summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorMarcus Hoff <marcus.hoff@ring2.dk>2020-09-05 09:58:03 +0200
committerMarcus Hoff <marcus.hoff@ring2.dk>2020-09-05 09:58:03 +0200
commit46fb580fa0131f6815bbcfc95631654f6fe999a8 (patch)
tree73ae9fcaa97d5cfab7883bc6fbf3ea036677c2a3 /src/conf_mode
parent0377b8e40b0d3e424da11194e97659c5066c0a1d (diff)
parentb6b61bc9ecf1328e67a0c15934f8bf3966a6b66d (diff)
downloadvyos-1x-46fb580fa0131f6815bbcfc95631654f6fe999a8.tar.gz
vyos-1x-46fb580fa0131f6815bbcfc95631654f6fe999a8.zip
Merge remote-tracking branch 'upstream/current' into current
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/bcast_relay.py7
-rwxr-xr-xsrc/conf_mode/dhcp_relay.py7
-rwxr-xr-xsrc/conf_mode/dhcp_server.py7
-rwxr-xr-xsrc/conf_mode/dhcpv6_relay.py7
-rwxr-xr-xsrc/conf_mode/dhcpv6_server.py7
-rwxr-xr-xsrc/conf_mode/dynamic_dns.py7
-rwxr-xr-xsrc/conf_mode/firewall_options.py7
-rwxr-xr-xsrc/conf_mode/host_name.py20
-rwxr-xr-xsrc/conf_mode/http-api.py8
-rwxr-xr-xsrc/conf_mode/https.py98
-rwxr-xr-xsrc/conf_mode/igmp_proxy.py7
-rwxr-xr-xsrc/conf_mode/intel_qat.py7
-rwxr-xr-xsrc/conf_mode/interfaces-bonding.py450
-rwxr-xr-xsrc/conf_mode/interfaces-bridge.py416
-rwxr-xr-xsrc/conf_mode/interfaces-dummy.py39
-rwxr-xr-xsrc/conf_mode/interfaces-ethernet.py303
-rwxr-xr-xsrc/conf_mode/interfaces-geneve.py140
-rwxr-xr-xsrc/conf_mode/interfaces-l2tpv3.py267
-rwxr-xr-xsrc/conf_mode/interfaces-loopback.py37
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py68
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py7
-rwxr-xr-xsrc/conf_mode/interfaces-pppoe.py60
-rwxr-xr-xsrc/conf_mode/interfaces-pseudo-ethernet.py243
-rwxr-xr-xsrc/conf_mode/interfaces-tunnel.py8
-rwxr-xr-xsrc/conf_mode/interfaces-vxlan.py262
-rwxr-xr-xsrc/conf_mode/interfaces-wireguard.py341
-rwxr-xr-xsrc/conf_mode/interfaces-wireless.py697
-rwxr-xr-xsrc/conf_mode/interfaces-wirelessmodem.py73
-rwxr-xr-xsrc/conf_mode/ipsec-settings.py7
-rwxr-xr-xsrc/conf_mode/le_cert.py3
-rwxr-xr-xsrc/conf_mode/lldp.py7
-rwxr-xr-xsrc/conf_mode/nat.py34
-rwxr-xr-xsrc/conf_mode/ntp.py7
-rwxr-xr-xsrc/conf_mode/protocols_bgp.py69
-rwxr-xr-xsrc/conf_mode/protocols_igmp.py7
-rwxr-xr-xsrc/conf_mode/protocols_mpls.py31
-rwxr-xr-xsrc/conf_mode/protocols_pim.py7
-rwxr-xr-xsrc/conf_mode/protocols_rip.py13
-rwxr-xr-xsrc/conf_mode/protocols_static_multicast.py7
-rwxr-xr-xsrc/conf_mode/salt-minion.py7
-rwxr-xr-xsrc/conf_mode/service_console-server.py44
-rwxr-xr-xsrc/conf_mode/service_ids_fastnetmon.py7
-rwxr-xr-xsrc/conf_mode/service_ipoe-server.py15
-rwxr-xr-xsrc/conf_mode/service_mdns-repeater.py (renamed from src/conf_mode/mdns_repeater.py)59
-rwxr-xr-xsrc/conf_mode/service_pppoe-server.py16
-rwxr-xr-xsrc/conf_mode/service_router-advert.py174
-rwxr-xr-xsrc/conf_mode/ssh.py11
-rwxr-xr-xsrc/conf_mode/system-ip.py7
-rwxr-xr-xsrc/conf_mode/system-ipv6.py7
-rwxr-xr-xsrc/conf_mode/system-login-banner.py7
-rwxr-xr-xsrc/conf_mode/system-login.py7
-rwxr-xr-xsrc/conf_mode/system-options.py38
-rwxr-xr-xsrc/conf_mode/system-syslog.py7
-rwxr-xr-xsrc/conf_mode/system-timezone.py7
-rwxr-xr-xsrc/conf_mode/system-wifi-regdom.py7
-rwxr-xr-xsrc/conf_mode/system_console.py7
-rwxr-xr-xsrc/conf_mode/system_lcd.py91
-rwxr-xr-xsrc/conf_mode/task_scheduler.py7
-rwxr-xr-xsrc/conf_mode/tftp_server.py7
-rwxr-xr-xsrc/conf_mode/vpn_anyconnect.py135
-rwxr-xr-xsrc/conf_mode/vpn_l2tp.py13
-rwxr-xr-xsrc/conf_mode/vpn_pptp.py13
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py13
-rwxr-xr-xsrc/conf_mode/vrf.py7
-rwxr-xr-xsrc/conf_mode/vrrp.py7
-rwxr-xr-xsrc/conf_mode/vyos_cert.py7
66 files changed, 1458 insertions, 3061 deletions
diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py
index a3e141a00..4a47b9246 100755
--- a/src/conf_mode/bcast_relay.py
+++ b/src/conf_mode/bcast_relay.py
@@ -29,8 +29,11 @@ airbag.enable()
config_file_base = r'/etc/default/udp-broadcast-relay'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['service', 'broadcast-relay']
relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
diff --git a/src/conf_mode/dhcp_relay.py b/src/conf_mode/dhcp_relay.py
index f093a005e..352865b9d 100755
--- a/src/conf_mode/dhcp_relay.py
+++ b/src/conf_mode/dhcp_relay.py
@@ -36,9 +36,12 @@ default_config_data = {
'relay_agent_packets': 'forward'
}
-def get_config():
+def get_config(config=None):
relay = default_config_data
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if not conf.exists(['service', 'dhcp-relay']):
return None
else:
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index 0eaa14c5b..fd4e2ec61 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -126,9 +126,12 @@ def dhcp_static_route(static_subnet, static_router):
return string
-def get_config():
+def get_config(config=None):
dhcp = default_config_data
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if not conf.exists('service dhcp-server'):
return None
else:
diff --git a/src/conf_mode/dhcpv6_relay.py b/src/conf_mode/dhcpv6_relay.py
index 6ef290bf0..d4212b8be 100755
--- a/src/conf_mode/dhcpv6_relay.py
+++ b/src/conf_mode/dhcpv6_relay.py
@@ -35,9 +35,12 @@ default_config_data = {
'options': [],
}
-def get_config():
+def get_config(config=None):
relay = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if not conf.exists('service dhcpv6-relay'):
return None
else:
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py
index 53c8358a5..4ce4cada1 100755
--- a/src/conf_mode/dhcpv6_server.py
+++ b/src/conf_mode/dhcpv6_server.py
@@ -37,9 +37,12 @@ default_config_data = {
'shared_network': []
}
-def get_config():
+def get_config(config=None):
dhcpv6 = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['service', 'dhcpv6-server']
if not conf.exists(base):
return None
diff --git a/src/conf_mode/dynamic_dns.py b/src/conf_mode/dynamic_dns.py
index 5b1883c03..57c910a68 100755
--- a/src/conf_mode/dynamic_dns.py
+++ b/src/conf_mode/dynamic_dns.py
@@ -50,9 +50,12 @@ default_config_data = {
'deleted': False
}
-def get_config():
+def get_config(config=None):
dyndns = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base_level = ['service', 'dns', 'dynamic']
if not conf.exists(base_level):
diff --git a/src/conf_mode/firewall_options.py b/src/conf_mode/firewall_options.py
index 71b2a98b3..67bf5d0e2 100755
--- a/src/conf_mode/firewall_options.py
+++ b/src/conf_mode/firewall_options.py
@@ -32,9 +32,12 @@ default_config_data = {
'new_chain6': False
}
-def get_config():
+def get_config(config=None):
opts = copy.deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if not conf.exists('firewall options'):
# bail out early
return opts
diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py
index f2fa64233..f4c75c257 100755
--- a/src/conf_mode/host_name.py
+++ b/src/conf_mode/host_name.py
@@ -18,20 +18,16 @@
conf-mode script for 'system host-name' and 'system domain-name'.
"""
-import os
import re
import sys
import copy
-import glob
-import argparse
-import jinja2
import vyos.util
import vyos.hostsd_client
from vyos.config import Config
from vyos import ConfigError
-from vyos.util import cmd, call, run, process_named_running
+from vyos.util import cmd, call, process_named_running
from vyos import airbag
airbag.enable()
@@ -47,7 +43,12 @@ default_config_data = {
hostsd_tag = 'system'
-def get_config(conf):
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+
hosts = copy.deepcopy(default_config_data)
hosts['hostname'] = conf.return_value("system host-name")
@@ -77,7 +78,7 @@ def get_config(conf):
return hosts
-def verify(conf, hosts):
+def verify(hosts):
if hosts is None:
return None
@@ -168,9 +169,8 @@ def apply(config):
if __name__ == '__main__':
try:
- conf = Config()
- c = get_config(conf)
- verify(conf, c)
+ c = get_config()
+ verify(c)
generate(c)
apply(c)
except ConfigError as e:
diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
index b8a084a40..472eb77e4 100755
--- a/src/conf_mode/http-api.py
+++ b/src/conf_mode/http-api.py
@@ -39,7 +39,7 @@ dependencies = [
'https.py',
]
-def get_config():
+def get_config(config=None):
http_api = deepcopy(vyos.defaults.api_data)
x = http_api.get('api_keys')
if x is None:
@@ -48,7 +48,11 @@ def get_config():
default_key = x[0]
keys_added = False
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
+
if not conf.exists('service https api'):
return None
else:
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 7acb629bd..de228f0f8 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -14,9 +14,8 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import os
+import sys
-from sys import exit
from copy import deepcopy
import vyos.defaults
@@ -31,7 +30,13 @@ from vyos import airbag
airbag.enable()
config_file = '/etc/nginx/sites-available/default'
+certbot_dir = vyos.defaults.directories['certbot']
+# https config needs to coordinate several subsystems: api, certbot,
+# self-signed certificate, as well as the virtual hosts defined within the
+# https config definition itself. Consequently, one needs a general dict,
+# encompassing the https and other configs, and a list of such virtual hosts
+# (server blocks in nginx terminology) to pass to the jinja2 template.
default_server_block = {
'id' : '',
'address' : '*',
@@ -42,70 +47,84 @@ default_server_block = {
'certbot' : False
}
-def get_config():
- server_block_list = []
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+
if not conf.exists('service https'):
return None
- else:
- conf.set_level('service https')
- if not conf.exists('virtual-host'):
+ server_block_list = []
+ https_dict = conf.get_config_dict('service https', get_first_key=True)
+
+ # organize by vhosts
+
+ vhost_dict = https_dict.get('virtual-host', {})
+
+ if not vhost_dict:
+ # no specified virtual hosts (server blocks); use default
server_block_list.append(default_server_block)
else:
- for vhost in conf.list_nodes('virtual-host'):
+ for vhost in list(vhost_dict):
server_block = deepcopy(default_server_block)
server_block['id'] = vhost
- if conf.exists(f'virtual-host {vhost} listen-address'):
- addr = conf.return_value(f'virtual-host {vhost} listen-address')
- server_block['address'] = addr
- if conf.exists(f'virtual-host {vhost} listen-port'):
- port = conf.return_value(f'virtual-host {vhost} listen-port')
- server_block['port'] = port
- if conf.exists(f'virtual-host {vhost} server-name'):
- names = conf.return_values(f'virtual-host {vhost} server-name')
- server_block['name'] = names[:]
+ data = vhost_dict.get(vhost, {})
+ server_block['address'] = data.get('listen-address', '*')
+ server_block['port'] = data.get('listen-port', '443')
+ name = data.get('server-name', ['_'])
+ server_block['name'] = name
server_block_list.append(server_block)
+ # get certificate data
+
+ cert_dict = https_dict.get('certificates', {})
+
+ # self-signed certificate
+
vyos_cert_data = {}
- if conf.exists('certificates system-generated-certificate'):
+ if 'system-generated-certificate' in list(cert_dict):
vyos_cert_data = vyos.defaults.vyos_cert_data
if vyos_cert_data:
for block in server_block_list:
block['vyos_cert'] = vyos_cert_data
+ # letsencrypt certificate using certbot
+
certbot = False
- certbot_domains = []
- if conf.exists('certificates certbot domain-name'):
- certbot_domains = conf.return_values('certificates certbot domain-name')
- if certbot_domains:
+ cert_domains = cert_dict.get('certbot', {}).get('domain-name', [])
+ if cert_domains:
certbot = True
- for domain in certbot_domains:
+ for domain in cert_domains:
sub_list = vyos.certbot_util.choose_server_block(server_block_list,
domain)
if sub_list:
for sb in sub_list:
sb['certbot'] = True
+ sb['certbot_dir'] = certbot_dir
# certbot organizes certificates by first domain
- sb['certbot_dir'] = certbot_domains[0]
+ sb['certbot_domain_dir'] = cert_domains[0]
- api_somewhere = False
+ # get api data
+
+ api_set = False
api_data = {}
- if conf.exists('api'):
- api_somewhere = True
+ if 'api' in list(https_dict):
+ api_set = True
api_data = vyos.defaults.api_data
- if conf.exists('api port'):
- port = conf.return_value('api port')
+ api_settings = https_dict.get('api', {})
+ if api_settings:
+ port = api_settings.get('port', '')
+ if port:
api_data['port'] = port
- if conf.exists('api-restrict virtual-host'):
- vhosts = conf.return_values('api-restrict virtual-host')
+ vhosts = https_dict.get('api-restrict', {}).get('virtual-host', [])
+ if vhosts:
api_data['vhost'] = vhosts[:]
if api_data:
- # we do not want to include 'vhost' key as part of
- # vyos.defaults.api_data, so check for key existence
- vhost_list = api_data.get('vhost')
- if vhost_list is None:
+ vhost_list = api_data.get('vhost', [])
+ if not vhost_list:
for block in server_block_list:
block['api'] = api_data
else:
@@ -113,9 +132,12 @@ def get_config():
if block['id'] in vhost_list:
block['api'] = api_data
+ # return dict for use in template
+
https = {'server_block_list' : server_block_list,
- 'api_somewhere': api_somewhere,
+ 'api_set': api_set,
'certbot': certbot}
+
return https
def verify(https):
@@ -155,4 +177,4 @@ if __name__ == '__main__':
apply(c)
except ConfigError as e:
print(e)
- exit(1)
+ sys.exit(1)
diff --git a/src/conf_mode/igmp_proxy.py b/src/conf_mode/igmp_proxy.py
index 49aea9b7f..754f46566 100755
--- a/src/conf_mode/igmp_proxy.py
+++ b/src/conf_mode/igmp_proxy.py
@@ -36,9 +36,12 @@ default_config_data = {
'interfaces': [],
}
-def get_config():
+def get_config(config=None):
igmp_proxy = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['protocols', 'igmp-proxy']
if not conf.exists(base):
return None
diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py
index 742f09a54..1e5101a9f 100755
--- a/src/conf_mode/intel_qat.py
+++ b/src/conf_mode/intel_qat.py
@@ -30,8 +30,11 @@ airbag.enable()
# Define for recovering
gl_ipsec_conf = None
-def get_config():
- c = Config()
+def get_config(config=None):
+ if config:
+ c = config
+ else:
+ c = Config()
config_data = {
'qat_conf' : None,
'ipsec_conf' : None,
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py
index a16c4e105..16e6e4f6e 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces-bonding.py
@@ -16,41 +16,25 @@
import os
-from copy import deepcopy
from sys import exit
from netifaces import interfaces
-from vyos.ifconfig import BondIf
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
from vyos.config import Config
-from vyos.util import call, cmd
-from vyos.validate import is_member, has_address_configured
+from vyos.configdict import get_interface_dict
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_vlan_config
+from vyos.configverify import verify_vrf
+from vyos.ifconfig import BondIf
+from vyos.validate import is_member
+from vyos.validate import has_address_configured
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'arp_mon_intvl': 0,
- 'arp_mon_tgt': [],
- 'deleted': False,
- 'hash_policy': 'layer2',
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp_pvlan': 0,
- 'mode': '802.3ad',
- 'member': [],
- 'shutdown_required': False,
- 'primary': '',
- 'vif_s': {},
- 'vif_s_remove': [],
- 'vif': {},
- 'vif_remove': [],
-}
-
-
def get_bond_mode(mode):
if mode == 'round-robin':
return 'balance-rr'
@@ -67,339 +51,141 @@ def get_bond_mode(mode):
elif mode == 'adaptive-load-balance':
return 'balance-alb'
else:
- raise ConfigError('invalid bond mode "{}"'.format(mode))
-
-def get_config():
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- conf = Config()
-
- # initialize kernel module if not loaded
- if not os.path.isfile('/sys/class/net/bonding_masters'):
- import syslog
- syslog.syslog(syslog.LOG_NOTICE, "loading bonding kernel module")
- if call('modprobe bonding max_bonds=0 miimon=250') != 0:
- syslog.syslog(syslog.LOG_NOTICE, "failed loading bonding kernel module")
- raise ConfigError("failed loading bonding kernel module")
-
- # check if bond has been removed
- cfg_base = 'interfaces bonding ' + ifname
- if not conf.exists(cfg_base):
- bond = deepcopy(default_config_data)
- bond['intf'] = ifname
- bond['deleted'] = True
- return bond
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- bond, disabled = intf_to_dict(conf, default_config_data)
-
- # ARP link monitoring frequency in milliseconds
- if conf.exists('arp-monitor interval'):
- bond['arp_mon_intvl'] = int(conf.return_value('arp-monitor interval'))
-
- # IP address to use for ARP monitoring
- if conf.exists('arp-monitor target'):
- bond['arp_mon_tgt'] = conf.return_values('arp-monitor target')
-
- # Bonding transmit hash policy
- if conf.exists('hash-policy'):
- bond['hash_policy'] = conf.return_value('hash-policy')
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- bond['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # Enable private VLAN proxy ARP on this interface
- if conf.exists('ip proxy-arp-pvlan'):
- bond['ip_proxy_arp_pvlan'] = 1
-
- # Bonding mode
- if conf.exists('mode'):
- act_mode = conf.return_value('mode')
- eff_mode = conf.return_effective_value('mode')
- if not (act_mode == eff_mode):
- bond['shutdown_required'] = True
-
- bond['mode'] = get_bond_mode(act_mode)
-
- # determine bond member interfaces (currently configured)
- bond['member'] = conf.return_values('member interface')
-
- # We can not call conf.return_effective_values() as it would not work
- # on reboots. Reboots/First boot will return that running config and
- # saved config is the same, thus on a reboot the bond members will
- # not be added all (https://phabricator.vyos.net/T2030)
- live_members = BondIf(bond['intf']).get_slaves()
- if not (bond['member'] == live_members):
- bond['shutdown_required'] = True
-
- # Primary device interface
- if conf.exists('primary'):
- bond['primary'] = conf.return_value('primary')
-
- add_to_dict(conf, disabled, bond, 'vif', 'vif')
- add_to_dict(conf, disabled, bond, 'vif-s', 'vif_s')
+ raise ConfigError(f'invalid bond mode "{mode}"')
+
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'bonding']
+ bond = get_interface_dict(conf, base)
+
+ # To make our own life easier transfor the list of member interfaces
+ # into a dictionary - we will use this to add additional information
+ # later on for wach member
+ if 'member' in bond and 'interface' in bond['member']:
+ # first convert it to a list if only one member is given
+ if isinstance(bond['member']['interface'], str):
+ bond['member']['interface'] = [bond['member']['interface']]
+
+ tmp={}
+ for interface in bond['member']['interface']:
+ tmp.update({interface: {}})
+
+ bond['member']['interface'] = tmp
+
+ if 'mode' in bond:
+ bond['mode'] = get_bond_mode(bond['mode'])
+
+ tmp = leaf_node_changed(conf, ['mode'])
+ if tmp:
+ bond.update({'shutdown_required': ''})
+
+ # determine which members have been removed
+ tmp = leaf_node_changed(conf, ['member', 'interface'])
+ if tmp:
+ bond.update({'shutdown_required': ''})
+ if 'member' in bond:
+ bond['member'].update({'interface_remove': tmp })
+ else:
+ bond.update({'member': {'interface_remove': tmp }})
+
+ if 'member' in bond and 'interface' in bond['member']:
+ for interface, interface_config in bond['member']['interface'].items():
+ # Check if we are a member of another bond device
+ tmp = is_member(conf, interface, 'bridge')
+ if tmp:
+ interface_config.update({'is_bridge_member' : tmp})
+
+ # Check if we are a member of a bond device
+ tmp = is_member(conf, interface, 'bonding')
+ if tmp and tmp != bond['ifname']:
+ interface_config.update({'is_bond_member' : tmp})
+
+ # bond members must not have an assigned address
+ tmp = has_address_configured(conf, interface)
+ if tmp:
+ interface_config.update({'has_address' : ''})
return bond
def verify(bond):
- if bond['deleted']:
- if bond['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{bond["intf"]}" as it is a '
- f'member of bridge "{bond["is_bridge_member"]}"!'))
-
+ if 'deleted' in bond:
+ verify_bridge_delete(bond)
return None
- if len(bond['arp_mon_tgt']) > 16:
- raise ConfigError('The maximum number of arp-monitor targets is 16')
+ if 'arp_monitor' in bond:
+ if 'target' in bond['arp_monitor'] and len(int(bond['arp_monitor']['target'])) > 16:
+ raise ConfigError('The maximum number of arp-monitor targets is 16')
+
+ if 'interval' in bond['arp_monitor'] and len(int(bond['arp_monitor']['interval'])) > 0:
+ if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']:
+ raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \
+ 'transmit-load-balance or adaptive-load-balance')
- if bond['primary']:
+ if 'primary' in bond:
if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']:
- raise ConfigError((
- 'Mode dependency failed, primary not supported in mode '
- f'"{bond["mode"]}"!'))
-
- if ( bond['is_bridge_member']
- and ( bond['address']
- or bond['ipv6_eui64_prefix']
- or bond['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{bond["intf"]}" '
- f'as it is a member of bridge "{bond["is_bridge_member"]}"!'))
-
- if bond['vrf']:
- if bond['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{bond["vrf"]}" does not exist')
-
- if bond['is_bridge_member']:
- raise ConfigError((
- f'Interface "{bond["intf"]}" cannot be member of VRF '
- f'"{bond["vrf"]}" and bridge {bond["is_bridge_member"]} '
- f'at the same time!'))
+ raise ConfigError('Option primary - mode dependency failed, not'
+ 'supported in mode {mode}!'.format(**bond))
+
+ verify_address(bond)
+ verify_dhcpv6(bond)
+ verify_vrf(bond)
# use common function to verify VLAN configuration
verify_vlan_config(bond)
- conf = Config()
- for intf in bond['member']:
- # check if member interface is "real"
- if intf not in interfaces():
- raise ConfigError(f'Interface {intf} does not exist!')
-
- # a bonding member interface is only allowed to be assigned to one bond!
- all_bonds = conf.list_nodes('interfaces bonding')
- # We do not need to check our own bond
- all_bonds.remove(bond['intf'])
- for tmp in all_bonds:
- if conf.exists('interfaces bonding {tmp} member interface {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already a member of bond "{tmp}"!'))
-
- # can not add interfaces with an assigned address to a bond
- if has_address_configured(conf, intf):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it has an address assigned!'))
-
- # bond members are not allowed to be bridge members
- tmp = is_member(conf, intf, 'bridge')
- if tmp:
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already a member of bridge "{tmp}"!'))
-
- # bond members are not allowed to be vrrp members
- for tmp in conf.list_nodes('high-availability vrrp group'):
- if conf.exists('high-availability vrrp group {tmp} interface {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already a member of VRRP group "{tmp}"!'))
-
- # bond members are not allowed to be underlaying psuedo-ethernet devices
- for tmp in conf.list_nodes('interfaces pseudo-ethernet'):
- if conf.exists('interfaces pseudo-ethernet {tmp} link {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already the link of pseudo-ethernet "{tmp}"!'))
-
- # bond members are not allowed to be underlaying vxlan devices
- for tmp in conf.list_nodes('interfaces vxlan'):
- if conf.exists('interfaces vxlan {tmp} link {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already the link of VXLAN "{tmp}"!'))
-
- if bond['primary']:
- if bond['primary'] not in bond['member']:
- raise ConfigError(f'Bond "{bond["intf"]}" primary interface must be a member')
+ bond_name = bond['ifname']
+ if 'member' in bond:
+ member = bond.get('member')
+ for interface, interface_config in member.get('interface', {}).items():
+ error_msg = f'Can not add interface "{interface}" to bond "{bond_name}", '
+
+ if interface == 'lo':
+ raise ConfigError('Loopback interface "lo" can not be added to a bond')
+
+ if interface not in interfaces():
+ raise ConfigError(error_msg + 'it does not exist!')
+
+ if 'is_bridge_member' in interface_config:
+ tmp = interface_config['is_bridge_member']
+ raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!')
+
+ if 'is_bond_member' in interface_config:
+ tmp = interface_config['is_bond_member']
+ raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!')
+
+ if 'has_address' in interface_config:
+ raise ConfigError(error_msg + 'it has an address assigned!')
+
+
+ if 'primary' in bond:
+ if bond['primary'] not in bond['member']['interface']:
+ raise ConfigError(f'Primary interface of bond "{bond_name}" must be a member interface')
if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']:
raise ConfigError('primary interface only works for mode active-backup, ' \
'transmit-load-balance or adaptive-load-balance')
- if bond['arp_mon_intvl'] > 0:
- if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']:
- raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \
- 'transmit-load-balance or adaptive-load-balance')
-
return None
def generate(bond):
return None
def apply(bond):
- b = BondIf(bond['intf'])
+ b = BondIf(bond['ifname'])
- if bond['deleted']:
+ if 'deleted' in bond:
# delete interface
b.remove()
else:
- # ARP link monitoring frequency, reset miimon when arp-montior is inactive
- # this is done inside BondIf automatically
- b.set_arp_interval(bond['arp_mon_intvl'])
-
- # ARP monitor targets need to be synchronized between sysfs and CLI.
- # Unfortunately an address can't be send twice to sysfs as this will
- # result in the following exception: OSError: [Errno 22] Invalid argument.
- #
- # We remove ALL adresses prior adding new ones, this will remove addresses
- # added manually by the user too - but as we are limited to 16 adresses
- # from the kernel side this looks valid to me. We won't run into an error
- # when a user added manual adresses which would result in having more
- # then 16 adresses in total.
- arp_tgt_addr = list(map(str, b.get_arp_ip_target().split()))
- for addr in arp_tgt_addr:
- b.set_arp_ip_target('-' + addr)
-
- # Add configured ARP target addresses
- for addr in bond['arp_mon_tgt']:
- b.set_arp_ip_target('+' + addr)
-
- # update interface description used e.g. within SNMP
- b.set_alias(bond['description'])
-
- if bond['dhcp_client_id']:
- b.dhcp.v4.options['client_id'] = bond['dhcp_client_id']
-
- if bond['dhcp_hostname']:
- b.dhcp.v4.options['hostname'] = bond['dhcp_hostname']
-
- if bond['dhcp_vendor_class_id']:
- b.dhcp.v4.options['vendor_class_id'] = bond['dhcp_vendor_class_id']
-
- if bond['dhcpv6_prm_only']:
- b.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if bond['dhcpv6_temporary']:
- b.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if bond['dhcpv6_pd_length']:
- b.dhcp.v6.options['dhcpv6_pd_length'] = bond['dhcpv6_pd_length']
-
- if bond['dhcpv6_pd_interfaces']:
- b.dhcp.v6.options['dhcpv6_pd_interfaces'] = bond['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- b.set_link_detect(bond['disable_link_detect'])
- # Bonding transmit hash policy
- b.set_hash_policy(bond['hash_policy'])
- # configure ARP cache timeout in milliseconds
- b.set_arp_cache_tmo(bond['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- b.set_arp_filter(bond['ip_disable_arp_filter'])
- # configure ARP accept
- b.set_arp_accept(bond['ip_enable_arp_accept'])
- # configure ARP announce
- b.set_arp_announce(bond['ip_enable_arp_announce'])
- # configure ARP ignore
- b.set_arp_ignore(bond['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- b.set_proxy_arp(bond['ip_proxy_arp'])
- # Enable private VLAN proxy ARP on this interface
- b.set_proxy_arp_pvlan(bond['ip_proxy_arp_pvlan'])
- # IPv6 accept RA
- b.set_ipv6_accept_ra(bond['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- b.set_ipv6_autoconf(bond['ipv6_autoconf'])
- # IPv6 forwarding
- b.set_ipv6_forwarding(bond['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- b.set_ipv6_dad_messages(bond['ipv6_dup_addr_detect'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in bond['ipv6_eui64_prefix_remove']:
- b.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address
- if bond['mac']:
- b.set_mac(bond['mac'])
-
- # Add IPv6 EUI-based addresses
- for addr in bond['ipv6_eui64_prefix']:
- b.add_ipv6_eui64_address(addr)
-
- # Maximum Transmission Unit (MTU)
- b.set_mtu(bond['mtu'])
-
- # Primary device interface
- if bond['primary']:
- b.set_primary(bond['primary'])
-
- # Some parameters can not be changed when the bond is up.
- if bond['shutdown_required']:
- # Disable bond prior changing of certain properties
- b.set_admin_state('down')
-
- # The bonding mode can not be changed when there are interfaces enslaved
- # to this bond, thus we will free all interfaces from the bond first!
- for intf in b.get_slaves():
- b.del_port(intf)
-
- # Bonding policy/mode
- b.set_mode(bond['mode'])
-
- # Add (enslave) interfaces to bond
- for intf in bond['member']:
- # if we've come here we already verified the interface doesn't
- # have addresses configured so just flush any remaining ones
- cmd(f'ip addr flush dev "{intf}"')
- b.add_port(intf)
-
- # As the bond interface is always disabled first when changing
- # parameters we will only re-enable the interface if it is not
- # administratively disabled
- if not bond['disable']:
- b.set_admin_state('up')
- else:
- b.set_admin_state('down')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in bond['address_remove']:
- b.del_addr(addr)
- for addr in bond['address']:
- b.add_addr(addr)
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not bond['is_bridge_member']:
- b.set_vrf(bond['vrf'])
-
- # re-add ourselves to any bridge we might have fallen out of
- if bond['is_bridge_member']:
- b.add_to_bridge(bond['is_bridge_member'])
-
- # apply all vlans to interface
- apply_all_vlans(b, bond)
+ b.update(bond)
return None
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py
index 1e4fa5816..47c8c05f9 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces-bridge.py
@@ -16,251 +16,105 @@
import os
-from copy import deepcopy
from sys import exit
from netifaces import interfaces
-from vyos.ifconfig import BridgeIf, Section
-from vyos.ifconfig.stp import STP
-from vyos.configdict import list_diff, interface_default_data
-from vyos.validate import is_member, has_address_configured
from vyos.config import Config
-from vyos.util import cmd, get_bridge_member_config
+from vyos.configdict import get_interface_dict
+from vyos.configdict import node_changed
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_vrf
+from vyos.ifconfig import BridgeIf
+from vyos.validate import is_member, has_address_configured
+from vyos.xml import defaults
+
+from vyos.util import cmd
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'aging': 300,
- 'arp_cache_tmo': 30,
- 'deleted': False,
- 'forwarding_delay': 14,
- 'hello_time': 2,
- 'igmp_querier': 0,
- 'intf': '',
- 'max_age': 20,
- 'member': [],
- 'member_remove': [],
- 'priority': 32768,
- 'stp': 0
-}
-
-def get_config():
- bridge = deepcopy(default_config_data)
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- bridge['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # Check if bridge has been removed
- if not conf.exists('interfaces bridge ' + bridge['intf']):
- bridge['deleted'] = True
- return bridge
-
- # set new configuration level
- conf.set_level('interfaces bridge ' + bridge['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- bridge['address'] = conf.return_values('address')
-
- # Determine interface addresses (currently effective) - to determine which
- # address is no longer valid and needs to be removed
- eff_addr = conf.return_effective_values('address')
- bridge['address_remove'] = list_diff(eff_addr, bridge['address'])
-
- # retrieve aging - how long addresses are retained
- if conf.exists('aging'):
- bridge['aging'] = int(conf.return_value('aging'))
-
- # retrieve interface description
- if conf.exists('description'):
- bridge['description'] = conf.return_value('description')
-
- # get DHCP client identifier
- if conf.exists('dhcp-options client-id'):
- bridge['dhcp_client_id'] = conf.return_value('dhcp-options client-id')
-
- # DHCP client host name (overrides the system host name)
- if conf.exists('dhcp-options host-name'):
- bridge['dhcp_hostname'] = conf.return_value('dhcp-options host-name')
-
- # DHCP client vendor identifier
- if conf.exists('dhcp-options vendor-class-id'):
- bridge['dhcp_vendor_class_id'] = conf.return_value('dhcp-options vendor-class-id')
-
- # DHCPv6 only acquire config parameters, no address
- if conf.exists('dhcpv6-options parameters-only'):
- bridge['dhcpv6_prm_only'] = True
-
- # DHCPv6 temporary IPv6 address
- if conf.exists('dhcpv6-options temporary'):
- bridge['dhcpv6_temporary'] = True
-
- # Disable this bridge interface
- if conf.exists('disable'):
- bridge['disable'] = True
-
- # Ignore link state changes
- if conf.exists('disable-link-detect'):
- bridge['disable_link_detect'] = 2
-
- # Forwarding delay
- if conf.exists('forwarding-delay'):
- bridge['forwarding_delay'] = int(conf.return_value('forwarding-delay'))
-
- # Hello packet advertisment interval
- if conf.exists('hello-time'):
- bridge['hello_time'] = int(conf.return_value('hello-time'))
-
- # Enable Internet Group Management Protocol (IGMP) querier
- if conf.exists('igmp querier'):
- bridge['igmp_querier'] = 1
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- bridge['arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # ARP filter configuration
- if conf.exists('ip disable-arp-filter'):
- bridge['ip_disable_arp_filter'] = 0
-
- # ARP enable accept
- if conf.exists('ip enable-arp-accept'):
- bridge['ip_enable_arp_accept'] = 1
-
- # ARP enable announce
- if conf.exists('ip enable-arp-announce'):
- bridge['ip_enable_arp_announce'] = 1
-
- # ARP enable ignore
- if conf.exists('ip enable-arp-ignore'):
- bridge['ip_enable_arp_ignore'] = 1
-
- # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC)
- if conf.exists('ipv6 address autoconf'):
- bridge['ipv6_autoconf'] = 1
-
- # Get prefixes for IPv6 addressing based on MAC address (EUI-64)
- if conf.exists('ipv6 address eui64'):
- bridge['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64')
-
- # Determine currently effective EUI64 addresses - to determine which
- # address is no longer valid and needs to be removed
- eff_addr = conf.return_effective_values('ipv6 address eui64')
- bridge['ipv6_eui64_prefix_remove'] = list_diff(eff_addr, bridge['ipv6_eui64_prefix'])
-
- # Remove the default link-local address if set.
- if conf.exists('ipv6 address no-default-link-local'):
- bridge['ipv6_eui64_prefix_remove'].append('fe80::/64')
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
else:
- # add the link-local by default to make IPv6 work
- bridge['ipv6_eui64_prefix'].append('fe80::/64')
-
- # Disable IPv6 forwarding on this interface
- if conf.exists('ipv6 disable-forwarding'):
- bridge['ipv6_forwarding'] = 0
-
- # IPv6 Duplicate Address Detection (DAD) tries
- if conf.exists('ipv6 dup-addr-detect-transmits'):
- bridge['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits'))
-
- # Media Access Control (MAC) address
- if conf.exists('mac'):
- bridge['mac'] = conf.return_value('mac')
-
- # Find out if MAC has changed - if so, we need to delete all IPv6 EUI64 addresses
- # before re-adding them
- if ( bridge['mac'] and bridge['intf'] in Section.interfaces(section='bridge')
- and bridge['mac'] != BridgeIf(bridge['intf'], create=False).get_mac() ):
- bridge['ipv6_eui64_prefix_remove'] += bridge['ipv6_eui64_prefix']
-
- # to make IPv6 SLAAC and DHCPv6 work with forwarding=1,
- # accept_ra must be 2
- if bridge['ipv6_autoconf'] or 'dhcpv6' in bridge['address']:
- bridge['ipv6_accept_ra'] = 2
-
- # Interval at which neighbor bridges are removed
- if conf.exists('max-age'):
- bridge['max_age'] = int(conf.return_value('max-age'))
-
- # Determine bridge member interface (currently configured)
- for intf in conf.list_nodes('member interface'):
- # defaults are stored in util.py (they can't be here as all interface
- # scripts use the function)
- memberconf = get_bridge_member_config(conf, bridge['intf'], intf)
- if memberconf:
- memberconf['name'] = intf
- bridge['member'].append(memberconf)
-
- # Determine bridge member interface (currently effective) - to determine which
- # interfaces is no longer assigend to the bridge and thus can be removed
- eff_intf = conf.list_effective_nodes('member interface')
- act_intf = conf.list_nodes('member interface')
- bridge['member_remove'] = list_diff(eff_intf, act_intf)
-
- # Priority for this bridge
- if conf.exists('priority'):
- bridge['priority'] = int(conf.return_value('priority'))
-
- # Enable spanning tree protocol
- if conf.exists('stp'):
- bridge['stp'] = 1
-
- # retrieve VRF instance
- if conf.exists('vrf'):
- bridge['vrf'] = conf.return_value('vrf')
+ conf = Config()
+ base = ['interfaces', 'bridge']
+ bridge = get_interface_dict(conf, base)
+
+ # determine which members have been removed
+ tmp = node_changed(conf, ['member', 'interface'])
+ if tmp:
+ if 'member' in bridge:
+ bridge['member'].update({'interface_remove': tmp })
+ else:
+ bridge.update({'member': {'interface_remove': tmp }})
+
+ if 'member' in bridge and 'interface' in bridge['member']:
+ # XXX TT2665 we need a copy of the dict keys for iteration, else we will get:
+ # RuntimeError: dictionary changed size during iteration
+ for interface in list(bridge['member']['interface']):
+ for key in ['cost', 'priority']:
+ if interface == key:
+ del bridge['member']['interface'][key]
+ continue
+
+ # the default dictionary is not properly paged into the dict (see T2665)
+ # thus we will ammend it ourself
+ default_member_values = defaults(base + ['member', 'interface'])
+ for interface, interface_config in bridge['member']['interface'].items():
+ interface_config.update(default_member_values)
+
+ # Check if we are a member of another bridge device
+ tmp = is_member(conf, interface, 'bridge')
+ if tmp and tmp != bridge['ifname']:
+ interface_config.update({'is_bridge_member' : tmp})
+
+ # Check if we are a member of a bond device
+ tmp = is_member(conf, interface, 'bonding')
+ if tmp:
+ interface_config.update({'is_bond_member' : tmp})
+
+ # Bridge members must not have an assigned address
+ tmp = has_address_configured(conf, interface)
+ if tmp:
+ interface_config.update({'has_address' : ''})
return bridge
def verify(bridge):
- if bridge['dhcpv6_prm_only'] and bridge['dhcpv6_temporary']:
- raise ConfigError('DHCPv6 temporary and parameters-only options are mutually exclusive!')
+ if 'deleted' in bridge:
+ return None
- vrf_name = bridge['vrf']
- if vrf_name and vrf_name not in interfaces():
- raise ConfigError(f'VRF "{vrf_name}" does not exist')
+ verify_dhcpv6(bridge)
+ verify_vrf(bridge)
- conf = Config()
- for intf in bridge['member']:
- # the interface must exist prior adding it to a bridge
- if intf['name'] not in interfaces():
- raise ConfigError((
- f'Cannot add nonexistent interface "{intf["name"]}" '
- f'to bridge "{bridge["intf"]}"'))
+ if 'member' in bridge:
+ member = bridge.get('member')
+ bridge_name = bridge['ifname']
+ for interface, interface_config in member.get('interface', {}).items():
+ error_msg = f'Can not add interface "{interface}" to bridge "{bridge_name}", '
- if intf['name'] == 'lo':
- raise ConfigError('Loopback interface "lo" can not be added to a bridge')
+ if interface == 'lo':
+ raise ConfigError('Loopback interface "lo" can not be added to a bridge')
- # bridge members aren't allowed to be members of another bridge
- for br in conf.list_nodes('interfaces bridge'):
- # it makes no sense to verify ourself in this case
- if br == bridge['intf']:
- continue
+ if interface not in interfaces():
+ raise ConfigError(error_msg + 'it does not exist!')
- tmp = conf.list_nodes(f'interfaces bridge {br} member interface')
- if intf['name'] in tmp:
- raise ConfigError((
- f'Cannot add interface "{intf["name"]}" to bridge '
- f'"{bridge["intf"]}", it is already a member of bridge "{br}"!'))
+ if 'is_bridge_member' in interface_config:
+ tmp = interface_config['is_bridge_member']
+ raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!')
- # bridge members are not allowed to be bond members
- tmp = is_member(conf, intf['name'], 'bonding')
- if tmp:
- raise ConfigError((
- f'Cannot add interface "{intf["name"]}" to bridge '
- f'"{bridge["intf"]}", it is already a member of bond "{tmp}"!'))
+ if 'is_bond_member' in interface_config:
+ tmp = interface_config['is_bond_member']
+ raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!')
- # bridge members must not have an assigned address
- if has_address_configured(conf, intf['name']):
- raise ConfigError((
- f'Cannot add interface "{intf["name"]}" to bridge '
- f'"{bridge["intf"]}", it has an address assigned!'))
+ if 'has_address' in interface_config:
+ raise ConfigError(error_msg + 'it has an address assigned!')
return None
@@ -268,120 +122,12 @@ def generate(bridge):
return None
def apply(bridge):
- br = BridgeIf(bridge['intf'])
-
- if bridge['deleted']:
+ br = BridgeIf(bridge['ifname'])
+ if 'deleted' in bridge:
# delete interface
br.remove()
else:
- # enable interface
- br.set_admin_state('up')
- # set ageing time
- br.set_ageing_time(bridge['aging'])
- # set bridge forward delay
- br.set_forward_delay(bridge['forwarding_delay'])
- # set hello time
- br.set_hello_time(bridge['hello_time'])
- # configure ARP filter configuration
- br.set_arp_filter(bridge['ip_disable_arp_filter'])
- # configure ARP accept
- br.set_arp_accept(bridge['ip_enable_arp_accept'])
- # configure ARP announce
- br.set_arp_announce(bridge['ip_enable_arp_announce'])
- # configure ARP ignore
- br.set_arp_ignore(bridge['ip_enable_arp_ignore'])
- # IPv6 accept RA
- br.set_ipv6_accept_ra(bridge['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- br.set_ipv6_autoconf(bridge['ipv6_autoconf'])
- # IPv6 forwarding
- br.set_ipv6_forwarding(bridge['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- br.set_ipv6_dad_messages(bridge['ipv6_dup_addr_detect'])
- # set max message age
- br.set_max_age(bridge['max_age'])
- # set bridge priority
- br.set_priority(bridge['priority'])
- # turn stp on/off
- br.set_stp(bridge['stp'])
- # enable or disable IGMP querier
- br.set_multicast_querier(bridge['igmp_querier'])
- # update interface description used e.g. within SNMP
- br.set_alias(bridge['description'])
-
- if bridge['dhcp_client_id']:
- br.dhcp.v4.options['client_id'] = bridge['dhcp_client_id']
-
- if bridge['dhcp_hostname']:
- br.dhcp.v4.options['hostname'] = bridge['dhcp_hostname']
-
- if bridge['dhcp_vendor_class_id']:
- br.dhcp.v4.options['vendor_class_id'] = bridge['dhcp_vendor_class_id']
-
- if bridge['dhcpv6_prm_only']:
- br.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if bridge['dhcpv6_temporary']:
- br.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if bridge['dhcpv6_pd_length']:
- br.dhcp.v6.options['dhcpv6_pd_length'] = br['dhcpv6_pd_length']
-
- if bridge['dhcpv6_pd_interfaces']:
- br.dhcp.v6.options['dhcpv6_pd_interfaces'] = br['dhcpv6_pd_interfaces']
-
- # assign/remove VRF
- br.set_vrf(bridge['vrf'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- # (adding members to a fresh bridge changes its MAC too)
- for addr in bridge['ipv6_eui64_prefix_remove']:
- br.del_ipv6_eui64_address(addr)
-
- # remove interface from bridge
- for intf in bridge['member_remove']:
- br.del_port(intf)
-
- # add interfaces to bridge
- for member in bridge['member']:
- # if we've come here we already verified the interface doesn't
- # have addresses configured so just flush any remaining ones
- cmd(f'ip addr flush dev "{member["name"]}"')
- br.add_port(member['name'])
-
- # Change interface MAC address
- if bridge['mac']:
- br.set_mac(bridge['mac'])
-
- # Add IPv6 EUI-based addresses (must be done after adding the
- # 1st bridge member or setting its MAC)
- for addr in bridge['ipv6_eui64_prefix']:
- br.add_ipv6_eui64_address(addr)
-
- # up/down interface
- if bridge['disable']:
- br.set_admin_state('down')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in bridge['address_remove']:
- br.del_addr(addr)
- for addr in bridge['address']:
- br.add_addr(addr)
-
- STPBridgeIf = STP.enable(BridgeIf)
- # configure additional bridge member options
- for member in bridge['member']:
- i = STPBridgeIf(member['name'])
- # configure ARP cache timeout
- i.set_arp_cache_tmo(member['arp_cache_tmo'])
- # ignore link state changes
- i.set_link_detect(member['disable_link_detect'])
- # set bridge port path cost
- i.set_path_cost(member['cost'])
- # set bridge port path priority
- i.set_path_priority(member['priority'])
+ br.update(bridge)
return None
diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py
index 2d62420a6..44fc9cb9e 100755
--- a/src/conf_mode/interfaces-dummy.py
+++ b/src/conf_mode/interfaces-dummy.py
@@ -19,41 +19,26 @@ import os
from sys import exit
from vyos.config import Config
+from vyos.configdict import get_interface_dict
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.ifconfig import DummyIf
-from vyos.validate import is_member
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = ['interfaces', 'dummy', ifname]
-
- dummy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if dummy == {}:
- dummy.update({'deleted' : ''})
-
- # store interface instance name in dictionary
- dummy.update({'ifname': ifname})
-
- # check if we are a member of any bridge
- bridge = is_member(conf, ifname, 'bridge')
- if bridge:
- tmp = {'is_bridge_member' : bridge}
- dummy.update(tmp)
-
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'dummy']
+ dummy = get_interface_dict(conf, base)
return dummy
def verify(dummy):
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 8b895c4d2..a8df64cce 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -17,295 +17,68 @@
import os
from sys import exit
-from copy import deepcopy
-from netifaces import interfaces
-from vyos.ifconfig import EthernetIf
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
-from vyos.validate import is_member
from vyos.config import Config
+from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_interface_exists
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_address
+from vyos.configverify import verify_vrf
+from vyos.configverify import verify_vlan_config
+from vyos.ifconfig import EthernetIf
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'deleted': False,
- 'duplex': 'auto',
- 'flow_control': 'on',
- 'hw_id': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp_pvlan': 0,
- 'is_bond_member': False,
- 'intf': '',
- 'offload_gro': 'off',
- 'offload_gso': 'off',
- 'offload_sg': 'off',
- 'offload_tso': 'off',
- 'offload_ufo': 'off',
- 'speed': 'auto',
- 'vif_s': {},
- 'vif_s_remove': [],
- 'vif': {},
- 'vif_remove': [],
- 'vrf': ''
-}
-
-
-def get_config():
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- conf = Config()
-
- # check if ethernet interface has been removed
- cfg_base = ['interfaces', 'ethernet', ifname]
- if not conf.exists(cfg_base):
- eth = deepcopy(default_config_data)
- eth['intf'] = ifname
- eth['deleted'] = True
- # we can not bail out early as ethernet interface can not be removed
- # Kernel will complain with: RTNETLINK answers: Operation not supported.
