value': '{} {} "{}" "{}" "{}" {}'.format(order, ruledata['preference'], flags, ruledata['service'], regexp, replacement) + }) + + dns['authoritative_zones'].append(zone) + + return dns + +def verify(dns): + # bail out early - looks like removal from running config + if not dns: + return None + + if 'listen_address' not in dns: + raise ConfigError('DNS forwarding requires a listen-address') + + if 'allow_from' not in dns: + raise ConfigError('DNS forwarding requires an allow-from network') + + # we can not use dict_search() when testing for domain servers + # as a domain will contains dot's which is out dictionary delimiter. + if 'domain' in dns: + for domain in dns['domain']: + if 'name_server' not in dns['domain'][domain]: + raise ConfigError(f'No server configured for domain {domain}!') + + if 'dns64_prefix' in dns: + dns_prefix = dns['dns64_prefix'].split('/')[1] + # RFC 6147 requires prefix /96 + if int(dns_prefix) != 96: + raise ConfigError('DNS 6to4 prefix must be of length /96') + + if ('authoritative_zone_errors' in dns) and dns['authoritative_zone_errors']: + for error in dns['authoritative_zone_errors']: + print(error) + raise ConfigError('Invalid authoritative records have been defined') + + if 'system' in dns: + if not 'system_name_server' in dns: + print('Warning: No "system name-server" configured') + + return None + +def generate(dns): + # bail out early - looks like removal from running config + if not dns: + return None + + render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', + dns, user=pdns_rec_user, group=pdns_rec_group) + + render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.j2', + dns, user=pdns_rec_user, group=pdns_rec_group) + + for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): + os.unlink(zone_filename) + + if 'authoritative_zones' in dns: + for zone in dns['authoritative_zones']: + render(zone['file'], 'dns-forwarding/recursor.zone.conf.j2', + zone, user=pdns_rec_user, group=pdns_rec_group) + + + # if vyos-hostsd didn't create its files yet, create them (empty) + for file in [pdns_rec_hostsd_lua_conf_file, pdns_rec_hostsd_zones_file]: + with open(file, 'a'): + pass + chown(file, user=pdns_rec_user, group=pdns_rec_group) + + return None + +def apply(dns): + if not dns: + # DNS forwarding is removed in the commit + call('systemctl stop pdns-recursor.service') + + if os.path.isfile(pdns_rec_config_file): + os.unlink(pdns_rec_config_file) + + for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): + os.unlink(zone_filename) + else: + ### first apply vyos-hostsd config + hc = hostsd_client() + + # add static nameservers to hostsd so they can be joined with other + # sources + hc.delete_name_servers([hostsd_tag]) + if 'name_server' in dns: + # 'name_server' is of the form + # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] + nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) + for (h, p) in dns['name_server'].items()] + hc.add_name_servers({hostsd_tag: nslist}) + + # delete all nameserver tags + hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor()) + + ## add nameserver tags - the order determines the nameserver order! + # our own tag (static) + hc.add_name_server_tags_recursor([hostsd_tag]) + + if 'system' in dns: + hc.add_name_server_tags_recursor(['system']) + else: + hc.delete_name_server_tags_recursor(['system']) + + # add dhcp nameserver tags for configured interfaces + if 'system_name_server' in dns: + for interface in dns['system_name_server']: + # system_name_server key contains both IP addresses and interface + # names (DHCP) to use DNS servers. We need to check if the + # value is an interface name - only if this is the case, add the + # interface based DNS forwarder. + if interface in interfaces(): + hc.add_name_server_tags_recursor(['dhcp-' + interface, + 'dhcpv6-' + interface ]) + + # hostsd will generate the forward-zones file + # the list and keys() are required as get returns a dict, not list + hc.delete_forward_zones(list(hc.get_forward_zones().keys())) + if 'domain' in dns: + zones = dns['domain'] + for domain in zones.keys(): + # 'name_server' is of the form + # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] + zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) + for (h, p) in zones[domain]['name_server'].items()] + hc.add_forward_zones(zones) + + # hostsd generates NTAs for the authoritative zones + # the list and keys() are required as get returns a dict, not list + hc.delete_authoritative_zones(list(hc.get_authoritative_zones())) + if 'authoritative_zones' in dns: + hc.add_authoritative_zones(list(map(lambda zone: zone['name'], dns['authoritative_zones']))) + + # call hostsd to generate forward-zones and its lua-config-file + hc.apply() + + ### finally (re)start pdns-recursor + call('systemctl restart pdns-recursor.service') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_event-handler.py b/src/conf_mode/service_event-handler.py new file mode 100755 index 000000000..5028ef52f --- /dev/null +++ b/src/conf_mode/service_event-handler.py @@ -0,0 +1,92 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import json +from pathlib import Path + +from vyos.config import Config +from vyos.utils.dict import dict_search +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag + +airbag.enable() + +service_name = 'vyos-event-handler' +service_conf = Path(f'/run/{service_name}.conf') + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['service', 'event-handler', 'event'] + config = conf.get_config_dict(base, + get_first_key=True, + no_tag_node_value_mangle=True) + + return config + + +def verify(config): + # bail out early - looks like removal from running config + if not config: + return None + + for name, event_config in config.items(): + if not dict_search('filter.pattern', event_config) or not dict_search( + 'script.path', event_config): + raise ConfigError( + 'Event-handler: both pattern and script path items are mandatory' + ) + + if dict_search('script.environment.message', event_config): + raise ConfigError( + 'Event-handler: "message" environment variable is reserved for log message text' + ) + + +def generate(config): + if not config: + # Remove old config and return + service_conf.unlink(missing_ok=True) + return None + + # Write configuration file + conf_json = json.dumps(config, indent=4) + service_conf.write_text(conf_json) + + return None + + +def apply(config): + if config: + call(f'systemctl restart {service_name}.service') + else: + call(f'systemctl stop {service_name}.service') + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_event_handler.py b/src/conf_mode/service_event_handler.py deleted file mode 100755 index 5028ef52f..000000000 --- a/src/conf_mode/service_event_handler.py +++ /dev/null @@ -1,92 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import json -from pathlib import Path - -from vyos.config import Config -from vyos.utils.dict import dict_search -from vyos.utils.process import call -from vyos import ConfigError -from vyos import airbag - -airbag.enable() - -service_name = 'vyos-event-handler' -service_conf = Path(f'/run/{service_name}.conf') - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['service', 'event-handler', 'event'] - config = conf.get_config_dict(base, - get_first_key=True, - no_tag_node_value_mangle=True) - - return config - - -def verify(config): - # bail out early - looks like removal from running config - if not config: - return None - - for name, event_config in config.items(): - if not dict_search('filter.pattern', event_config) or not dict_search( - 'script.path', event_config): - raise ConfigError( - 'Event-handler: both pattern and script path items are mandatory' - ) - - if dict_search('script.environment.message', event_config): - raise ConfigError( - 'Event-handler: "message" environment variable is reserved for log message text' - ) - - -def generate(config): - if not config: - # Remove old config and return - service_conf.unlink(missing_ok=True) - return None - - # Write configuration file - conf_json = json.dumps(config, indent=4) - service_conf.write_text(conf_json) - - return None - - -def apply(config): - if config: - call(f'systemctl restart {service_name}.service') - else: - call(f'systemctl stop {service_name}.service') - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/service_https.py b/src/conf_mode/service_https.py new file mode 100755 index 000000000..3dc5dfc01 --- /dev/null +++ b/src/conf_mode/service_https.py @@ -0,0 +1,335 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import sys +import json + +from copy import deepcopy +from time import sleep + +import vyos.defaults +import vyos.certbot_util + +from vyos.base import Warning +from vyos.config import Config +from vyos.configdiff import get_config_diff +from vyos.configverify import verify_vrf +from vyos import ConfigError +from vyos.pki import wrap_certificate +from vyos.pki import wrap_private_key +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.process import is_systemd_service_running +from vyos.utils.process import is_systemd_service_active +from vyos.utils.network import check_port_availability +from vyos.utils.network import is_listen_port_bind_service +from vyos.utils.file import write_file + +from vyos import airbag +airbag.enable() + +config_file = '/etc/nginx/sites-available/default' +systemd_override = r'/run/systemd/system/nginx.service.d/override.conf' +cert_dir = '/etc/ssl/certs' +key_dir = '/etc/ssl/private' +certbot_dir = vyos.defaults.directories['certbot'] + +api_config_state = '/run/http-api-state' +systemd_service = '/run/systemd/system/vyos-http-api.service' + +# https config needs to coordinate several subsystems: api, certbot, +# self-signed certificate, as well as the virtual hosts defined within the +# https config definition itself. Consequently, one needs a general dict, +# encompassing the https and other configs, and a list of such virtual hosts +# (server blocks in nginx terminology) to pass to the jinja2 template. +default_server_block = { + 'id' : '', + 'address' : '*', + 'port' : '443', + 'name' : ['_'], + 'api' : False, + 'vyos_cert' : {}, + 'certbot' : False +} + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['service', 'https'] + if not conf.exists(base): + return None + + diff = get_config_diff(conf) + + https = conf.get_config_dict(base, get_first_key=True) + + if https: + https['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True) + + https['children_changed'] = diff.node_changed_children(base) + https['api_add_or_delete'] = diff.node_changed_presence(base + ['api']) + + if 'api' not in https: + return https + + http_api = conf.get_config_dict(base + ['api'], key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + if http_api.from_defaults(['graphql']): + del http_api['graphql'] + + # Do we run inside a VRF context? + vrf_path = ['service', 'https', 'vrf'] + if conf.exists(vrf_path): + http_api['vrf'] = conf.return_value(vrf_path) + + https['api'] = http_api + + return https + +def verify(https): + from vyos.utils.dict import dict_search + + if https is None: + return None + + if 'certificates' in https: + certificates = https['certificates'] + + if 'certificate' in certificates: + if not https['pki']: + raise ConfigError("PKI is not configured") + + cert_name = certificates['certificate'] + + if cert_name not in https['pki']['certificate']: + raise ConfigError("Invalid certificate on https configuration") + + pki_cert = https['pki']['certificate'][cert_name] + + if 'certificate' not in pki_cert: + raise ConfigError("Missing certificate on https configuration") + + if 'private' not in pki_cert or 'key' not in pki_cert['private']: + raise ConfigError("Missing certificate private key on https configuration") + + if 'certbot' in https['certificates']: + vhost_names = [] + for _, vh_conf in https.get('virtual-host', {}).items(): + vhost_names += vh_conf.get('server-name', []) + domains = https['certificates']['certbot'].get('domain-name', []) + domains_found = [domain for domain in domains if domain in vhost_names] + if not domains_found: + raise ConfigError("At least one 'virtual-host server-name' " + "matching the 'certbot domain-name' is required.") + + server_block_list = [] + + # organize by vhosts + vhost_dict = https.get('virtual-host', {}) + + if not vhost_dict: + # no specified virtual hosts (server blocks); use default + server_block_list.append(default_server_block) + else: + for vhost in list(vhost_dict): + server_block = deepcopy(default_server_block) + data = vhost_dict.get(vhost, {}) + server_block['address'] = data.get('listen-address', '*') + server_block['port'] = data.get('port', '443') + server_block_list.append(server_block) + + for entry in server_block_list: + _address = entry.get('address') + _address = '0.0.0.0' if _address == '*' else _address + _port = entry.get('port') + proto = 'tcp' + if check_port_availability(_address, int(_port), proto) is not True and \ + not is_listen_port_bind_service(int(_port), 'nginx'): + raise ConfigError(f'"{proto}" port "{_port}" is used by another service') + + verify_vrf(https) + + # Verify API server settings, if present + if 'api' in https: + keys = dict_search('api.keys.id', https) + gql_auth_type = dict_search('api.graphql.authentication.type', https) + + # If "api graphql" is not defined and `gql_auth_type` is None, + # there's certainly no JWT auth option, and keys are required + jwt_auth = (gql_auth_type == "token") + + # Check for incomplete key configurations in every case + valid_keys_exist = False + if keys: + for k in keys: + if 'key' not in keys[k]: + raise ConfigError(f'Missing HTTPS API key string for key id "{k}"') + else: + valid_keys_exist = True + + # If only key-based methods are enabled, + # fail the commit if no valid key configurations are found + if (not valid_keys_exist) and (not jwt_auth): + raise ConfigError('At least one HTTPS API key is required unless GraphQL token authentication is enabled') + + if (not valid_keys_exist) and jwt_auth: + Warning(f'API keys are not configured: the classic (non-GraphQL) API will be unavailable.') + + return None + +def generate(https): + if https is None: + return None + + if 'api' not in https: + if os.path.exists(systemd_service): + os.unlink(systemd_service) + else: + render(systemd_service, 'https/vyos-http-api.service.j2', https['api']) + with open(api_config_state, 'w') as f: + json.dump(https['api'], f, indent=2) + + server_block_list = [] + + # organize by vhosts + + vhost_dict = https.get('virtual-host', {}) + + if not vhost_dict: + # no specified virtual hosts (server blocks); use default + server_block_list.append(default_server_block) + else: + for vhost in list(vhost_dict): + server_block = deepcopy(default_server_block) + server_block['id'] = vhost + data = vhost_dict.get(vhost, {}) + server_block['address'] = data.get('listen-address', '*') + server_block['port'] = data.get('port', '443') + name = data.get('server-name', ['_']) + server_block['name'] = name + allow_client = data.get('allow-client', {}) + server_block['allow_client'] = allow_client.get('address', []) + server_block_list.append(server_block) + + # get certificate data + + cert_dict = https.get('certificates', {}) + + if 'certificate' in cert_dict: + cert_name = cert_dict['certificate'] + pki_cert = https['pki']['certificate'][cert_name] + + cert_path = os.path.join(cert_dir, f'{cert_name}.pem') + key_path = os.path.join(key_dir, f'{cert_name}.pem') + + server_cert = str(wrap_certificate(pki_cert['certificate'])) + if 'ca-certificate' in cert_dict: + ca_cert = cert_dict['ca-certificate'] + server_cert += '\n' + str(wrap_certificate(https['pki']['ca'][ca_cert]['certificate'])) + + write_file(cert_path, server_cert) + write_file(key_path, wrap_private_key(pki_cert['private']['key'])) + + vyos_cert_data = { + 'crt': cert_path, + 'key': key_path + } + + for block in server_block_list: + block['vyos_cert'] = vyos_cert_data + + # letsencrypt certificate using certbot + + certbot = False + cert_domains = cert_dict.get('certbot', {}).get('domain-name', []) + if cert_domains: + certbot = True + for domain in cert_domains: + sub_list = vyos.certbot_util.choose_server_block(server_block_list, + domain) + if sub_list: + for sb in sub_list: + sb['certbot'] = True + sb['certbot_dir'] = certbot_dir + # certbot organizes certificates by first domain + sb['certbot_domain_dir'] = cert_domains[0] + + if 'api' in list(https): + vhost_list = https.get('api-restrict', {}).get('virtual-host', []) + if not vhost_list: + for block in server_block_list: + block['api'] = True + else: + for block in server_block_list: + if block['id'] in vhost_list: + block['api'] = True + + data = { + 'server_block_list': server_block_list, + 'certbot': certbot + } + + render(config_file, 'https/nginx.default.j2', data) + render(systemd_override, 'https/override.conf.j2', https) + return None + +def apply(https): + # Reload systemd manager configuration + call('systemctl daemon-reload') + http_api_service_name = 'vyos-http-api.service' + https_service_name = 'nginx.service' + + if https is None: + if is_systemd_service_active(f'{http_api_service_name}'): + call(f'systemctl stop {http_api_service_name}') + call(f'systemctl stop {https_service_name}') + return + + if 'api' in https['children_changed']: + if 'api' in https: + if is_systemd_service_running(f'{http_api_service_name}'): + call(f'systemctl reload {http_api_service_name}') + else: + call(f'systemctl restart {http_api_service_name}') + # Let uvicorn settle before (possibly) restarting nginx + sleep(1) + else: + if is_systemd_service_active(f'{http_api_service_name}'): + call(f'systemctl stop {http_api_service_name}') + + if (not is_systemd_service_running(f'{https_service_name}') or + https['api_add_or_delete'] or + set(https['children_changed']) - set(['api'])): + call(f'systemctl restart {https_service_name}') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) diff --git a/src/conf_mode/service_https_certificates_certbot.py b/src/conf_mode/service_https_certificates_certbot.py new file mode 100755 index 000000000..1a6a498de --- /dev/null +++ b/src/conf_mode/service_https_certificates_certbot.py @@ -0,0 +1,114 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import sys +import os + +import vyos.defaults +from vyos.config import Config +from vyos import ConfigError +from vyos.utils.process import cmd +from vyos.utils.process import call +from vyos.utils.process import is_systemd_service_running + +from vyos import airbag +airbag.enable() + +vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode'] +vyos_certbot_dir = vyos.defaults.directories['certbot'] + +dependencies = [ + 'service_https.py', +] + +def request_certbot(cert): + email = cert.get('email') + if email is not None: + email_flag = '-m {0}'.format(email) + else: + email_flag = '' + + domains = cert.get('domains') + if domains is not None: + domain_flag = '-d ' + ' -d '.join(domains) + else: + domain_flag = '' + + certbot_cmd = f'certbot certonly --config-dir {vyos_certbot_dir} -n --nginx --agree-tos --no-eff-email --expand {email_flag} {domain_flag}' + + cmd(certbot_cmd, + raising=ConfigError, + message="The certbot request failed for the specified domains.") + +def get_config(): + conf = Config() + if not conf.exists('service https certificates certbot'): + return None + else: + conf.set_level('service https certificates certbot') + + cert = {} + + if conf.exists('domain-name'): + cert['domains'] = conf.return_values('domain-name') + + if conf.exists('email'): + cert['email'] = conf.return_value('email') + + return cert + +def verify(cert): + if cert is None: + return None + + if 'domains' not in cert: + raise ConfigError("At least one domain name is required to" + " request a letsencrypt certificate.") + + if 'email' not in cert: + raise ConfigError("An email address is required to request" + " a letsencrypt certificate.") + +def generate(cert): + if cert is None: + return None + + # certbot will attempt to reload nginx, even with 'certonly'; + # start nginx if not active + if not is_systemd_service_running('nginx.service'): + call('systemctl start nginx.service') + + request_certbot(cert) + +def apply(cert): + if cert is not None: + call('systemctl restart certbot.timer') + else: + call('systemctl stop certbot.timer') + return None + + for dep in dependencies: + cmd(f'{vyos_conf_scripts_dir}/{dep}', raising=ConfigError) + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) diff --git a/src/conf_mode/service_ids_ddos-protection.py b/src/conf_mode/service_ids_ddos-protection.py new file mode 100755 index 000000000..276a71fcb --- /dev/null +++ b/src/conf_mode/service_ids_ddos-protection.py @@ -0,0 +1,104 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.template import render +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = r'/run/fastnetmon/fastnetmon.conf' +networks_list = r'/run/fastnetmon/networks_list' +excluded_networks_list = r'/run/fastnetmon/excluded_networks_list' +attack_dir = '/var/log/fastnetmon_attacks' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'ids', 'ddos-protection'] + if not conf.exists(base): + return None + + fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + return fastnetmon + +def verify(fastnetmon): + if not fastnetmon: + return None + + if 'mode' not in fastnetmon: + raise ConfigError('Specify operating mode!') + + if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon: + raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring") + + if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}): + raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'") + + if 'alert_script' in fastnetmon: + if os.path.isfile(fastnetmon['alert_script']): + # Check script permissions + if not os.access(fastnetmon['alert_script'], os.X_OK): + raise ConfigError('Script "{alert_script}" is not executable!'.format(fastnetmon['alert_script'])) + else: + raise ConfigError('File "{alert_script}" does not exists!'