summaryrefslogtreecommitdiff
path: root/smoketest
diff options
context:
space:
mode:
Diffstat (limited to 'smoketest')
-rw-r--r--smoketest/configs/bgp-ixp (renamed from smoketest/configs/bgp-ix-router)0
-rw-r--r--smoketest/configs/bgp-rpki116
-rw-r--r--smoketest/configs/dmz-guest-lan-nat-pppoe-router1666
-rw-r--r--smoketest/scripts/cli/base_interfaces_test.py59
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_bonding.py4
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_bridge.py33
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_ethernet.py11
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_loopback.py14
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_tunnel.py31
-rwxr-xr-xsmoketest/scripts/cli/test_service_ssh.py10
-rwxr-xr-xsmoketest/scripts/cli/test_system_ip.py2
-rwxr-xr-xsmoketest/scripts/cli/test_system_ipv6.py102
-rwxr-xr-xsmoketest/scripts/cli/test_system_ntp.py6
-rwxr-xr-xsmoketest/scripts/cli/test_vrf.py90
14 files changed, 2092 insertions, 52 deletions
diff --git a/smoketest/configs/bgp-ix-router b/smoketest/configs/bgp-ixp
index de6213b50..de6213b50 100644
--- a/smoketest/configs/bgp-ix-router
+++ b/smoketest/configs/bgp-ixp
diff --git a/smoketest/configs/bgp-rpki b/smoketest/configs/bgp-rpki
new file mode 100644
index 000000000..e11ec9e72
--- /dev/null
+++ b/smoketest/configs/bgp-rpki
@@ -0,0 +1,116 @@
+interfaces {
+ ethernet eth0 {
+ address 192.0.2.100/25
+ address 2001:db8::ffff/64
+ }
+ ethernet eth1 {
+ }
+ loopback lo {
+ }
+}
+policy {
+ route-map ebgp-transit-rpki {
+ rule 10 {
+ action deny
+ match {
+ rpki invalid
+ }
+ }
+ rule 20 {
+ action permit
+ match {
+ rpki notfound
+ }
+ set {
+ local-preference 20
+ }
+ }
+ rule 30 {
+ action permit
+ match {
+ rpki valid
+ }
+ set {
+ local-preference 100
+ }
+ }
+ }
+}
+protocols {
+ bgp 64500 {
+ neighbor 1.2.3.4 {
+ address-family {
+ ipv4-unicast {
+ nexthop-self {
+ }
+ route-map {
+ import ebgp-transit-rpki
+ }
+ }
+ }
+ remote-as 10
+ }
+ }
+ rpki {
+ cache routinator {
+ address 192.0.2.10
+ port 3323
+ }
+ }
+ static {
+ route 0.0.0.0/0 {
+ next-hop 192.0.2.1 {
+ }
+ }
+ route6 ::/0 {
+ next-hop 2001:db8::1 {
+ }
+ }
+ }
+}
+service {
+ ssh {
+ }
+}
+system {
+ config-management {
+ commit-revisions 100
+ }
+ console {
+ device ttyS0 {
+ speed 115200
+ }
+ }
+ host-name vyos
+ login {
+ user vyos {
+ authentication {
+ encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+ plaintext-password ""
+ }
+ }
+ }
+ ntp {
+ server 0.pool.ntp.org {
+ }
+ server 1.pool.ntp.org {
+ }
+ server 2.pool.ntp.org {
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level info
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ }
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
+// Release version: 1.3-rolling-202010241631
diff --git a/smoketest/configs/dmz-guest-lan-nat-pppoe-router b/smoketest/configs/dmz-guest-lan-nat-pppoe-router
new file mode 100644
index 000000000..075f18b9e
--- /dev/null
+++ b/smoketest/configs/dmz-guest-lan-nat-pppoe-router
@@ -0,0 +1,1666 @@
+firewall {
+ all-ping enable
+ broadcast-ping disable
+ config-trap disable
+ group {
+ address-group MEDIA-STREAMING-CLIENTS {
+ address 172.16.35.241
+ address 172.16.35.242
+ address 172.16.35.243
+ }
+ address-group DMZ-WEBSERVER {
+ address 172.16.36.10
+ address 172.16.36.40
+ address 172.16.36.20
+ }
+ address-group DMZ-RDP-SERVER {
+ address 172.16.33.40
+ }
+ address-group DOMAIN-CONTROLLER {
+ address 172.16.100.10
+ address 172.16.100.20
+ }
+ address-group AUDIO-STREAM {
+ address 172.16.35.20
+ address 172.16.35.21
+ address 172.16.35.22
+ address 172.16.35.23
+ }
+ ipv6-network-group LOCAL-ADDRESSES {
+ network ff02::/64
+ network fe80::/10
+ }
+ network-group SSH-IN-ALLOW {
+ network 192.0.2.0/24
+ network 10.0.0.0/8
+ network 172.16.0.0/12
+ network 192.168.0.0/16
+ }
+ port-group SMART-TV-PORTS {
+ port 5005-5006
+ port 80
+ port 443
+ port 3722
+ }
+ }
+ ipv6-name ALLOW-ALL-6 {
+ default-action accept
+ }
+ ipv6-name ALLOW-BASIC-6 {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ state {
+ invalid enable
+ }
+ }
+ rule 10 {
+ action accept
+ protocol icmpv6
+ }
+ }
+ ipv6-name ALLOW-ESTABLISHED-6 {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ state {
+ invalid enable
+ }
+ }
+ rule 10 {
+ action accept
+ destination {
+ group {
+ network-group LOCAL-ADDRESSES
+ }
+ }
+ protocol icmpv6
+ source {
+ address fe80::/10
+ }
+ }
+ rule 20 {
+ action accept
+ icmpv6 {
+ type echo-request
+ }
+ protocol icmpv6
+ }
+ rule 21 {
+ action accept
+ icmpv6 {
+ type destination-unreachable
+ }
+ protocol icmpv6
+ }
+ rule 22 {
+ action accept
+ icmpv6 {
+ type packet-too-big
+ }
+ protocol icmpv6
+ }
+ rule 23 {
+ action accept
+ icmpv6 {
+ type time-exceeded
+ }
+ protocol icmpv6
+ }
+ rule 24 {
+ action accept
+ icmpv6 {
+ type parameter-problem
+ }
+ protocol icmpv6
+ }
+ }
+ ipv6-name WAN-LOCAL-6 {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ state {
+ invalid enable
+ }
+ }
+ rule 10 {
+ action accept
+ destination {
+ address ff02::/64
+ }
+ protocol icmpv6
+ source {
+ address fe80::/10
+ }
+ }
+ rule 50 {
+ action accept
+ description DHCPv6
+ destination {
+ address fe80::/10
+ port 546
+ }
+ protocol udp
+ source {
+ address fe80::/10
+ port 547
+ }
+ }
+ }
