Enhancement #3195
Event trusted-networks-modify
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | <multiple packages> | |||
| Target version: | v6.6 | |||
| Resolution: | NEEDINFO: | No |
Description
- Templates and service reloads occurs in
networks-createandnetworks-deleteevents, and consider onlynetworksrecords.
A new event,trusted-networks-modifymust occur whenever VPN ornetworkrecords are changed.
networks-*event must be deprecated.
- The method
NetworksDB::local_access_specreturns green networks and records of typenetworkfromnetworksDB.
NetworksDB::local_access_specmust be modified to take into account VPN networks.
To provide a smooth transition to the new event, trusted-networks-modify must invoke the deprecated networks-create event. RPMs should quickly migrate to the new event.
Related issues
Associated revisions
Moved /esmith source directory into lib/perl/esmith. Refs #3195
NethServer::TrustedNetworks perl Module. Refs #3195
Extensible module to link multiple TrustedNetworks provider, like
VPNs.
TrustedNetworks.pm: added POD documentation. Refs #3195
TrustedNetworks perl module: added list_full() function. Refs #3195
Changed $results format to list of hash references.
trusted-networks helper: prints a JSON object. Refs #3195
trusted-networks-modify event. Refs #3195
This events obsoletes network-create network-modify and network-delete
events.
The network-create event is still invoked for backward compatibility.
LocalNetwork UI module: use trusted-networks helper. Refs #3195
nethserver-samba: bind to trusted-networks-modify event. Refs #3195
Merge branch 'b3195'. Refs #3195
nethserver-firewall-base: new trusted-networks-modify event performs firewall-adjust, removed here. Refs #3195
nethserver-mail-common: bind new trusted-networks-modify event. Refs #3195
nethserver-cups: bind new trusted-networks-modify event. Refs #3195
nethserver-httpd: bind new trusted-networks-modify event. Refs #3195
nethserver-hylafax: bind new trusted-networks-modify event. Refs #3195
LocalNetworks UI: invoke new trusted-networks-modify event. Refs #3195
nethserver-openvpn: trusted-networks provider implementation. Refs #3195
nethserver-ipsec: trusted-networks provider implementation. Refs #3195
.spec: add NethServer::TrustedNetworks Perl module. Refs #3195
nethserver-hylafax: trusted-networks-modify event is not required at all! Refs #3195
admin docs: trusted networks include VPNs automatically. Refs #3195
NetworksDB (local_access_spec): fixed trusted networks list building. Refs #3195
The method returned only the local address.
Fixed also INIT warning.
Don't die if roadwarrior network parameters are missing. Refs #3195
In TrustedNetworks::OpenVPN (openvpn_networks) provider.
legacy-call-network-create: fixed command path. Refs #3195
Reviewed Italian translation. Refs #3195
Check for network-create event existence. Refs #3195
LocalNetwork: fixed network in use validation. Refs #3195
Check the new network is not a subnet of an existing one, and
vice-versa.
Raise trusted-networks-modify when interfaces are modified. Refs #3195
Note: the firewall-adjust sub-event call in trusted-networks-modify is
required by lokkit-save event.
Unbind interface-update event. Refs #3195
The interface-update event invokes trusted-networks-modify, so
cupsd.conf expansion and daemon restart is not required in
interface-update itself.
openvpn: bind trusted-networks-modify event. Refs #3195
ipsec: bind trusted-networks-modify event. Refs #3195
openvpn: bind trusted-networks-modify event to nethserver-openvpn-save event. Refs #3195
trusted-networks-modify: add tunnel networks. Refs #3195
trusted-networks-modify: add networks from green aliases. Refs #3195
trusted-networks-modify: add tunnel networks. Refs #3195
samba: unbind interface-update event. Refs #3195
Use trusted-networks-modify event.
History
#1
Updated by Davide Principi about 6 years ago
- Description updated (diff)
#2
Updated by Davide Principi about 6 years ago
- Related to Feature #2919: mail-server: configure IP-based access policy from UI added
#3
Updated by Davide Principi about 6 years ago
Documentation change proposal:
#4
Updated by Giacomo Sanchietti about 6 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#5
Updated by Davide Principi about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#6
Updated by Davide Principi about 6 years ago
- Subject changed from Event trusted-networks-update to Event trusted-networks-modify
- Description updated (diff)
The -update suffix is generally used by packagename-update events. Here we are similar to record-modify semantics.
#7
Updated by Davide Principi about 6 years ago
Known legacy event consumers are
- nethserver-samba
- nethserver-firewall-base
- nethserver-mail-common
- nethserver-cups
- nethserver-httpd
- nethserver-hylafax
- ...
