diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies.json
index 91a757c16..08732bd4c 100644
--- a/data/config-mode-dependencies.json
+++ b/data/config-mode-dependencies.json
@@ -1,35 +1,35 @@
{
- "firewall": {"group_resync": ["nat", "policy-route"]},
+ "firewall": {"group_resync": ["conntrack", "nat", "policy-route"]},
"http_api": {"https": ["https"]},
"pki": {
"ethernet": ["interfaces-ethernet"],
"openvpn": ["interfaces-openvpn"],
"https": ["https"],
"ipsec": ["vpn_ipsec"],
"openconnect": ["vpn_openconnect"],
"sstp": ["vpn_sstp"]
},
"qos": {
"bonding": ["interfaces-bonding"],
"bridge": ["interfaces-bridge"],
"dummy": ["interfaces-dummy"],
"ethernet": ["interfaces-ethernet"],
"geneve": ["interfaces-geneve"],
"input": ["interfaces-input"],
"l2tpv3": ["interfaces-l2tpv3"],
"loopback": ["interfaces-loopback"],
"macsec": ["interfaces-macsec"],
"openvpn": ["interfaces-openvpn"],
"pppoe": ["interfaces-pppoe"],
"pseudo-ethernet": ["interfaces-pseudo-ethernet"],
"tunnel": ["interfaces-tunnel"],
"vti": ["interfaces-vti"],
"vxlan": ["interfaces-vxlan"],
"wireguard": ["interfaces-wireguard"],
"wireless": ["interfaces-wireless"],
"wwan": ["interfaces-wwan"]
},
"vpp": {
"ethernet": ["interfaces-ethernet"]
}
}
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 16a03fc6e..970869043 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,48 +1,58 @@
#!/usr/sbin/nft -f
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %}
{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %}
# we first flush all chains and render the content from scratch - this makes
# any delta check obsolete
flush chain raw {{ nft_ct_ignore_name }}
flush chain raw {{ nft_ct_timeout_name }}
table raw {
chain {{ nft_ct_ignore_name }} {
-{% if ignore.rule is vyos_defined %}
-{% for rule, rule_config in ignore.rule.items() %}
+{% if ignore.ipv4.rule is vyos_defined %}
+{% for rule, rule_config in ignore.ipv4.rule.items() %}
+ # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+ {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
+{% endfor %}
+{% endif %}
+ return
+ }
+ chain {{ nft_ct_timeout_name }} {
+{% if timeout.custom.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.rule.items() %}
+ # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+{% endfor %}
+{% endif %}
+ return
+ }
+
+{{ group_tmpl.groups(firewall_group, False) }}
+}
+
+flush chain ip6 raw {{ nft_ct_ignore_name }}
+flush chain ip6 raw {{ nft_ct_timeout_name }}
+
+table ip6 raw {
+ chain {{ nft_ct_ignore_name }} {
+{% if ignore.ipv6.rule is vyos_defined %}
+{% for rule, rule_config in ignore.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-{% set nft_command = '' %}
-{% if rule_config.inbound_interface is vyos_defined %}
-{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %}
-{% endif %}
-{% if rule_config.protocol is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %}
-{% endif %}
-{% if rule_config.destination.address is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %}
-{% endif %}
-{% if rule_config.destination.port is vyos_defined %}
-{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %}
-{% endif %}
-{% if rule_config.source.address is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %}
-{% endif %}
-{% if rule_config.source.port is vyos_defined %}
-{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %}
-{% endif %}
- {{ nft_command }} counter notrack comment ignore-{{ rule }}
+ {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
{% endfor %}
{% endif %}
return
}
chain {{ nft_ct_timeout_name }} {
{% if timeout.custom.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{% endfor %}
{% endif %}
return
}
+
+{{ group_tmpl.groups(firewall_group, True) }}
}
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 41e7627f5..768031c83 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -1,114 +1,145 @@
#!/usr/sbin/nft -f
# Required by wanloadbalance
table ip nat {
chain VYOS_PRE_SNAT_HOOK {
type nat hook postrouting priority 99; policy accept;
return
}
}
table inet mangle {
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
}
table raw {
chain VYOS_TCP_MSS {
type filter hook forward priority -300; policy accept;
}
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_PREROUTING_HOOK
counter jump FW_CONNTRACK
notrack
}
chain OUTPUT {
type filter hook output priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_OUTPUT_HOOK
counter jump FW_CONNTRACK
notrack
}
ct helper rpc_tcp {
type "rpc" protocol tcp;
}
ct helper rpc_udp {
type "rpc" protocol udp;
}
ct helper tns_tcp {
type "tns" protocol tcp;
}
chain VYOS_CT_HELPER {
ct helper set "rpc_tcp" tcp dport {111} return
ct helper set "rpc_udp" udp dport {111} return
ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
return
}
chain VYOS_CT_IGNORE {
return
}
chain VYOS_CT_TIMEOUT {
return
}
chain VYOS_CT_PREROUTING_HOOK {
return
}
chain VYOS_CT_OUTPUT_HOOK {
return
}
chain FW_CONNTRACK {
return
}
}
table ip6 raw {
chain VYOS_TCP_MSS {
type filter hook forward priority -300; policy accept;
}
chain vyos_rpfilter {
type filter hook prerouting priority -300; policy accept;
}
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_PREROUTING_HOOK
counter jump FW_CONNTRACK
notrack
}
chain OUTPUT {
type filter hook output priority -300; policy accept;
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_OUTPUT_HOOK
counter jump FW_CONNTRACK
notrack
}
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+
+ chain VYOS_CT_HELPER {
+ ct helper set "rpc_tcp" tcp dport {111} return
+ ct helper set "rpc_udp" udp dport {111} return
+ ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
+ return
+ }
+
+ chain VYOS_CT_IGNORE {
+ return
+ }
+
+ chain VYOS_CT_TIMEOUT {
+ return
+ }
+
chain VYOS_CT_PREROUTING_HOOK {
return
}
chain VYOS_CT_OUTPUT_HOOK {
return
}
chain FW_CONNTRACK {
return
}
}
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
new file mode 100644
index 000000000..8c34fb933
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/source-destination-group-ipv4.xml.i -->
+<node name="group">
+ <properties>
+ <help>Group</help>
+ </properties>
+ <children>
+ <leafNode name="address-group">
+ <properties>
+ <help>Group of addresses</help>
+ <completionHelp>
+ <path>firewall group address-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="domain-group">
+ <properties>
+ <help>Group of domains</help>
+ <completionHelp>
+ <path>firewall group domain-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="network-group">
+ <properties>
+ <help>Group of networks</help>
+ <completionHelp>
+ <path>firewall group network-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="port-group">
+ <properties>
+ <help>Group of ports</help>
+ <completionHelp>
+ <path>firewall group port-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i
index 696f76362..c0f632c70 100644
--- a/interface-definitions/include/version/conntrack-version.xml.i
+++ b/interface-definitions/include/version/conntrack-version.xml.i
@@ -1,3 +1,3 @@
<!-- include start from include/version/conntrack-version.xml.i -->
-<syntaxVersion component='conntrack' version='3'></syntaxVersion>
+<syntaxVersion component='conntrack' version='4'></syntaxVersion>
<!-- include end -->
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 8dad048b8..3abf9bbf0 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -1,346 +1,441 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="system">
<children>
<node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py">
<properties>
<help>Connection Tracking Engine Options</help>
<!-- Before NAT and conntrack-sync are configured -->
<priority>218</priority>
</properties>
<children>
<leafNode name="expect-table-size">
<properties>
<help>Size of connection tracking expect table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Number of entries allowed in connection tracking expect table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>2048</defaultValue>
</leafNode>
<leafNode name="hash-size">
<properties>
<help>Hash size for connection tracking table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Size of hash to use for connection tracking table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>32768</defaultValue>
</leafNode>
<node name="ignore">
<properties>
<help>Customized rules to ignore selective connection tracking</help>
</properties>
<children>
- <tagNode name="rule">
+ <node name="ipv4">
<properties>
- <help>Rule number</help>
- <valueHelp>
- <format>u32:1-999999</format>
- <description>Number of conntrack ignore rule</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-999999"/>
- </constraint>
- <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
+ <help>IPv4 rules</help>
</properties>
<children>
- #include <include/generic-description.xml.i>
- <node name="destination">
+ <tagNode name="rule">
<properties>
- <help>Destination parameters</help>
+ <help>Rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number of conntrack ignore rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
- #include <include/nat-address.xml.i>
- #include <include/nat-port.xml.i>
+ #include <include/generic-description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/source-destination-group-ipv4.xml.i>
+ #include <include/nat-address.xml.i>
+ #include <include/nat-port.xml.i>
+ </children>
+ </node>
+ <leafNode name="inbound-interface">
+ <properties>
+ <help>Interface to ignore connections tracking on</help>
+ <completionHelp>
+ <list>any</list>
+ <script>${vyos_completion_dir}/list_interfaces</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ #include <include/ip-protocol.xml.i>