+ ipv6-receive-redirects disable
+ ipv6-src-route disable
+ ip-src-route disable
+ log-martians enable
+ name DMZ-GUEST {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ }
+ name DMZ-LAN {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 100 {
+ action accept
+ description "NTP and LDAP to AD DC"
+ destination {
+ group {
+ address-group DOMAIN-CONTROLLER
+ }
+ port 123,389,636
+ }
+ protocol tcp_udp
+ }
+ rule 300 {
+ action accept
+ destination {
+ group {
+ address-group DMZ-RDP-SERVER
+ }
+ port 3389
+ }
+ protocol tcp_udp
+ source {
+ address 172.16.36.20
+ }
+ }
+ }
+ name DMZ-LOCAL {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 50 {
+ action accept
+ destination {
+ address 172.16.254.30
+ port 53
+ }
+ protocol tcp_udp
+ }
+ rule 123 {
+ action accept
+ destination {
+ port 123
+ }
+ protocol udp
+ }
+ }
+ name DMZ-WAN {
+ default-action accept
+ }
+ name GUEST-DMZ {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 100 {
+ action accept
+ destination {
+ port 80,443
+ }
+ protocol tcp
+ }
+ }
+ name GUEST-IOT {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 100 {
+ action accept
+ description "MEDIA-STREAMING-CLIENTS Devices to GUEST"
+ destination {
+ group {
+ address-group MEDIA-STREAMING-CLIENTS
+ }
+ }
+ protocol tcp_udp
+ }
+ rule 110 {
+ action accept
+ description "AUDIO-STREAM Devices to GUEST"
+ destination {
+ group {
+ address-group AUDIO-STREAM
+ }
+ }
+ protocol tcp_udp
+ }
+ rule 200 {
+ action accept
+ description "MCAST relay"
+ destination {
+ address 224.0.0.251
+ port 5353
+ }
+ protocol udp
+ }
+ rule 300 {
+ action accept
+ description "BCAST relay"
+ destination {
+ port 1900
+ }
+ protocol udp
+ }
+ }
+ name GUEST-LAN {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ }
+ name GUEST-LOCAL {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 10 {
+ action accept
+ description DNS
+ destination {
+ address 172.31.0.254
+ port 53
+ }
+ protocol tcp_udp
+ }
+ rule 11 {
+ action accept
+ description DHCP
+ destination {
+ port 67
+ }
+ protocol udp
+ }
+ rule 15 {
+ action accept
+ destination {
+ address 172.31.0.254
+ }
+ protocol icmp
+ }
+ rule 200 {
+ action accept
+ description "MCAST relay"
+ destination {
+ address 224.0.0.251
+ port 5353
+ }
+ protocol udp
+ }
+ rule 210 {
+ action accept
+ description "AUDIO-STREAM Broadcast"
+ destination {
+ port 1900
+ }
+ protocol udp
+ }
+ }
+ name GUEST-WAN {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 25 {
+ action accept
+ description SMTP
+ destination {
+ port 25,587
+ }
+ protocol tcp
+ }
+ rule 53 {
+ action accept
+ destination {
+ port 53
+ }
+ protocol tcp_udp
+ }
+ rule 60 {
+ action accept
+ source {
+ address 172.31.0.200
+ }
+ }
+ rule 80 {
+ action accept
+ source {
+ address 172.31.0.200
+ }
+ }
+ rule 100 {
+ action accept
+ protocol icmp
+ }
+ rule 110 {
+ action accept
+ description POP3
+ destination {
+ port 110,995
+ }
+ protocol tcp
+ }
+ rule 123 {
+ action accept
+ description "NTP Client"
+ destination {
+ port 123
+ }
+ protocol udp
+ }
+ rule 143 {
+ action accept
+ description IMAP
+ destination {
+ port 143,993
+ }
+ protocol tcp
+ }
+ rule 200 {
+ action accept
+ destination {
+ port 80,443
+ }
+ protocol tcp
+ }
+ rule 500 {
+ action accept
+ description "L2TP IPSec"
+ destination {
+ port 500,4500
+ }
+ protocol udp
+ }
+ rule 600 {
+ action accept
+ destination {
+ port 5222-5224
+ }
+ protocol tcp
+ }
+ rule 601 {
+ action accept
+ destination {
+ port 3478-3497,4500,16384-16387,16393-16402
+ }
+ protocol udp
+ }
+ rule 1000 {
+ action accept
+ source {
+ address 172.31.0.184
+ }
+ }
+ }
+ name IOT-GUEST {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 100 {
+ action accept
+ description "MEDIA-STREAMING-CLIENTS Devices to IOT"
+ protocol tcp_udp
+ source {
+ group {
+ address-group MEDIA-STREAMING-CLIENTS
+ }
+ }
+ }
+ rule 110 {
+ action accept
+ description "AUDIO-STREAM Devices to IOT"
+ protocol tcp_udp
+ source {
+ group {
+ address-group AUDIO-STREAM
+ }
+ }
+ }
+ rule 200 {
+ action accept
+ description "MCAST relay"
+ destination {
+ address 224.0.0.251
+ port 5353
+ }
+ protocol udp
+ }
+ rule 300 {
+ action accept
+ description "BCAST relay"
+ destination {
+ port 1900
+ }
+ protocol udp
+ }
+ }
+ name IOT-LAN {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 100 {
+ action accept
+ description "AppleTV to LAN"
+ destination {
+ group {
+ port-group SMART-TV-PORTS
+ }
+ }
+ protocol tcp_udp
+ source {
+ group {
+ address-group MEDIA-STREAMING-CLIENTS
+ }
+ }
+ }
+ rule 110 {
+ action accept
+ description "AUDIO-STREAM Devices to LAN"
+ protocol tcp_udp
+ source {
+ group {
+ address-group AUDIO-STREAM
+ }
+ }
+ }
+ }
+ name IOT-LOCAL {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 10 {
+ action accept
+ description DNS
+ destination {
+ address 172.16.254.30
+ port 53
+ }
+ protocol tcp_udp
+ }
+ rule 11 {
+ action accept
+ description DHCP
+ destination {
+ port 67
+ }
+ protocol udp
+ }
+ rule 15 {
+ action accept
+ destination {
+ address 172.16.35.254
+ }
+ protocol icmp
+ }
+ rule 200 {
+ action accept
+ description "MCAST relay"
+ destination {
+ address 224.0.0.251
+ port 5353
+ }
+ protocol udp
+ }
+ rule 201 {
+ action accept
+ description "MCAST relay"