.format(fastnetmon)) + +def generate(fastnetmon): + if not fastnetmon: + for file in [config_file, networks_list]: + if os.path.isfile(file): + os.unlink(file) + + return None + + # Create dir for log attack details + if not os.path.exists(attack_dir): + os.mkdir(attack_dir) + + render(config_file, 'ids/fastnetmon.j2', fastnetmon) + render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon) + render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon) + return None + +def apply(fastnetmon): + systemd_service = 'fastnetmon.service' + if not fastnetmon: + # Stop fastnetmon service if removed + call(f'systemctl stop {systemd_service}') + else: + call(f'systemctl reload-or-restart {systemd_service}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py deleted file mode 100755 index 276a71fcb..000000000 --- a/src/conf_mode/service_ids_fastnetmon.py +++ /dev/null @@ -1,104 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.config import Config -from vyos.template import render -from vyos.utils.process import call -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = r'/run/fastnetmon/fastnetmon.conf' -networks_list = r'/run/fastnetmon/networks_list' -excluded_networks_list = r'/run/fastnetmon/excluded_networks_list' -attack_dir = '/var/log/fastnetmon_attacks' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'ids', 'ddos-protection'] - if not conf.exists(base): - return None - - fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - return fastnetmon - -def verify(fastnetmon): - if not fastnetmon: - return None - - if 'mode' not in fastnetmon: - raise ConfigError('Specify operating mode!') - - if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon: - raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring") - - if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}): - raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'") - - if 'alert_script' in fastnetmon: - if os.path.isfile(fastnetmon['alert_script']): - # Check script permissions - if not os.access(fastnetmon['alert_script'], os.X_OK): - raise ConfigError('Script "{alert_script}" is not executable!'.format(fastnetmon['alert_script'])) - else: - raise ConfigError('File "{alert_script}" does not exists!'.format(fastnetmon)) - -def generate(fastnetmon): - if not fastnetmon: - for file in [config_file, networks_list]: - if os.path.isfile(file): - os.unlink(file) - - return None - - # Create dir for log attack details - if not os.path.exists(attack_dir): - os.mkdir(attack_dir) - - render(config_file, 'ids/fastnetmon.j2', fastnetmon) - render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon) - render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon) - return None - -def apply(fastnetmon): - systemd_service = 'fastnetmon.service' - if not fastnetmon: - # Stop fastnetmon service if removed - call(f'systemctl stop {systemd_service}') - else: - call(f'systemctl reload-or-restart {systemd_service}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/service_lldp.py b/src/conf_mode/service_lldp.py new file mode 100755 index 000000000..3c647a0e8 --- /dev/null +++ b/src/conf_mode/service_lldp.py @@ -0,0 +1,123 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2017-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.base import Warning +from vyos.config import Config +from vyos.utils.network import is_addr_assigned +from vyos.utils.network import is_loopback_addr +from vyos.version import get_version_data +from vyos.utils.process import call +from vyos.utils.dict import dict_search +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = "/etc/default/lldpd" +vyos_config_file = "/etc/lldpd.d/01-vyos.conf" +base = ['service', 'lldp'] + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + if not conf.exists(base): + return {} + + lldp = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + if conf.exists(['service', 'snmp']): + lldp['system_snmp_enabled'] = '' + + version_data = get_version_data() + lldp['version'] = version_data['version'] + + # prune location information if not set by user + for interface in lldp.get('interface', []): + if lldp.from_defaults(['interface', interface, 'location']): + del lldp['interface'][interface]['location'] + elif lldp.from_defaults(['interface', interface, 'location','coordinate_based']): + del lldp['interface'][interface]['location']['coordinate_based'] + + return lldp + +def verify(lldp): + # bail out early - looks like removal from running config + if lldp is None: + return + + if 'management_address' in lldp: + for address in lldp['management_address']: + message = f'LLDP management address "{address}" is invalid' + if is_loopback_addr(address): + Warning(f'{message} - loopback address') + elif not is_addr_assigned(address): + Warning(f'{message} - not assigned to any interface') + + if 'interface' in lldp: + for interface, interface_config in lldp['interface'].items(): + # bail out early if no location info present in interface config + if 'location' not in interface_config: + continue + if 'coordinate_based' in interface_config['location']: + if not {'latitude', 'latitude'} <= set(interface_config['location']['coordinate_based']): + raise ConfigError(f'Must define both longitude and latitude for "{interface}" location!') + + # check options + if 'snmp' in lldp: + if 'system_snmp_enabled' not in lldp: + raise ConfigError('SNMP must be configured to enable LLDP SNMP!') + + +def generate(lldp): + # bail out early - looks like removal from running config + if lldp is None: + return + + render(config_file, 'lldp/lldpd.j2', lldp) + render(vyos_config_file, 'lldp/vyos.conf.j2', lldp) + +def apply(lldp): + systemd_service = 'lldpd.service' + if lldp: + # start/restart lldp service + call(f'systemctl restart {systemd_service}') + else: + # LLDP service has been terminated + call(f'systemctl stop {systemd_service}') + if os.path.isfile(config_file): + os.unlink(config_file) + if os.path.isfile(vyos_config_file): + os.unlink(vyos_config_file) + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_mdns-repeater.py b/src/conf_mode/service_mdns-repeater.py deleted file mode 100755 index 6526c23d1..000000000 --- a/src/conf_mode/service_mdns-repeater.py +++ /dev/null @@ -1,146 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2017-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from json import loads -from sys import exit -from netifaces import ifaddresses, interfaces, AF_INET, AF_INET6 - -from vyos.config import Config -from vyos.ifconfig.vrrp import VRRP -from vyos.template import render -from vyos.utils.process import call -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = '/run/avahi-daemon/avahi-daemon.conf' -systemd_override = r'/run/systemd/system/avahi-daemon.service.d/override.conf' -vrrp_running_file = '/run/mdns_vrrp_active' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['service', 'mdns', 'repeater'] - if not conf.exists(base): - return None - - mdns = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - if mdns: - mdns['vrrp_exists'] = conf.exists('high-availability vrrp') - mdns['config_file'] = config_file - - return mdns - -def verify(mdns): - if not mdns or 'disable' in mdns: - return None - - # We need at least two interfaces to repeat mDNS advertisments - if 'interface' not in mdns or len(mdns['interface']) < 2: - raise ConfigError('mDNS repeater requires at least 2 configured interfaces!') - - # For mdns-repeater to work it is essential that the interfaces has - # an IPv4 address assigned - for interface in mdns['interface']: - if interface not in interfaces(): - raise ConfigError(f'Interface "{interface}" does not exist!') - - if mdns['ip_version'] in ['ipv4', 'both'] and AF_INET not in ifaddresses(interface): - raise ConfigError('mDNS repeater requires an IPv4 address to be ' - f'configured on interface "{interface}"') - - if mdns['ip_version'] in ['ipv6', 'both'] and AF_INET6 not in ifaddresses(interface): - raise ConfigError('mDNS repeater requires an IPv6 address to be ' - f'configured on interface "{interface}"') - - return None - -# Get VRRP states from interfaces, returns only interfaces where state is MASTER -def get_vrrp_master(interfaces): - json_data = loads(VRRP.collect('json')) - for group in json_data: - if 'data' in group: - if 'ifp_ifname' in group['data']: - iface = group['data']['ifp_ifname'] - state = group['data']['state'] # 2 = Master - if iface in interfaces and state != 2: - interfaces.remove(iface) - return interfaces - -def generate(mdns): - if not mdns: - return None - - if 'disable' in mdns: - print('Warning: mDNS repeater will be deactivated because it is disabled') - return None - - if mdns['vrrp_exists'] and 'vrrp_disable' in mdns: - mdns['interface'] = get_vrrp_master(mdns['interface']) - - if len(mdns['interface']) < 2: - return None - - render(config_file, 'mdns-repeater/avahi-daemon.conf.j2', mdns) - render(systemd_override, 'mdns-repeater/override.conf.j2', mdns) - return None - -def apply(mdns): - systemd_service = 'avahi-daemon.service' - # Reload systemd manager configuration - call('systemctl daemon-reload') - - if not mdns or 'disable' in mdns: - call(f'systemctl stop {systemd_service}') - if os.path.exists(config_file): - os.unlink(config_file) - - if os.path.exists(vrrp_running_file): - os.unlink(vrrp_running_file) - else: - if 'vrrp_disable' not in mdns and os.path.exists(vrrp_running_file): - os.unlink(vrrp_running_file) - - if mdns['vrrp_exists'] and 'vrrp_disable' in mdns: - if not os.path.exists(vrrp_running_file): - os.mknod(vrrp_running_file) # vrrp script looks for this file to update mdns repeater - - if len(mdns['interface']) < 2: - call(f'systemctl stop {systemd_service}') - return None - - call(f'systemctl restart {systemd_service}') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/service_mdns_repeater.py b/src/conf_mode/service_mdns_repeater.py new file mode 100755 index 000000000..6526c23d1 --- /dev/null +++ b/src/conf_mode/service_mdns_repeater.py @@ -0,0 +1,146 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2017-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from json import loads +from sys import exit +from netifaces import ifaddresses, interfaces, AF_INET, AF_INET6 + +from vyos.config import Config +from vyos.ifconfig.vrrp import VRRP +from vyos.template import render +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = '/run/avahi-daemon/avahi-daemon.conf' +systemd_override = r'/run/systemd/system/avahi-daemon.service.d/override.conf' +vrrp_running_file = '/run/mdns_vrrp_active' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['service', 'mdns', 'repeater'] + if not conf.exists(base): + return None + + mdns = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + if mdns: + mdns['vrrp_exists'] = conf.exists('high-availability vrrp') + mdns['config_file'] = config_file + + return mdns + +def verify(mdns): + if not mdns or 'disable' in mdns: + return None + + # We need at least two interfaces to repeat mDNS advertisments + if 'interface' not in mdns or len(mdns['interface']) < 2: + raise ConfigError('mDNS repeater requires at least 2 configured interfaces!') + + # For mdns-repeater to work it is essential that the interfaces has + # an IPv4 address assigned + for interface in mdns['interface']: + if interface not in interfaces(): + raise ConfigError(f'Interface "{interface}" does not exist!') + + if mdns['ip_version'] in ['ipv4', 'both'] and AF_INET not in ifaddresses(interface): + raise ConfigError('mDNS repeater requires an IPv4 address to be ' + f'configured on interface "{interface}"') + + if mdns['ip_version'] in ['ipv6', 'both'] and AF_INET6 not in ifaddresses(interface): + raise ConfigError('mDNS repeater requires an IPv6 address to be ' + f'configured on interface "{interface}"') + + return None + +# Get VRRP states from interfaces, returns only interfaces where state is MASTER +def get_vrrp_master(interfaces): + json_data = loads(VRRP.collect('json')) + for group in json_data: + if 'data' in group: + if 'ifp_ifname' in group['data']: + iface = group['data']['ifp_ifname'] + state = group['data']['state'] # 2 = Master + if iface in interfaces and state != 2: + interfaces.remove(iface) + return interfaces + +def generate(mdns): + if not mdns: + return None + + if 'disable' in mdns: + print('Warning: mDNS repeater will be deactivated because it is disabled') + return None + + if mdns['vrrp_exists'] and 'vrrp_disable' in mdns: + mdns['interface'] = get_vrrp_master(mdns['interface']) + + if len(mdns['interface']) < 2: + return None + + render(config_file, 'mdns-repeater/avahi-daemon.conf.j2', mdns) + render(systemd_override, 'mdns-repeater/override.conf.j2', mdns) + return None + +def apply(mdns): + systemd_service = 'avahi-daemon.service' + # Reload systemd manager configuration + call('systemctl daemon-reload') + + if not mdns or 'disable' in mdns: + call(f'systemctl stop {systemd_service}') + if os.path.exists(config_file): + os.unlink(config_file) + + if os.path.exists(vrrp_running_file): + os.unlink(vrrp_running_file) + else: + if 'vrrp_disable' not in mdns and os.path.exists(vrrp_running_file): + os.unlink(vrrp_running_file) + + if mdns['vrrp_exists'] and 'vrrp_disable' in mdns: + if not os.path.exists(vrrp_running_file): + os.mknod(vrrp_running_file) # vrrp script looks for this file to update mdns repeater + + if len(mdns['interface']) < 2: + call(f'systemctl stop {systemd_service}') + return None + + call(f'systemctl restart {systemd_service}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_ntp.py b/src/conf_mode/service_ntp.py new file mode 100755 index 000000000..1cc23a7df --- /dev/null +++ b/src/conf_mode/service_ntp.py @@ -0,0 +1,136 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from vyos.config import Config +from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.configverify import verify_interface_exists +from vyos.utils.process import call +from vyos.utils.permission import chmod_750 +from vyos.utils.network import get_interface_config +from vyos.template import render +from vyos.template import is_ipv4 +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = r'/run/chrony/chrony.conf' +systemd_override = r'/run/systemd/system/chrony.service.d/override.conf' +user_group = '_chrony' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'ntp'] + if not conf.exists(base): + return None + + ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + ntp['config_file'] = config_file + ntp['user'] = user_group + + tmp = is_node_changed(conf, base + ['vrf']) + if tmp: ntp.update({'restart_required': {}}) + + return ntp + +def verify(ntp): + # bail out early - looks like removal from running config + if not ntp: + return None + + if 'server' not in ntp: + raise ConfigError('NTP server not configured') + + verify_vrf(ntp) + + if 'interface' in ntp: + # If ntpd should listen on a given interface, ensure it exists + interface = ntp['interface'] + verify_interface_exists(interface) + + # If we run in a VRF, our interface must belong to this VRF, too + if 'vrf' in ntp: + tmp = get_interface_config(interface) + vrf_name = ntp['vrf'] + if 'master' not in tmp or tmp['master'] != vrf_name: + raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\ + f'does not belong to this VRF!') + + if 'listen_address' in ntp: + ipv4_addresses = 0 + ipv6_addresses = 0 + for address in ntp['listen_address']: + if is_ipv4(address): + ipv4_addresses += 1 + else: + ipv6_addresses += 1 + if ipv4_addresses > 1: + raise ConfigError(f'NTP Only admits one ipv4 value for listen-address parameter ') + if ipv6_addresses > 1: + raise ConfigError(f'NTP Only admits one ipv6 value for listen-address parameter ') + + return None + +def generate(ntp): + # bail out early - looks like removal from running config + if not ntp: + return None + + render(config_file, 'chrony/chrony.conf.j2', ntp, user=user_group, group=user_group) + render(systemd_override, 'chrony/override.conf.j2', ntp, user=user_group, group=user_group) + + # Ensure proper permission for chrony command socket + config_dir = os.path.dirname(config_file) + chmod_750(config_dir) + + return None + +def apply(ntp): + systemd_service = 'chrony.service' + # Reload systemd manager configuration + call('systemctl daemon-reload') + + if not ntp: + # NTP support is removed in the commit + call(f'systemctl stop {systemd_service}') + if os.path.exists(config_file): + os.unlink(config_file) + if os.path.isfile(systemd_override): + os.unlink(systemd_override) + return + + # we need to restart the service if e.g. the VRF name changed + systemd_action = 'reload-or-restart' + if 'restart_required' in ntp: + systemd_action = 'restart' + + call(f'systemctl {systemd_action} {systemd_service}') + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_salt-minion.py b/src/conf_mode/service_salt-minion.py new file mode 100755 index 000000000..a8fce8e01 --- /dev/null +++ b/src/conf_mode/service_salt-minion.py @@ -0,0 +1,118 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from socket import gethostname +from sys import exit +from urllib3 import PoolManager + +from vyos.base import Warning +from vyos.config import Config +from vyos.configverify import verify_interface_exists +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.permission import chown +from vyos import ConfigError + +from vyos import airbag +airbag.enable() + +config_file = r'/etc/salt/minion' +master_keyfile = r'/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub' + +user='minion' +group='vyattacfg' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'salt-minion'] + + if not conf.exists(base): + return None + + salt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + # ID default is dynamic thus we can not use defaults() + if 'id' not in salt: + salt['id'] = gethostname() + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + salt = conf.merge_defaults(salt, recursive=True) + + if not conf.exists(base): + return None + else: + conf.set_level(base) + + return salt + +def verify(salt): + if not salt: + return None + + if 'hash' in salt and salt['hash'] == 'sha1': + Warning('Do not use sha1 hashing algorithm, upgrade to sha256 or later!') + + if 'source_interface' in salt: + verify_interface_exists(salt['source_interface']) + + return None + +def generate(salt): + if not salt: + return None + + render(config_file, 'salt-minion/minion.j2', salt, user=user, group=group) + + if not os.path.exists(master_keyfile): + if 'master_key' in salt: + req = PoolManager().request('GET', salt['master_key'], preload_content=False) + with open(master_keyfile, 'wb') as f: + while True: + data = req.read(1024) + if not data: + break + f.write(data) + + req.release_conn() + chown(master_keyfile, user, group) + + return None + +def apply(salt): + service_name = 'salt-minion.service' + if not salt: + # Salt removed from running config + call(f'systemctl stop {service_name}') + if os.path.exists(config_file): + os.unlink(config_file) + else: + call(f'systemctl restart {service_name}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_snmp.py b/src/conf_mode/service_snmp.py new file mode 100755 index 000000000..6565ffd60 --- /dev/null +++ b/src/conf_mode/service_snmp.py @@ -0,0 +1,269 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.base import Warning +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configverify import verify_vrf +from vyos.snmpv3_hashgen import plaintext_to_md5 +from vyos.snmpv3_hashgen import plaintext_to_sha1 +from vyos.snmpv3_hashgen import random +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.permission import chmod_755 +from vyos.utils.dict import dict_search +from vyos.utils.network import is_addr_assigned +from vyos.version import get_version_data +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file_client = r'/etc/snmp/snmp.conf' +config_file_daemon = r'/etc/snmp/snmpd.conf' +config_file_access = r'/usr/share/snmp/snmpd.conf' +config_file_user = r'/var/lib/snmp/snmpd.conf' +systemd_override = r'/run/systemd/system/snmpd.service.d/override.conf' +systemd_service = 'snmpd.service' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'snmp'] + + snmp = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + if not conf.exists(base): + snmp.update({'deleted' : ''}) + + if conf.exists(['service', 'lldp', 'snmp']): + snmp.update({'lldp_snmp' : ''}) + + if 'deleted' in snmp: + return snmp + + version_data = get_version_data() + snmp['version'] = version_data['version'] + + # create an internal snmpv3 user of the form 'vyosxxxxxxxxxxxxxxxx' + snmp['vyos_user'] = 'vyos' + random(8) + snmp['vyos_user_pass'] = random(16) + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + snmp = conf.merge_defaults(snmp, recursive=True) + + if 'listen_address' in snmp: + # Always listen on localhost if an explicit address has been configured + # This is a safety measure to not end up with invalid listen addresses + # that are not configured on this system. See https://vyos.dev/T850 + if '127.0.0.1' not in snmp['listen_address']: + tmp = {'127.0.0.1': {'port': '161'}} + snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) + + if '::1' not in snmp['listen_address']: + tmp = {'::1': {'port': '161'}} + snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) + + return snmp + +def verify(snmp): + if 'deleted' in snmp: + return None + + if {'deleted', 'lldp_snmp'} <= set(snmp): + raise ConfigError('Can not delete SNMP service, as LLDP still uses SNMP!') + + ### check if the configured script actually exist + if 'script_extensions' in snmp and 'extension_name' in snmp['script_extensions']: + for extension, extension_opt in snmp['script_extensions']['extension_name'].items(): + if 'script' not in extension_opt: + raise ConfigError(f'Script extension "{extension}" requires an actual script to be configured!') + + tmp = extension_opt['script'] + if not os.path.isfile(tmp): + Warning(f'script "{tmp}" does not exist!') + else: + chmod_755(extension_opt['script']) + + if 'listen_address' in snmp: + for address in snmp['listen_address']: + # We only wan't to configure addresses that exist on the system. + # Hint the user if they don't exist + if 'vrf' in snmp: + vrf_name = snmp['vrf'] + if not is_addr_assigned(address, vrf_name) and address not in ['::1','127.0.0.1']: + raise ConfigError(f'SNMP listen address "{address}" not configured in vrf "{vrf_name}"!') + elif not is_addr_assigned(address): + raise ConfigError(f'SNMP listen address "{address}" not configured in default vrf!') + + if 'trap_target' in snmp: + for trap, trap_config in snmp['trap_target'].items(): + if 'community' not in trap_config: + raise ConfigError(f'Trap target "{trap}" requires a community to be set!') + + if 'oid_enable' in snmp: + Warning(f'Custom OIDs are enabled and may lead to system instability and high resource consumption') + + + verify_vrf(snmp) + + # bail out early if SNMP v3 is not configured + if 'v3' not in snmp: + return None + + if 'user' in snmp['v3']: + for user, user_config in snmp['v3']['user'].items(): + if 'group' not in user_config: + raise ConfigError(f'Group membership