- # Thus we need to remove individual settings
- return eth
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- eth, disabled = intf_to_dict(conf, default_config_data)
-
- # disable ethernet flow control (pause frames)
- if conf.exists('disable-flow-control'):
- eth['flow_control'] = 'off'
-
- # retrieve real hardware address
- if conf.exists('hw-id'):
- eth['hw_id'] = conf.return_value('hw-id')
-
- # interface duplex
- if conf.exists('duplex'):
- eth['duplex'] = conf.return_value('duplex')
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- eth['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # Enable private VLAN proxy ARP on this interface
- if conf.exists('ip proxy-arp-pvlan'):
- eth['ip_proxy_arp_pvlan'] = 1
-
- # check if we are a member of any bond
- eth['is_bond_member'] = is_member(conf, eth['intf'], 'bonding')
-
- # GRO (generic receive offload)
- if conf.exists('offload-options generic-receive'):
- eth['offload_gro'] = conf.return_value('offload-options generic-receive')
-
- # GSO (generic segmentation offload)
- if conf.exists('offload-options generic-segmentation'):
- eth['offload_gso'] = conf.return_value('offload-options generic-segmentation')
-
- # scatter-gather option
- if conf.exists('offload-options scatter-gather'):
- eth['offload_sg'] = conf.return_value('offload-options scatter-gather')
-
- # TSO (TCP segmentation offloading)
- if conf.exists('offload-options tcp-segmentation'):
- eth['offload_tso'] = conf.return_value('offload-options tcp-segmentation')
-
- # UDP fragmentation offloading
- if conf.exists('offload-options udp-fragmentation'):
- eth['offload_ufo'] = conf.return_value('offload-options udp-fragmentation')
-
- # interface speed
- if conf.exists('speed'):
- eth['speed'] = conf.return_value('speed')
-
- # remove default IPv6 link-local address if member of a bond
- if eth['is_bond_member'] and 'fe80::/64' in eth['ipv6_eui64_prefix']:
- eth['ipv6_eui64_prefix'].remove('fe80::/64')
- eth['ipv6_eui64_prefix_remove'].append('fe80::/64')
-
- add_to_dict(conf, disabled, eth, 'vif', 'vif')
- add_to_dict(conf, disabled, eth, 'vif-s', 'vif_s')
-
- return eth
-
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'ethernet']
+ ethernet = get_interface_dict(conf, base)
+ return ethernet
-def verify(eth):
- if eth['deleted']:
+def verify(ethernet):
+ if 'deleted' in ethernet:
return None
- if eth['intf'] not in interfaces():
- raise ConfigError(f"Interface ethernet {eth['intf']} does not exist")
+ verify_interface_exists(ethernet)
- if eth['speed'] == 'auto':
- if eth['duplex'] != 'auto':
+ if ethernet.get('speed', None) == 'auto':
+ if ethernet.get('duplex', None) != 'auto':
raise ConfigError('If speed is hardcoded, duplex must be hardcoded, too')
- if eth['duplex'] == 'auto':
- if eth['speed'] != 'auto':
+ if ethernet.get('duplex', None) == 'auto':
+ if ethernet.get('speed', None) != 'auto':
raise ConfigError('If duplex is hardcoded, speed must be hardcoded, too')
- if eth['dhcpv6_prm_only'] and eth['dhcpv6_temporary']:
- raise ConfigError('DHCPv6 temporary and parameters-only options are mutually exclusive!')
-
- memberof = eth['is_bridge_member'] if eth['is_bridge_member'] else eth['is_bond_member']
+ verify_dhcpv6(ethernet)
+ verify_address(ethernet)
+ verify_vrf(ethernet)
- if ( memberof
- and ( eth['address']
- or eth['ipv6_eui64_prefix']
- or eth['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{eth["intf"]}" '
- f'as it is a member of "{memberof}"!'))
-
- if eth['vrf']:
- if eth['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{eth["vrf"]}" does not exist')
-
- if memberof:
- raise ConfigError((
- f'Interface "{eth["intf"]}" cannot be member of VRF "{eth["vrf"]}" '
- f'and "{memberof}" at the same time!'))
-
- if eth['mac'] and eth['is_bond_member']:
- print('WARNING: "mac {0}" command will be ignored because {1} is a part of {2}'\
- .format(eth['mac'], eth['intf'], eth['is_bond_member']))
+ if {'is_bond_member', 'mac'} <= set(ethernet):
+ print(f'WARNING: changing mac address "{mac}" will be ignored as "{ifname}" '
+ f'is a member of bond "{is_bond_member}"'.format(**ethernet))
# use common function to verify VLAN configuration
- verify_vlan_config(eth)
+ verify_vlan_config(ethernet)
return None
-def generate(eth):
+def generate(ethernet):
return None
-def apply(eth):
- e = EthernetIf(eth['intf'])
- if eth['deleted']:
- # apply all vlans to interface (they need removing too)
- apply_all_vlans(e, eth)
-
+def apply(ethernet):
+ e = EthernetIf(ethernet['ifname'])
+ if 'deleted' in ethernet:
# delete interface
e.remove()
else:
- # update interface description used e.g. within SNMP
- e.set_alias(eth['description'])
-
- if eth['dhcp_client_id']:
- e.dhcp.v4.options['client_id'] = eth['dhcp_client_id']
-
- if eth['dhcp_hostname']:
- e.dhcp.v4.options['hostname'] = eth['dhcp_hostname']
-
- if eth['dhcp_vendor_class_id']:
- e.dhcp.v4.options['vendor_class_id'] = eth['dhcp_vendor_class_id']
-
- if eth['dhcpv6_prm_only']:
- e.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if eth['dhcpv6_temporary']:
- e.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if eth['dhcpv6_pd_length']:
- e.dhcp.v6.options['dhcpv6_pd_length'] = eth['dhcpv6_pd_length']
-
- if eth['dhcpv6_pd_interfaces']:
- e.dhcp.v6.options['dhcpv6_pd_interfaces'] = eth['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- e.set_link_detect(eth['disable_link_detect'])
- # disable ethernet flow control (pause frames)
- e.set_flow_control(eth['flow_control'])
- # configure ARP cache timeout in milliseconds
- e.set_arp_cache_tmo(eth['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- e.set_arp_filter(eth['ip_disable_arp_filter'])
- # configure ARP accept
- e.set_arp_accept(eth['ip_enable_arp_accept'])
- # configure ARP announce
- e.set_arp_announce(eth['ip_enable_arp_announce'])
- # configure ARP ignore
- e.set_arp_ignore(eth['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- e.set_proxy_arp(eth['ip_proxy_arp'])
- # Enable private VLAN proxy ARP on this interface
- e.set_proxy_arp_pvlan(eth['ip_proxy_arp_pvlan'])
- # IPv6 accept RA
- e.set_ipv6_accept_ra(eth['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- e.set_ipv6_autoconf(eth['ipv6_autoconf'])
- # IPv6 forwarding
- e.set_ipv6_forwarding(eth['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- e.set_ipv6_dad_messages(eth['ipv6_dup_addr_detect'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in eth['ipv6_eui64_prefix_remove']:
- e.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address - re-set to real hardware address (hw-id)
- # if custom mac is removed. Skip if bond member.
- if not eth['is_bond_member']:
- if eth['mac']:
- e.set_mac(eth['mac'])
- elif eth['hw_id']:
- e.set_mac(eth['hw_id'])
-
- # Add IPv6 EUI-based addresses
- for addr in eth['ipv6_eui64_prefix']:
- e.add_ipv6_eui64_address(addr)
-
- # Maximum Transmission Unit (MTU)
- e.set_mtu(eth['mtu'])
-
- # GRO (generic receive offload)
- e.set_gro(eth['offload_gro'])
-
- # GSO (generic segmentation offload)
- e.set_gso(eth['offload_gso'])
-
- # scatter-gather option
- e.set_sg(eth['offload_sg'])
-
- # TSO (TCP segmentation offloading)
- e.set_tso(eth['offload_tso'])
-
- # UDP fragmentation offloading
- e.set_ufo(eth['offload_ufo'])
-
- # Set physical interface speed and duplex
- e.set_speed_duplex(eth['speed'], eth['duplex'])
-
- # Enable/Disable interface
- if eth['disable']:
- e.set_admin_state('down')
- else:
- e.set_admin_state('up')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in eth['address_remove']:
- e.del_addr(addr)
- for addr in eth['address']:
- e.add_addr(addr)
-
- # assign/remove VRF (ONLY when not a member of a bridge or bond,
- # otherwise 'nomaster' removes it from it)
- if not ( eth['is_bridge_member'] or eth['is_bond_member'] ):
- e.set_vrf(eth['vrf'])
-
- # re-add ourselves to any bridge we might have fallen out of
- if eth['is_bridge_member']:
- e.add_to_bridge(eth['is_bridge_member'])
-
- # apply all vlans to interface
- apply_all_vlans(e, eth)
+ e.update(ethernet)
if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py
index 31f6eb6b5..cc2cf025a 100755
--- a/src/conf_mode/interfaces-geneve.py
+++ b/src/conf_mode/interfaces-geneve.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -21,102 +21,40 @@ from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
+from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
from vyos.ifconfig import GeneveIf
-from vyos.validate import is_member
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-default_config_data = {
- 'address': [],
- 'deleted': False,
- 'description': '',
- 'disable': False,
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp': 0,
- 'is_bridge_member': False,
- 'mtu': 1500,
- 'remote': '',
- 'vni': ''
-}
-
-def get_config():
- geneve = deepcopy(default_config_data)
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- geneve['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member if a bridge
- geneve['is_bridge_member'] = is_member(conf, geneve['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists('interfaces geneve ' + geneve['intf']):
- geneve['deleted'] = True
- return geneve
-
- # set new configuration level
- conf.set_level('interfaces geneve ' + geneve['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- geneve['address'] = conf.return_values('address')
-
- # retrieve interface description
- if conf.exists('description'):
- geneve['description'] = conf.return_value('description')
-
- # Disable this interface
- if conf.exists('disable'):
- geneve['disable'] = True
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- geneve['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # Enable proxy-arp on this interface
- if conf.exists('ip enable-proxy-arp'):
- geneve['ip_proxy_arp'] = 1
-
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- geneve['mtu'] = int(conf.return_value('mtu'))
-
- # Remote address of GENEVE tunnel
- if conf.exists('remote'):
- geneve['remote'] = conf.return_value('remote')
-
- # Virtual Network Identifier
- if conf.exists('vni'):
- geneve['vni'] = conf.return_value('vni')
-
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'geneve']
+ geneve = get_interface_dict(conf, base)
return geneve
-
def verify(geneve):
- if geneve['deleted']:
- if geneve['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{geneve["intf"]}" as it is a '
- f'member of bridge "{geneve["is_bridge_member"]}"!'))
-
+ if 'deleted' in geneve:
+ verify_bridge_delete(geneve)
return None
- if geneve['is_bridge_member'] and geneve['address']:
- raise ConfigError((
- f'Cannot assign address to interface "{geneve["intf"]}" '
- f'as it is a member of bridge "{geneve["is_bridge_member"]}"!'))
+ verify_address(geneve)
- if not geneve['remote']:
- raise ConfigError('GENEVE remote must be configured')
+ if 'remote' not in geneve:
+ raise ConfigError('Remote side must be configured')
- if not geneve['vni']:
- raise ConfigError('GENEVE VNI must be configured')
+ if 'vni' not in geneve:
+ raise ConfigError('VNI must be configured')
return None
@@ -127,13 +65,13 @@ def generate(geneve):
def apply(geneve):
# Check if GENEVE interface already exists
- if geneve['intf'] in interfaces():
- g = GeneveIf(geneve['intf'])
+ if geneve['ifname'] in interfaces():
+ g = GeneveIf(geneve['ifname'])
# GENEVE is super picky and the tunnel always needs to be recreated,
# thus we can simply always delete it first.
g.remove()
- if not geneve['deleted']:
+ if 'deleted' not in geneve:
# GENEVE interface needs to be created on-block
# instead of passing a ton of arguments, I just use a dict
# that is managed by vyos.ifconfig
@@ -144,32 +82,8 @@ def apply(geneve):
conf['remote'] = geneve['remote']
# Finally create the new interface
- g = GeneveIf(geneve['intf'], **conf)
- # update interface description used e.g. by SNMP
- g.set_alias(geneve['description'])
- # Maximum Transfer Unit (MTU)
- g.set_mtu(geneve['mtu'])
-
- # configure ARP cache timeout in milliseconds
- g.set_arp_cache_tmo(geneve['ip_arp_cache_tmo'])
- # Enable proxy-arp on this interface
- g.set_proxy_arp(geneve['ip_proxy_arp'])
-
- # Configure interface address(es) - no need to implicitly delete the
- # old addresses as they have already been removed by deleting the
- # interface above
- for addr in geneve['address']:
- g.add_addr(addr)
-
- # As the GENEVE interface is always disabled first when changing
- # parameters we will only re-enable the interface if it is not
- # administratively disabled
- if not geneve['disable']:
- g.set_admin_state('up')
-
- # re-add ourselves to any bridge we might have fallen out of
- if geneve['is_bridge_member']:
- g.add_to_bridge(geneve['is_bridge_member'])
+ g = GeneveIf(geneve['ifname'], **conf)
+ g.update(geneve)
return None
diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py
index 4ff0bcb57..8250a3df8 100755
--- a/src/conf_mode/interfaces-l2tpv3.py
+++ b/src/conf_mode/interfaces-l2tpv3.py
@@ -21,200 +21,68 @@ from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
-from vyos.ifconfig import L2TPv3If, Interface
+from vyos.configdict import get_interface_dict
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.ifconfig import L2TPv3If
+from vyos.util import check_kmod
+from vyos.validate import is_addr_assigned
from vyos import ConfigError
-from vyos.util import call
-from vyos.validate import is_member, is_addr_assigned
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- 'address': [],
- 'deleted': False,
- 'description': '',
- 'disable': False,
- 'encapsulation': 'udp',
- 'local_address': '',
- 'local_port': 5000,
- 'intf': '',
- 'ipv6_accept_ra': 1,
- 'ipv6_autoconf': 0,
- 'ipv6_eui64_prefix': [],
- 'ipv6_forwarding': 1,
- 'ipv6_dup_addr_detect': 1,
- 'is_bridge_member': False,
- 'mtu': 1488,
- 'peer_session_id': '',
- 'peer_tunnel_id': '',
- 'remote_address': '',
- 'remote_port': 5000,
- 'session_id': '',
- 'tunnel_id': ''
-}
-
-def check_kmod():
- modules = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
-
-def get_config():
- l2tpv3 = deepcopy(default_config_data)
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- l2tpv3['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member of a bridge
- l2tpv3['is_bridge_member'] = is_member(conf, l2tpv3['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists('interfaces l2tpv3 ' + l2tpv3['intf']):
- l2tpv3['deleted'] = True
- interface = l2tpv3['intf']
-
- # to delete the l2tpv3 interface we need the current tunnel_id and session_id
- if conf.exists_effective(f'interfaces l2tpv3 {interface} tunnel-id'):
- l2tpv3['tunnel_id'] = conf.return_effective_value(f'interfaces l2tpv3 {interface} tunnel-id')
-
- if conf.exists_effective(f'interfaces l2tpv3 {interface} session-id'):
- l2tpv3['session_id'] = conf.return_effective_value(f'interfaces l2tpv3 {interface} session-id')
-
- return l2tpv3
-
- # set new configuration level
- conf.set_level('interfaces l2tpv3 ' + l2tpv3['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- l2tpv3['address'] = conf.return_values('address')
-
- # retrieve interface description
- if conf.exists('description'):
- l2tpv3['description'] = conf.return_value('description')
-
- # get tunnel destination port
- if conf.exists('destination-port'):
- l2tpv3['remote_port'] = int(conf.return_value('destination-port'))
-
- # Disable this interface
- if conf.exists('disable'):
- l2tpv3['disable'] = True
-
- # get tunnel encapsulation type
- if conf.exists('encapsulation'):
- l2tpv3['encapsulation'] = conf.return_value('encapsulation')
-
- # get tunnel local ip address
- if conf.exists('local-ip'):
- l2tpv3['local_address'] = conf.return_value('local-ip')
-
- # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC)
- if conf.exists('ipv6 address autoconf'):
- l2tpv3['ipv6_autoconf'] = 1
-
- # Get prefixes for IPv6 addressing based on MAC address (EUI-64)
- if conf.exists('ipv6 address eui64'):
- l2tpv3['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64')
+k_mod = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6']
- # Remove the default link-local address if set.
- if not ( conf.exists('ipv6 address no-default-link-local') or
- l2tpv3['is_bridge_member'] ):
- # add the link-local by default to make IPv6 work
- l2tpv3['ipv6_eui64_prefix'].append('fe80::/64')
- # Disable IPv6 forwarding on this interface
- if conf.exists('ipv6 disable-forwarding'):
- l2tpv3['ipv6_forwarding'] = 0
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'l2tpv3']
+ l2tpv3 = get_interface_dict(conf, base)
- # IPv6 Duplicate Address Detection (DAD) tries
- if conf.exists('ipv6 dup-addr-detect-transmits'):
- l2tpv3['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits'))
+ # L2TPv3 is "special" the default MTU is 1488 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ l2tpv3['mtu'] = '1488'
- # to make IPv6 SLAAC and DHCPv6 work with forwarding=1,
- # accept_ra must be 2
- if l2tpv3['ipv6_autoconf'] or 'dhcpv6' in l2tpv3['address']:
- l2tpv3['ipv6_accept_ra'] = 2
+ # To delete an l2tpv3 interface we need the current tunnel and session-id
+ if 'deleted' in l2tpv3:
+ tmp = leaf_node_changed(conf, ['tunnel-id'])
+ l2tpv3.update({'tunnel_id': tmp})
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- l2tpv3['mtu'] = int(conf.return_value('mtu'))
-
- # Remote session id
- if conf.exists('peer-session-id'):
- l2tpv3['peer_session_id'] = conf.return_value('peer-session-id')
-
- # Remote tunnel id
- if conf.exists('peer-tunnel-id'):
- l2tpv3['peer_tunnel_id'] = conf.return_value('peer-tunnel-id')
-
- # Remote address of L2TPv3 tunnel
- if conf.exists('remote-ip'):
- l2tpv3['remote_address'] = conf.return_value('remote-ip')
-
- # Local session id
- if conf.exists('session-id'):
- l2tpv3['session_id'] = conf.return_value('session-id')
-
- # get local tunnel port
- if conf.exists('source-port'):
- l2tpv3['local_port'] = conf.return_value('source-port')
-
- # get local tunnel id
- if conf.exists('tunnel-id'):
- l2tpv3['tunnel_id'] = conf.return_value('tunnel-id')
+ tmp = leaf_node_changed(conf, ['session-id'])
+ l2tpv3.update({'session_id': tmp})
return l2tpv3
-
def verify(l2tpv3):
- interface = l2tpv3['intf']
-
- if l2tpv3['deleted']:
- if l2tpv3['is_bridge_member']:
- raise ConfigError((
- f'Interface "{l2tpv3["intf"]}" cannot be deleted as it is a '
- f'member of bridge "{l2tpv3["is_bridge_member"]}"!'))
-
+ if 'deleted' in l2tpv3:
+ verify_bridge_delete(l2tpv3)
return None
- if not l2tpv3['local_address']:
- raise ConfigError(f'Must configure the l2tpv3 local-ip for {interface}')
-
- if not is_addr_assigned(l2tpv3['local_address']):
- raise ConfigError(f'Must use a configured IP on l2tpv3 local-ip for {interface}')
+ interface = l2tpv3['ifname']
- if not l2tpv3['remote_address']:
- raise ConfigError(f'Must configure the l2tpv3 remote-ip for {interface}')
+ for key in ['local_ip', 'remote_ip', 'tunnel_id', 'peer_tunnel_id',
+ 'session_id', 'peer_session_id']:
+ if key not in l2tpv3:
+ tmp = key.replace('_', '-')
+ raise ConfigError(f'L2TPv3 {tmp} must be configured!')
