From ac201314adae549115506023dce7828de71ef8cf Mon Sep 17 00:00:00 2001 From: Peter Hansen Date: Sat, 28 Dec 2019 11:40:04 +0100 Subject: [PATCH 01/19] + add blacklist for commands to config + custom start page with DEFAULT_TEMPLATE --- lg.py | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/lg.py b/lg.py index b8f829c..101b5ac 100644 --- a/lg.py +++ b/lg.py @@ -37,7 +37,7 @@ from toolbox import mask_is_valid, ipv6_is_valid, ipv4_is_valid, resolve, save_c import pydot -from flask import Flask, render_template, jsonify, redirect, session, request, abort, Response, Markup +from flask import Flask, render_template, render_template_string, jsonify, redirect, session, request, abort, Response, Markup app = Flask(__name__) app.config.from_pyfile('lg.cfg') @@ -171,6 +171,8 @@ def inject_commands(): ("adv", "show route ..."), ("adv_bgpmap", "show route ... (bgpmap)"), ] + + commands = [i for i in commands if i[0] not in app.config.get("BLACKLIST_COMMANDS", [])] commands_dict = {} for id, text in commands: commands_dict[id] = text @@ -184,6 +186,12 @@ def inject_all_host(): @app.route("/") def hello(): + if app.config.get("DEFAULT_TEMPLATE", False): + first_command = next(iter(inject_commands()['commands_dict'])) + set_session(first_command, "+".join(app.config["PROXY"].keys()), "ipv4", "") + with open(app.config.get("DEFAULT_TEMPLATE"), 'r') as filehandle: + filecontent = filehandle.read() + return render_template_string(filecontent) return redirect("/summary/%s/ipv4" % "+".join(app.config["PROXY"].keys())) @@ -227,6 +235,8 @@ SUMMARY_UNWANTED_PROTOS = ["Kernel", "Static", "Device"] @app.route("/summary/") @app.route("/summary//") def summary(hosts, proto="ipv4"): + if 'summary' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 set_session("summary", hosts, proto, "") command = "show protocols" @@ -269,6 +279,9 @@ def summary(hosts, proto="ipv4"): @app.route("/detail//") def detail(hosts, proto): + if 'detail' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + name = get_query() if not name: @@ -298,6 +311,9 @@ def detail(hosts, proto): @app.route("/traceroute//") def traceroute(hosts, proto): + if 'traceroute' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + q = get_query() if not q: @@ -331,41 +347,65 @@ def traceroute(hosts, proto): @app.route("/adv//") def show_route_filter(hosts, proto): + if 'adv' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("adv", hosts, proto) @app.route("/adv_bgpmap//") def show_route_filter_bgpmap(hosts, proto): + if 'adv_bgpmap' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("adv_bgpmap", hosts, proto) @app.route("/where//") def show_route_where(hosts, proto): + if 'where' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("where", hosts, proto) @app.route("/where_detail//") def show_route_where_detail(hosts, proto): + if 'where_detail' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("where_detail", hosts, proto) @app.route("/where_bgpmap//") def show_route_where_bgpmap(hosts, proto): + if 'where_bgpmap' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("where_bgpmap", hosts, proto) @app.route("/prefix//") def show_route_for(hosts, proto): + if 'prefix' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("prefix", hosts, proto) @app.route("/prefix_detail//") def show_route_for_detail(hosts, proto): + if 'prefix_detail' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("prefix_detail", hosts, proto) @app.route("/prefix_bgpmap//") def show_route_for_bgpmap(hosts, proto): + if 'prefix_bgpmap' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("prefix_bgpmap", hosts, proto) From d3e9d5c6b9c7badfedf95dd7b1b1c962b8a0689c Mon Sep 17 00:00:00 2001 From: Guillaume Marsay Date: Mon, 15 Jun 2020 09:57:59 +0200 Subject: [PATCH 02/19] DOMAIN is now optional --- lg.py | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/lg.py b/lg.py index 3616c58..3be6307 100644 --- a/lg.py +++ b/lg.py @@ -148,16 +148,23 @@ def bird_proxy(host, proto, service, query): return False, 'Host "%s" invalid' % host elif not path: return False, 'Proto "%s" invalid' % proto - else: - url = "http://%s.