From ecdc9b1f0bf47b762669d8600aaddc5cfa5ed206 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 16 Mar 2023 12:33:18 +0200 Subject: ipsec: T5043: Rewritten and fixed 'reset vpn' commands 1. Rewritten CLI of 'reset vpn' commands. 2. Created 'reset vpn ipsec remote-access' commands to reset RA IKEv2 session. 3. Created 'reset vpn ipsec site-to-site all' command to reset all configured IPSec site-to-site peers sessions. 4. Rewritten 'reset vpn l2t|pptp|sstp' commands to new opmode style. --- src/op_mode/ipsec.py | 81 ++++++++++++++++++++++++++++++++++++++++++------ src/op_mode/reset_vpn.py | 75 +++++++++++++++++++------------------------- 2 files changed, 103 insertions(+), 53 deletions(-) (limited to 'src') diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py index 8e76f4cc0..6acde08ea 100755 --- a/src/op_mode/ipsec.py +++ b/src/op_mode/ipsec.py @@ -13,7 +13,6 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . - import re import sys import typing @@ -24,6 +23,7 @@ from tabulate import tabulate from vyos.util import convert_data from vyos.util import seconds_to_human +from vyos.configquery import ConfigTreeQuery import vyos.opmode import vyos.ipsec @@ -401,30 +401,91 @@ def _get_childsa_id_list(ike_sas: list) -> list: return list_childsa_id +def _get_all_sitetosite_peers_name_list() -> list: + """ + Return site-to-site peers configuration + :return: site-to-site peers configuration + :rtype: list + """ + conf: ConfigTreeQuery = ConfigTreeQuery() + config_path = ['vpn', 'ipsec', 'site-to-site', 'peer'] + peers_config = conf.get_config_dict(config_path, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + peers_list: list = [] + for name in peers_config: + peers_list.append(name) + return peers_list + + def reset_peer(peer: str, tunnel: typing.Optional[str] = None): # Convert tunnel to Strongwan format of CHILD_SA + tunnel_sw = None if tunnel: if tunnel.isnumeric(): - tunnel = f'{peer}-tunnel-{tunnel}' + tunnel_sw = f'{peer}-tunnel-{tunnel}' elif tunnel == 'vti': - tunnel = f'{peer}-vti' + tunnel_sw = f'{peer}-vti' try: - sa_list: list = vyos.ipsec.get_vici_sas_by_name(peer, tunnel) - + sa_list: list = vyos.ipsec.get_vici_sas_by_name(peer, tunnel_sw) if not sa_list: - raise vyos.opmode.IncorrectValue('Peer not found, aborting') + raise vyos.opmode.IncorrectValue( + f'Peer\'s {peer} SA(s) not found, aborting') if tunnel and sa_list: childsa_id_list: list = _get_childsa_id_list(sa_list) if not childsa_id_list: raise vyos.opmode.IncorrectValue( - 'Peer or tunnel(s) not found, aborting') - vyos.ipsec.terminate_vici_by_name(peer, tunnel) - print('Peer reset result: success') + f'Peer {peer} tunnel {tunnel} SA(s) not found, aborting') + vyos.ipsec.terminate_vici_by_name(peer, tunnel_sw) + print(f'Peer {peer} reset result: success') except (vyos.ipsec.ViciInitiateError) as err: raise vyos.opmode.UnconfiguredSubsystem(err) - except (vyos.ipsec.ViciInitiateError) as err: + except (vyos.ipsec.ViciCommandError) as err: raise vyos.opmode.IncorrectValue(err) +def reset_all_peers(): + sitetosite_list = _get_all_sitetosite_peers_name_list() + if sitetosite_list: + for peer_name in sitetosite_list: + try: + reset_peer(peer_name) + except (vyos.opmode.IncorrectValue) as err: + print(err) + print('Peers reset result: success') + else: + raise vyos.opmode.UnconfiguredSubsystem( + 'VPN IPSec site-to-site is not configured, aborting') + +def _get_ra_session_list_by_username(username: typing.Optional[str] = None): + """ + Return list of remote-access IKE_SAs uniqueids + :param username: + :type username: + :return: + :rtype: + """ + list_sa_id = [] + sa_list = vyos.ipsec.get_vici_sas() + for sa_val in sa_list: + for sa in sa_val.values(): + if 'remote-eap-id' in sa: + if username: + if username == sa['remote-eap-id'].decode(): + list_sa_id.append(sa['uniqueid'].decode()) + else: + list_sa_id.append(sa['uniqueid'].decode()) + return list_sa_id + + +def reset_ra(username: typing.Optional[str] = None): + #Reset remote-access ipsec sessions + if username: + list_sa_id = _get_ra_session_list_by_username(username) + else: + list_sa_id = _get_ra_session_list_by_username() + if list_sa_id: + vyos.ipsec.terminate_vici_ikeid_list(list_sa_id) + def show_sa(raw: bool): sa_data = _get_raw_data_sas() diff --git a/src/op_mode/reset_vpn.py b/src/op_mode/reset_vpn.py index 3a0ad941c..46195d6cd 100755 --- a/src/op_mode/reset_vpn.py +++ b/src/op_mode/reset_vpn.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -13,60 +13,49 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . - import sys -import argparse +import typing from vyos.util import run +import vyos.opmode + cmd_dict = { - 'cmd_base' : '/usr/bin/accel-cmd -p {} terminate {} {}', - 'vpn_types' : { - 'pptp' : 2003, - 'l2tp' : 2004, - 'sstp' : 2005 + 'cmd_base': '/usr/bin/accel-cmd -p {} terminate {} {}', + 'vpn_types': { + 'pptp': 2003, + 'l2tp': 2004, + 'sstp': 2005 } } -def terminate_sessions(username='', interface='', protocol=''): - # Reset vpn connections by username +def reset_conn(protocol: str, username: typing.Optional[str] = None, + interface: typing.Optional[str] = None): if protocol in cmd_dict['vpn_types']: - if username == "all_users": - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'all', '')) - else: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'username', username)) - - # Reset vpn connections by ifname - elif interface: - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'if', interface)) - - elif username: - # Reset all vpn connections - if username == "all_users": - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'all', '')) + # Reset by Interface + if interface: + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'if', interface)) + return + # Reset by username + if username: + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'username', username)) + # Reset all else: - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'username', username)) - -def main(): - #parese args - parser = argparse.ArgumentParser() - parser.add_argument('--username', help='Terminate by username (all_users used for disconnect all users)', required=False) - parser.add_argument('--interface', help='Terminate by interface', required=False) - parser.add_argument('--protocol', help='Set protocol (pptp|l2tp|sstp)', required=False) - args = parser.parse_args() - - if args.username or args.interface: - terminate_sessions(username=args.username, interface=args.interface, protocol=args.protocol) + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'all', + '')) else: - print("Param --username or --interface required") - sys.exit(1) - - terminate_sessions() + vyos.opmode.IncorrectValue('Unknown VPN Protocol, aborting') if __name__ == '__main__': - main() + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) -- cgit v1.2.3 From 15bf5d64440abaf50083ed5a4e1efdbf0d6cbad5 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Thu, 16 Mar 2023 12:35:13 -0500 Subject: openvpn: T5095: raw output should return list instead of dict --- src/op_mode/openvpn.py | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/op_mode/openvpn.py b/src/op_mode/openvpn.py index 8f88ab422..7ae49472e 100755 --- a/src/op_mode/openvpn.py +++ b/src/op_mode/openvpn.py @@ -53,7 +53,7 @@ def _get_tunnel_address(peer_host, peer_port, status_file): def _get_interface_status(mode: str, interface: str) -> dict: status_file = f'/run/openvpn/{interface}.status' - data = { + data: dict = { 'mode': mode, 'intf': interface, 'local_host': '', @@ -142,8 +142,8 @@ def _get_interface_status(mode: str, interface: str) -> dict: return data -def _get_raw_data(mode: str) -> dict: - data = {} +def _get_raw_data(mode: str) -> list: + data: list = [] conf = Config() conf_dict = conf.get_config_dict(['interfaces', 'openvpn'], get_first_key=True) @@ -152,8 +152,7 @@ def _get_raw_data(mode: str) -> dict: interfaces = [x for x in list(conf_dict) if conf_dict[x]['mode'] == mode] for intf in interfaces: - data[intf] = _get_interface_status(mode, intf) - d = data[intf] + d = _get_interface_status(mode, intf) d['local_host'] = conf_dict[intf].get('local-host', '') d['local_port'] = conf_dict[intf].get('local-port', '') if conf.exists(f'interfaces openvpn {intf} server client'): @@ -164,10 +163,11 @@ def _get_raw_data(mode: str) -> dict: client['name'] = 'None (PSK)' client['remote_host'] = conf_dict[intf].get('remote-host', [''])[0] client['remote_port'] = conf_dict[intf].get('remote-port', '1194') + data.append(d) return data -def _format_openvpn(data: dict) -> str: +def _format_openvpn(data: list) -> str: if not data: out = 'No OpenVPN interfaces configured' return out @@ -176,11 +176,12 @@ def _format_openvpn(data: dict) -> str: 'TX bytes', 'RX bytes', 'Connected Since'] out = '' - for intf in list(data): + for d in data: data_out = [] - l_host = data[intf]['local_host'] - l_port = data[intf]['local_port'] - for client in list(data[intf]['clients']): + intf = d['intf'] + l_host = d['local_host'] + l_port = d['local_port'] + for client in d['clients']: r_host = client['remote_host'] r_port = client['remote_port'] @@ -201,7 +202,7 @@ def _format_openvpn(data: dict) -> str: return out -def show(raw: bool, mode: ArgMode) -> str: +def show(raw: bool, mode: ArgMode) -> typing.Union[list,str]: openvpn_data = _get_raw_data(mode) if raw: -- cgit v1.2.3 From 9a9f6e346beb209c819d859e2c7081f145060ac1 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 14 Mar 2023 14:59:58 +0000 Subject: T5050: Firewall: Add log options --- .../include/firewall/common-rule.xml.i | 2 +- .../include/firewall/rule-log-options.xml.i | 89 ++++++++++++++++++++++ python/vyos/firewall.py | 17 ++++- smoketest/scripts/cli/test_firewall.py | 18 +++-- src/conf_mode/firewall.py | 10 +++ src/migration-scripts/firewall/9-to-10 | 80 +++++++++++++++++++ 6 files changed, 205 insertions(+), 11 deletions(-) create mode 100644 interface-definitions/include/firewall/rule-log-options.xml.i create mode 100755 src/migration-scripts/firewall/9-to-10 (limited to 'src') diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i index 3fe3ca872..7417a3c58 100644 --- a/interface-definitions/include/firewall/common-rule.xml.i +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -119,7 +119,7 @@ -#include +#include Connection status diff --git a/interface-definitions/include/firewall/rule-log-options.xml.i b/interface-definitions/include/firewall/rule-log-options.xml.i new file mode 100644 index 000000000..e8b0cdec3 --- /dev/null +++ b/interface-definitions/include/firewall/rule-log-options.xml.i @@ -0,0 +1,89 @@ + + + + Log options + + + + + Set log group + + u32:0-65535 + Log group to send messages to + + + + + + + + + Length of packet payload to include in netlink message + + u32:0-9000 + Length of packet payload to include in netlink message + + + + + + + + + Number of packets to queue inside the kernel before sending them to userspace + + u32:0-65535 + Number of packets to queue inside the kernel before sending them to userspace + + + + + + + + + Set log-level + + emerg alert crit err warn notice info debug + + + emerg + Emerg log level + + + alert + Alert log level + + + crit + Critical log level + + + err + Error log level + + + warn + Warning log level + + + notice + Notice log level + + + info + Info log level + + + debug + Debug log level + + + (emerg|alert|crit|err|warn|notice|info|debug) + + level must be alert, crit, debug, emerg, err, info, notice or warn + + + + + \ No newline at end of file diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 5be897d5f..137fd2c56 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -223,10 +223,21 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): action = rule_conf['action'] if 'action' in rule_conf else 'accept' output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"') - if 'log_level' in rule_conf: - log_level = rule_conf['log_level'] - output.append(f'level {log_level}') + if 'level' in rule_conf['log_options']: + log_level = rule_conf['log_options']['level'] + output.append(f'log level {log_level}') + if 'group' in rule_conf['log_options']: + log_group = rule_conf['log_options']['group'] + output.append(f'log group {log_group}') + + if 'queue_threshold' in rule_conf['log_options']: + queue_threshold = rule_conf['log_options']['queue_threshold'] + output.append(f'queue-threshold {queue_threshold}') + + if 'snapshot_length' in rule_conf['log_options']: + log_snaplen = rule_conf['log_options']['snapshot_length'] + output.append(f'snaplen {log_snaplen}') if 'hop_limit' in rule_conf: operators = {'eq': '==', 'gt': '>', 'lt': '<'} diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index d61534d87..e071b7df9 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -207,13 +207,13 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) self.cli_set(['firewall', 'name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'log-level', 'debug']) + self.cli_set(['firewall', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) self.cli_set(['firewall', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'protocol', 'tcp']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'destination', 'port', '8888']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'log', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'log-level', 'err']) + self.cli_set(['firewall', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) @@ -247,8 +247,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ [f'iifname "{interface}"', f'jump NAME_{name}'], - ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug', 'ip ttl 15', 'return'], - ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" level err', 'ip ttl > 102', 'reject'], + ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'return'], + ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'], ['tcp dport 22', 'limit rate 5/minute', 'return'], ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'], ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'], @@ -272,6 +272,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '1024']) self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '17']) self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '52']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log', 'enable']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'group', '66']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000']) self.cli_set(['firewall', 'name', name, 'rule', '7', 'action', 'accept']) self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length', '1-30000']) @@ -301,7 +305,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ [f'iifname "{interface}"', f'jump NAME_{name}'], - ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', 'return'], + ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'return'], ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'return'], [f'log prefix "[{name}-default-D]"', 'drop'], ['ip saddr 198.51.100.1', f'jump NAME_{name}'], @@ -357,7 +361,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'source', 'address', '2002::1']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '2002::1:1']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log-level', 'crit']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log-options', 'level', 'crit']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'reject']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'protocol', 'tcp_udp']) @@ -374,7 +378,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ [f'iifname "{interface}"', f'jump NAME6_{name}'], - ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" level crit', 'return'], + ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'return'], ['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'], ['meta l4proto gre', f'oifname "{interface}"', 'return'], ['smoketest default-action', f'log prefix "[{name}-default-D]"', 'drop'] diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index b63ed4eb9..c41a442df 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -282,6 +282,16 @@ def verify_rule(firewall, rule_conf, ipv6): if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']: raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group') + if 'log_options' in rule_conf: + if 'log' not in rule_conf or 'enable' not in rule_conf['log']: + raise ConfigError('log-options defined, but log is not enable') + + if 'snapshot_length' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']: + raise ConfigError('log-options snapshot-length defined, but log group is not define') + + if 'queue_threshold' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']: + raise ConfigError('log-options queue-threshold defined, but log group is not define') + def verify_nested_group(group_name, group, groups, seen): if 'include' not in group: return diff --git a/src/migration-scripts/firewall/9-to-10 b/src/migration-scripts/firewall/9-to-10 new file mode 100755 index 000000000..6f67cc512 --- /dev/null +++ b/src/migration-scripts/firewall/9-to-10 @@ -0,0 +1,80 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# T5050: Log options +# cli changes from: +# set firewall [name | ipv6-name] rule log-level +# To +# set firewall [name | ipv6-name] rule log-options level + +import re + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree +from vyos.ifconfig import Section + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['firewall'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) + +if config.exists(base + ['name']): + for name in config.list_nodes(base + ['name']): + if not config.exists(base + ['name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['name', name, 'rule']): + log_options_base = base + ['name', name, 'rule', rule, 'log-options'] + rule_log_level = base + ['name', name, 'rule', rule, 'log-level'] + + if config.exists(rule_log_level): + tmp = config.return_value(rule_log_level) + config.delete(rule_log_level) + config.set(log_options_base + ['level'], value=tmp) + +if config.exists(base + ['ipv6-name']): + for name in config.list_nodes(base + ['ipv6-name']): + if not config.exists(base + ['ipv6-name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): + log_options_base = base + ['ipv6-name', name, 'rule', rule, 'log-options'] + rule_log_level = base + ['ipv6-name', name, 'rule', rule, 'log-level'] + + if config.exists(rule_log_level): + tmp = config.return_value(rule_log_level) + config.delete(rule_log_level) + config.set(log_options_base + ['level'], value=tmp) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) \ No newline at end of file -- cgit v1.2.3 From 7cb95a6bc9801abcc70f8d4cfbcc79718148de1c Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Tue, 21 Mar 2023 14:47:48 +0000 Subject: T5099: IPoE-server add option next-pool for named ip pools In cases with multiple named IP pools, it is required the option 'next' to be sure that if IP addresses ended in one pool, then they would begin to be allocated from the next named pool. For accel-ppp it requires specific order as pool must be defined before we can use it with the 'next-option' set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25' set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool' set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25' [ip-pool] 203.0.113.0/25,name=second-pool 192.0.2.0/25,name=first-pool,next=second-pool --- data/templates/accel-ppp/ipoe.config.j2 | 27 ++++-- .../include/accel-ppp/client-ip-pool-name.xml.i | 12 +++ smoketest/scripts/cli/test_service_ipoe-server.py | 93 +++++++++++++++++++++ src/conf_mode/service_ipoe-server.py | 97 ++++++++++++++++++++++ 4 files changed, 222 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index ac83c3dbd..add3dc7e4 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -49,22 +49,35 @@ username=ifname password=csid {% endif %} {% if client_ip_pool.name is vyos_defined %} -{% for pool, pool_options in client_ip_pool.name.items() %} -{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} +{% if first_named_pool is vyos_defined %} +ip-pool={{ first_named_pool }} +{% else %} +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.subnet is vyos_defined %} ip-pool={{ pool }} +{% endif %} +{% endfor %} +{% endif %} +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.gateway_address is vyos_defined %} gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} {% endif %} {% endfor %} {% endif %} proxy-arp=1 -{% if client_ip_pool.name is vyos_defined %} +{% if ordered_named_pools is vyos_defined %} [ip-pool] -{% for pool, pool_options in client_ip_pool.name.items() %} -{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} -{{ pool_options.subnet }},name={{ pool }} +{% for p in ordered_named_pools %} +{% for pool, pool_options in p.items() %} +{% set next_named_pool = ',next=' ~ pool_options.next_pool if pool_options.next_pool is vyos_defined else '' %} +{{ pool_options.subnet }},name={{ pool }}{{ next_named_pool }} +{% endfor %} +{% endfor %} +{% for p in ordered_named_pools %} +{% for pool, pool_options in p.items() %} gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} -{% endif %} +{% endfor %} {% endfor %} {% endif %} diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i index 654b6727e..b442a15b9 100644 --- a/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i +++ b/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i @@ -13,6 +13,18 @@ #include #include + + + Next pool name + + txt + Name of IP pool + + + [-_a-zA-Z0-9.]+ + + + diff --git a/smoketest/scripts/cli/test_service_ipoe-server.py b/smoketest/scripts/cli/test_service_ipoe-server.py index bdab35834..8a141b8f0 100755 --- a/smoketest/scripts/cli/test_service_ipoe-server.py +++ b/smoketest/scripts/cli/test_service_ipoe-server.py @@ -26,6 +26,13 @@ from configparser import ConfigParser ac_name = 'ACN' interface = 'eth0' + +def getConfig(string, end='cli'): + command = f'cat /run/accel-pppd/ipoe.conf | sed -n "/^{string}/,/^{end}/p"' + out = cmd(command) + return out + + class TestServiceIPoEServer(BasicAccelPPPTest.TestCase): @classmethod def setUpClass(cls): @@ -86,6 +93,92 @@ class TestServiceIPoEServer(BasicAccelPPPTest.TestCase): tmp = re.findall(regex, tmp) self.assertTrue(tmp) + def test_accel_named_pool(self): + first_pool = 'VyOS-pool1' + first_subnet = '192.0.2.0/25' + first_gateway = '192.0.2.1' + second_pool = 'Vyos-pool2' + second_subnet = '203.0.113.0/25' + second_gateway = '203.0.113.1' + + self.set(['authentication', 'mode', 'noauth']) + self.set(['client-ip-pool', 'name', first_pool, 'gateway-address', first_gateway]) + self.set(['client-ip-pool', 'name', first_pool, 'subnet', first_subnet]) + self.set(['client-ip-pool', 'name', second_pool, 'gateway-address', second_gateway]) + self.set(['client-ip-pool', 'name', second_pool, 'subnet', second_subnet]) + self.set(['interface', interface]) + + # commit changes + self.cli_commit() + + + # Validate configuration values + conf = ConfigParser(allow_no_value=True, delimiters='=', strict=False) + conf.read(self._config_file) + + self.assertTrue(conf['ipoe']['interface'], f'{interface},shared=1,mode=L2,ifcfg=1,start=dhcpv4,ipv6=1') + self.assertTrue(conf['ipoe']['noauth'], '1') + self.assertTrue(conf['ipoe']['ip-pool'], first_pool) + self.assertTrue(conf['ipoe']['ip-pool'], second_pool) + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{first_gateway}/25') + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{second_gateway}/25') + + config = getConfig('[ip-pool]') + pool_config = f'''{second_subnet},name={second_pool} +{first_subnet},name={first_pool} +gw-ip-address={second_gateway}/25 +gw-ip-address={first_gateway}/25''' + self.assertIn(pool_config, config) + + + def test_accel_next_pool(self): + first_pool = 'VyOS-pool1' + first_subnet = '192.0.2.0/25' + first_gateway = '192.0.2.1' + second_pool = 'Vyos-pool2' + second_subnet = '203.0.113.0/25' + second_gateway = '203.0.113.1' + third_pool = 'Vyos-pool3' + third_subnet = '198.51.100.0/24' + third_gateway = '198.51.100.1' + + self.set(['authentication', 'mode', 'noauth']) + self.set(['client-ip-pool', 'name', first_pool, 'gateway-address', first_gateway]) + self.set(['client-ip-pool', 'name', first_pool, 'subnet', first_subnet]) + self.set(['client-ip-pool', 'name', first_pool, 'next-pool', second_pool]) + self.set(['client-ip-pool', 'name', second_pool, 'gateway-address', second_gateway]) + self.set(['client-ip-pool', 'name', second_pool, 'subnet', second_subnet]) + self.set(['client-ip-pool', 'name', second_pool, 'next-pool', third_pool]) + self.set(['client-ip-pool', 'name', third_pool, 'gateway-address', third_gateway]) + self.set(['client-ip-pool', 'name', third_pool, 'subnet', third_subnet]) + self.set(['interface', interface]) + + # commit changes + self.cli_commit() + + + # Validate configuration values + conf = ConfigParser(allow_no_value=True, delimiters='=', strict=False) + conf.read(self._config_file) + + self.assertTrue(conf['ipoe']['interface'], f'{interface},shared=1,mode=L2,ifcfg=1,start=dhcpv4,ipv6=1') + self.assertTrue(conf['ipoe']['noauth'], '1') + self.assertTrue(conf['ipoe']['ip-pool'], first_pool) + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{first_gateway}/25') + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{second_gateway}/25') + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{third_gateway}/24') + + config = getConfig('[ip-pool]') + # T5099 required specific order + pool_config = f'''{third_subnet},name={third_pool} +{second_subnet},name={second_pool},next={third_pool} +{first_subnet},name={first_pool},next={second_pool} +gw-ip-address={third_gateway}/24 +gw-ip-address={second_gateway}/25 +gw-ip-address={first_gateway}/25''' + self.assertIn(pool_config, config) + + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 4fabe170f..95c72df47 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -15,6 +15,7 @@ # along with this program. If not, see . import os +import jmespath from sys import exit @@ -29,9 +30,92 @@ from vyos import ConfigError from vyos import airbag airbag.enable() + ipoe_conf = '/run/accel-pppd/ipoe.conf' ipoe_chap_secrets = '/run/accel-pppd/ipoe.chap-secrets' + +def get_pools_in_order(data: dict) -> list: + """Return a list of dictionaries representing pool data in the order + in which they should be allocated. Pool must be defined before we can + use it with 'next-pool' option. + + Args: + data: A dictionary of pool data, where the keys are pool names and the + values are dictionaries containing the 'subnet' key and the optional + 'next_pool' key. + + Returns: + list: A list of dictionaries + + Raises: + ValueError: If a 'next_pool' key references a pool name that + has not been defined. + ValueError: If a circular reference is found in the 'next_pool' keys. + + Example: + config_data = { + ... 'first-pool': { + ... 'next_pool': 'second-pool', + ... 'subnet': '192.0.2.0/25' + ... }, + ... 'second-pool': { + ... 'next_pool': 'third-pool', + ... 'subnet': '203.0.113.0/25' + ... }, + ... 'third-pool': { + ... 'subnet': '198.51.100.0/24' + ... }, + ... 'foo': { + ... 'subnet': '100.64.0.0/24', + ... 'next_pool': 'second-pool' + ... } + ... } + + % get_pools_in_order(config_data) + [{'third-pool': {'subnet': '198.51.100.0/24'}}, + {'second-pool': {'next_pool': 'third-pool', 'subnet': '203.0.113.0/25'}}, + {'first-pool': {'next_pool': 'second-pool', 'subnet': '192.0.2.0/25'}}, + {'foo': {'next_pool': 'second-pool', 'subnet': '100.64.0.0/24'}}] + """ + pools = [] + unresolved_pools = {} + + for pool, pool_config in data.items(): + if 'next_pool' not in pool_config: + pools.insert(0, {pool: pool_config}) + else: + unresolved_pools[pool] = pool_config + + while unresolved_pools: + resolved_pools = [] + + for pool, pool_config in unresolved_pools.items(): + next_pool_name = pool_config['next_pool'] + + if any(p for p in pools if next_pool_name in p): + index = next( + (i for i, p in enumerate(pools) if next_pool_name in p), + None) + pools.insert(index + 1, {pool: pool_config}) + resolved_pools.append(pool) + elif next_pool_name in unresolved_pools: + # next pool not yet resolved + pass + else: + raise ValueError( + f"Pool '{next_pool_name}' not defined in configuration data" + ) + + if not resolved_pools: + raise ValueError("Circular reference in configuration data") + + for pool in resolved_pools: + unresolved_pools.pop(pool) + + return pools + + def get_config(config=None): if config: conf = config @@ -43,6 +127,19 @@ def get_config(config=None): # retrieve common dictionary keys ipoe = get_accel_dict(conf, base, ipoe_chap_secrets) + + if jmespath.search('client_ip_pool.name', ipoe): + dict_named_pools = jmespath.search('client_ip_pool.name', ipoe) + # Multiple named pools require ordered values T5099 + ipoe['ordered_named_pools'] = get_pools_in_order(dict_named_pools) + # T5099 'next-pool' option + if jmespath.search('client_ip_pool.name.*.next_pool', ipoe): + for pool, pool_config in ipoe['client_ip_pool']['name'].items(): + if 'next_pool' in pool_config: + ipoe['first_named_pool'] = pool + ipoe['first_named_pool_subnet'] = pool_config + break + return ipoe -- cgit v1.2.3 From 306e422d8306f3e4c35779bf93177c1fb56a4b61 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 21 Mar 2023 20:53:16 +0100 Subject: ospf: T5102: do not always redistribute babel routes --- src/conf_mode/protocols_ospf.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index 0582d32be..eb64afa0c 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -89,7 +89,7 @@ def get_config(config=None): if 'mpls_te' not in ospf: del default_values['mpls_te'] - for protocol in ['bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']: + for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']: # table is a tagNode thus we need to clean out all occurances for the # default values and load them in later individually if protocol == 'table': @@ -234,7 +234,7 @@ def verify(ospf): if list(set(global_range) & set(local_range)): raise ConfigError(f'Segment-Routing Global Block ({g_low_label_value}/{g_high_label_value}) '\ f'conflicts with Local Block ({l_low_label_value}/{l_high_label_value})!') - + # Check for a blank or invalid value per prefix if dict_search('segment_routing.prefix', ospf): for prefix, prefix_config in ospf['segment_routing']['prefix'].items(): -- cgit v1.2.3 From 05e00b986a563681b038b226c86c83a29d6da820 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 22 Mar 2023 10:29:35 +0000 Subject: T5105: Fix error message from dhcp-server --- src/conf_mode/dhcp_server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index 39c87478f..2b2af252d 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py @@ -247,7 +247,7 @@ def verify(dhcp): net2 = ip_network(n) if (net != net2): if net.overlaps(net2): - raise ConfigError('Conflicting subnet ranges: "{net}" overlaps "{net2}"!') + raise ConfigError(f'Conflicting subnet ranges: "{net}" overlaps "{net2}"!') # Prevent 'disable' for shared-network if only one network is configured if (shared_networks - disabled_shared_networks) < 1: -- cgit v1.2.3 From 0e670fa038304709b4d748de7e7c7d13aef9a553 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 22 Mar 2023 10:21:16 -0500 Subject: graphql: T5106: add auth_token client op --- src/services/api/graphql/graphql/client_op/auth_token.graphql | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 src/services/api/graphql/graphql/client_op/auth_token.graphql (limited to 'src') diff --git a/src/services/api/graphql/graphql/client_op/auth_token.graphql b/src/services/api/graphql/graphql/client_op/auth_token.graphql new file mode 100644 index 000000000..5ea2ecc1c --- /dev/null +++ b/src/services/api/graphql/graphql/client_op/auth_token.graphql @@ -0,0 +1,10 @@ + +mutation AuthToken ($username: String!, $password: String!) { + AuthToken (data: { username: $username, password: $password }) { + success + errors + data { + result + } + } +} -- cgit v1.2.3 From de253a0017da889fd2560811f774fc394528a133 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 22 Mar 2023 11:50:40 -0500 Subject: graphql: T5106: generate client ops for configsession functions --- .../graphql/generate/config_session_function.py | 2 - .../graphql/generate/schema_from_config_session.py | 72 +++++++++++++++++++--- .../api/graphql/generate/schema_from_op_mode.py | 3 +- 3 files changed, 65 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/services/api/graphql/generate/config_session_function.py b/src/services/api/graphql/generate/config_session_function.py index 20fc7cc1d..4ebb47a7e 100644 --- a/src/services/api/graphql/generate/config_session_function.py +++ b/src/services/api/graphql/generate/config_session_function.py @@ -28,5 +28,3 @@ mutations = {'save_config_file': save_config_file, 'load_config_file': load_config_file, 'add_system_image': add_system_image, 'delete_system_image': delete_system_image} - - diff --git a/src/services/api/graphql/generate/schema_from_config_session.py b/src/services/api/graphql/generate/schema_from_config_session.py index 831faa41e..1d5ff1e53 100755 --- a/src/services/api/graphql/generate/schema_from_config_session.py +++ b/src/services/api/graphql/generate/schema_from_config_session.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -20,8 +20,7 @@ import os import sys -import json -from inspect import signature, getmembers, isfunction, isclass, getmro +from inspect import signature from jinja2 import Template from vyos.defaults import directories @@ -32,9 +31,9 @@ if __package__ is None or __package__ == '': else: from .. libs.op_mode import snake_to_pascal_case, map_type_name from . config_session_function import queries, mutations - from .. import state SCHEMA_PATH = directories['api_schema'] +CLIENT_OP_PATH = directories['api_client_op'] schema_data: dict = {'schema_name': '', 'schema_fields': []} @@ -85,6 +84,30 @@ extend type Mutation { } """ +op_query_template = """ +query {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + +op_mutation_template = """ +mutation {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + def create_schema(func_name: str, func: callable, template: str) -> str: sig = signature(func) @@ -104,19 +127,52 @@ def create_schema(func_name: str, func: callable, template: str) -> str: return res +def create_client_op(func_name: str, func: callable, template: str) -> str: + sig = signature(func) + + field_dict = {} + for k in sig.parameters: + field_dict[sig.parameters[k].name] = map_type_name(sig.parameters[k].annotation) + + op_sig = ['$key: String'] + op_arg = ['key: $key'] + for k,v in field_dict.items(): + op_sig.append('$'+k+': '+v) + op_arg.append(k+': $'+k) + + op_data = {} + op_data['op_name'] = snake_to_pascal_case(func_name) + op_data['op_sig'] = ', '.join(op_sig) + op_data['op_arg'] = ', '.join(op_arg) + + j2_template = Template(template) + + res = j2_template.render(op_data) + + return res + def generate_config_session_definitions(): - results = [] + schema = [] + client_op = [] for name,func in queries.items(): res = create_schema(name, func, query_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_query_template) + client_op.append(res) for name,func in mutations.items(): res = create_schema(name, func, mutation_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_mutation_template) + client_op.append(res) - out = '\n'.join(results) + out = '\n'.join(schema) with open(f'{SCHEMA_PATH}/configsession.graphql', 'w') as f: f.write(out) + out = '\n'.join(client_op) + with open(f'{CLIENT_OP_PATH}/configsession.graphql', 'w') as f: + f.write(out) + if __name__ == '__main__': generate_config_session_definitions() diff --git a/src/services/api/graphql/generate/schema_from_op_mode.py b/src/services/api/graphql/generate/schema_from_op_mode.py index cb7b0fd21..229ccf90f 100755 --- a/src/services/api/graphql/generate/schema_from_op_mode.py +++ b/src/services/api/graphql/generate/schema_from_op_mode.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -35,7 +35,6 @@ if __package__ is None or __package__ == '': else: from .. libs.op_mode import is_show_function_name from .. libs.op_mode import snake_to_pascal_case, map_type_name - from .. import state OP_MODE_PATH = directories['op_mode'] SCHEMA_PATH = directories['api_schema'] -- cgit v1.2.3 From 1177c9cf010ee2c8eb17fc0486ad9b5116c5a9d9 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 22 Mar 2023 12:25:07 -0500 Subject: graphql: T5106: generate client ops for composite functions --- .../api/graphql/generate/schema_from_composite.py | 72 +++++++++++++++++++--- 1 file changed, 64 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/services/api/graphql/generate/schema_from_composite.py b/src/services/api/graphql/generate/schema_from_composite.py index 50c5d24f8..06e74032d 100755 --- a/src/services/api/graphql/generate/schema_from_composite.py +++ b/src/services/api/graphql/generate/schema_from_composite.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -20,8 +20,7 @@ import os import sys -import json -from inspect import signature, getmembers, isfunction, isclass, getmro +from inspect import signature from jinja2 import Template from vyos.defaults import directories @@ -32,9 +31,9 @@ if __package__ is None or __package__ == '': else: from .. libs.op_mode import snake_to_pascal_case, map_type_name from . composite_function import queries, mutations - from .. import state SCHEMA_PATH = directories['api_schema'] +CLIENT_OP_PATH = directories['api_client_op'] schema_data: dict = {'schema_name': '', 'schema_fields': []} @@ -85,6 +84,30 @@ extend type Mutation { } """ +op_query_template = """ +query {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + +op_mutation_template = """ +mutation {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + def create_schema(func_name: str, func: callable, template: str) -> str: sig = signature(func) @@ -104,19 +127,52 @@ def create_schema(func_name: str, func: callable, template: str) -> str: return res +def create_client_op(func_name: str, func: callable, template: str) -> str: + sig = signature(func) + + field_dict = {} + for k in sig.parameters: + field_dict[sig.parameters[k].name] = map_type_name(sig.parameters[k].annotation) + + op_sig = ['$key: String'] + op_arg = ['key: $key'] + for k,v in field_dict.items(): + op_sig.append('$'+k+': '+v) + op_arg.append(k+': $'+k) + + op_data = {} + op_data['op_name'] = snake_to_pascal_case(func_name) + op_data['op_sig'] = ', '.join(op_sig) + op_data['op_arg'] = ', '.join(op_arg) + + j2_template = Template(template) + + res = j2_template.render(op_data) + + return res + def generate_composite_definitions(): - results = [] + schema = [] + client_op = [] for name,func in queries.items(): res = create_schema(name, func, query_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_query_template) + client_op.append(res) for name,func in mutations.items(): res = create_schema(name, func, mutation_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_mutation_template) + client_op.append(res) - out = '\n'.join(results) + out = '\n'.join(schema) with open(f'{SCHEMA_PATH}/composite.graphql', 'w') as f: f.write(out) + out = '\n'.join(client_op) + with open(f'{CLIENT_OP_PATH}/composite.graphql', 'w') as f: + f.write(out) + if __name__ == '__main__': generate_composite_definitions() -- cgit v1.2.3 From 7380bf1216399f905fe85ff26eaa0272b9f6dfe0 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Thu, 23 Mar 2023 08:31:28 -0500 Subject: op-mode: T5107: raise error instead of calling exit --- src/op_mode/dns.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'src') diff --git a/src/op_mode/dns.py b/src/op_mode/dns.py index a0e47d7ad..f8863c530 100755 --- a/src/op_mode/dns.py +++ b/src/op_mode/dns.py @@ -17,7 +17,6 @@ import sys -from sys import exit from tabulate import tabulate from vyos.configquery import ConfigTreeQuery @@ -75,8 +74,7 @@ def show_forwarding_statistics(raw: bool): config = ConfigTreeQuery() if not config.exists('service dns forwarding'): - print("DNS forwarding is not configured") - exit(0) + raise vyos.opmode.UnconfiguredSubsystem('DNS forwarding is not configured') dns_data = _get_raw_forwarding_statistics() if raw: -- cgit v1.2.3 From 62875954a6679e1124cd727187f64bd37ec4678f Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 23 Mar 2023 14:55:05 +0100 Subject: ipsec: T2816: Cleanup dhcp hook file if not required --- src/conf_mode/vpn_ipsec.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index d207c63df..63887b278 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -549,6 +549,8 @@ def generate(ipsec): if ipsec['dhcp_no_address']: with open(DHCP_HOOK_IFLIST, 'w') as f: f.write(" ".join(ipsec['dhcp_no_address'].values())) + elif os.path.exists(DHCP_HOOK_IFLIST): + os.unlink(DHCP_HOOK_IFLIST) for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH, PUBKEY_PATH]: if not os.path.exists(path): -- cgit v1.2.3 From 9c81b63a1a42d95e99c6a32ca6e3cb4704231352 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 23 Mar 2023 13:41:13 +0000 Subject: T5108: Add option rate-limit for l2tp pptp sstp ipoe raw format There is a missing usefull option 'rate-limit' for L2TP/PPTP/SSTP/IPoE raw output format --- src/op_mode/accelppp.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/op_mode/accelppp.py b/src/op_mode/accelppp.py index 87a25bb96..00de45fc8 100755 --- a/src/op_mode/accelppp.py +++ b/src/op_mode/accelppp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -75,8 +75,8 @@ def _get_raw_statistics(accel_output, pattern, protocol): def _get_raw_sessions(port): - cmd_options = 'show sessions ifname,username,ip,ip6,ip6-dp,type,state,' \ - 'uptime-raw,calling-sid,called-sid,sid,comp,rx-bytes-raw,' \ + cmd_options = 'show sessions ifname,username,ip,ip6,ip6-dp,type,rate-limit,' \ + 'state,uptime-raw,calling-sid,called-sid,sid,comp,rx-bytes-raw,' \ 'tx-bytes-raw,rx-pkts,tx-pkts' output = vyos.accel_ppp.accel_cmd(port, cmd_options) parsed_data: list[dict[str, str]] = vyos.accel_ppp.accel_out_parse( -- cgit v1.2.3 From b48e9a7c4cc89546aaf4a40f71535acfddc7e4d3 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Thu, 23 Mar 2023 18:55:02 -0500 Subject: op-mode: T5097: show interfaces should reflect cleared counters 'show interfaces counters' correctly displays counter stats after a call to 'clear interfaces counters', however, 'show interfaces detail' does not. Add missing update to counter stats. --- src/op_mode/interfaces.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/op_mode/interfaces.py b/src/op_mode/interfaces.py index 678c74980..7d04ec4e3 100755 --- a/src/op_mode/interfaces.py +++ b/src/op_mode/interfaces.py @@ -207,7 +207,11 @@ def _get_raw_data(ifname: typing.Optional[str], res_intf['description'] = interface.get_alias() - res_intf['stats'] = interface.operational.get_stats() + stats = interface.operational.get_stats() + for k in list(stats): + stats[k] = _get_counter_val(cache[k], stats[k]) + + res_intf['stats'] = stats ret.append(res_intf) -- cgit v1.2.3 From c6494f12f92746cc4603fceca6b1a22fed010b93 Mon Sep 17 00:00:00 2001 From: Indrajit Raychaudhuri Date: Sat, 25 Mar 2023 18:51:34 -0500 Subject: dns: T5113: Support custom port for name-server forwarders Support custom port for name-server forwarders that would allow using custom ports in name server forwarders to enable forwarding to alternative name servers (unbound, stubby, dnscrypt-proxy etc.) operating on non-default port. This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards (pdns doesn't support certificate check for validity yet) by enabling 'dot-to-port-853'. This is set by default if compiled in with DoT support. See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853 This also partially implements T921, T2195 (DoT without certificate check). Implementation details: - In 'dns/forwarding' configuration, 'name-server' now allows optional 'port' (defaults to 53). - Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional 'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used to avoid impacting other places where it is reused because not all of them honor ports (mostly VPN related). - The `host:port` entries to be used by PowerDNS recursor config are normalized eagerly at the point of loading VyOS `Config` instead of doing them lazily while rendering the Jinja2 template to keep the implementation less intrusive. The alternative would entail making quite a bit of change in how 'vyos-hostsd' processes 'static' 'name_servers' entries or persists their runtime states. --- interface-definitions/dns-forwarding.xml.in | 2 +- .../include/name-server-ipv4-ipv6-port.xml.i | 25 ++++++++++++++++++++++ src/conf_mode/dns_forwarding.py | 17 +++++++++++++-- 3 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 interface-definitions/include/name-server-ipv4-ipv6-port.xml.i (limited to 'src') diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index 371f198c6..b23eaa351 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -635,7 +635,7 @@ 1500 - #include + #include Local addresses from which to send DNS queries diff --git a/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i new file mode 100644 index 000000000..cf86e66a2 --- /dev/null +++ b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i @@ -0,0 +1,25 @@ + + + + Domain Name Servers (DNS) addresses + + ipv4 + Domain Name Server (DNS) IPv4 address + + + ipv6 + Domain Name Server (DNS) IPv6 address + + + + + + + + #include + + 53 + + + + diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py index d0d87d73e..4d6b85d92 100755 --- a/src/conf_mode/dns_forwarding.py +++ b/src/conf_mode/dns_forwarding.py @@ -24,7 +24,7 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.hostsd_client import Client as hostsd_client from vyos.template import render -from vyos.template import is_ipv6 +from vyos.template import bracketize_ipv6 from vyos.util import call from vyos.util import chown from vyos.util import dict_search @@ -58,8 +58,16 @@ def get_config(config=None): default_values = defaults(base) # T2665 due to how defaults under tag nodes work, we must clear these out before we merge del default_values['authoritative_domain'] + del default_values['name_server'] dns = dict_merge(default_values, dns) + # T2665: we cleared default values for tag node 'name_server' above. + # We now need to add them back back in a granular way. + if 'name_server' in dns: + default_values = defaults(base + ['name-server']) + for server in dns['name_server']: + dns['name_server'][server] = dict_merge(default_values, dns['name_server'][server]) + # some additions to the default dictionary if 'system' in dns: base_nameservers = ['system', 'name-server'] @@ -329,7 +337,12 @@ def apply(dns): # sources hc.delete_name_servers([hostsd_tag]) if 'name_server' in dns: - hc.add_name_servers({hostsd_tag: dns['name_server']}) + # 'name_server' is a dict of the form + # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] with IPv6 hosts bracketized + nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) + for (h, p) in dns['name_server'].items()] + hc.add_name_servers({hostsd_tag: nslist}) # delete all nameserver tags hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor()) -- cgit v1.2.3 From f8522f323ec26a2a1507a6026cbc939bb8960262 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Mon, 27 Mar 2023 12:03:58 -0500 Subject: openvpn: T5051: fix hyphen/underscore error in use of typing.Literal --- src/op_mode/openvpn.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/op_mode/openvpn.py b/src/op_mode/openvpn.py index 7ae49472e..37fdbcbeb 100755 --- a/src/op_mode/openvpn.py +++ b/src/op_mode/openvpn.py @@ -150,7 +150,8 @@ def _get_raw_data(mode: str) -> list: if not conf_dict: return data - interfaces = [x for x in list(conf_dict) if conf_dict[x]['mode'] == mode] + interfaces = [x for x in list(conf_dict) if + conf_dict[x]['mode'].replace('-', '_') == mode] for intf in interfaces: d = _get_interface_status(mode, intf) d['local_host'] = conf_dict[intf].get('local-host', '') -- cgit v1.2.3 From b5d940d9f279a8391c8d8c56cc86f4855c9d38b5 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 27 Mar 2023 22:45:02 +0200 Subject: bgp: T5114: support configuring TCP keepalive messages --- data/templates/frr/bgpd.frr.j2 | 3 ++ .../include/bgp/protocol-common-config.xml.i | 43 ++++++++++++++++++++++ smoketest/scripts/cli/test_protocols_bgp.py | 7 ++++ src/conf_mode/protocols_bgp.py | 5 +++ 4 files changed, 58 insertions(+) (limited to 'src') diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 346eb3996..b749be93f 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -553,6 +553,9 @@ bgp route-reflector allow-outbound-policy {% if parameters.suppress_fib_pending is vyos_defined %} bgp suppress-fib-pending {% endif %} +{% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %} + bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }} +{% endif %} {% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %} timers bgp {{ timers.keepalive }} {{ timers.holdtime }} {% endif %} diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 2bf2fdfc3..089c36ef3 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1481,6 +1481,49 @@ #include + + + TCP keepalive parameters + + + + + TCP keepalive idle time + + u32:1-65535 + Idle time in seconds + + + + + + + + + TCP keepalive interval + + u32:1-65535 + Interval in seconds + + + + + + + + + TCP keepalive maximum probes + + u32:1-30 + Maximum probes + + + + + + + + diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py index c366b4e89..f6eede87a 100755 --- a/smoketest/scripts/cli/test_protocols_bgp.py +++ b/smoketest/scripts/cli/test_protocols_bgp.py @@ -297,6 +297,9 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): max_path_v6ibgp = '16' cond_adv_timer = '30' min_hold_time = '2' + tcp_keepalive_idle = '66' + tcp_keepalive_interval = '77' + tcp_keepalive_probes = '22' self.cli_set(base_path + ['parameters', 'router-id', router_id]) self.cli_set(base_path + ['parameters', 'log-neighbor-changes']) @@ -327,6 +330,9 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['parameters', 'route-reflector-allow-outbound-policy']) self.cli_set(base_path + ['parameters', 'shutdown']) self.cli_set(base_path + ['parameters', 'suppress-fib-pending']) + self.cli_set(base_path + ['parameters', 'tcp-keepalive', 'idle', tcp_keepalive_idle]) + self.cli_set(base_path + ['parameters', 'tcp-keepalive', 'interval', tcp_keepalive_interval]) + self.cli_set(base_path + ['parameters', 'tcp-keepalive', 'probes', tcp_keepalive_probes]) # AFI maximum path support self.cli_set(base_path + ['address-family', 'ipv4-unicast', 'maximum-paths', 'ebgp', max_path_v4]) @@ -356,6 +362,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.assertIn(f' bgp route-reflector allow-outbound-policy', frrconfig) self.assertIn(f' bgp shutdown', frrconfig) self.assertIn(f' bgp suppress-fib-pending', frrconfig) + self.assertIn(f' bgp tcp-keepalive {tcp_keepalive_idle} {tcp_keepalive_interval} {tcp_keepalive_probes}', frrconfig) self.assertNotIn(f'bgp ebgp-requires-policy', frrconfig) self.assertIn(f' no bgp suppress-duplicates', frrconfig) diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index 4f05957fa..cf553f0e8 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py @@ -412,6 +412,11 @@ def verify(bgp): raise ConfigError('Missing mandatory configuration option for '\ f'global administrative distance {key}!') + # TCP keepalive requires all three parameters to be set + if dict_search('parameters.tcp_keepalive', bgp) != None: + if not {'idle', 'interval', 'probes'} <= set(bgp['parameters']['tcp_keepalive']): + raise ConfigError('TCP keepalive incomplete - idle, keepalive and probes must be set') + # Address Family specific validation if 'address_family' in bgp: for afi, afi_config in bgp['address_family'].items(): -- cgit v1.2.3 From 2bb5c5d0fd9ed07649b81a61e9c1a78a9f222405 Mon Sep 17 00:00:00 2001 From: Indrajit Raychaudhuri Date: Mon, 27 Mar 2023 03:56:13 -0500 Subject: dns: T5115: Support custom port for name servers for forwarding zones. This would allow using custom ports in name server operating on non- default port for forwarding zones. This is a follow-up to T5113 for sake of completeness and having consistent treatment of all name servers configured in PowerDNS recursor. Additionally, migrate `service dns forwarding domain example.com server` to `service dns forwarding domain foo3.com name-server` for consistency and reusability. --- .../dns-forwarding/recursor.forward-zones.conf.j2 | 3 +- interface-definitions/dns-forwarding.xml.in | 19 +-------- .../include/name-server-ipv4-ipv6-port.xml.i | 2 +- .../scripts/cli/test_service_dns_forwarding.py | 13 ++++-- src/conf_mode/dns_forwarding.py | 25 +++++++++-- src/migration-scripts/dns-forwarding/3-to-4 | 49 ++++++++++++++++++++++ src/services/vyos-hostsd | 2 +- 7 files changed, 83 insertions(+), 30 deletions(-) create mode 100755 src/migration-scripts/dns-forwarding/3-to-4 (limited to 'src') diff --git a/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 index de3269e47..593a98c24 100644 --- a/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 +++ b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 @@ -23,7 +23,6 @@ {% if forward_zones is vyos_defined %} # zones added via 'service dns forwarding domain' {% for zone, zonedata in forward_zones.items() %} -{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.server | join(', ') }} +{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.name_server | join(', ') }} {% endfor %} {% endif %} - diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index b23eaa351..14b38b24d 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -85,24 +85,7 @@ Domain to forward to a custom DNS server - - - Domain Name Server (DNS) to forward queries to - - ipv4 - Domain Name