10 files changed, 31 insertions, 0 deletions

diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 6566e8863..44342f289 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -84,6 +84,18 @@ def verify_mtu_ipv6(config):
             tmp = dict_search('ipv6.address.eui64', config)
             if tmp != None: raise ConfigError(error_msg)
 
+def verify_bond_bridge_member(config):
+    """
+    Checks if interface has a VRF configured and is also part of a bond or
+    bridge, which is not allowed!
+    """
+    if 'vrf' in config:
+        ifname = config['ifname']
+        if 'is_bond_member' in config:
+            raise ConfigError(f'Can not add interface "{ifname}" to bond, it has a VRF assigned!')
+        if 'is_bridge_member' in config:
+            raise ConfigError(f'Can not add interface "{ifname}" to bridge, it has a VRF assigned!')
+
 def verify_tunnel(config):
     """
     This helper is used to verify the common part of the tunnel
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index de851262b..e8236bf89 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -30,6 +30,7 @@ from vyos.configverify import verify_mtu
 from vyos.configverify import verify_mtu_ipv6
 from vyos.configverify import verify_vlan_config
 from vyos.configverify import verify_vrf
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ethtool import Ethtool
 from vyos.ifconfig import EthernetIf
 from vyos.template import render
@@ -67,6 +68,7 @@ def verify(ethernet):
     verify_dhcpv6(ethernet)
     verify_address(ethernet)
     verify_vrf(ethernet)
+    verify_bond_bridge_member(ethernet)
     verify_eapol(ethernet)
     verify_mirror(ethernet)
 
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py
index f49d5b304..a5213fbce 100755
--- a/src/conf_mode/interfaces-geneve.py
+++ b/src/conf_mode/interfaces-geneve.py
@@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed
 from vyos.configverify import verify_address
 from vyos.configverify import verify_mtu_ipv6
 from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import GeneveIf
 from vyos import ConfigError
 
@@ -59,6 +60,7 @@ def verify(geneve):
 
     verify_mtu_ipv6(geneve)
     verify_address(geneve)
+    verify_bond_bridge_member(geneve)
 
     if 'remote' not in geneve:
         raise ConfigError('Remote side must be configured')
diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py
index 9b6ddd5aa..c1ed8ec59 100755
--- a/src/conf_mode/interfaces-l2tpv3.py
+++ b/src/conf_mode/interfaces-l2tpv3.py
@@ -25,6 +25,7 @@ from vyos.configdict import leaf_node_changed
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import L2TPv3If
 from vyos.util import check_kmod
 from vyos.validate import is_addr_assigned
@@ -76,6 +77,7 @@ def verify(l2tpv3):
 
     verify_mtu_ipv6(l2tpv3)
     verify_address(l2tpv3)
+    verify_bond_bridge_member(l2tpv3)
     return None
 
 def generate(l2tpv3):
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index bfebed7e4..6ec34a961 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -30,6 +30,7 @@ from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_mtu_ipv6
 from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_bond_bridge_member
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -66,6 +67,7 @@ def verify(macsec):
     verify_vrf(macsec)
     verify_mtu_ipv6(macsec)
     verify_address(macsec)
+    verify_bond_bridge_member(macsec)
 
     if not (('security' in macsec) and
             ('cipher' in macsec['security'])):
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index f7edddcbf..7d20b3fd0 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -33,6 +33,7 @@ from vyos.configdict import is_node_changed
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_diffie_hellman_length
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import VTunIf
 from vyos.template import render
 from vyos.template import is_ipv4
@@ -425,6 +426,7 @@ def verify(openvpn):
             raise ConfigError('Username for authentication is missing')
 
     verify_vrf(openvpn)
+    verify_bond_bridge_member(openvpn)
 
     return None
 
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index c4023586a..3bfc7d665 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_interface_exists
 from vyos.configverify import verify_mtu_ipv6
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_tunnel
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import Interface
 from vyos.ifconfig import Section
 from vyos.ifconfig import TunnelIf
@@ -137,6 +138,7 @@ def verify(tunnel):
     verify_mtu_ipv6(tunnel)
     verify_address(tunnel)
     verify_vrf(tunnel)
+    verify_bond_bridge_member(tunnel)
 
     if 'source_interface' in tunnel:
         verify_interface_exists(tunnel['source_interface'])
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py
index 5ee4603af..bdf47eba0 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces-vxlan.py
@@ -26,6 +26,7 @@ from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_mtu_ipv6
 from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import Interface
 from vyos.ifconfig import VXLANIf
 from vyos.template import is_ipv6
@@ -113,6 +114,8 @@ def verify(vxlan):
 
     verify_mtu_ipv6(vxlan)
     verify_address(vxlan)
+    verify_bond_bridge_member(vxlan)
+
     return None
 
 def generate(vxlan):
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index 024ab8f59..34e80cca3 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -28,6 +28,7 @@ from vyos.configverify import verify_vrf
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_mtu_ipv6
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import WireGuardIf
 from vyos.util import check_kmod
 from vyos import ConfigError
@@ -69,6 +70,7 @@ def verify(wireguard):
     verify_mtu_ipv6(wireguard)
     verify_address(wireguard)
     verify_vrf(wireguard)
+    verify_bond_bridge_member(wireguard)
 
     if not os.path.exists(wireguard['private_key']):
         raise ConfigError('Wireguard private-key not found! Execute: ' \
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index b25fcd4e0..7e967ed79 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -29,6 +29,7 @@ from vyos.configverify import verify_dhcpv6
 from vyos.configverify import verify_source_interface
 from vyos.configverify import verify_vlan_config
 from vyos.configverify import verify_vrf
+from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import WiFiIf
 from vyos.template import render
 from vyos.util import call
@@ -188,6 +189,7 @@ def verify(wifi):
 
     verify_address(wifi)
     verify_vrf(wifi)
+    verify_bond_bridge_member(wifi)
 
     # use common function to verify VLAN configuration
     verify_vlan_config(wifi)