%s:%d/%s?q=%s" % (host, app.config["DOMAIN"], port, path, quote(query)) - try: - f = urlopen(url) - resultat = f.read() - status = True # retreive remote status - except IOError: - resultat = "Failed retreive url: %s" % url - status = False - return status, resultat + + url = "http://%s" % (host) + if "DOMAIN" in app.config: + url = "%s.%s" % (url, app.config["DOMAIN"]) + url = "%s:%d/%s?" % (url, port, path) + + url = "%sq=%s" % (url, quote(query)) + + try: + f = urlopen(url) + resultat = f.read() + status = True # retreive remote status + except IOError: + resultat = "Failed retreive url: %s" % url + status = False + + return status, resultat @app.context_processor @@ -459,7 +466,10 @@ def show_bgpmap(): return edges[edge_tuple] for host, asmaps in data.iteritems(): - add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9") + if "DOMAIN" in app.config: + add_node(host, label= "%s\r%s" % (host.upper(), app.config["DOMAIN"].upper()), shape="box", fillcolor="#F5A9A9") + else: + add_node(host, label= "%s" % (host.upper()), shape="box", fillcolor="#F5A9A9") as_number = app.config["AS_NUMBER"].get(host, None) if as_number: From 96c33da44690adba5c257863ffcf993bcffe7ab5 Mon Sep 17 00:00:00 2001 From: Guillaume Marsay Date: Mon, 15 Jun 2020 13:27:26 +0200 Subject: [PATCH 03/19] Add SHARED_SECRET --- lg.cfg | 3 +++ lg.py | 3 ++- lgproxy.cfg | 9 +++++++++ lgproxy.py | 13 +++++++++---- 4 files changed, 23 insertions(+), 5 deletions(-) diff --git a/lg.cfg b/lg.cfg index 2cc3388..5ddfc5d 100644 --- a/lg.cfg +++ b/lg.cfg @@ -5,6 +5,9 @@ LOG_LEVEL="WARNING" DOMAIN = "tetaneutral.net" +# Used for restrict access on lgproxy - must be same in lgproxy.cfg +SHARED_SECRET="ThisTokenIsNotSecret" + BIND_IP = "0.0.0.0" BIND_PORT = 5000 diff --git a/lg.py b/lg.py index 3be6307..e9ea3e5 100644 --- a/lg.py +++ b/lg.py @@ -153,7 +153,8 @@ def bird_proxy(host, proto, service, query): if "DOMAIN" in app.config: url = "%s.%s" % (url, app.config["DOMAIN"]) url = "%s:%d/%s?" % (url, port, path) - + if "SHARED_SECRET" in app.config: + url = "%ssecret=%s&" % (url, app.config["SHARED_SECRET"]) url = "%sq=%s" % (url, quote(query)) try: diff --git a/lgproxy.cfg b/lgproxy.cfg index e7a6e8a..7019e52 100644 --- a/lgproxy.cfg +++ b/lgproxy.cfg @@ -1,12 +1,21 @@ DEBUG=False + LOG_FILE="/var/log/lg-proxy/lg-proxy.log" LOG_LEVEL="WARNING" + BIND_IP = "0.0.0.0" BIND_PORT = 5000 + +# Used for restrict access on lgproxy - Empty list = all allowed ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"] + +# Used for restrict access on lgproxy - Must be same in lg.cfg +SHARED_SECRET="ThisTokenIsNotSecret" + IPV4_SOURCE="" IPV6_SOURCE="" + BIRD_SOCKET="/var/run/bird/bird.ctl" BIRD6_SOCKET="/var/run/bird/bird6.ctl" diff --git a/lgproxy.py b/lgproxy.py index e1b3cdb..a81abb9 100644 --- a/lgproxy.py +++ b/lgproxy.py @@ -54,14 +54,19 @@ def access_log_after(response, *args, **kwargs): app.logger.info("[%s] reponse %s, %s", request.remote_addr, request.url, response.status_code) return response -def check_accesslist(): - if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]: +def check_security(): + if app.config["ACCESS_LIST"] and request.remote_addr not in app.config["ACCESS_LIST"]: + app.logger.info("Your remote address is not valid") + abort(401) + + if app.config.get('SHARED_SECRET') and request.args.get("secret") != app.config["SHARED_SECRET"]: + app.logger.info("Your shared secret is not valid") abort(401) @app.route("/traceroute") @app.route("/traceroute6") def traceroute(): - check_accesslist() + check_security() if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'): traceroute4 = [ 'traceroute' ] @@ -100,7 +105,7 @@ def traceroute(): @app.route("/bird") @app.route("/bird6") def bird(): - check_accesslist() + check_security() if request.path == "/bird": b = BirdSocket(file=app.config.get("BIRD_SOCKET")) elif request.path == "/bird6": b = BirdSocket(file=app.config.get("BIRD6_SOCKET")) From f87719956a156e200112b200545590b71133f884 Mon Sep 17 00:00:00 2001 From: Guillaume Marsay Date: Mon, 15 Jun 2020 13:13:05 +0200 Subject: [PATCH 04/19] Add WEBSITE_TITLE - Issue #69 --- lg.cfg | 2 +- templates/layout.html | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lg.cfg b/lg.cfg index 2cc3388..b40f4d1 100644 --- a/lg.cfg +++ b/lg.cfg @@ -1,4 +1,4 @@ - +WEBSITE_TITLE="Bird-LG / Looking Glass" DEBUG = False LOG_FILE="/var/log/lg.log" LOG_LEVEL="WARNING" diff --git a/templates/layout.html b/templates/layout.html index 34071b0..aa57f29 100644 --- a/templates/layout.html +++ b/templates/layout.html @@ -1,6 +1,6 @@ - {{config.DOMAIN|capitalize}} looking glass + {{config.WEBSITE_TITLE|default("Bird-LG / Looking Glass") }} @@ -18,7 +18,7 @@ - {{config.DOMAIN|capitalize}} / Looking Glass + {{config.WEBSITE_TITLE|default("Bird-LG / Looking Glass") }}
  • Nodes:  
    • From ca4550ae74600715553164fa06ed4c1d1b4c93c6 Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Mon, 15 Jun 2020 22:06:59 +0200 Subject: [PATCH 05/19] Fix HTML markup (wrong title position) --- templates/layout.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/layout.html b/templates/layout.html index aa57f29..d57ca80 100644 --- a/templates/layout.html +++ b/templates/layout.html @@ -1,7 +1,7 @@ - {{config.WEBSITE_TITLE|default("Bird-LG / Looking Glass") }} + {{config.WEBSITE_TITLE|default("Bird-LG / Looking Glass") }} From a45ae454084282b4b23cfbb0e743066fc8cb6905 Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Mon, 15 Jun 2020 22:34:25 +0200 Subject: [PATCH 06/19] Basic python reformatting Transform all tabs to spaces and remove trailing spaces. --- bird.py | 241 ++++++++++++++++++++++++++--------------------------- lg.py | 14 ++-- lgproxy.py | 23 +++-- toolbox.py | 42 +++++----- 4 files changed, 156 insertions(+), 164 deletions(-) diff --git a/bird.py b/bird.py index 5f6d546..a55deb9 100644 --- a/bird.py +++ b/bird.py @@ -25,153 +25,150 @@ import sys BUFSIZE = 4096 SUCCESS_CODES = { - "0000" : "OK", - "0001" : "Welcome", - "0002" : "Reading configuration", - "0003" : "Reconfigured", - "0004" : "Reconfiguration in progress", - "0005" : "Reconfiguration already in progress, queueing", - "0006" : "Reconfiguration ignored, shutting down", - "0007" : "Shutdown ordered", - "0008" : "Already disabled", - "0009" : "Disabled", - "0010" : "Already enabled", - "0011" : "Enabled", - "0012" : "Restarted", - "0013" : "Status report", - "0014" : "Route count", - "0015" : "Reloading", - "0016" : "Access restricted", + "0000" : "OK", + "0001" : "Welcome", + "0002" : "Reading configuration", + "0003" : "Reconfigured", + "0004" : "Reconfiguration in progress", + "0005" : "Reconfiguration already in progress, queueing", + "0006" : "Reconfiguration ignored, shutting down", + "0007" : "Shutdown ordered", + "0008" : "Already disabled", + "0009" : "Disabled", + "0010" : "Already enabled", + "0011" : "Enabled", + "0012" : "Restarted", + "0013" : "Status report", + "0014" : "Route count", + "0015" : "Reloading", + "0016" : "Access restricted", } TABLES_ENTRY_CODES = { - "1000" : "BIRD version", - "1001" : "Interface list", - "1002" : "Protocol list", - "1003" : "Interface address", - "1004" : "Interface flags", - "1005" : "Interface summary", - "1006" : "Protocol details", - "1007" : "Route list", - "1008" : "Route details", - "1009" : "Static