From 2e8cb293199b462cc6b0ee88eb7fc96550e3f924 Mon Sep 17 00:00:00 2001 From: spiritbreaker22 <77387271+spiritbreaker22@users.noreply.github.com> Date: Thu, 8 Jun 2023 09:24:03 +0200 Subject: [PATCH 1/2] Adds swanctl.conf (New > 23.1) to the Agent 1.0.6 --- opnsense_checkmk_agent.py | 76 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/opnsense_checkmk_agent.py b/opnsense_checkmk_agent.py index 2219619..977d3f4 100644 --- a/opnsense_checkmk_agent.py +++ b/opnsense_checkmk_agent.py @@ -908,7 +908,7 @@ def checklocal_openvpn(self): _ret.append('{status} "OpenVPN Client: {description}" connectiontime=0|connections_ssl_vpn=0|if_in_octets=0|if_out_octets=0|expiredays={expiredays} Nicht verbunden {expiredate}'.format(**_client)) return _ret - def checklocal_ipsec(self): + def checklocal_ipsec_legacy(self): _ret =[] _ipsec_config = self._config_reader().get("ipsec") if type(_ipsec_config) != dict: @@ -974,7 +974,81 @@ def checklocal_ipsec(self): _con["phase2"] = f"{_phase2_up}/{_required_phase2}" _ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets={bytes-received}|if_out_octets={bytes-sent}|lifetime={life-time} {phase2} {state} {local-id} - {remote-id}({remote-host})".format(**_con)) return _ret + + def checklocal_ipsec_new(self): + _ret =[] + try: + _swanctl_config = self._config_reader().get("OPNsense").get("Swanctl").get("Connections") #.get("Connection") + if type(_swanctl_config) != dict: + return [] + except: + return [] + _connections_config = _swanctl_config.get("Connection") + _childrens_config = self._config_reader().get("OPNsense").get("Swanctl").get("children") + if type(_connections_config) != list: + _connections_config = [_connections_config] + if type(_childrens_config) != list: + _childrens_config = [_childrens_config] + _json_data = self._run_prog("/usr/local/opnsense/scripts/ipsec/list_status.py") + if len(_json_data.strip()) > 20: + _json_data = json.loads(_json_data) + else: + _json_data = {} + for _connection in _connections_config: + _uuid = _connection.get("@uuid","") + _remote = _connection.get("remote_addrs") + _name = _connection.get("description") + #_ret.append( "Connection: '%s' rem: '%s' uuid: '%s'" % (_name,_remote,_uuid) ) + #continue + if len(_name.strip()) < 1: + _name = _connection.get("remote_addrs") + _condata = _json_data.get(f"{_uuid}",{}) + _con = { + "status" : 2, + "bytes-received" : 0, + "bytes-sent" : 0, + "life-time" : 0, + "state" : "unknown", + "remote-host" : "unknown", + "remote-name" : _name, + "local-id" : _condata.get("local-id"), + "remote-id" : _condata.get("remote-id") + } + + _children_up = 0 + for _sas in _condata.get("sas",[]): + _con["state"] = _sas.get("state") + _con["local-id"] = _sas.get("local-id") + _con["remote-id"] = _sas.get("remote-id") + if _sas.get("state") != "ESTABLISHED": + continue + _con["remote-host"] = _sas.get("remote-host") + for _child in _sas.get("child-sas",{}).values(): + if _child.get("state") != "INSTALLED": + continue + _children_up += 1 + _install_time = max(1,int(_child.get("install-time","1"))) + _con["bytes-received"] += int(int(_child.get("bytes-in","0")) /_install_time) + _con["bytes-sent"] += int(int(_child.get("bytes-out","0")) /_install_time) + _con["life-time"] = max(_con["life-time"],_install_time) + _con["status"] = 0 if _con["status"] != 1 else 1 + + _required_children = len(list(filter(lambda x: x.get("connection") == _uuid,_childrens_config))) + + if _children_up >= _required_children: + _ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets={bytes-received}|if_out_octets={bytes-sent}|lifetime={life-time} {state} {local-id} - {remote-id}({remote-host})".format(**_con)) + elif _children_up == 0: + if _condata.keys(): + _ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets=0|if_out_octets=0|lifetime=0 not connected {local-id} - {remote-id}({remote-host})".format(**_con)) + else: + _ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets=0|if_out_octets=0|lifetime=0 not running".format(**_con)) + else: + _con["status"] = max(_con["status"],1) + _con["phase2"] = f"{_children_up}/{_required_phase2}" + _ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets={bytes-received}|if_out_octets={bytes-sent}|lifetime={life-time} {phase2} {state} {local-id} - {remote-id}({remote-host})".format(**_con)) + return _ret + def checklocal_wireguard(self): _ret = [] try: From 3a3283d53c984d61bebde83a64fa2d2ff6f17c8d Mon Sep 17 00:00:00 2001 From: spiritbreaker22 <77387271+spiritbreaker22@users.noreply.github.com> Date: Thu, 8 Jun 2023 09:38:31 +0200 Subject: [PATCH 2/2] Update opnsense_checkmk_agent.py deleted comments --- opnsense_checkmk_agent.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/opnsense_checkmk_agent.py b/opnsense_checkmk_agent.py index 977d3f4..981c6e2 100644 --- a/opnsense_checkmk_agent.py +++ b/opnsense_checkmk_agent.py @@ -978,7 +978,7 @@ def checklocal_ipsec_legacy(self): def checklocal_ipsec_new(self): _ret =[] try: - _swanctl_config = self._config_reader().get("OPNsense").get("Swanctl").get("Connections") #.get("Connection") + _swanctl_config = self._config_reader().get("OPNsense").get("Swanctl").get("Connections") if type(_swanctl_config) != dict: return [] except: @@ -996,10 +996,7 @@ def checklocal_ipsec_new(self): _json_data = {} for _connection in _connections_config: _uuid = _connection.get("@uuid","") - _remote = _connection.get("remote_addrs") _name = _connection.get("description") - #_ret.append( "Connection: '%s' rem: '%s' uuid: '%s'" % (_name,_remote,_uuid) ) - #continue if len(_name.strip()) < 1: _name = _connection.get("remote_addrs") _condata = _json_data.get(f"{_uuid}",{})