From 785a2d26998db580a1996edba584aac612b11b3a Mon Sep 17 00:00:00 2001 From: DmitriyEshenko Date: Thu, 12 Sep 2019 15:40:00 +0000 Subject: [l2tp] T834 fix cli reset commands for l2tp and pptp. Adding l2tp%d tunnel naming. --- src/conf_mode/accel_l2tp.py | 1 + 1 file changed, 1 insertion(+) (limited to 'src/conf_mode') diff --git a/src/conf_mode/accel_l2tp.py b/src/conf_mode/accel_l2tp.py index 3af8b7958..fc60a8cd7 100755 --- a/src/conf_mode/accel_l2tp.py +++ b/src/conf_mode/accel_l2tp.py @@ -94,6 +94,7 @@ wins2={{wins[1]}} [l2tp] verbose=1 +ifname=l2tp%d ppp-max-mtu={{mtu}} mppe={{authentication['mppe']}} {% if outside_addr %} -- cgit v1.2.3 From b09fc4dbb2a0dce2d31245fb9b4777aa29bbd356 Mon Sep 17 00:00:00 2001 From: DmitriyEshenko Date: Thu, 12 Sep 2019 19:40:31 +0000 Subject: [l2tp] T834 Implementation advanced ppp-options/lcp. --- interface-definitions/l2tp-server.xml | 24 ++++++++++++++++++++++++ src/conf_mode/accel_l2tp.py | 21 +++++++++++++++++++++ 2 files changed, 45 insertions(+) (limited to 'src/conf_mode') diff --git a/interface-definitions/l2tp-server.xml b/interface-definitions/l2tp-server.xml index 721913dfe..f795c96db 100644 --- a/interface-definitions/l2tp-server.xml +++ b/interface-definitions/l2tp-server.xml @@ -405,6 +405,7 @@ Option to disable a L2TP Server user + @@ -553,6 +554,29 @@ + + + Advanced protocol options + + + + + LCP echo-requests/sec + + + + + + + + Maximum number of Echo-Requests may be sent without valid reply + + + + + + + diff --git a/src/conf_mode/accel_l2tp.py b/src/conf_mode/accel_l2tp.py index fc60a8cd7..244a720db 100755 --- a/src/conf_mode/accel_l2tp.py +++ b/src/conf_mode/accel_l2tp.py @@ -134,7 +134,16 @@ single-session=replace {% if idle_timeout %} lcp-echo-timeout={{idle_timeout}} {% endif %} +{% if ppp_options['lcp-echo-interval'] %} +lcp-echo-interval={{ppp_options['lcp-echo-interval']}} +{% else %} lcp-echo-interval=30 +{% endif %} +{% if ppp_options['lcp-echo-failure'] %} +lcp-echo-failure={{ppp_options['lcp-echo-failure']}} +{% else %} +lcp-echo-failure=3 +{% endif %} {% if ccp_disable %} ccp=0 {% endif %} @@ -288,6 +297,7 @@ def get_config(): 'mtu' : '1436', 'ip6_column' : '', 'ip6_dp_column' : '', + 'ppp_options' : {}, } ### general options ### @@ -440,6 +450,17 @@ def get_config(): if c.exists('ccp-disable'): config_data['ccp_disable'] = True + ### ppp_options + ppp_options = {} + if c.exists('ppp-options'): + if c.exists('ppp-options lcp-echo-failure'): + ppp_options['lcp-echo-failure'] = c.return_value('ppp-options lcp-echo-failure') + if c.exists('ppp-options lcp-echo-interval'): + ppp_options['lcp-echo-interval'] = c.return_value('ppp-options lcp-echo-interval') + + if len(ppp_options) !=0: + config_data['ppp_options'] = ppp_options + return config_data def verify(c): -- cgit v1.2.3 From fb1689e20ab9967a4c1e24279f5d4d736b256e83 Mon Sep 17 00:00:00 2001 From: Eshenko Dmitriy Date: Fri, 13 Sep 2019 18:54:30 +0300 Subject: [bonding] T1660 Adding additional check. Some bonding mode don't support arp_interval --- src/conf_mode/interface-bonding.