+ <leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ <list>all tcp_udp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format><protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!<protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/source-destination-group-ipv4.xml.i>
+ #include <include/nat-address.xml.i>
+ #include <include/nat-port.xml.i>
+ </children>
+ </node>
</children>
- </node>
- <leafNode name="inbound-interface">
- <properties>
- <help>Interface to ignore connections tracking on</help>
- <completionHelp>
- <list>any</list>
- <script>${vyos_completion_dir}/list_interfaces</script>
- </completionHelp>
- </properties>
- </leafNode>
- #include <include/ip-protocol.xml.i>
- <leafNode name="protocol">
+ </tagNode>
+ </children>
+ </node>
+ <node name="ipv6">
+ <properties>
+ <help>IPv6 rules</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
<properties>
- <help>Protocol to match (protocol name, number, or "all")</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_protocols.sh</script>
- <list>all tcp_udp</list>
- </completionHelp>
- <valueHelp>
- <format>all</format>
- <description>All IP protocols</description>
- </valueHelp>
- <valueHelp>
- <format>tcp_udp</format>
- <description>Both TCP and UDP</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-255</format>
- <description>IP protocol number</description>
- </valueHelp>
- <valueHelp>
- <format><protocol></format>
- <description>IP protocol name</description>
- </valueHelp>
+ <help>Rule number</help>
<valueHelp>
- <format>!<protocol></format>
- <description>IP protocol name</description>
+ <format>u32:1-999999</format>
+ <description>Number of conntrack ignore rule</description>
</valueHelp>
<constraint>
- <validator name="ip-protocol"/>
+ <validator name="numeric" argument="--range 1-999999"/>
</constraint>
- </properties>
- </leafNode>
- <node name="source">
- <properties>
- <help>Source parameters</help>
+ <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
- #include <include/nat-address.xml.i>
- #include <include/nat-port.xml.i>
+ #include <include/generic-description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/nat-port.xml.i>
+ </children>
+ </node>
+ <leafNode name="inbound-interface">
+ <properties>
+ <help>Interface to ignore connections tracking on</help>
+ <completionHelp>
+ <list>any</list>
+ <script>${vyos_completion_dir}/list_interfaces</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ #include <include/ip-protocol.xml.i>
+ <leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ <list>all tcp_udp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format><protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!<protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/nat-port.xml.i>
+ </children>
+ </node>
</children>
- </node>
+ </tagNode>
</children>
- </tagNode>
+ </node>
+
</children>
</node>
<node name="log">
<properties>
<help>Log connection tracking events per protocol</help>
</properties>
<children>
<node name="icmp">
<properties>
<help>Log connection tracking events for ICMP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
<node name="other">
<properties>
<help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
<node name="tcp">
<properties>
<help>Log connection tracking events for TCP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
<node name="udp">
<properties>
<help>Log connection tracking events for UDP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
</children>
</node>
<node name="modules">
<properties>
<help>Connection tracking modules</help>
</properties>
<children>
<leafNode name="ftp">
<properties>
<help>FTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="h323">
<properties>
<help>H.323 connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="nfs">
<properties>
<help>NFS connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="pptp">
<properties>
<help>PPTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="sip">
<properties>
<help>SIP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="sqlnet">
<properties>
<help>SQLnet connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="tftp">
<properties>
<help>TFTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<leafNode name="table-size">
<properties>
<help>Size of connection tracking table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Number of entries allowed in connection tracking table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>262144</defaultValue>
</leafNode>
<node name="tcp">
<properties>
<help>TCP options</help>
</properties>
<children>
<leafNode name="half-open-connections">
<properties>
<help>Maximum number of TCP half-open connections</help>
<valueHelp>
<format>u32:1-2147483647</format>
<description>Generic connection timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-2147483647"/>
</constraint>
</properties>
<defaultValue>512</defaultValue>
</leafNode>
<leafNode name="loose">
<properties>
<help>Policy to track previously established connections</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>Allow tracking of previously established connections</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Do not allow tracking of previously established connections</description>
</valueHelp>
<constraint>
<regex>(enable|disable)</regex>
</constraint>
</properties>
<defaultValue>enable</defaultValue>
</leafNode>
<leafNode name="max-retrans">
<properties>
<help>Maximum number of packets that can be retransmitted without received an ACK</help>
<valueHelp>
<format>u32:1-255</format>
<description>Number of packets to be retransmitted</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
</children>
</node>
<node name="timeout">
<properties>
<help>Connection timeout options</help>
</properties>
<children>
<node name="custom">
<properties>
<help>Define custom timeouts per connection</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
#include <include/ip-protocol.xml.i>
<node name="protocol">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
</properties>
<children>
#include <include/conntrack/timeout-common-protocols.xml.i>
</children>
</node>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
</children>
</tagNode>
</children>
</node>
#include <include/conntrack/timeout-common-protocols.xml.i>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/python/vyos/template.py b/python/vyos/template.py
index e167488c6..c1b57b883 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -1,742 +1,820 @@
# Copyright 2019-2023 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see <http://www.gnu.org/licenses/>.
import functools
import os
from jinja2 import Environment
from jinja2 import FileSystemLoader
from jinja2 import ChainableUndefined
from vyos.defaults import directories
from vyos.utils.dict import dict_search_args
from vyos.utils.file import makedir
from vyos.utils.permission import chmod
from vyos.utils.permission import chown
# Holds template filters registered via register_filter()
_FILTERS = {}
_TESTS = {}
# reuse Environments with identical settings to improve performance
@functools.lru_cache(maxsize=2)
def _get_environment(location=None):
if location is None:
loc_loader=FileSystemLoader(directories["templates"])
else:
loc_loader=FileSystemLoader(location)
env = Environment(
# Don't check if template files were modified upon re-rendering
auto_reload=False,
# Cache up to this number of templates for quick re-rendering
cache_size=100,
loader=loc_loader,
trim_blocks=True,
undefined=ChainableUndefined,
extensions=['jinja2.ext.loopcontrols']
)
env.filters.update(_FILTERS)
env.tests.update(_TESTS)
return env
def register_filter(name, func=None):
"""Register a function to be available as filter in templates under given name.
It can also be used as a decorator, see below in this module for examples.
:raise RuntimeError:
when trying to register a filter after a template has been rendered already
:raise ValueError: when trying to register a name which was taken already
"""
if func is None:
return functools.partial(register_filter, name)
if _get_environment.cache_info().currsize:
raise RuntimeError(
"Filters can only be registered before rendering the first template"
)
if name in _FILTERS:
raise ValueError(f"A filter with name {name!r} was registered already")
_FILTERS[name] = func
return func
def register_test(name, func=None):
"""Register a function to be available as test in templates under given name.
It can also be used as a decorator, see below in this module for examples.
:raise RuntimeError:
when trying to register a test after a template has been rendered already
:raise ValueError: when trying to register a name which was taken already
"""
if func is None:
return functools.partial(register_test, name)
if _get_environment.cache_info().currsize:
raise RuntimeError(
"Tests can only be registered before rendering the first template"
)
if name in _TESTS:
raise ValueError(f"A test with name {name!r} was registered already")
_TESTS[name] = func
return func
def render_to_string(template, content, formater=None, location=None):
"""Render a template from the template directory, raise on any errors.
:param template: the path to the template relative to the template folder
:param content: the dictionary of variables to put into rendering context
:param formater:
if given, it has to be a callable the rendered string is passed through
The parsed template files are cached, so rendering the same file multiple times
does not cause as too much overhead.
If used everywhere, it could be changed to load the template from Python
environment variables from an importable Python module generated when the Debian
package is build (recovering the load time and overhead caused by having the
file out of the code).
"""
template = _get_environment(location).get_template(template)
rendered = template.render(content)
if formater is not None:
rendered = formater(rendered)
return rendered
def render(
destination,
template,
content,
formater=None,
permission=None,
user=None,
group=None,
location=None,
):
"""Render a template from the template directory to a file, raise on any errors.
:param destination: path to the file to save the rendered template in
:param permission: permission bitmask to set for the output file
:param user: user to own the output file
:param group: group to own the output file
All other parameters are as for :func:`render_to_string`.
"""
# Create the directory if it does not exist
folder = os.path.dirname(destination)
makedir(folder, user, group)
# As we are opening the file with 'w', we are performing the rendering before
# calling open() to not accidentally erase the file if rendering fails
rendered = render_to_string(template, content, formater, location)
# Write to file
with open(destination, "w") as file:
chmod(file.fileno(), permission)
chown(file.fileno(), user, group)
file.write(rendered)
##################################
# Custom template filters follow #
##################################
@register_filter('force_to_list')
def force_to_list(value):
""" Convert scalars to single-item lists and leave lists untouched """
if isinstance(value, list):
return value
else:
return [value]
@register_filter('seconds_to_human')
def seconds_to_human(seconds, separator=""):
""" Convert seconds to human-readable values like 1d6h15m23s """
from vyos.utils.convert import seconds_to_human
return seconds_to_human(seconds, separator=separator)
@register_filter('bytes_to_human')
def bytes_to_human(bytes, initial_exponent=0, precision=2):
""" Convert bytes to human-readable values like 1.44M """
from vyos.utils.convert import bytes_to_human
return bytes_to_human(bytes, initial_exponent=initial_exponent, precision=precision)
@register_filter('human_to_bytes')
def human_to_bytes(value):
""" Convert a data amount with a unit suffix to bytes, like 2K to 2048 """
from vyos.utils.convert import human_to_bytes
return human_to_bytes(value)
@register_filter('ip_from_cidr')
def ip_from_cidr(prefix):
""" Take an IPv4/IPv6 CIDR host and strip cidr mask.
Example:
192.0.2.1/24 -> 192.0.2.1, 2001:db8::1/64 -> 2001:db8::1
"""
from ipaddress import ip_interface
return str(ip_interface(prefix).ip)
@register_filter('address_from_cidr')
def address_from_cidr(prefix):
""" Take an IPv4/IPv6 CIDR prefix and convert the network to an "address".
Example:
192.0.2.0/24 -> 192.0.2.0, 2001:db8::/48 -> 2001:db8::
"""
from ipaddress import ip_network
return str(ip_network(prefix).network_address)
@register_filter('bracketize_ipv6')
def bracketize_ipv6(address):
""" Place a passed IPv6 address into [] brackets, do nothing for IPv4 """
if is_ipv6(address):
return f'[{address}]'
return address
@register_filter('dot_colon_to_dash')
def dot_colon_to_dash(text):
""" Replace dot and colon to dash for string
Example:
192.0.2.1 => 192-0-2-1, 2001:db8::1 => 2001-db8--1
"""
text = text.replace(":", "-")
text = text.replace(".", "-")
return text
@register_filter('generate_uuid4')
def generate_uuid4(text):
""" Generate random unique ID
Example:
% uuid4()
UUID('958ddf6a-ef14-4e81-8cfb-afb12456d1c5')
"""
from uuid import uuid4
return uuid4()
@register_filter('netmask_from_cidr')
def netmask_from_cidr(prefix):
""" Take CIDR prefix and convert the prefix length to a "subnet mask".
Example:
- 192.0.2.0/24 -> 255.255.255.0
- 2001:db8::/48 -> ffff:ffff:ffff::
"""
from ipaddress import ip_network
return str(ip_network(prefix).netmask)
@register_filter('netmask_from_ipv4')
def netmask_from_ipv4(address):
""" Take IP address and search all attached interface IP addresses for the
given one. After address has been found, return the associated netmask.
Example:
- 172.18.201.10 -> 255.255.255.128
"""
from netifaces import interfaces
from netifaces import ifaddresses
from netifaces import AF_INET
for interface in interfaces():
tmp = ifaddresses(interface)
if AF_INET in tmp:
for af_addr in tmp[AF_INET]:
if 'addr' in af_addr:
if af_addr['addr'] == address:
return af_addr['netmask']
raise ValueError
@register_filter('is_ip_network')
def is_ip_network(addr):
""" Take IP(v4/v6) address and validate if the passed argument is a network
or a host address.
Example:
- 192.0.2.0 -> False
- 192.0.2.10/24 -> False
- 192.0.2.0/24 -> True
- 2001:db8:: -> False
- 2001:db8::100 -> False
- 2001:db8::/48 -> True
- 2001:db8:1000::/64 -> True
"""
try:
from ipaddress import ip_network
# input variables must contain a / to indicate its CIDR notation
if len(addr.split('/')) != 2:
raise ValueError()
ip_network(addr)
return True
except:
return False
@register_filter('network_from_ipv4')
def network_from_ipv4(address):
""" Take IP address and search all attached interface IP addresses for the
given one. After address has been found, return the associated network
address.
Example:
- 172.18.201.10 has mask 255.255.255.128 -> network is 172.18.201.0
"""
netmask = netmask_from_ipv4(address)
from ipaddress import ip_interface
cidr_prefix = ip_interface(f'{address}/{netmask}').network
return address_from_cidr(cidr_prefix)
@register_filter('is_interface')
def is_interface(interface):
""" Check if parameter is a valid local interface name """
return os.path.exists(f'/sys/class/net/{interface}')
@register_filter('is_ip')
def is_ip(addr):
""" Check addr if it is an IPv4 or IPv6 address """
return is_ipv4(addr) or is_ipv6(addr)
@register_filter('is_ipv4')
def is_ipv4(text):
""" Filter IP address, return True on IPv4 address, False otherwise """
from ipaddress import ip_interface
try: return ip_interface(text).version == 4
except: return False
@register_filter('is_ipv6')
def is_ipv6(text):
""" Filter IP address, return True on IPv6 address, False otherwise """
from ipaddress import ip_interface
try: return ip_interface(text).version == 6
except: return False
@register_filter('first_host_address')
def first_host_address(text):
""" Return first usable (host) IP address from given prefix.
Example:
- 10.0.0.0/24 -> 10.0.0.1
- 2001:db8::/64 -> 2001:db8::
"""
from ipaddress import ip_interface
from ipaddress import IPv4Network
from ipaddress import IPv6Network
addr = ip_interface(text)
if addr.version == 4:
return str(addr.ip +1)
return str(addr.ip)
@register_filter('last_host_address')
def last_host_address(text):
""" Return first usable IP address from given prefix.
Example:
- 10.0.0.0/24 -> 10.0.0.254
- 2001:db8::/64 -> 2001:db8::ffff:ffff:ffff:ffff
"""
from ipaddress import ip_interface
from ipaddress import IPv4Network
from ipaddress import IPv6Network
addr = ip_interface(text)
if addr.version == 4:
return str(IPv4Network(addr).broadcast_address - 1)
return str(IPv6Network(addr).broadcast_address)
@register_filter('inc_ip')
def inc_ip(address, increment):
""" Increment given IP address by 'increment'
Example (inc by 2):
- 10.0.0.0/24 -> 10.0.0.2
- 2001:db8::/64 -> 2001:db8::2
"""
from ipaddress import ip_interface
return str(ip_interface(address).ip + int(increment))
@register_filter('dec_ip')
def dec_ip(address, decrement):
""" Decrement given IP address by 'decrement'
Example (inc by 2):
- 10.0.0.0/24 -> 10.0.0.2
- 2001:db8::/64 -> 2001:db8::2
"""
from ipaddress import ip_interface
return str(ip_interface(address).ip - int(decrement))
@register_filter('compare_netmask')
def compare_netmask(netmask1, netmask2):
"""
Compare two IP netmask if they have the exact same size.
compare_netmask('10.0.0.0/8', '20.0.0.0/8') -> True
compare_netmask('10.0.0.0/8', '20.0.0.0/16') -> False
"""
from ipaddress import ip_network
try:
return ip_network(netmask1).netmask == ip_network(netmask2).netmask
except:
return False
@register_filter('isc_static_route')
def isc_static_route(subnet, router):
# https://ercpe.de/blog/pushing-static-routes-with-isc-dhcp-server
# Option format is:
# <netmask>, <network-byte1>, <network-byte2>, <network-byte3>, <router-byte1>, <router-byte2>, <router-byte3>
# where bytes with the value 0 are omitted.
from ipaddress import ip_network
net = ip_network(subnet)
# add netmask
string = str(net.prefixlen) + ','
# add network bytes
if net.prefixlen:
width = net.prefixlen // 8
if net.prefixlen % 8:
width += 1
string += ','.join(map(str,tuple(net.network_address.packed)[:width])) + ','
# add router bytes
string += ','.join(router.split('.'))
return string
@register_filter('is_file')
def is_file(filename):
if os.path.exists(filename):
return os.path.isfile(filename)
return False
@register_filter('get_dhcp_router')
def get_dhcp_router(interface):
""" Static routes can point to a router received by a DHCP reply. This
helper is used to get the current default router from the DHCP reply.
