diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py
index 645a0571d..a94c7efc6 100755
--- a/src/op_mode/show_ipsec_sa.py
+++ b/src/op_mode/show_ipsec_sa.py
@@ -1,114 +1,125 @@ #!/usr/bin/env python3 # # Copyright (C) 2019 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import re import sys import vici import tabulate import hurry.filesize import vyos.util +def format_output(conns, sas): + sa_data = [] -try: - session = vici.Session() - sas = session.list_sas() -except PermissionError: - print("You do not have a permission to connect to the IPsec daemon") - sys.exit(1) -except ConnectionRefusedError: - print("IPsec is not runing") - sys.exit(1) -except Exception as e: - print("An error occured: {0}".format(e)) - sys.exit(1) - -sa_data = [] - -for sa in sas: - # list_sas() returns a list of single-item dicts - for peer in sa: - parent_sa = sa[peer] - child_sas = parent_sa["child-sas"] - installed_sas = {k: v for k, v in child_sas.items() if v["state"] == b"INSTALLED"} + for peer, parent_conn in conn.items(): + if peer not in sas: + continue + + parent_sa = sas[peer] + child_sas = parent_sa['child-sas'] + installed_sas = {v['name'].decode(): v for k, v in child_sas.items() if v["state"] == b"INSTALLED"} # parent_sa["state"] = IKE state, child_sas["state"] = ESP state + state = 'down' + uptime = 'N/A' + if parent_sa["state"] == b"ESTABLISHED" and installed_sas: state = "up" - else: - state = "down" - - if state == "up": uptime = vyos.util.seconds_to_human(parent_sa["established"].decode()) - else: - uptime = "N/A" remote_host = parent_sa["remote-host"].decode() 
remote_id = parent_sa["remote-id"].decode() if remote_host == remote_id: remote_id = "N/A" # The counters can only be obtained from the child SAs - if not installed_sas: - data = [peer, state, "N/A", "N/A", "N/A", "N/A", "N/A", "N/A"] - sa_data.append(data) - else: - for csa in installed_sas: - isa = installed_sas[csa] - csa_name = isa['name'] - csa_name = csa_name.decode() - - bytes_in = hurry.filesize.size(int(isa["bytes-in"].decode())) - bytes_out = hurry.filesize.size(int(isa["bytes-out"].decode())) - bytes_str = "{0}/{1}".format(bytes_in, bytes_out) - - pkts_in = hurry.filesize.size(int(isa["packets-in"].decode()), system=hurry.filesize.si) - pkts_out = hurry.filesize.size(int(isa["packets-out"].decode()), system=hurry.filesize.si) - pkts_str = "{0}/{1}".format(pkts_in, pkts_out) - # Remove B from <1K values - pkts_str = re.sub(r'B', r'', pkts_str) - - enc = isa["encr-alg"].decode() - if "encr-keysize" in isa: - key_size = isa["encr-keysize"].decode() - else: - key_size = "" - if "integ-alg" in isa: - hash = isa["integ-alg"].decode() - else: - hash = "" - if "dh-group" in isa: - dh_group = isa["dh-group"].decode() - else: - dh_group = "" - - proposal = enc - if key_size: - proposal = "{0}_{1}".format(proposal, key_size) - if hash: - proposal = "{0}/{1}".format(proposal, hash) - if dh_group: - proposal = "{0}/{1}".format(proposal, dh_group) - - data = [csa_name, state, uptime, bytes_str, pkts_str, remote_host, remote_id, proposal] + for child_conn in parent_conn['children']: + if child_conn not in installed_sas: + data = [child_conn, "down", "N/A", "N/A", "N/A", "N/A", "N/A", "N/A"] sa_data.append(data) - -headers = ["Connection", "State", "Uptime", "Bytes In/Out", "Packets In/Out", "Remote address", "Remote ID", "Proposal"] -sa_data = sorted(sa_data, key=lambda peer: peer[0]) -output = tabulate.tabulate(sa_data, headers) -print(output) + continue + + isa = installed_sas[child_conn] + csa_name = isa['name'] + csa_name = csa_name.decode() + + bytes_in = 
hurry.filesize.size(int(isa["bytes-in"].decode())) + bytes_out = hurry.filesize.size(int(isa["bytes-out"].decode())) + bytes_str = "{0}/{1}".format(bytes_in, bytes_out) + + pkts_in = hurry.filesize.size(int(isa["packets-in"].decode()), system=hurry.filesize.si) + pkts_out = hurry.filesize.size(int(isa["packets-out"].decode()), system=hurry.filesize.si) + pkts_str = "{0}/{1}".format(pkts_in, pkts_out) + # Remove B from <1K values + pkts_str = re.sub(r'B', r'', pkts_str) + + enc = isa["encr-alg"].decode() + if "encr-keysize" in isa: + key_size = isa["encr-keysize"].decode() + else: + key_size = "" + if "integ-alg" in isa: + hash = isa["integ-alg"].decode() + else: + hash = "" + if "dh-group" in isa: + dh_group = isa["dh-group"].decode() + else: + dh_group = "" + + proposal = enc + if key_size: + proposal = "{0}_{1}".format(proposal, key_size) + if hash: + proposal = "{0}/{1}".format(proposal, hash) + if dh_group: + proposal = "{0}/{1}".format(proposal, dh_group) + + data = [csa_name, state, uptime, bytes_str, pkts_str, remote_host, remote_id, proposal] + sa_data.append(data) + return sa_data + +if __name__ == '__main__': + try: + session = vici.Session() + conns = {} + sas = {} + + for conn in session.list_conns(): + for key in conn: + conns[key] = conn[key] + + for sa in session.list_sas(): + for key in sa: + sas[key] = sa[key] + + headers = ["Connection", "State", "Uptime", "Bytes In/Out", "Packets In/Out", "Remote address", "Remote ID", "Proposal"] + sa_data = format_output(conns, sas) + sa_data = sorted(sa_data, key=lambda peer: peer[0]) + output = tabulate.tabulate(sa_data, headers) + print(output) + except PermissionError: + print("You do not have a permission to connect to the IPsec daemon") + sys.exit(1) + except ConnectionRefusedError: + print("IPsec is not runing") + sys.exit(1) + except Exception as e: + print("An error occured: {0}".format(e)) + sys.exit(1) 
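Review bot: `format_output` iterates `conn.items()` instead of its `conns` parameter, so it only works because `conn` leaks out of the `for conn in session.list_conns()` loop in the `__main__` block, and at that point `conn` is just the last single-item dict that `list_conns()` returned — every other configured connection is silently dropped from the table, and calling the function from anywhere else raises NameError. The loop header should read `for peer, parent_conn in conns.items():`. Related: the `if peer not in sas: continue` guard skips a configured peer that has no IKE SA at all, so a tunnel that never came up is absent rather than listed as `down`, which I assume is the reason `list_conns()` was consulted in the first place; if that is intended, a comment saying so would help, otherwise emit the `"down"` rows for `parent_conn['children']` before the `continue`. Operators read this output to confirm which tunnels are up, and a missing row is easy to misread as "nothing to report".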
diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py
index 622498a7f..00f34564a 100755
--- a/src/op_mode/vpn_ike_sa.py
+++ b/src/op_mode/vpn_ike_sa.py
@@ -1,70 +1,77 @@ #!/usr/bin/env python3 # # Copyright (C) 2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import argparse import re +import sys import vici +from vyos.util import process_named_running + ike_sa_peer_prefix = """\ Peer ID / IP Local ID / IP ------------ -------------""" ike_sa_tunnel_prefix = """ State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time ----- ------ ------- ---- --------- ----- ------ ------""" def s(byte_string): return str(byte_string, 'utf-8') def ike_sa(peer, nat): session = vici.Session() sas = session.list_sas() peers = [] for conn in sas: for name, sa in conn.items(): if peer and not name.startswith('peer_' + peer): continue if name.startswith('peer_') and name in peers: continue if nat and 'nat-local' not in sa: continue peers.append(name) remote_str = f'{s(sa["remote-host"])} {s(sa["remote-id"])}' if s(sa['remote-id']) != '%any' else s(sa["remote-host"]) local_str = f'{s(sa["local-host"])} {s(sa["local-id"])}' if s(sa['local-id']) != '%any' else s(sa["local-host"]) print(ike_sa_peer_prefix) print('%-39s %-39s' % (remote_str, local_str)) state = 'up' if 'state' in sa and s(sa['state']) == 'ESTABLISHED' else 'down' version = 'IKEv' + s(sa['version']) encryption = f'{s(sa["encr-alg"])}' if 'encr-alg' in sa else 'n/a' if 'encr-keysize' in sa: encryption += '_' + s(sa["encr-keysize"]) integrity = s(sa['integ-alg']) if 'integ-alg' in sa else 'n/a' dh_group = 
s(sa['dh-group']) if 'dh-group' in sa else 'n/a' natt = 'yes' if 'nat-local' in sa and s(sa['nat-local']) == 'yes' else 'no' atime = s(sa['established']) if 'established' in sa else '0' ltime = s(sa['rekey-time']) if 'rekey_time' in sa else '0' print(ike_sa_tunnel_prefix) print(' %-6s %-6s %-12s %-13s %-14s %-6s %-7s %-7s\n' % (state, version, encryption, integrity, dh_group, natt, atime, ltime)) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--peer', help='Peer name', required=False) parser.add_argument('--nat', help='NAT Traversal', required=False) args = parser.parse_args() - ike_sa(args.peer, args.nat) \ No newline at end of file + if not process_named_running('charon'): + print("IPSec Process NOT Running") + sys.exit(0) + + ike_sa(args.peer, args.nat)
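Review bot: The new `process_named_running('charon')` guard in the `__main__` block checks the process table, not the vici socket, so `ike_sa()` can still raise `ConnectionRefusedError` (charon starting or stopping between the check and `vici.Session()`) or `PermissionError` (the caller cannot open the vici socket) and the script then dies with a traceback; the sibling `show_ipsec_sa.py` catches exactly those two and exits 1, and this script should do the same rather than rely on the process name alone. The guard also exits 0 on "IPSec Process NOT Running" while `show_ipsec_sa.py` exits 1 for the same condition, which is inconsistent for anything scripting around these commands — if exit 0 is deliberate here, a one-line comment stating why would avoid it being "fixed" later. I would keep the fast-path message but wrap the call:
```python
    # … unchanged: argument parsing …
    if not process_named_running('charon'):
        print("IPSec Process NOT Running")
        sys.exit(1)

    try:
        ike_sa(args.peer, args.nat)
    except PermissionError:
        print("You do not have a permission to connect to the IPsec daemon")
        sys.exit(1)
    except ConnectionRefusedError:
        print("IPSec Process NOT Running")
        sys.exit(1)
```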