route list", - "1010" : "Symbol list", - "1011" : "Uptime", - "1012" : "Route extended attribute list", - "1013" : "Show ospf neighbors", - "1014" : "Show ospf", - "1015" : "Show ospf interface", - "1016" : "Show ospf state/topology", - "1017" : "Show ospf lsadb", - "1018" : "Show memory", + "1000" : "BIRD version", + "1001" : "Interface list", + "1002" : "Protocol list", + "1003" : "Interface address", + "1004" : "Interface flags", + "1005" : "Interface summary", + "1006" : "Protocol details", + "1007" : "Route list", + "1008" : "Route details", + "1009" : "Static route list", + "1010" : "Symbol list", + "1011" : "Uptime", + "1012" : "Route extended attribute list", + "1013" : "Show ospf neighbors", + "1014" : "Show ospf", + "1015" : "Show ospf interface", + "1016" : "Show ospf state/topology", + "1017" : "Show ospf lsadb", + "1018" : "Show memory", } ERROR_CODES = { - "8000" : "Reply too long", - "8001" : "Route not found", - "8002" : "Configuration file error", - "8003" : "No protocols match", - "8004" : "Stopped due to reconfiguration", - "8005" : "Protocol is down => cannot dump", - "8006" : "Reload failed", - "8007" : "Access denied", + "8000" : "Reply too long", + "8001" : "Route not found", + "8002" : "Configuration file error", + "8003" : "No protocols match", + "8004" : "Stopped due to reconfiguration", + "8005" : "Protocol is down => cannot dump", + "8006" : "Reload failed", + "8007" : "Access denied", - "9000" : "Command too long", - "9001" : "Parse error", - "9002" : "Invalid symbol type", + "9000" : "Command too long", + "9001" : "Parse error", + "9002" : "Invalid symbol type", } END_CODES = ERROR_CODES.keys() + SUCCESS_CODES.keys() -global bird_sockets +global bird_sockets bird_sockets = {} def BirdSocketSingleton(host, port): - global bird_sockets - s = bird_sockets.get((host,port), None) - if not s: - s = BirdSocket(host,port) - bird_sockets[(host,port)] = s - return s + global bird_sockets + s = bird_sockets.get((host,port), None) + if not s: + s = BirdSocket(host,port) + bird_sockets[(host,port)] = s + return s class BirdSocket: - def __init__(self, host="", port="", file=""): - self.__file = file - self.__host = host - self.__port = port - self.__sock = None + def __init__(self, host="", port="", file=""): + self.__file = file + self.__host = host + self.__port = port + self.__sock = None - def __connect(self): - if self.__sock: return + def __connect(self): + if self.__sock: return - if not file: - self.__sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - self.__sock.settimeout(3.0) - self.__sock.connect((self.__host, self.__port)) - else: - self.__sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) - self.__sock.settimeout(3.0) - self.__sock.connect(self.__file) + if not file: + self.__sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.__sock.settimeout(3.0) + self.__sock.connect((self.__host, self.__port)) + else: + self.__sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + self.__sock.settimeout(3.0) + self.__sock.connect(self.__file) - # read welcome message - self.__sock.recv(1024) - self.cmd("restrict") + # read welcome message + self.__sock.recv(1024) + self.cmd("restrict") - def close(self): - if self.__sock: - try: self.__sock.close() - except: pass - self.__sock = None - - def cmd(self, cmd): - try: - self.__connect() - self.__sock.send(cmd + "\n") - data = self.__read() - return data - except socket.error: - why = sys.exc_info()[1] - self.close() - return False, "Bird connection problem: %s" % why + def close(self): + if self.__sock: + try: self.__sock.close() + except: pass + self.__sock = None - def __read(self): - code = "7000" # Not used in bird - parsed_string = "" - lastline = "" + def cmd(self, cmd): + try: + self.__connect() + self.__sock.send(cmd + "\n") + data = self.