
Make the strip-private filter obfuscate only passwords and private keys
Open, Low, Public, Feature Request

Description

Right now, the | strip-private filter does way too much: it even obfuscates IP and MAC addresses, so the configs it produces are certainly safe to share on public forums and channels, but their debugging value is limited.

The implementation also uses regexes, so it's prone to false positives, and it's impossible to tell from the code which exact config paths it redacts.

We should rework it to leave more decisions to the user and to make its obfuscation logic clearer.

Details

Version
-
Is it a breaking change?
Behavior change
Issue type
Feature (new functionality)

Event Timeline

I also agree that the "default" stripping behaviour should definitely be rethought for certain parts of the config. For example, the full public-key of the wireguard peers on interfaces gets shown:

interfaces {
    }
    wireguard wg0 {
        address xxx.xxx.74.1/30
        peer client {
            allowed-ips xxx.xxx.74.2/32
            persistent-keepalive 10
            public-key M/twt7g9aga2hw252gjaw+256zZ8EWY+GA7nHCiyfkc=
        }
        port 51820
        private-key xxxxxx
    }
}

A good way to more customizability, IMO, would probably be to have some presets (and also let you create some yourself) like:

show | strip-private "1,2,4"

Number 0 doesn't strip anything
Number 1 uses the default stripping behaviour
Number 2 strips only secrets, keys etc.
Number 3 strips only IPs
Number 4 strips only Ports
Number 5 strips only descriptions
Number 6 strips only external IPs
(etc., up to 10 for example)
...

and then let the user configure presets for their needs like:

set system config-stripping custom 11 firewall "3, 5" -> strips all IPs and descriptions for everything inside of firewall {}
set system config-stripping custom 12 interfaces "2, 6" -> strips all secrets, keys and external IPs from "interfaces"
set system config-stripping custom 13 nat "0" -> leaves everything in NAT unredacted

or maybe even something like

set system config-stripping custom 14 "firewall.ipv4.forward" "6" last-half

-> strips only the last half of each public IP within firewall { ipv4 { forward } }

This would surely be more than enough.


A new filter system where you can specify the part of the config and then the "obfuscation logic", all from within one line, would be very useful as well, but probably even harder to write and maintain:

For example:

show | strip-private "1;firewall.ipv4.forward=3c,5;nat=0"

The letters stand for the following:
a = first half gets filtered
b = second half gets filtered
c = every second char gets filtered
d = everything gets filtered
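
As an added illustration of the path-based approach asked for in the description and the per-path presets proposed in the comment above, here is a small Python redactor. It is example code written for this page, not VyOS's strip-private implementation and not part of this task: the "*" / "**" rule syntax, the mode letters a/b/c/d, the rule table, the fixed "xxxxxx" marker and the sample configuration are all assumptions made for the example. It parses the brace format into paths, applies the first matching rule, and returns an audit list of every path it actually touched, which is the property the description says the regex version lacks.

```python
# Added example (not VyOS code): a path-keyed redactor for "show configuration"
# output. Rules name explicit config paths instead of regexes, and the function
# returns an audit list of every path it actually touched. The "*"/"**" rule
# syntax, the a/b/c/d mode letters and the sample config are assumptions made
# for this illustration.
import re

# Constructed sample in VyOS brace format; every value here is made up.
SAMPLE = """\
interfaces {
    wireguard wg0 {
        address 203.0.113.1/30
        description "uplink to client"
        peer client {
            allowed-ips 203.0.113.2/32
            persistent-keepalive 10
            public-key M/twt7g9aga2hw252gjaw+256zZ8EWY+GA7nHCiyfkc=
        }
        port 51820
        private-key cHJpdmF0ZS1rZXktYnl0ZXMtZ28taGVyZQ==
    }
}
"""

IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?$")
MASK = "xxxxxx"  # fixed marker, as in the current output, so secret length is not leaked

# First match wins, so an explicit "leave nat alone" rule must precede the
# catch-all "** description" rule at the bottom.
DEFAULT_RULES = [
    ("nat **", "0"),                                   # 0: no redaction
    ("** private-key", "d"),                           # d: replace whole value
    ("** pre-shared-key", "d"),
    ("** plaintext-password", "d"),
    ("interfaces wireguard * peer * public-key", "d"),
    ("interfaces ** address", "a"),                    # a: mask first half
    ("interfaces ** allowed-ips", "a"),
    ("** description", "d"),
]


def path_matches(pattern, path):
    """Glob-like match on token lists: '*' is one token, '**' is any run of tokens."""
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        return any(path_matches(rest, path[i:]) for i in range(len(path) + 1))
    return bool(path) and head in ("*", path[0]) and path_matches(rest, path[1:])


def redact_value(value, mode):
    """Apply one mode letter to a leaf value; IPv4 halves are octet-aligned, quotes kept."""
    quoted = len(value) >= 2 and value[0] == value[-1] == '"'
    inner = value[1:-1] if quoted else value
    ip = IPV4.match(inner)
    half = len(inner) // 2
    if ip and mode in ("a", "b"):
        octets, prefix = ip.group(1).split("."), ip.group(2) or ""
        keep = slice(2, 4) if mode == "a" else slice(0, 2)
        masked = ["xxx"] * 4
        masked[keep] = octets[keep]
        inner = ".".join(masked) + prefix
    elif mode == "a":
        inner = "x" * half + inner[half:]
    elif mode == "b":
        inner = inner[:half] + "x" * (len(inner) - half)
    elif mode == "c":   # every second character
        inner = "".join(ch if i % 2 == 0 else "x" for i, ch in enumerate(inner))
    elif mode == "d":
        inner = MASK
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return f'"{inner}"' if quoted else inner


def strip_private(text, rules):
    """Redact leaf values of a config dump by path. Returns (text, audit), where
    audit lists each (path, mode) actually applied so the operator can see what changed."""
    compiled = [(pattern.split(), mode) for pattern, mode in rules]
    stack, out, audit = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}" or line.endswith("{"):
            if line == "}" and stack:
                stack.pop()
            elif line.endswith("{"):
                stack.append(line[:-1].split())   # e.g. ["wireguard", "wg0"]
            out.append(raw)
            continue
        key, _, value = line.partition(" ")
        path = [tok for node in stack for tok in node] + [key]
        mode = next((m for pat, m in compiled if path_matches(pat, path)), "0")
        if mode != "0" and value:
            value = redact_value(value.strip(), mode)
            audit.append((" ".join(path), mode))
        indent = raw[: len(raw) - len(raw.lstrip())]
        out.append(f"{indent}{key} {value}".rstrip())
    return "\n".join(out) + "\n", audit


if __name__ == "__main__":
    redacted, audit = strip_private(SAMPLE, DEFAULT_RULES)
    print(redacted)
    for path, mode in audit:
        print(f"redacted {path} (mode {mode})")
```

Because the rule table is data rather than regexes scattered through code, the set of redacted paths is visible in one place, and the audit list tells the person sharing the config exactly which leaves were altered. One caveat a practitioner would keep in mind: "first match wins" means rule order is part of the policy, so a user preset such as nat "0" must be checked against the catch-all rules it is meant to override.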

syncer changed the subtype of this task from "Task" to "Feature Request".
syncer moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.
dmbaturin changed Issue type from behavior-change to Feature (new functionality). Wed, Nov 27, 6:48 PM