6 files changed, 261 insertions, 144 deletions

diff --git a/debian/changelog b/debian/changelog
index c9d925253..d64c66818 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-vyos-1x (1.4dev0) unstable; urgency=medium
+vyos-1x (1.5dev0) unstable; urgency=medium
 
   * Dummy changelog entry for vyos-1x repository
     This is a internal VyOS package and the VyOS package process does not use
@@ -7,4 +7,4 @@ vyos-1x (1.4dev0) unstable; urgency=medium
     The correct verion number of this package is auto-generated by GIT
     on build-time
 
- -- VyOS maintainers and contributors <maintainers@vyos.io>  Mon, 11 Jan 2021 19:02:53 +0100
+ -- VyOS maintainers and contributors <maintainers@vyos.io>  Sun, 10 Sep 2023 15:42:53 +0200
diff --git a/debian/control b/debian/control
index ee45a5fe3..32de13f1b 100644
--- a/debian/control
+++ b/debian/control
@@ -11,15 +11,17 @@ Build-Depends:
   libvyosconfig0 (>= 0.0.7),
   libzmq3-dev,
   python3 (>= 3.10),
-  python3-coverage,
+# For generating command definitions
   python3-lxml,
+  python3-xmltodict,
+# For running tests
+  python3-coverage,
   python3-netifaces,
   python3-nose,
   python3-jinja2,
   python3-psutil,
   python3-setuptools,
   python3-sphinx,
-  python3-xmltodict,
   quilt,
   whois
 Standards-Version: 3.9.6
@@ -31,106 +33,20 @@ Pre-Depends:
   libpam-tacplus [amd64],
   libpam-radius-auth [amd64]
 Depends:
+## Fundamentals
   ${python3:Depends} (>= 3.10),
-  aardvark-dns,
-  accel-ppp,
-  auditd,
-  avahi-daemon,
-  beep,
-  bmon,
-  bsdmainutils,
-  charon-systemd,
-  conntrack,
-  conntrackd,
-  conserver-client,
-  conserver-server,
-  console-data,
-  cron,
-  curl,
-  dbus,
-  ddclient (>= 3.9.1),
-  dropbear,
-  easy-rsa,
-  etherwake,
-  ethtool,
-  fdisk,
-  fastnetmon [amd64],
-  file,
-  frr (>= 7.5),
-  frr-pythontools,
-  frr-rpki-rtrlib,
-  frr-snmp,
-  fuse-overlayfs,
-  libpam-google-authenticator,
-  grc,
-  haproxy,
-  hostapd,
-  hsflowd,
-  hvinfo,
-  igmpproxy,
-  ipaddrcheck,
-  iperf,
-  iperf3,
-  iproute2 (>= 6.0.0),
-  iptables,
-  iputils-arping,
-  isc-dhcp-client,
-  isc-dhcp-relay,
-  isc-dhcp-server,
-  iw,
-  keepalived (>=2.0.5),
-  lcdproc,
-  lcdproc-extra-drivers,
-  libatomic1,
-  libauparse0,
-  libcharon-extra-plugins (>=5.9),
-  libcharon-extauth-plugins (>=5.9),
-  libndp-tools,
-  libnetfilter-conntrack3,
-  libnfnetlink0,
-  libqmi-utils,
-  libstrongswan-extra-plugins (>=5.9),
-  libstrongswan-standard-plugins (>=5.9),
-  libvppinfra [amd64],
   libvyosconfig0,
-  linux-cpupower,
-  lldpd,
-  lm-sensors,
-  lsscsi,
-  minisign,
-  modemmanager,
-  mtr-tiny,
-  ndisc6,
-  ndppd,
-  netavark,
-  netplug,
-  nfct,
-  nftables (>= 0.9.3),
-  nginx-light,
-  chrony,
-  nvme-cli,
-  ocserv,
-  opennhrp,
-  openssh-server,
-  openssl,
-  openvpn,
-  openvpn-auth-ldap,
-  openvpn-auth-radius,
-  openvpn-otp,
-  owamp-client,
-  owamp-server,
-  pciutils,
-  pdns-recursor,
-  pmacct (>= 1.6.0),
-  podman,
-  pppoe,
-  procps,
+  vyatta-bash,
+  vyatta-cfg,
+  vyos-http-api-tools,
+  vyos-utils,
+## End of Fundamentals
+## Python libraries used in multiple modules and scripts
   python3,
   python3-certbot-nginx,
   python3-cryptography,
   python3-hurry.filesize,