__read() + return data + except socket.error: + why = sys.exc_info()[1] + self.close() + return False, "Bird connection problem: %s" % why - while code not in END_CODES: - data = self.__sock.recv(BUFSIZE) - - lines = (lastline + data).split("\n") - if len(data) == BUFSIZE: - lastline = lines[-1] - lines = lines[:-1] + def __read(self): + code = "7000" # Not used in bird + parsed_string = "" + lastline = "" - for line in lines: - code = line[0:4] + while code not in END_CODES: + data = self.__sock.recv(BUFSIZE) - if not line.strip(): - continue - elif code == "0000": - return True, parsed_string - elif code in SUCCESS_CODES.keys(): - return True, SUCCESS_CODES.get(code) - elif code in ERROR_CODES.keys(): - return False, ERROR_CODES.get(code) - elif code[0] in [ "1", "2"] : - parsed_string += line[5:] + "\n" - elif code[0] == " ": - parsed_string += line[1:] + "\n" - elif code[0] == "+": - parsed_string += line[1:] - else: - parsed_string += "<<>>\n"%line + lines = (lastline + data).split("\n") + if len(data) == BUFSIZE: + lastline = lines[-1] + lines = lines[:-1] - return True, parsed_string - - -__all__ = ['BirdSocketSingleton' , 'BirdSocket' ] - + for line in lines: + code = line[0:4] + + if not line.strip(): + continue + elif code == "0000": + return True, parsed_string + elif code in SUCCESS_CODES.keys(): + return True, SUCCESS_CODES.get(code) + elif code in ERROR_CODES.keys(): + return False, ERROR_CODES.get(code) + elif code[0] in [ "1", "2"] : + parsed_string += line[5:] + "\n" + elif code[0] == " ": + parsed_string += line[1:] + "\n" + elif code[0] == "+": + parsed_string += line[1:] + else: + parsed_string += "<<>>\n"%line + + return True, parsed_string +__all__ = ['BirdSocketSingleton', 'BirdSocket'] diff --git a/lg.py b/lg.py index e9ea3e5..b26a71b 100644 --- a/lg.py +++ b/lg.py @@ -455,13 +455,12 @@ def show_bgpmap(): label_without_star = kwargs["label"].replace("*", "") if e.get_label() is not None: - labels = e.get_label().split("\r") + labels = e.get_label().split("\r") else: return edges[edge_tuple] if "%s*" % label_without_star not in labels: - labels = [ kwargs["label"] ] + [ l for l in labels if not l.startswith(label_without_star) ] + labels = [ kwargs["label"] ] + [ l for l in labels if not l.startswith(label_without_star) ] labels = sorted(labels, cmp=lambda x,y: x.endswith("*") and -1 or 1) - label = escape("\r".join(labels)) e.set_label(label) return edges[edge_tuple] @@ -478,7 +477,7 @@ def show_bgpmap(): edge = add_edge(as_number, nodes[host]) edge.set_color("red") edge.set_style("bold") - + #colors = [ "#009e23", "#1a6ec1" , "#d05701", "#6f879f", "#939a0e", "#0e9a93", "#9a0e85", "#56d8e1" ] previous_as = None hosts = data.keys() @@ -504,14 +503,13 @@ def show_bgpmap(): if not hop: hop = True if _as not in hosts: - hop_label = _as + hop_label = _as if first: hop_label = hop_label + "*" continue else: hop_label = "" - if _as == asmap[-1]: add_node(_as, fillcolor="#F5A9A9", shape="box", ) else: @@ -592,7 +590,7 @@ def build_as_tree_from_raw_bird_ouput(host, proto, text): # ugly hack for good printing path = [ peer_protocol_name ] # path = ["%s\r%s" % (peer_protocol_name, get_as_name(get_as_number_from_protocol_name(host, proto, peer_protocol_name)))] - + expr3 = re.search(r'(.