From 4c61fa82f59e26023993be56be1ff9bf0cb5251e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 19 Jul 2023 14:25:55 +0000 Subject: T4899: NAT Redirect: adddestination nat redirection (to local host) feature. --- src/conf_mode/nat.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index 5f4b658f8..e19b12937 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -72,6 +72,7 @@ def verify_rule(config, err_msg, groups_dict): """ Common verify steps used for both source and destination NAT """ if (dict_search('translation.port', config) != None or + dict_search('translation.redirect.port', config) != None or dict_search('destination.port', config) != None or dict_search('source.port', config)): @@ -221,7 +222,7 @@ def verify(nat): elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces(): Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') - if not dict_search('translation.address', config) and not dict_search('translation.port', config): + if not dict_search('translation.address', config) and not dict_search('translation.port', config) and not dict_search('translation.redirect.port', config): if 'exclude' not in config: raise ConfigError(f'{err_msg} translation requires address and/or port') -- cgit v1.2.3 From 9cdfbd77f7414ea8a13ae66df41035d2f6edef32 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 20 Jul 2023 21:07:40 +0200 Subject: ospf: T5377: add graceful restart FRR feature (RFC 3623) New CLI commands: * set protocols ospf graceful-restart grace-period 300 * set protocols ospf graceful-restart helper planned-only * set protocols ospf graceful-restart helper no-strict-lsa-checking * set protocols ospf graceful-restart helper supported-grace-time 400 * set protocols ospf graceful-restart helper enable router-id 192.0.2.1 * set protocols ospf graceful-restart helper enable router-id 192.0.2.2 * set protocols ospfv3 graceful-restart grace-period 300 * set protocols ospfv3 graceful-restart helper planned-only * set protocols ospfv3 graceful-restart helper lsa-check-disable * set protocols ospfv3 graceful-restart helper supported-grace-time 400 * set protocols ospfv3 graceful-restart helper enable router-id 192.0.2.1 * set protocols ospfv3 graceful-restart helper enable router-id 192.0.2.2 --- data/templates/frr/ospf6d.frr.j2 | 21 +++++++ data/templates/frr/ospfd.frr.j2 | 21 +++++++ .../include/ospf/graceful-restart.xml.i | 67 ++++++++++++++++++++++ .../include/ospf/protocol-common-config.xml.i | 17 +++++- .../include/ospfv3/protocol-common-config.xml.i | 15 +++++ smoketest/scripts/cli/test_protocols_ospf.py | 25 ++++++++ smoketest/scripts/cli/test_protocols_ospfv3.py | 26 +++++++++ src/conf_mode/protocols_ospf.py | 2 + src/conf_mode/protocols_ospfv3.py | 2 + 9 files changed, 195 insertions(+), 1 deletion(-) create mode 100644 interface-definitions/include/ospf/graceful-restart.xml.i (limited to 'src') diff --git a/data/templates/frr/ospf6d.frr.j2 b/data/templates/frr/ospf6d.frr.j2 index 84394ed1a..b0b5663dd 100644 --- a/data/templates/frr/ospf6d.frr.j2 +++ b/data/templates/frr/ospf6d.frr.j2 @@ -80,6 +80,27 @@ router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if distance.ospfv3 is vyos_defined %} distance ospf6 {{ 'intra-area ' ~ distance.ospfv3.intra_area if distance.ospfv3.intra_area is vyos_defined }} {{ 'inter-area ' ~ distance.ospfv3.inter_area if distance.ospfv3.inter_area is vyos_defined }} {{ 'external ' ~ distance.ospfv3.external if distance.ospfv3.external is vyos_defined }} {% endif %} +{% if graceful_restart is vyos_defined %} +{% if graceful_restart.grace_period is vyos_defined %} + graceful-restart grace-period {{ graceful_restart.grace_period }} +{% endif %} +{% if graceful_restart.helper.enable.router_id is vyos_defined %} +{% for router_id in graceful_restart.helper.enable.router_id %} + graceful-restart helper enable {{ router_id }} +{% endfor %} +{% elif graceful_restart.helper.enable is vyos_defined %} + graceful-restart helper enable +{% endif %} +{% if graceful_restart.helper.planned_only is vyos_defined %} + graceful-restart helper planned-only +{% endif %} +{% if graceful_restart.helper.lsa_check_disable is vyos_defined %} + graceful-restart helper lsa-check-disable +{% endif %} +{% if graceful_restart.helper.supported_grace_time is vyos_defined %} + graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }} +{% endif %} +{% endif %} {% if log_adjacency_changes is vyos_defined %} log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }} {% endif %} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 1ee8d8752..121ecf677 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -153,6 +153,27 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if distance.ospf is vyos_defined %} distance ospf {{ 'intra-area ' + distance.ospf.intra_area if distance.ospf.intra_area is vyos_defined }} {{ 'inter-area ' + distance.ospf.inter_area if distance.ospf.inter_area is vyos_defined }} {{ 'external ' + distance.ospf.external if distance.ospf.external is vyos_defined }} {% endif %} +{% if graceful_restart is vyos_defined %} +{% if graceful_restart.grace_period is vyos_defined %} + graceful-restart grace-period {{ graceful_restart.grace_period }} +{% endif %} +{% if graceful_restart.helper.enable.router_id is vyos_defined %} +{% for router_id in graceful_restart.helper.enable.router_id %} + graceful-restart helper enable {{ router_id }} +{% endfor %} +{% elif graceful_restart.helper.enable is vyos_defined %} + graceful-restart helper enable +{% endif %} +{% if graceful_restart.helper.planned_only is vyos_defined %} + graceful-restart helper planned-only +{% endif %} +{% if graceful_restart.helper.no_strict_lsa_checking is vyos_defined %} + no graceful-restart helper strict-lsa-checking +{% endif %} +{% if graceful_restart.helper.supported_grace_time is vyos_defined %} + graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }} +{% endif %} +{% endif %} {% if log_adjacency_changes is vyos_defined %} log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }} {% endif %} diff --git a/interface-definitions/include/ospf/graceful-restart.xml.i b/interface-definitions/include/ospf/graceful-restart.xml.i new file mode 100644 index 000000000..37d9a7f13 --- /dev/null +++ b/interface-definitions/include/ospf/graceful-restart.xml.i @@ -0,0 +1,67 @@ + + + + Graceful Restart + + + + + Maximum length of the grace period + + u32:1-1800 + Maximum length of the grace period in seconds + + + + + + 120 + + + + OSPF graceful-restart helpers + + + + + Enable helper support + + + + + Advertising Router-ID + + ipv4 + Router-ID in IP address format + + + + + + + + + + + + Supported only planned restart + + + + + + Supported grace timer + + u32:10-1800 + Grace interval in seconds + + + + + + + + + + + diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 3492b873f..438093222 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -339,6 +339,21 @@ +#include + + + + + + + Disable strict LSA check + + + + + + + Maximum multiple paths (ECMP) @@ -928,4 +943,4 @@ - \ No newline at end of file + diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i index a7de50638..4c3ca68e1 100644 --- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i +++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i @@ -107,6 +107,21 @@ +#include + + + + + + + Disable strict LSA check + + + + + + + Enable routing on an IPv6 interface diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index 977376bdd..f4b540694 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -479,5 +479,30 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): self.assertIn(f' ip ospf dead-interval 40', config) self.assertIn(f' no ip ospf mpls ldp-sync', config) + def test_ospf_16_graceful_restart(self): + period = '300' + supported_grace_time = '400' + router_ids = ['192.0.2.1', '192.0.2.2'] + + self.cli_set(base_path + ['graceful-restart', 'grace-period', period]) + self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'no-strict-lsa-checking']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'supported-grace-time', supported_grace_time]) + for router_id in router_ids: + self.cli_set(base_path + ['graceful-restart', 'helper', 'enable', 'router-id', router_id]) + + # commit changes + self.cli_commit() + + # Verify FRR ospfd configuration + frrconfig = self.getFRRconfig('router ospf') + self.assertIn(f'router ospf', frrconfig) + self.assertIn(f' graceful-restart grace-period {period}', frrconfig) + self.assertIn(f' graceful-restart helper planned-only', frrconfig) + self.assertIn(f' no graceful-restart helper strict-lsa-checking', frrconfig) + self.assertIn(f' graceful-restart helper supported-grace-time {supported_grace_time}', frrconfig) + for router_id in router_ids: + self.assertIn(f' graceful-restart helper enable {router_id}', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py index b67bfaac7..64dfa18db 100755 --- a/smoketest/scripts/cli/test_protocols_ospfv3.py +++ b/smoketest/scripts/cli/test_protocols_ospfv3.py @@ -281,5 +281,31 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase): self.cli_delete(['vrf', 'name', vrf]) self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf']) + + def test_ospfv3_09_graceful_restart(self): + period = '300' + supported_grace_time = '400' + router_ids = ['192.0.2.1', '192.0.2.2'] + + self.cli_set(base_path + ['graceful-restart', 'grace-period', period]) + self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'lsa-check-disable']) + self.cli_set(base_path + ['graceful-restart', 'helper', 'supported-grace-time', supported_grace_time]) + for router_id in router_ids: + self.cli_set(base_path + ['graceful-restart', 'helper', 'enable', 'router-id', router_id]) + + # commit changes + self.cli_commit() + + # Verify FRR ospfd configuration + frrconfig = self.getFRRconfig('router ospf6') + self.assertIn(f'router ospf6', frrconfig) + self.assertIn(f' graceful-restart grace-period {period}', frrconfig) + self.assertIn(f' graceful-restart helper planned-only', frrconfig) + self.assertIn(f' graceful-restart helper lsa-check-disable', frrconfig) + self.assertIn(f' graceful-restart helper supported-grace-time {supported_grace_time}', frrconfig) + for router_id in router_ids: + self.assertIn(f' graceful-restart helper enable {router_id}', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index 509d4f501..f2075d25b 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -88,6 +88,8 @@ def get_config(config=None): del default_values['area']['area_type']['nssa'] if 'mpls_te' not in ospf: del default_values['mpls_te'] + if 'graceful_restart' not in ospf: + del default_values['graceful_restart'] for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']: # table is a tagNode thus we need to clean out all occurances for the diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py index 7f50d8624..fbea51f56 100755 --- a/src/conf_mode/protocols_ospfv3.py +++ b/src/conf_mode/protocols_ospfv3.py @@ -83,6 +83,8 @@ def get_config(config=None): # need to check this first and probably drop that key. if dict_search('default_information.originate', ospfv3) is None: del default_values['default_information'] + if 'graceful_restart' not in ospfv3: + del default_values['graceful_restart'] # XXX: T2665: we currently have no nice way for defaults under tag nodes, # clean them out and add them manually :( -- cgit v1.2.3 From a684ab26c5ebdefb13ca870c0bfd5ef60fb9c6fc Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Sat, 10 Sep 2022 21:32:49 +0800 Subject: T4659: op-mode: Display bridge interface detail --- op-mode-definitions/show-bridge.xml.in | 12 ++++++++++++ src/op_mode/bridge.py | 32 +++++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/op-mode-definitions/show-bridge.xml.in b/op-mode-definitions/show-bridge.xml.in index acf3a00c7..a272ea204 100644 --- a/op-mode-definitions/show-bridge.xml.in +++ b/op-mode-definitions/show-bridge.xml.in @@ -42,6 +42,18 @@ ${vyos_op_scripts_dir}/bridge.py show_fdb --interface=$3 + + + Display bridge interface details + + ${vyos_op_scripts_dir}/bridge.py show_detail --interface=$3 + + + + Display bridge interface nexthop-group + + ${vyos_op_scripts_dir}/bridge.py show_detail --nexthop_group --interface=$3 + diff --git a/src/op_mode/bridge.py b/src/op_mode/bridge.py index 5531c41d0..1834b9cc9 100755 --- a/src/op_mode/bridge.py +++ b/src/op_mode/bridge.py @@ -24,6 +24,7 @@ from tabulate import tabulate from vyos.utils.process import cmd from vyos.utils.process import rc_cmd +from vyos.utils.process import call from vyos.utils.dict import dict_search import vyos.opmode @@ -129,7 +130,8 @@ def _get_formatted_output_vlan(data): if vlan_entry.get('vlanEnd'): vlan_end = vlan_entry.get('vlanEnd') vlan = f'{vlan}-{vlan_end}' - flags = ', '.join(vlan_entry.get('flags')).lower() + flags_raw = vlan_entry.get('flags') + flags = ', '.join(flags_raw if isinstance(flags_raw,list) else "").lower() data_entries.append([interface, vlan, flags]) headers = ["Interface", "Vlan", "Flags"] @@ -164,6 +166,23 @@ def _get_formatted_output_mdb(data): output = tabulate(data_entries, headers) return output +def _get_bridge_detail(iface): + """Get interface detail statistics""" + return call(f'vtysh -c "show interface {iface}"') + +def _get_bridge_detail_nexthop_group(iface): + """Get interface detail nexthop_group statistics""" + return call(f'vtysh -c "show interface {iface} nexthop-group"') + +def _get_bridge_detail_nexthop_group_raw(iface): + out = cmd(f'vtysh -c "show interface {iface} nexthop-group"') + return out + +def _get_bridge_detail_raw(iface): + """Get interface detail json statistics""" + data = cmd(f'vtysh -c "show interface {iface} json"') + data_dict = json.loads(data) + return data_dict def show(raw: bool): bridge_data = _get_raw_data_summary() @@ -196,6 +215,17 @@ def show_mdb(raw: bool, interface: str): else: return _get_formatted_output_mdb(mdb_data) +def show_detail(raw: bool, nexthop_group: typing.Optional[bool], interface: str): + if raw: + if nexthop_group: + return _get_bridge_detail_nexthop_group_raw(interface) + else: + return _get_bridge_detail_raw(interface) + else: + if nexthop_group: + return _get_bridge_detail_nexthop_group(interface) + else: + return _get_bridge_detail(interface) if __name__ == '__main__': try: -- cgit v1.2.3 From bd4bb4f869d6df02bfda1ce5668b8cf15a95b4af Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Fri, 21 Jul 2023 10:35:34 +0000 Subject: T5368: service ids ddos-protection add support sflow mode sFlow mode requires fewer resources then mode "mirror" Integrate it into configuration mode set service ids ddos-protection mode 'sflow' set service ids ddos-protection sflow listen-address '127.0.0.1' set service ids ddos-protection sflow port '6343' --- data/templates/ids/fastnetmon.j2 | 11 +++++++- data/templates/ids/fastnetmon_networks_list.j2 | 2 +- .../service-ids-ddos-protection.xml.in | 33 ++++++++++++++++------ src/conf_mode/service_ids_fastnetmon.py | 14 +++++++-- 4 files changed, 47 insertions(+), 13 deletions(-) (limited to 'src') diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2 index 0340d3c92..f6f03d0db 100644 --- a/data/templates/ids/fastnetmon.j2 +++ b/data/templates/ids/fastnetmon.j2 @@ -29,10 +29,19 @@ unban_only_if_attack_finished = on # For each subnet, list track speed in bps and pps for both directions enable_subnet_counters = off -{% if mode.mirror is vyos_defined %} +{% if mode is vyos_defined('mirror') %} mirror_afpacket = on +{% elif mode is vyos_defined('sflow') %} +sflow = on +{% if sflow.port is vyos_defined %} +sflow_port = {{ sflow.port }} +{% endif %} +{% if sflow.listen_address is vyos_defined %} +sflow_host = {{ sflow.listen_address }} +{% endif %} {% endif %} + process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in direction else 'off' }} process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }} diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2 index 5f1b3ba4d..0a0576d2a 100644 --- a/data/templates/ids/fastnetmon_networks_list.j2 +++ b/data/templates/ids/fastnetmon_networks_list.j2 @@ -1,4 +1,4 @@ -{% if network is vyos_defined() %} +{% if network is vyos_defined %} {% for net in network %} {{ net }} {% endfor %} diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in index bb06189bc..78463136b 100644 --- a/interface-definitions/service-ids-ddos-protection.xml.in +++ b/interface-definitions/service-ids-ddos-protection.xml.in @@ -70,17 +70,34 @@ - + - Traffic capture modes + Traffic capture mode + + mirror sflow + + + mirror + Listen to mirrored traffic + + + sflow + Capture sFlow flows + + + (mirror|sflow) + + + + + + Sflow settings - - - - Listen mirrored traffic mode - - + #include + #include + + 6343 diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py index 2e678cf0b..f6b80552b 100755 --- a/src/conf_mode/service_ids_fastnetmon.py +++ b/src/conf_mode/service_ids_fastnetmon.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2022 VyOS maintainers and contributors +# Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -30,6 +30,7 @@ airbag.enable() config_file = r'/run/fastnetmon/fastnetmon.conf' networks_list = r'/run/fastnetmon/networks_list' excluded_networks_list = r'/run/fastnetmon/excluded_networks_list' +attack_dir = '/var/log/fastnetmon_attacks' def get_config(config=None): if config: @@ -55,8 +56,11 @@ def verify(fastnetmon): if 'mode' not in fastnetmon: raise ConfigError('Specify operating mode!') - if 'listen_interface' not in fastnetmon: - raise ConfigError('Specify interface(s) for traffic capture') + if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon: + raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring") + + if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}): + raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'") if 'alert_script' in fastnetmon: if os.path.isfile(fastnetmon['alert_script']): @@ -74,6 +78,10 @@ def generate(fastnetmon): return None + # Create dir for log attack details + if not os.path.exists(attack_dir): + os.mkdir(attack_dir) + render(config_file, 'ids/fastnetmon.j2', fastnetmon) render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon) render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon) -- cgit v1.2.3 From e9153730c76f96fb585df6276b6505a00b14b17b Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 21 Jul 2023 22:20:06 +0200 Subject: login: T5363: keep home when user is deleted Comply with the code comment and not remove the users home directory. This also fixes the issue that user homes get cleaned on system reboot --- src/conf_mode/system-login.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 273475c18..afd75913e 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -389,7 +389,7 @@ def apply(login): # command until user is removed - userdel might return 8 as # SSH sessions are not all yet properly cleaned away, thus we # simply re-run the command until the account wen't away - while run(f'userdel --remove {user}', stderr=DEVNULL): + while run(f'userdel {user}', stderr=DEVNULL): sleep(0.250) except Exception as e: -- cgit v1.2.3 From 5f2e9cb81d89a5cfecbac01bec054b3ba4e8dff5 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Thu, 6 Jul 2023 17:40:37 +0000 Subject: T5154: NTP: allow maximum of one ipv4 and one ipv6 address on parameter . Also allow only one single value . --- data/templates/chrony/chrony.conf.j2 | 4 +- .../include/version/ntp-version.xml.i | 2 +- interface-definitions/ntp.xml.in | 2 +- smoketest/scripts/cli/test_service_ntp.py | 2 +- src/conf_mode/ntp.py | 34 ++++++++---- src/migration-scripts/ntp/2-to-3 | 62 ++++++++++++++++++++++ 6 files changed, 90 insertions(+), 16 deletions(-) create mode 100755 src/migration-scripts/ntp/2-to-3 (limited to 'src') diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2 index 7a36fe69d..0daec8fb8 100644 --- a/data/templates/chrony/chrony.conf.j2 +++ b/data/templates/chrony/chrony.conf.j2 @@ -53,8 +53,6 @@ bindaddress {{ address }} {% endfor %} {% endif %} {% if interface is vyos_defined %} -{% for ifname in interface %} -binddevice {{ ifname }} -{% endfor %} +binddevice {{ interface }} {% endif %} {% endif %} diff --git a/interface-definitions/include/version/ntp-version.xml.i b/interface-definitions/include/version/ntp-version.xml.i index 9eafbf7f0..155c824dc 100644 --- a/interface-definitions/include/version/ntp-version.xml.i +++ b/interface-definitions/include/version/ntp-version.xml.i @@ -1,3 +1,3 @@ - + diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/ntp.xml.in index 2275dd61c..4e874434b 100644 --- a/interface-definitions/ntp.xml.in +++ b/interface-definitions/ntp.xml.in @@ -57,7 +57,7 @@ #include - #include + #include #include #include diff --git a/smoketest/scripts/cli/test_service_ntp.py b/smoketest/scripts/cli/test_service_ntp.py index 046e5eea6..47e012913 100755 --- a/smoketest/scripts/cli/test_service_ntp.py +++ b/smoketest/scripts/cli/test_service_ntp.py @@ -108,7 +108,7 @@ class TestSystemNTP(VyOSUnitTestSHIM.TestCase): self.assertIn(f'bindaddress {listen}', config) def test_03_ntp_interface(self): - interfaces = ['eth0', 'eth1'] + interfaces = ['eth0'] for interface in interfaces: self.cli_set(base_path + ['interface', interface]) diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 92cb73aab..95766c44c 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -24,6 +24,7 @@ from vyos.util import call from vyos.util import chmod_750 from vyos.util import get_interface_config from vyos.template import render +from vyos.template import is_ipv4 from vyos import ConfigError from vyos import airbag airbag.enable() @@ -62,16 +63,29 @@ def verify(ntp): if 'interface' in ntp: # If ntpd should listen on a given interface, ensure it exists - for interface in ntp['interface']: - verify_interface_exists(interface) - - # If we run in a VRF, our interface must belong to this VRF, too - if 'vrf' in ntp: - tmp = get_interface_config(interface) - vrf_name = ntp['vrf'] - if 'master' not in tmp or tmp['master'] != vrf_name: - raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\ - f'does not belong to this VRF!') + interface = ntp['interface'] + verify_interface_exists(interface) + + # If we run in a VRF, our interface must belong to this VRF, too + if 'vrf' in ntp: + tmp = get_interface_config(interface) + vrf_name = ntp['vrf'] + if 'master' not in tmp or tmp['master'] != vrf_name: + raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\ + f'does not belong to this VRF!') + + if 'listen_address' in ntp: + ipv4_addresses = 0 + ipv6_addresses = 0 + for address in ntp['listen_address']: + if is_ipv4(address): + ipv4_addresses += 1 + else: + ipv6_addresses += 1 + if ipv4_addresses > 1: + raise ConfigError(f'NTP Only admits one ipv4 value for listen-address parameter ') + if ipv6_addresses > 1: + raise ConfigError(f'NTP Only admits one ipv6 value for listen-address parameter ') return None diff --git a/src/migration-scripts/ntp/2-to-3 b/src/migration-scripts/ntp/2-to-3 new file mode 100755 index 000000000..7d4e0bd83 --- /dev/null +++ b/src/migration-scripts/ntp/2-to-3 @@ -0,0 +1,62 @@ +#!/usr/bin/env python3 + +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# T5154: allow only one ip address per family for parameter 'listen-address' +# Allow only one interface for parameter 'interface' +# If more than one are specified, remove such entries + +import sys + +from vyos.configtree import ConfigTree +from vyos.template import is_ipv4 +from vyos.template import is_ipv6 + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +base_path = ['service', 'ntp'] +if not config.exists(base_path): + # Nothing to do + sys.exit(0) + +if config.exists(base_path + ['listen-address']) and (len([addr for addr in config.return_values(base_path + ['listen-address']) if is_ipv4(addr)]) > 1): + for addr in config.return_values(base_path + ['listen-address']): + if is_ipv4(addr): + config.delete_value(base_path + ['listen-address'], addr) + +if config.exists(base_path + ['listen-address']) and (len([addr for addr in config.return_values(base_path + ['listen-address']) if is_ipv6(addr)]) > 1): + for addr in config.return_values(base_path + ['listen-address']): + if is_ipv6(addr): + config.delete_value(base_path + ['listen-address'], addr) + +if config.exists(base_path + ['interface']): + if len(config.return_values(base_path + ['interface'])) > 1: + config.delete(base_path + ['interface']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) -- cgit v1.2.3 From c473f6475f90d17529cc9e4da939560c04b60bda Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 25 Jul 2023 22:21:11 +0200 Subject: container: T5365: ensure container mogration systemd steps are run with sudo --- src/migration-scripts/container/0-to-1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/migration-scripts/container/0-to-1 b/src/migration-scripts/container/0-to-1 index 9fcf295e8..86f89ee04 100755 --- a/src/migration-scripts/container/0-to-1 +++ b/src/migration-scripts/container/0-to-1 @@ -39,12 +39,12 @@ config = ConfigTree(config_file) if config.exists(base): for container in config.list_nodes(base): # Stop any given container first - call(f'systemctl stop vyos-container-{container}.service') + call(f'sudo systemctl stop vyos-container-{container}.service') # Export container image for later re-import to new filesystem. We store # the backup on a real disk as a tmpfs (like /tmp) could probably lack # memory if a host has too many containers stored. image_name = config.return_value(base + [container, 'image']) - call(f'podman image save --quiet --output /root/{container}.tar --format oci-archive {image_name}') + call(f'sudo podman image save --quiet --output /root/{container}.tar --format oci-archive {image_name}') # No need to adjust the strage driver online (this is only used for testing and # debugging on a live system) - it is already overlay2 when the migration script @@ -66,10 +66,10 @@ if config.exists(base): # Export container image for later re-import to new filesystem image_name = config.return_value(base + [container, 'image']) image_path = f'/root/{container}.tar' - call(f'podman image load --quiet --input {image_path}') + call(f'sudo podman image load --quiet --input {image_path}') # Start any given container first - call(f'systemctl start vyos-container-{container}.service') + call(f'sudo systemctl start vyos-container-{container}.service') # Delete temporary container image if os.path.exists(image_path): -- cgit v1.2.3 From 20ac831df73aa89da4eb172bfb4d5f4256071983 Mon Sep 17 00:00:00 2001 From: Jonathan Voss Date: Tue, 25 Jul 2023 14:25:42 -0500 Subject: static: T5398: do not mangle interface names in FRR --- src/conf_mode/protocols_static.