+ destination {
+ address 172.16.35.254
+ port 5353
+ }
+ protocol udp
+ }
+ rule 210 {
+ action accept
+ description "AUDIO-STREAM Broadcast"
+ destination {
+ port 1900,1902,6969
+ }
+ protocol udp
+ }
+ }
+ name IOT-WAN {
+ default-action accept
+ }
+ name LAN-DMZ {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 22 {
+ action accept
+ description "SSH into DMZ"
+ destination {
+ port 22
+ }
+ protocol tcp
+ }
+ rule 100 {
+ action accept
+ destination {
+ group {
+ address-group DMZ-WEBSERVER
+ }
+ port 22,80,443
+ }
+ protocol tcp
+ }
+ }
+ name LAN-GUEST {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ }
+ name LAN-IOT {
+ default-action accept
+ }
+ name LAN-LOCAL {
+ default-action accept
+ }
+ name LAN-WAN {
+ default-action accept
+ }
+ name LOCAL-DMZ {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ }
+ name LOCAL-GUEST {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 5 {
+ action accept
+ protocol icmp
+ }
+ rule 200 {
+ action accept
+ description "MCAST relay"
+ destination {
+ address 224.0.0.251
+ port 5353
+ }
+ protocol udp
+ }
+ rule 300 {
+ action accept
+ description "BCAST relay"
+ destination {
+ port 1900
+ }
+ protocol udp
+ }
+ }
+ name LOCAL-IOT {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 5 {
+ action accept
+ protocol icmp
+ }
+ rule 200 {
+ action accept
+ description "MCAST relay"
+ destination {
+ address 224.0.0.251
+ port 5353
+ }
+ protocol udp
+ }
+ rule 300 {
+ action accept
+ description "BCAST relay"
+ destination {
+ port 1900,6969
+ }
+ protocol udp
+ }
+ }
+ name LOCAL-LAN {
+ default-action accept
+ }
+ name LOCAL-WAN {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 10 {
+ action accept
+ protocol icmp
+ }
+ rule 50 {
+ action accept
+ description DNS
+ destination {
+ port 53
+ }
+ protocol tcp_udp
+ }
+ rule 80 {
+ action accept
+ destination {
+ port 80,443
+ }
+ protocol tcp
+ }
+ rule 123 {
+ action accept
+ description NTP
+ destination {
+ port 123
+ }
+ protocol udp
+ }
+ }
+ name WAN-DMZ {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 100 {
+ action accept
+ destination {
+ address 172.16.36.10
+ port 80,443
+ }
+ protocol tcp
+ }
+ }
+ name WAN-GUEST {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 1000 {
+ action accept
+ destination {
+ address 172.31.0.184
+ }
+ }
+ rule 8000 {
+ action accept
+ destination {
+ address 172.31.0.200
+ port 10000
+ }
+ protocol udp
+ }
+ }
+ name WAN-IOT {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ }
+ name WAN-LAN {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 1000 {
+ action accept
+ destination {
+ address 172.16.33.40
+ port 3389
+ }
+ protocol tcp
+ source {
+ group {
+ network-group SSH-IN-ALLOW
+ }
+ }
+ }
+ }
+ name WAN-LOCAL {
+ default-action drop
+ enable-default-log
+ rule 1 {
+ action accept
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 2 {
+ action drop
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ rule 22 {
+ action accept
+ destination {
+ port 22
+ }
+ protocol tcp
+ source {
+ group {
+ network-group SSH-IN-ALLOW
+ }
+ }
+ }
+ }
+ options {
+ interface pppoe0 {
+ adjust-mss 1452
+ adjust-mss6 1432
+ }
+ }
+ receive-redirects disable
+ send-redirects enable
+ source-validation disable
+ syn-cookies enable
+ twa-hazards-protection disable
+}
+interfaces {
+ dummy dum0 {
+ address 172.16.254.30/32
+ }
+ ethernet eth0 {
+ duplex auto
+ speed auto
+ vif 5 {
+ address 172.16.37.254/24
+ }
+ vif 10 {
+ address 172.16.33.254/24
+ }
+ vif 20 {
+ address 172.31.0.254/24
+ }
+ vif 35 {
+ address 172.16.35.254/24
+ }
+ vif 50 {
+ address 172.16.36.254/24
+ }
+ vif 100 {
+ address 172.16.100.254/24
+ }
+ vif 201 {
+ address 172.18.201.254/24
+ }
+ vif 202 {
+ address 172.18.202.254/24
+ }
+ vif 203 {
+ address 172.18.203.254/24
+ }
+ vif 204 {
+ address 172.18.204.254/24
+ }
+ }
+ ethernet eth1 {
+ vif 7 {
+ description FTTH-PPPoE
+ }
+ }
+ loopback lo {
+ address 172.16.254.30/32
+ }
+ pppoe pppoe0 {
+ authentication {
+ password vyos
+ user vyos
+ }
+ default-route auto
+ description "FTTH 100/50MBit"
+ dhcpv6-options {
+ pd 0 {
+ interface eth0.10 {
+ address 1
+ sla-id 10
+ }
+ interface eth0.20 {
+ address 1
+ sla-id 20
+ }
+ length 56
+ }
+ }
+ ipv6 {
+ address {
+ autoconf
+ }
+ }
+ mtu 1492
+ no-peer-dns
+ source-interface eth1.7
+ }
+}
+nat {
+ destination {
+ rule 100 {
+ description HTTP(S)
+ destination {
+ port 80,443
+ }
+ inbound-interface pppoe0
+ log
+ protocol tcp
+ translation {
+ address 172.16.36.10
+ }
+ }
+ rule 1000 {
+ destination {
+ port 3389
+ }
+ disable
+ inbound-interface pppoe0
+ protocol tcp
+ translation {
+ address 172.16.33.40
+ }
+ }
+ rule 8000 {
+ destination {
+ port 10000
+ }
+ inbound-interface pppoe0
+ log
+ protocol udp
+ translation {
+ address 172.31.0.200
+ }
+ }
+ }
+ source {
+ rule 100 {
+ log
+ outbound-interface pppoe0
+ source {
+ address 172.16.32.0/19
+ }
+ translation {
+ address masquerade
+ }
+ }
+ rule 200 {
+ outbound-interface pppoe0
+ source {
+ address 172.16.100.0/24
+ }
+ translation {
+ address masquerade
+ }
+ }
+ rule 300 {
+ outbound-interface pppoe0
+ source {
+ address 172.31.0.0/24
+ }
+ translation {
+ address masquerade
+ }
+ }
+ rule 400 {
+ outbound-interface pppoe0
+ source {
+ address 172.18.200.0/21
+ }
+ translation {
+ address masquerade
+ }
+ }
+ }
+}
+protocols {
+ static {
+ interface-route6 2000::/3 {
+ next-hop-interface pppoe0 {
+ }
+ }
+ route 10.0.0.0/8 {
+ blackhole {
+ distance 254
+ }
+ }
+ route 169.254.0.0/16 {
+ blackhole {
+ distance 254
+ }
+ }
+ route 172.16.0.0/12 {
+ blackhole {
+ distance 254
+ }
+ }
+ route 192.168.0.0/16 {
+ blackhole {
+ distance 254
+ }
+ }
+ }
+}
+service {
+ dhcp-server {
+ shared-network-name BACKBONE {
+ authoritative
+ subnet 172.16.37.0/24 {
+ default-router 172.16.37.254
+ dns-server 172.16.254.30
+ domain-name vyos.net
+ domain-search vyos.net
+ lease 86400
+ ntp-server 172.16.254.30
+ range 0 {
+ start 172.16.37.120
+ stop 172.16.37.149
+ }
+ static-mapping AP1.wue3 {
+ ip-address 172.16.37.231
+ mac-address 18:e8:29:6c:c3:a5
+ }
+ }
+ }
+ shared-network-name GUEST {
+ authoritative
+ subnet 172.31.0.0/24 {
+ default-router 172.31.0.254
+ dns-server 172.31.0.254
+ domain-name vyos.net
+ domain-search vyos.net
+ lease 86400
+ range 0 {
+ start 172.31.0.100
+ stop 172.31.0.199
+ }
+ static-mapping host01 {
+ ip-address 172.31.0.200
+ mac-address 00:50:00:00:00:01
+ }
+ static-mapping host02 {
+ ip-address 172.31.0.184
+ mac-address 00:50:00:00:00:02
+ }
+ }
+ }
+ shared-network-name IOT {
+ authoritative
+ subnet 172.16.35.0/24 {
+ default-router 172.16.35.254
+ dns-server 172.16.254.30
+ domain-name vyos.net
+ domain-search vyos.net
+ lease 86400
+ ntp-server 172.16.254.30
+ range 0 {
+ start 172.16.35.101
+ stop 172.16.35.149
+ }
+ }
+ }
+ shared-network-name LAN {
+ authoritative
+ subnet 172.16.33.0/24 {
+ default-router 172.16.33.254
+ dns-server 172.16.254.30
+ domain-name vyos.net
+ domain-search vyos.net
+ lease 86400
+ ntp-server 172.16.254.30
+ range 0 {
+ start 172.16.33.100
+ stop 172.16.33.189
+ }
+ }
+ }
+ }
+ dns {
+ forwarding {
+ allow-from 172.16.0.0/12
+ cache-size 0
+ domain 16.172.in-addr.arpa {
+ addnta
+ recursion-desired
+ server 172.16.100.10
+ server 172.16.100.20
+ server 172.16.110.30
+ }
+ domain 18.172.in-addr.arpa {
+ addnta
+ recursion-desired
+ server 172.16.100.10
+ server 172.16.100.20
+ server 172.16.110.30
+ }
+ domain vyos.net {
+ addnta
+ recursion-desired
+ server 172.16.100.20
+ server 172.16.100.10
+ server 172.16.110.30
+ }
+ ignore-hosts-file
+ listen-address 172.16.254.30
+ listen-address 172.31.0.254
+ negative-ttl 60
+ }
+ }
+ lldp {
+ legacy-protocols {
+ cdp
+ }
+ snmp {
+ enable
+ }
+ }
+ mdns {
+ repeater {
+ interface eth0.35
+ interface eth0.10
+ }
+ }
+ router-advert {
+ interface eth0.10 {
+ prefix ::/64 {
+ preferred-lifetime 2700
+ valid-lifetime 5400
+ }
+ }
+ interface eth0.20 {
+ prefix ::/64 {
+ preferred-lifetime 2700
+ valid-lifetime 5400
+ }
+ }
+ }
+ snmp {
+ community fooBar {
+ authorization ro
+ network 172.16.100.0/24
+ }
+ contact "VyOS maintainers and contributors <maintainers@vyos.io>"
+ listen-address 172.16.254.30 {
+ port 161
+ }
+ location "The Internet"
+ }
+ ssh {
+ disable-host-validation
+ port 22
+ }
+}
+system {
+ config-management {
+ commit-archive {
+ location tftp://172.16.20.200/CONFIGS/vyos
+ }
+ commit-revisions 200
+ }
+ conntrack {
+ expect-table-size 2048
+ hash-size 32768
+ modules {
+ sip {
+ disable
+ }
+ }
+ table-size 262144
+ timeout {
+ icmp 30
+ other 600
+ udp {
+ other 300
+ stream 300
+ }
+ }
+ }
+ console {
+ device ttyS0 {
+ speed 115200
+ }
+ }
+ domain-name vyos.net
+ host-name vyos
+ login {
+ user vyos {
+ authentication {
+ encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+ plaintext-password ""
+ }
+ }
+ }
+ name-server 172.16.254.30
+ ntp {
+ allow-clients {
+ address 172.16.0.0/12
+ }
+ server 0.pool.ntp.org {
+ }
+ server 1.pool.ntp.org {
+ }
+ server 2.pool.ntp.org {
+ }
+ }
+ option {
+ ctrl-alt-delete ignore
+ reboot-on-panic
+ startup-beep
+ }
+ syslog {
+ global {
+ facility all {
+ level debug
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ host 172.16.100.1 {
+ facility all {
+ level warning
+ }
+ }
+ }
+ time-zone Europe/Berlin
+}
+traffic-policy {
+ shaper QoS {
+ bandwidth 50mbit
+ default {
+ bandwidth 100%
+ burst 15k
+ queue-limit 1000
+ queue-type fq-codel
+ }
+ }
+}
+zone-policy {
+ zone DMZ {
+ default-action drop
+ from GUEST {
+ firewall {
+ name GUEST-DMZ
+ }
+ }
+ from LAN {
+ firewall {
+ name LAN-DMZ
+ }
+ }
+ from LOCAL {
+ firewall {
+ name LOCAL-DMZ
+ }
+ }
+ from WAN {
+ firewall {
+ name WAN-DMZ
+ }
+ }
+ interface eth0.50
+ }
+ zone GUEST {
+ default-action drop
+ from DMZ {
+ firewall {
+ name DMZ-GUEST
+ }
+ }
+ from IOT {
+ firewall {
+ name IOT-GUEST
+ }
+ }
+ from LAN {
+ firewall {
+ name LAN-GUEST
+ }
+ }
+ from LOCAL {
+ firewall {
+ ipv6-name ALLOW-ALL-6
+ name LOCAL-GUEST
+ }
+ }
+ from WAN {
+ firewall {
+ ipv6-name ALLOW-ESTABLISHED-6
+ name WAN-GUEST
+ }
+ }
+ interface eth0.20
+ }
+ zone IOT {
+ default-action drop
+ from GUEST {
+ firewall {
+ name GUEST-IOT
+ }
+ }
+ from LAN {
+ firewall {
+ name LAN-IOT
+ }
+ }
+ from LOCAL {
+ firewall {
+ name LOCAL-IOT
+ }
+ }
+ from WAN {
+ firewall {
+ name WAN-IOT
+ }
+ }
+ interface eth0.35
+ }
+ zone LAN {
+ default-action drop
+ from DMZ {
+ firewall {
+ name DMZ-LAN
+ }
+ }
+ from GUEST {
+ firewall {
+ name GUEST-LAN
+ }
+ }
+ from IOT {
+ firewall {
+ name IOT-LAN
+ }
+ }
+ from LOCAL {