Returns False of no router is found, returns the IP address as string if
a router is found.
"""
lease_file = directories['isc_dhclient_dir'] + f'/dhclient_{interface}.leases'
if not os.path.exists(lease_file):
return None
from vyos.utils.file import read_file
for line in read_file(lease_file).splitlines():
if 'option routers' in line:
(_, _, address) = line.split()
return address.rstrip(';')
@register_filter('natural_sort')
def natural_sort(iterable):
import re
from jinja2.runtime import Undefined
if isinstance(iterable, Undefined) or iterable is None:
return list()
def convert(text):
return int(text) if text.isdigit() else text.lower()
def alphanum_key(key):
return [convert(c) for c in re.split('([0-9]+)', str(key))]
return sorted(iterable, key=alphanum_key)
@register_filter('get_ipv4')
def get_ipv4(interface):
""" Get interface IPv4 addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr_v4()
@register_filter('get_ipv6')
def get_ipv6(interface):
""" Get interface IPv6 addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr_v6()
@register_filter('get_ip')
def get_ip(interface):
""" Get interface IP addresses"""
from vyos.ifconfig import Interface
return Interface(interface).get_addr()
def get_first_ike_dh_group(ike_group):
if ike_group and 'proposal' in ike_group:
for priority, proposal in ike_group['proposal'].items():
if 'dh_group' in proposal:
return 'dh-group' + proposal['dh_group']
return 'dh-group2' # Fallback on dh-group2
@register_filter('get_esp_ike_cipher')
def get_esp_ike_cipher(group_config, ike_group=None):
pfs_lut = {
'dh-group1' : 'modp768',
'dh-group2' : 'modp1024',
'dh-group5' : 'modp1536',
'dh-group14' : 'modp2048',
'dh-group15' : 'modp3072',
'dh-group16' : 'modp4096',
'dh-group17' : 'modp6144',
'dh-group18' : 'modp8192',
'dh-group19' : 'ecp256',
'dh-group20' : 'ecp384',
'dh-group21' : 'ecp521',
'dh-group22' : 'modp1024s160',
'dh-group23' : 'modp2048s224',
'dh-group24' : 'modp2048s256',
'dh-group25' : 'ecp192',
'dh-group26' : 'ecp224',
'dh-group27' : 'ecp224bp',
'dh-group28' : 'ecp256bp',
'dh-group29' : 'ecp384bp',
'dh-group30' : 'ecp512bp',
'dh-group31' : 'curve25519',
'dh-group32' : 'curve448'
}
ciphers = []
if 'proposal' in group_config:
for priority, proposal in group_config['proposal'].items():
# both encryption and hash need to be specified for a proposal
if not {'encryption', 'hash'} <= set(proposal):
continue
tmp = '{encryption}-{hash}'.format(**proposal)
if 'prf' in proposal:
tmp += '-' + proposal['prf']
if 'dh_group' in proposal:
tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ]
elif 'pfs' in group_config and group_config['pfs'] != 'disable':
group = group_config['pfs']
if group_config['pfs'] == 'enable':
group = get_first_ike_dh_group(ike_group)
tmp += '-' + pfs_lut[group]
ciphers.append(tmp)
return ciphers
@register_filter('get_uuid')
def get_uuid(interface):
""" Get interface IP addresses"""
from uuid import uuid1
return uuid1()
openvpn_translate = {
'des': 'des-cbc',
'3des': 'des-ede3-cbc',
'bf128': 'bf-cbc',
'bf256': 'bf-cbc',
'aes128gcm': 'aes-128-gcm',
'aes128': 'aes-128-cbc',
'aes192gcm': 'aes-192-gcm',
'aes192': 'aes-192-cbc',
'aes256gcm': 'aes-256-gcm',
'aes256': 'aes-256-cbc'
}
@register_filter('openvpn_cipher')
def get_openvpn_cipher(cipher):
if cipher in openvpn_translate:
return openvpn_translate[cipher].upper()
return cipher.upper()
@register_filter('openvpn_ncp_ciphers')
def get_openvpn_ncp_ciphers(ciphers):
out = []
for cipher in ciphers:
if cipher in openvpn_translate:
out.append(openvpn_translate[cipher])
else:
out.append(cipher)
return ':'.join(out).upper()
@register_filter('snmp_auth_oid')
def snmp_auth_oid(type):
if type not in ['md5', 'sha', 'aes', 'des', 'none']:
raise ValueError()
OIDs = {
'md5' : '.1.3.6.1.6.3.10.1.1.2',
'sha' : '.1.3.6.1.6.3.10.1.1.3',
'aes' : '.1.3.6.1.6.3.10.1.2.4',
'des' : '.1.3.6.1.6.3.10.1.2.2',
'none': '.1.3.6.1.6.3.10.1.2.1'
}
return OIDs[type]
@register_filter('nft_action')
def nft_action(vyos_action):
if vyos_action == 'accept':
return 'return'
return vyos_action
@register_filter('nft_rule')
def nft_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name='ip'):
from vyos.firewall import parse_rule
return parse_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name)
@register_filter('nft_default_rule')
def nft_default_rule(fw_conf, fw_name, ipv6=False):
output = ['counter']
default_action = fw_conf['default_action']
if 'enable_default_log' in fw_conf:
action_suffix = default_action[:1].upper()
output.append(f'log prefix "[{fw_name[:19]}-default-{action_suffix}]"')
#output.append(nft_action(default_action))
output.append(f'{default_action}')
if 'default_jump_target' in fw_conf:
target = fw_conf['default_jump_target']
def_suffix = '6' if ipv6 else ''
output.append(f'NAME{def_suffix}_{target}')
output.append(f'comment "{fw_name} default-action {default_action}"')
return " ".join(output)
@register_filter('nft_state_policy')
def nft_state_policy(conf, state):
out = [f'ct state {state}']
if 'log' in conf and 'enable' in conf['log']:
log_state = state[:3].upper()
log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper()
out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"')
if 'log_level' in conf:
log_level = conf['log_level']
out.append(f'level {log_level}')
out.append('counter')
if 'action' in conf:
out.append(conf['action'])
return " ".join(out)
@register_filter('nft_intra_zone_action')
def nft_intra_zone_action(zone_conf, ipv6=False):
if 'intra_zone_filtering' in zone_conf:
intra_zone = zone_conf['intra_zone_filtering']
fw_name = 'ipv6_name' if ipv6 else 'name'
name_prefix = 'NAME6_' if ipv6 else 'NAME_'
if 'action' in intra_zone:
if intra_zone['action'] == 'accept':
return 'return'
return intra_zone['action']
elif dict_search_args(intra_zone, 'firewall', fw_name):
name = dict_search_args(intra_zone, 'firewall', fw_name)
return f'jump {name_prefix}{name}'
return 'return'
@register_filter('nft_nested_group')
def nft_nested_group(out_list, includes, groups, key):
if not vyos_defined(out_list):
out_list = []
def add_includes(name):
if key in groups[name]:
for item in groups[name][key]:
if item in out_list:
continue
out_list.append(item)
if 'include' in groups[name]:
for name_inc in groups[name]['include']:
add_includes(name_inc)
for name in includes:
add_includes(name)
return out_list
@register_filter('nat_rule')
def nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
from vyos.nat import parse_nat_rule
return parse_nat_rule(rule_conf, rule_id, nat_type, ipv6)
@register_filter('nat_static_rule')
def nat_static_rule(rule_conf, rule_id, nat_type):
from vyos.nat import parse_nat_static_rule
return parse_nat_static_rule(rule_conf, rule_id, nat_type)
+@register_filter('conntrack_ignore_rule')
+def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
+ ip_prefix = 'ip6' if ipv6 else 'ip'
+ def_suffix = '6' if ipv6 else ''
+ output = []
+
+ if 'inbound_interface' in rule_conf:
+ ifname = rule_conf['inbound_interface']
+ output.append(f'iifname {ifname}')
+
+ if 'protocol' in rule_conf:
+ proto = rule_conf['protocol']
+ output.append(f'meta l4proto {proto}')
+
+ for side in ['source', 'destination']:
+ if side in rule_conf:
+ side_conf = rule_conf[side]
+ prefix = side[0]
+
+ if 'address' in side_conf:
+ address = side_conf['address']
+ operator = ''
+ if address[0] == '!':
+ operator = '!='
+ address = address[1:]
+ output.append(f'{ip_prefix} {prefix}addr {operator} {address}')
+
+ if 'port' in side_conf:
+ port = side_conf['port']
+ operator = ''
+ if port[0] == '!':
