summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@baturin.org>2019-07-22 11:08:08 +0200
committerDaniil Baturin <daniil@baturin.org>2019-07-22 11:08:08 +0200
commit6af7b74e2b80b014a80c0c8531b7e219194a9d92 (patch)
tree2fc50e087eb759ecc9a73dbc486d537d651c200c
parentb050fe61956f710e61d8e3a8139c971a23e702f9 (diff)
parentd99bf6a3a623433e743bb2d1d72e2ef3e0ab5057 (diff)
downloadvyos-1x-6af7b74e2b80b014a80c0c8531b7e219194a9d92.tar.gz
vyos-1x-6af7b74e2b80b014a80c0c8531b7e219194a9d92.zip
Merge branch 'current' into equuleus
-rw-r--r--Jenkinsfile131
-rw-r--r--Pipfile.lock2
-rw-r--r--debian/control1
-rwxr-xr-xdebian/rules8
-rw-r--r--interface-definitions/dhcp-server.xml41
-rw-r--r--interface-definitions/dhcpv6-server.xml42
-rw-r--r--interface-definitions/dns-domain-name.xml2
-rw-r--r--interface-definitions/dns-dynamic.xml (renamed from interface-definitions/dynamic-dns.xml)49
-rw-r--r--interface-definitions/dns-forwarding.xml3
-rw-r--r--interface-definitions/https.xml87
-rw-r--r--interface-definitions/ipoe-server.xml369
-rw-r--r--interface-definitions/pppoe-server.xml32
-rw-r--r--interface-definitions/protocols-bfd.xml114
-rw-r--r--interface-definitions/snmp.xml22
-rw-r--r--interface-definitions/wireguard.xml2
-rw-r--r--op-mode-definitions/dhcp.xml61
-rw-r--r--op-mode-definitions/ipoe-server.xml26
-rw-r--r--op-mode-definitions/pppoe-server.xml2
-rw-r--r--op-mode-definitions/pptp-server.xml2
-rw-r--r--op-mode-definitions/show-protocols-bfd.xml30
-rw-r--r--op-mode-definitions/version.xml6
-rw-r--r--python/vyos/config.py29
-rw-r--r--python/vyos/configsession.py148
-rw-r--r--python/vyos/defaults.py10
-rw-r--r--python/vyos/formatversions.py109
-rw-r--r--python/vyos/migrator.py192
-rw-r--r--python/vyos/remote.py136
-rw-r--r--python/vyos/systemversions.py39
-rw-r--r--python/vyos/util.py47
-rwxr-xr-xsrc/conf_mode/accel_pppoe.py60
-rwxr-xr-xsrc/conf_mode/accel_pptp.py4
-rwxr-xr-xsrc/conf_mode/dhcp_server.py25
-rwxr-xr-xsrc/conf_mode/dhcpv6_server.py35
-rwxr-xr-xsrc/conf_mode/dns_forwarding.py101
-rwxr-xr-xsrc/conf_mode/firewall_options.py3
-rwxr-xr-xsrc/conf_mode/host_name.py371
-rwxr-xr-xsrc/conf_mode/http-api.py104
-rwxr-xr-xsrc/conf_mode/https.py132
-rwxr-xr-xsrc/conf_mode/ipoe_server.py417
-rwxr-xr-xsrc/conf_mode/protocols_bfd.py166
-rwxr-xr-xsrc/conf_mode/snmp.py27
-rwxr-xr-xsrc/conf_mode/syslog.py12
-rwxr-xr-xsrc/conf_mode/vrrp.py4
-rwxr-xr-xsrc/conf_mode/wireguard.py11
-rwxr-xr-xsrc/helpers/run-config-migration.py83
-rwxr-xr-xsrc/helpers/system-versions-foot.py39
-rwxr-xr-xsrc/helpers/vyos-merge-config.py115
-rwxr-xr-xsrc/migration-scripts/pppoe-server/1-to-238
-rwxr-xr-xsrc/migration-scripts/system/6-to-748
-rwxr-xr-xsrc/op_mode/show_dhcp.py140
-rwxr-xr-xsrc/op_mode/show_dhcpv6.py149
-rwxr-xr-xsrc/op_mode/version.py3
-rwxr-xr-xsrc/services/vyos-http-api-server237
-rw-r--r--src/systemd/vyos-http-api.service24
-rwxr-xr-xsrc/utils/vyos-config-file-query100
-rwxr-xr-xsrc/validators/cidr3
56 files changed, 3814 insertions, 379 deletions
diff --git a/Jenkinsfile b/Jenkinsfile
new file mode 100644
index 000000000..aac051799
--- /dev/null
+++ b/Jenkinsfile
@@ -0,0 +1,131 @@
+pipeline {
+ agent none
+ stages {
+ stage('build-package') {
+ parallel {
+ stage('Build package amd64') {
+ agent {
+ docker {
+ label 'jessie-amd64'
+ args '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=1006 -e GOSU_GID=1006 -v /tmp:/tmp'
+ image 'higebu/vyos-build:current'
+ }
+
+ }
+ steps {
+ sh '''#!/bin/bash
+git clone --single-branch --branch $GIT_BRANCH $GIT_URL $BUILD_NUMBER
+cd $BUILD_NUMBER
+sudo pip3 uninstall vyos -y || true
+sudo pip3 install -r test-requirements.txt
+python3 -m "pylint" src -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > pylint-report.txt || true
+make test
+sudo apt-get -o Acquire::Check-Valid-Until=false update
+sudo mk-build-deps -i -r -t \'apt-get --no-install-recommends -yq\' debian/control
+dpkg-buildpackage -b -us -uc -tc
+mkdir -p /tmp/$GIT_BRANCH/packages/script
+mv ../*.deb /tmp/$GIT_BRANCH/packages/'''
+ }
+ }
+ stage('Build package armhf') {
+ agent {
+ docker {
+ label 'jessie-amd64'
+ image 'vyos-build-armhf:current'
+ args '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=1006 -e GOSU_GID=1006 -v /tmp:/tmp'
+ }
+
+ }
+ steps {
+ sh '''#!/bin/bash
+git clone --single-branch --branch $GIT_BRANCH $GIT_URL $BUILD_NUMBER
+cd $BUILD_NUMBER
+sudo pip3 uninstall vyos -y || true
+sudo pip3 install -r test-requirements.txt
+python3 -m "pylint" src -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > pylint-report.txt || true
+make test
+sudo apt-get -o Acquire::Check-Valid-Until=false update
+sudo mk-build-deps -i -r -t \'apt-get --no-install-recommends -yq\' debian/control
+dpkg-buildpackage -b -us -uc -tc
+mkdir -p /tmp/$GIT_BRANCH/packages/script
+mv ../*.deb /tmp/$GIT_BRANCH/packages/'''
+ }
+ }
+ stage('Build package arm64') {
+ agent {
+ docker {
+ label 'jessie-amd64'
+ args '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=1006 -e GOSU_GID=1006 -v /tmp:/tmp'
+ image 'vyos-build-arm64:current'
+ }
+
+ }
+ steps {
+ sh '''#!/bin/bash
+git clone --single-branch --branch $GIT_BRANCH $GIT_URL $BUILD_NUMBER
+cd $BUILD_NUMBER
+sudo pip3 uninstall vyos -y || true
+sudo pip3 install -r test-requirements.txt
+python3 -m "pylint" src -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > pylint-report.txt || true
+make test
+sudo apt-get -o Acquire::Check-Valid-Until=false update
+sudo mk-build-deps -i -r -t \'apt-get --no-install-recommends -yq\' debian/control
+dpkg-buildpackage -b -us -uc -tc
+mkdir -p /tmp/$GIT_BRANCH/packages/script
+mv ../*.deb /tmp/$GIT_BRANCH/packages/'''
+ }
+ }
+ }
+ }
+ stage('Deploy packages') {
+ agent {
+ node {
+ label 'jessie-amd64'
+ }
+
+ }
+ steps {
+ sh '''#!/bin/bash
+cd /tmp/$GIT_BRANCH/packages/script
+/var/lib/vyos-build/pkg-build.sh $GIT_BRANCH'''
+ }
+ }
+ stage('Cleanup') {
+ parallel {
+ stage('Cleanup amd64') {
+ agent {
+ node {
+ label 'jessie-amd64'
+ }
+
+ }
+ steps {
+ cleanWs(cleanWhenAborted: true, cleanWhenFailure: true, cleanWhenNotBuilt: true, cleanWhenSuccess: true, cleanWhenUnstable: true, cleanupMatrixParent: true, deleteDirs: true, disableDeferredWipeout: true)
+ }
+ }
+ stage('Cleanup armhf') {
+ agent {
+ node {
+ label 'jessie-amd64'
+ }
+
+ }
+ steps {
+ cleanWs(cleanWhenAborted: true, cleanWhenFailure: true, cleanWhenNotBuilt: true, cleanWhenSuccess: true, cleanWhenUnstable: true, cleanupMatrixParent: true, deleteDirs: true, disableDeferredWipeout: true)
+ }
+ }
+ stage('Cleanup arm64') {
+ agent {
+ node {
+ label 'jessie-amd64'
+ }
+
+ }
+ steps {
+ cleanWs(cleanWhenAborted: true, cleanWhenFailure: true, cleanWhenNotBuilt: true, cleanWhenSuccess: true, cleanWhenUnstable: true, cleanupMatrixParent: true, deleteDirs: true, disableDeferredWipeout: true)
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/Pipfile.lock b/Pipfile.lock
index 5aaef5675..eae5ea9fe 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -22,7 +22,7 @@
"sha256:f84be1bb0040caca4cea721fcbbbbd61f9be9464ca236387158b0feea01914a4"
],
"index": "pypi",
- "version": "==2.10"
+ "version": "==2.10.1"
},
"markupsafe": {
"hashes": [
diff --git a/debian/control b/debian/control
index bf213352e..c8946e991 100644
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Depends: python3,
python3-isc-dhcp-leases,
python3-hurry.filesize,
python3-vici (>= 5.7.2),
+ python3-bottle,
ipaddrcheck,
tcpdump,
tshark,
diff --git a/debian/rules b/debian/rules
index ff2d205ba..952867a76 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,6 +10,7 @@ VYOS_OP_TMPL_DIR := /opt/vyatta/share/vyatta-op/templates
MIGRATION_SCRIPTS_DIR := /opt/vyatta/etc/config-migrate/migrate/
SYSTEM_SCRIPTS_DIR := usr/libexec/vyos/system
+SERVICES_DIR := usr/libexec/vyos/services
%:
dh $@ --with python3, --with quilt
@@ -53,6 +54,10 @@ override_dh_auto_install:
mkdir -p $(DIR)/$(SYSTEM_SCRIPTS_DIR)
cp -r src/system/* $(DIR)/$(SYSTEM_SCRIPTS_DIR)
+ # Install system services
+ mkdir -p $(DIR)/$(SERVICES_DIR)
+ cp -r src/services/* $(DIR)/$(SERVICES_DIR)
+
# Install configuration command definitions
mkdir -p $(DIR)/$(VYOS_CFG_TMPL_DIR)
cp -r templates-cfg/* $(DIR)/$(VYOS_CFG_TMPL_DIR)
@@ -72,3 +77,6 @@ override_dh_auto_install:
# Install systemd service units
mkdir -p $(DIR)/lib/systemd/system
cp -r src/systemd/* $(DIR)/lib/systemd/system
+
+ # Make directory for generated configuration file
+ mkdir -p $(DIR)/etc/vyos
diff --git a/interface-definitions/dhcp-server.xml b/interface-definitions/dhcp-server.xml
index 87999f496..7d42294e8 100644
--- a/interface-definitions/dhcp-server.xml
+++ b/interface-definitions/dhcp-server.xml
@@ -46,9 +46,9 @@
<properties>
<help>DHCP shared network name [REQUIRED]</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid DHCP pool name</constraintErrorMessage>
+ <constraintErrorMessage>Invalid shared network name. May only contain letters, numbers and .-_</constraintErrorMessage>
</properties>
<children>
<leafNode name="authoritative">
@@ -151,7 +151,7 @@
</leafNode>
<leafNode name="exclude">
<properties>
- <help>IP address that needs to be excluded from DHCP lease range</help>
+ <help>IP address to exclude from DHCP lease range</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address to exclude from lease range</description>
@@ -183,9 +183,9 @@
<properties>
<help>DHCP failover peer name [REQUIRED]</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid failover peer name</constraintErrorMessage>
+ <constraintErrorMessage>Invalid failover peer name. May only contain letters, numbers and .-_</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="peer-address">
@@ -193,7 +193,7 @@
<help>IP address of failover peer [REQUIRED]</help>
<valueHelp>
<format>ipv4</format>
- <description>IPv4 address to exclude from lease range</description>
+ <description>IPv4 address of failover peer</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
@@ -225,12 +225,12 @@
<help>Lease timeout in seconds (default: 86400)</help>
<valueHelp>
<format>0-4294967295</format>
- <description>DHCP lease time in seconds must be between 0 and 4294967295 (49 days)</description>
+ <description>DHCP lease time in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-4294967295"/>
</constraint>
- <constraintErrorMessage>DHCP lease time must be 0 to 4294967295</constraintErrorMessage>
+ <constraintErrorMessage>DHCP lease time must be between 0 and 4294967295 (49 days)</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="ntp-server">
@@ -288,9 +288,9 @@
<properties>
<help>DHCP lease range</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid DHCP lease range name</constraintErrorMessage>
+ <constraintErrorMessage>Invalid DHCP lease range name. May only contain letters, numbers and .-_</constraintErrorMessage>
</properties>
<children>
<leafNode name="start">
@@ -321,22 +321,22 @@
</tagNode>
<tagNode name="static-mapping">
<properties>
- <help>Static mapping for specified address type</help>
+ <help>Name of static mapping</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid static-mapping name</constraintErrorMessage>
+ <constraintErrorMessage>Invalid static mapping name. May only contain letters, numbers and .-_</constraintErrorMessage>
</properties>
<children>
<leafNode name="disable">
<properties>
- <help>Option to disable static-mapping</help>
+ <help>Option to disable static mapping</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="ip-address">
<properties>
- <help>Static mapping for specified IP address [REQUIRED]</help>
+ <help>Fixed IP address of static mapping</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address used in static mapping</description>
@@ -348,7 +348,7 @@
</leafNode>
<leafNode name="mac-address">
<properties>
- <help>Static mapping for specified MAC address [REQUIRED]</help>
+ <help>MAC address of static mapping [REQUIRED]</help>
<valueHelp>
<format>h:h:h:h:h:h</format>
<description>MAC address used in static mapping [REQUIRED]</description>
@@ -358,6 +358,7 @@
<leafNode name="static-mapping-parameters">
<properties>
<help>Additional static-mapping parameters for DHCP server.
+ Will be placed inside the "host" block of the mapping.
You must use the syntax of dhcpd.conf in this text-field.