required for user "{user}"!') + + if 'plaintext_password' not in user_config['auth'] and 'encrypted_password' not in user_config['auth']: + raise ConfigError(f'Must specify authentication encrypted-password or plaintext-password for user "{user}"!') + + if 'plaintext_password' not in user_config['privacy'] and 'encrypted_password' not in user_config['privacy']: + raise ConfigError(f'Must specify privacy encrypted-password or plaintext-password for user "{user}"!') + + if 'group' in snmp['v3']: + for group, group_config in snmp['v3']['group'].items(): + if 'seclevel' not in group_config: + raise ConfigError(f'Must configure "seclevel" for group "{group}"!') + if 'view' not in group_config: + raise ConfigError(f'Must configure "view" for group "{group}"!') + + # Check if 'view' exists + view = group_config['view'] + if 'view' not in snmp['v3'] or view not in snmp['v3']['view']: + raise ConfigError(f'You must create view "{view}" first!') + + if 'view' in snmp['v3']: + for view, view_config in snmp['v3']['view'].items(): + if 'oid' not in view_config: + raise ConfigError(f'Must configure an "oid" for view "{view}"!') + + if 'trap_target' in snmp['v3']: + for trap, trap_config in snmp['v3']['trap_target'].items(): + if 'plaintext_password' not in trap_config['auth'] and 'encrypted_password' not in trap_config['auth']: + raise ConfigError(f'Must specify one of authentication encrypted-password or plaintext-password for trap "{trap}"!') + + if {'plaintext_password', 'encrypted_password'} <= set(trap_config['auth']): + raise ConfigError(f'Can not specify both authentication encrypted-password and plaintext-password for trap "{trap}"!') + + if 'plaintext_password' not in trap_config['privacy'] and 'encrypted_password' not in trap_config['privacy']: + raise ConfigError(f'Must specify one of privacy encrypted-password or plaintext-password for trap "{trap}"!') + + if {'plaintext_password', 'encrypted_password'} <= set(trap_config['privacy']): + raise ConfigError(f'Can not specify both privacy encrypted-password and plaintext-password for trap "{trap}"!') + + if 'type' not in trap_config: + raise ConfigError('SNMP v3 trap "type" must be specified!') + + return None + +def generate(snmp): + # As we are manipulating the snmpd user database we have to stop it first! + # This is even save if service is going to be removed + call(f'systemctl stop {systemd_service}') + # Clean config files + config_files = [config_file_client, config_file_daemon, + config_file_access, config_file_user, systemd_override] + for file in config_files: + if os.path.isfile(file): + os.unlink(file) + + if 'deleted' in snmp: + return None + + if 'v3' in snmp: + # net-snmp is now regenerating the configuration file in the background + # thus we need to re-open and re-read the file as the content changed. + # After that we can no read the encrypted password from the config and + # replace the CLI plaintext password with its encrypted version. + os.environ['vyos_libexec_dir'] = '/usr/libexec/vyos' + + if 'user' in snmp['v3']: + for user, user_config in snmp['v3']['user'].items(): + if dict_search('auth.type', user_config) == 'sha': + hash = plaintext_to_sha1 + else: + hash = plaintext_to_md5 + + if dict_search('auth.plaintext_password', user_config) is not None: + tmp = hash(dict_search('auth.plaintext_password', user_config), + dict_search('v3.engineid', snmp)) + + snmp['v3']['user'][user]['auth']['encrypted_password'] = tmp + del snmp['v3']['user'][user]['auth']['plaintext_password'] + + call(f'/opt/vyatta/sbin/my_set service snmp v3 user "{user}" auth encrypted-password "{tmp}" > /dev/null') + call(f'/opt/vyatta/sbin/my_delete service snmp v3 user "{user}" auth plaintext-password > /dev/null') + + if dict_search('privacy.plaintext_password', user_config) is not None: + tmp = hash(dict_search('privacy.plaintext_password', user_config), + dict_search('v3.engineid', snmp)) + + snmp['v3']['user'][user]['privacy']['encrypted_password'] = tmp + del snmp['v3']['user'][user]['privacy']['plaintext_password'] + + call(f'/opt/vyatta/sbin/my_set service snmp v3 user "{user}" privacy encrypted-password "{tmp}" > /dev/null') + call(f'/opt/vyatta/sbin/my_delete service snmp v3 user "{user}" privacy plaintext-password > /dev/null') + + # Write client config file + render(config_file_client, 'snmp/etc.snmp.conf.j2', snmp) + # Write server config file + render(config_file_daemon, 'snmp/etc.snmpd.conf.j2', snmp) + # Write access rights config file + render(config_file_access, 'snmp/usr.snmpd.conf.j2', snmp) + # Write access rights config file + render(config_file_user, 'snmp/var.snmpd.conf.j2', snmp) + # Write daemon configuration file + render(systemd_override, 'snmp/override.conf.j2', snmp) + + return None + +def apply(snmp): + # Always reload systemd manager configuration + call('systemctl daemon-reload') + + if 'deleted' in snmp: + return None + + # start SNMP daemon + call(f'systemctl restart {systemd_service}') + + # Enable AgentX in FRR + # This should be done for each daemon individually because common command + # works only if all the daemons started with SNMP support + # Following daemons from FRR 9.0/stable have SNMP module compiled in VyOS + frr_daemons_list = ['zebra', 'bgpd', 'ospf6d', 'ospfd', 'ripd', 'isisd', 'ldpd'] + for frr_daemon in frr_daemons_list: + call(f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_ssh.py b/src/conf_mode/service_ssh.py new file mode 100755 index 000000000..ee5e1eca2 --- /dev/null +++ b/src/conf_mode/service_ssh.py @@ -0,0 +1,142 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from syslog import syslog +from syslog import LOG_INFO + +from vyos.config import Config +from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.utils.process import call +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = r'/run/sshd/sshd_config' +systemd_override = r'/run/systemd/system/ssh.service.d/override.conf' + +sshguard_config_file = '/etc/sshguard/sshguard.conf' +sshguard_whitelist = '/etc/sshguard/whitelist' + +key_rsa = '/etc/ssh/ssh_host_rsa_key' +key_dsa = '/etc/ssh/ssh_host_dsa_key' +key_ed25519 = '/etc/ssh/ssh_host_ed25519_key' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'ssh'] + if not conf.exists(base): + return None + + ssh = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + tmp = is_node_changed(conf, base + ['vrf']) + if tmp: ssh.update({'restart_required': {}}) + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + ssh = conf.merge_defaults(ssh, recursive=True) + + # pass config file path - used in override template + ssh['config_file'] = config_file + + # Ignore default XML values if config doesn't exists + # Delete key from dict + if not conf.exists(base + ['dynamic-protection']): + del ssh['dynamic_protection'] + + return ssh + +def verify(ssh): + if not ssh: + return None + + if 'rekey' in ssh and 'data' not in ssh['rekey']: + raise ConfigError(f'Rekey data is required!') + + verify_vrf(ssh) + return None + +def generate(ssh): + if not ssh: + if os.path.isfile(config_file): + os.unlink(config_file) + if os.path.isfile(systemd_override): + os.unlink(systemd_override) + + return None + + # This usually happens only once on a fresh system, SSH keys need to be + # freshly generted, one per every system! + if not os.path.isfile(key_rsa): + syslog(LOG_INFO, 'SSH RSA host key not found, generating new key!') + call(f'ssh-keygen -q -N "" -t rsa -f {key_rsa}') + if not os.path.isfile(key_dsa): + syslog(LOG_INFO, 'SSH DSA host key not found, generating new key!') + call(f'ssh-keygen -q -N "" -t dsa -f {key_dsa}') + if not os.path.isfile(key_ed25519): + syslog(LOG_INFO, 'SSH ed25519 host key not found, generating new key!') + call(f'ssh-keygen -q -N "" -t ed25519 -f {key_ed25519}') + + render(config_file, 'ssh/sshd_config.j2', ssh) + render(systemd_override, 'ssh/override.conf.j2', ssh) + + if 'dynamic_protection' in ssh: + render(sshguard_config_file, 'ssh/sshguard_config.j2', ssh) + render(sshguard_whitelist, 'ssh/sshguard_whitelist.j2', ssh) + # Reload systemd manager configuration + call('systemctl daemon-reload') + + return None + +def apply(ssh): + systemd_service_ssh = 'ssh.service' + systemd_service_sshguard = 'sshguard.service' + if not ssh: + # SSH access is removed in the commit + call(f'systemctl stop {systemd_service_ssh}') + call(f'systemctl stop {systemd_service_sshguard}') + return None + + if 'dynamic_protection' not in ssh: + call(f'systemctl stop {systemd_service_sshguard}') + else: + call(f'systemctl reload-or-restart {systemd_service_sshguard}') + + # we need to restart the service if e.g. the VRF name changed + systemd_action = 'reload-or-restart' + if 'restart_required' in ssh: + systemd_action = 'restart' + + call(f'systemctl {systemd_action} {systemd_service_ssh}') + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_tftp-server.py b/src/conf_mode/service_tftp-server.py new file mode 100755 index 000000000..3ad346e2e --- /dev/null +++ b/src/conf_mode/service_tftp-server.py @@ -0,0 +1,142 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import stat +import pwd + +from copy import deepcopy +from glob import glob +from sys import exit + +from vyos.base import Warning +from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos.template import render +from vyos.template import is_ipv4 +from vyos.utils.process import call +from vyos.utils.permission import chmod_755 +from vyos.utils.network import is_addr_assigned +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +config_file = r'/etc/default/tftpd' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['service', 'tftp-server'] + if not conf.exists(base): + return None + + tftpd = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + return tftpd + +def verify(tftpd): + # bail out early - looks like removal from running config + if not tftpd: + return None + + # Configuring allowed clients without a server makes no sense + if 'directory' not in tftpd: + raise ConfigError('TFTP root directory must be configured!') + + if 'listen_address' not in tftpd: + raise ConfigError('TFTP server listen address must be configured!') + + for address, address_config in tftpd['listen_address'].items(): + if not is_addr_assigned(address): + Warning(f'TFTP server listen address "{address}" not ' \ + 'assigned to any interface!') + verify_vrf(address_config) + + return None + +def generate(tftpd): + # cleanup any available configuration file + # files will be recreated on demand + for i in glob(config_file + '*'): + os.unlink(i) + + # bail out early - looks like removal from running config + if tftpd is None: + return None + + idx = 0 + for address, address_config in tftpd['listen_address'].items(): + config = deepcopy(tftpd) + port = tftpd['port'] + if is_ipv4(address): + config['listen_address'] = f'{address}:{port} -4' + else: + config['listen_address'] = f'[{address}]:{port} -6' + + if 'vrf' in address_config: + config['vrf'] = address_config['vrf'] + + file = config_file + str(idx) + render(file, 'tftp-server/default.j2', config) + idx = idx + 1 + + return None + +def apply(tftpd): + # stop all services first - then we will decide + call('systemctl stop tftpd@*.service') + + # bail out early - e.g. service deletion + if tftpd is None: + return None + + tftp_root = tftpd['directory'] + if not os.path.exists(tftp_root): + os.makedirs(tftp_root) + chmod_755(tftp_root) + + # get UNIX uid for user 'tftp' + tftp_uid = pwd.getpwnam('tftp').pw_uid + tftp_gid = pwd.getpwnam('tftp').pw_gid + + # get UNIX uid for tftproot directory + dir_uid = os.stat(tftp_root).st_uid + dir_gid = os.stat(tftp_root).st_gid + + # adjust uid/gid of tftproot directory if files don't belong to user tftp + if (tftp_uid != dir_uid) or (tftp_gid != dir_gid): + os.chown(tftp_root, tftp_uid, tftp_gid) + + idx = 0 + for address in tftpd['listen_address']: + call(f'systemctl restart tftpd@{idx}.service') + idx = idx + 1 + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py deleted file mode 100755 index 6565ffd60..000000000 --- a/src/conf_mode/snmp.py +++ /dev/null @@ -1,269 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.base import Warning -from vyos.config import Config -from vyos.configdict import dict_merge -from vyos.configverify import verify_vrf -from vyos.snmpv3_hashgen import plaintext_to_md5 -from vyos.snmpv3_hashgen import plaintext_to_sha1 -from vyos.snmpv3_hashgen import random -from vyos.template import render -from vyos.utils.process import call -from vyos.utils.permission import chmod_755 -from vyos.utils.dict import dict_search -from vyos.utils.network import is_addr_assigned -from vyos.version import get_version_data -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file_client = r'/etc/snmp/snmp.conf' -config_file_daemon = r'/etc/snmp/snmpd.conf' -config_file_access = r'/usr/share/snmp/snmpd.conf' -config_file_user = r'/var/lib/snmp/snmpd.conf' -systemd_override = r'/run/systemd/system/snmpd.service.d/override.conf' -systemd_service = 'snmpd.service' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'snmp'] - - snmp = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - if not conf.exists(base): - snmp.update({'deleted' : ''}) - - if conf.exists(['service', 'lldp', 'snmp']): - snmp.update({'lldp_snmp' : ''}) - - if 'deleted' in snmp: - return snmp - - version_data = get_version_data() - snmp['version'] = version_data['version'] - - # create an internal snmpv3 user of the form 'vyosxxxxxxxxxxxxxxxx' - snmp['vyos_user'] = 'vyos' + random(8) - snmp['vyos_user_pass'] = random(16) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - snmp = conf.merge_defaults(snmp, recursive=True) - - if 'listen_address' in snmp: - # Always listen on localhost if an explicit address has been configured - # This is a safety measure to not end up with invalid listen addresses - # that are not configured on this system. See https://vyos.dev/T850 - if '127.0.0.1' not in snmp['listen_address']: - tmp = {'127.0.0.1': {'port': '161'}} - snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) - - if '::1' not in snmp['listen_address']: - tmp = {'::1': {'port': '161'}} - snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) - - return snmp - -def verify(snmp): - if 'deleted' in snmp: - return None - - if {'deleted', 'lldp_snmp'} <= set(snmp): - raise ConfigError('Can not delete SNMP service, as LLDP still uses SNMP!') - - ### check if the configured script actually exist - if 'script_extensions' in snmp and 'extension_name' in snmp['script_extensions']: - for extension, extension_opt in snmp['script_extensions']['extension_name'].items(): - if 'script' not in extension_opt: - raise ConfigError(f'Script extension "{extension}" requires an actual script to be configured!') - - tmp = extension_opt['script'] - if not os.path.isfile(tmp): - Warning(f'script "{tmp}" does not exist!') - else: - chmod_755(extension_opt['script']) - - if 'listen_address' in snmp: - for address in snmp['listen_address']: - # We only wan't to configure addresses that exist on the system. - # Hint the user if they don't exist - if 'vrf' in snmp: - vrf_name = snmp['vrf'] - if not is_addr_assigned(address, vrf_name) and address not in ['::1','127.0.0.1']: - raise ConfigError(f'SNMP listen address "{address}" not configured in vrf "{vrf_name}"!') - elif not is_addr_assigned(address): - raise ConfigError(f'SNMP listen address "{address}" not configured in default vrf!') - - if 'trap_target' in snmp: - for trap, trap_config in snmp['trap_target'].items(): - if 'community' not in trap_config: - raise ConfigError(f'Trap target "{trap}" requires a community to be set!') - - if 'oid_enable' in snmp: - Warning(f'Custom OIDs are enabled and may lead to system instability and high resource consumption') - - - verify_vrf(snmp) - - # bail out early if SNMP v3 is not configured - if 'v3' not in snmp: - return None - - if 'user' in snmp['v3']: - for user, user_config in snmp['v3']['user'].items(): - if 'group' not in user_config: - raise ConfigError(f'Group membership required for user "{user}"!') - - if 'plaintext_password' not in user_config['auth'] and 'encrypted_password' not in user_config['auth']: - raise ConfigError(f'Must specify authentication encrypted-password or plaintext-password for user "{user}"!') - - if 'plaintext_password' not in user_config['privacy'] and 'encrypted_password' not in user_config['privacy']: - raise ConfigError(f'Must specify privacy encrypted-password or plaintext-password for user "{user}"!') - - if 'group' in snmp['v3']: - for group, group_config in snmp['v3']['group'].items(): - if 'seclevel' not in group_config: - raise ConfigError(f'Must configure "seclevel" for group "{group}"!') - if 'view' not in group_config: - raise ConfigError(f'Must configure "view" for group "{group}"!') - - # Check if 'view' exists - view = group_config['view'] - if 'view' not in snmp['v3'] or view not in snmp['v3']['view']: - raise ConfigError(f'You must create view "{view}" first!') - - if 'view' in snmp['v3']: - for view, view_config in snmp['v3']['view'].items(): - if 'oid' not in view_config: - raise ConfigError(f'Must configure an "oid" for view "{view}"!') - - if 'trap_target' in snmp['v3']: - for trap, trap_config in snmp['v3']['trap_target'].items(): - if 'plaintext_password' not in trap_config['auth'] and 'encrypted_password' not in trap_config['auth']: - raise ConfigError(f'Must specify one of authentication encrypted-password or plaintext-password for trap "{trap}"!') - - if {'plaintext_password', 'encrypted_password'} <= set(trap_config['auth']): - raise ConfigError(f'Can not specify both authentication encrypted-password and plaintext-password for trap "{trap}"!') - - if 'plaintext_password' not in trap_config['privacy'] and 'encrypted_password' not in trap_config['privacy']: - raise ConfigError(f'Must specify one of privacy encrypted-password or plaintext-password for trap "{trap}"!') - - if {'plaintext_password', 'encrypted_password'} <= set(trap_config['privacy']): - raise ConfigError(f'Can not specify both privacy encrypted-password and plaintext-password for trap "{trap}"!') - - if 'type' not in trap_config: - raise ConfigError('SNMP v3 trap "type" must be specified!') - - return None - -def generate(snmp): - # As we are manipulating the snmpd user database we have to stop it first! - # This is even save if service is going to be removed - call(f'systemctl stop {systemd_service}') - # Clean config files - config_files = [config_file_client, config_file_daemon, - config_file_access, config_file_user, systemd_override] - for file in config_files: - if os.path.isfile(file): - os.unlink(file) - - if 'deleted' in snmp: - return None - - if 'v3' in snmp: - # net-snmp is now regenerating the configuration file in the background - # thus we need to re-open and re-read the file as the content changed. - # After that we can no read the encrypted password from the config and - # replace the CLI plaintext password with its encrypted version. - os.environ['vyos_libexec_dir'] = '/usr/libexec/vyos' - - if 'user' in snmp['v3']: - for user, user_config in snmp['v3']['user'].items(): - if dict_search('auth.type', user_config) == 'sha': - hash = plaintext_to_sha1 - else: - hash = plaintext_to_md5 - - if dict_search('auth.plaintext_password', user_config) is not None: - tmp = hash(dict_search('auth.plaintext_password', user_config), - dict_search('v3.engineid', snmp)) - - snmp['v3']['user'][user]['auth']['encrypted_password'] = tmp - del snmp['v3']['user'][user]['auth']['plaintext_password'] - - call(f'/opt/vyatta/sbin/my_set service snmp v3 user "{user}" auth encrypted-password "{tmp}" > /dev/null') - call(f'/opt/vyatta/sbin/my_delete service snmp v3 user "{user}" auth plaintext-password > /dev/null') - - if dict_search('privacy.plaintext_password', user_config) is not None: - tmp = hash(dict_search('privacy.plaintext_password', user_config), - dict_search('v3.engineid', snmp)) - - snmp['v3']['user'][user]['privacy']['encrypted_password'] = tmp - del snmp['v3']['user'][user]['privacy']['plaintext_password'] - - call(f'/opt/vyatta/sbin/my_set service snmp v3 user "{user}" privacy encrypted-password "{tmp}" > /dev/null') - call(f'/opt/vyatta/sbin/my_delete service snmp v3 user "{user}" privacy plaintext-password > /dev/null') - - # Write client config file - render(config_file_client, 'snmp/etc.snmp.conf.j2', snmp) - # Write server config file - render(config_file_daemon, 'snmp/etc.snmpd.conf.j2', snmp) - # Write access rights config file - render(config_file_access, 'snmp/usr.snmpd.conf.j2', snmp) - # Write access rights config file - render(config_file_user, 'snmp/var.snmpd.conf.j2', snmp) - # Write daemon configuration file - render(systemd_override, 'snmp/override.conf.j2', snmp) - - return None - -def apply(snmp): - # Always reload systemd manager configuration - call('systemctl daemon-reload') - - if 'deleted' in snmp: - return None - - # start SNMP daemon - call(f'systemctl restart {systemd_service}') - - # Enable AgentX in FRR - # This should be done for each daemon individually because common command - # works only if all the daemons started with SNMP support - # Following daemons from FRR 9.0/stable have SNMP module compiled in VyOS - frr_daemons_list = ['zebra', 'bgpd', 'ospf6d', 'ospfd', 'ripd', 'isisd', 'ldpd'] - for frr_daemon in frr_daemons_list: - call(f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null') - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py deleted file mode 100755 index ee5e1eca2..000000000 --- a/src/conf_mode/ssh.py +++ /dev/null @@ -1,142 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from syslog import syslog -from syslog import LOG_INFO - -from vyos.config import Config -from vyos.configdict import is_node_changed -from vyos.configverify import verify_vrf -from vyos.utils.process import call -from vyos.template import render -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = r'/run/sshd/sshd_config' -systemd_override = r'/run/systemd/system/ssh.service.d/override.conf' - -sshguard_config_file = '/etc/sshguard/sshguard.conf' -sshguard_whitelist = '/etc/sshguard/whitelist' - -key_rsa = '/etc/ssh/ssh_host_rsa_key' -key_dsa = '/etc/ssh/ssh_host_dsa_key' -key_ed25519 = '/etc/ssh/ssh_host_ed25519_key' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['service', 'ssh'] - if not conf.exists(base): - return None - - ssh = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - tmp = is_node_changed(conf, base + ['vrf']) - if tmp: ssh.update({'restart_required': {}}) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - ssh = conf.merge_defaults(ssh, recursive=True) - - # pass config file path - used in override template - ssh['config_file'] = config_file - - # Ignore default XML values if config doesn't exists - # Delete key from dict - if not conf.exists(base + ['dynamic-protection']): - del ssh['dynamic_protection'] - - return ssh - -def verify(ssh): - if not ssh: - return None - - if 'rekey' in ssh and 'data' not in ssh['rekey']: - raise ConfigError(f'Rekey data is required!') - - verify_vrf(ssh) - return None - -def generate(ssh): - if not ssh: - if os.path.isfile(config_file): - os.unlink(config_file) - if os.path.isfile(systemd_override): - os.unlink(systemd_override) - - return None - - # This usually happens only once on a fresh system, SSH keys need to be - # freshly generted, one per every system! - if not os.path.isfile(key_rsa): - syslog(LOG_INFO, 'SSH RSA host key not found, generating new key!') - call(f'ssh-keygen -q -N "" -t rsa -f {key_rsa}') - if not os.path.isfile(key_dsa): - syslog(LOG_INFO, 'SSH DSA host key not found, generating new key!') - call(f'ssh-keygen -q -N "" -t dsa -f {key_dsa}') - if not os.path.isfile(key_ed25519): - syslog(LOG_INFO, 'SSH ed25519 host key not found, generating new key!') - call(f'ssh-keygen -q -N "" -t ed25519 -f {key_ed25519}') - - render(config_file, 'ssh/sshd_config.j2', ssh) - render(systemd_override, 'ssh/override.conf.j2', ssh) - - if 'dynamic_protection' in ssh: - render(sshguard_config_file, 'ssh/sshguard_config.j2', ssh) - render(sshguard_whitelist, 'ssh/sshguard_whitelist.j2', ssh) - # Reload systemd manager configuration - call('systemctl daemon-reload') - - return None - -def apply(ssh): - systemd_service_ssh = 'ssh.service' - systemd_service_sshguard = 'sshguard.service' - if not ssh: - # SSH access is removed in the commit - call(f'systemctl stop {systemd_service_ssh}') - call(f'systemctl stop {systemd_service_sshguard}') - return None - - if 'dynamic_protection' not in ssh: - call(f'systemctl stop {systemd_service_sshguard}') - else: - call(f'systemctl reload-or-restart {systemd_service_sshguard}') - - # we need to restart the service if e.g. the VRF name changed - systemd_action = 'reload-or-restart' - if 'restart_required' in ssh: - systemd_action = 'restart' - - call(f'systemctl {systemd_action} {systemd_service_ssh}') - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system-ip.py deleted file mode 100755 index 7612e2c0d..000000000 --- a/src/conf_mode/system-ip.py +++ /dev/null @@ -1,143 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from vyos.config import Config -from vyos.configdict import dict_merge -from vyos.configverify import verify_route_map -from vyos.template import render_to_string -from vyos.utils.dict import dict_search -from vyos.utils.file import write_file -from vyos.utils.process import call -from vyos.utils.process import is_systemd_service_active -from vyos.utils.system import sysctl_write - -from vyos import ConfigError -from vyos import frr -from vyos import airbag -airbag.enable() - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'ip'] - - opt = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - # When working with FRR we need to know the corresponding address-family - opt['afi'] = 'ip' - - # We also need the route-map information from the config - # - # XXX: one MUST always call this without the key_mangling() option! See - # vyos.configverify.verify_common_route_maps() for more information. - tmp = {'policy' : {'route-map' : conf.get_config_dict(['policy', 'route-map'], - get_first_key=True)}} - # Merge policy dict into "regular" config dict - opt = dict_merge(tmp, opt) - return opt - -def verify(opt): - if 'protocol' in opt: - for protocol, protocol_options in opt['protocol'].items(): - if 'route_map' in protocol_options: - verify_route_map(protocol_options['route_map'], opt) - return - -def generate(opt): - opt['frr_zebra_config'] = render_to_string('frr/zebra.route-map.frr.j2', opt) - return - -def apply(opt): - # Apply ARP threshold values - # table_size has a default value - thus the key always exists - size = int(dict_search('arp.table_size', opt)) - # Amount upon reaching which the records begin to be cleared immediately - sysctl_write('net.ipv4.neigh.default.gc_thresh3', size) - # Amount after which the records begin to be cleaned after 5 seconds - sysctl_write('net.ipv4.neigh.default.gc_thresh2', size // 2) - # Minimum number of stored records is indicated which is not cleared - sysctl_write('net.ipv4.neigh.default.gc_thresh1', size // 8) - - # enable/disable IPv4 forwarding - tmp = dict_search('disable_forwarding', opt) - value = '0' if (tmp != None) else '1' - write_file('/proc/sys/net/ipv4/conf/all/forwarding', value) - - # enable/disable IPv4 directed broadcast forwarding - tmp = dict_search('disable_directed_broadcast', opt) - value = '0' if (tmp != None) else '1' - write_file('/proc/sys/net/ipv4/conf/all/bc_forwarding', value) - - # configure multipath - tmp = dict_search('multipath.ignore_unreachable_nexthops', opt) - value = '1' if (tmp != None) else '0' - sysctl_write('net.ipv4.fib_multipath_use_neigh', value) - - tmp = dict_search('multipath.layer4_hashing', opt) - value = '1' if (tmp != None) else '0' - sysctl_write('net.ipv4.fib_multipath_hash_policy', value) - - # configure TCP options (defaults as of Linux 6.4) - tmp = dict_search('tcp.mss.probing', opt) - if tmp is None: - value = 0 - elif tmp == 'on-icmp-black-hole': - value = 1 - elif tmp == 'force': - value = 2 - else: - # Shouldn't happen - raise ValueError("TCP MSS probing is neither 'on-icmp-black-hole' nor 'force'!") - sysctl_write('net.ipv4.tcp_mtu_probing', value) - - tmp = dict_search('tcp.mss.base', opt) - value = '1024' if (tmp is None) else tmp - sysctl_write('net.ipv4.tcp_base_mss', value) - - tmp = dict_search('tcp.mss.floor', opt) - value = '48' if (tmp is None) else tmp - sysctl_write('net.ipv4.tcp_mtu_probe_floor', value) - - # During startup of vyos-router that brings up FRR, the service is not yet - # running when this script is called first. Skip this part and wait for initial - # commit of the configuration to trigger this statement - if is_systemd_service_active('frr.service'): - zebra_daemon = 'zebra' - # Save original configuration prior to starting any commit actions - frr_cfg = frr.FRRConfig() - - # The route-map used for the FIB (zebra) is part of the zebra daemon - frr_cfg.load_configuration(zebra_daemon) - frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') - if 'frr_zebra_config' in opt: - frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) - frr_cfg.commit_configuration(zebra_daemon) - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-ipv6.py b/src/conf_mode/system-ipv6.py deleted file mode 100755 index 90a1a8087..000000000 --- a/src/conf_mode/system-ipv6.py +++ /dev/null @@ -1,120 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit -from vyos.config import Config -from vyos.configdict import dict_merge -from vyos.configverify import verify_route_map -from vyos.template import render_to_string -from vyos.utils.dict import dict_search -from vyos.utils.file import write_file -from vyos.utils.process import is_systemd_service_active -from vyos.utils.system import sysctl_write -from vyos import ConfigError -from vyos import frr -from vyos import airbag -airbag.enable() - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'ipv6'] - - opt = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - # When working with FRR we need to know the corresponding address-family - opt['afi'] = 'ipv6' - - # We also need the route-map information from the config - # - # XXX: one MUST always call this without the key_mangling() option! See - # vyos.configverify.verify_common_route_maps() for more information. - tmp = {'policy' : {'route-map' : conf.get_config_dict(['policy', 'route-map'], - get_first_key=True)}} - # Merge policy dict into "regular" config dict - opt = dict_merge(tmp, opt) - return opt - -def verify(opt): - if 'protocol' in opt: - for protocol, protocol_options in opt['protocol'].items(): - if 'route_map' in protocol_options: - verify_route_map(protocol_options['route_map'], opt) - return - -def generate(opt): - opt['frr_zebra_config'] = render_to_string('frr/zebra.route-map.frr.j2', opt) - return - -def apply(opt): - # configure multipath - tmp = dict_search('multipath.layer4_hashing', opt) - value = '1' if (tmp != None) else '0' - sysctl_write('net.ipv6.fib_multipath_hash_policy', value) - - # Apply ND threshold values - # table_size has a default value - thus the key always exists - size = int(dict_search('neighbor.table_size', opt)) - # Amount upon reaching which the records begin to be cleared immediately - sysctl_write('net.ipv6.neigh.default.gc_thresh3', size) - # Amount after which the records begin to be cleaned after 5 seconds - sysctl_write('net.ipv6.neigh.default.gc_thresh2', size // 2) - # Minimum number of stored records is indicated which is not cleared - sysctl_write('net.ipv6.neigh.default.gc_thresh1', size // 8) - - # enable/disable IPv6 forwarding - tmp = dict_search('disable_forwarding', opt) - value = '0' if (tmp != None) else '1' - write_file('/proc/sys/net/ipv6/conf/all/forwarding', value) - - # configure IPv6 strict-dad - tmp = dict_search('strict_dad', opt) - value = '2' if (tmp != None) else '1' - for root, dirs, files in os.walk('/proc/sys/net/ipv6/conf'): - for name in files: - if name == 'accept_dad': - write_file(os.path.join(root, name), value) - - # During startup of vyos-router that brings up FRR, the service is not yet - # running when this script is called first. Skip this part and wait for initial - # commit of the configuration to trigger this statement - if is_systemd_service_active('frr.service'): - zebra_daemon = 'zebra' - # Save original configuration prior to starting any commit actions - frr_cfg = frr.FRRConfig() - - # The route-map used for the FIB (zebra) is part of the zebra daemon - frr_cfg.load_configuration(zebra_daemon) - frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') - if 'frr_zebra_config' in opt: - frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) - frr_cfg.commit_configuration(zebra_daemon) - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-login-banner.py b/src/conf_mode/system-login-banner.py deleted file mode 100755 index 65fa04417..000000000 --- a/src/conf_mode/system-login-banner.py +++ /dev/null @@ -1,107 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit -from copy import deepcopy - -from vyos.config import Config -from vyos.utils.file import write_file -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -try: - with open('/usr/share/vyos/default_motd') as f: - motd = f.read() -except: - # Use an empty banner if the default banner file cannot be read - motd = "\n" - -PRELOGIN_FILE = r'/etc/issue' -PRELOGIN_NET_FILE = r'/etc/issue.net' -POSTLOGIN_FILE = r'/etc/motd' - -default_config_data = { - 'issue': 'Welcome to VyOS - \\n \\l\n\n', - 'issue_net': '', - 'motd': motd -} - -def get_config(config=None): - banner = deepcopy(default_config_data) - if config: - conf = config - else: - conf = Config() - base_level = ['system', 'login', 'banner'] - - if not conf.exists(base_level): - return banner - else: - conf.set_level(base_level) - - # Post-Login banner - if conf.exists(['post-login']): - tmp = conf.return_value(['post-login']) - # post-login banner can be empty as well - if tmp: - tmp = tmp.replace('\\n','\n') - tmp = tmp.replace('\\t','\t') - # always add newline character - tmp += '\n' - else: - tmp = '' - - banner['motd'] = tmp - - # Pre-Login banner - if conf.exists(['pre-login']): - tmp = conf.return_value(['pre-login']) - # pre-login banner can be empty as well - if tmp: - tmp = tmp.replace('\\n','\n') - tmp = tmp.replace('\\t','\t') - # always add newline character - tmp += '\n' - else: - tmp = '' - - banner['issue'] = banner['issue_net'] = tmp - - return banner - -def verify(banner): - pass - -def generate(banner): - pass - -def apply(banner): - write_file(PRELOGIN_FILE, banner['issue']) - write_file(PRELOGIN_NET_FILE, banner['issue_net']) - write_file(POSTLOGIN_FILE, banner['motd']) - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py deleted file mode 100755 index f34575aff..000000000 --- a/src/conf_mode/system-login.py +++ /dev/null @@ -1,423 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from passlib.hosts import linux_context -from psutil import users -from pwd import getpwall -from pwd import getpwnam -from sys import exit -from time import sleep - -from vyos.config import Config -from vyos.configverify import verify_vrf -from vyos.defaults import directories -from vyos.template import render -from vyos.template import is_ipv4 -from vyos.utils.dict import dict_search -from vyos.utils.file import chown -from vyos.utils.process import cmd -from vyos.utils.process import call -from vyos.utils.process import rc_cmd -from vyos.utils.process import run -from vyos.utils.process import DEVNULL -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -autologout_file = "/etc/profile.d/autologout.sh" -limits_file = "/etc/security/limits.d/10-vyos.conf" -radius_config_file = "/etc/pam_radius_auth.conf" -tacacs_pam_config_file = "/etc/tacplus_servers" -tacacs_nss_config_file = "/etc/tacplus_nss.conf" -nss_config_file = "/etc/nsswitch.conf" - -# Minimum UID used when adding system users -MIN_USER_UID: int = 1000 -# Maximim UID used when adding system users -MAX_USER_UID: int = 59999 -# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec -MAX_RADIUS_TIMEOUT: int = 50 -# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) -MAX_RADIUS_COUNT: int = 8 -# Maximum number of supported TACACS servers -MAX_TACACS_COUNT: int = 8 - -# List of local user accounts that must be preserved -SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'tacacs1', - 'tacacs2', 'tacacs3', 'tacacs4', 'tacacs5', 'tacacs6', - 'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11', - 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15'] - -def get_local_users(): - """Return list of dynamically allocated users (see Debian Policy Manual)""" - local_users = [] - for s_user in getpwall(): - if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID: - continue - if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID: - continue - if s_user.pw_name in SYSTEM_USER_SKIP_LIST: - continue - local_users.append(s_user.pw_name) - - return local_users - -def get_shadow_password(username): - with open('/etc/shadow') as f: - for user in f.readlines(): - items = user.split(":") - if username == items[0]: - return items[1] - return None - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'login'] - login = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - # users no longer existing in the running configuration need to be deleted - local_users = get_local_users() - cli_users = [] - if 'user' in login: - cli_users = list(login['user']) - - # prune TACACS global defaults if not set by user - if login.from_defaults(['tacacs']): - del login['tacacs'] - # same for RADIUS - if login.from_defaults(['radius']): - del login['radius'] - - # create a list of all users, cli and users - all_users = list(set(local_users + cli_users)) - # We will remove any normal users that dos not exist in the current - # configuration. This can happen if user is added but configuration was not - # saved and system is rebooted. - rm_users = [tmp for tmp in all_users if tmp not in cli_users] - if rm_users: login.update({'rm_users' : rm_users}) - - return login - -def verify(login): - if 'rm_users' in login: - # This check is required as the script is also executed from vyos-router - # init script and there is no SUDO_USER environment variable available - # during system boot. - if 'SUDO_USER' in os.environ: - cur_user = os.environ['SUDO_USER'] - if cur_user in login['rm_users']: - raise ConfigError(f'Attempting to delete current user: {cur_user}') - - if 'user' in login: - system_users = getpwall() - for user, user_config in login['user'].items(): - # Linux system users range up until UID 1000, we can not create a - # VyOS CLI user which already exists as system user - for s_user in system_users: - if s_user.pw_name == user and s_user.pw_uid < MIN_USER_UID: - raise ConfigError(f'User "{user}" can not be created, conflict with local system account!') - - for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): - if 'type' not in pubkey_options: - raise ConfigError(f'Missing type for public-key "{pubkey}"!') - if 'key' not in pubkey_options: - raise ConfigError(f'Missing key for public-key "{pubkey}"!') - - if {'radius', 'tacacs'} <= set(login): - raise ConfigError('Using both RADIUS and TACACS at the same time is not supported!') - - # At lease one RADIUS server must not be disabled - if 'radius' in login: - if 'server' not in login['radius']: - raise ConfigError('No RADIUS server defined!') - sum_timeout: int = 0 - radius_servers_count: int = 0 - fail = True - for server, server_config in dict_search('radius.server', login).items(): - if 'key' not in server_config: - raise ConfigError(f'RADIUS server "{server}" requires key!') - if 'disable' not in server_config: - sum_timeout += int(server_config['timeout']) - radius_servers_count += 1 - fail = False - - if fail: - raise ConfigError('All RADIUS servers are disabled') - - if radius_servers_count > MAX_RADIUS_COUNT: - raise ConfigError(f'Number of RADIUS servers exceeded maximum of {MAX_RADIUS_COUNT}!') - - if sum_timeout > MAX_RADIUS_TIMEOUT: - raise ConfigError('Sum of RADIUS servers timeouts ' - 'has to be less or eq 50 sec') - - verify_vrf(login['radius']) - - if 'source_address' in login['radius']: - ipv4_count = 0 - ipv6_count = 0 - for address in login['radius']['source_address']: - if is_ipv4(address): ipv4_count += 1 - else: ipv6_count += 1 - - if ipv4_count > 1: - raise ConfigError('Only one IPv4 source-address can be set!') - if ipv6_count > 1: - raise ConfigError('Only one IPv6 source-address can be set!') - - if 'tacacs' in login: - tacacs_servers_count: int = 0 - fail = True - for server, server_config in dict_search('tacacs.server', login).items(): - if 'key' not in server_config: - raise ConfigError(f'TACACS server "{server}" requires key!') - if 'disable' not in server_config: - tacacs_servers_count += 1 - fail = False - - if fail: - raise ConfigError('All RADIUS servers are disabled') - - if tacacs_servers_count > MAX_TACACS_COUNT: - raise ConfigError(f'Number of TACACS servers exceeded maximum of {MAX_TACACS_COUNT}!') - - verify_vrf(login['tacacs']) - - if 'max_login_session' in login and 'timeout' not in login: - raise ConfigError('"login timeout" must be configured!') - - return None - - -def generate(login): - # calculate users encrypted password - if 'user' in login: - for user, user_config in login['user'].items(): - tmp = dict_search('authentication.plaintext_password', user_config) - if tmp: - encrypted_password = linux_context.hash(tmp) - login['user'][user]['authentication']['encrypted_password'] = encrypted_password - del login['user'][user]['authentication']['plaintext_password'] - - # remove old plaintext password and set new encrypted password - env = os.environ.copy() - env['vyos_libexec_dir'] = directories['base'] - - # Set default commands for re-adding user with encrypted password - del_user_plain = f"system login user {user} authentication plaintext-password" - add_user_encrypt = f"system login user {user} authentication encrypted-password '{encrypted_password}'" - - lvl = env['VYATTA_EDIT_LEVEL'] - # We're in config edit level, for example "edit system login" - # Change default commands for re-adding user with encrypted password - if lvl != '/': - # Replace '/system/login' to 'system login' - lvl = lvl.strip('/').split('/') - # Convert command str to list - del_user_plain = del_user_plain.split() - # New command exclude level, for example "edit system login" - del_user_plain = del_user_plain[len(lvl):] - # Convert string to list - del_user_plain = " ".join(del_user_plain) - - add_user_encrypt = add_user_encrypt.split() - add_user_encrypt = add_user_encrypt[len(lvl):] - add_user_encrypt = " ".join(add_user_encrypt) - - ret, out = rc_cmd(f"/opt/vyatta/sbin/my_delete {del_user_plain}", env=env) - if ret: raise ConfigError(out) - ret, out = rc_cmd(f"/opt/vyatta/sbin/my_set {add_user_encrypt}", env=env) - if ret: raise ConfigError(out) - else: - try: - if get_shadow_password(user) == dict_search('authentication.encrypted_password', user_config): - # If the current encrypted bassword matches the encrypted password - # from the config - do not update it. This will remove the encrypted - # value from the system logs. - # - # The encrypted password will be set only once during the first boot - # after an image upgrade. - del login['user'][user]['authentication']['encrypted_password'] - except: - pass - - ### RADIUS based user authentication - if 'radius' in login: - render(radius_config_file, 'login/pam_radius_auth.conf.j2', login, - permission=0o600, user='root', group='root') - else: - if os.path.isfile(radius_config_file): - os.unlink(radius_config_file) - - ### TACACS+ based user authentication - if 'tacacs' in login: - render(tacacs_pam_config_file, 'login/tacplus_servers.j2', login, - permission=0o644, user='root', group='root') - render(tacacs_nss_config_file, 'login/tacplus_nss.conf.j2', login, - permission=0o644, user='root', group='root') - else: - if os.path.isfile(tacacs_pam_config_file): - os.unlink(tacacs_pam_config_file) - if os.path.isfile(tacacs_nss_config_file): - os.unlink(tacacs_nss_config_file) - - - - # NSS must always be present on the system - render(nss_config_file, 'login/nsswitch.conf.j2', login, - permission=0o644, user='root', group='root') - - # /etc/security/limits.d/10-vyos.conf - if 'max_login_session' in login: - render(limits_file, 'login/limits.j2', login, - permission=0o644, user='root', group='root') - else: - if os.path.isfile(limits_file): - os.unlink(limits_file) - - if 'timeout' in login: - render(autologout_file, 'login/autologout.j2', login, - permission=0o755, user='root', group='root') - else: - if os.path.isfile(autologout_file): - os.unlink(autologout_file) - - return None - - -def apply(login): - enable_otp = False - if 'user' in login: - for user, user_config in login['user'].items(): - # make new user using vyatta shell and make home directory (-m), - # default group of 100 (users) - command = 'useradd --create-home --no-user-group ' - # check if user already exists: - if user in get_local_users(): - # update existing account - command = 'usermod' - - # all accounts use /bin/vbash - command += ' --shell /bin/vbash' - # we need to use '' quotes when passing formatted data to the shell - # else it will not work as some data parts are lost in translation - tmp = dict_search('authentication.encrypted_password', user_config) - if tmp: command += f" --password '{tmp}'" - - tmp = dict_search('full_name', user_config) - if tmp: command += f" --comment '{tmp}'" - - tmp = dict_search('home_directory', user_config) - if tmp: command += f" --home '{tmp}'" - else: command += f" --home '/home/{user}'" - - command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk,_kea {user}' - try: - cmd(command) - # we should not rely on the value stored in - # user_config['home_directory'], as a crazy user will choose - # username root or any other system user which will fail. - # - # XXX: Should we deny using root at all? - home_dir = getpwnam(user).pw_dir - # T5875: ensure UID is properly set on home directory if user is re-added - if os.path.exists(home_dir): - chown(home_dir, user=user, recursive=True) - - render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2', - user_config, permission=0o600, - formater=lambda _: _.replace(""", '"'), - user=user, group='users') - - except Exception as e: - raise ConfigError(f'Adding user "{user}" raised exception: "{e}"') - - # Generate 2FA/MFA One-Time-Pad configuration - if dict_search('authentication.otp.key', user_config): - enable_otp = True - render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2', - user_config, permission=0o400, user=user, group='users') - else: - # delete configuration as it's not enabled for the user - if os.path.exists(f'{home_dir}/.google_authenticator'): - os.remove(f'{home_dir}/.google_authenticator') - - if 'rm_users' in login: - for user in login['rm_users']: - try: - # Disable user to prevent re-login - call(f'usermod -s /sbin/nologin {user}') - - # Logout user if he is still logged in - if user in list(set([tmp[0] for tmp in users()])): - print(f'{user} is logged in, forcing logout!') - # re-run command until user is logged out - while run(f'pkill -HUP -u {user}'): - sleep(0.250) - - # Remove user account but leave home directory in place. Re-run - # command until user is removed - userdel might return 8 as - # SSH sessions are not all yet properly cleaned away, thus we - # simply re-run the command until the account wen't away - while run(f'userdel {user}', stderr=DEVNULL): - sleep(0.250) - - except Exception as e: - raise ConfigError(f'Deleting user "{user}" raised exception: {e}') - - # Enable/disable RADIUS in PAM configuration - cmd('pam-auth-update --disable radius-mandatory radius-optional') - if 'radius' in login: - if login['radius'].get('security_mode', '') == 'mandatory': - pam_profile = 'radius-mandatory' - else: - pam_profile = 'radius-optional' - cmd(f'pam-auth-update --enable {pam_profile}') - - # Enable/disable TACACS+ in PAM configuration - cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional') - if 'tacacs' in login: - if login['tacacs'].get('security_mode', '') == 'mandatory': - pam_profile = 'tacplus-mandatory' - else: - pam_profile = 'tacplus-optional' - cmd(f'pam-auth-update --enable {pam_profile}') - - # Enable/disable Google authenticator - cmd('pam-auth-update --disable mfa-google-authenticator') - if enable_otp: - cmd(f'pam-auth-update --enable mfa-google-authenticator') - - return None - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-logs.py b/src/conf_mode/system-logs.py deleted file mode 100755 index 8ad4875d4..000000000 --- a/src/conf_mode/system-logs.py +++ /dev/null @@ -1,79 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -from sys import exit - -from vyos import ConfigError -from vyos import airbag -from vyos.config import Config -from vyos.logger import syslog -from vyos.template import render -from vyos.utils.dict import dict_search -airbag.enable() - -# path to logrotate configs -logrotate_atop_file = '/etc/logrotate.d/vyos-atop' -logrotate_rsyslog_file = '/etc/logrotate.d/vyos-rsyslog' - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['system', 'logs'] - logs_config = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - return logs_config - - -def verify(logs_config): - # Nothing to verify here - pass - - -def generate(logs_config): - # get configuration for logrotate atop - logrotate_atop = dict_search('logrotate.atop', logs_config) - # generate new config file for atop - syslog.debug('Adding logrotate config for atop') - render(logrotate_atop_file, 'logs/logrotate/vyos-atop.j2', logrotate_atop) - - # get configuration for logrotate rsyslog - logrotate_rsyslog = dict_search('logrotate.messages', logs_config) - # generate new config file for rsyslog - syslog.debug('Adding logrotate config for rsyslog') - render(logrotate_rsyslog_file, 'logs/logrotate/vyos-rsyslog.j2', - logrotate_rsyslog) - - -def apply(logs_config): - # No further actions needed - pass - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py deleted file mode 100755 index d92121b3d..000000000 --- a/src/conf_mode/system-option.py +++ /dev/null @@ -1,159 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from netifaces import interfaces -from sys import exit -from time import sleep - -from vyos.config import Config -from vyos.configverify import verify_source_interface -from vyos.template import render -from vyos.utils.process import cmd -from vyos.utils.process import is_systemd_service_running -from vyos.utils.network import is_addr_assigned -from vyos.utils.network import is_intf_addr_assigned -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -curlrc_config = r'/etc/curlrc' -ssh_config = r'/etc/ssh/ssh_config.d/91-vyos-ssh-client-options.conf' -systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target' -time_format_to_locale = { - '12-hour': 'en_US.UTF-8', - '24-hour': 'en_GB.UTF-8' -} - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'option'] - options = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - - return options - -def verify(options): - if 'http_client' in options: - config = options['http_client'] - if 'source_interface' in config: - if not config['source_interface'] in interfaces(): - raise ConfigError(f'Source interface {source_interface} does not ' - f'exist'.format(**config)) - - if {'source_address', 'source_interface'} <= set(config): - raise ConfigError('Can not define both HTTP source-interface and source-address') - - if 'source_address' in config: - if not is_addr_assigned(config['source_address']): - raise ConfigError('No interface with give address specified!') - - if 'ssh_client' in options: - config = options['ssh_client'] - if 'source_address' in config: - address = config['source_address'] - if not is_addr_assigned(config['source_address']): - raise ConfigError('No interface with address "{address}" configured!') - - if 'source_interface' in config: - verify_source_interface(config) - if 'source_address' in config: - address = config['source_address'] - interface = config['source_interface'] - if not is_intf_addr_assigned(interface, address): - raise ConfigError(f'Address "{address}" not assigned on interface "{interface}"!') - - return None - -def generate(options): - render(curlrc_config, 'system/curlrc.j2', options) - render(ssh_config, 'system/ssh_config.j2', options) - return None - -def apply(options): - # System bootup beep - if 'startup_beep' in options: - cmd('systemctl enable vyos-beep.service') - else: - cmd('systemctl disable vyos-beep.service') - - # Ctrl-Alt-Delete action - if os.path.exists(systemd_action_file): - os.unlink(systemd_action_file) - if 'ctrl_alt_delete' in options: - if options['ctrl_alt_delete'] == 'reboot': - os.symlink('/lib/systemd/system/reboot.target', systemd_action_file) - elif options['ctrl_alt_delete'] == 'poweroff': - os.symlink('/lib/systemd/system/poweroff.target', systemd_action_file) - - # Configure HTTP client - if 'http_client' not in options: - if os.path.exists(curlrc_config): - os.unlink(curlrc_config) - - # Configure SSH client - if 'ssh_client' not in options: - if os.path.exists(ssh_config): - os.unlink(ssh_config) - - # Reboot system on kernel panic - timeout = '0' - if 'reboot_on_panic' in options: - timeout = '60' - with open('/proc/sys/kernel/panic', 'w') as f: - f.write(timeout) - - # tuned - performance tuning - if 'performance' in options: - cmd('systemctl restart tuned.service') - # wait until daemon has started before sending configuration - while (not is_systemd_service_running('tuned.service')): - sleep(0.250) - cmd('tuned-adm profile network-{performance}'.format(**options)) - else: - cmd('systemctl stop tuned.service') - - # Keyboard layout - there will be always the default key inside the dict - # but we check for key existence anyway - if 'keyboard_layout' in options: - cmd('loadkeys {keyboard_layout}'.format(**options)) - - # Enable/diable root-partition-auto-resize SystemD service - if 'root_partition_auto_resize' in options: - cmd('systemctl enable root-partition-auto-resize.service') - else: - cmd('systemctl disable root-partition-auto-resize.service') - - # Time format 12|24-hour - if 'time_format' in options: - time_format = time_format_to_locale.get(options['time_format']) - cmd(f'localectl set-locale LC_TIME={time_format}') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-proxy.py b/src/conf_mode/system-proxy.py deleted file mode 100755 index 079c43e7e..000000000 --- a/src/conf_mode/system-proxy.py +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.config import Config -from vyos.template import render -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -proxy_def = r'/etc/profile.d/vyos-system-proxy.sh' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'proxy'] - if not conf.exists(base): - return None - - proxy = conf.get_config_dict(base, get_first_key=True) - return proxy - -def verify(proxy): - if not proxy: - return - - if 'url' not in proxy or 'port' not in proxy: - raise ConfigError('Proxy URL and port require a value') - - if ('username' in proxy and 'password' not in proxy) or \ - ('username' not in proxy and 'password' in proxy): - raise ConfigError('Both username and password need to be defined!') - -def generate(proxy): - if not proxy: - if os.path.isfile(proxy_def): - os.unlink(proxy_def) - return - - render(proxy_def, 'system/proxy.j2', proxy, permission=0o755) - -def apply(proxy): - pass - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system-syslog.py deleted file mode 100755 index 07fbb0734..000000000 --- a/src/conf_mode/system-syslog.py +++ /dev/null @@ -1,103 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os - -from sys import exit - -from vyos.config import Config -from vyos.configdict import is_node_changed -from vyos.configverify import verify_vrf -from vyos.utils.process import call -from vyos.template import render -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -rsyslog_conf = '/etc/rsyslog.d/00-vyos.conf' -logrotate_conf = '/etc/logrotate.d/vyos-rsyslog' -systemd_override = r'/run/systemd/system/rsyslog.service.d/override.conf' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['system', 'syslog'] - if not conf.exists(base): - return None - - syslog = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - syslog.update({ 'logrotate' : logrotate_conf }) - - tmp = is_node_changed(conf, base + ['vrf']) - if tmp: syslog.update({'restart_required': {}}) - - syslog = conf.merge_defaults(syslog, recursive=True) - if syslog.from_defaults(['global']): - del syslog['global'] - - return syslog - -def verify(syslog): - if not syslog: - return None - - verify_vrf(syslog) - -def generate(syslog): - if not syslog: - if os.path.exists(rsyslog_conf): - os.unlink(rsyslog_conf) - if os.path.exists(logrotate_conf): - os.unlink(logrotate_conf) - - return None - - render(rsyslog_conf, 'rsyslog/rsyslog.conf.j2', syslog) - render(systemd_override, 'rsyslog/override.conf.j2', syslog) - render(logrotate_conf, 'rsyslog/logrotate.j2', syslog) - - # Reload systemd manager configuration - call('systemctl daemon-reload') - return None - -def apply(syslog): - systemd_socket = 'syslog.socket' - systemd_service = 'syslog.service' - if not syslog: - call(f'systemctl stop {systemd_service} {systemd_socket}') - return None - - # we need to restart the service if e.g. the VRF name changed - systemd_action = 'reload-or-restart' - if 'restart_required' in syslog: - systemd_action = 'restart' - - call(f'systemctl {systemd_action} {systemd_service}') - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/system-timezone.py b/src/conf_mode/system-timezone.py deleted file mode 100755 index cd3d4b229..000000000 --- a/src/conf_mode/system-timezone.py +++ /dev/null @@ -1,61 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2019 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import sys -import os - -from copy import deepcopy -from vyos.config import Config -from vyos import ConfigError -from vyos.utils.process import call - -from vyos import airbag -airbag.enable() - -default_config_data = { - 'name': 'UTC' -} - -def get_config(config=None): - tz = deepcopy(default_config_data) - if config: - conf = config - else: - conf = Config() - if conf.exists('system time-zone'): - tz['name'] = conf.return_value('system time-zone') - - return tz - -def verify(tz): - pass - -def generate(tz): - pass - -def apply(tz): - call('/usr/bin/timedatectl set-timezone {}'.format(tz['name'])) - call('systemctl restart rsyslog') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - sys.exit(1) diff --git a/src/conf_mode/system_acceleration.py b/src/conf_mode/system_acceleration.py new file mode 100755 index 000000000..e4b248675 --- /dev/null +++ b/src/conf_mode/system_acceleration.py @@ -0,0 +1,106 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import re + +from sys import exit + +from vyos.config import Config +from vyos.utils.process import popen +from vyos.utils.process import run +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +qat_init_script = '/etc/init.d/qat_service' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + data = {} + + if conf.exists(['system', 'acceleration', 'qat']): + data.update({'qat_enable' : ''}) + + if conf.exists(['vpn', 'ipsec']): + data.update({'ipsec' : ''}) + + if conf.exists(['interfaces', 'openvpn']): + data.update({'openvpn' : ''}) + + return data + + +def vpn_control(action, force_ipsec=False): + # XXX: Should these commands report failure? + if action == 'restore' and force_ipsec: + return run('ipsec start') + + return run(f'ipsec {action}') + + +def verify(qat): + if 'qat_enable' not in qat: + return + + # Check if QAT service installed + if not os.path.exists(qat_init_script): + raise ConfigError('QAT init script not found') + + # Check if QAT device exist + output, err = popen('lspci -nn', decode='utf-8') + if not err: + # PCI id | Chipset + # 19e2 -> C3xx + # 37c8 -> C62x + # 0435 -> DH895 + # 6f54 -> D15xx + # 18ee -> QAT_200XX + data = re.findall( + '(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)|(8086:18ee)', output) + # If QAT devices found + if not data: + raise ConfigError('No QAT acceleration device found') + +def apply(qat): + # Shutdown VPN service which can use QAT + if 'ipsec' in qat: + vpn_control('stop') + + # Enable/Disable QAT service + if 'qat_enable' in qat: + run(f'{qat_init_script} start') + else: + run(f'{qat_init_script} stop') + + # Recover VPN service + if 'ipsec' in qat: + vpn_control('start') + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + apply(c) + except ConfigError as e: + print(e) + vpn_control('restore', force_ipsec=('ipsec' in c)) + exit(1) diff --git a/src/conf_mode/system_config-management.py b/src/conf_mode/system_config-management.py new file mode 100755 index 000000000..c681a8405 --- /dev/null +++ b/src/conf_mode/system_config-management.py @@ -0,0 +1,96 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import sys + +from vyos import ConfigError +from vyos.config import Config +from vyos.config_mgmt import ConfigMgmt +from vyos.config_mgmt import commit_post_hook_dir, commit_hooks + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['system', 'config-management'] + if not conf.exists(base): + return None + + mgmt = ConfigMgmt(config=conf) + + return mgmt + +def verify(_mgmt): + return + +def generate(mgmt): + if mgmt is None: + return + + mgmt.initialize_revision() + +def apply(mgmt): + if mgmt is None: + return + + locations = mgmt.locations + archive_target = os.path.join(commit_post_hook_dir, + commit_hooks['commit_archive']) + if locations: + try: + os.symlink('/usr/bin/config-mgmt', archive_target) + except FileExistsError: + pass + except OSError as exc: + raise ConfigError from exc + else: + try: + os.unlink(archive_target) + except FileNotFoundError: + pass + except OSError as exc: + raise ConfigError from exc + + revisions = mgmt.max_revisions + revision_target = os.path.join(commit_post_hook_dir, + commit_hooks['commit_revision']) + if revisions > 0: + try: + os.symlink('/usr/bin/config-mgmt', revision_target) + except FileExistsError: + pass + except OSError as exc: + raise ConfigError from exc + else: + try: + os.unlink(revision_target) + except FileNotFoundError: + pass + except OSError as exc: + raise ConfigError from exc + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py new file mode 100755 index 000000000..7f6c71440 --- /dev/null +++ b/src/conf_mode/system_conntrack.py @@ -0,0 +1,243 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import re + +from sys import exit + +from vyos.config import Config +from vyos.configdep import set_dependents, call_dependents +from vyos.utils.process import process_named_running +from vyos.utils.dict import dict_search +from vyos.utils.dict import dict_search_args +from vyos.utils.dict import dict_search_recursive +from vyos.utils.process import cmd +from vyos.utils.process import rc_cmd +from vyos.utils.process import run +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf' +sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf' +nftables_ct_file = r'/run/nftables-ct.conf' + +# Every ALG (Application Layer Gateway) consists of either a Kernel Object +# also called a Kernel Module/Driver or some rules present in iptables +module_map = { + 'ftp': { + 'ko': ['nf_nat_ftp', 'nf_conntrack_ftp'], + 'nftables': ['ct helper set "ftp_tcp" tcp dport {21} return'] + }, + 'h323': { + 'ko': ['nf_nat_h323', 'nf_conntrack_h323'], + 'nftables': ['ct helper set "ras_udp" udp dport {1719} return', + 'ct helper set "q931_tcp" tcp dport {1720} return'] + }, + 'nfs': { + 'nftables': ['ct helper set "rpc_tcp" tcp dport {111} return', + 'ct helper set "rpc_udp" udp dport {111} return'] + }, + 'pptp': { + 'ko': ['nf_nat_pptp', 'nf_conntrack_pptp'], + 'nftables': ['ct helper set "pptp_tcp" tcp dport {1723} return'], + 'ipv4': True + }, + 'sip': { + 'ko': ['nf_nat_sip', 'nf_conntrack_sip'], + 'nftables': ['ct helper set "sip_tcp" tcp dport {5060,5061} return', + 'ct helper set "sip_udp" udp dport {5060,5061} return'] + }, + 'sqlnet': { + 'nftables': ['ct helper set "tns_tcp" tcp dport {1521,1525,1536} return'] + }, + 'tftp': { + 'ko': ['nf_nat_tftp', 'nf_conntrack_tftp'], + 'nftables': ['ct helper set "tftp_udp" udp dport {69} return'] + }, +} + +valid_groups = [ + 'address_group', + 'domain_group', + 'network_group', + 'port_group' +] + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'conntrack'] + + conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + conntrack['firewall'] = conf.get_config_dict(['firewall'], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return' + conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return' + conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return' + conntrack['wlb_local_action'] = conf.exists(['load-balancing', 'wan', 'enable-local-traffic']) + + conntrack['module_map'] = module_map + + if conf.exists(['service', 'conntrack-sync']): + set_dependents('conntrack_sync', conf) + + return conntrack + +def verify(conntrack): + for inet in ['ipv4', 'ipv6']: + if dict_search_args(conntrack, 'ignore', inet, 'rule') != None: + for rule, rule_config in conntrack['ignore'][inet]['rule'].items(): + if dict_search('destination.port', rule_config) or \ + dict_search('destination.group.port_group', rule_config) or \ + dict_search('source.port', rule_config) or \ + dict_search('source.group.port_group', rule_config): + if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']: + raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}') + + tcp_flags = dict_search_args(rule_config, 'tcp', 'flags') + if tcp_flags: + if dict_search_args(rule_config, 'protocol') != 'tcp': + raise ConfigError('Protocol must be tcp when specifying tcp flags') + + not_flags = dict_search_args(rule_config, 'tcp', 'flags', 'not') + if not_flags: + duplicates = [flag for flag in tcp_flags if flag in not_flags] + if duplicates: + raise ConfigError(f'Cannot match a tcp flag as set and not set') + + for side in ['destination', 'source']: + if side in rule_config: + side_conf = rule_config[side] + + if 'group' in side_conf: + if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1: + raise ConfigError('Only one address-group, network-group or domain-group can be specified') + + for group in valid_groups: + if group in side_conf['group']: + group_name = side_conf['group'][group] + error_group = group.replace("_", "-") + + if group in ['address_group', 'network_group', 'domain_group']: + if 'address' in side_conf: + raise ConfigError(f'{error_group} and address cannot both be defined') + + if group_name and group_name[0] == '!': + group_name = group_name[1:] + + if inet == 'ipv6': + group = f'ipv6_{group}' + + group_obj = dict_search_args(conntrack['firewall'], 'group', group, group_name) + + if group_obj is None: + raise ConfigError(f'Invalid {error_group} "{group_name}" on ignore rule') + + if not group_obj: + Warning(f'{error_group} "{group_name}" has no members!') + + if dict_search_args(conntrack, 'timeout', 'custom', inet, 'rule') != None: + for rule, rule_config in conntrack['timeout']['custom'][inet]['rule'].items(): + if 'protocol' not in rule_config: + raise ConfigError(f'Conntrack custom timeout rule {rule} requires protocol tcp or udp') + else: + if 'tcp' in rule_config['protocol'] and 'udp' in rule_config['protocol']: + raise ConfigError(f'conntrack custom timeout rule {rule} - Cant use both tcp and udp protocol') + return None + +def generate(conntrack): + if not os.path.exists(nftables_ct_file): + conntrack['first_install'] = True + + # Determine if conntrack is needed + conntrack['ipv4_firewall_action'] = 'return' + conntrack['ipv6_firewall_action'] = 'return' + + for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'): + if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()): + if path[0] == 'ipv4': + conntrack['ipv4_firewall_action'] = 'accept' + elif path[0] == 'ipv6': + conntrack['ipv6_firewall_action'] = 'accept' + + render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack) + render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) + render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack) + return None + +def apply(conntrack): + # Depending on the enable/disable state of the ALG (Application Layer Gateway) + # modules we need to either insmod or rmmod the helpers. + + add_modules = [] + rm_modules = [] + + for module, module_config in module_map.items(): + if dict_search_args(conntrack, 'modules', module) is None: + if 'ko' in module_config: + unloaded = [mod for mod in module_config['ko'] if os.path.exists(f'/sys/module/{mod}')] + rm_modules.extend(unloaded) + else: + if 'ko' in module_config: + add_modules.extend(module_config['ko']) + + # Add modules before nftables uses them + if add_modules: + module_str = ' '.join(add_modules) + cmd(f'modprobe -a {module_str}') + + # Load new nftables ruleset + install_result, output = rc_cmd(f'nft -f {nftables_ct_file}') + if install_result == 1: + raise ConfigError(f'Failed to apply configuration: {output}') + + # Remove modules after nftables stops using them + if rm_modules: + module_str = ' '.join(rm_modules) + cmd(f'rmmod {module_str}') + + try: + call_dependents() + except ConfigError: + # Ignore config errors on dependent due to being called too early. Example: + # ConfigError("ConfigError('Interface ethN requires an IP address!')") + pass + + # We silently ignore all errors + # See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080 + cmd(f'sysctl -f {sysctl_file}') + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_flow-accounting.py b/src/conf_mode/system_flow-accounting.py new file mode 100755 index 000000000..206f513c8 --- /dev/null +++ b/src/conf_mode/system_flow-accounting.py @@ -0,0 +1,320 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import re + +from sys import exit +from ipaddress import ip_address + +from vyos.base import Warning +from vyos.config import Config +from vyos.config import config_dict_merge +from vyos.configverify import verify_vrf +from vyos.ifconfig import Section +from vyos.template import render +from vyos.utils.process import call +from vyos.utils.process import cmd +from vyos.utils.process import run +from vyos.utils.network import is_addr_assigned +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +uacctd_conf_path = '/run/pmacct/uacctd.conf' +systemd_service = 'uacctd.service' +systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf' +nftables_nflog_table = 'raw' +nftables_nflog_chain = 'VYOS_PREROUTING_HOOK' +egress_nftables_nflog_table = 'inet mangle' +egress_nftables_nflog_chain = 'FORWARD' + +# get nftables rule dict for chain in table +def _nftables_get_nflog(chain, table): + # define list with rules + rules = [] + + # prepare regex for parsing rules + rule_pattern = '[io]ifname "(?P[\w\.\*\-]+)".*handle (?P[\d]+)' + rule_re = re.compile(rule_pattern) + + # run nftables, save output and split it by lines + nftables_command = f'nft -a list chain {table} {chain}' + tmp = cmd(nftables_command, message='Failed to get flows list') + # parse each line and add information to list + for current_rule in tmp.splitlines(): + if 'FLOW_ACCOUNTING_RULE' not in current_rule: + continue + current_rule_parsed = rule_re.search(current_rule) + if current_rule_parsed: + groups = current_rule_parsed.groupdict() + rules.append({ 'interface': groups["interface"], 'table': table, 'handle': groups["handle"] }) + + # return list with rules + return rules + +def _nftables_config(configured_ifaces, direction, length=None): + # define list of nftables commands to modify settings + nftable_commands = [] + nftables_chain = nftables_nflog_chain + nftables_table = nftables_nflog_table + + if direction == "egress": + nftables_chain = egress_nftables_nflog_chain + nftables_table = egress_nftables_nflog_table + + # prepare extended list with configured interfaces + configured_ifaces_extended = [] + for iface in configured_ifaces: + configured_ifaces_extended.append({ 'iface': iface }) + + # get currently configured interfaces with nftables rules + active_nflog_rules = _nftables_get_nflog(nftables_chain, nftables_table) + + # compare current active list with configured one and delete excessive interfaces, add missed + active_nflog_ifaces = [] + for rule in active_nflog_rules: + interface = rule['interface'] + if interface not in configured_ifaces: + table = rule['table'] + handle = rule['handle'] + nftable_commands.append(f'nft delete rule {table} {nftables_chain} handle {handle}') + else: + active_nflog_ifaces.append({ + 'iface': interface, + }) + + # do not create new rules for already configured interfaces + for iface in active_nflog_ifaces: + if iface in active_nflog_ifaces and iface in configured_ifaces_extended: + configured_ifaces_extended.remove(iface) + + # create missed rules + for iface_extended in configured_ifaces_extended: + iface = iface_extended['iface'] + iface_prefix = "o" if direction == "egress" else "i" + rule_definition = f'{iface_prefix}ifname "{iface}" counter log group 2 snaplen {length} queue-threshold 100 comment "FLOW_ACCOUNTING_RULE"' + nftable_commands.append(f'nft insert rule {nftables_table} {nftables_chain} {rule_definition}') + # Also add IPv6 ingres logging + if nftables_table == nftables_nflog_table: + nftable_commands.append(f'nft insert rule ip6 {nftables_table} {nftables_chain} {rule_definition}') + + # change nftables + for command in nftable_commands: + cmd(command, raising=ConfigError) + + +def _nftables_trigger_setup(operation: str) -> None: + """Add a dummy rule to unlock the main pmacct loop with a packet-trigger + + Args: + operation (str): 'add' or 'delete' a trigger + """ + # check if a chain exists + table_exists = False + if run('nft -snj list table ip pmacct') == 0: + table_exists = True + + if operation == 'delete' and table_exists: + nft_cmd: str = 'nft delete table ip pmacct' + cmd(nft_cmd, raising=ConfigError) + if operation == 'add' and not table_exists: + nft_cmds: list[str] = [ + 'nft add table ip pmacct', + 'nft add chain ip pmacct pmacct_out { type filter hook output priority raw - 50 \\; policy accept \\; }', + 'nft add rule ip pmacct pmacct_out oif lo ip daddr 127.0.254.0 counter log group 2 snaplen 1 queue-threshold 0 comment NFLOG_TRIGGER' + ] + for nft_cmd in nft_cmds: + cmd(nft_cmd, raising=ConfigError) + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'flow-accounting'] + if not conf.exists(base): + return None + + flow_accounting = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + # We have gathered the dict representation of the CLI, but there are + # default values which we need to conditionally update into the + # dictionary retrieved. + default_values = conf.get_config_defaults(**flow_accounting.kwargs, + recursive=True) + + # delete individual flow type defaults - should only be added if user + # sets this feature + for flow_type in ['sflow', 'netflow']: + if flow_type not in flow_accounting and flow_type in default_values: + del default_values[flow_type] + + flow_accounting = config_dict_merge(default_values, flow_accounting) + + return flow_accounting + +def verify(flow_config): + if not flow_config: + return None + + # check if at least one collector is enabled + if 'sflow' not in flow_config and 'netflow' not in flow_config and 'disable_imt' in flow_config: + raise ConfigError('You need to configure at least sFlow or NetFlow, ' \ + 'or not set "disable-imt" for flow-accounting!') + + # Check if at least one interface is configured + if 'interface' not in flow_config: + raise ConfigError('Flow accounting requires at least one interface to ' \ + 'be configured!') + + # check that all configured interfaces exists in the system + for interface in flow_config['interface']: + if interface not in Section.interfaces(): + # Changed from error to warning to allow adding dynamic interfaces + # and interface templates + Warning(f'Interface "{interface}" is not presented in the system') + + # check sFlow configuration + if 'sflow' in flow_config: + # check if at least one sFlow collector is configured + if 'server' not in flow_config['sflow']: + raise ConfigError('You need to configure at least one sFlow server!') + + # check that all sFlow collectors use the same IP protocol version + sflow_collector_ipver = None + for server in flow_config['sflow']['server']: + if sflow_collector_ipver: + if sflow_collector_ipver != ip_address(server).version: + raise ConfigError("All sFlow servers must use the same IP protocol") + else: + sflow_collector_ipver = ip_address(server).version + + # check if vrf is defined for Sflow + verify_vrf(flow_config) + sflow_vrf = None + if 'vrf' in flow_config: + sflow_vrf = flow_config['vrf'] + + # check agent-id for sFlow: we should avoid mixing IPv4 agent-id with IPv6 collectors and vice-versa + for server in flow_config['sflow']['server']: + if 'agent_address' in flow_config['sflow']: + if ip_address(server).version != ip_address(flow_config['sflow']['agent_address']).version: + raise ConfigError('IPv4 and IPv6 addresses can not be mixed in "sflow agent-address" and "sflow '\ + 'server". You need to set the same IP version for both "agent-address" and '\ + 'all sFlow servers') + + if 'agent_address' in flow_config['sflow']: + tmp = flow_config['sflow']['agent_address'] + if not is_addr_assigned(tmp, sflow_vrf): + raise ConfigError(f'Configured "sflow agent-address {tmp}" does not exist in the system!') + + # Check if configured sflow source-address exist in the system + if 'source_address' in flow_config['sflow']: + if not is_addr_assigned(flow_config['sflow']['source_address'], sflow_vrf): + tmp = flow_config['sflow']['source_address'] + raise ConfigError(f'Configured "sflow source-address {tmp}" does not exist on the system!') + + # check NetFlow configuration + if 'netflow' in flow_config: + # check if vrf is defined for netflow + netflow_vrf = None + if 'vrf' in flow_config: + netflow_vrf = flow_config['vrf'] + + # check if at least one NetFlow collector is configured if NetFlow configuration is presented + if 'server' not in flow_config['netflow']: + raise ConfigError('You need to configure at least one NetFlow server!') + + # Check if configured netflow source-address exist in the system + if 'source_address' in flow_config['netflow']: + if not is_addr_assigned(flow_config['netflow']['source_address'], netflow_vrf): + tmp = flow_config['netflow']['source_address'] + raise ConfigError(f'Configured "netflow source-address {tmp}" does not exist on the system!') + + # Check if engine-id compatible with selected protocol version + if 'engine_id' in flow_config['netflow']: + v5_filter = '^(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]):(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])$' + v9v10_filter = '^(\d|[1-9]\d{1,8}|[1-3]\d{9}|4[01]\d{8}|42[0-8]\d{7}|429[0-3]\d{6}|4294[0-8]\d{5}|42949[0-5]\d{4}|429496[0-6]\d{3}|4294967[01]\d{2}|42949672[0-8]\d|429496729[0-5])$' + engine_id = flow_config['netflow']['engine_id'] + version = flow_config['netflow']['version'] + + if flow_config['netflow']['version'] == '5': + regex_filter = re.compile(v5_filter) + if not regex_filter.search(engine_id): + raise ConfigError(f'You cannot use NetFlow engine-id "{engine_id}" '\ + f'together with NetFlow protocol version "{version}"!') + else: + regex_filter = re.compile(v9v10_filter) + if not regex_filter.search(flow_config['netflow']['engine_id']): + raise ConfigError(f'Can not use NetFlow engine-id "{engine_id}" together '\ + f'with NetFlow protocol version "{version}"!') + + # return True if all checks were passed + return True + +def generate(flow_config): + if not flow_config: + return None + + render(uacctd_conf_path, 'pmacct/uacctd.conf.j2', flow_config) + render(systemd_override, 'pmacct/override.conf.j2', flow_config) + # Reload systemd manager configuration + call('systemctl daemon-reload') + +def apply(flow_config): + # Check if flow-accounting was removed and define command + if not flow_config: + _nftables_config([], 'ingress') + _nftables_config([], 'egress') + + # Stop flow-accounting daemon and remove configuration file + call(f'systemctl stop {systemd_service}') + if os.path.exists(uacctd_conf_path): + os.unlink(uacctd_conf_path) + + # must be done after systemctl + _nftables_trigger_setup('delete') + + return + + # Start/reload flow-accounting daemon + call(f'systemctl restart {systemd_service}') + + # configure nftables rules for defined interfaces + if 'interface' in flow_config: + _nftables_config(flow_config['interface'], 'ingress', flow_config['packet_length']) + + # configure egress the same way if configured otherwise remove it + if 'enable_egress' in flow_config: + _nftables_config(flow_config['interface'], 'egress', flow_config['packet_length']) + else: + _nftables_config([], 'egress') + + # add a trigger for signal processing + _nftables_trigger_setup('add') + + +if __name__ == '__main__': + try: + config = get_config() + verify(config) + generate(config) + apply(config) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_host-name.py b/src/conf_mode/system_host-name.py new file mode 100755 index 000000000..6204cf247 --- /dev/null +++ b/src/conf_mode/system_host-name.py @@ -0,0 +1,188 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import re +import sys +import copy + +import vyos.hostsd_client + +from vyos.base import Warning +from vyos.config import Config +from vyos.ifconfig import Section +from vyos.template import is_ip +from vyos.utils.process import cmd +from vyos.utils.process import call +from vyos.utils.process import process_named_running +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +default_config_data = { + 'hostname': 'vyos', + 'domain_name': '', + 'domain_search': [], + 'nameserver': [], + 'nameservers_dhcp_interfaces': {}, + 'static_host_mapping': {} +} + +hostsd_tag = 'system' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + hosts = copy.deepcopy(default_config_data) + + hosts['hostname'] = conf.return_value(['system', 'host-name']) + + # This may happen if the config is not loaded yet, + # e.g. if run by cloud-init + if not hosts['hostname']: + hosts['hostname'] = default_config_data['hostname'] + + if conf.exists(['system', 'domain-name']): + hosts['domain_name'] = conf.return_value(['system', 'domain-name']) + hosts['domain_search'].append(hosts['domain_name']) + + if conf.exists(['system', 'domain-search']): + for search in conf.return_values(['system', 'domain-search']): + hosts['domain_search'].append(search) + + if conf.exists(['system', 'name-server']): + for ns in conf.return_values(['system', 'name-server']): + if is_ip(ns): + hosts['nameserver'].append(ns) + else: + tmp = '' + if_type = Section.section(ns) + if conf.exists(['interfaces', if_type, ns, 'address']): + tmp = conf.return_values(['interfaces', if_type, ns, 'address']) + + hosts['nameservers_dhcp_interfaces'].update({ ns : tmp }) + + # system static-host-mapping + for hn in conf.list_nodes(['system', 'static-host-mapping', 'host-name']): + hosts['static_host_mapping'][hn] = {} + hosts['static_host_mapping'][hn]['address'] = conf.return_values(['system', 'static-host-mapping', 'host-name', hn, 'inet']) + hosts['static_host_mapping'][hn]['aliases'] = conf.return_values(['system', 'static-host-mapping', 'host-name', hn, 'alias']) + + return hosts + + +def verify(hosts): + if hosts is None: + return None + + # pattern $VAR(@) "^[[:alnum:]][-.[:alnum:]]*[[:alnum:]]$" ; "invalid host name $VAR(@)" + hostname_regex = re.compile("^[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]$") + if not hostname_regex.match(hosts['hostname']): + raise ConfigError('Invalid host name ' + hosts["hostname"]) + + # pattern $VAR(@) "^.{1,63}$" ; "invalid host-name length" + length = len(hosts['hostname']) + if length < 1 or length > 63: + raise ConfigError( + 'Invalid host-name length, must be less than 63 characters') + + all_static_host_mapping_addresses = [] + # static mappings alias hostname + for host, hostprops in hosts['static_host_mapping'].items(): + if not hostprops['address']: + raise ConfigError(f'IP address required for static-host-mapping "{host}"') + all_static_host_mapping_addresses.append(hostprops['address']) + for a in hostprops['aliases']: + if not hostname_regex.match(a) and len(a) != 0: + raise ConfigError(f'Invalid alias "{a}" in static-host-mapping "{host}"') + + for interface, interface_config in hosts['nameservers_dhcp_interfaces'].items(): + # Warnin user if interface does not have DHCP or DHCPv6 configured + if not set(interface_config).intersection(['dhcp', 'dhcpv6']): + Warning(f'"{interface}" is not a DHCP interface but uses DHCP name-server option!') + + return None + + +def generate(config): + pass + +def apply(config): + if config is None: + return None + + ## Send the updated data to vyos-hostsd + try: + hc = vyos.hostsd_client.Client() + + hc.set_host_name(config['hostname'], config['domain_name']) + + hc.delete_search_domains([hostsd_tag]) + if config['domain_search']: + hc.add_search_domains({hostsd_tag: config['domain_search']}) + + hc.delete_name_servers([hostsd_tag]) + if config['nameserver']: + hc.add_name_servers({hostsd_tag: config['nameserver']}) + + # add our own tag's (system) nameservers and search to resolv.conf + hc.delete_name_server_tags_system(hc.get_name_server_tags_system()) + hc.add_name_server_tags_system([hostsd_tag]) + + # this will add the dhcp client nameservers to resolv.conf + for intf in config['nameservers_dhcp_interfaces']: + hc.add_name_server_tags_system([f'dhcp-{intf}', f'dhcpv6-{intf}']) + + hc.delete_hosts([hostsd_tag]) + if config['static_host_mapping']: + hc.add_hosts({hostsd_tag: config['static_host_mapping']}) + + hc.apply() + except vyos.hostsd_client.VyOSHostsdError as e: + raise ConfigError(str(e)) + + ## Actually update the hostname -- vyos-hostsd doesn't do that + + # No domain name -- the Debian way. + hostname_new = config['hostname'] + + # rsyslog runs into a race condition at boot time with systemd + # restart rsyslog only if the hostname changed. + hostname_old = cmd('hostnamectl --static') + call(f'hostnamectl set-hostname --static {hostname_new}') + + # Restart services that use the hostname + if hostname_new != hostname_old: + call("systemctl restart rsyslog.service") + + # If SNMP is running, restart it too + if process_named_running('snmpd'): + call('systemctl restart snmpd.service') + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) diff --git a/src/conf_mode/system_ip.py b/src/conf_mode/system_ip.py new file mode 100755 index 000000000..7612e2c0d --- /dev/null +++ b/src/conf_mode/system_ip.py @@ -0,0 +1,143 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configverify import verify_route_map +from vyos.template import render_to_string +from vyos.utils.dict import dict_search +from vyos.utils.file import write_file +from vyos.utils.process import call +from vyos.utils.process import is_systemd_service_active +from vyos.utils.system import sysctl_write + +from vyos import ConfigError +from vyos import frr +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'ip'] + + opt = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + # When working with FRR we need to know the corresponding address-family + opt['afi'] = 'ip' + + # We also need the route-map information from the config + # + # XXX: one MUST always call this without the key_mangling() option! See + # vyos.configverify.verify_common_route_maps() for more information. + tmp = {'policy' : {'route-map' : conf.get_config_dict(['policy', 'route-map'], + get_first_key=True)}} + # Merge policy dict into "regular" config dict + opt = dict_merge(tmp, opt) + return opt + +def verify(opt): + if 'protocol' in opt: + for protocol, protocol_options in opt['protocol'].items(): + if 'route_map' in protocol_options: + verify_route_map(protocol_options['route_map'], opt) + return + +def generate(opt): + opt['frr_zebra_config'] = render_to_string('frr/zebra.route-map.frr.j2', opt) + return + +def apply(opt): + # Apply ARP threshold values + # table_size has a default value - thus the key always exists + size = int(dict_search('arp.table_size', opt)) + # Amount upon reaching which the records begin to be cleared immediately + sysctl_write('net.ipv4.neigh.default.gc_thresh3', size) + # Amount after which the records begin to be cleaned after 5 seconds + sysctl_write('net.ipv4.neigh.default.gc_thresh2', size // 2) + # Minimum number of stored records is indicated which is not cleared + sysctl_write('net.ipv4.neigh.default.gc_thresh1', size // 8) + + # enable/disable IPv4 forwarding + tmp = dict_search('disable_forwarding', opt) + value = '0' if (tmp != None) else '1' + write_file('/proc/sys/net/ipv4/conf/all/forwarding', value) + + # enable/disable IPv4 directed broadcast forwarding + tmp = dict_search('disable_directed_broadcast', opt) + value = '0' if (tmp != None) else '1' + write_file('/proc/sys/net/ipv4/conf/all/bc_forwarding', value) + + # configure multipath + tmp = dict_search('multipath.ignore_unreachable_nexthops', opt) + value = '1' if (tmp != None) else '0' + sysctl_write('net.ipv4.fib_multipath_use_neigh', value) + + tmp = dict_search('multipath.layer4_hashing', opt) + value = '1' if (tmp != None) else '0' + sysctl_write('net.ipv4.fib_multipath_hash_policy', value) + + # configure TCP options (defaults as of Linux 6.4) + tmp = dict_search('tcp.mss.probing', opt) + if tmp is None: + value = 0 + elif tmp == 'on-icmp-black-hole': + value = 1 + elif tmp == 'force': + value = 2 + else: + # Shouldn't happen + raise ValueError("TCP MSS probing is neither 'on-icmp-black-hole' nor 'force'!") + sysctl_write('net.ipv4.tcp_mtu_probing', value) + + tmp = dict_search('tcp.mss.base', opt) + value = '1024' if (tmp is None) else tmp + sysctl_write('net.ipv4.tcp_base_mss', value) + + tmp = dict_search('tcp.mss.floor', opt) + value = '48' if (tmp is None) else tmp + sysctl_write('net.ipv4.tcp_mtu_probe_floor', value) + + # During