6 files changed, 70 insertions, 36 deletions

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 2e4bea377..3bef9b8f6 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -88,32 +88,45 @@ def get_config(config=None):
         conf = Config()
     base = ['interfaces', 'openvpn']
 
-    tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                get_first_key=True, no_tag_node_value_mangle=True)
-
     ifname, openvpn = get_interface_dict(conf, base)
-
-    if 'deleted' not in openvpn:
-        openvpn['pki'] = tmp_pki
-        if is_node_changed(conf, base + [ifname, 'openvpn-option']):
-            openvpn.update({'restart_required': {}})
-        if is_node_changed(conf, base + [ifname, 'enable-dco']):
-            openvpn.update({'restart_required': {}})
-
-        # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict'
-        # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there.
-        tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True)
-
-        # We have to cleanup the config dict, as default values could enable features
-        # which are not explicitly enabled on the CLI. Example: server mfa totp
-        # originate comes with defaults, which will enable the
-        # totp plugin, even when not set via CLI so we
-        # need to check this first and drop those keys
-        if dict_search('server.mfa.totp', tmp) == None:
-            del openvpn['server']['mfa']
-
     openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn)
 
+    if 'deleted' in openvpn:
+        return openvpn
+
+    openvpn['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+                                        get_first_key=True,
+                                        no_tag_node_value_mangle=True)
+
+    if is_node_changed(conf, base + [ifname, 'openvpn-option']):
+        openvpn.update({'restart_required': {}})
+    if is_node_changed(conf, base + [ifname, 'enable-dco']):
+        openvpn.update({'restart_required': {}})
+
+    # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict'
+    # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there.
+    tmp = conf.get_config_dict(base + [openvpn['ifname']], get_first_key=True)
+
+    # We have to cleanup the config dict, as default values could enable features
+    # which are not explicitly enabled on the CLI. Example: server mfa totp
+    # originate comes with defaults, which will enable the
+    # totp plugin, even when not set via CLI so we
+    # need to check this first and drop those keys
+    if dict_search('server.mfa.totp', tmp) == None:
+        del openvpn['server']['mfa']
+
+    # OpenVPN Data-Channel-Offload (DCO) is a Kernel module. If loaded it applies to all
+    # OpenVPN interfaces. Check if DCO is used by any other interface instance.
+    tmp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+    for interface, interface_config in tmp.items():
+        # If one interface has DCO configured, enable it. No need to further check
+        # all other OpenVPN interfaces. We must use a dedicated key to indicate
+        # the Kernel module must be loaded or not. The per interface "offload.dco"
+        # key is required per OpenVPN interface instance.
+        if dict_search('offload.dco', interface_config) != None:
+            openvpn['module_load_dco'] = {}
+            break
+
     return openvpn
 
 def is_ec_private_key(pki, cert_name):
@@ -674,6 +687,15 @@ def apply(openvpn):
         if interface in interfaces():
             VTunIf(interface).remove()
 
+    # dynamically load/unload DCO Kernel extension if requested
+    dco_module = 'ovpn_dco_v2'
+    if 'module_load_dco' in openvpn:
+        check_kmod(dco_module)
+    else:
+        unload_kmod(dco_module)
+
+    # Now bail out early if interface is disabled or got deleted
+    if 'deleted' in openvpn or 'disable' in openvpn:
         return None
 
     # verify specified IP address is present on any interface on this system
@@ -683,13 +705,6 @@ def apply(openvpn):
         if not is_addr_assigned(openvpn['local_host']):
             cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1')
 
-    # dynamically load/unload DCO Kernel extension if requested
-    dco_module = 'ovpn_dco_v2'
-    if 'enable_dco' in openvpn:
-        check_kmod(dco_module)
-    else:
-        unload_kmod(dco_module)
-
     # No matching OpenVPN process running - maybe it got killed or none
     # existed - nevertheless, spawn new OpenVPN process
     action = 'reload-or-restart'
diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py
index 6658ca86a..2515dc838 100755
--- a/src/conf_mode/interfaces-wwan.py
+++ b/src/conf_mode/interfaces-wwan.py
@@ -75,7 +75,6 @@ def get_config(config=None):
 
     # We need to know the amount of other WWAN interfaces as ModemManager needs
     # to be started or stopped.
-    conf.set_level(base)
     wwan['other_interfaces'] = conf.get_config_dict([], key_mangling=('-', '_'),
                                                        get_first_key=True,
                                                        no_tag_node_value_mangle=True)
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index cec025fea..7b9f15505 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -475,6 +475,8 @@ def verify(bgp):
                     if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']):
                         raise ConfigError(
                             'Command "import vrf" conflicts with "rd vpn export" command!')
+                    if not dict_search('parameters.router_id', bgp):
+                        Warning(f'BGP "router-id" is required when using "rd" and "route-target"!')
 
                 if dict_search('route_target.vpn.both', afi_config):
                     if verify_vrf_as_import(vrf_name, afi, bgp['dependent_vrfs']):
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index 2e678cf0b..f6b80552b 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -30,6 +30,7 @@ airbag.enable()
 config_file = r'/run/fastnetmon/fastnetmon.conf'
 networks_list = r'/run/fastnetmon/networks_list'
 excluded_networks_list = r'/run/fastnetmon/excluded_networks_list'
+attack_dir = '/var/log/fastnetmon_attacks'
 
 def get_config(config=None):
     if config:
@@ -55,8 +56,11 @@ def verify(fastnetmon):
     if 'mode' not in fastnetmon:
         raise ConfigError('Specify operating mode!')
 
-    if 'listen_interface' not in fastnetmon:
-        raise ConfigError('Specify interface(s) for traffic capture')
+    if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon:
+        raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring")
+
+    if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}):
+        raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'")
 
     if 'alert_script' in fastnetmon:
         if os.path.isfile(fastnetmon['alert_script']):
@@ -74,6 +78,10 @@ def generate(fastnetmon):
 
         return None
 
+    # Create dir for log attack details
+    if not os.path.exists(attack_dir):
+        os.mkdir(attack_dir)
+
     render(config_file, 'ids/fastnetmon.j2', fastnetmon)
     render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon)
     render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon)
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index afd75913e..82941e0c0 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -54,7 +54,7 @@ MAX_USER_UID: int = 59999
 # LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
 MAX_RADIUS_TIMEOUT: int = 50
 # MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout)
-MAX_RADIUS_COUNT: int = 25
+MAX_RADIUS_COUNT: int = 8
 # Maximum number of supported TACACS servers
 MAX_TACACS_COUNT: int = 8
 
diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py
index 5172b492e..1495e9223 100755
--- a/src/conf_mode/system-option.py
+++ b/src/conf_mode/system-option.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2022 VyOS maintainers and contributors
+# Copyright (C) 2019-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -36,6 +36,11 @@ airbag.enable()
 curlrc_config = r'/etc/curlrc'
 ssh_config = r'/etc/ssh/ssh_config.d/91-vyos-ssh-client-options.conf'
 systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target'
+time_format_to_locale = {
+    '12-hour': 'en_US.UTF-8',
+    '24-hour': 'en_GB.UTF-8'
+}
+
 
 def get_config(config=None):
     if config:
@@ -143,6 +148,11 @@ def apply(options):
     else:
       cmd('systemctl disable root-partition-auto-resize.service')
 
+    # Time format 12|24-hour
+    if 'time_format' in options:
+        time_format = time_format_to_locale.get(options['time_format'])
+        cmd(f'localectl set-locale LC_TIME={time_format}')
+
 if __name__ == '__main__':
     try:
         c = get_config()