4 files changed, 158 insertions, 12 deletions
diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py
index ed0a8fba2..1e2c02d03 100755
--- a/src/conf_mode/protocols_ospfv3.py
+++ b/src/conf_mode/protocols_ospfv3.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -146,15 +146,25 @@ def generate(ospfv3):
     if not ospfv3 or 'deleted' in ospfv3:
         return None
 
+    ospfv3['protocol'] = 'ospf6' # required for frr/vrf.route-map.v6.frr.j2
+    ospfv3['frr_zebra_config'] = render_to_string('frr/vrf.route-map.v6.frr.j2', ospfv3)
     ospfv3['new_frr_config'] = render_to_string('frr/ospf6d.frr.j2', ospfv3)
     return None
 
 def apply(ospfv3):
     ospf6_daemon = 'ospf6d'
+    zebra_daemon = 'zebra'
 
     # Save original configuration prior to starting any commit actions
     frr_cfg = frr.FRRConfig()
 
+    # The route-map used for the FIB (zebra) is part of the zebra daemon
+    frr_cfg.load_configuration(zebra_daemon)
+    frr_cfg.modify_section('(\s+)?ipv6 protocol ospf6 route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)')
+    if 'frr_zebra_config' in ospfv3:
+        frr_cfg.add_before(frr.default_add_before, ospfv3['frr_zebra_config'])
+    frr_cfg.commit_configuration(zebra_daemon)
+
     # Generate empty helper string which can be ammended to FRR commands, it
     # will be either empty (default VRF) or contain the "vrf <name" statement
     vrf = ''
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index 9cdfa08ef..4fabe170f 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -60,6 +60,17 @@ def verify(ipoe):
                               'Use "ipoe client-ip-pool" instead.')
 
     #verify_accel_ppp_base_service(ipoe, local_users=False)
+    # IPoE server does not have 'gateway' option in the CLI
+    # we cannot use configverify.py verify_accel_ppp_base_service for ipoe-server
+
+    if dict_search('authentication.mode', ipoe) == 'radius':
+        if not dict_search('authentication.radius.server', ipoe):
+            raise ConfigError('RADIUS authentication requires at least one server')
+
+        for server in dict_search('authentication.radius.server', ipoe):
+            radius_config = ipoe['authentication']['radius']['server'][server]
+            if 'key' not in radius_config:
+                raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
 
     if 'client_ipv6_pool' in ipoe:
         if 'delegate' in ipoe['client_ipv6_pool'] and 'prefix' not in ipoe['client_ipv6_pool']:
diff --git a/src/conf_mode/system_sflow.py b/src/conf_mode/system_sflow.py
new file mode 100755
index 000000000..a0c3fca7f
--- /dev/null
+++ b/src/conf_mode/system_sflow.py
@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.template import render
+from vyos.util import call
+from vyos.validate import is_addr_assigned
+from vyos.xml import defaults
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+hsflowd_conf_path = '/run/sflow/hsflowd.conf'
+systemd_service = 'hsflowd.service'
+systemd_override = f'/run/systemd/system/{systemd_service}.d/override.conf'
+
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['system', 'sflow']
+    if not conf.exists(base):
+        return None
+
+    sflow = conf.get_config_dict(base,
+                                 key_mangling=('-', '_'),
+                                 get_first_key=True)
+
+    # We have gathered the dict representation of the CLI, but there are default
+    # options which we need to update into the dictionary retrived.
+    default_values = defaults(base)
+
+    sflow = dict_merge(default_values, sflow)
+
+    # Ignore default XML values if config doesn't exists
+    # Delete key from dict
+    if 'port' in sflow['server']:
+        del sflow['server']['port']
+
+    # Set default values per server
+    if 'server' in sflow:
+        for server in sflow['server']:
+            default_values = defaults(base + ['server'])
+            sflow['server'][server] = dict_merge(default_values, sflow['server'][server])
+
+    return sflow
+
+
+def verify(sflow):
+    if not sflow:
+        return None
+
+    # Check if configured sflow agent-address exist in the system
+    if 'agent_address' in sflow:
+        tmp = sflow['agent_address']
+        if not is_addr_assigned(tmp):
+            raise ConfigError(
+                f'Configured "sflow agent-address {tmp}" does not exist in the system!'
+            )
+
+    # Check if at least one interface is configured
+    if 'interface' not in sflow:
+        raise ConfigError(
+            'sFlow requires at least one interface to be configured!')
+
+    # Check if at least one server is configured
+    if 'server' not in sflow:
+        raise ConfigError('You need to configure at least one sFlow server!')
+
+    # return True if all checks were passed
+    return True
+
+
+def generate(sflow):
+    if not sflow:
+        return None
+
+    render(hsflowd_conf_path, 'sflow/hsflowd.conf.j2', sflow)
+    render(systemd_override, 'sflow/override.conf.j2', sflow)
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
+
+
+def apply(sflow):
+    if not sflow:
+        # Stop flow-accounting daemon and remove configuration file
+        call(f'systemctl stop {systemd_service}')
+        if os.path.exists(hsflowd_conf_path):
+            os.unlink(hsflowd_conf_path)
+        return
+
+    # Start/reload flow-accounting daemon
+    call(f'systemctl restart {systemd_service}')
+
+
+if __name__ == '__main__':
+    try:
+        config = get_config()
+        verify(config)
+        generate(config)
+        apply(config)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/op_mode/openvpn.py b/src/op_mode/openvpn.py
index 8f88ab422..7ae49472e 100755
--- a/src/op_mode/openvpn.py
+++ b/src/op_mode/openvpn.py
@@ -53,7 +53,7 @@ def _get_tunnel_address(peer_host, peer_port, status_file):
 def _get_interface_status(mode: str, interface: str) -> dict:
     status_file = f'/run/openvpn/{interface}.status'
 