Using this without proper knowledge may result in a crashed
DHCP server. Check system log to look for errors.</help>
@@ -414,10 +415,14 @@
<leafNode name="time-offset">
<properties>
<help>Offset of the client's subnet in seconds from Coordinated Universal Time (UTC)</help>
+ <valueHelp>
+ <format>[-]N</format>
+ <description>Time offset (number, may be negative)</description>
+ </valueHelp>
<constraint>
- <regex>^-?[0-9]+$</regex>
+ <regex>-?[0-9]+</regex>
</constraint>
- <constraintErrorMessage>Invalid time offset valuee</constraintErrorMessage>
+ <constraintErrorMessage>Invalid time offset value</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="time-server">
diff --git a/interface-definitions/dhcpv6-server.xml b/interface-definitions/dhcpv6-server.xml
index e63eb2242..28b56a64d 100644
--- a/interface-definitions/dhcpv6-server.xml
+++ b/interface-definitions/dhcpv6-server.xml
@@ -32,9 +32,9 @@
<properties>
<help>DHCPv6 shared network name [REQUIRED]</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid DHCPv6 pool name</constraintErrorMessage>
+ <constraintErrorMessage>Invalid DHCPv6 shared network name. May only contain letters, numbers and .-_</constraintErrorMessage>
</properties>
<children>
<leafNode name="disable">
@@ -112,9 +112,9 @@
<properties>
<help>Domain name for client to search</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid domain name syntax</constraintErrorMessage>
+ <constraintErrorMessage>Invalid domain name. May only contain letters, numbers and .-_</constraintErrorMessage>
<multi/>
</properties>
</leafNode>
@@ -157,9 +157,9 @@
<properties>
<help>NIS domain name for client to use</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid NIS domain name syntax</constraintErrorMessage>
+ <constraintErrorMessage>Invalid NIS domain name</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="nis-server">
@@ -179,9 +179,9 @@
<properties>
<help>NIS+ domain name for client to use</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid NIS+ domain name syntax</constraintErrorMessage>
+ <constraintErrorMessage>Invalid NIS+ domain name. May only contain letters, numbers and .-_</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="nisplus-server">
@@ -260,15 +260,15 @@
<properties>
<help>SIP server name</help>
<constraint>
- <regex>^[-_a-zA-Z0-9.]+$</regex>
+ <regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
- <constraintErrorMessage>Invalid SIP server name syntax</constraintErrorMessage>
+ <constraintErrorMessage>Invalid SIP server name. May only contain letters, numbers and .-_</constraintErrorMessage>
<multi/>
</properties>
</leafNode>
<leafNode name="sntp-server">
<properties>
- <help>IPv6 address of an SNTP Server for client to use</help>
+ <help>IPv6 address of an SNTP server for client to use</help>
<constraint>
<validator name="ipv6-address"/>
</constraint>
@@ -278,25 +278,37 @@
<tagNode name="static-mapping">
<properties>
<help>Name of static mapping</help>
+ <constraint>
+ <regex>[-_a-zA-Z0-9.]+</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid static mapping name. May only contain letters, numbers and .-_</constraintErrorMessage>
</properties>
<children>
<leafNode name="disable">
<properties>
- <help>Option to disable static-mapping</help>
+ <help>Option to disable static mapping</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="identifier">
<properties>
- <help>Client identifier for this static mapping</help>
+ <help>Client identifier (DUID) for this static mapping</help>
+ <valueHelp>
+ <format>h[[:h]...]</format>
+ <description>DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id)</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-9A-Fa-f]{1,2}[:])*([0-9A-Fa-f]{1,2})</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid DUID. Must be in the format h[[:h]...] where each \"h\" is 1 to 2 hex characters.</constraintErrorMessage>
</properties>
</leafNode>
<leafNode name="ipv6-address">
<properties>
- <help>Client IPv5 address for this static mapping</help>
+ <help>Client IPv6 address for this static mapping</help>
<valueHelp>
<format>ipv6</format>
- <description>IPv6 address for this tatic mapping</description>
+ <description>IPv6 address for this static mapping</description>
</valueHelp>
<constraint>
<validator name="ipv6-address"/>
diff --git a/interface-definitions/dns-domain-name.xml b/interface-definitions/dns-domain-name.xml
index a2c66495f..c16f0b02a 100644
--- a/interface-definitions/dns-domain-name.xml
+++ b/interface-definitions/dns-domain-name.xml
@@ -3,7 +3,7 @@
<interfaceDefinition>
<node name="system">
<children>
- <leafNode name="name-server">
+ <leafNode name="name-server" owner="${vyos_conf_scripts_dir}/host_name.py">
<properties>
<help>Domain Name Server (DNS)</help>
<priority>400</priority>
diff --git a/interface-definitions/dynamic-dns.xml b/interface-definitions/dns-dynamic.xml
index 974bbcbce..8e7e77475 100644
--- a/interface-definitions/dynamic-dns.xml
+++ b/interface-definitions/dns-dynamic.xml
@@ -4,6 +4,9 @@
<node name="service">
<children>
<node name="dns">
+ <properties>
+ <help>Domain Name System related services</help>
+ </properties>
<children>
<node name="dynamic" owner="${vyos_conf_scripts_dir}/dynamic_dns.py">
<properties>
@@ -75,47 +78,47 @@
</valueHelp>
<valueHelp>
<format>afraid</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>changeip</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>cloudflare</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>dnspark</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>dslreports</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>dyndns</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>easydns</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>namecheap</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>noip</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>sitelutions</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>zoneedit</format>
- <description></description>
+ <description/>
</valueHelp>
</properties>
<children>
@@ -144,43 +147,43 @@
</valueHelp>
<valueHelp>
<format>changeip</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>cloudflare</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>dnspark</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>dslreports1</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>dyndns2</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>easydns</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>namecheap</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>noip</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>sitelutions</format>
- <description></description>
+ <description/>
</valueHelp>
<valueHelp>
<format>zoneedit1</format>
- <description></description>
+ <description/>
</valueHelp>
</properties>
</leafNode>
@@ -207,12 +210,12 @@
<leafNode name="skip">
<properties>
<help>Skip everything before this on the given URL</help>
- </properties>
+ </properties>
</leafNode>
<leafNode name="url">
<properties>
<help>URL to obtain the current external IP address</help>
- </properties>
+ </properties>
</leafNode>
</children>
</node>
diff --git a/interface-definitions/dns-forwarding.xml b/interface-definitions/dns-forwarding.xml
index b989434f2..56820608c 100644
--- a/interface-definitions/dns-forwarding.xml
+++ b/interface-definitions/dns-forwarding.xml
@@ -4,6 +4,9 @@
<node name="service">
<children>
<node name="dns">
+ <properties>
+ <help>Domain Name System related services</help>
+ </properties>
<children>
<node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py">
<properties>
diff --git a/interface-definitions/https.xml b/interface-definitions/https.xml
new file mode 100644
index 000000000..828de449c
--- /dev/null
+++ b/interface-definitions/https.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0"?>
+<!-- HTTPS configuration -->
+<interfaceDefinition>
+ <node name="service">
+ <children>
+ <node name="https" owner="${vyos_conf_scripts_dir}/https.py">
+ <properties>
+ <help>HTTPS configuration</help>
+ <priority>1001</priority>
+ </properties>
+ <children>
+ <leafNode name="listen-address">
+ <properties>
+ <help>Addresses to listen for HTTPS requests</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>HTTPS IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>HTTPS IPv6 address</description>
+ </valueHelp>
+ <multi/>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv6-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="api" owner="${vyos_conf_scripts_dir}/http-api.py">
+ <properties>
+ <help>VyOS HTTP API configuration</help>
+ <priority>1002</priority>
+ </properties>
+ <children>
+ <leafNode name="port">
+ <properties>
+ <help>Port for HTTP API service</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Numeric IP port</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="keys">
+ <properties>
+ <help>HTTP API keys</help>
+ </properties>
+ <children>
+ <tagNode name="id">
+ <properties>
+ <help>HTTP API id</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>HTTP API plaintext key</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <leafNode name="strict">
+ <properties>
+ <help>Enforce strict path checking</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="debug">
+ <properties>
+ <help>Debug</help>
+ <valueless/>
+ <hidden/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
+
diff --git a/interface-definitions/ipoe-server.xml b/interface-definitions/ipoe-server.xml
new file mode 100644
index 000000000..6c93d3699
--- /dev/null
+++ b/interface-definitions/ipoe-server.xml
@@ -0,0 +1,369 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="service">
+ <children>
+ <node name="ipoe-server" owner="${vyos_conf_scripts_dir}/ipoe_server.py">
+ <properties>
+ <help>Internet Protocol over Ethernet (IPoE) Server</help>
+ <priority>900</priority>
+ </properties>
+ <children>
+ <tagNode name="interface">
+ <properties>
+ <help>Network interface to server IPoE</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="network-mode">
+ <properties>
+ <help>Network Layer IPoE serves on</help>
+ <completionHelp>
+ <list>L2 L3</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(L2|L3)</regex>
+ </constraint>
+ <valueHelp>
+ <format>L2</format>
+ <description>client share the same subnet</description>
+ </valueHelp>
+ <valueHelp>
+ <format>L3</format>
+ <description>clients are behind this router</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="network">
+ <properties>
+ <help>Enables clients to share the same network or each client has its own vlan</help>
+ <completionHelp>
+ <list>shared vlan</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(shared|vlan)</regex>
+ </constraint>
+ <valueHelp>
+ <format>shared</format>
+ <description>Multiple clients share the same network</description>
+ </valueHelp>
+ <valueHelp>
+ <format>vlan</format>
+ <description>One VLAN per client</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="client-subnet">
+ <properties>
+ <help>Client address pool</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="external-dhcp">
+ <properties>
+ <help>DHCP requests will be forwarded</help>
+ </properties>
+ <children>
+ <leafNode name="dhcp-relay">
+ <properties>
+ <help>DHCP Server the request will be redirected to.</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address of the DHCP Server</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="giaddr">
+ <properties>
+ <help>address of the relay agent (Relay Agent IP Address)</help>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="vlan-id">
+ <properties>
+ <help>VLAN monitor for the automatic creation of vlans (user per vlan)</help>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4096"/>
+ </constraint>
+ <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage>
+ <multi />
+ </properties>
+ </leafNode>
+ <leafNode name="vlan-range">
+ <properties>
+ <help>VLAN monitor for the automatic creation of vlans (user per vlan)</help>
+ <constraint>
+ <regex>(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})-(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})</regex>
+ </constraint>
+ <multi />
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <node name="dns-server">
+ <properties>
+ <help>DNS servers offered via internal DHCP</help>
+ </properties>
+ <children>
+ <leafNode name="server-1">
+ <properties>
+ <help>IP address of the primary DNS server</help>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="server-2">
+ <properties>
+ <help>IP address of the secondary DNS server</help>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="dnsv6-server">
+ <properties>
+ <help>DNSv6 servers offered via internal DHCPv6</help>
+ </properties>
+ <children>
+ <leafNode name="server-1">
+ <properties>
+ <help>IP address of the primary DNS server</help>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="server-2">
+ <properties>
+ <help>IP address of the secondary DNS server</help>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="server-3">
+ <properties>
+ <help>IP address of the tertiary DNS server</help>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="client-ipv6-pool">
+ <properties>
+ <help>Pool of client IPv6 addresses</help>
+ </properties>
+ <children>
+ <leafNode name="prefix">
+ <properties>
+ <help>Format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients)</help>
+ <multi />
+ </properties>
+ </leafNode>
+ <leafNode name="delegate-prefix">
+ <properties>
+ <help>Format: ipv6prefix/mask,prefix_len (delegates prefix to clients via DHCPv6 prefix delegation</help>
+ <multi />
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="authentication">
+ <properties>
+ <help>Client authentication methods</help>
+ </properties>
+ <children>
+ <leafNode name="mode">
+ <properties>
+ <help>Authetication mode</help>
+ <completionHelp>
+ <list>local radius noauth</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(local|radius|noauth)</regex>
+ </constraint>
+ <valueHelp>
+ <format>local</format>
+ <description>Authentication based on local definition</description>
+ </valueHelp>
+ <valueHelp>
+ <format>radius</format>
+ <description>Authentication based on a RADIUS server</description>
+ </valueHelp>
+ <valueHelp>
+ <format>noauth</format>
+ <description>Authentication disabled</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="interface">
+ <properties>
+ <help>Network interface the client mac will appear on</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ <children>
+ <tagNode name="mac-address">
+ <properties>
+ <help>Client mac address allowed to receive an IP address</help>
+ <valueHelp>
+ <format>h:h:h:h:h:h</format>
+ <description>Hardware (MAC) address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="mac-address"/>
+ </constraint>
+ </properties>
+ <children>
+ <node name="rate-limit">
+ <properties>
+ <help>Upload/Download speed limits</help>
+ </properties>
+ <children>
+ <leafNode name="upload">
+ <properties>
+ <help>Upload bandwidth limit in kbits/sec</help>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="download">
+ <properties>
+ <help>Download bandwidth limit in kbits/sec</help>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <tagNode name="radius-server">
+ <properties>
+ <help>IP address of RADIUS server</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IP address of RADIUS server</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="secret">
+ <properties>
+ <help>Key for accessing the specified server</help>
+ </properties>
+ </leafNode>
+ <leafNode name="req-limit">
+ <properties>
+ <help>Maximum number of simultaneous requests to server (default: unlimited)</help>
+ </properties>
+ </leafNode>
+ <leafNode name="fail-time">
+ <properties>
+ <help>If server doesn't responds mark it as unavailable for this amount of time in seconds</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <node name="radius-settings">
+ <properties>
+ <help>RADIUS settings</help>
+ </properties>
+ <children>
+ <leafNode name="timeout">
+ <properties>
+ <help>Timeout to wait response from server (seconds)</help>
+ </properties>
+ </leafNode>
+ <leafNode name="acct-timeout">
+ <properties>
+ <help>Timeout to wait reply for Interim-Update packets. (default 3 seconds)</help>
+ </properties>
+ </leafNode>
+ <leafNode name="max-try">
+ <properties>
+ <help>Maximum number of tries to send Access-Request/Accounting-Request queries</help>
+ </properties>
+ </leafNode>
+ <leafNode name="nas-identifier">
+ <properties>
+ <help>Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help>
+ </properties>
+ </leafNode>
+ <leafNode name="nas-ip-address">
+ <properties>
+ <help>Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address.</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address of the DAE Server</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="dae-server">
+ <properties>
+ <help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help>
+ </properties>
+ <children>
+ <leafNode name="ip-address">
+ <properties>
+ <help>IP address for Dynamic Authorization Extension server (DM/CoA)</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address of the DAE Server</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="port">
+ <properties>
+ <help>Port for Dynamic Authorization Extension server (DM/CoA)</help>
+ <valueHelp>
+ <format>number</format>
+ <description>port number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="secret">
+ <properties>
+ <help>Secret for Dynamic Authorization Extension server (DM/CoA)</help>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/interface-definitions/pppoe-server.xml b/interface-definitions/pppoe-server.xml
index 1190cd9ff..aab830f1e 100644
--- a/interface-definitions/pppoe-server.xml
+++ b/interface-definitions/pppoe-server.xml
@@ -194,6 +194,11 @@
<help>Specifies which radius attribute contains rate information. (default is Filter-Id)</help>
</properties>
</leafNode>
+ <leafNode name="vendor">
+ <properties>
+ <help>Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius)</help>
+ </properties>
+ </leafNode>
<leafNode name="enable">
<properties>
<help>Enables Bandwidth shaping via RADIUS</help>
@@ -332,15 +337,36 @@
</leafNode>
</children>
</node>
- <leafNode name="interface">
+
+ <tagNode name="interface">
<properties>
<help>interface(s) to listen on</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
- <multi/>
</properties>
- </leafNode>
+ <children>
+ <leafNode name="vlan-id">
+ <properties>
+ <help>VLAN monitor for the automatic creation of vlans (user per vlan)</help>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4096"/>
+ </constraint>
+ <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage>
+ <multi />
+ </properties>
+ </leafNode>
+ <leafNode name="vlan-range">
+ <properties>
+ <help>VLAN monitor for the automatic creation of vlans (user per vlan)</help>
+ <constraint>
+ <regex>(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})-(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})</regex>
+ </constraint>
+ <multi />
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
<leafNode name="local-ip">
<properties>
<help>local gateway address</help>
diff --git a/interface-definitions/protocols-bfd.xml b/interface-definitions/protocols-bfd.xml
new file mode 100644
index 000000000..47d5bf97d
--- /dev/null
+++ b/interface-definitions/protocols-bfd.xml
@@ -0,0 +1,114 @@
+<?xml version="1.0"?>
+<!-- Bidirectional Forwarding Detection (BFD) configuration -->
+<interfaceDefinition>
+ <node name="protocols">
+ <children>
+ <node name="bfd" owner="${vyos_conf_scripts_dir}/protocols_bfd.py">
+ <properties>
+ <help>Bidirectional Forwarding Detection (BFD)</help>
+ <priority>820</priority>
+ </properties>
+ <children>
+ <tagNode name="peer">
+ <properties>
+ <help>Configures a new BFD peer to listen and talk to</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>BFD peer IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>BFD peer IPv6 address</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <node name="source">
+ <properties>
+ <help>Bind listener to specifid interface/address, mandatory for IPv6</help>
+ </properties>
+ <children>
+ <leafNode name="interface">
+ <properties>
+ <help>Local interface to bind our peer listener to</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="address">
+ <properties>
+ <help>Local address to bind our peer listener to</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Local IPv4 address used to connect to the peer</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Local IPv6 address used to connect to the peer</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="interval">
+ <properties>
+ <help>Configure timer intervals</help>
+ </properties>
+ <children>
+ <leafNode name="receive">
+ <properties>
+ <help>Minimum interval of receiving control packets</help>
+ <valueHelp>
+ <format>10-60000</format>
+ <description>Interval in milliseconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 10-60000"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="transmit">
+ <properties>
+ <help>Minimum interval of transmitting control packets</help>
+ <valueHelp>
+ <format>10-60000</format>
+ <description>Interval in milliseconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 10-60000"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="multiplier">
+ <properties>
+ <help>Multiplier to determine packet loss</help>
+ <valueHelp>
+ <format>2-255</format>
+ <description>Remote transmission interval will be multiplied by this value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 2-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="shutdown">
+ <properties>
+ <help>Disable this peer</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="multihop">
+ <properties>
+ <help>Allow this BFD peer to not be directly connected</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/interface-definitions/snmp.xml b/interface-definitions/snmp.xml
index 103aa39d7..8b2fa8a93 100644
--- a/interface-definitions/snmp.xml
+++ b/interface-definitions/snmp.xml
@@ -599,6 +599,28 @@
</tagNode>
</children>
</node>
+ <node name="script-extensions">
+ <properties>
+ <help>SNMP script extensions</help>
+ </properties>
+ <children>
+ <tagNode name="extension-name">
+ <properties>
+ <help>Extension name</help>
+ </properties>
+ <children>
+ <leafNode name="script">
+ <properties>
+ <help>Script location and name</help>
+ <completionHelp>
+ <script>ls /config/user-data</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
</children>
</node>
</children>
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index cc86855a5..e752a2f1d 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -20,7 +20,7 @@
<properties>
<help>IP address</help>
<constraint>
- <validator name="ip-host"/>
+ <validator name="cidr"/>
</constraint>
<valueHelp>
<format>ipv4-address</format>
diff --git a/op-mode-definitions/dhcp.xml b/op-mode-definitions/dhcp.xml
index a7d09304e..f142cdd0e 100644
--- a/op-mode-definitions/dhcp.xml
+++ b/op-mode-definitions/dhcp.xml
@@ -9,7 +9,7 @@
<children>
<node name="server">
<properties>
- <help>Show DHCP information</help>
+ <help>Show DHCP server information</help>
</properties>
<children>
<node name="leases">
@@ -20,9 +20,30 @@
<children>
<tagNode name="pool">
<properties>
- <help>Show DHCP leases for a specific pool</help>
+ <help>Show DHCP server leases for a specific pool</help>
+ <completionHelp>
+ <script>sudo ${vyos_op_scripts_dir}/show_dhcp.py --allowed pool</script>
+ </completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --leases --pool $4</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --leases --pool $6</command>
+ </tagNode>
+ <tagNode name="sort">
+ <properties>
+ <help>Show DHCP server leases sorted by the specified key</help>
+ <completionHelp>
+ <script>sudo ${vyos_op_scripts_dir}/show_dhcp.py --allowed sort</script>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --leases --sort $6</command>
+ </tagNode>
+ <tagNode name="state">
+ <properties>
+ <help>Show DHCP server leases with a specific state (can be multiple, comma-separated)</help>
+ <completionHelp>
+ <script>sudo ${vyos_op_scripts_dir}/show_dhcp.py --allowed state</script>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --leases --state $(echo $6 | tr , " ")</command>
</tagNode>
</children>
</node>
@@ -35,8 +56,11 @@
<tagNode name="pool">
<properties>
<help>Show DHCP server statistics for a specific pool</help>
+ <completionHelp>
+ <script>sudo ${vyos_op_scripts_dir}/show_dhcp.py --allowed pool</script>
+ </completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --statistics --pool $4</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --statistics --pool $6</command>
</tagNode>
</children>
</node>
@@ -59,6 +83,35 @@
<help>Show DHCPv6 server leases</help>
</properties>
<command>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --leases</command>
+ <children>
+ <tagNode name="pool">
+ <properties>
+ <help>Show DHCPv6 server leases for a specific pool</help>
+ <completionHelp>
+ <script>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --allowed pool</script>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --leases --pool $6</command>
+ </tagNode>
+ <tagNode name="sort">
+ <properties>
+ <help>Show DHCPv6 server leases sorted by the specified key</help>
+ <completionHelp>
+ <script>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --allowed sort</script>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --leases --sort $6</command>
+ </tagNode>
+ <tagNode name="state">
+ <properties>
+ <help>Show DHCPv6 server leases with a specific state (can be multiple, comma-separated)</help>
+ <completionHelp>
+ <script>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --allowed state</script>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --leases --state $(echo $6 | tr , " ")</command>
+ </tagNode>
+ </children>
</node>
</children>
</node>
diff --git a/op-mode-definitions/ipoe-server.xml b/op-mode-definitions/ipoe-server.xml
new file mode 100644
index 000000000..ea14e9a5c
--- /dev/null
+++ b/op-mode-definitions/ipoe-server.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="show">
+ <children>
+ <node name="ipoe-server">
+ <properties>
+ <help>show ipoe-server status</help>
+ </properties>
+ <children>
+ <leafNode name="sessions">
+ <properties>
+ <help>Show active IPoE server sessions</help>
+ </properties>
+ <command>/usr/bin/accel-cmd -p 2002 show sessions ifname,called-sid,calling-sid,ip,ip6,ip6-dp,rate-limit,state,uptime,sid</command>
+ </leafNode>
+ <leafNode name="statistics">
+ <properties>
+ <help>Show IPoE server statistics</help>
+ </properties>
+ <command>/usr/bin/accel-cmd -p 2002 show stat</command>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/pppoe-server.xml b/op-mode-definitions/pppoe-server.xml
index d8a518573..a2366c710 100644
--- a/op-mode-definitions/pppoe-server.xml
+++ b/op-mode-definitions/pppoe-server.xml
@@ -11,7 +11,7 @@
<properties>
<help>Show active PPPoE server sessions</help>
</properties>
- <command>/usr/bin/accel-cmd 'show sessions ifname,username,ip,calling-sid,rate-limit,state,uptime,rx-bytes,tx-bytes'</command>
+ <command>/usr/bin/accel-cmd 'show sessions ifname,username,ip,ip6,ip6-dp,calling-sid,rate-limit,state,uptime,rx-bytes,tx-bytes'</command>
</leafNode>
<leafNode name="statistics">
<properties>
diff --git a/op-mode-definitions/pptp-server.xml b/op-mode-definitions/pptp-server.xml
index 7f141dc53..388063885 100644
--- a/op-mode-definitions/pptp-server.xml
+++ b/op-mode-definitions/pptp-server.xml
@@ -9,7 +9,7 @@
<children>
<leafNode name="sessions">
<properties>
- <help>Show active PPPoE server sessions</help>
+ <help>Show active PPTP server sessions</help>
</properties>
<command>/usr/bin/accel-cmd -p 2003 'show sessions'</command>
</leafNode>
diff --git a/op-mode-definitions/show-protocols-bfd.xml b/op-mode-definitions/show-protocols-bfd.xml
new file mode 100644
index 000000000..3c682d6f7
--- /dev/null
+++ b/op-mode-definitions/show-protocols-bfd.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="show">
+ <children>
+ <node name="protocols">
+ <children>
+ <node name="bfd">
+ <children>
+ <node name="peer">
+ <properties>
+ <help>Show all Bidirectional Forwarding Detection (BFD) peer status</help>
+ </properties>
+ <command>/usr/bin/vtysh -c "show bfd peers"</command>
+ </node>
+ <tagNode name="peer">
+ <properties>
+ <help>Show Bidirectional Forwarding Detection (BFD) peer status</help>
+ <completionHelp>
+ <script>/usr/bin/vtysh -c "show bfd peer" | grep peer | awk '{print $2}'</script>
+ </completionHelp>
+ </properties>
+ <command>/usr/bin/vtysh -c "show bfd peer $5"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/version.xml b/op-mode-definitions/version.xml
index 593785f7a..57931fdff 100644
--- a/op-mode-definitions/version.xml
+++ b/op-mode-definitions/version.xml
@@ -6,19 +6,19 @@
<properties>
<help>Show system version information</help>
</properties>
- <command>${vyos_op_scripts_dir}/version.py</command>
+ <command>sudo ${vyos_op_scripts_dir}/version.py</command>
<children>
<leafNode name="funny">
<properties>
<help>Show system version and some fun stuff</help>
</properties>
- <command>${vyos_op_scripts_dir}/version.py --funny</command>
+ <command>sudo ${vyos_op_scripts_dir}/version.py --funny</command>
</leafNode>
<leafNode name="all">
<properties>
<help>Show system version and versions of all packages</help>
</properties>
- <command>${vyos_op_scripts_dir}/version.py --all</command>
+ <command>sudo ${vyos_op_scripts_dir}/version.py --all</command>
</leafNode>
</children>
</node>
diff --git a/python/vyos/config.py b/python/vyos/config.py
index bcf04225b..c9c73b971 100644
--- a/python/vyos/config.py
+++ b/python/vyos/config.py
@@ -87,9 +87,13 @@ class Config(object):
the only state it keeps is relative *config path* for convenient access to config
subtrees.
