6 files changed, 120 insertions, 23 deletions

diff --git a/src/conf_mode/protocols_pim6.py b/src/conf_mode/protocols_pim6.py
new file mode 100755
index 000000000..6a1235ba5
--- /dev/null
+++ b/src/conf_mode/protocols_pim6.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipaddress import IPv6Address
+from sys import exit
+from typing import Optional
+
+from vyos import ConfigError, airbag, frr
+from vyos.config import Config, ConfigDict
+from vyos.configdict import node_changed
+from vyos.configverify import verify_interface_exists
+from vyos.template import render_to_string
+
+airbag.enable()
+
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['protocols', 'pim6']
+    pim6 = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                 get_first_key=True, with_recursive_defaults=True)
+
+    # FRR has VRF support for different routing daemons. As interfaces belong
+    # to VRFs - or the global VRF, we need to check for changed interfaces so
+    # that they will be properly rendered for the FRR config. Also this eases
+    # removal of interfaces from the running configuration.
+    interfaces_removed = node_changed(conf, base + ['interface'])
+    if interfaces_removed:
+        pim6['interface_removed'] = list(interfaces_removed)
+
+    return pim6
+
+
+def verify(pim6):
+    if pim6 is None:
+        return
+
+    for interface, interface_config in pim6.get('interface', {}).items():
+        verify_interface_exists(interface)
+        if 'mld' in interface_config:
+            mld = interface_config['mld']
+            for group in mld.get('join', {}).keys():
+                # Validate multicast group address
+                if not IPv6Address(group).is_multicast:
+                    raise ConfigError(f"{group} is not a multicast group")
+
+
+def generate(pim6):
+    if pim6 is None:
+        return
+
+    pim6['new_frr_config'] = render_to_string('frr/pim6d.frr.j2', pim6)
+
+
+def apply(pim6):
+    if pim6 is None:
+        return
+
+    pim6_daemon = 'pim6d'
+
+    # Save original configuration prior to starting any commit actions
+    frr_cfg = frr.FRRConfig()
+
+    frr_cfg.load_configuration(pim6_daemon)
+
+    for key in ['interface', 'interface_removed']:
+        if key not in pim6:
+            continue
+        for interface in pim6[key]:
+            frr_cfg.modify_section(
+                f'^interface {interface}', stop_pattern='^exit', remove_stop_mark=True)
+
+    if 'new_frr_config' in pim6:
+        frr_cfg.add_before(frr.default_add_before, pim6['new_frr_config'])
+    frr_cfg.commit_configuration(pim6_daemon)
+
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/system_frr.py b/src/conf_mode/system_frr.py
index fb252238a..d8224b3c3 100755
--- a/src/conf_mode/system_frr.py
+++ b/src/conf_mode/system_frr.py
@@ -22,17 +22,14 @@ from vyos import airbag
 from vyos.config import Config
 from vyos.logger import syslog
 from vyos.template import render_to_string
+from vyos.utils.boot import boot_configuration_complete
 from vyos.utils.file import read_file
 from vyos.utils.file import write_file
-from vyos.utils.process import run
+from vyos.utils.process import call
 airbag.enable()
 
 # path to daemons config and config status files
 config_file = '/etc/frr/daemons'
-vyos_status_file = '/tmp/vyos-config-status'
-# path to watchfrr for FRR control
-watchfrr = '/usr/lib/frr/watchfrr.sh'
-
 
 def get_config(config=None):
     if config:
@@ -45,12 +42,10 @@ def get_config(config=None):
 
     return frr_config
 
-
 def verify(frr_config):
     # Nothing to verify here
     pass
 
-
 def generate(frr_config):
     # read daemons config file
     daemons_config_current = read_file(config_file)
@@ -62,25 +57,21 @@ def generate(frr_config):
         write_file(config_file, daemons_config_new)
         frr_config['config_file_changed'] = True
 
-
 def apply(frr_config):
-    # check if this is initial commit during boot or intiated by CLI
-    # if the file exists, this must be CLI commit
-    commit_type_cli = Path(vyos_status_file).exists()
     # display warning to user
-    if commit_type_cli and frr_config.get('config_file_changed'):
+    if boot_configuration_complete() and frr_config.get('config_file_changed'):
         # Since FRR restart is not safe thing, better to give
         # control over this to users
         print('''
         You need to reboot a router (preferred) or restart FRR
         to apply changes in modules settings
         ''')
-    # restart FRR automatically. DUring the initial boot this should be
-    # safe in most cases
-    if not commit_type_cli and frr_config.get('config_file_changed'):
-        syslog.warning('Restarting FRR to apply changes in modules')
-        run(f'{watchfrr} restart')
 
+    # restart FRR automatically
+    # During initial boot this should be safe in most cases
+    if not boot_configuration_complete() and frr_config.get('config_file_changed'):
+        syslog.warning('Restarting FRR to apply changes in modules')
+        call(f'systemctl restart frr.service')
 
 if __name__ == '__main__':
     try:
diff --git a/src/init/vyos-router b/src/init/vyos-router
index a5d1a31fa..1bbb9c869 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -340,10 +340,6 @@ start ()
     nfct helper add tns inet6 tcp
     nft -f /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
 
-    rm -f /etc/hostname
-    ${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name"
-    systemctl start frr.service
-
     # As VyOS does not execute commands that are not present in the CLI we call
     # the script by hand to have a single source for the login banner and MOTD
     ${vyos_conf_scripts_dir}/system_console.py || log_failure_msg "could not reset serial console"
@@ -376,6 +372,13 @@ start ()
       && chgrp ${GROUP} ${vyatta_configdir}
     log_action_end_msg $?
 
+    rm -f /etc/hostname
+    ${vyos_conf_scripts_dir}/host_name.py || log_failure_msg "could not reset host-name"
+    ${vyos_conf_scripts_dir}/system_frr.py || log_failure_msg "could not reset FRR config"
+    # If for any reason FRR was not started by system_frr.py - start it anyways.
+    # This is a safety net!
+    systemctl start frr.service
+
     disabled bootfile || init_bootfile
 
     cleanup_post_commit_hooks
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 23b4b8459..11cbd977d 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -300,6 +300,8 @@ def show_firewall_group(name=None):
                     for priority, priority_conf in firewall[item][name_type].items():
                         if priority not in firewall[item][name_type]:
                             continue
+                        if 'rule' not in priority_conf:
+                            continue
                         for rule_id, rule_conf in priority_conf['rule'].items():
                             source_group = dict_search_args(rule_conf, 'source', 'group', group_type)
                             dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type)
diff --git a/src/op_mode/otp.py b/src/op_mode/otp.py
index c472a1ed3..6d4298894 100755
--- a/src/op_mode/otp.py
+++ b/src/op_mode/otp.py
@@ -23,7 +23,7 @@ from jinja2 import Template
 from vyos.configquery import ConfigTreeQuery
 from vyos.xml import defaults
 from vyos.configdict import dict_merge
-from vyos.util import popen
+from vyos.utils.process import popen
 
 
 users_otp_template = Template("""
diff --git a/src/systemd/vyos-router.service b/src/systemd/vyos-router.service
index 6f683cebb..7a1638f11 100644
--- a/src/systemd/vyos-router.service
+++ b/src/systemd/vyos-router.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=VyOS Router
 After=systemd-journald-dev-log.socket time-sync.target local-fs.target cloud-config.service
-Requires=frr.service
 Conflicts=shutdown.target
 Before=systemd-user-sessions.service