Enhancement #3195
Event trusted-networks-modify
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | <multiple packages> | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
- Templates and service reloads occur in `networks-create` and `networks-delete` events, and consider only `networks` records. A new event, `trusted-networks-modify`, must occur whenever VPN or `network` records are changed. `networks-*` events must be deprecated.
- The method `NetworksDB::local_access_spec` returns green networks and records of type `network` from `networks` DB. `NetworksDB::local_access_spec` must be modified to take into account VPN networks.

To provide a smooth transition to the new event, `trusted-networks-modify` must invoke the deprecated `networks-create` event. RPMs should quickly migrate to the new event.
Related issues
Associated revisions
Moved /esmith source directory into lib/perl/esmith. Refs #3195
NethServer::TrustedNetworks perl Module. Refs #3195
Extensible module to link multiple TrustedNetworks provider, like
VPNs.
TrustedNetworks.pm: added POD documentation. Refs #3195
TrustedNetworks perl module: added list_full() function. Refs #3195
Changed $results format to list of hash references.
trusted-networks helper: prints a JSON object. Refs #3195
trusted-networks-modify event. Refs #3195
This event obsoletes network-create, network-modify and network-delete events.
The network-create event is still invoked for backward compatibility.
LocalNetwork UI module: use trusted-networks helper. Refs #3195
nethserver-samba: bind to trusted-networks-modify event. Refs #3195
Merge branch 'b3195'. Refs #3195
nethserver-firewall-base: new trusted-networks-modify event performs firewall-adjust, removed here. Refs #3195
nethserver-mail-common: bind new trusted-networks-modify event. Refs #3195
nethserver-cups: bind new trusted-networks-modify event. Refs #3195
nethserver-httpd: bind new trusted-networks-modify event. Refs #3195
nethserver-hylafax: bind new trusted-networks-modify event. Refs #3195
LocalNetworks UI: invoke new trusted-networks-modify event. Refs #3195
nethserver-openvpn: trusted-networks provider implementation. Refs #3195
nethserver-ipsec: trusted-networks provider implementation. Refs #3195
.spec: add NethServer::TrustedNetworks Perl module. Refs #3195
nethserver-hylafax: trusted-networks-modify event is not required at all! Refs #3195
admin docs: trusted networks include VPNs automatically. Refs #3195
NetworksDB (local_access_spec): fixed trusted networks list building. Refs #3195
The method returned only the local address.
Fixed also INIT warning.
Don't die if roadwarrior network parameters are missing. Refs #3195
In TrustedNetworks::OpenVPN (openvpn_networks) provider.
legacy-call-network-create: fixed command path. Refs #3195
Reviewed Italian translation. Refs #3195
Check for network-create event existence. Refs #3195
LocalNetwork: fixed network in use validation. Refs #3195
Check the new network is not a subnet of an existing one, and
vice-versa.
Raise trusted-networks-modify when interfaces are modified. Refs #3195
Note: the firewall-adjust sub-event call in trusted-networks-modify is
required by lokkit-save event.
Unbind interface-update event. Refs #3195
The interface-update event invokes trusted-networks-modify, so
cupsd.conf expansion and daemon restart is not required in
interface-update itself.
openvpn: bind trusted-networks-modify event. Refs #3195
ipsec: bind trusted-networks-modify event. Refs #3195
openvpn: bind trusted-networks-modify event to nethserver-openvpn-save event. Refs #3195
trusted-networks-modify: add tunnel networks. Refs #3195
trusted-networks-modify: add networks from green aliases. Refs #3195
trusted-networks-modify: add tunnel networks. Refs #3195
samba: unbind interface-update event. Refs #3195
Use trusted-networks-modify event.
History
#1 Updated by Davide Principi about 6 years ago
- Description updated (diff)
#2 Updated by Davide Principi about 6 years ago
- Related to Feature #2919: mail-server: configure IP-based access policy from UI added
#3 Updated by Davide Principi about 6 years ago
Documentation change proposal:
#4 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#5 Updated by Davide Principi about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#6 Updated by Davide Principi about 6 years ago
- Subject changed from Event trusted-networks-update to Event trusted-networks-modify
- Description updated (diff)
The `-update` suffix is generally used by `packagename-update` events. Here we are similar to `record-modify` semantics.
#7 Updated by Davide Principi about 6 years ago
Known legacy event consumers are
- nethserver-samba
- nethserver-firewall-base
- nethserver-mail-common
- nethserver-cups
- nethserver-httpd
- nethserver-hylafax
- ...
Known providers:
- nethserver-ipsec
- nethserver-openvpn
- green networks
- network records in networks DB
#8 Updated by Davide Principi about 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
MODIFIED
The following packages have been modified:
nethserver-base
nethserver-hylafax
nethserver-samba
nethserver-firewall-base
nethserver-mail-common
nethserver-cups
nethserver-httpd
nethserver-ipsec (provider)
nethserver-openvpn (provider)
API DOCUMENTATION
perldoc NethServer::TrustedNetworks
PACKAGER NOTE
Pull requests on documentation
- https://github.com/NethServer/nethserver-docs/pull/73
- https://github.com/NethServer/nethserver-docs/pull/71
Test case
Update all the packages to the modified version. Changes on Trusted Networks
page must be applied on the system as before.
- nethserver-samba: check `hosts allow` directive in `smb.conf` has also IPsec and OpenVPN networks
- nethserver-mail-common: check `/etc/postfix/mynetworks.cidr` has also IPsec and OpenVPN networks
- nethserver-cups: check `/etc/cups/cupsd.conf` has also IPsec and OpenVPN networks
- nethserver-httpd: to test, install also nethserver-ibays and create a new ibay. Under web settings enable `Allow access from trusted networks only`. Check the `.ibay` file under `/etc/httpd/nethserver.d/` has also IPsec and OpenVPN networks in `Allow from` directive.
- nethserver-hylafax, just test install
- nethserver-firewall-base, just test install
- nethserver-base: check `Trusted Networks` page works correctly and changes are applied to underlying packages (see above).
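The per-package checks above can be automated. The following script is an added example (not NethServer code and not part of this issue): it parses the three file formats named in the test case, the `hosts allow` line of `smb.conf`, the postfix `mynetworks.cidr` table and the Apache `Allow from` directives of an `.ibay` file, normalises every entry with `ipaddress` so that dotted-netmask and CIDR spellings compare equal, and reports which expected trusted network (green, IPsec, OpenVPN) is missing from each file. The file contents, the expected networks and all function names are constructed for the example.

```python
"""Check that every expected trusted network is present in the generated
configuration files named in the test case.  Added example, not NethServer
code; the sample file contents below are constructed to mimic the formats
quoted in this issue."""
import ipaddress
import re

# Expected providers: green interface, IPsec tunnel, OpenVPN routed network.
# Constructed sample values.
EXPECTED = {
    "green": "192.168.100.0/255.255.255.0",
    "ipsec": "10.100.100.0/255.255.255.0",
    "openvpn": "10.8.0.0/255.255.255.0",
}

# Constructed smb.conf fragment: the OpenVPN network is missing on purpose.
SMB_CONF = """[global]
hosts allow = 127.0.0.1 192.168.100.0/255.255.255.0 10.100.100.0/255.255.255.0
"""

# Constructed postfix cidr_table: complete.
MYNETWORKS_CIDR = """# 10trustednetworks
127.0.0.1/32 OK
192.168.100.0/24 OK
10.100.100.0/24 OK
10.8.0.0/24 OK
"""

# Constructed ibay fragment: only green is listed.
HTTPD_IBAY = """<Directory /var/lib/nethserver/ibay/bayone>
Order Deny,Allow
Allow from 127.0.0.1
Allow from 192.168.100.0/255.255.255.0
AllowOverride None
</Directory>
"""


def to_network(token):
    """Normalise '192.168.100.0/255.255.255.0', '10.8.0.0/24' or a bare host
    address to an ip_network; return None for tokens that are not one."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def networks_in_smb(text):
    """Networks listed on the 'hosts allow' line of a smb.conf."""
    nets = set()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "hosts allow":
            nets.update(n for n in map(to_network, value.split()) if n)
    return nets


def networks_in_cidr_table(text):
    """Networks in a postfix cidr_table ('network/prefix action' per line)."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = to_network(line.split()[0])
        if net:
            nets.add(net)
    return nets


def networks_in_httpd(text):
    """Networks named by Apache 'Allow from' directives."""
    pattern = re.compile(r"^\s*Allow\s+from\s+(\S+)", re.IGNORECASE | re.MULTILINE)
    return {n for n in map(to_network, pattern.findall(text)) if n}


def missing_networks(found, expected=EXPECTED):
    """Provider names whose network is absent from the parsed set `found`."""
    return sorted(name for name, spec in expected.items()
                  if ipaddress.ip_network(spec, strict=False) not in found)


if __name__ == "__main__":
    for label, found in (("smb.conf", networks_in_smb(SMB_CONF)),
                         ("mynetworks.cidr", networks_in_cidr_table(MYNETWORKS_CIDR)),
                         ("bayone.ibay", networks_in_httpd(HTTPD_IBAY))):
        gap = missing_networks(found)
        print(f"{label}: {'OK' if not gap else 'missing ' + ', '.join(gap)}")
```

Run against the real files by replacing the constructed strings with `open(path).read()`; a file that lists only `127.0.0.1` reports all three providers missing, which is the symptom a broken `trusted-networks-modify` run produces.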
#9 Updated by Davide Principi about 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-openvpn-1.2.1-1.1.g43b5436.ns6.noarch.rpm
nethserver-openvpn-1.2.1-1.3.g59a6af2.ns6.noarch.rpm
nethserver-openvpn-1.2.1-1.4.gae278e3.ns6.noarch.rpm
nethserver-ipsec-1.0.3-1.10.g260c52c.ns6.noarch.rpm
nethserver-ipsec-1.0.3-1.11.g76ca3b6.ns6.noarch.rpm
nethserver-httpd-2.4.1-1.1.gacbe582.ns6.noarch.rpm
nethserver-cups-1.1.1-1.noarch.rpm
nethserver-cups-1.1.1-1.4.g315783b.ns6.noarch.rpm
nethserver-mail-common-1.5.0-1.1.g8d2e69c.ns6.noarch.rpm
nethserver-firewall-base-2.6.3-1.4.gae44624.ns6.noarch.rpm
nethserver-samba-1.5.1-1.1.g0920486.ns6.noarch.rpm
nethserver-samba-1.5.1-1.2.ge5c9553.ns6.noarch.rpm
nethserver-hylafax-1.1.1-1.2.gec1196f.ns6.noarch.rpm
nethserver-base-2.7.2-1.10.g932f163.ns6.noarch.rpm
nethserver-base-2.7.2-1.15.g9c6590f.ns6.noarch.rpm
#10 Updated by Davide Principi about 6 years ago
- Category changed from nethserver-base to <multiple packages>
#11 Updated by dz0 0te about 6 years ago
- Assignee set to dz0 0te
#12 Updated by dz0 0te about 6 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (dz0 0te)
- % Done changed from 70 to 20
System and Package Version installed
VM KVM - Clean install of Nethserver 6.6 fully updated
VM ip: 192.168.100.73
Package Installed: nethserver-base-2.7.2-1.ns6.noarch
nethserver-samba-1.5.1-1.ns6.noarch
nethserver-firewall-base-2.6.3-1.ns6.noarch
nethserver-hylafax-1.1.1-1.ns6.noarch
nethserver-openvpn-1.2.1-1.ns6.noarch
nethserver-mail-common-1.5.0-1.ns6.noarch
nethserver-cups-1.1.1-1.ns6.noarch
nethserver-ipsec-1.0.3-1.ns6.noarch
nethserver-httpd-2.4.1-1.ns6.noarch
Other Package installed: Basic firewall,Email,Fax server,File server,MySQL server,POP3 connector,Print server,SMTP proxy,VPN,Web filter,Web server
Test Original Problem
Enhancement
enabled/configured openvpn and ipsec
Install Updated Package
yum --enablerepo=nethserver-testing install nethserver-base nethserver-hylafax nethserver-samba nethserver-firewall-base nethserver-mail-common nethserver-cups nethserver-httpd nethserver-ipsec nethserver-openvpn
Test Results after update
Existing trusted networks (including the local LAN) disappeared from various config files.
1. `$ cat /etc/samba/smb.conf | grep allow`
```
hosts allow = 127.0.0.1
```
```
- 10trustednetworks
#
127.0.0.1/32 OK
```
ex:
```
- Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order deny,allow
Allow From 127.0.0.1
Allow From 192.168.100.0/255.255.255.0
Allow From 10.100.100.0/255.255.255.0
</Location>
```
4. `$ cat /etc/httpd/nethserver.d/bayone.ibay | grep Allow`
```
Order Deny,Allow
Allow from 127.0.0.1
AllowOverride None
```
5. add/del a new net from UI Trusting Network:
```
Task completed with errors
S10legacy-call-network-create #2 (exit status 32512)
```
Note
Disabling/re-enabling openvpn with other ip range updates the data in Trusted Networks, but still the same results from the previous tests 1-4.
2nd test on another clean vm with no packages installed.
After installing new packages, in Trusted Network: Empty Table
add/del new net same problem as before.
Enabling vpn still leaves various config with only 127.0.0.1
#13 Updated by Giacomo Sanchietti about 6 years ago
#14 Updated by Filippo Carletti about 6 years ago
Giacomo Sanchietti wrote:
> See also: http://community.nethserver.org/t/allow-access-from-green-and-trusted-network

The page you requested doesn't exist or is private.
#15 Updated by Giacomo Sanchietti about 6 years ago
> The page you requested doesn't exist or is private.

Here is the correct link:
http://community.nethserver.org/t/allow-access-from-green-and-trusted-networks/1182/2
#16 Updated by Davide Principi about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#17 Updated by Davide Principi about 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
MODIFIED
#18 Updated by Davide Principi about 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Davide Principi)
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-openvpn-1.2.1-1.2.g7d0aa23.ns6.noarch.rpm
nethserver-base-2.7.2-1.11.g1a8cfe7.ns6.noarch.rpm
nethserver-base-2.7.2-1.12.g3cb8567.ns6.noarch.rpm
#19 Updated by Vasco Castelo Branco about 6 years ago
- Assignee set to Vasco Castelo Branco
#20 Updated by Davide Principi about 6 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (Vasco Castelo Branco)
- % Done changed from 70 to 20

- VPN ipsec net2net networks
- VPN openvpn user account networks
- bind `trusted-networks-modify` to the above item changes and packages installation
- UI subnet checks (generic case of already-existing items)
#21 Updated by Davide Principi about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#22 Updated by Davide Principi about 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case (additional)
- changes on `VPN > IPSec/L2TP` page, in `Network address/mask`, must be reflected into config files (see previous test case)
- changes on `VPN > OpenVPN` page, in `Network/mask`, under `Routed mode`, must be reflected into config files (see previous test case)
- changes on `Network` page must be reflected in config files for green interfaces.
- Create a new item in `Trusted networks` page: the validator must refuse to create an already existing network, or a subnet or supernet of an existing network.
#23 Updated by Davide Principi about 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
see the note 9
#24 Updated by Vasco Castelo Branco about 6 years ago
- Assignee set to Vasco Castelo Branco
#25 Updated by Vasco Castelo Branco about 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Vasco Castelo Branco)
- % Done changed from 70 to 90
Verified with:
nethserver-base-2.7.2-1.ns6.noarch
#26 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from VERIFIED to ON_QA
- % Done changed from 90 to 70
Good verification so far, but I just added a couple of minor features.
We need just to test these ones.
- nethserver-openvpn-1.2.1-1.5.gb3e743d.ns6.noarch.rpm
- nethserver-ipsec-1.0.3-1.12.g182f6e4.ns6.noarch.rpm
- nethserver-base-2.7.2-1.16.gb45799e.ns6.noarch.rpm
- Create an alias for a green network
- Check the alias network is inside the trusted networks, you can use this command: `grep "hosts allow" /etc/samba/smb.conf`
- Create an IPSec tunnel
- Check the right subnet is inside the trusted networks (use command from test case 1)
- Create a VPN account with an associated network and netmask
- Check the network is inside the trusted networks (use command from test case 1)
#27 Updated by Vasco Castelo Branco about 6 years ago
- Assignee set to Vasco Castelo Branco
#28 Updated by Vasco Castelo Branco about 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Vasco Castelo Branco)
- % Done changed from 70 to 90
#29 Updated by Giacomo Sanchietti about 6 years ago
- Assignee set to Giacomo Sanchietti
#30 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from VERIFIED to CLOSED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 90 to 100
- nethserver-firewall-base-2.6.4-1.ns6.noarch.rpm
- nethserver-base-2.7.4-1.ns6.noarch.rpm
- nethserver-hylafax-1.1.2-1.ns6.noarch.rpm
- nethserver-samba-1.5.2-1.ns6.noarch.rpm
- nethserver-mail-common-1.5.1-1.ns6.noarch.rpm
- nethserver-cups-1.1.2-1.ns6.noarch.rpm
- nethserver-httpd-2.4.2-1.ns6.noarch.rpm
- nethserver-openvpn-1.2.2-1.ns6.noarch.rpm
Release of nethserver-ipsec is postponed until documentation is ready.