Server (DNS) IPv4 address - - - ipv6 - Domain Name Server (DNS) IPv6 address - - - - - - - - + #include Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC) diff --git a/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i index cf86e66a2..fb0a4f4ae 100644 --- a/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i +++ b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i @@ -1,7 +1,7 @@ - Domain Name Servers (DNS) addresses + Domain Name Servers (DNS) addresses to forward queries to ipv4 Domain Name Server (DNS) IPv4 address diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py index 04dced292..88492e348 100755 --- a/smoketest/scripts/cli/test_service_dns_forwarding.py +++ b/smoketest/scripts/cli/test_service_dns_forwarding.py @@ -169,10 +169,13 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['listen-address', address]) domains = ['vyos.io', 'vyos.net', 'vyos.com'] - nameservers = ['192.0.2.1', '192.0.2.2'] + nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}} for domain in domains: - for nameserver in nameservers: - self.cli_set(base_path + ['domain', domain, 'server', nameserver]) + for h,p in nameservers.items(): + if 'port' in p: + self.cli_set(base_path + ['domain', domain, 'name-server', h, 'port', p['port']]) + else: + self.cli_set(base_path + ['domain', domain, 'name-server', h]) # Test 'recursion-desired' flag for only one domain if domain == domains[0]: @@ -192,7 +195,9 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase): if domain == domains[0]: key =f'\+{domain}' else: key =f'{domain}' tmp = get_config_value(key, file=FORWARD_FILE) - self.assertEqual(tmp, ', '.join(nameservers)) + canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p) + for (h, p) in nameservers.items()] + self.assertEqual(tmp, ', '.join(canonical_entries)) # Test 'negative trust anchor' flag for the second domain only if domain == domains[1]: diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py index 4d6b85d92..36c1098fe 100755 --- a/src/conf_mode/dns_forwarding.py +++ b/src/conf_mode/dns_forwarding.py @@ -59,6 +59,7 @@ def get_config(config=None): # T2665 due to how defaults under tag nodes work, we must clear these out before we merge del default_values['authoritative_domain'] del default_values['name_server'] + del default_values['domain']['name_server'] dns = dict_merge(default_values, dns) # T2665: we cleared default values for tag node 'name_server' above. @@ -68,6 +69,15 @@ def get_config(config=None): for server in dns['name_server']: dns['name_server'][server] = dict_merge(default_values, dns['name_server'][server]) + # T2665: we cleared default values for tag node 'domain' above. + # We now need to add them back back in a granular way. + if 'domain' in dns: + default_values = defaults(base + ['domain', 'name-server']) + for domain in dns['domain'].keys(): + for server in dns['domain'][domain]['name_server']: + dns['domain'][domain]['name_server'][server] = dict_merge( + default_values, dns['domain'][domain]['name_server'][server]) + # some additions to the default dictionary if 'system' in dns: base_nameservers = ['system', 'name-server'] @@ -271,7 +281,7 @@ def verify(dns): # as a domain will contains dot's which is out dictionary delimiter. if 'domain' in dns: for domain in dns['domain']: - if 'server' not in dns['domain'][domain]: + if 'name_server' not in dns['domain'][domain]: raise ConfigError(f'No server configured for domain {domain}!') if 'dns64_prefix' in dns: @@ -337,9 +347,9 @@ def apply(dns): # sources hc.delete_name_servers([hostsd_tag]) if 'name_server' in dns: - # 'name_server' is a dict of the form + # 'name_server' is of the form # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} - # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] with IPv6 hosts bracketized + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) for (h, p) in dns['name_server'].items()] hc.add_name_servers({hostsd_tag: nslist}) @@ -371,7 +381,14 @@ def apply(dns): # the list and keys() are required as get returns a dict, not list hc.delete_forward_zones(list(hc.get_forward_zones().keys())) if 'domain' in dns: - hc.add_forward_zones(dns['domain']) + zones = dns['domain'] + for domain in zones.keys(): + # 'name_server' is of the form + # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] + zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) + for (h, p) in zones[domain]['name_server'].items()] + hc.add_forward_zones(zones) # hostsd generates NTAs for the authoritative zones # the list and keys() are required as get returns a dict, not list diff --git a/src/migration-scripts/dns-forwarding/3-to-4 b/src/migration-scripts/dns-forwarding/3-to-4 new file mode 100755 index 000000000..55165c2c5 --- /dev/null +++ b/src/migration-scripts/dns-forwarding/3-to-4 @@ -0,0 +1,49 @@ +#!/usr/bin/env python3 + +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# T5115: migrate "service dns forwarding domain example.com server" to +# "service dns forwarding domain example.com name-server" + +import sys +from vyos.configtree import ConfigTree + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +base = ['service', 'dns', 'forwarding', 'domain'] +if not config.exists(base): + # Nothing to do + sys.exit(0) + +for domain in config.list_nodes(base): + if config.exists(base + [domain, 'server']): + config.copy(base + [domain, 'server'], base + [domain, 'name-server']) + config.delete(base + [domain, 'server']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/services/vyos-hostsd b/src/services/vyos-hostsd index a380f2e66..894f9e24d 100755 --- a/src/services/vyos-hostsd +++ b/src/services/vyos-hostsd @@ -329,7 +329,7 @@ tag_regex_schema = op_type_schema.extend({ forward_zone_add_schema = op_type_schema.extend({ 'data': { str: { - 'server': [str], + 'name_server': [str], 'addnta': Any({}, None), 'recursion_desired': Any({}, None), } -- cgit v1.2.3 From 9964b04e0aba8b8e50509faa9aef5ce079a8733b Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Tue, 28 Mar 2023 13:53:55 -0500 Subject: interfaces: T4885: add clear/reset_counters to op-mode script --- src/op_mode/interfaces.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src') diff --git a/src/op_mode/interfaces.py b/src/op_mode/interfaces.py index 7d04ec4e3..dd87b5901 100755 --- a/src/op_mode/interfaces.py +++ b/src/op_mode/interfaces.py @@ -406,6 +406,18 @@ def show_counters(raw: bool, intf_name: typing.Optional[str], return data return _format_show_counters(data) +def clear_counters(intf_name: typing.Optional[str], + intf_type: typing.Optional[str], + vif: bool, vrrp: bool): + for interface in filtered_interfaces(intf_name, intf_type, vif, vrrp): + interface.operational.clear_counters() + +def reset_counters(intf_name: typing.Optional[str], + intf_type: typing.Optional[str], + vif: bool, vrrp: bool): + for interface in filtered_interfaces(intf_name, intf_type, vif, vrrp): + interface.operational.reset_counters() + if __name__ == '__main__': try: res = vyos.opmode.run(sys.modules[__name__]) -- cgit v1.2.3 From 4a58a27adad59f19c7d14d0b9753259baed011f4 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 28 Mar 2023 21:34:15 +0200 Subject: container: T2216: explicitly select CNI network backend As podman is going to use netavark as new default we must explicitly select the old driver until we have migrated to netavark. --- data/templates/container/containers.conf.j2 | 709 ++++++++++++++++++++++++++++ src/conf_mode/container.py | 17 +- 2 files changed, 718 insertions(+), 8 deletions(-) create mode 100644 data/templates/container/containers.conf.j2 (limited to 'src') diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2 new file mode 100644 index 000000000..9f66aed27 --- /dev/null +++ b/data/templates/container/containers.conf.j2 @@ -0,0 +1,709 @@ +### Autogenerated by container.py ### + +# The containers configuration file specifies all of the available configuration +# command-line options/flags for container engine tools like Podman & Buildah, +# but in a TOML format that can be easily modified and versioned. + +# Please refer to containers.conf(5) for details of all configuration options. +# Not all container engines implement all of the options. +# All of the options have hard coded defaults and these options will override +# the built in defaults. Users can then override these options via the command +# line. Container engines will read containers.conf files in up to three +# locations in the following order: +# 1. /usr/share/containers/containers.conf +# 2. /etc/containers/containers.conf +# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY) +# Items specified in the latter containers.conf, if they exist, override the +# previous containers.conf settings, or the default settings. + +[containers] + +# List of annotation. Specified as +# "key = value" +# If it is empty or commented out, no annotations will be added +# +#annotations = [] + +# Used to change the name of the default AppArmor profile of container engine. +# +#apparmor_profile = "container-default" + +# The hosts entries from the base hosts file are added to the containers hosts +# file. This must be either an absolute path or as special values "image" which +# uses the hosts file from the container image or "none" which means +# no base hosts file is used. The default is "" which will use /etc/hosts. +# +#base_hosts_file = "" + +# Default way to to create a cgroup namespace for the container +# Options are: +# `private` Create private Cgroup Namespace for the container. +# `host` Share host Cgroup Namespace with the container. +# +#cgroupns = "private" + +# Control container cgroup configuration +# Determines whether the container will create CGroups. +# Options are: +# `enabled` Enable cgroup support within container +# `disabled` Disable cgroup support, will inherit cgroups from parent +# `no-conmon` Do not create a cgroup dedicated to conmon. +# +#cgroups = "enabled" + +# List of default capabilities for containers. If it is empty or commented out, +# the default capabilities defined in the container engine will be added. +# +default_capabilities = [ + "CHOWN", + "DAC_OVERRIDE", + "FOWNER", + "FSETID", + "KILL", + "NET_BIND_SERVICE", + "SETFCAP", + "SETGID", + "SETPCAP", + "SETUID", + "SYS_CHROOT" +] + +# A list of sysctls to be set in containers by default, +# specified as "name=value", +# for example:"net.ipv4.ping_group_range=0 0". +# +default_sysctls = [ + "net.ipv4.ping_group_range=0 0", +] + +# A list of ulimits to be set in containers by default, specified as +# "=:", for example: +# "nofile=1024:2048" +# See setrlimit(2) for a list of resource names. +# Any limit not specified here will be inherited from the process launching the +# container engine. +# Ulimits has limits for non privileged container engines. +# +#default_ulimits = [ +# "nofile=1280:2560", +#] + +# List of devices. Specified as +# "::", for example: +# "/dev/sdc:/dev/xvdc:rwm". +# If it is empty or commented out, only the default devices will be used +# +#devices = [] + +# List of default DNS options to be added to /etc/resolv.conf inside of the container. +# +#dns_options = [] + +# List of default DNS search domains to be added to /etc/resolv.conf inside of the container. +# +#dns_searches = [] + +# Set default DNS servers. +# This option can be used to override the DNS configuration passed to the +# container. The special value "none" can be specified to disable creation of +# /etc/resolv.conf in the container. +# The /etc/resolv.conf file in the image will be used without changes. +# +#dns_servers = [] + +# Environment variable list for the conmon process; used for passing necessary +# environment variables to conmon or the runtime. +# +#env = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +# "TERM=xterm", +#] + +# Pass all host environment variables into the container. +# +#env_host = false + +# Set the ip for the host.containers.internal entry in the containers /etc/hosts +# file. This can be set to "none" to disable adding this entry. By default it +# will automatically choose the host ip. +# +# NOTE: When using podman machine this entry will never be added to the containers +# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore +# it is not possible to disable the entry in this case. +# +#host_containers_internal_ip = "" + +# Default proxy environment variables passed into the container. +# The environment variables passed in include: +# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of +# these. This option is needed when host system uses a proxy but container +# should not use proxy. Proxy environment variables specified for the container +# in any other way will override the values passed from the host. +# +#http_proxy = true + +# Run an init inside the container that forwards signals and reaps processes. +# +#init = false + +# Container init binary, if init=true, this is the init binary to be used for containers. +# +#init_path = "/usr/libexec/podman/catatonit" + +# Default way to to create an IPC namespace (POSIX SysV IPC) for the container +# Options are: +# "host" Share host IPC Namespace with the container. +# "none" Create shareable IPC Namespace for the container without a private /dev/shm. +# "private" Create private IPC Namespace for the container, other containers are not allowed to share it. +# "shareable" Create shareable IPC Namespace for the container. +# +#ipcns = "shareable" + +# keyring tells the container engine whether to create +# a kernel keyring for use within the container. +# +#keyring = true + +# label tells the container engine whether to use container separation using +# MAC(SELinux) labeling or not. +# The label flag is ignored on label disabled systems. +# +#label = true + +# Logging driver for the container. Available options: k8s-file and journald. +# +#log_driver = "k8s-file" + +# Maximum size allowed for the container log file. Negative numbers indicate +# that no size limit is imposed. If positive, it must be >= 8192 to match or +# exceed conmon's read buffer. The file is truncated and re-opened so the +# limit is never exceeded. +# +#log_size_max = -1 + +# Specifies default format tag for container log messages. +# This is useful for creating a specific tag for container log messages. +# Containers logs default to truncated container ID as a tag. +# +#log_tag = "" + +# Default way to to create a Network namespace for the container +# Options are: +# `private` Create private Network Namespace for the container. +# `host` Share host Network Namespace with the container. +# `none` Containers do not use the network +# +#netns = "private" + +# Create /etc/hosts for the container. By default, container engine manage +# /etc/hosts, automatically adding the container's own IP address. +# +#no_hosts = false + +# Default way to to create a PID namespace for the container +# Options are: +# `private` Create private PID Namespace for the container. +# `host` Share host PID Namespace with the container. +# +#pidns = "private" + +# Maximum number of processes allowed in a container. +# +#pids_limit = 2048 + +# Copy the content from the underlying image into the newly created volume +# when the container is created instead of when it is started. If false, +# the container engine will not copy the content until the container is started. +# Setting it to true may have negative performance implications. +# +#prepare_volume_on_create = false + +# Path to the seccomp.json profile which is used as the default seccomp profile +# for the runtime. +# +#seccomp_profile = "/usr/share/containers/seccomp.json" + +# Size of /dev/shm. Specified as . +# Unit is optional, values: +# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). +# If the unit is omitted, the system uses bytes. +# +#shm_size = "65536k" + +# Set timezone in container. Takes IANA timezones as well as "local", +# which sets the timezone in the container to match the host machine. +# +#tz = "" + +# Set umask inside the container +# +#umask = "0022" + +# Default way to to create a User namespace for the container +# Options are: +# `auto` Create unique User Namespace for the container. +# `host` Share host User Namespace with the container. +# +#userns = "host" + +# Number of UIDs to allocate for the automatic container creation. +# UIDs are allocated from the "container" UIDs listed in +# /etc/subuid & /etc/subgid +# +#userns_size = 65536 + +# Default way to to create a UTS namespace for the container +# Options are: +# `private` Create private UTS Namespace for the container. +# `host` Share host UTS Namespace with the container. +# +#utsns = "private" + +# List of volumes. Specified as +# "::", for example: +# "/db:/var/lib/db:ro". +# If it is empty or commented out, no volumes will be added +# +#volumes = [] + +[secrets] +#driver = "file" + +[secrets.opts] +#root = "/example/directory" + +[network] + +# Network backend determines what network driver will be used to set up and tear down container networks. +# Valid values are "cni" and "netavark". +# The default value is empty which means that it will automatically choose CNI or netavark. If there are +# already containers/images or CNI networks preset it will choose CNI. +# +# Before changing this value all containers must be stopped otherwise it is likely that +# iptables rules and network interfaces might leak on the host. A reboot will fix this. +# +network_backend = "cni" + +# Path to directory where CNI plugin binaries are located. +# +#cni_plugin_dirs = [ +# "/usr/local/libexec/cni", +# "/usr/libexec/cni", +# "/usr/local/lib/cni", +# "/usr/lib/cni", +# "/opt/cni/bin", +#] + +# The network name of the default network to attach pods to. +# +#default_network = "podman" + +# The default subnet for the default network given in default_network. +# If a network with that name does not exist, a new network using that name and +# this subnet will be created. +# Must be a valid IPv4 CIDR prefix. +# +#default_subnet = "10.88.0.0/16" + +# DefaultSubnetPools is a list of subnets and size which are used to +# allocate subnets automatically for podman network create. +# It will iterate through the list and will pick the first free subnet +# with the given size. This is only used for ipv4 subnets, ipv6 subnets +# are always assigned randomly. +# +#default_subnet_pools = [ +# {"base" = "10.89.0.0/16", "size" = 24}, +# {"base" = "10.90.0.0/15", "size" = 24}, +# {"base" = "10.92.0.0/14", "size" = 24}, +# {"base" = "10.96.0.0/11", "size" = 24}, +# {"base" = "10.128.0.0/9", "size" = 24}, +#] + +# Path to the directory where network configuration files are located. +# For the CNI backend the default is "/etc/cni/net.d" as root +# and "$HOME/.config/cni/net.d" as rootless. +# For the netavark backend "/etc/containers/networks" is used as root +# and "$graphroot/networks" as rootless. +# +#network_config_dir = "/etc/cni/net.d/" + +# Port to use for dns forwarding daemon with netavark in rootful bridge +# mode and dns enabled. +# Using an alternate port might be useful if other dns services should +# run on the machine. +# +#dns_bind_port = 53 + +[engine] +# Index to the active service +# +#active_service = production + +# The compression format to use when pushing an image. +# Valid options are: `gzip`, `zstd` and `zstd:chunked`. +# +#compression_format = "gzip" + + +# Cgroup management implementation used for the runtime. +# Valid options "systemd" or "cgroupfs" +# +#cgroup_manager = "systemd" + +# Environment variables to pass into conmon +# +#conmon_env_vars = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +#] + +# Paths to look for the conmon container manager binary +# +#conmon_path = [ +# "/usr/libexec/podman/conmon", +# "/usr/local/libexec/podman/conmon", +# "/usr/local/lib/podman/conmon", +# "/usr/bin/conmon", +# "/usr/sbin/conmon", +# "/usr/local/bin/conmon", +# "/usr/local/sbin/conmon" +#] + +# Enforces using docker.io for completing short names in Podman's compatibility +# REST API. Note that this will ignore unqualified-search-registries and +# short-name aliases defined in containers-registries.conf(5). +#compat_api_enforce_docker_hub = true + +# Specify the keys sequence used to detach a container. +# Format is a single character [a-Z] or a comma separated sequence of +# `ctrl-`, where `` is one of: +# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_` +# +#detach_keys = "ctrl-p,ctrl-q" + +# Determines whether engine will reserve ports on the host when they are +# forwarded to containers. When enabled, when ports are forwarded to containers, +# ports are held open by as long as the container is running, ensuring that +# they cannot be reused by other programs on the host. However, this can cause +# significant memory usage if a container has many ports forwarded to it. +# Disabling this can save memory. +# +#enable_port_reservation = true + +# Environment variables to be used when running the container engine (e.g., Podman, Buildah). +# For example "http_proxy=internal.proxy.company.com". +# Note these environment variables will not be used within the container. +# Set the env section under [containers] table, if you want to set environment variables for the container. +# +#env = [] + +# Define where event logs will be stored, when events_logger is "file". +#events_logfile_path="" + +# Sets the maximum size for events_logfile_path. +# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). +# The format for the size is ``, e.g., `1b` or `3g`. +# If no unit is included then the size will be read in bytes. +# When the limit is exceeded, the logfile will be rotated and the old one will be deleted. +# If the maximum size is set to 0, then no limit will be applied, +# and the logfile will not be rotated. +#events_logfile_max_size = "1m" + +# Selects which logging mechanism to use for container engine events. +# Valid values are `journald`, `file` and `none`. +# +#events_logger = "journald" + +# A is a list of directories which are used to search for helper binaries. +# +#helper_binaries_dir = [ +# "/usr/local/libexec/podman", +# "/usr/local/lib/podman", +# "/usr/libexec/podman", +# "/usr/lib/podman", +#] + +# Path to OCI hooks directories for automatically executed hooks. +# +#hooks_dir = [ +# "/usr/share/containers/oci/hooks.d", +#] + +# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +# container images. By default image pulled and pushed match the format of the +# source image. Building/committing defaults to OCI. +# +#image_default_format = "" + +# Default transport method for pulling and pushing for images +# +#image_default_transport = "docker://" + +# Maximum number of image layers to be copied (pulled/pushed) simultaneously. +# Not setting this field, or setting it to zero, will fall back to containers/image defaults. +# +#image_parallel_copies = 0 + +# Tells container engines how to handle the builtin image volumes. +# * bind: An anonymous named volume will be created and mounted +# into the container. +# * tmpfs: The volume is mounted onto the container as a tmpfs, +# which allows users to create content that disappears when +# the container is stopped. +# * ignore: All volumes are just ignored and no action is taken. +# +#image_volume_mode = "" + +# Default command to run the infra container +# +#infra_command = "/pause" + +# Infra (pause) container image name for pod infra containers. When running a +# pod, we start a `pause` process in a container to hold open the namespaces +# associated with the pod. This container does nothing other then sleep, +# reserving the pods resources for the lifetime of the pod. By default container +# engines run a builtin container using the pause executable. If you want override +# specify an image to pull. +# +#infra_image = "" + +# Specify the locking mechanism to use; valid values are "shm" and "file". +# Change the default only if you are sure of what you are doing, in general +# "file" is useful only on platforms where cgo is not available for using the +# faster "shm" lock type. You may need to run "podman system renumber" after +# you change the lock type. +# +#lock_type** = "shm" + +# MultiImageArchive - if true, the container engine allows for storing archives +# (e.g., of the docker-archive transport) with multiple images. By default, +# Podman creates single-image archives. +# +#multi_image_archive = "false" + +# Default engine namespace +# If engine is joined to a namespace, it will see only containers and pods +# that were created in the same namespace, and will create new containers and +# pods in that namespace. +# The default namespace is "", which corresponds to no namespace. When no +# namespace is set, all containers and pods are visible. +# +#namespace = "" + +# Path to the slirp4netns binary +# +#network_cmd_path = "" + +# Default options to pass to the slirp4netns binary. +# Valid options values are: +# +# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). +# Default is false. +# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`). +# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`). +# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`). +# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only). +# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to. +# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only). +# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to. +# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. +# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container +# network namespace, usually `10.0.2.100`. If your application requires the real source IP address, +# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for +# rootless containers when connected to user-defined networks. +# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but +# preserves the correct source IP address. This port handler cannot be used for user-defined networks. +# +#network_cmd_options = [] + +# Whether to use chroot instead of pivot_root in the runtime +# +#no_pivot_root = false + +# Number of locks available for containers and pods. +# If this is changed, a lock renumber must be performed (e.g. with the +# 'podman system renumber' command). +# +#num_locks = 2048 + +# Set the exit policy of the pod when the last container exits. +#pod_exit_policy = "continue" + +# Whether to pull new image before running a container +# +#pull_policy = "missing" + +# Indicates whether the application should be running in remote mode. This flag modifies the +# --remote option on container engines. Setting the flag to true will default +# `podman --remote=true` for access to the remote Podman service. +# +#remote = false + +# Default OCI runtime +# +#runtime = "crun" + +# List of the OCI runtimes that support --format=json. When json is supported +# engine will use it for reporting nicer errors. +# +#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"] + +# List of the OCI runtimes that supports running containers with KVM Separation. +# +#runtime_supports_kvm = ["kata", "krun"] + +# List of the OCI runtimes that supports running containers without cgroups. +# +#runtime_supports_nocgroups = ["crun", "krun"] + +# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment +# variable. If you specify "storage", then the location of the +# container/storage tmp directory will be used. +# image_copy_tmp_dir="/var/tmp" + +# Number of seconds to wait without a connection +# before the `podman system service` times out and exits +# +#service_timeout = 5 + +# Directory for persistent engine files (database, etc) +# By default, this will be configured relative to where the containers/storage +# stores containers +# Uncomment to change location from this default +# +#static_dir = "/var/lib/containers/storage/libpod" + +# Number of seconds to wait for container to exit before sending kill signal. +# +#stop_timeout = 10 + +# Number of seconds to wait before exit command in API process is given to. +# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds). +# +#exit_command_delay = 300 + +# map of service destinations +# +#[service_destinations] +# [service_destinations.production] +# URI to access the Podman service +# Examples: +# rootless "unix://run/user/$UID/podman/podman.sock" (Default) +# rootful "unix://run/podman/podman.sock (Default) +# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock +# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock +# +# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock" +# Path to file containing ssh identity key +# identity = "~/.ssh/id_rsa" + +# Directory for temporary files. Must be tmpfs (wiped after reboot) +# +#tmp_dir = "/run/libpod" + +# Directory for libpod named volumes. +# By default, this will be configured relative to where containers/storage +# stores containers. +# Uncomment to change location from this default. +# +#volume_path = "/var/lib/containers/storage/volumes" + +# Default timeout (in seconds) for volume plugin operations. +# Plugins are external programs accessed via a REST API; this sets a timeout +# for requests to that API. +# A value of 0 is treated as no timeout. +#volume_plugin_timeout = 5 + +# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) +[engine.runtimes] +#crun = [ +# "/usr/bin/crun", +# "/usr/sbin/crun", +# "/usr/local/bin/crun", +# "/usr/local/sbin/crun", +# "/sbin/crun", +# "/bin/crun", +# "/run/current-system/sw/bin/crun", +#] + +#kata = [ +# "/usr/bin/kata-runtime", +# "/usr/sbin/kata-runtime", +# "/usr/local/bin/kata-runtime", +# "/usr/local/sbin/kata-runtime", +# "/sbin/kata-runtime", +# "/bin/kata-runtime", +# "/usr/bin/kata-qemu", +# "/usr/bin/kata-fc", +#] + +#runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +#] + +#runsc = [ +# "/usr/bin/runsc", +# "/usr/sbin/runsc", +# "/usr/local/bin/runsc", +# "/usr/local/sbin/runsc", +# "/bin/runsc", +# "/sbin/runsc", +# "/run/current-system/sw/bin/runsc", +#] + +#krun = [ +# "/usr/bin/krun", +# "/usr/local/bin/krun", +#] + +[engine.volume_plugins] +#testplugin = "/run/podman/plugins/test.sock" + +[machine] +# Number of CPU's a machine is created with. +# +#cpus=1 + +# The size of the disk in GB created when init-ing a podman-machine VM. +# +#disk_size=10 + +# Default image URI when creating a new VM using `podman machine init`. +# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major +# version of the OS (e.g `36`) for Fedora 36. For all platforms you can +# alternatively specify a custom download URL to an image. Container engines +# translate URIs $OS and $ARCH to the native OS and ARCH. URI +# "https://example.com/$OS/$ARCH/foobar.ami" becomes +# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. +# The default value is `testing`. +# +# image = "testing" + +# Memory in MB a machine is created with. +# +#memory=2048 + +# The username to use and create on the podman machine OS for rootless +# container access. +# +#user = "core" + +# Host directories to be mounted as volumes into the VM by default. +# Environment variables like $HOME as well as complete paths are supported for +# the source and destination. An optional third field `:ro` can be used to +# tell the container engines to mount the volume readonly. +# +# volumes = [ +# "$HOME:$HOME", +#] + +# The [machine] table MUST be the last entry in this file. +# (Unless another table is added) +# TOML does not provide a way to end a table other than a further table being +# defined, so every key hereafter will be part of [machine] and not the +# main config. diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 68070ea5b..44c9b74da 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -38,8 +38,9 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -config_containers_registry = '/etc/containers/registries.conf' -config_containers_storage = '/etc/containers/storage.conf' +config_containers = '/etc/containers/containers.conf' +config_registry = '/etc/containers/registries.conf' +config_storage = '/etc/containers/storage.conf' systemd_unit_path = '/run/systemd/system' def _cmd(command): @@ -335,10 +336,9 @@ def generate_run_arguments(name, container_config): def generate(container): # bail out early - looks like removal from running config if not container: - if os.path.exists(config_containers_registry): - os.unlink(config_containers_registry) - if os.path.exists(config_containers_storage): - os.unlink(config_containers_storage) + for file in [config_containers, config_registry, config_storage]: + if os.path.exists(file): + os.unlink(file) return None if 'network' in container: @@ -390,8 +390,9 @@ def generate(container): if rc != 0: raise ConfigError(out) - render(config_containers_registry, 'container/registries.conf.j2', container) - render(config_containers_storage, 'container/storage.conf.j2', container) + render(config_containers, 'container/containers.conf.j2', container) + render(config_registry, 'container/registries.conf.j2', container) + render(config_storage, 'container/storage.conf.j2', container) if 'name' in container: for name, container_config in container['name'].items(): -- cgit v1.2.3 From 52e51ffbb84996aee9d5b94eebf64589ead31225 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 28 Mar 2023 21:53:07 +0200 Subject: container: T5047: restart only containers that changed By default VyOS used to restart all containers it managed. This makes no sense as it will be service disrupting. Instead only restart the containers that had changes on the CLI beeing made. --- src/conf_mode/container.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 44c9b74da..bf83416b2 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -24,8 +24,10 @@ from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed +from vyos.configdict import is_node_changed from vyos.util import call from vyos.util import cmd +from vyos.util import dict_search from vyos.util import run from vyos.util import rc_cmd from vyos.util import write_file @@ -84,6 +86,15 @@ def get_config(config=None): for name in container['name']: container['name'][name] = dict_merge(default_values, container['name'][name]) + # T5047: Any container related configuration changed? We only + # wan't to restart the required containers and not all of them ... + tmp = is_node_changed(conf, base + ['name', name]) + if tmp: + if 'container_restart' not in container: + container['container_restart'] = [name] + else: + container['container_restart'].append(name) + # XXX: T2665: we can not safely rely on the defaults() when there are # tagNodes in place, it is better to blend in the defaults manually. if 'port' in container['name'][name]: @@ -448,7 +459,8 @@ def apply(container): os.unlink(file_path) continue - cmd(f'systemctl restart vyos-container-{name}.service') + if name in dict_search('container_restart', container): + cmd(f'systemctl restart vyos-container-{name}.service') if disabled_new: call('systemctl daemon-reload') -- cgit v1.2.3 From b9ab6ab5987edf34fb79d5f0fafee381103f69d7 Mon Sep 17 00:00:00 2001 From: Indrajit Raychaudhuri Date: Tue, 28 Mar 2023 17:48:37 -0500 Subject: ntp: T5118: Remove vestigial ntp completion script This isn't used anymore after migration from ntpd to chrony as part of T3008. --- src/completion/list_ntp_servers.sh | 4 ---- 1 file changed, 4 deletions(-) delete mode 100755 src/completion/list_ntp_servers.sh (limited to 'src') diff --git a/src/completion/list_ntp_servers.sh b/src/completion/list_ntp_servers.sh deleted file mode 100755 index d0977fbd6..000000000 --- a/src/completion/list_ntp_servers.