+ firewall {
+ ipv6-name ALLOW-ALL-6
+ name LOCAL-LAN
+ }
+ }
+ from WAN {
+ firewall {
+ ipv6-name ALLOW-ESTABLISHED-6
+ name WAN-LAN
+ }
+ }
+ interface eth0.5
+ interface eth0.10
+ interface eth0.100
+ interface eth0.201
+ interface eth0.202
+ interface eth0.203
+ interface eth0.204
+ }
+ zone LOCAL {
+ default-action drop
+ from DMZ {
+ firewall {
+ name DMZ-LOCAL
+ }
+ }
+ from GUEST {
+ firewall {
+ ipv6-name ALLOW-ESTABLISHED-6
+ name GUEST-LOCAL
+ }
+ }
+ from IOT {
+ firewall {
+ name IOT-LOCAL
+ }
+ }
+ from LAN {
+ firewall {
+ ipv6-name ALLOW-ALL-6
+ name LAN-LOCAL
+ }
+ }
+ from WAN {
+ firewall {
+ ipv6-name WAN-LOCAL-6
+ name WAN-LOCAL
+ }
+ }
+ local-zone
+ }
+ zone WAN {
+ default-action drop
+ from DMZ {
+ firewall {
+ name DMZ-WAN
+ }
+ }
+ from GUEST {
+ firewall {
+ ipv6-name ALLOW-ALL-6
+ name GUEST-WAN
+ }
+ }
+ from IOT {
+ firewall {
+ name IOT-WAN
+ }
+ }
+ from LAN {
+ firewall {
+ ipv6-name ALLOW-ALL-6
+ name LAN-WAN
+ }
+ }
+ from LOCAL {
+ firewall {
+ ipv6-name ALLOW-ALL-6
+ name LOCAL-WAN
+ }
+ }
+ interface pppoe0
+ }
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3-beta-202101091250
+
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 8a09dd96f..6a68bcc26 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -18,9 +18,10 @@ import json
from binascii import hexlify
-from netifaces import ifaddresses
from netifaces import AF_INET
from netifaces import AF_INET6
+from netifaces import ifaddresses
+from netifaces import interfaces
from vyos.configsession import ConfigSession
from vyos.ifconfig import Interface
@@ -81,21 +82,22 @@ class BasicInterfaceTest:
self.session.set(['interfaces', section, span])
def tearDown(self):
- # Ethernet is handled in its derived class
- if 'ethernet' not in self._base_path:
- self.session.delete(self._base_path)
-
# Tear down mirror interfaces for SPAN (Switch Port Analyzer)
for span in self._mirror_interfaces:
section = Section.section(span)
self.session.delete(['interfaces', section, span])
+ self.session.delete(self._base_path)
self.session.commit()
del self.session
+ # Verify that no previously interface remained on the system
+ for intf in self._interfaces:
+ self.assertNotIn(intf, interfaces())
+
def test_span_mirror(self):
if not self._mirror_interfaces:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
# Check the two-way mirror rules of ingress and egress
for mirror in self._mirror_interfaces:
@@ -111,6 +113,19 @@ class BasicInterfaceTest:
self.assertTrue(is_mirrored_to(interface, mirror, 'ffff'))
self.assertTrue(is_mirrored_to(interface, mirror, '1'))
+ def test_interface_disable(self):
+ # Check if description can be added to interface and
+ # can be read back
+ for intf in self._interfaces:
+ self.session.set(self._base_path + [intf, 'disable'])
+ for option in self._options.get(intf, []):
+ self.session.set(self._base_path + [intf] + option.split())
+
+ self.session.commit()
+
+ # Validate interface description
+ for intf in self._interfaces:
+ self.assertEqual(Interface(intf).get_admin_state(), 'down')
def test_interface_description(self):
# Check if description can be added to interface and
@@ -150,6 +165,7 @@ class BasicInterfaceTest:
for intf in self._interfaces:
self.assertTrue(is_intf_addr_assigned(intf, addr))
+ self.assertEqual(Interface(intf).get_admin_state(), 'up')
def test_add_multiple_ip_addresses(self):
# Add address
@@ -174,7 +190,7 @@ class BasicInterfaceTest:
def test_ipv6_link_local_address(self):
# Common function for IPv6 link-local address assignemnts
if not self._test_ipv6:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
for interface in self._interfaces:
base = self._base_path + [interface]
@@ -201,7 +217,7 @@ class BasicInterfaceTest:
def test_interface_mtu(self):
if not self._test_mtu:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
for intf in self._interfaces:
base = self._base_path + [intf]
@@ -221,7 +237,7 @@ class BasicInterfaceTest:
# Testcase if MTU can be changed to 1200 on non IPv6
# enabled interfaces
if not self._test_mtu:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
old_mtu = self._mtu
self._mtu = '1200'
@@ -244,9 +260,13 @@ class BasicInterfaceTest:
self._mtu = old_mtu
- def test_8021q_vlan_interfaces(self):
+ def test_vif_8021q_interfaces(self):
+ # XXX: This testcase is not allowed to run as first testcase, reason
+ # is the Wireless test will first load the wifi kernel hwsim module
+ # which creates a wlan0 and wlan1 interface which will fail the
+ # tearDown() test in the end that no interface is allowed to survive!
if not self._test_vlan:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
for interface in self._interfaces:
base = self._base_path + [interface]
@@ -269,11 +289,16 @@ class BasicInterfaceTest:
tmp = read_file(f'/sys/class/net/{vif}/mtu')
self.assertEqual(tmp, self._mtu)
+ self.assertEqual(Interface(vif).get_admin_state(), 'up')
- def test_8021ad_qinq_vlan_interfaces(self):
+ def test_vif_s_8021ad_vlan_interfaces(self):
+ # XXX: This testcase is not allowed to run as first testcase, reason
+ # is the Wireless test will first load the wifi kernel hwsim module
+ # which creates a wlan0 and wlan1 interface which will fail the
+ # tearDown() test in the end that no interface is allowed to survive!
