Diffstat (limited to 'src')
95 files changed, 2900 insertions, 3306 deletions
diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index a3e141a00..4a47b9246 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -29,8 +29,11 @@ airbag.enable() config_file_base = r'/etc/default/udp-broadcast-relay' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['service', 'broadcast-relay'] relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) diff --git a/src/conf_mode/dhcp_relay.py b/src/conf_mode/dhcp_relay.py index f093a005e..352865b9d 100755 --- a/src/conf_mode/dhcp_relay.py +++ b/src/conf_mode/dhcp_relay.py @@ -36,9 +36,12 @@ default_config_data = { 'relay_agent_packets': 'forward' } -def get_config(): +def get_config(config=None): relay = default_config_data - conf = Config() + if config: + conf = config + else: + conf = Config() if not conf.exists(['service', 'dhcp-relay']): return None else: diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index 0eaa14c5b..fd4e2ec61 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py @@ -126,9 +126,12 @@ def dhcp_static_route(static_subnet, static_router): return string -def get_config(): +def get_config(config=None): dhcp = default_config_data - conf = Config() + if config: + conf = config + else: + conf = Config() if not conf.exists('service dhcp-server'): return None else: diff --git a/src/conf_mode/dhcpv6_relay.py b/src/conf_mode/dhcpv6_relay.py index 6ef290bf0..d4212b8be 100755 --- a/src/conf_mode/dhcpv6_relay.py +++ b/src/conf_mode/dhcpv6_relay.py @@ -35,9 +35,12 @@ default_config_data = { 'options': [], } -def get_config(): +def get_config(config=None): relay = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() if not conf.exists('service dhcpv6-relay'): return None else: 
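Review bot: `if config:` in the new get_config() tests the injected Config object for truthiness rather than for presence, so an instance that evaluates falsy (anything defining `__bool__` or `__len__`) would silently be replaced by a fresh `Config()`; the idiomatic form is `conf = config if config is not None else Config()`, which also collapses the four-line branch to one. The same construct is introduced in dhcp_relay.py, dhcp_server.py, dhcpv6_relay.py, dhcpv6_server.py, dynamic_dns.py, firewall_options.py, host_name.py, http-api.py, https.py, igmp_proxy.py, intel_qat.py and interfaces-bonding.py in this commit. The new parameter is undocumented everywhere it is added; a one-line docstring such as `"""Return the broadcast-relay config; pass an existing Config as *config* to reuse it instead of creating one."""` would tell callers what it is for. get_config's body continues past the end of the hunk.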
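Review bot: `relay = default_config_data` on the context line directly under the new signature aliases the module-level dict instead of copying it, so any key get_config() writes into `relay` persists in `default_config_data` for the next call; dhcp_server.py's `dhcp = default_config_data` has the same aliasing, whereas dhcpv6_relay.py and dhcpv6_server.py in this commit use `deepcopy(default_config_data)`. Now that a `config` argument can be injected, the function is presumably meant to be callable more than once in one process, which makes that stale state reachable. `relay = deepcopy(default_config_data)` (with `from copy import deepcopy` if the file lacks it) brings both files in line with the dhcpv6 scripts. get_config's body continues past the end of the hunk.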
diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py index 53c8358a5..4ce4cada1 100755 --- a/src/conf_mode/dhcpv6_server.py +++ b/src/conf_mode/dhcpv6_server.py @@ -37,9 +37,12 @@ default_config_data = { 'shared_network': [] } -def get_config(): +def get_config(config=None): dhcpv6 = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() base = ['service', 'dhcpv6-server'] if not conf.exists(base): return None diff --git a/src/conf_mode/dynamic_dns.py b/src/conf_mode/dynamic_dns.py index 5b1883c03..57c910a68 100755 --- a/src/conf_mode/dynamic_dns.py +++ b/src/conf_mode/dynamic_dns.py @@ -50,9 +50,12 @@ default_config_data = { 'deleted': False } -def get_config(): +def get_config(config=None): dyndns = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() base_level = ['service', 'dns', 'dynamic'] if not conf.exists(base_level): diff --git a/src/conf_mode/firewall_options.py b/src/conf_mode/firewall_options.py index 71b2a98b3..67bf5d0e2 100755 --- a/src/conf_mode/firewall_options.py +++ b/src/conf_mode/firewall_options.py @@ -32,9 +32,12 @@ default_config_data = { 'new_chain6': False } -def get_config(): +def get_config(config=None): opts = copy.deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() if not conf.exists('firewall options'): # bail out early return opts diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py index f2fa64233..f4c75c257 100755 --- a/src/conf_mode/host_name.py +++ b/src/conf_mode/host_name.py 
@@ -18,20 +18,16 @@ conf-mode script for 'system host-name' and 'system domain-name'. """ -import os import re import sys import copy -import glob -import argparse -import jinja2 import vyos.util import vyos.hostsd_client from vyos.config import Config from vyos import ConfigError -from vyos.util import cmd, call, run, process_named_running +from vyos.util import cmd, call, process_named_running from vyos import airbag airbag.enable() @@ -47,7 +43,12 @@ default_config_data = { hostsd_tag = 'system' -def get_config(conf): +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + hosts = copy.deepcopy(default_config_data) hosts['hostname'] = conf.return_value("system host-name") @@ -77,7 +78,7 @@ def get_config(conf): return hosts -def verify(conf, hosts): +def verify(hosts): if hosts is None: return None @@ -168,9 +169,8 @@ def apply(config): if __name__ == '__main__': try: - conf = Config() - c = get_config(conf) - verify(conf, c) + c = get_config() + verify(c) generate(c) apply(c) except ConfigError as e: diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py index b8a084a40..472eb77e4 100755 --- a/src/conf_mode/http-api.py +++ b/src/conf_mode/http-api.py @@ -39,7 +39,7 @@ dependencies = [ 'https.py', ] -def get_config(): +def get_config(config=None): http_api = deepcopy(vyos.defaults.api_data) x = http_api.get('api_keys') if x is None: @@ -48,7 +48,11 @@ def get_config(): default_key = x[0] keys_added = False - conf = Config() + if config: + conf = config + else: + conf = Config() + if not conf.exists('service https api'): return None else: diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 7acb629bd..de228f0f8 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py 
@@ -14,9 +14,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os +import sys -from sys import exit from copy import deepcopy import vyos.defaults @@ -31,7 +30,13 @@ from vyos import airbag airbag.enable() config_file = '/etc/nginx/sites-available/default' +certbot_dir = vyos.defaults.directories['certbot'] +# https config needs to coordinate several subsystems: api, certbot, +# self-signed certificate, as well as the virtual hosts defined within the +# https config definition itself. Consequently, one needs a general dict, +# encompassing the https and other configs, and a list of such virtual hosts +# (server blocks in nginx terminology) to pass to the jinja2 template. default_server_block = { 'id' : '', 'address' : '*', 
@@ -42,70 +47,84 @@ default_server_block = { 'certbot' : False } -def get_config(): - server_block_list = [] - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + if not conf.exists('service https'): return None - else: - conf.set_level('service https') - if not conf.exists('virtual-host'): + server_block_list = [] + https_dict = conf.get_config_dict('service https', get_first_key=True) + + # organize by vhosts + + vhost_dict = https_dict.get('virtual-host', {}) + + if not vhost_dict: + # no specified virtual hosts (server blocks); use default server_block_list.append(default_server_block) else: - for vhost in conf.list_nodes('virtual-host'): + for vhost in list(vhost_dict): server_block = deepcopy(default_server_block) server_block['id'] = vhost - if conf.exists(f'virtual-host {vhost} listen-address'): - addr = conf.return_value(f'virtual-host {vhost} listen-address') - server_block['address'] = addr - if conf.exists(f'virtual-host {vhost} listen-port'): - port = conf.return_value(f'virtual-host {vhost} listen-port') - server_block['port'] = port - if conf.exists(f'virtual-host {vhost} server-name'): - names = conf.return_values(f'virtual-host {vhost} server-name') - server_block['name'] = names[:] + data = vhost_dict.get(vhost, {}) + server_block['address'] = data.get('listen-address', '*') + server_block['port'] = data.get('listen-port', '443') + name = data.get('server-name', ['_']) + server_block['name'] = name server_block_list.append(server_block) + # get certificate data + + cert_dict = https_dict.get('certificates', {}) + + # self-signed certificate + vyos_cert_data = {} - if conf.exists('certificates system-generated-certificate'): + if 'system-generated-certificate' in list(cert_dict): vyos_cert_data = vyos.defaults.vyos_cert_data if vyos_cert_data: for block in server_block_list: block['vyos_cert'] = vyos_cert_data + # letsencrypt certificate using certbot + certbot = False - certbot_domains = [] - if 
conf.exists('certificates certbot domain-name'): - certbot_domains = conf.return_values('certificates certbot domain-name') - if certbot_domains: + cert_domains = cert_dict.get('certbot', {}).get('domain-name', []) + if cert_domains: certbot = True - for domain in certbot_domains: + for domain in cert_domains: sub_list = vyos.certbot_util.choose_server_block(server_block_list, domain) if sub_list: for sb in sub_list: sb['certbot'] = True + sb['certbot_dir'] = certbot_dir # certbot organizes certificates by first domain - sb['certbot_dir'] = certbot_domains[0] + sb['certbot_domain_dir'] = cert_domains[0] - api_somewhere = False + # get api data + + api_set = False api_data = {} - if conf.exists('api'): - api_somewhere = True + if 'api' in list(https_dict): + api_set = True api_data = vyos.defaults.api_data - if conf.exists('api port'): - port = conf.return_value('api port') + api_settings = https_dict.get('api', {}) + if api_settings: + port = api_settings.get('port', '') + if port: api_data['port'] = port - if conf.exists('api-restrict virtual-host'): - vhosts = conf.return_values('api-restrict virtual-host') + vhosts = https_dict.get('api-restrict', {}).get('virtual-host', []) + if vhosts: api_data['vhost'] = vhosts[:] if api_data: - # we do not want to include 'vhost' key as part of - # vyos.defaults.api_data, so check for key existence - vhost_list = api_data.get('vhost') - if vhost_list is None: + vhost_list = api_data.get('vhost', []) + if not vhost_list: for block in server_block_list: block['api'] = api_data else: @@ -113,9 +132,12 @@ def get_config(): if block['id'] in vhost_list: block['api'] = api_data + # return dict for use in template + https = {'server_block_list' : server_block_list, - 'api_somewhere': api_somewhere, + 'api_set': api_set, 'certbot': certbot} + return https def verify(https): @@ -155,4 +177,4 @@ if __name__ == '__main__': apply(c) except ConfigError as e: print(e) - exit(1) + sys.exit(1) 
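Review bot: `block['id'] in vhost_list` in the api-restrict branch becomes a substring test if `https_dict['api-restrict']['virtual-host']` comes back as a plain str rather than a list, and the `vhosts[:]` copy does nothing to normalise it; the same applies to `server-name` and to `certbot domain-name`, where `for domain in cert_domains` and `cert_domains[0]` would then iterate and index characters. Whether get_config_dict returns a single-valued multi leaf as a str is not visible here, but the `isinstance(..., str)` guard this same commit adds to interfaces-bonding.py suggests it does. For api-restrict that matters: a vhost id such as `a` would match any restricted name containing it, so the API would be enabled on a server block the operator did not list. A small normaliser at the three `.get()` sites restores the list shape the old `return_values()` calls guaranteed. Separately, the `'*'`, `'443'` and `['_']` defaults passed to `.get()` appear to duplicate what `deepcopy(default_server_block)` already set, so assigning only when the key is present would keep the two from drifting.
```python
def _as_list(value):
    """Normalise a multi-valued leaf that may arrive as a single str."""
    return [value] if isinstance(value, str) else list(value)

# … unchanged: get_config header, vhost loop up to listen-port …
            name = _as_list(data.get('server-name', ['_']))
# … unchanged: self-signed certificate handling …
    cert_domains = _as_list(cert_dict.get('certbot', {}).get('domain-name', []))
# … unchanged: api port handling …
    vhosts = _as_list(https_dict.get('api-restrict', {}).get('virtual-host', []))
```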
diff --git a/src/conf_mode/igmp_proxy.py b/src/conf_mode/igmp_proxy.py index 49aea9b7f..754f46566 100755 --- a/src/conf_mode/igmp_proxy.py +++ b/src/conf_mode/igmp_proxy.py @@ -36,9 +36,12 @@ default_config_data = { 'interfaces': [], } -def get_config(): +def get_config(config=None): igmp_proxy = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() base = ['protocols', 'igmp-proxy'] if not conf.exists(base): return None diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py index 742f09a54..1e5101a9f 100755 --- a/src/conf_mode/intel_qat.py +++ b/src/conf_mode/intel_qat.py @@ -30,8 +30,11 @@ airbag.enable() # Define for recovering gl_ipsec_conf = None -def get_config(): - c = Config() +def get_config(config=None): + if config: + c = config + else: + c = Config() config_data = { 'qat_conf' : None, 'ipsec_conf' : None, diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py index a16c4e105..16e6e4f6e 100755 --- a/src/conf_mode/interfaces-bonding.py +++ b/src/conf_mode/interfaces-bonding.py 
@@ -16,41 +16,25 @@ import os -from copy import deepcopy from sys import exit from netifaces import interfaces -from vyos.ifconfig import BondIf -from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config -from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data from vyos.config import Config -from vyos.util import call, cmd -from vyos.validate import is_member, has_address_configured +from vyos.configdict import get_interface_dict +from vyos.configdict import leaf_node_changed +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_dhcpv6 +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_vlan_config +from vyos.configverify import verify_vrf +from vyos.ifconfig import BondIf +from vyos.validate import is_member +from vyos.validate import has_address_configured from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - **interface_default_data, - 'arp_mon_intvl': 0, - 'arp_mon_tgt': [], - 'deleted': False, - 'hash_policy': 'layer2', - 'intf': '', - 'ip_arp_cache_tmo': 30, - 'ip_proxy_arp_pvlan': 0, - 'mode': '802.3ad', - 'member': [], - 'shutdown_required': False, - 'primary': '', - 'vif_s': {}, - 'vif_s_remove': [], - 'vif': {}, - 'vif_remove': [], -} - - def get_bond_mode(mode): if mode == 'round-robin': return 'balance-rr' 
@@ -67,339 +51,141 @@ def get_bond_mode(mode): elif mode == 'adaptive-load-balance': return 'balance-alb' else: - raise ConfigError('invalid bond mode "{}"'.format(mode)) - -def get_config(): - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - conf = Config() - - # initialize kernel module if not loaded - if not os.path.isfile('/sys/class/net/bonding_masters'): - import syslog - syslog.syslog(syslog.LOG_NOTICE, "loading bonding kernel module") - if call('modprobe bonding max_bonds=0 miimon=250') != 0: - syslog.syslog(syslog.LOG_NOTICE, "failed loading bonding kernel module") - raise ConfigError("failed loading bonding kernel module") - - # check if bond has been removed - cfg_base = 'interfaces bonding ' + ifname - if not conf.exists(cfg_base): - bond = deepcopy(default_config_data) - bond['intf'] = ifname - bond['deleted'] = True - return bond - - # set new configuration level - conf.set_level(cfg_base) - - bond, disabled = intf_to_dict(conf, default_config_data) - - # ARP link monitoring frequency in milliseconds - if conf.exists('arp-monitor interval'): - bond['arp_mon_intvl'] = int(conf.return_value('arp-monitor interval')) - - # IP address to use for ARP monitoring - if conf.exists('arp-monitor target'): - bond['arp_mon_tgt'] = conf.return_values('arp-monitor target') - - # Bonding transmit hash policy - if conf.exists('hash-policy'): - bond['hash_policy'] = conf.return_value('hash-policy') - - # ARP cache entry timeout in seconds - if conf.exists('ip arp-cache-timeout'): - bond['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout')) - - # Enable private VLAN proxy ARP on this interface - if conf.exists('ip proxy-arp-pvlan'): - bond['ip_proxy_arp_pvlan'] = 1 - - # Bonding mode - if conf.exists('mode'): - act_mode = conf.return_value('mode') - eff_mode = conf.return_effective_value('mode') - if not (act_mode == 
eff_mode): - bond['shutdown_required'] = True - - bond['mode'] = get_bond_mode(act_mode) - - # determine bond member interfaces (currently configured) - bond['member'] = conf.return_values('member interface') - - # We can not call conf.return_effective_values() as it would not work - # on reboots. Reboots/First boot will return that running config and - # saved config is the same, thus on a reboot the bond members will - # not be added all (https://phabricator.vyos.net/T2030) - live_members = BondIf(bond['intf']).get_slaves() - if not (bond['member'] == live_members): - bond['shutdown_required'] = True - - # Primary device interface - if conf.exists('primary'): - bond['primary'] = conf.return_value('primary') - - add_to_dict(conf, disabled, bond, 'vif', 'vif') - add_to_dict(conf, disabled, bond, 'vif-s', 'vif_s') + raise ConfigError(f'invalid bond mode "{mode}"') + +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'bonding'] + bond = get_interface_dict(conf, base) + + # To make our own life easier transfor the list of member interfaces + # into a dictionary - we will use this to add additional information + # later on for wach member + if 'member' in bond and 'interface' in bond['member']: + # first convert it to a list if only one member is given + if isinstance(bond['member']['interface'], str): + bond['member']['interface'] = [bond['member']['interface']] + + tmp={} + for interface in bond['member']['interface']: + tmp.update({interface: {}}) + + bond['member']['interface'] = tmp + + if 'mode' in bond: + bond['mode'] = get_bond_mode(bond['mode']) + + tmp = leaf_node_changed(conf, ['mode']) + if tmp: + bond.update({'shutdown_required': ''}) + + # determine which members have been removed + tmp = leaf_node_changed(conf, ['member', 'interface']) + if tmp: + 
bond.update({'shutdown_required': ''}) + if 'member' in bond: + bond['member'].update({'interface_remove': tmp }) + else: + bond.update({'member': {'interface_remove': tmp }}) + + if 'member' in bond and 'interface' in bond['member']: + for interface, interface_config in bond['member']['interface'].items(): + # Check if we are a member of another bond device + tmp = is_member(conf, interface, 'bridge') + if tmp: + interface_config.update({'is_bridge_member' : tmp}) + + # Check if we are a member of a bond device + tmp = is_member(conf, interface, 'bonding') + if tmp and tmp != bond['ifname']: + interface_config.update({'is_bond_member' : tmp}) + + # bond members must not have an assigned address + tmp = has_address_configured(conf, interface) + if tmp: + interface_config.update({'has_address' : ''}) return bond def verify(bond): - if bond['deleted']: - if bond['is_bridge_member']: - raise ConfigError(( - f'Cannot delete interface "{bond["intf"]}" as it is a ' - f'member of bridge "{bond["is_bridge_member"]}"!')) - + if 'deleted' in bond: + verify_bridge_delete(bond) return None - if len(bond['arp_mon_tgt']) > 16: - raise ConfigError('The maximum number of arp-monitor targets is 16') + if 'arp_monitor' in bond: + if 'target' in bond['arp_monitor'] and len(int(bond['arp_monitor']['target'])) > 16: + raise ConfigError('The maximum number of arp-monitor targets is 16') + + if 'interval' in bond['arp_monitor'] and len(int(bond['arp_monitor']['interval'])) > 0: + if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']: + raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \ + 'transmit-load-balance or adaptive-load-balance') - if bond['primary']: + if 'primary' in bond: if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']: - raise ConfigError(( - 'Mode dependency failed, primary not supported in mode ' - f'"{bond["mode"]}"!')) - - if ( bond['is_bridge_member'] - and ( bond['address'] - or bond['ipv6_eui64_prefix'] - or 
bond['ipv6_autoconf'] ) ): - raise ConfigError(( - f'Cannot assign address to interface "{bond["intf"]}" ' - f'as it is a member of bridge "{bond["is_bridge_member"]}"!')) - - if bond['vrf']: - if bond['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{bond["vrf"]}" does not exist') - - if bond['is_bridge_member']: - raise ConfigError(( - f'Interface "{bond["intf"]}" cannot be member of VRF ' - f'"{bond["vrf"]}" and bridge {bond["is_bridge_member"]} ' - f'at the same time!')) + raise ConfigError('Option primary - mode dependency failed, not' + 'supported in mode {mode}!'.format(**bond)) + + verify_address(bond) + verify_dhcpv6(bond) + verify_vrf(bond) # use common function to verify VLAN configuration verify_vlan_config(bond) - conf = Config() - for intf in bond['member']: - # check if member interface is "real" - if intf not in interfaces(): - raise ConfigError(f'Interface {intf} does not exist!') - - # a bonding member interface is only allowed to be assigned to one bond! - all_bonds = conf.list_nodes('interfaces bonding') - # We do not need to check our own bond - all_bonds.remove(bond['intf']) - for tmp in all_bonds: - if conf.exists('interfaces bonding {tmp} member interface {intf}'): - raise ConfigError(( - f'Cannot add interface "{intf}" to bond "{bond["intf"]}", ' - f'it is already a member of bond "{tmp}"!')) - - # can not add interfaces with an assigned address to a bond - if has_address_configured(conf, intf): - raise ConfigError(( - f'Cannot add interface "{intf}" to bond "{bond["intf"]}", ' - f'it has an address assigned!')) - - # bond members are not allowed to be bridge members - tmp = is_member(conf, intf, 'bridge') - if tmp: - raise ConfigError(( - f'Cannot add interface "{intf}" to bond "{bond["intf"]}", ' - f'it is already a member of bridge "{tmp}"!')) - - # bond members are not allowed to be vrrp members - for tmp in conf.list_nodes('high-availability vrrp group'): - if conf.exists('high-availability vrrp group {tmp} interface {intf}'): - 
raise ConfigError(( - f'Cannot add interface "{intf}" to bond "{bond["intf"]}", ' - f'it is already a member of VRRP group "{tmp}"!')) - - # bond members are not allowed to be underlaying psuedo-ethernet devices - for tmp in conf.list_nodes('interfaces pseudo-ethernet'): - if conf.exists('interfaces pseudo-ethernet {tmp} link {intf}'): - raise ConfigError(( - f'Cannot add interface "{intf}" to bond "{bond["intf"]}", ' - f'it is already the link of pseudo-ethernet "{tmp}"!')) - - # bond members are not allowed to be underlaying vxlan devices - for tmp in conf.list_nodes('interfaces vxlan'): - if conf.exists('interfaces vxlan {tmp} link {intf}'): - raise ConfigError(( - f'Cannot add interface "{intf}" to bond "{bond["intf"]}", ' - f'it is already the link of VXLAN "{tmp}"!')) - - if bond['primary']: - if bond['primary'] not in bond['member']: - raise ConfigError(f'Bond "{bond["intf"]}" primary interface must be a member') + bond_name = bond['ifname'] + if 'member' in bond: + member = bond.get('member') + for interface, interface_config in member.get('interface', {}).items(): + error_msg = f'Can not add interface "{interface}" to bond "{bond_name}", ' + + if interface == 'lo': + raise ConfigError('Loopback interface "lo" can not be added to a bond') + + if interface not in interfaces(): + raise ConfigError(error_msg + 'it does not exist!') + + if 'is_bridge_member' in interface_config: + tmp = interface_config['is_bridge_member'] + raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!') + + if 'is_bond_member' in interface_config: + tmp = interface_config['is_bond_member'] + raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!') + + if 'has_address' in interface_config: + raise ConfigError(error_msg + 'it has an address assigned!') + + + if 'primary' in bond: + if bond['primary'] not in bond['member']['interface']: + raise ConfigError(f'Primary interface of bond "{bond_name}" must be a member interface') if bond['mode'] not in 
['active-backup', 'balance-tlb', 'balance-alb']: raise ConfigError('primary interface only works for mode active-backup, ' \ 'transmit-load-balance or adaptive-load-balance') - if bond['arp_mon_intvl'] > 0: - if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']: - raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \ - 'transmit-load-balance or adaptive-load-balance') - return None def generate(bond): return None def apply(bond): - b = BondIf(bond['intf']) + b = BondIf(bond['ifname']) - if bond['deleted']: + if 'deleted' in bond: # delete interface b.remove() else: - # ARP link monitoring frequency, reset miimon when arp-montior is inactive - # this is done inside BondIf automatically - b.set_arp_interval(bond['arp_mon_intvl']) - - # ARP monitor targets need to be synchronized between sysfs and CLI. - # Unfortunately an address can't be send twice to sysfs as this will - # result in the following exception: OSError: [Errno 22] Invalid argument. - # - # We remove ALL adresses prior adding new ones, this will remove addresses - # added manually by the user too - but as we are limited to 16 adresses - # from the kernel side this looks valid to me. We won't run into an error - # when a user added manual adresses which would result in having more - # then 16 adresses in total. - arp_tgt_addr = list(map(str, b.get_arp_ip_target().split())) - for addr in arp_tgt_addr: - b.set_arp_ip_target('-' + addr) - - # Add configured ARP target addresses - for addr in bond['arp_mon_tgt']: - b.set_arp_ip_target('+' + addr) - - # update interface description used e.g. 
within SNMP - b.set_alias(bond['description']) - - if bond['dhcp_client_id']: - b.dhcp.v4.options['client_id'] = bond['dhcp_client_id'] - - if bond['dhcp_hostname']: - b.dhcp.v4.options['hostname'] = bond['dhcp_hostname'] - - if bond['dhcp_vendor_class_id']: - b.dhcp.v4.options['vendor_class_id'] = bond['dhcp_vendor_class_id'] - - if bond['dhcpv6_prm_only']: - b.dhcp.v6.options['dhcpv6_prm_only'] = True - - if bond['dhcpv6_temporary']: - b.dhcp.v6.options['dhcpv6_temporary'] = True - - if bond['dhcpv6_pd_length']: - b.dhcp.v6.options['dhcpv6_pd_length'] = bond['dhcpv6_pd_length'] - - if bond['dhcpv6_pd_interfaces']: - b.dhcp.v6.options['dhcpv6_pd_interfaces'] = bond['dhcpv6_pd_interfaces'] - - # ignore link state changes - b.set_link_detect(bond['disable_link_detect']) - # Bonding transmit hash policy - b.set_hash_policy(bond['hash_policy']) - # configure ARP cache timeout in milliseconds - b.set_arp_cache_tmo(bond['ip_arp_cache_tmo']) - # configure ARP filter configuration - b.set_arp_filter(bond['ip_disable_arp_filter']) - # configure ARP accept - b.set_arp_accept(bond['ip_enable_arp_accept']) - # configure ARP announce - b.set_arp_announce(bond['ip_enable_arp_announce']) - # configure ARP ignore - b.set_arp_ignore(bond['ip_enable_arp_ignore']) - # Enable proxy-arp on this interface - b.set_proxy_arp(bond['ip_proxy_arp']) - # Enable private VLAN proxy ARP on this interface - b.set_proxy_arp_pvlan(bond['ip_proxy_arp_pvlan']) - # IPv6 accept RA - b.set_ipv6_accept_ra(bond['ipv6_accept_ra']) - # IPv6 address autoconfiguration - b.set_ipv6_autoconf(bond['ipv6_autoconf']) - # IPv6 forwarding - b.set_ipv6_forwarding(bond['ipv6_forwarding']) - # IPv6 Duplicate Address Detection (DAD) tries - b.set_ipv6_dad_messages(bond['ipv6_dup_addr_detect']) - - # Delete old IPv6 EUI64 addresses before changing MAC - for addr in bond['ipv6_eui64_prefix_remove']: - b.del_ipv6_eui64_address(addr) - - # Change interface MAC address - if bond['mac']: - b.set_mac(bond['mac']) - - # Add 
IPv6 EUI-based addresses - for addr in bond['ipv6_eui64_prefix']: - b.add_ipv6_eui64_address(addr) - - # Maximum Transmission Unit (MTU) - b.set_mtu(bond['mtu']) - - # Primary device interface - if bond['primary']: - b.set_primary(bond['primary']) - - # Some parameters can not be changed when the bond is up. - if bond['shutdown_required']: - # Disable bond prior changing of certain properties - b.set_admin_state('down') - - # The bonding mode can not be changed when there are interfaces enslaved - # to this bond, thus we will free all interfaces from the bond first! - for intf in b.get_slaves(): - b.del_port(intf) - - # Bonding policy/mode - b.set_mode(bond['mode']) - - # Add (enslave) interfaces to bond - for intf in bond['member']: - # if we've come here we already verified the interface doesn't - # have addresses configured so just flush any remaining ones - cmd(f'ip addr flush dev "{intf}"') - b.add_port(intf) - - # As the bond interface is always disabled first when changing - # parameters we will only re-enable the interface if it is not - # administratively disabled - if not bond['disable']: - b.set_admin_state('up') - else: - b.set_admin_state('down') - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in bond['address_remove']: - b.del_addr(addr) - for addr in bond['address']: - b.add_addr(addr) - - # assign/remove VRF (ONLY when not a member of a bridge, - # otherwise 'nomaster' removes it from it) - if not bond['is_bridge_member']: - b.set_vrf(bond['vrf']) - - # re-add ourselves to any bridge we might have fallen out of - if bond['is_bridge_member']: - b.add_to_bridge(bond['is_bridge_member']) - - # apply all vlans to interface - apply_all_vlans(b, bond) + b.update(bond) return None diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py index 1e4fa5816..47c8c05f9 100755 --- a/src/conf_mode/interfaces-bridge.py 
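Review bot: `len(int(bond['arp_monitor']['target'])) > 16` and `len(int(bond['arp_monitor']['interval'])) > 0` in the new verify() raise TypeError whenever arp-monitor is configured, because `len()` of an int is undefined, so the operator sees a traceback instead of a ConfigError; the intended checks are `if 'target' in bond['arp_monitor'] and len(bond['arp_monitor']['target']) > 16:` and `if 'interval' in bond['arp_monitor'] and int(bond['arp_monitor']['interval']) > 0:`, and if a single target arrives as a str (as the `isinstance(..., str)` guard in get_config suggests) it should be wrapped in a list first so the count is of addresses, not characters. The primary error message concatenates `'...failed, not' 'supported in mode {mode}!'` without a space, and the same mode-dependency check is repeated lower down against `bond_name`, so one copy can go. The member loop now only rejects interfaces that are bridge members, members of another bond, or carry an address; unless is_member or get_interface_dict covers it, the former rejection of members that are the link of a pseudo-ethernet or VXLAN device or belong to a VRRP group has been lost. The `modprobe bonding` step has also left get_config; I assume BondIf loads the module itself, but that is worth confirming. The comment `# Check if we are a member of another bond device` sits above the bridge check and should read `bridge`.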
+++ b/src/conf_mode/interfaces-bridge.py 
@@ -16,251 +16,105 @@ import os -from copy import deepcopy from sys import exit from netifaces import interfaces -from vyos.ifconfig import BridgeIf, Section -from vyos.ifconfig.stp import STP -from vyos.configdict import list_diff, interface_default_data -from vyos.validate import is_member, has_address_configured from vyos.config import Config -from vyos.util import cmd, get_bridge_member_config +from vyos.configdict import get_interface_dict +from vyos.configdict import node_changed +from vyos.configverify import verify_dhcpv6 +from vyos.configverify import verify_vrf +from vyos.ifconfig import BridgeIf +from vyos.validate import is_member, has_address_configured +from vyos.xml import defaults + +from vyos.util import cmd from vyos import ConfigError from vyos import airbag airbag.enable() -default_config_data = { - **interface_default_data, - 'aging': 300, - 'arp_cache_tmo': 30, - 'deleted': False, - 'forwarding_delay': 14, - 'hello_time': 2, - 'igmp_querier': 0, - 'intf': '', - 'max_age': 20, - 'member': [], - 'member_remove': [], - 'priority': 32768, - 'stp': 0 -} - -def get_config(): - bridge = deepcopy(default_config_data) - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - bridge['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # Check if bridge has been removed - if not conf.exists('interfaces bridge ' + bridge['intf']): - bridge['deleted'] = True - return bridge - - # set new configuration level - conf.set_level('interfaces bridge ' + bridge['intf']) - - # retrieve configured interface addresses - if conf.exists('address'): - bridge['address'] = conf.return_values('address') - - # Determine interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed - eff_addr = conf.return_effective_values('address') - bridge['address_remove'] = list_diff(eff_addr, bridge['address']) - - # retrieve 
aging - how long addresses are retained - if conf.exists('aging'): - bridge['aging'] = int(conf.return_value('aging')) - - # retrieve interface description - if conf.exists('description'): - bridge['description'] = conf.return_value('description') - - # get DHCP client identifier - if conf.exists('dhcp-options client-id'): - bridge['dhcp_client_id'] = conf.return_value('dhcp-options client-id') - - # DHCP client host name (overrides the system host name) - if conf.exists('dhcp-options host-name'): - bridge['dhcp_hostname'] = conf.return_value('dhcp-options host-name') - - # DHCP client vendor identifier - if conf.exists('dhcp-options vendor-class-id'): - bridge['dhcp_vendor_class_id'] = conf.return_value('dhcp-options vendor-class-id') - - # DHCPv6 only acquire config parameters, no address - if conf.exists('dhcpv6-options parameters-only'): - bridge['dhcpv6_prm_only'] = True - - # DHCPv6 temporary IPv6 address - if conf.exists('dhcpv6-options temporary'): - bridge['dhcpv6_temporary'] = True - - # Disable this bridge interface - if conf.exists('disable'): - bridge['disable'] = True - - # Ignore link state changes - if conf.exists('disable-link-detect'): - bridge['disable_link_detect'] = 2 - - # Forwarding delay - if conf.exists('forwarding-delay'): - bridge['forwarding_delay'] = int(conf.return_value('forwarding-delay')) - - # Hello packet advertisment interval - if conf.exists('hello-time'): - bridge['hello_time'] = int(conf.return_value('hello-time')) - - # Enable Internet Group Management Protocol (IGMP) querier - if conf.exists('igmp querier'): - bridge['igmp_querier'] = 1 - - # ARP cache entry timeout in seconds - if conf.exists('ip arp-cache-timeout'): - bridge['arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout')) - - # ARP filter configuration - if conf.exists('ip disable-arp-filter'): - bridge['ip_disable_arp_filter'] = 0 - - # ARP enable accept - if conf.exists('ip enable-arp-accept'): - bridge['ip_enable_arp_accept'] = 1 - - # ARP enable 
announce - if conf.exists('ip enable-arp-announce'): - bridge['ip_enable_arp_announce'] = 1 - - # ARP enable ignore - if conf.exists('ip enable-arp-ignore'): - bridge['ip_enable_arp_ignore'] = 1 - - # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC) - if conf.exists('ipv6 address autoconf'): - bridge['ipv6_autoconf'] = 1 - - # Get prefixes for IPv6 addressing based on MAC address (EUI-64) - if conf.exists('ipv6 address eui64'): - bridge['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64') - - # Determine currently effective EUI64 addresses - to determine which - # address is no longer valid and needs to be removed - eff_addr = conf.return_effective_values('ipv6 address eui64') - bridge['ipv6_eui64_prefix_remove'] = list_diff(eff_addr, bridge['ipv6_eui64_prefix']) - - # Remove the default link-local address if set. - if conf.exists('ipv6 address no-default-link-local'): - bridge['ipv6_eui64_prefix_remove'].append('fe80::/64') +def get_config(config=None): + """ + Retrive CLI config as dictionary. 
Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config else: - # add the link-local by default to make IPv6 work - bridge['ipv6_eui64_prefix'].append('fe80::/64') - - # Disable IPv6 forwarding on this interface - if conf.exists('ipv6 disable-forwarding'): - bridge['ipv6_forwarding'] = 0 - - # IPv6 Duplicate Address Detection (DAD) tries - if conf.exists('ipv6 dup-addr-detect-transmits'): - bridge['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits')) - - # Media Access Control (MAC) address - if conf.exists('mac'): - bridge['mac'] = conf.return_value('mac') - - # Find out if MAC has changed - if so, we need to delete all IPv6 EUI64 addresses - # before re-adding them - if ( bridge['mac'] and bridge['intf'] in Section.interfaces(section='bridge') - and bridge['mac'] != BridgeIf(bridge['intf'], create=False).get_mac() ): - bridge['ipv6_eui64_prefix_remove'] += bridge['ipv6_eui64_prefix'] - - # to make IPv6 SLAAC and DHCPv6 work with forwarding=1, - # accept_ra must be 2 - if bridge['ipv6_autoconf'] or 'dhcpv6' in bridge['address']: - bridge['ipv6_accept_ra'] = 2 - - # Interval at which neighbor bridges are removed - if conf.exists('max-age'): - bridge['max_age'] = int(conf.return_value('max-age')) - - # Determine bridge member interface (currently configured) - for intf in conf.list_nodes('member interface'): - # defaults are stored in util.py (they can't be here as all interface - # scripts use the function) - memberconf = get_bridge_member_config(conf, bridge['intf'], intf) - if memberconf: - memberconf['name'] = intf - bridge['member'].append(memberconf) - - # Determine bridge member interface (currently effective) - to determine which - # interfaces is no longer assigend to the bridge and thus can be removed - eff_intf = conf.list_effective_nodes('member interface') - act_intf = conf.list_nodes('member interface') - bridge['member_remove'] = list_diff(eff_intf, 
act_intf) - - # Priority for this bridge - if conf.exists('priority'): - bridge['priority'] = int(conf.return_value('priority')) - - # Enable spanning tree protocol - if conf.exists('stp'): - bridge['stp'] = 1 - - # retrieve VRF instance - if conf.exists('vrf'): - bridge['vrf'] = conf.return_value('vrf') + conf = Config() + base = ['interfaces', 'bridge'] + bridge = get_interface_dict(conf, base) + + # determine which members have been removed + tmp = node_changed(conf, ['member', 'interface']) + if tmp: + if 'member' in bridge: + bridge['member'].update({'interface_remove': tmp }) + else: + bridge.update({'member': {'interface_remove': tmp }}) + + if 'member' in bridge and 'interface' in bridge['member']: + # XXX TT2665 we need a copy of the dict keys for iteration, else we will get: + # RuntimeError: dictionary changed size during iteration + for interface in list(bridge['member']['interface']): + for key in ['cost', 'priority']: + if interface == key: + del bridge['member']['interface'][key] + continue + + # the default dictionary is not properly paged into the dict (see T2665) + # thus we will ammend it ourself + default_member_values = defaults(base + ['member', 'interface']) + for interface, interface_config in bridge['member']['interface'].items(): + interface_config.update(default_member_values) + + # Check if we are a member of another bridge device + tmp = is_member(conf, interface, 'bridge') + if tmp and tmp != bridge['ifname']: + interface_config.update({'is_bridge_member' : tmp}) + + # Check if we are a member of a bond device + tmp = is_member(conf, interface, 'bonding') + if tmp: + interface_config.update({'is_bond_member' : tmp}) + + # Bridge members must not have an assigned address + tmp = has_address_configured(conf, interface) + if tmp: + interface_config.update({'has_address' : ''}) return bridge def verify(bridge): - if bridge['dhcpv6_prm_only'] and bridge['dhcpv6_temporary']: - raise ConfigError('DHCPv6 temporary and parameters-only options 
are mutually exclusive!') + if 'deleted' in bridge: + return None - vrf_name = bridge['vrf'] - if vrf_name and vrf_name not in interfaces(): - raise ConfigError(f'VRF "{vrf_name}" does not exist') + verify_dhcpv6(bridge) + verify_vrf(bridge) - conf = Config() - for intf in bridge['member']: - # the interface must exist prior adding it to a bridge - if intf['name'] not in interfaces(): - raise ConfigError(( - f'Cannot add nonexistent interface "{intf["name"]}" ' - f'to bridge "{bridge["intf"]}"')) + if 'member' in bridge: + member = bridge.get('member') + bridge_name = bridge['ifname'] + for interface, interface_config in member.get('interface', {}).items(): + error_msg = f'Can not add interface "{interface}" to bridge "{bridge_name}", ' - if intf['name'] == 'lo': - raise ConfigError('Loopback interface "lo" can not be added to a bridge') + if interface == 'lo': + raise ConfigError('Loopback interface "lo" can not be added to a bridge') - # bridge members aren't allowed to be members of another bridge - for br in conf.list_nodes('interfaces bridge'): - # it makes no sense to verify ourself in this case - if br == bridge['intf']: - continue + if interface not in interfaces(): + raise ConfigError(error_msg + 'it does not exist!') - tmp = conf.list_nodes(f'interfaces bridge {br} member interface') - if intf['name'] in tmp: - raise ConfigError(( - f'Cannot add interface "{intf["name"]}" to bridge ' - f'"{bridge["intf"]}", it is already a member of bridge "{br}"!')) + if 'is_bridge_member' in interface_config: + tmp = interface_config['is_bridge_member'] + raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!') - # bridge members are not allowed to be bond members - tmp = is_member(conf, intf['name'], 'bonding') - if tmp: - raise ConfigError(( - f'Cannot add interface "{intf["name"]}" to bridge ' - f'"{bridge["intf"]}", it is already a member of bond "{tmp}"!')) + if 'is_bond_member' in interface_config: + tmp = interface_config['is_bond_member'] + 
raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!') - # bridge members must not have an assigned address - if has_address_configured(conf, intf['name']): - raise ConfigError(( - f'Cannot add interface "{intf["name"]}" to bridge ' - f'"{bridge["intf"]}", it has an address assigned!')) + if 'has_address' in interface_config: + raise ConfigError(error_msg + 'it has an address assigned!') return None 
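Review bot: `interface_config.update(default_member_values)` in the new get_config applies the XML defaults on top of the member's own configuration, so any per-member value the user set under the same key (the loop just above hints at `cost` and `priority`) is replaced by its default. Reverse the precedence, e.g. `for key, value in default_member_values.items():` / `    interface_config.setdefault(key, value)`, or build `{**default_member_values, **interface_config}` and write it back into `bridge['member']['interface'][interface]`. The `continue` after `del bridge['member']['interface'][key]` is the last statement of the inner loop and does nothing. The same `if config:` guard appears in the get_config of the interfaces-dummy, interfaces-ethernet and interfaces-geneve hunks; `if config is not None:` expresses the intent without relying on the truthiness of a Config object, and the docstring in each of them misspells "Retrieve" as "Retrive".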
@@ -268,120 +122,12 @@ def generate(bridge): return None def apply(bridge): - br = BridgeIf(bridge['intf']) - - if bridge['deleted']: + br = BridgeIf(bridge['ifname']) + if 'deleted' in bridge: # delete interface br.remove() else: - # enable interface - br.set_admin_state('up') - # set ageing time - br.set_ageing_time(bridge['aging']) - # set bridge forward delay - br.set_forward_delay(bridge['forwarding_delay']) - # set hello time - br.set_hello_time(bridge['hello_time']) - # configure ARP filter configuration - br.set_arp_filter(bridge['ip_disable_arp_filter']) - # configure ARP accept - br.set_arp_accept(bridge['ip_enable_arp_accept']) - # configure ARP announce - br.set_arp_announce(bridge['ip_enable_arp_announce']) - # configure ARP ignore - br.set_arp_ignore(bridge['ip_enable_arp_ignore']) - # IPv6 accept RA - br.set_ipv6_accept_ra(bridge['ipv6_accept_ra']) - # IPv6 address autoconfiguration - br.set_ipv6_autoconf(bridge['ipv6_autoconf']) - # IPv6 forwarding - br.set_ipv6_forwarding(bridge['ipv6_forwarding']) - # IPv6 Duplicate Address Detection (DAD) tries - br.set_ipv6_dad_messages(bridge['ipv6_dup_addr_detect']) - # set max message age - br.set_max_age(bridge['max_age']) - # set bridge priority - br.set_priority(bridge['priority']) - # turn stp on/off - br.set_stp(bridge['stp']) - # enable or disable IGMP querier - br.set_multicast_querier(bridge['igmp_querier']) - # update interface description used e.g. 
within SNMP - br.set_alias(bridge['description']) - - if bridge['dhcp_client_id']: - br.dhcp.v4.options['client_id'] = bridge['dhcp_client_id'] - - if bridge['dhcp_hostname']: - br.dhcp.v4.options['hostname'] = bridge['dhcp_hostname'] - - if bridge['dhcp_vendor_class_id']: - br.dhcp.v4.options['vendor_class_id'] = bridge['dhcp_vendor_class_id'] - - if bridge['dhcpv6_prm_only']: - br.dhcp.v6.options['dhcpv6_prm_only'] = True - - if bridge['dhcpv6_temporary']: - br.dhcp.v6.options['dhcpv6_temporary'] = True - - if bridge['dhcpv6_pd_length']: - br.dhcp.v6.options['dhcpv6_pd_length'] = br['dhcpv6_pd_length'] - - if bridge['dhcpv6_pd_interfaces']: - br.dhcp.v6.options['dhcpv6_pd_interfaces'] = br['dhcpv6_pd_interfaces'] - - # assign/remove VRF - br.set_vrf(bridge['vrf']) - - # Delete old IPv6 EUI64 addresses before changing MAC - # (adding members to a fresh bridge changes its MAC too) - for addr in bridge['ipv6_eui64_prefix_remove']: - br.del_ipv6_eui64_address(addr) - - # remove interface from bridge - for intf in bridge['member_remove']: - br.del_port(intf) - - # add interfaces to bridge - for member in bridge['member']: - # if we've come here we already verified the interface doesn't - # have addresses configured so just flush any remaining ones - cmd(f'ip addr flush dev "{member["name"]}"') - br.add_port(member['name']) - - # Change interface MAC address - if bridge['mac']: - br.set_mac(bridge['mac']) - - # Add IPv6 EUI-based addresses (must be done after adding the - # 1st bridge member or setting its MAC) - for addr in bridge['ipv6_eui64_prefix']: - br.add_ipv6_eui64_address(addr) - - # up/down interface - if bridge['disable']: - br.set_admin_state('down') - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in bridge['address_remove']: - br.del_addr(addr) - for addr in bridge['address']: - br.add_addr(addr) - - STPBridgeIf = STP.enable(BridgeIf) - # configure additional 
bridge member options - for member in bridge['member']: - i = STPBridgeIf(member['name']) - # configure ARP cache timeout - i.set_arp_cache_tmo(member['arp_cache_tmo']) - # ignore link state changes - i.set_link_detect(member['disable_link_detect']) - # set bridge port path cost - i.set_path_cost(member['cost']) - # set bridge port path priority - i.set_path_priority(member['priority']) + br.update(bridge) return None diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py index 2d62420a6..44fc9cb9e 100755 --- a/src/conf_mode/interfaces-dummy.py +++ b/src/conf_mode/interfaces-dummy.py 
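Review bot: The new apply delegates everything to `br.update(bridge)`, which leaves `cmd` — kept by the `+from vyos.util import cmd` line in this file's import hunk — without a caller in the new code shown here; the removed `cmd(f'ip addr flush dev "{member["name"]}"')` was its only visible use. If generate() or code outside these hunks does not use it either, the import should go. Whether `BridgeIf.update()` still flushes stale addresses from a port before `add_port`, and still applies the per-port STP cost/priority that the removed `STPBridgeIf` loop handled, is not visible in this diff and is worth confirming, since an omission there would be silent at commit time.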
@@ -19,41 +19,26 @@ import os from sys import exit from vyos.config import Config +from vyos.configdict import get_interface_dict from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.ifconfig import DummyIf -from vyos.validate import is_member from vyos import ConfigError from vyos import airbag airbag.enable() -def get_config(): - """ Retrive CLI config as dictionary. Dictionary can never be empty, - as at least the interface name will be added or a deleted flag """ - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - base = ['interfaces', 'dummy', ifname] - - dummy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # Check if interface has been removed - if dummy == {}: - dummy.update({'deleted' : ''}) - - # store interface instance name in dictionary - dummy.update({'ifname': ifname}) - - # check if we are a member of any bridge - bridge = is_member(conf, ifname, 'bridge') - if bridge: - tmp = {'is_bridge_member' : bridge} - dummy.update(tmp) - +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'dummy'] + dummy = get_interface_dict(conf, base) return dummy def verify(dummy): diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index 8b895c4d2..a8df64cce 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py 
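Review bot: With `os.environ['VYOS_TAGNODE_VALUE']` gone from get_config, `import os` (the context line in this hunk's header) no longer has a visible user in this file; unless verify/apply below use it, remove it together with the already-dropped `is_member` import. The new get_config returns whatever `get_interface_dict(conf, base)` yields, while the docstring still promises a non-empty dict carrying either `ifname` or a `deleted` flag; that is now the helper's contract rather than this function's, so a one-line pointer such as `# dict shape (ifname / deleted keys) is defined by vyos.configdict.get_interface_dict` would help the next reader.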
@@ -17,295 +17,68 @@ import os from sys import exit -from copy import deepcopy -from netifaces import interfaces -from vyos.ifconfig import EthernetIf -from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config -from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data -from vyos.validate import is_member from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_interface_exists +from vyos.configverify import verify_dhcpv6 +from vyos.configverify import verify_address +from vyos.configverify import verify_vrf +from vyos.configverify import verify_vlan_config +from vyos.ifconfig import EthernetIf from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - **interface_default_data, - 'deleted': False, - 'duplex': 'auto', - 'flow_control': 'on', - 'hw_id': '', - 'ip_arp_cache_tmo': 30, - 'ip_proxy_arp_pvlan': 0, - 'is_bond_member': False, - 'intf': '', - 'offload_gro': 'off', - 'offload_gso': 'off', - 'offload_sg': 'off', - 'offload_tso': 'off', - 'offload_ufo': 'off', - 'speed': 'auto', - 'vif_s': {}, - 'vif_s_remove': [], - 'vif': {}, - 'vif_remove': [], - 'vrf': '' -} - - -def get_config(): - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - conf = Config() - - # check if ethernet interface has been removed - cfg_base = ['interfaces', 'ethernet', ifname] - if not conf.exists(cfg_base): - eth = deepcopy(default_config_data) - eth['intf'] = ifname - eth['deleted'] = True - # we can not bail out early as ethernet interface can not be removed - # Kernel will complain with: RTNETLINK answers: Operation not supported. 
- # Thus we need to remove individual settings - return eth - - # set new configuration level - conf.set_level(cfg_base) - - eth, disabled = intf_to_dict(conf, default_config_data) - - # disable ethernet flow control (pause frames) - if conf.exists('disable-flow-control'): - eth['flow_control'] = 'off' - - # retrieve real hardware address - if conf.exists('hw-id'): - eth['hw_id'] = conf.return_value('hw-id') - - # interface duplex - if conf.exists('duplex'): - eth['duplex'] = conf.return_value('duplex') - - # ARP cache entry timeout in seconds - if conf.exists('ip arp-cache-timeout'): - eth['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout')) - - # Enable private VLAN proxy ARP on this interface - if conf.exists('ip proxy-arp-pvlan'): - eth['ip_proxy_arp_pvlan'] = 1 - - # check if we are a member of any bond - eth['is_bond_member'] = is_member(conf, eth['intf'], 'bonding') - - # GRO (generic receive offload) - if conf.exists('offload-options generic-receive'): - eth['offload_gro'] = conf.return_value('offload-options generic-receive') - - # GSO (generic segmentation offload) - if conf.exists('offload-options generic-segmentation'): - eth['offload_gso'] = conf.return_value('offload-options generic-segmentation') - - # scatter-gather option - if conf.exists('offload-options scatter-gather'): - eth['offload_sg'] = conf.return_value('offload-options scatter-gather') - - # TSO (TCP segmentation offloading) - if conf.exists('offload-options tcp-segmentation'): - eth['offload_tso'] = conf.return_value('offload-options tcp-segmentation') - - # UDP fragmentation offloading - if conf.exists('offload-options udp-fragmentation'): - eth['offload_ufo'] = conf.return_value('offload-options udp-fragmentation') - - # interface speed - if conf.exists('speed'): - eth['speed'] = conf.return_value('speed') - - # remove default IPv6 link-local address if member of a bond - if eth['is_bond_member'] and 'fe80::/64' in eth['ipv6_eui64_prefix']: - 
eth['ipv6_eui64_prefix'].remove('fe80::/64') - eth['ipv6_eui64_prefix_remove'].append('fe80::/64') - - add_to_dict(conf, disabled, eth, 'vif', 'vif') - add_to_dict(conf, disabled, eth, 'vif-s', 'vif_s') - - return eth - +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'ethernet'] + ethernet = get_interface_dict(conf, base) + return ethernet -def verify(eth): - if eth['deleted']: +def verify(ethernet): + if 'deleted' in ethernet: return None - if eth['intf'] not in interfaces(): - raise ConfigError(f"Interface ethernet {eth['intf']} does not exist") + verify_interface_exists(ethernet) - if eth['speed'] == 'auto': - if eth['duplex'] != 'auto': + if ethernet.get('speed', None) == 'auto': + if ethernet.get('duplex', None) != 'auto': raise ConfigError('If speed is hardcoded, duplex must be hardcoded, too') - if eth['duplex'] == 'auto': - if eth['speed'] != 'auto': + if ethernet.get('duplex', None) == 'auto': + if ethernet.get('speed', None) != 'auto': raise ConfigError('If duplex is hardcoded, speed must be hardcoded, too') - if eth['dhcpv6_prm_only'] and eth['dhcpv6_temporary']: - raise ConfigError('DHCPv6 temporary and parameters-only options are mutually exclusive!') - - memberof = eth['is_bridge_member'] if eth['is_bridge_member'] else eth['is_bond_member'] + verify_dhcpv6(ethernet) + verify_address(ethernet) + verify_vrf(ethernet) - if ( memberof - and ( eth['address'] - or eth['ipv6_eui64_prefix'] - or eth['ipv6_autoconf'] ) ): - raise ConfigError(( - f'Cannot assign address to interface "{eth["intf"]}" ' - f'as it is a member of "{memberof}"!')) - - if eth['vrf']: - if eth['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{eth["vrf"]}" does not exist') - - if memberof: - raise ConfigError(( - f'Interface "{eth["intf"]}" cannot be member of VRF "{eth["vrf"]}" 
' - f'and "{memberof}" at the same time!')) - - if eth['mac'] and eth['is_bond_member']: - print('WARNING: "mac {0}" command will be ignored because {1} is a part of {2}'\ - .format(eth['mac'], eth['intf'], eth['is_bond_member'])) + if {'is_bond_member', 'mac'} <= set(ethernet): + print(f'WARNING: changing mac address "{mac}" will be ignored as "{ifname}" ' + f'is a member of bond "{is_bond_member}"'.format(**ethernet)) # use common function to verify VLAN configuration - verify_vlan_config(eth) + verify_vlan_config(ethernet) return None -def generate(eth): +def generate(ethernet): return None -def apply(eth): - e = EthernetIf(eth['intf']) - if eth['deleted']: - # apply all vlans to interface (they need removing too) - apply_all_vlans(e, eth) - +def apply(ethernet): + e = EthernetIf(ethernet['ifname']) + if 'deleted' in ethernet: # delete interface e.remove() else: - # update interface description used e.g. within SNMP - e.set_alias(eth['description']) - - if eth['dhcp_client_id']: - e.dhcp.v4.options['client_id'] = eth['dhcp_client_id'] - - if eth['dhcp_hostname']: - e.dhcp.v4.options['hostname'] = eth['dhcp_hostname'] - - if eth['dhcp_vendor_class_id']: - e.dhcp.v4.options['vendor_class_id'] = eth['dhcp_vendor_class_id'] - - if eth['dhcpv6_prm_only']: - e.dhcp.v6.options['dhcpv6_prm_only'] = True - - if eth['dhcpv6_temporary']: - e.dhcp.v6.options['dhcpv6_temporary'] = True - - if eth['dhcpv6_pd_length']: - e.dhcp.v6.options['dhcpv6_pd_length'] = eth['dhcpv6_pd_length'] - - if eth['dhcpv6_pd_interfaces']: - e.dhcp.v6.options['dhcpv6_pd_interfaces'] = eth['dhcpv6_pd_interfaces'] - - # ignore link state changes - e.set_link_detect(eth['disable_link_detect']) - # disable ethernet flow control (pause frames) - e.set_flow_control(eth['flow_control']) - # configure ARP cache timeout in milliseconds - e.set_arp_cache_tmo(eth['ip_arp_cache_tmo']) - # configure ARP filter configuration - e.set_arp_filter(eth['ip_disable_arp_filter']) - # configure ARP accept - 
e.set_arp_accept(eth['ip_enable_arp_accept']) - # configure ARP announce - e.set_arp_announce(eth['ip_enable_arp_announce']) - # configure ARP ignore - e.set_arp_ignore(eth['ip_enable_arp_ignore']) - # Enable proxy-arp on this interface - e.set_proxy_arp(eth['ip_proxy_arp']) - # Enable private VLAN proxy ARP on this interface - e.set_proxy_arp_pvlan(eth['ip_proxy_arp_pvlan']) - # IPv6 accept RA - e.set_ipv6_accept_ra(eth['ipv6_accept_ra']) - # IPv6 address autoconfiguration - e.set_ipv6_autoconf(eth['ipv6_autoconf']) - # IPv6 forwarding - e.set_ipv6_forwarding(eth['ipv6_forwarding']) - # IPv6 Duplicate Address Detection (DAD) tries - e.set_ipv6_dad_messages(eth['ipv6_dup_addr_detect']) - - # Delete old IPv6 EUI64 addresses before changing MAC - for addr in eth['ipv6_eui64_prefix_remove']: - e.del_ipv6_eui64_address(addr) - - # Change interface MAC address - re-set to real hardware address (hw-id) - # if custom mac is removed. Skip if bond member. - if not eth['is_bond_member']: - if eth['mac']: - e.set_mac(eth['mac']) - elif eth['hw_id']: - e.set_mac(eth['hw_id']) - - # Add IPv6 EUI-based addresses - for addr in eth['ipv6_eui64_prefix']: - e.add_ipv6_eui64_address(addr) - - # Maximum Transmission Unit (MTU) - e.set_mtu(eth['mtu']) - - # GRO (generic receive offload) - e.set_gro(eth['offload_gro']) - - # GSO (generic segmentation offload) - e.set_gso(eth['offload_gso']) - - # scatter-gather option - e.set_sg(eth['offload_sg']) - - # TSO (TCP segmentation offloading) - e.set_tso(eth['offload_tso']) - - # UDP fragmentation offloading - e.set_ufo(eth['offload_ufo']) - - # Set physical interface speed and duplex - e.set_speed_duplex(eth['speed'], eth['duplex']) - - # Enable/Disable interface - if eth['disable']: - e.set_admin_state('down') - else: - e.set_admin_state('up') - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in eth['address_remove']: - e.del_addr(addr) - for 
addr in eth['address']: - e.add_addr(addr) - - # assign/remove VRF (ONLY when not a member of a bridge or bond, - # otherwise 'nomaster' removes it from it) - if not ( eth['is_bridge_member'] or eth['is_bond_member'] ): - e.set_vrf(eth['vrf']) - - # re-add ourselves to any bridge we might have fallen out of - if eth['is_bridge_member']: - e.add_to_bridge(eth['is_bridge_member']) - - # apply all vlans to interface - apply_all_vlans(e, eth) + e.update(ethernet) if __name__ == '__main__': diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py index 31f6eb6b5..cc2cf025a 100755 --- a/src/conf_mode/interfaces-geneve.py +++ b/src/conf_mode/interfaces-geneve.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
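Review bot: The new bond-member warning in verify raises NameError instead of printing: `f'WARNING: changing mac address "{mac}" will be ignored as "{ifname}" '` and `f'is a member of bond "{is_bond_member}"'` are f-strings, so `mac`, `ifname` and `is_bond_member` are resolved as local names when the literal is evaluated, before `.format(**ethernet)` ever runs. Drop the `f` prefixes so `.format(**ethernet)` performs the substitution: `print('WARNING: changing mac address "{mac}" will be ignored as "{ifname}" '` / `      'is a member of bond "{is_bond_member}"'.format(**ethernet))`. Separately, the speed/duplex checks now rely on `ethernet.get('speed', None)` and `ethernet.get('duplex', None)`; if get_interface_dict does not merge the XML default `auto`, an unset speed combined with an explicit `duplex auto` trips the "If duplex is hardcoded" error, which looks unintended — worth confirming against the helper.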
@@ -21,102 +21,40 @@ from copy import deepcopy from netifaces import interfaces from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete from vyos.ifconfig import GeneveIf -from vyos.validate import is_member from vyos import ConfigError from vyos import airbag airbag.enable() -default_config_data = { - 'address': [], - 'deleted': False, - 'description': '', - 'disable': False, - 'intf': '', - 'ip_arp_cache_tmo': 30, - 'ip_proxy_arp': 0, - 'is_bridge_member': False, - 'mtu': 1500, - 'remote': '', - 'vni': '' -} - -def get_config(): - geneve = deepcopy(default_config_data) - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - geneve['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # check if interface is member if a bridge - geneve['is_bridge_member'] = is_member(conf, geneve['intf'], 'bridge') - - # Check if interface has been removed - if not conf.exists('interfaces geneve ' + geneve['intf']): - geneve['deleted'] = True - return geneve - - # set new configuration level - conf.set_level('interfaces geneve ' + geneve['intf']) - - # retrieve configured interface addresses - if conf.exists('address'): - geneve['address'] = conf.return_values('address') - - # retrieve interface description - if conf.exists('description'): - geneve['description'] = conf.return_value('description') - - # Disable this interface - if conf.exists('disable'): - geneve['disable'] = True - - # ARP cache entry timeout in seconds - if conf.exists('ip arp-cache-timeout'): - geneve['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout')) - - # Enable proxy-arp on this interface - if conf.exists('ip enable-proxy-arp'): - geneve['ip_proxy_arp'] = 1 - - # Maximum Transmission Unit (MTU) - if conf.exists('mtu'): - geneve['mtu'] = int(conf.return_value('mtu')) - 
- # Remote address of GENEVE tunnel - if conf.exists('remote'): - geneve['remote'] = conf.return_value('remote') - - # Virtual Network Identifier - if conf.exists('vni'): - geneve['vni'] = conf.return_value('vni') - +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'geneve'] + geneve = get_interface_dict(conf, base) return geneve - def verify(geneve): - if geneve['deleted']: - if geneve['is_bridge_member']: - raise ConfigError(( - f'Cannot delete interface "{geneve["intf"]}" as it is a ' - f'member of bridge "{geneve["is_bridge_member"]}"!')) - + if 'deleted' in geneve: + verify_bridge_delete(geneve) return None - if geneve['is_bridge_member'] and geneve['address']: - raise ConfigError(( - f'Cannot assign address to interface "{geneve["intf"]}" ' - f'as it is a member of bridge "{geneve["is_bridge_member"]}"!')) + verify_address(geneve) - if not geneve['remote']: - raise ConfigError('GENEVE remote must be configured') + if 'remote' not in geneve: + raise ConfigError('Remote side must be configured') - if not geneve['vni']: - raise ConfigError('GENEVE VNI must be configured') + if 'vni' not in geneve: + raise ConfigError('VNI must be configured') return None @@ -127,13 +65,13 @@ def generate(geneve): def apply(geneve): # Check if GENEVE interface already exists - if geneve['intf'] in interfaces(): - g = GeneveIf(geneve['intf']) + if geneve['ifname'] in interfaces(): + g = GeneveIf(geneve['ifname']) # GENEVE is super picky and the tunnel always needs to be recreated, # thus we can simply always delete it first. g.remove() - if not geneve['deleted']: + if 'deleted' not in geneve: # GENEVE interface needs to be created on-block # instead of passing a ton of arguments, I just use a dict # that is managed by vyos.ifconfig 
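Review bot: `from copy import deepcopy` survives as the context line in this hunk's header while its only visible user, `deepcopy(default_config_data)`, is removed; unless the rest of the file uses it, drop it along with the already-removed `is_member` import (the same question applies to `import os` if `os.environ` was its only use, which this hunk does not show). The new verify messages `'Remote side must be configured'` and `'VNI must be configured'` no longer name the interface type or instance; including the ifname, e.g. `raise ConfigError(f'Remote side must be configured for "{geneve["ifname"]}"')`, keeps the error actionable when several GENEVE tunnels are committed at once.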
@@ -144,32 +82,8 @@ def apply(geneve): conf['remote'] = geneve['remote'] # Finally create the new interface - g = GeneveIf(geneve['intf'], **conf) - # update interface description used e.g. by SNMP - g.set_alias(geneve['description']) - # Maximum Transfer Unit (MTU) - g.set_mtu(geneve['mtu']) - - # configure ARP cache timeout in milliseconds - g.set_arp_cache_tmo(geneve['ip_arp_cache_tmo']) - # Enable proxy-arp on this interface - g.set_proxy_arp(geneve['ip_proxy_arp']) - - # Configure interface address(es) - no need to implicitly delete the - # old addresses as they have already been removed by deleting the - # interface above - for addr in geneve['address']: - g.add_addr(addr) - - # As the GENEVE interface is always disabled first when changing - # parameters we will only re-enable the interface if it is not - # administratively disabled - if not geneve['disable']: - g.set_admin_state('up') - - # re-add ourselves to any bridge we might have fallen out of - if geneve['is_bridge_member']: - g.add_to_bridge(geneve['is_bridge_member']) + g = GeneveIf(geneve['ifname'], **conf) + g.update(geneve) return None diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py index 4ff0bcb57..8250a3df8 100755 --- a/src/conf_mode/interfaces-l2tpv3.py +++ b/src/conf_mode/interfaces-l2tpv3.py 
@@ -21,200 +21,68 @@ from copy import deepcopy from netifaces import interfaces from vyos.config import Config -from vyos.ifconfig import L2TPv3If, Interface +from vyos.configdict import get_interface_dict +from vyos.configdict import leaf_node_changed +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.ifconfig import L2TPv3If +from vyos.util import check_kmod +from vyos.validate import is_addr_assigned from vyos import ConfigError -from vyos.util import call -from vyos.validate import is_member, is_addr_assigned - from vyos import airbag airbag.enable() -default_config_data = { - 'address': [], - 'deleted': False, - 'description': '', - 'disable': False, - 'encapsulation': 'udp', - 'local_address': '', - 'local_port': 5000, - 'intf': '', - 'ipv6_accept_ra': 1, - 'ipv6_autoconf': 0, - 'ipv6_eui64_prefix': [], - 'ipv6_forwarding': 1, - 'ipv6_dup_addr_detect': 1, - 'is_bridge_member': False, - 'mtu': 1488, - 'peer_session_id': '', - 'peer_tunnel_id': '', - 'remote_address': '', - 'remote_port': 5000, - 'session_id': '', - 'tunnel_id': '' -} - -def check_kmod(): - modules = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - -def get_config(): - l2tpv3 = deepcopy(default_config_data) - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - l2tpv3['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # check if interface is member of a bridge - l2tpv3['is_bridge_member'] = is_member(conf, l2tpv3['intf'], 'bridge') - - # Check if interface has been removed - if not conf.exists('interfaces l2tpv3 ' + l2tpv3['intf']): - l2tpv3['deleted'] = True - interface = l2tpv3['intf'] - - # to delete the l2tpv3 interface we need the current tunnel_id 
and session_id - if conf.exists_effective(f'interfaces l2tpv3 {interface} tunnel-id'): - l2tpv3['tunnel_id'] = conf.return_effective_value(f'interfaces l2tpv3 {interface} tunnel-id') - - if conf.exists_effective(f'interfaces l2tpv3 {interface} session-id'): - l2tpv3['session_id'] = conf.return_effective_value(f'interfaces l2tpv3 {interface} session-id') - - return l2tpv3 - - # set new configuration level - conf.set_level('interfaces l2tpv3 ' + l2tpv3['intf']) - - # retrieve configured interface addresses - if conf.exists('address'): - l2tpv3['address'] = conf.return_values('address') - - # retrieve interface description - if conf.exists('description'): - l2tpv3['description'] = conf.return_value('description') - - # get tunnel destination port - if conf.exists('destination-port'): - l2tpv3['remote_port'] = int(conf.return_value('destination-port')) - - # Disable this interface - if conf.exists('disable'): - l2tpv3['disable'] = True - - # get tunnel encapsulation type - if conf.exists('encapsulation'): - l2tpv3['encapsulation'] = conf.return_value('encapsulation') - - # get tunnel local ip address - if conf.exists('local-ip'): - l2tpv3['local_address'] = conf.return_value('local-ip') - - # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC) - if conf.exists('ipv6 address autoconf'): - l2tpv3['ipv6_autoconf'] = 1 - - # Get prefixes for IPv6 addressing based on MAC address (EUI-64) - if conf.exists('ipv6 address eui64'): - l2tpv3['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64') +k_mod = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6'] - # Remove the default link-local address if set. 
- if not ( conf.exists('ipv6 address no-default-link-local') or - l2tpv3['is_bridge_member'] ): - # add the link-local by default to make IPv6 work - l2tpv3['ipv6_eui64_prefix'].append('fe80::/64') - # Disable IPv6 forwarding on this interface - if conf.exists('ipv6 disable-forwarding'): - l2tpv3['ipv6_forwarding'] = 0 +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'l2tpv3'] + l2tpv3 = get_interface_dict(conf, base) - # IPv6 Duplicate Address Detection (DAD) tries - if conf.exists('ipv6 dup-addr-detect-transmits'): - l2tpv3['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits')) + # L2TPv3 is "special" the default MTU is 1488 - update accordingly + # as the config_level is already st in get_interface_dict() - we can use [] + tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True) + if 'mtu' not in tmp: + l2tpv3['mtu'] = '1488' - # to make IPv6 SLAAC and DHCPv6 work with forwarding=1, - # accept_ra must be 2 - if l2tpv3['ipv6_autoconf'] or 'dhcpv6' in l2tpv3['address']: - l2tpv3['ipv6_accept_ra'] = 2 + # To delete an l2tpv3 interface we need the current tunnel and session-id + if 'deleted' in l2tpv3: + tmp = leaf_node_changed(conf, ['tunnel-id']) + l2tpv3.update({'tunnel_id': tmp}) - # Maximum Transmission Unit (MTU) - if conf.exists('mtu'): - l2tpv3['mtu'] = int(conf.return_value('mtu')) - - # Remote session id - if conf.exists('peer-session-id'): - l2tpv3['peer_session_id'] = conf.return_value('peer-session-id') - - # Remote tunnel id - if conf.exists('peer-tunnel-id'): - l2tpv3['peer_tunnel_id'] = conf.return_value('peer-tunnel-id') - - # Remote address of L2TPv3 tunnel - if conf.exists('remote-ip'): - l2tpv3['remote_address'] = conf.return_value('remote-ip') - - # Local session id - if conf.exists('session-id'): - 
l2tpv3['session_id'] = conf.return_value('session-id') - - # get local tunnel port - if conf.exists('source-port'): - l2tpv3['local_port'] = conf.return_value('source-port') - - # get local tunnel id - if conf.exists('tunnel-id'): - l2tpv3['tunnel_id'] = conf.return_value('tunnel-id') + tmp = leaf_node_changed(conf, ['session-id']) + l2tpv3.update({'session_id': tmp}) return l2tpv3 - def verify(l2tpv3): - interface = l2tpv3['intf'] - - if l2tpv3['deleted']: - if l2tpv3['is_bridge_member']: - raise ConfigError(( - f'Interface "{l2tpv3["intf"]}" cannot be deleted as it is a ' - f'member of bridge "{l2tpv3["is_bridge_member"]}"!')) - + if 'deleted' in l2tpv3: + verify_bridge_delete(l2tpv3) return None - if not l2tpv3['local_address']: - raise ConfigError(f'Must configure the l2tpv3 local-ip for {interface}') - - if not is_addr_assigned(l2tpv3['local_address']): - raise ConfigError(f'Must use a configured IP on l2tpv3 local-ip for {interface}') + interface = l2tpv3['ifname'] - if not l2tpv3['remote_address']: - raise ConfigError(f'Must configure the l2tpv3 remote-ip for {interface}') + for key in ['local_ip', 'remote_ip', 'tunnel_id', 'peer_tunnel_id', + 'session_id', 'peer_session_id']: + if key not in l2tpv3: + tmp = key.replace('_', '-') + raise ConfigError(f'L2TPv3 {tmp} must be configured!') - if not l2tpv3['tunnel_id']: - raise ConfigError(f'Must configure the l2tpv3 tunnel-id for {interface}') - - if not l2tpv3['peer_tunnel_id']: - raise ConfigError(f'Must configure the l2tpv3 peer-tunnel-id for {interface}') - - if not l2tpv3['session_id']: - raise ConfigError(f'Must configure the l2tpv3 session-id for {interface}') - - if not l2tpv3['peer_session_id']: - raise ConfigError(f'Must configure the l2tpv3 peer-session-id for {interface}') - - if ( l2tpv3['is_bridge_member'] - and ( l2tpv3['address'] - or l2tpv3['ipv6_eui64_prefix'] - or l2tpv3['ipv6_autoconf'] ) ): - raise ConfigError(( - f'Cannot assign address to interface "{l2tpv3["intf"]}" ' - f'as it is a 
member of bridge "{l2tpv3["is_bridge_member"]}"!')) + if not is_addr_assigned(l2tpv3['local_ip']): + raise ConfigError('L2TPv3 local-ip address ' + '"{local_ip}" is not configured!'.format(**l2tpv3)) + verify_address(l2tpv3) return None - def generate(l2tpv3): return None 
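Review bot: In the rewritten verify(), `interface = l2tpv3['ifname']` is assigned but never read, and the new error messages no longer name the interface the way the removed ones did; either drop the assignment or use it, e.g. `raise ConfigError(f'L2TPv3 {tmp} must be configured for {interface}!')`. In get_config() the comment `as the config_level is already st in get_interface_dict()` should read `set` (the same comment is pasted into interfaces-pppoe.py). The deleted branch stores whatever leaf_node_changed() returns for tunnel-id and session-id straight into the dict; if that helper can return None, the removal path in apply() (next hunk) would hand tunnel_id=None to L2TPv3If, so the helper's contract is worth confirming in a short comment here.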
@@ -225,65 +93,34 @@ def apply(l2tpv3): conf = deepcopy(L2TPv3If.get_config()) # Check if L2TPv3 interface already exists - if l2tpv3['intf'] in interfaces(): + if l2tpv3['ifname'] in interfaces(): # L2TPv3 is picky when changing tunnels/sessions, thus we can simply # always delete it first. conf['session_id'] = l2tpv3['session_id'] conf['tunnel_id'] = l2tpv3['tunnel_id'] - l = L2TPv3If(l2tpv3['intf'], **conf) + l = L2TPv3If(l2tpv3['ifname'], **conf) l.remove() - if not l2tpv3['deleted']: + if 'deleted' not in l2tpv3: conf['peer_tunnel_id'] = l2tpv3['peer_tunnel_id'] - conf['local_port'] = l2tpv3['local_port'] - conf['remote_port'] = l2tpv3['remote_port'] + conf['local_port'] = l2tpv3['source_port'] + conf['remote_port'] = l2tpv3['destination_port'] conf['encapsulation'] = l2tpv3['encapsulation'] - conf['local_address'] = l2tpv3['local_address'] - conf['remote_address'] = l2tpv3['remote_address'] + conf['local_address'] = l2tpv3['local_ip'] + conf['remote_address'] = l2tpv3['remote_ip'] conf['session_id'] = l2tpv3['session_id'] conf['tunnel_id'] = l2tpv3['tunnel_id'] conf['peer_session_id'] = l2tpv3['peer_session_id'] # Finally create the new interface - l = L2TPv3If(l2tpv3['intf'], **conf) - # update interface description used e.g. 
by SNMP - l.set_alias(l2tpv3['description']) - # Maximum Transfer Unit (MTU) - l.set_mtu(l2tpv3['mtu']) - # IPv6 accept RA - l.set_ipv6_accept_ra(l2tpv3['ipv6_accept_ra']) - # IPv6 address autoconfiguration - l.set_ipv6_autoconf(l2tpv3['ipv6_autoconf']) - # IPv6 forwarding - l.set_ipv6_forwarding(l2tpv3['ipv6_forwarding']) - # IPv6 Duplicate Address Detection (DAD) tries - l.set_ipv6_dad_messages(l2tpv3['ipv6_dup_addr_detect']) - - # Configure interface address(es) - no need to implicitly delete the - # old addresses as they have already been removed by deleting the - # interface above - for addr in l2tpv3['address']: - l.add_addr(addr) - - # IPv6 EUI-based addresses - for addr in l2tpv3['ipv6_eui64_prefix']: - l.add_ipv6_eui64_address(addr) - - # As the interface is always disabled first when changing parameters - # we will only re-enable the interface if it is not administratively - # disabled - if not l2tpv3['disable']: - l.set_admin_state('up') - - # re-add ourselves to any bridge we might have fallen out of - if l2tpv3['is_bridge_member']: - l.add_to_bridge(l2tpv3['is_bridge_member']) + l = L2TPv3If(l2tpv3['ifname'], **conf) + l.update(l2tpv3) return None if __name__ == '__main__': try: - check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py index 2368f88a9..30a27abb4 100755 --- a/src/conf_mode/interfaces-loopback.py +++ b/src/conf_mode/interfaces-loopback.py 
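Review bot: The non-deleted branch indexes `l2tpv3['source_port']`, `l2tpv3['destination_port']` and `l2tpv3['encapsulation']` directly, but verify() only guarantees local_ip, remote_ip, tunnel_id, peer_tunnel_id, session_id and peer_session_id, and the removed default_config_data that used to supply 5000/5000/'udp' for these is gone. This only works if get_interface_dict() merges XML defaults for each of these keys; if it does, a one-line comment stating that would help, otherwise use lookups such as `conf['local_port'] = l2tpv3.get('source_port', '5000')` or add the keys to verify()'s mandatory list. The apply() definition starts before this hunk.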
@@ -18,31 +18,24 @@ import os from sys import exit -from vyos.ifconfig import LoopbackIf from vyos.config import Config -from vyos import ConfigError, airbag +from vyos.configdict import get_interface_dict +from vyos.ifconfig import LoopbackIf +from vyos import ConfigError +from vyos import airbag airbag.enable() -def get_config(): - """ Retrive CLI config as dictionary. Dictionary can never be empty, - as at least the interface name will be added or a deleted flag """ - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - base = ['interfaces', 'loopback', ifname] - - loopback = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # Check if interface has been removed - if loopback == {}: - loopback.update({'deleted' : ''}) - - # store interface instance name in dictionary - loopback.update({'ifname': ifname}) - +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'loopback'] + loopback = get_interface_dict(conf, base) return loopback def verify(loopback): diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 56273f71a..2866ccc0a 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py 
@@ -20,16 +20,14 @@ from copy import deepcopy from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge +from vyos.configdict import get_interface_dict from vyos.ifconfig import MACsecIf from vyos.template import render from vyos.util import call -from vyos.validate import is_member from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_source_interface -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() 
@@ -37,51 +35,29 @@ airbag.enable() # XXX: wpa_supplicant works on the source interface wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf' -def get_config(): - """ Retrive CLI config as dictionary. Dictionary can never be empty, - as at least the interface name will be added or a deleted flag """ - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - # retrieve interface default values +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() base = ['interfaces', 'macsec'] - default_values = defaults(base) - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - base = base + [ifname] + macsec = get_interface_dict(conf, base) - macsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) # Check if interface has been removed - if macsec == {}: - tmp = { - 'deleted' : '', - 'source_interface' : conf.return_effective_value( + if 'deleted' in macsec: + source_interface = conf.return_effective_value( base + ['source-interface']) - } - macsec.update(tmp) - - # We have gathered the dict representation of the CLI, but there are - # default options which we need to update into the dictionary - # retrived. - macsec = dict_merge(default_values, macsec) - - # Add interface instance name into dictionary - macsec.update({'ifname': ifname}) - - # Check if we are a member of any bridge - bridge = is_member(conf, ifname, 'bridge') - if bridge: - tmp = {'is_bridge_member' : bridge} - macsec.update(tmp) + macsec.update({'source_interface': source_interface}) return macsec def verify(macsec): - if 'deleted' in macsec.keys(): + if 'deleted' in macsec: verify_bridge_delete(macsec) return None 
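Review bot: The deleted branch of get_config() calls `conf.return_effective_value(base + ['source-interface'])` while `base` is still `['interfaces', 'macsec']`; the removed code appended the interface name to base before this lookup and the new code never does, so the path no longer identifies which macsec interface is being deleted (and if get_interface_dict() has already moved the config level to the interface, the absolute prefix is doubled on top). It should be `base + [macsec['ifname'], 'source-interface']` from the root level, or `['source-interface']` relative, matching how the l2tpv3 and pppoe hunks use `[]` after get_interface_dict(). This is more than a lookup error: the value feeds the `wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf'` path in the context line above, so an empty or wrong source_interface on delete would presumably leave that file — likely rendered from the same config that verify() shows holds the MKA cak/ckn — behind after the interface is gone; the delete path deserves a check that it really removes it.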
@@ -89,18 +65,18 @@ def verify(macsec): verify_vrf(macsec) verify_address(macsec) - if not (('security' in macsec.keys()) and - ('cipher' in macsec['security'].keys())): + if not (('security' in macsec) and + ('cipher' in macsec['security'])): raise ConfigError( 'Cipher suite must be set for MACsec "{ifname}"'.format(**macsec)) - if (('security' in macsec.keys()) and - ('encrypt' in macsec['security'].keys())): + if (('security' in macsec) and + ('encrypt' in macsec['security'])): tmp = macsec.get('security') - if not (('mka' in tmp.keys()) and - ('cak' in tmp['mka'].keys()) and - ('ckn' in tmp['mka'].keys())): + if not (('mka' in tmp) and + ('cak' in tmp['mka']) and + ('ckn' in tmp['mka'])): raise ConfigError('Missing mandatory MACsec security ' 'keys as encryption is enabled!') diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 1420b4116..958b305dd 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -192,9 +192,12 @@ def getDefaultServer(network, topology, devtype): return server -def get_config(): +def get_config(config=None): openvpn = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() # determine tagNode instance if 'VYOS_TAGNODE_VALUE' not in os.environ: diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py index 3ee57e83c..1b4b9e4ee 100755 --- a/src/conf_mode/interfaces-pppoe.py +++ b/src/conf_mode/interfaces-pppoe.py 
@@ -15,58 +15,43 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import jmespath from sys import exit from copy import deepcopy from netifaces import interfaces from vyos.config import Config -from vyos.configdict import dict_merge +from vyos.configdict import get_interface_dict from vyos.configverify import verify_source_interface from vyos.configverify import verify_vrf from vyos.template import render from vyos.util import call -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() -def get_config(): - """ Retrive CLI config as dictionary. Dictionary can never be empty, - as at least the interface name will be added or a deleted flag """ - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - # retrieve interface default values +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() base = ['interfaces', 'pppoe'] - default_values = defaults(base) - # PPPoE is "special" the default MTU is 1492 - update accordingly - default_values['mtu'] = '1492' - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - base = base + [ifname] + pppoe = get_interface_dict(conf, base) - pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # Check if interface has been removed - if pppoe == {}: - pppoe.update({'deleted' : ''}) - - # We have gathered the dict representation of the CLI, but there are - # default options which we need to update into the dictionary - # retrived. 
- pppoe = dict_merge(default_values, pppoe) - - # Add interface instance name into dictionary - pppoe.update({'ifname': ifname}) + # PPPoE is "special" the default MTU is 1492 - update accordingly + # as the config_level is already st in get_interface_dict() - we can use [] + tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True) + if 'mtu' not in tmp: + pppoe['mtu'] = '1492' return pppoe def verify(pppoe): - if 'deleted' in pppoe.keys(): + if 'deleted' in pppoe: # bail out early return None @@ -92,7 +77,7 @@ def generate(pppoe): config_files = [config_pppoe, script_pppoe_pre_up, script_pppoe_ip_up, script_pppoe_ip_down, script_pppoe_ipv6_up, config_wide_dhcp6c] - if 'deleted' in pppoe.keys(): + if 'deleted' in pppoe: # stop DHCPv6-PD client call(f'systemctl stop dhcp6c@{ifname}.service') # Hang-up PPPoE connection @@ -121,20 +106,19 @@ def generate(pppoe): render(script_pppoe_ipv6_up, 'pppoe/ipv6-up.script.tmpl', pppoe, trim_blocks=True, permission=0o755) - tmp = jmespath.search('dhcpv6_options.prefix_delegation.interface', pppoe) - if tmp and len(tmp) > 0: + if 'dhcpv6_options' in pppoe and 'pd' in pppoe['dhcpv6_options']: # ipv6.tmpl relies on ifname - this should be made consitent in the # future better then double key-ing the same value - render(config_wide_dhcp6c, 'dhcp-client/ipv6_new.tmpl', pppoe, trim_blocks=True) + render(config_wide_dhcp6c, 'dhcp-client/ipv6.tmpl', pppoe, trim_blocks=True) return None def apply(pppoe): - if 'deleted' in pppoe.keys(): + if 'deleted' in pppoe: # bail out early return None - if 'disable' not in pppoe.keys(): + if 'disable' not in pppoe: # Dial PPPoE connection call('systemctl restart ppp@{ifname}.service'.format(**pppoe)) diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index fb8237bee..59edca1cc 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py 
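Review bot: The new guard `if 'dhcpv6_options' in pppoe and 'pd' in pppoe['dhcpv6_options']:` only checks that a `pd` node exists, whereas the removed jmespath lookup required a non-empty prefix-delegation interface list before rendering the dhcp6c config; if the CLI allows `dhcpv6-options pd` without an interface beneath it, this now renders and later starts a dhcp6c client with nothing to delegate to. If the schema guarantees at least one entry under pd, a short comment saying so would save the next reader the check; otherwise keep the depth of the old test, e.g. `if pppoe.get('dhcpv6_options', {}).get('pd'):`. The generate() definition starts before this hunk.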
@@ -18,115 +18,69 @@ import os from copy import deepcopy from sys import exit -from netifaces import interfaces from vyos.config import Config -from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data -from vyos.ifconfig import MACVLANIf, Section -from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config +from vyos.configdict import get_interface_dict +from vyos.configdict import leaf_node_changed +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_vlan_config +from vyos.ifconfig import MACVLANIf +from vyos.validate import is_member from vyos import ConfigError from vyos import airbag airbag.enable() -default_config_data = { - **interface_default_data, - 'deleted': False, - 'intf': '', - 'ip_arp_cache_tmo': 30, - 'ip_proxy_arp_pvlan': 0, - 'source_interface': '', - 'recreating_required': False, - 'mode': 'private', - 'vif_s': {}, - 'vif_s_remove': [], - 'vif': {}, - 'vif_remove': [], - 'vrf': '' -} - -def get_config(): - peth = deepcopy(default_config_data) - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - peth['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # Check if interface has been removed - cfg_base = ['interfaces', 'pseudo-ethernet', peth['intf']] - if not conf.exists(cfg_base): - peth['deleted'] = True - return peth - - # set new configuration level - conf.set_level(cfg_base) - - peth, disabled = intf_to_dict(conf, default_config_data) - - # ARP cache entry timeout in seconds - if conf.exists(['ip', 'arp-cache-timeout']): - peth['ip_arp_cache_tmo'] = int(conf.return_value(['ip', 'arp-cache-timeout'])) - - # Enable private VLAN proxy ARP on this interface - if conf.exists(['ip', 'proxy-arp-pvlan']): - 
peth['ip_proxy_arp_pvlan'] = 1 +def get_config(config=None): + """ + Retrive CLI config as dictionary. Dictionary can never be empty, as at + least the interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'pseudo-ethernet'] + peth = get_interface_dict(conf, base) - # Physical interface - if conf.exists(['source-interface']): - peth['source_interface'] = conf.return_value(['source-interface']) - tmp = conf.return_effective_value(['source-interface']) - if tmp != peth['source_interface']: - peth['recreating_required'] = True + mode = leaf_node_changed(conf, ['mode']) + if mode: + peth.update({'mode_old' : mode}) - # MACvlan mode - if conf.exists(['mode']): - peth['mode'] = conf.return_value(['mode']) - tmp = conf.return_effective_value(['mode']) - if tmp != peth['mode']: - peth['recreating_required'] = True + # Check if source-interface is member of a bridge device + if 'source_interface' in peth: + bridge = is_member(conf, peth['source_interface'], 'bridge') + if bridge: + peth.update({'source_interface_is_bridge_member' : bridge}) - add_to_dict(conf, disabled, peth, 'vif', 'vif') - add_to_dict(conf, disabled, peth, 'vif-s', 'vif_s') + # Check if we are a member of a bond device + bond = is_member(conf, peth['source_interface'], 'bonding') + if bond: + peth.update({'source_interface_is_bond_member' : bond}) return peth def verify(peth): - if peth['deleted']: - if peth['is_bridge_member']: - raise ConfigError(( - f'Cannot delete interface "{peth["intf"]}" as it is a ' - f'member of bridge "{peth["is_bridge_member"]}"!')) - + if 'deleted' in peth: + verify_bridge_delete(peth) return None - if not peth['source_interface']: - raise ConfigError(( - f'Link device must be set for pseudo-ethernet "{peth["intf"]}"')) - - if not peth['source_interface'] in interfaces(): - raise ConfigError(( - f'Pseudo-ethernet "{peth["intf"]}" link device does not exist')) - - if ( peth['is_bridge_member'] - and ( 
peth['address'] - or peth['ipv6_eui64_prefix'] - or peth['ipv6_autoconf'] ) ): - raise ConfigError(( - f'Cannot assign address to interface "{peth["intf"]}" ' - f'as it is a member of bridge "{peth["is_bridge_member"]}"!')) + verify_source_interface(peth) + verify_vrf(peth) + verify_address(peth) - if peth['vrf']: - if peth['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{peth["vrf"]}" does not exist') + if 'source_interface_is_bridge_member' in peth: + raise ConfigError( + 'Source interface "{source_interface}" can not be used as it is already a ' + 'member of bridge "{source_interface_is_bridge_member}"!'.format(**peth)) - if peth['is_bridge_member']: - raise ConfigError(( - f'Interface "{peth["intf"]}" cannot be member of VRF ' - f'"{peth["vrf"]}" and bridge {peth["is_bridge_member"]} ' - f'at the same time!')) + if 'source_interface_is_bond_member' in peth: + raise ConfigError( + 'Source interface "{source_interface}" can not be used as it is already a ' + 'member of bond "{source_interface_is_bond_member}"!'.format(**peth)) # use common function to verify VLAN configuration verify_vlan_config(peth) @@ -136,17 +90,16 @@ def generate(peth): return None def apply(peth): - if peth['deleted']: + if 'deleted' in peth: # delete interface - MACVLANIf(peth['intf']).remove() + MACVLANIf(peth['ifname']).remove() return None # Check if MACVLAN interface already exists. Parameters like the underlaying - # source-interface device or mode can not be changed on the fly and the interface - # needs to be recreated from the bottom. - if peth['intf'] in interfaces(): - if peth['recreating_required']: - MACVLANIf(peth['intf']).remove() + # source-interface device or mode can not be changed on the fly and the + # interface needs to be recreated from the bottom. + if 'mode_old' in peth: + MACVLANIf(peth['ifname']).remove() # MACVLAN interface needs to be created on-block instead of passing a ton # of arguments, I just use a dict that is managed by vyos.ifconfig 
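Review bot: get_config() now only records a mode change (`mode_old` via `leaf_node_changed(conf, ['mode'])`), but the removed code also set recreating_required when source-interface changed, and apply() in the next hunk removes the MACVLAN only `if 'mode_old' in peth:` while its own comment still says the source-interface device cannot be changed on the fly. Unless MACVLANIf.update() re-parents the link (not visible here), a changed source-interface now leaves the old interface in place; track it the same way, `tmp = leaf_node_changed(conf, ['source-interface'])` stored under e.g. `source_interface_old`, and test both keys before the remove() in apply(). Also the comment `# Check if we are a member of a bond device` describes the source interface, not the pseudo-ethernet itself; `# Check if source-interface is member of a bond device` matches the bridge comment above it.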
@@ -158,98 +111,8 @@ def apply(peth): # It is safe to "re-create" the interface always, there is a sanity check # that the interface will only be create if its non existent - p = MACVLANIf(peth['intf'], **conf) - - # update interface description used e.g. within SNMP - p.set_alias(peth['description']) - - if peth['dhcp_client_id']: - p.dhcp.v4.options['client_id'] = peth['dhcp_client_id'] - - if peth['dhcp_hostname']: - p.dhcp.v4.options['hostname'] = peth['dhcp_hostname'] - - if peth['dhcp_vendor_class_id']: - p.dhcp.v4.options['vendor_class_id'] = peth['dhcp_vendor_class_id'] - - if peth['dhcpv6_prm_only']: - p.dhcp.v6.options['dhcpv6_prm_only'] = True - - if peth['dhcpv6_temporary']: - p.dhcp.v6.options['dhcpv6_temporary'] = True - - if peth['dhcpv6_pd_length']: - p.dhcp.v6.options['dhcpv6_pd_length'] = peth['dhcpv6_pd_length'] - - if peth['dhcpv6_pd_interfaces']: - p.dhcp.v6.options['dhcpv6_pd_interfaces'] = peth['dhcpv6_pd_interfaces'] - - # ignore link state changes - p.set_link_detect(peth['disable_link_detect']) - # configure ARP cache timeout in milliseconds - p.set_arp_cache_tmo(peth['ip_arp_cache_tmo']) - # configure ARP filter configuration - p.set_arp_filter(peth['ip_disable_arp_filter']) - # configure ARP accept - p.set_arp_accept(peth['ip_enable_arp_accept']) - # configure ARP announce - p.set_arp_announce(peth['ip_enable_arp_announce']) - # configure ARP ignore - p.set_arp_ignore(peth['ip_enable_arp_ignore']) - # Enable proxy-arp on this interface - p.set_proxy_arp(peth['ip_proxy_arp']) - # Enable private VLAN proxy ARP on this interface - p.set_proxy_arp_pvlan(peth['ip_proxy_arp_pvlan']) - # IPv6 accept RA - p.set_ipv6_accept_ra(peth['ipv6_accept_ra']) - # IPv6 address autoconfiguration - p.set_ipv6_autoconf(peth['ipv6_autoconf']) - # IPv6 forwarding - p.set_ipv6_forwarding(peth['ipv6_forwarding']) - # IPv6 Duplicate Address Detection (DAD) tries - p.set_ipv6_dad_messages(peth['ipv6_dup_addr_detect']) - - # assign/remove VRF (ONLY when not a member 
of a bridge, - # otherwise 'nomaster' removes it from it) - if not peth['is_bridge_member']: - p.set_vrf(peth['vrf']) - - # Delete old IPv6 EUI64 addresses before changing MAC - for addr in peth['ipv6_eui64_prefix_remove']: - p.del_ipv6_eui64_address(addr) - - # Change interface MAC address - if peth['mac']: - p.set_mac(peth['mac']) - - # Add IPv6 EUI-based addresses - for addr in peth['ipv6_eui64_prefix']: - p.add_ipv6_eui64_address(addr) - - # Change interface mode - p.set_mode(peth['mode']) - - # Enable/Disable interface - if peth['disable']: - p.set_admin_state('down') - else: - p.set_admin_state('up') - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in peth['address_remove']: - p.del_addr(addr) - for addr in peth['address']: - p.add_addr(addr) - - # re-add ourselves to any bridge we might have fallen out of - if peth['is_bridge_member']: - p.add_to_bridge(peth['is_bridge_member']) - - # apply all vlans to interface - apply_all_vlans(p, peth) - + p = MACVLANIf(peth['ifname'], **conf) + p.update(peth) return None if __name__ == '__main__': diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index ea15a7fb7..11d8d6edc 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -397,12 +397,16 @@ def ip_proto (afi): return 6 if afi == IP6 else 4 -def get_config(): +def get_config(config=None): ifname = os.environ.get('VYOS_TAGNODE_VALUE','') if not ifname: raise ConfigError('Interface not specified') - config = Config() + if config: + config = config + else: + config = Config() + conf = ConfigurationState(config, ['interfaces', 'tunnel ', ifname], default_config_data) options = conf.options changes = conf.changes diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 39db814b4..bea3aa25b 100755 --- a/src/conf_mode/interfaces-vxlan.py 
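Review bot: The new `if config: config = config` branch is a no-op assignment and reads as a copy-paste slip from the other get_config() hunks; `if config is None: config = Config()` says the same thing without the dead branch and, unlike the truthiness test, does not depend on how Config evaluates in boolean context. The rest of get_config() continues outside this hunk.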
+++ b/src/conf_mode/interfaces-vxlan.py 
@@ -21,197 +21,64 @@ from copy import deepcopy from netifaces import interfaces from vyos.config import Config +from vyos.configdict import get_interface_dict +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_source_interface from vyos.ifconfig import VXLANIf, Interface -from vyos.validate import is_member from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - 'address': [], - 'deleted': False, - 'description': '', - 'disable': False, - 'group': '', - 'intf': '', - 'ip_arp_cache_tmo': 30, - 'ip_disable_arp_filter': 1, - 'ip_enable_arp_accept': 0, - 'ip_enable_arp_announce': 0, - 'ip_enable_arp_ignore': 0, - 'ip_proxy_arp': 0, - 'ipv6_accept_ra': 1, - 'ipv6_autoconf': 0, - 'ipv6_eui64_prefix': [], - 'ipv6_forwarding': 1, - 'ipv6_dup_addr_detect': 1, - 'is_bridge_member': False, - 'source_address': '', - 'source_interface': '', - 'mtu': 1450, - 'remote': '', - 'remote_port': 8472, # The Linux implementation of VXLAN pre-dates - # the IANA's selection of a standard destination port - 'vni': '' -} - -def get_config(): - vxlan = deepcopy(default_config_data) - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - vxlan['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # check if interface is member if a bridge - vxlan['is_bridge_member'] = is_member(conf, vxlan['intf'], 'bridge') - - # Check if interface has been removed - if not conf.exists('interfaces vxlan ' + vxlan['intf']): - vxlan['deleted'] = True - return vxlan - - # set new configuration level - conf.set_level('interfaces vxlan ' + vxlan['intf']) - - # retrieve configured interface addresses - if conf.exists('address'): - vxlan['address'] = conf.return_values('address') - - # retrieve interface description - if conf.exists('description'): - vxlan['description'] = 
conf.return_value('description') - - # Disable this interface - if conf.exists('disable'): - vxlan['disable'] = True - - # VXLAN multicast grou - if conf.exists('group'): - vxlan['group'] = conf.return_value('group') - - # ARP cache entry timeout in seconds - if conf.exists('ip arp-cache-timeout'): - vxlan['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout')) - - # ARP filter configuration - if conf.exists('ip disable-arp-filter'): - vxlan['ip_disable_arp_filter'] = 0 - - # ARP enable accept - if conf.exists('ip enable-arp-accept'): - vxlan['ip_enable_arp_accept'] = 1 - - # ARP enable announce - if conf.exists('ip enable-arp-announce'): - vxlan['ip_enable_arp_announce'] = 1 - - # ARP enable ignore - if conf.exists('ip enable-arp-ignore'): - vxlan['ip_enable_arp_ignore'] = 1 - - # Enable proxy-arp on this interface - if conf.exists('ip enable-proxy-arp'): - vxlan['ip_proxy_arp'] = 1 - - # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC) - if conf.exists('ipv6 address autoconf'): - vxlan['ipv6_autoconf'] = 1 - - # Get prefixes for IPv6 addressing based on MAC address (EUI-64) - if conf.exists('ipv6 address eui64'): - vxlan['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64') - - # Remove the default link-local address if set. 
- if not ( conf.exists('ipv6 address no-default-link-local') - or vxlan['is_bridge_member'] ): - # add the link-local by default to make IPv6 work - vxlan['ipv6_eui64_prefix'].append('fe80::/64') - - # Disable IPv6 forwarding on this interface - if conf.exists('ipv6 disable-forwarding'): - vxlan['ipv6_forwarding'] = 0 - - # IPv6 Duplicate Address Detection (DAD) tries - if conf.exists('ipv6 dup-addr-detect-transmits'): - vxlan['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits')) - - # to make IPv6 SLAAC and DHCPv6 work with forwarding=1, - # accept_ra must be 2 - if vxlan['ipv6_autoconf'] or 'dhcpv6' in vxlan['address']: - vxlan['ipv6_accept_ra'] = 2 - - # VXLAN source address - if conf.exists('source-address'): - vxlan['source_address'] = conf.return_value('source-address') - - # VXLAN underlay interface - if conf.exists('source-interface'): - vxlan['source_interface'] = conf.return_value('source-interface') - - # Maximum Transmission Unit (MTU) - if conf.exists('mtu'): - vxlan['mtu'] = int(conf.return_value('mtu')) - - # Remote address of VXLAN tunnel - if conf.exists('remote'): - vxlan['remote'] = conf.return_value('remote') - - # Remote port of VXLAN tunnel - if conf.exists('port'): - vxlan['remote_port'] = int(conf.return_value('port')) - - # Virtual Network Identifier - if conf.exists('vni'): - vxlan['vni'] = conf.return_value('vni') +def get_config(config=None): + """ + Retrive CLI config as dictionary. 
Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'vxlan'] + vxlan = get_interface_dict(conf, base) + + # VXLAN is "special" the default MTU is 1492 - update accordingly + # as the config_level is already st in get_interface_dict() - we can use [] + tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True) + if 'mtu' not in tmp: + vxlan['mtu'] = '1450' return vxlan - def verify(vxlan): - if vxlan['deleted']: - if vxlan['is_bridge_member']: - raise ConfigError(( - f'Cannot delete interface "{vxlan["intf"]}" as it is a ' - f'member of bridge "{vxlan["is_bridge_member"]}"!')) - + if 'deleted' in vxlan: + verify_bridge_delete(vxlan) return None - if vxlan['mtu'] < 1500: + if int(vxlan['mtu']) < 1500: print('WARNING: RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU') - if vxlan['group']: - if not vxlan['source_interface']: + if 'group' in vxlan: + if 'source_interface' not in vxlan: raise ConfigError('Multicast VXLAN requires an underlaying interface ') - if not vxlan['source_interface'] in interfaces(): - raise ConfigError('VXLAN source interface does not exist') + verify_source_interface(vxlan) - if not (vxlan['group'] or vxlan['remote'] or vxlan['source_address']): + if not any(tmp in ['group', 'remote', 'source_address'] for tmp in vxlan): raise ConfigError('Group, remote or source-address must be configured') - if not vxlan['vni']: + if 'vni' not in vxlan: raise ConfigError('Must configure VNI for VXLAN') - if vxlan['source_interface']: + if 'source_interface' in vxlan: # VXLAN adds a 50 byte overhead - we need to check the underlaying MTU # if our configured MTU is at least 50 bytes less underlay_mtu = int(Interface(vxlan['source_interface']).get_mtu()) - if underlay_mtu < (vxlan['mtu'] + 50): + if underlay_mtu < (int(vxlan['mtu']) + 50): raise ConfigError('VXLAN has a 50 byte overhead, underlaying device ' \ 
- 'MTU is to small ({})'.format(underlay_mtu)) - - if ( vxlan['is_bridge_member'] - and ( vxlan['address'] - or vxlan['ipv6_eui64_prefix'] - or vxlan['ipv6_autoconf'] ) ): - raise ConfigError(( - f'Cannot assign address to interface "{vxlan["intf"]}" ' - f'as it is a member of bridge "{vxlan["is_bridge_member"]}"!')) + f'MTU is to small ({underlay_mtu} bytes)') + verify_address(vxlan) return None 
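Review bot: The comment above the MTU override in the new get_config says the default MTU is 1492, but the code assigns `vxlan['mtu'] = '1450'` (which also matches the 1450 the removed default_config_data used), so the comment should read `# VXLAN is "special": the default MTU is 1450 - update accordingly`. The following line has a typo, `st` for `set`, and the docstring misspells `Retrieve`. Note that the override also runs when the interface has been deleted, because nothing returns early before `conf.get_config_dict([], ...)` is called; if get_interface_dict leaves the config level at a node that no longer exists this presumably yields an empty dict and sets an MTU on a deleted entry, which is harmless but worth a short comment or an early `if 'deleted' in vxlan: return vxlan`. The same comment pattern and typo appear in the interfaces-wireguard.py hunk.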
@@ -221,73 +88,26 @@ def generate(vxlan): def apply(vxlan): # Check if the VXLAN interface already exists - if vxlan['intf'] in interfaces(): - v = VXLANIf(vxlan['intf']) + if vxlan['ifname'] in interfaces(): + v = VXLANIf(vxlan['ifname']) # VXLAN is super picky and the tunnel always needs to be recreated, # thus we can simply always delete it first. v.remove() - if not vxlan['deleted']: + if 'deleted' not in vxlan: # VXLAN interface needs to be created on-block # instead of passing a ton of arguments, I just use a dict # that is managed by vyos.ifconfig conf = deepcopy(VXLANIf.get_config()) # Assign VXLAN instance configuration parameters to config dict - conf['vni'] = vxlan['vni'] - conf['group'] = vxlan['group'] - conf['src_address'] = vxlan['source_address'] - conf['src_interface'] = vxlan['source_interface'] - conf['remote'] = vxlan['remote'] - conf['port'] = vxlan['remote_port'] + for tmp in ['vni', 'group', 'source_address', 'source_interface', 'remote', 'port']: + if tmp in vxlan: + conf[tmp] = vxlan[tmp] # Finally create the new interface - v = VXLANIf(vxlan['intf'], **conf) - # update interface description used e.g. 
by SNMP - v.set_alias(vxlan['description']) - # Maximum Transfer Unit (MTU) - v.set_mtu(vxlan['mtu']) - - # configure ARP cache timeout in milliseconds - v.set_arp_cache_tmo(vxlan['ip_arp_cache_tmo']) - # configure ARP filter configuration - v.set_arp_filter(vxlan['ip_disable_arp_filter']) - # configure ARP accept - v.set_arp_accept(vxlan['ip_enable_arp_accept']) - # configure ARP announce - v.set_arp_announce(vxlan['ip_enable_arp_announce']) - # configure ARP ignore - v.set_arp_ignore(vxlan['ip_enable_arp_ignore']) - # Enable proxy-arp on this interface - v.set_proxy_arp(vxlan['ip_proxy_arp']) - # IPv6 accept RA - v.set_ipv6_accept_ra(vxlan['ipv6_accept_ra']) - # IPv6 address autoconfiguration - v.set_ipv6_autoconf(vxlan['ipv6_autoconf']) - # IPv6 forwarding - v.set_ipv6_forwarding(vxlan['ipv6_forwarding']) - # IPv6 Duplicate Address Detection (DAD) tries - v.set_ipv6_dad_messages(vxlan['ipv6_dup_addr_detect']) - - # Configure interface address(es) - no need to implicitly delete the - # old addresses as they have already been removed by deleting the - # interface above - for addr in vxlan['address']: - v.add_addr(addr) - - # IPv6 EUI-based addresses - for addr in vxlan['ipv6_eui64_prefix']: - v.add_ipv6_eui64_address(addr) - - # As the VXLAN interface is always disabled first when changing - # parameters we will only re-enable the interface if it is not - # administratively disabled - if not vxlan['disable']: - v.set_admin_state('up') - - # re-add ourselves to any bridge we might have fallen out of - if vxlan['is_bridge_member']: - v.add_to_bridge(vxlan['is_bridge_member']) + v = VXLANIf(vxlan['ifname'], **conf) + v.update(vxlan) return None diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index c24c9a7ce..e7c22da1a 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py 
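Review bot: The keys copied into `conf` changed from `src_address`, `src_interface` and `port` (the removed lines) to `source_address`, `source_interface` and `port` taken verbatim from the interface dict, but `VXLANIf.get_config()` is not touched in this diff, so unless vyos.ifconfig was changed in the same commit the source address and source interface would no longer land in the key the class reads and would be silently dropped from the created tunnel. If the class still expects the old names, a small mapping keeps the loop while restoring the names: `for dst, src in {'vni': 'vni', 'group': 'group', 'src_address': 'source_address', 'src_interface': 'source_interface', 'remote': 'remote', 'port': 'port'}.items():` followed by `    if src in vxlan: conf[dst] = vxlan[src]`. A comment on the loop naming which side defines the key names would make the coupling explicit either way.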
@@ -15,308 +15,101 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os -import re from sys import exit from copy import deepcopy -from netifaces import interfaces from vyos.config import Config -from vyos.configdict import list_diff +from vyos.configdict import dict_merge +from vyos.configdict import get_interface_dict +from vyos.configdict import node_changed +from vyos.configdict import leaf_node_changed +from vyos.configverify import verify_vrf +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete from vyos.ifconfig import WireGuardIf -from vyos.util import chown, chmod_750, call -from vyos.validate import is_member, is_ipv6 +from vyos.util import check_kmod from vyos import ConfigError - from vyos import airbag airbag.enable() -kdir = r'/config/auth/wireguard' - -default_config_data = { - 'intfc': '', - 'address': [], - 'address_remove': [], - 'description': '', - 'listen_port': '', - 'deleted': False, - 'disable': False, - 'fwmark': 0, - 'is_bridge_member': False, - 'mtu': 1420, - 'peer': [], - 'peer_remove': [], # stores public keys of peers to remove - 'pk': f'{kdir}/default/private.key', - 'vrf': '' -} - -def _check_kmod(): - modules = ['wireguard'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - - -def _migrate_default_keys(): - if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'): - location = f'{kdir}/default' - if not os.path.exists(location): - os.makedirs(location) - - chown(location, 'root', 'vyattacfg') - chmod_750(location) - os.rename(f'{kdir}/private.key', f'{location}/private.key') - os.rename(f'{kdir}/public.key', f'{location}/public.key') - - -def get_config(): - conf = Config() +def get_config(config=None): + """ + Retrive CLI config as dictionary. 
Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() base = ['interfaces', 'wireguard'] - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - wg = deepcopy(default_config_data) - wg['intf'] = os.environ['VYOS_TAGNODE_VALUE'] - - # check if interface is member if a bridge - wg['is_bridge_member'] = is_member(conf, wg['intf'], 'bridge') - - # Check if interface has been removed - if not conf.exists(base + [wg['intf']]): - wg['deleted'] = True - return wg - - conf.set_level(base + [wg['intf']]) - - # retrieve configured interface addresses - if conf.exists(['address']): - wg['address'] = conf.return_values(['address']) - - # get interface addresses (currently effective) - to determine which - # address is no longer valid and needs to be removed - eff_addr = conf.return_effective_values(['address']) - wg['address_remove'] = list_diff(eff_addr, wg['address']) - - # retrieve interface description - if conf.exists(['description']): - wg['description'] = conf.return_value(['description']) - - # disable interface - if conf.exists(['disable']): - wg['disable'] = True - - # local port to listen on - if conf.exists(['port']): - wg['listen_port'] = conf.return_value(['port']) - - # fwmark value - if conf.exists(['fwmark']): - wg['fwmark'] = int(conf.return_value(['fwmark'])) - - # Maximum Transmission Unit (MTU) - if conf.exists('mtu'): - wg['mtu'] = int(conf.return_value(['mtu'])) - - # retrieve VRF instance - if conf.exists('vrf'): - wg['vrf'] = conf.return_value('vrf') - - # private key - if conf.exists(['private-key']): - wg['pk'] = "{0}/{1}/private.key".format( - kdir, conf.return_value(['private-key'])) - - # peer removal, wg identifies peers by its pubkey - peer_eff = conf.list_effective_nodes(['peer']) - peer_rem = list_diff(peer_eff, conf.list_nodes(['peer'])) - for peer 
in peer_rem: - wg['peer_remove'].append( - conf.return_effective_value(['peer', peer, 'pubkey'])) - - # peer settings - if conf.exists(['peer']): - for p in conf.list_nodes(['peer']): - # set new config level for this peer - conf.set_level(base + [wg['intf'], 'peer', p]) - peer = { - 'allowed-ips': [], - 'address': '', - 'name': p, - 'persistent_keepalive': '', - 'port': '', - 'psk': '', - 'pubkey': '' - } - - # peer allowed-ips - if conf.exists(['allowed-ips']): - peer['allowed-ips'] = conf.return_values(['allowed-ips']) - - # peer address - if conf.exists(['address']): - peer['address'] = conf.return_value(['address']) - - # peer port - if conf.exists(['port']): - peer['port'] = conf.return_value(['port']) - - # persistent-keepalive - if conf.exists(['persistent-keepalive']): - peer['persistent_keepalive'] = conf.return_value(['persistent-keepalive']) - - # preshared-key - if conf.exists(['preshared-key']): - peer['psk'] = conf.return_value(['preshared-key']) - - # peer pubkeys - if conf.exists(['pubkey']): - key_eff = conf.return_effective_value(['pubkey']) - key_cfg = conf.return_value(['pubkey']) - peer['pubkey'] = key_cfg - - # on a pubkey change we need to remove the pubkey first - # peers are identified by pubkey, so key update means - # peer removal and re-add - if key_eff != key_cfg and key_eff != None: - wg['peer_remove'].append(key_cfg) - - # if a peer is disabled, we have to exec a remove for it's pubkey - if conf.exists(['disable']): - wg['peer_remove'].append(peer['pubkey']) - else: - wg['peer'].append(peer) - - return wg - - -def verify(wg): - if wg['deleted']: - if wg['is_bridge_member']: - raise ConfigError(( - f'Cannot delete interface "{wg["intf"]}" as it is a member ' - f'of bridge "{wg["is_bridge_member"]}"!')) - + wireguard = get_interface_dict(conf, base) + + # Wireguard is "special" the default MTU is 1420 - update accordingly + # as the config_level is already st in get_interface_dict() - we can use [] + tmp = conf.get_config_dict([], 
key_mangling=('-', '_'), get_first_key=True) + if 'mtu' not in tmp: + wireguard['mtu'] = '1420' + + # Mangle private key - it has a default so its always valid + wireguard['private_key'] = '/config/auth/wireguard/{private_key}/private.key'.format(**wireguard) + + # Determine which Wireguard peer has been removed. + # Peers can only be removed with their public key! + tmp = node_changed(conf, ['peer']) + if tmp: + dict = {} + for peer in tmp: + peer_config = leaf_node_changed(conf, ['peer', peer, 'pubkey']) + dict = dict_merge({'peer_remove' : {peer : {'pubkey' : peer_config}}}, dict) + wireguard.update(dict) + + return wireguard + +def verify(wireguard): + if 'deleted' in wireguard: + verify_bridge_delete(wireguard) return None - if wg['is_bridge_member'] and wg['address']: - raise ConfigError(( - f'Cannot assign address to interface "{wg["intf"]}" ' - f'as it is a member of bridge "{wg["is_bridge_member"]}"!')) - - if wg['vrf']: - if wg['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{wg["vrf"]}" does not exist') + verify_address(wireguard) + verify_vrf(wireguard) - if wg['is_bridge_member']: - raise ConfigError(( - f'Interface "{wg["intf"]}" cannot be member of VRF ' - f'"{wg["vrf"]}" and bridge {wg["is_bridge_member"]} ' - f'at the same time!')) + if not os.path.exists(wireguard['private_key']): + raise ConfigError('Wireguard private-key not found! 
Execute: ' \ + '"run generate wireguard [default-keypair|named-keypairs]"') - if not os.path.exists(wg['pk']): - raise ConfigError('No keys found, generate them by executing:\n' \ - '"run generate wireguard [keypair|named-keypairs]"') + if 'address' not in wireguard: + raise ConfigError('IP address required!') - if not wg['address']: - raise ConfigError(f'IP address required for interface "{wg["intf"]}"!') - - if not wg['peer']: - raise ConfigError(f'Peer required for interface "{wg["intf"]}"!') + if 'peer' not in wireguard: + raise ConfigError('At least one Wireguard peer is required!') # run checks on individual configured WireGuard peer - for peer in wg['peer']: - if not peer['allowed-ips']: - raise ConfigError(f'Peer allowed-ips required for peer "{peer["name"]}"!') - - if not peer['pubkey']: - raise ConfigError(f'Peer public-key required for peer "{peer["name"]}"!') - - if peer['address'] and not peer['port']: - raise ConfigError(f'Peer "{peer["name"]}" port must be defined if address is defined!') + for tmp in wireguard['peer']: + peer = wireguard['peer'][tmp] - if not peer['address'] and peer['port']: - raise ConfigError(f'Peer "{peer["name"]}" address must be defined if port is defined!') + if 'allowed_ips' not in peer: + raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!') + if 'pubkey' not in peer: + raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!') -def apply(wg): - # init wg class - w = WireGuardIf(wg['intf']) + if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer): + raise ConfigError('Both Wireguard port and address must be defined ' + f'for peer "{tmp}" if either one of them is set!') - # single interface removal - if wg['deleted']: - w.remove() +def apply(wireguard): + if 'deleted' in wireguard: + WireGuardIf(wireguard['ifname']).remove() return None - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added 
second - for addr in wg['address_remove']: - w.del_addr(addr) - for addr in wg['address']: - w.add_addr(addr) - - # Maximum Transmission Unit (MTU) - w.set_mtu(wg['mtu']) - - # update interface description used e.g. within SNMP - w.set_alias(wg['description']) - - # assign/remove VRF (ONLY when not a member of a bridge, - # otherwise 'nomaster' removes it from it) - if not wg['is_bridge_member']: - w.set_vrf(wg['vrf']) - - # remove peers - for pub_key in wg['peer_remove']: - w.remove_peer(pub_key) - - # peer pubkey - # setting up the wg interface - w.config['private_key'] = c['pk'] - - for peer in wg['peer']: - # peer pubkey - w.config['pubkey'] = peer['pubkey'] - # peer allowed-ips - w.config['allowed-ips'] = peer['allowed-ips'] - # local listen port - if wg['listen_port']: - w.config['port'] = wg['listen_port'] - # fwmark - if c['fwmark']: - w.config['fwmark'] = wg['fwmark'] - - # endpoint - if peer['address'] and peer['port']: - if is_ipv6(peer['address']): - w.config['endpoint'] = '[{}]:{}'.format(peer['address'], peer['port']) - else: - w.config['endpoint'] = '{}:{}'.format(peer['address'], peer['port']) - - # persistent-keepalive - if peer['persistent_keepalive']: - w.config['keepalive'] = peer['persistent_keepalive'] - - if peer['psk']: - w.config['psk'] = peer['psk'] - - w.update() - - # Enable/Disable interface - if wg['disable']: - w.set_admin_state('down') - else: - w.set_admin_state('up') - + w = WireGuardIf(wireguard['ifname']) + w.update(wireguard) return None if __name__ == '__main__': try: - _check_kmod() - _migrate_default_keys() + check_kmod('wireguard') c = get_config() verify(c) apply(c) diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py index 0162b642c..9861f72db 100755 --- a/src/conf_mode/interfaces-wireless.py +++ b/src/conf_mode/interfaces-wireless.py 
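Review bot: The removed get_config also queued a peer's public key for removal when the peer node was set to `disable`, and when its `pubkey` changed; the new `peer_remove` is derived only from `node_changed(conf, ['peer'])`, so a peer that stays in the config but is disabled or re-keyed is no longer scheduled for removal unless `WireGuardIf.update()` handles that itself, which is not visible in this diff. That is worth confirming before merge, since a disabled peer that is left on the interface can still complete handshakes. Separately, `wireguard['private_key'] = '/config/auth/wireguard/{private_key}/private.key'.format(**wireguard)` runs before any `deleted` check, so it raises KeyError on the deletion path unless get_interface_dict always populates `private_key`; moving it below an `if 'deleted' in wireguard: return wireguard` guard avoids depending on that. The comment "it has a default so its always valid" only establishes that the key is present, not that the configured name is a safe single path component, and verify() only tests `os.path.exists` on the result. Minor: `dict = {}` in the peer loop shadows the builtin; `removed = {}` reads better.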
@@ -15,497 +15,166 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os + from sys import exit from re import findall - from copy import deepcopy - -from netifaces import interfaces from netaddr import EUI, mac_unix_expanded from vyos.config import Config -from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data -from vyos.ifconfig import WiFiIf, Section -from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config +from vyos.configdict import get_interface_dict +from vyos.configdict import dict_merge +from vyos.configverify import verify_address +from vyos.configverify import verify_bridge_delete +from vyos.configverify import verify_dhcpv6 +from vyos.configverify import verify_source_interface +from vyos.configverify import verify_vlan_config +from vyos.configverify import verify_vrf +from vyos.ifconfig import WiFiIf from vyos.template import render -from vyos.util import chown, call -from vyos.validate import is_member +from vyos.util import call from vyos import ConfigError - from vyos import airbag airbag.enable() -default_config_data = { - **interface_default_data, - 'cap_ht' : False, - 'cap_ht_40mhz_incapable' : False, - 'cap_ht_powersave' : False, - 'cap_ht_chan_set_width' : '', - 'cap_ht_delayed_block_ack' : False, - 'cap_ht_dsss_cck_40' : False, - 'cap_ht_greenfield' : False, - 'cap_ht_ldpc' : False, - 'cap_ht_lsig_protection' : False, - 'cap_ht_max_amsdu' : '', - 'cap_ht_short_gi' : [], - 'cap_ht_smps' : '', - 'cap_ht_stbc_rx' : '', - 'cap_ht_stbc_tx' : False, - 'cap_req_ht' : False, - 'cap_req_vht' : False, - 'cap_vht' : False, - 'cap_vht_antenna_cnt' : '', - 'cap_vht_antenna_fixed' : False, - 'cap_vht_beamform' : '', - 'cap_vht_center_freq_1' : '', - 'cap_vht_center_freq_2' : '', - 'cap_vht_chan_set_width' : '', - 'cap_vht_ldpc' : False, - 'cap_vht_link_adaptation' : '', - 'cap_vht_max_mpdu_exp' : '', - 'cap_vht_max_mpdu' : '', - 'cap_vht_short_gi' : [], - 'cap_vht_stbc_rx' : '', - 
'cap_vht_stbc_tx' : False, - 'cap_vht_tx_powersave' : False, - 'cap_vht_vht_cf' : False, - 'channel': '', - 'country_code': '', - 'deleted': False, - 'disable_broadcast_ssid' : False, - 'disable_link_detect' : 1, - 'expunge_failing_stations' : False, - 'hw_id' : '', - 'intf': '', - 'isolate_stations' : False, - 'max_stations' : '', - 'mgmt_frame_protection' : 'disabled', - 'mode' : 'g', - 'phy' : '', - 'reduce_transmit_power' : '', - 'sec_wep' : False, - 'sec_wep_key' : [], - 'sec_wpa' : False, - 'sec_wpa_cipher' : [], - 'sec_wpa_mode' : 'both', - 'sec_wpa_passphrase' : '', - 'sec_wpa_radius' : [], - 'ssid' : '', - 'op_mode' : 'monitor', - 'vif': {}, - 'vif_remove': [], - 'vif_s': {}, - 'vif_s_remove': [] -} - # XXX: wpa_supplicant works on the source interface -wpa_suppl_conf = '/run/wpa_supplicant/{intf}.conf' -hostapd_conf = '/run/hostapd/{intf}.conf' - -def get_config(): - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - conf = Config() - - # check if wireless interface has been removed - cfg_base = ['interfaces', 'wireless ', ifname] - if not conf.exists(cfg_base): - wifi = deepcopy(default_config_data) - wifi['intf'] = ifname - wifi['deleted'] = True - # we need to know if we're a bridge member so we can refuse deletion - wifi['is_bridge_member'] = is_member(conf, wifi['intf'], 'bridge') - # we can not bail out early as wireless interface can not be removed - # Kernel will complain with: RTNETLINK answers: Operation not supported. 
- # Thus we need to remove individual settings - return wifi - - # set new configuration level - conf.set_level(cfg_base) - - # get common interface settings - wifi, disabled = intf_to_dict(conf, default_config_data) - - # 40MHz intolerance, use 20MHz only - if conf.exists('capabilities ht 40mhz-incapable'): - wifi['cap_ht'] = True - wifi['cap_ht_40mhz_incapable'] = True - - # WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] - if conf.exists('capabilities ht auto-powersave'): - wifi['cap_ht'] = True - wifi['cap_ht_powersave'] = True - - # Supported channel set width - if conf.exists('capabilities ht channel-set-width'): - wifi['cap_ht'] = True - wifi['cap_ht_chan_set_width'] = conf.return_values('capabilities ht channel-set-width') - - # HT-delayed Block Ack - if conf.exists('capabilities ht delayed-block-ack'): - wifi['cap_ht'] = True - wifi['cap_ht_delayed_block_ack'] = True - - # DSSS/CCK Mode in 40 MHz - if conf.exists('capabilities ht dsss-cck-40'): - wifi['cap_ht'] = True - wifi['cap_ht_dsss_cck_40'] = True - - # HT-greenfield capability - if conf.exists('capabilities ht greenfield'): - wifi['cap_ht'] = True - wifi['cap_ht_greenfield'] = True - - # LDPC coding capability - if conf.exists('capabilities ht ldpc'): - wifi['cap_ht'] = True - wifi['cap_ht_ldpc'] = True - - # L-SIG TXOP protection capability - if conf.exists('capabilities ht lsig-protection'): - wifi['cap_ht'] = True - wifi['cap_ht_lsig_protection'] = True - - # Set Maximum A-MSDU length - if conf.exists('capabilities ht max-amsdu'): - wifi['cap_ht'] = True - wifi['cap_ht_max_amsdu'] = conf.return_value('capabilities ht max-amsdu') - - # Short GI capabilities - if conf.exists('capabilities ht short-gi'): - wifi['cap_ht'] = True - wifi['cap_ht_short_gi'] = conf.return_values('capabilities ht short-gi') - - # Spatial Multiplexing Power Save (SMPS) settings - if conf.exists('capabilities ht smps'): - wifi['cap_ht'] = True - wifi['cap_ht_smps'] = conf.return_value('capabilities ht smps') - - # 
Support for receiving PPDU using STBC (Space Time Block Coding) - if conf.exists('capabilities ht stbc rx'): - wifi['cap_ht'] = True - wifi['cap_ht_stbc_rx'] = conf.return_value('capabilities ht stbc rx') - - # Support for sending PPDU using STBC (Space Time Block Coding) - if conf.exists('capabilities ht stbc tx'): - wifi['cap_ht'] = True - wifi['cap_ht_stbc_tx'] = True - - # Require stations to support HT PHY (reject association if they do not) - if conf.exists('capabilities require-ht'): - wifi['cap_req_ht'] = True - - # Require stations to support VHT PHY (reject association if they do not) - if conf.exists('capabilities require-vht'): - wifi['cap_req_vht'] = True - - # Number of antennas on this card - if conf.exists('capabilities vht antenna-count'): - wifi['cap_vht'] = True - wifi['cap_vht_antenna_cnt'] = conf.return_value('capabilities vht antenna-count') - - # set if antenna pattern does not change during the lifetime of an association - if conf.exists('capabilities vht antenna-pattern-fixed'): - wifi['cap_vht'] = True - wifi['cap_vht_antenna_fixed'] = True - - # Beamforming capabilities - if conf.exists('capabilities vht beamform'): - wifi['cap_vht'] = True - wifi['cap_vht_beamform'] = conf.return_values('capabilities vht beamform') - - # VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes) - if conf.exists('capabilities vht center-channel-freq freq-1'): - wifi['cap_vht'] = True - wifi['cap_vht_center_freq_1'] = conf.return_value('capabilities vht center-channel-freq freq-1') - - # VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode) - if conf.exists('capabilities vht center-channel-freq freq-2'): - wifi['cap_vht'] = True - wifi['cap_vht_center_freq_2'] = conf.return_value('capabilities vht center-channel-freq freq-2') - - # VHT operating Channel width - if conf.exists('capabilities vht channel-set-width'): - wifi['cap_vht'] = True - wifi['cap_vht_chan_set_width'] = 
conf.return_value('capabilities vht channel-set-width') - - # LDPC coding capability - if conf.exists('capabilities vht ldpc'): - wifi['cap_vht'] = True - wifi['cap_vht_ldpc'] = True - - # VHT link adaptation capabilities - if conf.exists('capabilities vht link-adaptation'): - wifi['cap_vht'] = True - wifi['cap_vht_link_adaptation'] = conf.return_value('capabilities vht link-adaptation') - - # Set the maximum length of A-MPDU pre-EOF padding that the station can receive - if conf.exists('capabilities vht max-mpdu-exp'): - wifi['cap_vht'] = True - wifi['cap_vht_max_mpdu_exp'] = conf.return_value('capabilities vht max-mpdu-exp') - - # Increase Maximum MPDU length - if conf.exists('capabilities vht max-mpdu'): - wifi['cap_vht'] = True - wifi['cap_vht_max_mpdu'] = conf.return_value('capabilities vht max-mpdu') - - # Increase Maximum MPDU length - if conf.exists('capabilities vht short-gi'): - wifi['cap_vht'] = True - wifi['cap_vht_short_gi'] = conf.return_values('capabilities vht short-gi') - - # Support for receiving PPDU using STBC (Space Time Block Coding) - if conf.exists('capabilities vht stbc rx'): - wifi['cap_vht'] = True - wifi['cap_vht_stbc_rx'] = conf.return_value('capabilities vht stbc rx') - - # Support for the transmission of at least 2x1 STBC (Space Time Block Coding) - if conf.exists('capabilities vht stbc tx'): - wifi['cap_vht'] = True - wifi['cap_vht_stbc_tx'] = True - - # Support for VHT TXOP Power Save Mode - if conf.exists('capabilities vht tx-powersave'): - wifi['cap_vht'] = True - wifi['cap_vht_tx_powersave'] = True - - # STA supports receiving a VHT variant HT Control field - if conf.exists('capabilities vht vht-cf'): - wifi['cap_vht'] = True - wifi['cap_vht_vht_cf'] = True - - # Wireless radio channel - if conf.exists('channel'): - wifi['channel'] = conf.return_value('channel') - - # Disable broadcast of SSID from access-point - if conf.exists('disable-broadcast-ssid'): - wifi['disable_broadcast_ssid'] = True - - # Disassociate stations based on 
excessive transmission failures - if conf.exists('expunge-failing-stations'): - wifi['expunge_failing_stations'] = True - - # retrieve real hardware address - if conf.exists('hw-id'): - wifi['hw_id'] = conf.return_value('hw-id') - - # Isolate stations on the AP so they cannot see each other - if conf.exists('isolate-stations'): - wifi['isolate_stations'] = True - - # Wireless physical device - if conf.exists('physical-device'): - wifi['phy'] = conf.return_value('physical-device') - - # Maximum number of wireless radio stations - if conf.exists('max-stations'): - wifi['max_stations'] = conf.return_value('max-stations') - - # Management Frame Protection (MFP) according to IEEE 802.11w - if conf.exists('mgmt-frame-protection'): - wifi['mgmt_frame_protection'] = conf.return_value('mgmt-frame-protection') - - # Wireless radio mode - if conf.exists('mode'): - wifi['mode'] = conf.return_value('mode') - - # Transmission power reduction in dBm - if conf.exists('reduce-transmit-power'): - wifi['reduce_transmit_power'] = conf.return_value('reduce-transmit-power') - - # WEP enabled? - if conf.exists('security wep'): - wifi['sec_wep'] = True - - # WEP encryption key(s) - if conf.exists('security wep key'): - wifi['sec_wep_key'] = conf.return_values('security wep key') - - # WPA enabled? 
- if conf.exists('security wpa'): - wifi['sec_wpa'] = True - - # WPA Cipher suite - if conf.exists('security wpa cipher'): - wifi['sec_wpa_cipher'] = conf.return_values('security wpa cipher') - - # WPA mode - if conf.exists('security wpa mode'): - wifi['sec_wpa_mode'] = conf.return_value('security wpa mode') - - # WPA default ciphers depend on WPA mode - if not wifi['sec_wpa_cipher']: - if wifi['sec_wpa_mode'] == 'wpa': - wifi['sec_wpa_cipher'].append('TKIP') - wifi['sec_wpa_cipher'].append('CCMP') - - elif wifi['sec_wpa_mode'] == 'wpa2': - wifi['sec_wpa_cipher'].append('CCMP') - - elif wifi['sec_wpa_mode'] == 'both': - wifi['sec_wpa_cipher'].append('CCMP') - wifi['sec_wpa_cipher'].append('TKIP') - - # WPA Group Cipher suite - if conf.exists('security wpa group-cipher'): - wifi['sec_wpa_group_cipher'] = conf.return_values('security wpa group-cipher') - - # WPA personal shared pass phrase - if conf.exists('security wpa passphrase'): - wifi['sec_wpa_passphrase'] = conf.return_value('security wpa passphrase') - - # WPA RADIUS source address - if conf.exists('security wpa radius source-address'): - wifi['sec_wpa_radius_source'] = conf.return_value('security wpa radius source-address') - - # WPA RADIUS server - for server in conf.list_nodes('security wpa radius server'): - # set new configuration level - conf.set_level(cfg_base + ' security wpa radius server ' + server) - radius = { - 'server' : server, - 'acc_port' : '', - 'disabled': False, - 'port' : 1812, - 'key' : '' - } - - # RADIUS server port - if conf.exists('port'): - radius['port'] = int(conf.return_value('port')) - - # receive RADIUS accounting info - if conf.exists('accounting'): - radius['acc_port'] = radius['port'] + 1 - - # Check if RADIUS server was temporary disabled - if conf.exists(['disable']): - radius['disabled'] = True - - # RADIUS server shared-secret - if conf.exists('key'): - radius['key'] = conf.return_value('key') - - # append RADIUS server to list of servers - 
wifi['sec_wpa_radius'].append(radius) - - # re-set configuration level to parse new nodes - conf.set_level(cfg_base) - - # Wireless access-point service set identifier (SSID) - if conf.exists('ssid'): - wifi['ssid'] = conf.return_value('ssid') - - # Wireless device type for this interface - if conf.exists('type'): - tmp = conf.return_value('type') - if tmp == 'access-point': - tmp = 'ap' - - wifi['op_mode'] = tmp +wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf' +hostapd_conf = '/run/hostapd/{ifname}.conf' + +def find_other_stations(conf, base, ifname): + """ + Only one wireless interface per phy can be in station mode - + find all interfaces attached to a phy which run in station mode + """ + old_level = conf.get_level() + conf.set_level(base) + dict = {} + for phy in os.listdir('/sys/class/ieee80211'): + list = [] + for interface in conf.list_nodes([]): + if interface == ifname: + continue + # the following node is mandatory + if conf.exists([interface, 'physical-device', phy]): + tmp = conf.return_value([interface, 'type']) + if tmp == 'station': + list.append(interface) + if list: + dict.update({phy: list}) + conf.set_level(old_level) + return dict + +def get_config(config=None): + """ + Retrive CLI config as dictionary. 
Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() + base = ['interfaces', 'wireless'] + wifi = get_interface_dict(conf, base) + + if 'security' in wifi and 'wpa' in wifi['security']: + wpa_cipher = wifi['security']['wpa'].get('cipher') + wpa_mode = wifi['security']['wpa'].get('mode') + if not wpa_cipher: + tmp = None + if wpa_mode == 'wpa': + tmp = {'security': {'wpa': {'cipher' : ['TKIP', 'CCMP']}}} + elif wpa_mode == 'wpa2': + tmp = {'security': {'wpa': {'cipher' : ['CCMP']}}} + elif wpa_mode == 'both': + tmp = {'security': {'wpa': {'cipher' : ['CCMP', 'TKIP']}}} + + if tmp: wifi = dict_merge(tmp, wifi) # retrieve configured regulatory domain - conf.set_level('system') - if conf.exists('wifi-regulatory-domain'): - wifi['country_code'] = conf.return_value('wifi-regulatory-domain') + conf.set_level(['system']) + if conf.exists(['wifi-regulatory-domain']): + wifi['country_code'] = conf.return_value(['wifi-regulatory-domain']) - return wifi + # Only one wireless interface per phy can be in station mode + tmp = find_other_stations(conf, base, wifi['ifname']) + if tmp: wifi['station_interfaces'] = tmp + return wifi def verify(wifi): - if wifi['deleted']: - if wifi['is_bridge_member']: - raise ConfigError(( - f'Cannot delete interface "{wifi["intf"]}" as it is a ' - f'member of bridge "{wifi["is_bridge_member"]}"!')) - + if 'deleted' in wifi: + verify_bridge_delete(wifi) return None - if wifi['op_mode'] != 'monitor' and not wifi['ssid']: - raise ConfigError('SSID must be set for {}'.format(wifi['intf'])) + if 'physical_device' not in wifi: + raise ConfigError('You must specify a physical-device "phy"') - if not wifi['phy']: - raise ConfigError('You must specify physical-device') - - if not wifi['mode']: + if 'type' not in wifi: raise ConfigError('You must specify a WiFi mode') - if wifi['op_mode'] == 'ap': - c = Config() - if not c.exists('system 
wifi-regulatory-domain'): - raise ConfigError('Wireless regulatory domain is mandatory,\n' \ - 'use "set system wifi-regulatory-domain".') - - if not wifi['channel']: - raise ConfigError('Channel must be set for {}'.format(wifi['intf'])) - - if len(wifi['sec_wep_key']) > 4: - raise ConfigError('No more then 4 WEP keys configurable') + if 'ssid' not in wifi and wifi['type'] != 'monitor': + raise ConfigError('SSID must be configured') - if wifi['cap_vht'] and not wifi['cap_ht']: - raise ConfigError('Specify HT flags if you want to use VHT!') - - if wifi['cap_vht_beamform'] and wifi['cap_vht_antenna_cnt'] == 1: - raise ConfigError('Cannot use beam forming with just one antenna!') - - if wifi['cap_vht_beamform'] == 'single-user-beamformer' and wifi['cap_vht_antenna_cnt'] < 3: - # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705 - raise ConfigError('Single-user beam former requires at least 3 antennas!') - - if wifi['sec_wep'] and (len(wifi['sec_wep_key']) == 0): - raise ConfigError('Missing WEP keys') - - if wifi['sec_wpa'] and not (wifi['sec_wpa_passphrase'] or wifi['sec_wpa_radius']): - raise ConfigError('Misssing WPA key or RADIUS server') - - for radius in wifi['sec_wpa_radius']: - if not radius['key']: - raise ConfigError('Misssing RADIUS shared secret key for server: {}'.format(radius['server'])) - - if ( wifi['is_bridge_member'] - and ( wifi['address'] - or wifi['ipv6_eui64_prefix'] - or wifi['ipv6_autoconf'] ) ): - raise ConfigError(( - f'Cannot assign address to interface "{wifi["intf"]}" ' - f'as it is a member of bridge "{wifi["is_bridge_member"]}"!')) - - if wifi['vrf']: - if wifi['vrf'] not in interfaces(): - raise ConfigError(f'VRF "{wifi["vrf"]}" does not exist') - - if wifi['is_bridge_member']: - raise ConfigError(( - f'Interface "{wifi["intf"]}" cannot be member of VRF ' - f'"{wifi["vrf"]}" and bridge {wifi["is_bridge_member"]} ' - f'at the same time!')) + if wifi['type'] == 'access-point': + if 'country_code' not in 
wifi: + raise ConfigError('Wireless regulatory domain is mandatory,\n' \ + 'use "set system wifi-regulatory-domain" for configuration.') + + if 'channel' not in wifi: + raise ConfigError('Wireless channel must be configured!') + + if 'security' in wifi: + if {'wep', 'wpa'} <= set(wifi.get('security', {})): + raise ConfigError('Must either use WEP or WPA security!') + + if 'wep' in wifi['security']: + if 'key' in wifi['security']['wep'] and len(wifi['security']['wep']) > 4: + raise ConfigError('No more then 4 WEP keys configurable') + elif 'key' not in wifi['security']['wep']: + raise ConfigError('Security WEP configured - missing WEP keys!') + + elif 'wpa' in wifi['security']: + wpa = wifi['security']['wpa'] + if not any(i in ['passphrase', 'radius'] for i in wpa): + raise ConfigError('Misssing WPA key or RADIUS server') + + if 'radius' in wpa: + if 'server' in wpa['radius']: + for server in wpa['radius']['server']: + if 'key' not in wpa['radius']['server'][server]: + raise ConfigError(f'Misssing RADIUS shared secret key for server: {server}') + + if 'capabilities' in wifi: + capabilities = wifi['capabilities'] + if 'vht' in capabilities: + if 'ht' not in capabilities: + raise ConfigError('Specify HT flags if you want to use VHT!') + + if {'beamform', 'antenna_count'} <= set(capabilities.get('vht', {})): + if capabilities['vht']['antenna_count'] == '1': + raise ConfigError('Cannot use beam forming with just one antenna!') + + if capabilities['vht']['beamform'] == 'single-user-beamformer': + if int(capabilities['vht']['antenna_count']) < 3: + # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705 + raise ConfigError('Single-user beam former requires at least 3 antennas!') + + if 'station_interfaces' in wifi and wifi['type'] == 'station': + phy = wifi['physical_device'] + if phy in wifi['station_interfaces']: + if len(wifi['station_interfaces'][phy]) > 0: + raise ConfigError('Only one station per wireless physical interface possible!') 
+ + verify_address(wifi) + verify_vrf(wifi) # use common function to verify VLAN configuration verify_vlan_config(wifi) - conf = Config() - # Only one wireless interface per phy can be in station mode - base = ['interfaces', 'wireless'] - for phy in os.listdir('/sys/class/ieee80211'): - stations = [] - for wlan in conf.list_nodes(base): - # the following node is mandatory - if conf.exists(base + [wlan, 'physical-device', phy]): - tmp = conf.return_value(base + [wlan, 'type']) - if tmp == 'station': - stations.append(wlan) - - if len(stations) > 1: - raise ConfigError('Only one station per wireless physical interface possible!') - return None def generate(wifi): - interface = wifi['intf'] + interface = wifi['ifname'] # always stop hostapd service first before reconfiguring it call(f'systemctl stop hostapd@{interface}.service') @@ -513,7 +182,7 @@ def generate(wifi): call(f'systemctl stop wpa_supplicant@{interface}.service') # Delete config files if interface is removed - if wifi['deleted']: + if 'deleted' in wifi: if os.path.isfile(hostapd_conf.format(**wifi)): os.unlink(hostapd_conf.format(**wifi)) @@ -522,10 +191,10 @@ def generate(wifi): return None - if not wifi['mac']: + if 'mac' not in wifi: # http://wiki.stocksy.co.uk/wiki/Multiple_SSIDs_with_hostapd # generate locally administered MAC address from used phy interface - with open('/sys/class/ieee80211/{}/addresses'.format(wifi['phy']), 'r') as f: + with open('/sys/class/ieee80211/{physical_device}/addresses'.format(**wifi), 'r') as f: # some PHYs tend to have multiple interfaces and thus supply multiple MAC # addresses - we only need the first one for our calculation tmp = f.readline().rstrip() 
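Review bot: The sysfs path on the rewritten `open('/sys/class/ieee80211/{physical_device}/addresses'.format(**wifi), 'r')` line is built from the CLI value, and verify() only checks that the key is present (`if 'physical_device' not in wifi`), so a phy name that has no sysfs entry surfaces as an uncaught FileNotFoundError traceback from generate() instead of a ConfigError. Add a check to verify(), e.g. `if not os.path.isdir(f'/sys/class/ieee80211/{wifi["physical_device"]}'): raise ConfigError(f'Physical device "{wifi["physical_device"]}" does not exist')`, so the error is reported at validation time. generate() starts outside this hunk.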
@@ -545,20 +214,18 @@ def generate(wifi): wifi['mac'] = str(mac) # render appropriate new config files depending on access-point or station mode - if wifi['op_mode'] == 'ap': - render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.tmpl', wifi) + if wifi['type'] == 'access-point': + render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.tmpl', wifi, trim_blocks=True) - elif wifi['op_mode'] == 'station': - render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.tmpl', wifi) + elif wifi['type'] == 'station': + render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.tmpl', wifi, trim_blocks=True) return None def apply(wifi): - interface = wifi['intf'] - if wifi['deleted']: - w = WiFiIf(interface) - # delete interface - w.remove() + interface = wifi['ifname'] + if 'deleted' in wifi: + WiFiIf(interface).remove() else: # WiFi interface needs to be created on-block (e.g. mode or physical # interface) instead of passing a ton of arguments, I just use a dict 
@@ -566,97 +233,21 @@ def apply(wifi): conf = deepcopy(WiFiIf.get_config()) # Assign WiFi instance configuration parameters to config dict - conf['phy'] = wifi['phy'] + conf['phy'] = wifi['physical_device'] # Finally create the new interface w = WiFiIf(interface, **conf) - - # assign/remove VRF (ONLY when not a member of a bridge, - # otherwise 'nomaster' removes it from it) - if not wifi['is_bridge_member']: - w.set_vrf(wifi['vrf']) - - # update interface description used e.g. within SNMP - w.set_alias(wifi['description']) - - if wifi['dhcp_client_id']: - w.dhcp.v4.options['client_id'] = wifi['dhcp_client_id'] - - if wifi['dhcp_hostname']: - w.dhcp.v4.options['hostname'] = wifi['dhcp_hostname'] - - if wifi['dhcp_vendor_class_id']: - w.dhcp.v4.options['vendor_class_id'] = wifi['dhcp_vendor_class_id'] - - if wifi['dhcpv6_prm_only']: - w.dhcp.v6.options['dhcpv6_prm_only'] = True - - if wifi['dhcpv6_temporary']: - w.dhcp.v6.options['dhcpv6_temporary'] = True - - if wifi['dhcpv6_pd_length']: - w.dhcp.v6.options['dhcpv6_pd_length'] = wifi['dhcpv6_pd_length'] - - if wifi['dhcpv6_pd_interfaces']: - w.dhcp.v6.options['dhcpv6_pd_interfaces'] = wifi['dhcpv6_pd_interfaces'] - - # ignore link state changes - w.set_link_detect(wifi['disable_link_detect']) - - # Delete old IPv6 EUI64 addresses before changing MAC - for addr in wifi['ipv6_eui64_prefix_remove']: - w.del_ipv6_eui64_address(addr) - - # Change interface MAC address - re-set to real hardware address (hw-id) - # if custom mac is removed - if wifi['mac']: - w.set_mac(wifi['mac']) - elif wifi['hw_id']: - w.set_mac(wifi['hw_id']) - - # Add IPv6 EUI-based addresses - for addr in wifi['ipv6_eui64_prefix']: - w.add_ipv6_eui64_address(addr) - - # configure ARP filter configuration - w.set_arp_filter(wifi['ip_disable_arp_filter']) - # configure ARP accept - w.set_arp_accept(wifi['ip_enable_arp_accept']) - # configure ARP announce - w.set_arp_announce(wifi['ip_enable_arp_announce']) - # configure ARP ignore - 
w.set_arp_ignore(wifi['ip_enable_arp_ignore']) - # IPv6 accept RA - w.set_ipv6_accept_ra(wifi['ipv6_accept_ra']) - # IPv6 address autoconfiguration - w.set_ipv6_autoconf(wifi['ipv6_autoconf']) - # IPv6 forwarding - w.set_ipv6_forwarding(wifi['ipv6_forwarding']) - # IPv6 Duplicate Address Detection (DAD) tries - w.set_ipv6_dad_messages(wifi['ipv6_dup_addr_detect']) - - # Configure interface address(es) - # - not longer required addresses get removed first - # - newly addresses will be added second - for addr in wifi['address_remove']: - w.del_addr(addr) - for addr in wifi['address']: - w.add_addr(addr) - - # apply all vlans to interface - apply_all_vlans(w, wifi) + w.update(wifi) # Enable/Disable interface - interface is always placed in # administrative down state in WiFiIf class - if not wifi['disable']: - w.set_admin_state('up') - + if 'disable' not in wifi: # Physical interface is now configured. Proceed by starting hostapd or # wpa_supplicant daemon. When type is monitor we can just skip this. - if wifi['op_mode'] == 'ap': + if wifi['type'] == 'access-point': call(f'systemctl start hostapd@{interface}.service') - elif wifi['op_mode'] == 'station': + elif wifi['type'] == 'station': call(f'systemctl start wpa_supplicant@{interface}.service') return None diff --git a/src/conf_mode/interfaces-wirelessmodem.py b/src/conf_mode/interfaces-wirelessmodem.py index ec5a85e54..7d8110096 100755 --- a/src/conf_mode/interfaces-wirelessmodem.py +++ b/src/conf_mode/interfaces-wirelessmodem.py 
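Review bot: The `w.set_admin_state('up')` call is gone from the non-disabled branch, yet the comment kept above `if 'disable' not in wifi:` still says the interface is always placed in administrative down state by the WiFiIf class; unless `w.update(wifi)` brings the link up (not visible here), an enabled access point now starts hostapd on a down interface. Either confirm that `update()` handles admin state and reword the comment to say so, or keep `w.set_admin_state('up')` as the first statement inside that branch. Nesting the daemon start under `if 'disable' not in wifi:` also means a disabled interface no longer starts hostapd or wpa_supplicant at all, which looks intended but deserves a line in the commit message.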
@@ -16,75 +16,42 @@ import os -from fnmatch import fnmatch from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge +from vyos.configdict import get_interface_dict from vyos.configverify import verify_vrf from vyos.template import render from vyos.util import call -from vyos.xml import defaults +from vyos.util import check_kmod +from vyos.util import find_device_file from vyos import ConfigError from vyos import airbag airbag.enable() -def check_kmod(): - modules = ['option', 'usb_wwan', 'usbserial'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - -def find_device_file(device): - """ Recurively search /dev for the given device file and return its full path. - If no device file was found 'None' is returned """ - for root, dirs, files in os.walk('/dev'): - for basename in files: - if fnmatch(basename, device): - return os.path.join(root, basename) +k_mod = ['option', 'usb_wwan', 'usbserial'] - return None - -def get_config(): - """ Retrive CLI config as dictionary. Dictionary can never be empty, - as at least the interface name will be added or a deleted flag """ - conf = Config() - - # determine tagNode instance - if 'VYOS_TAGNODE_VALUE' not in os.environ: - raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified') - - # retrieve interface default values +def get_config(config=None): + """ + Retrive CLI config as dictionary. 
Dictionary can never be empty, as at least the + interface name will be added or a deleted flag + """ + if config: + conf = config + else: + conf = Config() base = ['interfaces', 'wirelessmodem'] - default_values = defaults(base) - - ifname = os.environ['VYOS_TAGNODE_VALUE'] - base = base + [ifname] - - wwan = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # Check if interface has been removed - if wwan == {}: - wwan.update({'deleted' : ''}) - - # We have gathered the dict representation of the CLI, but there are - # default options which we need to update into the dictionary - # retrived. - wwan = dict_merge(default_values, wwan) - - # Add interface instance name into dictionary - wwan.update({'ifname': ifname}) - + wwan = get_interface_dict(conf, base) return wwan def verify(wwan): - if 'deleted' in wwan.keys(): + if 'deleted' in wwan: return None - if not 'apn' in wwan.keys(): + if not 'apn' in wwan: raise ConfigError('No APN configured for "{ifname}"'.format(**wwan)) - if not 'device' in wwan.keys(): + if not 'device' in wwan: raise ConfigError('Physical "device" must be configured') # we can not use isfile() here as Linux device files are no regular files @@ -141,11 +108,11 @@ def generate(wwan): return None def apply(wwan): - if 'deleted' in wwan.keys(): + if 'deleted' in wwan: # bail out early return None - if not 'disable' in wwan.keys(): + if not 'disable' in wwan: # "dial" WWAN connection call('systemctl start ppp@{ifname}.service'.format(**wwan)) @@ -153,7 +120,7 @@ def apply(wwan): if __name__ == '__main__': try: - check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py index 015d1a480..11a5b7aaa 100755 --- a/src/conf_mode/ipsec-settings.py +++ b/src/conf_mode/ipsec-settings.py 
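Review bot: `if not 'apn' in wwan:` and `if not 'device' in wwan:` were rewritten in this hunk but keep the `not x in y` form; PEP 8 (E713) prefers `if 'apn' not in wwan:` and `if 'device' not in wwan:`. The new docstring has the typo `Retrive` (the same text appears in interfaces-wireless.py above): `Retrieve CLI config as dictionary.` The explicit `VYOS_TAGNODE_VALUE` check that raised a ConfigError was dropped with the old body; presumably `get_interface_dict` now performs it, which is worth confirming because the error message is otherwise lost. The `if config: conf = config / else: conf = Config()` block, repeated in every other get_config in this diff (lldp, nat, ntp, igmp, mpls, pim, rip, static-multicast, salt-minion, console-server), tests truthiness rather than identity; `conf = config if config is not None else Config()` is one line and unambiguous about an injected object that happens to be falsy.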
@@ -41,8 +41,11 @@ delim_ipsec_l2tp_begin = "### VyOS L2TP VPN Begin ###" delim_ipsec_l2tp_end = "### VyOS L2TP VPN End ###" charon_pidfile = "/var/run/charon.pid" -def get_config(): - config = Config() +def get_config(config=None): + if config: + config = config + else: + config = Config() data = {"install_routes": "yes"} if config.exists("vpn ipsec options disable-route-autoinstall"): diff --git a/src/conf_mode/le_cert.py b/src/conf_mode/le_cert.py index 5b965f95f..755c89966 100755 --- a/src/conf_mode/le_cert.py +++ b/src/conf_mode/le_cert.py @@ -27,6 +27,7 @@ from vyos import airbag airbag.enable() vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode'] +vyos_certbot_dir = vyos.defaults.directories['certbot'] dependencies = [ 'https.py', @@ -45,7 +46,7 @@ def request_certbot(cert): else: domain_flag = '' - certbot_cmd = 'certbot certonly -n --nginx --agree-tos --no-eff-email --expand {0} {1}'.format(email_flag, domain_flag) + certbot_cmd = f'certbot certonly --config-dir {vyos_certbot_dir} -n --nginx --agree-tos --no-eff-email --expand {email_flag} {domain_flag}' cmd(certbot_cmd, raising=ConfigError, diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py index 1b539887a..6b645857a 100755 --- a/src/conf_mode/lldp.py +++ b/src/conf_mode/lldp.py @@ -146,9 +146,12 @@ def get_location(config): return intfs_location -def get_config(): +def get_config(config=None): lldp = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() if not conf.exists(base): return None else: diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index 2299717a8..eb634fd78 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py 
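Review bot: `config = config` in the new `if config:` branch is a self-assignment that does nothing, so the four added lines reduce to a single guard: `if not config: config = Config()`. The parameter also shadows the module-level name used throughout the function body, which works here but differs from the `conf` name every other script in this diff uses for the same injected object.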
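Review bot: The rewritten `certbot_cmd` f-string still splices `email_flag` and `domain_flag`, which are derived from CLI-supplied values, into a single command string handed to `cmd()`; if `cmd()` executes through a shell, a value containing whitespace or shell metacharacters changes the command rather than the argument. Quote the values where the flags are assembled (outside this hunk), e.g. with `shlex.quote(...)`, or build an argument list instead of a string. `vyos_certbot_dir` comes from `vyos.defaults.directories['certbot']`, a fixed path, so it needs no quoting.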
@@ -19,18 +19,27 @@ import json import os from copy import deepcopy +from distutils.version import LooseVersion +from platform import release as kernel_version from sys import exit from netifaces import interfaces from vyos.config import Config from vyos.template import render -from vyos.util import call, cmd +from vyos.util import call +from vyos.util import cmd +from vyos.util import check_kmod from vyos.validate import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() +if LooseVersion(kernel_version()) > LooseVersion('5.1'): + k_mod = ['nft_nat', 'nft_chain_nat'] +else: + k_mod = ['nft_nat', 'nft_chain_nat_ipv4'] + default_config_data = { 'deleted': False, 'destination': [], @@ -44,15 +53,6 @@ default_config_data = { iptables_nat_config = '/tmp/vyos-nat-rules.nft' -def _check_kmod(): - """ load required Kernel modules """ - modules = ['nft_nat', 'nft_chain_nat_ipv4'] - for module in modules: - if not os.path.exists(f'/sys/module/{module}'): - if call(f'modprobe {module}') != 0: - raise ConfigError(f'Loading Kernel module {module} failed') - - def get_handler(json, chain, target): """ Get nftable rule handler number of given chain/target combination. Handler is required when adding NAT/Conntrack helper targets """ @@ -167,9 +167,12 @@ def parse_configuration(conf, source_dest): return ruleset -def get_config(): +def get_config(config=None): nat = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() # read in current nftable (once) for further processing tmp = cmd('nft -j list table raw') @@ -237,6 +240,8 @@ def verify(nat): addr = rule['translation_address'] if addr != 'masquerade' and not is_addr_assigned(addr): print(f'Warning: IP address {addr} does not exist on the system!') + elif not rule['exclude']: + raise ConfigError(f'{err_msg} translation address not specified') # common rule verification verify_rule(rule, err_msg) 
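Review bot: `from distutils.version import LooseVersion` pulls in distutils, which is deprecated (PEP 632) and removed in Python 3.12, for a two-component kernel comparison. Because `platform.release()` always carries a patch component, `LooseVersion(kernel_version()) > LooseVersion('5.1')` is also true for every 5.1.x kernel, so the boundary is effectively `>= 5.1`; if the intended cut-over for `nft_chain_nat` is a different release, this is off by one minor. A plain tuple compare avoids both issues: `major, minor = (int(x) for x in kernel_version().split('-')[0].split('.')[:2])` followed by `if (major, minor) >= (5, 1):` — with whichever threshold is actually correct. `import os` may be unused now that `_check_kmod` is gone; please check the rest of the file.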
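Review bot: The `translation address not specified` check is added in two shapes — here as an `elif not rule['exclude']:` hanging off an `if` whose head is above the hunk, and in the next hunk (`@@ -251,6 +256,9 @@`) as a standalone `if not rule['translation_address'] and not rule['exclude']:`. Using the standalone form in both places reads the same and does not depend on which `if` the `elif` binds to; with the indentation flattened here I cannot tell whether it binds to `if rule['translation_address']:` (correct) or to the inner `if addr != 'masquerade' and not is_addr_assigned(addr):` (which would raise for every rule whose address is assigned and has no exclude), so please confirm. verify() starts outside this hunk.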
@@ -251,6 +256,9 @@ def verify(nat): if not rule['interface_in']: raise ConfigError(f'{err_msg} inbound-interface not specified') + if not rule['translation_address'] and not rule['exclude']: + raise ConfigError(f'{err_msg} translation address not specified') + # common rule verification verify_rule(rule, err_msg) @@ -269,7 +277,7 @@ def apply(nat): if __name__ == '__main__': try: - _check_kmod() + check_kmod(k_mod) c = get_config() verify(c) generate(c) diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index bba8f87a4..d6453ec83 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -27,8 +27,11 @@ airbag.enable() config_file = r'/etc/ntp.conf' systemd_override = r'/etc/systemd/system/ntp.service.d/override.conf' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['system', 'ntp'] ntp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index 3aa76d866..1978adff5 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py 
@@ -14,83 +14,72 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import jmespath +import os -from copy import deepcopy from sys import exit from vyos.config import Config +from vyos.util import call from vyos.template import render +from vyos.template import render_to_string +from vyos import frr from vyos import ConfigError, airbag airbag.enable() config_file = r'/tmp/bgp.frr' -default_config_data = { - 'as_number': '' -} - def get_config(): - bgp = deepcopy(default_config_data) conf = Config() - - # this lives in the "nbgp" tree until we switch over base = ['protocols', 'nbgp'] + bgp = conf.get_config_dict(base, key_mangling=('-', '_')) if not conf.exists(base): return None - bgp = deepcopy(default_config_data) - # Get full BGP configuration as dictionary - output the configuration for development - # - # vyos@vyos# commit - # [ protocols nbgp 65000 ] - # {'nbgp': {'65000': {'address-family': {'ipv4-unicast': {'aggregate-address': {'1.1.0.0/16': {}, - # '2.2.2.0/24': {}}}, - # 'ipv6-unicast': {'aggregate-address': {'2001:db8::/32': {}}}}, - # 'neighbor': {'192.0.2.1': {'password': 'foo', - # 'remote-as': '100'}}}}} - # - tmp = conf.get_config_dict(base) - - # extract base key from dict as this is our AS number - bgp['as_number'] = jmespath.search('nbgp | keys(@) [0]', tmp) - - # adjust level of dictionary returned by get_config_dict() - # by using jmesgpath and update dictionary - bgp.update(jmespath.search('nbgp.* | [0]', tmp)) - from pprint import pprint pprint(bgp) - # resulting in e.g. 
- # vyos@vyos# commit - # [ protocols nbgp 65000 ] - # {'address-family': {'ipv4-unicast': {'aggregate-address': {'1.1.0.0/16': {}, - # '2.2.2.0/24': {}}}, - # 'ipv6-unicast': {'aggregate-address': {'2001:db8::/32': {}}}}, - # 'as_number': '65000', - # 'neighbor': {'192.0.2.1': {'password': 'foo', 'remote-as': '100'}}, - # 'timers': {'holdtime': '5'}} return bgp def verify(bgp): - # bail out early - looks like removal from running config if not bgp: return None return None def generate(bgp): - # bail out early - looks like removal from running config if not bgp: return None + # render(config) not needed, its only for debug render(config_file, 'frr/bgp.frr.tmpl', bgp) + + bgp['new_frr_config'] = render_to_string('frr/bgp.frr.tmpl', bgp) + return None def apply(bgp): + if bgp is None: + return None + + # Save original configration prior to starting any commit actions + bgp['original_config'] = frr.get_configuration(daemon='bgpd') + bgp['modified_config'] = frr.replace_section(bgp['original_config'], bgp['new_frr_config'], from_re='router bgp .*') + + # Debugging + print('--------- DEBUGGING ----------') + print(f'Existing config:\n{bgp["original_config"]}\n\n') + print(f'Replacement config:\n{bgp["new_frr_config"]}\n\n') + print(f'Modified config:\n{bgp["modified_config"]}\n\n') + + # Frr Mark configuration will test for syntax errors and exception out if any syntax errors are detected + frr.mark_configuration(bgp['modified_config']) + + # Commit the resulting new configuration to frr, this will render an frr.CommitError() Exception on fail + frr.reload_configuration(bgp['modified_config'], daemon='bgpd') + return None + if __name__ == '__main__': try: c = get_config() diff --git a/src/conf_mode/protocols_igmp.py b/src/conf_mode/protocols_igmp.py index ca148fd6a..6f4fc784d 100755 --- a/src/conf_mode/protocols_igmp.py +++ b/src/conf_mode/protocols_igmp.py 
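Review bot: apply() now prints the full existing, replacement and modified bgpd configuration to stdout on every commit (`print(f'Existing config:\n{bgp["original_config"]}\n\n')` and the two lines after it), and get_config() still has `pprint(bgp)`; the removed development comment shows the dict carries neighbor `password` values, so these dumps put BGP session secrets into the commit output and any log that captures it. Drop the four `print` lines and the `pprint` import/call before merge, or gate them behind an explicit debug flag. get_config() here keeps the `def get_config():` signature while every other script in this diff gains `config=None`, and it calls `conf.get_config_dict(base, ...)` before the `if not conf.exists(base): return None` guard, so the guard should come first. The comment `# render(config) not needed, its only for debug` contradicts the `render(config_file, ...)` call that follows it — remove one or the other.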
@@ -29,8 +29,11 @@ airbag.enable() config_file = r'/tmp/igmp.frr' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() igmp_conf = { 'igmp_conf' : False, 'old_ifaces' : {}, diff --git a/src/conf_mode/protocols_mpls.py b/src/conf_mode/protocols_mpls.py index 72208ffa1..e515490d0 100755 --- a/src/conf_mode/protocols_mpls.py +++ b/src/conf_mode/protocols_mpls.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -29,8 +29,11 @@ config_file = r'/tmp/ldpd.frr' def sysctl(name, value): call('sysctl -wq {}={}'.format(name, value)) -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() mpls_conf = { 'router_id' : None, 'mpls_ldp' : False, @@ -38,13 +41,17 @@ def get_config(): 'interfaces' : [], 'neighbors' : {}, 'd_transp_ipv4' : None, - 'd_transp_ipv6' : None + 'd_transp_ipv6' : None, + 'hello_holdtime' : None, + 'hello_interval' : None }, 'ldp' : { 'interfaces' : [], 'neighbors' : {}, 'd_transp_ipv4' : None, - 'd_transp_ipv6' : None + 'd_transp_ipv6' : None, + 'hello_holdtime' : None, + 'hello_interval' : None } } if not (conf.exists('protocols mpls') or conf.exists_effective('protocols mpls')): 
@@ -61,6 +68,20 @@ def get_config(): if conf.exists('router-id'): mpls_conf['router_id'] = conf.return_value('router-id') + # Get hello holdtime + if conf.exists_effective('discovery hello-holdtime'): + mpls_conf['old_ldp']['hello_holdtime'] = conf.return_effective_value('discovery hello-holdtime') + + if conf.exists('discovery hello-holdtime'): + mpls_conf['ldp']['hello_holdtime'] = conf.return_value('discovery hello-holdtime') + + # Get hello interval + if conf.exists_effective('discovery hello-interval'): + mpls_conf['old_ldp']['hello_interval'] = conf.return_effective_value('discovery hello-interval') + + if conf.exists('discovery hello-interval'): + mpls_conf['ldp']['hello_interval'] = conf.return_value('discovery hello-interval') + # Get discovery transport-ipv4-address if conf.exists_effective('discovery transport-ipv4-address'): mpls_conf['old_ldp']['d_transp_ipv4'] = conf.return_effective_value('discovery transport-ipv4-address') diff --git a/src/conf_mode/protocols_pim.py b/src/conf_mode/protocols_pim.py index 8aa324bac..6d333e19a 100755 --- a/src/conf_mode/protocols_pim.py +++ b/src/conf_mode/protocols_pim.py @@ -29,8 +29,11 @@ airbag.enable() config_file = r'/tmp/pimd.frr' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() pim_conf = { 'pim_conf' : False, 'old_pim' : { diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py index 4f8816d61..8ddd705f2 100755 --- a/src/conf_mode/protocols_rip.py +++ b/src/conf_mode/protocols_rip.py @@ -28,8 +28,11 @@ airbag.enable() config_file = r'/tmp/ripd.frr' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['protocols', 'rip'] rip_conf = { 'rip_conf' : False, 
@@ -97,7 +100,7 @@ def get_config(): # Get distribute list interface old_rip for dist_iface in conf.list_effective_nodes('distribute-list interface'): # Set level 'distribute-list interface ethX' - conf.set_level((str(base)) + ' distribute-list interface ' + dist_iface) + conf.set_level(base + ['distribute-list', 'interface', dist_iface]) rip_conf['rip']['distribute'].update({ dist_iface : { 'iface_access_list_in': conf.return_effective_value('access-list in'.format(dist_iface)), @@ -125,7 +128,7 @@ def get_config(): # Get distribute list interface for dist_iface in conf.list_nodes('distribute-list interface'): # Set level 'distribute-list interface ethX' - conf.set_level((str(base)) + ' distribute-list interface ' + dist_iface) + conf.set_level(base + ['distribute-list', 'interface', dist_iface]) rip_conf['rip']['distribute'].update({ dist_iface : { 'iface_access_list_in': conf.return_value('access-list in'.format(dist_iface)), @@ -148,7 +151,7 @@ def get_config(): if conf.exists('prefix-list out'.format(dist_iface)): rip_conf['rip']['iface_prefix_list_out'] = conf.return_value('prefix-list out'.format(dist_iface)) - conf.set_level((str(base)) + ' distribute-list') + conf.set_level(base + ['distribute-list']) # Get distribute list, access-list in if conf.exists_effective('access-list in'): diff --git a/src/conf_mode/protocols_static_multicast.py b/src/conf_mode/protocols_static_multicast.py index 232d1e181..99157835a 100755 --- a/src/conf_mode/protocols_static_multicast.py +++ b/src/conf_mode/protocols_static_multicast.py @@ -30,8 +30,11 @@ airbag.enable() config_file = r'/tmp/static_mcast.frr' # Get configuration for static multicast route -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() mroute = { 'old_mroute' : {}, 'mroute' : {} diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 3343d1247..841bf6a39 100755 --- a/src/conf_mode/salt-minion.py 
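Review bot: The `.format(dist_iface)` calls on the context lines surrounding each replaced `set_level` (`'access-list in'.format(dist_iface)`, `'prefix-list out'.format(dist_iface)`) are no-ops because the literals contain no `{}` placeholder, so the list-based `set_level` fix is correct but the neighbouring lookups still read as if they were per-interface. Dropping the `.format(...)` suffixes makes the code say what it does. These lines are unchanged context in all three protocols_rip.py hunks; get_config continues outside the hunk.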
+++ b/src/conf_mode/salt-minion.py @@ -44,9 +44,12 @@ default_config_data = { 'master_key': '' } -def get_config(): +def get_config(config=None): salt = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() base = ['service', 'salt-minion'] if not conf.exists(base): diff --git a/src/conf_mode/service_console-server.py b/src/conf_mode/service_console-server.py index ace6b8ca4..0e5fc75b0 100755 --- a/src/conf_mode/service_console-server.py +++ b/src/conf_mode/service_console-server.py @@ -27,15 +27,16 @@ from vyos import ConfigError config_file = r'/run/conserver/conserver.cf' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['service', 'console-server'] - if not conf.exists(base): - return None - # Retrieve CLI representation as dictionary - proxy = conf.get_config_dict(base, key_mangling=('-', '_')) + proxy = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True) # The retrieved dictionary will look something like this: # # {'device': {'usb0b2.4p1.0': {'speed': '9600'}, @@ -47,9 +48,10 @@ def get_config(): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. default_values = defaults(base + ['device']) - for device in proxy['device'].keys(): - tmp = dict_merge(default_values, proxy['device'][device]) - proxy['device'][device] = tmp + if 'device' in proxy: + for device in proxy['device']: + tmp = dict_merge(default_values, proxy['device'][device]) + proxy['device'][device] = tmp return proxy 
@@ -57,15 +59,14 @@ def verify(proxy): if not proxy: return None - for device in proxy['device']: - keys = proxy['device'][device].keys() - if 'speed' not in keys: - raise ConfigError(f'Serial port speed must be defined for "{tmp}"!') + if 'device' in proxy: + for device in proxy['device']: + if 'speed' not in proxy['device'][device]: + raise ConfigError(f'Serial port speed must be defined for "{device}"!') - if 'ssh' in keys: - ssh_keys = proxy['device'][device]['ssh'].keys() - if 'port' not in ssh_keys: - raise ConfigError(f'SSH port must be defined for "{tmp}"!') + if 'ssh' in proxy['device'][device]: + if 'port' not in proxy['device'][device]['ssh']: + raise ConfigError(f'SSH port must be defined for "{device}"!') return None @@ -86,10 +87,11 @@ def apply(proxy): call('systemctl restart conserver-server.service') - for device in proxy['device']: - if 'ssh' in proxy['device'][device].keys(): - port = proxy['device'][device]['ssh']['port'] - call(f'systemctl restart dropbear@{device}.service') + if 'device' in proxy: + for device in proxy['device']: + if 'ssh' in proxy['device'][device]: + port = proxy['device'][device]['ssh']['port'] + call(f'systemctl restart dropbear@{device}.service') return None diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py index d46f9578e..27d0ee60c 100755 --- a/src/conf_mode/service_ids_fastnetmon.py +++ b/src/conf_mode/service_ids_fastnetmon.py @@ -28,8 +28,11 @@ airbag.enable() config_file = r'/etc/fastnetmon.conf' networks_list = r'/etc/networks_list' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['service', 'ids', 'ddos-protection'] fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return fastnetmon diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index b539da98e..96cf932d1 100755 --- a/src/conf_mode/service_ipoe-server.py 
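Review bot: `port = proxy['device'][device]['ssh']['port']` in the apply hunk is assigned and never used; the restart line only interpolates `device`, so the assignment can be dropped and the check reduced to `if 'ssh' in proxy['device'][device]:`. The device key is also interpolated straight into `call(f'systemctl restart dropbear@{device}.service')`; if `call` hands the string to a shell and the CLI does not already restrict device names to a safe character set, quote it with `shlex.quote(device)` before interpolation. The verify hunk above correctly replaces the unbound `{tmp}` in both error messages with `{device}`.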
+++ b/src/conf_mode/service_ipoe-server.py @@ -55,8 +55,11 @@ default_config_data = { 'thread_cnt': get_half_cpus() } -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base_path = ['service', 'ipoe-server'] if not conf.exists(base_path): return None @@ -147,17 +150,21 @@ def get_config(): 'server' : server, 'key' : '', 'fail_time' : 0, - 'port' : '1812' + 'port' : '1812', + 'acct_port' : '1813' } conf.set_level(base_path + ['authentication', 'radius', 'server', server]) if conf.exists(['fail-time']): - radius['fail-time'] = conf.return_value(['fail-time']) + radius['fail_time'] = conf.return_value(['fail-time']) if conf.exists(['port']): radius['port'] = conf.return_value(['port']) + if conf.exists(['acct-port']): + radius['acct_port'] = conf.return_value(['acct-port']) + if conf.exists(['key']): radius['key'] = conf.return_value(['key']) diff --git a/src/conf_mode/mdns_repeater.py b/src/conf_mode/service_mdns-repeater.py index b43f9bdd8..729518c96 100755 --- a/src/conf_mode/mdns_repeater.py +++ b/src/conf_mode/service_mdns-repeater.py 
@@ -17,69 +17,54 @@ import os from sys import exit -from copy import deepcopy -from netifaces import ifaddresses, AF_INET +from netifaces import ifaddresses, interfaces, AF_INET from vyos.config import Config -from vyos import ConfigError -from vyos.util import call from vyos.template import render - +from vyos.util import call +from vyos import ConfigError from vyos import airbag airbag.enable() config_file = r'/etc/default/mdns-repeater' -default_config_data = { - 'disabled': False, - 'interfaces': [] -} - -def get_config(): - mdns = deepcopy(default_config_data) - conf = Config() - base = ['service', 'mdns', 'repeater'] - if not conf.exists(base): - return None +def get_config(config=None): + if config: + conf = config else: - conf.set_level(base) - - # Service can be disabled by user - if conf.exists(['disable']): - mdns['disabled'] = True - return mdns - - # Interface to repeat mDNS advertisements - if conf.exists(['interface']): - mdns['interfaces'] = conf.return_values(['interface']) - + conf = Config() + base = ['service', 'mdns', 'repeater'] + mdns = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return mdns def verify(mdns): - if mdns is None: + if not mdns: return None - if mdns['disabled']: + if 'disable' in mdns: return None # We need at least two interfaces to repeat mDNS advertisments - if len(mdns['interfaces']) < 2: + if 'interface' not in mdns or len(mdns['interface']) < 2: raise ConfigError('mDNS repeater requires at least 2 configured interfaces!') # For mdns-repeater to work it is essential that the interfaces has # an IPv4 address assigned - for interface in mdns['interfaces']: - if AF_INET in ifaddresses(interface).keys(): - if len(ifaddresses(interface)[AF_INET]) < 1: - raise ConfigError('mDNS repeater requires an IPv6 address configured on interface %s!'.format(interface)) + for interface in mdns['interface']: + if interface not in interfaces(): + raise ConfigError(f'Interface "{interface}" does not exist!') + + if 
AF_INET not in ifaddresses(interface): + raise ConfigError('mDNS repeater requires an IPv4 address to be ' + f'configured on interface "{interface}"') return None def generate(mdns): - if mdns is None: + if not mdns: return None - if mdns['disabled']: + if 'disable' in mdns: print('Warning: mDNS repeater will be deactivated because it is disabled') return None @@ -87,7 +72,7 @@ def generate(mdns): return None def apply(mdns): - if (mdns is None) or mdns['disabled']: + if not mdns or 'disable' in mdns: call('systemctl stop mdns-repeater.service') if os.path.exists(config_file): os.unlink(config_file) diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index 3149bbb2f..45d3806d5 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -85,8 +85,11 @@ default_config_data = { 'thread_cnt': get_half_cpus() } -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base_path = ['service', 'pppoe-server'] if not conf.exists(base_path): return None @@ -242,7 +245,8 @@ def get_config(): 'server' : server, 'key' : '', 'fail_time' : 0, - 'port' : '1812' + 'port' : '1812', + 'acct_port' : '1813' } conf.set_level(base_path + ['authentication', 'radius', 'server', server]) @@ -253,6 +257,9 @@ def get_config(): if conf.exists(['port']): radius['port'] = conf.return_value(['port']) + if conf.exists(['acct-port']): + radius['acct_port'] = conf.return_value(['acct-port']) + if conf.exists(['key']): radius['key'] = conf.return_value(['key']) @@ -417,6 +424,9 @@ def verify(pppoe): if len(pppoe['dnsv6']) > 3: raise ConfigError('Not more then three IPv6 DNS name-servers can be configured') + if not pppoe['interfaces']: + raise ConfigError('At least one listen interface must be defined!') + # local ippool and gateway settings config checks if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']: if not pppoe['ppp_gw']: 
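Review bot: `len(mdns['interface']) < 2` in verify assumes `get_config_dict` returns the multi-valued `interface` node as a list; the router-advert hunk in this same diff explicitly guards against a single value coming back as a `str` (`name_server`), and if that also holds here a lone interface such as `eth0` passes the length check and the following loop iterates over its characters. Normalise in get_config, e.g. `if isinstance(mdns.get('interface'), str): mdns['interface'] = [mdns['interface']]`, so both the `< 2` check and the `ifaddresses` loop see a list. Whether get_config_dict behaves this way for `interface` is inferred from the sibling hunk, not visible here.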
diff --git a/src/conf_mode/service_router-advert.py b/src/conf_mode/service_router-advert.py
index ef6148ebd..687d7068f 100755
--- a/src/conf_mode/service_router-advert.py
+++ b/src/conf_mode/service_router-advert.py
@@ -16,145 +16,88 @@ import os -from stat import S_IRUSR, S_IWUSR, S_IRGRP from sys import exit from vyos.config import Config -from vyos import ConfigError -from vyos.util import call +from vyos.configdict import dict_merge from vyos.template import render - +from vyos.util import call +from vyos.xml import defaults +from vyos import ConfigError from vyos import airbag airbag.enable() config_file = r'/run/radvd/radvd.conf' -default_config_data = { - 'interfaces': [] -} - -def get_config(): - rtradv = default_config_data - conf = Config() - base_level = ['service', 'router-advert'] - - if not conf.exists(base_level): - return rtradv - - for interface in conf.list_nodes(base_level + ['interface']): - intf = { - 'name': interface, - 'hop_limit' : '64', - 'default_lifetime': '', - 'default_preference': 'medium', - 'dnssl': [], - 'link_mtu': '', - 'managed_flag': 'off', - 'interval_max': '600', - 'interval_min': '', - 'name_server': [], - 'other_config_flag': 'off', - 'prefixes' : [], - 'reachable_time': '0', - 'retrans_timer': '0', - 'send_advert': 'on' - } - - # set config level first to reduce boilerplate code - conf.set_level(base_level + ['interface', interface]) - - if conf.exists(['hop-limit']): - intf['hop_limit'] = conf.return_value(['hop-limit']) - - if conf.exists(['default-lifetime']): - intf['default_lifetime'] = conf.return_value(['default-lifetime']) - - if conf.exists(['default-preference']): - intf['default_preference'] = conf.return_value(['default-preference']) - - if conf.exists(['dnssl']): - intf['dnssl'] = conf.return_values(['dnssl']) - - if conf.exists(['link-mtu']): - intf['link_mtu'] = conf.return_value(['link-mtu']) - - if conf.exists(['managed-flag']): - intf['managed_flag'] = 'on' - - if conf.exists(['interval', 'max']): - intf['interval_max'] = conf.return_value(['interval', 'max']) - - if conf.exists(['interval', 'min']): - intf['interval_min'] = conf.return_value(['interval', 'min']) - - if conf.exists(['name-server']): - 
intf['name_server'] = conf.return_values(['name-server']) +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['service', 'router-advert'] + rtradv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_interface_values = defaults(base + ['interface']) + # we deal with prefix defaults later on + if 'prefix' in default_interface_values: + del default_interface_values['prefix'] + + default_prefix_values = defaults(base + ['interface', 'prefix']) + + if 'interface' in rtradv: + for interface in rtradv['interface']: + rtradv['interface'][interface] = dict_merge( + default_interface_values, rtradv['interface'][interface]) + + if 'prefix' in rtradv['interface'][interface]: + for prefix in rtradv['interface'][interface]['prefix']: + rtradv['interface'][interface]['prefix'][prefix] = dict_merge( + default_prefix_values, rtradv['interface'][interface]['prefix'][prefix]) + + if 'name_server' in rtradv['interface'][interface]: + # always use a list when dealing with nameservers - eases the template generation + if isinstance(rtradv['interface'][interface]['name_server'], str): + rtradv['interface'][interface]['name_server'] = [ + rtradv['interface'][interface]['name_server']] - if conf.exists(['other-config-flag']): - intf['other_config_flag'] = 'on' - - if conf.exists(['reachable-time']): - intf['reachable_time'] = conf.return_value(['reachable-time']) - - if conf.exists(['retrans-timer']): - intf['retrans_timer'] = conf.return_value(['retrans-timer']) - - if conf.exists(['no-send-advert']): - intf['send_advert'] = 'off' - - for prefix in conf.list_nodes(['prefix']): - tmp = { - 'prefix' : prefix, - 'autonomous_flag' : 'on', - 'on_link' : 'on', - 'preferred_lifetime': 14400, - 'valid_lifetime' : 2592000 - - } - - # set config level first to reduce boilerplate 
code - conf.set_level(base_level + ['interface', interface, 'prefix', prefix]) - - if conf.exists(['no-autonomous-flag']): - tmp['autonomous_flag'] = 'off' - - if conf.exists(['no-on-link-flag']): - tmp['on_link'] = 'off' - - if conf.exists(['preferred-lifetime']): - tmp['preferred_lifetime'] = int(conf.return_value(['preferred-lifetime'])) + return rtradv - if conf.exists(['valid-lifetime']): - tmp['valid_lifetime'] = int(conf.return_value(['valid-lifetime'])) +def verify(rtradv): + if not rtradv: + return None - intf['prefixes'].append(tmp) + if 'interface' not in rtradv: + return None - rtradv['interfaces'].append(intf) + for interface in rtradv['interface']: + interface = rtradv['interface'][interface] + if 'prefix' in interface: + for prefix in interface['prefix']: + prefix = interface['prefix'][prefix] + valid_lifetime = prefix['valid_lifetime'] + if valid_lifetime == 'infinity': + valid_lifetime = 4294967295 - return rtradv + preferred_lifetime = prefix['preferred_lifetime'] + if preferred_lifetime == 'infinity': + preferred_lifetime = 4294967295 -def verify(rtradv): - for interface in rtradv['interfaces']: - for prefix in interface['prefixes']: - if not (prefix['valid_lifetime'] > prefix['preferred_lifetime']): - raise ConfigError('Prefix valid-lifetime must be greater then preferred-lifetime') + if not (int(valid_lifetime) > int(preferred_lifetime)): + raise ConfigError('Prefix valid-lifetime must be greater then preferred-lifetime') return None def generate(rtradv): - if not rtradv['interfaces']: + if not rtradv: return None - render(config_file, 'router-advert/radvd.conf.tmpl', rtradv, trim_blocks=True) - - # adjust file permissions of new configuration file - if os.path.exists(config_file): - os.chmod(config_file, S_IRUSR | S_IWUSR | S_IRGRP) - + render(config_file, 'router-advert/radvd.conf.tmpl', rtradv, trim_blocks=True, permission=0o644) return None def apply(rtradv): - if not rtradv['interfaces']: + if not rtradv: # bail out early - looks like 
removal from running config call('systemctl stop radvd.service') if os.path.exists(config_file): @@ -163,6 +106,7 @@ def apply(rtradv): return None call('systemctl restart radvd.service') + return None if __name__ == '__main__': diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index ffb0b700d..a19fa72d8 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -28,11 +28,14 @@ from vyos.xml import defaults from vyos import airbag airbag.enable() -config_file = r'/etc/ssh/sshd_config' +config_file = r'/run/ssh/sshd_config' systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['service', 'ssh'] if not conf.exists(base): return None @@ -42,6 +45,8 @@ def get_config(): # options which we need to update into the dictionary retrived. default_values = defaults(base) ssh = dict_merge(default_values, ssh) + # pass config file path - used in override template + ssh['config_file'] = config_file return ssh diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system-ip.py index 85f1e3771..64c9e6d05 100755 --- a/src/conf_mode/system-ip.py +++ b/src/conf_mode/system-ip.py @@ -35,9 +35,12 @@ default_config_data = { def sysctl(name, value): call('sysctl -wq {}={}'.format(name, value)) -def get_config(): +def get_config(config=None): ip_opt = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() conf.set_level('system ip') if conf.exists(''): if conf.exists('arp table-size'): diff --git a/src/conf_mode/system-ipv6.py b/src/conf_mode/system-ipv6.py index 3417c609d..f70ec2631 100755 --- a/src/conf_mode/system-ipv6.py +++ b/src/conf_mode/system-ipv6.py 
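Review bot: `render(..., permission=0o644)` in generate loosens the mode of radvd.conf compared with the `S_IRUSR | S_IWUSR | S_IRGRP` (0o640) chmod it replaces, making the rendered file world-readable; if that is not intended, pass `permission=0o640`. In verify, `prefix['valid_lifetime']` and `prefix['preferred_lifetime']` are indexed unconditionally, which is only safe because get_config merges `default_prefix_values` into every prefix — a comment such as `# lifetimes are always present: get_config merges the XML defaults into each prefix` would record that dependency. The loop also rebinds its own index (`for interface in rtradv['interface']: interface = rtradv['interface'][interface]`); `for name, interface in rtradv['interface'].items():` reads better and keeps the key available for error messages.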
@@ -41,9 +41,12 @@ default_config_data = { def sysctl(name, value): call('sysctl -wq {}={}'.format(name, value)) -def get_config(): +def get_config(config=None): ip_opt = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() conf.set_level('system ipv6') if conf.exists(''): ip_opt['disable_addr_assignment'] = conf.exists('disable') diff --git a/src/conf_mode/system-login-banner.py b/src/conf_mode/system-login-banner.py index 5c0adc921..569010735 100755 --- a/src/conf_mode/system-login-banner.py +++ b/src/conf_mode/system-login-banner.py @@ -41,9 +41,12 @@ default_config_data = { 'motd': motd } -def get_config(): +def get_config(config=None): banner = default_config_data - conf = Config() + if config: + conf = config + else: + conf = Config() base_level = ['system', 'login', 'banner'] if not conf.exists(base_level): diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index b1dd583b5..2aca199f9 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -56,9 +56,12 @@ def get_local_users(): return local_users -def get_config(): +def get_config(config=None): login = default_config_data - conf = Config() + if config: + conf = config + else: + conf = Config() base_level = ['system', 'login'] # We do not need to check if the nodes exist or not and bail out early diff --git a/src/conf_mode/system-options.py b/src/conf_mode/system-options.py index d7c5c0443..6ac35a4ab 100755 --- a/src/conf_mode/system-options.py +++ b/src/conf_mode/system-options.py 
@@ -22,23 +22,28 @@ from sys import exit from vyos.config import Config from vyos.template import render from vyos.util import call +from vyos.validate import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() -config_file = r'/etc/curlrc' +curlrc_config = r'/etc/curlrc' +ssh_config = r'/etc/ssh/ssh_config' systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['system', 'options'] options = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) return options def verify(options): - if 'http_client' in options.keys(): + if 'http_client' in options: config = options['http_client'] - if 'source_interface' in config.keys(): + if 'source_interface' in config: if not config['source_interface'] in interfaces(): raise ConfigError(f'Source interface {source_interface} does not ' f'exist'.format(**config)) @@ -46,10 +51,21 @@ def verify(options): if {'source_address', 'source_interface'} <= set(config): raise ConfigError('Can not define both HTTP source-interface and source-address') + if 'source_address' in config: + if not is_addr_assigned(config['source_address']): + raise ConfigError('No interface with give address specified!') + + if 'ssh_client' in options: + config = options['ssh_client'] + if 'source_address' in config: + if not is_addr_assigned(config['source_address']): + raise ConfigError('No interface with give address specified!') + return None def generate(options): - render(config_file, 'system/curlrc.tmpl', options, trim_blocks=True) + render(curlrc_config, 'system/curlrc.tmpl', options, trim_blocks=True) + render(ssh_config, 'system/ssh_config.tmpl', options, trim_blocks=True) return None def apply(options): 
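Review bot: The context line `raise ConfigError(f'Source interface {source_interface} does not ' f'exist'.format(**config))` in the first hunk references a name `source_interface` that is never bound, so a missing interface raises NameError instead of ConfigError, and the trailing `.format(**config)` does nothing useful; `raise ConfigError(f'Source interface {config["source_interface"]} does not exist')` is what was meant. The two new `is_addr_assigned` checks in the second hunk both say `'No interface with give address specified!'` — `given`. verify starts in the first hunk and ends in the second.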
@@ -63,12 +79,20 @@ def apply(options): if os.path.exists(systemd_action_file): os.unlink(systemd_action_file) - if 'ctrl_alt_del_action' in options.keys(): + if 'ctrl_alt_del_action' in options: if options['ctrl_alt_del_action'] == 'reboot': os.symlink('/lib/systemd/system/reboot.target', systemd_action_file) elif options['ctrl_alt_del_action'] == 'poweroff': os.symlink('/lib/systemd/system/poweroff.target', systemd_action_file) + if 'http_client' not in options: + if os.path.exists(curlrc_config): + os.unlink(curlrc_config) + + if 'ssh_client' not in options: + if os.path.exists(ssh_config): + os.unlink(ssh_config) + # Reboot system on kernel panic with open('/proc/sys/kernel/panic', 'w') as f: if 'reboot_on_panic' in options.keys(): diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system-syslog.py index cfc1ca55f..d29109c41 100755 --- a/src/conf_mode/system-syslog.py +++ b/src/conf_mode/system-syslog.py @@ -27,8 +27,11 @@ from vyos.template import render from vyos import airbag airbag.enable() -def get_config(): - c = Config() +def get_config(config=None): + if config: + c = config + else: + c = Config() if not c.exists('system syslog'): return None c.set_level('system syslog') diff --git a/src/conf_mode/system-timezone.py b/src/conf_mode/system-timezone.py index 0f4513122..4d9f017a6 100755 --- a/src/conf_mode/system-timezone.py +++ b/src/conf_mode/system-timezone.py @@ -29,9 +29,12 @@ default_config_data = { 'name': 'UTC' } -def get_config(): +def get_config(config=None): tz = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() if conf.exists('system time-zone'): tz['name'] = conf.return_value('system time-zone') diff --git a/src/conf_mode/system-wifi-regdom.py b/src/conf_mode/system-wifi-regdom.py index 30ea89098..874f93923 100755 --- a/src/conf_mode/system-wifi-regdom.py +++ b/src/conf_mode/system-wifi-regdom.py 
@@ -34,9 +34,12 @@ default_config_data = { 'deleted' : False } -def get_config(): +def get_config(config=None): regdom = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() base = ['system', 'wifi-regulatory-domain'] # Check if interface has been removed diff --git a/src/conf_mode/system_console.py b/src/conf_mode/system_console.py index 6f83335f3..b17818797 100755 --- a/src/conf_mode/system_console.py +++ b/src/conf_mode/system_console.py @@ -26,8 +26,11 @@ airbag.enable() by_bus_dir = '/dev/serial/by-bus' -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base = ['system', 'console'] # retrieve configuration at once diff --git a/src/conf_mode/system_lcd.py b/src/conf_mode/system_lcd.py new file mode 100755 index 000000000..a540d1b9e --- /dev/null +++ b/src/conf_mode/system_lcd.py 
@@ -0,0 +1,91 @@ +#!/usr/bin/env python3 +# +# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos.util import call +from vyos.util import find_device_file +from vyos.template import render +from vyos import ConfigError +from vyos import airbag +airbag.enable() + +lcdd_conf = '/run/LCDd/LCDd.conf' +lcdproc_conf = '/run/lcdproc/lcdproc.conf' + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'lcd'] + lcd = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True) + # Return (possibly empty) dictionary + return lcd + +def verify(lcd): + if not lcd: + return None + + if 'model' in lcd and lcd['model'] in ['sdec']: + # This is a fixed LCD display, no device needed - bail out early + return None + + if not {'device', 'model'} <= set(lcd): + raise ConfigError('Both device and driver must be set!') + + return None + +def generate(lcd): + if not lcd: + return None + + if 'device' in lcd: + lcd['device'] = find_device_file(lcd['device']) + + # Render config file for daemon LCDd + render(lcdd_conf, 'lcd/LCDd.conf.tmpl', lcd, trim_blocks=True) + # Render config file for client lcdproc + render(lcdproc_conf, 'lcd/lcdproc.conf.tmpl', lcd, trim_blocks=True) + + return None + +def apply(lcd): + if not lcd: + call('systemctl stop 
lcdproc.service LCDd.service') + + for file in [lcdd_conf, lcdproc_conf]: + if os.path.exists(file): + os.remove(file) + else: + # Restart server + call('systemctl restart LCDd.service lcdproc.service') + + return None + +if __name__ == '__main__': + try: + config_dict = get_config() + verify(config_dict) + generate(config_dict) + apply(config_dict) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/task_scheduler.py b/src/conf_mode/task_scheduler.py index 51d8684cb..129be5d3c 100755 --- a/src/conf_mode/task_scheduler.py +++ b/src/conf_mode/task_scheduler.py @@ -53,8 +53,11 @@ def make_command(executable, arguments): else: return("sg vyattacfg \"{0}\"".format(executable)) -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() conf.set_level("system task-scheduler task") task_names = conf.list_nodes("") tasks = [] diff --git a/src/conf_mode/tftp_server.py b/src/conf_mode/tftp_server.py index d31851bef..ad5ee9c33 100755 --- a/src/conf_mode/tftp_server.py +++ b/src/conf_mode/tftp_server.py @@ -40,9 +40,12 @@ default_config_data = { 'listen': [] } -def get_config(): +def get_config(config=None): tftpd = deepcopy(default_config_data) - conf = Config() + if config: + conf = config + else: + conf = Config() base = ['service', 'tftp-server'] if not conf.exists(base): return None diff --git a/src/conf_mode/vpn_anyconnect.py b/src/conf_mode/vpn_anyconnect.py new file mode 100755 index 000000000..158e1a117 --- /dev/null +++ b/src/conf_mode/vpn_anyconnect.py 
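Review bot: The verify error `'Both device and driver must be set!'` names a `driver` node, but the check is `{'device', 'model'} <= set(lcd)`, so the user is told to set something that does not exist; the message should say `model`. In generate, `lcd['device'] = find_device_file(lcd['device'])` stores the result without checking it, so an unresolvable device is rendered into LCDd.conf as whatever find_device_file returns (not visible here); a `if not lcd['device']: raise ConfigError(f'Device "{...}" not found')` after the lookup would surface that at commit time rather than at daemon start.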
@@ -0,0 +1,135 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.xml import defaults +from vyos.template import render +from vyos.util import call +from vyos import ConfigError +from crypt import crypt, mksalt, METHOD_SHA512 + +from vyos import airbag +airbag.enable() + +cfg_dir = '/run/ocserv' +ocserv_conf = cfg_dir + '/ocserv.conf' +ocserv_passwd = cfg_dir + '/ocpasswd' +radius_cfg = cfg_dir + '/radiusclient.conf' +radius_servers = cfg_dir + '/radius_servers' + + +# Generate hash from user cleartext password +def get_hash(password): + return crypt(password, mksalt(METHOD_SHA512)) + + +def get_config(): + conf = Config() + base = ['vpn', 'anyconnect'] + if not conf.exists(base): + return None + + ocserv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + default_values = defaults(base) + ocserv = dict_merge(default_values, ocserv) + return ocserv + + +def verify(ocserv): + if ocserv is None: + return None + + # Check authentication + if "authentication" in ocserv: + if "mode" in ocserv["authentication"]: + if "local" in ocserv["authentication"]["mode"]: + if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]: + raise ConfigError('Anyconect mode local 
required at leat one user') + else: + for user in ocserv["authentication"]["local_users"]["username"]: + if not "password" in ocserv["authentication"]["local_users"]["username"][user]: + raise ConfigError(f'password required for user {user}') + else: + raise ConfigError('anyconnect authentication mode required') + else: + raise ConfigError('anyconnect authentication credentials required') + + # Check ssl + if "ssl" in ocserv: + req_cert = ['ca_cert_file', 'cert_file', 'key_file'] + for cert in req_cert: + if not cert in ocserv["ssl"]: + raise ConfigError('anyconnect ssl {0} required'.format(cert.replace('_', '-'))) + else: + raise ConfigError('anyconnect ssl required') + + # Check network settings + if "network_settings" in ocserv: + if "push_route" in ocserv["network_settings"]: + # Replace default route + if "0.0.0.0/0" in ocserv["network_settings"]["push_route"]: + ocserv["network_settings"]["push_route"].remove("0.0.0.0/0") + ocserv["network_settings"]["push_route"].append("default") + else: + ocserv["network_settings"]["push_route"] = "default" + else: + raise ConfigError('anyconnect network settings required') + + +def generate(ocserv): + if not ocserv: + return None + + if "radius" in ocserv["authentication"]["mode"]: + # Render radius client configuration + render(radius_cfg, 'ocserv/radius_conf.tmpl', ocserv["authentication"]["radius"], trim_blocks=True) + # Render radius servers + render(radius_servers, 'ocserv/radius_servers.tmpl', ocserv["authentication"]["radius"], trim_blocks=True) + else: + if "local_users" in ocserv["authentication"]: + for user in ocserv["authentication"]["local_users"]["username"]: + ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"]) + # Render local users + render(ocserv_passwd, 'ocserv/ocserv_passwd.tmpl', ocserv["authentication"]["local_users"], trim_blocks=True) + + # Render config + render(ocserv_conf, 'ocserv/ocserv_config.tmpl', 
ocserv, trim_blocks=True) + + + +def apply(ocserv): + if not ocserv: + call('systemctl stop ocserv.service') + for file in [ocserv_conf, ocserv_passwd]: + if os.path.exists(file): + os.unlink(file) + else: + call('systemctl restart ocserv.service') + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 88df2902e..13831dcd8 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -70,8 +70,11 @@ default_config_data = { 'thread_cnt': get_half_cpus() } -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base_path = ['vpn', 'l2tp', 'remote-access'] if not conf.exists(base_path): return None @@ -151,7 +154,8 @@ def get_config(): 'server' : server, 'key' : '', 'fail_time' : 0, - 'port' : '1812' + 'port' : '1812', + 'acct_port' : '1813' } conf.set_level(base_path + ['authentication', 'radius', 'server', server]) @@ -162,6 +166,9 @@ def get_config(): if conf.exists(['port']): radius['port'] = conf.return_value(['port']) + if conf.exists(['acct-port']): + radius['acct_port'] = conf.return_value(['acct-port']) + if conf.exists(['key']): radius['key'] = conf.return_value(['key']) diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index 4536692d2..9f3b40534 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -56,8 +56,11 @@ default_pptp = { 'thread_cnt': get_half_cpus() } -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() base_path = ['vpn', 'pptp', 'remote-access'] if not conf.exists(base_path): return None @@ -111,7 +114,8 @@ def get_config(): 'server' : server, 'key' : '', 'fail_time' : 0, - 'port' : '1812' + 'port' : '1812', + 'acct_port' : '1813' } conf.set_level(base_path + ['authentication', 'radius', 'server', server]) 
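Review bot: `render(ocserv_passwd, 'ocserv/ocserv_passwd.tmpl', ...)` in generate writes the users' password hashes under /run/ocserv with render's default mode, while the router-advert hunk in this diff shows `render` accepts `permission=`; a credential file should be created with `permission=0o600`, and the same consideration applies to `radius_cfg`/`radius_servers`, which carry the RADIUS server settings. In apply's stop branch only `ocserv_conf` and `ocserv_passwd` are removed, so the `radius_cfg` and `radius_servers` files rendered by generate survive a removal; add them to the cleanup list. `get_config()` here is the only one in this diff without the `config=None` parameter the other conf_mode scripts gain, and verify mutates the config (`push_route.remove/append`, and the `else` branch assigns the `str` `"default"` where a list is used elsewhere), which belongs in get_config or generate. The local-users check `not ocserv["authentication"]["local_users"]` raises KeyError rather than ConfigError when the node is absent — `"local_users" not in ocserv["authentication"]` is the safe form — and the message `'Anyconect mode local required at leat one user'` needs `Anyconnect`/`least`.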
@@ -122,6 +126,9 @@ def get_config(): if conf.exists(['port']): radius['port'] = conf.return_value(['port']) + if conf.exists(['acct-port']): + radius['acct_port'] = conf.return_value(['acct-port']) + if conf.exists(['key']): radius['key'] = conf.return_value(['key']) diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 4c4d8e403..7fc370f99 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -65,10 +65,13 @@ default_config_data = { 'thread_cnt' : get_half_cpus() } -def get_config(): +def get_config(config=None): sstp = deepcopy(default_config_data) base_path = ['vpn', 'sstp'] - conf = Config() + if config: + conf = config + else: + conf = Config() if not conf.exists(base_path): return None @@ -118,7 +121,8 @@ def get_config(): 'server' : server, 'key' : '', 'fail_time' : 0, - 'port' : '1812' + 'port' : '1812', + 'acct_port' : '1813' } conf.set_level(base_path + ['authentication', 'radius', 'server', server]) @@ -129,6 +133,9 @@ def get_config(): if conf.exists(['port']): radius['port'] = conf.return_value(['port']) + if conf.exists(['acct-port']): + radius['acct_port'] = conf.return_value(['acct-port']) + if conf.exists(['key']): radius['key'] = conf.return_value(['key']) diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index 56ca813ff..2f4da0240 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -76,8 +76,11 @@ def vrf_routing(c, match): return matched -def get_config(): - conf = Config() +def get_config(config=None): + if config: + conf = config + else: + conf = Config() vrf_config = deepcopy(default_config_data) cfg_base = ['vrf'] diff --git a/src/conf_mode/vrrp.py b/src/conf_mode/vrrp.py index 292eb0c78..f1ceb261b 100755 --- a/src/conf_mode/vrrp.py +++ b/src/conf_mode/vrrp.py 
@@ -32,11 +32,14 @@ from vyos.ifconfig.vrrp import VRRP from vyos import airbag airbag.enable() -def get_config(): +def get_config(config=None): vrrp_groups = [] sync_groups = [] - config = vyos.config.Config() + if config: + config = config + else: + config = vyos.config.Config() # Get the VRRP groups for group_name in config.list_nodes("high-availability vrrp group"): diff --git a/src/conf_mode/vyos_cert.py b/src/conf_mode/vyos_cert.py index fb4644d5a..dc7c64684 100755 --- a/src/conf_mode/vyos_cert.py +++ b/src/conf_mode/vyos_cert.py @@ -103,10 +103,13 @@ def generate_self_signed(cert_data): if san_config: san_config.close() -def get_config(): +def get_config(config=None): vyos_cert = vyos.defaults.vyos_cert_data - conf = Config() + if config: + conf = config + else: + conf = Config() if not conf.exists('service https certificates system-generated-certificate'): return None else: diff --git a/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper b/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper index f1167fcd2..d1161e704 100644 --- a/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper +++ b/src/etc/dhcp/dhclient-enter-hooks.d/03-vyos-ipwrapper @@ -40,7 +40,14 @@ function iptovtysh () { elif [ "$7" == "dev" ]; then VTYSH_DEV=$8 fi - VTYSH_CMD="ip route $VTYSH_NETADDR $VTYSH_GATEWAY $VTYSH_DEV tag $VTYSH_TAG $VTYSH_DISTANCE" + + # Add route to VRF routing table + local VTYSH_VRF_NAME=$(basename /sys/class/net/$VTYSH_DEV/upper_* | sed -e 's/upper_//') + if [ -n $VTYSH_VRF_NAME ]; then + VTYSH_VRF="vrf $VTYSH_VRF_NAME" + fi + VTYSH_CMD="ip route $VTYSH_NETADDR $VTYSH_GATEWAY $VTYSH_DEV tag $VTYSH_TAG $VTYSH_DISTANCE $VTYSH_VRF" + # delete route if the command is "del" if [ "$3" == "del" ] ; then VTYSH_CMD="no $VTYSH_CMD" diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup b/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup index 01981ad04..b768e1ae5 100644 --- a/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup 
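Review bot: In the 03-vyos-ipwrapper hunk `if [ -n $VTYSH_VRF_NAME ]` is unquoted, so when the variable is empty the test degenerates to `[ -n ]`, which is true, and the guard never filters anything. When `$VTYSH_DEV` has no `upper_*` entry the glob stays unexpanded, `basename`/`sed` reduce it to the literal `*`, and `VTYSH_CMD` ends up carrying `vrf *`, which is subject to pathname expansion wherever the command is later executed unquoted. Resolve the glob without relying on shell globbing semantics and quote the test: `local VTYSH_VRF_NAME=""; for u in /sys/class/net/"$VTYSH_DEV"/upper_*; do [ -e "$u" ] && VTYSH_VRF_NAME="${u##*/upper_}"; done` followed by `if [ -n "$VTYSH_VRF_NAME" ]; then VTYSH_VRF="vrf $VTYSH_VRF_NAME"; fi`. `VTYSH_VRF` itself is neither declared `local` nor cleared, so a value from an earlier call of `iptovtysh` persists into the next one; initialise it alongside `VTYSH_VRF_NAME`. The 01-vyos-cleanup hunk builds `vrf_name` the same way and needs the same change; `iptovtysh` continues outside the hunk.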
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/01-vyos-cleanup @@ -15,8 +15,14 @@ if [[ $reason =~ (EXPIRE|FAIL|RELEASE|STOP) ]]; then # try to delete default ip route for router in $old_routers; do - logmsg info "Deleting default route: via $router dev ${interface}" - ip -4 route del default via $router dev ${interface} + # check if we are bound to a VRF + local vrf_name=$(basename /sys/class/net/${interface}/upper_* | sed -e 's/upper_//') + if [ -n $vrf_name ]; then + vrf="vrf $vrf_name" + fi + + logmsg info "Deleting default route: via $router dev ${interface} ${vrf}" + ip -4 route del default via $router dev ${interface} ${vrf} done # delete rfc3442 routes diff --git a/src/etc/systemd/system/LCDd.service.d/override.conf b/src/etc/systemd/system/LCDd.service.d/override.conf new file mode 100644 index 000000000..5f3f0dc95 --- /dev/null +++ b/src/etc/systemd/system/LCDd.service.d/override.conf @@ -0,0 +1,8 @@ +[Unit] +After= +After=vyos-router.service + +[Service] +ExecStart= +ExecStart=/usr/sbin/LCDd -c /run/LCDd/LCDd.conf + diff --git a/src/etc/systemd/system/ocserv.service.d/override.conf b/src/etc/systemd/system/ocserv.service.d/override.conf new file mode 100644 index 000000000..89dbb153f --- /dev/null +++ b/src/etc/systemd/system/ocserv.service.d/override.conf @@ -0,0 +1,14 @@ +[Unit] +RequiresMountsFor=/run +ConditionPathExists=/run/ocserv/ocserv.conf +After= +After=vyos-router.service +After=dbus.service + +[Service] +WorkingDirectory=/run/ocserv +PIDFile= +PIDFile=/run/ocserv/ocserv.pid +ExecStart= +ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv/ocserv.pid --config /run/ocserv/ocserv.conf + diff --git a/src/etc/systemd/system/radvd.service.d/override.conf b/src/etc/systemd/system/radvd.service.d/override.conf index 44c4345e1..c2f640cf5 100644 --- a/src/etc/systemd/system/radvd.service.d/override.conf +++ b/src/etc/systemd/system/radvd.service.d/override.conf @@ -1,17 +1,17 @@ -[Unit]
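Review bot: `local vrf_name=...` in the 01-vyos-cleanup hunk sits in a `for` loop under a top-level `if [[ $reason =~ ... ]]`; if this hook is sourced by dhclient-script outside any function, as the visible context suggests, bash rejects `local` with "can only be used in a function" and the route deletion never runs. Use a plain assignment `vrf_name=$(...)` and reset `vrf=""` before the loop so a stale value cannot linger. The quoting and unmatched-glob problem raised on the 03-vyos-ipwrapper hunk applies here unchanged.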
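Review bot: The LCDd override differs from the ocserv and radvd overrides in this same change by not declaring `ConditionPathExists=/run/LCDd/LCDd.conf` before `ExecStart=/usr/sbin/LCDd -c /run/LCDd/LCDd.conf`, so a boot where that file has not been rendered yet starts LCDd against a missing config and fails the unit instead of skipping it. Adding `ConditionPathExists=/run/LCDd/LCDd.conf` under `[Unit]` makes the three overrides consistent. What generates the file at boot is not visible here.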
-ConditionPathExists=/run/radvd/radvd.conf
-After=
-After=vyos-router.service
-
-[Service]
-WorkingDirectory=
-WorkingDirectory=/run/radvd
-ExecStartPre=
-ExecStartPre=/usr/sbin/radvd --logmethod stderr_clean --configtest --config /run/radvd/radvd.conf
-ExecStart=
-ExecStart=/usr/sbin/radvd --logmethod stderr_clean --config /run/radvd/radvd.conf --pidfile /run/radvd/radvd.pid
-ExecReload=
-ExecReload=/usr/sbin/radvd --logmethod stderr_clean --configtest --config /run/radvd/radvd.conf
-ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=
-PIDFile=/run/radvd/radvd.pid
+[Unit] +ConditionPathExists=/run/radvd/radvd.conf +After= +After=vyos-router.service + +[Service] +WorkingDirectory= +WorkingDirectory=/run/radvd +ExecStartPre= +ExecStartPre=/usr/sbin/radvd --logmethod stderr_clean --configtest --config /run/radvd/radvd.conf +ExecStart= +ExecStart=/usr/sbin/radvd --logmethod stderr_clean --config /run/radvd/radvd.conf --pidfile /run/radvd/radvd.pid +ExecReload= +ExecReload=/usr/sbin/radvd --logmethod stderr_clean --configtest --config /run/radvd/radvd.conf +ExecReload=/bin/kill -HUP $MAINPID +PIDFile= +PIDFile=/run/radvd/radvd.pid diff --git a/src/helpers/vyos-load-config.py b/src/helpers/vyos-load-config.py index a9fa15778..c2da1bb11 100755 --- a/src/helpers/vyos-load-config.py +++ b/src/helpers/vyos-load-config.py @@ -27,12 +27,12 @@ import sys import tempfile import vyos.defaults import vyos.remote -from vyos.config import Config, VyOSError +from vyos.configsource import ConfigSourceSession, VyOSError from vyos.migrator import Migrator, VirtualMigrator, MigratorError -class LoadConfig(Config): +class LoadConfig(ConfigSourceSession): """A subclass for calling 'loadFile'. - This does not belong in config.py, and only has a single caller. + This does not belong in configsource.py, and only has a single caller. """ def load_config(self, path): return self._run(['/bin/cli-shell-api','loadFile',path]) diff --git a/src/migration-scripts/interfaces/11-to-12 b/src/migration-scripts/interfaces/11-to-12 new file mode 100755 index 000000000..0dad24642 --- /dev/null +++ b/src/migration-scripts/interfaces/11-to-12 
@@ -0,0 +1,58 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# - rename 'dhcpv6-options prefix-delegation' from single node to a new tag node +# 'dhcpv6-options pd 0' +# - delete 'sla-len' from CLI - value is calculated on demand + +from sys import exit, argv +from vyos.configtree import ConfigTree + +if __name__ == '__main__': + if (len(argv) < 1): + print("Must specify file name!") + exit(1) + + file_name = argv[1] + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + + for type in config.list_nodes(['interfaces']): + for interface in config.list_nodes(['interfaces', type]): + # cache current config tree + base_path = ['interfaces', type, interface, 'dhcpv6-options'] + old_base = base_path + ['prefix-delegation'] + new_base = base_path + ['pd'] + if config.exists(old_base): + config.set(new_base) + config.set_tag(new_base) + config.copy(old_base, new_base + ['0']) + config.delete(old_base) + + for pd in config.list_nodes(new_base): + for tmp in config.list_nodes(new_base + [pd, 'interface']): + sla_config = new_base + [pd, 'interface', tmp, 'sla-len'] + if config.exists(sla_config): + config.delete(sla_config) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) 
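Review bot: The argument guard `if (len(argv) < 1):` in interfaces/11-to-12 can never fire because `argv[0]` is always present, so running the script without a file name dies on `argv[1]` with an IndexError instead of the intended message; it has to be `if len(argv) < 2:`. The new pppoe-server/3-to-4 script carries the same guard. The loop variable `type` shadows the builtin and reads better as `iftype`. The `for pd in config.list_nodes(new_base)` loop appears to follow the `if config.exists(old_base):` block; if it is at the outer indentation (the collapsed diff hides this), it runs for interfaces that never had a `pd` node, so guard it with `if config.exists(new_base):` unless that is already the case.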
diff --git a/src/migration-scripts/interfaces/7-to-8 b/src/migration-scripts/interfaces/7-to-8 index 8830ffdc7..a4051301f 100755 --- a/src/migration-scripts/interfaces/7-to-8 +++ b/src/migration-scripts/interfaces/7-to-8 @@ -17,8 +17,23 @@ # Split WireGuard endpoint into address / port nodes to make use of common # validators +import os + from sys import exit, argv from vyos.configtree import ConfigTree +from vyos.util import chown, chmod_750 + +def migrate_default_keys(): + kdir = r'/config/auth/wireguard' + if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'): + location = f'{kdir}/default' + if not os.path.exists(location): + os.makedirs(location) + + chown(location, 'root', 'vyattacfg') + chmod_750(location) + os.rename(f'{kdir}/private.key', f'{location}/private.key') + os.rename(f'{kdir}/public.key', f'{location}/public.key') if __name__ == '__main__': if (len(argv) < 1): @@ -32,6 +47,8 @@ if __name__ == '__main__': config = ConfigTree(config_file) base = ['interfaces', 'wireguard'] + migrate_default_keys() + if not config.exists(base): # Nothing to do exit(0) diff --git a/src/migration-scripts/pppoe-server/2-to-3 b/src/migration-scripts/pppoe-server/2-to-3 index fa6ef02da..5f9730a41 100755 --- a/src/migration-scripts/pppoe-server/2-to-3 +++ b/src/migration-scripts/pppoe-server/2-to-3 @@ -17,7 +17,6 @@ # - remove primary/secondary identifier from nameserver import os -import sys from sys import argv, exit from vyos.configtree import ConfigTree diff --git a/src/migration-scripts/pppoe-server/3-to-4 b/src/migration-scripts/pppoe-server/3-to-4 new file mode 100755 index 000000000..ed5a01625 --- /dev/null +++ b/src/migration-scripts/pppoe-server/3-to-4 
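Review bot: `migrate_default_keys()` renames `private.key` and then `public.key` without checking that the public key exists, so a key directory holding only the private half ends with the private key already moved, a FileNotFoundError from the second `os.rename`, and the migration aborted half-way. Check both files before moving anything, e.g. `if all(os.path.exists(f'{kdir}/{k}') for k in ('private.key', 'public.key')) and not os.path.exists(f'{kdir}/default/private.key'):`. The new directory gets `chown`/`chmod_750`, but the moved key files keep whatever mode they had before; a comment such as `# rename preserves the key files' own mode/owner — confirm private.key stays 0600` would flag that for whoever owns the key layout. The call in the second hunk runs before the `config.exists(base)` check, which looks intentional so keys move even when no wireguard interface is configured, but a one-line comment saying so would save the next reader the question.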
@@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# change mppe node to a leaf node with value prefer + +import os + +from sys import argv, exit +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['service', 'pppoe-server'] +if not config.exists(base): + # Nothing to do + exit(0) +else: + mppe_base = base + ['ppp-options', 'mppe'] + if config.exists(mppe_base): + # drop node first ... + config.delete(mppe_base) + # ... and set new default + config.set(mppe_base, value='prefer') + + print(config.to_string()) + exit(1) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/op_mode/anyconnect-control.py b/src/op_mode/anyconnect-control.py new file mode 100755 index 000000000..6382016b7 --- /dev/null +++ b/src/op_mode/anyconnect-control.py 
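Review bot: pppoe-server/3-to-4 calls `print(config.to_string())` followed by `exit(1)` right after rewriting the `mppe` node, so the `try: with open(file_name, 'w')` block below is unreachable, the migrated tree is never written and every run reports failure; these two lines look like debugging leftovers and should be deleted. The `if (len(argv) < 1):` guard cannot trigger (see the interfaces/11-to-12 note) and `import os` is unused. Unlike the other new migration script this one has no `if __name__ == '__main__':` guard, which is harmless for a script but inconsistent with 11-to-12 and 7-to-8.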
@@ -0,0 +1,67 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import sys +import argparse +import json + +from vyos.config import Config +from vyos.util import popen, run, DEVNULL +from tabulate import tabulate + +occtl = '/usr/bin/occtl' +occtl_socket = '/run/ocserv/occtl.socket' + +def show_sessions(): + out, code = popen("sudo {0} -j -s {1} show users".format(occtl, occtl_socket),stderr=DEVNULL) + if code: + sys.exit('Cannot get anyconnect users information') + else: + headers = ["interface", "username", "ip", "remote IP", "RX", "TX", "state", "uptime"] + sessions = json.loads(out) + ses_list = [] + for ses in sessions: + ses_list.append([ses["Device"], ses["Username"], ses["IPv4"], ses["Remote IP"], ses["_RX"], ses["_TX"], ses["State"], ses["_Connected at"]]) + if len(ses_list) > 0: + print(tabulate(ses_list, headers)) + else: + print("No active anyconnect sessions") + +def is_ocserv_configured(): + if not Config().exists_effective('vpn anyconnect'): + print("vpn anyconnect server is not configured") + sys.exit(1) + +def main(): + #parese args + parser = argparse.ArgumentParser() + parser.add_argument('--action', help='Control action', required=True) + parser.add_argument('--selector', help='Selector username|ifname|sid', required=False) + parser.add_argument('--target', help='Target must contain username|ifname|sid', required=False) + args 
= parser.parse_args() + + + # Check is IPoE configured + is_ocserv_configured() + + if args.action == "restart": + run("systemctl restart ocserv") + sys.exit(0) + elif args.action == "show_sessions": + show_sessions() + +if __name__ == '__main__': + main() diff --git a/src/op_mode/lldp_op.py b/src/op_mode/lldp_op.py index 5d48e3210..06958c605 100755 --- a/src/op_mode/lldp_op.py +++ b/src/op_mode/lldp_op.py @@ -14,19 +14,19 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. - import argparse import jinja2 +import json -from xml.dom import minidom from sys import exit from tabulate import tabulate -from vyos.util import popen +from vyos.util import cmd from vyos.config import Config parser = argparse.ArgumentParser() parser.add_argument("-a", "--all", action="store_true", help="Show LLDP neighbors on all interfaces") +parser.add_argument("-d", "--detail", action="store_true", help="Show detailes LLDP neighbor information on all interfaces") parser.add_argument("-i", "--interface", action="store", help="Show LLDP neighbors on specific interface") # Please be careful if you edit the template. 
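Review bot: `main()` in anyconnect-control.py accepts any `--action` string and silently does nothing for values other than `restart` and `show_sessions`; restricting it at parse time, `parser.add_argument('--action', help='Control action', required=True, choices=['restart', 'show_sessions'])`, makes the op-mode command fail loudly on a typo. `--selector` and `--target` are parsed but never read, so either wire them into `show_sessions` or drop them until they are. In `show_sessions` a zero exit from occtl with empty stdout — plausible with no clients connected, though not verifiable here — would make `json.loads(out)` raise instead of printing "No active anyconnect sessions"; `sessions = json.loads(out) if out.strip() else []` covers it. The comments `#parese args` and `# Check is IPoE configured` look copied from another script and should read `# parse args` and `# check that ocserv is configured`.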
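Review bot: The new `--detail` option's help text in lldp_op.py has a typo, "detailes", and says "on all interfaces" although, per the later hunk, the flag dumps `lldpctl -f plain` and ignores `--interface`; `help="Show detailed LLDP neighbor information on all interfaces (ignores --interface)"` states both. Making `--detail` and `--interface` mutually exclusive through `parser.add_mutually_exclusive_group()` would let argparse enforce what the help only describes.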
@@ -35,108 +35,61 @@ lldp_out = """Capability Codes: R - Router, B - Bridge, W - Wlan r - Repeater, S Device ID Local Proto Cap Platform Port ID --------- ----- ----- --- -------- ------- -{% for n in neighbors -%} -{{ "%-25s" | format(n.chassis) }} {{ "%-9s" | format(n.interface) }} {{ "%-6s" | format(n.proto) }} {{ "%-5s" | format(n.cap) }} {{ "%-20s" | format(n.platform) }} {{ n.port }} -{% endfor -%} +{% for neighbor in neighbors %} +{% for local_if, info in neighbor.items() %} +{{ "%-25s" | format(info.chassis) }} {{ "%-9s" | format(local_if) }} {{ "%-6s" | format(info.proto) }} {{ "%-5s" | format(info.capabilities) }} {{ "%-20s" | format(info.platform[:18]) }} {{ info.remote_if }} +{% endfor %} +{% endfor %} """ -def _get_neighbors(): - command = '/usr/sbin/lldpcli -f xml show neighbors' - out,_ = popen(command) - return out - -def extract_neighbor(neighbor): - """ - Extract LLDP neighbor information from XML document passed as param neighbor - - <lldp> - <interface label="Interface" name="eth0" via="LLDP" rid="3" age="0 day, 00:17:42"> - <chassis label="Chassis"> - <id label="ChassisID" type="mac">00:50:56:9d:a6:11</id> - <name label="SysName">VyOS</name> - <descr label="SysDescr">VyOS unknown</descr> - <mgmt-ip label="MgmtIP">172.18.254.203</mgmt-ip> - <mgmt-ip label="MgmtIP">fe80::250:56ff:fe9d:a611</mgmt-ip> - <capability label="Capability" type="Bridge" enabled="off"/> - <capability label="Capability" type="Router" enabled="on"/> - <capability label="Capability" type="Wlan" enabled="off"/> - <capability label="Capability" type="Station" enabled="off"/> - </chassis> - <port label="Port"> - <id label="PortID" type="mac">00:50:56:9d:a6:11</id> - <descr label="PortDescr">eth0</descr> - <ttl label="TTL">120</ttl> - <auto-negotiation label="PMD autoneg" supported="no" enabled="no"> - <current label="MAU oper type">10GigBaseCX4 - X copper over 8 pair 100-Ohm balanced cable</current> - </auto-negotiation> - </port> - <vlan label="VLAN" 
vlan-id="203">eth0.203</vlan> - <lldp-med label="LLDP-MED"> - <device-type label="Device Type">Network Connectivity Device</device-type> - <capability label="Capability" type="Capabilities" available="yes"/> - <capability label="Capability" type="Policy" available="yes"/> - <capability label="Capability" type="Location" available="yes"/> - <capability label="Capability" type="MDI/PSE" available="yes"/> - <capability label="Capability" type="MDI/PD" available="yes"/> - <capability label="Capability" type="Inventory" available="yes"/> - <inventory label="Inventory"> - <hardware label="Hardware Revision">None</hardware> - <software label="Software Revision">4.19.54-amd64-vyos</software> - <firmware label="Firmware Revision">6.00</firmware> - <serial label="Serial Number">VMware-42 1d cf 87 ab 7f da 7e-3</serial> - <manufacturer label="Manufacturer">VMware, Inc.</manufacturer> - <model label="Model">VMware Virtual Platform</model> - <asset label="Asset ID">No Asset Tag</asset> - </inventory> - </lldp-med> - </interface> - </lldp> - """ - - device = { - 'interface' : neighbor.getAttribute('name'), - 'chassis' : '', - 'proto' : neighbor.getAttribute('via'), - 'descr' : '', - 'cap' : '', - 'platform' : '', - 'port' : '' - } - - # first change to <chassis> node and then retrieve <name> and <descr> - chassis = neighbor.getElementsByTagName('chassis') - device['chassis'] = chassis[0].getElementsByTagName('name')[0].firstChild.data - # Cisco IOS comes with a ',' remove character .... - device['platform'] = chassis[0].getElementsByTagName('descr')[0].firstChild.data[:20].replace(',',' ') - - # extract capabilities - for capability in chassis[0].getElementsByTagName('capability'): - # we are only interested in enabled capabilities ... 
- if capability.getAttribute('enabled') == "on": - if capability.getAttribute('type') == "Router": - device['cap'] += 'R' - elif capability.getAttribute('type') == "Bridge": - device['cap'] += 'B' - elif capability.getAttribute('type') == "Wlan": - device['cap'] += 'W' - elif capability.getAttribute('type') == "Station": - device['cap'] += 'S' - elif capability.getAttribute('type') == "Repeater": - device['cap'] += 'r' - elif capability.getAttribute('type') == "Telephone": - device['cap'] += 'T' - elif capability.getAttribute('type') == "Docsis": - device['cap'] += 'D' - elif capability.getAttribute('type') == "Other": - device['cap'] += 'O' - - # first change to <port> node and then retrieve <descr> - port = neighbor.getElementsByTagName('port') - port = port[0].getElementsByTagName('descr')[0].firstChild.data - device['port'] = port - - - return device +def get_neighbors(): + return cmd('/usr/sbin/lldpcli -f json show neighbors') + +def parse_data(data): + output = [] + for tmp in data: + for local_if, values in tmp.items(): + for chassis, c_value in values.get('chassis', {}).items(): + capabilities = c_value['capability'] + if isinstance(capabilities, dict): + capabilities = [capabilities] + + cap = '' + for capability in capabilities: + if capability['enabled']: + if capability['type'] == 'Router': + cap += 'R' + if capability['type'] == 'Bridge': + cap += 'B' + if capability['type'] == 'Wlan': + cap += 'W' + if capability['type'] == 'Station': + cap += 'S' + if capability['type'] == 'Repeater': + cap += 'r' + if capability['type'] == 'Telephone': + cap += 'T' + if capability['type'] == 'Docsis': + cap += 'D' + if capability['type'] == 'Other': + cap += 'O' + + + remote_if = 'Unknown' + if 'descr' in values.get('port', {}): + remote_if = values.get('port', {}).get('descr') + elif 'id' in values.get('port', {}): + remote_if = values.get('port', {}).get('id').get('value', 'Unknown') + + output.append({local_if: {'chassis': chassis, + 'remote_if': remote_if, + 
'proto': values.get('via','Unknown'), + 'platform': c_value.get('descr', 'Unknown'), + 'capabilities': cap}}) + + + output = {'neighbors': output} + return output if __name__ == '__main__': args = parser.parse_args() @@ -147,24 +100,26 @@ if __name__ == '__main__': print('Service LLDP is not configured') exit(0) - if args.all: - neighbors = minidom.parseString(_get_neighbors()) - for neighbor in neighbors.getElementsByTagName('interface'): - tmp['neighbors'].append( extract_neighbor(neighbor) ) + if args.detail: + print(cmd('/usr/sbin/lldpctl -f plain')) + exit(0) + elif args.all or args.interface: + tmp = json.loads(get_neighbors()) - elif args.interface: - neighbors = minidom.parseString(_get_neighbors()) - for neighbor in neighbors.getElementsByTagName('interface'): - # check if neighbor appeared on proper interface - if neighbor.getAttribute('name') == args.interface: - tmp['neighbors'].append( extract_neighbor(neighbor) ) + if args.all: + neighbors = tmp['lldp']['interface'] + elif args.interface: + neighbors = [] + for neighbor in tmp['lldp']['interface']: + if args.interface in neighbor: + neighbors.append(neighbor) else: parser.print_help() exit(1) - tmpl = jinja2.Template(lldp_out) - config_text = tmpl.render(tmp) + tmpl = jinja2.Template(lldp_out, trim_blocks=True) + config_text = tmpl.render(parse_data(neighbors)) print(config_text) exit(0) diff --git a/src/op_mode/ping.py b/src/op_mode/ping.py index e56952c38..29b430d53 100755 --- a/src/op_mode/ping.py +++ b/src/op_mode/ping.py @@ -118,7 +118,8 @@ options = { 'vrf': { 'ping': 'sudo ip vrf exec {value} {command}', 'type': '<vrf>', - 'help': 'Use specified VRF table' + 'help': 'Use specified VRF table', + 'dflt': 'default', }, 'verbose': { 'ping': '{command} -v', 
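Review bot: `parse_data` indexes `c_value['capability']` directly while every other field in the same loop is read with `.get(..., default)`, so a neighbour whose chassis entry carries no capability raises KeyError and aborts the whole listing; `capabilities = c_value.get('capability', [])` keeps the output going. The removed XML path stripped commas from the platform string ("Cisco IOS comes with a ',' remove character") and the new code no longer does, so the `format(info.platform[:18])` column will again contain commas for such devices — if that trimming still matters, apply `.replace(',', ' ')` when building `'platform'`. The eight `if capability['type'] == ...` branches are a lookup table in disguise: `cap_codes = {'Router': 'R', 'Bridge': 'B', 'Wlan': 'W', 'Station': 'S', 'Repeater': 'r', 'Telephone': 'T', 'Docsis': 'D', 'Other': 'O'}` and `cap = ''.join(cap_codes.get(c['type'], '') for c in capabilities if c['enabled'])` replace them.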
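Review bot: `tmp['lldp']['interface']` in the `__main__` branch is indexed without a default, and the new `parse_data` already has to cope with the JSON collapsing a single-element list into a plain dict (the `isinstance(capabilities, dict)` branch); the same collapse presumably applies to `interface` when exactly one neighbour is known, in which case iterating it yields key strings and `args.interface in neighbor` silently matches nothing. Normalise once: `neighbors = tmp.get('lldp', {}).get('interface', [])` then `if isinstance(neighbors, dict): neighbors = [neighbors]`, and apply the interface filter to that list. With `-d` the `--interface` argument is ignored (see the earlier hunk), which the help text should say. The enclosing `if __name__ == '__main__':` block starts outside the hunk.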
@@ -207,6 +208,11 @@ if __name__ == '__main__': sys.stdout.write(options[matched[0]]['type']) sys.exit(0) + for name,option in options.items(): + if 'dflt' in option and name not in args: + args.append(name) + args.append(option['dflt']) + try: ip = socket.gethostbyname(host) except socket.gaierror: diff --git a/src/op_mode/show_system_integrity.py b/src/op_mode/show_system_integrity.py new file mode 100755 index 000000000..c34d41e80 --- /dev/null +++ b/src/op_mode/show_system_integrity.py 
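Review bot: The default-injection loop added in ping.py appends `vrf default` to every invocation that did not name a VRF, so — given the `'vrf'` entry's `'ping': 'sudo ip vrf exec {value} {command}'` template from the first hunk — every ping now runs through sudo, not only the VRF-scoped ones; that widens the privileged path to all user-supplied ping options, and the sudoers rule plus the way `{command}` is assembled (not visible here) should be checked to confirm the argument vector never passes through a shell. If the only goal is for VRF-less pings to behave as before, the narrower fix is to leave `dflt` out and keep the unprivileged path for the default VRF. `name not in args` compares against the raw token list, so a positional value equal to an option name (a host called `vrf`, say) suppresses the default; matching against the parsed options would avoid that, though how `args` is built is outside the hunk. The `for name,option` header also wants a space after the comma.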
@@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +import sys +import os +import re +import json +from datetime import datetime, timedelta + +version_file = r'/usr/share/vyos/version.json' + + +def _get_sys_build_version(): + if not os.path.exists(version_file): + return None + buf = open(version_file, 'r').read() + j = json.loads(buf) + if not 'built_on' in j: + return None + return datetime.strptime(j['built_on'], '%a %d %b %Y %H:%M %Z') + + +def _check_pkgs(build_stamp): + pkg_diffs = { + 'buildtime': str(build_stamp), + 'pkg': {} + } + + pkg_info = os.listdir('/var/lib/dpkg/info/') + for file in pkg_info: + if re.search('\.list$', file): + fts = os.stat('/var/lib/dpkg/info/' + file).st_mtime + dt_str = (datetime.utcfromtimestamp( + fts).strftime('%Y-%m-%d %H:%M:%S')) + fdt = datetime.strptime(dt_str, '%Y-%m-%d %H:%M:%S') + if fdt > build_stamp: + pkg_diffs['pkg'].update( + {str(re.sub('\.list', '', file)): str(fdt)}) + + if len(pkg_diffs['pkg']) != 0: + return pkg_diffs + else: + return None + + +if __name__ == '__main__': + built_date = _get_sys_build_version() + if not built_date: + sys.exit(1) + pkgs = _check_pkgs(built_date) + if pkgs: + print ( + "The following packages don\'t fit the image creation time\nbuild time:\t" + pkgs['buildtime']) + for k, v in pkgs['pkg'].items(): + print ("installed: " + v + '\t' + k) 
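Review bot: `_get_sys_build_version` reads the version file with `buf = open(version_file, 'r').read()` and never closes it; `with open(version_file) as f: j = json.load(f)` does the same without the leak. The regexes `'\.list$'` and `'\.list'` are not raw strings, so `\.` is an invalid escape newer Pythons warn about — use `r'\.list$'` — the `utcfromtimestamp → strftime → strptime` round trip is just `datetime.utcfromtimestamp(fts).replace(microsecond=0)`, and `timedelta` is imported but unused. The name promises more than the code delivers: it compares dpkg `.list` mtimes with the image build stamp, and an mtime is trivially set with `touch`, so this reports packages installed after the image was built rather than tampering — a header line such as `# NOTE: heuristic only — compares dpkg .list mtimes to the build stamp; not a cryptographic integrity check` sets expectations. `sys.exit(1)` without a message when the version file is missing leaves the operator guessing; `sys.exit('Cannot determine image build time')` costs nothing.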
diff --git a/src/op_mode/system_integrity.py b/src/op_mode/system_integrity.py deleted file mode 100755 index c0e3d1095..000000000 --- a/src/op_mode/system_integrity.py +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# -# - -import sys -import os -import re -import itertools -from datetime import datetime, timedelta - -from vyos.util import cmd - -verf = r'/usr/libexec/vyos/op_mode/version.py' - -def get_sys_build_version(): - if not os.path.exists(verf): - return None - - a = cmd('/usr/libexec/vyos/op_mode/version.py') - if re.search('^Built on:.+',a, re.M) == None: - return None - - dt = ( re.sub('Built on: +','', re.search('^Built on:.+',a, re.M).group(0)) ) - return datetime.strptime(dt,'%a %d %b %Y %H:%M %Z') - -def check_pkgs(dt): - pkg_diffs = { - 'buildtime' : str(dt), - 'pkg' : {} - } - - pkg_info = os.listdir('/var/lib/dpkg/info/') - for file in pkg_info: - if re.search('\.list$', file): - fts = os.stat('/var/lib/dpkg/info/' + file).st_mtime - dt_str = (datetime.utcfromtimestamp(fts).strftime('%Y-%m-%d %H:%M:%S')) - fdt = datetime.strptime(dt_str, '%Y-%m-%d %H:%M:%S') - if fdt > dt: - pkg_diffs['pkg'].update( { str(re.sub('\.list','',file)) : str(fdt)}) - - if len(pkg_diffs['pkg']) != 0: - return pkg_diffs - else: - return None - -def main(): - dt = get_sys_build_version() - pkgs = check_pkgs(dt) - if pkgs != None: - print ("The following packages don\'t fit the image creation time\nbuild time:\t" + pkgs['buildtime']) - for k, v in pkgs['pkg'].items(): - print ("installed: " + v + '\t' + 
k) - -if __name__ == '__main__': - sys.exit( main() ) - diff --git a/src/op_mode/wireguard.py b/src/op_mode/wireguard.py index 15bf63e81..e08bc983a 100755 --- a/src/op_mode/wireguard.py +++ b/src/op_mode/wireguard.py @@ -21,22 +21,17 @@ import shutil import syslog as sl import re +from vyos.config import Config from vyos.ifconfig import WireGuardIf - +from vyos.util import cmd +from vyos.util import run +from vyos.util import check_kmod from vyos import ConfigError -from vyos.config import Config -from vyos.util import cmd, run dir = r'/config/auth/wireguard' psk = dir + '/preshared.key' -def check_kmod(): - """ check if kmod is loaded, if not load it """ - if not os.path.exists('/sys/module/wireguard'): - sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") - if run('sudo modprobe wireguard') != 0: - sl.syslog(sl.LOG_ERR, "modprobe wireguard failed") - raise ConfigError("modprobe wireguard failed") +k_mod = 'wireguard' def generate_keypair(pk, pub): """ generates a keypair which is stored in /config/auth/wireguard """ @@ -106,7 +101,7 @@ def del_key_dir(kname): if __name__ == '__main__': - check_kmod() + check_kmod(k_mod) parser = argparse.ArgumentParser(description='wireguard key management') parser.add_argument( '--genkey', action="store_true", help='generate key-pair') diff --git a/src/services/vyos-configd b/src/services/vyos-configd new file mode 100755 index 000000000..75f84d3df --- /dev/null +++ b/src/services/vyos-configd 
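Review bot: After replacing the local `check_kmod` with `vyos.util.check_kmod` in wireguard.py, `import syslog as sl` and `from vyos import ConfigError` — used only by the removed function as far as this hunk shows — look unused; if the rest of the file (outside the hunk) does not reference them they should go. The second hunk's `check_kmod(k_mod)` runs before `parser = argparse.ArgumentParser(...)`, so even `--help` loads the kernel module; moving the call after `parser.parse_args()` keeps help output side-effect free. The three separate `from vyos.util import ...` lines can be one: `from vyos.util import check_kmod, cmd, run`.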
@@ -0,0 +1,224 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +import os +import sys +import grp +import re +import json +import logging +import signal +import importlib.util +import zmq + +from vyos.defaults import directories +from vyos.configsource import ConfigSourceString +from vyos.config import Config +from vyos import ConfigError + +CFG_GROUP = 'vyattacfg' + +debug = True + +logger = logging.getLogger(__name__) +logs_handler = logging.StreamHandler() +logger.addHandler(logs_handler) + +if debug: + logger.setLevel(logging.DEBUG) +else: + logger.setLevel(logging.INFO) + +SOCKET_PATH = "ipc:///run/vyos-configd.sock" + +# Response error codes +R_SUCCESS = 1 +R_ERROR_COMMIT = 2 +R_ERROR_DAEMON = 4 +R_PASS = 8 + +vyos_conf_scripts_dir = directories['conf_mode'] +configd_include_file = os.path.join(directories['data'], 'configd-include.json') +configd_env_set_file = os.path.join(directories['data'], 'vyos-configd-env-set') +configd_env_unset_file = os.path.join(directories['data'], 'vyos-configd-env-unset') +# sourced on entering config session +configd_env_file = '/etc/default/vyos-configd-env' + +active_string = '' +session_string = '' + +def key_name_from_file_name(f): + return os.path.splitext(f)[0] + +def module_name_from_key(k): + return k.replace('-', '_') + +def path_from_file_name(f): + return os.path.join(vyos_conf_scripts_dir, 
f) + +# opt-in to be run by daemon +with open(configd_include_file) as f: + try: + include = json.load(f) + except OSError as e: + logger.critical(f"configd include file error: {e}") + sys.exit(1) + except json.JSONDecodeError as e: + logger.critical(f"JSON load error: {e}") + sys.exit(1) + +# import conf_mode scripts +(_, _, filenames) = next(iter(os.walk(vyos_conf_scripts_dir))) +filenames.sort() + +load_filenames = [f for f in filenames if f in include] +imports = [key_name_from_file_name(f) for f in load_filenames] +module_names = [module_name_from_key(k) for k in imports] +paths = [path_from_file_name(f) for f in load_filenames] +to_load = list(zip(module_names, paths)) + +modules = [] + +for x in to_load: + spec = importlib.util.spec_from_file_location(x[0], x[1]) + module = importlib.util.module_from_spec(spec) + spec.loader.exec_module(module) + modules.append(module) + +conf_mode_scripts = dict(zip(imports, modules)) + +exclude_set = {key_name_from_file_name(f) for f in filenames if f not in include} +include_set = {key_name_from_file_name(f) for f in filenames if f in include} + + +def run_script(script, config) -> int: + config.set_level([]) + try: + c = script.get_config(config) + script.verify(c) + script.generate(c) + script.apply(c) + except ConfigError as e: + logger.critical(e) + return R_ERROR_COMMIT + except Exception: + return R_ERROR_DAEMON + + return R_SUCCESS + +def initialization(socket): + # Reset config strings: + active_string = '' + session_string = '' + # zmq synchronous for ipc from single client: + active_string = socket.recv().decode() + resp = "active" + socket.send(resp.encode()) + session_string = socket.recv().decode() + resp = "session" + socket.send(resp.encode()) + + configsource = ConfigSourceString(running_config_text=active_string, + session_config_text=session_string) + + config = Config(config_source=configsource) + + return config + +def process_node_data(config, data) -> int: + if not config: + logger.critical(f"Empty 
config") + return R_ERROR_DAEMON + + script_name = None + + res = re.match(r'^.+\/([^/].+).py(VYOS_TAGNODE_VALUE=.+)?', data) + if res.group(1): + script_name = res.group(1) + if res.group(2): + env = res.group(2).split('=') + os.environ[env[0]] = env[1] + + if not script_name: + logger.critical(f"Missing script_name") + return R_ERROR_DAEMON + + if script_name in exclude_set: + return R_PASS + + result = run_script(conf_mode_scripts[script_name], config) + + return result + +def remove_if_file(f: str): + try: + os.remove(f) + except FileNotFoundError: + pass + except OSError: + raise + +def shutdown(): + remove_if_file(configd_env_file) + os.symlink(configd_env_unset_file, configd_env_file) + sys.exit(0) + +if __name__ == '__main__': + context = zmq.Context() + socket = context.socket(zmq.REP) + + # Set the right permissions on the socket, then change it back + o_mask = os.umask(0) + socket.bind(SOCKET_PATH) + os.umask(o_mask) + + cfg_group = grp.getgrnam(CFG_GROUP) + os.setgid(cfg_group.gr_gid) + + os.environ['SUDO_USER'] = 'vyos' + os.environ['SUDO_GID'] = str(cfg_group.gr_gid) + + def sig_handler(signum, frame): + shutdown() + + signal.signal(signal.SIGTERM, sig_handler) + signal.signal(signal.SIGINT, sig_handler) + + # Define the vyshim environment variable + remove_if_file(configd_env_file) + os.symlink(configd_env_set_file, configd_env_file) + + config = None + + while True: + # Wait for next request from client + msg = socket.recv().decode() + logger.debug(f"Received message: {msg}") + message = json.loads(msg) + + if message["type"] == "init": + resp = "init" + socket.send(resp.encode()) + config = initialization(socket) + elif message["type"] == "node": + res = process_node_data(config, message["data"]) + response = res.to_bytes(1, byteorder=sys.byteorder) + logger.debug(f"Sending response {res}") + socket.send(response) + else: + logger.critical(f"Unexpected message: {message}") 
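Review bot: The `o_mask = os.umask(0)` / `socket.bind(SOCKET_PATH)` / `os.umask(o_mask)` sequence in the `__main__` block creates the IPC socket with no permission bits cleared, so every local account — not only `vyattacfg` members, which the comment suggests is the intent — can send init and node messages to a daemon that then runs conf_mode scripts with uid 0 (only setgid is called). `o_mask = os.umask(0o007)` limits the socket to its owner and the vyattacfg group; alternatively chmod it to 0660 right after bind. In process_node_data, `res = re.match(...)` is dereferenced without a None check, so client data that does not match the pattern raises AttributeError out of the main loop and terminates the daemon; guard it with `if res is None: logger.critical(f"Bad node data: {data}"); return R_ERROR_DAEMON` before `res.group(1)`. Similarly `conf_mode_scripts[script_name]` raises KeyError for a name that is in neither include_set nor exclude_set, and the `except Exception: return R_ERROR_DAEMON` in run_script swallows the traceback — `logger.exception("conf_mode script failed")` there would keep a record of why a commit fell back to pass-through.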
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server index 4c41fa96d..d5730d86c 100755 --- a/src/services/vyos-http-api-server +++ b/src/services/vyos-http-api-server @@ -32,7 +32,6 @@ from waitress import serve from functools import wraps from vyos.configsession import ConfigSession, ConfigSessionError -from vyos.config import VyOSError DEFAULT_CONFIG_FILE = '/etc/vyos/http-api.conf' @@ -231,8 +230,6 @@ def retrieve_op(command): return error(400, "\"{0}\" is not a valid config format".format(config_format)) else: return error(400, "\"{0}\" is not a valid operation".format(op)) - except VyOSError as e: - return error(400, str(e)) except ConfigSessionError as e: return error(400, str(e)) except Exception as e: diff --git a/src/shim/Makefile b/src/shim/Makefile new file mode 100644 index 000000000..c8487e3c2 --- /dev/null +++ b/src/shim/Makefile @@ -0,0 +1,20 @@ +DEBUG = 0 + +CC := gcc +CFLAGS := -I./mkjson -L./mkjson/lib -DDEBUG=${DEBUG} +LIBS := -lmkjson -lzmq + +.PHONY: vyshim +vyshim: vyshim.c libmkjson + $(CC) $(CFLAGS) -o $@ $< $(LIBS) + +.PHONY: libmkjson +libmkjson: + $(MAKE) -C mkjson + +all: vyshim + +.PHONY: clean +clean: + $(MAKE) -C mkjson clean + rm -f vyshim diff --git a/src/shim/mkjson/LICENSE b/src/shim/mkjson/LICENSE new file mode 100644 index 000000000..8c4284c91 --- /dev/null +++ b/src/shim/mkjson/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2018 Jacek Wieczorek + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/src/shim/mkjson/makefile b/src/shim/mkjson/makefile new file mode 100644 index 000000000..ba75399d2 --- /dev/null +++ b/src/shim/mkjson/makefile @@ -0,0 +1,30 @@ +CFLAGS = -Wall -Os -I. +CC = gcc +AR = ar + +#USE_ASPRINTF make flag can be used in order to encourage asprintf use inside the library +ifeq ($(USE_ASPRINTF),1) +CFLAGS += -D_GNU_SOURCE +endif + +#Builds object and a static library file +all: clean force + $(CC) $(CFLAGS) -c mkjson.c -o obj/mkjson.o + $(AR) -cvq lib/libmkjson.a obj/mkjson.o + $(AR) -t lib/libmkjson.a + +#Normal cleanup +clean: + -rm -rf obj + -rm -rf lib + +#Environment init +force: + -mkdir obj + -mkdir lib + +#Build the example snippet +example: all + gcc -o example examples/example.c -I. -Llib -lmkjson + + diff --git a/src/shim/mkjson/mkjson.c b/src/shim/mkjson/mkjson.c new file mode 100644 index 000000000..1172664fb --- /dev/null 
+++ b/src/shim/mkjson/mkjson.c 
@@ -0,0 +1,307 @@ +/* mkjson.c - a part of mkjson library + * + * Copyright (C) 2018 Jacek Wieczorek + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +#include <mkjson.h> +#include <stdio.h> +#include <stdlib.h> +#include <stdarg.h> +#include <string.h> + +// Works like asprintf, but it's always there +// I don't want the name to collide with anything +static int allsprintf( char **strp, const char *fmt, ... ) +{ + int len; + va_list ap; + va_start( ap, fmt ); + + #ifdef _GNU_SOURCE + // Just hand everything to vasprintf, if it's available + len = vasprintf( strp, fmt, ap ); + #else + // Or do it the manual way + char *buf; + len = vsnprintf( NULL, 0, fmt, ap ); + if ( len >= 0 ) + { + buf = malloc( ++len ); + if ( buf != NULL ) + { + // Hopefully, that's the right way to do it + va_end( ap ); + va_start( ap, fmt ); + + // Write and return the data + len = vsnprintf( buf, len, fmt, ap ); + if ( len >= 0 ) + { + *strp = buf; + } + else + { + free( buf ); + } + } + } + #endif + + va_end( ap ); + return len; +} + +// Return JSON string built from va_arg arguments +// If no longer needed, should be passed to free() by user +char *mkjson( enum mkjson_container_type otype, int count, ... 
) +{ + int i, len, goodchunks = 0, failure = 0; + char *json, *prefix, **chunks, ign; + + // Value - type and data + enum mkjson_value_type vtype; + const char *key; + long long int intval; + long double dblval; + const char *strval; + + // Since v0.9 count cannot be a negative value and datatype is indicated by a separate argument + // Since I'm not sure whether it's right to put assertions in libraries, the next line is commented out + // assert( count >= 0 && "After v0.9 negative count is prohibited; please use otype argument instead" ); + if ( count < 0 || ( otype != MKJSON_OBJ && otype != MKJSON_ARR ) ) return NULL; + + // Allocate chunk pointer array - on standard platforms each one should be NULL + chunks = calloc( count, sizeof( char* ) ); + if ( chunks == NULL ) return NULL; + + // This should rather be at the point of no return + va_list ap; + va_start( ap, count ); + + // Create chunks + for ( i = 0; i < count && !failure; i++ ) + { + // Get value type + vtype = va_arg( ap, enum mkjson_value_type ); + + // Get key + if ( otype == MKJSON_OBJ ) + { + key = va_arg( ap, char* ); + if ( key == NULL ) + { + failure = 1; + break; + } + } + else key = ""; + + // Generate prefix + if ( allsprintf( &prefix, "%s%s%s", + otype == MKJSON_OBJ ? "\"" : "", // Quote before key + key, // Key + otype == MKJSON_OBJ ? 
"\": " : "" ) == -1 ) // Quote and colon after key + { + failure = 1; + break; + } + + // Depending on value type + ign = 0; + switch ( vtype ) + { + // Ignore string / JSON data + case MKJSON_IGN_STRING: + case MKJSON_IGN_JSON: + (void) va_arg( ap, const char* ); + ign = 1; + break; + + // Ignore string / JSON data and pass the pointer to free + case MKJSON_IGN_STRING_FREE: + case MKJSON_IGN_JSON_FREE: + free( va_arg( ap, char* ) ); + ign = 1; + break; + + // Ignore int / long long int + case MKJSON_IGN_INT: + case MKJSON_IGN_LLINT: + if ( vtype == MKJSON_IGN_INT ) + (void) va_arg( ap, int ); + else + (void) va_arg( ap, long long int ); + ign = 1; + break; + + // Ignore double / long double + case MKJSON_IGN_DOUBLE: + case MKJSON_IGN_LDOUBLE: + if ( vtype == MKJSON_IGN_DOUBLE ) + (void) va_arg( ap, double ); + else + (void) va_arg( ap, long double ); + ign = 1; + break; + + // Ignore boolean + case MKJSON_IGN_BOOL: + (void) va_arg( ap, int ); + ign = 1; + break; + + // Ignore null value + case MKJSON_IGN_NULL: + ign = 1; + break; + + // A null-terminated string + case MKJSON_STRING: + case MKJSON_STRING_FREE: + strval = va_arg( ap, const char* ); + + // If the pointer points to NULL, the string will be replaced with JSON null value + if ( strval == NULL ) + { + if ( allsprintf( chunks + i, "%snull", prefix ) == -1 ) + chunks[i] = NULL; + } + else + { + if ( allsprintf( chunks + i, "%s\"%s\"", prefix, strval ) == -1 ) + chunks[i] = NULL; + } + + // Optional free + if ( vtype == MKJSON_STRING_FREE ) + free( (char*) strval ); + break; + + // Embed JSON data + case MKJSON_JSON: + case MKJSON_JSON_FREE: + strval = va_arg( ap, const char* ); + + // If the pointer points to NULL, the JSON data is replaced with null value + if ( allsprintf( chunks + i, "%s%s", prefix, strval == NULL ? 
"null" : strval ) == -1 ) + chunks[i] = NULL; + + // Optional free + if ( vtype == MKJSON_JSON_FREE ) + free( (char*) strval ); + break; + + // int / long long int + case MKJSON_INT: + case MKJSON_LLINT: + if ( vtype == MKJSON_INT ) + intval = va_arg( ap, int ); + else + intval = va_arg( ap, long long int ); + + if ( allsprintf( chunks + i, "%s%Ld", prefix, intval ) == -1 ) chunks[i] = NULL; + break; + + // double / long double + case MKJSON_DOUBLE: + case MKJSON_LDOUBLE: + if ( vtype == MKJSON_DOUBLE ) + dblval = va_arg( ap, double ); + else + dblval = va_arg( ap, long double ); + + if ( allsprintf( chunks + i, "%s%Lf", prefix, dblval ) == -1 ) chunks[i] = NULL; + break; + + // double / long double + case MKJSON_SCI_DOUBLE: + case MKJSON_SCI_LDOUBLE: + if ( vtype == MKJSON_SCI_DOUBLE ) + dblval = va_arg( ap, double ); + else + dblval = va_arg( ap, long double ); + + if ( allsprintf( chunks + i, "%s%Le", prefix, dblval ) == -1 ) chunks[i] = NULL; + break; + + // Boolean + case MKJSON_BOOL: + intval = va_arg( ap, int ); + if ( allsprintf( chunks + i, "%s%s", prefix, intval ? 
"true" : "false" ) == -1 ) chunks[i] = NULL; + break; + + // JSON null + case MKJSON_NULL: + if ( allsprintf( chunks + i, "%snull", prefix ) == -1 ) chunks[i] = NULL; + break; + + // Bad type specifier + default: + chunks[i] = NULL; + break; + } + + // Free prefix memory + free( prefix ); + + // NULL chunk without ignore flag indicates failure + if ( !ign && chunks[i] == NULL ) failure = 1; + + // NULL chunk now indicates ignore flag + if ( ign ) chunks[i] = NULL; + else goodchunks++; + } + + // We won't use ap anymore + va_end( ap ); + + // If everything is fine, merge chunks and create full JSON table + if ( !failure ) + { + // Get total length (this is without NUL byte) + len = 0; + for ( i = 0; i < count; i++ ) + if ( chunks[i] != NULL ) + len += strlen( chunks[i] ); + + // Total length = Chunks length + 2 brackets + separators + if ( goodchunks == 0 ) goodchunks = 1; + len = len + 2 + ( goodchunks - 1 ) * 2; + + // Allocate memory for the whole thing + json = calloc( len + 1, sizeof( char ) ); + if ( json != NULL ) + { + // Merge chunks (and do not overwrite the first bracket) + for ( i = 0; i < count; i++ ) + { + // Add separators: + // - not on the begining + // - always after valid chunk + // - between two valid chunks + // - between valid and ignored chunk if the latter isn't the last one + if ( i != 0 && chunks[i - 1] != NULL && ( chunks[i] != NULL || ( chunks[i] == NULL && i != count - 1 ) ) ) + strcat( json + 1, ", "); + + if ( chunks[i] != NULL ) + strcat( json + 1, chunks[i] ); + } + + // Add proper brackets + json[0] = otype == MKJSON_OBJ ? '{' : '['; + json[len - 1] = otype == MKJSON_OBJ ? '}' : ']'; + } + } + else json = NULL; + + // Free chunks + for ( i = 0; i < count; i++ ) + free( chunks[i] ); + free( chunks ); + + return json; +} + diff --git a/src/shim/mkjson/mkjson.h b/src/shim/mkjson/mkjson.h new file mode 100644 index 000000000..38cc07b26 --- /dev/null +++ b/src/shim/mkjson/mkjson.h 
@@ -0,0 +1,50 @@ +/* mkjson.h - a part of mkjson library + * + * Copyright (C) 2018 Jacek Wieczorek + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +#ifndef MKJSON_H +#define MKJSON_H + +// JSON container types +enum mkjson_container_type +{ + MKJSON_ARR = 0, // An array + MKJSON_OBJ = 1 // An object (hash or whatever you call it) +}; + +// JSON data types +enum mkjson_value_type +{ + MKJSON_STRING = (int)('s'), // const char* - String data + MKJSON_STRING_FREE = (int)('f'), // char* - String data, but pointer is freed + MKJSON_JSON = (int)('r'), // const char* - JSON data (like string, but no quotes) + MKJSON_JSON_FREE = (int)('j'), // char* - JSON data, but pointer is freed + MKJSON_INT = (int)('i'), // int - An integer + MKJSON_LLINT = (int)('I'), // long long int - A long integer + MKJSON_DOUBLE = (int)('d'), // double - A double + MKJSON_LDOUBLE = (int)('D'), // long double - A long double + MKJSON_SCI_DOUBLE = (int)('e'), // double - A double with scientific notation + MKJSON_SCI_LDOUBLE = (int)('E'), // long double - A long double with scientific notation + MKJSON_BOOL = (int)('b'), // int - A boolean value + MKJSON_NULL = (int)('n'), // -- - JSON null value + + // These cause one argument of certain type to be ignored + MKJSON_IGN_STRING = (-MKJSON_STRING), + MKJSON_IGN_STRING_FREE = (-MKJSON_STRING_FREE), + MKJSON_IGN_JSON = (-MKJSON_JSON), + MKJSON_IGN_JSON_FREE = (-MKJSON_JSON_FREE), + MKJSON_IGN_INT = (-MKJSON_INT), + MKJSON_IGN_LLINT = (-MKJSON_LLINT), + MKJSON_IGN_DOUBLE = (-MKJSON_DOUBLE), + MKJSON_IGN_LDOUBLE = (-MKJSON_LDOUBLE), + MKJSON_IGN_BOOL = (-MKJSON_BOOL), + MKJSON_IGN_NULL = (-MKJSON_NULL) +}; + +extern char *mkjson( enum mkjson_container_type otype, int count, ... ); + +#endif diff --git a/src/shim/vyshim.c b/src/shim/vyshim.c new file mode 100644 index 000000000..8b6feab99 --- /dev/null +++ b/src/shim/vyshim.c 
@@ -0,0 +1,287 @@ +/* + * Copyright (C) 2020 VyOS maintainers and contributors + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 or later as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <string.h> +#include <sys/time.h> +#include <time.h> +#include <stdint.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <zmq.h> +#include "mkjson.h" + +/* + * + * + */ + +#if DEBUG +#define DEBUG_ON 1 +#else +#define DEBUG_ON 0 +#endif +#define debug_print(fmt, ...) 
\ + do { if (DEBUG_ON) fprintf(stderr, fmt, ##__VA_ARGS__); } while (0) +#define debug_call(f) \ + do { if (DEBUG_ON) f; } while (0) + +#define SOCKET_PATH "ipc:///run/vyos-configd.sock" + +#define GET_ACTIVE "cli-shell-api --show-active-only --show-show-defaults --show-ignore-edit showConfig" +#define GET_SESSION "cli-shell-api --show-working-only --show-show-defaults --show-ignore-edit showConfig" + +#define COMMIT_MARKER "/var/tmp/initial_in_commit" + +enum { + SUCCESS = 1 << 0, + ERROR_COMMIT = 1 << 1, + ERROR_DAEMON = 1 << 2, + PASS = 1 << 3 +}; + +volatile int init_alarm = 0; +volatile int timeout = 0; + +int initialization(void *); +int pass_through(char **, int); +void timer_handler(int); + +double get_posix_clock_time(void); + +int main(int argc, char* argv[]) +{ + // string for node data: conf_mode script and tagnode, if applicable + char string_node_data[256]; + string_node_data[0] = '\0'; + + void *context = zmq_ctx_new(); + void *requester = zmq_socket(context, ZMQ_REQ); + + int init_timeout = 0; + + debug_print("Connecting to vyos-configd ...\n"); + zmq_connect(requester, SOCKET_PATH); + + if (access(COMMIT_MARKER, F_OK) != -1) { + init_timeout = initialization(requester); + if (!init_timeout) remove(COMMIT_MARKER); + } + + int end = argc > 3 ? 
2 : argc - 1; + + // if initial communication failed, pass through execution of script + if (init_timeout) { + int ret = pass_through(argv, end); + return ret; + } + + for (int i = end; i > 0 ; i--) { + strncat(&string_node_data[0], argv[i], 127); + } + + char error_code[1]; + debug_print("Sending node data ...\n"); + char *string_node_data_msg = mkjson(MKJSON_OBJ, 2, + MKJSON_STRING, "type", "node", + MKJSON_STRING, "data", &string_node_data[0]); + + zmq_send(requester, string_node_data_msg, strlen(string_node_data_msg), 0); + zmq_recv(requester, error_code, 1, 0); + debug_print("Received node data receipt\n"); + + int err = (int)error_code[0]; + + free(string_node_data_msg); + + zmq_close(requester); + zmq_ctx_destroy(context); + + if (err & PASS) { + debug_print("Received PASS\n"); + int ret = pass_through(argv, end); + return ret; + } + + if (err & ERROR_DAEMON) { + debug_print("Received ERROR_DAEMON\n"); + int ret = pass_through(argv, end); + return ret; + } + + if (err & ERROR_COMMIT) { + debug_print("Received ERROR_COMMIT\n"); + return -1; + } + + return 0; +} + +int initialization(void* Requester) +{ + char *active_str = NULL; + size_t active_len = 0; + + char *session_str = NULL; + size_t session_len = 0; + + char *empty_string = "\n"; + + char buffer[16]; + + struct sigaction sa; + struct itimerval timer, none_timer; + + memset(&sa, 0, sizeof(sa)); + sa.sa_handler = &timer_handler; + sigaction(SIGALRM, &sa, NULL); + + timer.it_value.tv_sec = 0; + timer.it_value.tv_usec = 10000; + timer.it_interval.tv_sec = timer.it_interval.tv_usec = 0; + none_timer.it_value.tv_sec = none_timer.it_value.tv_usec = 0; + none_timer.it_interval.tv_sec = none_timer.it_interval.tv_usec = 0; + + double prev_time_value, time_value; + double time_diff; + + debug_print("Sending init announcement\n"); + char *init_announce = mkjson(MKJSON_OBJ, 1, + MKJSON_STRING, "type", "init"); + + // check for timeout on initial contact + while (!init_alarm) { + debug_call(prev_time_value = 
get_posix_clock_time()); + + setitimer(ITIMER_REAL, &timer, NULL); + + zmq_send(Requester, init_announce, strlen(init_announce), 0); + zmq_recv(Requester, buffer, 16, 0); + + setitimer(ITIMER_REAL, &none_timer, &timer); + + debug_call(time_value = get_posix_clock_time()); + + debug_print("Received init receipt\n"); + debug_call(time_diff = time_value - prev_time_value); + debug_print("time elapse %f\n", time_diff); + + break; + } + + free(init_announce); + + if (timeout) return -1; + + FILE *fp_a = popen(GET_ACTIVE, "r"); + getdelim(&active_str, &active_len, '\0', fp_a); + int ret = pclose(fp_a); + + if (!ret) { + debug_print("Sending active config\n"); + zmq_send(Requester, active_str, active_len - 1, 0); + zmq_recv(Requester, buffer, 16, 0); + debug_print("Received active receipt\n"); + } else { + debug_print("Sending empty active config\n"); + zmq_send(Requester, empty_string, 0, 0); + zmq_recv(Requester, buffer, 16, 0); + debug_print("Received active receipt\n"); + } + + free(active_str); + + FILE *fp_s = popen(GET_SESSION, "r"); + getdelim(&session_str, &session_len, '\0', fp_s); + pclose(fp_s); + + debug_print("Sending session config\n"); + zmq_send(Requester, session_str, session_len - 1, 0); + zmq_recv(Requester, buffer, 16, 0); + debug_print("Received session receipt\n"); + + free(session_str); + + return 0; +} + +int pass_through(char **argv, int end) +{ + char *newargv[] = { NULL, NULL }; + pid_t child_pid; + + newargv[0] = argv[end]; + if (end > 1) { + putenv(argv[end - 1]); + } + + debug_print("pass-through invoked\n"); + + if ((child_pid=fork()) < 0) { + debug_print("fork() failed\n"); + return -1; + } else if (child_pid == 0) { + if (-1 == execv(argv[end], newargv)) { + debug_print("pass_through execve failed %s: %s\n", + argv[end], strerror(errno)); + return -1; + } + } else if (child_pid > 0) { + int status; + pid_t wait_pid = waitpid(child_pid, &status, 0); + if (wait_pid < 0) { + debug_print("waitpid() failed\n"); + return -1; + } else if 
(wait_pid == child_pid) { + if (WIFEXITED(status)) { + debug_print("child exited with code %d\n", + WEXITSTATUS(status)); + return WEXITSTATUS(status); + } + } + } + + return 0; +} + +void timer_handler(int signum) +{ + debug_print("timer_handler invoked\n"); + timeout = 1; + init_alarm = 1; + + return; +} + +#ifdef _POSIX_MONOTONIC_CLOCK +double get_posix_clock_time(void) +{ + struct timespec ts; + + if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) { + return (double) (ts.tv_sec + ts.tv_nsec / 1000000000.0); + } else { + return 0; + } +} +#else +double get_posix_clock_time(void) +{return (double)0;} +#endif diff --git a/src/systemd/lcdproc.service b/src/systemd/lcdproc.service new file mode 100644 index 000000000..ef717667a --- /dev/null +++ b/src/systemd/lcdproc.service @@ -0,0 +1,13 @@ +[Unit] +Description=LCDproc system status information viewer on %I +Documentation=man:lcdproc(8) http://www.lcdproc.org/ +After=vyos-router.service LCDd.service +Requires=LCDd.service + +[Service] +User=root +ExecStart=/usr/bin/lcdproc -f -c /run/lcdproc/lcdproc.conf +PIDFile=/run/lcdproc/lcdproc.pid + +[Install] +WantedBy=multi-user.target diff --git a/src/systemd/vyos-configd.service b/src/systemd/vyos-configd.service new file mode 100644 index 000000000..274ccc787 --- /dev/null +++ b/src/systemd/vyos-configd.service 
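Review bot: In initialization, `zmq_send(Requester, active_str, active_len - 1, 0)` and the matching session send use the buffer capacity that getdelim() stores in `active_len`/`session_len`, not the number of bytes read (its ssize_t return value), so when the allocated buffer is larger than the command output the daemon receives whatever bytes follow the terminator and its `.decode()` can fail; if getdelim() fails with the length still 0, `0 - 1` wraps to SIZE_MAX. Keep the return value and send that many bytes, treating a negative return like the empty-config path (rewritten below for the active config; the session read needs the same change, and popen() returning NULL is not handled in either). In main, the return of `zmq_recv(requester, error_code, 1, 0)` is not checked, so `err` is read from an uninitialized byte when no reply arrives. The node data built from argv is passed to mkjson as MKJSON_STRING, which in the vendored mkjson.c above does not escape `"` or `\`, so an argument containing either produces malformed JSON that the daemon's json.loads cannot parse. `sigaction`/`SIGALRM` and `errno` are used without `#include <signal.h>` and `<errno.h>`; they may arrive transitively through zmq.h today but should be included explicitly.
```c
    FILE *fp_a = popen(GET_ACTIVE, "r");
    ssize_t active_n = fp_a ? getdelim(&active_str, &active_len, '\0', fp_a) : -1;
    int ret = fp_a ? pclose(fp_a) : -1;

    if (!ret && active_n > 0) {
        debug_print("Sending active config\n");
        zmq_send(Requester, active_str, (size_t) active_n, 0);
        zmq_recv(Requester, buffer, 16, 0);
        debug_print("Received active receipt\n");
    } else {
        /* … unchanged: empty active config path … */
    }

    free(active_str);
    /* … session config read: same length handling using getdelim()'s return value … */
```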
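Review bot: In lcdproc.service, `ExecStart=/usr/bin/lcdproc -f -c /run/lcdproc/lcdproc.conf` runs the client in the foreground under the default Type=simple, where systemd tracks the main PID itself, so `PIDFile=/run/lcdproc/lcdproc.pid` is meant for Type=forking and is redundant here. `User=root` is more privilege than a status-display client normally needs; whether lcdproc requires root on this system is not visible from the unit, so if LCDd's socket permits it, a dedicated unprivileged user would be the safer default.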
@@ -0,0 +1,27 @@
+[Unit]
+Description=VyOS configuration daemon
+
+# Without this option, lots of default dependencies are added,
+# among them network.target, which creates a dependency cycle
+DefaultDependencies=no
+
+# Seemingly sensible way to say "as early as the system is ready"
+# All vyos-configd needs is read/write mounted root
+After=systemd-remount-fs.service
+Before=vyos-router.service
+
+[Service]
+ExecStart=/usr/bin/python3 -u /usr/libexec/vyos/services/vyos-configd
+Type=idle
+
+SyslogIdentifier=vyos-configd
+SyslogFacility=daemon
+
+Restart=on-failure
+
+# Does't work in Jessie but leave it here
+User=root
+Group=vyattacfg
+
+[Install]
+WantedBy=vyos.target
diff --git a/src/systemd/wpa_supplicant-macsec@.service b/src/systemd/wpa_supplicant-macsec@.service
index 21e189e4b..7e0bee8e1 100644
--- a/src/systemd/wpa_supplicant-macsec@.service
+++ b/src/systemd/wpa_supplicant-macsec@.service
@@ -1,17 +1,17 @@
-[Unit]
-Description=WPA supplicant daemon (macsec-specific version)
-Requires=sys-subsystem-net-devices-%i.device
-ConditionPathExists=/run/wpa_supplicant/%I.conf
-After=vyos-router.service
-RequiresMountsFor=/run
-
-# NetworkManager users will probably want the dbus version instead.
-
-[Service]
-Type=simple
-WorkingDirectory=/run/wpa_supplicant
-PIDFile=/run/wpa_supplicant/%I.pid
-ExecStart=/sbin/wpa_supplicant -c/run/wpa_supplicant/%I.conf -Dmacsec_linux -i%I
-
-[Install]
-WantedBy=multi-user.target
+[Unit]
+Description=WPA supplicant daemon (macsec-specific version)
+Requires=sys-subsystem-net-devices-%i.device
+ConditionPathExists=/run/wpa_supplicant/%I.conf
+After=vyos-router.service
+RequiresMountsFor=/run
+
+# NetworkManager users will probably want the dbus version instead.
+
+[Service]
+Type=simple
+WorkingDirectory=/run/wpa_supplicant
+PIDFile=/run/wpa_supplicant/%I.pid
+ExecStart=/sbin/wpa_supplicant -c/run/wpa_supplicant/%I.conf -Dmacsec_linux -i%I
+
+[Install]
+WantedBy=multi-user.target
diff --git a/src/tests/test_initial_setup.py b/src/tests/test_initial_setup.py
index c4c59b827..1597025e8 100644
--- a/src/tests/test_initial_setup.py
+++ b/src/tests/test_initial_setup.py
@@ -21,6 +21,7 @@ import tempfile import unittest from unittest import TestCase, mock +from vyos import xml import vyos.configtree import vyos.initialsetup as vis
@@ -30,6 +31,7 @@ class TestInitialSetup(TestCase): with open('tests/data/config.boot.default', 'r') as f: config_string = f.read() self.config = vyos.configtree.ConfigTree(config_string) + self.xml = xml.load_configuration() + def test_set_user_password(self): vis.set_user_password(self.config, 'vyos', 'vyosvyos')
@@ -56,7 +58,7 @@ class TestInitialSetup(TestCase): self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') - self.assertTrue(self.config.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) + self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_set_ssh_key_without_name(self): # If key file doesn't include a name, the function will use user name for the key name
@@ -69,7 +71,7 @@ class TestInitialSetup(TestCase): self.assertEqual(key_type, 'ssh-rsa') self.assertEqual(key_data, 'fakedata') - self.assertTrue(self.config.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) + self.assertTrue(self.xml.is_tag(["system", "login", "user", "vyos", "authentication", "public-keys"])) def test_create_user(self): vis.create_user(self.config, 'jrandomhacker', password='qwerty', key=" ssh-rsa fakedata jrandomhacker@foovax ") @@ -95,8 +97,8 @@ class TestInitialSetup(TestCase): vis.set_default_gateway(self.config, '192.0.2.1') self.assertTrue(self.config.exists(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop', '192.0.2.1'])) - self.assertTrue(self.config.is_tag(['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop'])) - self.assertTrue(self.config.is_tag(['protocols', 'static', 'route'])) + self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route', '0.0.0.0/0', 'next-hop'])) + self.assertTrue(self.xml.is_tag(['protocols', 'static', 'multicast', 'route'])) if __name__ == "__main__": unittest.main() diff --git a/src/validators/dotted-decimal b/src/validators/dotted-decimal new file mode 100755 index 000000000..652110346 --- /dev/null +++ b/src/validators/dotted-decimal 
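Review bot: In the last hunk the default-gateway test now asserts `self.xml.is_tag(['protocols', 'static', 'multicast', 'route', '0.0.0.0/0', 'next-hop'])` and `['protocols', 'static', 'multicast', 'route']`, while the value set two lines above is `['protocols', 'static', 'route', '0.0.0.0/0', 'next-hop', '192.0.2.1']`, so the assertions inspect a multicast path that set_default_gateway never touched; unless that is deliberate, the paths should stay `['protocols', 'static', 'route', ...]`. Since `self.xml.is_tag` queries the interface definitions rather than the configured tree, these two assertions no longer depend on the function under test at all — the `self.config.exists(...)` check is what still exercises it, and the is_tag checks belong with the XML-definition tests if they are kept.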
@@ -0,0 +1,33 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import re +import sys + +area = sys.argv[1] + +res = re.match(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)$', area) +if not res: + print("\'{0}\' is not a valid dotted decimal value".format(area)) + sys.exit(1) +else: + components = res.groups() + for n in range(0, 4): + if (int(components[n]) > 255): + print("Invalid component of a dotted decimal value: {0} exceeds 255".format(components[n])) + sys.exit(1) + +sys.exit(0) |
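Review bot: `re.match(r'^(\d+)\.(\d+)\.(\d+)\.(\d+)$', area)` accepts a value with a trailing newline because `$` also matches before a final `\n`; for a validator the stricter form is `re.fullmatch(r'(\d+)\.(\d+)\.(\d+)\.(\d+)', area)`. `area = sys.argv[1]` is read unguarded, so invoking the validator without an argument produces an IndexError traceback instead of a message and exit status 1. The range loop can become `for component in components:` with `if int(component) > 255:`, dropping the `range(0, 4)` index and the redundant parentheses.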