+ operator = '!='
+ port = port[1:]
+ output.append(f'th {prefix}port {operator} {port}')
+
+ if 'group' in side_conf:
+ group = side_conf['group']
+
+ if 'address_group' in group:
+ group_name = group['address_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_prefix} {prefix}addr {operator} @A{def_suffix}_{group_name}')
+ # Generate firewall group domain-group
+ elif 'domain_group' in group:
+ group_name = group['domain_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_prefix} {prefix}addr {operator} @D_{group_name}')
+ elif 'network_group' in group:
+ group_name = group['network_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_prefix} {prefix}addr {operator} @N{def_suffix}_{group_name}')
+ if 'port_group' in group:
+ group_name = group['port_group']
+
+ if proto == 'tcp_udp':
+ proto = 'th'
+
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+
+ output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
+
+ output.append('counter notrack')
+ output.append(f'comment "ignore-{rule_id}"')
+
+ return " ".join(output)
+
@register_filter('range_to_regex')
def range_to_regex(num_range):
"""Convert range of numbers or list of ranges
to regex
% range_to_regex('11-12')
'(1[1-2])'
% range_to_regex(['11-12', '14-15'])
'(1[1-2]|1[4-5])'
"""
from vyos.range_regex import range_to_regex
if isinstance(num_range, list):
data = []
for entry in num_range:
if '-' not in entry:
data.append(entry)
else:
data.append(range_to_regex(entry))
return f'({"|".join(data)})'
if '-' not in num_range:
return num_range
regex = range_to_regex(num_range)
return f'({regex})'
@register_test('vyos_defined')
def vyos_defined(value, test_value=None, var_type=None):
"""
Jinja2 plugin to test if a variable is defined and not none - vyos_defined
will test value if defined and is not none and return true or false.
If test_value is supplied, the value must also pass == test_value to return true.
If var_type is supplied, the value must also be of the specified class/type
Examples:
1. Test if var is defined and not none:
{% if foo is vyos_defined %}
...
{% endif %}
2. Test if variable is defined, not none and has value "something"
{% if bar is vyos_defined("something") %}
...
{% endif %}
Parameters
----------
value : any
Value to test from ansible
test_value : any, optional
Value to test in addition of defined and not none, by default None
var_type : ['float', 'int', 'str', 'list', 'dict', 'tuple', 'bool'], optional
Type or Class to test for
Returns
-------
boolean
True if variable matches criteria, False in other cases.
Implementation inspired and re-used from https://github.com/aristanetworks/ansible-avd/
"""
from jinja2 import Undefined
if isinstance(value, Undefined) or value is None:
# Invalid value - return false
return False
elif test_value is not None and value != test_value:
# Valid value but not matching the optional argument
return False
elif str(var_type).lower() in ['float', 'int', 'str', 'list', 'dict', 'tuple', 'bool'] and str(var_type).lower() != type(value).__name__:
# Invalid class - return false
return False
else:
# Valid value and is matching optional argument if provided - return true
return True
diff --git a/smoketest/configs/basic-vyos b/smoketest/configs/basic-vyos
index 033c1a518..78dba3ee2 100644
--- a/smoketest/configs/basic-vyos
+++ b/smoketest/configs/basic-vyos
@@ -1,170 +1,182 @@
interfaces {
ethernet eth0 {
address 192.168.0.1/24
duplex auto
smp-affinity auto
speed auto
}
ethernet eth1 {
duplex auto
smp-affinity auto
speed auto
}
ethernet eth2 {
duplex auto
smp-affinity auto
speed auto
vif 100 {
address 100.100.0.1/24
}
vif-s 200 {
address 100.64.200.254/24
vif-c 201 {
address 100.64.201.254/24
}
vif-c 202 {
address 100.64.202.254/24
}
}
}
loopback lo {
}
}
protocols {
static {
arp 192.168.0.20 {
hwaddr 00:50:00:00:00:20
}
arp 192.168.0.30 {
hwaddr 00:50:00:00:00:30
}
arp 192.168.0.40 {
hwaddr 00:50:00:00:00:40
}
arp 100.100.0.2 {
hwaddr 00:50:00:00:02:02
}
arp 100.100.0.3 {
hwaddr 00:50:00:00:02:03
}
arp 100.100.0.4 {
hwaddr 00:50:00:00:02:04
}
arp 100.64.200.1 {
hwaddr 00:50:00:00:00:01
}
arp 100.64.200.2 {
hwaddr 00:50:00:00:00:02
}
arp 100.64.201.10 {
hwaddr 00:50:00:00:00:10
}
arp 100.64.201.20 {
hwaddr 00:50:00:00:00:20
}
arp 100.64.202.30 {
hwaddr 00:50:00:00:00:30
}
arp 100.64.202.40 {
hwaddr 00:50:00:00:00:40
}
route 0.0.0.0/0 {
next-hop 100.64.0.1 {
}
}
}
}
service {
dhcp-server {
shared-network-name LAN {
authoritative
subnet 192.168.0.0/24 {
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name vyos.net
domain-search vyos.net
range LANDynamic {
start 192.168.0.20
stop 192.168.0.240
}
}
}
}
dns {
forwarding {
allow-from 192.168.0.0/16
cache-size 10000
dnssec off
listen-address 192.168.0.1
}
}
ssh {
ciphers aes128-ctr,aes192-ctr,aes256-ctr
ciphers chacha20-poly1305@openssh.com,rijndael-cbc@lysator.liu.se
listen-address 192.168.0.1
key-exchange curve25519-sha256@libssh.org
key-exchange diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256
port 22
}
}
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
+ conntrack {
+ ignore {
+ rule 1 {
+ destination {
+ address 192.0.2.2
+ }
+ source {
+ address 192.0.2.1
+ }
+ }
+ }
+ }
host-name vyos
login {
user vyos {
authentication {
encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0
plaintext-password ""
}
}
}
name-server 192.168.0.1
syslog {
console {
facility all {
level emerg
}
facility mail {
level info
}
}
global {
facility all {
level info
}
facility protocols {
level debug
}
facility security {
level info
}
preserve-fqdn
}
host syslog.vyos.net {
facility local7 {
level notice
}
facility protocols {
level alert
}
facility security {
level warning
}
format {
octet-counted
}
port 8000
}
}
time-zone Europe/Berlin
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.6 */
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 9c43640a9..a0de914bc 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -1,161 +1,206 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import re
from sys import exit
from vyos.config import Config
from vyos.firewall import find_nftables_rule
from vyos.firewall import remove_nftables_rule
from vyos.utils.process import process_named_running
from vyos.utils.dict import dict_search
+from vyos.utils.dict import dict_search_args
from vyos.utils.process import cmd
+from vyos.utils.process import rc_cmd
from vyos.utils.process import run
from vyos.template import render
from vyos import ConfigError
from vyos import airbag
airbag.enable()
conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf'
sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf'
nftables_ct_file = r'/run/nftables-ct.conf'
# Every ALG (Application Layer Gateway) consists of either a Kernel Object
# also called a Kernel Module/Driver or some rules present in iptables
module_map = {
'ftp' : {
'ko' : ['nf_nat_ftp', 'nf_conntrack_ftp'],
},
'h323' : {
'ko' : ['nf_nat_h323', 'nf_conntrack_h323'],
},
'nfs' : {
'nftables' : ['ct helper set "rpc_tcp" tcp dport "{111}" return',
'ct helper set "rpc_udp" udp dport "{111}" return']
},
'pptp' : {
'ko' : ['nf_nat_pptp', 'nf_conntrack_pptp'],
},
'sip' : {
'ko' : ['nf_nat_sip', 'nf_conntrack_sip'],
},
'sqlnet' : {
'nftables' : ['ct helper set "tns_tcp" tcp dport "{1521,1525,1536}" return']
},
'tftp' : {
'ko' : ['nf_nat_tftp', 'nf_conntrack_tftp'],
},
}
+valid_groups = [
+ 'address_group',
+ 'domain_group',
+ 'network_group',
+ 'port_group'
+]
+
def resync_conntrackd():
tmp = run('/usr/libexec/vyos/conf_mode/conntrack_sync.py')
if tmp > 0:
print('ERROR: error restarting conntrackd!')