   python3-inotify,
-  python3-isc-dhcp-leases,
   python3-jinja2,
   python3-jmespath,
   python3-netaddr,
@@ -143,57 +59,257 @@ Depends:
   python3-pyudev,
   python3-six,
   python3-tabulate,
-  python3-vici (>= 5.7.2),
   python3-voluptuous,
-  python3-vpp-api [amd64],
   python3-xmltodict,
   python3-zmq,
+## End of Python libraries
+## Basic System services and utilities
+  sudo,
+  systemd,
+  bsdmainutils,
+  openssl,
+  curl,
+  dbus,
+  file,
+  iproute2 (>= 6.0.0),
+  linux-cpupower,
+# ipaddrcheck is widely used in IP value validators
+  ipaddrcheck,
+  ethtool,
+  fdisk,
+  lm-sensors,
+  procps,
+  netplug,
+  sed,
+  ssl-cert,
+  tuned,
+  beep,
+  wide-dhcpv6-client,
+# Generic colorizer
+  grc,
+## End of System services and utilities
+## For the installer
+# Image signature verification tool
+  minisign,
+# Live filesystem tools
+  squashfs-tools,
+  fuse-overlayfs,
+## End installer
+  auditd,
+  iputils-arping,
+  isc-dhcp-client,
+# For "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
+  accel-ppp,
+# End "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
+  avahi-daemon,
+  conntrack,
+  conntrackd,
+## Conf mode features
+# For "interfaces wireless"
+  hostapd,
+  hsflowd,
+  iw,
+  wireless-regdb,
+  wpasupplicant (>= 0.6.7),
+# End "interfaces wireless"
+# For "interfaces wwan"
+  modemmanager,
+  usb-modeswitch,
+  libqmi-utils,
+# End "interfaces wwan"
+# For "interfaces openvpn"
+  openvpn,
+  openvpn-auth-ldap,
+  openvpn-auth-radius,
+  openvpn-otp,
+  libpam-google-authenticator,
+# End "interfaces openvpn"
+# For "interfaces wireguard"
+  wireguard-tools,
   qrencode,
+# End "interfaces wireguard"
+# For "interfaces pppoe"
+  pppoe,
+# End "interfaces pppoe"
+# For "interfaces sstpc"
+  sstp-client,
+# End "interfaces sstpc"
+# For "protocols *"
+  frr (>= 7.5),
+  frr-pythontools,
+  frr-rpki-rtrlib,
+  frr-snmp,
+# End "protocols *"
+# For "protocols nhrp" (part of DMVPN)
+  opennhrp,
+# End "protocols nhrp"
+# For "protocols igmp-proxy"
+  igmpproxy,
+# End "protocols igmp-proxy"
+# For "service console-server"
+  conserver-client,
+  conserver-server,
+  console-data,
+  dropbear,
+# End "service console-server"
+# For "set service aws glb"
+  aws-gwlbtun,
+# For "service dns dynamic"
+  ddclient (>= 3.9.1),
+# End "service dns dynamic"
+# # For "service ids"
+  fastnetmon [amd64],
+# End "service ids"
+# For "service router-advert"
   radvd,
+# End "service route-advert"
+# For "high-availability reverse-proxy"
+  haproxy,
+# End "high-availability reverse-proxy"
+# For "service dhcp-relay"
+  isc-dhcp-relay,
+# For "service dhcp-server"
+  isc-dhcp-server,
+  python3-isc-dhcp-leases,
+# End "service dhcp-server"
+# For "service lldp"
+  lldpd,
+# End "service lldp"
+# For "service https"
+  nginx-light,
+# End "service https"
+# For "service ssh"
+  openssh-server,
+  sshguard,
+# End "service ssh"
+# For "service salt-minion"
   salt-minion,
-  sed,
-  smartmontools,
+# End "service salt-minion"
+# For "service snmp"
   snmp,
   snmpd,
-  squashfs-tools,
+# End "service snmp"
+# For "service upnp"
+  miniupnpd-nftables,
+# End "service upnp"
+# For "service webproxy"
   squid,
   squidclient,
   squidguard,