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interface-bonding.py b/src/conf_mode/interface-bonding.py index dc0363fb7..447debe0f 100755 --- a/src/conf_mode/interface-bonding.py +++ b/src/conf_mode/interface-bonding.py @@ -355,7 +355,8 @@ def apply(bond): b.del_port(intf) # ARP link monitoring frequency - b.arp_interval = bond['arp_mon_intvl'] + if bond['mode'] not in ['802.3ad', 'balance-tlb', 'balance-alb']: + b.arp_interval = bond['arp_mon_intvl'] # reset miimon on arp-montior deletion if bond['arp_mon_intvl'] == 0: # reset miimon to default -- cgit v1.2.3 From 7d46fa6fc41b13bf9b3a9e3a305d9309079762f1 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 13 Sep 2019 09:17:47 -0700 Subject: Revert "[bonding] T1660 Adding additional check. Some bonding mode don't support arp_interval" This reverts commit fb1689e20ab9967a4c1e24279f5d4d736b256e83. --- src/conf_mode/interface-bonding.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interface-bonding.py b/src/conf_mode/interface-bonding.py index 447debe0f..dc0363fb7 100755 --- a/src/conf_mode/interface-bonding.py +++ b/src/conf_mode/interface-bonding.py @@ -355,8 +355,7 @@ def apply(bond): b.del_port(intf) # ARP link monitoring frequency - if bond['mode'] not in ['802.3ad', 'balance-tlb', 'balance-alb']: - b.arp_interval = bond['arp_mon_intvl'] + b.arp_interval = bond['arp_mon_intvl'] # reset miimon on arp-montior deletion if bond['arp_mon_intvl'] == 0: # reset miimon to default -- cgit v1.2.3 From 2e9ed5ad782fb632f3a0bb026cd3a566ab3862d4 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 13 Sep 2019 20:41:23 +0200 Subject: bonding: T1660: bugfix for triggered OS permission denied exception Some bond modes do not support arp monitor interval and thus internally eset it to 0 which means disabled. If you then write to the sysfs file in question an OS exception (permission denied) is triggered. arp_mon_intvl is initialized as 0 which means disabled so we only write it when it is really requested by the user. There is a validator ensuring that it can only be set in the bond modes which support it. --- src/conf_mode/interface-bonding.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interface-bonding.py b/src/conf_mode/interface-bonding.py index dc0363fb7..08bc4857b 100755 --- a/src/conf_mode/interface-bonding.py +++ b/src/conf_mode/interface-bonding.py @@ -354,12 +354,12 @@ def apply(bond): for intf in b.get_slaves(): b.del_port(intf) - # ARP link monitoring frequency - b.arp_interval = bond['arp_mon_intvl'] - # reset miimon on arp-montior deletion + # ARP link monitoring frequency, reset miimon when arp-montior is inactive if bond['arp_mon_intvl'] == 0: # reset miimon to default b.bond_miimon = 250 + else: + b.arp_interval = bond['arp_mon_intvl'] # ARP monitor targets need to be synchronized between sysfs and CLI. # Unfortunately an address can't be send twice to sysfs as this will -- cgit v1.2.3 From 00d4b8ed90d23181352871a4593d866d9aba0f06 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 13 Sep 2019 21:02:50 +0200 Subject: bonding: T1614: use proper (previously missing) miimon property --- src/conf_mode/interface-bonding.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interface-bonding.py b/src/conf_mode/interface-bonding.py index 08bc4857b..fb8837856 100755 --- a/src/conf_mode/interface-bonding.py +++ b/src/conf_mode/interface-bonding.py @@ -357,7 +357,7 @@ def apply(bond): # ARP link monitoring frequency, reset miimon when arp-montior is inactive if bond['arp_mon_intvl'] == 0: # reset miimon to default - b.bond_miimon = 250 + b.miimon = 250 else: b.arp_interval = bond['arp_mon_intvl'] -- cgit v1.2.3 From 5a132333955be5d557a6f57bb783b898cababbf4 Mon Sep 17 00:00:00 2001 From: DmitriyEshenko Date: Sat, 14 Sep 2019 20:18:00 +0000 Subject: [openvpn] T1661 Fixing returned value on check function --- src/conf_mode/interface-openvpn.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py index 548c78535..fa0af0111 100755 --- a/src/conf_mode/interface-openvpn.py +++ b/src/conf_mode/interface-openvpn.py @@ -326,14 +326,14 @@ def checkCertHeader(header, filename): Returns True on success or on file not found to not trigger the exceptions """ if not os.path.isfile(filename): - return True + return False with open(filename, 'r') as f: for line in f: if re.match(header, line): return True - return False + return True def get_config(): openvpn = deepcopy(default_config_data) @@ -696,8 +696,9 @@ def verify(openvpn): # # TLS/encryption # - if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['shared_secret_file']): - raise ConfigError('Specified shared-secret-key-file "{}" is not valid'.format(openvpn['shared_secret_file'])) + if openvpn['shared_secret_file']: + if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['shared_secret_file']): + raise ConfigError('Specified shared-secret-key-file "{}" is not valid'.format(openvpn['shared_secret_file'])) if openvpn['tls']: if not openvpn['tls_ca_cert']: @@ -719,8 +720,9 @@ def verify(openvpn): if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']): raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key'])) - if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']): - raise ConfigError('Specified crl-file "{} not valid'.format(openvpn['tls_crl'])) + if openvpn['tls_crl']: + if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']): + raise ConfigError('Specified crl-file "{} not valid'.format(openvpn['tls_crl'])) if not checkCertHeader('-----BEGIN DH PARAMETERS-----', openvpn['tls_dh']): raise ConfigError('Specified dh-file "{}" is not valid'.format(openvpn['tls_dh'])) -- cgit v1.2.3 From cf9ff0e3ee803dd868f5d3d29d8184a13cf745f9 Mon Sep 17 00:00:00 2001 From: DmitriyEshenko Date: Sat, 14 Sep 2019 21:32:36 +0000 Subject: [openvpn] T1661 Adding additional check for tls_dh if it not need for ovpn client --- src/conf_mode/interface-openvpn.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py index fa0af0111..34c094862 100755 --- a/src/conf_mode/interface-openvpn.py +++ b/src/conf_mode/interface-openvpn.py @@ -724,8 +724,9 @@ def verify(openvpn): if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']): raise ConfigError('Specified crl-file "{} not valid'.format(openvpn['tls_crl'])) - if not checkCertHeader('-----BEGIN DH PARAMETERS-----', openvpn['tls_dh']): - raise ConfigError('Specified dh-file "{}" is not valid'.format(openvpn['tls_dh'])) + if openvpn['tls_dh']: + if not checkCertHeader('-----BEGIN DH PARAMETERS-----', openvpn['tls_dh']): + raise ConfigError('Specified dh-file "{}" is not valid'.format(openvpn['tls_dh'])) if openvpn['tls_role']: if openvpn['mode'] in ['client', 'server']: -- cgit v1.2.3 From 6e169b011569bddd0c07d476528a3ecad56e6499 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 15 Sep 2019 19:31:34 +0200 Subject: bonding: T1614: do not overwrite interface description with interface name --- src/conf_mode/interface-bonding.py | 2 -- 1 file changed, 2 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/interface-bonding.py b/src/conf_mode/interface-bonding.py index fb8837856..f0a33beff 100755 --- a/src/conf_mode/interface-bonding.py +++ b/src/conf_mode/interface-bonding.py @@ -157,8 +157,6 @@ def get_config(): # retrieve interface description if conf.exists('description'): bond['description'] = conf.return_value('description') - else: - bond['description'] = bond['intf'] # get DHCP client identifier if conf.exists('dhcp-options client-id'): -- cgit v1.2.3