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['system', 'conntrack']
conntrack = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True,
with_recursive_defaults=True)
+ conntrack['firewall_group'] = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
return conntrack
def verify(conntrack):
- if dict_search('ignore.rule', conntrack) != None:
- for rule, rule_config in conntrack['ignore']['rule'].items():
- if dict_search('destination.port', rule_config) or \
- dict_search('source.port', rule_config):
- if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
- raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
+ for inet in ['ipv4', 'ipv6']:
+ if dict_search_args(conntrack, 'ignore', inet, 'rule') != None:
+ for rule, rule_config in conntrack['ignore'][inet]['rule'].items():
+ if dict_search('destination.port', rule_config) or \
+ dict_search('destination.group.port_group', rule_config) or \
+ dict_search('source.port', rule_config) or \
+ dict_search('source.group.port_group', rule_config):
+ if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
+ raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
+
+ for side in ['destination', 'source']:
+ if side in rule_config:
+ side_conf = rule_config[side]
+
+ if 'group' in side_conf:
+ if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1:
+ raise ConfigError('Only one address-group, network-group or domain-group can be specified')
+
+ for group in valid_groups:
+ if group in side_conf['group']:
+ group_name = side_conf['group'][group]
+ error_group = group.replace("_", "-")
+
+ if group in ['address_group', 'network_group', 'domain_group']:
+ if 'address' in side_conf:
+ raise ConfigError(f'{error_group} and address cannot both be defined')
+
+ if group_name and group_name[0] == '!':
+ group_name = group_name[1:]
+
+ if inet == 'ipv6':
+ group = f'ipv6_{group}'
+
+ group_obj = dict_search_args(conntrack['firewall_group'], group, group_name)
+
+ if group_obj is None:
+ raise ConfigError(f'Invalid {error_group} "{group_name}" on ignore rule')
+
+ if not group_obj:
+ Warning(f'{error_group} "{group_name}" has no members!')
return None
def generate(conntrack):
render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)
render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack)
-
- # dry-run newly generated configuration
- tmp = run(f'nft -c -f {nftables_ct_file}')
- if tmp > 0:
- if os.path.exists(nftables_ct_file):
- os.unlink(nftables_ct_file)
- raise ConfigError('Configuration file errors encountered!')
-
return None
-def find_nftables_ct_rule(rule):
+def find_nftables_ct_rule(table, chain, rule):
helper_search = re.search('ct helper set "(\w+)"', rule)
if helper_search:
rule = helper_search[1]
- return find_nftables_rule('raw', 'VYOS_CT_HELPER', [rule])
+ return find_nftables_rule(table, chain, [rule])
-def find_remove_rule(rule):
- handle = find_nftables_ct_rule(rule)
+def find_remove_rule(table, chain, rule):
+ handle = find_nftables_ct_rule(table, chain, rule)
if handle:
- remove_nftables_rule('raw', 'VYOS_CT_HELPER', handle)
+ remove_nftables_rule(table, chain, handle)
def apply(conntrack):
# Depending on the enable/disable state of the ALG (Application Layer Gateway)
# modules we need to either insmod or rmmod the helpers.
for module, module_config in module_map.items():
if dict_search(f'modules.{module}', conntrack) is None:
if 'ko' in module_config:
for mod in module_config['ko']:
# Only remove the module if it's loaded
if os.path.exists(f'/sys/module/{mod}'):
cmd(f'rmmod {mod}')
if 'nftables' in module_config:
for rule in module_config['nftables']:
- find_remove_rule(rule)
+ find_remove_rule('raw', 'VYOS_CT_HELPER', rule)
+ find_remove_rule('ip6 raw', 'VYOS_CT_HELPER', rule)
else:
if 'ko' in module_config:
for mod in module_config['ko']:
cmd(f'modprobe {mod}')
if 'nftables' in module_config:
for rule in module_config['nftables']:
- if not find_nftables_ct_rule(rule):
- cmd(f'nft insert rule ip raw VYOS_CT_HELPER {rule}')
+ if not find_nftables_ct_rule('raw', 'VYOS_CT_HELPER', rule):
+ cmd(f'nft insert rule raw VYOS_CT_HELPER {rule}')
+
+ if not find_nftables_ct_rule('ip6 raw', 'VYOS_CT_HELPER', rule):
+ cmd(f'nft insert rule ip6 raw VYOS_CT_HELPER {rule}')
# Load new nftables ruleset
- cmd(f'nft -f {nftables_ct_file}')
+ install_result, output = rc_cmd(f'nft -f {nftables_ct_file}')
+ if install_result == 1:
+ raise ConfigError(f'Failed to apply configuration: {output}')
if process_named_running('conntrackd'):
# Reload conntrack-sync daemon to fetch new sysctl values
resync_conntrackd()
# We silently ignore all errors
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1264080
cmd(f'sysctl -f {sysctl_file}')
return None
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)
diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py
index 7e2fe2462..eac3d37af 100755
--- a/src/helpers/vyos-domain-resolver.py
+++ b/src/helpers/vyos-domain-resolver.py
@@ -1,177 +1,179 @@
#!/usr/bin/env python3
#
# Copyright (C) 2022-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import json
import os
import time
from vyos.configdict import dict_merge
from vyos.configquery import ConfigTreeQuery
from vyos.firewall import fqdn_config_parse
from vyos.firewall import fqdn_resolve
from vyos.utils.commit import commit_in_progress
from vyos.utils.dict import dict_search_args
from vyos.utils.process import cmd
from vyos.utils.process import run
from vyos.xml_ref import get_defaults
base = ['firewall']
timeout = 300
cache = False
domain_state = {}
ipv4_tables = {
'ip vyos_mangle',
'ip vyos_filter',
- 'ip vyos_nat'
+ 'ip vyos_nat',
+ 'ip raw'
}
ipv6_tables = {
'ip6 vyos_mangle',
- 'ip6 vyos_filter'
+ 'ip6 vyos_filter',
+ 'ip6 raw'
}
def get_config(conf):
firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
no_tag_node_value_mangle=True)
default_values = get_defaults(base, get_first_key=True)
firewall = dict_merge(default_values, firewall)
global timeout, cache
if 'resolver_interval' in firewall:
timeout = int(firewall['resolver_interval'])
if 'resolver_cache' in firewall:
cache = True
fqdn_config_parse(firewall)
return firewall
def resolve(domains, ipv6=False):
global domain_state
ip_list = set()
for domain in domains:
resolved = fqdn_resolve(domain, ipv6=ipv6)
if resolved and cache:
domain_state[domain] = resolved
elif not resolved:
if domain not in domain_state:
continue
resolved = domain_state[domain]
ip_list = ip_list | resolved
return ip_list
def nft_output(table, set_name, ip_list):
output = [f'flush set {table} {set_name}']
if ip_list:
ip_str = ','.join(ip_list)
output.append(f'add element {table} {set_name} {{ {ip_str} }}')
return output
def nft_valid_sets():