Known providers:
- nethserver-ipsec
- nethserver-openvpn
- green networks
- network records in networks DB
#8
Updated by Davide Principi about 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
MODIFIED
The following packages have been modified:
nethserver-base
nethserver-hylafax
nethserver-samba
nethserver-firewall-base
nethserver-mail-common
nethserver-cups
nethserver-httpd
nethserver-ipsec (provider)
nethserver-openvpn (provider)
API DOCUMENTATION
perldoc NethServer::TrustedNetworks
PACKAGER NOTE
Pull requests on documentation
- https://github.com/NethServer/nethserver-docs/pull/73
- https://github.com/NethServer/nethserver-docs/pull/71
Test case
Update all the packages to the modified version. Changes on Trusted Networks page must be applied on the system as before.
- nethserver-samba
checkhosts allowdirective insmb.confhas also IPsec and OpenVPN networks - nethserver-mail-common
check/etc/postfix/mynetworks.cidrhas also IPsec and OpenVPN networks - nethserver-cups
check/etc/cups/cupsd.confhas also IPsec and OpenVPN networks - nethserver-httpd
to test, install also nethserver-ibays and create a new ibay. Under web settings enableAllow access from trusted networks only. Check the.ibayfile under/etc/httpd/nethserver.d/has also IPsec and OpenVPN networks inAllow fromdirective. - nethserver-hylafax, just test install
- nethserver-firewall-base, just test install
- nethserver-base
checkTrusted Networkspage works correctly and changes are applied to underlying packages (see above).
#9
Updated by Davide Principi about 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-openvpn-1.2.1-1.1.g43b5436.ns6.noarch.rpmnethserver-openvpn-1.2.1-1.3.g59a6af2.ns6.noarch.rpm
nethserver-openvpn-1.2.1-1.4.gae278e3.ns6.noarch.rpmnethserver-ipsec-1.0.3-1.10.g260c52c.ns6.noarch.rpm
nethserver-ipsec-1.0.3-1.11.g76ca3b6.ns6.noarch.rpm
nethserver-httpd-2.4.1-1.1.gacbe582.ns6.noarch.rpm nethserver-cups-1.1.1-1.noarch.rpm
nethserver-cups-1.1.1-1.4.g315783b.ns6.noarch.rpm
nethserver-mail-common-1.5.0-1.1.g8d2e69c.ns6.noarch.rpm
nethserver-firewall-base-2.6.3-1.4.gae44624.ns6.noarch.rpm nethserver-samba-1.5.1-1.1.g0920486.ns6.noarch.rpm
nethserver-samba-1.5.1-1.2.ge5c9553.ns6.noarch.rpm
nethserver-hylafax-1.1.1-1.2.gec1196f.ns6.noarch.rpm nethserver-base-2.7.2-1.10.g932f163.ns6.noarch.rpm
nethserver-base-2.7.2-1.15.g9c6590f.ns6.noarch.rpm
#10
Updated by Davide Principi about 6 years ago
- Category changed from nethserver-base to <multiple packages>
#11
Updated by dz0 0te about 6 years ago
- Assignee set to dz0 0te
#12
Updated by dz0 0te about 6 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (
dz0 0te) - % Done changed from 70 to 20
System and Package Version installed
VM KVM - Clean install of Nethserver 6.6 fully updated
VM ip: 192.168.100.73
Package Installed: nethserver-base-2.7.2-1.ns6.noarch
nethserver-samba-1.5.1-1.ns6.noarch
nethserver-firewall-base-2.6.3-1.ns6.noarch
nethserver-hylafax-1.1.1-1.ns6.noarch
nethserver-openvpn-1.2.1-1.ns6.noarch
nethserver-mail-common-1.5.0-1.ns6.noarch
nethserver-cups-1.1.1-1.ns6.noarch
nethserver-ipsec-1.0.3-1.ns6.noarch
nethserver-httpd-2.4.1-1.ns6.noarch
Other Package installed: Basic firewall,Email,Fax server,File server,MySQL server,POP3 connector,Print server,SMTP proxy,VPN,Web filter,Web server
Test Original Problem
Enhancement
enabled/configured openvpn and ipsec
Install Updated Package
yum --enablerepo=nethserver-testing install nethserver-base nethserver-hylafax nethserver-samba nethserver-firewall-base nethserver-mail-common nethserver-cups nethserver-httpd nethserver-ipsec nethserver-openvpn
Test Results after update
disappeared existing trusted newtork (including the local LAN) from various config files
1. $ cat /etc/samba/smb.conf | grep allow
hosts allow = 127.0.0.1
- 10trustednetworks
#
127.0.0.1/32 OK
ex:
- Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow From 127.0.0.1
Allow From 192.168.100.0/255.255.255.0
Allow From 10.100.100.0/255.255.255.0
</Location>
4. $ cat /etc/httpd/nethserver.d/bayone.ibay | grep Allow
Order Deny,Allow
Allow from 127.0.0.1
AllowOverride None
5. add/del a new net from UI Trusting Network:
Task completed with errors
S10legacy-call-network-create #2 (exit status 32512)
Note
Disabling/re-enabling openvpn with other ip range, update the data in Trusted Networks ma still the same results from the previous test 1-4
2nd test on another clean vm with no pakachges installed.