-  sshguard,
-  ssl-cert,
-  sstp-client,
-  strongswan (>= 5.9),
-  strongswan-swanctl (>= 5.9),
-  stunnel4,
-  sudo,
-  systemd,
+# End "service webproxy"
+# For "service monitoring telegraf"
   telegraf (>= 1.20),
-  tcpdump,
-  tcptraceroute,
-  telnet,
+# End "service monitoring telegraf"
+# For "service monitoring zabbix-agent"
+  zabbix-agent2,
+# End "service monitoring zabbix-agent"
+# For "service tftp-server"
   tftpd-hpa,
-  traceroute,
-  tuned,
+# End "service tftp-server"
+# For "service dns forwarding"
+  pdns-recursor,
+# End "service dns forwarding"
+# For "service sla owamp"
+  owamp-client,
+  owamp-server,
+# End "service sla owamp"
+# For "service sla twamp"
   twamp-client,
   twamp-server,
+# End "service sla twamp"
+# For "service broadcast-relay"
   udp-broadcast-relay,
-  uidmap,
-  usb-modeswitch,
+# End "service broadcast-relay"
+# For "high-availability vrrp"
+  keepalived (>=2.0.5),
+# End "high-availability-vrrp"
+# For "system task-scheduler"
+  cron,
+# End "system task-scheduler"
+# For "system lcd"
+  lcdproc,
+  lcdproc-extra-drivers,
+# End "system lcd"
+# For firewall
+  libndp-tools,
+  libnetfilter-conntrack3,
+  libnfnetlink0,
+  nfct,
+  nftables (>= 0.9.3),
+# For "vpn ipsec"
+  strongswan (>= 5.9),
+  strongswan-swanctl (>= 5.9),
+  charon-systemd,
+  libcharon-extra-plugins (>=5.9),
+  libcharon-extauth-plugins (>=5.9),
+  libstrongswan-extra-plugins (>=5.9),
+  libstrongswan-standard-plugins (>=5.9),
+  python3-vici (>= 5.7.2),
+# End "vpn ipsec"
+# For nat66
+  ndppd,
+# End nat66
+# For "system ntp"
+  chrony,
+# End "system ntp"
+# For "vpn openconnect"
+  ocserv,
+# End "vpn openconnect"
+# For "set system flow-accounting"
+  pmacct (>= 1.6.0),
+# End "set system flow-accounting"
+# For container
+  podman,
+  netavark,
+  aardvark-dns,
+# iptables is only used for containers now, not the the firewall CLI
+  iptables,
+# End container
+## End Configuration mode
+## Operational mode
+# Used for hypervisor model in "run show version"
+  hvinfo,
+# For "run traceroute"
+  traceroute,
+# For "run monitor traffic"
+  tcpdump,
+# End "run monitor traffic"
+# For "run show hardware storage smart"
+  smartmontools,
+# For "run show hardware scsi"
+  lsscsi,
+# For "run show hardware pci"
+  pciutils,
+# For "show hardware usb"
   usbutils,
+# For "run show hardware storage nvme"
+  nvme-cli,
+# For "run monitor bandwidth-test"
+  iperf,
+  iperf3,
+# End "run monitor bandwidth-test"
+# For "run wake-on-lan"
+  etherwake,
+# For "run force ipv6-nd"
+  ndisc6,
+# For "run monitor bandwidth"
+  bmon,
+# End Operational mode
+## VPP
   vpp [amd64],
   vpp-plugin-core [amd64],
   vpp-plugin-dpdk [amd64],
-  vyatta-bash,
-  vyatta-cfg,
-  vyos-http-api-tools,
-  vyos-utils,
-  wide-dhcpv6-client,
-  wireguard-tools,
-  wireless-regdb,
-  wpasupplicant (>= 0.6.7),
-  zabbix-agent2,
-  ndppd,
-  miniupnpd-nftables
+  python3-vpp-api [amd64],
+  libvppinfra [amd64],
+## End VPP
+## Optional utilities
+  easy-rsa,
+  tcptraceroute,
+  mtr-tiny,
+  telnet,
+  stunnel4,
+  uidmap
+## End optional utilities
 Description: VyOS configuration scripts and data
  VyOS configuration scripts, interface definitions, and everything
 