try:
valid_sets = []
sets_json = cmd('nft -j list sets')
sets_obj = json.loads(sets_json)
for obj in sets_obj['nftables']:
if 'set' in obj:
family = obj['set']['family']
table = obj['set']['table']
name = obj['set']['name']
valid_sets.append((f'{family} {table}', name))
return valid_sets
except:
return []
def update(firewall):
conf_lines = []
count = 0
valid_sets = nft_valid_sets()
domain_groups = dict_search_args(firewall, 'group', 'domain_group')
if domain_groups:
for set_name, domain_config in domain_groups.items():
if 'address' not in domain_config:
continue
nft_set_name = f'D_{set_name}'
domains = domain_config['address']
ip_list = resolve(domains, ipv6=False)
for table in ipv4_tables:
if (table, nft_set_name) in valid_sets:
conf_lines += nft_output(table, nft_set_name, ip_list)
ip6_list = resolve(domains, ipv6=True)
for table in ipv6_tables:
if (table, nft_set_name) in valid_sets:
conf_lines += nft_output(table, nft_set_name, ip6_list)
count += 1
for set_name, domain in firewall['ip_fqdn'].items():
table = 'ip vyos_filter'
nft_set_name = f'FQDN_{set_name}'
ip_list = resolve([domain], ipv6=False)
if (table, nft_set_name) in valid_sets:
conf_lines += nft_output(table, nft_set_name, ip_list)
count += 1
for set_name, domain in firewall['ip6_fqdn'].items():
table = 'ip6 vyos_filter'
nft_set_name = f'FQDN_{set_name}'
ip_list = resolve([domain], ipv6=True)
if (table, nft_set_name) in valid_sets:
conf_lines += nft_output(table, nft_set_name, ip_list)
count += 1
nft_conf_str = "\n".join(conf_lines) + "\n"
code = run(f'nft -f -', input=nft_conf_str)
print(f'Updated {count} sets - result: {code}')
if __name__ == '__main__':
print(f'VyOS domain resolver')
count = 1
while commit_in_progress():
if ( count % 60 == 0 ):
print(f'Commit still in progress after {count}s - waiting')
count += 1
time.sleep(1)
conf = ConfigTreeQuery()
firewall = get_config(conf)
print(f'interval: {timeout}s - cache: {cache}')
while True:
update(firewall)
time.sleep(timeout)
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 96f163213..a5d1a31fa 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -1,445 +1,448 @@
#!/bin/bash
# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /lib/lsb/init-functions
: ${vyatta_env:=/etc/default/vyatta}
source $vyatta_env
declare progname=${0##*/}
declare action=$1; shift
declare -x BOOTFILE=$vyatta_sysconfdir/config/config.boot
# If vyos-config= boot option is present, use that file instead
for x in $(cat /proc/cmdline); do
[[ $x = vyos-config=* ]] || continue
VYOS_CONFIG="${x#vyos-config=}"
done
if [ ! -z "$VYOS_CONFIG" ]; then
if [ -r "$VYOS_CONFIG" ]; then
echo "Config selected manually: $VYOS_CONFIG"
declare -x BOOTFILE="$VYOS_CONFIG"
else
echo "WARNING: Could not read selected config file, using default!"
fi
fi
declare -a subinit
declare -a all_subinits=( firewall )
if [ $# -gt 0 ] ; then
for s in $@ ; do
[ -x ${vyatta_sbindir}/${s}.init ] && subinit[${#subinit}]=$s
done
else
for s in ${all_subinits[@]} ; do
[ -x ${vyatta_sbindir}/${s}.init ] && subinit[${#subinit}]=$s
done
fi
GROUP=vyattacfg
# easy way to make empty file without any command
empty()
{
>$1
}
# check if bootup of this portion is disabled
disabled () {
grep -q -w no-vyos-$1 /proc/cmdline
}
# if necessary, provide initial config
init_bootfile () {
if [ ! -r $BOOTFILE ] ; then
if [ -f $vyatta_sysconfdir/config.boot.default ]; then
cp $vyatta_sysconfdir/config.boot.default $BOOTFILE
else
$vyos_libexec_dir/system-versions-foot.py > $BOOTFILE
fi
chgrp ${GROUP} $BOOTFILE
chmod 660 $BOOTFILE
fi
}
# if necessary, migrate initial config
migrate_bootfile ()
{
if [ -x $vyos_libexec_dir/run-config-migration.py ]; then
log_progress_msg migrate
sg ${GROUP} -c "$vyos_libexec_dir/run-config-migration.py $BOOTFILE"
fi
}
# load the initial config
load_bootfile ()
{
log_progress_msg configure
(
if [ -f /etc/default/vyatta-load-boot ]; then
# build-specific environment for boot-time config loading
source /etc/default/vyatta-load-boot
fi
if [ -x $vyos_libexec_dir/vyos-boot-config-loader.py ]; then
sg ${GROUP} -c "$vyos_libexec_dir/vyos-boot-config-loader.py $BOOTFILE"
fi
)
}
# restore if missing pre-config script
restore_if_missing_preconfig_script ()
{
if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script ]; then
cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script
fi
}
# execute the pre-config script
run_preconfig_script ()
{
if [ -x $vyatta_sysconfdir/config/scripts/vyos-preconfig-bootup.script ]; then
$vyatta_sysconfdir/config/scripts/vyos-preconfig-bootup.script
fi
}
# restore if missing post-config script
restore_if_missing_postconfig_script ()
{
if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script ]; then
cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/
chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script
fi
}
# execute the post-config scripts
run_postconfig_scripts ()
{
if [ -x $vyatta_sysconfdir/config/scripts/vyatta-postconfig-bootup.script ]; then
$vyatta_sysconfdir/config/scripts/vyatta-postconfig-bootup.script
fi
if [ -x $vyatta_sysconfdir/config/scripts/vyos-postconfig-bootup.script ]; then
$vyatta_sysconfdir/config/scripts/vyos-postconfig-bootup.script
fi
}
run_postupgrade_script ()
{
if [ -f $vyatta_sysconfdir/config/.upgraded ]; then
# Run the system script
/usr/libexec/vyos/system/post-upgrade
# Run user scripts
if [ -d $vyatta_sysconfdir/config/scripts/post-upgrade.d ]; then
run-parts $vyatta_sysconfdir/config/scripts/post-upgrade.d
fi
rm -f $vyatta_sysconfdir/config/.upgraded
fi
}
#
# On image booted machines, we need to mount /boot from the image-specific
# boot directory so that kernel package installation will put the
# files in the right place. We also have to mount /boot/grub from the
# system-wide grub directory so that tools that edit the grub.cfg
# file will find it in the expected location.
#
bind_mount_boot ()
{
persist_path=$(/opt/vyatta/sbin/vyos-persistpath)
if [ $? == 0 ]; then
if [ -e $persist_path/boot ]; then
image_name=$(cat /proc/cmdline | sed -e s+^.*vyos-union=/boot/++ | sed -e 's/ .*$//')
if [ -n "$image_name" ]; then
mount --bind $persist_path/boot/$image_name /boot
if [ $? -ne 0 ]; then
echo "Couldn't bind mount /boot"
fi
if [ ! -d /boot/grub ]; then
mkdir /boot/grub
fi
mount --bind $persist_path/boot/grub /boot/grub
if [ $? -ne 0 ]; then
echo "Couldn't bind mount /boot/grub"
fi
fi
fi
fi
}
clear_or_override_config_files ()
{
for conf in snmp/snmpd.conf snmp/snmptrapd.conf snmp/snmp.conf \
keepalived/keepalived.conf cron.d/vyos-crontab \
ipvsadm.rules default/ipvsadm resolv.conf
do
if [ -s /etc/$conf ] ; then
empty /etc/$conf
chmod 0644 /etc/$conf
fi
done
}
update_interface_config ()