*)unreachable\s+\[(\w+)\s+', line) if expr3: if path: @@ -612,7 +610,7 @@ def build_as_tree_from_raw_bird_ouput(host, proto, text): path.extend(ASes) else: path = ASes - + if path: path.append(net_dest) paths.append(path) diff --git a/lgproxy.py b/lgproxy.py index a81abb9..89b6a9a 100644 --- a/lgproxy.py +++ b/lgproxy.py @@ -41,7 +41,7 @@ app = Flask(__name__) app.debug = app.config["DEBUG"] app.config.from_pyfile(args.config_file) -file_handler = TimedRotatingFileHandler(filename=app.config["LOG_FILE"], when="midnight") +file_handler = TimedRotatingFileHandler(filename=app.config["LOG_FILE"], when="midnight") app.logger.setLevel(getattr(logging, app.config["LOG_LEVEL"].upper())) app.logger.addHandler(file_handler) @@ -67,7 +67,7 @@ def check_security(): @app.route("/traceroute6") def traceroute(): check_security() - + if sys.platform.startswith('freebsd') or sys.platform.startswith('netbsd') or sys.platform.startswith('openbsd'): traceroute4 = [ 'traceroute' ] traceroute6 = [ 'traceroute6' ] @@ -76,15 +76,14 @@ def traceroute(): traceroute6 = [ 'traceroute', '-6' ] src = [] - if request.path == '/traceroute6': - traceroute = traceroute6 - if app.config.get("IPV6_SOURCE",""): - src = [ "-s", app.config.get("IPV6_SOURCE") ] - + if request.path == '/traceroute6': + traceroute = traceroute6 + if app.config.get("IPV6_SOURCE", ""): + src = [ "-s", app.config.get("IPV6_SOURCE") ] else: - traceroute = traceroute4 - if app.config.get("IPV4_SOURCE",""): - src = [ "-s", app.config.get("IPV4_SOURCE") ] + traceroute = traceroute4 + if app.config.get("IPV4_SOURCE",""): + src = [ "-s", app.config.get("IPV4_SOURCE") ] query = request.args.get("q","") query = unquote(query) @@ -97,11 +96,9 @@ def traceroute(): options = [ '-A', '-q1', '-N32', '-w1', '-m15' ] command = traceroute + src + options + [ query ] result = subprocess.Popen( command , stdout=subprocess.PIPE).communicate()[0].decode('utf-8', 'ignore').replace("\n","
    ") - return result - @app.route("/bird") @app.route("/bird6") def bird(): @@ -118,7 +115,7 @@ def bird(): b.close() # FIXME: use status return result - + if __name__ == "__main__": app.logger.info("lgproxy start") diff --git a/toolbox.py b/toolbox.py index f2b50e1..a25e457 100644 --- a/toolbox.py +++ b/toolbox.py @@ -29,16 +29,16 @@ resolv.timeout = 0.5 resolv.lifetime = 1 def resolve(n, q): - return str(resolv.query(n,q)[0]) + return str(resolv.query(n,q)[0]) def mask_is_valid(n): - if not n: - return True - try: - mask = int(n) - return ( mask >= 1 and mask <= 128) - except: - return False + if not n: + return True + try: + mask = int(n) + return ( mask >= 1 and mask <= 128) + except: + return False def ipv4_is_valid(n): try: @@ -55,21 +55,21 @@ def ipv6_is_valid(n): return False def save_cache_pickle(filename, data): - output = open(filename, 'wb') - pickle.dump(data, output) - output.close() + output = open(filename, 'wb') + pickle.dump(data, output) + output.close() def load_cache_pickle(filename, default = None): - try: - pkl_file = open(filename, 'rb') - except IOError: - return default - try: - data = pickle.load(pkl_file) - except: - data = default - pkl_file.close() - return data + try: + pkl_file = open(filename, 'rb') + except IOError: + return default + try: + data = pickle.load(pkl_file) + except: + data = default + pkl_file.close() + return data def unescape(s): want_unicode = False From 1d3eefa971f468751c105b96ae203bae0b2a921b Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Mon, 15 Jun 2020 22:47:51 +0200 Subject: [PATCH 07/19] Don't display URL containing shared secret when there is an error --- lg.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lg.py b/lg.py index b26a71b..7b0c8ab 100644 --- a/lg.py +++ b/lg.py @@ -162,7 +162,8 @@ def bird_proxy(host, proto, service, query): resultat = f.read() status = True # retreive remote status except IOError: - resultat = "Failed retreive url: %s" % url + resultat = "Failed to retrieve URL for host %s" % host + app.logger.warning("Failed to retrieve URL for host %s: %s", host, url) status = False return status, resultat From c84267edd8e2df32cf8ca0c565e31654c482dc04 Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Mon, 15 Jun 2020 22:54:01 +0200 Subject: [PATCH 08/19] Clarify documentation of shared secret and access list --- lg.cfg | 2 +- lgproxy.cfg | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lg.cfg b/lg.cfg index 14a654a..4d120ea 100644 --- a/lg.cfg +++ b/lg.cfg @@ -5,7 +5,7 @@ LOG_LEVEL="WARNING" DOMAIN = "tetaneutral.net" -# Used for restrict access on lgproxy - must be same in lgproxy.cfg +# Used to optionally restrict access to lgproxy based on a shared secret. SHARED_SECRET="ThisTokenIsNotSecret" BIND_IP = "0.0.0.0" diff --git a/lgproxy.cfg b/lgproxy.cfg index 7019e52..e4b08f8 100644 --- a/lgproxy.cfg +++ b/lgproxy.cfg @@ -7,10 +7,12 @@ LOG_LEVEL="WARNING" BIND_IP = "0.0.0.0" BIND_PORT = 5000 -# Used for restrict access on lgproxy - Empty list = all allowed +# Used to restrict access to lgproxy based on source IP address. +# Empty list = any IP is allowed to run queries. ACCESS_LIST = ["91.224.149.206", "178.33.111.110", "2a01:6600:8081:ce00::1"] -# Used for restrict access on lgproxy - Must be same in lg.cfg +# Used to restrict access to lgproxy based on a shared secret (must also be configured in lg.cfg) +# Empty string or unset = no shared secret is required to run queries. SHARED_SECRET="ThisTokenIsNotSecret" IPV4_SOURCE="" From 53e717381d3dca88d3636c5ca0349306a3464e8c Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Tue, 16 Jun 2020 15:36:44 +0200 Subject: [PATCH 09/19] bgpmap: Fix crash when 'peer_protocol_name' is not matched by regexp This protects against cases where the regexp expr2 is broken (such as currently with some interface names) Fixes: #64 --- lg.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lg.py b/lg.py index 7b0c8ab..4a59d73 100644 --- a/lg.py +++ b/lg.py @@ -558,7 +558,7 @@ def build_as_tree_from_raw_bird_ouput(host, proto, text): path = None paths = [] net_dest = None - peer_protocol_name = None + peer_protocol_name = "" for line in text: line = line.strip() From 967c721b86899b67614bb47277d4c9dc25cd5ab0 Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Tue, 16 Jun 2020 15:39:55 +0200 Subject: [PATCH 10/19] bgpmap: fix regexp to match interface names with non-alphanumerical characters Commit eaf531eee21 ("Correctly parse aspath for both bird 1.x and 2.0.") inadvertently made a regexp more strict, and it no longer matches some interface names. Example include `eth1.945` (tagged VLAN, which is a common use-case for routers) or `br-foo`. As a result, the regexp would not parse the "peer protocol name" that is normally displayed on the bgpmap. Fixes: #64 --- lg.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lg.py b/lg.py index 4a59d73..59cf17e 100644 --- a/lg.py +++ b/lg.py @@ -568,7 +568,7 @@ def build_as_tree_from_raw_bird_ouput(host, proto, text): net_dest = expr.group(1).strip() peer_protocol_name = expr.group(2).strip() - expr2 = re.search(r'(.*)via\s+([0-9a-fA-F:\.]+)\s+on\s+\w+(\s+\[(\w+)\s+)?', line) + expr2 = re.search(r'(.*)via\s+([0-9a-fA-F:\.]+)\s+on\s+\S+(\s+\[(\w+)\s+)?', line) if expr2: if path: path.append(net_dest) From 73edb4ce1d584037abd3965413c6b48702051209 Mon Sep 17 00:00:00 2001 From: Dimitri Pappas Date: Mon, 17 Aug 2020 04:58:33 +0200 Subject: [PATCH 11/19] Added https://lg.angolacables.co.ao/ to README.mkd --- README.mkd | 1 + 1 file changed, 1 insertion(+) diff --git a/README.mkd b/README.mkd index cd7bcb3..80f8801 100644 --- a/README.mkd +++ b/README.mkd @@ -84,3 +84,4 @@ Happy users * http://lg.catnix.net/ * https://lg.worldstream.nl/ * https://route-server.netshelter.de/ +* https://lg.angolacables.co.ao/ From ef6b32c527478fefe7a4436e10b96ee28ed5b308 Mon Sep 17 00:00:00 2001 From: Baptiste Jonglez Date: Mon, 10 May 2021 19:14:39 +0200 Subject: [PATCH 12/19] Fix XSS when handling query Fixes #63 --- templates/layout.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/layout.html b/templates/layout.html index d57ca80..c0b7281 100644 --- a/templates/layout.html +++ b/templates/layout.html @@ -120,7 +120,7 @@