"""
- def __init__(self):
+ def __init__(self, session_env=None):
self._cli_shell_api = "/bin/cli-shell-api"
self._level = ""
+ if session_env:
+ self.__session_env = session_env
+ else:
+ self.__session_env = None
def _make_command(self, op, path):
args = path.split()
@@ -97,7 +101,10 @@ class Config(object):
return cmd
def _run(self, cmd):
- p = subprocess.Popen(cmd, stdout=subprocess.PIPE)
+ if self.__session_env:
+ p = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=self.__session_env)
+ else:
+ p = subprocess.Popen(cmd, stdout=subprocess.PIPE)
out = p.stdout.read()
p.wait()
if p.returncode != 0:
@@ -169,6 +176,21 @@ class Config(object):
except VyOSError:
return False
+ def show_config(self, path='', default=None):
+ """
+ Args:
+ path (str): Configuration tree path, or empty
+ default (str): Default value to return
+
+ Returns:
+ str: working configuration
+ """
+ try:
+ out = self._run(self._make_command('showConfig', path))
+ return out
+ except VyOSError:
+ return(default)
+
def is_multi(self, path):
"""
Args:
@@ -383,7 +405,8 @@ class Config(object):
else:
try:
out = self._run(self._make_command('returnEffectiveValues', full_path))
- return out
+ values = re.findall(r"\'(.*?)\'", out)
+ return values
except VyOSError:
return(default)
diff --git a/python/vyos/configsession.py b/python/vyos/configsession.py
new file mode 100644
index 000000000..78f332d66
--- /dev/null
+++ b/python/vyos/configsession.py
@@ -0,0 +1,148 @@
+# configsession -- the write API for the VyOS running config
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This library is free software; you can redistribute it and/or modify it under the terms of
+# the GNU Lesser General Public License as published by the Free Software Foundation;
+# either version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along with this library;
+# if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+import os
+import re
+import sys
+import subprocess
+
+CLI_SHELL_API = '/bin/cli-shell-api'
+SET = '/opt/vyatta/sbin/my_set'
+DELETE = '/opt/vyatta/sbin/my_delete'
+COMMENT = '/opt/vyatta/sbin/my_comment'
+COMMIT = '/opt/vyatta/sbin/my_commit'
+DISCARD = '/opt/vyatta/sbin/my_discard'
+
+# Default "commit via" string
+APP = "vyos-http-api"
+
+# When started as a service rather than from a user shell,
+# the process lacks the VyOS-specific environment that comes
+# from bash configs, so we have to inject it
+# XXX: maybe it's better to do via a systemd environment file
+def inject_vyos_env(env):
+ env['VYATTA_CFG_GROUP_NAME'] = 'vyattacfg'
+ env['VYATTA_USER_LEVEL_DIR'] = '/opt/vyatta/etc/shell/level/admin'
+ env['vyatta_bindir']= '/opt/vyatta/bin'
+ env['vyatta_cfg_templates'] = '/opt/vyatta/share/vyatta-cfg/templates'
+ env['vyatta_configdir'] = '/opt/vyatta/config'
+ env['vyatta_datadir'] = '/opt/vyatta/share'
+ env['vyatta_datarootdir'] = '/opt/vyatta/share'
+ env['vyatta_libdir'] = '/opt/vyatta/lib'
+ env['vyatta_libexecdir'] = '/opt/vyatta/libexec'
+ env['vyatta_op_templates'] = '/opt/vyatta/share/vyatta-op/templates'
+ env['vyatta_prefix'] = '/opt/vyatta'
+ env['vyatta_sbindir'] = '/opt/vyatta/sbin'
+ env['vyatta_sysconfdir'] = '/opt/vyatta/etc'
+ env['vyos_bin_dir'] = '/usr/bin'
+ env['vyos_cfg_templates'] = '/opt/vyatta/share/vyatta-cfg/templates'
+ env['vyos_completion_dir'] = '/usr/libexec/vyos/completion'
+ env['vyos_configdir'] = '/opt/vyatta/config'
+ env['vyos_conf_scripts_dir'] = '/usr/libexec/vyos/conf_mode'
+ env['vyos_datadir'] = '/opt/vyatta/share'
+ env['vyos_datarootdir']= '/opt/vyatta/share'
+ env['vyos_libdir'] = '/opt/vyatta/lib'
+ env['vyos_libexec_dir'] = '/usr/libexec/vyos'
+ env['vyos_op_scripts_dir'] = '/usr/libexec/vyos/op_mode'
+ env['vyos_op_templates'] = '/opt/vyatta/share/vyatta-op/templates'
+ env['vyos_prefix'] = '/opt/vyatta'
+ env['vyos_sbin_dir'] = '/usr/sbin'
+ env['vyos_validators_dir'] = '/usr/libexec/vyos/validators'
+
+ return env
+
+
+class ConfigSessionError(Exception):
+ pass
+
+
+class ConfigSession(object):
+ """
+ The write API of VyOS.
+ """
+ def __init__(self, session_id, app=APP):
+ """
+ Creates a new config session.
+
+ Args:
+ session_id (str): Session identifier
+ app (str): Application name, purely informational
+
+ Note:
+ The session identifier MUST be globally unique within the system.
+ The best practice is to only have one ConfigSession object per process
+ and used the PID for the session identifier.
+ """
+
+ env_str = subprocess.check_output([CLI_SHELL_API, 'getSessionEnv', str(session_id)])
+ self.__session_id = session_id
+
+ # Extract actual variables from the chunk of shell it outputs
+ # XXX: it's better to extend cli-shell-api to provide easily readable output
+ env_list = re.findall(r'([A-Z_]+)=([^;\s]+)', env_str.decode())
+
+ session_env = os.environ
+ session_env = inject_vyos_env(session_env)
+ for k, v in env_list:
+ session_env[k] = v
+
+ self.__session_env = session_env
+ self.__session_env["COMMIT_VIA"] = app
+
+ self.__run_command([CLI_SHELL_API, 'setupSession'])
+
+ def __del__(self):
+ try:
+ output = subprocess.check_output([CLI_SHELL_API, 'teardownSession'], env=self.__session_env).decode().strip()
+ if output:
+ print("cli-shell-api teardownSession output for sesion {0}: {1}".format(self.__session_id, output), file=sys.stderr)
+ except Exception as e:
+ print("Could not tear down session {0}: {1}".format(self.__session_id, e), file=sys.stderr)
+
+ def __run_command(self, cmd_list):
+ p = subprocess.Popen(cmd_list, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=self.__session_env)
+ result = p.wait()
+ output = p.stdout.read().decode()
+ if result != 0:
+ raise ConfigSessionError(output)
+
+ def get_session_env(self):
+ return self.__session_env
+
+ def set(self, path, value=None):
+ if not value:
+ value = []
+ else:
+ value = [value]
+ self.__run_command([SET] + path + value)
+
+ def delete(self, path, value=None):
+ if not value:
+ value = []
+ else:
+ value = [value]
+ self.__run_command([DELETE] + path + value)
+
+ def comment(self, path, value=None):
+ if not value:
+ value = [""]
+ else:
+ value = [value]
+ self.__run_command([COMMENT] + path + value)
+
+ def commit(self):
+ self.__run_command([COMMIT])
+
+ def discard(self):
+ self.__run_command([DISCARD])
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index 36185f16a..524b80424 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -15,7 +15,15 @@
directories = {
- "data": "/usr/share/vyos/"
+ "data": "/usr/share/vyos/",
+ "conf_mode": "/usr/libexec/vyos/conf_mode",
+ "config": "/opt/vyatta/etc/config",
+ "current": "/opt/vyatta/etc/config-migrate/current",
+ "migrate": "/opt/vyatta/etc/config-migrate/migrate",
}
cfg_group = 'vyattacfg'
+
+cfg_vintage = 'vyatta'
+
+commit_lock = '/opt/vyatta/config/.lock'
diff --git a/python/vyos/formatversions.py b/python/vyos/formatversions.py
new file mode 100644
index 000000000..29117a5d3
--- /dev/null
+++ b/python/vyos/formatversions.py
@@ -0,0 +1,109 @@
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import os
+import re
+import fileinput
+
+def read_vyatta_versions(config_file):
+ config_file_versions = {}
+
+ with open(config_file, 'r') as config_file_handle:
+ for config_line in config_file_handle:
+ if re.match(r'/\* === vyatta-config-version:.+=== \*/$', config_line):
+ if not re.match(r'/\* === vyatta-config-version:\s+"([\w,-]+@\d+:)+([\w,-]+@\d+)"\s+=== \*/$', config_line):
+ raise ValueError("malformed configuration string: "
+ "{}".format(config_line))
+
+ for pair in re.findall(r'([\w,-]+)@(\d+)', config_line):
+ config_file_versions[pair[0]] = int(pair[1])
+
+
+ return config_file_versions
+
+def read_vyos_versions(config_file):
+ config_file_versions = {}
+
+ with open(config_file, 'r') as config_file_handle:
+ for config_line in config_file_handle:
+ if re.match(r'// vyos-config-version:.+', config_line):
+ if not re.match(r'// vyos-config-version:\s+"([\w,-]+@\d+:)+([\w,-]+@\d+)"\s*', config_line):
+ raise ValueError("malformed configuration string: "
+ "{}".format(config_line))
+
+ for pair in re.findall(r'([\w,-]+)@(\d+)', config_line):
+ config_file_versions[pair[0]] = int(pair[1])
+
+ return config_file_versions
+
+def remove_versions(config_file):
+ """
+ Remove old version string.
+ """
+ for line in fileinput.input(config_file, inplace=True):
+ if re.match(r'/\* Warning:.+ \*/$', line):
+ continue
+ if re.match(r'/\* === vyatta-config-version:.+=== \*/$', line):
+ continue
+ if re.match(r'/\* Release version:.+ \*/$', line):
+ continue
+ if re.match('// vyos-config-version:.+', line):
+ continue
+ if re.match('// Warning:.+', line):
+ continue
+ if re.match('// Release version:.+', line):
+ continue
+ sys.stdout.write(line)
+
+def format_versions_string(config_versions):
+ cfg_keys = list(config_versions.keys())
+ cfg_keys.sort()
+
+ component_version_strings = []
+
+ for key in cfg_keys:
+ cfg_vers = config_versions[key]
+ component_version_strings.append('{}@{}'.format(key, cfg_vers))
+
+ separator = ":"
+ component_version_string = separator.join(component_version_strings)
+
+ return component_version_string
+
+def write_vyatta_versions_foot(config_file, component_version_string,
+ os_version_string):
+ if config_file:
+ with open(config_file, 'a') as config_file_handle:
+ config_file_handle.write('/* Warning: Do not remove the following line. */\n')
+ config_file_handle.write('/* === vyatta-config-version: "{}" === */\n'.format(component_version_string))
+ config_file_handle.write('/* Release version: {} */\n'.format(os_version_string))
+ else:
+ sys.stdout.write('/* Warning: Do not remove the following line. */\n')
+ sys.stdout.write('/* === vyatta-config-version: "{}" === */\n'.format(component_version_string))
+ sys.stdout.write('/* Release version: {} */\n'.format(os_version_string))
+
+def write_vyos_versions_foot(config_file, component_version_string,
+ os_version_string):
+ if config_file:
+ with open(config_file, 'a') as config_file_handle:
+ config_file_handle.write('// Warning: Do not remove the following line.\n')
+ config_file_handle.write('// vyos-config-version: "{}"\n'.format(component_version_string))
+ config_file_handle.write('// Release version: {}\n'.format(os_version_string))
+ else:
+ sys.stdout.write('// Warning: Do not remove the following line.\n')
+ sys.stdout.write('// vyos-config-version: "{}"\n'.format(component_version_string))
+ sys.stdout.write('// Release version: {}\n'.format(os_version_string))
+
diff --git a/python/vyos/migrator.py b/python/vyos/migrator.py
new file mode 100644
index 000000000..59d68f0f7
--- /dev/null
+++ b/python/vyos/migrator.py
@@ -0,0 +1,192 @@
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import os
+import subprocess
+import vyos.version
+import vyos.defaults
+import vyos.systemversions as systemversions
+import vyos.formatversions as formatversions
+
+class MigratorError(Exception):
+ pass
+
+class Migrator(object):
+ def __init__(self, config_file, force=False, set_vintage=None):
+ self._config_file = config_file
+ self._force = force
+ self._set_vintage = set_vintage
+ self._config_file_vintage = None
+ self._changed = False
+
+ def read_config_file_versions(self):
+ """
+ Get component versions from config file footer and set vintage;
+ return empty dictionary if config string is missing.
+ """
+ cfg_file = self._config_file
+ component_versions = {}
+
+ cfg_versions = formatversions.read_vyatta_versions(cfg_file)
+
+ if cfg_versions:
+ self._config_file_vintage = 'vyatta'
+ component_versions = cfg_versions
+
+ cfg_versions = formatversions.read_vyos_versions(cfg_file)
+
+ if cfg_versions:
+ self._config_file_vintage = 'vyos'
+ component_versions = cfg_versions
+
+ return component_versions
+
+ def update_vintage(self):
+ old_vintage = self._config_file_vintage
+
+ if self._set_vintage:
+ self._config_file_vintage = self._set_vintage
+
+ if not self._config_file_vintage:
+ self._config_file_vintage = vyos.defaults.cfg_vintage
+
+ if self._config_file_vintage not in ['vyatta', 'vyos']:
+ raise MigratorError("Unknown vintage.")
+
+ if self._config_file_vintage == old_vintage:
+ return False
+ else:
+ return True
+
+ def run_migration_scripts(self, config_file_versions, system_versions):
+ """
+ Run migration scripts iteratively, until config file version equals
+ system component version.
+ """
+ cfg_versions = config_file_versions
+ sys_versions = system_versions
+
+ sys_keys = list(sys_versions.keys())
+ sys_keys.sort()
+
+ rev_versions = {}
+
+ for key in sys_keys:
+ sys_ver = sys_versions[key]
+ if key in cfg_versions:
+ cfg_ver = cfg_versions[key]
+ else:
+ cfg_ver = 0
+
+ migrate_script_dir = os.path.join(
+ vyos.defaults.directories['migrate'], key)
+
+ while cfg_ver < sys_ver:
+ next_ver = cfg_ver + 1
+
+ migrate_script = os.path.join(migrate_script_dir,
+ '{}-to-{}'.format(cfg_ver, next_ver))
+
+ try:
+ subprocess.check_output([migrate_script,
+ self._config_file])
+ except FileNotFoundError:
+ pass
+ except subprocess.CalledProcessError as err:
+ print("Called process error: {}.".format(err))
+ sys.exit(1)
+
+ cfg_ver = next_ver
+
+ rev_versions[key] = cfg_ver
+
+ return rev_versions
+
+ def write_config_file_versions(self, cfg_versions):
+ """
+ Write new versions string.
+ """
+ versions_string = formatversions.format_versions_string(cfg_versions)
+
+ os_version_string = vyos.version.get_version()
+
+ if self._config_file_vintage == 'vyatta':
+ formatversions.write_vyatta_versions_foot(self._config_file,
+ versions_string,
+ os_version_string)
+
+ if self._config_file_vintage == 'vyos':
+ formatversions.write_vyos_versions_foot(self._config_file,
+ versions_string,
+ os_version_string)
+
+ def run(self):
+ """
+ Gather component versions from config file and system.
+ Run migration scripts.
+ Update vintage ('vyatta' or 'vyos'), if needed.
+ If changed, remove old versions string from config file, and
+ write new versions string.
+ """
+ cfg_file = self._config_file
+
+ cfg_versions = self.read_config_file_versions()
+ if self._force:
+ # This will force calling all migration scripts:
+ cfg_versions = {}
+
+ sys_versions = systemversions.get_system_versions()
+
+ rev_versions = self.run_migration_scripts(cfg_versions, sys_versions)
+
+ if rev_versions != cfg_versions:
+ self._changed = True
+
+ if self.update_vintage():
+ self._changed = True
+
+ if not self._changed:
+ return
+
+ formatversions.remove_versions(cfg_file)
+
+ self.write_config_file_versions(rev_versions)
+
+ def config_changed(self):
+ return self._changed
+
+class VirtualMigrator(Migrator):
+ def __init__(self, config_file, vintage='vyos'):
+ super().__init__(config_file, set_vintage = vintage)
+
+ def run(self):
+ cfg_file = self._config_file
+
+ cfg_versions = self.read_config_file_versions()
+ if not cfg_versions:
+ raise MigratorError("Config file has no version information;"
+ " virtual migration not possible.")
+
+ if self.update_vintage():
+ self._changed = True
+
+ if not self._changed:
+ return
+
+ formatversions.remove_versions(cfg_file)
+
+ self.write_config_file_versions(cfg_versions)
+
diff --git a/python/vyos/remote.py b/python/vyos/remote.py
new file mode 100644
index 000000000..49936ec08
--- /dev/null
+++ b/python/vyos/remote.py
@@ -0,0 +1,136 @@
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import os
+import re
+import fileinput
+import subprocess
+
+
+def check_and_add_host_key(host_name):
+ """
+ Filter host keys and prompt for adding key to known_hosts file, if
+ needed.
+ """
+ known_hosts = '{}/.ssh/known_hosts'.format(os.getenv('HOME'))
+ if not os.path.exists(known_hosts):
+ mode = 0o600
+ os.mknod(known_hosts, 0o600)
+
+ keyscan_cmd = 'ssh-keyscan -t rsa {} 2>/dev/null'.format(host_name)
+
+ try:
+ host_key = subprocess.check_output(keyscan_cmd, shell=True,
+ stderr=subprocess.DEVNULL,
+ universal_newlines=True)
+ except subprocess.CalledProcessError as err:
+ sys.exit("Can not get RSA host key")
+
+ # libssh2 (jessie; stretch) does not recognize ec host keys, and curl
+ # will fail with error 51 if present in known_hosts file; limit to rsa.
+ usable_keys = False
+ offending_keys = []
+ for line in fileinput.input(known_hosts, inplace=True):
+ if host_name in line and 'ssh-rsa' in line:
+ if line.split()[-1] != host_key.split()[-1]:
+ offending_keys.append(line)
+ continue
+ else:
+ usable_keys = True
+ if host_name in line and not 'ssh-rsa' in line:
+ continue
+
+ sys.stdout.write(line)
+
+ if usable_keys:
+ return
+
+ if offending_keys:
+ print("Host key has changed!")
+ print("If you trust the host key fingerprint below, continue.")
+
+ fingerprint_cmd = 'ssh-keygen -lf /dev/stdin <<< "{}"'.format(host_key)
+ try:
+ fingerprint = subprocess.check_output(fingerprint_cmd, shell=True,
+ stderr=subprocess.DEVNULL,
+ universal_newlines=True)
+ except subprocess.CalledProcessError as err:
+ sys.exit("Can not get RSA host key fingerprint.")
+
+ print("RSA host key fingerprint is {}".format(fingerprint.split()[1]))
+ response = input("Do you trust this host? [y]/n ")
+
+ if not response or response == 'y':
+ with open(known_hosts, 'a+') as f:
+ print("Adding {} to the list of known"
+ " hosts.".format(host_name))
+ f.write(host_key)
+ else:
+ sys.exit("Host not trusted")
+
+def get_remote_config(remote_file):
+ """ Invoke curl to download remote (config) file.
+
+ Args:
+ remote file URI:
+ scp://<user>[:<passwd>]@<host>/<file>
+ sftp://<user>[:<passwd>]@<host>/<file>
+ http://<host>/<file>
+ https://<host>/<file>
+ ftp://<user>[:<passwd>]@<host>/<file>
+ tftp://<host>/<file>
+ """
+ request = dict.fromkeys(['protocol', 'host', 'file', 'user', 'passwd'])
+ protocols = ['scp', 'sftp', 'http', 'https', 'ftp', 'tftp']
+ or_protocols = '|'.join(protocols)
+
+ request_match = re.match(r'(' + or_protocols + r')://(.*?)(/.*)',
+ remote_file)
+ if request_match:
+ (request['protocol'], request['host'],
+ request['file']) = request_match.groups()
+ else:
+ print("Malformed URI")
+ sys.exit(1)
+
+ user_match = re.search(r'(.*)@(.*)', request['host'])
+ if user_match:
+ request['user'] = user_match.groups()[0]
+ request['host'] = user_match.groups()[1]
+ passwd_match = re.search(r'(.*):(.*)', request['user'])
+ if passwd_match:
+ # Deprectated in RFC 3986, but maintain for backward compatability.
+ request['user'] = passwd_match.groups()[0]
+ request['passwd'] = passwd_match.groups()[1]
+
+ remote_file = '{0}://{1}{2}'.format(request['protocol'], request['host'], request['file'])
+
+ if request['protocol'] in ('scp', 'sftp'):
+ check_and_add_host_key(request['host'])
+
+ if request['user'] and not request['passwd']:
+ curl_cmd = 'curl -# -u {0} {1}'.format(request['user'], remote_file)
+ else:
+ curl_cmd = 'curl -# {0}'.format(remote_file)
+
+ config_file = None
+ try:
+ config_file = subprocess.check_output(curl_cmd, shell=True,
+ universal_newlines=True)
+ except subprocess.CalledProcessError as err:
+ print("Called process error: {}.".format(err))
+
+ return config_file
diff --git a/python/vyos/systemversions.py b/python/vyos/systemversions.py
new file mode 100644
index 000000000..9b3f4f413
--- /dev/null
+++ b/python/vyos/systemversions.py
@@ -0,0 +1,39 @@
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import re
+import sys
+import vyos.defaults
+
+def get_system_versions():
+ """
+ Get component versions from running system; critical failure if
+ unable to read migration directory.