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py index 7b6150696..5def8d645 100755 --- a/src/conf_mode/protocols_static.py +++ b/src/conf_mode/protocols_static.py @@ -47,7 +47,7 @@ def get_config(config=None): base_path = ['protocols', 'static'] # eqivalent of the C foo ? 'a' : 'b' statement base = vrf and ['vrf', 'name', vrf, 'protocols', 'static'] or base_path - static = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + static = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) # Assign the name of our VRF context if vrf: static['vrf'] = vrf -- cgit v1.2.3 From b3eaa3c11a3754eed11602286baf10320af3b48e Mon Sep 17 00:00:00 2001 From: Apachez Date: Wed, 26 Jul 2023 11:25:42 +0200 Subject: T5399: VRF-support for show ntp --- src/op_mode/show_ntp.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/op_mode/show_ntp.sh b/src/op_mode/show_ntp.sh index 85f8eda15..4b59b801e 100755 --- a/src/op_mode/show_ntp.sh +++ b/src/op_mode/show_ntp.sh @@ -18,7 +18,7 @@ if ! ps -C chronyd &>/dev/null; then fi PID=$(pgrep chronyd | head -n1) -VRF_NAME=$(ip vrf identify ) +VRF_NAME=$(ip vrf identify ${PID}) if [ ! -z ${VRF_NAME} ]; then VRF_CMD="sudo ip vrf exec ${VRF_NAME}" -- cgit v1.2.3 From 9e0a9b7df3d7187173feaf922fedbac8f0f0b674 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 26 Jul 2023 22:28:43 +0200 Subject: openvpn: T4974: do not automatically load the DCO module Module should be loaded/unloaded on demand. --- src/etc/modprobe.d/openvpn.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 src/etc/modprobe.d/openvpn.conf (limited to 'src') diff --git a/src/etc/modprobe.d/openvpn.conf b/src/etc/modprobe.d/openvpn.conf new file mode 100644 index 000000000..a9259fea2 --- /dev/null +++ b/src/etc/modprobe.d/openvpn.conf @@ -0,0 +1 @@ +blacklist ovpn-dco-v2 -- cgit v1.2.3 From fa07179ae7f1dc07e6ccc1b20d2b81384b6efe07 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 26 Jul 2023 23:14:19 +0200 Subject: openvpn: T4974: dynamically load/unload kernel module --- python/vyos/utils/kernel.py | 11 +++++++++++ src/conf_mode/interfaces-openvpn.py | 11 +++++++++++ 2 files changed, 22 insertions(+) (limited to 'src') diff --git a/python/vyos/utils/kernel.py b/python/vyos/utils/kernel.py index 0eb113174..1f3bbdffe 100644 --- a/python/vyos/utils/kernel.py +++ b/python/vyos/utils/kernel.py @@ -25,3 +25,14 @@ def check_kmod(k_mod): if not os.path.exists(f'/sys/module/{module}'): if call(f'modprobe {module}') != 0: raise ConfigError(f'Loading Kernel module {module} failed') + +def unload_kmod(k_mod): + """ Common utility function to unload required kernel modules on demand """ + from vyos import ConfigError + from vyos.utils.process import call + if isinstance(k_mod, str): + k_mod = k_mod.split() + for module in k_mod: + if os.path.exists(f'/sys/module/{module}'): + if call(f'rmmod {module}') != 0: + raise ConfigError(f'Unloading Kernel module {module} failed') diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 607a19385..2e4bea377 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -56,6 +56,8 @@ from vyos.utils.list import is_list_equal from vyos.utils.file import makedir from vyos.utils.file import read_file from vyos.utils.file import write_file +from vyos.utils.kernel import check_kmod +from vyos.utils.kernel import unload_kmod from vyos.utils.process import call from vyos.utils.permission import chown from vyos.utils.process import cmd @@ -95,6 +97,8 @@ def get_config(config=None): openvpn['pki'] = tmp_pki if is_node_changed(conf, base + [ifname, 'openvpn-option']): openvpn.update({'restart_required': {}}) + if is_node_changed(conf, base + [ifname, 'enable-dco']): + openvpn.update({'restart_required': {}}) # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. @@ -679,6 +683,13 @@ def apply(openvpn): if not is_addr_assigned(openvpn['local_host']): cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1') + # dynamically load/unload DCO Kernel extension if requested + dco_module = 'ovpn_dco_v2' + if 'enable_dco' in openvpn: + check_kmod(dco_module) + else: + unload_kmod(dco_module) + # No matching OpenVPN process running - maybe it got killed or none # existed - nevertheless, spawn new OpenVPN process action = 'reload-or-restart' -- cgit v1.2.3 From 341a84240e6d85c62ad5500ab2ef6e19dcf63cef Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 27 Jul 2023 09:45:55 +0200 Subject: openvpn: T4974: restructure get_config() Preparation to make the code flow look more intuitive and add room to add parsing of additional OpenVPN interfaces for DCO module load. --- src/conf_mode/interfaces-openvpn.py | 47 +++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 2e4bea377..653474ed0 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -88,32 +88,33 @@ def get_config(config=None): conf = Config() base = ['interfaces', 'openvpn'] - tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - ifname, openvpn = get_interface_dict(conf, base) - - if 'deleted' not in openvpn: - openvpn['pki'] = tmp_pki - if is_node_changed(conf, base + [ifname, 'openvpn-option']): - openvpn.update({'restart_required': {}}) - if is_node_changed(conf, base + [ifname, 'enable-dco']): - openvpn.update({'restart_required': {}}) - - # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' - # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. - tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True) - - # We have to cleanup the config dict, as default values could enable features - # which are not explicitly enabled on the CLI. Example: server mfa totp - # originate comes with defaults, which will enable the - # totp plugin, even when not set via CLI so we - # need to check this first and drop those keys - if dict_search('server.mfa.totp', tmp) == None: - del openvpn['server']['mfa'] - openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn) + if 'deleted' in openvpn: + return openvpn + + openvpn['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + if is_node_changed(conf, base + [ifname, 'openvpn-option']): + openvpn.update({'restart_required': {}}) + if is_node_changed(conf, base + [ifname, 'enable-dco']): + openvpn.update({'restart_required': {}}) + + # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' + # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. + tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True) + + # We have to cleanup the config dict, as default values could enable features + # which are not explicitly enabled on the CLI. Example: server mfa totp + # originate comes with defaults, which will enable the + # totp plugin, even when not set via CLI so we + # need to check this first and drop those keys + if dict_search('server.mfa.totp', tmp) == None: + del openvpn['server']['mfa'] + return openvpn def is_ec_private_key(pki, cert_name): -- cgit v1.2.3 From 32b9ac3653fa27e90c0a6b16c3ab141fd4237cb7 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 27 Jul 2023 11:16:40 +0200 Subject: openvpn: T4974: move CLI node "enable-dco" -> "offload dco" to match other inetfaces Keep a common CLI structure by re-using the already established offload node from ethernet. --- data/templates/openvpn/server.conf.j2 | 3 +-- interface-definitions/interfaces-openvpn.xml.in | 19 +++++++++++------ src/conf_mode/interfaces-openvpn.py | 28 ++++++++++++++++++------- 3 files changed, 35 insertions(+), 15 deletions(-) (limited to 'src') diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index 525605240..d144529f3 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -48,11 +48,10 @@ push "redirect-gateway def1" {% if use_lzo_compression is vyos_defined %} compress lzo {% endif %} -{% if enable_dco is not vyos_defined %} +{% if offload.dco is not vyos_defined %} disable-dco {% endif %} - {% if mode is vyos_defined('client') %} # # OpenVPN Client mode diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index ca6d80f8b..127a8179b 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -285,6 +285,19 @@ + + + Configurable offload options + + + + + Enable data channel offload on this interface + + + + + Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check system log to look for errors. @@ -793,12 +806,6 @@ - - - Use to enable OpenVPN data channel offload on this TUN interface - - - #include #include diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 653474ed0..3bef9b8f6 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -115,6 +115,18 @@ def get_config(config=None): if dict_search('server.mfa.totp', tmp) == None: del openvpn['server']['mfa'] + # OpenVPN Data-Channel-Offload (DCO) is a Kernel module. If loaded it applies to all + # OpenVPN interfaces. Check if DCO is used by any other interface instance. + tmp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + for interface, interface_config in tmp.items(): + # If one interface has DCO configured, enable it. No need to further check + # all other OpenVPN interfaces. We must use a dedicated key to indicate + # the Kernel module must be loaded or not. The per interface "offload.dco" + # key is required per OpenVPN interface instance. + if dict_search('offload.dco', interface_config) != None: + openvpn['module_load_dco'] = {} + break + return openvpn def is_ec_private_key(pki, cert_name): @@ -675,6 +687,15 @@ def apply(openvpn): if interface in interfaces(): VTunIf(interface).remove() + # dynamically load/unload DCO Kernel extension if requested + dco_module = 'ovpn_dco_v2' + if 'module_load_dco' in openvpn: + check_kmod(dco_module) + else: + unload_kmod(dco_module) + + # Now bail out early if interface is disabled or got deleted + if 'deleted' in openvpn or 'disable' in openvpn: return None # verify specified IP address is present on any interface on this system @@ -684,13 +705,6 @@ def apply(openvpn): if not is_addr_assigned(openvpn['local_host']): cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1') - # dynamically load/unload DCO Kernel extension if requested - dco_module = 'ovpn_dco_v2' - if 'enable_dco' in openvpn: - check_kmod(dco_module) - else: - unload_kmod(dco_module) - # No matching OpenVPN process running - maybe it got killed or none # existed - nevertheless, spawn new OpenVPN process action = 'reload-or-restart' -- cgit v1.2.3 From 3de59f1365e5b908d3b24748d77dcb0bd9477ca8 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 27 Jul 2023 11:18:11 +0200 Subject: wwan: T3795: remove superfluous call to set_level() --- src/conf_mode/interfaces-wwan.py | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py index 6658ca86a..2515dc838 100755 --- a/src/conf_mode/interfaces-wwan.py +++ b/src/conf_mode/interfaces-wwan.py @@ -75,7 +75,6 @@ def get_config(config=None): # We need to know the amount of other WWAN interfaces as ModemManager needs # to be started or stopped. - conf.set_level(base) wwan['other_interfaces'] = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) -- cgit v1.2.3 From f0a630cce26aa4f99e367bae2b41495c5f740f95 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Tue, 25 Jul 2023 02:36:49 -0400 Subject: T5127: vpnv4/vpnv6 : warning for router-id --- src/conf_mode/protocols_bgp.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src') diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index cec025fea..7b9f15505 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py @@ -475,6 +475,8 @@ def verify(bgp): if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']): raise ConfigError( 'Command "import vrf" conflicts with "rd vpn export" command!') + if not dict_search('parameters.router_id', bgp): + Warning(f'BGP "router-id" is required when using "rd" and "route-target"!') if dict_search('route_target.vpn.both', afi_config): if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']): -- cgit v1.2.3 From 7826a0e35e25e3d0e1a782c9507d49352e3dd720 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 29 Jul 2023 22:53:57 +0200 Subject: T3355: migrate "show dhcp client lease" to new op-mode style vyos@vyos# ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 Interface eth0.10 IP address 172.16.33.123 [Active] Subnet Mask 255.255.255.0 Domain Name vyos.net Router 172.16.33.254 Name Server 172.16.254.30 DHCP Server 172.16.33.254 DHCP Server 86400 Last Update Sat Jul 29 21:13:32 CEST 2023 Expiry Sun Jul 30 21:13:31 CEST 2023 vyos@vyos# ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 --raw [ { "last_update": "Sat Jul 29 21:13:32 CEST 2023", "reason": "BOUND", "interface": "eth0.10", "new_expiry": "1690744411", "new_dhcp_lease_time": "86400", "medium": "", "alias_ip_address": "", "new_ip_address": "172.16.33.123", "new_broadcast_address": "172.16.33.255", "new_subnet_mask": "255.255.255.0", "new_domain_name": "vyos.net", "new_network_number": "172.16.33.0", "new_domain_name_servers": "172.16.254.30", "new_routers": "172.16.33.254", "new_static_routes": "", "new_dhcp_server_identifier": "172.16.33.254", "new_dhcp_message_type": "5", "old_ip_address": "", "old_subnet_mask": "", "old_domain_name": "", "old_domain_name_servers": "", "old_routers": "", "old_static_routes": "" } ] --- op-mode-definitions/dhcp.xml.in | 24 +++++++++++++ src/op_mode/dhcp.py | 78 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 101 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/op-mode-definitions/dhcp.xml.in b/op-mode-definitions/dhcp.xml.in index 66584efc3..6855fe447 100644 --- a/op-mode-definitions/dhcp.xml.in +++ b/op-mode-definitions/dhcp.xml.in @@ -7,6 +7,30 @@ Show DHCP (Dynamic Host Configuration Protocol) information + + + Show DHCP client information + + + + + Show DHCP client leases + + + + + Show DHCP client information for a given interface + + + + + ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface $6 + + + ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet + + + Show DHCP server information diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py index 3e51e990b..653e670c5 100755 --- a/src/op_mode/dhcp.py +++ b/src/op_mode/dhcp.py @@ -14,10 +14,12 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import os import sys import typing from datetime import datetime +from glob import glob from ipaddress import ip_address from isc_dhcp_leases import IscDhcpLeases from tabulate import tabulate @@ -27,8 +29,9 @@ import vyos.opmode from vyos.base import Warning from vyos.configquery import ConfigTreeQuery -from vyos.utils.process import cmd from vyos.utils.dict import dict_search +from vyos.utils.file import read_file +from vyos.utils.process import cmd from vyos.utils.process import is_systemd_service_running config = ConfigTreeQuery() @@ -287,6 +290,79 @@ def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str], return _get_formatted_server_leases(lease_data, family=family) +def _get_raw_client_leases(family='inet', interface=None): + lease_dir = '/var/lib/dhcp' + lease_files = [] + lease_data = [] + + if interface: + tmp = f'{lease_dir}/dhclient_{interface}.lease' + if os.path.exists(tmp): + lease_files.append(tmp) + else: + # All DHCP leases + lease_files = glob(f'{lease_dir}/dhclient_*.lease') + + for lease in lease_files: + tmp = {} + with open(lease, 'r') as f: + for line in f.readlines(): + line = line.rstrip() + if 'last_update' not in tmp: + tmp.update({'last_update' : line}) + continue + + k, v = line.split('=') + tmp.update({k : v.replace("'", "")}) + + lease_data.append(tmp) + + return lease_data + +def _get_formatted_client_leases(lease_data, family): + from time import localtime + from time import strftime + + from vyos.validate import is_intf_addr_assigned + + data_entries = [] + for lease in lease_data: + data_entries.append(["Interface", lease['interface']]) + if 'new_ip_address' in lease: + tmp = '[Active]' if is_intf_addr_assigned(lease['interface'], lease['new_ip_address']) else '[Inactive]' + data_entries.append(["IP address", lease['new_ip_address'], tmp]) + if 'new_subnet_mask' in lease: + data_entries.append(["Subnet Mask", lease['new_subnet_mask']]) + if 'new_domain_name' in lease: + data_entries.append(["Domain Name", lease['new_domain_name']]) + if 'new_routers' in lease: + data_entries.append(["Router", lease['new_routers']]) + if 'new_domain_name_servers' in lease: + data_entries.append(["Name Server", lease['new_domain_name_servers']]) + if 'new_dhcp_server_identifier' in lease: + data_entries.append(["DHCP Server", lease['new_dhcp_server_identifier']]) + if 'new_dhcp_lease_time' in lease: + data_entries.append(["DHCP Server", lease['new_dhcp_lease_time']]) + if 'last_update' in lease: + data_entries.append(["Last Update", lease['last_update']]) + if 'new_expiry' in lease: + tmp = strftime('%a %b %d %H:%M:%S %Z %Y', localtime(int(lease['new_expiry']))) + data_entries.append(["Expiry", tmp]) + + # Add empty marker + data_entries.append(['']) + + output = tabulate(data_entries, tablefmt='plain') + + return output + +def show_client_leases(raw: bool, family: ArgFamily, interface: typing.Optional[str]): + lease_data = _get_raw_client_leases(family=family, interface=interface) + if raw: + return lease_data + else: + return _get_formatted_client_leases(lease_data, family=family) + if __name__ == '__main__': try: res = vyos.opmode.run(sys.modules[__name__]) -- cgit v1.2.3 From 1a44d8607f715934f2c03f28a9bf547321b26ed8 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 30 Jul 2023 22:03:53 +0200 Subject: T3355: always work with UNIX timestamps for dhcp client lease display ISC dhcp client contains least_update timestamp in human readable format this makes less sense for an API and also the expiry timestamp is provided in UNIX time. Convert string (e.g. Sun Jul 30 18:13:44 CEST 2023) to UNIX time (1690733624) vyos@vyos:~$ ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 Interface eth0.10 IP address 172.16.33.123 [Active] Subnet Mask 255.255.255.0 Domain Name vyos.net Router 172.16.33.254 Name Server 172.16.254.30 DHCP Server 172.16.33.254 DHCP Server 86400 Last Update Sun Jul 30 18:13:44 CEST 2023 Expiry Mon Jul 31 18:13:43 CEST 2023 vyos@vyos:~$ ${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface eth0.10 --raw [ { "last_update": 1690733624, "reason": "RENEW", "interface": "eth0.10", "new_expiry": "1690820023", "new_dhcp_lease_time": "86400", "medium": "", "alias_ip_address": "", "new_ip_address": "172.16.33.123", "new_broadcast_address": "172.16.33.255", "new_subnet_mask": "255.255.255.0", "new_domain_name": "vyos.net", "new_network_number": "172.16.33.0", "new_domain_name_servers": "172.16.254.30", "new_routers": "172.16.33.254", "new_static_routes": "", "new_dhcp_server_identifier": "172.16.33.254", "new_dhcp_message_type": "5", "old_ip_address": "172.16.33.123", "old_subnet_mask": "255.255.255.0", "old_domain_name": "vyos.net", "old_domain_name_servers": "172.16.254.30", "old_routers": "172.16.33.254", "old_static_routes": "" } ] --- src/op_mode/dhcp.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py index 653e670c5..20ef698bd 100755 --- a/src/op_mode/dhcp.py +++ b/src/op_mode/dhcp.py @@ -34,6 +34,8 @@ from vyos.utils.file import read_file from vyos.utils.process import cmd from vyos.utils.process import is_systemd_service_running +time_string = "%a %b %d %H:%M:%S %Z %Y" + config = ConfigTreeQuery() lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup'] sort_valid_inet = ['end', 'mac', 'hostname', 'ip', 'pool', 'remaining', 'start', 'state'] @@ -291,6 +293,9 @@ def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str], def _get_raw_client_leases(family='inet', interface=None): + from time import mktime + from datetime import datetime + lease_dir = '/var/lib/dhcp' lease_files = [] lease_data = [] @@ -309,7 +314,11 @@ def _get_raw_client_leases(family='inet', interface=None): for line in f.readlines(): line = line.rstrip() if 'last_update' not in tmp: - tmp.update({'last_update' : line}) + # ISC dhcp client contains least_update timestamp in human readable + # format this makes less sense for an API and also the expiry + # timestamp is provided in UNIX time. Convert string (e.g. Sun Jul + # 30 18:13:44 CEST 2023) to UNIX time (1690733624) + tmp.update({'last_update' : int(mktime(datetime.strptime(line, time_string).timetuple()))}) continue k, v = line.split('=') @@ -344,9 +353,10 @@ def _get_formatted_client_leases(lease_data, family): if 'new_dhcp_lease_time' in lease: data_entries.append(["DHCP Server", lease['new_dhcp_lease_time']]) if 'last_update' in lease: - data_entries.append(["Last Update", lease['last_update']]) + tmp = strftime(time_string, localtime(int(lease['last_update']))) + data_entries.append(["Last Update", tmp]) if 'new_expiry' in lease: - tmp = strftime('%a %b %d %H:%M:%S %Z %Y', localtime(int(lease['new_expiry']))) + tmp = strftime(time_string, localtime(int(lease['new_expiry']))) data_entries.append(["Expiry", tmp]) # Add empty marker -- cgit v1.2.3 From 230c3f5b9fedf055c15fc1e968b508c0fcaf0c59 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 31 Jul 2023 13:49:24 +0200 Subject: login: T4790: sync number of max RADIUS servers with equuleus branch (8) --- src/conf_mode/system-login.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index afd75913e..82941e0c0 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -54,7 +54,7 @@ MAX_USER_UID: int = 59999 # LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec MAX_RADIUS_TIMEOUT: int = 50 # MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) -MAX_RADIUS_COUNT: int = 25 +MAX_RADIUS_COUNT: int = 8 # Maximum number of supported TACACS servers MAX_TACACS_COUNT: int = 8 -- cgit v1.2.3 From 1d86092328ef43368fcb0bf348c14a01466e5892 Mon Sep 17 00:00:00 2001 From: 1vivy <1vivy@tutanota.com> Date: Sun, 23 Jul 2023 13:31:00 -0400 Subject: dhcpv6-pd: T5387: add support for no-release flag When no-release is specified, dhcp6c client will not release allocated address or prefix on client exit. vyos.ifconfig: dhcpv6: T5387: re-use options_file for no release flag [WIP] * Todo: render Jinja2 template and fill it vyos.ifconfig: dhcpv6: T5387: finish options_file and no release flag in cli vyos.ifconfig: dhcpv6: T5387: fix missing/wrong end tag vyos.ifconfig: dhcpv6: T5387: fix options, no var for -n dhcpv6-client: T5387: fix missing / from filepaths --- data/templates/dhcp-client/dhcp6c_daemon-options.j2 | 2 ++ interface-definitions/include/interface/dhcpv6-options.xml.i | 6 ++++++ python/vyos/ifconfig/interface.py | 2 ++ src/systemd/dhcp6c@.service | 4 +++- 4 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 data/templates/dhcp-client/dhcp6c_daemon-options.j2 (limited to 'src') diff --git a/data/templates/dhcp-client/dhcp6c_daemon-options.j2 b/data/templates/dhcp-client/dhcp6c_daemon-options.j2 new file mode 100644 index 000000000..d33d418fc --- /dev/null +++ b/data/templates/dhcp-client/dhcp6c_daemon-options.j2 @@ -0,0 +1,2 @@ +{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %} +DHCP6C_OPTS="-D -k /run/dhcp6c/dhcp6c.{{ ifname }}.sock -c /run/dhcp6c/dhcp6c.{{ ifname }}.conf -p /run/dhcp6c/dhcp6c.{{ ifname }}.pid {{ no_release }} {{ ifname }}" diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i index 609af1a2b..5ca1d525f 100644 --- a/interface-definitions/include/interface/dhcpv6-options.xml.i +++ b/interface-definitions/include/interface/dhcpv6-options.xml.i @@ -95,6 +95,12 @@ + + + Do not send a release message on client exit + + + diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index 120f2131b..99ddb2021 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -1288,9 +1288,11 @@ class Interface(Control): ifname = self.ifname config_file = f'/run/dhcp6c/dhcp6c.{ifname}.conf' + options_file = f'/run/dhcp6c/dhcp6c.{ifname}.options' systemd_service = f'dhcp6c@{ifname}.service' if enable and 'disable' not in self._config: + render(options_file, 'dhcp-client/dhcp6c_daemon-options.j2', self._config) render(config_file, 'dhcp-client/ipv6.j2', self._config) # We must ignore any return codes. This is required to enable diff --git a/src/systemd/dhcp6c@.service b/src/systemd/dhcp6c@.service index 9a97ee261..495cb7e26 100644 --- a/src/systemd/dhcp6c@.service +++ b/src/systemd/dhcp6c@.service @@ -2,14 +2,16 @@ Description=WIDE DHCPv6 client on %i Documentation=man:dhcp6c(8) man:dhcp6c.conf(5) ConditionPathExists=/run/dhcp6c/dhcp6c.%i.conf +ConditionPathExists=/run/dhcp6c/dhcp6c.%i.options After=vyos-router.service StartLimitIntervalSec=0 [Service] WorkingDirectory=/run/dhcp6c +EnvironmentFile=-/run/dhcp6c/dhcp6c.%i.options Type=forking PIDFile=/run/dhcp6c/dhcp6c.%i.pid -ExecStart=/usr/sbin/dhcp6c -D -k /run/dhcp6c/dhcp6c.%i.sock -c /run/dhcp6c/dhcp6c.%i.conf -p /run/dhcp6c/dhcp6c.%i.pid %i +ExecStart=/usr/sbin/dhcp6c $DHCP6C_OPTS Restart=on-failure RestartSec=20 -- cgit v1.2.3 From befd4045b59f6182591daa9f19702404791303ae Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Mon, 31 Jul 2023 16:51:52 +0000 Subject: T5406: webproxy op-mode command: add vrf support for blacklist update command --- op-mode-definitions/webproxy.xml.in | 11 +++++++++++ src/op_mode/webproxy_update_blacklist.sh | 9 ++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in index 4e555c3d9..57df44ff8 100644 --- a/op-mode-definitions/webproxy.xml.in +++ b/op-mode-definitions/webproxy.xml.in @@ -87,6 +87,17 @@ Update the webproxy blacklist database sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist + + + + Update webproxy blacklist database via specified VRF + + vrf name + + + sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}" + + diff --git a/src/op_mode/webproxy_update_blacklist.sh b/src/op_mode/webproxy_update_blacklist.sh index 4fb9a54c6..05ea86f9e 100755 --- a/src/op_mode/webproxy_update_blacklist.sh +++ b/src/op_mode/webproxy_update_blacklist.sh @@ -45,6 +45,9 @@ do --auto-update-blacklist) auto="yes" ;; + --vrf) + vrf="yes" + ;; (-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;; (*) break;; esac @@ -76,7 +79,11 @@ fi if [[ -n $update ]] && [[ $update -eq "yes" ]]; then tmp_blacklists='/tmp/blacklists.gz' - curl -o $tmp_blacklists $blacklist_url + if [[ -n $vrf ]] && [[ $vrf -eq "yes" ]]; then + sudo ip vrf exec $1 curl -o $tmp_blacklists $blacklist_url + else + curl -o $tmp_blacklists $blacklist_url + fi if [ $? -ne 0 ]; then echo "Unable to download [$blacklist_url]!" exit 1 -- cgit v1.2.3