{
if [ -d /run/udev/vyos ]; then
$vyos_libexec_dir/vyos-interface-rescan.py $BOOTFILE
fi
}
cleanup_post_commit_hooks () {
# Remove links from the post-commit hooks directory.
# note that this approach only supports hooks that are "configured",
# i.e., it does not support hooks that need to always be present.
cpostdir=$(cli-shell-api getPostCommitHookDir)
# exclude commits hooks from vyatta-cfg
excluded="10vyatta-log-commit.pl 99vyos-user-postcommit-hooks"
if [ -d "$cpostdir" ]; then
for f in $cpostdir/*; do
if [[ ! $excluded =~ $(basename $f) ]]; then
rm -f $cpostdir/$(basename $f)
fi
done
fi
}
# These are all the default security setting which are later
# overridden when configuration is read. These are the values the
# system defaults.
security_reset ()
{
# restore PAM back to virgin state (no radius/tacacs services)
pam-auth-update --package --remove radius
rm -f /etc/pam_radius_auth.conf
pam-auth-update --package --remove tacplus
rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
# Certain configuration files are re-generated by the configuration
# subsystem and must reside under /etc and can not easily be moved to /run.
# So on every boot we simply delete any remaining files and let the CLI
# regenearte them.
# PPPoE
rm -f /etc/ppp/peers/pppoe* /etc/ppp/peers/wlm*
# IPSec
rm -rf /etc/ipsec.conf /etc/ipsec.secrets
find /etc/swanctl -type f | xargs rm -f
# limit cleanup
rm -f /etc/security/limits.d/10-vyos.conf
# iproute2 cleanup
rm -f /etc/iproute2/rt_tables.d/vyos-*.conf
# Container
rm -f /etc/containers/storage.conf /etc/containers/registries.conf /etc/containers/containers.conf
# Clean all networks and re-create them from our CLI
rm -f /etc/containers/networks/*
# System Options (SSH/cURL)
rm -f /etc/ssh/ssh_config.d/*vyos*.conf
rm -f /etc/curlrc
}
# XXX: T3885 - generate persistend DHCPv6 DUID (Type4 - UUID based)
gen_duid ()
{
DUID_FILE="/var/lib/dhcpv6/dhcp6c_duid"
UUID_FILE="/sys/class/dmi/id/product_uuid"
UUID_FILE_ALT="/sys/class/dmi/id/product_serial"
if [ ! -f ${UUID_FILE} ] && [ ! -f ${UUID_FILE_ALT} ]; then
return 1
fi
# DUID is based on the BIOS/EFI UUID. We omit additional - characters
if [ -f ${UUID_FILE} ]; then
UUID=$(cat ${UUID_FILE} | tr -d -)
fi
if [ -z ${UUID} ]; then
UUID=$(uuidgen --sha1 --namespace @dns --name $(cat ${UUID_FILE_ALT}) | tr -d -)
fi
# Add DUID type4 (UUID) information
DUID_TYPE="0004"
# The length-information (as per RFC6355 UUID is 128 bits long) is in big-endian
# format - beware when porting to ARM64. The length field consists out of the
# UUID (128 bit + 16 bits DUID type) resulting in hex 12.
DUID_LEN="0012"
if [ "$(echo -n I | od -to2 | head -n1 | cut -f2 -d" " | cut -c6 )" -eq 1 ]; then
# true on little-endian (x86) systems
DUID_LEN="1200"
fi
for i in $(echo -n ${DUID_LEN}${DUID_TYPE}${UUID} | sed 's/../& /g'); do
echo -ne "\x$i"
done > ${DUID_FILE}
}
start ()
{
# reset and clean config files
security_reset || log_failure_msg "security reset failed"
# some legacy directories migrated over from old rl-system.init
mkdir -p /var/run/vyatta /var/log/vyatta
chgrp vyattacfg /var/run/vyatta /var/log/vyatta
chmod 775 /var/run/vyatta /var/log/vyatta
log_daemon_msg "Waiting for NICs to settle down"
# On boot time udev migth take a long time to reorder nic's, this will ensure that
# all udev activity is completed and all nics presented at boot-time will have their
# final name before continuing with vyos-router initialization.
SECONDS=0
udevadm settle
STATUS=$?
log_progress_msg "settled in ${SECONDS}sec."
log_end_msg ${STATUS}
# mountpoint for bpf maps required by xdp
mount -t bpf none /sys/fs/bpf
# Clear out Debian APT source config file
empty /etc/apt/sources.list
# Generate DHCPv6 DUID
gen_duid || log_failure_msg "could not generate DUID"
# Mount a temporary filesystem for container networks.
# Configuration should be loaded from VyOS cli.
cni_dir="/etc/cni/net.d"
[ ! -d ${cni_dir} ] && mkdir -p ${cni_dir}
mount -t tmpfs none ${cni_dir}
# Init firewall
nfct helper add rpc inet tcp
nfct helper add rpc inet udp
nfct helper add tns inet tcp
+ nfct helper add rpc inet6 tcp
+ nfct helper add rpc inet6 udp
+ nfct helper add tns inet6 tcp
nft -f /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
rm -f /etc/hostname
${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name"
systemctl start frr.service
# As VyOS does not execute commands that are not present in the CLI we call
# the script by hand to have a single source for the login banner and MOTD
${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console"
${vyos_conf_scripts_dir}/system-login.py || log_failure_msg "could not reset system login"
${vyos_conf_scripts_dir}/system-login-banner.py || log_failure_msg "could not reset motd and issue files"
${vyos_conf_scripts_dir}/system-option.py || log_failure_msg "could not reset system option files"
${vyos_conf_scripts_dir}/conntrack.py || log_failure_msg "could not reset conntrack subsystem"
${vyos_conf_scripts_dir}/container.py || log_failure_msg "could not reset container subsystem"
clear_or_override_config_files || log_failure_msg "could not reset config files"
# enable some debugging before loading the configuration
if grep -q vyos-debug /proc/cmdline; then
log_action_begin_msg "Enable runtime debugging options"
touch /tmp/vyos.container.debug
touch /tmp/vyos.ifconfig.debug
touch /tmp/vyos.frr.debug
touch /tmp/vyos.container.debug
fi
log_action_begin_msg "Mounting VyOS Config"
# ensure the vyatta_configdir supports a large number of inodes since
# the config hierarchy is often inode-bound (instead of size).
# impose a minimum and then scale up dynamically with the actual size
# of the system memory.
local tmem=$(sed -n 's/^MemTotal: \+\([0-9]\+\) kB$/\1/p' /proc/meminfo)
local tpages
local tmpfs_opts="nosuid,nodev,mode=775,nr_inodes=0" #automatically allocate inodes
mount -o $tmpfs_opts -t tmpfs none ${vyatta_configdir} \
&& chgrp ${GROUP} ${vyatta_configdir}
log_action_end_msg $?
disabled bootfile || init_bootfile
cleanup_post_commit_hooks
log_daemon_msg "Starting VyOS router"
disabled migrate || migrate_bootfile
restore_if_missing_preconfig_script
run_preconfig_script
run_postupgrade_script
update_interface_config
for s in ${subinit[@]} ; do
if ! disabled $s; then
log_progress_msg $s
if ! ${vyatta_sbindir}/${s}.init start
then log_failure_msg
exit 1
fi
fi
done
bind_mount_boot
disabled configure || load_bootfile
log_end_msg $?
telinit q
chmod g-w,o-w /
restore_if_missing_postconfig_script
run_postconfig_scripts
}
stop()
{
local -i status=0
log_daemon_msg "Stopping VyOS router"
for ((i=${#sub_inits[@]} - 1; i >= 0; i--)) ; do
s=${subinit[$i]}
log_progress_msg $s
${vyatta_sbindir}/${s}.init stop
let status\|=$?
done
log_end_msg $status
log_action_begin_msg "Un-mounting VyOS Config"
umount ${vyatta_configdir}
log_action_end_msg $?
systemctl stop frr.service
}
case "$action" in
start) start ;;
stop) stop ;;
restart|force-reload) stop && start ;;
*) log_failure_msg "usage: $progname [ start|stop|restart ] [ subinit ... ]" ;
false ;;
esac
exit $?
# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End:
diff --git a/src/migration-scripts/conntrack/3-to-4 b/src/migration-scripts/conntrack/3-to-4
new file mode 100755
index 000000000..e90c383af
--- /dev/null
+++ b/src/migration-scripts/conntrack/3-to-4
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Add support for IPv6 conntrack ignore, move existing nodes to `system conntrack ignore ipv4`
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['system', 'conntrack']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+if config.exists(base + ['ignore', 'rule']):
+ config.set(base + ['ignore', 'ipv4'])
+ config.copy(base + ['ignore', 'rule'], base + ['ignore', 'ipv4', 'rule'])
+ config.delete(base + ['ignore', 'rule'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)