+ """
+ system_versions = {}
+
+ try:
+ version_info = os.listdir(vyos.defaults.directories['current'])
+ except OSError as err:
+ print("OS error: {}".format(err))
+ sys.exit(1)
+
+ for info in version_info:
+ if re.match(r'[\w,-]+@\d+', info):
+ pair = info.split('@')
+ system_versions[pair[0]] = int(pair[1])
+
+ return system_versions
diff --git a/python/vyos/util.py b/python/vyos/util.py
index 8b5342575..6ab606983 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -1,4 +1,4 @@
-# Copyright 2018 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -16,6 +16,9 @@
import os
import re
import grp
+import time
+import subprocess
+
import psutil
import vyos.defaults
@@ -131,3 +134,45 @@ def file_is_persistent(path):
return (False, warning)
else:
return (True, None)
+
+def commit_in_progress():
+ """ Not to be used in normal op mode scripts! """
+
+ # The CStore backend locks the config by opening a file
+ # The file is not removed after commit, so just checking
+ # if it exists is insufficient, we need to know if it's open by anyone
+
+ # There are two ways to check if any other process keeps a file open.
+ # The first one is to try opening it and see if the OS objects.
+ # That's faster but prone to race conditions and can be intrusive.
+ # The other one is to actually check if any process keeps it open.
+ # It's non-intrusive but needs root permissions, else you can't check
+ # processes of other users.
+ #
+ # Since this will be used in scripts that modify the config outside of the CLI
+ # framework, those knowingly have root permissions.
+ # For everything else, we add a safeguard.
+ id = subprocess.check_output(['/usr/bin/id', '-u']).decode().strip()
+ if id != '0':
+ raise OSError("This functions needs root permissions to return correct results")
+
+ for proc in psutil.process_iter():
+ try:
+ files = proc.open_files()
+ if files:
+ for f in files:
+ if f.path == vyos.defaults.commit_lock:
+ return True
+ except psutil.NoSuchProcess as err:
+ # Process died before we could examine it
+ pass
+ # Default case
+ return False
+
+def wait_for_commit_lock():
+ """ Not to be used in normal op mode scripts! """
+
+ # Very synchronous approach to multiprocessing
+ while commit_in_progress():
+ time.sleep(1)
+
diff --git a/src/conf_mode/accel_pppoe.py b/src/conf_mode/accel_pppoe.py
index 3b3bf8cac..9c879502a 100755
--- a/src/conf_mode/accel_pppoe.py
+++ b/src/conf_mode/accel_pppoe.py
@@ -47,6 +47,8 @@ pppoe
ippool
{% if client_ipv6_pool %}
ipv6pool
+ipv6_nd
+ipv6_dhcp
{% endif %}
chap-secrets
auth_pap
@@ -81,6 +83,7 @@ master=1
[client-ip-range]
disable
+{% if ppp_gw %}
[ip-pool]
gw-ip-address={{ppp_gw}}
{% if client_ip_pool %}
@@ -92,6 +95,7 @@ gw-ip-address={{ppp_gw}}
{{sn}}
{% endfor %}
{% endif %}
+{% endif -%}
{% if client_ipv6_pool %}
[ipv6-pool]
@@ -101,7 +105,7 @@ gw-ip-address={{ppp_gw}}
{% for prfx in client_ipv6_pool['delegate-prefix']: %}
delegate={{prfx}}
{% endfor %}
-{% endif -%}
+{% endif %}
{% if dns %}
[dns]
@@ -111,14 +115,14 @@ dns1={{dns[0]}}
{% if dns[1] %}
dns2={{dns[1]}}
{% endif -%}
-{% endif -%}
+{% endif %}
{% if dnsv6 %}
-[dnsv6]
+[ipv6-dns]
{% for srv in dnsv6: %}
-dns={{srv}}
+{{srv}}
{% endfor %}
-{% endif -%}
+{% endif %}
{% if wins %}
[wins]
@@ -169,6 +173,9 @@ verbose=1
[shaper]
verbose=1
attr={{authentication['radiusopt']['shaper']['attr']}}
+{% if authentication['radiusopt']['shaper']['vendor'] %}
+vendor={{authentication['radiusopt']['shaper']['vendor']}}
+{% endif -%}
{% endif -%}
{% endif %}
@@ -208,6 +215,10 @@ lcp-echo-failure=3
{% if ppp_options['ipv4'] %}
ipv4={{ppp_options['ipv4']}}
{% endif %}
+{% if client_ipv6_pool %}
+ipv6=allow
+{% endif %}
+
{% if ppp_options['ipv6'] %}
ipv6={{ppp_options['ipv6']}}
{% if ppp_options['ipv6-intf-id'] %}
@@ -220,6 +231,7 @@ ipv6-peer-intf-id={{ppp_options['ipv6-peer-intf-id']}}
ipv6-accept-peer-intf-id={{ppp_options['ipv6-accept-peer-intf-id']}}
{% endif %}
{% endif %}
+
mtu={{mtu}}
[pppoe]
@@ -230,13 +242,16 @@ ac-name={{concentrator}}
{% if interface %}
{% for int in interface %}
interface={{int}}
-{% endfor %}
+{% if interface[int]['vlans'] %}
+vlan_mon={{interface[int]['vlans']|join(',')}}
+interface=re:{{int}}\.(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})
{% endif %}
+{% endfor -%}
+{% endif -%}
{% if svc_name %}
service-name={{svc_name}}
-{% endif %}
+{% endif -%}
pado-delay=0
-# maybe: called-sid, tr101, padi-limit etc.
{% if limits %}
[connlimit]
@@ -326,7 +341,7 @@ def get_config():
'client_ip_pool' : '',
'client_ip_subnets' : [],
'client_ipv6_pool' : {},
- 'interface' : [],
+ 'interface' : {},
'ppp_gw' : '',
'svc_name' : '',
'dns' : [],
@@ -345,7 +360,12 @@ def get_config():
if c.exists('service-name'):
config_data['svc_name'] = c.return_value('service-name')
if c.exists('interface'):
- config_data['interface'] = c.return_values('interface')
+ for intfc in c.list_nodes('interface'):
+ config_data['interface'][intfc] = {'vlans' : []}
+ if c.exists('interface ' + intfc + ' vlan-id'):
+ config_data['interface'][intfc]['vlans'] += c.return_values('interface ' + intfc + ' vlan-id')
+ if c.exists('interface ' + intfc + ' vlan-range'):
+ config_data['interface'][intfc]['vlans'] +=c.return_values('interface ' + intfc + ' vlan-range')
if c.exists('local-ip'):
config_data['ppp_gw'] = c.return_value('local-ip')
if c.exists('dns-servers'):
@@ -476,6 +496,8 @@ def get_config():
config_data['authentication']['radiusopt']['shaper'] = {
'attr' : c.return_value('authentication radius-settings rate-limit attribute')
}
+ if c.exists('authentication radius-settings rate-limit vendor'):
+ config_data['authentication']['radiusopt']['shaper']['vendor'] = c.return_value('authentication radius-settings rate-limit vendor')
if c.exists('mtu'):
config_data['mtu'] = c.return_value('mtu')
@@ -543,18 +565,14 @@ def verify(c):
if c['authentication']['radiussrv'][rsrv]['secret'] == None:
raise ConfigError('radius server ' + rsrv + ' needs a secret configured')
- ### local ippool and gateway settings
-
- if not c['ppp_gw']:
- raise ConfigError('pppoe-server local-ip required')
-
- if not c['client_ip_subnets'] and not c['client_ip_pool']:
- print ("Warning: No pppoe client IP pool defined")
+ ### local ippool and gateway settings config checks
- ### activate as soon as it is clear what to do migrate or depricate.
- #if c['client_ip_pool']:
- # print ("Warning: client-ip-pool (start|stop) is depricated, please use client-ip-pool subnet")
- # sl.syslog(sl.LOG_NOTICE, "client-ip-pool start stop is depricated, please use client-ip-pool subnet")
+ if c['client_ip_subnets'] or c['client_ip_pool']:
+ if not c['ppp_gw']:
+ raise ConfigError('pppoe-server local-ip required')
+
+ if c['ppp_gw'] and not c['client_ip_subnets'] and not c['client_ip_pool']:
+ print ("Warning: No pppoe client IPv4 pool defined")
def generate(c):
if c == None:
diff --git a/src/conf_mode/accel_pptp.py b/src/conf_mode/accel_pptp.py
index 6c53e8dd4..1dd7efb3e 100755
--- a/src/conf_mode/accel_pptp.py
+++ b/src/conf_mode/accel_pptp.py
@@ -84,7 +84,9 @@ wins2={{wins[1]}}
{% endif %}
[pptp]
+{% if outside_addr %}
bind={{outside_addr}}
+{% endif %}
verbose=5
ppp-max-mtu={{mtu}}
mppe={{authentication['mppe']}}
@@ -294,7 +296,7 @@ def verify(c):
if c['authentication']['mode'] == 'local':
if not c['authentication']['local-users']:
- raise ConfigError('pppoe-server authentication local-users required')
+ raise ConfigError('pptp-server authentication local-users required')
for usr in c['authentication']['local-users']:
if not c['authentication']['local-users'][usr]['passwd']:
raise ConfigError('user ' + usr + ' requires a password')
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index c8ae2fa91..3e1381cd0 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -186,8 +186,10 @@ shared-network {{ network.name }} {
{%- endif -%}
{%- for host in subnet.static_mapping %}
{% if not host.disabled -%}
- host {{ network.name }}_{{ host.name }} {
+ host {% if host_decl_name -%} {{ host.name }} {%- else -%} {{ network.name }}_{{ host.name }} {%- endif %} {
+ {%- if host.ip_address %}
fixed-address {{ host.ip_address }};
+ {%- endif %}
hardware ethernet {{ host.mac_address }};
{%- if host.static_parameters %}
# The following {{ host.static_parameters | length }} line(s) were added as static-mapping-parameters in the CLI and have not been validated
@@ -728,22 +730,19 @@ def verify(dhcp):
raise ConfigError('No DHCP address range or active static-mapping set\n' \
'for subnet {0}!'.format(subnet['network']))
- # Static IP address mappings require both an IP address and MAC address
+ # Static mappings require just a MAC address (will use an IP from the dynamic pool if IP is not set)
for mapping in subnet['static_mapping']:
- # Static IP address must be configured
- if not mapping['ip_address']:
- raise ConfigError('DHCP static lease IP address not specified for static mapping\n' \
- '{0} under shared network name {1}!'.format(mapping['name'], network['name']))
- # Static IP address must be in bound
- if not ipaddress.ip_address(mapping['ip_address']) in ipaddress.ip_network(subnet['network']):
- raise ConfigError('DHCP static lease IP address {0} for static mapping {1}\n' \
- 'in shared network {2} is outside DHCP lease subnet {3}!' \
- .format(mapping['ip_address'], mapping['name'], network['name'], subnet['network']))
+ if mapping['ip_address']:
+ # Static IP address must be in bound
+ if not ipaddress.ip_address(mapping['ip_address']) in ipaddress.ip_network(subnet['network']):
+ raise ConfigError('DHCP static lease IP address {0} for static mapping {1}\n' \
+ 'in shared network {2} is outside DHCP lease subnet {3}!' \
+ .format(mapping['ip_address'], mapping['name'], network['name'], subnet['network']))
# Static mapping requires MAC address
if not mapping['mac_address']:
- raise ConfigError('DHCP static lease MAC address not specified for static mapping\n' \
+ raise ConfigError('DHCP static lease MAC address not specified for static mapping\n' \
'{0} under shared network name {1}!'.format(mapping['name'], network['name']))
# There must be one subnet connected to a listen interface.
@@ -754,7 +753,7 @@ def verify(dhcp):
# Subnets must be non overlapping
if subnet['network'] in subnets:
- raise ConfigError('DHCP subnets must be unique! Subnet {0} defined multiple times!'.format(subnet))
+ raise ConfigError('DHCP subnets must be unique! Subnet {0} defined multiple times!'.format(subnet['network']))
else:
subnets.append(subnet['network'])
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py
index bb3e6e90d..039321430 100755
--- a/src/conf_mode/dhcpv6_server.py
+++ b/src/conf_mode/dhcpv6_server.py
@@ -27,8 +27,8 @@ import vyos.validate
from vyos.config import Config
from vyos import ConfigError
-config_file = r'/etc/dhcp/dhcpd6.conf'
-lease_file = r'/config/dhcpd6.leases'
+config_file = r'/etc/dhcp/dhcpdv6.conf'
+lease_file = r'/config/dhcpdv6.leases'
daemon_config_file = r'/etc/default/isc-dhcpv6-server'
# Please be careful if you edit the template.
@@ -94,13 +94,20 @@ shared-network {{ network.name }} {
{%- for host in subnet.static_mapping %}
{% if not host.disabled -%}
host {{ network.name }}_{{ host.name }} {
- host-identifier option dhcp6.client-id "{{ host.client_identifier }}";
+ {%- if host.client_identifier %}
+ host-identifier option dhcp6.client-id {{ host.client_identifier }};
+ {%- endif %}
+ {%- if host.ipv6_address %}
fixed-address6 {{ host.ipv6_address }};
+ {%- endif %}
}
{%- endif %}
{%- endfor %}
}
{%- endfor %}
+ on commit {
+ set shared-networkname = "{{ network.name }}";
+ }
}
{%- endif %}
{% endfor %}
@@ -112,8 +119,8 @@ daemon_tmpl = """
# sourced by /etc/init.d/isc-dhcpv6-server
-DHCPD_CONF=/etc/dhcp/dhcpd6.conf
-DHCPD_PID=/var/run/dhcpd6.pid
+DHCPD_CONF=/etc/dhcp/dhcpdv6.conf
+DHCPD_PID=/var/run/dhcpdv6.pid
OPTIONS="-6 -lf {{ lease_file }}"
INTERFACES=""
"""
@@ -381,7 +388,25 @@ def verify(dhcpv6):
raise ConfigError('DHCPv6 prefix {0} is not in subnet {1}\n' \
'specified for shared network {2}!'.format(prefix['prefix'], subnet['network'], network['name']))
+ # Static mappings don't require anything (but check if IP is in subnet if it's set)
+ for mapping in subnet['static_mapping']:
+ if mapping['ipv6_address']:
+ # Static address must be in subnet
+ if not ipaddress.ip_address(mapping['ipv6_address']) in ipaddress.ip_network(subnet['network']):
+ raise ConfigError('DHCPv6 static mapping IPv6 address {0} for static mapping {1}\n' \
+ 'in shared network {2} is outside subnet {3}!' \
+ .format(mapping['ipv6_address'], mapping['name'], network['name'], subnet['network']))
+
+ # Subnets must be unique
+ if subnet['network'] in subnets:
+ raise ConfigError('DHCPv6 subnets must be unique! Subnet {0} defined multiple times!'.format(subnet['network']))
+ else:
+ subnets.append(subnet['network'])
+
# DHCPv6 requires at least one configured address range or one static mapping
+ # (FIXME: is not actually checked right now?)
+
+ # There must be one subnet connected to a listen interface if network is not disabled.
if not network['disabled']:
if vyos.validate.is_subnet_connected(subnet['network']):
listen_ok = True
diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py
index 135f6fec0..3ca77adee 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/dns_forwarding.py
@@ -19,12 +19,20 @@
import sys
import os
-import netifaces
+import argparse
import jinja2
+import netifaces
+
+import vyos.util
from vyos.config import Config
from vyos import ConfigError
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--dhclient", action="store_true",
+ help="Started from dhclient-script")
+
config_file = r'/etc/powerdns/recursor.conf'
# XXX: pdns recursor doesn't like whitespace near entry separators,
@@ -54,24 +62,22 @@ export-etc-hosts={{ export_hosts_file }}
# listen-on
local-address={{ listen_on | join(',') }}
-# domain ... server ...
-{% if domains -%}
-
-forward-zones={% for d in domains %}
-{{ d.name }}={{ d.servers | join(";") }}
-{{- "," if not loop.last -}}
-{% endfor %}
-
-{% endif %}
-
# dnssec
dnssec={{ dnssec }}
-{% if name_servers -%}
-# name-server
-forward-zones-recurse=.={{ name_servers | join(';') }}
-{% else %}
-# no name-servers specified - start full recursor
+# forward-zones / recursion
+#
+# statement is only inserted if either one forwarding domain or nameserver is configured
+# if nothing is given at all, powerdns will act as a real recursor and resolve all requests by its own
+#
+{% if name_servers or domains %}forward-zones-recurse=
+{%- for d in domains %}
+{{ d.name }}={{ d.servers | join(";") }}
+{{- ", " if not loop.last -}}
+{%- endfor -%}
+{%- if name_servers -%}
+{%- if domains -%}, {% endif -%}.={{ name_servers | join(';') }}
+{% endif %}
{% endif %}
"""
@@ -84,31 +90,36 @@ default_config_data = {
'name_servers': [],
'negative_ttl': 3600,
'domains': [],
- 'dnssec' : 'process-no-validate'
+ 'dnssec': 'process-no-validate'
}
# borrowed from: https://github.com/donjajo/py-world/blob/master/resolvconfReader.py, THX!
def get_resolvers(file):
- resolvers = []
try:
with open(file, 'r') as resolvconf:
- for line in resolvconf.readlines():
- line = line.split('#',1)[0];
- line = line.rstrip();
- if 'nameserver' in line:
- resolvers.append(line.split()[1])
+ lines = [line.split('#', 1)[0].rstrip()
+ for line in resolvconf.readlines()]
+ resolvers = [line.split()[1]
+ for line in lines if 'nameserver' in line]
return resolvers
except IOError:
return []
-def get_config():
+
+def get_config(arguments):
dns = default_config_data
conf = Config()
+
+ if arguments.dhclient:
+ conf.exists = conf.exists_effective
+ conf.return_value = conf.return_effective_value
+ conf.return_values = conf.return_effective_values
+
if not conf.exists('service dns forwarding'):
return None
- else:
- conf.set_level('service dns forwarding')
+
+ conf.set_level('service dns forwarding')
if conf.exists('cache-size'):
cache_size = conf.return_value('cache-size')
@@ -139,7 +150,8 @@ def get_config():
system_name_servers = []
system_name_servers = conf.return_values('name-server')
if not system_name_servers:
- print("DNS forwarding warning: No name-servers set under 'system name-server'\n")
+ print(
+ "DNS forwarding warning: No name-servers set under 'system name-server'\n")
else:
dns['name_servers'] = dns['name_servers'] + system_name_servers
conf.set_level('service dns forwarding')
@@ -171,9 +183,10 @@ def get_config():
try:
addrs = netifaces.ifaddresses(interface)
except ValueError:
- print("WARNING: interface {0} does not exist".format(interface))
+ print(
+ "WARNING: interface {0} does not exist".format(interface))
continue
-
+
if netifaces.AF_INET in addrs.keys():
for ip4 in addrs[netifaces.AF_INET]:
listen4.append(ip4['addr'])
@@ -183,7 +196,8 @@ def get_config():
listen6.append(ip6['addr'])
if (not listen4) and (not (listen6)):
- print("WARNING: interface {0} has no configured addresses".format(interface))
+ print(
+ "WARNING: interface {0} has no configured addresses".format(interface))
dns['listen_on'] = dns['listen_on'] + listen4 + listen6
@@ -195,56 +209,69 @@ def get_config():
interfaces = []
interfaces = conf.return_values('dhcp')
for interface in interfaces:
- dhcp_resolvers = get_resolvers("/etc/resolv.conf.dhclient-new-{0}".format(interface))
+ dhcp_resolvers = get_resolvers(
+ "/etc/resolv.conf.dhclient-new-{0}".format(interface))
if dhcp_resolvers:
dns['name_servers'] = dns['name_servers'] + dhcp_resolvers
return dns
+
def bracketize_ipv6_addrs(addrs):
"""Wraps each IPv6 addr in addrs in [], leaving IPv4 addrs untouched."""
return ['[{0}]'.format(a) if a.count(':') > 1 else a for a in addrs]
+
def verify(dns):
# bail out early - looks like removal from running config
if dns is None:
return None
if not dns['listen_on']:
- raise ConfigError("Error: DNS forwarding requires either a listen-address (preferred) or a listen-on option")
+ raise ConfigError(
+ "Error: DNS forwarding requires either a listen-address (preferred) or a listen-on option")
if dns['domains']:
for domain in dns['domains']:
if not domain['servers']:
- raise ConfigError('Error: No server configured for domain {0}'.format(domain['name']))
+ raise ConfigError(
+ 'Error: No server configured for domain {0}'.format(domain['name']))
return None
+
def generate(dns):
# bail out early - looks like removal from running config
if dns is None:
return None
tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
-
config_text = tmpl.render(dns)
with open(config_file, 'w') as f:
f.write(config_text)
return None
+
def apply(dns):
if dns is not None:
os.system("systemctl restart pdns-recursor")
else:
# DNS forwarding is removed in the commit
os.system("systemctl stop pdns-recursor")
- os.unlink(config_file)
+ if os.path.isfile(config_file):
+ os.unlink(config_file)
- return None
if __name__ == '__main__':
+ args = parser.parse_args()
+
+ if args.dhclient:
+ # There's a big chance it was triggered by a commit still in progress
+ # so we need to wait until the new values are in the running config
+ vyos.util.wait_for_commit_lock()
+
try:
- c = get_config()
+ c = get_config(args)
verify(c)
generate(c)
apply(c)
diff --git a/src/conf_mode/firewall_options.py b/src/conf_mode/firewall_options.py
index e2c306904..2be80cdbf 100755
--- a/src/conf_mode/firewall_options.py
+++ b/src/conf_mode/firewall_options.py
@@ -32,7 +32,8 @@ def get_config():
opts = copy.deepcopy(default_config_data)
conf = Config()
if not conf.exists('firewall options'):
- return None
+ # bail out early
+ return opts
else:
conf.set_level('firewall options')
diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py
index 81a52e87f..16467c8df 100755
--- a/src/conf_mode/host_name.py
+++ b/src/conf_mode/host_name.py
@@ -23,20 +23,29 @@ conf-mode script for 'system host-name' and 'system domain-name'.
import os
import re
import sys
-import subprocess
import copy
-import jinja2
import glob
+import subprocess
+import argparse
+import jinja2
+
+import vyos.util
from vyos.config import Config
from vyos import ConfigError
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--dhclient", action="store_true",
+ help="Started from dhclient-script")
+
config_file_hosts = '/etc/hosts'
config_file_resolv = '/etc/resolv.conf'
config_tmpl_hosts = """
### Autogenerated by host_name.py ###
-127.0.0.1 localhost {{ hostname }}{% if domain_name %}.{{ domain_name }}{% endif %}
+127.0.0.1 localhost
+127.0.1.1 {{ hostname }}{% if domain_name %}.{{ domain_name }}{% endif %}
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
@@ -72,32 +81,6 @@ search {{ domain_search | join(" ") }}
"""
-# borrowed from: https://github.com/donjajo/py-world/blob/master/resolvconfReader.py, THX!