if not self._test_qinq:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
for interface in self._interfaces:
base = self._base_path + [interface]
@@ -304,7 +329,7 @@ class BasicInterfaceTest:
def test_interface_ip_options(self):
if not self._test_ip:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
for interface in self._interfaces:
arp_tmo = '300'
@@ -355,7 +380,7 @@ class BasicInterfaceTest:
def test_interface_ipv6_options(self):
if not self._test_ipv6:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
for interface in self._interfaces:
dad_transmits = '10'
@@ -379,7 +404,7 @@ class BasicInterfaceTest:
def test_dhcpv6pd_auto_sla_id(self):
if not self._test_ipv6_pd:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
prefix_len = '56'
sla_len = str(64 - int(prefix_len))
@@ -435,7 +460,7 @@ class BasicInterfaceTest:
def test_dhcpv6pd_manual_sla_id(self):
if not self._test_ipv6_pd:
- self.skipTest('not enabled')
+ self.skipTest('not supported')
prefix_len = '56'
sla_len = str(64 - int(prefix_len))
diff --git a/smoketest/scripts/cli/test_interfaces_bonding.py b/smoketest/scripts/cli/test_interfaces_bonding.py
index f42ec3e9b..560bfb92b 100755
--- a/smoketest/scripts/cli/test_interfaces_bonding.py
+++ b/smoketest/scripts/cli/test_interfaces_bonding.py
@@ -60,8 +60,8 @@ class BondingInterfaceTest(BasicInterfaceTest.BaseTest):
slaves = read_file(f'/sys/class/net/{interface}/bonding/slaves').split()
self.assertListEqual(slaves, self._members)
- def test_8021q_vlan_interfaces(self):
- super().test_8021q_vlan_interfaces()
+ def test_vif_8021q_interfaces(self):
+ super().test_vif_8021q_interfaces()
for interface in self._interfaces:
slaves = read_file(f'/sys/class/net/{interface}/bonding/slaves').split()
diff --git a/smoketest/scripts/cli/test_interfaces_bridge.py b/smoketest/scripts/cli/test_interfaces_bridge.py
index 464226b6f..8f03290be 100755
--- a/smoketest/scripts/cli/test_interfaces_bridge.py
+++ b/smoketest/scripts/cli/test_interfaces_bridge.py
@@ -25,6 +25,7 @@ from netifaces import interfaces
from vyos.ifconfig import Section
from vyos.util import cmd
from vyos.util import read_file
+from vyos.validate import is_intf_addr_assigned
class BridgeInterfaceTest(BasicInterfaceTest.BaseTest):
def setUp(self):
@@ -32,7 +33,6 @@ class BridgeInterfaceTest(BasicInterfaceTest.BaseTest):
self._test_ipv6 = True
self._test_ipv6_pd = True
self._test_vlan = True
- self._test_qinq = True
self._base_path = ['interfaces', 'bridge']
self._mirror_interfaces = ['dum21354']
self._members = []
@@ -53,6 +53,12 @@ class BridgeInterfaceTest(BasicInterfaceTest.BaseTest):
super().setUp()
+ def tearDown(self):
+ for intf in self._interfaces:
+ self.session.delete(self._base_path + [intf])
+
+ super().tearDown()
+
def test_add_remove_bridge_member(self):
# Add member interfaces to bridge and set STP cost/priority
for interface in self._interfaces:
@@ -87,12 +93,22 @@ class BridgeInterfaceTest(BasicInterfaceTest.BaseTest):
self.session.commit()
+ def test_vif_8021q_interfaces(self):
+ for interface in self._interfaces:
+ base = self._base_path + [interface]
+ self.session.set(base + ['enable-vlan'])
+ super().test_vif_8021q_interfaces()
+
def test_bridge_vlan_filter(self):
+
+ vif_vlan = 2
# Add member interface to bridge and set VLAN filter
for interface in self._interfaces:
base = self._base_path + [interface]
- self.session.set(base + ['vif', '1', 'address', '192.0.2.1/24'])
- self.session.set(base + ['vif', '2', 'address', '192.0.3.1/24'])
+ self.session.set(base + ['enable-vlan'])
+ self.session.set(base + ['address', '192.0.2.1/24'])
+ self.session.set(base + ['vif', str(vif_vlan), 'address', '192.0.3.1/24'])
+ self.session.set(base + ['vif', str(vif_vlan), 'mtu', self._mtu])
vlan_id = 101
allowed_vlan = 2
@@ -182,10 +198,13 @@ class BridgeInterfaceTest(BasicInterfaceTest.BaseTest):
for vif in vifs:
# member interface must be assigned to the bridge
self.assertTrue(os.path.exists(f'/sys/class/net/{interface}/lower_{member}.{vif}'))
-
- # remove VLAN interfaces
- for vif in vifs:
- self.session.delete(['interfaces', 'ethernet', member, 'vif', vif])
+
+ # delete all members
+ for interface in self._interfaces:
+ for member in self._members:
+ for vif in vifs:
+ self.session.delete(['interfaces', 'ethernet', member, 'vif', vif])
+ self.session.delete(['interfaces', 'bridge', interface, 'member', 'interface', f'{member}.{vif}'])
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_ethernet.py b/smoketest/scripts/cli/test_interfaces_ethernet.py
index 42c1f15df..9d896f690 100755
--- a/smoketest/scripts/cli/test_interfaces_ethernet.py
+++ b/smoketest/scripts/cli/test_interfaces_ethernet.py
@@ -78,8 +78,13 @@ class EthernetInterfaceTest(BasicInterfaceTest.BaseTest):
self.session.set(self._base_path + [interface, 'speed', 'auto'])
self.session.set(self._base_path + [interface, 'hw-id', self._macs[interface]])
- super().tearDown()
+ # Tear down mirror interfaces for SPAN (Switch Port Analyzer)
+ for span in self._mirror_interfaces:
+ section = Section.section(span)
+ self.session.delete(['interfaces', section, span])
+ self.session.commit()
+ del self.session
def test_dhcp_disable_interface(self):
# When interface is configured as admin down, it must be admin down
@@ -193,12 +198,12 @@ if __name__ == '__main__':
# Generate mandatory SSL certificate
tmp = f'openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 '\
f'-keyout {ssl_key} -out {ssl_cert} -subj {subject}'
- print(cmd(tmp))
+ cmd(tmp)
if not os.path.isfile(ca_cert):
# Generate "CA"
tmp = f'openssl req -new -x509 -key {ssl_key} -out {ca_cert} -subj {subject}'
- print(cmd(tmp))
+ cmd(tmp)
for file in [ca_cert, ssl_cert, ssl_key]:
cmd(f'sudo chown radius_priv_user:vyattacfg {file}')
diff --git a/smoketest/scripts/cli/test_interfaces_loopback.py b/smoketest/scripts/cli/test_interfaces_loopback.py
index 79225a1bd..36000c3ff 100755
--- a/smoketest/scripts/cli/test_interfaces_loopback.py
+++ b/smoketest/scripts/cli/test_interfaces_loopback.py
@@ -17,6 +17,8 @@
import unittest
from base_interfaces_test import BasicInterfaceTest
+from netifaces import interfaces
+
from vyos.validate import is_intf_addr_assigned
class LoopbackInterfaceTest(BasicInterfaceTest.BaseTest):
@@ -27,6 +29,15 @@ class LoopbackInterfaceTest(BasicInterfaceTest.BaseTest):
self._base_path = ['interfaces', 'loopback']
self._interfaces = ['lo']
+ def tearDown(self):
+ self.session.delete(self._base_path)
+ self.session.commit()
+ del self.session
+
+ # loopback interface must persist!