startup of vyos-router that brings up FRR, the service is not yet + # running when this script is called first. Skip this part and wait for initial + # commit of the configuration to trigger this statement + if is_systemd_service_active('frr.service'): + zebra_daemon = 'zebra' + # Save original configuration prior to starting any commit actions + frr_cfg = frr.FRRConfig() + + # The route-map used for the FIB (zebra) is part of the zebra daemon + frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') + if 'frr_zebra_config' in opt: + frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) + frr_cfg.commit_configuration(zebra_daemon) + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_ipv6.py b/src/conf_mode/system_ipv6.py new file mode 100755 index 000000000..90a1a8087 --- /dev/null +++ b/src/conf_mode/system_ipv6.py @@ -0,0 +1,120 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configverify import verify_route_map +from vyos.template import render_to_string +from vyos.utils.dict import dict_search +from vyos.utils.file import write_file +from vyos.utils.process import is_systemd_service_active +from vyos.utils.system import sysctl_write +from vyos import ConfigError +from vyos import frr +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'ipv6'] + + opt = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + # When working with FRR we need to know the corresponding address-family + opt['afi'] = 'ipv6' + + # We also need the route-map information from the config + # + # XXX: one MUST always call this without the key_mangling() option! See + # vyos.configverify.verify_common_route_maps() for more information. + tmp = {'policy' : {'route-map' : conf.get_config_dict(['policy', 'route-map'], + get_first_key=True)}} + # Merge policy dict into "regular" config dict + opt = dict_merge(tmp, opt) + return opt + +def verify(opt): + if 'protocol' in opt: + for protocol, protocol_options in opt['protocol'].items(): + if 'route_map' in protocol_options: + verify_route_map(protocol_options['route_map'], opt) + return + +def generate(opt): + opt['frr_zebra_config'] = render_to_string('frr/zebra.route-map.frr.j2', opt) + return + +def apply(opt): + # configure multipath + tmp = dict_search('multipath.layer4_hashing', opt) + value = '1' if (tmp != None) else '0' + sysctl_write('net.ipv6.fib_multipath_hash_policy', value) + + # Apply ND threshold values + # table_size has a default value - thus the key always exists + size = int(dict_search('neighbor.table_size', opt)) + # Amount upon reaching which the records begin to be cleared immediately + sysctl_write('net.ipv6.neigh.default.gc_thresh3', size) + # Amount after which the records begin to be cleaned after 5 seconds + sysctl_write('net.ipv6.neigh.default.gc_thresh2', size // 2) + # Minimum number of stored records is indicated which is not cleared + sysctl_write('net.ipv6.neigh.default.gc_thresh1', size // 8) + + # enable/disable IPv6 forwarding + tmp = dict_search('disable_forwarding', opt) + value = '0' if (tmp != None) else '1' + write_file('/proc/sys/net/ipv6/conf/all/forwarding', value) + + # configure IPv6 strict-dad + tmp = dict_search('strict_dad', opt) + value = '2' if (tmp != None) else '1' + for root, dirs, files in os.walk('/proc/sys/net/ipv6/conf'): + for name in files: + if name == 'accept_dad': + write_file(os.path.join(root, name), value) + + # During startup of vyos-router that brings up FRR, the service is not yet + # running when this script is called first. Skip this part and wait for initial + # commit of the configuration to trigger this statement + if is_systemd_service_active('frr.service'): + zebra_daemon = 'zebra' + # Save original configuration prior to starting any commit actions + frr_cfg = frr.FRRConfig() + + # The route-map used for the FIB (zebra) is part of the zebra daemon + frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') + if 'frr_zebra_config' in opt: + frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) + frr_cfg.commit_configuration(zebra_daemon) + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py new file mode 100755 index 000000000..f34575aff --- /dev/null +++ b/src/conf_mode/system_login.py @@ -0,0 +1,423 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from passlib.hosts import linux_context +from psutil import users +from pwd import getpwall +from pwd import getpwnam +from sys import exit +from time import sleep + +from vyos.config import Config +from vyos.configverify import verify_vrf +from vyos.defaults import directories +from vyos.template import render +from vyos.template import is_ipv4 +from vyos.utils.dict import dict_search +from vyos.utils.file import chown +from vyos.utils.process import cmd +from vyos.utils.process import call +from vyos.utils.process import rc_cmd +from vyos.utils.process import run +from vyos.utils.process import DEVNULL +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +autologout_file = "/etc/profile.d/autologout.sh" +limits_file = "/etc/security/limits.d/10-vyos.conf" +radius_config_file = "/etc/pam_radius_auth.conf" +tacacs_pam_config_file = "/etc/tacplus_servers" +tacacs_nss_config_file = "/etc/tacplus_nss.conf" +nss_config_file = "/etc/nsswitch.conf" + +# Minimum UID used when adding system users +MIN_USER_UID: int = 1000 +# Maximim UID used when adding system users +MAX_USER_UID: int = 59999 +# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec +MAX_RADIUS_TIMEOUT: int = 50 +# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) +MAX_RADIUS_COUNT: int = 8 +# Maximum number of supported TACACS servers +MAX_TACACS_COUNT: int = 8 + +# List of local user accounts that must be preserved +SYSTEM_USER_SKIP_LIST: list = ['radius_user', 'radius_priv_user', 'tacacs0', 'tacacs1', + 'tacacs2', 'tacacs3', 'tacacs4', 'tacacs5', 'tacacs6', + 'tacacs7', 'tacacs8', 'tacacs9', 'tacacs10',' tacacs11', + 'tacacs12', 'tacacs13', 'tacacs14', 'tacacs15'] + +def get_local_users(): + """Return list of dynamically allocated users (see Debian Policy Manual)""" + local_users = [] + for s_user in getpwall(): + if getpwnam(s_user.pw_name).pw_uid < MIN_USER_UID: + continue + if getpwnam(s_user.pw_name).pw_uid > MAX_USER_UID: + continue + if s_user.pw_name in SYSTEM_USER_SKIP_LIST: + continue + local_users.append(s_user.pw_name) + + return local_users + +def get_shadow_password(username): + with open('/etc/shadow') as f: + for user in f.readlines(): + items = user.split(":") + if username == items[0]: + return items[1] + return None + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'login'] + login = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + # users no longer existing in the running configuration need to be deleted + local_users = get_local_users() + cli_users = [] + if 'user' in login: + cli_users = list(login['user']) + + # prune TACACS global defaults if not set by user + if login.from_defaults(['tacacs']): + del login['tacacs'] + # same for RADIUS + if login.from_defaults(['radius']): + del login['radius'] + + # create a list of all users, cli and users + all_users = list(set(local_users + cli_users)) + # We will remove any normal users that dos not exist in the current + # configuration. This can happen if user is added but configuration was not + # saved and system is rebooted. + rm_users = [tmp for tmp in all_users if tmp not in cli_users] + if rm_users: login.update({'rm_users' : rm_users}) + + return login + +def verify(login): + if 'rm_users' in login: + # This check is required as the script is also executed from vyos-router + # init script and there is no SUDO_USER environment variable available + # during system boot. + if 'SUDO_USER' in os.environ: + cur_user = os.environ['SUDO_USER'] + if cur_user in login['rm_users']: + raise ConfigError(f'Attempting to delete current user: {cur_user}') + + if 'user' in login: + system_users = getpwall() + for user, user_config in login['user'].items(): + # Linux system users range up until UID 1000, we can not create a + # VyOS CLI user which already exists as system user + for s_user in system_users: + if s_user.pw_name == user and s_user.pw_uid < MIN_USER_UID: + raise ConfigError(f'User "{user}" can not be created, conflict with local system account!') + + for pubkey, pubkey_options in (dict_search('authentication.public_keys', user_config) or {}).items(): + if 'type' not in pubkey_options: + raise ConfigError(f'Missing type for public-key "{pubkey}"!') + if 'key' not in pubkey_options: + raise ConfigError(f'Missing key for public-key "{pubkey}"!') + + if {'radius', 'tacacs'} <= set(login): + raise ConfigError('Using both RADIUS and TACACS at the same time is not supported!') + + # At lease one RADIUS server must not be disabled + if 'radius' in login: + if 'server' not in login['radius']: + raise ConfigError('No RADIUS server defined!') + sum_timeout: int = 0 + radius_servers_count: int = 0 + fail = True + for server, server_config in dict_search('radius.server', login).items(): + if 'key' not in server_config: + raise ConfigError(f'RADIUS server "{server}" requires key!') + if 'disable' not in server_config: + sum_timeout += int(server_config['timeout']) + radius_servers_count += 1 + fail = False + + if fail: + raise ConfigError('All RADIUS servers are disabled') + + if radius_servers_count > MAX_RADIUS_COUNT: + raise ConfigError(f'Number of RADIUS servers exceeded maximum of {MAX_RADIUS_COUNT}!') + + if sum_timeout > MAX_RADIUS_TIMEOUT: + raise ConfigError('Sum of RADIUS servers timeouts ' + 'has to be less or eq 50 sec') + + verify_vrf(login['radius']) + + if 'source_address' in login['radius']: + ipv4_count = 0 + ipv6_count = 0 + for address in login['radius']['source_address']: + if is_ipv4(address): ipv4_count += 1 + else: ipv6_count += 1 + + if ipv4_count > 1: + raise ConfigError('Only one IPv4 source-address can be set!') + if ipv6_count > 1: + raise ConfigError('Only one IPv6 source-address can be set!') + + if 'tacacs' in login: + tacacs_servers_count: int = 0 + fail = True + for server, server_config in dict_search('tacacs.server', login).items(): + if 'key' not in server_config: + raise ConfigError(f'TACACS server "{server}" requires key!') + if 'disable' not in server_config: + tacacs_servers_count += 1 + fail = False + + if fail: + raise ConfigError('All RADIUS servers are disabled') + + if tacacs_servers_count > MAX_TACACS_COUNT: + raise ConfigError(f'Number of TACACS servers exceeded maximum of {MAX_TACACS_COUNT}!') + + verify_vrf(login['tacacs']) + + if 'max_login_session' in login and 'timeout' not in login: + raise ConfigError('"login timeout" must be configured!') + + return None + + +def generate(login): + # calculate users encrypted password + if 'user' in login: + for user, user_config in login['user'].items(): + tmp = dict_search('authentication.plaintext_password', user_config) + if tmp: + encrypted_password = linux_context.hash(tmp) + login['user'][user]['authentication']['encrypted_password'] = encrypted_password + del login['user'][user]['authentication']['plaintext_password'] + + # remove old plaintext password and set new encrypted password + env = os.environ.copy() + env['vyos_libexec_dir'] = directories['base'] + + # Set default commands for re-adding user with encrypted password + del_user_plain = f"system login user {user} authentication plaintext-password" + add_user_encrypt = f"system login user {user} authentication encrypted-password '{encrypted_password}'" + + lvl = env['VYATTA_EDIT_LEVEL'] + # We're in config edit level, for example "edit system login" + # Change default commands for re-adding user with encrypted password + if lvl != '/': + # Replace '/system/login' to 'system login' + lvl = lvl.strip('/').split('/') + # Convert command str to list + del_user_plain = del_user_plain.split() + # New command exclude level, for example "edit system login" + del_user_plain = del_user_plain[len(lvl):] + # Convert string to list + del_user_plain = " ".join(del_user_plain) + + add_user_encrypt = add_user_encrypt.split() + add_user_encrypt = add_user_encrypt[len(lvl):] + add_user_encrypt = " ".join(add_user_encrypt) + + ret, out = rc_cmd(f"/opt/vyatta/sbin/my_delete {del_user_plain}", env=env) + if ret: raise ConfigError(out) + ret, out = rc_cmd(f"/opt/vyatta/sbin/my_set {add_user_encrypt}", env=env) + if ret: raise ConfigError(out) + else: + try: + if get_shadow_password(user) == dict_search('authentication.encrypted_password', user_config): + # If the current encrypted bassword matches the encrypted password + # from the config - do not update it. This will remove the encrypted + # value from the system logs. + # + # The encrypted password will be set only once during the first boot + # after an image upgrade. + del login['user'][user]['authentication']['encrypted_password'] + except: + pass + + ### RADIUS based user authentication + if 'radius' in login: + render(radius_config_file, 'login/pam_radius_auth.conf.j2', login, + permission=0o600, user='root', group='root') + else: + if os.path.isfile(radius_config_file): + os.unlink(radius_config_file) + + ### TACACS+ based user authentication + if 'tacacs' in login: + render(tacacs_pam_config_file, 'login/tacplus_servers.j2', login, + permission=0o644, user='root', group='root') + render(tacacs_nss_config_file, 'login/tacplus_nss.conf.j2', login, + permission=0o644, user='root', group='root') + else: + if os.path.isfile(tacacs_pam_config_file): + os.unlink(tacacs_pam_config_file) + if os.path.isfile(tacacs_nss_config_file): + os.unlink(tacacs_nss_config_file) + + + + # NSS must always be present on the system + render(nss_config_file, 'login/nsswitch.conf.j2', login, + permission=0o644, user='root', group='root') + + # /etc/security/limits.d/10-vyos.conf + if 'max_login_session' in login: + render(limits_file, 'login/limits.j2', login, + permission=0o644, user='root', group='root') + else: + if os.path.isfile(limits_file): + os.unlink(limits_file) + + if 'timeout' in login: + render(autologout_file, 'login/autologout.j2', login, + permission=0o755, user='root', group='root') + else: + if os.path.isfile(autologout_file): + os.unlink(autologout_file) + + return None + + +def apply(login): + enable_otp = False + if 'user' in login: + for user, user_config in login['user'].items(): + # make new user using vyatta shell and make home directory (-m), + # default group of 100 (users) + command = 'useradd --create-home --no-user-group ' + # check if user already exists: + if user in get_local_users(): + # update existing account + command = 'usermod' + + # all accounts use /bin/vbash + command += ' --shell /bin/vbash' + # we need to use '' quotes when passing formatted data to the shell + # else it will not work as some data parts are lost in translation + tmp = dict_search('authentication.encrypted_password', user_config) + if tmp: command += f" --password '{tmp}'" + + tmp = dict_search('full_name', user_config) + if tmp: command += f" --comment '{tmp}'" + + tmp = dict_search('home_directory', user_config) + if tmp: command += f" --home '{tmp}'" + else: command += f" --home '/home/{user}'" + + command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk,_kea {user}' + try: + cmd(command) + # we should not rely on the value stored in + # user_config['home_directory'], as a crazy user will choose + # username root or any other system user which will fail. + # + # XXX: Should we deny using root at all? + home_dir = getpwnam(user).pw_dir + # T5875: ensure UID is properly set on home directory if user is re-added + if os.path.exists(home_dir): + chown(home_dir, user=user, recursive=True) + + render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2', + user_config, permission=0o600, + formater=lambda _: _.replace(""", '"'), + user=user, group='users') + + except Exception as e: + raise ConfigError(f'Adding user "{user}" raised exception: "{e}"') + + # Generate 2FA/MFA One-Time-Pad configuration + if dict_search('authentication.otp.key', user_config): + enable_otp = True + render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2', + user_config, permission=0o400, user=user, group='users') + else: + # delete configuration as it's not enabled for the user + if os.path.exists(f'{home_dir}/.google_authenticator'): + os.remove(f'{home_dir}/.google_authenticator') + + if 'rm_users' in login: + for user in login['rm_users']: + try: + # Disable user to prevent re-login + call(f'usermod -s /sbin/nologin {user}') + + # Logout user if he is still logged in + if user in list(set([tmp[0] for tmp in users()])): + print(f'{user} is logged in, forcing logout!') + # re-run command until user is logged out + while run(f'pkill -HUP -u {user}'): + sleep(0.250) + + # Remove user account but leave home directory in place. Re-run + # command until user is removed - userdel might return 8 as + # SSH sessions are not all yet properly cleaned away, thus we + # simply re-run the command until the account wen't away + while run(f'userdel {user}', stderr=DEVNULL): + sleep(0.250) + + except Exception as e: + raise ConfigError(f'Deleting user "{user}" raised exception: {e}') + + # Enable/disable RADIUS in PAM configuration + cmd('pam-auth-update --disable radius-mandatory radius-optional') + if 'radius' in login: + if login['radius'].get('security_mode', '') == 'mandatory': + pam_profile = 'radius-mandatory' + else: + pam_profile = 'radius-optional' + cmd(f'pam-auth-update --enable {pam_profile}') + + # Enable/disable TACACS+ in PAM configuration + cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional') + if 'tacacs' in login: + if login['tacacs'].get('security_mode', '') == 'mandatory': + pam_profile = 'tacplus-mandatory' + else: + pam_profile = 'tacplus-optional' + cmd(f'pam-auth-update --enable {pam_profile}') + + # Enable/disable Google authenticator + cmd('pam-auth-update --disable mfa-google-authenticator') + if enable_otp: + cmd(f'pam-auth-update --enable mfa-google-authenticator') + + return None + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_login_banner.py b/src/conf_mode/system_login_banner.py new file mode 100755 index 000000000..65fa04417 --- /dev/null +++ b/src/conf_mode/system_login_banner.py @@ -0,0 +1,107 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020-2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit +from copy import deepcopy + +from vyos.config import Config +from vyos.utils.file import write_file +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +try: + with open('/usr/share/vyos/default_motd') as f: + motd = f.read() +except: + # Use an empty banner if the default banner file cannot be read + motd = "\n" + +PRELOGIN_FILE = r'/etc/issue' +PRELOGIN_NET_FILE = r'/etc/issue.net' +POSTLOGIN_FILE = r'/etc/motd' + +default_config_data = { + 'issue': 'Welcome to VyOS - \\n \\l\n\n', + 'issue_net': '', + 'motd': motd +} + +def get_config(config=None): + banner = deepcopy(default_config_data) + if config: + conf = config + else: + conf = Config() + base_level = ['system', 'login', 'banner'] + + if not conf.exists(base_level): + return banner + else: + conf.set_level(base_level) + + # Post-Login banner + if conf.exists(['post-login']): + tmp = conf.return_value(['post-login']) + # post-login banner can be empty as well + if tmp: + tmp = tmp.replace('\\n','\n') + tmp = tmp.replace('\\t','\t') + # always add newline character + tmp += '\n' + else: + tmp = '' + + banner['motd'] = tmp + + # Pre-Login banner + if conf.exists(['pre-login']): + tmp = conf.return_value(['pre-login']) + # pre-login banner can be empty as well + if tmp: + tmp = tmp.replace('\\n','\n') + tmp = tmp.replace('\\t','\t') + # always add newline character + tmp += '\n' + else: + tmp = '' + + banner['issue'] = banner['issue_net'] = tmp + + return banner + +def verify(banner): + pass + +def generate(banner): + pass + +def apply(banner): + write_file(PRELOGIN_FILE, banner['issue']) + write_file(PRELOGIN_NET_FILE, banner['issue_net']) + write_file(POSTLOGIN_FILE, banner['motd']) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_logs.py b/src/conf_mode/system_logs.py new file mode 100755 index 000000000..8ad4875d4 --- /dev/null +++ b/src/conf_mode/system_logs.py @@ -0,0 +1,79 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sys import exit + +from vyos import ConfigError +from vyos import airbag +from vyos.config import Config +from vyos.logger import syslog +from vyos.template import render +from vyos.utils.dict import dict_search +airbag.enable() + +# path to logrotate configs +logrotate_atop_file = '/etc/logrotate.d/vyos-atop' +logrotate_rsyslog_file = '/etc/logrotate.d/vyos-rsyslog' + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['system', 'logs'] + logs_config = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + return logs_config + + +def verify(logs_config): + # Nothing to verify here + pass + + +def generate(logs_config): + # get configuration for logrotate atop + logrotate_atop = dict_search('logrotate.atop', logs_config) + # generate new config file for atop + syslog.debug('Adding logrotate config for atop') + render(logrotate_atop_file, 'logs/logrotate/vyos-atop.j2', logrotate_atop) + + # get configuration for logrotate rsyslog + logrotate_rsyslog = dict_search('logrotate.messages', logs_config) + # generate new config file for rsyslog + syslog.debug('Adding logrotate config for rsyslog') + render(logrotate_rsyslog_file, 'logs/logrotate/vyos-rsyslog.j2', + logrotate_rsyslog) + + +def apply(logs_config): + # No further actions needed + pass + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_option.py b/src/conf_mode/system_option.py new file mode 100755 index 000000000..d92121b3d --- /dev/null +++ b/src/conf_mode/system_option.py @@ -0,0 +1,159 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from netifaces import interfaces +from sys import exit +from time import sleep + +from vyos.config import Config +from vyos.configverify import verify_source_interface +from vyos.template import render +from vyos.utils.process import cmd +from vyos.utils.process import is_systemd_service_running +from vyos.utils.network import is_addr_assigned +from vyos.utils.network import is_intf_addr_assigned +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +curlrc_config = r'/etc/curlrc' +ssh_config = r'/etc/ssh/ssh_config.d/91-vyos-ssh-client-options.conf' +systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target' +time_format_to_locale = { + '12-hour': 'en_US.UTF-8', + '24-hour': 'en_GB.UTF-8' +} + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'option'] + options = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + return options + +def verify(options): + if 'http_client' in options: + config = options['http_client'] + if 'source_interface' in config: + if not config['source_interface'] in interfaces(): + raise ConfigError(f'Source interface {source_interface} does not ' + f'exist'.format(**config)) + + if {'source_address', 'source_interface'} <= set(config): + raise ConfigError('Can not define both HTTP source-interface and source-address') + + if 'source_address' in config: + if not is_addr_assigned(config['source_address']): + raise ConfigError('No interface with give address specified!') + + if 'ssh_client' in options: + config = options['ssh_client'] + if 'source_address' in config: + address = config['source_address'] + if not is_addr_assigned(config['source_address']): + raise ConfigError('No interface with address "{address}" configured!') + + if 'source_interface' in config: + verify_source_interface(config) + if 'source_address' in config: + address = config['source_address'] + interface = config['source_interface'] + if not is_intf_addr_assigned(interface, address): + raise ConfigError(f'Address "{address}" not assigned on interface "{interface}"!') + + return None + +def generate(options): + render(curlrc_config, 'system/curlrc.j2', options) + render(ssh_config, 'system/ssh_config.j2', options) + return None + +def apply(options): + # System bootup beep + if 'startup_beep' in options: + cmd('systemctl enable vyos-beep.service') + else: + cmd('systemctl disable vyos-beep.service') + + # Ctrl-Alt-Delete action + if os.path.exists(systemd_action_file): + os.unlink(systemd_action_file) + if 'ctrl_alt_delete' in options: + if options['ctrl_alt_delete'] == 'reboot': + os.symlink('/lib/systemd/system/reboot.target', systemd_action_file) + elif options['ctrl_alt_delete'] == 'poweroff': + os.symlink('/lib/systemd/system/poweroff.target', systemd_action_file) + + # Configure HTTP client + if 'http_client' not in options: + if os.path.exists(curlrc_config): + os.unlink(curlrc_config) + + # Configure SSH client + if 'ssh_client' not in options: + if os.path.exists(ssh_config): + os.unlink(ssh_config) + + # Reboot system on kernel panic + timeout = '0' + if 'reboot_on_panic' in options: + timeout = '60' + with open('/proc/sys/kernel/panic', 'w') as f: + f.write(timeout) + + # tuned - performance tuning + if 'performance' in options: + cmd('systemctl restart tuned.service') + # wait until daemon has started before sending configuration + while (not is_systemd_service_running('tuned.service')): + sleep(0.250) + cmd('tuned-adm profile network-{performance}'.format(**options)) + else: + cmd('systemctl stop tuned.service') + + # Keyboard layout - there will be always the default key inside the dict + # but we check for key existence anyway + if 'keyboard_layout' in options: + cmd('loadkeys {keyboard_layout}'.format(**options)) + + # Enable/diable root-partition-auto-resize SystemD service + if 'root_partition_auto_resize' in options: + cmd('systemctl enable root-partition-auto-resize.service') + else: + cmd('systemctl disable root-partition-auto-resize.service') + + # Time format 12|24-hour + if 'time_format' in options: + time_format = time_format_to_locale.get(options['time_format']) + cmd(f'localectl set-locale LC_TIME={time_format}') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_proxy.py b/src/conf_mode/system_proxy.py new file mode 100755 index 000000000..079c43e7e --- /dev/null +++ b/src/conf_mode/system_proxy.py @@ -0,0 +1,71 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +proxy_def = r'/etc/profile.d/vyos-system-proxy.sh' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'proxy'] + if not conf.exists(base): + return None + + proxy = conf.get_config_dict(base, get_first_key=True) + return proxy + +def verify(proxy): + if not proxy: + return + + if 'url' not in proxy or 'port' not in proxy: + raise ConfigError('Proxy URL and port require a value') + + if ('username' in proxy and 'password' not in proxy) or \ + ('username' not in proxy and 'password' in proxy): + raise ConfigError('Both username and password need to be defined!') + +def generate(proxy): + if not proxy: + if os.path.isfile(proxy_def): + os.unlink(proxy_def) + return + + render(proxy_def, 'system/proxy.j2', proxy, permission=0o755) + +def apply(proxy): + pass + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_syslog.py b/src/conf_mode/system_syslog.py new file mode 100755 index 000000000..07fbb0734 --- /dev/null +++ b/src/conf_mode/system_syslog.py @@ -0,0 +1,103 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.utils.process import call +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +rsyslog_conf = '/etc/rsyslog.d/00-vyos.conf' +logrotate_conf = '/etc/logrotate.d/vyos-rsyslog' +systemd_override = r'/run/systemd/system/rsyslog.service.d/override.conf' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'syslog'] + if not conf.exists(base): + return None + + syslog = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + syslog.update({ 'logrotate' : logrotate_conf }) + + tmp = is_node_changed(conf, base + ['vrf']) + if tmp: syslog.update({'restart_required': {}}) + + syslog = conf.merge_defaults(syslog, recursive=True) + if syslog.from_defaults(['global']): + del syslog['global'] + + return syslog + +def verify(syslog): + if not syslog: + return None + + verify_vrf(syslog) + +def generate(syslog): + if not syslog: + if os.path.exists(rsyslog_conf): + os.unlink(rsyslog_conf) + if os.path.exists(logrotate_conf): + os.unlink(logrotate_conf) + + return None + + render(rsyslog_conf, 'rsyslog/rsyslog.conf.j2', syslog) + render(systemd_override, 'rsyslog/override.conf.j2', syslog) + render(logrotate_conf, 'rsyslog/logrotate.j2', syslog) + + # Reload systemd manager configuration + call('systemctl daemon-reload') + return None + +def apply(syslog): + systemd_socket = 'syslog.socket' + systemd_service = 'syslog.service' + if not syslog: + call(f'systemctl stop {systemd_service} {systemd_socket}') + return None + + # we need to restart the service if e.g. the VRF name changed + systemd_action = 'reload-or-restart' + if 'restart_required' in syslog: + systemd_action = 'restart' + + call(f'systemctl {systemd_action} {systemd_service}') + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_task-scheduler.py b/src/conf_mode/system_task-scheduler.py new file mode 100755 index 000000000..129be5d3c --- /dev/null +++ b/src/conf_mode/system_task-scheduler.py @@ -0,0 +1,153 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2017 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# + +import os +import re +import sys + +from vyos.config import Config +from vyos import ConfigError + +from vyos import airbag +airbag.enable() + +crontab_file = "/etc/cron.d/vyos-crontab" + + +def format_task(minute="*", hour="*", day="*", dayofweek="*", month="*", user="root", rawspec=None, command=""): + fmt_full = "{minute} {hour} {day} {month} {dayofweek} {user} {command}\n" + fmt_raw = "{spec} {user} {command}\n" + + if rawspec is None: + s = fmt_full.format(minute=minute, hour=hour, day=day, + dayofweek=dayofweek, month=month, command=command, user=user) + else: + s = fmt_raw.format(spec=rawspec, user=user, command=command) + + return s + +def split_interval(s): + result = re.search(r"(\d+)([mdh]?)", s) + value = int(result.group(1)) + suffix = result.group(2) + return( (value, suffix) ) + +def make_command(executable, arguments): + if arguments: + return("sg vyattacfg \"{0} {1}\"".format(executable, arguments)) + else: + return("sg vyattacfg \"{0}\"".format(executable)) + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + conf.set_level("system task-scheduler task") + task_names = conf.list_nodes("") + tasks = [] + + for name in task_names: + interval = conf.return_value("{0} interval".format(name)) + spec = conf.return_value("{0} crontab-spec".format(name)) + executable = conf.return_value("{0} executable path".format(name)) + args = conf.return_value("{0} executable arguments".format(name)) + task = { + "name": name, + "interval": interval, + "spec": spec, + "executable": executable, + "args": args + } + tasks.append(task) + + return tasks + +def verify(tasks): + for task in tasks: + if not task["interval"] and not task["spec"]: + raise ConfigError("Invalid task {0}: must define either interval or crontab-spec".format(task["name"])) + + if task["interval"]: + if task["spec"]: + raise ConfigError("Invalid task {0}: cannot use interval and crontab-spec at the same time".format(task["name"])) + + if not re.match(r"^\d+[mdh]?$", task["interval"]): + raise(ConfigError("Invalid interval {0} in task {1}: interval should be a number optionally followed by m, h, or d".format(task["name"], task["interval"]))) + else: + # Check if values are within allowed range + value, suffix = split_interval(task["interval"]) + + if not suffix or suffix == "m": + if value > 60: + raise ConfigError("Invalid task {0}: interval in minutes must not exceed 60".format(task["name"])) + elif suffix == "h": + if value > 24: + raise ConfigError("Invalid task {0}: interval in hours must not exceed 24".format(task["name"])) + elif suffix == "d": + if value > 31: + raise ConfigError("Invalid task {0}: interval in days must not exceed 31".format(task["name"])) + + if not task["executable"]: + raise ConfigError("Invalid task {0}: executable is not defined".format(task["name"])) + else: + # Check if executable exists and is executable + if not (os.path.isfile(task["executable"]) and os.access(task["executable"], os.X_OK)): + raise ConfigError("Invalid task {0}: file {1} does not exist or is not executable".format(task["name"], task["executable"])) + +def generate(tasks): + crontab_header = "### Generated by vyos-update-crontab.py ###\n" + if len(tasks) == 0: + if os.path.exists(crontab_file): + os.remove(crontab_file) + else: + pass + else: + crontab_lines = [] + for task in tasks: + command = make_command(task["executable"], task["args"]) + if task["spec"]: + line = format_task(command=command, rawspec=task["spec"]) + else: + value, suffix = split_interval(task["interval"]) + if not suffix or suffix == "m": + line = format_task(command=command, minute="*/{0}".format(value)) + elif suffix == "h": + line = format_task(command=command, minute="0", hour="*/{0}".format(value)) + elif suffix == "d": + line = format_task(command=command, minute="0", hour="0", day="*/{0}".format(value)) + crontab_lines.append(line) + + with open(crontab_file, 'w') as f: + f.write(crontab_header) + f.writelines(crontab_lines) + +def apply(config): + # No daemon restarts etc. needed for cron + pass + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) diff --git a/src/conf_mode/system_timezone.py b/src/conf_mode/system_timezone.py new file mode 100755 index 000000000..cd3d4b229 --- /dev/null +++ b/src/conf_mode/system_timezone.py @@ -0,0 +1,61 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import sys +import os + +from copy import deepcopy +from vyos.config import Config +from vyos import ConfigError +from vyos.utils.process import call + +from vyos import airbag +airbag.enable() + +default_config_data = { + 'name': 'UTC' +} + +def get_config(config=None): + tz = deepcopy(default_config_data) + if config: + conf = config + else: + conf = Config() + if conf.exists('system time-zone'): + tz['name'] = conf.return_value('system time-zone') + + return tz + +def verify(tz): + pass + +def generate(tz): + pass + +def apply(tz): + call('/usr/bin/timedatectl set-timezone {}'.format(tz['name'])) + call('systemctl restart rsyslog') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) diff --git a/src/conf_mode/system_update-check.py b/src/conf_mode/system_update-check.py new file mode 100755 index 000000000..8d641a97d --- /dev/null +++ b/src/conf_mode/system_update-check.py @@ -0,0 +1,93 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import json +import jmespath + +from pathlib import Path +from sys import exit + +from vyos.config import Config +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag +airbag.enable() + + +base = ['system', 'update-check'] +service_name = 'vyos-system-update' +service_conf = Path(f'/run/{service_name}.conf') +motd_file = Path('/run/motd.d/10-vyos-update') + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + if not conf.exists(base): + return None + + config = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + return config + + +def verify(config): + # bail out early - looks like removal from running config + if config is None: + return + + if 'url' not in config: + raise ConfigError('URL is required!') + + +def generate(config): + # bail out early - looks like removal from running config + if config is None: + # Remove old config and return + service_conf.unlink(missing_ok=True) + # MOTD used in /run/motd.d/10-update + motd_file.unlink(missing_ok=True) + return None + + # Write configuration file + conf_json = json.dumps(config, indent=4) + service_conf.write_text(conf_json) + + return None + + +def apply(config): + if config: + if 'auto_check' in config: + call(f'systemctl restart {service_name}.service') + else: + call(f'systemctl stop {service_name}.service') + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/system_update_check.py b/src/conf_mode/system_update_check.py deleted file mode 100755 index 8d641a97d..000000000 --- a/src/conf_mode/system_update_check.py +++ /dev/null @@ -1,93 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import json -import jmespath - -from pathlib import Path -from sys import exit - -from vyos.config import Config -from vyos.utils.process import call -from vyos import ConfigError -from vyos import airbag -airbag.enable() - - -base = ['system', 'update-check'] -service_name = 'vyos-system-update' -service_conf = Path(f'/run/{service_name}.conf') -motd_file = Path('/run/motd.d/10-vyos-update') - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - if not conf.exists(base): - return None - - config = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - return config - - -def verify(config): - # bail out early - looks like removal from running config - if config is None: - return - - if 'url' not in config: - raise ConfigError('URL is required!') - - -def generate(config): - # bail out early - looks like removal from running config - if config is None: - # Remove old config and return - service_conf.unlink(missing_ok=True) - # MOTD used in /run/motd.d/10-update - motd_file.unlink(missing_ok=True) - return None - - # Write configuration file - conf_json = json.dumps(config, indent=4) - service_conf.write_text(conf_json) - - return None - - -def apply(config): - if config: - if 'auto_check' in config: - call(f'systemctl restart {service_name}.service') - else: - call(f'systemctl stop {service_name}.service') - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/task_scheduler.py b/src/conf_mode/task_scheduler.py deleted file mode 100755 index 129be5d3c..000000000 --- a/src/conf_mode/task_scheduler.py +++ /dev/null @@ -1,153 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2017 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# -# - -import os -import re -import sys - -from vyos.config import Config -from vyos import ConfigError - -from vyos import airbag -airbag.enable() - -crontab_file = "/etc/cron.d/vyos-crontab" - - -def format_task(minute="*", hour="*", day="*", dayofweek="*", month="*", user="root", rawspec=None, command=""): - fmt_full = "{minute} {hour} {day} {month} {dayofweek} {user} {command}\n" - fmt_raw = "{spec} {user} {command}\n" - - if rawspec is None: - s = fmt_full.format(minute=minute, hour=hour, day=day, - dayofweek=dayofweek, month=month, command=command, user=user) - else: - s = fmt_raw.format(spec=rawspec, user=user, command=command) - - return s - -def split_interval(s): - result = re.search(r"(\d+)([mdh]?)", s) - value = int(result.group(1)) - suffix = result.group(2) - return( (value, suffix) ) - -def make_command(executable, arguments): - if arguments: - return("sg vyattacfg \"{0} {1}\"".format(executable, arguments)) - else: - return("sg vyattacfg \"{0}\"".format(executable)) - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - conf.set_level("system task-scheduler task") - task_names = conf.list_nodes("") - tasks = [] - - for name in task_names: - interval = conf.return_value("{0} interval".format(name)) - spec = conf.return_value("{0} crontab-spec".format(name)) - executable = conf.return_value("{0} executable path".format(name)) - args = conf.return_value("{0} executable arguments".format(name)) - task = { - "name": name, - "interval": interval, - "spec": spec, - "executable": executable, - "args": args - } - tasks.append(task) - - return tasks - -def verify(tasks): - for task in tasks: - if not task["interval"] and not task["spec"]: - raise ConfigError("Invalid task {0}: must define either interval or crontab-spec".format(task["name"])) - - if task["interval"]: - if task["spec"]: - raise ConfigError("Invalid task {0}: cannot use interval and crontab-spec at the same time".format(task["name"])) - - if not re.match(r"^\d+[mdh]?$", task["interval"]): - raise(ConfigError("Invalid interval {0} in task {1}: interval should be a number optionally followed by m, h, or d".format(task["name"], task["interval"]))) - else: - # Check if values are within allowed range - value, suffix = split_interval(task["interval"]) - - if not suffix or suffix == "m": - if value > 60: - raise ConfigError("Invalid task {0}: interval in minutes must not exceed 60".format(task["name"])) - elif suffix == "h": - if value > 24: - raise ConfigError("Invalid task {0}: interval in hours must not exceed 24".format(task["name"])) - elif suffix == "d": - if value > 31: - raise ConfigError("Invalid task {0}: interval in days must not exceed 31".format(task["name"])) - - if not task["executable"]: - raise ConfigError("Invalid task {0}: executable is not defined".format(task["name"])) - else: - # Check if executable exists and is executable - if not (os.path.isfile(task["executable"]) and os.access(task["executable"], os.X_OK)): - raise ConfigError("Invalid task {0}: file {1} does not exist or is not executable".format(task["name"], task["executable"])) - -def generate(tasks): - crontab_header = "### Generated by vyos-update-crontab.py ###\n" - if len(tasks) == 0: - if os.path.exists(crontab_file): - os.remove(crontab_file) - else: - pass - else: - crontab_lines = [] - for task in tasks: - command = make_command(task["executable"], task["args"]) - if task["spec"]: - line = format_task(command=command, rawspec=task["spec"]) - else: - value, suffix = split_interval(task["interval"]) - if not suffix or suffix == "m": - line = format_task(command=command, minute="*/{0}".format(value)) - elif suffix == "h": - line = format_task(command=command, minute="0", hour="*/{0}".format(value)) - elif suffix == "d": - line = format_task(command=command, minute="0", hour="0", day="*/{0}".format(value)) - crontab_lines.append(line) - - with open(crontab_file, 'w') as f: - f.write(crontab_header) - f.writelines(crontab_lines) - -def apply(config): - # No daemon restarts etc. needed for cron - pass - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - sys.exit(1) diff --git a/src/conf_mode/tftp_server.py b/src/conf_mode/tftp_server.py deleted file mode 100755 index 3ad346e2e..000000000 --- a/src/conf_mode/tftp_server.py +++ /dev/null @@ -1,142 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import stat -import pwd - -from copy import deepcopy -from glob import glob -from sys import exit - -from vyos.base import Warning -from vyos.config import Config -from vyos.configverify import verify_vrf -from vyos.template import render -from vyos.template import is_ipv4 -from vyos.utils.process import call -from vyos.utils.permission import chmod_755 -from vyos.utils.network import is_addr_assigned -from vyos import ConfigError -from vyos import airbag -airbag.enable() - -config_file = r'/etc/default/tftpd' - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['service', 'tftp-server'] - if not conf.exists(base): - return None - - tftpd = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, - with_recursive_defaults=True) - return tftpd - -def verify(tftpd): - # bail out early - looks like removal from running config - if not tftpd: - return None - - # Configuring allowed clients without a server makes no sense - if 'directory' not in tftpd: - raise ConfigError('TFTP root directory must be configured!') - - if 'listen_address' not in tftpd: - raise ConfigError('TFTP server listen address must be configured!') - - for address, address_config in tftpd['listen_address'].items(): - if not is_addr_assigned(address): - Warning(f'TFTP server listen address "{address}" not ' \ - 'assigned to any interface!') - verify_vrf(address_config) - - return None - -def generate(tftpd): - # cleanup any available configuration file - # files will be recreated on demand - for i in glob(config_file + '*'): - os.unlink(i) - - # bail out early - looks like removal from running config - if tftpd is None: - return None - - idx = 0 - for address, address_config in tftpd['listen_address'].items(): - config = deepcopy(tftpd) - port = tftpd['port'] - if is_ipv4(address): - config['listen_address'] = f'{address}:{port} -4' - else: - config['listen_address'] = f'[{address}]:{port} -6' - - if 'vrf' in address_config: - config['vrf'] = address_config['vrf'] - - file = config_file + str(idx) - render(file, 'tftp-server/default.j2', config) - idx = idx + 1 - - return None - -def apply(tftpd): - # stop all services first - then we will decide - call('systemctl stop tftpd@*.service') - - # bail out early - e.g. service deletion - if tftpd is None: - return None - - tftp_root = tftpd['directory'] - if not os.path.exists(tftp_root): - os.makedirs(tftp_root) - chmod_755(tftp_root) - - # get UNIX uid for user 'tftp' - tftp_uid = pwd.getpwnam('tftp').pw_uid - tftp_gid = pwd.getpwnam('tftp').pw_gid - - # get UNIX uid for tftproot directory - dir_uid = os.stat(tftp_root).st_uid - dir_gid = os.stat(tftp_root).st_gid - - # adjust uid/gid of tftproot directory if files don't belong to user tftp - if (tftp_uid != dir_uid) or (tftp_gid != dir_gid): - os.chown(tftp_root, tftp_uid, tftp_gid) - - idx = 0 - for address in tftpd['listen_address']: - call(f'systemctl restart tftpd@{idx}.service') - idx = idx + 1 - - return None - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) -- cgit v1.2.3