-def get_resolvers(file):
- resolvers = []
- try:
- with open(file, 'r') as resolvconf:
- for line in resolvconf.readlines():
- line = line.split('#',1)[0];
- line = line.rstrip();
- if 'nameserver' in line:
- resolvers.append(line.split()[1])
- return resolvers
- except IOError:
- return []
-
-def get_dhcp_search_doms(file):
- search_doms = []
- try:
- with open(file, 'r') as resolvconf:
- for line in resolvconf.readlines():
- line = line.split('#',1)[0];
- line = line.rstrip();
- if 'search' in line:
- return re.sub('^search','',line).lstrip().split()
- except IOError:
- return []
-
default_config_data = {
'hostname': 'vyos',
'domain_name': '',
@@ -106,158 +89,218 @@ default_config_data = {
'no_dhcp_ns': False
}
-def get_config():
- conf = Config()
- hosts = copy.deepcopy(default_config_data)
-
- if conf.exists("system host-name"):
- hosts['hostname'] = conf.return_value("system host-name")
-
- if conf.exists("system domain-name"):
- hosts['domain_name'] = conf.return_value("system domain-name")
- hosts['domain_search'].append(hosts['domain_name'])
-
- for search in conf.return_values("system domain-search domain"):
- hosts['domain_search'].append(search)
+# borrowed from: https://github.com/donjajo/py-world/blob/master/resolvconfReader.py, THX!
+def get_resolvers(file):
+ resolv = {}
+ try:
+ with open(file, 'r') as resolvconf:
+ lines = [line.split('#', 1)[0].rstrip()
+ for line in resolvconf.readlines()]
+ resolvers = [line.split()[1]
+ for line in lines if 'nameserver' in line]
+ domains = [line.split()[1] for line in lines if 'search' in line]
+ resolv['resolvers'] = resolvers
+ resolv['domains'] = domains
+ return resolv
+ except IOError:
+ return []
+
+
+def get_config(arguments):
+ conf = Config()
+ hosts = copy.deepcopy(default_config_data)
+
+ if arguments.dhclient:
+ conf.exists = conf.exists_effective
+ conf.return_value = conf.return_effective_value
+ conf.return_values = conf.return_effective_values
+
+ if conf.exists("system host-name"):
+ hosts['hostname'] = conf.return_value("system host-name")
+ # This may happen if the config is not loaded yet,
+ # e.g. if run by cloud-init
+ if not hosts['hostname']:
+ hosts['hostname'] = default_config_data['hostname']
+
+ if conf.exists("system domain-name"):
+ hosts['domain_name'] = conf.return_value("system domain-name")
+ hosts['domain_search'].append(hosts['domain_name'])
+
+ for search in conf.return_values("system domain-search domain"):
+ hosts['domain_search'].append(search)
+
+ if conf.exists("system name-server"):
+ hosts['nameserver'] = conf.return_values("system name-server")
+
+ if conf.exists("system disable-dhcp-nameservers"):
+ hosts['no_dhcp_ns'] = conf.exists('system disable-dhcp-nameservers')
+
+ # system static-host-mapping
+ hosts['static_host_mapping'] = {'hostnames': {}}
+
+ if conf.exists('system static-host-mapping host-name'):
+ for hn in conf.list_nodes('system static-host-mapping host-name'):
+ hosts['static_host_mapping']['hostnames'][hn] = {
+ 'ipaddr': conf.return_value('system static-host-mapping host-name ' + hn + ' inet'),
+ 'alias': ''
+ }
+
+ if conf.exists('system static-host-mapping host-name ' + hn + ' alias'):
+ a = conf.return_values(
+ 'system static-host-mapping host-name ' + hn + ' alias')
+ hosts['static_host_mapping']['hostnames'][hn]['alias'] = " ".join(a)
+
+ return hosts
- if conf.exists("system name-server"):
- hosts['nameserver'] = conf.return_values("system name-server")
- if conf.exists("system disable-dhcp-nameservers"):
- hosts['no_dhcp_ns'] = conf.exists('system disable-dhcp-nameservers')
+def verify(config):
+ if config is None:
+ return None
+
+ # pattern $VAR(@) "^[[:alnum:]][-.[:alnum:]]*[[:alnum:]]$" ; "invalid host name $VAR(@)"
+ hostname_regex = re.compile("^[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]$")
+ if not hostname_regex.match(config['hostname']):
+ raise ConfigError('Invalid host name ' + config["hostname"])
+
+ # pattern $VAR(@) "^.{1,63}$" ; "invalid host-name length"
+ length = len(config['hostname'])
+ if length < 1 or length > 63:
+ raise ConfigError(
+ 'Invalid host-name length, must be less than 63 characters')
+
+ # The search list is currently limited to six domains with a total of 256 characters.
+ # https://linux.die.net/man/5/resolv.conf
+ if len(config['domain_search']) > 6:
+ raise ConfigError(
+ 'The search list is currently limited to six domains')
+
+ tmp = ' '.join(config['domain_search'])
+ if len(tmp) > 256:
+ raise ConfigError(
+ 'The search list is currently limited to 256 characters')
+
+ # static mappings alias hostname
+ if config['static_host_mapping']['hostnames']:
+ for hn in config['static_host_mapping']['hostnames']:
+ if not config['static_host_mapping']['hostnames'][hn]['ipaddr']:
+ raise ConfigError('IP address required for ' + hn)
+ for hn_alias in config['static_host_mapping']['hostnames'][hn]['alias'].split(' '):
+ if not hostname_regex.match(hn_alias) and len(hn_alias) != 0:
+ raise ConfigError('Invalid hostname alias ' + hn_alias)
- ## system static-host-mapping
- hosts['static_host_mapping'] = { 'hostnames' : {}}
+ return None
- if conf.exists('system static-host-mapping host-name'):
- for hn in conf.list_nodes('system static-host-mapping host-name'):
- hosts['static_host_mapping']['hostnames'][hn] = {
- 'ipaddr' : conf.return_value('system static-host-mapping host-name ' + hn + ' inet'),
- 'alias' : ''
- }
-
- if conf.exists('system static-host-mapping host-name ' + hn + ' alias'):
- a = conf.return_values('system static-host-mapping host-name ' + hn + ' alias')
- hosts['static_host_mapping']['hostnames'][hn]['alias'] = " ".join( conf.return_values('system static-host-mapping host-name ' + hn + ' alias') )
- return hosts
+def generate(config):
+ if config is None:
+ return None
+
+ # If "system disable-dhcp-nameservers" is __configured__ all DNS resolvers
+ # received via dhclient should not be added into the final 'resolv.conf'.
+ #
+ # We iterate over every resolver file and retrieve the received nameservers
+ # for later adjustment of the system nameservers
+ dhcp_ns = []
+ dhcp_sd = []
+ for file in glob.glob('/etc/resolv.conf.dhclient-new*'):
+ for key, value in get_resolvers(file).items():
+ ns = [r for r in value if key == 'resolvers']
+ dhcp_ns.extend(ns)
+ sd = [d for d in value if key == 'domains']
+ dhcp_sd.extend(sd)
+
+ if not config['no_dhcp_ns']:
+ config['nameserver'] += dhcp_ns
+ config['domain_search'] += dhcp_sd
+
+ # Prune duplicate values
+ # Not order preserving, but then when multiple DHCP clients are used,
+ # there can't be guarantees about the order anyway
+ dhcp_ns = list(set(dhcp_ns))
+ dhcp_sd = list(set(dhcp_sd))
+
+ # We have third party scripts altering /etc/hosts, too.
+ # One example are the DHCP hostname update scripts thus we need to cache in
+ # every modification first - so changing domain-name, domain-search or hostname
+ # during runtime works
+ old_hosts = ""
+ with open(config_file_hosts, 'r') as f:
+ # Skips text before the beginning of our marker.
+ # NOTE: Marker __MUST__ match the one specified in config_tmpl_hosts
+ for line in f:
+ if line.strip() == '### modifications from other scripts should be added below':
+ break
+
+ for line in f:
+ # This additional line.strip() filters empty lines
+ if line.strip():
+ old_hosts += line
+
+ # Add an additional newline
+ old_hosts += '\n'
+
+ tmpl = jinja2.Template(config_tmpl_hosts)
+ config_text = tmpl.render(config)
+
+ with open(config_file_hosts, 'w') as f:
+ f.write(config_text)
+ f.write(old_hosts)
+
+ tmpl = jinja2.Template(config_tmpl_resolv)
+ config_text = tmpl.render(config)
+ with open(config_file_resolv, 'w') as f:
+ f.write(config_text)
-def verify(config):
- if config is None:
return None
- # pattern $VAR(@) "^[[:alnum:]][-.[:alnum:]]*[[:alnum:]]$" ; "invalid host name $VAR(@)"
- hostname_regex = re.compile("^[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]$")
- if not hostname_regex.match(config['hostname']):
- raise ConfigError('Invalid host name ' + config["hostname"])
- # pattern $VAR(@) "^.{1,63}$" ; "invalid host-name length"
- length = len(config['hostname'])
- if length < 1 or length > 63:
- raise ConfigError('Invalid host-name length, must be less than 63 characters')
+def apply(config):
+ if config is None:
+ return None
- # The search list is currently limited to six domains with a total of 256 characters.
- # https://linux.die.net/man/5/resolv.conf
- if len(config['domain_search']) > 6:
- raise ConfigError('The search list is currently limited to six domains')
+ # No domain name -- the Debian way.
+ hostname_new = config['hostname']
- tmp = ' '.join(config['domain_search'])
- if len(tmp) > 256:
- raise ConfigError('The search list is currently limited to 256 characters')
+ # rsyslog runs into a race condition at boot time with systemd
+ # restart rsyslog only if the hostname changed.
+ hostname_old = subprocess.check_output(['hostnamectl', '--static']).decode().strip()
- # static mappings alias hostname
- if config['static_host_mapping']['hostnames']:
- for hn in config['static_host_mapping']['hostnames']:
- if not config['static_host_mapping']['hostnames'][hn]['ipaddr']:
- raise ConfigError('IP address required for ' + hn)
- for hn_alias in config['static_host_mapping']['hostnames'][hn]['alias'].split(' '):
- if not hostname_regex.match(hn_alias) and len (hn_alias) !=0:
- raise ConfigError('Invalid hostname alias ' + hn_alias)
+ os.system("hostnamectl set-hostname --static {0}".format(hostname_new))
- return None
+ # Restart services that use the hostname
+ if hostname_new != hostname_old:
+ os.system("systemctl restart rsyslog.service")
-def generate(config):
- if config is None:
- return None
+ # If SNMP is running, restart it too
+ if os.system("pgrep snmpd > /dev/null") == 0:
+ os.system("systemctl restart snmpd.service")
- # If "system disable-dhcp-nameservers" is __configured__ all DNS resolvers
- # received via dhclient should not be added into the final 'resolv.conf'.
- #
- # We iterate over every resolver file and retrieve the received nameservers
- # for later adjustment of the system nameservers
- dhcp_ns = []
- for file in glob.glob('/etc/resolv.conf.dhclient-new*'):
- for r in get_resolvers(file):
- dhcp_ns.append(r)
-
- if not config['no_dhcp_ns']:
- config['nameserver'] += dhcp_ns
- for file in glob.glob('/etc/resolv.conf.dhclient-new*'):
- config['domain_search'] = get_dhcp_search_doms(file)
-
- # We have third party scripts altering /etc/hosts, too.
- # One example are the DHCP hostname update scripts thus we need to cache in
- # every modification first - so changing domain-name, domain-search or hostname
- # during runtime works
- old_hosts = ""
- with open(config_file_hosts, 'r') as f:
- # Skips text before the beginning of our marker.
- # NOTE: Marker __MUST__ match the one specified in config_tmpl_hosts
- for line in f:
- if line.strip() == '### modifications from other scripts should be added below':
- break
-
- for line in f:
- # This additional line.strip() filters empty lines
- if line.strip():
- old_hosts += line
-
- # Add an additional newline
- old_hosts += '\n'
-
- tmpl = jinja2.Template(config_tmpl_hosts)
- config_text = tmpl.render(config)
-
- with open(config_file_hosts, 'w') as f:
- f.write(config_text)
- f.write(old_hosts)
-
- tmpl = jinja2.Template(config_tmpl_resolv)
- config_text = tmpl.render(config)
- with open(config_file_resolv, 'w') as f:
- f.write(config_text)
-
- return None
+ # restart pdns if it is used
+ if os.system("/usr/bin/rec_control ping >/dev/null 2>&1") == 0:
+ os.system("/etc/init.d/pdns-recursor restart >/dev/null")
-def apply(config):
- if config is None:
return None
- fqdn = config['hostname']
- if config['domain_name']:
- fqdn += '.' + config['domain_name']
-
- os.system("hostnamectl set-hostname --static {0}".format(fqdn.rstrip('.')))
-
- # Restart services that use the hostname
- os.system("systemctl restart rsyslog.service")
-
- # If SNMP is running, restart it too
- if os.system("pgrep snmpd > /dev/null") == 0:
- os.system("systemctl restart snmpd.service")
-
- # restart pdns if it is used
- if os.system("/usr/bin/rec_control ping >/dev/null 2>&1") == 0:
- os.system("/etc/init.d/pdns-recursor restart >/dev/null")
-
- return None
if __name__ == '__main__':
- try:
- c = get_config()
- verify(c)
- generate(c)
- apply(c)
- except ConfigError as e:
- print(e)
- sys.exit(1)
+ args = parser.parse_args()
+
+ if args.dhclient:
+ # There's a big chance it was triggered by a commit still in progress
+ # so we need to wait until the new values are in the running config
+ vyos.util.wait_for_commit_lock()
+
+
+ try:
+ c = get_config(args)
+ # If it's called from dhclient, then either:
+ # a) verification was already done at commit time
+ # b) it's run on an unconfigured system, e.g. by cloud-init
+ # Therefore, verification is either redundant or useless
+ if not args.dhclient:
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)
diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
new file mode 100755
index 000000000..7d618dded
--- /dev/null
+++ b/src/conf_mode/http-api.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import subprocess
+import json
+
+import vyos.defaults
+from vyos.config import Config
+from vyos import ConfigError
+
+config_file = '/etc/vyos/http-api.conf'
+
+default_config_data = {
+ 'listen_address' : '127.0.0.1',
+ 'port' : '8080',
+ 'strict' : 'false',
+ 'debug' : 'false',
+ 'api_keys' : [ {"id": "testapp", "key": "qwerty"} ]
+}
+
+vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
+
+# XXX: this model will need to be extended for tag nodes
+dependencies = [
+ 'https.py',
+]
+
+def get_config():
+ http_api = default_config_data
+ conf = Config()
+ if not conf.exists('service https api'):
+ return None
+ else:
+ conf.set_level('service https api')
+
+ if conf.exists('strict'):
+ http_api['strict'] = 'true'
+
+ if conf.exists('debug'):
+ http_api['debug'] = 'true'
+
+ if conf.exists('port'):
+ port = conf.return_value('port')
+ http_api['port'] = port
+
+ if conf.exists('keys'):
+ for name in conf.list_nodes('keys id'):
+ if conf.exists('keys id {0} key'.format(name)):
+ key = conf.return_value('keys id {0} key'.format(name))
+ new_key = { 'id': name, 'key': key }
+ http_api['api_keys'].append(new_key)
+
+ return http_api
+
+def verify(http_api):
+ return None
+
+def generate(http_api):
+ if http_api is None:
+ return None
+
+ with open(config_file, 'w') as f:
+ json.dump(http_api, f, indent=2)
+
+ return None
+
+def apply(http_api):
+ if http_api is not None:
+ os.system('sudo systemctl restart vyos-http-api.service')
+ for dep in dependencies:
+ cmd = '{0}/{1}'.format(vyos_conf_scripts_dir, dep)
+ try:
+ subprocess.check_call(cmd, shell=True)
+ except subprocess.CalledProcessError as err:
+ raise ConfigError("{}.".format(err))
+ else:
+ os.system('sudo systemctl stop vyos-http-api.service')
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
new file mode 100755
index 000000000..dae51dd7d
--- /dev/null
+++ b/src/conf_mode/https.py
@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+
+import jinja2
+
+from vyos.config import Config
+from vyos import ConfigError
+
+config_file = '/etc/nginx/sites-available/default'
+
+# Please be careful if you edit the template.
+config_tmpl = """
+
+### Autogenerated by http-api.py ###
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 302 https://$server_name$request_uri;
+}
+
+server {
+
+ # SSL configuration
+ #
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ include snippets/snakeoil.conf;
+
+{% for l_addr in listen_address %}
+ server_name {{ l_addr }};
+{% endfor %}
+
+ location / {
+{% if api %}
+ proxy_pass http://localhost:{{ api.port }};
+ proxy_buffering off;
+{% endif %}
+ }
+
+ error_page 501 502 503 =200 @50*_json;
+
+ location @50*_json {
+ default_type application/json;
+ return 200 '{"error": "Start service in configuration mode: set service https api"}';
+ }
+
+}
+"""
+
+default_config_data = {
+ 'listen_address' : [ '127.0.0.1' ]
+}
+
+default_api_config_data = {
+ 'port' : '8080',
+}
+
+def get_config():
+ https = default_config_data
+ conf = Config()
+ if not conf.exists('service https'):
+ return None
+ else:
+ conf.set_level('service https')
+
+ if conf.exists('listen-address'):
+ addrs = conf.return_values('listen-address')
+ https['listen_address'] = addrs[:]
+
+ if conf.exists('api'):
+ https['api'] = default_api_config_data
+
+ if conf.exists('api port'):
+ port = conf.return_value('api port')
+ https['api']['port'] = port
+
+ return https
+
+def verify(https):
+ return None
+
+def generate(https):
+ if https is None:
+ return None
+
+ tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
+ config_text = tmpl.render(https)
+ with open(config_file, 'w') as f:
+ f.write(config_text)
+
+ return None
+
+def apply(https):
+ if https is not None:
+ os.system('sudo systemctl restart nginx.service')
+ else:
+ os.system('sudo systemctl stop nginx.service')
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)
diff --git a/src/conf_mode/ipoe_server.py b/src/conf_mode/ipoe_server.py
new file mode 100755
index 000000000..ca6b423e5
--- /dev/null
+++ b/src/conf_mode/ipoe_server.py
@@ -0,0 +1,417 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import re
+import time
+import socket
+import subprocess
+import jinja2
+import syslog as sl
+
+from vyos.config import Config
+from vyos import ConfigError
+
+ipoe_cnf_dir = r'/etc/accel-ppp/ipoe'
+ipoe_cnf = ipoe_cnf_dir + r'/ipoe.config'
+
+pidfile = r'/var/run/accel_ipoe.pid'
+cmd_port = r'2002'
+
+chap_secrets = ipoe_cnf_dir + '/chap-secrets'
+## accel-pppd -d -c /etc/accel-ppp/pppoe/pppoe.config -p /var/run/accel_pppoe.pid
+
+ipoe_config = '''
+### generated by ipoe.py ###
+[modules]
+log_syslog
+ippool
+ipoe
+shaper
+ipv6pool
+ipv6_nd
+ipv6_dhcp
+{% if auth['mech'] == 'radius' %}
+radius
+{% endif -%}
+{% if auth['mech'] == 'local' %}
+chap-secrets
+{% endif %}
+
+[core]
+thread-count={{thread_cnt}}
+
+[log]
+syslog=accel-ipoe,daemon
+copy=1
+level=5
+
+[ipoe]
+verbose=1
+{% for intfc in interfaces %}
+interface={{intfc}},\
+shared={{interfaces[intfc]['shared']}},\
+mode={{interfaces[intfc]['mode']}},\
+ifcfg={{interfaces[intfc]['ifcfg']}},\
+range={{interfaces[intfc]['range']}},\
+start={{interfaces[intfc]['sess_start']}},\
+ipv6=1
+{% endfor %}
+{% if auth['mech'] == 'noauth' %}
+noauth=1
+{% endif %}
+{% if auth['mech'] == 'local' %}
+username=ifname
+password=csid
+{% endif %}
+
+{%- for intfc in interfaces %}
+{% if (interfaces[intfc]['shared'] == '0') and (interfaces[intfc]['vlan_mon']) %}
+vlan_mon={{interfaces[intfc]['vlan_mon']|join(',')}}
+interface=re:{{intfc}}\.(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})
+{% endif %}
+{% endfor %}
+
+{% if (dns['server1']) or (dns['server2']) %}
+[dns]
+{% if dns['server1'] %}
+dns1={{dns['server1']}}
+{% endif -%}
+{% if dns['server2'] %}
+dns2={{dns['server2']}}
+{% endif -%}
+{% endif -%}
+
+{% if (dnsv6['server1']) or (dnsv6['server2']) or (dnsv6['server3']) %}
+[dnsv6]
+dns={{dnsv6['server1']}}
+dns={{dnsv6['server2']}}
+dns={{dnsv6['server3']}}
+{% endif %}
+
+[ipv6-nd]
+verbose=1
+
+[ipv6-dhcp]
+verbose=1
+
+{% if ipv6['prfx'] %}
+[ipv6-pool]
+{% for prfx in ipv6['prfx'] %}
+{{prfx}}
+{% endfor %}
+{% for pd in ipv6['pd'] %}
+delegate={{pd}}
+{% endfor %}
+{% endif %}
+
+{% if auth['mech'] == 'local' %}
+[chap-secrets]
+chap-secrets=/etc/accel-ppp/ipoe/chap-secrets
+{% endif %}
+
+{% if auth['mech'] == 'radius' %}
+[radius]
+verbose=1
+{% for srv in auth['radius'] %}
+server={{srv}},{{auth['radius'][srv]['secret']}},\
+req-limit={{auth['radius'][srv]['req-limit']}},\
+fail-time={{auth['radius'][srv]['fail-time']}}
+{% endfor %}
+{% if auth['radsettings']['dae-server']['ip-address'] %}
+dae-server={{auth['radsettings']['dae-server']['ip-address']}}:\
+{{auth['radsettings']['dae-server']['port']}},\
+{{auth['radsettings']['dae-server']['secret']}}
+{% endif -%}
+{% if auth['radsettings']['acct-timeout'] %}
+acct-timeout={{auth['radsettings']['acct-timeout']}}
+{% endif -%}
+{% if auth['radsettings']['max-try'] %}
+max-try={{auth['radsettings']['max-try']}}
+{% endif -%}
+{% if auth['radsettings']['timeout'] %}
+timeout={{auth['radsettings']['timeout']}}
+{% endif -%}
+{% if auth['radsettings']['nas-ip-address'] %}
+nas-ip-address={{auth['radsettings']['nas-ip-address']}}
+{% endif -%}
+{% if auth['radsettings']['nas-identifier'] %}
+nas-identifier={{auth['radsettings']['nas-identifier']}}
+{% endif -%}
+{% endif %}
+
+[cli]
+tcp=127.0.0.1:2002
+'''
+
+### pppoe chap secrets
+chap_secrets_conf = '''
+# username server password acceptable local IP addresses shaper
+{% for aifc in auth['auth_if'] %}
+{% for mac in auth['auth_if'][aifc] %}
+{% if (auth['auth_if'][aifc][mac]['up']) and (auth['auth_if'][aifc][mac]['down']) %}
+{{aifc}}\t*\t{{mac.lower()}}\t*\t{{auth['auth_if'][aifc][mac]['down']}}/{{auth['auth_if'][aifc][mac]['up']}}
+{% else %}
+{{aifc}}\t*\t{{mac.lower()}}\t*
+{% endif %}
+{% endfor %}
+{% endfor %}
+'''
+
+##### Inline functions start ####
+### config path creation
+if not os.path.exists(ipoe_cnf_dir):
+ os.makedirs(ipoe_cnf_dir)
+ sl.syslog(sl.LOG_NOTICE, ipoe_cnf_dir + " created")
+
+def get_cpu():
+ cpu_cnt = 1
+ if os.cpu_count() == 1:
+ cpu_cnt = 1
+ else:
+ cpu_cnt = int(os.cpu_count()/2)
+ return cpu_cnt
+
+def chk_con():
+ cnt = 0
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ while True:
+ try:
+ s.connect(("127.0.0.1", int(cmd_port)))
+ break
+ except ConnectionRefusedError:
+ time.sleep(0.5)
+ cnt +=1
+ if cnt == 100:
+ raise("failed to start pppoe server")
+ break
+
+def accel_cmd(cmd=''):
+ if not cmd:
+ return None
+ try:
+ ret = subprocess.check_output(['/usr/bin/accel-cmd', '-p', cmd_port, cmd]).decode().strip()
+ return ret
+ except:
+ return 1
+
+### chap_secrets file if auth mode local
+def gen_chap_secrets(c):
+ tmpl = jinja2.Template(chap_secrets_conf, trim_blocks=True)
+ chap_secrets_txt = tmpl.render(c)
+ old_umask = os.umask(0o077)
+ open(chap_secrets,'w').write(chap_secrets_txt)
+ os.umask(old_umask)
+ sl.syslog(sl.LOG_NOTICE, chap_secrets + ' written')
+
+##### Inline functions end ####
+
+def get_config():
+ c = Config()
+ if not c.exists('service ipoe-server'):
+ return None
+
+ config_data = {}
+
+ c.set_level('service ipoe-server')
+ config_data['interfaces'] = {}
+ for intfc in c.list_nodes('interface'):
+ config_data['interfaces'][intfc] = {
+ 'mode' : 'L2',
+ 'shared' : '1',
+ 'sess_start' : 'dhcpv4', ### may need a conifg option, can be dhcpv4 or up for unclassified pkts
+ 'range' : None,
+ 'ifcfg' : '1',
+ 'vlan_mon' : []
+ }
+ config_data['dns'] = {
+ 'server1' : None,
+ 'server2' : None
+ }
+ config_data['dnsv6'] = {
+ 'server1' : None,
+ 'server2' : None,
+ 'server3' : None
+ }
+ config_data['ipv6'] = {
+ 'prfx' : [],
+ 'pd' : [],
+ }
+ config_data['auth'] = {
+ 'auth_if' : {},
+ 'mech' : 'noauth',
+ 'radius' : {},
+ 'radsettings' : {
+ 'dae-server' : {}
+ }
+ }
+
+ if c.exists('interface ' + intfc + ' network-mode'):
+ config_data['interfaces'][intfc]['mode'] = c.return_value('interface ' + intfc + ' network-mode')
+ if c.return_value('interface ' + intfc + ' network') == 'vlan':
+ config_data['interfaces'][intfc]['shared'] = '0'
+ if c.exists('interface ' + intfc + ' vlan-id'):
+ config_data['interfaces'][intfc]['vlan_mon'] += c.return_values('interface ' + intfc + ' vlan-id')
+ if c.exists('interface ' + intfc + ' vlan-range'):
+ config_data['interfaces'][intfc]['vlan_mon'] += c.return_values('interface ' + intfc + ' vlan-range')
+ if c.exists('interface ' + intfc + ' client-subnet'):
+ config_data['interfaces'][intfc]['range'] = c.return_value('interface ' + intfc + ' client-subnet')
+ if c.exists('dns-server server-1'):
+ config_data['dns']['server1'] = c.return_value('dns-server server-1')
+ if c.exists('dns-server server-2'):
+ config_data['dns']['server2'] = c.return_value('dns-server server-2')
+ if c.exists('dnsv6-server server-1'):
+ config_data['dnsv6']['server1'] = c.return_value('dnsv6-server server-1')
+ if c.exists('dnsv6-server server-2'):
+ config_data['dnsv6']['server2'] = c.return_value('dnsv6-server server-2')
+ if c.exists('dnsv6-server server-3'):
+ config_data['dnsv6']['server3'] = c.return_value('dnsv6-server server-3')
+ if not c.exists('authentication mode noauth'):
+ config_data['auth']['mech'] = c.return_value('authentication mode')
+ if c.exists('authentication mode local'):
+ for auth_int in c.list_nodes('authentication interface'):
+ for mac in c.list_nodes('authentication interface ' + auth_int + ' mac-address'):
+ config_data['auth']['auth_if'][auth_int] = {}
+ if c.exists('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit'):
+ config_data['auth']['auth_if'][auth_int][mac] = {}
+ config_data['auth']['auth_if'][auth_int][mac]['up'] = c.return_value('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit upload')
+ config_data['auth']['auth_if'][auth_int][mac]['down'] = c.return_value('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit download')
+ else:
+ config_data['auth']['auth_if'][auth_int][mac] = {}
+ config_data['auth']['auth_if'][auth_int][mac]['up'] = None
+ config_data['auth']['auth_if'][auth_int][mac]['down'] = None
+ if c.exists('authentication mode radius'):
+ for rsrv in c.list_nodes('authentication radius-server'):
+ config_data['auth']['radius'][rsrv] = {}
+ if c.exists('authentication radius-server ' + rsrv + ' secret'):
+ config_data['auth']['radius'][rsrv]['secret'] = c.return_value('authentication radius-server ' + rsrv + ' secret')
+ else:
+ config_data['auth']['radius'][rsrv]['secret'] = None
+ if c.exists('authentication radius-server ' + rsrv + ' fail-time'):
+ config_data['auth']['radius'][rsrv]['fail-time'] = c.return_value('authentication radius-server ' + rsrv + ' fail-time')
+ else:
+ config_data['auth']['radius'][rsrv]['fail-time'] = '0'
+ if c.exists('authentication radius-server ' + rsrv + ' req-limit'):
+ config_data['auth']['radius'][rsrv]['req-limit'] = c.return_value('authentication radius-server ' + rsrv + ' req-limit')
+ else:
+ config_data['auth']['radius'][rsrv]['req-limit'] = '0'
+ if c.exists('authentication radius-settings'):
+ if c.exists('authentication radius-settings timeout'):
+ config_data['auth']['radsettings']['timeout'] = c.return_value('authentication radius-settings timeout')
+ if c.exists('authentication radius-settings nas-ip-address'):
+ config_data['auth']['radsettings']['nas-ip-address'] = c.return_value('authentication radius-settings nas-ip-address')
+ if c.exists('authentication radius-settings nas-identifier'):
+ config_data['auth']['radsettings']['nas-identifier'] = c.return_value('authentication radius-settings nas-identifier')
+ if c.exists('authentication radius-settings max-try'):
+ config_data['auth']['radsettings']['max-try'] = c.return_value('authentication radius-settings max-try')
+ if c.exists('authentication radius-settings acct-timeout'):
+ config_data['auth']['radsettings']['acct-timeout'] = c.return_value('authentication radius-settings acct-timeout')
+ if c.exists('authentication radius-settings dae-server ip-address'):
+ config_data['auth']['radsettings']['dae-server']['ip-address'] = c.return_value('authentication radius-settings dae-server ip-address')
+ if c.exists('authentication radius-settings dae-server port'):
+ config_data['auth']['radsettings']['dae-server']['port'] = c.return_value('authentication radius-settings dae-server port')
+ if c.exists('authentication radius-settings dae-server secret'):
+ config_data['auth']['radsettings']['dae-server']['secret'] = c.return_value('authentication radius-settings dae-server secret')
+
+ if c.exists('client-ipv6-pool prefix'):
+ config_data['ipv6']['prfx'] = c.return_values('client-ipv6-pool prefix')
+ if c.exists('client-ipv6-pool delegate-prefix'):
+ config_data['ipv6']['pd'] = c.return_values('client-ipv6-pool delegate-prefix')
+
+ return config_data
+
+def generate(c):
+ if c == None or not c:
+ return None
+
+ c['thread_cnt'] = get_cpu()
+
+ if c['auth']['mech'] == 'local':
+ gen_chap_secrets(c)
+
+ tmpl = jinja2.Template(ipoe_config, trim_blocks=True)
+ config_text = tmpl.render(c)
+ open(ipoe_cnf,'w').write(config_text)
+ return c
+
+def verify(c):
+ if c == None or not c:
+ return None
+
+ for intfc in c['interfaces']:
+ if not c['interfaces'][intfc]['range']:
+ raise ConfigError("service ipoe-server interface " + intfc + " client-subnet needs a value")
+
+ if c['auth']['mech'] == 'radius':
+ if not c['auth']['radius']:
+ raise ConfigError("service ipoe-server authentication radius-server requires a value for authentication mode radius")
+ else:
+ for radsrv in c['auth']['radius']:
+ if not c['auth']['radius'][radsrv]['secret']:
+ raise ConfigError("service ipoe-server authentication radius-server " + radsrv + " secret requires a value")
+
+ if c['auth']['radsettings']['dae-server']:
+ try:
+ if c['auth']['radsettings']['dae-server']['ip-address']:
+ pass
+ except:
+ raise ConfigError("service ipoe-server authentication radius-settings dae-server ip-address value required")
+ try:
+ if c['auth']['radsettings']['dae-server']['secret']:
+ pass
+ except:
+ raise ConfigError("service ipoe-server authentication radius-settings dae-server secret value required")
+ try:
+ if c['auth']['radsettings']['dae-server']['port']:
+ pass
+ except:
+ raise ConfigError("service ipoe-server authentication radius-settings dae-server port value required")
+
+ if len(c['ipv6']['pd']) != 0 and len(c['ipv6']['prfx']) == 0:
+ raise ConfigError("service ipoe-server client-ipv6-pool prefix needs a value")
+
+ return c
+
+def apply(c):
+ if c == None:
+ if os.path.exists(pidfile):
+ accel_cmd('shutdown hard')
+ if os.path.exists(pidfile):
+ os.remove(pidfile)
+ return None
+
+ if not os.path.exists(pidfile):
+ ret = subprocess.call(['/usr/sbin/accel-pppd', '-c', ipoe_cnf, '-p', pidfile, '-d'])
+ chk_con()
+ if ret !=0 and os.path.exists(pidfile):
+ os.remove(pidfile)
+ raise ConfigError('accel-pppd failed to start')
+ else:
+ accel_cmd('restart')
+ sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart")
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)
diff --git a/src/conf_mode/protocols_bfd.py b/src/conf_mode/protocols_bfd.py
new file mode 100755
index 000000000..04549f4b4
--- /dev/null
+++ b/src/conf_mode/protocols_bfd.py
@@ -0,0 +1,166 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import jinja2
+import copy
+import os
+import vyos.validate
+
+from vyos import ConfigError
+from vyos.config import Config
+
+config_file = r'/tmp/bfd.frr'
+
+# Please be careful if you edit the template.
+config_tmpl = """
+!
+bfd
+{% for peer in old_peers -%}
+ no peer {{ peer }}
+{% endfor -%}
+!
+{% for peer in new_peers -%}
+ peer {{ peer.remote }}{% if peer.multihop %} multihop{% endif %}{% if peer.src_addr %} local-address {{ peer.src_addr }}{% endif %}{% if peer.src_if %} interface {{ peer.src_if }}{% endif %}
+ detect-multiplier {{ peer.multiplier }}
+ receive-interval {{ peer.rx_interval }}
+ transmit-interval {{ peer.tx_interval }}
+ {% if not peer.shutdown %}no {% endif %}shutdown
+{% endfor -%}
+!
+"""
+
+default_config_data = {
+ 'new_peers': [],
+ 'old_peers' : []
+}
+
+def get_config():
+ bfd = copy.deepcopy(default_config_data)
+ conf = Config()
+ if not (conf.exists('protocols bfd') or conf.exists_effective('protocols bfd')):
+ return None
+ else:
+ conf.set_level('protocols bfd')
+
+ # as we have to use vtysh to talk to FRR we also need to know
+ # which peers are gone due to a config removal - thus we read in
+ # all peers (active or to delete)
+ bfd['old_peers'] = conf.list_effective_nodes('peer')
+
+ for peer in conf.list_nodes('peer'):
+ conf.set_level('protocols bfd peer {0}'.format(peer))
+ bfd_peer = {
+ 'remote': peer,
+ 'shutdown': False,
+ 'src_if': '',
+ 'src_addr': '',
+ 'multiplier': '3',
+ 'rx_interval': '300',
+ 'tx_interval': '300',
+ 'multihop': False
+ }
+
+ # Check if individual peer is disabled
+ if conf.exists('shutdown'):
+ bfd_peer['shutdown'] = True
+
+ # Check if peer has a local source interface configured
+ if conf.exists('source interface'):
+ bfd_peer['src_if'] = conf.return_value('source interface')
+
+ # Check if peer has a local source address configured - this is mandatory for IPv6
+ if conf.exists('source address'):
+ bfd_peer['src_addr'] = conf.return_value('source address')
+
+ # Tell BFD daemon that we should expect packets with TTL less than 254
+ # (because it will take more than one hop) and to listen on the multihop
+ # port (4784)
+ if conf.exists('multihop'):
+ bfd_peer['multihop'] = True
+
+ # Configures the minimum interval that this system is capable of receiving
+ # control packets. The default value is 300 milliseconds.
+ if conf.exists('interval receive'):
+ bfd_peer['rx_interval'] = conf.return_value('interval receive')
+
+ # The minimum transmission interval (less jitter) that this system wants
+ # to use to send BFD control packets.
+ if conf.exists('interval transmit'):
+ bfd_peer['tx_interval'] = conf.return_value('interval transmit')
+
+ # Configures the detection multiplier to determine packet loss. The remote
+ # transmission interval will be multiplied by this value to determine the
+ # connection loss detection timer. The default value is 3.
+ if conf.exists('interval multiplier'):
+ bfd_peer['multiplier'] = conf.return_value('interval multiplier')
+
+ bfd['new_peers'].append(bfd_peer)
+
+ return bfd
+
+def verify(bfd):
+ if bfd is None:
+ return None
+
+ for peer in bfd['new_peers']:
+ # Bail out early if peer is shutdown
+ if peer['shutdown']:
+ continue
+
+ # IPv6 peers require an explicit local address/interface combination
+ if vyos.validate.is_ipv6(peer['remote']):
+ if not (peer['src_if'] and peer['src_addr']):
+ raise ConfigError('BFD IPv6 peers require explicit local address/interface setting')
+
+ # multihop doesn't accept interface names
+ if peer['multihop'] and peer['src_if']:
+ raise ConfigError('multihop does not accept interface names')
+
+
+ return None
+
+def generate(bfd):
+ if bfd is None:
+ return None
+
+ return None
+
+def apply(bfd):
+ if bfd is None:
+ return None
+
+ tmpl = jinja2.Template(config_tmpl)
+ config_text = tmpl.render(bfd)
+ with open(config_file, 'w') as f:
+ f.write(config_text)
+
+ os.system("sudo vtysh -d bfdd -f " + config_file)
+ if os.path.exists(config_file):
+ os.remove(config_file)
+
+ return None
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index 06d2e253a..0ddab2129 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -206,6 +206,13 @@ group {{ u.group }} usm {{ u.name }}
group {{ u.group }} tsm {{ u.name }}
{% endfor %}
{%- endif %}
+
+{% if script_ext %}
+# extension scripts
+{%- for ext in script_ext|sort %}
+extend\t{{ext}}\t{{script_ext[ext]}}
+{%- endfor %}
+{% endif %}
"""
# SNMP template (/etc/default/snmpd) - be careful if you edit the template.
@@ -240,7 +247,8 @@ default_config_data = {
'v3_tsm_key': '',
'v3_tsm_port': '10161',
'v3_users': [],
- 'v3_views': []
+ 'v3_views': [],
+ 'script_ext': {}
}
def rmfile(file):
@@ -345,6 +353,14 @@ def get_config():
snmp['trap_targets'].append(trap_tgt)
+ #
+ # 'set service snmp script-extensions'
+ #
+ if conf.exists('script-extensions'):
+ for extname in conf.list_nodes('script-extensions extension-name'):
+ snmp['script_ext'][extname] = '/config/user-data/' + conf.return_value('script-extensions extension-name ' + extname + ' script')
+
+
#########################################################################
# ____ _ _ __ __ ____ _____ #
# / ___|| \ | | \/ | _ \ __ _|___ / #
@@ -581,6 +597,14 @@ def verify(snmp):
if snmp is None:
return None
+ ### check if the configured script actually exist under /config/user-data
+ if snmp['script_ext']:
+ for ext in snmp['script_ext']:
+ if not os.path.isfile(snmp['script_ext'][ext]):
+ print ("WARNING: script: " + snmp['script_ext'][ext] + " doesn\'t exist")
+ else:
+ os.chmod(snmp['script_ext'][ext], 0o555)
+
# bail out early if SNMP v3 is not configured
if not snmp['v3_enabled']:
return None
@@ -633,7 +657,6 @@ def verify(snmp):
if not 'seclevel' in group.keys():
raise ConfigError('"seclevel" must be specified')
-
if 'v3_traps' in snmp.keys():
for trap in snmp['v3_traps']:
if trap['authPassword'] and trap['authMasterKey']:
diff --git a/src/conf_mode/syslog.py b/src/conf_mode/syslog.py
index c8541a4a0..7b79c701b 100755
--- a/src/conf_mode/syslog.py
+++ b/src/conf_mode/syslog.py
@@ -72,8 +72,8 @@ logrotate_configs = '''
missingok
notifempty
create
- rotate {{files[file]['max-files']}}
- size={{ files[file]['max-size']//1024}}k
+ rotate {{files[file]['max-files']}}
+ size={{files[file]['max-size']//1024}}k
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
@@ -120,8 +120,8 @@ def get_config():
config_data['files']['global']['selectors'] = generate_selectors(c, 'global facility')
if c.exists('global archive size'):
config_data['files']['global']['max-size'] = int(c.return_value('global archive size'))* 1024
- if c.exists('global archive files'):
- config_data['files']['global']['max-files'] = c.return_value('global archive files')
+ if c.exists('global archive file'):
+ config_data['files']['global']['max-files'] = c.return_value('global archive file')
if c.exists('global preserve-fqdn'):
config_data['files']['global']['preserver_fqdn'] = True
@@ -196,7 +196,7 @@ def get_config():
}
}
)
-
+
return config_data
def generate_selectors(c, config_node):
@@ -279,7 +279,7 @@ def verify(c):
raise ConfigError('Invalid logging level ' + s + ' set in '+ conf + ' ' + item)
def apply(c):
- if not os.path.exits('/var/run/rsyslogd.pid'):
+ if not os.path.exists('/var/run/rsyslogd.pid'):
os.system("sudo systemctl start rsyslog >/dev/null")
else:
os.system("sudo systemctl restart rsyslog >/dev/null")
diff --git a/src/conf_mode/vrrp.py b/src/conf_mode/vrrp.py
index bc833b63f..a08493309 100755
--- a/src/conf_mode/vrrp.py
+++ b/src/conf_mode/vrrp.py
@@ -39,7 +39,7 @@ config_tmpl = """
{% if group.health_check_script -%}
vrrp_script healthcheck_{{ group.name }} {
- script {{ group.health_check_script }}
+ script "{{ group.health_check_script }}"
interval {{ group.health_check_interval }}
fall {{ group.health_check_count }}
rise 1
@@ -85,7 +85,7 @@ vrrp_instance {{ group.name }} {
{% if group.auth_password -%}
authentication {
- auth_pass {{ group.auth_password }}
+ auth_pass "{{ group.auth_password }}"
auth_type {{ group.auth_type }}
}
{% endif -%}
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index e893dba47..8234fad0b 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -63,6 +63,7 @@ def get_config():
'lport' : '',
'status' : 'exists',
'state' : 'enabled',
+ 'fwmark' : 0x00,
'mtu' : '1420',
'peer' : {}
}
@@ -95,6 +96,9 @@ def get_config():
### listen port
if c.exists(cnf + ' port'):
config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' port')
+ ### fwmark
+ if c.exists(cnf + ' fwmark'):
+ config_data['interfaces'][intfc]['fwmark'] = c.return_value(cnf + ' fwmark')
### description
if c.exists(cnf + ' description'):
config_data['interfaces'][intfc]['descr'] = c.return_value(cnf + ' description')
@@ -221,7 +225,7 @@ def apply(c):
### config updates
if c['interfaces'][intf]['status'] == 'exists':
### IP address change
- addr_eff = re.sub("\'", "", c_eff.return_effective_values(intf + ' address')).split()
+ addr_eff = c_eff.return_effective_values(intf + ' address')
addr_rem = list(set(addr_eff) - set(c['interfaces'][intf]['addr']))
addr_add = list(set(c['interfaces'][intf]['addr']) - set(addr_eff))
@@ -296,6 +300,10 @@ def configure_interface(c, intf):
if c['interfaces'][intf]['lport']:
wg_config['port'] = c['interfaces'][intf]['lport']
+ ## fwmark
+ if c['interfaces'][intf]['fwmark']:
+ wg_config['fwmark'] = c['interfaces'][intf]['fwmark']
+
## endpoint
if c['interfaces'][intf]['peer'][p]['endpoint']:
wg_config['endpoint'] = c['interfaces'][intf]['peer'][p]['endpoint']
@@ -314,6 +322,7 @@ def configure_interface(c, intf):
### assemble wg command
cmd = "sudo wg set " + intf
cmd += " listen-port " + str(wg_config['port'])
+ cmd += " fwmark " + str(wg_config['fwmark'])
cmd += " private-key " + wg_config['private-key']
cmd += " peer " + wg_config['pubkey']
cmd += " preshared-key " + wg_config['psk']
diff --git a/src/helpers/run-config-migration.py b/src/helpers/run-config-migration.py
new file mode 100755
index 000000000..a57a19cdf
--- /dev/null
+++ b/src/helpers/run-config-migration.py
@@ -0,0 +1,83 @@
+#!/usr/bin/python3
+
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import argparse
+import datetime
+import subprocess
+from vyos.migrator import Migrator, VirtualMigrator
+
+def main():
+ argparser = argparse.ArgumentParser(
+ formatter_class=argparse.RawTextHelpFormatter)
+ argparser.add_argument('config_file', type=str,
+ help="configuration file to migrate")
+ argparser.add_argument('--force', action='store_true',
+ help="Force calling of all migration scripts.")
+ argparser.add_argument('--set-vintage', type=str,
+ choices=['vyatta', 'vyos'],
+ help="Set the format for the config version footer in config"
+ " file:\n"
+ "set to 'vyatta':\n"
+ "(for '/* === vyatta-config-version ... */' format)\n"
+ "or 'vyos':\n"
+ "(for '// vyos-config-version ...' format).")
+ argparser.add_argument('--virtual', action='store_true',
+ help="Update the format of the trailing comments in"
+ " config file,\nfrom 'vyatta' to 'vyos'; no migration"
+ " scripts are run.")
+ args = argparser.parse_args()
+
+ config_file_name = args.config_file
+ force_on = args.force
+ vintage = args.set_vintage
+ virtual = args.virtual
+
+ if not os.access(config_file_name, os.R_OK):
+ print("Read error: {}.".format(config_file_name))
+ sys.exit(1)
+
+ if not os.access(config_file_name, os.W_OK):
+ print("Write error: {}.".format(config_file_name))
+ sys.exit(1)
+
+ separator = "."
+ backup_file_name = separator.join([config_file_name,
+ '{0:%Y-%m-%d-%H%M%S}'.format(datetime.datetime.now()),
+ 'pre-migration'])
+
+ try:
+ subprocess.check_call(['cp', '-p', config_file_name,
+ backup_file_name])
+ except subprocess.CalledProcessError as err:
+ print("Called process error: {}.".format(err))
+ sys.exit(1)
+
+ if not virtual:
+ migration = Migrator(config_file_name, force=force_on,
+ set_vintage=vintage)
+ else:
+ migration = VirtualMigrator(config_file_name)
+
+ migration.run()
+
+ if not migration._changed:
+ os.remove(backup_file_name)
+
+if __name__ == '__main__':
+ main()
diff --git a/src/helpers/system-versions-foot.py b/src/helpers/system-versions-foot.py
new file mode 100755
index 000000000..c33e41d79
--- /dev/null
+++ b/src/helpers/system-versions-foot.py
@@ -0,0 +1,39 @@
+#!/usr/bin/python3
+
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import vyos.formatversions as formatversions
+import vyos.systemversions as systemversions
+import vyos.defaults
+import vyos.version
+
+sys_versions = systemversions.get_system_versions()
+
+component_string = formatversions.format_versions_string(sys_versions)
+
+os_version_string = vyos.version.get_version()
+
+sys.stdout.write("\n\n")
+if vyos.defaults.cfg_vintage == 'vyos':
+ formatversions.write_vyos_versions_foot(None, component_string,
+ os_version_string)
+elif vyos.defaults.cfg_vintage == 'vyatta':
+ formatversions.write_vyatta_versions_foot(None, component_string,
+ os_version_string)
+else:
+ formatversions.write_vyatta_versions_foot(None, component_string,
+ os_version_string)
diff --git a/src/helpers/vyos-merge-config.py b/src/helpers/vyos-merge-config.py
new file mode 100755
index 000000000..e9a14ae98
--- /dev/null
+++ b/src/helpers/vyos-merge-config.py
@@ -0,0 +1,115 @@
+#!/usr/bin/python3
+
+# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import sys
+import os
+import subprocess
+import tempfile
+import vyos.defaults
+import vyos.remote
+import vyos.migrator
+from vyos.config import Config
+from vyos.configtree import ConfigTree
+
+
+if (len(sys.argv) < 2):
+ print("Need config file name to merge.")
+ print("Usage: merge <config file> [config path]")
+ sys.exit(0)
+
+file_name = sys.argv[1]
+
+configdir = vyos.defaults.directories['config']
+
+protocols = ['scp', 'sftp', 'http', 'https', 'ftp', 'tftp']
+
+if any(x in file_name for x in protocols):
+ config_file = vyos.remote.get_remote_config(file_name)
+ if not config_file:
+ sys.exit("No config file by that name.")
+else:
+ canonical_path = "{0}/{1}".format(configdir, file_name)
+ first_err = None
+ try:
+ with open(canonical_path, 'r') as f:
+ config_file = f.read()
+ except Exception as err:
+ first_err = err
+ try:
+ with open(file_name, 'r') as f:
+ config_file = f.read()
+ except Exception as err:
+ print(first_err)
+ print(err)
+ sys.exit(1)
+
+with tempfile.NamedTemporaryFile() as file_to_migrate:
+ with open(file_to_migrate.name, 'w') as fd:
+ fd.write(config_file)
+
+ migration = vyos.migrator.Migrator(file_to_migrate.name)
+ migration.run()
+ if migration.config_changed():
+ with open(file_to_migrate.name, 'r') as fd:
+ config_file = fd.read()
+
+merge_config_tree = ConfigTree(config_file)
+
+effective_config = Config()
+
+output_effective_config = effective_config.show_config()
+# showConfig (called by config.show_config() does not escape
+# backslashes, which configtree expects; cf. T1001.
+output_effective_config = output_effective_config.replace("\\", "\\\\")
+
+effective_config_tree = ConfigTree(output_effective_config)
+
+effective_cmds = effective_config_tree.to_commands()
+merge_cmds = merge_config_tree.to_commands()
+
+effective_cmd_list = effective_cmds.splitlines()
+merge_cmd_list = merge_cmds.splitlines()
+
+effective_cmd_set = set(effective_cmd_list)
+add_cmds = [ cmd for cmd in merge_cmd_list if cmd not in effective_cmd_set ]
+
+path = None
+if (len(sys.argv) > 2):
+ path = sys.argv[2:]
+ if (not effective_config_tree.exists(path) and not
+ merge_config_tree.exists(path)):
+ print("path {} does not exist in either effective or merge"
+ " config; will use root.".format(path))
+ path = None
+ else:
+ path = " ".join(path)
+
+if path:
+ add_cmds = [ cmd for cmd in add_cmds if path in cmd ]
+
+for cmd in add_cmds:
+ cmd = "/opt/vyatta/sbin/my_" + cmd
+
+ try:
+ subprocess.check_call(cmd, shell=True)
+ except subprocess.CalledProcessError as err:
+ print("Called process error: {}.".format(err))
+
+if effective_config.session_changed():
+ print("Merge complete. Use 'commit' to make changes effective.")
+else:
+ print("No configuration changes to commit.")
diff --git a/src/migration-scripts/pppoe-server/1-to-2 b/src/migration-scripts/pppoe-server/1-to-2
new file mode 100755
index 000000000..fa83896d3
--- /dev/null
+++ b/src/migration-scripts/pppoe-server/1-to-2
@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+
+# Convert "service pppoe-server interface ethX"
+# to:
+# "service pppoe-server interface ethX {}"
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+ctree = ConfigTree(config_file)
+cbase = ['service', 'pppoe-server','interface']
+
+if not ctree.exists(cbase):
+ sys.exit(0)
+else:
+ nics = ctree.return_values(cbase)
+ # convert leafNode to a tagNode
+ ctree.set(cbase)
+ ctree.set_tag(cbase)
+ for nic in nics:
+ ctree.set(cbase + [nic])
+
+ try:
+ open(file_name,'w').write(ctree.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
+
diff --git a/src/migration-scripts/system/6-to-7 b/src/migration-scripts/system/6-to-7
new file mode 100755
index 000000000..bf07abf3a
--- /dev/null
+++ b/src/migration-scripts/system/6-to-7
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+
+# Change smp_affinity to smp-affinity
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+update_required = False
+
+intf_types = config.list_nodes(["interfaces"])
+
+for intf_type in intf_types:
+ intf_type_path = ["interfaces", intf_type]
+ intfs = config.list_nodes(intf_type_path)
+
+ for intf in intfs:
+ intf_path = intf_type_path + [intf]
+ if not config.exists(intf_path + ["smp_affinity"]):
+ # Nothing to do.
+ continue
+ else:
+ # Rename the node.
+ old_smp_affinity_path = intf_path + ["smp_affinity"]
+ config.rename(old_smp_affinity_path, "smp-affinity")
+ update_required = True
+
+if update_required:
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("failed to save the modified config: {}".format(e))
+ sys.exit(1)
+
+
+
diff --git a/src/op_mode/show_dhcp.py b/src/op_mode/show_dhcp.py
index 4c4ee6355..c2a05f516 100755
--- a/src/op_mode/show_dhcp.py
+++ b/src/op_mode/show_dhcp.py
@@ -20,6 +20,9 @@ import argparse
import ipaddress
import tabulate
import sys
+import collections
+import os
+from datetime import datetime
from vyos.config import Config
from isc_dhcp_leases import Lease, IscDhcpLeases
@@ -27,6 +30,18 @@ from isc_dhcp_leases import Lease, IscDhcpLeases
lease_file = "/config/dhcpd.leases"
pool_key = "shared-networkname"
+lease_display_fields = collections.OrderedDict()
+lease_display_fields['ip'] = 'IP address'
+lease_display_fields['hardware_address'] = 'Hardware address'
+lease_display_fields['state'] = 'State'
+lease_display_fields['start'] = 'Lease start'
+lease_display_fields['end'] = 'Lease expiration'
+lease_display_fields['remaining'] = 'Remaining'
+lease_display_fields['pool'] = 'Pool'
+lease_display_fields['hostname'] = 'Hostname'
+
+lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup']
+
def in_pool(lease, pool):
if pool_key in lease.sets:
if lease.sets[pool_key] == pool:
@@ -34,17 +49,47 @@ def in_pool(lease, pool):
return False
+def utc_to_local(utc_dt):
+ return datetime.fromtimestamp((utc_dt - datetime(1970,1,1)).total_seconds())
+
def get_lease_data(lease):
data = {}
- # End time may not be present in backup leases
+ # isc-dhcp lease times are in UTC so we need to convert them to local time to display
+ try:
+ data["start"] = utc_to_local(lease.start).strftime("%Y/%m/%d %H:%M:%S")
+ except:
+ data["start"] = ""
+
+ try:
+ data["end"] = utc_to_local(lease.end).strftime("%Y/%m/%d %H:%M:%S")
+ except:
+ data["end"] = ""
+
try:
- data["expires"] = lease.end.strftime("%Y/%m/%d %H:%M:%S")
+ data["remaining"] = lease.end - datetime.utcnow()
+ # negative timedelta prints wrong so bypass it
+ if (data["remaining"].days >= 0):
+ # substraction gives us a timedelta object which can't be formatted with strftime
+ # so we use str(), split gets rid of the microseconds
+ data["remaining"] = str(data["remaining"]).split('.')[0]
+ else:
+ data["remaining"] = ""
except:
- data["expires"] = ""
+ data["remaining"] = ""
+
+ # currently not used but might come in handy
+ # todo: parse into datetime string
+ for prop in ['tstp', 'tsfp', 'atsfp', 'cltt']:
+ if prop in lease.data:
+ data[prop] = lease.data[prop]
+ else:
+ data[prop] = ''
data["hardware_address"] = lease.ethernet
data["hostname"] = lease.hostname
+
+ data["state"] = lease.binding_state
data["ip"] = lease.ip
try:
@@ -54,26 +99,54 @@ def get_lease_data(lease):
return data
-def get_leases(leases, state=None, pool=None):
+def get_leases(leases, state, pool=None, sort='ip'):
+ # get leases from file
leases = IscDhcpLeases(lease_file).get()
- if state is not None:
- leases = list(filter(lambda x: x.binding_state == 'active', leases))
+ # filter leases by state
+ if 'all' not in state:
+ leases = list(filter(lambda x: x.binding_state in state, leases))
+ # filter leases by pool name
if pool is not None:
- leases = list(filter(lambda x: in_pool(x, pool), leases))
+ if config.exists_effective("service dhcp-server shared-network-name {0}".format(pool)):
+ leases = list(filter(lambda x: in_pool(x, pool), leases))
+ else:
+ print("Pool {0} does not exist.".format(pool))
+ sys.exit(0)
- return list(map(get_lease_data, leases))
+ # should maybe filter all state=active by lease.valid here?
-def show_leases(leases):
- headers = ["IP address", "Hardware address", "Lease expiration", "Pool", "Client Name"]
+ # sort by start time to dedupe (newest lease overrides older)
+ leases = sorted(leases, key = lambda lease: lease.start)
+
+ # dedupe by converting to dict
+ leases_dict = {}
+ for lease in leases:
+ # dedupe by IP
+ leases_dict[lease.ip] = lease
+ # convert the lease data
+ leases = list(map(get_lease_data, leases_dict.values()))
+
+ # apply output/display sort
+ if sort == 'ip':
+ leases = sorted(leases, key = lambda lease: int(ipaddress.ip_address(lease['ip'])))
+ else:
+ leases = sorted(leases, key = lambda lease: lease[sort])
+
+ return leases
+
+def show_leases(leases):
lease_list = []
for l in leases:
- lease_list.append([l["ip"], l["hardware_address"], l["expires"], l["pool"], l["hostname"]])
+ lease_list_params = []
+ for k in lease_display_fields.keys():
+ lease_list_params.append(l[k])
+ lease_list.append(lease_list_params)
+
+ output = tabulate.tabulate(lease_list, lease_display_fields.values())
- output = tabulate.tabulate(lease_list, headers)
-
print(output)
def get_pool_size(config, pool):
@@ -85,7 +158,7 @@ def get_pool_size(config, pool):
start = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} start".format(pool, s, r))
stop = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} stop".format(pool, s, r))
- size += int(ipaddress.IPv4Address(stop)) - int(ipaddress.IPv4Address(start))
+ size += int(ipaddress.ip_address(stop)) - int(ipaddress.ip_address(start))
return size
@@ -101,35 +174,33 @@ if __name__ == '__main__':
group = parser.add_mutually_exclusive_group()
group.add_argument("-l", "--leases", action="store_true", help="Show DHCP leases")
group.add_argument("-s", "--statistics", action="store_true", help="Show DHCP statistics")
+ group.add_argument("--allowed", type=str, choices=["pool", "sort", "state"], help="Show allowed values for argument")
- parser.add_argument("-e", "--expired", action="store_true", help="Show expired leases")
- parser.add_argument("-p", "--pool", type=str, action="store", help="Show lease for specific pool")
- parser.add_argument("-j", "--json", action="store_true", default=False, help="Product JSON output")
+ parser.add_argument("-p", "--pool", type=str, help="Show lease for specific pool")
+ parser.add_argument("-S", "--sort", type=str, choices=lease_display_fields.keys(), default='ip', help="Sort by")
+ parser.add_argument("-t", "--state", type=str, nargs="+", choices=lease_valid_states, default="active", help="Lease state to show (can specify multiple with spaces)")
+ parser.add_argument("-j", "--json", action="store_true", default=False, help="Produce JSON output")
args = parser.parse_args()
# Do nothing if service is not configured
config = Config()
if not config.exists_effective('service dhcp-server'):
- print("DHCP service is not configured")
+ print("DHCP service is not configured.")
sys.exit(0)
+ # if dhcp server is down, inactive leases may still be shown as active, so warn the user.
+ if os.system('systemctl -q is-active isc-dhcp-server.service') != 0:
+ print("WARNING: DHCP server is configured but not started. Data may be stale.")
+
if args.leases:
- if args.expired:
- if args.pool:
- leases = get_leases(lease_file, state='free', pool=args.pool)
- else:
- leases = get_leases(lease_file, state='free')
- else:
- if args.pool:
- leases = get_leases(lease_file, state='active', pool=args.pool)
- else:
- leases = get_leases(lease_file, state='active')
+ leases = get_leases(lease_file, args.state, args.pool, args.sort)
if args.json:
print(json.dumps(leases, indent=4))
else:
show_leases(leases)
+
elif args.statistics:
pools = []
@@ -143,10 +214,10 @@ if __name__ == '__main__':
stats = []
for p in pools:
size = get_pool_size(config, p)
- leases = len(get_leases(lease_file, state='active', pool=args.pool))
+ leases = len(get_leases(lease_file, state='active', pool=p))
if size != 0:
- use_percentage = round(leases / size) * 100
+ use_percentage = round(leases / size * 100)
else:
use_percentage = 0
@@ -163,5 +234,12 @@ if __name__ == '__main__':
print(json.dumps(stats, indent=4))
else:
show_pool_stats(stats)
+
+ elif args.allowed == 'pool':
+ print(' '.join(config.list_effective_nodes("service dhcp-server shared-network-name")))
+ elif args.allowed == 'sort':
+ print(' '.join(lease_display_fields.keys()))
+ elif args.allowed == 'state':
+ print(' '.join(lease_valid_states))
else:
- print("Use either --leases or --statistics option")
+ parser.print_help()
diff --git a/src/op_mode/show_dhcpv6.py b/src/op_mode/show_dhcpv6.py
index bf73b92ea..1a6ee62e6 100755
--- a/src/op_mode/show_dhcpv6.py
+++ b/src/op_mode/show_dhcpv6.py
@@ -20,42 +20,138 @@ import argparse
import ipaddress
import tabulate
import sys
+import collections
+import os
+from datetime import datetime
from vyos.config import Config
from isc_dhcp_leases import Lease, IscDhcpLeases
lease_file = "/config/dhcpdv6.leases"
+pool_key = "shared-networkname"
+
+lease_display_fields = collections.OrderedDict()
+lease_display_fields['ip'] = 'IPv6 address'
+lease_display_fields['state'] = 'State'
+lease_display_fields['last_comm'] = 'Last communication'
+lease_display_fields['expires'] = 'Lease expiration'
+lease_display_fields['remaining'] = 'Remaining'
+lease_display_fields['type'] = 'Type'
+lease_display_fields['pool'] = 'Pool'
+lease_display_fields['iaid_duid'] = 'IAID_DUID'
+
+lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup']
+
+def in_pool(lease, pool):
+ if pool_key in lease.sets:
+ if lease.sets[pool_key] == pool:
+ return True
+
+ return False
+
+def format_hex_string(in_str):
+ out_str = ""
+
+ # if input is divisible by 2, add : every 2 chars
+ if len(in_str) > 0 and len(in_str) % 2 == 0:
+ out_str = ':'.join(a+b for a,b in zip(in_str[::2], in_str[1::2]))
+ else:
+ out_str = in_str
+
+ return out_str
+
+def utc_to_local(utc_dt):
+ return datetime.fromtimestamp((utc_dt - datetime(1970,1,1)).total_seconds())
def get_lease_data(lease):
data = {}
- # End time may not be present in backup leases
+ # isc-dhcp lease times are in UTC so we need to convert them to local time to display
try:
- data["expires"] = lease.end.strftime("%Y/%m/%d %H:%M:%S")
+ data["expires"] = utc_to_local(lease.end).strftime("%Y/%m/%d %H:%M:%S")
except:
data["expires"] = ""
- data["duid"] = lease.host_identifier_string
+ try:
+ data["last_comm"] = utc_to_local(lease.last_communication).strftime("%Y/%m/%d %H:%M:%S")
+ except:
+ data["last_comm"] = ""
+
+ try:
+ data["remaining"] = lease.end - datetime.utcnow()
+ # negative timedelta prints wrong so bypass it
+ if (data["remaining"].days >= 0):
+ # substraction gives us a timedelta object which can't be formatted with strftime
+ # so we use str(), split gets rid of the microseconds
+ data["remaining"] = str(data["remaining"]).split('.')[0]
+ else:
+ data["remaining"] = ""
+ except:
+ data["remaining"] = ""
+
+ # isc-dhcp records lease declarations as ia_{na|ta|pd} IAID_DUID {...}
+ # where IAID_DUID is the combined IAID and DUID
+ data["iaid_duid"] = format_hex_string(lease.host_identifier_string)
+
+ lease_types_long = {"na": "non-temporary", "ta": "temporary", "pd": "prefix delegation"}
+ data["type"] = lease_types_long[lease.type]
+
+ data["state"] = lease.binding_state
data["ip"] = lease.ip
+ try:
+ data["pool"] = lease.sets[pool_key]
+ except:
+ data["pool"] = ""
+
return data
-def get_leases(leases, state=None):
+def get_leases(leases, state, pool=None, sort='ip'):
leases = IscDhcpLeases(lease_file).get()
- if state is not None:
- leases = list(filter(lambda x: x.binding_state == 'active', leases))
+ # filter leases by state
+ if 'all' not in state:
+ leases = list(filter(lambda x: x.binding_state in state, leases))
- return list(map(get_lease_data, leases))
+ # filter leases by pool name
+ if pool is not None:
+ if config.exists_effective("service dhcp-server shared-network-name {0}".format(pool)):
+ leases = list(filter(lambda x: in_pool(x, pool), leases))
+ else:
+ print("Pool {0} does not exist.".format(pool))
+ sys.exit(0)
-def show_leases(leases):
- headers = ["IPv6 address", "Lease expiration", "DUID"]
+ # should maybe filter all state=active by lease.valid here?
+
+ # sort by last_comm time to dedupe (newest lease overrides older)
+ leases = sorted(leases, key = lambda lease: lease.last_communication)
+
+ # dedupe by converting to dict
+ leases_dict = {}
+ for lease in leases:
+ # dedupe by IP
+ leases_dict[lease.ip] = lease
+ # convert the lease data
+ leases = list(map(get_lease_data, leases_dict.values()))
+
+ # apply output/display sort
+ if sort == 'ip':
+ leases = sorted(leases, key = lambda k: int(ipaddress.ip_address(k['ip'])))
+ else:
+ leases = sorted(leases, key = lambda k: k[sort])
+
+ return leases
+
+def show_leases(leases):
lease_list = []
for l in leases:
- lease_list.append([l["ip"], l["expires"], l["duid"]])
+ lease_list_params = []
+ for k in lease_display_fields.keys():
+ lease_list_params.append(l[k])
+ lease_list.append(lease_list_params)
- output = tabulate.tabulate(lease_list, headers)
+ output = tabulate.tabulate(lease_list, lease_display_fields.values())
print(output)
@@ -63,11 +159,14 @@ if __name__ == '__main__':
parser = argparse.ArgumentParser()
group = parser.add_mutually_exclusive_group()
- group.add_argument("-l", "--leases", action="store_true", help="Show DHCP leases")
- group.add_argument("-s", "--statistics", action="store_true", help="Show DHCP statistics")
+ group.add_argument("-l", "--leases", action="store_true", help="Show DHCPv6 leases")
+ group.add_argument("-s", "--statistics", action="store_true", help="Show DHCPv6 statistics")
+ group.add_argument("--allowed", type=str, choices=["pool", "sort", "state"], help="Show allowed values for argument")
- parser.add_argument("-p", "--pool", type=str, action="store", help="Show lease for specific pool")
- parser.add_argument("-j", "--json", action="store_true", default=False, help="Product JSON output")
+ parser.add_argument("-p", "--pool", type=str, help="Show lease for specific pool")
+ parser.add_argument("-S", "--sort", type=str, choices=lease_display_fields.keys(), default='ip', help="Sort by")
+ parser.add_argument("-t", "--state", type=str, nargs="+", choices=lease_valid_states, default="active", help="Lease state to show (can specify multiple with spaces)")
+ parser.add_argument("-j", "--json", action="store_true", default=False, help="Produce JSON output")
args = parser.parse_args()
@@ -77,10 +176,24 @@ if __name__ == '__main__':
print("DHCPv6 service is not configured")
sys.exit(0)
+ # if dhcp server is down, inactive leases may still be shown as active, so warn the user.
+ if os.system('systemctl -q is-active isc-dhcpv6-server.service') != 0:
+ print("WARNING: DHCPv6 server is configured but not started. Data may be stale.")
+
if args.leases:
- leases = get_leases(lease_file, state='active')
- show_leases(leases)
+ leases = get_leases(lease_file, args.state, args.pool, args.sort)
+
+ if args.json:
+ print(json.dumps(leases, indent=4))
+ else:
+ show_leases(leases)
elif args.statistics:
print("DHCPv6 statistics option is not available")
+ elif args.allowed == 'pool':
+ print(' '.join(c.list_effective_nodes("service dhcpv6-server shared-network-name")))
+ elif args.allowed == 'sort':
+ print(' '.join(lease_display_fields.keys()))
+ elif args.allowed == 'state':
+ print(' '.join(lease_valid_states))
else:
- print("Invalid option")
+ parser.print_help()
diff --git a/src/op_mode/version.py b/src/op_mode/version.py
index ce3b3b54f..5aff0f767 100755
--- a/src/op_mode/version.py
+++ b/src/op_mode/version.py
@@ -51,7 +51,8 @@ version_output_tmpl = """
Version: VyOS {{version}}
Built by: {{built_by}}
Built on: {{built_on}}
-Build ID: {{build_id}}
+Build UUID: {{build_uuid}}
+Build Commit ID: {{build_git}}
Architecture: {{system_arch}}
Boot via: {{boot_via}}
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
new file mode 100755
index 000000000..e11eb6d52
--- /dev/null
+++ b/src/services/vyos-http-api-server
@@ -0,0 +1,237 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import os
+import sys
+import grp
+import json
+import traceback
+import threading
+
+import vyos.config
+
+import bottle
+
+from vyos.configsession import ConfigSession, ConfigSessionError
+from vyos.config import VyOSError
+
+
+DEFAULT_CONFIG_FILE = '/etc/vyos/http-api.conf'
+
+CFG_GROUP = 'vyattacfg'
+
+app = bottle.default_app()
+
+# Giant lock!
+lock = threading.Lock()
+
+def load_server_config():
+ with open(DEFAULT_CONFIG_FILE) as f:
+ config = json.load(f)
+ return config
+
+def check_auth(key_list, key):
+ id = None
+ for k in key_list:
+ if k['key'] == key:
+ id = k['id']
+ return id
+
+def error(code, msg):
+ bottle.response.status = code
+ resp = {"success": False, "error": msg, "data": None}
+ return json.dumps(resp)
+
+def success(data):
+ resp = {"success": True, "data": data, "error": None}
+ return json.dumps(resp)
+
+@app.route('/configure', method='POST')
+def configure():
+ session = app.config['vyos_session']
+ config = app.config['vyos_config']
+ api_keys = app.config['vyos_keys']
+
+ key = bottle.request.forms.get("key")
+ id = check_auth(api_keys, key)
+ if not id:
+ return error(401, "Valid API key is required")
+
+ strict_field = bottle.request.forms.get("strict")
+ if strict_field == "true":
+ strict = True
+ else:
+ strict = False
+
+ commands = bottle.request.forms.get("data")
+ if not commands:
+ return error(400, "Non-empty data field is required")
+ else:
+ try:
+ commands = json.loads(commands)
+ except Exception as e:
+ return error(400, "Failed to parse JSON: {0}".format(e))
+
+ # Allow users to pass just one command
+ if not isinstance(commands, list):
+ commands = [commands]
+
+ # We don't want multiple people/apps to be able to commit at once,
+ # or modify the shared session while someone else is doing the same,
+ # so the lock is really global
+ lock.acquire()
+
+ status = 200
+ error_msg = None
+ try:
+ for c in commands:
+ # What we've got may not even be a dict
+ if not isinstance(c, dict):
+ raise ConfigSessionError("Malformed command \"{0}\": any command must be a dict".format(json.dumps(c)))
+
+ # Missing op or path is a show stopper
+ if not ('op' in c):
+ raise ConfigSessionError("Malformed command \"{0}\": missing \"op\" field".format(json.dumps(c)))
+ if not ('path' in c):
+ raise ConfigSessionError("Malformed command \"{0}\": missing \"path\" field".format(json.dumps(c)))
+
+ # Missing value is fine, substitute for empty string
+ if 'value' in c:
+ value = c['value']
+ else:
+ value = ""
+
+ op = c['op']
+ path = c['path']
+
+ if not path:
+ raise ConfigSessionError("Malformed command \"{0}\": empty path".format(json.dumps(c)))
+
+ # Type checking
+ if not isinstance(path, list):
+ raise ConfigSessionError("Malformed command \"{0}\": \"path\" field must be a list".format(json.dumps(c)))
+
+ if not isinstance(value, str):
+ raise ConfigSessionError("Malformed command \"{0}\": \"value\" field must be a string".format(json.dumps(c)))
+
+ # Account for the case when value field is present and set to null
+ if not value:
+ value = ""
+
+ # For vyos.configsessios calls that have no separate value arguments,
+ # and for type checking too
+ try:
+ cfg_path = " ".join(path + [value]).strip()
+ except TypeError:
+ raise ConfigSessionError("Malformed command \"{0}\": \"path\" field must be a list of strings".format(json.dumps(c)))
+
+ if op == 'set':
+ # XXX: it would be nice to do a strict check for "path already exists",
+ # but there's probably no way to do that
+ session.set(path, value=value)
+ elif op == 'delete':
+ if strict and not config.exists(cfg_path):
+ raise ConfigSessionError("Cannot delete [{0}]: path/value does not exist".format(cfg_path))
+ session.delete(path, value=value)
+ elif op == 'comment':
+ session.comment(path, value=value)
+ else:
+ raise ConfigSessionError("\"{0}\" is not a valid operation".format(op))
+ # end for
+ session.commit()
+ print("Configuration modified via HTTP API using key \"{0}\"".format(id))
+ except ConfigSessionError as e:
+ session.discard()
+ status = 400
+ if app.config['vyos_debug']:
+ print(traceback.format_exc(), file=sys.stderr)
+ error_msg = str(e)
+ except Exception as e:
+ session.discard()
+ print(traceback.format_exc(), file=sys.stderr)
+ status = 500
+
+ # Don't give the details away to the outer world
+ error_msg = "An internal error occured. Check the logs for details."
+ finally:
+ lock.release()
+
+ if status != 200:
+ return error(status, error_msg)
+ else:
+ return success(None)
+
+@app.route('/retrieve', method='POST')
+def get_value():
+ config = app.config['vyos_config']
+
+ api_keys = app.config['vyos_keys']
+
+ key = bottle.request.forms.get("key")
+ id = check_auth(api_keys, key)
+ if not id:
+ return error(401, "Valid API key is required")
+
+ command = bottle.request.forms.get("data")
+ command = json.loads(command)
+
+ op = command['op']
+ path = " ".join(command['path'])
+
+ try:
+ if op == 'returnValue':
+ res = config.return_value(path)
+ elif op == 'returnValues':
+ res = config.return_values(path)
+ elif op == 'exists':
+ res = config.exists(path)
+ else:
+ return error(400, "\"{0}\" is not a valid operation".format(op))
+ except VyOSError as e:
+ return error(400, str(e))
+ except Exception as e:
+ print(traceback.format_exc(), file=sys.stderr)
+ return error(500, "An internal error occured. Check the logs for details.")
+
+ return success(res)
+
+if __name__ == '__main__':
+ # systemd's user and group options don't work, do it by hand here,
+ # else no one else will be able to commit
+ cfg_group = grp.getgrnam(CFG_GROUP)
+ os.setgid(cfg_group.gr_gid)
+
+ # Need to set file permissions to 775 too so that every vyattacfg group member
+ # has write access to the running config
+ os.umask(0o002)
+
+ try:
+ server_config = load_server_config()
+ except Exception as e:
+ print("Failed to load the HTTP API server config: {0}".format(e))
+
+ session = ConfigSession(os.getpid())
+ env = session.get_session_env()
+ config = vyos.config.Config(session_env=env)
+
+ app.config['vyos_session'] = session
+ app.config['vyos_config'] = config
+ app.config['vyos_keys'] = server_config['api_keys']
+ app.config['vyos_debug'] = server_config['debug']
+
+ bottle.run(app, host=server_config["listen_address"], port=server_config["port"], debug=True)
diff --git a/src/systemd/vyos-http-api.service b/src/systemd/vyos-http-api.service
new file mode 100644
index 000000000..4fa68b4ff
--- /dev/null
+++ b/src/systemd/vyos-http-api.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=VyOS HTTP API service
+After=auditd.service systemd-user-sessions.service time-sync.target vyos-router.service
+Requires=vyos-router.service
+
+[Service]
+ExecStartPre=/usr/libexec/vyos/init/vyos-config
+ExecStart=/usr/bin/python3 -u /usr/libexec/vyos/services/vyos-http-api-server
+Type=idle
+KillMode=process
+
+SyslogIdentifier=vyos-http-api
+SyslogFacility=daemon
+
+Restart=on-failure
+
+# Does't work but leave it here
+User=root
+Group=vyattacfg
+
+[Install]
+# Installing in a earlier target leaves ExecStartPre waiting
+WantedBy=getty.target
+
diff --git a/src/utils/vyos-config-file-query b/src/utils/vyos-config-file-query
new file mode 100755
index 000000000..a10c7e9b3
--- /dev/null
+++ b/src/utils/vyos-config-file-query
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import re
+import os
+import sys
+import json
+import argparse
+
+import vyos.configtree
+
+
+arg_parser = argparse.ArgumentParser()
+arg_parser.add_argument('-p', '--path', type=str,
+ help="VyOS config node, e.g. \"system config-management commit-revisions\"", required=True)
+arg_parser.add_argument('-f', '--file', type=str, help="VyOS config file, e.g. /config/config.boot", required=True)
+
+arg_parser.add_argument('-s', '--separator', type=str, default=' ', help="Value separator for the plain format")
+arg_parser.add_argument('-j', '--json', action='store_true')
+
+op_group = arg_parser.add_mutually_exclusive_group(required=True)
+op_group.add_argument('--return-value', action='store_true', help="Return a single node value")
+op_group.add_argument('--return-values', action='store_true', help="Return all values of a multi-value node")
+op_group.add_argument('--list-nodes', action='store_true', help="List children of a node")
+op_group.add_argument('--exists', action='store_true', help="Check if a node exists")
+
+args = arg_parser.parse_args()
+
+
+try:
+ with open(args.file, 'r') as f:
+ config_file = f.read()
+except OSError as e:
+ print("Could not read the config file: {0}".format(e))
+ sys.exit(1)
+
+try:
+ config = vyos.configtree.ConfigTree(config_file)
+except Exception as e:
+ print(e)
+ sys.exit(1)
+
+
+path = re.split(r'\s+', args.path)
+values = None
+
+if args.exists:
+ if config.exists(path):
+ sys.exit(0)
+ else:
+ sys.exit(1)
+elif args.return_value:
+ try:
+ values = [config.return_value(path)]
+ except vyos.configtree.ConfigTreeError as e:
+ print(e)
+ sys.exit(1)
+elif args.return_values:
+ try:
+ values = config.return_values(path)
+ except vyos.configtree.ConfigTreeError as e:
+ print(e)
+ sys.exit(1)
+elif args.list_nodes:
+ values = config.list_nodes(path)
+ if not values:
+ values = []
+else:
+ # Can't happen
+ print("Operation required")
+ sys.exit(1)
+
+
+if values:
+ if args.json:
+ print(json.dumps(values))
+ else:
+ if len(values) == 1:
+ print(values[0])
+ else:
+ # XXX: assuming values never contain quotes
+ values = list(map(lambda s: "\'{0}\'".format(s), values))
+ values_str = args.separator.join(values)
+ print(values_str)
+
+sys.exit(0)
diff --git a/src/validators/cidr b/src/validators/cidr
new file mode 100755
index 000000000..815aa8ba1
--- /dev/null
+++ b/src/validators/cidr
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ipaddrcheck --is-any-cidr $1