- if not l2tpv3['tunnel_id']:
- raise ConfigError(f'Must configure the l2tpv3 tunnel-id for {interface}')
-
- if not l2tpv3['peer_tunnel_id']:
- raise ConfigError(f'Must configure the l2tpv3 peer-tunnel-id for {interface}')
-
- if not l2tpv3['session_id']:
- raise ConfigError(f'Must configure the l2tpv3 session-id for {interface}')
-
- if not l2tpv3['peer_session_id']:
- raise ConfigError(f'Must configure the l2tpv3 peer-session-id for {interface}')
-
- if ( l2tpv3['is_bridge_member']
- and ( l2tpv3['address']
- or l2tpv3['ipv6_eui64_prefix']
- or l2tpv3['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{l2tpv3["intf"]}" '
- f'as it is a member of bridge "{l2tpv3["is_bridge_member"]}"!'))
+ if not is_addr_assigned(l2tpv3['local_ip']):
+ raise ConfigError('L2TPv3 local-ip address '
+ '"{local_ip}" is not configured!'.format(**l2tpv3))
+ verify_address(l2tpv3)
return None
-
def generate(l2tpv3):
return None
@@ -225,65 +93,34 @@ def apply(l2tpv3):
conf = deepcopy(L2TPv3If.get_config())
# Check if L2TPv3 interface already exists
- if l2tpv3['intf'] in interfaces():
+ if l2tpv3['ifname'] in interfaces():
# L2TPv3 is picky when changing tunnels/sessions, thus we can simply
# always delete it first.
conf['session_id'] = l2tpv3['session_id']
conf['tunnel_id'] = l2tpv3['tunnel_id']
- l = L2TPv3If(l2tpv3['intf'], **conf)
+ l = L2TPv3If(l2tpv3['ifname'], **conf)
l.remove()
- if not l2tpv3['deleted']:
+ if 'deleted' not in l2tpv3:
conf['peer_tunnel_id'] = l2tpv3['peer_tunnel_id']
- conf['local_port'] = l2tpv3['local_port']
- conf['remote_port'] = l2tpv3['remote_port']
+ conf['local_port'] = l2tpv3['source_port']
+ conf['remote_port'] = l2tpv3['destination_port']
conf['encapsulation'] = l2tpv3['encapsulation']
- conf['local_address'] = l2tpv3['local_address']
- conf['remote_address'] = l2tpv3['remote_address']
+ conf['local_address'] = l2tpv3['local_ip']
+ conf['remote_address'] = l2tpv3['remote_ip']
conf['session_id'] = l2tpv3['session_id']
conf['tunnel_id'] = l2tpv3['tunnel_id']
conf['peer_session_id'] = l2tpv3['peer_session_id']
# Finally create the new interface
- l = L2TPv3If(l2tpv3['intf'], **conf)
- # update interface description used e.g. by SNMP
- l.set_alias(l2tpv3['description'])
- # Maximum Transfer Unit (MTU)
- l.set_mtu(l2tpv3['mtu'])
- # IPv6 accept RA
- l.set_ipv6_accept_ra(l2tpv3['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- l.set_ipv6_autoconf(l2tpv3['ipv6_autoconf'])
- # IPv6 forwarding
- l.set_ipv6_forwarding(l2tpv3['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- l.set_ipv6_dad_messages(l2tpv3['ipv6_dup_addr_detect'])
-
- # Configure interface address(es) - no need to implicitly delete the
- # old addresses as they have already been removed by deleting the
- # interface above
- for addr in l2tpv3['address']:
- l.add_addr(addr)
-
- # IPv6 EUI-based addresses
- for addr in l2tpv3['ipv6_eui64_prefix']:
- l.add_ipv6_eui64_address(addr)
-
- # As the interface is always disabled first when changing parameters
- # we will only re-enable the interface if it is not administratively
- # disabled
- if not l2tpv3['disable']:
- l.set_admin_state('up')
-
- # re-add ourselves to any bridge we might have fallen out of
- if l2tpv3['is_bridge_member']:
- l.add_to_bridge(l2tpv3['is_bridge_member'])
+ l = L2TPv3If(l2tpv3['ifname'], **conf)
+ l.update(l2tpv3)
return None
if __name__ == '__main__':
try:
- check_kmod()
+ check_kmod(k_mod)
c = get_config()
verify(c)
generate(c)
diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py
index 2368f88a9..30a27abb4 100755
--- a/src/conf_mode/interfaces-loopback.py
+++ b/src/conf_mode/interfaces-loopback.py
@@ -18,31 +18,24 @@ import os
from sys import exit
-from vyos.ifconfig import LoopbackIf
from vyos.config import Config
-from vyos import ConfigError, airbag
+from vyos.configdict import get_interface_dict
+from vyos.ifconfig import LoopbackIf
+from vyos import ConfigError
+from vyos import airbag
airbag.enable()
-def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = ['interfaces', 'loopback', ifname]
-
- loopback = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if loopback == {}:
- loopback.update({'deleted' : ''})
-
- # store interface instance name in dictionary
- loopback.update({'ifname': ifname})
-
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'loopback']
+ loopback = get_interface_dict(conf, base)
return loopback
def verify(loopback):
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 56273f71a..2866ccc0a 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -20,16 +20,14 @@ from copy import deepcopy
from sys import exit
from vyos.config import Config
-from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
from vyos.ifconfig import MACsecIf
from vyos.template import render
from vyos.util import call
-from vyos.validate import is_member
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_source_interface
-from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -37,51 +35,29 @@ airbag.enable()
# XXX: wpa_supplicant works on the source interface
wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf'
-def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- # retrieve interface default values
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['interfaces', 'macsec']
- default_values = defaults(base)
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = base + [ifname]
+ macsec = get_interface_dict(conf, base)
- macsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
# Check if interface has been removed
- if macsec == {}:
- tmp = {
- 'deleted' : '',
- 'source_interface' : conf.return_effective_value(
+ if 'deleted' in macsec:
+ source_interface = conf.return_effective_value(
base + ['source-interface'])
- }
- macsec.update(tmp)
-
- # We have gathered the dict representation of the CLI, but there are
- # default options which we need to update into the dictionary
- # retrived.
- macsec = dict_merge(default_values, macsec)
-
- # Add interface instance name into dictionary
- macsec.update({'ifname': ifname})
-
- # Check if we are a member of any bridge
- bridge = is_member(conf, ifname, 'bridge')
- if bridge:
- tmp = {'is_bridge_member' : bridge}
- macsec.update(tmp)
+ macsec.update({'source_interface': source_interface})
return macsec
def verify(macsec):
- if 'deleted' in macsec.keys():
+ if 'deleted' in macsec:
verify_bridge_delete(macsec)
return None
@@ -89,18 +65,18 @@ def verify(macsec):
verify_vrf(macsec)
verify_address(macsec)
- if not (('security' in macsec.keys()) and
- ('cipher' in macsec['security'].keys())):
+ if not (('security' in macsec) and
+ ('cipher' in macsec['security'])):
raise ConfigError(
'Cipher suite must be set for MACsec "{ifname}"'.format(**macsec))
- if (('security' in macsec.keys()) and
- ('encrypt' in macsec['security'].keys())):
+ if (('security' in macsec) and
+ ('encrypt' in macsec['security'])):
tmp = macsec.get('security')
- if not (('mka' in tmp.keys()) and
- ('cak' in tmp['mka'].keys()) and
- ('ckn' in tmp['mka'].keys())):
+ if not (('mka' in tmp) and
+ ('cak' in tmp['mka']) and
+ ('ckn' in tmp['mka'])):
raise ConfigError('Missing mandatory MACsec security '
'keys as encryption is enabled!')
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 1420b4116..958b305dd 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -192,9 +192,12 @@ def getDefaultServer(network, topology, devtype):
return server
-def get_config():
+def get_config(config=None):
openvpn = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
# determine tagNode instance
if 'VYOS_TAGNODE_VALUE' not in os.environ:
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py
index 3ee57e83c..1b4b9e4ee 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces-pppoe.py
@@ -15,58 +15,43 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-import jmespath
from sys import exit
from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
-from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
from vyos.configverify import verify_source_interface
from vyos.configverify import verify_vrf
from vyos.template import render
from vyos.util import call
-from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- # retrieve interface default values
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['interfaces', 'pppoe']
- default_values = defaults(base)
- # PPPoE is "special" the default MTU is 1492 - update accordingly
- default_values['mtu'] = '1492'
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = base + [ifname]
+ pppoe = get_interface_dict(conf, base)
- pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if pppoe == {}:
- pppoe.update({'deleted' : ''})
-
- # We have gathered the dict representation of the CLI, but there are
- # default options which we need to update into the dictionary
- # retrived.
- pppoe = dict_merge(default_values, pppoe)
-
- # Add interface instance name into dictionary
- pppoe.update({'ifname': ifname})
+ # PPPoE is "special" the default MTU is 1492 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ pppoe['mtu'] = '1492'
return pppoe
def verify(pppoe):
- if 'deleted' in pppoe.keys():
+ if 'deleted' in pppoe:
# bail out early
return None
@@ -92,7 +77,7 @@ def generate(pppoe):
config_files = [config_pppoe, script_pppoe_pre_up, script_pppoe_ip_up,
script_pppoe_ip_down, script_pppoe_ipv6_up, config_wide_dhcp6c]
- if 'deleted' in pppoe.keys():
+ if 'deleted' in pppoe:
# stop DHCPv6-PD client
call(f'systemctl stop dhcp6c@{ifname}.service')
# Hang-up PPPoE connection
@@ -121,20 +106,19 @@ def generate(pppoe):
render(script_pppoe_ipv6_up, 'pppoe/ipv6-up.script.tmpl',
pppoe, trim_blocks=True, permission=0o755)
- tmp = jmespath.search('dhcpv6_options.prefix_delegation.interface', pppoe)
- if tmp and len(tmp) > 0:
+ if 'dhcpv6_options' in pppoe and 'pd' in pppoe['dhcpv6_options']:
# ipv6.tmpl relies on ifname - this should be made consitent in the
# future better then double key-ing the same value
- render(config_wide_dhcp6c, 'dhcp-client/ipv6_new.tmpl', pppoe, trim_blocks=True)
+ render(config_wide_dhcp6c, 'dhcp-client/ipv6.tmpl', pppoe, trim_blocks=True)
return None
def apply(pppoe):
- if 'deleted' in pppoe.keys():
+ if 'deleted' in pppoe:
# bail out early
return None
- if 'disable' not in pppoe.keys():
+ if 'disable' not in pppoe:
# Dial PPPoE connection
call('systemctl restart ppp@{ifname}.service'.format(**pppoe))
diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py
index fb8237bee..59edca1cc 100755
--- a/src/conf_mode/interfaces-pseudo-ethernet.py
+++ b/src/conf_mode/interfaces-pseudo-ethernet.py
@@ -18,115 +18,69 @@ import os
from copy import deepcopy
from sys import exit
-from netifaces import interfaces
from vyos.config import Config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
-from vyos.ifconfig import MACVLANIf, Section
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
+from vyos.configdict import get_interface_dict
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_vrf
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_vlan_config
+from vyos.ifconfig import MACVLANIf
+from vyos.validate import is_member
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'deleted': False,
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp_pvlan': 0,
- 'source_interface': '',
- 'recreating_required': False,
- 'mode': 'private',
- 'vif_s': {},
- 'vif_s_remove': [],
- 'vif': {},
- 'vif_remove': [],
- 'vrf': ''
-}
-
-def get_config():
- peth = deepcopy(default_config_data)
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- peth['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # Check if interface has been removed
- cfg_base = ['interfaces', 'pseudo-ethernet', peth['intf']]
- if not conf.exists(cfg_base):
- peth['deleted'] = True
- return peth
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- peth, disabled = intf_to_dict(conf, default_config_data)
-
- # ARP cache entry timeout in seconds
- if conf.exists(['ip', 'arp-cache-timeout']):
- peth['ip_arp_cache_tmo'] = int(conf.return_value(['ip', 'arp-cache-timeout']))
-
- # Enable private VLAN proxy ARP on this interface
- if conf.exists(['ip', 'proxy-arp-pvlan']):
- peth['ip_proxy_arp_pvlan'] = 1
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at
+ least the interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'pseudo-ethernet']
+ peth = get_interface_dict(conf, base)
- # Physical interface
- if conf.exists(['source-interface']):
- peth['source_interface'] = conf.return_value(['source-interface'])
- tmp = conf.return_effective_value(['source-interface'])
- if tmp != peth['source_interface']:
- peth['recreating_required'] = True
+ mode = leaf_node_changed(conf, ['mode'])
+ if mode:
+ peth.update({'mode_old' : mode})
- # MACvlan mode
- if conf.exists(['mode']):
- peth['mode'] = conf.return_value(['mode'])
- tmp = conf.return_effective_value(['mode'])
- if tmp != peth['mode']:
- peth['recreating_required'] = True
+ # Check if source-interface is member of a bridge device
+ if 'source_interface' in peth:
+ bridge = is_member(conf, peth['source_interface'], 'bridge')
+ if bridge:
+ peth.update({'source_interface_is_bridge_member' : bridge})
- add_to_dict(conf, disabled, peth, 'vif', 'vif')
- add_to_dict(conf, disabled, peth, 'vif-s', 'vif_s')
+ # Check if we are a member of a bond device
+ bond = is_member(conf, peth['source_interface'], 'bonding')
+ if bond:
+ peth.update({'source_interface_is_bond_member' : bond})
return peth
def verify(peth):
- if peth['deleted']:
- if peth['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{peth["intf"]}" as it is a '
- f'member of bridge "{peth["is_bridge_member"]}"!'))
-
+ if 'deleted' in peth:
+ verify_bridge_delete(peth)
return None
- if not peth['source_interface']:
- raise ConfigError((
- f'Link device must be set for pseudo-ethernet "{peth["intf"]}"'))
-
- if not peth['source_interface'] in interfaces():
- raise ConfigError((
- f'Pseudo-ethernet "{peth["intf"]}" link device does not exist'))
-
- if ( peth['is_bridge_member']
- and ( peth['address']
- or peth['ipv6_eui64_prefix']
- or peth['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{peth["intf"]}" '
- f'as it is a member of bridge "{peth["is_bridge_member"]}"!'))
+ verify_source_interface(peth)
+ verify_vrf(peth)
+ verify_address(peth)
- if peth['vrf']:
- if peth['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{peth["vrf"]}" does not exist')
+ if 'source_interface_is_bridge_member' in peth:
+ raise ConfigError(
+ 'Source interface "{source_interface}" can not be used as it is already a '
+ 'member of bridge "{source_interface_is_bridge_member}"!'.format(**peth))
- if peth['is_bridge_member']:
- raise ConfigError((
- f'Interface "{peth["intf"]}" cannot be member of VRF '
- f'"{peth["vrf"]}" and bridge {peth["is_bridge_member"]} '
- f'at the same time!'))
+ if 'source_interface_is_bond_member' in peth:
+ raise ConfigError(
+ 'Source interface "{source_interface}" can not be used as it is already a '
+ 'member of bond "{source_interface_is_bond_member}"!'.format(**peth))
# use common function to verify VLAN configuration
verify_vlan_config(peth)
@@ -136,17 +90,16 @@ def generate(peth):
return None
def apply(peth):
- if peth['deleted']:
+ if 'deleted' in peth:
# delete interface
- MACVLANIf(peth['intf']).remove()
+ MACVLANIf(peth['ifname']).remove()
return None
# Check if MACVLAN interface already exists. Parameters like the underlaying
- # source-interface device or mode can not be changed on the fly and the interface
- # needs to be recreated from the bottom.
- if peth['intf'] in interfaces():
- if peth['recreating_required']:
- MACVLANIf(peth['intf']).remove()
+ # source-interface device or mode can not be changed on the fly and the
+ # interface needs to be recreated from the bottom.
+ if 'mode_old' in peth:
+ MACVLANIf(peth['ifname']).remove()
# MACVLAN interface needs to be created on-block instead of passing a ton
# of arguments, I just use a dict that is managed by vyos.ifconfig
@@ -158,98 +111,8 @@ def apply(peth):
# It is safe to "re-create" the interface always, there is a sanity check
# that the interface will only be create if its non existent
- p = MACVLANIf(peth['intf'], **conf)
-
- # update interface description used e.g. within SNMP
- p.set_alias(peth['description'])
-
- if peth['dhcp_client_id']:
- p.dhcp.v4.options['client_id'] = peth['dhcp_client_id']
-
- if peth['dhcp_hostname']:
- p.dhcp.v4.options['hostname'] = peth['dhcp_hostname']
-
- if peth['dhcp_vendor_class_id']:
- p.dhcp.v4.options['vendor_class_id'] = peth['dhcp_vendor_class_id']
-
- if peth['dhcpv6_prm_only']:
- p.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if peth['dhcpv6_temporary']:
- p.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if peth['dhcpv6_pd_length']:
- p.dhcp.v6.options['dhcpv6_pd_length'] = peth['dhcpv6_pd_length']
-
- if peth['dhcpv6_pd_interfaces']:
- p.dhcp.v6.options['dhcpv6_pd_interfaces'] = peth['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- p.set_link_detect(peth['disable_link_detect'])
- # configure ARP cache timeout in milliseconds
- p.set_arp_cache_tmo(peth['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- p.set_arp_filter(peth['ip_disable_arp_filter'])
- # configure ARP accept
- p.set_arp_accept(peth['ip_enable_arp_accept'])
- # configure ARP announce
- p.set_arp_announce(peth['ip_enable_arp_announce'])
- # configure ARP ignore
- p.set_arp_ignore(peth['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- p.set_proxy_arp(peth['ip_proxy_arp'])
- # Enable private VLAN proxy ARP on this interface
- p.set_proxy_arp_pvlan(peth['ip_proxy_arp_pvlan'])
- # IPv6 accept RA
- p.set_ipv6_accept_ra(peth['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- p.set_ipv6_autoconf(peth['ipv6_autoconf'])
- # IPv6 forwarding
- p.set_ipv6_forwarding(peth['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- p.set_ipv6_dad_messages(peth['ipv6_dup_addr_detect'])
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not peth['is_bridge_member']:
- p.set_vrf(peth['vrf'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in peth['ipv6_eui64_prefix_remove']:
- p.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address
- if peth['mac']:
- p.set_mac(peth['mac'])
-
- # Add IPv6 EUI-based addresses
- for addr in peth['ipv6_eui64_prefix']:
- p.add_ipv6_eui64_address(addr)
-
- # Change interface mode
- p.set_mode(peth['mode'])
-
- # Enable/Disable interface
- if peth['disable']:
- p.set_admin_state('down')
- else:
- p.set_admin_state('up')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in peth['address_remove']:
- p.del_addr(addr)
- for addr in peth['address']:
- p.add_addr(addr)
-
- # re-add ourselves to any bridge we might have fallen out of
- if peth['is_bridge_member']:
- p.add_to_bridge(peth['is_bridge_member'])
-
- # apply all vlans to interface
- apply_all_vlans(p, peth)
-
+ p = MACVLANIf(peth['ifname'], **conf)
+ p.update(peth)
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index ea15a7fb7..11d8d6edc 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -397,12 +397,16 @@ def ip_proto (afi):
return 6 if afi == IP6 else 4
-def get_config():
+def get_config(config=None):
ifname = os.environ.get('VYOS_TAGNODE_VALUE','')
if not ifname:
raise ConfigError('Interface not specified')
- config = Config()
+ if config:
+ config = config
+ else:
+ config = Config()
+
conf = ConfigurationState(config, ['interfaces', 'tunnel ', ifname], default_config_data)
options = conf.options
changes = conf.changes
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py
index 39db814b4..bea3aa25b 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces-vxlan.py
@@ -21,197 +21,64 @@ from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
+from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_source_interface
from vyos.ifconfig import VXLANIf, Interface
-from vyos.validate import is_member
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- 'address': [],
- 'deleted': False,
- 'description': '',
- 'disable': False,
- 'group': '',
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_disable_arp_filter': 1,
- 'ip_enable_arp_accept': 0,
- 'ip_enable_arp_announce': 0,
- 'ip_enable_arp_ignore': 0,
- 'ip_proxy_arp': 0,
- 'ipv6_accept_ra': 1,
- 'ipv6_autoconf': 0,
- 'ipv6_eui64_prefix': [],
- 'ipv6_forwarding': 1,
- 'ipv6_dup_addr_detect': 1,
- 'is_bridge_member': False,
- 'source_address': '',
- 'source_interface': '',
- 'mtu': 1450,
- 'remote': '',
- 'remote_port': 8472, # The Linux implementation of VXLAN pre-dates
- # the IANA's selection of a standard destination port
- 'vni': ''
-}
-
-def get_config():
- vxlan = deepcopy(default_config_data)
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- vxlan['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member if a bridge
- vxlan['is_bridge_member'] = is_member(conf, vxlan['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists('interfaces vxlan ' + vxlan['intf']):
- vxlan['deleted'] = True
- return vxlan
-
- # set new configuration level
- conf.set_level('interfaces vxlan ' + vxlan['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- vxlan['address'] = conf.return_values('address')
-
- # retrieve interface description
- if conf.exists('description'):
- vxlan['description'] = conf.return_value('description')
-
- # Disable this interface
- if conf.exists('disable'):
- vxlan['disable'] = True
-
- # VXLAN multicast grou
- if conf.exists('group'):
- vxlan['group'] = conf.return_value('group')
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- vxlan['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # ARP filter configuration
- if conf.exists('ip disable-arp-filter'):
- vxlan['ip_disable_arp_filter'] = 0
-
- # ARP enable accept
- if conf.exists('ip enable-arp-accept'):
- vxlan['ip_enable_arp_accept'] = 1
-
- # ARP enable announce
- if conf.exists('ip enable-arp-announce'):
- vxlan['ip_enable_arp_announce'] = 1
-
- # ARP enable ignore
- if conf.exists('ip enable-arp-ignore'):
- vxlan['ip_enable_arp_ignore'] = 1
-
- # Enable proxy-arp on this interface
- if conf.exists('ip enable-proxy-arp'):
- vxlan['ip_proxy_arp'] = 1
-
- # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC)
- if conf.exists('ipv6 address autoconf'):
- vxlan['ipv6_autoconf'] = 1
-
- # Get prefixes for IPv6 addressing based on MAC address (EUI-64)
- if conf.exists('ipv6 address eui64'):
- vxlan['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64')
-
- # Remove the default link-local address if set.
- if not ( conf.exists('ipv6 address no-default-link-local')
- or vxlan['is_bridge_member'] ):
- # add the link-local by default to make IPv6 work
- vxlan['ipv6_eui64_prefix'].append('fe80::/64')
-
- # Disable IPv6 forwarding on this interface
- if conf.exists('ipv6 disable-forwarding'):
- vxlan['ipv6_forwarding'] = 0
-
- # IPv6 Duplicate Address Detection (DAD) tries
- if conf.exists('ipv6 dup-addr-detect-transmits'):
- vxlan['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits'))
-
- # to make IPv6 SLAAC and DHCPv6 work with forwarding=1,
- # accept_ra must be 2
- if vxlan['ipv6_autoconf'] or 'dhcpv6' in vxlan['address']:
- vxlan['ipv6_accept_ra'] = 2
-
- # VXLAN source address
- if conf.exists('source-address'):
- vxlan['source_address'] = conf.return_value('source-address')
-
- # VXLAN underlay interface
- if conf.exists('source-interface'):
- vxlan['source_interface'] = conf.return_value('source-interface')
-
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- vxlan['mtu'] = int(conf.return_value('mtu'))
-
- # Remote address of VXLAN tunnel
- if conf.exists('remote'):
- vxlan['remote'] = conf.return_value('remote')
-
- # Remote port of VXLAN tunnel
- if conf.exists('port'):
- vxlan['remote_port'] = int(conf.return_value('port'))
-
- # Virtual Network Identifier
- if conf.exists('vni'):
- vxlan['vni'] = conf.return_value('vni')
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'vxlan']
+ vxlan = get_interface_dict(conf, base)
+
+ # VXLAN is "special" the default MTU is 1492 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ vxlan['mtu'] = '1450'
return vxlan
-
def verify(vxlan):
- if vxlan['deleted']:
- if vxlan['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{vxlan["intf"]}" as it is a '
- f'member of bridge "{vxlan["is_bridge_member"]}"!'))
-
+ if 'deleted' in vxlan:
+ verify_bridge_delete(vxlan)
return None
- if vxlan['mtu'] < 1500:
+ if int(vxlan['mtu']) < 1500:
print('WARNING: RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU')
- if vxlan['group']:
- if not vxlan['source_interface']:
+ if 'group' in vxlan:
+ if 'source_interface' not in vxlan:
raise ConfigError('Multicast VXLAN requires an underlaying interface ')
- if not vxlan['source_interface'] in interfaces():
- raise ConfigError('VXLAN source interface does not exist')
+ verify_source_interface(vxlan)
- if not (vxlan['group'] or vxlan['remote'] or vxlan['source_address']):
+ if not any(tmp in ['group', 'remote', 'source_address'] for tmp in vxlan):
raise ConfigError('Group, remote or source-address must be configured')
- if not vxlan['vni']:
+ if 'vni' not in vxlan:
raise ConfigError('Must configure VNI for VXLAN')
- if vxlan['source_interface']:
+ if 'source_interface' in vxlan:
# VXLAN adds a 50 byte overhead - we need to check the underlaying MTU
# if our configured MTU is at least 50 bytes less
underlay_mtu = int(Interface(vxlan['source_interface']).get_mtu())
- if underlay_mtu < (vxlan['mtu'] + 50):
+ if underlay_mtu < (int(vxlan['mtu']) + 50):
raise ConfigError('VXLAN has a 50 byte overhead, underlaying device ' \
- 'MTU is to small ({})'.format(underlay_mtu))
-
- if ( vxlan['is_bridge_member']
- and ( vxlan['address']
- or vxlan['ipv6_eui64_prefix']
- or vxlan['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{vxlan["intf"]}" '
- f'as it is a member of bridge "{vxlan["is_bridge_member"]}"!'))
+ f'MTU is to small ({underlay_mtu} bytes)')
+ verify_address(vxlan)
return None
@@ -221,73 +88,26 @@ def generate(vxlan):
def apply(vxlan):
# Check if the VXLAN interface already exists
- if vxlan['intf'] in interfaces():
- v = VXLANIf(vxlan['intf'])
+ if vxlan['ifname'] in interfaces():
+ v = VXLANIf(vxlan['ifname'])
# VXLAN is super picky and the tunnel always needs to be recreated,
# thus we can simply always delete it first.
v.remove()
- if not vxlan['deleted']:
+ if 'deleted' not in vxlan:
# VXLAN interface needs to be created on-block
# instead of passing a ton of arguments, I just use a dict
# that is managed by vyos.ifconfig
conf = deepcopy(VXLANIf.get_config())
# Assign VXLAN instance configuration parameters to config dict
- conf['vni'] = vxlan['vni']
- conf['group'] = vxlan['group']
- conf['src_address'] = vxlan['source_address']
- conf['src_interface'] = vxlan['source_interface']
- conf['remote'] = vxlan['remote']
- conf['port'] = vxlan['remote_port']
+ for tmp in ['vni', 'group', 'source_address', 'source_interface', 'remote', 'port']:
+ if tmp in vxlan:
+ conf[tmp] = vxlan[tmp]
# Finally create the new interface
- v = VXLANIf(vxlan['intf'], **conf)
- # update interface description used e.g. by SNMP
- v.set_alias(vxlan['description'])
- # Maximum Transfer Unit (MTU)
- v.set_mtu(vxlan['mtu'])
-
- # configure ARP cache timeout in milliseconds
- v.set_arp_cache_tmo(vxlan['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- v.set_arp_filter(vxlan['ip_disable_arp_filter'])
- # configure ARP accept
- v.set_arp_accept(vxlan['ip_enable_arp_accept'])
- # configure ARP announce
- v.set_arp_announce(vxlan['ip_enable_arp_announce'])
- # configure ARP ignore
- v.set_arp_ignore(vxlan['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- v.set_proxy_arp(vxlan['ip_proxy_arp'])
- # IPv6 accept RA
- v.set_ipv6_accept_ra(vxlan['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- v.set_ipv6_autoconf(vxlan['ipv6_autoconf'])
- # IPv6 forwarding
- v.set_ipv6_forwarding(vxlan['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- v.set_ipv6_dad_messages(vxlan['ipv6_dup_addr_detect'])
-
- # Configure interface address(es) - no need to implicitly delete the
- # old addresses as they have already been removed by deleting the
- # interface above
- for addr in vxlan['address']:
- v.add_addr(addr)
-
- # IPv6 EUI-based addresses
- for addr in vxlan['ipv6_eui64_prefix']:
- v.add_ipv6_eui64_address(addr)
-
- # As the VXLAN interface is always disabled first when changing
- # parameters we will only re-enable the interface if it is not
- # administratively disabled
- if not vxlan['disable']:
- v.set_admin_state('up')
-
- # re-add ourselves to any bridge we might have fallen out of
- if vxlan['is_bridge_member']:
- v.add_to_bridge(vxlan['is_bridge_member'])
+ v = VXLANIf(vxlan['ifname'], **conf)
+ v.update(vxlan)
return None
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index c24c9a7ce..e7c22da1a 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -15,308 +15,101 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-import re
from sys import exit
from copy import deepcopy
-from netifaces import interfaces
from vyos.config import Config
-from vyos.configdict import list_diff
+from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
+from vyos.configdict import node_changed
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_vrf
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
from vyos.ifconfig import WireGuardIf
-from vyos.util import chown, chmod_750, call
-from vyos.validate import is_member, is_ipv6
+from vyos.util import check_kmod
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-kdir = r'/config/auth/wireguard'
-
-default_config_data = {
- 'intfc': '',
- 'address': [],
- 'address_remove': [],
- 'description': '',
- 'listen_port': '',
- 'deleted': False,
- 'disable': False,
- 'fwmark': 0,
- 'is_bridge_member': False,
- 'mtu': 1420,
- 'peer': [],
- 'peer_remove': [], # stores public keys of peers to remove
- 'pk': f'{kdir}/default/private.key',
- 'vrf': ''
-}
-
-def _check_kmod():
- modules = ['wireguard']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
-
-
-def _migrate_default_keys():
- if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'):
- location = f'{kdir}/default'
- if not os.path.exists(location):
- os.makedirs(location)
-
- chown(location, 'root', 'vyattacfg')
- chmod_750(location)
- os.rename(f'{kdir}/private.key', f'{location}/private.key')
- os.rename(f'{kdir}/public.key', f'{location}/public.key')
-
-
-def get_config():
- conf = Config()
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['interfaces', 'wireguard']
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- wg = deepcopy(default_config_data)
- wg['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member if a bridge
- wg['is_bridge_member'] = is_member(conf, wg['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists(base + [wg['intf']]):
- wg['deleted'] = True
- return wg
-
- conf.set_level(base + [wg['intf']])
-
- # retrieve configured interface addresses
- if conf.exists(['address']):
- wg['address'] = conf.return_values(['address'])
-
- # get interface addresses (currently effective) - to determine which
- # address is no longer valid and needs to be removed
- eff_addr = conf.return_effective_values(['address'])
- wg['address_remove'] = list_diff(eff_addr, wg['address'])
-
- # retrieve interface description
- if conf.exists(['description']):
- wg['description'] = conf.return_value(['description'])
-
- # disable interface
- if conf.exists(['disable']):
- wg['disable'] = True
-
- # local port to listen on
- if conf.exists(['port']):
- wg['listen_port'] = conf.return_value(['port'])
-
- # fwmark value
- if conf.exists(['fwmark']):
- wg['fwmark'] = int(conf.return_value(['fwmark']))
-
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- wg['mtu'] = int(conf.return_value(['mtu']))
-
- # retrieve VRF instance
- if conf.exists('vrf'):
- wg['vrf'] = conf.return_value('vrf')
-
- # private key
- if conf.exists(['private-key']):
- wg['pk'] = "{0}/{1}/private.key".format(
- kdir, conf.return_value(['private-key']))
-
- # peer removal, wg identifies peers by its pubkey
- peer_eff = conf.list_effective_nodes(['peer'])
- peer_rem = list_diff(peer_eff, conf.list_nodes(['peer']))
- for peer in peer_rem:
- wg['peer_remove'].append(
- conf.return_effective_value(['peer', peer, 'pubkey']))
-
- # peer settings
- if conf.exists(['peer']):
- for p in conf.list_nodes(['peer']):
- # set new config level for this peer
- conf.set_level(base + [wg['intf'], 'peer', p])
- peer = {
- 'allowed-ips': [],
- 'address': '',
- 'name': p,
- 'persistent_keepalive': '',
- 'port': '',
- 'psk': '',
- 'pubkey': ''
- }
-
- # peer allowed-ips
- if conf.exists(['allowed-ips']):
- peer['allowed-ips'] = conf.return_values(['allowed-ips'])
-
- # peer address
- if conf.exists(['address']):
- peer['address'] = conf.return_value(['address'])
-
- # peer port
- if conf.exists(['port']):
- peer['port'] = conf.return_value(['port'])
-
- # persistent-keepalive
- if conf.exists(['persistent-keepalive']):
- peer['persistent_keepalive'] = conf.return_value(['persistent-keepalive'])
-
- # preshared-key
- if conf.exists(['preshared-key']):
- peer['psk'] = conf.return_value(['preshared-key'])
-
- # peer pubkeys
- if conf.exists(['pubkey']):
- key_eff = conf.return_effective_value(['pubkey'])
- key_cfg = conf.return_value(['pubkey'])
- peer['pubkey'] = key_cfg
-
- # on a pubkey change we need to remove the pubkey first
- # peers are identified by pubkey, so key update means
- # peer removal and re-add
- if key_eff != key_cfg and key_eff != None:
- wg['peer_remove'].append(key_cfg)
-
- # if a peer is disabled, we have to exec a remove for it's pubkey
- if conf.exists(['disable']):
- wg['peer_remove'].append(peer['pubkey'])
- else:
- wg['peer'].append(peer)
-
- return wg
-
-
-def verify(wg):
- if wg['deleted']:
- if wg['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{wg["intf"]}" as it is a member '
- f'of bridge "{wg["is_bridge_member"]}"!'))
-
+ wireguard = get_interface_dict(conf, base)
+
+ # Wireguard is "special" the default MTU is 1420 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ wireguard['mtu'] = '1420'
+
+ # Mangle private key - it has a default so its always valid
+ wireguard['private_key'] = '/config/auth/wireguard/{private_key}/private.key'.format(**wireguard)
+
+ # Determine which Wireguard peer has been removed.
+ # Peers can only be removed with their public key!
+ tmp = node_changed(conf, ['peer'])
+ if tmp:
+ dict = {}
+ for peer in tmp:
+ peer_config = leaf_node_changed(conf, ['peer', peer, 'pubkey'])
+ dict = dict_merge({'peer_remove' : {peer : {'pubkey' : peer_config}}}, dict)
+ wireguard.update(dict)
+
+ return wireguard
+
+def verify(wireguard):
+ if 'deleted' in wireguard:
+ verify_bridge_delete(wireguard)
return None
- if wg['is_bridge_member'] and wg['address']:
- raise ConfigError((
- f'Cannot assign address to interface "{wg["intf"]}" '
- f'as it is a member of bridge "{wg["is_bridge_member"]}"!'))
-
- if wg['vrf']:
- if wg['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{wg["vrf"]}" does not exist')
+ verify_address(wireguard)
+ verify_vrf(wireguard)
- if wg['is_bridge_member']:
- raise ConfigError((
- f'Interface "{wg["intf"]}" cannot be member of VRF '
- f'"{wg["vrf"]}" and bridge {wg["is_bridge_member"]} '
- f'at the same time!'))
+ if not os.path.exists(wireguard['private_key']):
+ raise ConfigError('Wireguard private-key not found! Execute: ' \
+ '"run generate wireguard [default-keypair|named-keypairs]"')
- if not os.path.exists(wg['pk']):
- raise ConfigError('No keys found, generate them by executing:\n' \
- '"run generate wireguard [keypair|named-keypairs]"')
+ if 'address' not in wireguard:
+ raise ConfigError('IP address required!')
- if not wg['address']:
- raise ConfigError(f'IP address required for interface "{wg["intf"]}"!')
-
- if not wg['peer']:
- raise ConfigError(f'Peer required for interface "{wg["intf"]}"!')
+ if 'peer' not in wireguard:
+ raise ConfigError('At least one Wireguard peer is required!')
# run checks on individual configured WireGuard peer
- for peer in wg['peer']:
- if not peer['allowed-ips']:
- raise ConfigError(f'Peer allowed-ips required for peer "{peer["name"]}"!')
-
- if not peer['pubkey']:
- raise ConfigError(f'Peer public-key required for peer "{peer["name"]}"!')
-
- if peer['address'] and not peer['port']:
- raise ConfigError(f'Peer "{peer["name"]}" port must be defined if address is defined!')
+ for tmp in wireguard['peer']:
+ peer = wireguard['peer'][tmp]
- if not peer['address'] and peer['port']:
- raise ConfigError(f'Peer "{peer["name"]}" address must be defined if port is defined!')
+ if 'allowed_ips' not in peer:
+ raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!')
+ if 'pubkey' not in peer:
+ raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!')
-def apply(wg):
- # init wg class
- w = WireGuardIf(wg['intf'])
+ if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer):
+ raise ConfigError('Both Wireguard port and address must be defined '
+ f'for peer "{tmp}" if either one of them is set!')
- # single interface removal
- if wg['deleted']:
- w.remove()
+def apply(wireguard):
+ if 'deleted' in wireguard:
+ WireGuardIf(wireguard['ifname']).remove()
return None
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in wg['address_remove']:
- w.del_addr(addr)
- for addr in wg['address']:
- w.add_addr(addr)
-
- # Maximum Transmission Unit (MTU)
- w.set_mtu(wg['mtu'])
-
- # update interface description used e.g. within SNMP
- w.set_alias(wg['description'])
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not wg['is_bridge_member']:
- w.set_vrf(wg['vrf'])
-
- # remove peers
- for pub_key in wg['peer_remove']:
- w.remove_peer(pub_key)
-
- # peer pubkey
- # setting up the wg interface
- w.config['private_key'] = c['pk']
-
- for peer in wg['peer']:
- # peer pubkey
- w.config['pubkey'] = peer['pubkey']
- # peer allowed-ips
- w.config['allowed-ips'] = peer['allowed-ips']
- # local listen port
- if wg['listen_port']:
- w.config['port'] = wg['listen_port']
- # fwmark
- if c['fwmark']:
- w.config['fwmark'] = wg['fwmark']
-
- # endpoint
- if peer['address'] and peer['port']:
- if is_ipv6(peer['address']):
- w.config['endpoint'] = '[{}]:{}'.format(peer['address'], peer['port'])
- else:
- w.config['endpoint'] = '{}:{}'.format(peer['address'], peer['port'])
-
- # persistent-keepalive
- if peer['persistent_keepalive']:
- w.config['keepalive'] = peer['persistent_keepalive']
-
- if peer['psk']:
- w.config['psk'] = peer['psk']
-
- w.update()
-
- # Enable/Disable interface
- if wg['disable']:
- w.set_admin_state('down')
- else:
- w.set_admin_state('up')
-
+ w = WireGuardIf(wireguard['ifname'])
+ w.update(wireguard)
return None
if __name__ == '__main__':
try:
- _check_kmod()
- _migrate_default_keys()
+ check_kmod('wireguard')
c = get_config()
verify(c)
apply(c)
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index 0162b642c..9861f72db 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -15,497 +15,166 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
+
from sys import exit
from re import findall
-
from copy import deepcopy
-
-from netifaces import interfaces
from netaddr import EUI, mac_unix_expanded
from vyos.config import Config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
-from vyos.ifconfig import WiFiIf, Section
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
+from vyos.configdict import get_interface_dict
+from vyos.configdict import dict_merge
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_vlan_config
+from vyos.configverify import verify_vrf
+from vyos.ifconfig import WiFiIf
from vyos.template import render
-from vyos.util import chown, call
-from vyos.validate import is_member
+from vyos.util import call
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'cap_ht' : False,
- 'cap_ht_40mhz_incapable' : False,
- 'cap_ht_powersave' : False,
- 'cap_ht_chan_set_width' : '',
- 'cap_ht_delayed_block_ack' : False,
- 'cap_ht_dsss_cck_40' : False,
- 'cap_ht_greenfield' : False,
- 'cap_ht_ldpc' : False,
- 'cap_ht_lsig_protection' : False,
- 'cap_ht_max_amsdu' : '',
- 'cap_ht_short_gi' : [],
- 'cap_ht_smps' : '',
- 'cap_ht_stbc_rx' : '',
- 'cap_ht_stbc_tx' : False,
- 'cap_req_ht' : False,
- 'cap_req_vht' : False,
- 'cap_vht' : False,
- 'cap_vht_antenna_cnt' : '',
- 'cap_vht_antenna_fixed' : False,
- 'cap_vht_beamform' : '',
- 'cap_vht_center_freq_1' : '',
- 'cap_vht_center_freq_2' : '',
- 'cap_vht_chan_set_width' : '',
- 'cap_vht_ldpc' : False,
- 'cap_vht_link_adaptation' : '',
- 'cap_vht_max_mpdu_exp' : '',
- 'cap_vht_max_mpdu' : '',
- 'cap_vht_short_gi' : [],
- 'cap_vht_stbc_rx' : '',
- 'cap_vht_stbc_tx' : False,
- 'cap_vht_tx_powersave' : False,
- 'cap_vht_vht_cf' : False,
- 'channel': '',
- 'country_code': '',
- 'deleted': False,
- 'disable_broadcast_ssid' : False,
- 'disable_link_detect' : 1,
- 'expunge_failing_stations' : False,
- 'hw_id' : '',
- 'intf': '',
- 'isolate_stations' : False,
- 'max_stations' : '',
- 'mgmt_frame_protection' : 'disabled',
- 'mode' : 'g',
- 'phy' : '',
- 'reduce_transmit_power' : '',
- 'sec_wep' : False,
- 'sec_wep_key' : [],
- 'sec_wpa' : False,
- 'sec_wpa_cipher' : [],
- 'sec_wpa_mode' : 'both',
- 'sec_wpa_passphrase' : '',
- 'sec_wpa_radius' : [],
- 'ssid' : '',
- 'op_mode' : 'monitor',
- 'vif': {},
- 'vif_remove': [],
- 'vif_s': {},
- 'vif_s_remove': []
-}
-
# XXX: wpa_supplicant works on the source interface
-wpa_suppl_conf = '/run/wpa_supplicant/{intf}.conf'
-hostapd_conf = '/run/hostapd/{intf}.conf'
-
-def get_config():
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- conf = Config()
-
- # check if wireless interface has been removed
- cfg_base = ['interfaces', 'wireless ', ifname]
- if not conf.exists(cfg_base):
- wifi = deepcopy(default_config_data)
- wifi['intf'] = ifname
- wifi['deleted'] = True
- # we need to know if we're a bridge member so we can refuse deletion
- wifi['is_bridge_member'] = is_member(conf, wifi['intf'], 'bridge')
- # we can not bail out early as wireless interface can not be removed
- # Kernel will complain with: RTNETLINK answers: Operation not supported.