After installing new packages, in Trusted Network: Empty Table
add/del new net same problem as before.
Enabling vpn still leaves various config with only 127.0.0.1
#13
Updated by Giacomo Sanchietti about 6 years ago
#14
Updated by Filippo Carletti about 6 years ago
Giacomo Sanchietti wrote:
See also: http://community.nethserver.org/t/allow-access-from-green-and-trusted-network
The page you requested doesn't exist or is private.
#15
Updated by Giacomo Sanchietti about 6 years ago
The page you requested doesn't exist or is private.
Here is the correct link:
http://community.nethserver.org/t/allow-access-from-green-and-trusted-networks/1182/2
#16
Updated by Davide Principi about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#17
Updated by Davide Principi about 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
MODIFIED
#18
Updated by Davide Principi about 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Davide Principi) - % Done changed from 60 to 70
In nethserver-testing:
nethserver-openvpn-1.2.1-1.2.g7d0aa23.ns6.noarch.rpmnethserver-base-2.7.2-1.11.g1a8cfe7.ns6.noarch.rpm
nethserver-base-2.7.2-1.12.g3cb8567.ns6.noarch.rpm
#19
Updated by Vasco Castelo Branco about 6 years ago
- Assignee set to Vasco Castelo Branco
#20
Updated by Davide Principi about 6 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (
Vasco Castelo Branco) - % Done changed from 70 to 20
- VPN ipsec net2net networks
- VPN openvpn user account networks
- bind
trusted-networks-modifyto the above item changes and packages installation - UI subnet checks (generic case of already-existing items)
#21
Updated by Davide Principi about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#22
Updated by Davide Principi about 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
Test case (additional)
- changes on
VPN > IPSec/L2TPpage, inNetwork address/maskmust be reflected into config files (see previous test case) - changes on
VPN > OpenVPNpage, inNetwork/mask, underRouted modemust be reflected into config files (see previous test case) - changes on
Networkpage must be reflected in config files for green interfaces. - Create a new item in
Trusted networkspage: the validator must refuse to create an already existing network, or a subnet or supernet of an existing network.
#23
Updated by Davide Principi about 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
see the note 9
#24
Updated by Vasco Castelo Branco about 6 years ago
- Assignee set to Vasco Castelo Branco
#25
Updated by Vasco Castelo Branco about 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Vasco Castelo Branco) - % Done changed from 70 to 90
Verified with:
nethserver-base-2.7.2-1.ns6.noarch
#26
Updated by Giacomo Sanchietti about 6 years ago
- Status changed from VERIFIED to ON_QA
- % Done changed from 90 to 70
Good verification so far, but I just added a couple of minor features.
We need just to test these ones.
- nethserver-openvpn-1.2.1-1.5.gb3e743d.ns6.noarch.rpm
- nethserver-ipsec-1.0.3-1.12.g182f6e4.ns6.noarch.rpm
- nethserver-base-2.7.2-1.16.gb45799e.ns6.noarch.rpm
- Create an alias for a green network
- Check the alias network is inside the trusted networks, you can use this command:
grep "hosts allow" /etc/samba/smb.conf
- Create an IPSec tunnel
- Check the right subnet is inside the trusted networks (use command from test case 1)
- Create a VPN account with an associated network and netmask
- Check the network is inside the trusted networks (use command from test case 1)
#27
Updated by Vasco Castelo Branco about 6 years ago
- Assignee set to Vasco Castelo Branco
#28
Updated by Vasco Castelo Branco about 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Vasco Castelo Branco) - % Done changed from 70 to 90
#29
Updated by Giacomo Sanchietti about 6 years ago
- Assignee set to Giacomo Sanchietti
#30
Updated by Giacomo Sanchietti about 6 years ago
- Status changed from VERIFIED to CLOSED
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 90 to 100
- nethserver-firewall-base-2.6.4-1.ns6.noarch.rpm
- nethserver-base-2.7.4-1.ns6.noarch.rpm
- nethserver-hylafax-1.1.2-1.ns6.noarch.rpm
- nethserver-samba-1.5.2-1.ns6.noarch.rpm
- nethserver-mail-common-1.5.1-1.ns6.noarch.rpm
- nethserver-cups-1.1.2-1.ns6.noarch.rpm
- nethserver-httpd-2.4.2-1.ns6.noarch.rpm
- nethserver-openvpn-1.2.2-1.ns6.noarch.rpm
Release of nethserver-ipsec is postponed until documentation will be ready.