9 files changed, 179 insertions, 23 deletions

diff --git a/python/vyos/configdep.py b/python/vyos/configdep.py
index e6b82ca93..d4b2cc78f 100644
--- a/python/vyos/configdep.py
+++ b/python/vyos/configdep.py
@@ -14,11 +14,21 @@
 # along with this library.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
+import json
+import typing
 from inspect import stack
 
 from vyos.util import load_as_module
+from vyos.defaults import directories
+from vyos.configsource import VyOSError
+from vyos import ConfigError
 
-dependents = {}
+# https://peps.python.org/pep-0484/#forward-references
+# for type 'Config'
+if typing.TYPE_CHECKING:
+    from vyos.config import Config
+
+dependent_func: dict[str, list[typing.Callable]] = {}
 
 def canon_name(name: str) -> str:
     return os.path.splitext(name)[0].replace('-', '_')
@@ -30,9 +40,22 @@ def canon_name_of_path(path: str) -> str:
 def caller_name() -> str:
     return stack()[-1].filename
 
-def run_config_mode_script(script: str, config):
-    from vyos.defaults import directories
+def read_dependency_dict() -> dict:
+    path = os.path.join(directories['data'],
+                        'config-mode-dependencies.json')
+    with open(path) as f:
+        d = json.load(f)
+    return d
+
+def get_dependency_dict(config: 'Config') -> dict:
+    if hasattr(config, 'cached_dependency_dict'):
+        d = getattr(config, 'cached_dependency_dict')
+    else:
+        d = read_dependency_dict()
+        setattr(config, 'cached_dependency_dict', d)
+    return d
 
+def run_config_mode_script(script: str, config: 'Config'):
     path = os.path.join(directories['conf_mode'], script)
     name = canon_name(script)
     mod = load_as_module(name, path)
@@ -46,20 +69,27 @@ def run_config_mode_script(script: str, config):
     except (VyOSError, ConfigError) as e:
         raise ConfigError(repr(e))
 
-def def_closure(script: str, config):
+def def_closure(target: str, config: 'Config',
+                tagnode: typing.Optional[str] = None) -> typing.Callable:
+    script = target + '.py'
     def func_impl():
+        if tagnode:
+            os.environ['VYOS_TAGNODE_VALUE'] = tagnode
         run_config_mode_script(script, config)
     return func_impl
 
-def set_dependent(target: str, config):
+def set_dependents(case: str, config: 'Config',
+                   tagnode: typing.Optional[str] = None):
+    d = get_dependency_dict(config)
     k = canon_name_of_path(caller_name())
-    l = dependents.setdefault(k, [])
-    func = def_closure(target, config)
-    l.append(func)
+    l = dependent_func.setdefault(k, [])
+    for target in d[k][case]:
+        func = def_closure(target, config, tagnode)
+        l.append(func)
 
 def call_dependents():
     k = canon_name_of_path(caller_name())
-    l = dependents.get(k, [])
+    l = dependent_func.get(k, [])
     while l:
         f = l.pop(0)
         f()
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index afa0c5b33..8e0ce701e 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -388,8 +388,10 @@ def verify_accel_ppp_base_service(config, local_users=True):
     """
     # vertify auth settings
     if local_users and dict_search('authentication.mode', config) == 'local':
-        if dict_search(f'authentication.local_users', config) == None:
-            raise ConfigError('Authentication mode local requires local users to be configured!')
+        if (dict_search(f'authentication.local_users', config) is None or
+                dict_search(f'authentication.local_users', config) == {}):
+            raise ConfigError(
+                'Authentication mode local requires local users to be configured!')
 