diff --git a/debian/rules b/debian/rules
index e6bbeeafb..9a6ab2996 100755
--- a/debian/rules
+++ b/debian/rules
@@ -117,6 +117,10 @@ override_dh_auto_install:
 	mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config/
 	cp -r smoketest/configs/* $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config
 
+	# Install smoke test config tests
+	mkdir -p $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config-tests/
+	cp -r smoketest/config-tests/* $(DIR)/$(VYOS_LIBEXEC_DIR)/tests/config-tests
+
 	# Install system programs
 	mkdir -p $(DIR)/$(VYOS_BIN_DIR)
 	cp -r smoketest/bin/* $(DIR)/$(VYOS_BIN_DIR)
diff --git a/debian/vyos-1x-smoketest.install b/debian/vyos-1x-smoketest.install
index 406fef4be..739cb189b 100644
--- a/debian/vyos-1x-smoketest.install
+++ b/debian/vyos-1x-smoketest.install
@@ -3,3 +3,4 @@ usr/bin/vyos-configtest
 usr/bin/vyos-configtest-pki
 usr/libexec/vyos/tests/smoke
 usr/libexec/vyos/tests/config
+usr/libexec/vyos/tests/config-tests
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index b43416152..860319edf 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -29,14 +29,9 @@ do
     sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
 done
 
-# We do not make use of a TACACS UNIX group - drop it
-if grep -q '^tacacs' /etc/group; then
-    delgroup tacacs
-fi
-
-# Both RADIUS and TACACS users belong to aaa group - this must be added first
-if ! grep -q '^aaa' /etc/group; then
-    addgroup --firstgid 1000 --quiet aaa
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+    addgroup --firstgid 1000 --quiet radius
 fi
 
 # Remove TACACS user added by base package - we use our own UID range and group
@@ -53,6 +48,11 @@ if grep -q '^tacacs' /etc/passwd; then
     fi
 fi
 
+# Remove TACACS+ PAM default profile
+if [[ -e /usr/share/pam-configs/tacplus ]]; then
+    rm /usr/share/pam-configs/tacplus
+fi
+
 # Add TACACS system users required for TACACS based system authentication
 if ! grep -q '^tacacs' /etc/passwd; then
     # Add the tacacs group and all 16 possible tacacs privilege-level users to
@@ -64,14 +64,13 @@ if ! grep -q '^tacacs' /etc/passwd; then
     level=0
     vyos_group=vyattaop
     while [ $level -lt 16 ]; do
-        adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \
+        adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
             --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
             --shell /bin/vbash tacacs${level}
         adduser --quiet tacacs${level} frrvty
         adduser --quiet tacacs${level} adm
         adduser --quiet tacacs${level} dip
         adduser --quiet tacacs${level} users
-        adduser --quiet tacacs${level} aaa
         if [ $level -lt 15 ]; then
             adduser --quiet tacacs${level} vyattaop
             adduser --quiet tacacs${level} operator
@@ -87,7 +86,7 @@ fi
 
 # Add RADIUS operator user for RADIUS authenticated users to map to
 if ! grep -q '^radius_user' /etc/passwd; then
-    adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
         --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
         --shell /sbin/radius_shell radius_user
     adduser --quiet radius_user frrvty
@@ -96,12 +95,11 @@ if ! grep -q '^radius_user' /etc/passwd; then
     adduser --quiet radius_user adm
     adduser --quiet radius_user dip
     adduser --quiet radius_user users
-    adduser --quiet radius_user aaa
 fi
 
 # Add RADIUS admin user for RADIUS authenticated users to map to
 if ! grep -q '^radius_priv_user' /etc/passwd; then
-    adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
         --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
         --shell /sbin/radius_shell radius_priv_user
     adduser --quiet radius_priv_user frrvty
@@ -112,7 +110,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
     adduser --quiet radius_priv_user disk
     adduser --quiet radius_priv_user users
     adduser --quiet radius_priv_user frr
-    adduser --quiet radius_priv_user aaa
 fi
 
 # add hostsd group for vyos-hostsd
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index e355ffa84..9bd6331a8 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -2,11 +2,10 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty
 dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
 dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
 dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius
-dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
 dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
 dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile
 dpkg-divert --package vyos-1x --add --no-rename /etc/sysctl.d/80-vpp.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplugd.conf
 dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplug
+dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.d/45-frr.conf