+ for intf in self._interfaces:
+ self.assertIn(intf, interfaces())
+
def test_add_single_ip_address(self):
super().test_add_single_ip_address()
for addr in self._loopback_addresses:
@@ -37,5 +48,8 @@ class LoopbackInterfaceTest(BasicInterfaceTest.BaseTest):
for addr in self._loopback_addresses:
self.assertTrue(is_intf_addr_assigned('lo', addr))
+ def test_interface_disable(self):
+ self.skipTest('not supported')
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_tunnel.py b/smoketest/scripts/cli/test_interfaces_tunnel.py
index f67b813af..8405fc7d0 100755
--- a/smoketest/scripts/cli/test_interfaces_tunnel.py
+++ b/smoketest/scripts/cli/test_interfaces_tunnel.py
@@ -84,7 +84,6 @@ class TunnelInterfaceTest(BasicInterfaceTest.BaseTest):
self.session.delete(['interfaces', 'dummy', source_if])
super().tearDown()
-
def test_ipv4_encapsulations(self):
# When running tests ensure that for certain encapsulation types the
# local and remote IP address is actually an IPv4 address
@@ -106,7 +105,6 @@ class TunnelInterfaceTest(BasicInterfaceTest.BaseTest):
with self.assertRaises(ConfigSessionError):
self.session.commit()
self.session.set(self._base_path + [interface, 'remote-ip', remote_ip4])
-
self.session.set(self._base_path + [interface, 'source-interface', source_if])
# Source interface can not be used with sit and gre-bridge
@@ -130,6 +128,7 @@ class TunnelInterfaceTest(BasicInterfaceTest.BaseTest):
self.assertEqual(self.local_v4, conf['linkinfo']['info_data']['local'])
self.assertEqual(remote_ip4, conf['linkinfo']['info_data']['remote'])
+ self.assertTrue(conf['linkinfo']['info_data']['pmtudisc'])
# cleanup this instance
self.session.delete(self._base_path + [interface])
@@ -177,7 +176,7 @@ class TunnelInterfaceTest(BasicInterfaceTest.BaseTest):
self.assertEqual(encapsulation, conf['link_type'])
self.assertEqual(self.local_v6, conf['linkinfo']['info_data']['local'])
- self.assertEqual(remote_ip6, conf['linkinfo']['info_data']['remote'])
+ self.assertEqual(remote_ip6, conf['linkinfo']['info_data']['remote'])
# cleanup this instance
self.session.delete(self._base_path + [interface])
@@ -203,5 +202,31 @@ class TunnelInterfaceTest(BasicInterfaceTest.BaseTest):
# Check if commit is ok
self.session.commit()
+ def test_tunnel_parameters_gre(self):
+ interface = f'tun1030'
+ gre_key = '10'
+ encapsulation = 'gre'
+ tos = '20'
+
+ self.session.set(self._base_path + [interface, 'encapsulation', encapsulation])
+ self.session.set(self._base_path + [interface, 'local-ip', self.local_v4])
+ self.session.set(self._base_path + [interface, 'remote-ip', remote_ip4])
+
+ self.session.set(self._base_path + [interface, 'parameters', 'ip', 'no-pmtu-discovery'])
+ self.session.set(self._base_path + [interface, 'parameters', 'ip', 'key', gre_key])
+ self.session.set(self._base_path + [interface, 'parameters', 'ip', 'tos', tos])
+
+ # Check if commit is ok
+ self.session.commit()
+
+ conf = tunnel_conf(interface)
+ self.assertEqual(mtu, conf['mtu'])
+ self.assertEqual(interface, conf['ifname'])
+ self.assertEqual(encapsulation, conf['link_type'])
+ self.assertEqual(self.local_v4, conf['linkinfo']['info_data']['local'])
+ self.assertEqual(remote_ip4, conf['linkinfo']['info_data']['remote'])
+ self.assertEqual(0, conf['linkinfo']['info_data']['ttl'])
+ self.assertFalse( conf['linkinfo']['info_data']['pmtudisc'])
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index eede042de..68081e56f 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -27,7 +27,11 @@ from vyos.util import read_file
PROCESS_NAME = 'sshd'
SSHD_CONF = '/run/sshd/sshd_config'
base_path = ['service', 'ssh']
-vrf = 'ssh-test'
+vrf = 'mgmt'
+
+key_rsa = '/etc/ssh/ssh_host_rsa_key'
+key_dsa = '/etc/ssh/ssh_host_dsa_key'
+key_ed25519 = '/etc/ssh/ssh_host_ed25519_key'
def get_config_value(key):
tmp = read_file(SSHD_CONF)
@@ -47,6 +51,10 @@ class TestServiceSSH(unittest.TestCase):
self.session.commit()
del self.session
+ self.assertTrue(os.path.isfile(key_rsa))
+ self.assertTrue(os.path.isfile(key_dsa))
+ self.assertTrue(os.path.isfile(key_ed25519))
+
def test_ssh_default(self):
# Check if SSH service runs with default settings - used for checking
# behavior of <defaultValue> in XML definition
diff --git a/smoketest/scripts/cli/test_system_ip.py b/smoketest/scripts/cli/test_system_ip.py
index 8fc18ba88..4ad8d537d 100755
--- a/smoketest/scripts/cli/test_system_ip.py
+++ b/smoketest/scripts/cli/test_system_ip.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020 Francois Mertz fireboxled@gmail.com
+# Copyright (C) 2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
diff --git a/smoketest/scripts/cli/test_system_ipv6.py b/smoketest/scripts/cli/test_system_ipv6.py
new file mode 100755
index 000000000..df69739eb
--- /dev/null
+++ b/smoketest/scripts/cli/test_system_ipv6.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import unittest
+
+from vyos.configsession import ConfigSession
+from vyos.util import read_file
+
+base_path = ['system', 'ipv6']
+
+file_forwarding = '/proc/sys/net/ipv6/conf/all/forwarding'
+file_disable = '/etc/modprobe.d/vyos_disable_ipv6.conf'
+file_dad = '/proc/sys/net/ipv6/conf/all/accept_dad'
+file_multipath = '/proc/sys/net/ipv6/fib_multipath_hash_policy'
+
+class TestSystemIPv6(unittest.TestCase):
+ def setUp(self):
+ self.session = ConfigSession(os.getpid())
+
+ def tearDown(self):
+ self.session.delete(base_path)
+ self.session.commit()
+ del self.session
+
+ def test_system_ipv6_forwarding(self):
+ # Test if IPv6 forwarding can be disabled globally, default is '1'
+ # which means forwearding enabled
+ self.assertEqual(read_file(file_forwarding), '1')
+
+ self.session.set(base_path + ['disable-forwarding'])
+ self.session.commit()
+
+ self.assertEqual(read_file(file_forwarding), '0')
+
+ def test_system_ipv6_disable(self):
+ # Do not assign any IPv6 address on interfaces, this requires a reboot
+ # which can not be tested, but we can read the config file :)
+ self.session.set(base_path + ['disable'])
+ self.session.commit()
+
+ # Verify configuration file
+ self.assertEqual(read_file(file_disable), 'options ipv6 disable_ipv6=1')
+
+ def test_system_ipv6_strict_dad(self):
+ # This defaults to 1
+ self.assertEqual(read_file(file_dad), '1')
+