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -# Completion script used to select specific NTP server -/bin/cli-shell-api -- listEffectiveNodes system ntp server | sed "s/'//g" -- cgit v1.2.3 From 4a44d8bbd328b99582d8079fd086a7239bfc2121 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 29 Mar 2023 07:56:36 +0200 Subject: frr: T5045: remove LimitNOFILESoft Commit cb872efb ("frr: T5045: lift LimitNOFILE 1024 -> 4096") added both LimitNOFILE and LimitNOFILESoft parameters for FRR, as "systemctl cat frr.service" showed both versions. During daemon startup systemd complains: Unknown key name 'LimitNOFILESoft' in section 'Service', ignoring. So the key got removed again. --- src/etc/systemd/system/frr.service.d/override.conf | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/etc/systemd/system/frr.service.d/override.conf b/src/etc/systemd/system/frr.service.d/override.conf index 2e2f67f70..2e4b6e295 100644 --- a/src/etc/systemd/system/frr.service.d/override.conf +++ b/src/etc/systemd/system/frr.service.d/override.conf @@ -4,7 +4,6 @@ Before=vyos-router.service [Service] LimitNOFILE=4096 -LimitNOFILESoft=4096 ExecStartPre=/bin/bash -c 'mkdir -p /run/frr/config; \ echo "log syslog" > /run/frr/config/frr.conf; \ echo "log facility local7" >> /run/frr/config/frr.conf; \ -- cgit v1.2.3 From c57494027bd3b5865634c62ccd97f44e1d75c546 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 29 Mar 2023 09:27:16 -0500 Subject: configtree: T5089: sorting of nodes is now implemented on parsing config --- src/tests/test_config_parser.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/tests/test_config_parser.py b/src/tests/test_config_parser.py index 6e0a071f8..8148aa79b 100644 --- a/src/tests/test_config_parser.py +++ b/src/tests/test_config_parser.py @@ -34,8 +34,8 @@ class TestConfigParser(TestCase): def test_top_level_tag(self): self.assertTrue(self.config.exists(["top-level-tag-node"])) - # No sorting is intentional, child order must be preserved - self.assertEqual(self.config.list_nodes(["top-level-tag-node"]), ["foo", "bar"]) + # Sorting is now intentional, during parsing of config + self.assertEqual(self.config.list_nodes(["top-level-tag-node"]), ["bar", "foo"]) def test_copy(self): self.config.copy(["top-level-tag-node", "bar"], ["top-level-tag-node", "baz"]) -- cgit v1.2.3 From dccc689e0e666787834f45e6ab6bd972fddabf95 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Mon, 20 Mar 2023 11:50:14 -0500 Subject: configdiff: T5089: add unit test --- src/tests/test_config_diff.py | 70 +++++++++++++++++++++++++++++++++++++++++++ tests/data/config.left | 36 ++++++++++++++++++++++ tests/data/config.right | 25 ++++++++++++++++ 3 files changed, 131 insertions(+) create mode 100644 src/tests/test_config_diff.py create mode 100644 tests/data/config.left create mode 100644 tests/data/config.right (limited to 'src') diff --git a/src/tests/test_config_diff.py b/src/tests/test_config_diff.py new file mode 100644 index 000000000..f61cbc4a2 --- /dev/null +++ b/src/tests/test_config_diff.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import vyos.configtree + +from unittest import TestCase + +class TestConfigDiff(TestCase): + def setUp(self): + with open('tests/data/config.left', 'r') as f: + config_string = f.read() + self.config_left = vyos.configtree.ConfigTree(config_string) + + with open('tests/data/config.right', 'r') as f: + config_string = f.read() + self.config_right = vyos.configtree.ConfigTree(config_string) + + self.config_null = vyos.configtree.ConfigTree('') + + def test_unit(self): + diff = vyos.configtree.DiffTree(self.config_left, self.config_null) + sub = diff.sub + self.assertEqual(sub.to_string(), self.config_left.to_string()) + + diff = vyos.configtree.DiffTree(self.config_null, self.config_left) + add = diff.add + self.assertEqual(add.to_string(), self.config_left.to_string()) + + def test_symmetry(self): + lr_diff = vyos.configtree.DiffTree(self.config_left, + self.config_right) + rl_diff = vyos.configtree.DiffTree(self.config_right, + self.config_left) + + sub = lr_diff.sub + add = rl_diff.add + self.assertEqual(sub.to_string(), add.to_string()) + add = lr_diff.add + sub = rl_diff.sub + self.assertEqual(add.to_string(), sub.to_string()) + + def test_identity(self): + lr_diff = vyos.configtree.DiffTree(self.config_left, + self.config_right) + + sub = lr_diff.sub + inter = lr_diff.inter + add = lr_diff.add + + r_union = vyos.configtree.union(add, inter) + l_union = vyos.configtree.union(sub, inter) + + self.assertEqual(r_union.to_string(), + self.config_right.to_string(ordered_values=True)) + self.assertEqual(l_union.to_string(), + self.config_left.to_string(ordered_values=True)) diff --git a/tests/data/config.left b/tests/data/config.left new file mode 100644 index 000000000..e57c40396 --- /dev/null +++ b/tests/data/config.left @@ -0,0 +1,36 @@ +node1 { + tag_node foo { + valueless + multi_node 'v2' + multi_node 'v1' + single 'left_val' + } + tag_node bar { + node { + single 'v0' + } + } + tag_node other { + leaf 'leaf_l' + } +} + +node3 { +} + +node2 { + sub_node_other { + single 'val' + } + sub_node { + tag_node other { + single 'val' + } + tag_node bob { + valued 'baz' + } + tag_node duff { + valued 'buz' + } + } +} diff --git a/tests/data/config.right b/tests/data/config.right new file mode 100644 index 000000000..48defeb89 --- /dev/null +++ b/tests/data/config.right @@ -0,0 +1,25 @@ +node1 { + tag_node baz { + other_node { + multi_node 'some_val' + multe_node 'other_val' + } + } + tag_node foo { + valueless + multi_node 'v3' + multi_node 'v1' + single 'right_val' + } + tag_node other { + leaf 'leaf_r' + } +} + +node2 { + sub_node { + tag_node other { + multi 'mv' + } + } +} -- cgit v1.2.3 From a78982625a8a18069bd5a13744734873698fd0f9 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 30 Mar 2023 18:28:56 +0300 Subject: ipsec: T5093: Fixed 'reset vpn ipsec profile' command Fixed 'reset vpn ipsec profile' command using vici library and new op-mode style. Added ability to use 'reset vpn ipsec profile' command with 'remote-host' option. --- op-mode-definitions/vpn-ipsec.xml.in | 19 +++++++-- python/vyos/ipsec.py | 38 +++++++++++++++++ src/completion/list_ipsec_profile_tunnels.py | 48 +++++++++++++++++++++ src/op_mode/ipsec.py | 62 ++++++++++++++++++++++++++++ src/op_mode/vpn_ipsec.py | 61 ++------------------------- 5 files changed, 168 insertions(+), 60 deletions(-) create mode 100644 src/completion/list_ipsec_profile_tunnels.py (limited to 'src') diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in index 5baaec7ce..5a7e6dd63 100644 --- a/op-mode-definitions/vpn-ipsec.xml.in +++ b/op-mode-definitions/vpn-ipsec.xml.in @@ -14,7 +14,7 @@ - Reset all tunnels for given DMVPN profile + Reset a specific tunnel for given DMVPN profile vpn ipsec profile @@ -23,11 +23,24 @@ Reset a specific tunnel for given DMVPN profile + + + - sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="$8" + + + + Reset a specific tunnel for given DMVPN NBMA + + <x.x.x.x> <h:h:h:h:h:h:h:h> + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_profile_dst --profile="$5" --tunnel="$7" --nbma_dst="$9" + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_profile_all --profile="$5" --tunnel="$7" - sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="all" diff --git a/python/vyos/ipsec.py b/python/vyos/ipsec.py index cb7c39ff6..bb5611025 100644 --- a/python/vyos/ipsec.py +++ b/python/vyos/ipsec.py @@ -139,3 +139,41 @@ def terminate_vici_by_name(ike_name: str, child_name: str) -> None: else: raise ViciCommandError( f'Failed to terminate SA for IKE {ike_name}') + + +def vici_initiate(ike_sa_name: str, child_sa_name: str, src_addr: str, + dst_addr: str) -> bool: + """Initiate IKE SA connection with specific peer + + Args: + ike_sa_name (str): an IKE SA connection name + child_sa_name (str): a child SA profile name + src_addr (str): source address + dst_addr (str): remote address + + Returns: + bool: a result of initiation command + """ + from vici import Session as vici_session + + try: + session = vici_session() + except Exception: + raise ViciInitiateError("IPsec not initialized") + + try: + session_generator = session.initiate({ + 'ike': ike_sa_name, + 'child': child_sa_name, + 'timeout': '-1', + 'my-host': src_addr, + 'other-host': dst_addr + }) + # a dummy `for` loop is required because of requirements + # from vici. Without a full iteration on the output, the + # command to vici may not be executed completely + for _ in session_generator: + pass + return True + except Exception: + raise ViciCommandError(f'Failed to initiate SA for IKE {ike_sa_name}') \ No newline at end of file diff --git a/src/completion/list_ipsec_profile_tunnels.py b/src/completion/list_ipsec_profile_tunnels.py new file mode 100644 index 000000000..df6c52f6d --- /dev/null +++ b/src/completion/list_ipsec_profile_tunnels.py @@ -0,0 +1,48 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import sys +import argparse + +from vyos.config import Config +from vyos.util import dict_search + +def get_tunnels_from_ipsecprofile(profile): + config = Config() + base = ['vpn', 'ipsec', 'profile', profile, 'bind'] + profile_conf = config.get_config_dict(base, effective=True, key_mangling=('-', '_')) + tunnels = [] + + try: + for tunnel in (dict_search('bind.tunnel', profile_conf) or []): + tunnels.append(tunnel) + except: + pass + + return tunnels + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument("-p", "--profile", type=str, help="List tunnels per profile") + args = parser.parse_args() + + tunnels = [] + + tunnels = get_tunnels_from_ipsecprofile(args.profile) + + print(" ".join(tunnels)) + diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py index 6acde08ea..7f4fb72e5 100755 --- a/src/op_mode/ipsec.py +++ b/src/op_mode/ipsec.py @@ -13,6 +13,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . + import re import sys import typing @@ -487,6 +488,67 @@ def reset_ra(username: typing.Optional[str] = None): vyos.ipsec.terminate_vici_ikeid_list(list_sa_id) +def reset_profile_dst(profile: str, tunnel: str, nbma_dst: str): + if profile and tunnel and nbma_dst: + ike_sa_name = f'dmvpn-{profile}-{tunnel}' + try: + # Get IKE SAs + sa_list = convert_data( + vyos.ipsec.get_vici_sas_by_name(ike_sa_name, None)) + if not sa_list: + raise vyos.opmode.IncorrectValue( + f'SA(s) for profile {profile} tunnel {tunnel} not found, aborting') + sa_nbma_list = list([x for x in sa_list if + ike_sa_name in x and x[ike_sa_name][ + 'remote-host'] == nbma_dst]) + if not sa_nbma_list: + raise vyos.opmode.IncorrectValue( + f'SA(s) for profile {profile} tunnel {tunnel} remote-host {nbma_dst} not found, aborting') + # terminate IKE SAs + vyos.ipsec.terminate_vici_ikeid_list(list( + [x[ike_sa_name]['uniqueid'] for x in sa_nbma_list if + ike_sa_name in x])) + # initiate IKE SAs + for ike in sa_nbma_list: + if ike_sa_name in ike: + vyos.ipsec.vici_initiate(ike_sa_name, 'dmvpn', + ike[ike_sa_name]['local-host'], + ike[ike_sa_name]['remote-host']) + print( + f'Profile {profile} tunnel {tunnel} remote-host {nbma_dst} reset result: success') + except (vyos.ipsec.ViciInitiateError) as err: + raise vyos.opmode.UnconfiguredSubsystem(err) + except (vyos.ipsec.ViciCommandError) as err: + raise vyos.opmode.IncorrectValue(err) + + +def reset_profile_all(profile: str, tunnel: str): + if profile and tunnel: + ike_sa_name = f'dmvpn-{profile}-{tunnel}' + try: + # Get IKE SAs + sa_list: list = convert_data( + vyos.ipsec.get_vici_sas_by_name(ike_sa_name, None)) + if not sa_list: + raise vyos.opmode.IncorrectValue( + f'SA(s) for profile {profile} tunnel {tunnel} not found, aborting') + # terminate IKE SAs + vyos.ipsec.terminate_vici_by_name(ike_sa_name, None) + # initiate IKE SAs + for ike in sa_list: + if ike_sa_name in ike: + vyos.ipsec.vici_initiate(ike_sa_name, 'dmvpn', + ike[ike_sa_name]['local-host'], + ike[ike_sa_name]['remote-host']) + print( + f'Profile {profile} tunnel {tunnel} remote-host {ike[ike_sa_name]["remote-host"]} reset result: success') + print(f'Profile {profile} tunnel {tunnel} reset result: success') + except (vyos.ipsec.ViciInitiateError) as err: + raise vyos.opmode.UnconfiguredSubsystem(err) + except (vyos.ipsec.ViciCommandError) as err: + raise vyos.opmode.IncorrectValue(err) + + def show_sa(raw: bool): sa_data = _get_raw_data_sas() if raw: diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py index 2392cfe92..b81d1693e 100755 --- a/src/op_mode/vpn_ipsec.py +++ b/src/op_mode/vpn_ipsec.py @@ -16,12 +16,12 @@ import re import argparse -from subprocess import TimeoutExpired from vyos.util import call SWANCTL_CONF = '/etc/swanctl/swanctl.conf' + def get_peer_connections(peer, tunnel, return_all = False): search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*' matches = [] @@ -34,57 +34,6 @@ def get_peer_connections(peer, tunnel, return_all = False): matches.append(result[1]) return matches -def reset_peer(peer, tunnel): - if not peer: - print('Invalid peer, aborting') - return - - conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all')) - - if not conns: - print('Tunnel(s) not found, aborting') - return - - result = True - for conn in conns: - try: - call(f'/usr/sbin/ipsec down {conn}{{*}}', timeout = 10) - call(f'/usr/sbin/ipsec up {conn}', timeout = 10) - except TimeoutExpired as e: - print(f'Timed out while resetting {conn}') - result = False - - - print('Peer reset result: ' + ('success' if result else 'failed')) - -def get_profile_connection(profile, tunnel = None): - search = rf'(dmvpn-{profile}-[\w]+)' if tunnel == 'all' else rf'(dmvpn-{profile}-{tunnel})' - with open(SWANCTL_CONF, 'r') as f: - for line in f.readlines(): - result = re.search(search, line) - if result: - return result[1] - return None - -def reset_profile(profile, tunnel): - if not profile: - print('Invalid profile, aborting') - return - - if not tunnel: - print('Invalid tunnel, aborting') - return - - conn = get_profile_connection(profile) - - if not conn: - print('Profile not found, aborting') - return - - call(f'/usr/sbin/ipsec down {conn}') - result = call(f'/usr/sbin/ipsec up {conn}') - - print('Profile reset result: ' + ('success' if result == 0 else 'failed')) def debug_peer(peer, tunnel): peer = peer.replace(':', '-') @@ -119,6 +68,7 @@ def debug_peer(peer, tunnel): for conn in conns: call(f'/usr/sbin/ipsec statusall | grep {conn}') + if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--action', help='Control action', required=True) @@ -127,9 +77,6 @@ if __name__ == '__main__': args = parser.parse_args() - if args.action == 'reset-peer': - reset_peer(args.name, args.tunnel) - elif args.action == "reset-profile": - reset_profile(args.name, args.tunnel) - elif args.action == "vpn-debug": + + if args.action == "vpn-debug": debug_peer(args.name, args.tunnel) -- cgit v1.2.3 From 33b804c2030f8bc47acb3499a155a0e2f1f2db0f Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Thu, 30 Mar 2023 14:12:59 -0500 Subject: interfaces: T5130: remove obsoleted show_interfaces.py --- src/op_mode/show_interfaces.py | 310 ----------------------------------------- 1 file changed, 310 deletions(-) delete mode 100755 src/op_mode/show_interfaces.py (limited to 'src') diff --git a/src/op_mode/show_interfaces.py b/src/op_mode/show_interfaces.py deleted file mode 100755 index eac068274..000000000 --- a/src/op_mode/show_interfaces.py +++ /dev/null @@ -1,310 +0,0 @@ -#!/usr/bin/env python3 - -# Copyright 2017-2021 VyOS maintainers and contributors -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see . - -import os -import re -import sys -import glob -import argparse - -from vyos.ifconfig import Section -from vyos.ifconfig import Interface -from vyos.ifconfig import VRRP -from vyos.util import cmd, call - - -# interfaces = Sections.reserved() -interfaces = ['eno', 'ens', 'enp', 'enx', 'eth', 'vmnet', 'lo', 'tun', 'wan', 'pppoe'] -glob_ifnames = '/sys/class/net/({})*'.format('|'.join(interfaces)) - - -actions = {} -def register(name): - """ - Decorator to register a function into actions with a name. - `actions[name]' can be used to call the registered functions. - We wrap each function in a SIGPIPE handler as all registered functions - can be subject to a broken pipe if there are a lot of interfaces. - """ - def _register(function): - def handled_function(*args, **kwargs): - try: - function(*args, **kwargs) - except BrokenPipeError: - # Flush output to /dev/null and bail out. - os.dup2(os.open(os.devnull, os.O_WRONLY), sys.stdout.fileno()) - sys.exit(1) - actions[name] = handled_function - return handled_function - return _register - - -def filtered_interfaces(ifnames, iftypes, vif, vrrp): - """ - get all the interfaces from the OS and returns them - ifnames can be used to filter which interfaces should be considered - - ifnames: a list of interfaces names to consider, empty do not filter - return an instance of the interface class - """ - if isinstance(iftypes, list): - for iftype in iftypes: - yield from filtered_interfaces(ifnames, iftype, vif, vrrp) - - for ifname in Section.interfaces(iftypes): - # Bail out early if interface name not part of our search list - if ifnames and ifname not in ifnames: - continue - - # As we are only "reading" from the interface - we must use the - # generic base class which exposes all the data via a common API - interface = Interface(ifname, create=False, debug=False) - - # VLAN interfaces have a '.' in their name by convention - if vif and not '.' in ifname: - continue - - if vrrp: - vrrp_interfaces = VRRP.active_interfaces() - if ifname not in vrrp_interfaces: - continue - - yield interface - - -def split_text(text, used=0): - """ - take a string and attempt to split it to fit with the width of the screen - - text: the string to split - used: number of characted already used in the screen - """ - no_tty = call('tty -s') - - returned = cmd('stty size') if not no_tty else '' - if len(returned) == 2: - rows, columns = [int(_) for _ in returned] - else: - rows, columns = (40, 80) - - desc_len = columns - used - - line = '' - for word in text.split(): - if len(line) + len(word) < desc_len: - line = f'{line} {word}' - continue - if line: - yield line[1:] - else: - line = f'{line} {word}' - - yield line[1:] - - -def get_counter_val(clear, now): - """ - attempt to correct a counter if it wrapped, copied from perl - - clear: previous counter - now: the current counter - """ - # This function has to deal with both 32 and 64 bit counters - if clear == 0: - return now - - # device is using 64 bit values assume they never wrap - value = now - clear - if (now >> 32) != 0: - return value - - # The counter has rolled. If the counter has rolled - # multiple times since the clear value, then this math - # is meaningless. - if (value < 0): - value = (4294967296 - clear) + now - - return value - - -@register('help') -def usage(*args): - print(f"Usage: {sys.argv[0]} [intf=NAME|intf-type=TYPE|vif|vrrp] action=ACTION") - print(f" NAME = " + ' | '.join(Section.interfaces())) - print(f" TYPE = " + ' | '.join(Section.sections())) - print(f" ACTION = " + ' | '.join(actions)) - sys.exit(1) - - -@register('allowed') -def run_allowed(**kwarg): - sys.stdout.write(' '.join(Section.interfaces())) - - -def pppoe(ifname): - out = cmd(f'ps -C pppd -f') - if ifname in out: - return 'C' - elif ifname in [_.split('/')[-1] for _ in glob.glob('/etc/ppp/peers/pppoe*')]: - return 'D' - return '' - - -@register('show') -def run_show_intf(ifnames, iftypes, vif, vrrp): - handled = [] - for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp): - handled.append(interface.ifname) - cache = interface.operational.load_counters() - - out = cmd(f'ip addr show {interface.ifname}') - out = re.sub(f'^\d+:\s+','',out) - if re.search('link/tunnel6', out): - tunnel = cmd(f'ip -6 tun show {interface.ifname}') - # tun0: ip/ipv6 remote ::2 local ::1 encaplimit 4 hoplimit 64 tclass inherit flowlabel inherit (flowinfo 0x00000000) - tunnel = re.sub('.