
Update strip-private function to improve op command output for IPs
Open, Low, Public, ENHANCEMENT

Description

Currently, when running strip-private against op commands that contain IPs (both IPv4 and IPv6), the first 2 octets/hextets are replaced with fixed-width placeholders (i.e. xxx.xxx and xxxx:xxxx). This breaks the output's column alignment whenever those values didn't have the same length originally.

Example (note position of u/u):

vyos@vyos:~$ show interfaces ethernet | match "Interface|---|eth0.101"
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0.101         10.0.101.237/24                   u/u

vyos@vyos:~$ show interfaces ethernet | strip-private | match "Interface|---|eth0.101"
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0.101         xxx.xxx.101.237/24                   u/u

After the change, the stripped IP should have the same length as it had originally. This keeps the columns of the original output intact:

vyos@vyos:~$ show interfaces ethernet | strip-private | match "Interface|---|eth0.101"
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0.101         xx.x.101.237/24                   u/u

Details

Difficulty level: Easy (less than an hour)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Behavior change

Event Timeline

The suggested change, i.e. matching the number of "x" to the number of characters in each octet/hextet of the IPv4/IPv6 address, will be less anonymizing than today's method.

It will also be harder to quickly see/search for where replacement has occurred. For example, when I do this manually I replace sensitive information with "<REMOVED>" so it is easier to spot where I have removed info.

One workaround for this could be to make two versions of "strip-private"?

That is, today's version of "strip-private" will work similarly to today, where "10.1.22.123" is replaced with "xxx.xxx.xxx.xxx" (or perhaps just "x.x.x.x" to make it less likely that any rendering/output wraps into new lines or exceeds 80 characters per line).

But a second edition, which also would be opt-in due to new naming, could be something like "strip-private-less" where "10.1.22.123" would be replaced by "xx.x.22.123".

This way "strip-private" will fully anonymize sensitive information while "strip-private-less" will be "good enough" for situations where one wants to keep the rendering/output, or for whatever other reason feels that a full anonymization of the config is "too much" since it will also make some cases harder to troubleshoot.
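The masking rule described in the task and the two-variant proposal in the comment above, as an added Python example that is not the VyOS strip-private code: `strip_private` models today's fixed-width placeholders, `strip_private_less` the length-preserving variant, and `layout_preserved` checks whether the column alignment survived. The regexes, function names and the sample output are assumptions made for the illustration.

```python
import re

# Added example: illustrative re-implementation of the masking rule, not the
# VyOS strip-private code. Only the first two IPv4 octets / IPv6 hextets are
# masked, as the task describes.
IPV4 = re.compile(r'(?<![\w.])(\d{1,3})\.(\d{1,3})\.(\d{1,3}\.\d{1,3})(?![\w.])')
# Two leading hextets followed by ':'. Leading-compressed addresses ("::1") are
# not covered and other hex-like pairs (MAC addresses, clock times) would also
# match; a real tool handles those cases separately.
IPV6 = re.compile(r'(?<![\w:])([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4})(?=:)')

def _mask(text: str, preserve_length: bool) -> str:
    """Replace the first two octets/hextets with 'x' characters.
    preserve_length=False is today's fixed 'xxx.xxx' / 'xxxx:xxxx';
    preserve_length=True keeps each group's original width so the column
    alignment of op-command output survives."""
    def fill(group: str, fixed: str) -> str:
        return 'x' * len(group) if preserve_length else fixed

    def v4(m: re.Match) -> str:
        return f"{fill(m.group(1), 'xxx')}.{fill(m.group(2), 'xxx')}.{m.group(3)}"

    def v6(m: re.Match) -> str:
        return f"{fill(m.group(1), 'xxxx')}:{fill(m.group(2), 'xxxx')}"

    return IPV6.sub(v6, IPV4.sub(v4, text))

def strip_private(text: str) -> str:
    """Current behaviour: fixed-width placeholders, fully anonymizing."""
    return _mask(text, preserve_length=False)

def strip_private_less(text: str) -> str:
    """Proposed opt-in variant: keeps layout but leaks octet/hextet widths."""
    return _mask(text, preserve_length=True)

def layout_preserved(original: str, masked: str) -> bool:
    """True when every line keeps its length after masking."""
    return ([len(l) for l in original.splitlines()]
            == [len(l) for l in masked.splitlines()])

# Constructed sample modelled on the op-command output in the task.
SAMPLE = """\
Interface        IP Address                        S/L  Description
eth0.101         10.0.101.237/24                   u/u
eth1             2001:db8:1234::1/64               u/u
"""

if __name__ == '__main__':
    print(strip_private_less(SAMPLE), layout_preserved(SAMPLE, strip_private_less(SAMPLE)))
```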