- # Thus we need to remove individual settings
- return wifi
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- # get common interface settings
- wifi, disabled = intf_to_dict(conf, default_config_data)
-
- # 40MHz intolerance, use 20MHz only
- if conf.exists('capabilities ht 40mhz-incapable'):
- wifi['cap_ht'] = True
- wifi['cap_ht_40mhz_incapable'] = True
-
- # WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
- if conf.exists('capabilities ht auto-powersave'):
- wifi['cap_ht'] = True
- wifi['cap_ht_powersave'] = True
-
- # Supported channel set width
- if conf.exists('capabilities ht channel-set-width'):
- wifi['cap_ht'] = True
- wifi['cap_ht_chan_set_width'] = conf.return_values('capabilities ht channel-set-width')
-
- # HT-delayed Block Ack
- if conf.exists('capabilities ht delayed-block-ack'):
- wifi['cap_ht'] = True
- wifi['cap_ht_delayed_block_ack'] = True
-
- # DSSS/CCK Mode in 40 MHz
- if conf.exists('capabilities ht dsss-cck-40'):
- wifi['cap_ht'] = True
- wifi['cap_ht_dsss_cck_40'] = True
-
- # HT-greenfield capability
- if conf.exists('capabilities ht greenfield'):
- wifi['cap_ht'] = True
- wifi['cap_ht_greenfield'] = True
-
- # LDPC coding capability
- if conf.exists('capabilities ht ldpc'):
- wifi['cap_ht'] = True
- wifi['cap_ht_ldpc'] = True
-
- # L-SIG TXOP protection capability
- if conf.exists('capabilities ht lsig-protection'):
- wifi['cap_ht'] = True
- wifi['cap_ht_lsig_protection'] = True
-
- # Set Maximum A-MSDU length
- if conf.exists('capabilities ht max-amsdu'):
- wifi['cap_ht'] = True
- wifi['cap_ht_max_amsdu'] = conf.return_value('capabilities ht max-amsdu')
-
- # Short GI capabilities
- if conf.exists('capabilities ht short-gi'):
- wifi['cap_ht'] = True
- wifi['cap_ht_short_gi'] = conf.return_values('capabilities ht short-gi')
-
- # Spatial Multiplexing Power Save (SMPS) settings
- if conf.exists('capabilities ht smps'):
- wifi['cap_ht'] = True
- wifi['cap_ht_smps'] = conf.return_value('capabilities ht smps')
-
- # Support for receiving PPDU using STBC (Space Time Block Coding)
- if conf.exists('capabilities ht stbc rx'):
- wifi['cap_ht'] = True
- wifi['cap_ht_stbc_rx'] = conf.return_value('capabilities ht stbc rx')
-
- # Support for sending PPDU using STBC (Space Time Block Coding)
- if conf.exists('capabilities ht stbc tx'):
- wifi['cap_ht'] = True
- wifi['cap_ht_stbc_tx'] = True
-
- # Require stations to support HT PHY (reject association if they do not)
- if conf.exists('capabilities require-ht'):
- wifi['cap_req_ht'] = True
-
- # Require stations to support VHT PHY (reject association if they do not)
- if conf.exists('capabilities require-vht'):
- wifi['cap_req_vht'] = True
-
- # Number of antennas on this card
- if conf.exists('capabilities vht antenna-count'):
- wifi['cap_vht'] = True
- wifi['cap_vht_antenna_cnt'] = conf.return_value('capabilities vht antenna-count')
-
- # set if antenna pattern does not change during the lifetime of an association
- if conf.exists('capabilities vht antenna-pattern-fixed'):
- wifi['cap_vht'] = True
- wifi['cap_vht_antenna_fixed'] = True
-
- # Beamforming capabilities
- if conf.exists('capabilities vht beamform'):
- wifi['cap_vht'] = True
- wifi['cap_vht_beamform'] = conf.return_values('capabilities vht beamform')
-
- # VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)
- if conf.exists('capabilities vht center-channel-freq freq-1'):
- wifi['cap_vht'] = True
- wifi['cap_vht_center_freq_1'] = conf.return_value('capabilities vht center-channel-freq freq-1')
-
- # VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode)
- if conf.exists('capabilities vht center-channel-freq freq-2'):
- wifi['cap_vht'] = True
- wifi['cap_vht_center_freq_2'] = conf.return_value('capabilities vht center-channel-freq freq-2')
-
- # VHT operating Channel width
- if conf.exists('capabilities vht channel-set-width'):
- wifi['cap_vht'] = True
- wifi['cap_vht_chan_set_width'] = conf.return_value('capabilities vht channel-set-width')
-
- # LDPC coding capability
- if conf.exists('capabilities vht ldpc'):
- wifi['cap_vht'] = True
- wifi['cap_vht_ldpc'] = True
-
- # VHT link adaptation capabilities
- if conf.exists('capabilities vht link-adaptation'):
- wifi['cap_vht'] = True
- wifi['cap_vht_link_adaptation'] = conf.return_value('capabilities vht link-adaptation')
-
- # Set the maximum length of A-MPDU pre-EOF padding that the station can receive
- if conf.exists('capabilities vht max-mpdu-exp'):
- wifi['cap_vht'] = True
- wifi['cap_vht_max_mpdu_exp'] = conf.return_value('capabilities vht max-mpdu-exp')
-
- # Increase Maximum MPDU length
- if conf.exists('capabilities vht max-mpdu'):
- wifi['cap_vht'] = True
- wifi['cap_vht_max_mpdu'] = conf.return_value('capabilities vht max-mpdu')
-
- # Increase Maximum MPDU length
- if conf.exists('capabilities vht short-gi'):
- wifi['cap_vht'] = True
- wifi['cap_vht_short_gi'] = conf.return_values('capabilities vht short-gi')
-
- # Support for receiving PPDU using STBC (Space Time Block Coding)
- if conf.exists('capabilities vht stbc rx'):
- wifi['cap_vht'] = True
- wifi['cap_vht_stbc_rx'] = conf.return_value('capabilities vht stbc rx')
-
- # Support for the transmission of at least 2x1 STBC (Space Time Block Coding)
- if conf.exists('capabilities vht stbc tx'):
- wifi['cap_vht'] = True
- wifi['cap_vht_stbc_tx'] = True
-
- # Support for VHT TXOP Power Save Mode
- if conf.exists('capabilities vht tx-powersave'):
- wifi['cap_vht'] = True
- wifi['cap_vht_tx_powersave'] = True
-
- # STA supports receiving a VHT variant HT Control field
- if conf.exists('capabilities vht vht-cf'):
- wifi['cap_vht'] = True
- wifi['cap_vht_vht_cf'] = True
-
- # Wireless radio channel
- if conf.exists('channel'):
- wifi['channel'] = conf.return_value('channel')
-
- # Disable broadcast of SSID from access-point
- if conf.exists('disable-broadcast-ssid'):
- wifi['disable_broadcast_ssid'] = True
-
- # Disassociate stations based on excessive transmission failures
- if conf.exists('expunge-failing-stations'):
- wifi['expunge_failing_stations'] = True
-
- # retrieve real hardware address
- if conf.exists('hw-id'):
- wifi['hw_id'] = conf.return_value('hw-id')
-
- # Isolate stations on the AP so they cannot see each other
- if conf.exists('isolate-stations'):
- wifi['isolate_stations'] = True
-
- # Wireless physical device
- if conf.exists('physical-device'):
- wifi['phy'] = conf.return_value('physical-device')
-
- # Maximum number of wireless radio stations
- if conf.exists('max-stations'):
- wifi['max_stations'] = conf.return_value('max-stations')
-
- # Management Frame Protection (MFP) according to IEEE 802.11w
- if conf.exists('mgmt-frame-protection'):
- wifi['mgmt_frame_protection'] = conf.return_value('mgmt-frame-protection')
-
- # Wireless radio mode
- if conf.exists('mode'):
- wifi['mode'] = conf.return_value('mode')
-
- # Transmission power reduction in dBm
- if conf.exists('reduce-transmit-power'):
- wifi['reduce_transmit_power'] = conf.return_value('reduce-transmit-power')
-
- # WEP enabled?
- if conf.exists('security wep'):
- wifi['sec_wep'] = True
-
- # WEP encryption key(s)
- if conf.exists('security wep key'):
- wifi['sec_wep_key'] = conf.return_values('security wep key')
-
- # WPA enabled?
- if conf.exists('security wpa'):
- wifi['sec_wpa'] = True
-
- # WPA Cipher suite
- if conf.exists('security wpa cipher'):
- wifi['sec_wpa_cipher'] = conf.return_values('security wpa cipher')
-
- # WPA mode
- if conf.exists('security wpa mode'):
- wifi['sec_wpa_mode'] = conf.return_value('security wpa mode')
-
- # WPA default ciphers depend on WPA mode
- if not wifi['sec_wpa_cipher']:
- if wifi['sec_wpa_mode'] == 'wpa':
- wifi['sec_wpa_cipher'].append('TKIP')
- wifi['sec_wpa_cipher'].append('CCMP')
-
- elif wifi['sec_wpa_mode'] == 'wpa2':
- wifi['sec_wpa_cipher'].append('CCMP')
-
- elif wifi['sec_wpa_mode'] == 'both':
- wifi['sec_wpa_cipher'].append('CCMP')
- wifi['sec_wpa_cipher'].append('TKIP')
-
- # WPA Group Cipher suite
- if conf.exists('security wpa group-cipher'):
- wifi['sec_wpa_group_cipher'] = conf.return_values('security wpa group-cipher')
-
- # WPA personal shared pass phrase
- if conf.exists('security wpa passphrase'):
- wifi['sec_wpa_passphrase'] = conf.return_value('security wpa passphrase')
-
- # WPA RADIUS source address
- if conf.exists('security wpa radius source-address'):
- wifi['sec_wpa_radius_source'] = conf.return_value('security wpa radius source-address')
-
- # WPA RADIUS server
- for server in conf.list_nodes('security wpa radius server'):
- # set new configuration level
- conf.set_level(cfg_base + ' security wpa radius server ' + server)
- radius = {
- 'server' : server,
- 'acc_port' : '',
- 'disabled': False,
- 'port' : 1812,
- 'key' : ''
- }
-
- # RADIUS server port
- if conf.exists('port'):
- radius['port'] = int(conf.return_value('port'))
-
- # receive RADIUS accounting info
- if conf.exists('accounting'):
- radius['acc_port'] = radius['port'] + 1
-
- # Check if RADIUS server was temporary disabled
- if conf.exists(['disable']):
- radius['disabled'] = True
-
- # RADIUS server shared-secret
- if conf.exists('key'):
- radius['key'] = conf.return_value('key')
-
- # append RADIUS server to list of servers
- wifi['sec_wpa_radius'].append(radius)
-
- # re-set configuration level to parse new nodes
- conf.set_level(cfg_base)
-
- # Wireless access-point service set identifier (SSID)
- if conf.exists('ssid'):
- wifi['ssid'] = conf.return_value('ssid')
-
- # Wireless device type for this interface
- if conf.exists('type'):
- tmp = conf.return_value('type')
- if tmp == 'access-point':
- tmp = 'ap'
-
- wifi['op_mode'] = tmp
+wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf'
+hostapd_conf = '/run/hostapd/{ifname}.conf'
+
+def find_other_stations(conf, base, ifname):
+ """
+ Only one wireless interface per phy can be in station mode -
+ find all interfaces attached to a phy which run in station mode
+ """
+ old_level = conf.get_level()
+ conf.set_level(base)
+ dict = {}
+ for phy in os.listdir('/sys/class/ieee80211'):
+ list = []
+ for interface in conf.list_nodes([]):
+ if interface == ifname:
+ continue
+ # the following node is mandatory
+ if conf.exists([interface, 'physical-device', phy]):
+ tmp = conf.return_value([interface, 'type'])
+ if tmp == 'station':
+ list.append(interface)
+ if list:
+ dict.update({phy: list})
+ conf.set_level(old_level)
+ return dict
+
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['interfaces', 'wireless']
+ wifi = get_interface_dict(conf, base)
+
+ if 'security' in wifi and 'wpa' in wifi['security']:
+ wpa_cipher = wifi['security']['wpa'].get('cipher')
+ wpa_mode = wifi['security']['wpa'].get('mode')
+ if not wpa_cipher:
+ tmp = None
+ if wpa_mode == 'wpa':
+ tmp = {'security': {'wpa': {'cipher' : ['TKIP', 'CCMP']}}}
+ elif wpa_mode == 'wpa2':
+ tmp = {'security': {'wpa': {'cipher' : ['CCMP']}}}
+ elif wpa_mode == 'both':
+ tmp = {'security': {'wpa': {'cipher' : ['CCMP', 'TKIP']}}}
+
+ if tmp: wifi = dict_merge(tmp, wifi)
# retrieve configured regulatory domain
- conf.set_level('system')
- if conf.exists('wifi-regulatory-domain'):
- wifi['country_code'] = conf.return_value('wifi-regulatory-domain')
+ conf.set_level(['system'])
+ if conf.exists(['wifi-regulatory-domain']):
+ wifi['country_code'] = conf.return_value(['wifi-regulatory-domain'])
- return wifi
+ # Only one wireless interface per phy can be in station mode
+ tmp = find_other_stations(conf, base, wifi['ifname'])
+ if tmp: wifi['station_interfaces'] = tmp
+ return wifi
def verify(wifi):
- if wifi['deleted']:
- if wifi['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{wifi["intf"]}" as it is a '
- f'member of bridge "{wifi["is_bridge_member"]}"!'))
-
+ if 'deleted' in wifi:
+ verify_bridge_delete(wifi)
return None
- if wifi['op_mode'] != 'monitor' and not wifi['ssid']:
- raise ConfigError('SSID must be set for {}'.format(wifi['intf']))
+ if 'physical_device' not in wifi:
+ raise ConfigError('You must specify a physical-device "phy"')
- if not wifi['phy']:
- raise ConfigError('You must specify physical-device')
-
- if not wifi['mode']:
+ if 'type' not in wifi:
raise ConfigError('You must specify a WiFi mode')
- if wifi['op_mode'] == 'ap':
- c = Config()
- if not c.exists('system wifi-regulatory-domain'):
- raise ConfigError('Wireless regulatory domain is mandatory,\n' \
- 'use "set system wifi-regulatory-domain".')
-
- if not wifi['channel']:
- raise ConfigError('Channel must be set for {}'.format(wifi['intf']))
-
- if len(wifi['sec_wep_key']) > 4:
- raise ConfigError('No more then 4 WEP keys configurable')
+ if 'ssid' not in wifi and wifi['type'] != 'monitor':
+ raise ConfigError('SSID must be configured')
- if wifi['cap_vht'] and not wifi['cap_ht']:
- raise ConfigError('Specify HT flags if you want to use VHT!')
-
- if wifi['cap_vht_beamform'] and wifi['cap_vht_antenna_cnt'] == 1:
- raise ConfigError('Cannot use beam forming with just one antenna!')
-
- if wifi['cap_vht_beamform'] == 'single-user-beamformer' and wifi['cap_vht_antenna_cnt'] < 3:
- # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705
- raise ConfigError('Single-user beam former requires at least 3 antennas!')
-
- if wifi['sec_wep'] and (len(wifi['sec_wep_key']) == 0):
- raise ConfigError('Missing WEP keys')
-
- if wifi['sec_wpa'] and not (wifi['sec_wpa_passphrase'] or wifi['sec_wpa_radius']):
- raise ConfigError('Misssing WPA key or RADIUS server')
-
- for radius in wifi['sec_wpa_radius']:
- if not radius['key']:
- raise ConfigError('Misssing RADIUS shared secret key for server: {}'.format(radius['server']))
-
- if ( wifi['is_bridge_member']
- and ( wifi['address']
- or wifi['ipv6_eui64_prefix']
- or wifi['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{wifi["intf"]}" '
- f'as it is a member of bridge "{wifi["is_bridge_member"]}"!'))
-
- if wifi['vrf']:
- if wifi['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{wifi["vrf"]}" does not exist')
-
- if wifi['is_bridge_member']:
- raise ConfigError((
- f'Interface "{wifi["intf"]}" cannot be member of VRF '
- f'"{wifi["vrf"]}" and bridge {wifi["is_bridge_member"]} '
- f'at the same time!'))
+ if wifi['type'] == 'access-point':
+ if 'country_code' not in wifi:
+ raise ConfigError('Wireless regulatory domain is mandatory,\n' \
+ 'use "set system wifi-regulatory-domain" for configuration.')
+
+ if 'channel' not in wifi:
+ raise ConfigError('Wireless channel must be configured!')
+
+ if 'security' in wifi:
+ if {'wep', 'wpa'} <= set(wifi.get('security', {})):
+ raise ConfigError('Must either use WEP or WPA security!')
+
+ if 'wep' in wifi['security']:
+ if 'key' in wifi['security']['wep'] and len(wifi['security']['wep']) > 4:
+ raise ConfigError('No more then 4 WEP keys configurable')
+ elif 'key' not in wifi['security']['wep']:
+ raise ConfigError('Security WEP configured - missing WEP keys!')
+
+ elif 'wpa' in wifi['security']:
+ wpa = wifi['security']['wpa']
+ if not any(i in ['passphrase', 'radius'] for i in wpa):
+ raise ConfigError('Misssing WPA key or RADIUS server')
+
+ if 'radius' in wpa:
+ if 'server' in wpa['radius']:
+ for server in wpa['radius']['server']:
+ if 'key' not in wpa['radius']['server'][server]:
+ raise ConfigError(f'Misssing RADIUS shared secret key for server: {server}')
+
+ if 'capabilities' in wifi:
+ capabilities = wifi['capabilities']
+ if 'vht' in capabilities:
+ if 'ht' not in capabilities:
+ raise ConfigError('Specify HT flags if you want to use VHT!')
+
+ if {'beamform', 'antenna_count'} <= set(capabilities.get('vht', {})):
+ if capabilities['vht']['antenna_count'] == '1':
+ raise ConfigError('Cannot use beam forming with just one antenna!')
+
+ if capabilities['vht']['beamform'] == 'single-user-beamformer':
+ if int(capabilities['vht']['antenna_count']) < 3:
+ # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705
+ raise ConfigError('Single-user beam former requires at least 3 antennas!')
+
+ if 'station_interfaces' in wifi and wifi['type'] == 'station':
+ phy = wifi['physical_device']
+ if phy in wifi['station_interfaces']:
+ if len(wifi['station_interfaces'][phy]) > 0:
+ raise ConfigError('Only one station per wireless physical interface possible!')
+
+ verify_address(wifi)
+ verify_vrf(wifi)
# use common function to verify VLAN configuration
verify_vlan_config(wifi)
- conf = Config()
- # Only one wireless interface per phy can be in station mode
- base = ['interfaces', 'wireless']
- for phy in os.listdir('/sys/class/ieee80211'):
- stations = []
- for wlan in conf.list_nodes(base):
- # the following node is mandatory
- if conf.exists(base + [wlan, 'physical-device', phy]):
- tmp = conf.return_value(base + [wlan, 'type'])
- if tmp == 'station':
- stations.append(wlan)
-
- if len(stations) > 1:
- raise ConfigError('Only one station per wireless physical interface possible!')
-
return None
def generate(wifi):
- interface = wifi['intf']
+ interface = wifi['ifname']
# always stop hostapd service first before reconfiguring it
call(f'systemctl stop hostapd@{interface}.service')
@@ -513,7 +182,7 @@ def generate(wifi):
call(f'systemctl stop wpa_supplicant@{interface}.service')
# Delete config files if interface is removed
- if wifi['deleted']:
+ if 'deleted' in wifi:
if os.path.isfile(hostapd_conf.format(**wifi)):
os.unlink(hostapd_conf.format(**wifi))
@@ -522,10 +191,10 @@ def generate(wifi):
return None
- if not wifi['mac']:
+ if 'mac' not in wifi:
# http://wiki.stocksy.co.uk/wiki/Multiple_SSIDs_with_hostapd
# generate locally administered MAC address from used phy interface
- with open('/sys/class/ieee80211/{}/addresses'.format(wifi['phy']), 'r') as f:
+ with open('/sys/class/ieee80211/{physical_device}/addresses'.format(**wifi), 'r') as f:
# some PHYs tend to have multiple interfaces and thus supply multiple MAC
# addresses - we only need the first one for our calculation
tmp = f.readline().rstrip()
@@ -545,20 +214,18 @@ def generate(wifi):
wifi['mac'] = str(mac)
# render appropriate new config files depending on access-point or station mode
- if wifi['op_mode'] == 'ap':
- render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.tmpl', wifi)
+ if wifi['type'] == 'access-point':
+ render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.tmpl', wifi, trim_blocks=True)
- elif wifi['op_mode'] == 'station':
- render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.tmpl', wifi)
+ elif wifi['type'] == 'station':
+ render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.tmpl', wifi, trim_blocks=True)
return None
def apply(wifi):
- interface = wifi['intf']
- if wifi['deleted']:
- w = WiFiIf(interface)
- # delete interface
- w.remove()
+ interface = wifi['ifname']
+ if 'deleted' in wifi:
+ WiFiIf(interface).remove()
else:
# WiFi interface needs to be created on-block (e.g. mode or physical
# interface) instead of passing a ton of arguments, I just use a dict
@@ -566,97 +233,21 @@ def apply(wifi):
conf = deepcopy(WiFiIf.get_config())
# Assign WiFi instance configuration parameters to config dict
- conf['phy'] = wifi['phy']
+ conf['phy'] = wifi['physical_device']
# Finally create the new interface
w = WiFiIf(interface, **conf)
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not wifi['is_bridge_member']:
- w.set_vrf(wifi['vrf'])
-
- # update interface description used e.g. within SNMP
- w.set_alias(wifi['description'])
-
- if wifi['dhcp_client_id']:
- w.dhcp.v4.options['client_id'] = wifi['dhcp_client_id']
-
- if wifi['dhcp_hostname']:
- w.dhcp.v4.options['hostname'] = wifi['dhcp_hostname']
-
- if wifi['dhcp_vendor_class_id']:
- w.dhcp.v4.options['vendor_class_id'] = wifi['dhcp_vendor_class_id']
-
- if wifi['dhcpv6_prm_only']:
- w.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if wifi['dhcpv6_temporary']:
- w.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if wifi['dhcpv6_pd_length']:
- w.dhcp.v6.options['dhcpv6_pd_length'] = wifi['dhcpv6_pd_length']
-
- if wifi['dhcpv6_pd_interfaces']:
- w.dhcp.v6.options['dhcpv6_pd_interfaces'] = wifi['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- w.set_link_detect(wifi['disable_link_detect'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in wifi['ipv6_eui64_prefix_remove']:
- w.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address - re-set to real hardware address (hw-id)
- # if custom mac is removed
- if wifi['mac']:
- w.set_mac(wifi['mac'])
- elif wifi['hw_id']:
- w.set_mac(wifi['hw_id'])
-
- # Add IPv6 EUI-based addresses
- for addr in wifi['ipv6_eui64_prefix']:
- w.add_ipv6_eui64_address(addr)
-
- # configure ARP filter configuration
- w.set_arp_filter(wifi['ip_disable_arp_filter'])
- # configure ARP accept
- w.set_arp_accept(wifi['ip_enable_arp_accept'])
- # configure ARP announce
- w.set_arp_announce(wifi['ip_enable_arp_announce'])
- # configure ARP ignore
- w.set_arp_ignore(wifi['ip_enable_arp_ignore'])
- # IPv6 accept RA
- w.set_ipv6_accept_ra(wifi['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- w.set_ipv6_autoconf(wifi['ipv6_autoconf'])
- # IPv6 forwarding
- w.set_ipv6_forwarding(wifi['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- w.set_ipv6_dad_messages(wifi['ipv6_dup_addr_detect'])
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in wifi['address_remove']:
- w.del_addr(addr)
- for addr in wifi['address']:
- w.add_addr(addr)
-
- # apply all vlans to interface
- apply_all_vlans(w, wifi)
+ w.update(wifi)
# Enable/Disable interface - interface is always placed in
# administrative down state in WiFiIf class
- if not wifi['disable']:
- w.set_admin_state('up')
-
+ if 'disable' not in wifi:
# Physical interface is now configured. Proceed by starting hostapd or
# wpa_supplicant daemon. When type is monitor we can just skip this.
- if wifi['op_mode'] == 'ap':
+ if wifi['type'] == 'access-point':
call(f'systemctl start hostapd@{interface}.service')
- elif wifi['op_mode'] == 'station':
+ elif wifi['type'] == 'station':
call(f'systemctl start wpa_supplicant@{interface}.service')
return None
diff --git a/src/conf_mode/interfaces-wirelessmodem.py b/src/conf_mode/interfaces-wirelessmodem.py
index ec5a85e54..7d8110096 100755
--- a/src/conf_mode/interfaces-wirelessmodem.py
+++ b/src/conf_mode/interfaces-wirelessmodem.py
@@ -16,75 +16,42 @@
import os
-from fnmatch import fnmatch
from sys import exit
from vyos.config import Config
-from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
from vyos.configverify import verify_vrf
from vyos.template import render
from vyos.util import call
-from vyos.xml import defaults
+from vyos.util import check_kmod
+from vyos.util import find_device_file
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-def check_kmod():
- modules = ['option', 'usb_wwan', 'usbserial']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
-
-def find_device_file(device):
- """ Recurively search /dev for the given device file and return its full path.