         for user in dict_search('authentication.local_users.username', config):
             user_config = config['authentication']['local_users']['username'][user]
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 59ec4948f..429c44802 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -113,12 +113,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
         if side in rule_conf:
             prefix = side[0]
             side_conf = rule_conf[side]
+            address_mask = side_conf.get('address_mask', None)
 
             if 'address' in side_conf:
                 suffix = side_conf['address']
-                if suffix[0] == '!':
-                    suffix = f'!= {suffix[1:]}'
-                output.append(f'{ip_name} {prefix}addr {suffix}')
+                operator = ''
+                exclude = suffix[0] == '!'
+                if exclude:
+                    operator = '!= '
+                    suffix = suffix[1:]
+                if address_mask:
+                    operator = '!=' if exclude else '=='
+                    operator = f'& {address_mask} {operator} '
+                output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
 
             if 'fqdn' in side_conf:
                 fqdn = side_conf['fqdn']
@@ -168,9 +175,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 if 'address_group' in group:
                     group_name = group['address_group']
                     operator = ''
-                    if group_name[0] == '!':
+                    exclude = group_name[0] == "!"
+                    if exclude:
                         operator = '!='
                         group_name = group_name[1:]
+                    if address_mask:
+                        operator = '!=' if exclude else '=='
+                        operator = f'& {address_mask} {operator}'
                     output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
                 # Generate firewall group domain-group
                 elif 'domain_group' in group:
@@ -225,12 +236,20 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 output.append(f'ip6 hoplimit {operator} {value}')
 
     if 'inbound_interface' in rule_conf:
-        iiface = rule_conf['inbound_interface']
-        output.append(f'iifname {iiface}')
+        if 'interface_name' in rule_conf['inbound_interface']:
+            iiface = rule_conf['inbound_interface']['interface_name']
+            output.append(f'iifname {{{iiface}}}')
+        else:
+            iiface = rule_conf['inbound_interface']['interface_group']
+            output.append(f'iifname @I_{iiface}')
 
     if 'outbound_interface' in rule_conf:
-        oiface = rule_conf['outbound_interface']
-        output.append(f'oifname {oiface}')
+        if 'interface_name' in rule_conf['outbound_interface']:
+            oiface = rule_conf['outbound_interface']['interface_name']
+            output.append(f'oifname {{{oiface}}}')
+        else:
+            oiface = rule_conf['outbound_interface']['interface_group']
+            output.append(f'oifname @I_{oiface}')
 
     if 'ttl' in rule_conf:
         operators = {'eq': '==', 'gt': '>', 'lt': '<'}
diff --git a/python/vyos/frr.py b/python/vyos/frr.py
index 0ffd5cba9..ccb132dd5 100644
--- a/python/vyos/frr.py
+++ b/python/vyos/frr.py
@@ -477,7 +477,7 @@ class FRRConfig:
                 # for the listed FRR issues above
                 pass
         if count >= count_max:
-            raise ConfigurationNotValid(f'Config commit retry counter ({count_max}) exceeded')
+            raise ConfigurationNotValid(f'Config commit retry counter ({count_max}) exceeded for {daemon} dameon!')
 
         # Save configuration to /run/frr/config/frr.conf
         save_configuration()
diff --git a/python/vyos/ifconfig/__init__.py b/python/vyos/ifconfig/__init__.py
index a37615c8f..206b2bba1 100644
--- a/python/vyos/ifconfig/__init__.py
+++ b/python/vyos/ifconfig/__init__.py
@@ -1,4 +1,4 @@
-# Copyright 2019-2021 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2019-2022 VyOS maintainers and contributors <maintainers@vyos.io>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -36,4 +36,6 @@ from vyos.ifconfig.tunnel import TunnelIf
 from vyos.ifconfig.wireless import WiFiIf
 from vyos.ifconfig.l2tpv3 import L2TPv3If
 from vyos.ifconfig.macsec import MACsecIf
+from vyos.ifconfig.veth import VethIf
 from vyos.ifconfig.wwan import WWANIf
+from vyos.ifconfig.sstpc import SSTPCIf
diff --git a/python/vyos/ifconfig/sstpc.py b/python/vyos/ifconfig/sstpc.py
new file mode 100644
index 000000000..50fc6ee6b
--- /dev/null
+++ b/python/vyos/ifconfig/sstpc.py
@@ -0,0 +1,40 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.ifconfig.interface import Interface
+
+@Interface.register
+class SSTPCIf(Interface):
+    iftype = 'sstpc'
+    definition = {
+        **Interface.definition,
+        **{
+            'section': 'sstpc',
+            'prefixes': ['sstpc', ],
+            'eternal': 'sstpc[0-9]+$',
+        },
+    }
+
+    def _create(self):
+        # we can not create this interface as it is managed outside
+        pass
+
+    def _delete(self):
+        # we can not create this interface as it is managed outside
+        pass
+
+    def get_mac(self):
+        """ Get a synthetic MAC address. """
+        return self.get_mac_synthetic()
diff --git a/python/vyos/ifconfig/veth.py b/python/vyos/ifconfig/veth.py
new file mode 100644
index 000000000..aafbf226a
--- /dev/null
+++ b/python/vyos/ifconfig/veth.py
@@ -0,0 +1,54 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.ifconfig.interface import Interface
+
+
+@Interface.register
+class VethIf(Interface):
+    """
+    Abstraction of a Linux veth interface
+    """
+    iftype = 'veth'
+    definition = {
+        **Interface.definition,
+        **{
+            'section': 'virtual-ethernet',
+            'prefixes': ['veth', ],
+            'bridgeable': True,
+        },
+    }
+
+    def _create(self):
+        """
+        Create veth interface in OS kernel. Interface is administrative
+        down by default.
+        """
+        # check before create, as we have 2 veth interfaces in our CLI
+        # interface virtual-ethernet veth0 peer-name 'veth1'
+        # interface virtual-ethernet veth1 peer-name 'veth0'
+        #
+        # but iproute2 creates the pair with one command:
+        # ip link add vet0 type veth peer name veth1
+        if self.exists(self.config['peer_name']):
+            return
+
+        # create virtual-ethernet interface
+        cmd = 'ip link add {ifname} type {type}'.format(**self.config)
+        cmd += f' peer name {self.config["peer_name"]}'
+        self._cmd(cmd)
+
+        # interface is always A/D down. It needs to be enabled explicitly
+        self.set_admin_state('down')
diff --git a/python/vyos/opmode.py b/python/vyos/opmode.py
index 9dba8d30f..5ff768859 100644
--- a/python/vyos/opmode.py
+++ b/python/vyos/opmode.py
@@ -51,6 +51,12 @@ class IncorrectValue(Error):
     """
     pass
 
+class CommitInProgress(Error):
+    """ Requested operation is valid, but not possible at the time due
+    to a commit being in progress.
+    """
+    pass
+
 class InternalError(Error):
     """ Any situation when VyOS detects that it could not perform
         an operation correctly due to logic errors in its own code
diff --git a/python/vyos/util.py b/python/vyos/util.py
index 9ebe69b6c..6a828c0ac 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -539,13 +539,16 @@ def seconds_to_human(s, separator=""):
 
     return result
 
-def bytes_to_human(bytes, initial_exponent=0):
+def bytes_to_human(bytes, initial_exponent=0, precision=2):
     """ Converts a value in bytes to a human-readable size string like 640 KB
 
     The initial_exponent parameter is the exponent of 2,
     e.g. 10 (1024) for kilobytes, 20 (1024 * 1024) for megabytes.
     """
 
+    if bytes == 0:
+        return "0 B"
+
     from math import log2
 
     bytes = bytes * (2**initial_exponent)
@@ -571,7 +574,7 @@ def bytes_to_human(bytes, initial_exponent=0):
     # Add a new case when the first machine with petabyte RAM
     # hits the market.
 
-    size_string = "{0:.2f} {1}".format(value, suffix)
+    size_string = "{0:.{1}f} {2}".format(value, precision, suffix)
     return size_string
 
 def human_to_bytes(value):