+ # Do not assign any IPv6 address on interfaces, this requires a reboot
+ # which can not be tested, but we can read the config file :)
+ self.session.set(base_path + ['strict-dad'])
+ self.session.commit()
+
+ # Verify configuration file
+ self.assertEqual(read_file(file_dad), '2')
+
+ def test_system_ipv6_multipath(self):
+ # This defaults to 0
+ self.assertEqual(read_file(file_multipath), '0')
+
+ # Do not assign any IPv6 address on interfaces, this requires a reboot
+ # which can not be tested, but we can read the config file :)
+ self.session.set(base_path + ['multipath', 'layer4-hashing'])
+ self.session.commit()
+
+ # Verify configuration file
+ self.assertEqual(read_file(file_multipath), '1')
+
+ def test_system_ipv6_neighbor_table_size(self):
+ # Maximum number of entries to keep in the ARP cache, the
+ # default is 8192
+
+ gc_thresh3 = '/proc/sys/net/ipv6/neigh/default/gc_thresh3'
+ gc_thresh2 = '/proc/sys/net/ipv6/neigh/default/gc_thresh2'
+ gc_thresh1 = '/proc/sys/net/ipv6/neigh/default/gc_thresh1'
+ self.assertEqual(read_file(gc_thresh3), '8192')
+ self.assertEqual(read_file(gc_thresh2), '4096')
+ self.assertEqual(read_file(gc_thresh1), '1024')
+
+ for size in [1024, 2048, 4096, 8192, 16384, 32768]:
+ self.session.set(base_path + ['neighbor', 'table-size', str(size)])
+ self.session.commit()
+
+ self.assertEqual(read_file(gc_thresh3), str(size))
+ self.assertEqual(read_file(gc_thresh2), str(size // 2))
+ self.assertEqual(read_file(gc_thresh1), str(size // 8))
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_system_ntp.py b/smoketest/scripts/cli/test_system_ntp.py
index 986c8dfb2..edb6ad94d 100755
--- a/smoketest/scripts/cli/test_system_ntp.py
+++ b/smoketest/scripts/cli/test_system_ntp.py
@@ -26,7 +26,7 @@ from vyos.util import read_file
from vyos.util import process_named_running
PROCESS_NAME = 'ntpd'
-NTP_CONF = '/etc/ntp.conf'
+NTP_CONF = '/run/ntpd/ntpd.conf'
base_path = ['system', 'ntp']
def get_config_value(key):
@@ -47,6 +47,8 @@ class TestSystemNTP(unittest.TestCase):
self.session.commit()
del self.session
+ self.assertFalse(process_named_running(PROCESS_NAME))
+
def test_ntp_options(self):
# Test basic NTP support with multiple servers and their options
servers = ['192.0.2.1', '192.0.2.2']
@@ -76,7 +78,7 @@ class TestSystemNTP(unittest.TestCase):
self.assertTrue(process_named_running(PROCESS_NAME))
def test_ntp_clients(self):
- """ Test the allowed-networks statement """
+ # Test the allowed-networks statement
listen_address = ['127.0.0.1', '::1']
for listen in listen_address:
self.session.set(base_path + ['listen-address', listen])
diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py
index 7bcfea861..5270e758a 100755
--- a/smoketest/scripts/cli/test_vrf.py
+++ b/smoketest/scripts/cli/test_vrf.py
@@ -14,53 +14,111 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import re
import os
import unittest
+from netifaces import interfaces
-from vyos.configsession import ConfigSession, ConfigSessionError
+from vyos.configsession import ConfigSession
+from vyos.configsession import ConfigSessionError
from vyos.util import read_file
from vyos.validate import is_intf_addr_assigned
+from vyos.ifconfig import Interface
+
+base_path = ['vrf']
+vrfs = ['red', 'green', 'blue', 'foo-bar', 'baz_foo']
class VRFTest(unittest.TestCase):
def setUp(self):
self.session = ConfigSession(os.getpid())
- self._vrfs = ['red', 'green', 'blue']
def tearDown(self):
# delete all VRFs
- self.session.delete(['vrf'])
+ self.session.delete(base_path)
self.session.commit()
- del self.session
+ for vrf in vrfs:
+ self.assertNotIn(vrf, interfaces())
def test_vrf_table_id(self):
- table = 1000
- for vrf in self._vrfs:
- base = ['vrf', 'name', vrf]
- description = "VyOS-VRF-" + vrf
+ table = '1000'
+ for vrf in vrfs:
+ base = base_path + ['name', vrf]
+ description = f'VyOS-VRF-{vrf}'
self.session.set(base + ['description', description])
# check validate() - a table ID is mandatory
with self.assertRaises(ConfigSessionError):
self.session.commit()
- self.session.set(base + ['table', str(table)])
- table += 1
+ self.session.set(base + ['table', table])
+ if vrf == 'green':
+ self.session.set(base + ['disable'])
+
+ table = str(int(table) + 1)
# commit changes
self.session.commit()
+ # Verify VRF configuration
+ table = '1000'
+ iproute2_config = read_file('/etc/iproute2/rt_tables.d/vyos-vrf.conf')
+ for vrf in vrfs:
+ description = f'VyOS-VRF-{vrf}'
+ self.assertTrue(vrf in interfaces())
+ vrf_if = Interface(vrf)
+ # validate proper interface description
+ self.assertEqual(vrf_if.get_alias(), description)
+ # validate admin up/down state of VRF
+ state = 'up'
+ if vrf == 'green':
+ state = 'down'
+ self.assertEqual(vrf_if.get_admin_state(), state)
+
+ # Test the iproute2 lookup file, syntax is as follows:
+ #
+ # # id vrf name comment
+ # 1000 red # VyOS-VRF-red
+ # 1001 green # VyOS-VRF-green
+ # ...
+ regex = f'{table}\s+{vrf}\s+#\s+{description}'
+ self.assertTrue(re.findall(regex, iproute2_config))
+ table = str(int(table) + 1)
+
def test_vrf_loopback_ips(self):
- table = 1000
- for vrf in self._vrfs:
- base = ['vrf', 'name', vrf]
+ table = '2000'
+ for vrf in vrfs:
+ base = base_path + ['name', vrf]
self.session.set(base + ['table', str(table)])
- table += 1
+ table = str(int(table) + 1)
# commit changes
self.session.commit()
- for vrf in self._vrfs:
+
+ # Verify VRF configuration
+ for vrf in vrfs:
+ self.assertTrue(vrf in interfaces())
self.assertTrue(is_intf_addr_assigned(vrf, '127.0.0.1'))
self.assertTrue(is_intf_addr_assigned(vrf, '::1'))
+ def test_vrf_table_id_is_unalterable(self):
+ # Linux Kernel prohibits the change of a VRF table on the fly.
+ # VRF must be deleted and recreated!
+ table = '1000'
+ vrf = vrfs[0]
+ base = base_path + ['name', vrf]
+ self.session.set(base + ['table', table])
+
+ # commit changes
+ self.session.commit()
+
+ # Check if VRF has been created
+ self.assertTrue(vrf in interfaces())
+
+ table = str(int(table) + 1)
+ self.session.set(base + ['table', table])
+ # check validate() - table ID can not be altered!
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+
if __name__ == '__main__':
- unittest.main(verbosity=2)
+ unittest.main(verbosity=2, failfast=True)
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-03 19:56:29 +0000