- If no device file was found 'None' is returned """
- for root, dirs, files in os.walk('/dev'):
- for basename in files:
- if fnmatch(basename, device):
- return os.path.join(root, basename)
+k_mod = ['option', 'usb_wwan', 'usbserial']
- return None
-
-def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
- conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- # retrieve interface default values
+def get_config(config=None):
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['interfaces', 'wirelessmodem']
- default_values = defaults(base)
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = base + [ifname]
-
- wwan = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if wwan == {}:
- wwan.update({'deleted' : ''})
-
- # We have gathered the dict representation of the CLI, but there are
- # default options which we need to update into the dictionary
- # retrived.
- wwan = dict_merge(default_values, wwan)
-
- # Add interface instance name into dictionary
- wwan.update({'ifname': ifname})
-
+ wwan = get_interface_dict(conf, base)
return wwan
def verify(wwan):
- if 'deleted' in wwan.keys():
+ if 'deleted' in wwan:
return None
- if not 'apn' in wwan.keys():
+ if not 'apn' in wwan:
raise ConfigError('No APN configured for "{ifname}"'.format(**wwan))
- if not 'device' in wwan.keys():
+ if not 'device' in wwan:
raise ConfigError('Physical "device" must be configured')
# we can not use isfile() here as Linux device files are no regular files
@@ -141,11 +108,11 @@ def generate(wwan):
return None
def apply(wwan):
- if 'deleted' in wwan.keys():
+ if 'deleted' in wwan:
# bail out early
return None
- if not 'disable' in wwan.keys():
+ if not 'disable' in wwan:
# "dial" WWAN connection
call('systemctl start ppp@{ifname}.service'.format(**wwan))
@@ -153,7 +120,7 @@ def apply(wwan):
if __name__ == '__main__':
try:
- check_kmod()
+ check_kmod(k_mod)
c = get_config()
verify(c)
generate(c)
diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py
index 015d1a480..11a5b7aaa 100755
--- a/src/conf_mode/ipsec-settings.py
+++ b/src/conf_mode/ipsec-settings.py
@@ -41,8 +41,11 @@ delim_ipsec_l2tp_begin = "### VyOS L2TP VPN Begin ###"
delim_ipsec_l2tp_end = "### VyOS L2TP VPN End ###"
charon_pidfile = "/var/run/charon.pid"
-def get_config():
- config = Config()
+def get_config(config=None):
+ if config:
+ config = config
+ else:
+ config = Config()
data = {"install_routes": "yes"}
if config.exists("vpn ipsec options disable-route-autoinstall"):
diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py
index 5b965f95f..755c89966 100755
--- a/src/conf_mode/le_cert.py
+++ b/src/conf_mode/le_cert.py
@@ -27,6 +27,7 @@ from vyos import airbag
airbag.enable()
vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode']
+vyos_certbot_dir = vyos.defaults.directories['certbot']
dependencies = [
'https.py',
@@ -45,7 +46,7 @@ def request_certbot(cert):
else:
domain_flag = ''
- certbot_cmd = 'certbot certonly -n --nginx --agree-tos --no-eff-email --expand {0} {1}'.format(email_flag, domain_flag)
+ certbot_cmd = f'certbot certonly --config-dir {vyos_certbot_dir} -n --nginx --agree-tos --no-eff-email --expand {email_flag} {domain_flag}'
cmd(certbot_cmd,
raising=ConfigError,
diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py
index 1b539887a..6b645857a 100755
--- a/src/conf_mode/lldp.py
+++ b/src/conf_mode/lldp.py
@@ -146,9 +146,12 @@ def get_location(config):
return intfs_location
-def get_config():
+def get_config(config=None):
lldp = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if not conf.exists(base):
return None
else:
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 2299717a8..eb634fd78 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -19,18 +19,27 @@ import json
import os
from copy import deepcopy
+from distutils.version import LooseVersion
+from platform import release as kernel_version
from sys import exit
from netifaces import interfaces
from vyos.config import Config
from vyos.template import render
-from vyos.util import call, cmd
+from vyos.util import call
+from vyos.util import cmd
+from vyos.util import check_kmod
from vyos.validate import is_addr_assigned
from vyos import ConfigError
from vyos import airbag
airbag.enable()
+if LooseVersion(kernel_version()) > LooseVersion('5.1'):
+ k_mod = ['nft_nat', 'nft_chain_nat']
+else:
+ k_mod = ['nft_nat', 'nft_chain_nat_ipv4']
+
default_config_data = {
'deleted': False,
'destination': [],
@@ -44,15 +53,6 @@ default_config_data = {
iptables_nat_config = '/tmp/vyos-nat-rules.nft'
-def _check_kmod():
- """ load required Kernel modules """
- modules = ['nft_nat', 'nft_chain_nat_ipv4']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
-
-
def get_handler(json, chain, target):
""" Get nftable rule handler number of given chain/target combination.
Handler is required when adding NAT/Conntrack helper targets """
@@ -167,9 +167,12 @@ def parse_configuration(conf, source_dest):
return ruleset
-def get_config():
+def get_config(config=None):
nat = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
# read in current nftable (once) for further processing
tmp = cmd('nft -j list table raw')
@@ -237,6 +240,8 @@ def verify(nat):
addr = rule['translation_address']
if addr != 'masquerade' and not is_addr_assigned(addr):
print(f'Warning: IP address {addr} does not exist on the system!')
+ elif not rule['exclude']:
+ raise ConfigError(f'{err_msg} translation address not specified')
# common rule verification
verify_rule(rule, err_msg)
@@ -251,6 +256,9 @@ def verify(nat):
if not rule['interface_in']:
raise ConfigError(f'{err_msg} inbound-interface not specified')
+ if not rule['translation_address'] and not rule['exclude']:
+ raise ConfigError(f'{err_msg} translation address not specified')
+
# common rule verification
verify_rule(rule, err_msg)
@@ -269,7 +277,7 @@ def apply(nat):
if __name__ == '__main__':
try:
- _check_kmod()
+ check_kmod(k_mod)
c = get_config()
verify(c)
generate(c)
diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py
index bba8f87a4..d6453ec83 100755
--- a/src/conf_mode/ntp.py
+++ b/src/conf_mode/ntp.py
@@ -27,8 +27,11 @@ airbag.enable()
config_file = r'/etc/ntp.conf'
systemd_override = r'/etc/systemd/system/ntp.service.d/override.conf'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['system', 'ntp']
ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 3aa76d866..1978adff5 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -14,83 +14,72 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import jmespath
+import os
-from copy import deepcopy
from sys import exit
from vyos.config import Config
+from vyos.util import call
from vyos.template import render
+from vyos.template import render_to_string
+from vyos import frr
from vyos import ConfigError, airbag
airbag.enable()
config_file = r'/tmp/bgp.frr'
-default_config_data = {
- 'as_number': ''
-}
-
def get_config():
- bgp = deepcopy(default_config_data)
conf = Config()
-
- # this lives in the "nbgp" tree until we switch over
base = ['protocols', 'nbgp']
+ bgp = conf.get_config_dict(base, key_mangling=('-', '_'))
if not conf.exists(base):
return None
- bgp = deepcopy(default_config_data)
- # Get full BGP configuration as dictionary - output the configuration for development
- #
- # vyos@vyos# commit
- # [ protocols nbgp 65000 ]
- # {'nbgp': {'65000': {'address-family': {'ipv4-unicast': {'aggregate-address': {'1.1.0.0/16': {},
- # '2.2.2.0/24': {}}},
- # 'ipv6-unicast': {'aggregate-address': {'2001:db8::/32': {}}}},
- # 'neighbor': {'192.0.2.1': {'password': 'foo',
- # 'remote-as': '100'}}}}}
- #
- tmp = conf.get_config_dict(base)
-
- # extract base key from dict as this is our AS number
- bgp['as_number'] = jmespath.search('nbgp | keys(@) [0]', tmp)
-
- # adjust level of dictionary returned by get_config_dict()
- # by using jmesgpath and update dictionary
- bgp.update(jmespath.search('nbgp.* | [0]', tmp))
-
from pprint import pprint
pprint(bgp)
- # resulting in e.g.
- # vyos@vyos# commit
- # [ protocols nbgp 65000 ]
- # {'address-family': {'ipv4-unicast': {'aggregate-address': {'1.1.0.0/16': {},
- # '2.2.2.0/24': {}}},
- # 'ipv6-unicast': {'aggregate-address': {'2001:db8::/32': {}}}},
- # 'as_number': '65000',
- # 'neighbor': {'192.0.2.1': {'password': 'foo', 'remote-as': '100'}},
- # 'timers': {'holdtime': '5'}}
return bgp
def verify(bgp):
- # bail out early - looks like removal from running config
if not bgp:
return None
return None
def generate(bgp):
- # bail out early - looks like removal from running config
if not bgp:
return None
+ # render(config) not needed, its only for debug
render(config_file, 'frr/bgp.frr.tmpl', bgp)
+
+ bgp['new_frr_config'] = render_to_string('frr/bgp.frr.tmpl', bgp)
+
return None
def apply(bgp):
+ if bgp is None:
+ return None
+
+ # Save original configration prior to starting any commit actions
+ bgp['original_config'] = frr.get_configuration(daemon='bgpd')
+ bgp['modified_config'] = frr.replace_section(bgp['original_config'], bgp['new_frr_config'], from_re='router bgp .*')
+
+ # Debugging
+ print('--------- DEBUGGING ----------')
+ print(f'Existing config:\n{bgp["original_config"]}\n\n')
+ print(f'Replacement config:\n{bgp["new_frr_config"]}\n\n')
+ print(f'Modified config:\n{bgp["modified_config"]}\n\n')
+
+ # Frr Mark configuration will test for syntax errors and exception out if any syntax errors are detected
+ frr.mark_configuration(bgp['modified_config'])
+
+ # Commit the resulting new configuration to frr, this will render an frr.CommitError() Exception on fail
+ frr.reload_configuration(bgp['modified_config'], daemon='bgpd')
+
return None
+
if __name__ == '__main__':
try:
c = get_config()
diff --git a/src/conf_mode/protocols_igmp.py b/src/conf_mode/protocols_igmp.py
index ca148fd6a..6f4fc784d 100755
--- a/src/conf_mode/protocols_igmp.py
+++ b/src/conf_mode/protocols_igmp.py
@@ -29,8 +29,11 @@ airbag.enable()
config_file = r'/tmp/igmp.frr'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
igmp_conf = {
'igmp_conf' : False,
'old_ifaces' : {},
diff --git a/src/conf_mode/protocols_mpls.py b/src/conf_mode/protocols_mpls.py
index 72208ffa1..e515490d0 100755
--- a/src/conf_mode/protocols_mpls.py
+++ b/src/conf_mode/protocols_mpls.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -29,8 +29,11 @@ config_file = r'/tmp/ldpd.frr'
def sysctl(name, value):
call('sysctl -wq {}={}'.format(name, value))
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
mpls_conf = {
'router_id' : None,
'mpls_ldp' : False,
@@ -38,13 +41,17 @@ def get_config():
'interfaces' : [],
'neighbors' : {},
'd_transp_ipv4' : None,
- 'd_transp_ipv6' : None
+ 'd_transp_ipv6' : None,
+ 'hello_holdtime' : None,
+ 'hello_interval' : None
},
'ldp' : {
'interfaces' : [],
'neighbors' : {},
'd_transp_ipv4' : None,
- 'd_transp_ipv6' : None
+ 'd_transp_ipv6' : None,
+ 'hello_holdtime' : None,
+ 'hello_interval' : None
}
}
if not (conf.exists('protocols mpls') or conf.exists_effective('protocols mpls')):
@@ -61,6 +68,20 @@ def get_config():
if conf.exists('router-id'):
mpls_conf['router_id'] = conf.return_value('router-id')
+ # Get hello holdtime
+ if conf.exists_effective('discovery hello-holdtime'):
+ mpls_conf['old_ldp']['hello_holdtime'] = conf.return_effective_value('discovery hello-holdtime')
+
+ if conf.exists('discovery hello-holdtime'):
+ mpls_conf['ldp']['hello_holdtime'] = conf.return_value('discovery hello-holdtime')
+
+ # Get hello interval
+ if conf.exists_effective('discovery hello-interval'):
+ mpls_conf['old_ldp']['hello_interval'] = conf.return_effective_value('discovery hello-interval')
+
+ if conf.exists('discovery hello-interval'):
+ mpls_conf['ldp']['hello_interval'] = conf.return_value('discovery hello-interval')
+
# Get discovery transport-ipv4-address
if conf.exists_effective('discovery transport-ipv4-address'):
mpls_conf['old_ldp']['d_transp_ipv4'] = conf.return_effective_value('discovery transport-ipv4-address')
diff --git a/src/conf_mode/protocols_pim.py b/src/conf_mode/protocols_pim.py
index 8aa324bac..6d333e19a 100755
--- a/src/conf_mode/protocols_pim.py
+++ b/src/conf_mode/protocols_pim.py
@@ -29,8 +29,11 @@ airbag.enable()
config_file = r'/tmp/pimd.frr'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
pim_conf = {
'pim_conf' : False,
'old_pim' : {
diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py
index 4f8816d61..8ddd705f2 100755
--- a/src/conf_mode/protocols_rip.py
+++ b/src/conf_mode/protocols_rip.py
@@ -28,8 +28,11 @@ airbag.enable()
config_file = r'/tmp/ripd.frr'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['protocols', 'rip']
rip_conf = {
'rip_conf' : False,
@@ -97,7 +100,7 @@ def get_config():
# Get distribute list interface old_rip
for dist_iface in conf.list_effective_nodes('distribute-list interface'):
# Set level 'distribute-list interface ethX'
- conf.set_level((str(base)) + ' distribute-list interface ' + dist_iface)
+ conf.set_level(base + ['distribute-list', 'interface', dist_iface])
rip_conf['rip']['distribute'].update({
dist_iface : {
'iface_access_list_in': conf.return_effective_value('access-list in'.format(dist_iface)),
@@ -125,7 +128,7 @@ def get_config():
# Get distribute list interface
for dist_iface in conf.list_nodes('distribute-list interface'):
# Set level 'distribute-list interface ethX'
- conf.set_level((str(base)) + ' distribute-list interface ' + dist_iface)
+ conf.set_level(base + ['distribute-list', 'interface', dist_iface])
rip_conf['rip']['distribute'].update({
dist_iface : {
'iface_access_list_in': conf.return_value('access-list in'.format(dist_iface)),
@@ -148,7 +151,7 @@ def get_config():
if conf.exists('prefix-list out'.format(dist_iface)):
rip_conf['rip']['iface_prefix_list_out'] = conf.return_value('prefix-list out'.format(dist_iface))
- conf.set_level((str(base)) + ' distribute-list')
+ conf.set_level(base + ['distribute-list'])
# Get distribute list, access-list in
if conf.exists_effective('access-list in'):
diff --git a/src/conf_mode/protocols_static_multicast.py b/src/conf_mode/protocols_static_multicast.py
index 232d1e181..99157835a 100755
--- a/src/conf_mode/protocols_static_multicast.py
+++ b/src/conf_mode/protocols_static_multicast.py
@@ -30,8 +30,11 @@ airbag.enable()
config_file = r'/tmp/static_mcast.frr'
# Get configuration for static multicast route
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
mroute = {
'old_mroute' : {},
'mroute' : {}
diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py
index 3343d1247..841bf6a39 100755
--- a/src/conf_mode/salt-minion.py
+++ b/src/conf_mode/salt-minion.py
@@ -44,9 +44,12 @@ default_config_data = {
'master_key': ''
}
-def get_config():
+def get_config(config=None):
salt = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['service', 'salt-minion']
if not conf.exists(base):
diff --git a/src/conf_mode/service_console-server.py b/src/conf_mode/service_console-server.py
index ace6b8ca4..0e5fc75b0 100755
--- a/src/conf_mode/service_console-server.py
+++ b/src/conf_mode/service_console-server.py
@@ -27,15 +27,16 @@ from vyos import ConfigError
config_file = r'/run/conserver/conserver.cf'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['service', 'console-server']
- if not conf.exists(base):
- return None
-
# Retrieve CLI representation as dictionary
- proxy = conf.get_config_dict(base, key_mangling=('-', '_'))
+ proxy = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True)
# The retrieved dictionary will look something like this:
#
# {'device': {'usb0b2.4p1.0': {'speed': '9600'},
@@ -47,9 +48,10 @@ def get_config():
# We have gathered the dict representation of the CLI, but there are default
# options which we need to update into the dictionary retrived.
default_values = defaults(base + ['device'])
- for device in proxy['device'].keys():
- tmp = dict_merge(default_values, proxy['device'][device])
- proxy['device'][device] = tmp
+ if 'device' in proxy:
+ for device in proxy['device']:
+ tmp = dict_merge(default_values, proxy['device'][device])
+ proxy['device'][device] = tmp
return proxy
@@ -57,15 +59,14 @@ def verify(proxy):
if not proxy:
return None
- for device in proxy['device']:
- keys = proxy['device'][device].keys()
- if 'speed' not in keys:
- raise ConfigError(f'Serial port speed must be defined for "{tmp}"!')
+ if 'device' in proxy:
+ for device in proxy['device']:
+ if 'speed' not in proxy['device'][device]:
+ raise ConfigError(f'Serial port speed must be defined for "{device}"!')
- if 'ssh' in keys:
- ssh_keys = proxy['device'][device]['ssh'].keys()
- if 'port' not in ssh_keys:
- raise ConfigError(f'SSH port must be defined for "{tmp}"!')
+ if 'ssh' in proxy['device'][device]:
+ if 'port' not in proxy['device'][device]['ssh']:
+ raise ConfigError(f'SSH port must be defined for "{device}"!')
return None
@@ -86,10 +87,11 @@ def apply(proxy):
call('systemctl restart conserver-server.service')
- for device in proxy['device']:
- if 'ssh' in proxy['device'][device].keys():
- port = proxy['device'][device]['ssh']['port']
- call(f'systemctl restart dropbear@{device}.service')
+ if 'device' in proxy:
+ for device in proxy['device']:
+ if 'ssh' in proxy['device'][device]:
+ port = proxy['device'][device]['ssh']['port']
+ call(f'systemctl restart dropbear@{device}.service')
return None
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index d46f9578e..27d0ee60c 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -28,8 +28,11 @@ airbag.enable()
config_file = r'/etc/fastnetmon.conf'
networks_list = r'/etc/networks_list'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['service', 'ids', 'ddos-protection']
fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
return fastnetmon
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index b539da98e..96cf932d1 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -55,8 +55,11 @@ default_config_data = {
'thread_cnt': get_half_cpus()
}
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base_path = ['service', 'ipoe-server']
if not conf.exists(base_path):
return None
@@ -147,17 +150,21 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
if conf.exists(['fail-time']):
- radius['fail-time'] = conf.return_value(['fail-time'])
+ radius['fail_time'] = conf.return_value(['fail-time'])
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/mdns_repeater.py b/src/conf_mode/service_mdns-repeater.py
index b43f9bdd8..729518c96 100755
--- a/src/conf_mode/mdns_repeater.py
+++ b/src/conf_mode/service_mdns-repeater.py
@@ -17,69 +17,54 @@
import os
from sys import exit
-from copy import deepcopy
-from netifaces import ifaddresses, AF_INET
+from netifaces import ifaddresses, interfaces, AF_INET
from vyos.config import Config
-from vyos import ConfigError
-from vyos.util import call
from vyos.template import render
-
+from vyos.util import call
+from vyos import ConfigError
from vyos import airbag
airbag.enable()
config_file = r'/etc/default/mdns-repeater'
-default_config_data = {
- 'disabled': False,
- 'interfaces': []
-}
-
-def get_config():
- mdns = deepcopy(default_config_data)
- conf = Config()
- base = ['service', 'mdns', 'repeater']
- if not conf.exists(base):
- return None
+def get_config(config=None):
+ if config:
+ conf = config
else:
- conf.set_level(base)
-
- # Service can be disabled by user
- if conf.exists(['disable']):
- mdns['disabled'] = True
- return mdns
-
- # Interface to repeat mDNS advertisements
- if conf.exists(['interface']):
- mdns['interfaces'] = conf.return_values(['interface'])
-
+ conf = Config()
+ base = ['service', 'mdns', 'repeater']
+ mdns = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
return mdns
def verify(mdns):
- if mdns is None:
+ if not mdns:
return None
- if mdns['disabled']:
+ if 'disable' in mdns:
return None
# We need at least two interfaces to repeat mDNS advertisments
- if len(mdns['interfaces']) < 2:
+ if 'interface' not in mdns or len(mdns['interface']) < 2:
raise ConfigError('mDNS repeater requires at least 2 configured interfaces!')
# For mdns-repeater to work it is essential that the interfaces has
# an IPv4 address assigned
- for interface in mdns['interfaces']:
- if AF_INET in ifaddresses(interface).keys():
- if len(ifaddresses(interface)[AF_INET]) < 1:
- raise ConfigError('mDNS repeater requires an IPv6 address configured on interface %s!'.format(interface))
+ for interface in mdns['interface']:
+ if interface not in interfaces():
+ raise ConfigError(f'Interface "{interface}" does not exist!')
+
+ if AF_INET not in ifaddresses(interface):
+ raise ConfigError('mDNS repeater requires an IPv4 address to be '
+ f'configured on interface "{interface}"')
return None
def generate(mdns):
- if mdns is None:
+ if not mdns:
return None
- if mdns['disabled']:
+ if 'disable' in mdns:
print('Warning: mDNS repeater will be deactivated because it is disabled')
return None
@@ -87,7 +72,7 @@ def generate(mdns):
return None
def apply(mdns):
- if (mdns is None) or mdns['disabled']:
+ if not mdns or 'disable' in mdns:
call('systemctl stop mdns-repeater.service')
if os.path.exists(config_file):
os.unlink(config_file)
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index 3149bbb2f..45d3806d5 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -85,8 +85,11 @@ default_config_data = {
'thread_cnt': get_half_cpus()
}
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base_path = ['service', 'pppoe-server']
if not conf.exists(base_path):
return None
@@ -242,7 +245,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -253,6 +257,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
@@ -417,6 +424,9 @@ def verify(pppoe):
if len(pppoe['dnsv6']) > 3:
raise ConfigError('Not more then three IPv6 DNS name-servers can be configured')
+ if not pppoe['interfaces']:
+ raise ConfigError('At least one listen interface must be defined!')
