Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/firewall.py10
-rwxr-xr-xsrc/conf_mode/protocols_ospf.py4
-rwxr-xr-xsrc/conf_mode/service_ipoe-server.py11
-rwxr-xr-xsrc/conf_mode/system_sflow.py124
4 files changed, 147 insertions, 2 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index b63ed4eb9..c41a442df 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -282,6 +282,16 @@ def verify_rule(firewall, rule_conf, ipv6):
if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group')
+ if 'log_options' in rule_conf:
+ if 'log' not in rule_conf or 'enable' not in rule_conf['log']:
+ raise ConfigError('log-options defined, but log is not enable')
+
+ if 'snapshot_length' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']:
+ raise ConfigError('log-options snapshot-length defined, but log group is not define')
+
+ if 'queue_threshold' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']:
+ raise ConfigError('log-options queue-threshold defined, but log group is not define')
+
def verify_nested_group(group_name, group, groups, seen):
if 'include' not in group:
return
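Review bot: The added `'enable' not in rule_conf['log']` test is a membership test, so its meaning depends on the type of `rule_conf['log']`, which this hunk does not show: on a string it is a substring match, on a dict a key lookup. If `log` is a leaf holding `enable` or `disable`, an equality test states the intent directly, `if rule_conf.get('log') != 'enable':`. The two `group` checks differ only in the option name and could share one loop over `('snapshot_length', 'queue_threshold')`. The messages would read better as "log is not enabled" and "log group is not defined". verify_rule starts before the hunk.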
diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py
index 0582d32be..eb64afa0c 100755
--- a/src/conf_mode/protocols_ospf.py
+++ b/src/conf_mode/protocols_ospf.py
@@ -89,7 +89,7 @@ def get_config(config=None):
if 'mpls_te' not in ospf:
del default_values['mpls_te']
- for protocol in ['bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']:
+ for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']:
# table is a tagNode thus we need to clean out all occurances for the
# default values and load them in later individually
if protocol == 'table':
@@ -234,7 +234,7 @@ def verify(ospf):
if list(set(global_range) & set(local_range)):
raise ConfigError(f'Segment-Routing Global Block ({g_low_label_value}/{g_high_label_value}) '\
f'conflicts with Local Block ({l_low_label_value}/{l_high_label_value})!')
-
+
# Check for a blank or invalid value per prefix
if dict_search('segment_routing.prefix', ospf):
for prefix, prefix_config in ospf['segment_routing']['prefix'].items():
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index 9cdfa08ef..4fabe170f 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -60,6 +60,17 @@ def verify(ipoe):
'Use "ipoe client-ip-pool" instead.')
#verify_accel_ppp_base_service(ipoe, local_users=False)
+ # IPoE server does not have 'gateway' option in the CLI
+ # we cannot use configverify.py verify_accel_ppp_base_service for ipoe-server
+
+ if dict_search('authentication.mode', ipoe) == 'radius':
+ if not dict_search('authentication.radius.server', ipoe):
+ raise ConfigError('RADIUS authentication requires at least one server')
+
+ for server in dict_search('authentication.radius.server', ipoe):
+ radius_config = ipoe['authentication']['radius']['server'][server]
+ if 'key' not in radius_config:
+ raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
if 'client_ipv6_pool' in ipoe:
if 'delegate' in ipoe['client_ipv6_pool'] and 'prefix' not in ipoe['client_ipv6_pool']:
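Review bot: The added RADIUS check calls `dict_search('authentication.radius.server', ipoe)` twice and then indexes `ipoe['authentication']['radius']['server'][server]` by hand to reach the same data. Binding the result once, `servers = dict_search('authentication.radius.server', ipoe)`, and iterating `for server, radius_config in servers.items():` keeps the emptiness test and the per-server secret test on one object. The check only requires that a `key` node is present; whether an empty secret can reach this point is not visible from the hunk. verify() starts before the hunk and continues after it.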
diff --git a/src/conf_mode/system_sflow.py b/src/conf_mode/system_sflow.py
new file mode 100755
index 000000000..a0c3fca7f
--- /dev/null
+++ b/src/conf_mode/system_sflow.py
@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.template import render
+from vyos.util import call
+from vyos.validate import is_addr_assigned
+from vyos.xml import defaults
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+hsflowd_conf_path = '/run/sflow/hsflowd.conf'
+systemd_service = 'hsflowd.service'
+systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf'
+
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['system', 'sflow']
+ if not conf.exists(base):
+ return None
+
+ sflow = conf.get_config_dict(base,
+ key_mangling=('-', '_'),
+ get_first_key=True)
+
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ default_values = defaults(base)
+
+ sflow = dict_merge(default_values, sflow)
+
+ # Ignore default XML values if config doesn't exists
+ # Delete key from dict
+ if 'port' in sflow['server']:
+ del sflow['server']['port']
+
+ # Set default values per server
+ if 'server' in sflow:
+ for server in sflow['server']:
+ default_values = defaults(base + ['server'])
+ sflow['server'][server] = dict_merge(default_values, sflow['server'][server])
+
+ return sflow
+
+
+def verify(sflow):
+ if not sflow:
+ return None
+
+ # Check if configured sflow agent-address exist in the system
+ if 'agent_address' in sflow:
+ tmp = sflow['agent_address']
+ if not is_addr_assigned(tmp):
+ raise ConfigError(
+ f'Configured "sflow agent-address {tmp}" does not exist in the system!'
+ )
+
+ # Check if at least one interface is configured
+ if 'interface' not in sflow:
+ raise ConfigError(
+ 'sFlow requires at least one interface to be configured!')
+
+ # Check if at least one server is configured
+ if 'server' not in sflow:
+ raise ConfigError('You need to configure at least one sFlow server!')
+
+ # return True if all checks were passed
+ return True
+
+
+def generate(sflow):
+ if not sflow:
+ return None
+
+ render(hsflowd_conf_path, 'sflow/hsflowd.conf.j2', sflow)
+ render(systemd_override, 'sflow/override.conf.j2', sflow)
+ # Reload systemd manager configuration
+ call('systemctl daemon-reload')
+
+
+def apply(sflow):
+ if not sflow:
+ # Stop flow-accounting daemon and remove configuration file
+ call(f'systemctl stop {systemd_service}')
+ if os.path.exists(hsflowd_conf_path):
+ os.unlink(hsflowd_conf_path)
+ return
+
+ # Start/reload flow-accounting daemon
+ call(f'systemctl restart {systemd_service}')
+
+
+if __name__ == '__main__':
+ try:
+ config = get_config()
+ verify(config)
+ generate(config)
+ apply(config)
+ except ConfigError as e:
+ print(e)
+ exit(1)
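Review bot: In get_config() the line `if 'port' in sflow['server']:` indexes `sflow['server']` without a guard, while the block right after it tests `if 'server' in sflow:`, so the two disagree about whether the key can be absent. If `defaults(base)` always contributes a `server` key (which the port deletion suggests), then an empty `server` dict survives the merge and the `'server' not in sflow` check in verify() can never fire, so a configuration with no collector would pass validation. Guarding the delete with `if 'server' in sflow and 'port' in sflow['server']:` and testing `if not sflow.get('server'):` in verify() covers both cases. Separately, apply() unlinks `hsflowd_conf_path` on removal but leaves `systemd_override` in place, and its comments still say "flow-accounting daemon" although the unit is hsflowd.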