*encap', 'encap', tunnel) - out = re.sub('(\n\s+)(link/tunnel6)', f'\g<1>{tunnel}\g<1>\g<2>', out) - - print(out) - - timestamp = int(cache.get('timestamp', 0)) - if timestamp: - when = interface.operational.strtime(timestamp) - print(f' Last clear: {when}') - - description = interface.get_alias() - if description: - print(f' Description: {description}') - - print() - print(interface.operational.formated_stats()) - - for ifname in ifnames: - if ifname not in handled and ifname.startswith('pppoe'): - state = pppoe(ifname) - if not state: - continue - string = { - 'C': 'Coming up', - 'D': 'Link down', - }[state] - print('{}: {}'.format(ifname, string)) - - -@register('show-brief') -def run_show_intf_brief(ifnames, iftypes, vif, vrrp): - format1 = '%-16s %-33s %-4s %s' - format2 = '%-16s %s' - - print('Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down') - print(format1 % ("Interface", "IP Address", "S/L", "Description")) - print(format1 % ("---------", "----------", "---", "-----------")) - - handled = [] - for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp): - handled.append(interface.ifname) - - oper_state = interface.operational.get_state() - admin_state = interface.get_admin_state() - - intf = [interface.ifname,] - - oper = ['u', ] if oper_state in ('up', 'unknown') else ['D', ] - admin = ['u', ] if admin_state in ('up', 'unknown') else ['A', ] - addrs = [_ for _ in interface.get_addr() if not _.startswith('fe80::')] or ['-', ] - descs = list(split_text(interface.get_alias(),0)) - - while intf or oper or admin or addrs or descs: - i = intf.pop(0) if intf else '' - a = addrs.pop(0) if addrs else '' - d = descs.pop(0) if descs else '' - s = [admin.pop(0)] if admin else [] - l = [oper.pop(0)] if oper else [] - if len(a) < 33: - print(format1 % (i, a, '/'.join(s+l), d)) - else: - print(format2 % (i, a)) - print(format1 % ('', '', '/'.join(s+l), d)) - - for ifname in ifnames: - if ifname not in handled and ifname.startswith('pppoe'): - state = pppoe(ifname) - if not state: - continue - string = { - 'C': 'u/D', - 'D': 'A/D', - }[state] - print(format1 % (ifname, '', string, '')) - - -@register('show-count') -def run_show_counters(ifnames, iftypes, vif, vrrp): - formating = '%-12s %10s %10s %10s %10s' - print(formating % ('Interface', 'Rx Packets', 'Rx Bytes', 'Tx Packets', 'Tx Bytes')) - - for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp): - oper = interface.operational.get_state() - - if oper not in ('up','unknown'): - continue - - stats = interface.operational.get_stats() - cache = interface.operational.load_counters() - print(formating % ( - interface.ifname, - get_counter_val(cache['rx_packets'], stats['rx_packets']), - get_counter_val(cache['rx_bytes'], stats['rx_bytes']), - get_counter_val(cache['tx_packets'], stats['tx_packets']), - get_counter_val(cache['tx_bytes'], stats['tx_bytes']), - )) - - -@register('clear') -def run_clear_intf(ifnames, iftypes, vif, vrrp): - for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp): - print(f'Clearing {interface.ifname}') - interface.operational.clear_counters() - - -@register('reset') -def run_reset_intf(ifnames, iftypes, vif, vrrp): - for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp): - interface.operational.reset_counters() - - -if __name__ == '__main__': - parser = argparse.ArgumentParser(add_help=False, description='Show interface information') - parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface(s)') - parser.add_argument('--intf-type', action="store", type=str, default='', help='only show the specified interface type') - parser.add_argument('--action', action="store", type=str, default='show', help='action to perform') - parser.add_argument('--vif', action='store_true', default=False, help="only show vif interfaces") - parser.add_argument('--vrrp', action='store_true', default=False, help="only show vrrp interfaces") - parser.add_argument('--help', action='store_true', default=False, help="show help") - - args = parser.parse_args() - - def missing(*args): - print('Invalid action [{args.action}]') - usage() - - actions.get(args.action, missing)( - [_ for _ in args.intf.split(' ') if _], - [_ for _ in args.intf_type.split(' ') if _], - args.vif, - args.vrrp - ) -- cgit v1.2.3 From 657f5c1a08351c7740ff74cc112321d8f4e2155c Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Fri, 31 Mar 2023 13:09:21 +0000 Subject: T5125: Add op-mode for sFlow based on hsflowd Add op-mode for sFlow based on hsflowd "show sflow" Add machine readable format '--raw' and formatted output --- data/templates/sflow/hsflowd.conf.j2 | 1 + op-mode-definitions/sflow.xml.in | 15 +++++ smoketest/scripts/cli/test_system_sflow.py | 1 + src/op_mode/sflow.py | 102 +++++++++++++++++++++++++++++ 4 files changed, 119 insertions(+) create mode 100644 op-mode-definitions/sflow.xml.in create mode 100755 src/op_mode/sflow.py (limited to 'src') diff --git a/data/templates/sflow/hsflowd.conf.j2 b/data/templates/sflow/hsflowd.conf.j2 index 94f5939be..5000956bd 100644 --- a/data/templates/sflow/hsflowd.conf.j2 +++ b/data/templates/sflow/hsflowd.conf.j2 @@ -28,4 +28,5 @@ sflow { {% if drop_monitor_limit is vyos_defined %} dropmon { limit={{ drop_monitor_limit }} start=on sw=on hw=off } {% endif %} + dbus { } } diff --git a/op-mode-definitions/sflow.xml.in b/op-mode-definitions/sflow.xml.in new file mode 100644 index 000000000..9f02dacda --- /dev/null +++ b/op-mode-definitions/sflow.xml.in @@ -0,0 +1,15 @@ + + + + + + + + Show sFlow statistics + + + sudo ${vyos_op_scripts_dir}/sflow.py show + + + + diff --git a/smoketest/scripts/cli/test_system_sflow.py b/smoketest/scripts/cli/test_system_sflow.py index fef88b56a..1aec050a4 100755 --- a/smoketest/scripts/cli/test_system_sflow.py +++ b/smoketest/scripts/cli/test_system_sflow.py @@ -91,6 +91,7 @@ class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): self.assertIn(f'collector {{ ip = {server} udpport = {port} }}', hsflowd) self.assertIn(f'collector {{ ip = {local_server} udpport = {default_port} }}', hsflowd) self.assertIn(f'dropmon {{ limit={mon_limit} start=on sw=on hw=off }}', hsflowd) + self.assertIn('dbus { }', hsflowd) for interface in Section.interfaces('ethernet'): self.assertIn(f'pcap {{ dev={interface} }}', hsflowd) diff --git a/src/op_mode/sflow.py b/src/op_mode/sflow.py new file mode 100755 index 000000000..1ff006274 --- /dev/null +++ b/src/op_mode/sflow.py @@ -0,0 +1,102 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import dbus +import sys + +from tabulate import tabulate + +from vyos.configquery import ConfigTreeQuery +from vyos.util import cmd + +import vyos.opmode + + +def _get_raw_sflow(): + bus = dbus.SystemBus() + config = ConfigTreeQuery() + + interfaces = config.values('system sflow interface') + servers = config.list_nodes('system sflow server') + + sflow = bus.get_object('net.sflow.hsflowd', '/net/sflow/hsflowd') + sflow_telemetry = dbus.Interface( + sflow, dbus_interface='net.sflow.hsflowd.telemetry') + agent_address = sflow_telemetry.GetAgent() + samples_dropped = int(sflow_telemetry.Get('dropped_samples')) + samples_packet_sent = int(sflow_telemetry.Get('flow_samples')) + samples_counter_sent = int(sflow_telemetry.Get('counter_samples')) + datagrams_sent = int(sflow_telemetry.Get('datagrams')) + rtmetric_samples = int(sflow_telemetry.Get('rtmetric_samples')) + samples_suppressed = int(sflow_telemetry.Get('flow_samples_suppressed')) + counter_samples_suppressed = int( + sflow_telemetry.Get("counter_samples_suppressed")) + version = sflow_telemetry.GetVersion() + + sflow_dict = { + 'agent_address': agent_address, + 'sflow_interfaces': interfaces, + 'sflow_servers': servers, + 'counter_samples_sent': samples_counter_sent, + 'datagrams_sent': datagrams_sent, + 'packet_samples_dropped': samples_dropped, + 'packet_samples_sent': samples_packet_sent, + 'rtmetric_samples': rtmetric_samples, + 'flow_samples_suppressed': samples_suppressed, + 'counter_samples_suppressed': counter_samples_suppressed, + 'hsflowd_version': version + } + return sflow_dict + + +def _get_formatted_sflow(data): + table = [ + ['Agent address', f'{data.get("agent_address")}'], + ['sFlow interfaces', f'{data.get("sflow_interfaces", "n/a")}'], + ['sFlow servers', f'{data.get("sflow_servers", "n/a")}'], + ['Datagrams sent', f'{data.get("datagrams_sent")}'], + ['Packet samples sent', f'{data.get("packet_samples_sent")}'], + ['Packet samples dropped', f'{data.get("packet_samples_dropped")}'], + ['Counter samples sent', f'{data.get("counter_samples_sent")}'], + ['Flow samples suppressed', f'{data.get("flow_samples_suppressed")}'], + ['Counter samples suppressed', f'{data.get("counter_samples_suppressed")}'] + ] + + return tabulate(table) + + +def show(raw: bool): + + config = ConfigTreeQuery() + if not config.exists('system sflow'): + raise vyos.opmode.UnconfiguredSubsystem( + '"system sflow" is not configured!') + + sflow_data = _get_raw_sflow() + if raw: + return sflow_data + else: + return _get_formatted_sflow(sflow_data) + + +if __name__ == '__main__': + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) -- cgit v1.2.3 From 11b1d043310833447ddeea3b68fba2a1d1f5799d Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 29 Mar 2023 19:48:52 -0500 Subject: http-api: T5126: allow restricting client IP address --- data/templates/https/nginx.default.j2 | 6 +++++ interface-definitions/https.xml.in | 1 + interface-definitions/include/allow-client.xml.i | 33 ++++++++++++++++++++++++ src/conf_mode/https.py | 2 ++ 4 files changed, 42 insertions(+) create mode 100644 interface-definitions/include/allow-client.xml.i (limited to 'src') diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index d42b3b389..b541ff309 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -49,6 +49,12 @@ server { proxy_buffering off; {% else %} return 503; +{% endif %} +{% if server.allow_client %} +{% for client in server.allow_client %} + allow {{ client }}; +{% endfor %} + deny all; {% endif %} } diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index 6adb07598..cf30ab2be 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -60,6 +60,7 @@ + #include diff --git a/interface-definitions/include/allow-client.xml.i b/interface-definitions/include/allow-client.xml.i new file mode 100644 index 000000000..03a0b3ff8 --- /dev/null +++ b/interface-definitions/include/allow-client.xml.i @@ -0,0 +1,33 @@ + + + Restrict to allowed IP client addresses + + + + + Allowed IP client addresses + + ipv4 + IPv4 address + + + ipv6 + IPv6 address + + + ipv4net + IPv4 address and prefix length + + + ipv6net + IPv6 address and prefix length + + + + + + + + + + diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index ce5e63928..b0c38e8d3 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -159,6 +159,8 @@ def generate(https): server_block['port'] = data.get('listen-port', '443') name = data.get('server-name', ['_']) server_block['name'] = name + allow_client = data.get('allow-client', {}) + server_block['allow_client'] = allow_client.get('address', []) server_block_list.append(server_block) # get certificate data -- cgit v1.2.3 From 86d7b8d1d2b53b9fa93bd456abb4ea1b4f2949b6 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 1 Apr 2023 14:42:45 +0200 Subject: container: T5047: bugfix TypeError: argument of type 'NoneType' is not iterable Commit 52e51ffb ("container: T5047: restart only containers that changed") started to iterate over a NoneType which is invalid. This happened when a network description was changed but no container was due for restart. --- src/conf_mode/container.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index bf83416b2..4e4db7180 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -459,7 +459,8 @@ def apply(container): os.unlink(file_path) continue - if name in dict_search('container_restart', container): + tmp = dict_search('container_restart', container) + if tmp and name in tmp: cmd(f'systemctl restart vyos-container-{name}.service') if disabled_new: -- cgit v1.2.3 From 0ea3e1420c373027bdf57ea9e794b81dd6b6ad4f Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 1 Apr 2023 15:31:46 +0200 Subject: container: T5082: switch to netavark network stack We now support assigning discrete IPv6 addresses to a container. --- data/templates/container/containers.conf.j2 | 2 +- debian/control | 1 + interface-definitions/container.xml.in | 7 ++- src/conf_mode/container.py | 95 +++++++++++++++-------------- 4 files changed, 56 insertions(+), 49 deletions(-) (limited to 'src') diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2 index 9f66aed27..c635ca213 100644 --- a/data/templates/container/containers.conf.j2 +++ b/data/templates/container/containers.conf.j2 @@ -282,7 +282,7 @@ default_sysctls = [ # Before changing this value all containers must be stopped otherwise it is likely that # iptables rules and network interfaces might leak on the host. A reboot will fix this. # -network_backend = "cni" +network_backend = "netavark" # Path to directory where CNI plugin binaries are located. # diff --git a/debian/control b/debian/control index 028b7cd43..8cd49f62a 100644 --- a/debian/control +++ b/debian/control @@ -99,6 +99,7 @@ Depends: mtr-tiny, ndisc6, ndppd, + netavark, netplug, nfct, nftables (>= 0.9.3), diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index 0849af656..b09536a16 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -191,15 +191,20 @@ - Assign static IP address to container ipv4 IPv4 address + + ipv6 + IPv6 address + + + diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 4e4db7180..5cfbfc30c 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -16,6 +16,7 @@ import os +from hashlib import sha256 from ipaddress import ip_address from ipaddress import ip_network from json import dumps as json_write @@ -27,7 +28,6 @@ from vyos.configdict import node_changed from vyos.configdict import is_node_changed from vyos.util import call from vyos.util import cmd -from vyos.util import dict_search from vyos.util import run from vyos.util import rc_cmd from vyos.util import write_file @@ -166,21 +166,29 @@ def verify(container): raise ConfigError(f'Container network "{network_name}" does not exist!') if 'address' in container_config['network'][network_name]: - address = container_config['network'][network_name]['address'] - network = None - if is_ipv4(address): - network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0] - elif is_ipv6(address): - network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0] - - # Specified container IP address must belong to network prefix - if ip_address(address) not in ip_network(network): - raise ConfigError(f'Used container address "{address}" not in network "{network}"!') - - # We can not use the first IP address of a network prefix as this is used by podman - if ip_address(address) == ip_network(network)[1]: - raise ConfigError(f'IP address "{address}" can not be used for a container, '\ - 'reserved for the container engine!') + cnt_ipv4 = 0 + cnt_ipv6 = 0 + for address in container_config['network'][network_name]['address']: + network = None + if is_ipv4(address): + network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0] + cnt_ipv4 += 1 + elif is_ipv6(address): + network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0] + cnt_ipv6 += 1 + + # Specified container IP address must belong to network prefix + if ip_address(address) not in ip_network(network): + raise ConfigError(f'Used container address "{address}" not in network "{network}"!') + + # We can not use the first IP address of a network prefix as this is used by podman + if ip_address(address) == ip_network(network)[1]: + raise ConfigError(f'IP address "{address}" can not be used for a container, '\ + 'reserved for the container engine!') + + if cnt_ipv4 > 1 or cnt_ipv6 > 1: + raise ConfigError(f'Only one IP address per address family can be used for '\ + f'container "{name}". {cnt_ipv4} IPv4 and {cnt_ipv6} IPv6 address(es)!') if 'device' in container_config: for dev, dev_config in container_config['device'].items(): @@ -338,9 +346,13 @@ def generate_run_arguments(name, container_config): ip_param = '' networks = ",".join(container_config['network']) for network in container_config['network']: - if 'address' in container_config['network'][network]: - address = container_config['network'][network]['address'] - ip_param = f'--ip {address}' + if 'address' not in container_config['network'][network]: + continue + for address in container_config['network'][network]['address']: + if is_ipv6(address): + ip_param += f' --ip6 {address}' + else: + ip_param += f' --ip {address}' return f'{container_base_cmd} --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip() @@ -355,33 +367,26 @@ def generate(container): if 'network' in container: for network, network_config in container['network'].items(): tmp = { - 'cniVersion' : '0.4.0', - 'name' : network, - 'plugins' : [{ - 'type': 'bridge', - 'bridge': f'cni-{network}', - 'isGateway': True, - 'ipMasq': False, - 'hairpinMode': False, - 'ipam' : { - 'type': 'host-local', - 'routes': [], - 'ranges' : [], - }, - }] + 'name': network, + 'id' : sha256(f'{network}'.encode()).hexdigest(), + 'driver': 'bridge', + 'network_interface': f'podman-{network}', + 'subnets': [], + 'ipv6_enabled': False, + 'internal': False, + 'dns_enabled': False, + 'ipam_options': { + 'driver': 'host-local' + } } - for prefix in network_config['prefix']: - net = [{'gateway' : inc_ip(prefix, 1), 'subnet' : prefix}] - tmp['plugins'][0]['ipam']['ranges'].append(net) + net = {'subnet' : prefix, 'gateway' : inc_ip(prefix, 1)} + tmp['subnets'].append(net) - # install per address-family default orutes - default_route = '0.0.0.0/0' if is_ipv6(prefix): - default_route = '::/0' - tmp['plugins'][0]['ipam']['routes'].append({'dst': default_route}) + tmp['ipv6_enabled'] = True - write_file(f'/etc/cni/net.d/{network}.conflist', json_write(tmp, indent=2)) + write_file(f'/etc/containers/networks/{network}.json', json_write(tmp, indent=2)) if 'registry' in container: cmd = f'podman logout --all' @@ -432,10 +437,7 @@ def apply(container): # Delete old networks if needed if 'network_remove' in container: for network in container['network_remove']: - call(f'podman network rm {network}') - tmp = f'/etc/cni/net.d/{network}.conflist' - if os.path.exists(tmp): - os.unlink(tmp) + call(f'podman network rm {network} >/dev/null 2>&1') # Add container disabled_new = False @@ -459,8 +461,7 @@ def apply(container): os.unlink(file_path) continue - tmp = dict_search('container_restart', container) - if tmp and name in tmp: + if 'container_restart' in container and name in container['container_restart']: cmd(f'systemctl restart vyos-container-{name}.service') if disabled_new: -- cgit v1.2.3 From b53c25a7bcd0a825cadf0e6c754297004ed3f0e4 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 1 Apr 2023 18:56:02 +0200 Subject: container: T4959: bugfix credential validation on registries Commit fe82d86d ("container: T4959: add registry authentication option") looked up the wrong config dict level when validating that both username and password need to be specified when registries are in use. --- src/conf_mode/container.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 5cfbfc30c..3827f4c70 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -258,9 +258,11 @@ def verify(container): if 'network' in container_config and network in container_config['network']: raise ConfigError(f'Can not remove network "{network}", used by container "{container}"!') - if 'registry' in container and 'authentication' in container['registry']: - for registry, registry_config in container['registry']['authentication'].items(): - if not {'username', 'password'} <= set(registry_config): + if 'registry' in container: + for registry, registry_config in container['registry'].items(): + if 'authentication' not in registry_config: + continue + if not {'username', 'password'} <= set(registry_config['authentication']): raise ConfigError('If registry username or or password is defined, so must be the other!') return None -- cgit v1.2.3 From 7d6731435410b16a2497dc0bc156fbde77797fb3 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Sat, 1 Apr 2023 18:44:25 +0000 Subject: T5125: Extend op-mode show sflow add new metric Add new metric, the number of packet-drop-events sent --- src/op_mode/sflow.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/op_mode/sflow.py b/src/op_mode/sflow.py index 1ff006274..ddb8bf44d 100755 --- a/src/op_mode/sflow.py +++ b/src/op_mode/sflow.py @@ -37,6 +37,7 @@ def _get_raw_sflow(): sflow, dbus_interface='net.sflow.hsflowd.telemetry') agent_address = sflow_telemetry.GetAgent() samples_dropped = int(sflow_telemetry.Get('dropped_samples')) + samples_drop_events_sent = int(sflow_telemetry.Get('event_samples')) samples_packet_sent = int(sflow_telemetry.Get('flow_samples')) samples_counter_sent = int(sflow_telemetry.Get('counter_samples')) datagrams_sent = int(sflow_telemetry.Get('datagrams')) @@ -52,6 +53,7 @@ def _get_raw_sflow(): 'sflow_servers': servers, 'counter_samples_sent': samples_counter_sent, 'datagrams_sent': datagrams_sent, + 'samples_drop_events_sent': samples_drop_events_sent, 'packet_samples_dropped': samples_dropped, 'packet_samples_sent': samples_packet_sent, 'rtmetric_samples': rtmetric_samples, @@ -67,10 +69,11 @@ def _get_formatted_sflow(data): ['Agent address', f'{data.get("agent_address")}'], ['sFlow interfaces', f'{data.get("sflow_interfaces", "n/a")}'], ['sFlow servers', f'{data.get("sflow_servers", "n/a")}'], + ['Counter samples sent', f'{data.get("counter_samples_sent")}'], ['Datagrams sent', f'{data.get("datagrams_sent")}'], ['Packet samples sent', f'{data.get("packet_samples_sent")}'], ['Packet samples dropped', f'{data.get("packet_samples_dropped")}'], - ['Counter samples sent', f'{data.get("counter_samples_sent")}'], + ['Samples drop events sent', f'{data.get("samples_drop_events_sent")}'], ['Flow samples suppressed', f'{data.get("flow_samples_suppressed")}'], ['Counter samples suppressed', f'{data.get("counter_samples_suppressed")}'] ] -- cgit v1.2.3 From b65296a0ff39e66d87e916971477cce351f6d5a5 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 2 Apr 2023 09:27:03 +0200 Subject: container: T5134: support binding container network to specific VRF Container networks now can be bound to a specific VRF instance. set vrf name table set container network vrf --- interface-definitions/container.xml.in | 1 + src/conf_mode/container.py | 13 +++++++++++++ 2 files changed, 14 insertions(+) (limited to 'src') diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index b52054dd0..9b6d2369d 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -367,6 +367,7 @@ + #include diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 3827f4c70..05595f86f 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -26,6 +26,8 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.ifconfig import Interface from vyos.util import call from vyos.util import cmd from vyos.util import run @@ -250,6 +252,8 @@ def verify(container): if v6_prefix > 1: raise ConfigError(f'Only one IPv6 prefix can be defined for network "{network}"!') + # Verify VRF exists + verify_vrf(network_config) # A network attached to a container can not be deleted if {'network_remove', 'name'} <= set(container): @@ -469,6 +473,15 @@ def apply(container): if disabled_new: call('systemctl daemon-reload') + # Start network and assign it to given VRF if requested. this can only be done + # after the containers got started as the podman network interface will + # only be enabled by the first container and yet I do not know how to enable + # the network interface in advance + if 'network' in container: + for network, network_config in container['network'].items(): + tmp = Interface(f'podman-{network}') + tmp.set_vrf(network_config.get('vrf', '')) + return None if __name__ == '__main__': -- cgit v1.2.3 From 1b7534855f92ea307059bd01258746e45d6f79a5 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 3 Apr 2023 09:44:18 +0000 Subject: T5125: Sflow op-mode add event_samples_suppressed option Add "Packet drops suppressed" option Rename "Samples drop events sent" to "Packet drops sent" --- src/op_mode/sflow.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/op_mode/sflow.py b/src/op_mode/sflow.py index ddb8bf44d..88f70d6bd 100755 --- a/src/op_mode/sflow.py +++ b/src/op_mode/sflow.py @@ -37,11 +37,12 @@ def _get_raw_sflow(): sflow, dbus_interface='net.sflow.hsflowd.telemetry') agent_address = sflow_telemetry.GetAgent() samples_dropped = int(sflow_telemetry.Get('dropped_samples')) - samples_drop_events_sent = int(sflow_telemetry.Get('event_samples')) + packet_drop_sent = int(sflow_telemetry.Get('event_samples')) samples_packet_sent = int(sflow_telemetry.Get('flow_samples')) samples_counter_sent = int(sflow_telemetry.Get('counter_samples')) datagrams_sent = int(sflow_telemetry.Get('datagrams')) rtmetric_samples = int(sflow_telemetry.Get('rtmetric_samples')) + event_samples_suppressed = int(sflow_telemetry.Get('event_samples_suppressed')) samples_suppressed = int(sflow_telemetry.Get('flow_samples_suppressed')) counter_samples_suppressed = int( sflow_telemetry.Get("counter_samples_suppressed")) @@ -53,10 +54,11 @@ def _get_raw_sflow(): 'sflow_servers': servers, 'counter_samples_sent': samples_counter_sent, 'datagrams_sent': datagrams_sent, - 'samples_drop_events_sent': samples_drop_events_sent, + 'packet_drop_sent': packet_drop_sent, 'packet_samples_dropped': samples_dropped, 'packet_samples_sent': samples_packet_sent, 'rtmetric_samples': rtmetric_samples, + 'event_samples_suppressed': event_samples_suppressed, 'flow_samples_suppressed': samples_suppressed, 'counter_samples_suppressed': counter_samples_suppressed, 'hsflowd_version': version @@ -73,7 +75,8 @@ def _get_formatted_sflow(data): ['Datagrams sent', f'{data.get("datagrams_sent")}'], ['Packet samples sent', f'{data.get("packet_samples_sent")}'], ['Packet samples dropped', f'{data.get("packet_samples_dropped")}'], - ['Samples drop events sent', f'{data.get("samples_drop_events_sent")}'], + ['Packet drops sent', f'{data.get("packet_drop_sent")}'], + ['Packet drops suppressed', f'{data.get("event_samples_suppressed")}'], ['Flow samples suppressed', f'{data.get("flow_samples_suppressed")}'], ['Counter samples suppressed', f'{data.get("counter_samples_suppressed")}'] ] -- cgit v1.2.3 From 1a1f425f869f94c7c7a9d57b71555e9e13796c9e Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 3 Apr 2023 11:41:47 +0000 Subject: T5141: Add numbers for dhclient-exit-hooks.d to enforce order Add numbers for all dhclient-exit-hooks.d to enforce script order execution Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1' it is described in the https://vyos.dev/T4856, so we should move this hook to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook' --- .../dhclient-exit-hooks.d/03-vyatta-dhclient-hook | 44 +++++++++++ .../dhcp/dhclient-exit-hooks.d/98-run-user-hooks | 5 ++ .../dhclient-exit-hooks.d/99-ipsec-dhclient-hook | 86 ++++++++++++++++++++++ .../dhcp/dhclient-exit-hooks.d/99-run-user-hooks | 5 -- .../dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook | 86 ---------------------- .../dhclient-exit-hooks.d/vyatta-dhclient-hook | 44 ----------- 6 files changed, 135 insertions(+), 135 deletions(-) create mode 100644 src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook create mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks create mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook delete mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks delete mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook delete mode 100644 src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook (limited to 'src') diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook new file mode 100644 index 000000000..49bb18372 --- /dev/null +++ b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook @@ -0,0 +1,44 @@ +#!/bin/sh + +# Author: Stig Thormodsrud +# Date: 2007 +# Description: dhcp client hook + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2006, 2007, 2008 Vyatta, Inc. +# All Rights Reserved. +# **** End License **** + +# To enable this script set the following variable to "yes" +RUN="yes" + +proto="" +if [[ $reason =~ ^(REBOOT6|INIT6|EXPIRE6|RELEASE6|STOP6|INFORM6|BOUND6|REBIND6|DELEGATED6)$ ]]; then + proto="v6" +fi + +if [ "$RUN" = "yes" ]; then + LOG=/var/lib/dhcp/dhclient_"$interface"."$proto"lease + echo `date` > $LOG + + for i in reason interface new_expiry new_dhcp_lease_time medium \ + alias_ip_address new_ip_address new_broadcast_address \ + new_subnet_mask new_domain_name new_network_number \ + new_domain_name_servers new_routers new_static_routes \ + new_dhcp_server_identifier new_dhcp_message_type \ + old_ip_address old_subnet_mask old_domain_name \ + old_domain_name_servers old_routers \ + old_static_routes; do + echo $i=\'${!i}\' >> $LOG + done +fi diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks new file mode 100755 index 000000000..442419d79 --- /dev/null +++ b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks @@ -0,0 +1,5 @@ +#!/bin/bash +DHCP_POST_HOOKS="/config/scripts/dhcp-client/post-hooks.d/" +if [ -d "${DHCP_POST_HOOKS}" ] ; then + run-parts "${DHCP_POST_HOOKS}" +fi diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook new file mode 100755 index 000000000..1f1926e17 --- /dev/null +++ b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook @@ -0,0 +1,86 @@ +#!/bin/bash +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then + exit 0 +fi + +DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting" + +if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then + if grep -qw $interface $DHCP_HOOK_IFLIST; then + sudo rm $DHCP_HOOK_IFLIST + sudo /usr/libexec/vyos/conf_mode/vpn_ipsec.py + exit 0 + fi +fi + +if [ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]; then + exit 0 +fi + +python3 - < 0: + regex_match = re.search(r'(peer_[^:\[]+)', line) + if regex_match: + connection_name = regex_match[1] + break + if connection_name: + call(f'sudo ipsec down {connection_name}') + +if __name__ == '__main__': + interface = os.getenv('interface') + new_ip = os.getenv('new_ip_address') + old_ip = os.getenv('old_ip_address') + + if os.path.exists(SWANCTL_CONF): + conf_lines = read_file(SWANCTL_CONF) + found = False + to_match = f'# dhcp:{interface}' + + for i, line in enumerate(conf_lines): + if line.find(to_match) > 0: + conf_lines[i] = line.replace(old_ip, new_ip) + found = True + + for i, line in enumerate(secrets_lines): + if line.find(to_match) > 0: + secrets_lines[i] = line.replace(old_ip, new_ip) + + if found: + write_file(SWANCTL_CONF, conf_lines) + ipsec_down(old_ip) + call('sudo ipsec rereadall') + call('sudo ipsec reload') + call('sudo swanctl -q') + + exit(0) +PYEND \ No newline at end of file diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks b/src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks deleted file mode 100755 index 442419d79..000000000 --- a/src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -DHCP_POST_HOOKS="/config/scripts/dhcp-client/post-hooks.d/" -if [ -d "${DHCP_POST_HOOKS}" ] ; then - run-parts "${DHCP_POST_HOOKS}" -fi diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook deleted file mode 100755 index 1f1926e17..000000000 --- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook +++ /dev/null @@ -1,86 +0,0 @@ -#!/bin/bash -# -# Copyright (C) 2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then - exit 0 -fi - -DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting" - -if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then - if grep -qw $interface $DHCP_HOOK_IFLIST; then - sudo rm $DHCP_HOOK_IFLIST - sudo /usr/libexec/vyos/conf_mode/vpn_ipsec.py - exit 0 - fi -fi - -if [ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]; then - exit 0 -fi - -python3 - < 0: - regex_match = re.search(r'(peer_[^:\[]+)', line) - if regex_match: - connection_name = regex_match[1] - break - if connection_name: - call(f'sudo ipsec down {connection_name}') - -if __name__ == '__main__': - interface = os.getenv('interface') - new_ip = os.getenv('new_ip_address') - old_ip = os.getenv('old_ip_address') - - if os.path.exists(SWANCTL_CONF): - conf_lines = read_file(SWANCTL_CONF) - found = False - to_match = f'# dhcp:{interface}' - - for i, line in enumerate(conf_lines): - if line.find(to_match) > 0: - conf_lines[i] = line.replace(old_ip, new_ip) - found = True - - for i, line in enumerate(secrets_lines): - if line.find(to_match) > 0: - secrets_lines[i] = line.replace(old_ip, new_ip) - - if found: - write_file(SWANCTL_CONF, conf_lines) - ipsec_down(old_ip) - call('sudo ipsec rereadall') - call('sudo ipsec reload') - call('sudo swanctl -q') - - exit(0) -PYEND \ No newline at end of file diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook deleted file mode 100644 index 49bb18372..000000000 --- a/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/sh - -# Author: Stig Thormodsrud -# Date: 2007 -# Description: dhcp client hook - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2006, 2007, 2008 Vyatta, Inc. -# All Rights Reserved. -# **** End License **** - -# To enable this script set the following variable to "yes" -RUN="yes" - -proto="" -if [[ $reason =~ ^(REBOOT6|INIT6|EXPIRE6|RELEASE6|STOP6|INFORM6|BOUND6|REBIND6|DELEGATED6)$ ]]; then - proto="v6" -fi - -if [ "$RUN" = "yes" ]; then - LOG=/var/lib/dhcp/dhclient_"$interface"."$proto"lease - echo `date` > $LOG - - for i in reason interface new_expiry new_dhcp_lease_time medium \ - alias_ip_address new_ip_address new_broadcast_address \ - new_subnet_mask new_domain_name new_network_number \ - new_domain_name_servers new_routers new_static_routes \ - new_dhcp_server_identifier new_dhcp_message_type \ - old_ip_address old_subnet_mask old_domain_name \ - old_domain_name_servers old_routers \ - old_static_routes; do - echo $i=\'${!i}\' >> $LOG - done -fi -- cgit v1.2.3