-    data = {
+    data: dict = {
         'mode': mode,
         'intf': interface,
         'local_host': '',
@@ -142,8 +142,8 @@ def _get_interface_status(mode: str, interface: str) -> dict:
 
     return data
 
-def _get_raw_data(mode: str) -> dict:
-    data = {}
+def _get_raw_data(mode: str) -> list:
+    data: list = []
     conf = Config()
     conf_dict = conf.get_config_dict(['interfaces', 'openvpn'],
                                      get_first_key=True)
@@ -152,8 +152,7 @@ def _get_raw_data(mode: str) -> dict:
 
     interfaces = [x for x in list(conf_dict) if conf_dict[x]['mode'] == mode]
     for intf in interfaces:
-        data[intf] = _get_interface_status(mode, intf)
-        d = data[intf]
+        d = _get_interface_status(mode, intf)
         d['local_host'] = conf_dict[intf].get('local-host', '')
         d['local_port'] = conf_dict[intf].get('local-port', '')
         if conf.exists(f'interfaces openvpn {intf} server client'):
@@ -164,10 +163,11 @@ def _get_raw_data(mode: str) -> dict:
                     client['name'] = 'None (PSK)'
                 client['remote_host'] = conf_dict[intf].get('remote-host', [''])[0]
                 client['remote_port'] = conf_dict[intf].get('remote-port', '1194')
+        data.append(d)
 
     return data
 
-def _format_openvpn(data: dict) -> str:
+def _format_openvpn(data: list) -> str:
     if not data:
         out = 'No OpenVPN interfaces configured'
         return out
@@ -176,11 +176,12 @@ def _format_openvpn(data: dict) -> str:
                'TX bytes', 'RX bytes', 'Connected Since']
 
     out = ''
-    for intf in list(data):
+    for d in data:
         data_out = []
-        l_host = data[intf]['local_host']
-        l_port = data[intf]['local_port']
-        for client in list(data[intf]['clients']):
+        intf = d['intf']
+        l_host = d['local_host']
+        l_port = d['local_port']
+        for client in d['clients']:
             r_host = client['remote_host']
             r_port = client['remote_port']
 
@@ -201,7 +202,7 @@ def _format_openvpn(data: dict) -> str:
 
     return out
 
-def show(raw: bool, mode: ArgMode) -> str:
+def show(raw: bool, mode: ArgMode) -> typing.Union[list,str]:
     openvpn_data = _get_raw_data(mode)
 
     if raw: