-rw-r--r-- | data/configd-include.json | 1 | ||||
-rw-r--r-- | interface-definitions/include/constraint/interface-name.xml.i | 2 | ||||
-rw-r--r-- | interface-definitions/service_aws_glb.xml.in | 127 | ||||
-rwxr-xr-x | op-mode-definitions/generate-system-login-user.xml.in | 12 | ||||
-rw-r--r-- | python/vyos/configverify.py | 19 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_tunnel.py | 16 | ||||
-rwxr-xr-x | src/conf_mode/interfaces_tunnel.py | 4 | ||||
-rwxr-xr-x | src/migration-scripts/firewall/6-to-7 | 9 |
8 files changed, 45 insertions, 145 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index dc00f0698..fe27ae2b7 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -54,7 +54,6 @@
 "protocols_static_multicast.py",
 "protocols_static_neighbor-proxy.py",
 "qos.py",
-"service_aws_glb.py",
 "service_broadcast-relay.py",
 "service_config-sync.py",
 "service_conntrack-sync.py",
diff --git a/interface-definitions/include/constraint/interface-name.xml.i b/interface-definitions/include/constraint/interface-name.xml.i
index 1b14eabf5..3e7c4e667 100644
--- a/interface-definitions/include/constraint/interface-name.xml.i
+++ b/interface-definitions/include/constraint/interface-name.xml.i
@@ -1,4 +1,4 @@
 <!-- include start from constraint/interface-name.xml.i -->
-<regex>(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo</regex>
+<regex>(bond|br|dum|en|ersp|eth|gnv|ifb|ipoe|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|sstpc|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo</regex>
 <validator name="file-path --lookup-path /sys/class/net --directory"/>
 <!-- include end -->
diff --git a/interface-definitions/service_aws_glb.xml.in b/interface-definitions/service_aws_glb.xml.in
deleted file mode 100644
index c749fd04e..000000000
--- a/interface-definitions/service_aws_glb.xml.in
+++ /dev/null
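Review bot: The unescaped `.` in `(.\d+)?` on the rewritten `<regex>` line of interface-name.xml.i matches any single character, so a name like `eth0x1` satisfies the regex just as `eth0.10` does; the intent is almost certainly a literal dot, `[0-9]+(\.\d+)?|lo`. This predates the commit, but the line is being rewritten here anyway to add `ipoe` and `sstpc`, so it is the natural place to tighten it. The `file-path --lookup-path /sys/class/net --directory` validator that follows restricts the accepted values to interfaces that actually exist, so this is a first-stage constraint fix rather than a live bypass.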
@@ -1,127 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="service">
- <children>
- <node name="aws">
- <properties>
- <help>Amazon Web Service</help>
- <priority>1280</priority>
- </properties>
- <children>
- <node name="glb" owner="${vyos_conf_scripts_dir}/service_aws_glb.py">
- <properties>
- <help>Gateway load-balancer tunnel handler</help>
- </properties>
- <children>
- <node name="script">
- <properties>
- <help>Script executed on create or destroy tunnel</help>
- </properties>
- <children>
- <leafNode name="on-create">
- <properties>
- <help>Script to run when interface is created</help>
- <constraint>
- <validator name="script"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="on-destroy">
- <properties>
- <help>Script to run when interface is destroyed</help>
- <constraint>
- <validator name="script"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="status">
- <properties>
- <help>Status</help>
- </properties>
- <children>
- <leafNode name="format">
- <properties>
- <help>Statistic format</help>
- <completionHelp>
- <list>simple full</list>
- </completionHelp>
- <valueHelp>
- <format>simple</format>
- <description>Simple format</description>
- </valueHelp>
- <valueHelp>
- <format>full</format>
- <description>Full format</description>
- </valueHelp>
- <constraint>
- <regex>(simple|full)</regex>
- </constraint>
- </properties>
- </leafNode>
- #include <include/port-number.xml.i>
- </children>
- </node>
- <node name="threads">
- <properties>
- <help>Threads settings</help>
- </properties>
- <children>
- <leafNode name="tunnel">
- <properties>
- <help>Number of threads for each tunnel processor</help>
- <valueHelp>
- <format>u32:1-256</format>
- <description>Number of threads</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-256"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="tunnel-affinity">
- <properties>
- <help>List of cores worker threads</help>
- <valueHelp>
- <format><idN>-<idM></format>
- <description>CPU core id range (use '-' as delimiter)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--allow-range --range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="udp">
- <properties>
- <help>Number of threads for UDP receiver</help>
- <valueHelp>
- <format>u32:1-256</format>
- <description>Number of threads</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-256"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="udp-affinity">
- <properties>
- <help>List of cores worker threads</help>
- <valueHelp>
- <format><idN>-<idM></format>
- <description>CPU core id range (use '-' as delimiter)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--allow-range --range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index bd80840df..6f65c12b3 100755
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -35,19 +35,19 @@
 <properties>
 <help>Duration of single time interval</help>
 </properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9"</command>
 <children>
 <tagNode name="rate-time">
 <properties>
 <help>The number of digits in the one-time password</help>
 </properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" </command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" </command>
 <children>
 <tagNode name="window-size">
 <properties>
 <help>The number of digits in the one-time password</help>
 </properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" --window-size "${13}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" --window_size "${13}"</command>
 </tagNode>
 </children>
 </tagNode>
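Review bot: The renamed options `--rate_limit`, `--rate_time` and `--window_size` in the `<command>` lines of this hunk and the next one (`@@ -57,19 +57,19 @@`) have to agree with the argparse definitions in generate_system_login_user.py, which is not part of this diff; argparse does not treat `-` and `_` in long option names as interchangeable, so a mismatch surfaces only at runtime when an operator runs the command. A smoketest that exercises `generate system login user ... rate-limit ... rate-time ... window-size` would pin the two sides together. Separately, the context `<help>` texts under the `rate-time` and `window-size` tagNodes in this hunk both read `The number of digits in the one-time password`, which looks copied from a sibling node and should describe the time interval and the window size respectively.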
@@ -57,19 +57,19 @@
 <properties>
 <help>The number of digits in the one-time password</help>
 </properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window-size "${9}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window_size "${9}"</command>
 <children>
 <tagNode name="rate-limit">
 <properties>
 <help>Duration of single time interval</help>
 </properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --window-size "${9}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --window_size "${9}"</command>
 <children>
 <tagNode name="rate-time">
 <properties>
 <help>Duration of single time interval</help>
 </properties>
- <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --rate-time "${13}" --window-size "${9}"</command>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --rate_time "${13}" --window_size "${9}"</command>
 </tagNode>
 </children>
 </tagNode>
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 27055c863..85423142d 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -281,16 +281,22 @@ def verify_source_interface(config): perform recurring validation of the existence of a source-interface required by e.g. peth/MACvlan, MACsec ... """ + import re from netifaces import interfaces - if 'source_interface' not in config: - raise ConfigError('Physical source-interface required for ' - 'interface "{ifname}"'.format(**config)) - if config['source_interface'] not in interfaces(): - raise ConfigError('Specified source-interface {source_interface} does ' - 'not exist'.format(**config)) + ifname = config['ifname'] + if 'source_interface' not in config: + raise ConfigError(f'Physical source-interface required for "{ifname}"!') src_ifname = config['source_interface'] + # We do not allow sourcing other interfaces (e.g. tunnel) from dynamic interfaces + tmp = re.compile(r'(ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+') + if tmp.match(src_ifname): + raise ConfigError(f'Can not source "{ifname}" from dynamic interface "{src_ifname}"!') + + if src_ifname not in interfaces(): + raise ConfigError(f'Specified source-interface {src_ifname} does not exist') + if 'source_interface_is_bridge_member' in config: bridge_name = next(iter(config['source_interface_is_bridge_member'])) raise ConfigError(f'Invalid source-interface "{src_ifname}". Interface ' @@ -303,7 +309,6 @@ def verify_source_interface(config): if 'is_source_interface' in config: tmp = config['is_source_interface'] - src_ifname = config['source_interface'] raise ConfigError(f'Can not use source-interface "{src_ifname}", it already ' \ f'belongs to interface "{tmp}"!') diff --git a/smoketest/scripts/cli/test_interfaces_tunnel.py b/smoketest/scripts/cli/test_interfaces_tunnel.py index 2a7a519fd..dd9f1d2d1 100755 --- a/smoketest/scripts/cli/test_interfaces_tunnel.py +++ b/smoketest/scripts/cli/test_interfaces_tunnel.py 
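Review bot: The dynamic-interface prefix list `(ppp|pppoe|sstpc|l2tp|ipoe)` is now maintained in two places — the regex compiled inside verify_source_interface here and the names added to interface-name.xml.i in the same commit — and it is recompiled on every call under the throwaway name `tmp`, which the second hunk (`@@ -303,7 +309,6 @@`) then rebinds to `config['is_source_interface']`. Hoist it to a module-level constant, e.g. `DYNAMIC_INTERFACE_RE = re.compile(r'(ppp|pppoe|sstpc|l2tp|ipoe)[0-9]+')  # keep in sync with interface-definitions/include/constraint/interface-name.xml.i`, test with `if DYNAMIC_INTERFACE_RE.match(src_ifname):`, and move `import re` to the top of the file with the other imports. Note that `ifname = config['ifname']` now executes unconditionally, so any caller whose dict lacks `ifname` gets a KeyError where the old code only needed that key on the error path; if every interface dict is guaranteed to carry it, a one-line comment stating that would make the assumption explicit. The body of verify_source_interface starts before and ends after these hunks.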
@@ -393,5 +393,21 @@ class TunnelInterfaceTest(BasicInterfaceTest.TestCase): self.assertEqual(tunnel_config['encapsulation'], conf['linkinfo']['info_kind']) self.assertEqual(tunnel_config['remote'], conf['linkinfo']['info_data']['remote']) + def test_tunnel_invalid_source_interface(self): + encapsulation = 'gre' + remote = '192.0.2.1' + interface = 'tun7543' + + self.cli_set(self._base_path + [interface, 'encapsulation', encapsulation]) + self.cli_set(self._base_path + [interface, 'remote', remote]) + + for dynamic_interface in ['l2tp0', 'ppp4220', 'sstpc0', 'ipoe654']: + self.cli_set(self._base_path + [interface, 'source-interface', dynamic_interface]) + # verify() - we can not source from dynamic interfaces + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_set(self._base_path + [interface, 'source-interface', 'eth0']) + self.cli_commit() + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/interfaces_tunnel.py b/src/conf_mode/interfaces_tunnel.py index 91aed9cc3..efa5ebc64 100755 --- a/src/conf_mode/interfaces_tunnel.py +++ b/src/conf_mode/interfaces_tunnel.py @@ -24,7 +24,7 @@ from vyos.configdict import get_interface_dict from vyos.configdict import is_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete -from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_source_interface from vyos.configverify import verify_mtu_ipv6 from vyos.configverify import verify_mirror_redirect from vyos.configverify import verify_vrf @@ -166,7 +166,7 @@ def verify(tunnel): verify_mirror_redirect(tunnel) if 'source_interface' in tunnel: - verify_interface_exists(tunnel['source_interface']) + verify_source_interface(tunnel) # TTL != 0 and nopmtudisc are incompatible, parameters and ip use default # values, thus the keys are always present. 
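Review bot: The new test only asserts that `self.cli_commit()` raises ConfigSessionError for `l2tp0`, `ppp4220`, `sstpc0` and `ipoe654`, but none of those interfaces exist on the test host, so the existence check in verify_source_interface (`Specified source-interface ... does not exist`) would make the loop pass even if the dynamic-interface rejection were removed. If ConfigSessionError carries the commit output, tighten it to `with self.assertRaisesRegex(ConfigSessionError, 'dynamic interface'):` so the test pins the new check rather than the pre-existing one; otherwise capture the error text another way. The comment `# verify() - we can not source from dynamic interfaces` should then also say that the message, not just the failure, is what is being checked.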
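Review bot: Replacing `verify_interface_exists(tunnel['source_interface'])` with `verify_source_interface(tunnel)` in verify() does more than add the dynamic-interface rejection: the helper (see the configverify.py hunks) also raises on `source_interface_is_bridge_member` and `is_source_interface`, so whether those branches are reachable for tunnels depends on keys that get_interface_dict may or may not populate, which is not visible here. If the broader checks are intended for tunnels, a short comment at the call site, e.g. `# also rejects dynamic, bridge-member and already-claimed source interfaces`, would record that; if they are not, this is a behaviour change the commit does not describe. The body of verify(tunnel) continues outside the hunk.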
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index 9ad887acc..b918833e9 100755
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -73,6 +73,7 @@ icmp_translations = {
 # Time Exceeded
 'ttl-zero-during-transit': [11, 0],
 'ttl-zero-during-reassembly': [11, 1],
+ 'ttl-exceeded': 'time-exceeded',
 # Parameter Problem
 'ip-header-bad': [12, 0],
 'required-option-missing': [12, 1]
@@ -87,8 +88,14 @@ icmpv6_translations = {
 'communication-prohibited': [1, 1],
 'address-unreachble': [1, 3],
 'port-unreachable': [1, 4],
- # Redirect
+ # nd
 'redirect': 'nd-redirect',
+ 'router-solicitation': 'nd-router-solicit',
+ 'router-advertisement': 'nd-router-advert',
+ 'neighbour-solicitation': 'nd-neighbor-solicit',
+ 'neighbor-solicitation': 'nd-neighbor-solicit',
+ 'neighbour-advertisement': 'nd-neighbor-advert',
+ 'neighbor-advertisement': 'nd-neighbor-advert',
 # Time Exceeded
 'ttl-zero-during-transit': [3, 0],
 'ttl-zero-during-reassembly': [3, 1],
|
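Review bot: `'ttl-exceeded': 'time-exceeded'` is the first string-valued entry visible in `icmp_translations`, whose other entries in this hunk are `[type, code]` lists; the code that consumes the dict is outside the hunk, so unless it already branches on the value type the way the icmpv6 path must for `'redirect': 'nd-redirect'`, the migration may fail on the first config that used `ttl-exceeded`. A short comment next to the new entry, e.g. `# str values name an nftables icmp type, lists are [type, code]`, would document the dual representation for whoever extends either dict next. The context key `'address-unreachble'` is misspelled, but since the key is the legacy CLI value being migrated it must match what the old interface definition accepted, so it should not be corrected without checking that.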