+
# local ippool and gateway settings config checks
if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']:
if not pppoe['ppp_gw']:
diff --git a/src/conf_mode/service_router-advert.py b/src/conf_mode/service_router-advert.py
index ef6148ebd..687d7068f 100755
--- a/src/conf_mode/service_router-advert.py
+++ b/src/conf_mode/service_router-advert.py
@@ -16,145 +16,88 @@
import os
-from stat import S_IRUSR, S_IWUSR, S_IRGRP
from sys import exit
from vyos.config import Config
-from vyos import ConfigError
-from vyos.util import call
+from vyos.configdict import dict_merge
from vyos.template import render
-
+from vyos.util import call
+from vyos.xml import defaults
+from vyos import ConfigError
from vyos import airbag
airbag.enable()
config_file = r'/run/radvd/radvd.conf'
-default_config_data = {
- 'interfaces': []
-}
-
-def get_config():
- rtradv = default_config_data
- conf = Config()
- base_level = ['service', 'router-advert']
-
- if not conf.exists(base_level):
- return rtradv
-
- for interface in conf.list_nodes(base_level + ['interface']):
- intf = {
- 'name': interface,
- 'hop_limit' : '64',
- 'default_lifetime': '',
- 'default_preference': 'medium',
- 'dnssl': [],
- 'link_mtu': '',
- 'managed_flag': 'off',
- 'interval_max': '600',
- 'interval_min': '',
- 'name_server': [],
- 'other_config_flag': 'off',
- 'prefixes' : [],
- 'reachable_time': '0',
- 'retrans_timer': '0',
- 'send_advert': 'on'
- }
-
- # set config level first to reduce boilerplate code
- conf.set_level(base_level + ['interface', interface])
-
- if conf.exists(['hop-limit']):
- intf['hop_limit'] = conf.return_value(['hop-limit'])
-
- if conf.exists(['default-lifetime']):
- intf['default_lifetime'] = conf.return_value(['default-lifetime'])
-
- if conf.exists(['default-preference']):
- intf['default_preference'] = conf.return_value(['default-preference'])
-
- if conf.exists(['dnssl']):
- intf['dnssl'] = conf.return_values(['dnssl'])
-
- if conf.exists(['link-mtu']):
- intf['link_mtu'] = conf.return_value(['link-mtu'])
-
- if conf.exists(['managed-flag']):
- intf['managed_flag'] = 'on'
-
- if conf.exists(['interval', 'max']):
- intf['interval_max'] = conf.return_value(['interval', 'max'])
-
- if conf.exists(['interval', 'min']):
- intf['interval_min'] = conf.return_value(['interval', 'min'])
-
- if conf.exists(['name-server']):
- intf['name_server'] = conf.return_values(['name-server'])
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['service', 'router-advert']
+ rtradv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ default_interface_values = defaults(base + ['interface'])
+ # we deal with prefix defaults later on
+ if 'prefix' in default_interface_values:
+ del default_interface_values['prefix']
+
+ default_prefix_values = defaults(base + ['interface', 'prefix'])
+
+ if 'interface' in rtradv:
+ for interface in rtradv['interface']:
+ rtradv['interface'][interface] = dict_merge(
+ default_interface_values, rtradv['interface'][interface])
+
+ if 'prefix' in rtradv['interface'][interface]:
+ for prefix in rtradv['interface'][interface]['prefix']:
+ rtradv['interface'][interface]['prefix'][prefix] = dict_merge(
+ default_prefix_values, rtradv['interface'][interface]['prefix'][prefix])
+
+ if 'name_server' in rtradv['interface'][interface]:
+ # always use a list when dealing with nameservers - eases the template generation
+ if isinstance(rtradv['interface'][interface]['name_server'], str):
+ rtradv['interface'][interface]['name_server'] = [
+ rtradv['interface'][interface]['name_server']]
- if conf.exists(['other-config-flag']):
- intf['other_config_flag'] = 'on'
-
- if conf.exists(['reachable-time']):
- intf['reachable_time'] = conf.return_value(['reachable-time'])
-
- if conf.exists(['retrans-timer']):
- intf['retrans_timer'] = conf.return_value(['retrans-timer'])
-
- if conf.exists(['no-send-advert']):
- intf['send_advert'] = 'off'
-
- for prefix in conf.list_nodes(['prefix']):
- tmp = {
- 'prefix' : prefix,
- 'autonomous_flag' : 'on',
- 'on_link' : 'on',
- 'preferred_lifetime': 14400,
- 'valid_lifetime' : 2592000
-
- }
-
- # set config level first to reduce boilerplate code
- conf.set_level(base_level + ['interface', interface, 'prefix', prefix])
-
- if conf.exists(['no-autonomous-flag']):
- tmp['autonomous_flag'] = 'off'
-
- if conf.exists(['no-on-link-flag']):
- tmp['on_link'] = 'off'
-
- if conf.exists(['preferred-lifetime']):
- tmp['preferred_lifetime'] = int(conf.return_value(['preferred-lifetime']))
+ return rtradv
- if conf.exists(['valid-lifetime']):
- tmp['valid_lifetime'] = int(conf.return_value(['valid-lifetime']))
+def verify(rtradv):
+ if not rtradv:
+ return None
- intf['prefixes'].append(tmp)
+ if 'interface' not in rtradv:
+ return None
- rtradv['interfaces'].append(intf)
+ for interface in rtradv['interface']:
+ interface = rtradv['interface'][interface]
+ if 'prefix' in interface:
+ for prefix in interface['prefix']:
+ prefix = interface['prefix'][prefix]
+ valid_lifetime = prefix['valid_lifetime']
+ if valid_lifetime == 'infinity':
+ valid_lifetime = 4294967295
- return rtradv
+ preferred_lifetime = prefix['preferred_lifetime']
+ if preferred_lifetime == 'infinity':
+ preferred_lifetime = 4294967295
-def verify(rtradv):
- for interface in rtradv['interfaces']:
- for prefix in interface['prefixes']:
- if not (prefix['valid_lifetime'] > prefix['preferred_lifetime']):
- raise ConfigError('Prefix valid-lifetime must be greater then preferred-lifetime')
+ if not (int(valid_lifetime) > int(preferred_lifetime)):
+ raise ConfigError('Prefix valid-lifetime must be greater then preferred-lifetime')
return None
def generate(rtradv):
- if not rtradv['interfaces']:
+ if not rtradv:
return None
- render(config_file, 'router-advert/radvd.conf.tmpl', rtradv, trim_blocks=True)
-
- # adjust file permissions of new configuration file
- if os.path.exists(config_file):
- os.chmod(config_file, S_IRUSR | S_IWUSR | S_IRGRP)
-
+ render(config_file, 'router-advert/radvd.conf.tmpl', rtradv, trim_blocks=True, permission=0o644)
return None
def apply(rtradv):
- if not rtradv['interfaces']:
+ if not rtradv:
# bail out early - looks like removal from running config
call('systemctl stop radvd.service')
if os.path.exists(config_file):
@@ -163,6 +106,7 @@ def apply(rtradv):
return None
call('systemctl restart radvd.service')
+
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index ffb0b700d..a19fa72d8 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -28,11 +28,14 @@ from vyos.xml import defaults
from vyos import airbag
airbag.enable()
-config_file = r'/etc/ssh/sshd_config'
+config_file = r'/run/ssh/sshd_config'
systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['service', 'ssh']
if not conf.exists(base):
return None
@@ -42,6 +45,8 @@ def get_config():
# options which we need to update into the dictionary retrived.
default_values = defaults(base)
ssh = dict_merge(default_values, ssh)
+ # pass config file path - used in override template
+ ssh['config_file'] = config_file
return ssh
diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system-ip.py
index 85f1e3771..64c9e6d05 100755
--- a/src/conf_mode/system-ip.py
+++ b/src/conf_mode/system-ip.py
@@ -35,9 +35,12 @@ default_config_data = {
def sysctl(name, value):
call('sysctl -wq {}={}'.format(name, value))
-def get_config():
+def get_config(config=None):
ip_opt = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
conf.set_level('system ip')
if conf.exists(''):
if conf.exists('arp table-size'):
diff --git a/src/conf_mode/system-ipv6.py b/src/conf_mode/system-ipv6.py
index 3417c609d..f70ec2631 100755
--- a/src/conf_mode/system-ipv6.py
+++ b/src/conf_mode/system-ipv6.py
@@ -41,9 +41,12 @@ default_config_data = {
def sysctl(name, value):
call('sysctl -wq {}={}'.format(name, value))
-def get_config():
+def get_config(config=None):
ip_opt = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
conf.set_level('system ipv6')
if conf.exists(''):
ip_opt['disable_addr_assignment'] = conf.exists('disable')
diff --git a/src/conf_mode/system-login-banner.py b/src/conf_mode/system-login-banner.py
index 5c0adc921..569010735 100755
--- a/src/conf_mode/system-login-banner.py
+++ b/src/conf_mode/system-login-banner.py
@@ -41,9 +41,12 @@ default_config_data = {
'motd': motd
}
-def get_config():
+def get_config(config=None):
banner = default_config_data
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base_level = ['system', 'login', 'banner']
if not conf.exists(base_level):
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index b1dd583b5..2aca199f9 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -56,9 +56,12 @@ def get_local_users():
return local_users
-def get_config():
+def get_config(config=None):
login = default_config_data
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base_level = ['system', 'login']
# We do not need to check if the nodes exist or not and bail out early
diff --git a/src/conf_mode/system-options.py b/src/conf_mode/system-options.py
index d7c5c0443..6ac35a4ab 100755
--- a/src/conf_mode/system-options.py
+++ b/src/conf_mode/system-options.py
@@ -22,23 +22,28 @@ from sys import exit
from vyos.config import Config
from vyos.template import render
from vyos.util import call
+from vyos.validate import is_addr_assigned
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-config_file = r'/etc/curlrc'
+curlrc_config = r'/etc/curlrc'
+ssh_config = r'/etc/ssh/ssh_config'
systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['system', 'options']
options = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
return options
def verify(options):
- if 'http_client' in options.keys():
+ if 'http_client' in options:
config = options['http_client']
- if 'source_interface' in config.keys():
+ if 'source_interface' in config:
if not config['source_interface'] in interfaces():
raise ConfigError(f'Source interface {source_interface} does not '
f'exist'.format(**config))
@@ -46,10 +51,21 @@ def verify(options):
if {'source_address', 'source_interface'} <= set(config):
raise ConfigError('Can not define both HTTP source-interface and source-address')
+ if 'source_address' in config:
+ if not is_addr_assigned(config['source_address']):
+ raise ConfigError('No interface with give address specified!')
+
+ if 'ssh_client' in options:
+ config = options['ssh_client']
+ if 'source_address' in config:
+ if not is_addr_assigned(config['source_address']):
+ raise ConfigError('No interface with give address specified!')
+
return None
def generate(options):
- render(config_file, 'system/curlrc.tmpl', options, trim_blocks=True)
+ render(curlrc_config, 'system/curlrc.tmpl', options, trim_blocks=True)
+ render(ssh_config, 'system/ssh_config.tmpl', options, trim_blocks=True)
return None
def apply(options):
@@ -63,12 +79,20 @@ def apply(options):
if os.path.exists(systemd_action_file):
os.unlink(systemd_action_file)
- if 'ctrl_alt_del_action' in options.keys():
+ if 'ctrl_alt_del_action' in options:
if options['ctrl_alt_del_action'] == 'reboot':
os.symlink('/lib/systemd/system/reboot.target', systemd_action_file)
elif options['ctrl_alt_del_action'] == 'poweroff':
os.symlink('/lib/systemd/system/poweroff.target', systemd_action_file)
+ if 'http_client' not in options:
+ if os.path.exists(curlrc_config):
+ os.unlink(curlrc_config)
+
+ if 'ssh_client' not in options:
+ if os.path.exists(ssh_config):
+ os.unlink(ssh_config)
+
# Reboot system on kernel panic
with open('/proc/sys/kernel/panic', 'w') as f:
if 'reboot_on_panic' in options.keys():
diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system-syslog.py
index cfc1ca55f..d29109c41 100755
--- a/src/conf_mode/system-syslog.py
+++ b/src/conf_mode/system-syslog.py
@@ -27,8 +27,11 @@ from vyos.template import render
from vyos import airbag
airbag.enable()
-def get_config():
- c = Config()
+def get_config(config=None):
+ if config:
+ c = config
+ else:
+ c = Config()
if not c.exists('system syslog'):
return None
c.set_level('system syslog')
diff --git a/src/conf_mode/system-timezone.py b/src/conf_mode/system-timezone.py
index 0f4513122..4d9f017a6 100755
--- a/src/conf_mode/system-timezone.py
+++ b/src/conf_mode/system-timezone.py
@@ -29,9 +29,12 @@ default_config_data = {
'name': 'UTC'
}
-def get_config():
+def get_config(config=None):
tz = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if conf.exists('system time-zone'):
tz['name'] = conf.return_value('system time-zone')
diff --git a/src/conf_mode/system-wifi-regdom.py b/src/conf_mode/system-wifi-regdom.py
index 30ea89098..874f93923 100755
--- a/src/conf_mode/system-wifi-regdom.py
+++ b/src/conf_mode/system-wifi-regdom.py
@@ -34,9 +34,12 @@ default_config_data = {
'deleted' : False
}
-def get_config():
+def get_config(config=None):
regdom = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['system', 'wifi-regulatory-domain']
# Check if interface has been removed
diff --git a/src/conf_mode/system_console.py b/src/conf_mode/system_console.py
index 6f83335f3..b17818797 100755
--- a/src/conf_mode/system_console.py
+++ b/src/conf_mode/system_console.py
@@ -26,8 +26,11 @@ airbag.enable()
by_bus_dir = '/dev/serial/by-bus'
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['system', 'console']
# retrieve configuration at once
diff --git a/src/conf_mode/system_lcd.py b/src/conf_mode/system_lcd.py
new file mode 100755
index 000000000..a540d1b9e
--- /dev/null
+++ b/src/conf_mode/system_lcd.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+#
+# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.util import call
+from vyos.util import find_device_file
+from vyos.template import render
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+lcdd_conf = '/run/LCDd/LCDd.conf'
+lcdproc_conf = '/run/lcdproc/lcdproc.conf'
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['system', 'lcd']
+ lcd = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True)
+ # Return (possibly empty) dictionary
+ return lcd
+
+def verify(lcd):
+ if not lcd:
+ return None
+
+ if 'model' in lcd and lcd['model'] in ['sdec']:
+ # This is a fixed LCD display, no device needed - bail out early
+ return None
+
+ if not {'device', 'model'} <= set(lcd):
+ raise ConfigError('Both device and driver must be set!')
+
+ return None
+
+def generate(lcd):
+ if not lcd:
+ return None
+
+ if 'device' in lcd:
+ lcd['device'] = find_device_file(lcd['device'])
+
+ # Render config file for daemon LCDd
+ render(lcdd_conf, 'lcd/LCDd.conf.tmpl', lcd, trim_blocks=True)
+ # Render config file for client lcdproc
+ render(lcdproc_conf, 'lcd/lcdproc.conf.tmpl', lcd, trim_blocks=True)
+
+ return None
+
+def apply(lcd):
+ if not lcd:
+ call('systemctl stop lcdproc.service LCDd.service')
+
+ for file in [lcdd_conf, lcdproc_conf]:
+ if os.path.exists(file):
+ os.remove(file)
+ else:
+ # Restart server
+ call('systemctl restart LCDd.service lcdproc.service')
+
+ return None
+
+if __name__ == '__main__':
+ try:
+ config_dict = get_config()
+ verify(config_dict)
+ generate(config_dict)
+ apply(config_dict)
+ except ConfigError as e:
+ print(e)
+ exit(1)
diff --git a/src/conf_mode/task_scheduler.py b/src/conf_mode/task_scheduler.py
index 51d8684cb..129be5d3c 100755
--- a/src/conf_mode/task_scheduler.py
+++ b/src/conf_mode/task_scheduler.py
@@ -53,8 +53,11 @@ def make_command(executable, arguments):
else:
return("sg vyattacfg \"{0}\"".format(executable))
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
conf.set_level("system task-scheduler task")
task_names = conf.list_nodes("")
tasks = []
diff --git a/src/conf_mode/tftp_server.py b/src/conf_mode/tftp_server.py
index d31851bef..ad5ee9c33 100755
--- a/src/conf_mode/tftp_server.py
+++ b/src/conf_mode/tftp_server.py
@@ -40,9 +40,12 @@ default_config_data = {
'listen': []
}
-def get_config():
+def get_config(config=None):
tftpd = deepcopy(default_config_data)
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
base = ['service', 'tftp-server']
if not conf.exists(base):
return None
diff --git a/src/conf_mode/vpn_anyconnect.py b/src/conf_mode/vpn_anyconnect.py
new file mode 100755
index 000000000..158e1a117
--- /dev/null
+++ b/src/conf_mode/vpn_anyconnect.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018-2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+from sys import exit
+
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.xml import defaults
+from vyos.template import render
+from vyos.util import call
+from vyos import ConfigError
+from crypt import crypt, mksalt, METHOD_SHA512
+
+from vyos import airbag
+airbag.enable()
+
+cfg_dir = '/run/ocserv'
+ocserv_conf = cfg_dir + '/ocserv.conf'
+ocserv_passwd = cfg_dir + '/ocpasswd'
+radius_cfg = cfg_dir + '/radiusclient.conf'
+radius_servers = cfg_dir + '/radius_servers'
+
+
+# Generate hash from user cleartext password
+def get_hash(password):
+ return crypt(password, mksalt(METHOD_SHA512))
+
+
+def get_config():
+ conf = Config()
+ base = ['vpn', 'anyconnect']
+ if not conf.exists(base):
+ return None
+
+ ocserv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+ default_values = defaults(base)
+ ocserv = dict_merge(default_values, ocserv)
+ return ocserv
+
+
+def verify(ocserv):
+ if ocserv is None:
+ return None
+
+ # Check authentication
+ if "authentication" in ocserv:
+ if "mode" in ocserv["authentication"]:
+ if "local" in ocserv["authentication"]["mode"]:
+ if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]:
+ raise ConfigError('Anyconect mode local required at leat one user')
+ else:
+ for user in ocserv["authentication"]["local_users"]["username"]:
+ if not "password" in ocserv["authentication"]["local_users"]["username"][user]:
+ raise ConfigError(f'password required for user {user}')
+ else:
+ raise ConfigError('anyconnect authentication mode required')
+ else:
+ raise ConfigError('anyconnect authentication credentials required')
+
+ # Check ssl
+ if "ssl" in ocserv:
+ req_cert = ['ca_cert_file', 'cert_file', 'key_file']
+ for cert in req_cert:
+ if not cert in ocserv["ssl"]:
+ raise ConfigError('anyconnect ssl {0} required'.format(cert.replace('_', '-')))
+ else:
+ raise ConfigError('anyconnect ssl required')
+
+ # Check network settings
+ if "network_settings" in ocserv:
+ if "push_route" in ocserv["network_settings"]:
+ # Replace default route
+ if "0.0.0.0/0" in ocserv["network_settings"]["push_route"]:
+ ocserv["network_settings"]["push_route"].remove("0.0.0.0/0")
+ ocserv["network_settings"]["push_route"].append("default")
+ else:
+ ocserv["network_settings"]["push_route"] = "default"
+ else:
+ raise ConfigError('anyconnect network settings required')
+
+
+def generate(ocserv):
+ if not ocserv:
+ return None
+
+ if "radius" in ocserv["authentication"]["mode"]:
+ # Render radius client configuration
+ render(radius_cfg, 'ocserv/radius_conf.tmpl', ocserv["authentication"]["radius"], trim_blocks=True)
+ # Render radius servers
+ render(radius_servers, 'ocserv/radius_servers.tmpl', ocserv["authentication"]["radius"], trim_blocks=True)
+ else:
+ if "local_users" in ocserv["authentication"]:
+ for user in ocserv["authentication"]["local_users"]["username"]:
+ ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"])
+ # Render local users
+ render(ocserv_passwd, 'ocserv/ocserv_passwd.tmpl', ocserv["authentication"]["local_users"], trim_blocks=True)
+
+ # Render config
+ render(ocserv_conf, 'ocserv/ocserv_config.tmpl', ocserv, trim_blocks=True)
+
+
+
+def apply(ocserv):
+ if not ocserv:
+ call('systemctl stop ocserv.service')
+ for file in [ocserv_conf, ocserv_passwd]:
+ if os.path.exists(file):
+ os.unlink(file)
+ else:
+ call('systemctl restart ocserv.service')
+
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 88df2902e..13831dcd8 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -70,8 +70,11 @@ default_config_data = {
'thread_cnt': get_half_cpus()
}
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base_path = ['vpn', 'l2tp', 'remote-access']
if not conf.exists(base_path):
return None
@@ -151,7 +154,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -162,6 +166,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py
index 4536692d2..9f3b40534 100755
--- a/src/conf_mode/vpn_pptp.py
+++ b/src/conf_mode/vpn_pptp.py
@@ -56,8 +56,11 @@ default_pptp = {
'thread_cnt': get_half_cpus()
}
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
base_path = ['vpn', 'pptp', 'remote-access']
if not conf.exists(base_path):
return None
@@ -111,7 +114,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -122,6 +126,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 4c4d8e403..7fc370f99 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -65,10 +65,13 @@ default_config_data = {
'thread_cnt' : get_half_cpus()
}
-def get_config():
+def get_config(config=None):
sstp = deepcopy(default_config_data)
base_path = ['vpn', 'sstp']
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if not conf.exists(base_path):
return None
@@ -118,7 +121,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -129,6 +133,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index 56ca813ff..2f4da0240 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -76,8 +76,11 @@ def vrf_routing(c, match):
return matched
-def get_config():
- conf = Config()
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
vrf_config = deepcopy(default_config_data)
cfg_base = ['vrf']
diff --git a/src/conf_mode/vrrp.py b/src/conf_mode/vrrp.py
index 292eb0c78..f1ceb261b 100755
--- a/src/conf_mode/vrrp.py
+++ b/src/conf_mode/vrrp.py
@@ -32,11 +32,14 @@ from vyos.ifconfig.vrrp import VRRP
from vyos import airbag
airbag.enable()
-def get_config():
+def get_config(config=None):
vrrp_groups = []
sync_groups = []
- config = vyos.config.Config()
+ if config:
+ config = config
+ else:
+ config = vyos.config.Config()
# Get the VRRP groups
for group_name in config.list_nodes("high-availability vrrp group"):
diff --git a/src/conf_mode/vyos_cert.py b/src/conf_mode/vyos_cert.py
index fb4644d5a..dc7c64684 100755
--- a/src/conf_mode/vyos_cert.py
+++ b/src/conf_mode/vyos_cert.py
@@ -103,10 +103,13 @@ def generate_self_signed(cert_data):
if san_config:
san_config.close()
-def get_config():
+def get_config(config=None):
vyos_cert = vyos.defaults.vyos_cert_data
- conf = Config()
+ if config:
+ conf = config
+ else:
+ conf = Config()
if not conf.exists('service https certificates system-generated-certificate'):
return None
else: