From ecdc9b1f0bf47b762669d8600aaddc5cfa5ed206 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 16 Mar 2023 12:33:18 +0200 Subject: ipsec: T5043: Rewritten and fixed 'reset vpn' commands 1. Rewritten CLI of 'reset vpn' commands. 2. Created 'reset vpn ipsec remote-access' commands to reset RA IKEv2 session. 3. Created 'reset vpn ipsec site-to-site all' command to reset all configured IPSec site-to-site peers sessions. 4. Rewritten 'reset vpn l2t|pptp|sstp' commands to new opmode style. --- data/op-mode-standardized.json | 1 + op-mode-definitions/reset-vpn.xml.in | 120 +++++++++++++++++------------------ op-mode-definitions/vpn-ipsec.xml.in | 97 +++++++++++++++++++--------- src/op_mode/ipsec.py | 81 ++++++++++++++++++++--- src/op_mode/reset_vpn.py | 75 ++++++++++------------ 5 files changed, 230 insertions(+), 144 deletions(-) diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json index 3b2599790..c7c67198e 100644 --- a/data/op-mode-standardized.json +++ b/data/op-mode-standardized.json @@ -17,6 +17,7 @@ "nhrp.py", "openconnect.py", "openvpn.py", +"reset_vpn.py", "route.py", "system.py", "ipsec.py", diff --git a/op-mode-definitions/reset-vpn.xml.in b/op-mode-definitions/reset-vpn.xml.in index 94ee1c7df..8de95d1cc 100644 --- a/op-mode-definitions/reset-vpn.xml.in +++ b/op-mode-definitions/reset-vpn.xml.in 
@@ -7,82 +7,78 @@ Reset Virtual Private Network (VPN) information - + - Reset remote access VPN connections + Reset L2TP server VPN sessions - Terminate all users current remote access VPN session(s) + Reset all L2TP server VPN sessions - - - - Terminate specified users current remote access VPN session(s) with specified protocol - - - - - Terminate all users current remote access VPN session(s) with L2TP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="l2tp" - - - - Terminate all users current remote access VPN session(s) with PPTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="pptp" - - - - Terminate all users current remote access VPN session(s) with SSTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="sstp" - - - - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" - Terminate a remote access VPN interface + Reset specified interface on L2TP VPN server - sudo ${vyos_op_scripts_dir}/reset_vpn.py --interface="$5" + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --interface="$5" - Terminate specified users current remote access VPN session(s) + Reset specified user on L2TP VPN server - - - - Terminate specified users current remote access VPN session(s) with specified protocol - - - - - Terminate all users current remote access VPN session(s) with L2TP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="l2tp" - - - - Terminate all users current remote access VPN session(s) with PPTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="pptp" - - - - Terminate all users current remote access VPN session(s) with SSTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="sstp" - - - - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" + sudo 
${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --username="$5" + + + + + + Reset PPTP server VPN sessions + + + + + Reset all PPTP server VPN sessions + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" + + + + Reset specified interface on PPTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --interface="$5" + + + + Reset specified user on PPTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --username="$5" + + + + + + Reset SSTP server VPN sessions + + + + + Reset all SSTP server VPN sessions + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" + + + + Reset specified interface on SSTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --interface="$5" + + + + Reset specified user on SSTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --username="$5" diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in index ee006a2d5..5baaec7ce 100644 --- a/op-mode-definitions/vpn-ipsec.xml.in +++ b/op-mode-definitions/vpn-ipsec.xml.in 
@@ -7,49 +7,88 @@ Reset Virtual Private Network (VPN) information - + - Reset all tunnels for given peer - - vpn ipsec site-to-site peer - + Reset IPSec VPN sessions - + - Reset a specific tunnel for given peer + Reset all tunnels for given DMVPN profile - vpn ipsec site-to-site peer ${COMP_WORDS[3]} tunnel + vpn ipsec profile - sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" --tunnel="$6" + + + + Reset a specific tunnel for given DMVPN profile + + sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="$8" + + + sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="all" - + - Reset the VTI tunnel for given peer + Reset remote access IPSec VPN connections - sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" --tunnel="vti" + + + + Reset all users current remote access IPSec VPN sessions + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_ra + + + + Reset specified user current remote access IPsec VPN session(s) + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_ra --user="$6" + + - - sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" - - - - Reset all tunnels for given DMVPN profile - - vpn ipsec profile - - - - + - Reset a specific tunnel for given DMVPN profile + Reset site-to-site IPSec VPN connections - sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="$6" - + + + + Reset all site-to-site IPSec VPN sessions + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_all_peers + + + + Reset all tunnels for given peer + + vpn ipsec site-to-site peer + + + + + + Reset a specific tunnel for given peer + + vpn ipsec site-to-site peer ${COMP_WORDS[5]} tunnel + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="$8" + + + + Reset the VTI tunnel for given peer + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="vti" + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" + + + - sudo 
${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="all" - + diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py index 8e76f4cc0..6acde08ea 100755 --- a/src/op_mode/ipsec.py +++ b/src/op_mode/ipsec.py @@ -13,7 +13,6 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . - import re import sys import typing @@ -24,6 +23,7 @@ from tabulate import tabulate from vyos.util import convert_data from vyos.util import seconds_to_human +from vyos.configquery import ConfigTreeQuery import vyos.opmode import vyos.ipsec 
@@ -401,30 +401,91 @@ def _get_childsa_id_list(ike_sas: list) -> list: return list_childsa_id +def _get_all_sitetosite_peers_name_list() -> list: + """ + Return site-to-site peers configuration + :return: site-to-site peers configuration + :rtype: list + """ + conf: ConfigTreeQuery = ConfigTreeQuery() + config_path = ['vpn', 'ipsec', 'site-to-site', 'peer'] + peers_config = conf.get_config_dict(config_path, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + peers_list: list = [] + for name in peers_config: + peers_list.append(name) + return peers_list + + def reset_peer(peer: str, tunnel: typing.Optional[str] = None): # Convert tunnel to Strongwan format of CHILD_SA + tunnel_sw = None if tunnel: if tunnel.isnumeric(): - tunnel = f'{peer}-tunnel-{tunnel}' + tunnel_sw = f'{peer}-tunnel-{tunnel}' elif tunnel == 'vti': - tunnel = f'{peer}-vti' + tunnel_sw = f'{peer}-vti' try: - sa_list: list = vyos.ipsec.get_vici_sas_by_name(peer, tunnel) - + sa_list: list = vyos.ipsec.get_vici_sas_by_name(peer, tunnel_sw) if not sa_list: - raise vyos.opmode.IncorrectValue('Peer not found, aborting') + raise vyos.opmode.IncorrectValue( + f'Peer\'s {peer} SA(s) not found, aborting') if tunnel and sa_list: childsa_id_list: list = _get_childsa_id_list(sa_list) if not childsa_id_list: raise vyos.opmode.IncorrectValue( - 'Peer or tunnel(s) not found, aborting') - vyos.ipsec.terminate_vici_by_name(peer, tunnel) - print('Peer reset result: success') + f'Peer {peer} tunnel {tunnel} SA(s) not found, aborting') + vyos.ipsec.terminate_vici_by_name(peer, tunnel_sw) + print(f'Peer {peer} reset result: success') except (vyos.ipsec.ViciInitiateError) as err: raise vyos.opmode.UnconfiguredSubsystem(err) - except (vyos.ipsec.ViciInitiateError) as err: + except (vyos.ipsec.ViciCommandError) as err: raise vyos.opmode.IncorrectValue(err) +def reset_all_peers(): + sitetosite_list = _get_all_sitetosite_peers_name_list() + if sitetosite_list: + for peer_name in sitetosite_list: 
+ try: + reset_peer(peer_name) + except (vyos.opmode.IncorrectValue) as err: + print(err) + print('Peers reset result: success') + else: + raise vyos.opmode.UnconfiguredSubsystem( + 'VPN IPSec site-to-site is not configured, aborting') + +def _get_ra_session_list_by_username(username: typing.Optional[str] = None): + """ + Return list of remote-access IKE_SAs uniqueids + :param username: + :type username: + :return: + :rtype: + """ + list_sa_id = [] + sa_list = vyos.ipsec.get_vici_sas() + for sa_val in sa_list: + for sa in sa_val.values(): + if 'remote-eap-id' in sa: + if username: + if username == sa['remote-eap-id'].decode(): + list_sa_id.append(sa['uniqueid'].decode()) + else: + list_sa_id.append(sa['uniqueid'].decode()) + return list_sa_id + + +def reset_ra(username: typing.Optional[str] = None): + #Reset remote-access ipsec sessions + if username: + list_sa_id = _get_ra_session_list_by_username(username) + else: + list_sa_id = _get_ra_session_list_by_username() + if list_sa_id: + vyos.ipsec.terminate_vici_ikeid_list(list_sa_id) + def show_sa(raw: bool): sa_data = _get_raw_data_sas() diff --git a/src/op_mode/reset_vpn.py b/src/op_mode/reset_vpn.py index 3a0ad941c..46195d6cd 100755 --- a/src/op_mode/reset_vpn.py +++ b/src/op_mode/reset_vpn.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
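Review bot: In reset_peer, a tunnel value that is neither numeric nor 'vti' leaves tunnel_sw as None, so get_vici_sas_by_name and terminate_vici_by_name are called for the whole peer and every tunnel of that peer is torn down instead of the one requested (None is exactly how reset_all_peers asks for a whole-peer reset). Add an explicit rejection after the elif, `else: raise vyos.opmode.IncorrectValue(f'Unknown tunnel {tunnel}, aborting')`, so a mistyped tunnel name fails closed. reset_all_peers prints 'Peers reset result: success' even when one or more reset_peer calls raised IncorrectValue and only printed the error, which misreports partial failures; track a failure flag and report it instead. reset_ra returns silently when no IKE_SA matches the given user; raising IncorrectValue as reset_peer does would keep the two commands consistent, and its two if/else branches call the same helper and can collapse to `list_sa_id = _get_ra_session_list_by_username(username)`. The _get_ra_session_list_by_username docstring has empty :param/:return fields that should be filled in or dropped.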
@@ -13,60 +13,49 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . - import sys -import argparse +import typing from vyos.util import run +import vyos.opmode + cmd_dict = { - 'cmd_base' : '/usr/bin/accel-cmd -p {} terminate {} {}', - 'vpn_types' : { - 'pptp' : 2003, - 'l2tp' : 2004, - 'sstp' : 2005 + 'cmd_base': '/usr/bin/accel-cmd -p {} terminate {} {}', + 'vpn_types': { + 'pptp': 2003, + 'l2tp': 2004, + 'sstp': 2005 } } -def terminate_sessions(username='', interface='', protocol=''): - # Reset vpn connections by username +def reset_conn(protocol: str, username: typing.Optional[str] = None, + interface: typing.Optional[str] = None): if protocol in cmd_dict['vpn_types']: - if username == "all_users": - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'all', '')) - else: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'username', username)) - - # Reset vpn connections by ifname - elif interface: - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'if', interface)) - - elif username: - # Reset all vpn connections - if username == "all_users": - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'all', '')) + # Reset by Interface + if interface: + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'if', interface)) + return + # Reset by username + if username: + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'username', username)) + # Reset all else: - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'username', username)) - -def main(): - #parese args - parser = argparse.ArgumentParser() - parser.add_argument('--username', help='Terminate by username (all_users used for disconnect all users)', required=False) - parser.add_argument('--interface', help='Terminate by interface', 
required=False) - parser.add_argument('--protocol', help='Set protocol (pptp|l2tp|sstp)', required=False) - args = parser.parse_args() - - if args.username or args.interface: - terminate_sessions(username=args.username, interface=args.interface, protocol=args.protocol) + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'all', + '')) else: - print("Param --username or --interface required") - sys.exit(1) - - terminate_sessions() + vyos.opmode.IncorrectValue('Unknown VPN Protocol, aborting') if __name__ == '__main__': - main() + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) -- cgit v1.2.3 From 15bf5d64440abaf50083ed5a4e1efdbf0d6cbad5 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Thu, 16 Mar 2023 12:35:13 -0500 Subject: openvpn: T5095: raw output should return list instead of dict --- src/op_mode/openvpn.py | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/src/op_mode/openvpn.py b/src/op_mode/openvpn.py index 8f88ab422..7ae49472e 100755 --- a/src/op_mode/openvpn.py +++ b/src/op_mode/openvpn.py @@ -53,7 +53,7 @@ def _get_tunnel_address(peer_host, peer_port, status_file): def _get_interface_status(mode: str, interface: str) -> dict: status_file = f'/run/openvpn/{interface}.status' - data = { + data: dict = { 'mode': mode, 'intf': interface, 'local_host': '', @@ -142,8 +142,8 @@ def _get_interface_status(mode: str, interface: str) -> dict: return data -def _get_raw_data(mode: str) -> dict: - data = {} +def _get_raw_data(mode: str) -> list: + data: list = [] conf = Config() conf_dict = conf.get_config_dict(['interfaces', 'openvpn'], get_first_key=True) 
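Review bot: The final else branch of reset_conn constructs `vyos.opmode.IncorrectValue('Unknown VPN Protocol, aborting')` but never raises it, so an unsupported --protocol value exits 0 without doing anything and without a message; it should read `raise vyos.opmode.IncorrectValue('Unknown VPN Protocol, aborting')`. The username and interface values are still interpolated into a single command string handed to run(); if run() executes that string through a shell, a value containing shell metacharacters would be interpreted, so passing an argument list, or at least shlex.quote()-ing the two values, would be the safer form — I cannot see run()'s implementation from this hunk. The three nearly identical run() calls could also become one call after selecting the accel-cmd mode and value first.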
@@ -152,8 +152,7 @@ def _get_raw_data(mode: str) -> dict: interfaces = [x for x in list(conf_dict) if conf_dict[x]['mode'] == mode] for intf in interfaces: - data[intf] = _get_interface_status(mode, intf) - d = data[intf] + d = _get_interface_status(mode, intf) d['local_host'] = conf_dict[intf].get('local-host', '') d['local_port'] = conf_dict[intf].get('local-port', '') if conf.exists(f'interfaces openvpn {intf} server client'): @@ -164,10 +163,11 @@ def _get_raw_data(mode: str) -> dict: client['name'] = 'None (PSK)' client['remote_host'] = conf_dict[intf].get('remote-host', [''])[0] client['remote_port'] = conf_dict[intf].get('remote-port', '1194') + data.append(d) return data -def _format_openvpn(data: dict) -> str: +def _format_openvpn(data: list) -> str: if not data: out = 'No OpenVPN interfaces configured' return out @@ -176,11 +176,12 @@ def _format_openvpn(data: dict) -> str: 'TX bytes', 'RX bytes', 'Connected Since'] out = '' - for intf in list(data): + for d in data: data_out = [] - l_host = data[intf]['local_host'] - l_port = data[intf]['local_port'] - for client in list(data[intf]['clients']): + intf = d['intf'] + l_host = d['local_host'] + l_port = d['local_port'] + for client in d['clients']: r_host = client['remote_host'] r_port = client['remote_port'] @@ -201,7 +202,7 @@ def _format_openvpn(data: dict) -> str: return out -def show(raw: bool, mode: ArgMode) -> str: +def show(raw: bool, mode: ArgMode) -> typing.Union[list,str]: openvpn_data = _get_raw_data(mode) if raw: -- cgit v1.2.3 From 616c5b38ec2f26fd589b3a01dbc4c2bf9b4d22c1 Mon Sep 17 00:00:00 2001 From: Zhiyuan Wan Date: Mon, 20 Mar 2023 11:33:33 +0800 Subject: pppoe: T5098: allow user to set pppd holdoff option --- data/templates/pppoe/peer.j2 | 4 ++++ interface-definitions/interfaces-pppoe.xml.in | 14 ++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2 index 5e650fa3b..f30cefe63 100644 --- a/data/templates/pppoe/peer.j2 
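Review bot: The new annotation `typing.Union[list,str]` on show should be written `typing.Union[list, str]` (space after the comma), and it depends on `typing` being imported at module level, which none of the visible hunks add — likely already present since ArgMode looks like a typing alias, but confirm. The switch of raw output from a dict keyed by interface to a list is a contract change for anyone consuming `show --raw`; a one-line docstring on show stating that raw output is a list of per-interface dicts with the name under 'intf' would make that explicit. The body of show continues outside the hunk.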
+++ b/data/templates/pppoe/peer.j2 @@ -65,6 +65,10 @@ mru {{ mtu }} noipv6 {% endif %} +{% if holdoff is vyos_defined %} +holdoff {{ holdoff }} +{% endif %} + {% if connect_on_demand is vyos_defined %} demand # See T2249. PPP default route options should only be set when in on-demand diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index c6fd7096b..b78f92c85 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -50,6 +50,20 @@ Host-uniq must be specified as hex-adecimal byte-string (even number of HEX characters) + + + Delay before re-dial to the access concentrator when PPP session terminated by peer (in seconds) + + u32:0-86400 + Holdoff time in seconds + + + + + Holdoff must be in range 0 to 86400 + + 30 + IPv4 routing parameters -- cgit v1.2.3 From 9a9f6e346beb209c819d859e2c7081f145060ac1 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 14 Mar 2023 14:59:58 +0000 Subject: T5050: Firewall: Add log options --- .../include/firewall/common-rule.xml.i | 2 +- .../include/firewall/rule-log-options.xml.i | 89 ++++++++++++++++++++++ python/vyos/firewall.py | 17 ++++- smoketest/scripts/cli/test_firewall.py | 18 +++-- src/conf_mode/firewall.py | 10 +++ src/migration-scripts/firewall/9-to-10 | 80 +++++++++++++++++++ 6 files changed, 205 insertions(+), 11 deletions(-) create mode 100644 interface-definitions/include/firewall/rule-log-options.xml.i create mode 100755 src/migration-scripts/firewall/9-to-10 diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i index 3fe3ca872..7417a3c58 100644 --- a/interface-definitions/include/firewall/common-rule.xml.i +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -119,7 +119,7 @@ -#include +#include Connection status 
diff --git a/interface-definitions/include/firewall/rule-log-options.xml.i b/interface-definitions/include/firewall/rule-log-options.xml.i new file mode 100644 index 000000000..e8b0cdec3 --- /dev/null +++ b/interface-definitions/include/firewall/rule-log-options.xml.i @@ -0,0 +1,89 @@ + + + + Log options + + + + + Set log group + + u32:0-65535 + Log group to send messages to + + + + + + + + + Length of packet payload to include in netlink message + + u32:0-9000 + Length of packet payload to include in netlink message + + + + + + + + + Number of packets to queue inside the kernel before sending them to userspace + + u32:0-65535 + Number of packets to queue inside the kernel before sending them to userspace + + + + + + + + + Set log-level + + emerg alert crit err warn notice info debug + + + emerg + Emerg log level + + + alert + Alert log level + + + crit + Critical log level + + + err + Error log level + + + warn + Warning log level + + + notice + Notice log level + + + info + Info log level + + + debug + Debug log level + + + (emerg|alert|crit|err|warn|notice|info|debug) + + level must be alert, crit, debug, emerg, err, info, notice or warn + + + + + \ No newline at end of file diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 5be897d5f..137fd2c56 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py 
@@ -223,10 +223,21 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): action = rule_conf['action'] if 'action' in rule_conf else 'accept' output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"') - if 'log_level' in rule_conf: - log_level = rule_conf['log_level'] - output.append(f'level {log_level}') + if 'level' in rule_conf['log_options']: + log_level = rule_conf['log_options']['level'] + output.append(f'log level {log_level}') + if 'group' in rule_conf['log_options']: + log_group = rule_conf['log_options']['group'] + output.append(f'log group {log_group}') + + if 'queue_threshold' in rule_conf['log_options']: + queue_threshold = rule_conf['log_options']['queue_threshold'] + output.append(f'queue-threshold {queue_threshold}') + + if 'snapshot_length' in rule_conf['log_options']: + log_snaplen = rule_conf['log_options']['snapshot_length'] + output.append(f'snaplen {log_snaplen}') if 'hop_limit' in rule_conf: operators = {'eq': '==', 'gt': '>', 'lt': '<'} diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index d61534d87..e071b7df9 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py 
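Review bot: The four new checks index `rule_conf['log_options']` directly, but a rule with `log enable` and no log-options set has no `log_options` key (the old code guarded with `'log_level' in rule_conf`), so parse_rule would raise KeyError for the most common logging configuration unless defaults materialise that node — none of the visible smoketest rules exercises log without log-options. Bind it once with `log_options = rule_conf.get('log_options', {})` and test `'level' in log_options` and so on for the four lookups. Separately, `output.append(f'log level {log_level}')` emits a second `log` keyword after `log prefix "..."`, which nft as far as I can tell parses as a second log statement rather than an option of the first (the old code appended `level {log_level}`); if a single log entry carrying both prefix and level is intended, keep the option form, and the same applies to the `log group` line. The enclosing parse_rule function starts and ends outside the hunk.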
@@ -207,13 +207,13 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) self.cli_set(['firewall', 'name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'log-level', 'debug']) + self.cli_set(['firewall', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) self.cli_set(['firewall', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'protocol', 'tcp']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'destination', 'port', '8888']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'log', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'log-level', 'err']) + self.cli_set(['firewall', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) self.cli_set(['firewall', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) 
@@ -247,8 +247,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ [f'iifname "{interface}"', f'jump NAME_{name}'], - ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug', 'ip ttl 15', 'return'], - ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" level err', 'ip ttl > 102', 'reject'], + ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'return'], + ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'], ['tcp dport 22', 'limit rate 5/minute', 'return'], ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'], ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'], @@ -272,6 +272,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '1024']) self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '17']) self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '52']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log', 'enable']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'group', '66']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000']) self.cli_set(['firewall', 'name', name, 'rule', '7', 'action', 'accept']) self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length', '1-30000']) 
@@ -301,7 +305,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ [f'iifname "{interface}"', f'jump NAME_{name}'], - ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', 'return'], + ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'return'], ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'return'], [f'log prefix "[{name}-default-D]"', 'drop'], ['ip saddr 198.51.100.1', f'jump NAME_{name}'], @@ -357,7 +361,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'source', 'address', '2002::1']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '2002::1:1']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log-level', 'crit']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log-options', 'level', 'crit']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'reject']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'protocol', 'tcp_udp']) @@ -374,7 +378,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ [f'iifname "{interface}"', f'jump NAME6_{name}'], - ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" level crit', 'return'], + ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'return'], ['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'], ['meta l4proto gre', f'oifname "{interface}"', 'return'], ['smoketest default-action', f'log prefix "[{name}-default-D]"', 'drop'] diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index b63ed4eb9..c41a442df 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py 
@@ -282,6 +282,16 @@ def verify_rule(firewall, rule_conf, ipv6): if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']: raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group') + if 'log_options' in rule_conf: + if 'log' not in rule_conf or 'enable' not in rule_conf['log']: + raise ConfigError('log-options defined, but log is not enable') + + if 'snapshot_length' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']: + raise ConfigError('log-options snapshot-length defined, but log group is not define') + + if 'queue_threshold' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']: + raise ConfigError('log-options queue-threshold defined, but log group is not define') + def verify_nested_group(group_name, group, groups, seen): if 'include' not in group: return diff --git a/src/migration-scripts/firewall/9-to-10 b/src/migration-scripts/firewall/9-to-10 new file mode 100755 index 000000000..6f67cc512 --- /dev/null +++ b/src/migration-scripts/firewall/9-to-10 
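Review bot: `'enable' not in rule_conf['log']` is a substring test on the log value rather than an equality check; `rule_conf.get('log') != 'enable'` says what is meant and covers the missing-key case in one expression. nft rejects `level` combined with `group` within one log statement (they select kernel-log versus nflog delivery), so if the rendered rule puts both options into the same statement, verify_rule should also reject `level` together with `group` here rather than letting the commit fail at nft load time — the rendering path is not in this hunk, so confirm. The two messages read 'log is not enable' and 'group is not define'; 'log is not enabled' and 'log-options group is not defined' would be clearer. verify_rule continues outside the hunk.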
@@ -0,0 +1,80 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# T5050: Log options +# cli changes from: +# set firewall [name | ipv6-name] rule log-level +# To +# set firewall [name | ipv6-name] rule log-options level + +import re + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree +from vyos.ifconfig import Section + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['firewall'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) + +if config.exists(base + ['name']): + for name in config.list_nodes(base + ['name']): + if not config.exists(base + ['name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['name', name, 'rule']): + log_options_base = base + ['name', name, 'rule', rule, 'log-options'] + rule_log_level = base + ['name', name, 'rule', rule, 'log-level'] + + if config.exists(rule_log_level): + tmp = config.return_value(rule_log_level) + config.delete(rule_log_level) + config.set(log_options_base + ['level'], value=tmp) + +if config.exists(base + ['ipv6-name']): + for name in config.list_nodes(base + ['ipv6-name']): + if not config.exists(base + ['ipv6-name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): + 
log_options_base = base + ['ipv6-name', name, 'rule', rule, 'log-options'] + rule_log_level = base + ['ipv6-name', name, 'rule', rule, 'log-level'] + + if config.exists(rule_log_level): + tmp = config.return_value(rule_log_level) + config.delete(rule_log_level) + config.set(log_options_base + ['level'], value=tmp) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) \ No newline at end of file -- cgit v1.2.3 From 7cb95a6bc9801abcc70f8d4cfbcc79718148de1c Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Tue, 21 Mar 2023 14:47:48 +0000 Subject: T5099: IPoE-server add option next-pool for named ip pools In cases with multiple named IP pools, it is required the option 'next' to be sure that if IP addresses ended in one pool, then they would begin to be allocated from the next named pool. For accel-ppp it requires specific order as pool must be defined before we can use it with the 'next-option' set service ipoe-server client-ip-pool name first-pool subnet '192.0.2.0/25' set service ipoe-server client-ip-pool name first-pool next-pool 'second-pool' set service ipoe-server client-ip-pool name second-pool subnet '203.0.113.0/25' [ip-pool] 203.0.113.0/25,name=second-pool 192.0.2.0/25,name=first-pool,next=second-pool --- data/templates/accel-ppp/ipoe.config.j2 | 27 ++++-- .../include/accel-ppp/client-ip-pool-name.xml.i | 12 +++ smoketest/scripts/cli/test_service_ipoe-server.py | 93 +++++++++++++++++++++ src/conf_mode/service_ipoe-server.py | 97 ++++++++++++++++++++++ 4 files changed, 222 insertions(+), 7 deletions(-) diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index ac83c3dbd..add3dc7e4 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 
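Review bot: `if (len(argv) < 1)` can never be true because argv[0] is always present, so running the migration script without a file name falls through to `file_name = argv[1]` and dies with an IndexError instead of printing the intended message; it should be `if len(argv) < 2:`. The `re` and `Section` imports are unused in the script and can be dropped, and the file is missing its trailing newline. The two name/ipv6-name loops are identical apart from the top-level key and could share one helper taking that key as a parameter.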
@@ -49,22 +49,35 @@ username=ifname password=csid {% endif %} {% if client_ip_pool.name is vyos_defined %} -{% for pool, pool_options in client_ip_pool.name.items() %} -{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} +{% if first_named_pool is vyos_defined %} +ip-pool={{ first_named_pool }} +{% else %} +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.subnet is vyos_defined %} ip-pool={{ pool }} +{% endif %} +{% endfor %} +{% endif %} +{% for pool, pool_options in client_ip_pool.name.items() %} +{% if pool_options.gateway_address is vyos_defined %} gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} {% endif %} {% endfor %} {% endif %} proxy-arp=1 -{% if client_ip_pool.name is vyos_defined %} +{% if ordered_named_pools is vyos_defined %} [ip-pool] -{% for pool, pool_options in client_ip_pool.name.items() %} -{% if pool_options.subnet is vyos_defined and pool_options.gateway_address is vyos_defined %} -{{ pool_options.subnet }},name={{ pool }} +{% for p in ordered_named_pools %} +{% for pool, pool_options in p.items() %} +{% set next_named_pool = ',next=' ~ pool_options.next_pool if pool_options.next_pool is vyos_defined else '' %} +{{ pool_options.subnet }},name={{ pool }}{{ next_named_pool }} +{% endfor %} +{% endfor %} +{% for p in ordered_named_pools %} +{% for pool, pool_options in p.items() %} gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }} -{% endif %} +{% endfor %} {% endfor %} {% endif %} diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i index 654b6727e..b442a15b9 100644 --- a/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i +++ b/interface-definitions/include/accel-ppp/client-ip-pool-name.xml.i 
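Review bot: The gw-ip-address loop over client_ip_pool.name.items() now guards only on `pool_options.gateway_address is vyos_defined` but still evaluates `pool_options.subnet.split('/')[1]`, so a named pool with a gateway-address and no subnet makes the template render fail where the previous condition required both; either restore the `and pool_options.subnet is vyos_defined` clause or confirm that the conf_mode verify (not in view here) rejects that combination. The second gw-ip-address loop over ordered_named_pools has the same unguarded subnet dereference. `first_named_pool` and `ordered_named_pools` are new template variables whose construction lives in service_ipoe-server.py outside this page, so the ordering guarantee the [ip-pool] section relies on cannot be checked from here.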
@@ -13,6 +13,18 @@ #include #include + + + Next pool name + + txt + Name of IP pool + + + [-_a-zA-Z0-9.]+ + + + diff --git a/smoketest/scripts/cli/test_service_ipoe-server.py b/smoketest/scripts/cli/test_service_ipoe-server.py index bdab35834..8a141b8f0 100755 --- a/smoketest/scripts/cli/test_service_ipoe-server.py +++ b/smoketest/scripts/cli/test_service_ipoe-server.py @@ -26,6 +26,13 @@ from configparser import ConfigParser ac_name = 'ACN' interface = 'eth0' + +def getConfig(string, end='cli'): + command = f'cat /run/accel-pppd/ipoe.conf | sed -n "/^{string}/,/^{end}/p"' + out = cmd(command) + return out + + class TestServiceIPoEServer(BasicAccelPPPTest.TestCase): @classmethod def setUpClass(cls): 
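Review bot: `getConfig` passes `string` into a sed address unescaped, and the only caller in this commit passes `'[ip-pool]'`, which sed reads as a bracket expression matching one character from `i`, `p`, `o`, `l` rather than the literal section header; the range therefore starts at the first line beginning with one of those characters, and the later `assertIn` checks pass only because the wider selection still contains the section. Escaping the bracket, e.g. `string = string.replace('[', r'\[')` before building the command, or passing `r'\[ip-pool]'` from the callers, makes the selection what the name implies. The `cat … | sed` pipeline can also be written as `sed -n "/^{string}/,/^{end}/p" /run/accel-pppd/ipoe.conf`, and whether `/^cli/` actually terminates the range depends on the rendered file, which the hunk does not show.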
@@ -86,6 +93,92 @@ class TestServiceIPoEServer(BasicAccelPPPTest.TestCase): tmp = re.findall(regex, tmp) self.assertTrue(tmp) + def test_accel_named_pool(self): + first_pool = 'VyOS-pool1' + first_subnet = '192.0.2.0/25' + first_gateway = '192.0.2.1' + second_pool = 'Vyos-pool2' + second_subnet = '203.0.113.0/25' + second_gateway = '203.0.113.1' + + self.set(['authentication', 'mode', 'noauth']) + self.set(['client-ip-pool', 'name', first_pool, 'gateway-address', first_gateway]) + self.set(['client-ip-pool', 'name', first_pool, 'subnet', first_subnet]) + self.set(['client-ip-pool', 'name', second_pool, 'gateway-address', second_gateway]) + self.set(['client-ip-pool', 'name', second_pool, 'subnet', second_subnet]) + self.set(['interface', interface]) + + # commit changes + self.cli_commit() + + + # Validate configuration values + conf = ConfigParser(allow_no_value=True, delimiters='=', strict=False) + conf.read(self._config_file) + + self.assertTrue(conf['ipoe']['interface'], f'{interface},shared=1,mode=L2,ifcfg=1,start=dhcpv4,ipv6=1') + self.assertTrue(conf['ipoe']['noauth'], '1') + self.assertTrue(conf['ipoe']['ip-pool'], first_pool) + self.assertTrue(conf['ipoe']['ip-pool'], second_pool) + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{first_gateway}/25') + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{second_gateway}/25') + + config = getConfig('[ip-pool]') + pool_config = f'''{second_subnet},name={second_pool} +{first_subnet},name={first_pool} +gw-ip-address={second_gateway}/25 +gw-ip-address={first_gateway}/25''' + self.assertIn(pool_config, config) + + + def test_accel_next_pool(self): + first_pool = 'VyOS-pool1' + first_subnet = '192.0.2.0/25' + first_gateway = '192.0.2.1' + second_pool = 'Vyos-pool2' + second_subnet = '203.0.113.0/25' + second_gateway = '203.0.113.1' + third_pool = 'Vyos-pool3' + third_subnet = '198.51.100.0/24' + third_gateway = '198.51.100.1' + + self.set(['authentication', 'mode', 'noauth']) + self.set(['client-ip-pool', 'name', 
first_pool, 'gateway-address', first_gateway]) + self.set(['client-ip-pool', 'name', first_pool, 'subnet', first_subnet]) + self.set(['client-ip-pool', 'name', first_pool, 'next-pool', second_pool]) + self.set(['client-ip-pool', 'name', second_pool, 'gateway-address', second_gateway]) + self.set(['client-ip-pool', 'name', second_pool, 'subnet', second_subnet]) + self.set(['client-ip-pool', 'name', second_pool, 'next-pool', third_pool]) + self.set(['client-ip-pool', 'name', third_pool, 'gateway-address', third_gateway]) + self.set(['client-ip-pool', 'name', third_pool, 'subnet', third_subnet]) + self.set(['interface', interface]) + + # commit changes + self.cli_commit() + + + # Validate configuration values + conf = ConfigParser(allow_no_value=True, delimiters='=', strict=False) + conf.read(self._config_file) + + self.assertTrue(conf['ipoe']['interface'], f'{interface},shared=1,mode=L2,ifcfg=1,start=dhcpv4,ipv6=1') + self.assertTrue(conf['ipoe']['noauth'], '1') + self.assertTrue(conf['ipoe']['ip-pool'], first_pool) + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{first_gateway}/25') + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{second_gateway}/25') + self.assertTrue(conf['ipoe']['gw-ip-address'], f'{third_gateway}/24') + + config = getConfig('[ip-pool]') + # T5099 required specific order + pool_config = f'''{third_subnet},name={third_pool} +{second_subnet},name={second_pool},next={third_pool} +{first_subnet},name={first_pool},next={second_pool} +gw-ip-address={third_gateway}/24 +gw-ip-address={second_gateway}/25 +gw-ip-address={first_gateway}/25''' + self.assertIn(pool_config, config) + + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 4fabe170f..95c72df47 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -15,6 +15,7 @@ # along with this program. If not, see . import os +import jmespath from sys import exit 
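Review bot: Every `self.assertTrue(conf['ipoe'][...], expected)` in `test_accel_named_pool` and `test_accel_next_pool` treats its second argument as the failure message, not as an expected value, so those assertions pass for any non-empty string and never check `interface`, `noauth`, `ip-pool` or `gw-ip-address`. For keys that occur once, `self.assertEqual(conf['ipoe']['noauth'], '1')` and `self.assertEqual(conf['ipoe']['interface'], f'{interface},shared=1,mode=L2,ifcfg=1,start=dhcpv4,ipv6=1')` give a real check. For the repeated `ip-pool` / `gw-ip-address` keys `ConfigParser(strict=False)` keeps only one value per key, so those are better verified through the `getConfig` text, as the `[ip-pool]` block already is.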
@@ -29,9 +30,92 @@ from vyos import ConfigError from vyos import airbag airbag.enable() + ipoe_conf = '/run/accel-pppd/ipoe.conf' ipoe_chap_secrets = '/run/accel-pppd/ipoe.chap-secrets' + +def get_pools_in_order(data: dict) -> list: + """Return a list of dictionaries representing pool data in the order + in which they should be allocated. Pool must be defined before we can + use it with 'next-pool' option. + + Args: + data: A dictionary of pool data, where the keys are pool names and the + values are dictionaries containing the 'subnet' key and the optional + 'next_pool' key. + + Returns: + list: A list of dictionaries + + Raises: + ValueError: If a 'next_pool' key references a pool name that + has not been defined. + ValueError: If a circular reference is found in the 'next_pool' keys. + + Example: + config_data = { + ... 'first-pool': { + ... 'next_pool': 'second-pool', + ... 'subnet': '192.0.2.0/25' + ... }, + ... 'second-pool': { + ... 'next_pool': 'third-pool', + ... 'subnet': '203.0.113.0/25' + ... }, + ... 'third-pool': { + ... 'subnet': '198.51.100.0/24' + ... }, + ... 'foo': { + ... 'subnet': '100.64.0.0/24', + ... 'next_pool': 'second-pool' + ... } + ... 
} + + % get_pools_in_order(config_data) + [{'third-pool': {'subnet': '198.51.100.0/24'}}, + {'second-pool': {'next_pool': 'third-pool', 'subnet': '203.0.113.0/25'}}, + {'first-pool': {'next_pool': 'second-pool', 'subnet': '192.0.2.0/25'}}, + {'foo': {'next_pool': 'second-pool', 'subnet': '100.64.0.0/24'}}] + """ + pools = [] + unresolved_pools = {} + + for pool, pool_config in data.items(): + if 'next_pool' not in pool_config: + pools.insert(0, {pool: pool_config}) + else: + unresolved_pools[pool] = pool_config + + while unresolved_pools: + resolved_pools = [] + + for pool, pool_config in unresolved_pools.items(): + next_pool_name = pool_config['next_pool'] + + if any(p for p in pools if next_pool_name in p): + index = next( + (i for i, p in enumerate(pools) if next_pool_name in p), + None) + pools.insert(index + 1, {pool: pool_config}) + resolved_pools.append(pool) + elif next_pool_name in unresolved_pools: + # next pool not yet resolved + pass + else: + raise ValueError( + f"Pool '{next_pool_name}' not defined in configuration data" + ) + + if not resolved_pools: + raise ValueError("Circular reference in configuration data") + + for pool in resolved_pools: + unresolved_pools.pop(pool) + + return pools + + def get_config(config=None): if config: conf = config @@ -43,6 +127,19 @@ def get_config(config=None): # retrieve common dictionary keys ipoe = get_accel_dict(conf, base, ipoe_chap_secrets) + + if jmespath.search('client_ip_pool.name', ipoe): + dict_named_pools = jmespath.search('client_ip_pool.name', ipoe) + # Multiple named pools require ordered values T5099 + ipoe['ordered_named_pools'] = get_pools_in_order(dict_named_pools) + # T5099 'next-pool' option + if jmespath.search('client_ip_pool.name.*.next_pool', ipoe): + for pool, pool_config in ipoe['client_ip_pool']['name'].items(): + if 'next_pool' in pool_config: + ipoe['first_named_pool'] = pool + ipoe['first_named_pool_subnet'] = pool_config + break + return ipoe -- cgit v1.2.3 
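Review bot: In the resolution loop of `get_pools_in_order`, `any(p for p in pools if next_pool_name in p)` followed by `next((i for i, p in enumerate(pools) if next_pool_name in p), None)` scans `pools` twice with the same predicate and then does `index + 1` on a value whose fallback is `None`; a single lookup reads more directly: `index = next((i for i, p in enumerate(pools) if next_pool_name in p), None)` followed by `if index is not None:`. The docstring example mixes `...` continuation markers with a `%` prompt, so it is not runnable as a doctest; either use `>>>` throughout or present it as a plain example. Looping over `unresolved_pools.items()` while collecting names to pop afterwards is correct, but a one-line comment saying that the deferred `pop` is what keeps the dict stable during iteration would help the next reader.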
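Review bot: `get_config` calls `get_pools_in_order` directly, so an undefined or circular `next-pool` raises the helper's `ValueError` out of `get_config` before `verify()` runs, which would presumably surface on commit as a traceback instead of the `ConfigError` message the file otherwise uses (the context line `from vyos import ConfigError` is visible in the first hunk); wrapping the call, `except ValueError as e: raise ConfigError(str(e)) from e`, or moving the check into `verify()`, keeps the failure mode consistent. Separately, `ipoe['first_named_pool_subnet'] = pool_config` stores the whole pool dictionary rather than `pool_config['subnet']`, so the key name misleads whoever reads it in the template. The loop also selects `first_named_pool` as the first pool in dictionary order that has a `next_pool`, which is not necessarily the head of the chain (in the docstring example both `first-pool` and `foo` qualify); if the template's `ip-pool={{ first_named_pool }}` is meant to be the chain head, pick a pool that no other pool names as its `next_pool` instead.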
From 88d6dcca6b940ab67fc1607b75276a64436df4d3 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 21 Mar 2023 17:21:38 +0000 Subject: T5050: fix smoketest policy_route, which was failing after previos commit was merged --- python/vyos/firewall.py | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 137fd2c56..919032a41 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py 
@@ -223,21 +223,23 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): action = rule_conf['action'] if 'action' in rule_conf else 'accept' output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"') - if 'level' in rule_conf['log_options']: - log_level = rule_conf['log_options']['level'] - output.append(f'log level {log_level}') + if 'log_options' in rule_conf: - if 'group' in rule_conf['log_options']: - log_group = rule_conf['log_options']['group'] - output.append(f'log group {log_group}') + if 'level' in rule_conf['log_options']: + log_level = rule_conf['log_options']['level'] + output.append(f'log level {log_level}') - if 'queue_threshold' in rule_conf['log_options']: - queue_threshold = rule_conf['log_options']['queue_threshold'] - output.append(f'queue-threshold {queue_threshold}') + if 'group' in rule_conf['log_options']: + log_group = rule_conf['log_options']['group'] + output.append(f'log group {log_group}') - if 'snapshot_length' in rule_conf['log_options']: - log_snaplen = rule_conf['log_options']['snapshot_length'] - output.append(f'snaplen {log_snaplen}') + if 'queue_threshold' in rule_conf['log_options']: + queue_threshold = rule_conf['log_options']['queue_threshold'] + output.append(f'queue-threshold {queue_threshold}') + + if 'snapshot_length' in rule_conf['log_options']: + log_snaplen = rule_conf['log_options']['snapshot_length'] + output.append(f'snaplen {log_snaplen}') if 'hop_limit' in rule_conf: operators = {'eq': '==', 'gt': '>', 'lt': '<'} -- cgit v1.2.3 From c376ddedfc1a55dbf8a18ea2bdf6974a6fb665e8 Mon Sep 17 00:00:00 2001 From: Brandon Stepler Date: Tue, 21 Mar 2023 14:20:00 -0400 Subject: dhcp: pppoe: T5104: fix VRF comparisons --- python/vyos/configdict.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index 434ff99d7..6ab5c252c 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py 
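Review bot: The rewritten block in `parse_rule` subscripts `rule_conf['log_options']` eight times across the four option checks; binding it once under the new guard, `log_options = rule_conf['log_options']`, and testing `if 'level' in log_options:` etc. reads shorter and stops the extra indentation level from hiding the repeated lookups. The enclosing `parse_rule` starts before the hunk.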
@@ -333,8 +333,9 @@ def get_dhcp_interfaces(conf, vrf=None): if dict_search('dhcp_options.default_route_distance', config) != None: options.update({'dhcp_options' : config['dhcp_options']}) if 'vrf' in config: - if vrf is config['vrf']: tmp.update({ifname : options}) - else: tmp.update({ifname : options}) + if vrf == config['vrf']: tmp.update({ifname : options}) + else: + if vrf is None: tmp.update({ifname : options}) return tmp @@ -382,8 +383,9 @@ def get_pppoe_interfaces(conf, vrf=None): if 'no_default_route' in ifconfig: options.update({'no_default_route' : {}}) if 'vrf' in ifconfig: - if vrf is ifconfig['vrf']: pppoe_interfaces.update({ifname : options}) - else: pppoe_interfaces.update({ifname : options}) + if vrf == ifconfig['vrf']: pppoe_interfaces.update({ifname : options}) + else: + if vrf is None: pppoe_interfaces.update({ifname : options}) return pppoe_interfaces -- cgit v1.2.3 From 306e422d8306f3e4c35779bf93177c1fb56a4b61 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 21 Mar 2023 20:53:16 +0100 Subject: ospf: T5102: do not always redistribute babel routes --- src/conf_mode/protocols_ospf.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index 0582d32be..eb64afa0c 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -89,7 +89,7 @@ def get_config(config=None): if 'mpls_te' not in ospf: del default_values['mpls_te'] - for protocol in ['bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']: + for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']: # table is a tagNode thus we need to clean out all occurances for the # default values and load them in later individually if protocol == 'table': 
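Review bot: The `else:` branches added in `get_dhcp_interfaces` and, identically, in the `get_pppoe_interfaces` hunk that follows nest a second `if vrf is None:` where `elif vrf is None: tmp.update({ifname : options})` expresses the same three-way choice on one level and matches the one-line style of the sibling branch. Both enclosing functions start before their hunks, so whether a `vrf` value that matches no interface should be reported to the caller rather than silently yielding an empty result cannot be judged here.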
@@ -234,7 +234,7 @@ def verify(ospf): if list(set(global_range) & set(local_range)): raise ConfigError(f'Segment-Routing Global Block ({g_low_label_value}/{g_high_label_value}) '\ f'conflicts with Local Block ({l_low_label_value}/{l_high_label_value})!') - + # Check for a blank or invalid value per prefix if dict_search('segment_routing.prefix', ospf): for prefix, prefix_config in ospf['segment_routing']['prefix'].items(): -- cgit v1.2.3 From 05e00b986a563681b038b226c86c83a29d6da820 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 22 Mar 2023 10:29:35 +0000 Subject: T5105: Fix error message from dhcp-server --- src/conf_mode/dhcp_server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index 39c87478f..2b2af252d 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py @@ -247,7 +247,7 @@ def verify(dhcp): net2 = ip_network(n) if (net != net2): if net.overlaps(net2): - raise ConfigError('Conflicting subnet ranges: "{net}" overlaps "{net2}"!') + raise ConfigError(f'Conflicting subnet ranges: "{net}" overlaps "{net2}"!') # Prevent 'disable' for shared-network if only one network is configured if (shared_networks - disabled_shared_networks) < 1: -- cgit v1.2.3 From 0e670fa038304709b4d748de7e7c7d13aef9a553 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 22 Mar 2023 10:21:16 -0500 Subject: graphql: T5106: add auth_token client op --- src/services/api/graphql/graphql/client_op/auth_token.graphql | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 src/services/api/graphql/graphql/client_op/auth_token.graphql diff --git a/src/services/api/graphql/graphql/client_op/auth_token.graphql b/src/services/api/graphql/graphql/client_op/auth_token.graphql new file mode 100644 index 000000000..5ea2ecc1c --- /dev/null +++ b/src/services/api/graphql/graphql/client_op/auth_token.graphql 
@@ -0,0 +1,10 @@ + +mutation AuthToken ($username: String!, $password: String!) { + AuthToken (data: { username: $username, password: $password }) { + success + errors + data { + result + } + } +} -- cgit v1.2.3 From de253a0017da889fd2560811f774fc394528a133 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 22 Mar 2023 11:50:40 -0500 Subject: graphql: T5106: generate client ops for configsession functions --- .../graphql/generate/config_session_function.py | 2 - .../graphql/generate/schema_from_config_session.py | 72 +++++++++++++++++++--- .../api/graphql/generate/schema_from_op_mode.py | 3 +- 3 files changed, 65 insertions(+), 12 deletions(-) diff --git a/src/services/api/graphql/generate/config_session_function.py b/src/services/api/graphql/generate/config_session_function.py index 20fc7cc1d..4ebb47a7e 100644 --- a/src/services/api/graphql/generate/config_session_function.py +++ b/src/services/api/graphql/generate/config_session_function.py @@ -28,5 +28,3 @@ mutations = {'save_config_file': save_config_file, 'load_config_file': load_config_file, 'add_system_image': add_system_image, 'delete_system_image': delete_system_image} - - diff --git a/src/services/api/graphql/generate/schema_from_config_session.py b/src/services/api/graphql/generate/schema_from_config_session.py index 831faa41e..1d5ff1e53 100755 --- a/src/services/api/graphql/generate/schema_from_config_session.py +++ b/src/services/api/graphql/generate/schema_from_config_session.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as 
@@ -20,8 +20,7 @@ import os import sys -import json -from inspect import signature, getmembers, isfunction, isclass, getmro +from inspect import signature from jinja2 import Template from vyos.defaults import directories @@ -32,9 +31,9 @@ if __package__ is None or __package__ == '': else: from .. libs.op_mode import snake_to_pascal_case, map_type_name from . config_session_function import queries, mutations - from .. import state SCHEMA_PATH = directories['api_schema'] +CLIENT_OP_PATH = directories['api_client_op'] schema_data: dict = {'schema_name': '', 'schema_fields': []} @@ -85,6 +84,30 @@ extend type Mutation { } """ +op_query_template = """ +query {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + +op_mutation_template = """ +mutation {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + def create_schema(func_name: str, func: callable, template: str) -> str: sig = signature(func) 
@@ -104,19 +127,52 @@ def create_schema(func_name: str, func: callable, template: str) -> str: return res +def create_client_op(func_name: str, func: callable, template: str) -> str: + sig = signature(func) + + field_dict = {} + for k in sig.parameters: + field_dict[sig.parameters[k].name] = map_type_name(sig.parameters[k].annotation) + + op_sig = ['$key: String'] + op_arg = ['key: $key'] + for k,v in field_dict.items(): + op_sig.append('$'+k+': '+v) + op_arg.append(k+': $'+k) + + op_data = {} + op_data['op_name'] = snake_to_pascal_case(func_name) + op_data['op_sig'] = ', '.join(op_sig) + op_data['op_arg'] = ', '.join(op_arg) + + j2_template = Template(template) + + res = j2_template.render(op_data) + + return res + def generate_config_session_definitions(): - results = [] + schema = [] + client_op = [] for name,func in queries.items(): res = create_schema(name, func, query_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_query_template) + client_op.append(res) for name,func in mutations.items(): res = create_schema(name, func, mutation_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_mutation_template) + client_op.append(res) - out = '\n'.join(results) + out = '\n'.join(schema) with open(f'{SCHEMA_PATH}/configsession.graphql', 'w') as f: f.write(out) + out = '\n'.join(client_op) + with open(f'{CLIENT_OP_PATH}/configsession.graphql', 'w') as f: + f.write(out) + if __name__ == '__main__': generate_config_session_definitions() diff --git a/src/services/api/graphql/generate/schema_from_op_mode.py b/src/services/api/graphql/generate/schema_from_op_mode.py index cb7b0fd21..229ccf90f 100755 --- a/src/services/api/graphql/generate/schema_from_op_mode.py +++ b/src/services/api/graphql/generate/schema_from_op_mode.py 
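Review bot: `create_client_op` here and its byte-identical twin in the `schema_from_composite.py` hunk of the next commit duplicate the same parameter introspection, string assembly and the two `op_*_template` strings; one copy next to `snake_to_pascal_case` and `map_type_name` in `libs.op_mode` would keep the two generators from drifting apart. Within the function, the `field_dict` loop is a dict comprehension, `{p.name: map_type_name(p.annotation) for p in sig.parameters.values()}`, and the `'$'+k+': '+v` / `k+': $'+k` concatenations read better as `f'${k}: {v}'` and `f'{k}: ${k}'`. The `$key: String` variable is always emitted even though `field_dict` never contains it, which is presumably intentional for the resolver but deserves a one-line comment saying so.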
@@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -35,7 +35,6 @@ if __package__ is None or __package__ == '': else: from .. libs.op_mode import is_show_function_name from .. libs.op_mode import snake_to_pascal_case, map_type_name - from .. import state OP_MODE_PATH = directories['op_mode'] SCHEMA_PATH = directories['api_schema'] -- cgit v1.2.3 From 1177c9cf010ee2c8eb17fc0486ad9b5116c5a9d9 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 22 Mar 2023 12:25:07 -0500 Subject: graphql: T5106: generate client ops for composite functions --- .../api/graphql/generate/schema_from_composite.py | 72 +++++++++++++++++++--- 1 file changed, 64 insertions(+), 8 deletions(-) diff --git a/src/services/api/graphql/generate/schema_from_composite.py b/src/services/api/graphql/generate/schema_from_composite.py index 50c5d24f8..06e74032d 100755 --- a/src/services/api/graphql/generate/schema_from_composite.py +++ b/src/services/api/graphql/generate/schema_from_composite.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -20,8 +20,7 @@ import os import sys -import json -from inspect import signature, getmembers, isfunction, isclass, getmro +from inspect import signature from jinja2 import Template from vyos.defaults import directories 
@@ -32,9 +31,9 @@ if __package__ is None or __package__ == '': else: from .. libs.op_mode import snake_to_pascal_case, map_type_name from . composite_function import queries, mutations - from .. import state SCHEMA_PATH = directories['api_schema'] +CLIENT_OP_PATH = directories['api_client_op'] schema_data: dict = {'schema_name': '', 'schema_fields': []} @@ -85,6 +84,30 @@ extend type Mutation { } """ +op_query_template = """ +query {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + +op_mutation_template = """ +mutation {{ op_name }} ({{ op_sig }}) { + {{ op_name }} (data: { {{ op_arg }} }) { + success + errors + data { + result + } + } +} +""" + def create_schema(func_name: str, func: callable, template: str) -> str: sig = signature(func) 
@@ -104,19 +127,52 @@ def create_schema(func_name: str, func: callable, template: str) -> str: return res +def create_client_op(func_name: str, func: callable, template: str) -> str: + sig = signature(func) + + field_dict = {} + for k in sig.parameters: + field_dict[sig.parameters[k].name] = map_type_name(sig.parameters[k].annotation) + + op_sig = ['$key: String'] + op_arg = ['key: $key'] + for k,v in field_dict.items(): + op_sig.append('$'+k+': '+v) + op_arg.append(k+': $'+k) + + op_data = {} + op_data['op_name'] = snake_to_pascal_case(func_name) + op_data['op_sig'] = ', '.join(op_sig) + op_data['op_arg'] = ', '.join(op_arg) + + j2_template = Template(template) + + res = j2_template.render(op_data) + + return res + def generate_composite_definitions(): - results = [] + schema = [] + client_op = [] for name,func in queries.items(): res = create_schema(name, func, query_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_query_template) + client_op.append(res) for name,func in mutations.items(): res = create_schema(name, func, mutation_template) - results.append(res) + schema.append(res) + res = create_client_op(name, func, op_mutation_template) + client_op.append(res) - out = '\n'.join(results) + out = '\n'.join(schema) with open(f'{SCHEMA_PATH}/composite.graphql', 'w') as f: f.write(out) + out = '\n'.join(client_op) + with open(f'{CLIENT_OP_PATH}/composite.graphql', 'w') as f: + f.write(out) + if __name__ == '__main__': generate_composite_definitions() -- cgit v1.2.3 From 32e94e1699c20f4ba3c0a2248f3eb27c07a3f170 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 23 Mar 2023 08:12:56 +0000 Subject: T5086: Add smoketest DROP_MONITOR kernel option --- smoketest/scripts/system/test_kernel_options.py | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) 
diff --git a/smoketest/scripts/system/test_kernel_options.py b/smoketest/scripts/system/test_kernel_options.py index 4d9cbacbe..94be0483a 100755 --- a/smoketest/scripts/system/test_kernel_options.py +++ b/smoketest/scripts/system/test_kernel_options.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020 VyOS maintainers and contributors +# Copyright (C) 2020-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -14,14 +14,19 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import gzip import re +import os import platform import unittest +from vyos.util import call from vyos.util import read_file kernel = platform.release() config = read_file(f'/boot/config-{kernel}') +CONFIG = '/proc/config.gz' + class TestKernelModules(unittest.TestCase): """ VyOS makes use of a lot of Kernel drivers, modules and features. The @@ -42,6 +47,22 @@ class TestKernelModules(unittest.TestCase): tmp = re.findall(f'{option}=(y|m)', config) self.assertTrue(tmp) + def test_dropmon_enabled(self): + options_to_check = [ + 'CONFIG_NET_DROP_MONITOR=y', + 'CONFIG_UPROBE_EVENTS=y', + 'CONFIG_BPF_EVENTS=y', + 'CONFIG_TRACEPOINTS=y' + ] + if not os.path.isfile(CONFIG): + call('sudo modprobe configs') + + with gzip.open(CONFIG, 'rt') as f: + config_data = f.read() + for option in options_to_check: + self.assertIn(option, config_data, + f"Option {option} is not present in /proc/config.gz") + def test_qemu_support(self): # The bond/lacp interface must be enabled in the OS Kernel for option in ['CONFIG_VIRTIO_BLK', 'CONFIG_SCSI_VIRTIO', @@ -58,6 +79,7 @@ class TestKernelModules(unittest.TestCase): tmp = re.findall(f'{option}=(y|m)', config) self.assertTrue(tmp) + if __name__ == '__main__': unittest.main(verbosity=2) -- cgit v1.2.3 
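Review bot: In `test_dropmon_enabled`, the return value of `call('sudo modprobe configs')` is ignored, so when the module cannot be loaded the test fails later inside `gzip.open` with a `FileNotFoundError` for `/proc/config.gz` rather than with a message naming the cause; if `vyos.util.call` returns the exit status as its name suggests, `self.assertEqual(call('sudo modprobe configs'), 0, 'unable to load configs module')` makes the precondition explicit. The sibling tests in this class check `config` read from `/boot/config-{kernel}` with `re.findall(f'{option}=(y|m)', config)`; if `/proc/config.gz` is used deliberately because it reflects the running kernel, a comment saying so would stop the next reader from "fixing" the inconsistency.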
From 7380bf1216399f905fe85ff26eaa0272b9f6dfe0 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Thu, 23 Mar 2023 08:31:28 -0500 Subject: op-mode: T5107: raise error instead of calling exit --- src/op_mode/dns.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/op_mode/dns.py b/src/op_mode/dns.py index a0e47d7ad..f8863c530 100755 --- a/src/op_mode/dns.py +++ b/src/op_mode/dns.py @@ -17,7 +17,6 @@ import sys -from sys import exit from tabulate import tabulate from vyos.configquery import ConfigTreeQuery @@ -75,8 +74,7 @@ def show_forwarding_statistics(raw: bool): config = ConfigTreeQuery() if not config.exists('service dns forwarding'): - print("DNS forwarding is not configured") - exit(0) + raise vyos.opmode.UnconfiguredSubsystem('DNS forwarding is not configured') dns_data = _get_raw_forwarding_statistics() if raw: -- cgit v1.2.3 From 98940e92d5c75d9f112a19e3f12ac1d4a257667c Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 23 Mar 2023 14:50:51 +0100 Subject: ipsec: T5003: Resolve issue with ipsec DHCP test tearDown checks for existence of charon process, however this test does not create any connections by design. --- smoketest/scripts/cli/test_vpn_ipsec.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 61363b853..b677f0e45 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -117,6 +117,8 @@ rgiyCHemtMepq57Pl1Nmj49eEA== """ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): + skip_process_check = False + @classmethod def setUpClass(cls): super(TestVPNIPsec, cls).setUpClass() 
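Review bot: The new `raise vyos.opmode.UnconfiguredSubsystem(...)` in `show_forwarding_statistics` needs `vyos.opmode` imported as a module, and the import region shown in the first hunk (`import sys`, `from tabulate import tabulate`, `from vyos.configquery import ConfigTreeQuery`) does not include it; presumably it is imported further down, but that is outside the hunk, so confirm before merging. Dropping `from sys import exit` is also only safe if no other `exit(` call in dns.py relied on it, since a remaining call would now bind to the `site`-provided builtin. `show_forwarding_statistics` starts before the hunk.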
@@ -141,7 +143,10 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): def tearDown(self): # Check for running process - self.assertTrue(process_named_running(PROCESS_NAME)) + if not self.skip_process_check: + self.assertTrue(process_named_running(PROCESS_NAME)) + else: + self.skip_process_check = False # Reset self.cli_delete(base_path) self.cli_delete(tunnel_path) @@ -151,6 +156,9 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.assertFalse(process_named_running(PROCESS_NAME)) def test_01_dhcp_fail_handling(self): + # Skip process check - connection is not created for this test + self.skip_process_check = True + # Interface for dhcp-interface self.cli_set(ethernet_path + [interface, 'vif', vif, 'address', 'dhcp']) # Use VLAN to avoid getting IP from qemu dhcp server -- cgit v1.2.3 From 62875954a6679e1124cd727187f64bd37ec4678f Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 23 Mar 2023 14:55:05 +0100 Subject: ipsec: T2816: Cleanup dhcp hook file if not required --- src/conf_mode/vpn_ipsec.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index d207c63df..63887b278 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -549,6 +549,8 @@ def generate(ipsec): if ipsec['dhcp_no_address']: with open(DHCP_HOOK_IFLIST, 'w') as f: f.write(" ".join(ipsec['dhcp_no_address'].values())) + elif os.path.exists(DHCP_HOOK_IFLIST): + os.unlink(DHCP_HOOK_IFLIST) for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH, PUBKEY_PATH]: if not os.path.exists(path): -- cgit v1.2.3 From 9c81b63a1a42d95e99c6a32ca6e3cb4704231352 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 23 Mar 2023 13:41:13 +0000 Subject: T5108: Add option rate-limit for l2tp pptp sstp ipoe raw format There is a missing usefull option 'rate-limit' for L2TP/PPTP/SSTP/IPoE raw output format --- src/op_mode/accelppp.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
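Review bot: The `else: self.skip_process_check = False` reset in `tearDown` is redundant: `unittest` builds a fresh `TestVPNIPsec` instance for each test method, so the instance attribute that `test_01_dhcp_fail_handling` sets never reaches another test, and the class-level `skip_process_check = False` default already applies. Reducing the branch to `if not self.skip_process_check: self.assertTrue(process_named_running(PROCESS_NAME))` keeps the behaviour and removes the impression that state is shared across tests. `tearDown` continues outside the hunk.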
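Review bot: `elif os.path.exists(DHCP_HOOK_IFLIST): os.unlink(DHCP_HOOK_IFLIST)` in `generate` is a check-then-act pair: if the file disappears between the two calls the unlink raises, and `os.path.exists` is also false for a dangling symlink, which would then be left in place. Unlinking unconditionally and ignoring only the absent case, `try: os.unlink(DHCP_HOOK_IFLIST)` / `except FileNotFoundError: pass`, covers both without the window. `generate` starts before the hunk.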
diff --git a/src/op_mode/accelppp.py b/src/op_mode/accelppp.py index 87a25bb96..00de45fc8 100755 --- a/src/op_mode/accelppp.py +++ b/src/op_mode/accelppp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -75,8 +75,8 @@ def _get_raw_statistics(accel_output, pattern, protocol): def _get_raw_sessions(port): - cmd_options = 'show sessions ifname,username,ip,ip6,ip6-dp,type,state,' \ - 'uptime-raw,calling-sid,called-sid,sid,comp,rx-bytes-raw,' \ + cmd_options = 'show sessions ifname,username,ip,ip6,ip6-dp,type,rate-limit,' \ + 'state,uptime-raw,calling-sid,called-sid,sid,comp,rx-bytes-raw,' \ 'tx-bytes-raw,rx-pkts,tx-pkts' output = vyos.accel_ppp.accel_cmd(port, cmd_options) parsed_data: list[dict[str, str]] = vyos.accel_ppp.accel_out_parse( -- cgit v1.2.3 From b48e9a7c4cc89546aaf4a40f71535acfddc7e4d3 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Thu, 23 Mar 2023 18:55:02 -0500 Subject: op-mode: T5097: show interfaces should reflect cleared counters 'show interfaces counters' correctly displays counter stats after a call to 'clear interfaces counters', however, 'show interfaces detail' does not. Add missing update to counter stats. --- src/op_mode/interfaces.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/op_mode/interfaces.py b/src/op_mode/interfaces.py index 678c74980..7d04ec4e3 100755 --- a/src/op_mode/interfaces.py +++ b/src/op_mode/interfaces.py 
@@ -207,7 +207,11 @@ def _get_raw_data(ifname: typing.Optional[str], res_intf['description'] = interface.get_alias() - res_intf['stats'] = interface.operational.get_stats() + stats = interface.operational.get_stats() + for k in list(stats): + stats[k] = _get_counter_val(cache[k], stats[k]) + + res_intf['stats'] = stats ret.append(res_intf) -- cgit v1.2.3 From 58b29610221a8f80bea1cfacbd2112f3690fe734 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 24 Mar 2023 08:47:28 +0100 Subject: xml: T5109: use common include file for alpha-numeric, hyphen and underscore regex --- interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i | 4 ++-- interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i | 4 ++-- interface-definitions/include/bgp/protocol-common-config.xml.i | 2 +- .../include/constraint/alpha-numeric-hyphen-underscore.xml.in | 3 +++ interface-definitions/policy.xml.in | 8 ++++---- interface-definitions/service-monitoring-telegraf.xml.in | 10 +++++----- 6 files changed, 17 insertions(+), 14 deletions(-) create mode 100644 interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in diff --git a/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i b/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i index 34b5ec7d7..ee902b0b6 100644 --- a/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i +++ b/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i @@ -15,7 +15,7 @@ Name of IPv4 prefix-list - [-_a-zA-Z0-9]+ + #include Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores @@ -31,7 +31,7 @@ Name of IPv4 prefix-list - [-_a-zA-Z0-9]+ + #include Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores diff --git a/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i b/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i index 06c661a90..da966f193 100644 --- a/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i 
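Review bot: `cache[k]` raises `KeyError` for any counter name that `get_stats()` returns but the cache does not hold, which would turn `show interfaces detail` into a traceback instead of a number; how `cache` is populated is outside the hunk, so whether the key sets always match needs confirming. If a missing key means "never cleared", `_get_counter_val(cache.get(k, 0), stats[k])` (or skipping keys absent from `cache`) keeps the display working — the right default depends on what `_get_counter_val` does with its first argument, which is also not visible here. `_get_raw_data` starts and ends outside the hunk.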
+++ b/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i @@ -15,7 +15,7 @@ Name of IPv6 prefix-list - [-_a-zA-Z0-9]+ + #include Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores @@ -31,7 +31,7 @@ Name of IPv6 prefix-list - [-_a-zA-Z0-9]+ + #include Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 7a3617044..9435b45fd 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1497,7 +1497,7 @@ Name of peer-group - [-_a-zA-Z0-9]+ + #include diff --git a/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in new file mode 100644 index 000000000..eb568d7d9 --- /dev/null +++ b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in @@ -0,0 +1,3 @@ + +[-_a-zA-Z0-9]+ + diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index b3745fda0..66608be6f 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -242,7 +242,7 @@ BGP extended community-list name - [-_a-zA-Z0-9]+ + #include Should be an alphanumeric name @@ -291,7 +291,7 @@ BGP large-community-list name - [-_a-zA-Z0-9]+ + #include Should be an alphanumeric name @@ -340,7 +340,7 @@ Name of IPv4 prefix-list - [-_a-zA-Z0-9]+ + #include Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores @@ -408,7 +408,7 @@ Name of IPv6 prefix-list - [-_a-zA-Z0-9]+ + #include Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores 
diff --git a/interface-definitions/service-monitoring-telegraf.xml.in b/interface-definitions/service-monitoring-telegraf.xml.in index f50e5e334..5ba932400 100644 --- a/interface-definitions/service-monitoring-telegraf.xml.in +++ b/interface-definitions/service-monitoring-telegraf.xml.in @@ -74,7 +74,7 @@ Application client id - [-_a-zA-Z0-9]+ + #include Client-id is limited to alphanumerical characters and can contain hyphen and underscores @@ -83,7 +83,7 @@ Application client secret - [-_a-zA-Z0-9]+ + #include Client-secret is limited to alphanumerical characters and can contain hyphen and underscores @@ -92,7 +92,7 @@ Set tenant id - [-_a-zA-Z0-9]+ + #include Tenant-id is limited to alphanumerical characters and can contain hyphen and underscores @@ -107,7 +107,7 @@ Remote database name - [-_a-zA-Z0-9]+ + #include Database is limited to alphanumerical characters and can contain hyphen and underscores @@ -140,7 +140,7 @@ Table name - [-_a-zA-Z0-9]+ + #include Table is limited to alphanumerical characters and can contain hyphen and underscores -- cgit v1.2.3 From 85ed5feda444604622f08d73ea52e744733315d0 Mon Sep 17 00:00:00 2001 From: Indrajit Raychaudhuri Date: Sat, 25 Mar 2023 02:42:29 -0500 Subject: ntp: T5112: Enable support for NTS (Network Time Security) in chrony This is basic configuration to enable NTS support in chrony. --- data/templates/chrony/chrony.conf.j2 | 3 ++- interface-definitions/ntp.xml.in | 6 ++++++ smoketest/scripts/cli/test_service_ntp.py | 3 ++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2 index 711bbbec7..7a36fe69d 100644 --- a/data/templates/chrony/chrony.conf.j2 +++ b/data/templates/chrony/chrony.conf.j2 @@ -17,6 +17,7 @@ clientloglimit 1048576 driftfile /run/chrony/drift dumpdir /run/chrony +ntsdumpdir /run/chrony pidfile {{ config_file | replace('.conf', '.pid') }} # Determine when will the next leap second occur and what is the current offset 
@@ -31,7 +32,7 @@ user {{ user }} {% if config.pool is vyos_defined %} {% set association = 'pool' %} {% endif %} -{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }} +{{ association }} {{ server | replace('_', '-') }} iburst {{ 'nts' if config.nts is vyos_defined }} {{ 'noselect' if config.noselect is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }} {% endfor %} {% endif %} diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/ntp.xml.in index 65e40ee32..287401ed6 100644 --- a/interface-definitions/ntp.xml.in +++ b/interface-definitions/ntp.xml.in @@ -37,6 +37,12 @@ + + + Enable Network Time Security (NTS) for the server + + + Associate with a number of remote servers diff --git a/smoketest/scripts/cli/test_service_ntp.py b/smoketest/scripts/cli/test_service_ntp.py index 3ccd19a31..046e5eea6 100755 --- a/smoketest/scripts/cli/test_service_ntp.py +++ b/smoketest/scripts/cli/test_service_ntp.py @@ -46,7 +46,7 @@ class TestSystemNTP(VyOSUnitTestSHIM.TestCase): def test_01_ntp_options(self): # Test basic NTP support with multiple servers and their options servers = ['192.0.2.1', '192.0.2.2'] - options = ['noselect', 'prefer'] + options = ['nts', 'noselect', 'prefer'] pools = ['pool.vyos.io'] for server in servers: @@ -65,6 +65,7 @@ class TestSystemNTP(VyOSUnitTestSHIM.TestCase): config = cmd(f'sudo cat {NTP_CONF}') self.assertIn('driftfile /run/chrony/drift', config) self.assertIn('dumpdir /run/chrony', config) + self.assertIn('ntsdumpdir /run/chrony', config) self.assertIn('clientloglimit 1048576', config) self.assertIn('rtcsync', config) self.assertIn('makestep 1.0 3', config) -- cgit v1.2.3 From c6494f12f92746cc4603fceca6b1a22fed010b93 Mon Sep 17 00:00:00 2001 
From: Indrajit Raychaudhuri Date: Sat, 25 Mar 2023 18:51:34 -0500 Subject: dns: T5113: Support custom port for name-server forwarders Support custom port for name-server forwarders that would allow using custom ports in name server forwarders to enable forwarding to alternative name servers (unbound, stubby, dnscrypt-proxy etc.) operating on non-default port. This would also allow using DNS Over TLS in PowerDNS Recursor 4.6 onwards (pdns doesn't support certificate check for validity yet) by enabling 'dot-to-port-853'. This is set by default if compiled in with DoT support. See: https://doc.powerdns.com/recursor/settings.html#dot-to-port-853 This also partially implements T921, T2195 (DoT without certificate check). Implementation details: - In 'dns/forwarding' configuration, 'name-server' now allows optional 'port' (defaults to 53). - Instead of modifying 'name-server-ipv4-ipv6.xml.i' to add optional 'port', a new file 'name-server-ipv4-ipv6-port.xml.i' has been used to avoid impacting other places where it is reused because not all of them honor ports (mostly VPN related). - The `host:port` entries to be used by PowerDNS recursor config are normalized eagerly at the point of loading VyOS `Config` instead of doing them lazily while rendering the Jinja2 template to keep the implementation less intrusive. The alternative would entail making quite a bit of change in how 'vyos-hostsd' processes 'static' 'name_servers' entries or persists their runtime states. --- interface-definitions/dns-forwarding.xml.in | 2 +- .../include/name-server-ipv4-ipv6-port.xml.i | 25 ++++++++++++++++++++++ src/conf_mode/dns_forwarding.py | 17 +++++++++++++-- 3 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 interface-definitions/include/name-server-ipv4-ipv6-port.xml.i diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index 371f198c6..b23eaa351 100644 --- a/interface-definitions/dns-forwarding.xml.in 
+++ b/interface-definitions/dns-forwarding.xml.in @@ -635,7 +635,7 @@ 1500 - #include + #include Local addresses from which to send DNS queries diff --git a/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i new file mode 100644 index 000000000..cf86e66a2 --- /dev/null +++ b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i @@ -0,0 +1,25 @@ + + + + Domain Name Servers (DNS) addresses + + ipv4 + Domain Name Server (DNS) IPv4 address + + + ipv6 + Domain Name Server (DNS) IPv6 address + + + + + + + + #include + + 53 + + + + diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py index d0d87d73e..4d6b85d92 100755 --- a/src/conf_mode/dns_forwarding.py +++ b/src/conf_mode/dns_forwarding.py @@ -24,7 +24,7 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.hostsd_client import Client as hostsd_client from vyos.template import render -from vyos.template import is_ipv6 +from vyos.template import bracketize_ipv6 from vyos.util import call from vyos.util import chown from vyos.util import dict_search @@ -58,8 +58,16 @@ def get_config(config=None): default_values = defaults(base) # T2665 due to how defaults under tag nodes work, we must clear these out before we merge del default_values['authoritative_domain'] + del default_values['name_server'] dns = dict_merge(default_values, dns) + # T2665: we cleared default values for tag node 'name_server' above. + # We now need to add them back back in a granular way. + if 'name_server' in dns: + default_values = defaults(base + ['name-server']) + for server in dns['name_server']: + dns['name_server'][server] = dict_merge(default_values, dns['name_server'][server]) + # some additions to the default dictionary if 'system' in dns: base_nameservers = ['system', 'name-server'] 
@@ -329,7 +337,12 @@ def apply(dns): # sources hc.delete_name_servers([hostsd_tag]) if 'name_server' in dns: - hc.add_name_servers({hostsd_tag: dns['name_server']}) + # 'name_server' is a dict of the form + # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] with IPv6 hosts bracketized + nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) + for (h, p) in dns['name_server'].items()] + hc.add_name_servers({hostsd_tag: nslist}) # delete all nameserver tags hc.delete_name_server_tags_recursor(hc.get_name_server_tags_recursor()) -- cgit v1.2.3 From 3826517b1d1672d6ad5e2d1c2a8b7d70e22fd0ae Mon Sep 17 00:00:00 2001 From: Indrajit Raychaudhuri Date: Sun, 26 Mar 2023 18:17:46 -0500 Subject: dns: T5113: Support custom port for name-server forwarders Smoketest update for T5113 with optional port for name-server forwarders. --- smoketest/scripts/cli/test_service_dns_forwarding.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py index 94e0597ad..04dced292 100755 --- a/smoketest/scripts/cli/test_service_dns_forwarding.py +++ b/smoketest/scripts/cli/test_service_dns_forwarding.py @@ -20,6 +20,7 @@ import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSessionError +from vyos.template import bracketize_ipv6 from vyos.util import read_file from vyos.util import process_named_running 
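Review bot: The immediately-invoked `(lambda h, p: ...)(h, p)` inside the comprehension adds a call and a second binding of the same names for no effect; the plain expression `nslist = [f"{bracketize_ipv6(h)}:{p['port']}" for h, p in dns['name_server'].items()]` does the same and reads directly. The same pattern recurs in both `test_service_dns_forwarding.py` hunks and in the forward-zones hunk of `apply()` in the later commit. `apply()` starts and ends outside the hunk.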
@@ -141,15 +142,20 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase): for address in listen_adress: self.cli_set(base_path + ['listen-address', address]) - nameservers = ['192.0.2.1', '192.0.2.2'] - for nameserver in nameservers: - self.cli_set(base_path + ['name-server', nameserver]) + nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}} + for h,p in nameservers.items(): + if 'port' in p: + self.cli_set(base_path + ['name-server', h, 'port', p['port']]) + else: + self.cli_set(base_path + ['name-server', h]) # commit changes self.cli_commit() tmp = get_config_value(r'\+.', file=FORWARD_FILE) - self.assertEqual(tmp, ', '.join(nameservers)) + canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p) + for (h, p) in nameservers.items()] + self.assertEqual(tmp, ', '.join(canonical_entries)) # Do not use local /etc/hosts file in name resolution # default: yes -- cgit v1.2.3 From f8522f323ec26a2a1507a6026cbc939bb8960262 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Mon, 27 Mar 2023 12:03:58 -0500 Subject: openvpn: T5051: fix hyphen/underscore error in use of typing.Literal --- src/op_mode/openvpn.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/op_mode/openvpn.py b/src/op_mode/openvpn.py index 7ae49472e..37fdbcbeb 100755 --- a/src/op_mode/openvpn.py +++ b/src/op_mode/openvpn.py @@ -150,7 +150,8 @@ def _get_raw_data(mode: str) -> list: if not conf_dict: return data - interfaces = [x for x in list(conf_dict) if conf_dict[x]['mode'] == mode] + interfaces = [x for x in list(conf_dict) if + conf_dict[x]['mode'].replace('-', '_') == mode] for intf in interfaces: d = _get_interface_status(mode, intf) d['local_host'] = conf_dict[intf].get('local-host', '') -- cgit v1.2.3 From 35126e6b41b212aafb2784dee7577b0682bb3af5 Mon Sep 17 00:00:00 2001 
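Review bot: `list(conf_dict)` copies the key list only to iterate it, and each match then looks the key up a second time; iterating the items avoids both: `interfaces = [x for x, cfg in conf_dict.items()` / `if cfg['mode'].replace('-', '_') == mode]`. `cfg['mode']` still raises `KeyError` for an interface whose config carries no `mode` entry, which is fine if the node is mandatory, otherwise `cfg.get('mode', '')` makes the filter tolerant. `_get_raw_data` starts and ends outside the hunk.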
From: Christian Breunig Date: Mon, 27 Mar 2023 22:36:32 +0200 Subject: bgp: T5114: add peer-group "port" CLI command --- .../include/bgp/protocol-common-config.xml.i | 16 +++------------- interface-definitions/include/bgp/timers-holdtime.xml.i | 4 ++-- smoketest/scripts/cli/test_protocols_bgp.py | 9 ++++++--- 3 files changed, 11 insertions(+), 18 deletions(-) diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 9435b45fd..aa9cd5850 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1008,18 +1008,6 @@ #include #include #include - - - Neighbor BGP port - - u32:1-65535 - Neighbor BGP port number - - - - - - #include #include @@ -1061,6 +1049,7 @@ #include #include + #include @@ -1524,10 +1513,11 @@ #include #include #include - #include #include #include #include + #include + #include #include diff --git a/interface-definitions/include/bgp/timers-holdtime.xml.i b/interface-definitions/include/bgp/timers-holdtime.xml.i index 9e86ab13d..31e97f6b8 100644 --- a/interface-definitions/include/bgp/timers-holdtime.xml.i +++ b/interface-definitions/include/bgp/timers-holdtime.xml.i @@ -1,14 +1,14 @@ - BGP hold timer for this neighbor + Hold timer u32:1-65535 Hold timer in seconds 0 - Hold timer disabled + Disable hold timer diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py index 4047ea8f4..d024ea92a 100755 --- a/smoketest/scripts/cli/test_protocols_bgp.py +++ b/smoketest/scripts/cli/test_protocols_bgp.py @@ -132,7 +132,8 @@ peer_group_config = { }, 'bar' : { 'remote_as' : '111', - 'graceful_rst_no' : '' + 'graceful_rst_no' : '', + 'port' : '667', }, 'foo-bar' : { 'advertise_map' : route_map_in, 
@@ -237,6 +238,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.assertIn(f' neighbor {peer} passive', frrconfig) if 'password' in peer_config: self.assertIn(f' neighbor {peer} password {peer_config["password"]}', frrconfig) + if 'port' in peer_config: + self.assertIn(f' neighbor {peer} port {peer_config["port"]}', frrconfig) if 'remote_as' in peer_config: self.assertIn(f' neighbor {peer} remote-as {peer_config["remote_as"]}', frrconfig) if 'solo' in peer_config: @@ -463,8 +466,6 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): for peer, peer_config in neighbor_config.items(): if 'adv_interv' in peer_config: self.assertIn(f' neighbor {peer} advertisement-interval {peer_config["adv_interv"]}', frrconfig) - if 'port' in peer_config: - self.assertIn(f' neighbor {peer} port {peer_config["port"]}', frrconfig) if 'cap_strict' in peer_config: self.assertIn(f' neighbor {peer} strict-capability-match', frrconfig) @@ -500,6 +501,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['peer-group', peer_group, 'passive']) if 'password' in config: self.cli_set(base_path + ['peer-group', peer_group, 'password', config["password"]]) + if 'port' in config: + self.cli_set(base_path + ['peer-group', peer_group, 'port', config["port"]]) if 'remote_as' in config: self.cli_set(base_path + ['peer-group', peer_group, 'remote-as', config["remote_as"]]) if 'shutdown' in config: -- cgit v1.2.3 From d9fa39a370c06d8add22a7018d14984e5ac14fc8 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 27 Mar 2023 22:43:26 +0200 Subject: bgp: T5114: add "neighbor path-attribute discard" --- data/templates/frr/bgpd.frr.j2 | 3 +++ .../include/bgp/neighbor-path-attribute.xml.i | 21 +++++++++++++++++++++ .../include/bgp/protocol-common-config.xml.i | 2 ++ smoketest/scripts/cli/test_protocols_bgp.py | 8 ++++++++ 4 files changed, 34 insertions(+) create mode 100644 interface-definitions/include/bgp/neighbor-path-attribute.xml.i 
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 5170a12ba..346eb3996 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -74,6 +74,9 @@ {% if config.password is vyos_defined %} neighbor {{ neighbor }} password {{ config.password }} {% endif %} +{% if config.path_attribute.discard is vyos_defined %} + neighbor {{ neighbor }} path-attribute discard {{ config.path_attribute.discard }} +{% endif %} {% if config.port is vyos_defined %} neighbor {{ neighbor }} port {{ config.port }} {% endif %} diff --git a/interface-definitions/include/bgp/neighbor-path-attribute.xml.i b/interface-definitions/include/bgp/neighbor-path-attribute.xml.i new file mode 100644 index 000000000..f4f2fcfa9 --- /dev/null +++ b/interface-definitions/include/bgp/neighbor-path-attribute.xml.i @@ -0,0 +1,21 @@ + + + + Manipulate path attributes from incoming UPDATE messages + + + + + Drop specified attributes from incoming UPDATE messages + + u32:1-255 + Attribute number + + + + + + + + + diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index aa9cd5850..2bf2fdfc3 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1005,6 +1005,7 @@ #include #include #include + #include #include #include #include @@ -1511,6 +1512,7 @@ #include #include #include + #include #include #include #include diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py index d024ea92a..c366b4e89 100755 --- a/smoketest/scripts/cli/test_protocols_bgp.py +++ b/smoketest/scripts/cli/test_protocols_bgp.py @@ -55,6 +55,7 @@ neighbor_config = { 'route_map_out' : route_map_out, 'no_send_comm_ext' : '', 'addpath_all' : '', + 'p_attr_discard' : '123', }, '192.0.2.2' : { 'bfd_profile' : bfd_profile, 
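Review bot: `{{ config.path_attribute.discard }}` renders the value's Python representation, so if the new `discard` node is a multi-value node (the stripped XML does not show whether it is, and FRR's `path-attribute discard` accepts several attribute numbers) the generated line becomes `path-attribute discard ['123', '250']`, which FRR rejects; in that case the template needs `{{ config.path_attribute.discard | join(' ') }}`, whereas a single-valued node renders correctly as written (and `join` would then split the string). The XML definition should state which it is so the template and tests agree. The neighbor block of the template starts and ends outside the hunk.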
@@ -129,6 +130,7 @@ peer_group_config = { 'cap_over' : '', 'ttl_security' : '5', 'disable_conn_chk' : '', + 'p_attr_discard' : '250', }, 'bar' : { 'remote_as' : '111', @@ -264,6 +266,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.assertIn(f' no neighbor {peer} send-community extended', frrconfig) if 'addpath_all' in peer_config: self.assertIn(f' neighbor {peer} addpath-tx-all-paths', frrconfig) + if 'p_attr_discard' in peer_config: + self.assertIn(f' neighbor {peer} path-attribute discard {peer_config["p_attr_discard"]}', frrconfig) if 'addpath_per_as' in peer_config: self.assertIn(f' neighbor {peer} addpath-tx-bestpath-per-AS', frrconfig) if 'advertise_map' in peer_config: @@ -417,6 +421,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['neighbor', peer, 'ttl-security', 'hops', peer_config["ttl_security"]]) if 'update_src' in peer_config: self.cli_set(base_path + ['neighbor', peer, 'update-source', peer_config["update_src"]]) + if 'p_attr_discard' in peer_config: + self.cli_set(base_path + ['neighbor', peer, 'path-attribute', 'discard', peer_config["p_attr_discard"]]) if 'route_map_in' in peer_config: self.cli_set(base_path + ['neighbor', peer, 'address-family', afi, 'route-map', 'import', peer_config["route_map_in"]]) if 'route_map_out' in peer_config: @@ -535,6 +541,8 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['peer-group', peer_group, 'graceful-restart', 'restart-helper']) if 'disable_conn_chk' in config: self.cli_set(base_path + ['peer-group', peer_group, 'disable-connected-check']) + if 'p_attr_discard' in config: + self.cli_set(base_path + ['peer-group', peer_group, 'path-attribute', 'discard', config["p_attr_discard"]]) # Conditional advertisement if 'advertise_map' in config: -- cgit v1.2.3 From b5d940d9f279a8391c8d8c56cc86f4855c9d38b5 Mon Sep 17 00:00:00 2001 
From: Christian Breunig Date: Mon, 27 Mar 2023 22:45:02 +0200 Subject: bgp: T5114: support configuring TCP keepalive messages --- data/templates/frr/bgpd.frr.j2 | 3 ++ .../include/bgp/protocol-common-config.xml.i | 43 ++++++++++++++++++++++ smoketest/scripts/cli/test_protocols_bgp.py | 7 ++++ src/conf_mode/protocols_bgp.py | 5 +++ 4 files changed, 58 insertions(+) diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 346eb3996..b749be93f 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -553,6 +553,9 @@ bgp route-reflector allow-outbound-policy {% if parameters.suppress_fib_pending is vyos_defined %} bgp suppress-fib-pending {% endif %} +{% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %} + bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }} +{% endif %} {% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %} timers bgp {{ timers.keepalive }} {{ timers.holdtime }} {% endif %} diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 2bf2fdfc3..089c36ef3 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1481,6 +1481,49 @@ #include + + + TCP keepalive parameters + + + + + TCP keepalive idle time + + u32:1-65535 + Idle time in seconds + + + + + + + + + TCP keepalive interval + + u32:1-65535 + Interval in seconds + + + + + + + + + TCP keepalive maximum probes + + u32:1-30 + Maximum probes + + + + + + + + diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py index c366b4e89..f6eede87a 100755 --- a/smoketest/scripts/cli/test_protocols_bgp.py 
+++ b/smoketest/scripts/cli/test_protocols_bgp.py @@ -297,6 +297,9 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): max_path_v6ibgp = '16' cond_adv_timer = '30' min_hold_time = '2' + tcp_keepalive_idle = '66' + tcp_keepalive_interval = '77' + tcp_keepalive_probes = '22' self.cli_set(base_path + ['parameters', 'router-id', router_id]) self.cli_set(base_path + ['parameters', 'log-neighbor-changes']) @@ -327,6 +330,9 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['parameters', 'route-reflector-allow-outbound-policy']) self.cli_set(base_path + ['parameters', 'shutdown']) self.cli_set(base_path + ['parameters', 'suppress-fib-pending']) + self.cli_set(base_path + ['parameters', 'tcp-keepalive', 'idle', tcp_keepalive_idle]) + self.cli_set(base_path + ['parameters', 'tcp-keepalive', 'interval', tcp_keepalive_interval]) + self.cli_set(base_path + ['parameters', 'tcp-keepalive', 'probes', tcp_keepalive_probes]) # AFI maximum path support self.cli_set(base_path + ['address-family', 'ipv4-unicast', 'maximum-paths', 'ebgp', max_path_v4]) @@ -356,6 +362,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.assertIn(f' bgp route-reflector allow-outbound-policy', frrconfig) self.assertIn(f' bgp shutdown', frrconfig) self.assertIn(f' bgp suppress-fib-pending', frrconfig) + self.assertIn(f' bgp tcp-keepalive {tcp_keepalive_idle} {tcp_keepalive_interval} {tcp_keepalive_probes}', frrconfig) self.assertNotIn(f'bgp ebgp-requires-policy', frrconfig) self.assertIn(f' no bgp suppress-duplicates', frrconfig) diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index 4f05957fa..cf553f0e8 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py 
@@ -412,6 +412,11 @@ def verify(bgp): raise ConfigError('Missing mandatory configuration option for '\ f'global administrative distance {key}!') + # TCP keepalive requires all three parameters to be set + if dict_search('parameters.tcp_keepalive', bgp) != None: + if not {'idle', 'interval', 'probes'} <= set(bgp['parameters']['tcp_keepalive']): + raise ConfigError('TCP keepalive incomplete - idle, keepalive and probes must be set') + # Address Family specific validation if 'address_family' in bgp: for afi, afi_config in bgp['address_family'].items(): -- cgit v1.2.3 From 2bb5c5d0fd9ed07649b81a61e9c1a78a9f222405 Mon Sep 17 00:00:00 2001 From: Indrajit Raychaudhuri Date: Mon, 27 Mar 2023 03:56:13 -0500 Subject: dns: T5115: Support custom port for name servers for forwarding zones. This would allow using custom ports in name server operating on non- default port for forwarding zones. This is a follow-up to T5113 for sake of completeness and having consistent treatment of all name servers configured in PowerDNS recursor. Additionally, migrate `service dns forwarding domain example.com server` to `service dns forwarding domain foo3.com name-server` for consistency and reusability. --- .../dns-forwarding/recursor.forward-zones.conf.j2 | 3 +- interface-definitions/dns-forwarding.xml.in | 19 +-------- .../include/name-server-ipv4-ipv6-port.xml.i | 2 +- .../scripts/cli/test_service_dns_forwarding.py | 13 ++++-- src/conf_mode/dns_forwarding.py | 25 +++++++++-- src/migration-scripts/dns-forwarding/3-to-4 | 49 ++++++++++++++++++++++ src/services/vyos-hostsd | 2 +- 7 files changed, 83 insertions(+), 30 deletions(-) create mode 100755 src/migration-scripts/dns-forwarding/3-to-4 diff --git a/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 index de3269e47..593a98c24 100644 --- a/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 +++ b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 
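Review bot: The error message names `keepalive`, but the keys the check requires are `idle`, `interval` and `probes`, so an operator who omits `interval` is told to set a node that does not exist; change it to `raise ConfigError('TCP keepalive incomplete - idle, interval and probes must be set')`. The guard compares with `!= None`; `is not None` is the idiomatic identity test. `verify()` starts and ends outside the hunk.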
@@ -23,7 +23,6 @@ {% if forward_zones is vyos_defined %} # zones added via 'service dns forwarding domain' {% for zone, zonedata in forward_zones.items() %} -{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.server | join(', ') }} +{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.name_server | join(', ') }} {% endfor %} {% endif %} - diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index b23eaa351..14b38b24d 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -85,24 +85,7 @@ Domain to forward to a custom DNS server - - - Domain Name Server (DNS) to forward queries to - - ipv4 - Domain Name Server (DNS) IPv4 address - - - ipv6 - Domain Name Server (DNS) IPv6 address - - - - - - - - + #include Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC) diff --git a/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i index cf86e66a2..fb0a4f4ae 100644 --- a/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i +++ b/interface-definitions/include/name-server-ipv4-ipv6-port.xml.i @@ -1,7 +1,7 @@ - Domain Name Servers (DNS) addresses + Domain Name Servers (DNS) addresses to forward queries to ipv4 Domain Name Server (DNS) IPv4 address diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py index 04dced292..88492e348 100755 --- a/smoketest/scripts/cli/test_service_dns_forwarding.py +++ b/smoketest/scripts/cli/test_service_dns_forwarding.py 
@@ -169,10 +169,13 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['listen-address', address]) domains = ['vyos.io', 'vyos.net', 'vyos.com'] - nameservers = ['192.0.2.1', '192.0.2.2'] + nameservers = {'192.0.2.1': {}, '192.0.2.2': {'port': '53'}, '2001:db8::1': {'port': '853'}} for domain in domains: - for nameserver in nameservers: - self.cli_set(base_path + ['domain', domain, 'server', nameserver]) + for h,p in nameservers.items(): + if 'port' in p: + self.cli_set(base_path + ['domain', domain, 'name-server', h, 'port', p['port']]) + else: + self.cli_set(base_path + ['domain', domain, 'name-server', h]) # Test 'recursion-desired' flag for only one domain if domain == domains[0]: @@ -192,7 +195,9 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase): if domain == domains[0]: key =f'\+{domain}' else: key =f'{domain}' tmp = get_config_value(key, file=FORWARD_FILE) - self.assertEqual(tmp, ', '.join(nameservers)) + canonical_entries = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port'] if 'port' in p else 53}")(h, p) + for (h, p) in nameservers.items()] + self.assertEqual(tmp, ', '.join(canonical_entries)) # Test 'negative trust anchor' flag for the second domain only if domain == domains[1]: diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py index 4d6b85d92..36c1098fe 100755 --- a/src/conf_mode/dns_forwarding.py +++ b/src/conf_mode/dns_forwarding.py @@ -59,6 +59,7 @@ def get_config(config=None): # T2665 due to how defaults under tag nodes work, we must clear these out before we merge del default_values['authoritative_domain'] del default_values['name_server'] + del default_values['domain']['name_server'] dns = dict_merge(default_values, dns) # T2665: we cleared default values for tag node 'name_server' above. 
@@ -68,6 +69,15 @@ def get_config(config=None): for server in dns['name_server']: dns['name_server'][server] = dict_merge(default_values, dns['name_server'][server]) + # T2665: we cleared default values for tag node 'domain' above. + # We now need to add them back back in a granular way. + if 'domain' in dns: + default_values = defaults(base + ['domain', 'name-server']) + for domain in dns['domain'].keys(): + for server in dns['domain'][domain]['name_server']: + dns['domain'][domain]['name_server'][server] = dict_merge( + default_values, dns['domain'][domain]['name_server'][server]) + # some additions to the default dictionary if 'system' in dns: base_nameservers = ['system', 'name-server'] @@ -271,7 +281,7 @@ def verify(dns): # as a domain will contains dot's which is out dictionary delimiter. if 'domain' in dns: for domain in dns['domain']: - if 'server' not in dns['domain'][domain]: + if 'name_server' not in dns['domain'][domain]: raise ConfigError(f'No server configured for domain {domain}!') if 'dns64_prefix' in dns: @@ -337,9 +347,9 @@ def apply(dns): # sources hc.delete_name_servers([hostsd_tag]) if 'name_server' in dns: - # 'name_server' is a dict of the form + # 'name_server' is of the form # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} - # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] with IPv6 hosts bracketized + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] nslist = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) for (h, p) in dns['name_server'].items()] hc.add_name_servers({hostsd_tag: nslist}) 
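Review bot: `dns['domain'][domain]['name_server']` raises `KeyError` inside `get_config()` for a domain configured without any `name-server`, so the user never reaches the clean `ConfigError('No server configured for domain ...')` that `verify()` raises for exactly that case in the following hunk; guard the loop with `if 'name_server' not in dns['domain'][domain]: continue` (or iterate `dns['domain'][domain].get('name_server', {})`). `get_config()` starts and ends outside the hunk.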
@@ -371,7 +381,14 @@ def apply(dns): # the list and keys() are required as get returns a dict, not list hc.delete_forward_zones(list(hc.get_forward_zones().keys())) if 'domain' in dns: - hc.add_forward_zones(dns['domain']) + zones = dns['domain'] + for domain in zones.keys(): + # 'name_server' is of the form + # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...} + # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...] + zones[domain]['name_server'] = [(lambda h, p: f"{bracketize_ipv6(h)}:{p['port']}")(h, p) + for (h, p) in zones[domain]['name_server'].items()] + hc.add_forward_zones(zones) # hostsd generates NTAs for the authoritative zones # the list and keys() are required as get returns a dict, not list diff --git a/src/migration-scripts/dns-forwarding/3-to-4 b/src/migration-scripts/dns-forwarding/3-to-4 new file mode 100755 index 000000000..55165c2c5 --- /dev/null +++ b/src/migration-scripts/dns-forwarding/3-to-4 
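Review bot: `zones = dns['domain']` is an alias, not a copy, so the loop replaces each zone's `name_server` dict with a list of `host:port` strings inside the `dns` config dict itself; anything later in apply() that still expects `dns['domain'][...]['name_server']` to be the per-server mapping validated by verify() will see a list instead. Build the canonical structure into a separate dict and leave `dns` untouched; the immediately-invoked lambda can also become a plain comprehension. apply() continues outside the hunk.
```python
    if 'domain' in dns:
        zones = {}
        for domain, zone in dns['domain'].items():
            # 'name_server' is of the form
            # {'192.0.2.1': {'port': 53}, '2001:db8::1': {'port': 853}, ...}
            # canonicalize them as ['192.0.2.1:53', '[2001:db8::1]:853', ...]
            # in a new dict so the config passed to apply() is not mutated
            zones[domain] = {**zone,
                             'name_server': [f"{bracketize_ipv6(h)}:{p['port']}"
                                             for h, p in zone['name_server'].items()]}
        hc.add_forward_zones(zones)
# … unchanged: NTA handling that follows …
```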
@@ -0,0 +1,49 @@ +#!/usr/bin/env python3 + +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# T5115: migrate "service dns forwarding domain example.com server" to +# "service dns forwarding domain example.com name-server" + +import sys +from vyos.configtree import ConfigTree + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +base = ['service', 'dns', 'forwarding', 'domain'] +if not config.exists(base): + # Nothing to do + sys.exit(0) + +for domain in config.list_nodes(base): + if config.exists(base + [domain, 'server']): + config.copy(base + [domain, 'server'], base + [domain, 'name-server']) + config.delete(base + [domain, 'server']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/services/vyos-hostsd b/src/services/vyos-hostsd index a380f2e66..894f9e24d 100755 --- a/src/services/vyos-hostsd +++ b/src/services/vyos-hostsd @@ -329,7 +329,7 @@ tag_regex_schema = op_type_schema.extend({ forward_zone_add_schema = op_type_schema.extend({ 'data': { str: { - 'server': [str], + 'name_server': [str], 'addnta': Any({}, None), 'recursion_desired': Any({}, None), } -- cgit v1.2.3 
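Review bot: `if (len(sys.argv) < 1):` can never be true because argv[0] is the script itself, so a run without a file argument fails with IndexError on `sys.argv[1]` instead of printing "Must specify file name!"; the check should read `if len(sys.argv) < 2:`. The copy-then-delete of `server` to `name-server` is otherwise straightforward and the `name_server` key rename in the vyos-hostsd schema hunk that follows is consistent with it.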
From 3d4e0e070e84581d4eb28cb623c019c30daf85f4 Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Tue, 28 Mar 2023 13:50:10 -0500
Subject: interfaces: T4885: fix Perl to Python rewrite of clear/reset_counters
---
 python/vyos/ifconfig/operational.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/python/vyos/ifconfig/operational.py b/python/vyos/ifconfig/operational.py
index 33e8614f0..dc2742123 100644
--- a/python/vyos/ifconfig/operational.py
+++ b/python/vyos/ifconfig/operational.py
@@ -143,15 +143,17 @@ class Operational(Control):
 except IOError:
 return no_stats
 
- def clear_counters(self, counters=None):
- clear = self._stats_all if counters is None else []
- stats = self.load_counters()
+ def clear_counters(self):
+ stats = self.get_stats()
 for counter, value in stats.items():
- stats[counter] = 0 if counter in clear else value
+ stats[counter] = value
 self.save_counters(stats)
 
 def reset_counters(self):
- os.remove(self.cachefile(self.ifname))
+ try:
+ os.remove(self.cachefile(self.ifname))
+ except FileNotFoundError:
+ pass
 
 def get_stats(self):
 """ return a dict() with the value for each interface counter """
-- 
cgit v1.2.3
From 9964b04e0aba8b8e50509faa9aef5ce079a8733b Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Tue, 28 Mar 2023 13:53:55 -0500
Subject: interfaces: T4885: add clear/reset_counters to op-mode script
---
 src/op_mode/interfaces.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/op_mode/interfaces.py b/src/op_mode/interfaces.py
index 7d04ec4e3..dd87b5901 100755
--- a/src/op_mode/interfaces.py
+++ b/src/op_mode/interfaces.py
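Review bot: The loop in the new clear_counters() is a no-op — `stats[counter] = value` writes every entry back unchanged — so the method is equivalent to `self.save_counters(self.get_stats())` and a reader cannot tell what "clear" is meant to achieve. If the intent is that saving the live counters makes later reads start from this point (get_stats and save_counters are outside the hunk, so this is inferred), drop the loop and state it in a docstring such as `"""Snapshot the live counters so subsequent reads are reported relative to now."""`. The new except clause in reset_counters would also benefit from a why-comment, e.g. `# no snapshot saved yet, nothing to reset`. The Operational class starts and ends outside this hunk.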
@@ -406,6 +406,18 @@ def show_counters(raw: bool, intf_name: typing.Optional[str],
 return data
 return _format_show_counters(data)
 
+def clear_counters(intf_name: typing.Optional[str],
+ intf_type: typing.Optional[str],
+ vif: bool, vrrp: bool):
+ for interface in filtered_interfaces(intf_name, intf_type, vif, vrrp):
+ interface.operational.clear_counters()
+
+def reset_counters(intf_name: typing.Optional[str],
+ intf_type: typing.Optional[str],
+ vif: bool, vrrp: bool):
+ for interface in filtered_interfaces(intf_name, intf_type, vif, vrrp):
+ interface.operational.reset_counters()
+
 if __name__ == '__main__':
 try:
 res = vyos.opmode.run(sys.modules[__name__])
-- 
cgit v1.2.3
From a1c9c36c917a23d4cc3d5a9bbdd92c18829679b7 Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Tue, 28 Mar 2023 13:55:08 -0500
Subject: interfaces: T4885: add op-mode-defs for clear interfaces counters
---
 op-mode-definitions/counters.xml.in | 598 ++++++++++++++++++++++++++++++++++++
 op-mode-definitions/wireless.xml.in | 40 ---
 2 files changed, 598 insertions(+), 40 deletions(-)
 create mode 100644 op-mode-definitions/counters.xml.in
 delete mode 100644 op-mode-definitions/wireless.xml.in
diff --git a/op-mode-definitions/counters.xml.in b/op-mode-definitions/counters.xml.in
new file mode 100644
index 000000000..4bf08d201
--- /dev/null
+++ b/op-mode-definitions/counters.xml.in
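Review bot: Neither clear_counters nor reset_counters carries a docstring or a return annotation, and the two bodies differ only in the Operational method they call, so a reader has to open python/vyos/ifconfig/operational.py to learn what "clear" versus "reset" means here. Add `-> None` and one-line docstrings along the lines of `"""Snapshot the current counters of the selected interfaces."""` and `"""Discard the saved counter snapshot of the selected interfaces."""`, the latter matching the cache-file removal in the companion commit above — confirm the wording against Operational's own documentation. filtered_interfaces and the __main__ block lie outside the hunk.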
@@ -0,0 +1,598 @@ + + + + + + + + + Clear interface counters for all interfaces + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters + + + + Clear Bonding interface information + + + + + Clear all bonding interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given bonding interface + + + + + + + + Clear interface counters for a given bonding interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Bridge interface information + + + + + Clear all bridge interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given bridge interface + + + + + + + + Clear interface counters for a given bridge interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Dummy interface information + + + + + Clear all dummy interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given dummy interface + + + + + + + + Clear interface counters for a given dummy interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Ethernet interface information + + + + + Clear all ethernet interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given ethernet interface + + + + + + + + Clear interface counters for a given ethernet interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear GENEVE interface information + + + + + Clear all GENEVE interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given GENEVE interface + + + + + + + + Clear interface counters for a given GENEVE 
interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Input (ifb) interface information + + + + + Clear all Input interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given Input interface + + + + + + + + Clear interface counters for a given Input interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear L2TPv3 interface information + + + + + Clear all L2TPv3 interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given L2TPv3 interface + + + + + + + + Clear interface counters for a given L2TPv3 interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Loopback interface information + + + + + Clear all loopback interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given loopback interface + + + + + + + + Clear interface counters for a given loopback interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear MACsec interface information + + + + + Clear all MACsec interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given MACsec interface + + + + + + + + Clear interface counters for a given MACsec interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear OpenVPN interface information + + + + + Clear all OpenVPN interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given OpenVPN interface + + + + + + + + Clear interface counters for a given OpenVPN interface + + sudo 
${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear PPPoE interface information + + + + + Clear all PPPoE interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given PPPoE interface + + + + + + + + Clear interface counters for a given PPPoE interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Pseudo-Ethernet/MACvlan interface information + + + + + Clear all Pseudo-Ethernet interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given Pseudo-Ethernet interface + + + + + + + + Clear interface counters for a given Pseudo-Ethernet interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear SSTP interface information + + + + + Clear all SSTP interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given SSTP interface + + + + + + + + Clear interface counters for a given SSTP interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Tunnel interface information + + + + + Clear all tunnel interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given tunnel interface + + + + + + + + Clear interface counters for a given tunnel interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear virtual-ethernet interface information + + + + + Clear all virtual-ethernet interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given virtual-ethernet interface + + + + + + + + Clear interface counters for a given virtual-ethernet 
interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear VTI interface information + + + + + Clear all VTI interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given VTI interface + + + + + + + + Clear interface counters for a given VTI interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear VXLAN interface information + + + + + Clear all VXLAN interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given VXLAN interface + + + + + + + + Clear interface counters for a given VXLAN interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Wireguard interface information + + + + + Clear all Wireguard interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given Wireguard interface + + + + + + + + Clear interface counters for a given Wireguard interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Wireless (WLAN) interface information + + + + + Clear all wireless interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given wireless interface + + + + + + + + Clear counters for a given wireless interface + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_name "$4" + + + + + + Clear Wireless Modem (WWAN) interface information + + + + + Clear all WWAN interface counters + + sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters --intf_type "$3" + + + + + + Clear interface information for a given WWAN interface + + + + + + + + Clear counters for a given WWAN interface + + sudo ${vyos_op_scripts_dir}/interfaces.py 
clear_counters --intf_name "$4" + + + + + + + + + diff --git a/op-mode-definitions/wireless.xml.in b/op-mode-definitions/wireless.xml.in deleted file mode 100644 index 25809e0b8..000000000 --- a/op-mode-definitions/wireless.xml.in +++ /dev/null @@ -1,40 +0,0 @@ - - - - - - - - - Clear wireless interface information - - - - - Clear all wireless interface counters - - sudo ${vyos_op_scripts_dir}/show_interfaces.py --action=clear --intf-type="$3" - - - - - - Clear interface information for a given wireless interface - - - - - - - - Clear all wireless interface counters - - sudo ${vyos_op_scripts_dir}/show_interfaces.py --action=clear --intf="$4" - - - - - - - - -- cgit v1.2.3 From 4a58a27adad59f19c7d14d0b9753259baed011f4 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 28 Mar 2023 21:34:15 +0200 Subject: container: T2216: explicitly select CNI network backend As podman is going to use netavark as new default we must explicitly select the old driver until we have migrated to netavark. --- data/templates/container/containers.conf.j2 | 709 ++++++++++++++++++++++++++++ src/conf_mode/container.py | 17 +- 2 files changed, 718 insertions(+), 8 deletions(-) create mode 100644 data/templates/container/containers.conf.j2 diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2 new file mode 100644 index 000000000..9f66aed27 --- /dev/null +++ b/data/templates/container/containers.conf.j2 
@@ -0,0 +1,709 @@ +### Autogenerated by container.py ### + +# The containers configuration file specifies all of the available configuration +# command-line options/flags for container engine tools like Podman & Buildah, +# but in a TOML format that can be easily modified and versioned. + +# Please refer to containers.conf(5) for details of all configuration options. +# Not all container engines implement all of the options. +# All of the options have hard coded defaults and these options will override +# the built in defaults. Users can then override these options via the command +# line. Container engines will read containers.conf files in up to three +# locations in the following order: +# 1. /usr/share/containers/containers.conf +# 2. /etc/containers/containers.conf +# 3. $HOME/.config/containers/containers.conf (Rootless containers ONLY) +# Items specified in the latter containers.conf, if they exist, override the +# previous containers.conf settings, or the default settings. + +[containers] + +# List of annotation. Specified as +# "key = value" +# If it is empty or commented out, no annotations will be added +# +#annotations = [] + +# Used to change the name of the default AppArmor profile of container engine. +# +#apparmor_profile = "container-default" + +# The hosts entries from the base hosts file are added to the containers hosts +# file. This must be either an absolute path or as special values "image" which +# uses the hosts file from the container image or "none" which means +# no base hosts file is used. The default is "" which will use /etc/hosts. +# +#base_hosts_file = "" + +# Default way to to create a cgroup namespace for the container +# Options are: +# `private` Create private Cgroup Namespace for the container. +# `host` Share host Cgroup Namespace with the container. +# +#cgroupns = "private" + +# Control container cgroup configuration +# Determines whether the container will create CGroups. 
+# Options are: +# `enabled` Enable cgroup support within container +# `disabled` Disable cgroup support, will inherit cgroups from parent +# `no-conmon` Do not create a cgroup dedicated to conmon. +# +#cgroups = "enabled" + +# List of default capabilities for containers. If it is empty or commented out, +# the default capabilities defined in the container engine will be added. +# +default_capabilities = [ + "CHOWN", + "DAC_OVERRIDE", + "FOWNER", + "FSETID", + "KILL", + "NET_BIND_SERVICE", + "SETFCAP", + "SETGID", + "SETPCAP", + "SETUID", + "SYS_CHROOT" +] + +# A list of sysctls to be set in containers by default, +# specified as "name=value", +# for example:"net.ipv4.ping_group_range=0 0". +# +default_sysctls = [ + "net.ipv4.ping_group_range=0 0", +] + +# A list of ulimits to be set in containers by default, specified as +# "=:", for example: +# "nofile=1024:2048" +# See setrlimit(2) for a list of resource names. +# Any limit not specified here will be inherited from the process launching the +# container engine. +# Ulimits has limits for non privileged container engines. +# +#default_ulimits = [ +# "nofile=1280:2560", +#] + +# List of devices. Specified as +# "::", for example: +# "/dev/sdc:/dev/xvdc:rwm". +# If it is empty or commented out, only the default devices will be used +# +#devices = [] + +# List of default DNS options to be added to /etc/resolv.conf inside of the container. +# +#dns_options = [] + +# List of default DNS search domains to be added to /etc/resolv.conf inside of the container. +# +#dns_searches = [] + +# Set default DNS servers. +# This option can be used to override the DNS configuration passed to the +# container. The special value "none" can be specified to disable creation of +# /etc/resolv.conf in the container. +# The /etc/resolv.conf file in the image will be used without changes. 
+# +#dns_servers = [] + +# Environment variable list for the conmon process; used for passing necessary +# environment variables to conmon or the runtime. +# +#env = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +# "TERM=xterm", +#] + +# Pass all host environment variables into the container. +# +#env_host = false + +# Set the ip for the host.containers.internal entry in the containers /etc/hosts +# file. This can be set to "none" to disable adding this entry. By default it +# will automatically choose the host ip. +# +# NOTE: When using podman machine this entry will never be added to the containers +# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore +# it is not possible to disable the entry in this case. +# +#host_containers_internal_ip = "" + +# Default proxy environment variables passed into the container. +# The environment variables passed in include: +# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of +# these. This option is needed when host system uses a proxy but container +# should not use proxy. Proxy environment variables specified for the container +# in any other way will override the values passed from the host. +# +#http_proxy = true + +# Run an init inside the container that forwards signals and reaps processes. +# +#init = false + +# Container init binary, if init=true, this is the init binary to be used for containers. +# +#init_path = "/usr/libexec/podman/catatonit" + +# Default way to to create an IPC namespace (POSIX SysV IPC) for the container +# Options are: +# "host" Share host IPC Namespace with the container. +# "none" Create shareable IPC Namespace for the container without a private /dev/shm. +# "private" Create private IPC Namespace for the container, other containers are not allowed to share it. +# "shareable" Create shareable IPC Namespace for the container. 
+# +#ipcns = "shareable" + +# keyring tells the container engine whether to create +# a kernel keyring for use within the container. +# +#keyring = true + +# label tells the container engine whether to use container separation using +# MAC(SELinux) labeling or not. +# The label flag is ignored on label disabled systems. +# +#label = true + +# Logging driver for the container. Available options: k8s-file and journald. +# +#log_driver = "k8s-file" + +# Maximum size allowed for the container log file. Negative numbers indicate +# that no size limit is imposed. If positive, it must be >= 8192 to match or +# exceed conmon's read buffer. The file is truncated and re-opened so the +# limit is never exceeded. +# +#log_size_max = -1 + +# Specifies default format tag for container log messages. +# This is useful for creating a specific tag for container log messages. +# Containers logs default to truncated container ID as a tag. +# +#log_tag = "" + +# Default way to to create a Network namespace for the container +# Options are: +# `private` Create private Network Namespace for the container. +# `host` Share host Network Namespace with the container. +# `none` Containers do not use the network +# +#netns = "private" + +# Create /etc/hosts for the container. By default, container engine manage +# /etc/hosts, automatically adding the container's own IP address. +# +#no_hosts = false + +# Default way to to create a PID namespace for the container +# Options are: +# `private` Create private PID Namespace for the container. +# `host` Share host PID Namespace with the container. +# +#pidns = "private" + +# Maximum number of processes allowed in a container. +# +#pids_limit = 2048 + +# Copy the content from the underlying image into the newly created volume +# when the container is created instead of when it is started. If false, +# the container engine will not copy the content until the container is started. +# Setting it to true may have negative performance implications. 
+# +#prepare_volume_on_create = false + +# Path to the seccomp.json profile which is used as the default seccomp profile +# for the runtime. +# +#seccomp_profile = "/usr/share/containers/seccomp.json" + +# Size of /dev/shm. Specified as . +# Unit is optional, values: +# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). +# If the unit is omitted, the system uses bytes. +# +#shm_size = "65536k" + +# Set timezone in container. Takes IANA timezones as well as "local", +# which sets the timezone in the container to match the host machine. +# +#tz = "" + +# Set umask inside the container +# +#umask = "0022" + +# Default way to to create a User namespace for the container +# Options are: +# `auto` Create unique User Namespace for the container. +# `host` Share host User Namespace with the container. +# +#userns = "host" + +# Number of UIDs to allocate for the automatic container creation. +# UIDs are allocated from the "container" UIDs listed in +# /etc/subuid & /etc/subgid +# +#userns_size = 65536 + +# Default way to to create a UTS namespace for the container +# Options are: +# `private` Create private UTS Namespace for the container. +# `host` Share host UTS Namespace with the container. +# +#utsns = "private" + +# List of volumes. Specified as +# "::", for example: +# "/db:/var/lib/db:ro". +# If it is empty or commented out, no volumes will be added +# +#volumes = [] + +[secrets] +#driver = "file" + +[secrets.opts] +#root = "/example/directory" + +[network] + +# Network backend determines what network driver will be used to set up and tear down container networks. +# Valid values are "cni" and "netavark". +# The default value is empty which means that it will automatically choose CNI or netavark. If there are +# already containers/images or CNI networks preset it will choose CNI. +# +# Before changing this value all containers must be stopped otherwise it is likely that +# iptables rules and network interfaces might leak on the host. A reboot will fix this. 
+# +network_backend = "cni" + +# Path to directory where CNI plugin binaries are located. +# +#cni_plugin_dirs = [ +# "/usr/local/libexec/cni", +# "/usr/libexec/cni", +# "/usr/local/lib/cni", +# "/usr/lib/cni", +# "/opt/cni/bin", +#] + +# The network name of the default network to attach pods to. +# +#default_network = "podman" + +# The default subnet for the default network given in default_network. +# If a network with that name does not exist, a new network using that name and +# this subnet will be created. +# Must be a valid IPv4 CIDR prefix. +# +#default_subnet = "10.88.0.0/16" + +# DefaultSubnetPools is a list of subnets and size which are used to +# allocate subnets automatically for podman network create. +# It will iterate through the list and will pick the first free subnet +# with the given size. This is only used for ipv4 subnets, ipv6 subnets +# are always assigned randomly. +# +#default_subnet_pools = [ +# {"base" = "10.89.0.0/16", "size" = 24}, +# {"base" = "10.90.0.0/15", "size" = 24}, +# {"base" = "10.92.0.0/14", "size" = 24}, +# {"base" = "10.96.0.0/11", "size" = 24}, +# {"base" = "10.128.0.0/9", "size" = 24}, +#] + +# Path to the directory where network configuration files are located. +# For the CNI backend the default is "/etc/cni/net.d" as root +# and "$HOME/.config/cni/net.d" as rootless. +# For the netavark backend "/etc/containers/networks" is used as root +# and "$graphroot/networks" as rootless. +# +#network_config_dir = "/etc/cni/net.d/" + +# Port to use for dns forwarding daemon with netavark in rootful bridge +# mode and dns enabled. +# Using an alternate port might be useful if other dns services should +# run on the machine. +# +#dns_bind_port = 53 + +[engine] +# Index to the active service +# +#active_service = production + +# The compression format to use when pushing an image. +# Valid options are: `gzip`, `zstd` and `zstd:chunked`. +# +#compression_format = "gzip" + + +# Cgroup management implementation used for the runtime. 
+# Valid options "systemd" or "cgroupfs" +# +#cgroup_manager = "systemd" + +# Environment variables to pass into conmon +# +#conmon_env_vars = [ +# "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +#] + +# Paths to look for the conmon container manager binary +# +#conmon_path = [ +# "/usr/libexec/podman/conmon", +# "/usr/local/libexec/podman/conmon", +# "/usr/local/lib/podman/conmon", +# "/usr/bin/conmon", +# "/usr/sbin/conmon", +# "/usr/local/bin/conmon", +# "/usr/local/sbin/conmon" +#] + +# Enforces using docker.io for completing short names in Podman's compatibility +# REST API. Note that this will ignore unqualified-search-registries and +# short-name aliases defined in containers-registries.conf(5). +#compat_api_enforce_docker_hub = true + +# Specify the keys sequence used to detach a container. +# Format is a single character [a-Z] or a comma separated sequence of +# `ctrl-`, where `` is one of: +# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_` +# +#detach_keys = "ctrl-p,ctrl-q" + +# Determines whether engine will reserve ports on the host when they are +# forwarded to containers. When enabled, when ports are forwarded to containers, +# ports are held open by as long as the container is running, ensuring that +# they cannot be reused by other programs on the host. However, this can cause +# significant memory usage if a container has many ports forwarded to it. +# Disabling this can save memory. +# +#enable_port_reservation = true + +# Environment variables to be used when running the container engine (e.g., Podman, Buildah). +# For example "http_proxy=internal.proxy.company.com". +# Note these environment variables will not be used within the container. +# Set the env section under [containers] table, if you want to set environment variables for the container. +# +#env = [] + +# Define where event logs will be stored, when events_logger is "file". +#events_logfile_path="" + +# Sets the maximum size for events_logfile_path. 
+# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes). +# The format for the size is ``, e.g., `1b` or `3g`. +# If no unit is included then the size will be read in bytes. +# When the limit is exceeded, the logfile will be rotated and the old one will be deleted. +# If the maximum size is set to 0, then no limit will be applied, +# and the logfile will not be rotated. +#events_logfile_max_size = "1m" + +# Selects which logging mechanism to use for container engine events. +# Valid values are `journald`, `file` and `none`. +# +#events_logger = "journald" + +# A is a list of directories which are used to search for helper binaries. +# +#helper_binaries_dir = [ +# "/usr/local/libexec/podman", +# "/usr/local/lib/podman", +# "/usr/libexec/podman", +# "/usr/lib/podman", +#] + +# Path to OCI hooks directories for automatically executed hooks. +# +#hooks_dir = [ +# "/usr/share/containers/oci/hooks.d", +#] + +# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building +# container images. By default image pulled and pushed match the format of the +# source image. Building/committing defaults to OCI. +# +#image_default_format = "" + +# Default transport method for pulling and pushing for images +# +#image_default_transport = "docker://" + +# Maximum number of image layers to be copied (pulled/pushed) simultaneously. +# Not setting this field, or setting it to zero, will fall back to containers/image defaults. +# +#image_parallel_copies = 0 + +# Tells container engines how to handle the builtin image volumes. +# * bind: An anonymous named volume will be created and mounted +# into the container. +# * tmpfs: The volume is mounted onto the container as a tmpfs, +# which allows users to create content that disappears when +# the container is stopped. +# * ignore: All volumes are just ignored and no action is taken. 
+# +#image_volume_mode = "" + +# Default command to run the infra container +# +#infra_command = "/pause" + +# Infra (pause) container image name for pod infra containers. When running a +# pod, we start a `pause` process in a container to hold open the namespaces +# associated with the pod. This container does nothing other then sleep, +# reserving the pods resources for the lifetime of the pod. By default container +# engines run a builtin container using the pause executable. If you want override +# specify an image to pull. +# +#infra_image = "" + +# Specify the locking mechanism to use; valid values are "shm" and "file". +# Change the default only if you are sure of what you are doing, in general +# "file" is useful only on platforms where cgo is not available for using the +# faster "shm" lock type. You may need to run "podman system renumber" after +# you change the lock type. +# +#lock_type** = "shm" + +# MultiImageArchive - if true, the container engine allows for storing archives +# (e.g., of the docker-archive transport) with multiple images. By default, +# Podman creates single-image archives. +# +#multi_image_archive = "false" + +# Default engine namespace +# If engine is joined to a namespace, it will see only containers and pods +# that were created in the same namespace, and will create new containers and +# pods in that namespace. +# The default namespace is "", which corresponds to no namespace. When no +# namespace is set, all containers and pods are visible. +# +#namespace = "" + +# Path to the slirp4netns binary +# +#network_cmd_path = "" + +# Default options to pass to the slirp4netns binary. +# Valid options values are: +# +# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`). +# Default is false. +# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`). +# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`). 
+# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`). +# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only). +# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to. +# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only). +# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to. +# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default. +# Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container +# network namespace, usually `10.0.2.100`. If your application requires the real source IP address, +# e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for +# rootless containers when connected to user-defined networks. +# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but +# preserves the correct source IP address. This port handler cannot be used for user-defined networks. +# +#network_cmd_options = [] + +# Whether to use chroot instead of pivot_root in the runtime +# +#no_pivot_root = false + +# Number of locks available for containers and pods. +# If this is changed, a lock renumber must be performed (e.g. with the +# 'podman system renumber' command). +# +#num_locks = 2048 + +# Set the exit policy of the pod when the last container exits. +#pod_exit_policy = "continue" + +# Whether to pull new image before running a container +# +#pull_policy = "missing" + +# Indicates whether the application should be running in remote mode. This flag modifies the +# --remote option on container engines. Setting the flag to true will default +# `podman --remote=true` for access to the remote Podman service. +# +#remote = false + +# Default OCI runtime +# +#runtime = "crun" + +# List of the OCI runtimes that support --format=json. 
When json is supported +# engine will use it for reporting nicer errors. +# +#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"] + +# List of the OCI runtimes that supports running containers with KVM Separation. +# +#runtime_supports_kvm = ["kata", "krun"] + +# List of the OCI runtimes that supports running containers without cgroups. +# +#runtime_supports_nocgroups = ["crun", "krun"] + +# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment +# variable. If you specify "storage", then the location of the +# container/storage tmp directory will be used. +# image_copy_tmp_dir="/var/tmp" + +# Number of seconds to wait without a connection +# before the `podman system service` times out and exits +# +#service_timeout = 5 + +# Directory for persistent engine files (database, etc) +# By default, this will be configured relative to where the containers/storage +# stores containers +# Uncomment to change location from this default +# +#static_dir = "/var/lib/containers/storage/libpod" + +# Number of seconds to wait for container to exit before sending kill signal. +# +#stop_timeout = 10 + +# Number of seconds to wait before exit command in API process is given to. +# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds). +# +#exit_command_delay = 300 + +# map of service destinations +# +#[service_destinations] +# [service_destinations.production] +# URI to access the Podman service +# Examples: +# rootless "unix://run/user/$UID/podman/podman.sock" (Default) +# rootful "unix://run/podman/podman.sock (Default) +# remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock +# remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock +# +# uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock" +# Path to file containing ssh identity key +# identity = "~/.ssh/id_rsa" + +# Directory for temporary files. 
Must be tmpfs (wiped after reboot) +# +#tmp_dir = "/run/libpod" + +# Directory for libpod named volumes. +# By default, this will be configured relative to where containers/storage +# stores containers. +# Uncomment to change location from this default. +# +#volume_path = "/var/lib/containers/storage/volumes" + +# Default timeout (in seconds) for volume plugin operations. +# Plugins are external programs accessed via a REST API; this sets a timeout +# for requests to that API. +# A value of 0 is treated as no timeout. +#volume_plugin_timeout = 5 + +# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc) +[engine.runtimes] +#crun = [ +# "/usr/bin/crun", +# "/usr/sbin/crun", +# "/usr/local/bin/crun", +# "/usr/local/sbin/crun", +# "/sbin/crun", +# "/bin/crun", +# "/run/current-system/sw/bin/crun", +#] + +#kata = [ +# "/usr/bin/kata-runtime", +# "/usr/sbin/kata-runtime", +# "/usr/local/bin/kata-runtime", +# "/usr/local/sbin/kata-runtime", +# "/sbin/kata-runtime", +# "/bin/kata-runtime", +# "/usr/bin/kata-qemu", +# "/usr/bin/kata-fc", +#] + +#runc = [ +# "/usr/bin/runc", +# "/usr/sbin/runc", +# "/usr/local/bin/runc", +# "/usr/local/sbin/runc", +# "/sbin/runc", +# "/bin/runc", +# "/usr/lib/cri-o-runc/sbin/runc", +#] + +#runsc = [ +# "/usr/bin/runsc", +# "/usr/sbin/runsc", +# "/usr/local/bin/runsc", +# "/usr/local/sbin/runsc", +# "/bin/runsc", +# "/sbin/runsc", +# "/run/current-system/sw/bin/runsc", +#] + +#krun = [ +# "/usr/bin/krun", +# "/usr/local/bin/krun", +#] + +[engine.volume_plugins] +#testplugin = "/run/podman/plugins/test.sock" + +[machine] +# Number of CPU's a machine is created with. +# +#cpus=1 + +# The size of the disk in GB created when init-ing a podman-machine VM. +# +#disk_size=10 + +# Default image URI when creating a new VM using `podman machine init`. +# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major +# version of the OS (e.g `36`) for Fedora 36. 
For all platforms you can +# alternatively specify a custom download URL to an image. Container engines +# translate URIs $OS and $ARCH to the native OS and ARCH. URI +# "https://example.com/$OS/$ARCH/foobar.ami" becomes +# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine. +# The default value is `testing`. +# +# image = "testing" + +# Memory in MB a machine is created with. +# +#memory=2048 + +# The username to use and create on the podman machine OS for rootless +# container access. +# +#user = "core" + +# Host directories to be mounted as volumes into the VM by default. +# Environment variables like $HOME as well as complete paths are supported for +# the source and destination. An optional third field `:ro` can be used to +# tell the container engines to mount the volume readonly. +# +# volumes = [ +# "$HOME:$HOME", +#] + +# The [machine] table MUST be the last entry in this file. +# (Unless another table is added) +# TOML does not provide a way to end a table other than a further table being +# defined, so every key hereafter will be part of [machine] and not the +# main config. diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 68070ea5b..44c9b74da 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -38,8 +38,9 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -config_containers_registry = '/etc/containers/registries.conf' -config_containers_storage = '/etc/containers/storage.conf' +config_containers = '/etc/containers/containers.conf' +config_registry = '/etc/containers/registries.conf' +config_storage = '/etc/containers/storage.conf' systemd_unit_path = '/run/systemd/system' def _cmd(command): 
@@ -335,10 +336,9 @@ def generate_run_arguments(name, container_config): def generate(container): # bail out early - looks like removal from running config if not container: - if os.path.exists(config_containers_registry): - os.unlink(config_containers_registry) - if os.path.exists(config_containers_storage): - os.unlink(config_containers_storage) + for file in [config_containers, config_registry, config_storage]: + if os.path.exists(file): + os.unlink(file) return None if 'network' in container: @@ -390,8 +390,9 @@ def generate(container): if rc != 0: raise ConfigError(out) - render(config_containers_registry, 'container/registries.conf.j2', container) - render(config_containers_storage, 'container/storage.conf.j2', container) + render(config_containers, 'container/containers.conf.j2', container) + render(config_registry, 'container/registries.conf.j2', container) + render(config_storage, 'container/storage.conf.j2', container) if 'name' in container: for name, container_config in container['name'].items(): -- cgit v1.2.3 From 52e51ffbb84996aee9d5b94eebf64589ead31225 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 28 Mar 2023 21:53:07 +0200 Subject: container: T5047: restart only containers that changed By default VyOS used to restart all containers it managed. This makes no sense as it will be service disrupting. Instead only restart the containers that had changes on the CLI beeing made. --- src/conf_mode/container.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 44c9b74da..bf83416b2 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py 
@@ -24,8 +24,10 @@ from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed +from vyos.configdict import is_node_changed from vyos.util import call from vyos.util import cmd +from vyos.util import dict_search from vyos.util import run from vyos.util import rc_cmd from vyos.util import write_file @@ -84,6 +86,15 @@ def get_config(config=None): for name in container['name']: container['name'][name] = dict_merge(default_values, container['name'][name]) + # T5047: Any container related configuration changed? We only + # wan't to restart the required containers and not all of them ... + tmp = is_node_changed(conf, base + ['name', name]) + if tmp: + if 'container_restart' not in container: + container['container_restart'] = [name] + else: + container['container_restart'].append(name) + # XXX: T2665: we can not safely rely on the defaults() when there are # tagNodes in place, it is better to blend in the defaults manually. if 'port' in container['name'][name]: @@ -448,7 +459,8 @@ def apply(container): os.unlink(file_path) continue - cmd(f'systemctl restart vyos-container-{name}.service') + if name in dict_search('container_restart', container): + cmd(f'systemctl restart vyos-container-{name}.service') if disabled_new: call('systemctl daemon-reload') -- cgit v1.2.3 From b9ab6ab5987edf34fb79d5f0fafee381103f69d7 Mon Sep 17 00:00:00 2001 From: Indrajit Raychaudhuri Date: Tue, 28 Mar 2023 17:48:37 -0500 Subject: ntp: T5118: Remove vestigial ntp completion script This isn't used anymore after migration from ntpd to chrony as part of T3008. --- src/completion/list_ntp_servers.sh | 4 ---- 1 file changed, 4 deletions(-) delete mode 100755 src/completion/list_ntp_servers.sh diff --git a/src/completion/list_ntp_servers.sh b/src/completion/list_ntp_servers.sh deleted file mode 100755 index d0977fbd6..000000000 --- a/src/completion/list_ntp_servers.sh +++ /dev/null 
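Review bot: In apply(), `if name in dict_search('container_restart', container):` raises TypeError whenever no container was changed, because the `container_restart` key is only created in get_config when is_node_changed() fires and dict_search() returns None for a missing key, so a commit that touches only global container settings would crash in apply. The membership test needs a fallback, `if name in (dict_search('container_restart', container) or []):`. The list-building in the get_config hunk can be `container.setdefault('container_restart', []).append(name)`, and the comment there should read "want" rather than "wan't". Both get_config and apply start outside their hunks.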
@@ -1,4 +0,0 @@ -#!/bin/bash - -# Completion script used to select specific NTP server -/bin/cli-shell-api -- listEffectiveNodes system ntp server | sed "s/'//g" -- cgit v1.2.3 From 4a44d8bbd328b99582d8079fd086a7239bfc2121 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 29 Mar 2023 07:56:36 +0200 Subject: frr: T5045: remove LimitNOFILESoft Commit cb872efb ("frr: T5045: lift LimitNOFILE 1024 -> 4096") added both LimitNOFILE and LimitNOFILESoft parameters for FRR, as "systemctl cat frr.service" showed both versions. During daemon startup systemd complains: Unknown key name 'LimitNOFILESoft' in section 'Service', ignoring. So the key got removed again. --- src/etc/systemd/system/frr.service.d/override.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/src/etc/systemd/system/frr.service.d/override.conf b/src/etc/systemd/system/frr.service.d/override.conf index 2e2f67f70..2e4b6e295 100644 --- a/src/etc/systemd/system/frr.service.d/override.conf +++ b/src/etc/systemd/system/frr.service.d/override.conf @@ -4,7 +4,6 @@ Before=vyos-router.service [Service] LimitNOFILE=4096 -LimitNOFILESoft=4096 ExecStartPre=/bin/bash -c 'mkdir -p /run/frr/config; \ echo "log syslog" > /run/frr/config/frr.conf; \ echo "log facility local7" >> /run/frr/config/frr.conf; \ -- cgit v1.2.3 From b1d3193d2bb1ae8cd214a0dd6eabd1d732446407 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 29 Mar 2023 10:35:47 +0200 Subject: T5115: bump version dns-forwarding 3 -> 4 --- interface-definitions/include/version/dns-forwarding-version.xml.i | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interface-definitions/include/version/dns-forwarding-version.xml.i b/interface-definitions/include/version/dns-forwarding-version.xml.i index fe817940a..86121ae5a 100644 --- a/interface-definitions/include/version/dns-forwarding-version.xml.i +++ b/interface-definitions/include/version/dns-forwarding-version.xml.i @@ -1,3 +1,3 @@ - + -- cgit v1.2.3 
From 116b9395523ea4285a593afad2b746a63e6c1b74 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Wed, 29 Mar 2023 08:37:13 +0000 Subject: T5110: Fix op-mode FRR vtysh_pam account validation With FRR 8.5 there is exists file /etc/pam.d/frr With this file by default we have cosmtetic error for any op-mode command $ show ip bgp vtysh_pam: Failed in account validation: Success(0)No BGP prefixes displayed, 0 exist Fix it --- debian/vyos-1x.postinst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index f6693c799..ddc189508 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -115,5 +115,12 @@ done sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog +# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110 +if test -f /etc/pam.d/frr; then + if grep -q 'pam_rootok.so' /etc/pam.d/frr; then + sed -i -re 's/rootok/permit/' /etc/pam.d/frr + fi +fi + # Generate API GraphQL schema /usr/libexec/vyos/services/api/graphql/generate/generate_schema.py -- cgit v1.2.3 From c57494027bd3b5865634c62ccd97f44e1d75c546 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Wed, 29 Mar 2023 09:27:16 -0500 Subject: configtree: T5089: sorting of nodes is now implemented on parsing config --- src/tests/test_config_parser.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tests/test_config_parser.py b/src/tests/test_config_parser.py index 6e0a071f8..8148aa79b 100644 --- a/src/tests/test_config_parser.py +++ b/src/tests/test_config_parser.py 
@@ -34,8 +34,8 @@ class TestConfigParser(TestCase): def test_top_level_tag(self): self.assertTrue(self.config.exists(["top-level-tag-node"])) - # No sorting is intentional, child order must be preserved - self.assertEqual(self.config.list_nodes(["top-level-tag-node"]), ["foo", "bar"]) + # Sorting is now intentional, during parsing of config + self.assertEqual(self.config.list_nodes(["top-level-tag-node"]), ["bar", "foo"]) def test_copy(self): self.config.copy(["top-level-tag-node", "bar"], ["top-level-tag-node", "baz"]) -- cgit v1.2.3 From e5758160c8a25523df9c8cde9baf958466bf1881 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Sun, 19 Mar 2023 20:05:51 -0500 Subject: configdiff: T5089: add union of configtrees for unit test --- python/vyos/configtree.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/python/vyos/configtree.py b/python/vyos/configtree.py index c0b3ebd78..078a8ad0a 100644 --- a/python/vyos/configtree.py +++ b/python/vyos/configtree.py @@ -352,6 +352,27 @@ def show_diff(left, right, path=[], commands=False, libpath=LIBPATH): return res +def union(left, right, libpath=LIBPATH): + if left is None: + left = ConfigTree(config_string='\n') + if right is None: + right = ConfigTree(config_string='\n') + if not (isinstance(left, ConfigTree) and isinstance(right, ConfigTree)): + raise TypeError("Arguments must be instances of ConfigTree") + + __lib = cdll.LoadLibrary(libpath) + __tree_union = __lib.tree_union + __tree_union.argtypes = [c_void_p, c_void_p] + __tree_union.restype = c_void_p + __get_error = __lib.get_error + __get_error.argtypes = [] + __get_error.restype = c_char_p + + res = __tree_union( left._get_config(), right._get_config()) + tree = ConfigTree(address=res) + + return tree + class DiffTree: def __init__(self, left, right, path=[], libpath=LIBPATH): if left is None: -- cgit v1.2.3 From da43c4cbd495ce85f491c304de43e65ee1f39f08 Mon Sep 17 00:00:00 2001 
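Review bot: union() configures `__get_error` but never calls it and never checks `res`, so a failing tree_union would hand back a ConfigTree wrapping an invalid address instead of raising. Assuming tree_union returns NULL on failure and get_error carries the message (the convention the rest of the module appears to use, not visible here), add after the call `if res is None: raise ValueError(__get_error().decode())`. The function also lacks a docstring; `"""Return a new ConfigTree that is the union of left and right; None stands for an empty tree."""` covers what the code does. The test_config_parser hunk on this line only updates an expectation.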
From: John Estabrook Date: Sun, 19 Mar 2023 20:06:57 -0500 Subject: configdiff: T5089: add optional arg ordered_values for unit tests --- python/vyos/configtree.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python/vyos/configtree.py b/python/vyos/configtree.py index 078a8ad0a..9308bdde4 100644 --- a/python/vyos/configtree.py +++ b/python/vyos/configtree.py @@ -60,7 +60,7 @@ class ConfigTree(object): self.__get_error.restype = c_char_p self.__to_string = self.__lib.to_string - self.__to_string.argtypes = [c_void_p] + self.__to_string.argtypes = [c_void_p, c_bool] self.__to_string.restype = c_char_p self.__to_commands = self.__lib.to_commands @@ -160,8 +160,8 @@ class ConfigTree(object): def _get_config(self): return self.__config - def to_string(self): - config_string = self.__to_string(self.__config).decode() + def to_string(self, ordered_values=False): + config_string = self.__to_string(self.__config, ordered_values).decode() config_string = "{0}\n{1}".format(config_string, self.__version) return config_string -- cgit v1.2.3 From dccc689e0e666787834f45e6ab6bd972fddabf95 Mon Sep 17 00:00:00 2001 From: John Estabrook Date: Mon, 20 Mar 2023 11:50:14 -0500 Subject: configdiff: T5089: add unit test --- src/tests/test_config_diff.py | 70 +++++++++++++++++++++++++++++++++++++++++++ tests/data/config.left | 36 ++++++++++++++++++++++ tests/data/config.right | 25 ++++++++++++++++ 3 files changed, 131 insertions(+) create mode 100644 src/tests/test_config_diff.py create mode 100644 tests/data/config.left create mode 100644 tests/data/config.right diff --git a/src/tests/test_config_diff.py b/src/tests/test_config_diff.py new file mode 100644 index 000000000..f61cbc4a2 --- /dev/null +++ b/src/tests/test_config_diff.py 
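Review bot: to_string() gains `ordered_values` without a docstring saying what ordering the flag selects, and the later test_config_diff relies on `ordered_values=True` to compare union() output against the parsed originals; add a one-line docstring naming the ordering the C side applies when the flag is set. The new argtypes `[c_void_p, c_bool]` require `c_bool` in the module's ctypes import, which is outside the hunk; if it is not already imported the constructor fails with NameError on the first instance.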
@@ -0,0 +1,70 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import vyos.configtree + +from unittest import TestCase + +class TestConfigDiff(TestCase): + def setUp(self): + with open('tests/data/config.left', 'r') as f: + config_string = f.read() + self.config_left = vyos.configtree.ConfigTree(config_string) + + with open('tests/data/config.right', 'r') as f: + config_string = f.read() + self.config_right = vyos.configtree.ConfigTree(config_string) + + self.config_null = vyos.configtree.ConfigTree('') + + def test_unit(self): + diff = vyos.configtree.DiffTree(self.config_left, self.config_null) + sub = diff.sub + self.assertEqual(sub.to_string(), self.config_left.to_string()) + + diff = vyos.configtree.DiffTree(self.config_null, self.config_left) + add = diff.add + self.assertEqual(add.to_string(), self.config_left.to_string()) + + def test_symmetry(self): + lr_diff = vyos.configtree.DiffTree(self.config_left, + self.config_right) + rl_diff = vyos.configtree.DiffTree(self.config_right, + self.config_left) + + sub = lr_diff.sub + add = rl_diff.add + self.assertEqual(sub.to_string(), add.to_string()) + add = lr_diff.add + sub = rl_diff.sub + self.assertEqual(add.to_string(), sub.to_string()) + + def test_identity(self): + lr_diff = vyos.configtree.DiffTree(self.config_left, + self.config_right) + + sub = lr_diff.sub + inter = lr_diff.inter + add = lr_diff.add + + 
r_union = vyos.configtree.union(add, inter) + l_union = vyos.configtree.union(sub, inter) + + self.assertEqual(r_union.to_string(), + self.config_right.to_string(ordered_values=True)) + self.assertEqual(l_union.to_string(), + self.config_left.to_string(ordered_values=True)) diff --git a/tests/data/config.left b/tests/data/config.left new file mode 100644 index 000000000..e57c40396 --- /dev/null +++ b/tests/data/config.left @@ -0,0 +1,36 @@ +node1 { + tag_node foo { + valueless + multi_node 'v2' + multi_node 'v1' + single 'left_val' + } + tag_node bar { + node { + single 'v0' + } + } + tag_node other { + leaf 'leaf_l' + } +} + +node3 { +} + +node2 { + sub_node_other { + single 'val' + } + sub_node { + tag_node other { + single 'val' + } + tag_node bob { + valued 'baz' + } + tag_node duff { + valued 'buz' + } + } +} diff --git a/tests/data/config.right b/tests/data/config.right new file mode 100644 index 000000000..48defeb89 --- /dev/null +++ b/tests/data/config.right @@ -0,0 +1,25 @@ +node1 { + tag_node baz { + other_node { + multi_node 'some_val' + multe_node 'other_val' + } + } + tag_node foo { + valueless + multi_node 'v3' + multi_node 'v1' + single 'right_val' + } + tag_node other { + leaf 'leaf_r' + } +} + +node2 { + sub_node { + tag_node other { + multi 'mv' + } + } +} -- cgit v1.2.3 From db0fc992c0f1e3f1ab6f099b07b933bfca07d520 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Wed, 29 Mar 2023 21:05:06 +0200 Subject: ntp: T3008: start daemon with extended privileges but then drop to _chrony --- data/templates/chrony/override.conf.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/data/templates/chrony/override.conf.j2 b/data/templates/chrony/override.conf.j2 index 0ab8f0824..b8935ae76 100644 --- a/data/templates/chrony/override.conf.j2 +++ b/data/templates/chrony/override.conf.j2 
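Review bot: setUp() opens 'tests/data/config.left' and 'tests/data/config.right' as cwd-relative paths, so the suite only runs from the repository root; `os` is imported but unused, which suggests resolving them against the test file was intended. With the file at src/tests/ and the data at tests/data (both from the diff headers), `data_dir = os.path.join(os.path.dirname(__file__), '..', '..', 'tests', 'data')` and `open(os.path.join(data_dir, 'config.left'))` removes the cwd dependency. test_unit and test_symmetry compare to_string() output without `ordered_values`, while test_identity needs it; if the flag only matters for union() output, a comment saying so would save the next reader the question.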
@@ -5,10 +5,9 @@ ConditionPathExists={{ config_file }} After=vyos-router.service [Service] -User=root EnvironmentFile= ExecStart= -ExecStart={{ vrf_command }}/usr/sbin/chronyd -F 1 -f {{ config_file }} +ExecStart=!{{ vrf_command }}/usr/sbin/chronyd -F 1 -f {{ config_file }} PIDFile= PIDFile={{ config_file | replace('.conf', '.pid') }} Restart=always -- cgit v1.2.3 From 8a75a0ea52f24b27ef0b4e50dc91e4144bcca059 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 30 Mar 2023 08:51:15 +0000 Subject: T4173: Fix smoketest for load-balancing wan Counter jump WANLOADBALANCE was deleted in the commit https://github.com/vyos/vyos-1x/commit/27ca5b9d6d699e201f88ffff41b0a651166b65eb I guess it was done to pass the smoketest even if it broke the load-balance wan feature Fix it --- smoketest/scripts/cli/test_load_balancing_wan.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/smoketest/scripts/cli/test_load_balancing_wan.py b/smoketest/scripts/cli/test_load_balancing_wan.py index 0e1806f66..8df3471f7 100755 --- a/smoketest/scripts/cli/test_load_balancing_wan.py +++ b/smoketest/scripts/cli/test_load_balancing_wan.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2022 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -177,7 +177,7 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase): nat_vyos_pre_snat_hook = """table ip nat { chain VYOS_PRE_SNAT_HOOK { type nat hook postrouting priority srcnat - 1; policy accept; - return + counter jump WANLOADBALANCE } }""" -- cgit v1.2.3 From a78982625a8a18069bd5a13744734873698fd0f9 Mon Sep 17 00:00:00 2001 
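Review bot: `ExecStart=!…` runs chronyd with full privileges regardless of any User=/Group= the base unit sets, so dropping `User=root` only changes the effective user if chronyd itself switches to _chrony after startup, as the commit message states; the option or build default that does this is not visible here. That dependency deserves a comment in the template next to the line, e.g. `# '!' keeps root for startup; chronyd itself drops to _chrony`, so a later edit to the chronyd arguments or to the base unit does not silently leave it running as root. The smoketest hunk on this line only restores an expectation.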
From: aapostoliuk Date: Thu, 30 Mar 2023 18:28:56 +0300 Subject: ipsec: T5093: Fixed 'reset vpn ipsec profile' command Fixed 'reset vpn ipsec profile' command using vici library and new op-mode style. Added ability to use 'reset vpn ipsec profile' command with 'remote-host' option. --- op-mode-definitions/vpn-ipsec.xml.in | 19 +++++++-- python/vyos/ipsec.py | 38 +++++++++++++++++ src/completion/list_ipsec_profile_tunnels.py | 48 +++++++++++++++++++++ src/op_mode/ipsec.py | 62 ++++++++++++++++++++++++++++ src/op_mode/vpn_ipsec.py | 61 ++------------------------- 5 files changed, 168 insertions(+), 60 deletions(-) create mode 100644 src/completion/list_ipsec_profile_tunnels.py diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in index 5baaec7ce..5a7e6dd63 100644 --- a/op-mode-definitions/vpn-ipsec.xml.in +++ b/op-mode-definitions/vpn-ipsec.xml.in @@ -14,7 +14,7 @@ - Reset all tunnels for given DMVPN profile + Reset a specific tunnel for given DMVPN profile vpn ipsec profile @@ -23,11 +23,24 @@ Reset a specific tunnel for given DMVPN profile + + + - sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="$8" + + + + Reset a specific tunnel for given DMVPN NBMA + + <x.x.x.x> <h:h:h:h:h:h:h:h> + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_profile_dst --profile="$5" --tunnel="$7" --nbma_dst="$9" + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_profile_all --profile="$5" --tunnel="$7" - sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="all" diff --git a/python/vyos/ipsec.py b/python/vyos/ipsec.py index cb7c39ff6..bb5611025 100644 --- a/python/vyos/ipsec.py +++ b/python/vyos/ipsec.py 
@@ -139,3 +139,41 @@ def terminate_vici_by_name(ike_name: str, child_name: str) -> None: else: raise ViciCommandError( f'Failed to terminate SA for IKE {ike_name}') + + +def vici_initiate(ike_sa_name: str, child_sa_name: str, src_addr: str, + dst_addr: str) -> bool: + """Initiate IKE SA connection with specific peer + + Args: + ike_sa_name (str): an IKE SA connection name + child_sa_name (str): a child SA profile name + src_addr (str): source address + dst_addr (str): remote address + + Returns: + bool: a result of initiation command + """ + from vici import Session as vici_session + + try: + session = vici_session() + except Exception: + raise ViciInitiateError("IPsec not initialized") + + try: + session_generator = session.initiate({ + 'ike': ike_sa_name, + 'child': child_sa_name, + 'timeout': '-1', + 'my-host': src_addr, + 'other-host': dst_addr + }) + # a dummy `for` loop is required because of requirements + # from vici. Without a full iteration on the output, the + # command to vici may not be executed completely + for _ in session_generator: + pass + return True + except Exception: + raise ViciCommandError(f'Failed to initiate SA for IKE {ike_sa_name}') \ No newline at end of file diff --git a/src/completion/list_ipsec_profile_tunnels.py b/src/completion/list_ipsec_profile_tunnels.py new file mode 100644 index 000000000..df6c52f6d --- /dev/null +++ b/src/completion/list_ipsec_profile_tunnels.py 
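Review bot: Both `except Exception:` handlers in vici_initiate re-raise without chaining, so the underlying vici error (socket missing, unknown connection name, timeout) is lost from the traceback; write `except Exception as err: raise ViciInitiateError("IPsec not initialized") from err` and likewise `raise ViciCommandError(f'Failed to initiate SA for IKE {ike_sa_name}') from err`. The `bool` return is unconditional — `return True` is reached whenever no exception was raised — so the docstring's "a result of initiation command" overstates it; either document that failure is signalled only by exception, or derive the value from the messages the generator yields. The added code also ends without a trailing newline.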
@@ -0,0 +1,48 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import sys +import argparse + +from vyos.config import Config +from vyos.util import dict_search + +def get_tunnels_from_ipsecprofile(profile): + config = Config() + base = ['vpn', 'ipsec', 'profile', profile, 'bind'] + profile_conf = config.get_config_dict(base, effective=True, key_mangling=('-', '_')) + tunnels = [] + + try: + for tunnel in (dict_search('bind.tunnel', profile_conf) or []): + tunnels.append(tunnel) + except: + pass + + return tunnels + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument("-p", "--profile", type=str, help="List tunnels per profile") + args = parser.parse_args() + + tunnels = [] + + tunnels = get_tunnels_from_ipsecprofile(args.profile) + + print(" ".join(tunnels)) + diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py index 6acde08ea..7f4fb72e5 100755 --- a/src/op_mode/ipsec.py +++ b/src/op_mode/ipsec.py @@ -13,6 +13,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . + import re import sys import typing 
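Review bot: The bare `except: pass` in get_tunnels_from_ipsecprofile swallows everything including KeyboardInterrupt, and the `or []` fallback already covers a missing node, so the try/for block reduces to `tunnels = list(dict_search('bind.tunnel', profile_conf) or [])`. `base` already ends in `bind`, so unless get_config_dict() returns the `bind` node itself the key `bind.tunnel` looks one level too deep and the completion will always be empty — worth checking against a configured profile. `os`, `sys` and the first `tunnels = []` are unused, and when `--profile` is omitted `None` ends up in the config path.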
@@ -487,6 +488,67 @@ def reset_ra(username: typing.Optional[str] = None): vyos.ipsec.terminate_vici_ikeid_list(list_sa_id) +def reset_profile_dst(profile: str, tunnel: str, nbma_dst: str): + if profile and tunnel and nbma_dst: + ike_sa_name = f'dmvpn-{profile}-{tunnel}' + try: + # Get IKE SAs + sa_list = convert_data( + vyos.ipsec.get_vici_sas_by_name(ike_sa_name, None)) + if not sa_list: + raise vyos.opmode.IncorrectValue( + f'SA(s) for profile {profile} tunnel {tunnel} not found, aborting') + sa_nbma_list = list([x for x in sa_list if + ike_sa_name in x and x[ike_sa_name][ + 'remote-host'] == nbma_dst]) + if not sa_nbma_list: + raise vyos.opmode.IncorrectValue( + f'SA(s) for profile {profile} tunnel {tunnel} remote-host {nbma_dst} not found, aborting') + # terminate IKE SAs + vyos.ipsec.terminate_vici_ikeid_list(list( + [x[ike_sa_name]['uniqueid'] for x in sa_nbma_list if + ike_sa_name in x])) + # initiate IKE SAs + for ike in sa_nbma_list: + if ike_sa_name in ike: + vyos.ipsec.vici_initiate(ike_sa_name, 'dmvpn', + ike[ike_sa_name]['local-host'], + ike[ike_sa_name]['remote-host']) + print( + f'Profile {profile} tunnel {tunnel} remote-host {nbma_dst} reset result: success') + except (vyos.ipsec.ViciInitiateError) as err: + raise vyos.opmode.UnconfiguredSubsystem(err) + except (vyos.ipsec.ViciCommandError) as err: + raise vyos.opmode.IncorrectValue(err) + + +def reset_profile_all(profile: str, tunnel: str): + if profile and tunnel: + ike_sa_name = f'dmvpn-{profile}-{tunnel}' + try: + # Get IKE SAs + sa_list: list = convert_data( + vyos.ipsec.get_vici_sas_by_name(ike_sa_name, None)) + if not sa_list: + raise vyos.opmode.IncorrectValue( + f'SA(s) for profile {profile} tunnel {tunnel} not found, aborting') + # terminate IKE SAs + vyos.ipsec.terminate_vici_by_name(ike_sa_name, None) + # initiate IKE SAs + for ike in sa_list: + if ike_sa_name in ike: + vyos.ipsec.vici_initiate(ike_sa_name, 'dmvpn', + ike[ike_sa_name]['local-host'], + ike[ike_sa_name]['remote-host']) + 
print( + f'Profile {profile} tunnel {tunnel} remote-host {ike[ike_sa_name]["remote-host"]} reset result: success') + print(f'Profile {profile} tunnel {tunnel} reset result: success') + except (vyos.ipsec.ViciInitiateError) as err: + raise vyos.opmode.UnconfiguredSubsystem(err) + except (vyos.ipsec.ViciCommandError) as err: + raise vyos.opmode.IncorrectValue(err) + + def show_sa(raw: bool): sa_data = _get_raw_data_sas() if raw: diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py index 2392cfe92..b81d1693e 100755 --- a/src/op_mode/vpn_ipsec.py +++ b/src/op_mode/vpn_ipsec.py @@ -16,12 +16,12 @@ import re import argparse -from subprocess import TimeoutExpired from vyos.util import call SWANCTL_CONF = '/etc/swanctl/swanctl.conf' + def get_peer_connections(peer, tunnel, return_all = False): search = rf'^[\s]*(peer_{peer}_(tunnel_[\d]+|vti)).*' matches = [] 
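Review bot: reset_profile_dst() and reset_profile_all() return silently when any argument is empty (`if profile and tunnel …`), so the CLI reports nothing instead of an error; add an else path raising `vyos.opmode.IncorrectValue('profile and tunnel are required')` in both functions. In both, `raise vyos.opmode.IncorrectValue(err)` and `raise vyos.opmode.UnconfiguredSubsystem(err)` should chain `from err`, and `list([x for …])` can be the plain comprehension. SAs are terminated before the re-initiate loop, so a ViciInitiateError part-way through leaves the remaining peers down without saying which; including the peer in the exception message would help operators recover. `x[ike_sa_name]['remote-host'] == nbma_dst` is a textual match, so an IPv6 address typed in a different form than strongSwan reports it will not be found — consider normalising both sides with `ipaddress.ip_address()` first.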
@@ -34,57 +34,6 @@ def get_peer_connections(peer, tunnel, return_all = False): matches.append(result[1]) return matches -def reset_peer(peer, tunnel): - if not peer: - print('Invalid peer, aborting') - return - - conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all')) - - if not conns: - print('Tunnel(s) not found, aborting') - return - - result = True - for conn in conns: - try: - call(f'/usr/sbin/ipsec down {conn}{{*}}', timeout = 10) - call(f'/usr/sbin/ipsec up {conn}', timeout = 10) - except TimeoutExpired as e: - print(f'Timed out while resetting {conn}') - result = False - - - print('Peer reset result: ' + ('success' if result else 'failed')) - -def get_profile_connection(profile, tunnel = None): - search = rf'(dmvpn-{profile}-[\w]+)' if tunnel == 'all' else rf'(dmvpn-{profile}-{tunnel})' - with open(SWANCTL_CONF, 'r') as f: - for line in f.readlines(): - result = re.search(search, line) - if result: - return result[1] - return None - -def reset_profile(profile, tunnel): - if not profile: - print('Invalid profile, aborting') - return - - if not tunnel: - print('Invalid tunnel, aborting') - return - - conn = get_profile_connection(profile) - - if not conn: - print('Profile not found, aborting') - return - - call(f'/usr/sbin/ipsec down {conn}') - result = call(f'/usr/sbin/ipsec up {conn}') - - print('Profile reset result: ' + ('success' if result == 0 else 'failed')) def debug_peer(peer, tunnel): peer = peer.replace(':', '-') @@ -119,6 +68,7 @@ def debug_peer(peer, tunnel): for conn in conns: call(f'/usr/sbin/ipsec statusall | grep {conn}') + if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--action', help='Control action', required=True) 
@@ -127,9 +77,6 @@ if __name__ == '__main__':
args = parser.parse_args()
- if args.action == 'reset-peer':
- reset_peer(args.name, args.tunnel)
- elif args.action == "reset-profile":
- reset_profile(args.name, args.tunnel)
- elif args.action == "vpn-debug":
+
+ if args.action == "vpn-debug":
debug_peer(args.name, args.tunnel)
-- cgit v1.2.3
From 328c2f1c2111870796d30a7c7616a03f9339c2fe Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Thu, 30 Mar 2023 14:12:39 -0500
Subject: interfaces: T5130: show/interfaces/node.def defined in vyos-1x
---
Makefile | 1 -
1 file changed, 1 deletion(-)
diff --git a/Makefile b/Makefile
index a4bfac17d..4f49f0d27 100644
--- a/Makefile
+++ b/Makefile
@@ -65,7 +65,6 @@ op_mode_definitions: $(op_xml_obj)
rm -f $(OP_TMPL_DIR)/generate/node.def
rm -f $(OP_TMPL_DIR)/monitor/node.def
rm -f $(OP_TMPL_DIR)/set/node.def
- rm -f $(OP_TMPL_DIR)/show/interfaces/node.def
rm -f $(OP_TMPL_DIR)/show/node.def
rm -f $(OP_TMPL_DIR)/show/system/node.def
-- cgit v1.2.3
From 33b804c2030f8bc47acb3499a155a0e2f1f2db0f Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Thu, 30 Mar 2023 14:12:59 -0500
Subject: interfaces: T5130: remove obsoleted show_interfaces.py
---
src/op_mode/show_interfaces.py | 310 -----------------------------------------
1 file changed, 310 deletions(-)
delete mode 100755 src/op_mode/show_interfaces.py
diff --git a/src/op_mode/show_interfaces.py b/src/op_mode/show_interfaces.py
deleted file mode 100755
index eac068274..000000000
--- a/src/op_mode/show_interfaces.py
+++ /dev/null
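Review bot: With the `reset-peer`/`reset-profile` branches gone, an unrecognised `--action` value now falls past the lone `if args.action == "vpn-debug":` and the script exits 0 without doing or reporting anything. `--action` is declared `required=True` in the preceding hunk but its value is never validated; either add `else: parser.error(f'unknown action {args.action}')` after the `if`, or give the argument `choices=['vpn-debug']` so that stale callers of the removed reset actions are rejected with a clear message instead of a silent no-op.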
@@ -1,310 +0,0 @@
-#!/usr/bin/env python3
-
-# Copyright 2017-2021 VyOS maintainers and contributors
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library. If not, see .
-
-import os
-import re
-import sys
-import glob
-import argparse
-
-from vyos.ifconfig import Section
-from vyos.ifconfig import Interface
-from vyos.ifconfig import VRRP
-from vyos.util import cmd, call
-
-
-# interfaces = Sections.reserved()
-interfaces = ['eno', 'ens', 'enp', 'enx', 'eth', 'vmnet', 'lo', 'tun', 'wan', 'pppoe']
-glob_ifnames = '/sys/class/net/({})*'.format('|'.join(interfaces))
-
-
-actions = {}
-def register(name):
- """
- Decorator to register a function into actions with a name.
- `actions[name]' can be used to call the registered functions.
- We wrap each function in a SIGPIPE handler as all registered functions
- can be subject to a broken pipe if there are a lot of interfaces.
- """
- def _register(function):
- def handled_function(*args, **kwargs):
- try:
- function(*args, **kwargs)
- except BrokenPipeError:
- # Flush output to /dev/null and bail out.
- os.dup2(os.open(os.devnull, os.O_WRONLY), sys.stdout.fileno())
- sys.exit(1)
- actions[name] = handled_function
- return handled_function
- return _register
-
-
-def filtered_interfaces(ifnames, iftypes, vif, vrrp):
- """
- get all the interfaces from the OS and returns them
- ifnames can be used to filter which interfaces should be considered
-
- ifnames: a list of interfaces names to consider, empty do not filter
- return an instance of the interface class
- """
- if isinstance(iftypes, list):
- for iftype in iftypes:
- yield from filtered_interfaces(ifnames, iftype, vif, vrrp)
-
- for ifname in Section.interfaces(iftypes):
- # Bail out early if interface name not part of our search list
- if ifnames and ifname not in ifnames:
- continue
-
- # As we are only "reading" from the interface - we must use the
- # generic base class which exposes all the data via a common API
- interface = Interface(ifname, create=False, debug=False)
-
- # VLAN interfaces have a '.' in their name by convention
- if vif and not '.' in ifname:
- continue
-
- if vrrp:
- vrrp_interfaces = VRRP.active_interfaces()
- if ifname not in vrrp_interfaces:
- continue
-
- yield interface
-
-
-def split_text(text, used=0):
- """
- take a string and attempt to split it to fit with the width of the screen
-
- text: the string to split
- used: number of characted already used in the screen
- """
- no_tty = call('tty -s')
-
- returned = cmd('stty size') if not no_tty else ''
- if len(returned) == 2:
- rows, columns = [int(_) for _ in returned]
- else:
- rows, columns = (40, 80)
-
- desc_len = columns - used
-
- line = ''
- for word in text.split():
- if len(line) + len(word) < desc_len:
- line = f'{line} {word}'
- continue
- if line:
- yield line[1:]
- else:
- line = f'{line} {word}'
-
- yield line[1:]
-
-
-def get_counter_val(clear, now):
- """
- attempt to correct a counter if it wrapped, copied from perl
-
- clear: previous counter
- now: the current counter
- """
- # This function has to deal with both 32 and 64 bit counters
- if clear == 0:
- return now
-
- # device is using 64 bit values assume they never wrap
- value = now - clear
- if (now >> 32) != 0:
- return value
-
- # The counter has rolled. If the counter has rolled
- # multiple times since the clear value, then this math
- # is meaningless.
- if (value < 0):
- value = (4294967296 - clear) + now
-
- return value
-
-
-@register('help')
-def usage(*args):
- print(f"Usage: {sys.argv[0]} [intf=NAME|intf-type=TYPE|vif|vrrp] action=ACTION")
- print(f" NAME = " + ' | '.join(Section.interfaces()))
- print(f" TYPE = " + ' | '.join(Section.sections()))
- print(f" ACTION = " + ' | '.join(actions))
- sys.exit(1)
-
-
-@register('allowed')
-def run_allowed(**kwarg):
- sys.stdout.write(' '.join(Section.interfaces()))
-
-
-def pppoe(ifname):
- out = cmd(f'ps -C pppd -f')
- if ifname in out:
- return 'C'
- elif ifname in [_.split('/')[-1] for _ in glob.glob('/etc/ppp/peers/pppoe*')]:
- return 'D'
- return ''
-
-
-@register('show')
-def run_show_intf(ifnames, iftypes, vif, vrrp):
- handled = []
- for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp):
- handled.append(interface.ifname)
- cache = interface.operational.load_counters()
-
- out = cmd(f'ip addr show {interface.ifname}')
- out = re.sub(f'^\d+:\s+','',out)
- if re.search('link/tunnel6', out):
- tunnel = cmd(f'ip -6 tun show {interface.ifname}')
- # tun0: ip/ipv6 remote ::2 local ::1 encaplimit 4 hoplimit 64 tclass inherit flowlabel inherit (flowinfo 0x00000000)
- tunnel = re.sub('.*encap', 'encap', tunnel)
- out = re.sub('(\n\s+)(link/tunnel6)', f'\g<1>{tunnel}\g<1>\g<2>', out)
-
- print(out)
-
- timestamp = int(cache.get('timestamp', 0))
- if timestamp:
- when = interface.operational.strtime(timestamp)
- print(f' Last clear: {when}')
-
- description = interface.get_alias()
- if description:
- print(f' Description: {description}')
-
- print()
- print(interface.operational.formated_stats())
-
- for ifname in ifnames:
- if ifname not in handled and ifname.startswith('pppoe'):
- state = pppoe(ifname)
- if not state:
- continue
- string = {
- 'C': 'Coming up',
- 'D': 'Link down',
- }[state]
- print('{}: {}'.format(ifname, string))
-
-
-@register('show-brief')
-def run_show_intf_brief(ifnames, iftypes, vif, vrrp):
- format1 = '%-16s %-33s %-4s %s'
- format2 = '%-16s %s'
-
- print('Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down')
- print(format1 % ("Interface", "IP Address", "S/L", "Description"))
- print(format1 % ("---------", "----------", "---", "-----------"))
-
- handled = []
- for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp):
- handled.append(interface.ifname)
-
- oper_state = interface.operational.get_state()
- admin_state = interface.get_admin_state()
-
- intf = [interface.ifname,]
-
- oper = ['u', ] if oper_state in ('up', 'unknown') else ['D', ]
- admin = ['u', ] if admin_state in ('up', 'unknown') else ['A', ]
- addrs = [_ for _ in interface.get_addr() if not _.startswith('fe80::')] or ['-', ]
- descs = list(split_text(interface.get_alias(),0))
-
- while intf or oper or admin or addrs or descs:
- i = intf.pop(0) if intf else ''
- a = addrs.pop(0) if addrs else ''
- d = descs.pop(0) if descs else ''
- s = [admin.pop(0)] if admin else []
- l = [oper.pop(0)] if oper else []
- if len(a) < 33:
- print(format1 % (i, a, '/'.join(s+l), d))
- else:
- print(format2 % (i, a))
- print(format1 % ('', '', '/'.join(s+l), d))
-
- for ifname in ifnames:
- if ifname not in handled and ifname.startswith('pppoe'):
- state = pppoe(ifname)
- if not state:
- continue
- string = {
- 'C': 'u/D',
- 'D': 'A/D',
- }[state]
- print(format1 % (ifname, '', string, ''))
-
-
-@register('show-count')
-def run_show_counters(ifnames, iftypes, vif, vrrp):
- formating = '%-12s %10s %10s %10s %10s'
- print(formating % ('Interface', 'Rx Packets', 'Rx Bytes', 'Tx Packets', 'Tx Bytes'))
-
- for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp):
- oper = interface.operational.get_state()
-
- if oper not in ('up','unknown'):
- continue
-
- stats = interface.operational.get_stats()
- cache = interface.operational.load_counters()
- print(formating % (
- interface.ifname,
- get_counter_val(cache['rx_packets'], stats['rx_packets']),
- get_counter_val(cache['rx_bytes'], stats['rx_bytes']),
- get_counter_val(cache['tx_packets'], stats['tx_packets']),
- get_counter_val(cache['tx_bytes'], stats['tx_bytes']),
- ))
-
-
-@register('clear')
-def run_clear_intf(ifnames, iftypes, vif, vrrp):
- for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp):
- print(f'Clearing {interface.ifname}')
- interface.operational.clear_counters()
-
-
-@register('reset')
-def run_reset_intf(ifnames, iftypes, vif, vrrp):
- for interface in filtered_interfaces(ifnames, iftypes, vif, vrrp):
- interface.operational.reset_counters()
-
-
-if __name__ == '__main__':
- parser = argparse.ArgumentParser(add_help=False, description='Show interface information')
- parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface(s)')
- parser.add_argument('--intf-type', action="store", type=str, default='', help='only show the specified interface type')
- parser.add_argument('--action', action="store", type=str, default='show', help='action to perform')
- parser.add_argument('--vif', action='store_true', default=False, help="only show vif interfaces")
- parser.add_argument('--vrrp', action='store_true', default=False, help="only show vrrp interfaces")
- parser.add_argument('--help', action='store_true', default=False, help="show help")
-
- args = parser.parse_args()
-
- def missing(*args):
- print('Invalid action [{args.action}]')
- usage()
-
- actions.get(args.action, missing)(
- [_ for _ in args.intf.split(' ') if _],
- [_ for _ in args.intf_type.split(' ') if _],
- args.vif,
- args.vrrp
- )
-- cgit v1.2.3
From d1345fe688546082a1d8283ccb0c3b05bcd0a1d3 Mon Sep 17 00:00:00 2001
From: fett0
Date: Thu, 30 Mar 2023 22:54:16 +0000
Subject: T5131: fix op-mode show isis segment-routing prefix-sids
---
op-mode-definitions/include/isis-common.xml.i | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/op-mode-definitions/include/isis-common.xml.i b/op-mode-definitions/include/isis-common.xml.i index 95a171515..4a2f1e503 100644 --- a/op-mode-definitions/include/isis-common.xml.i +++ b/op-mode-definitions/include/isis-common.xml.i @@ -122,6 +122,12 @@ ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + Show Prefix-SID information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + vtysh -c "show isis route" @@ -136,12 +142,6 @@ ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - - - Show prefix segment IDs - - ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - -- cgit v1.2.3 From 599c5405e7ff5b76aa774b8cc97a82fbc053d46c Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Thu, 30 Mar 2023 12:55:30 +0000 Subject: T5128: Policy Route: allow wildcard on interface --- data/templates/firewall/nftables-policy.j2 | 2 +- .../constraint/interface-name-with-wildcard.xml.in | 4 ++++ .../include/generic-interface-multi-wildcard.xml.i | 19 +++++++++++++++++++ interface-definitions/policy-route.xml.in | 4 ++-- smoketest/scripts/cli/test_policy_route.py | 8 +++++--- 5 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 interface-definitions/include/constraint/interface-name-with-wildcard.xml.in create mode 100644 interface-definitions/include/generic-interface-multi-wildcard.xml.i diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 index 6cb3b2f95..7a89d29e4 100644 --- a/data/templates/firewall/nftables-policy.j2 +++ b/data/templates/firewall/nftables-policy.j2 @@ -11,7 +11,7 @@ table ip vyos_mangle { type filter hook prerouting priority -150; policy accept; {% if route is vyos_defined %} {% for route_text, conf in route.items() if conf.interface is vyos_defined %} - iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR_{{ route_text }} + iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_{{ route_text }} {% endfor %} {% endif %} } 
diff --git a/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in b/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in new file mode 100644 index 000000000..09867b380 --- /dev/null +++ b/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in @@ -0,0 +1,4 @@ + +(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|lo + + diff --git a/interface-definitions/include/generic-interface-multi-wildcard.xml.i b/interface-definitions/include/generic-interface-multi-wildcard.xml.i new file mode 100644 index 000000000..354841a85 --- /dev/null +++ b/interface-definitions/include/generic-interface-multi-wildcard.xml.i @@ -0,0 +1,19 @@ + + + + + Interface name to apply policy route configuration + + + + + txt + Interface name + + + #include + + + + + diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in index bbd6dbf56..d4ec75786 100644 --- a/interface-definitions/policy-route.xml.in +++ b/interface-definitions/policy-route.xml.in @@ -12,8 +12,8 @@ #include - #include #include + #include Policy rule number @@ -67,8 +67,8 @@ #include - #include #include + #include Policy rule number diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py index 4be36b134..a3df6bf4d 100755 --- a/smoketest/scripts/cli/test_policy_route.py +++ b/smoketest/scripts/cli/test_policy_route.py @@ -26,6 +26,7 @@ conn_mark_set = '111' table_mark_offset = 0x7fffffff table_id = '101' interface = 'eth0' +interface_wc = 'ppp*' interface_ip = '172.16.10.1/24' class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): 
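Review bot: The new constraint regex `(bond|br|...|wwan)([0-9]?)(\*?)(.+)?|lo` ends in `(.+)?`, which matches any trailing text, so after the type prefix nothing is actually constrained and the value reaches the unquoted `iifname { ... }` set in nftables-policy.j2 (and firewall.xml.in in the follow-up commit) exactly as typed. Limit the tail to what an interface name or wildcard can contain, e.g. replace `([0-9]?)(\*?)(.+)?` with something like `[0-9]*(\.[0-9]+)?\*?` (constructed — align it with the existing interface-name constraint so plain names and VLAN sub-interfaces stay accepted). A one-line comment in the file stating that `*` is the only wildcard and where it may appear would also make the intent reviewable.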
@@ -236,7 +237,8 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '5', 'set', 'table', table_id]) self.cli_set(['policy', 'route', 'smoketest', 'interface', interface]) - self.cli_set(['policy', 'route6', 'smoketest6', 'interface', interface]) + self.cli_set(['policy', 'route', 'smoketest', 'interface', interface_wc]) + self.cli_set(['policy', 'route6', 'smoketest6', 'interface', interface_wc]) self.cli_commit() @@ -244,7 +246,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv4 nftables_search = [ - [f'iifname "{interface}"', 'jump VYOS_PBR_smoketest'], + ['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_smoketest'], ['meta l4proto udp', 'drop'], ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex], ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex], @@ -256,7 +258,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv6 nftables6_search = [ - [f'iifname "{interface}"', 'jump VYOS_PBR6_smoketest'], + [f'iifname "{interface_wc}"', 'jump VYOS_PBR6_smoketest'], ['meta l4proto udp', 'drop'], ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex], ['ct state new', 'tcp dport 22', 'ip6 saddr 2001:db8::/64', 'ip6 hoplimit > 2', 'meta mark set ' + mark_hex], -- cgit v1.2.3 From c41af9698abaeb1dc656933570c14fc9d75c9ce5 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Fri, 31 Mar 2023 13:05:50 +0000 Subject: T5128: Add contraint for firewall interface. Also update smoketest to include at least one wildcarded interface --- interface-definitions/firewall.xml.in | 3 +++ smoketest/scripts/cli/test_firewall.py | 3 +++ 2 files changed, 6 insertions(+) diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 624d61759..edbf1e03a 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -349,6 +349,9 @@ + + #include + 
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index e071b7df9..99d3b3ca1 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -198,6 +198,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): def test_ipv4_basic_rules(self): name = 'smoketest' interface = 'eth0' + interface_wc = 'l2tp*' mss_range = '501-1460' conn_mark = '555' @@ -240,6 +241,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark]) self.cli_set(['firewall', 'interface', interface, 'in', 'name', name]) + self.cli_set(['firewall', 'interface', interface_wc, 'in', 'name', name]) self.cli_commit() @@ -247,6 +249,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ [f'iifname "{interface}"', f'jump NAME_{name}'], + [f'iifname "{interface_wc}"', f'jump NAME_{name}'], ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'return'], ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'], ['tcp dport 22', 'limit rate 5/minute', 'return'], -- cgit v1.2.3 From 657f5c1a08351c7740ff74cc112321d8f4e2155c Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Fri, 31 Mar 2023 13:09:21 +0000 Subject: T5125: Add op-mode for sFlow based on hsflowd Add op-mode for sFlow based on hsflowd "show sflow" Add machine readable format '--raw' and formatted output --- data/templates/sflow/hsflowd.conf.j2 | 1 + op-mode-definitions/sflow.xml.in | 15 +++++ smoketest/scripts/cli/test_system_sflow.py | 1 + src/op_mode/sflow.py | 102 +++++++++++++++++++++++++++++ 4 files changed, 119 insertions(+) create mode 100644 op-mode-definitions/sflow.xml.in create mode 100755 src/op_mode/sflow.py diff --git a/data/templates/sflow/hsflowd.conf.j2 b/data/templates/sflow/hsflowd.conf.j2 index 94f5939be..5000956bd 100644 
--- a/data/templates/sflow/hsflowd.conf.j2 +++ b/data/templates/sflow/hsflowd.conf.j2 @@ -28,4 +28,5 @@ sflow { {% if drop_monitor_limit is vyos_defined %} dropmon { limit={{ drop_monitor_limit }} start=on sw=on hw=off } {% endif %} + dbus { } } diff --git a/op-mode-definitions/sflow.xml.in b/op-mode-definitions/sflow.xml.in new file mode 100644 index 000000000..9f02dacda --- /dev/null +++ b/op-mode-definitions/sflow.xml.in @@ -0,0 +1,15 @@ + + + + + + + + Show sFlow statistics + + + sudo ${vyos_op_scripts_dir}/sflow.py show + + + + diff --git a/smoketest/scripts/cli/test_system_sflow.py b/smoketest/scripts/cli/test_system_sflow.py index fef88b56a..1aec050a4 100755 --- a/smoketest/scripts/cli/test_system_sflow.py +++ b/smoketest/scripts/cli/test_system_sflow.py @@ -91,6 +91,7 @@ class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): self.assertIn(f'collector {{ ip = {server} udpport = {port} }}', hsflowd) self.assertIn(f'collector {{ ip = {local_server} udpport = {default_port} }}', hsflowd) self.assertIn(f'dropmon {{ limit={mon_limit} start=on sw=on hw=off }}', hsflowd) + self.assertIn('dbus { }', hsflowd) for interface in Section.interfaces('ethernet'): self.assertIn(f'pcap {{ dev={interface} }}', hsflowd) diff --git a/src/op_mode/sflow.py b/src/op_mode/sflow.py new file mode 100755 index 000000000..1ff006274 --- /dev/null +++ b/src/op_mode/sflow.py 
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import dbus
+import sys
+
+from tabulate import tabulate
+
+from vyos.configquery import ConfigTreeQuery
+from vyos.util import cmd
+
+import vyos.opmode
+
+
+def _get_raw_sflow():
+ bus = dbus.SystemBus()
+ config = ConfigTreeQuery()
+
+ interfaces = config.values('system sflow interface')
+ servers = config.list_nodes('system sflow server')
+
+ sflow = bus.get_object('net.sflow.hsflowd', '/net/sflow/hsflowd')
+ sflow_telemetry = dbus.Interface(
+ sflow, dbus_interface='net.sflow.hsflowd.telemetry')
+ agent_address = sflow_telemetry.GetAgent()
+ samples_dropped = int(sflow_telemetry.Get('dropped_samples'))
+ samples_packet_sent = int(sflow_telemetry.Get('flow_samples'))
+ samples_counter_sent = int(sflow_telemetry.Get('counter_samples'))
+ datagrams_sent = int(sflow_telemetry.Get('datagrams'))
+ rtmetric_samples = int(sflow_telemetry.Get('rtmetric_samples'))
+ samples_suppressed = int(sflow_telemetry.Get('flow_samples_suppressed'))
+ counter_samples_suppressed = int(
+ sflow_telemetry.Get("counter_samples_suppressed"))
+ version = sflow_telemetry.GetVersion()
+
+ sflow_dict = {
+ 'agent_address': agent_address,
+ 'sflow_interfaces': interfaces,
+ 'sflow_servers': servers,
+ 'counter_samples_sent': samples_counter_sent,
+ 'datagrams_sent': datagrams_sent,
+ 'packet_samples_dropped': samples_dropped,
+ 'packet_samples_sent': samples_packet_sent,
+ 'rtmetric_samples': rtmetric_samples,
+ 'flow_samples_suppressed': samples_suppressed,
+ 'counter_samples_suppressed': counter_samples_suppressed,
+ 'hsflowd_version': version
+ }
+ return sflow_dict
+
+
+def _get_formatted_sflow(data):
+ table = [
+ ['Agent address', f'{data.get("agent_address")}'],
+ ['sFlow interfaces', f'{data.get("sflow_interfaces", "n/a")}'],
+ ['sFlow servers', f'{data.get("sflow_servers", "n/a")}'],
+ ['Datagrams sent', f'{data.get("datagrams_sent")}'],
+ ['Packet samples sent', f'{data.get("packet_samples_sent")}'],
+ ['Packet samples dropped', f'{data.get("packet_samples_dropped")}'],
+ ['Counter samples sent', f'{data.get("counter_samples_sent")}'],
+ ['Flow samples suppressed', f'{data.get("flow_samples_suppressed")}'],
+ ['Counter samples suppressed', f'{data.get("counter_samples_suppressed")}']
+ ]
+
+ return tabulate(table)
+
+
+def show(raw: bool):
+
+ config = ConfigTreeQuery()
+ if not config.exists('system sflow'):
+ raise vyos.opmode.UnconfiguredSubsystem(
+ '"system sflow" is not configured!')
+
+ sflow_data = _get_raw_sflow()
+ if raw:
+ return sflow_data
+ else:
+ return _get_formatted_sflow(sflow_data)
+
+
+if __name__ == '__main__':
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)
-- cgit v1.2.3
From 11b1d043310833447ddeea3b68fba2a1d1f5799d Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Wed, 29 Mar 2023 19:48:52 -0500
Subject: http-api: T5126: allow restricting client IP address
---
data/templates/https/nginx.default.j2 | 6 +++++
interface-definitions/https.xml.in | 1 +
interface-definitions/include/allow-client.xml.i | 33 ++++++++++++++++++++++++
src/conf_mode/https.py | 2 ++
4 files changed, 42 insertions(+)
create mode 100644 interface-definitions/include/allow-client.xml.i
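Review bot: `_get_raw_sflow()` reaches hsflowd over the system bus but no `dbus.exceptions.DBusException` is handled; when hsflowd is not running or does not expose the telemetry interface, `bus.get_object()` / `Get()` raise it, the `except (ValueError, vyos.opmode.Error)` in `__main__` does not match, and the user gets a traceback instead of an op-mode message. Wrap the bus access in `show()`, e.g. `try: sflow_data = _get_raw_sflow()` / `except dbus.exceptions.DBusException as e: raise vyos.opmode.UnconfiguredSubsystem(f'hsflowd telemetry not available: {e}') from e` (or whichever `vyos.opmode.Error` subclass fits). `cmd` is imported from `vyos.util` but never used, and `rtmetric_samples` / `hsflowd_version` are collected but left out of the formatted table. The op-mode definition in the same commit runs the script under `sudo` although it only reads the config tree and the bus; if hsflowd's D-Bus policy admits unprivileged callers the `sudo` can be dropped — worth confirming.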
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index d42b3b389..b541ff309 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -49,6 +49,12 @@ server { proxy_buffering off; {% else %} return 503; +{% endif %} +{% if server.allow_client %} +{% for client in server.allow_client %} + allow {{ client }}; +{% endfor %} + deny all; {% endif %} } diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index 6adb07598..cf30ab2be 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -60,6 +60,7 @@ + #include diff --git a/interface-definitions/include/allow-client.xml.i b/interface-definitions/include/allow-client.xml.i new file mode 100644 index 000000000..03a0b3ff8 --- /dev/null +++ b/interface-definitions/include/allow-client.xml.i @@ -0,0 +1,33 @@ + + + Restrict to allowed IP client addresses + + + + + Allowed IP client addresses + + ipv4 + IPv4 address + + + ipv6 + IPv6 address + + + ipv4net + IPv4 address and prefix length + + + ipv6net + IPv6 address and prefix length + + + + + + + + + + diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index ce5e63928..b0c38e8d3 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -159,6 +159,8 @@ def generate(https): server_block['port'] = data.get('listen-port', '443') name = data.get('server-name', ['_']) server_block['name'] = name + allow_client = data.get('allow-client', {}) + server_block['allow_client'] = allow_client.get('address', []) server_block_list.append(server_block) # get certificate data -- cgit v1.2.3 From 0993d9ed9fbbd2110a4911d10fc0b42c7ee8856e Mon Sep 17 00:00:00 2001 
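Review bot: The `allow`/`deny` pair is emitted inside the single block that closes with the `}` at the end of the hunk (a `location`, judging by the surrounding `proxy_buffering` / `return 503`), so it only guards that one location; any other `location` the server template defines outside this hunk stays reachable from every client. If the intent is to restrict the whole virtual host, move the block to `server { }` scope; otherwise a template comment such as `{# allow-client restricts this location only #}` should record the scope so it is not read as a host-wide filter. nginx evaluates `allow`/`deny` against the connecting address, so the configured list must hold the addresses nginx itself sees, which a fronting proxy would change.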
From: Christian Breunig Date: Sat, 1 Apr 2023 10:51:09 +0200 Subject: xml: allow-client: T5126: re-use new building block also for NTP service --- interface-definitions/include/allow-client.xml.i | 68 ++++++++++++------------ interface-definitions/ntp.xml.in | 34 +----------- 2 files changed, 36 insertions(+), 66 deletions(-) diff --git a/interface-definitions/include/allow-client.xml.i b/interface-definitions/include/allow-client.xml.i index 03a0b3ff8..1b06e2c17 100644 --- a/interface-definitions/include/allow-client.xml.i +++ b/interface-definitions/include/allow-client.xml.i @@ -1,33 +1,35 @@ - - - Restrict to allowed IP client addresses - - - - - Allowed IP client addresses - - ipv4 - IPv4 address - - - ipv6 - IPv6 address - - - ipv4net - IPv4 address and prefix length - - - ipv6net - IPv6 address and prefix length - - - - - - - - - - + + + + Restrict to allowed IP client addresses + + + + + Allowed IP client addresses + + ipv4 + IPv4 address + + + ipv6 + IPv6 address + + + ipv4net + IPv4 address and prefix length + + + ipv6net + IPv6 address and prefix length + + + + + + + + + + + diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/ntp.xml.in index 287401ed6..558204a06 100644 --- a/interface-definitions/ntp.xml.in +++ b/interface-definitions/ntp.xml.in @@ -57,39 +57,7 @@ - - - Specify NTP clients allowed to access the server - - - - - IP address - - ipv4 - Allowed IPv4 address - - - ipv4net - Allowed IPv4 prefix - - - ipv6 - Allowed IPv6 address - - - ipv6net - Allowed IPv6 prefix - - - - - - - - - - + #include #include #include #include -- cgit v1.2.3 From 0a49c0af4dbdcad9e494d4fba2212f156485fd7d Mon Sep 17 00:00:00 2001 
From: Christian Breunig Date: Sat, 1 Apr 2023 10:51:57 +0200 Subject: xml: T5128: streamline help string for interface CLI node building blocks --- interface-definitions/include/generic-interface-broadcast.xml.i | 2 +- .../include/generic-interface-multi-broadcast.xml.i | 2 +- interface-definitions/include/generic-interface-multi-wildcard.xml.i | 5 ++--- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/interface-definitions/include/generic-interface-broadcast.xml.i b/interface-definitions/include/generic-interface-broadcast.xml.i index 82bfc139b..ac21767d1 100644 --- a/interface-definitions/include/generic-interface-broadcast.xml.i +++ b/interface-definitions/include/generic-interface-broadcast.xml.i @@ -1,7 +1,7 @@ - Interface Name to use + Interface to use diff --git a/interface-definitions/include/generic-interface-multi-broadcast.xml.i b/interface-definitions/include/generic-interface-multi-broadcast.xml.i index 8160f816d..8b0c38761 100644 --- a/interface-definitions/include/generic-interface-multi-broadcast.xml.i +++ b/interface-definitions/include/generic-interface-multi-broadcast.xml.i @@ -1,7 +1,7 @@ - Interface Name to use + Interface to use diff --git a/interface-definitions/include/generic-interface-multi-wildcard.xml.i b/interface-definitions/include/generic-interface-multi-wildcard.xml.i index 354841a85..a93eddbbe 100644 --- a/interface-definitions/include/generic-interface-multi-wildcard.xml.i +++ b/interface-definitions/include/generic-interface-multi-wildcard.xml.i @@ -1,14 +1,13 @@ - - Interface name to apply policy route configuration + Interface to use txt - Interface name + Interface name, wildcard (*) supported #include -- cgit v1.2.3 From 15922541cef35956107e0b32ee952fee05928dbd Mon Sep 17 00:00:00 2001 
From: Christian Breunig Date: Sat, 1 Apr 2023 12:33:21 +0200 Subject: isis: op-mode: T5132: bugfix VRF commands for route and neighbor show isis vrf neighbor|route did not call the vtysh wrapper but instead always called the commands for the default routing table. --- op-mode-definitions/include/isis-common.xml.i | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/op-mode-definitions/include/isis-common.xml.i b/op-mode-definitions/include/isis-common.xml.i index 4a2f1e503..0e20861c7 100644 --- a/op-mode-definitions/include/isis-common.xml.i +++ b/op-mode-definitions/include/isis-common.xml.i @@ -94,7 +94,7 @@ ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - vtysh -c "show isis neighbor" + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ @@ -129,7 +129,7 @@ ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ - vtysh -c "show isis route" + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ -- cgit v1.2.3 From 2265bb4dc27965da3dce7e3f476366b7d1e911f3 Mon Sep 17 00:00:00 2001 
From: Christian Breunig Date: Sat, 1 Apr 2023 13:14:30 +0200 Subject: xml: include building block file name should end with .i and not .in --- interface-definitions/container.xml.in | 2 +- interface-definitions/dhcp-relay.xml.in | 4 ++-- interface-definitions/dns-domain-name.xml.in | 4 ++-- interface-definitions/firewall.xml.in | 2 +- interface-definitions/high-availability.xml.in | 2 +- interface-definitions/include/babel/interface.xml.i | 2 +- interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i | 4 ++-- interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i | 4 ++-- interface-definitions/include/bgp/neighbor-update-source.xml.i | 2 +- interface-definitions/include/bgp/protocol-common-config.xml.i | 4 ++-- .../include/constraint/alpha-numeric-hyphen-underscore.xml.i | 3 +++ .../include/constraint/alpha-numeric-hyphen-underscore.xml.in | 3 --- interface-definitions/include/constraint/host-name.xml.i | 3 +++ interface-definitions/include/constraint/host-name.xml.in | 3 --- .../include/constraint/interface-name-with-wildcard.xml.i | 4 ++++ .../include/constraint/interface-name-with-wildcard.xml.in | 4 ---- interface-definitions/include/constraint/interface-name.xml.i | 4 ++++ interface-definitions/include/constraint/interface-name.xml.in | 4 ---- interface-definitions/include/dhcp-interface-multi.xml.i | 2 +- interface-definitions/include/dhcp-interface.xml.i | 2 +- .../include/generic-interface-broadcast.xml.i | 2 +- .../include/generic-interface-multi-broadcast.xml.i | 2 +- .../include/generic-interface-multi-wildcard.xml.i | 2 +- interface-definitions/include/generic-interface-multi.xml.i | 2 +- interface-definitions/include/generic-interface.xml.i | 2 +- interface-definitions/include/interface/redirect.xml.i | 2 +- .../include/ospf/protocol-common-config.xml.i | 2 +- .../include/ospfv3/protocol-common-config.xml.i | 2 +- interface-definitions/include/rip/interface.xml.i | 2 +- interface-definitions/include/routing-passive-interface.xml.i | 2 +- 
interface-definitions/include/source-interface.xml.i | 2 +- .../include/static/static-route-interface.xml.i | 2 +- interface-definitions/include/static/static-route.xml.i | 2 +- interface-definitions/include/static/static-route6.xml.i | 2 +- interface-definitions/interfaces-bonding.xml.in | 4 ++-- interface-definitions/policy.xml.in | 8 ++++---- interface-definitions/protocols-babel.xml.in | 4 ++-- interface-definitions/protocols-rip.xml.in | 2 +- interface-definitions/protocols-ripng.xml.in | 2 +- interface-definitions/protocols-static-arp.xml.in | 2 +- interface-definitions/qos.xml.in | 2 +- interface-definitions/service-monitoring-telegraf.xml.in | 10 +++++----- interface-definitions/service-upnp.xml.in | 4 ++-- interface-definitions/system-config-mgmt.xml.in | 2 +- interface-definitions/system-sflow.xml.in | 2 +- 45 files changed, 66 insertions(+), 66 deletions(-) create mode 100644 interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i delete mode 100644 interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in create mode 100644 interface-definitions/include/constraint/host-name.xml.i delete mode 100644 interface-definitions/include/constraint/host-name.xml.in create mode 100644 interface-definitions/include/constraint/interface-name-with-wildcard.xml.i delete mode 100644 interface-definitions/include/constraint/interface-name-with-wildcard.xml.in create mode 100644 interface-definitions/include/constraint/interface-name.xml.i delete mode 100644 interface-definitions/include/constraint/interface-name.xml.in diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index 6947ed500..0849af656 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -117,7 +117,7 @@ Container host name - #include + #include Host-name must be alphanumeric and can contain hyphens 
diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/dhcp-relay.xml.in index 79ad2c01c..2a2597dd5 100644 --- a/interface-definitions/dhcp-relay.xml.in +++ b/interface-definitions/dhcp-relay.xml.in @@ -21,7 +21,7 @@ Interface name - #include + #include @@ -37,7 +37,7 @@ Interface name - #include + #include diff --git a/interface-definitions/dns-domain-name.xml.in b/interface-definitions/dns-domain-name.xml.in index c0ac16a80..e93c49ebd 100644 --- a/interface-definitions/dns-domain-name.xml.in +++ b/interface-definitions/dns-domain-name.xml.in @@ -25,7 +25,7 @@ - #include + #include @@ -34,7 +34,7 @@ System host name (default: vyos) - #include + #include diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index edbf1e03a..69901e5d3 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -350,7 +350,7 @@ - #include + #include diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in index 1fa051df9..ce6603796 100644 --- a/interface-definitions/high-availability.xml.in +++ b/interface-definitions/high-availability.xml.in @@ -220,7 +220,7 @@ Interface name - #include + #include diff --git a/interface-definitions/include/babel/interface.xml.i b/interface-definitions/include/babel/interface.xml.i index 586eca7a5..a122ef024 100644 --- a/interface-definitions/include/babel/interface.xml.i +++ b/interface-definitions/include/babel/interface.xml.i @@ -10,7 +10,7 @@ Interface name - #include + #include diff --git a/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i b/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i index ee902b0b6..0f760daae 100644 --- a/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i +++ b/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i 
@@ -15,7 +15,7 @@ Name of IPv4 prefix-list - #include + #include Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores @@ -31,7 +31,7 @@ Name of IPv4 prefix-list - #include + #include Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores diff --git a/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i b/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i index da966f193..268d9cbc0 100644 --- a/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i +++ b/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i @@ -15,7 +15,7 @@ Name of IPv6 prefix-list - #include + #include Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores @@ -31,7 +31,7 @@ Name of IPv6 prefix-list - #include + #include Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores diff --git a/interface-definitions/include/bgp/neighbor-update-source.xml.i b/interface-definitions/include/bgp/neighbor-update-source.xml.i index 0acec4126..c6aa776c2 100644 --- a/interface-definitions/include/bgp/neighbor-update-source.xml.i +++ b/interface-definitions/include/bgp/neighbor-update-source.xml.i @@ -22,7 +22,7 @@ - #include + #include diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 089c36ef3..a9122db57 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -942,7 +942,7 @@ - #include + #include @@ -1530,7 +1530,7 @@ Name of peer-group - #include + #include diff --git a/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i new file mode 100644 index 000000000..eb568d7d9 --- /dev/null +++ b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.i 
@@ -0,0 +1,3 @@ + +[-_a-zA-Z0-9]+ + diff --git a/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in b/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in deleted file mode 100644 index eb568d7d9..000000000 --- a/interface-definitions/include/constraint/alpha-numeric-hyphen-underscore.xml.in +++ /dev/null @@ -1,3 +0,0 @@ - -[-_a-zA-Z0-9]+ - diff --git a/interface-definitions/include/constraint/host-name.xml.i b/interface-definitions/include/constraint/host-name.xml.i new file mode 100644 index 000000000..202c200f4 --- /dev/null +++ b/interface-definitions/include/constraint/host-name.xml.i @@ -0,0 +1,3 @@ + +[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9] + diff --git a/interface-definitions/include/constraint/host-name.xml.in b/interface-definitions/include/constraint/host-name.xml.in deleted file mode 100644 index 202c200f4..000000000 --- a/interface-definitions/include/constraint/host-name.xml.in +++ /dev/null @@ -1,3 +0,0 @@ - -[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9] - diff --git a/interface-definitions/include/constraint/interface-name-with-wildcard.xml.i b/interface-definitions/include/constraint/interface-name-with-wildcard.xml.i new file mode 100644 index 000000000..09867b380 --- /dev/null +++ b/interface-definitions/include/constraint/interface-name-with-wildcard.xml.i @@ -0,0 +1,4 @@ + +(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|lo + + diff --git a/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in b/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in deleted file mode 100644 index 09867b380..000000000 --- a/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in +++ /dev/null @@ -1,4 +0,0 @@ - -(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|lo - - 
diff --git a/interface-definitions/include/constraint/interface-name.xml.i b/interface-definitions/include/constraint/interface-name.xml.i new file mode 100644 index 000000000..e540e4418 --- /dev/null +++ b/interface-definitions/include/constraint/interface-name.xml.i @@ -0,0 +1,4 @@ + +(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo + + diff --git a/interface-definitions/include/constraint/interface-name.xml.in b/interface-definitions/include/constraint/interface-name.xml.in deleted file mode 100644 index e540e4418..000000000 --- a/interface-definitions/include/constraint/interface-name.xml.in +++ /dev/null @@ -1,4 +0,0 @@ - -(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo - - diff --git a/interface-definitions/include/dhcp-interface-multi.xml.i b/interface-definitions/include/dhcp-interface-multi.xml.i index e10341037..0db11cf79 100644 --- a/interface-definitions/include/dhcp-interface-multi.xml.i +++ b/interface-definitions/include/dhcp-interface-multi.xml.i @@ -10,7 +10,7 @@ DHCP interface name - #include + #include diff --git a/interface-definitions/include/dhcp-interface.xml.i b/interface-definitions/include/dhcp-interface.xml.i index 24edbbd15..b5c94cb24 100644 --- a/interface-definitions/include/dhcp-interface.xml.i +++ b/interface-definitions/include/dhcp-interface.xml.i @@ -9,7 +9,7 @@ DHCP interface name - #include + #include diff --git a/interface-definitions/include/generic-interface-broadcast.xml.i b/interface-definitions/include/generic-interface-broadcast.xml.i index ac21767d1..e37e75012 100644 --- a/interface-definitions/include/generic-interface-broadcast.xml.i +++ b/interface-definitions/include/generic-interface-broadcast.xml.i @@ -10,7 +10,7 @@ Interface name - #include + #include 
diff --git a/interface-definitions/include/generic-interface-multi-broadcast.xml.i b/interface-definitions/include/generic-interface-multi-broadcast.xml.i index 8b0c38761..ed13cf2cf 100644 --- a/interface-definitions/include/generic-interface-multi-broadcast.xml.i +++ b/interface-definitions/include/generic-interface-multi-broadcast.xml.i @@ -10,7 +10,7 @@ Interface name - #include + #include diff --git a/interface-definitions/include/generic-interface-multi-wildcard.xml.i b/interface-definitions/include/generic-interface-multi-wildcard.xml.i index a93eddbbe..6c846a795 100644 --- a/interface-definitions/include/generic-interface-multi-wildcard.xml.i +++ b/interface-definitions/include/generic-interface-multi-wildcard.xml.i @@ -10,7 +10,7 @@ Interface name, wildcard (*) supported - #include + #include diff --git a/interface-definitions/include/generic-interface-multi.xml.i b/interface-definitions/include/generic-interface-multi.xml.i index 1b8dc102b..cfc77af3a 100644 --- a/interface-definitions/include/generic-interface-multi.xml.i +++ b/interface-definitions/include/generic-interface-multi.xml.i @@ -10,7 +10,7 @@ Interface name - #include + #include diff --git a/interface-definitions/include/generic-interface.xml.i b/interface-definitions/include/generic-interface.xml.i index 9417f9ef0..65f5bfbb8 100644 --- a/interface-definitions/include/generic-interface.xml.i +++ b/interface-definitions/include/generic-interface.xml.i @@ -10,7 +10,7 @@ Interface name - #include + #include diff --git a/interface-definitions/include/interface/redirect.xml.i b/interface-definitions/include/interface/redirect.xml.i index 0421f4074..9b41cd8ff 100644 --- a/interface-definitions/include/interface/redirect.xml.i +++ b/interface-definitions/include/interface/redirect.xml.i @@ -10,7 +10,7 @@ Destination interface name - #include + #include 
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 25b54b181..f39b9c5e3 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -358,7 +358,7 @@ Interface name - #include + #include diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i index 014bf9e49..1c33ca920 100644 --- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i +++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i @@ -118,7 +118,7 @@ Interface used for routing information exchange - #include + #include diff --git a/interface-definitions/include/rip/interface.xml.i b/interface-definitions/include/rip/interface.xml.i index 0a89f4d92..8007f0208 100644 --- a/interface-definitions/include/rip/interface.xml.i +++ b/interface-definitions/include/rip/interface.xml.i @@ -10,7 +10,7 @@ Interface name - #include + #include diff --git a/interface-definitions/include/routing-passive-interface.xml.i b/interface-definitions/include/routing-passive-interface.xml.i index 715468e59..8fa0d0fe7 100644 --- a/interface-definitions/include/routing-passive-interface.xml.i +++ b/interface-definitions/include/routing-passive-interface.xml.i @@ -16,7 +16,7 @@ (default) - #include + #include diff --git a/interface-definitions/include/source-interface.xml.i b/interface-definitions/include/source-interface.xml.i index c25a6a6d0..40fdc6c5e 100644 --- a/interface-definitions/include/source-interface.xml.i +++ b/interface-definitions/include/source-interface.xml.i @@ -10,7 +10,7 @@ - #include + #include diff --git a/interface-definitions/include/static/static-route-interface.xml.i b/interface-definitions/include/static/static-route-interface.xml.i index db2f0baa6..cb5436847 100644 
--- a/interface-definitions/include/static/static-route-interface.xml.i +++ b/interface-definitions/include/static/static-route-interface.xml.i @@ -10,7 +10,7 @@ Gateway interface name - #include + #include diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i index 34e36f5a7..268cfa005 100644 --- a/interface-definitions/include/static/static-route.xml.i +++ b/interface-definitions/include/static/static-route.xml.i @@ -26,7 +26,7 @@ Gateway interface name - #include + #include diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i index aac02062f..1f8d54108 100644 --- a/interface-definitions/include/static/static-route6.xml.i +++ b/interface-definitions/include/static/static-route6.xml.i @@ -25,7 +25,7 @@ Gateway interface name - #include + #include diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index f5f1eb1b6..14b1036b4 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -199,7 +199,7 @@ Interface name - #include + #include @@ -218,7 +218,7 @@ Interface name - #include + #include diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index 66608be6f..7d5fe79ef 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -242,7 +242,7 @@ BGP extended community-list name - #include + #include Should be an alphanumeric name @@ -291,7 +291,7 @@ BGP large-community-list name - #include + #include Should be an alphanumeric name @@ -340,7 +340,7 @@ Name of IPv4 prefix-list - #include + #include Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores @@ -408,7 +408,7 @@ Name of IPv6 prefix-list - #include + #include Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores 
diff --git a/interface-definitions/protocols-babel.xml.in b/interface-definitions/protocols-babel.xml.in index b3377aac1..49fffe230 100644 --- a/interface-definitions/protocols-babel.xml.in +++ b/interface-definitions/protocols-babel.xml.in @@ -206,7 +206,7 @@ - #include + #include @@ -234,7 +234,7 @@ - #include + #include diff --git a/interface-definitions/protocols-rip.xml.in b/interface-definitions/protocols-rip.xml.in index 68d2b64ca..0edd8f2ce 100644 --- a/interface-definitions/protocols-rip.xml.in +++ b/interface-definitions/protocols-rip.xml.in @@ -39,7 +39,7 @@ - #include + #include diff --git a/interface-definitions/protocols-ripng.xml.in b/interface-definitions/protocols-ripng.xml.in index be643896f..9d4d87422 100644 --- a/interface-definitions/protocols-ripng.xml.in +++ b/interface-definitions/protocols-ripng.xml.in @@ -40,7 +40,7 @@ - #include + #include diff --git a/interface-definitions/protocols-static-arp.xml.in b/interface-definitions/protocols-static-arp.xml.in index 63f450bd8..4b338df63 100644 --- a/interface-definitions/protocols-static-arp.xml.in +++ b/interface-definitions/protocols-static-arp.xml.in @@ -20,7 +20,7 @@ Interface name - #include + #include diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in index 9b1430ea0..c7bd8606a 100644 --- a/interface-definitions/qos.xml.in +++ b/interface-definitions/qos.xml.in @@ -17,7 +17,7 @@ Interface name - #include + #include diff --git a/interface-definitions/service-monitoring-telegraf.xml.in b/interface-definitions/service-monitoring-telegraf.xml.in index 5ba932400..ae0bae900 100644 --- a/interface-definitions/service-monitoring-telegraf.xml.in +++ b/interface-definitions/service-monitoring-telegraf.xml.in @@ -74,7 +74,7 @@ Application client id - #include + #include Client-id is limited to alphanumerical characters and can contain hyphen and underscores 
@@ -83,7 +83,7 @@ Application client secret - #include + #include Client-secret is limited to alphanumerical characters and can contain hyphen and underscores @@ -92,7 +92,7 @@ Set tenant id - #include + #include Tenant-id is limited to alphanumerical characters and can contain hyphen and underscores @@ -107,7 +107,7 @@ Remote database name - #include + #include Database is limited to alphanumerical characters and can contain hyphen and underscores @@ -140,7 +140,7 @@ Table name - #include + #include Table is limited to alphanumerical characters and can contain hyphen and underscores diff --git a/interface-definitions/service-upnp.xml.in b/interface-definitions/service-upnp.xml.in index 9e222d29a..1b2e00d91 100644 --- a/interface-definitions/service-upnp.xml.in +++ b/interface-definitions/service-upnp.xml.in @@ -24,7 +24,7 @@ - #include + #include @@ -119,7 +119,7 @@ - #include + #include diff --git a/interface-definitions/system-config-mgmt.xml.in b/interface-definitions/system-config-mgmt.xml.in index 1f852d284..716332d2a 100644 --- a/interface-definitions/system-config-mgmt.xml.in +++ b/interface-definitions/system-config-mgmt.xml.in @@ -32,7 +32,7 @@ - #include + #include diff --git a/interface-definitions/system-sflow.xml.in b/interface-definitions/system-sflow.xml.in index 335181fe1..9c748c24a 100644 --- a/interface-definitions/system-sflow.xml.in +++ b/interface-definitions/system-sflow.xml.in @@ -42,7 +42,7 @@ Interface name - #include + #include -- cgit v1.2.3 From 86d7b8d1d2b53b9fa93bd456abb4ea1b4f2949b6 Mon Sep 17 00:00:00 2001 
From: Christian Breunig Date: Sat, 1 Apr 2023 14:42:45 +0200 Subject: container: T5047: bugfix TypeError: argument of type 'NoneType' is not iterable Commit 52e51ffb ("container: T5047: restart only containers that changed") started to iterate over a NoneType which is invalid. This happened when a network description was changed but no container was due for restart. --- src/conf_mode/container.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index bf83416b2..4e4db7180 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -459,7 +459,8 @@ def apply(container): os.unlink(file_path) continue - if name in dict_search('container_restart', container): + tmp = dict_search('container_restart', container) + if tmp and name in tmp: cmd(f'systemctl restart vyos-container-{name}.service') if disabled_new: -- cgit v1.2.3 From 0ea3e1420c373027bdf57ea9e794b81dd6b6ad4f Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 1 Apr 2023 15:31:46 +0200 Subject: container: T5082: switch to netavark network stack We now support assigning discrete IPv6 addresses to a container. --- data/templates/container/containers.conf.j2 | 2 +- debian/control | 1 + interface-definitions/container.xml.in | 7 ++- src/conf_mode/container.py | 95 +++++++++++++++-------------- 4 files changed, 56 insertions(+), 49 deletions(-) diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2 index 9f66aed27..c635ca213 100644 --- a/data/templates/container/containers.conf.j2 +++ b/data/templates/container/containers.conf.j2 @@ -282,7 +282,7 @@ default_sysctls = [ # Before changing this value all containers must be stopped otherwise it is likely that # iptables rules and network interfaces might leak on the host. A reboot will fix this. # -network_backend = "cni" +network_backend = "netavark" # Path to directory where CNI plugin binaries are located. # 
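Review bot: Flipping `network_backend` from "cni" to "netavark" runs straight into the caveat in the comment directly above the line: all containers must be stopped before the value changes, otherwise iptables rules and network interfaces of the old backend leak on the host. Nothing in this commit performs that migration — there is no stop of running containers before the new containers.conf lands, and the container.py hunk in this same commit stops unlinking the old `/etc/cni/net.d/*.conflist` files — so an in-place package upgrade with running containers will most likely leave CNI-managed firewall rules and bridges behind until reboot. Consider a pre-upgrade hook that stops `vyos-container-*.service` units, or at least a postinst notice; at minimum add `# Changed from "cni": containers created under CNI must be stopped/recreated after upgrade` next to the setting so the next maintainer sees the constraint.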
diff --git a/debian/control b/debian/control index 028b7cd43..8cd49f62a 100644 --- a/debian/control +++ b/debian/control @@ -99,6 +99,7 @@ Depends: mtr-tiny, ndisc6, ndppd, + netavark, netplug, nfct, nftables (>= 0.9.3), diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index 0849af656..b09536a16 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -191,15 +191,20 @@ - Assign static IP address to container ipv4 IPv4 address + + ipv6 + IPv6 address + + + diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 4e4db7180..5cfbfc30c 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -16,6 +16,7 @@ import os +from hashlib import sha256 from ipaddress import ip_address from ipaddress import ip_network from json import dumps as json_write @@ -27,7 +28,6 @@ from vyos.configdict import node_changed from vyos.configdict import is_node_changed from vyos.util import call from vyos.util import cmd -from vyos.util import dict_search from vyos.util import run from vyos.util import rc_cmd from vyos.util import write_file 
@@ -166,21 +166,29 @@ def verify(container): raise ConfigError(f'Container network "{network_name}" does not exist!') if 'address' in container_config['network'][network_name]: - address = container_config['network'][network_name]['address'] - network = None - if is_ipv4(address): - network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0] - elif is_ipv6(address): - network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0] - - # Specified container IP address must belong to network prefix - if ip_address(address) not in ip_network(network): - raise ConfigError(f'Used container address "{address}" not in network "{network}"!') - - # We can not use the first IP address of a network prefix as this is used by podman - if ip_address(address) == ip_network(network)[1]: - raise ConfigError(f'IP address "{address}" can not be used for a container, '\ - 'reserved for the container engine!') + cnt_ipv4 = 0 + cnt_ipv6 = 0 + for address in container_config['network'][network_name]['address']: + network = None + if is_ipv4(address): + network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0] + cnt_ipv4 += 1 + elif is_ipv6(address): + network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0] + cnt_ipv6 += 1 + + # Specified container IP address must belong to network prefix + if ip_address(address) not in ip_network(network): + raise ConfigError(f'Used container address "{address}" not in network "{network}"!') + + # We can not use the first IP address of a network prefix as this is used by podman + if ip_address(address) == ip_network(network)[1]: + raise ConfigError(f'IP address "{address}" can not be used for a container, '\ + 'reserved for the container engine!') + + if cnt_ipv4 > 1 or cnt_ipv6 > 1: + raise ConfigError(f'Only one IP address per address family can be used for '\ + f'container "{name}". 
{cnt_ipv4} IPv4 and {cnt_ipv6} IPv6 address(es)!') if 'device' in container_config: for dev, dev_config in container_config['device'].items(): @@ -338,9 +346,13 @@ def generate_run_arguments(name, container_config): ip_param = '' networks = ",".join(container_config['network']) for network in container_config['network']: - if 'address' in container_config['network'][network]: - address = container_config['network'][network]['address'] - ip_param = f'--ip {address}' + if 'address' not in container_config['network'][network]: + continue + for address in container_config['network'][network]['address']: + if is_ipv6(address): + ip_param += f' --ip6 {address}' + else: + ip_param += f' --ip {address}' return f'{container_base_cmd} --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip() 
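Review bot: The family lookup `network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0]` (and its is_ipv6 twin) still raises a bare IndexError when the container gets an IPv4 address on a network that only defines an IPv6 prefix, or vice versa, so that mismatch surfaces as a traceback rather than a ConfigError; an address matching neither family leaves `network` as None and fails inside ip_network() the same way. Now that the loop iterates several addresses this is more reachable than before, so collect the candidates first and reject the mismatch explicitly, as sketched below. The per-network cnt_ipv4/cnt_ipv6 counting itself looks right. The enclosing verify() starts and ends outside this hunk.
```python
            for address in container_config['network'][network_name]['address']:
                if is_ipv4(address):
                    candidates = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)]
                    cnt_ipv4 += 1
                elif is_ipv6(address):
                    candidates = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)]
                    cnt_ipv6 += 1
                else:
                    raise ConfigError(f'Invalid container address "{address}"!')
                if not candidates:
                    raise ConfigError(f'Network "{network_name}" has no prefix of the same '\
                                      f'address family as container address "{address}"!')
                network = candidates[0]
                # … unchanged: membership check and reserved-gateway check …
```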
@@ -355,33 +367,26 @@ def generate(container): if 'network' in container: for network, network_config in container['network'].items(): tmp = { - 'cniVersion' : '0.4.0', - 'name' : network, - 'plugins' : [{ - 'type': 'bridge', - 'bridge': f'cni-{network}', - 'isGateway': True, - 'ipMasq': False, - 'hairpinMode': False, - 'ipam' : { - 'type': 'host-local', - 'routes': [], - 'ranges' : [], - }, - }] + 'name': network, + 'id' : sha256(f'{network}'.encode()).hexdigest(), + 'driver': 'bridge', + 'network_interface': f'podman-{network}', + 'subnets': [], + 'ipv6_enabled': False, + 'internal': False, + 'dns_enabled': False, + 'ipam_options': { + 'driver': 'host-local' + } } - for prefix in network_config['prefix']: - net = [{'gateway' : inc_ip(prefix, 1), 'subnet' : prefix}] - tmp['plugins'][0]['ipam']['ranges'].append(net) + net = {'subnet' : prefix, 'gateway' : inc_ip(prefix, 1)} + tmp['subnets'].append(net) - # install per address-family default orutes - default_route = '0.0.0.0/0' if is_ipv6(prefix): - default_route = '::/0' - tmp['plugins'][0]['ipam']['routes'].append({'dst': default_route}) + tmp['ipv6_enabled'] = True - write_file(f'/etc/cni/net.d/{network}.conflist', json_write(tmp, indent=2)) + write_file(f'/etc/containers/networks/{network}.json', json_write(tmp, indent=2)) if 'registry' in container: cmd = f'podman logout --all' @@ -432,10 +437,7 @@ def apply(container): # Delete old networks if needed if 'network_remove' in container: for network in container['network_remove']: - call(f'podman network rm {network}') - tmp = f'/etc/cni/net.d/{network}.conflist' - if os.path.exists(tmp): - os.unlink(tmp) + call(f'podman network rm {network} >/dev/null 2>&1') # Add container disabled_new = False 
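Review bot: Network removal now depends solely on `call(f'podman network rm {network} >/dev/null 2>&1')`, whose exit status is thrown away and whose diagnostics are suppressed, while the explicit unlink of the generated config file was dropped; if podman refuses (for example because a stopped container still references the network), the `/etc/containers/networks/{network}.json` that generate() now writes stays behind and the operator gets no message. Keep a fallback cleanup and a visible failure: `rc = run(f'podman network rm {network}')` then `tmp = f'/etc/containers/networks/{network}.json'` / `if os.path.exists(tmp): os.unlink(tmp)`, optionally logging when rc is non-zero (`run` and `os` are already imported in this file). Whether `podman network rm` deletes the netavark JSON on its own I cannot confirm from this diff. Since `network` is interpolated into a shell command line, the CLI constraint on the network name (only its 11-character length limit is visible here) should also restrict the character set. apply() continues outside this hunk.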
@@ -459,8 +461,7 @@ def apply(container): os.unlink(file_path) continue - tmp = dict_search('container_restart', container) - if tmp and name in tmp: + if 'container_restart' in container and name in container['container_restart']: cmd(f'systemctl restart vyos-container-{name}.service') if disabled_new: -- cgit v1.2.3 From b53c25a7bcd0a825cadf0e6c754297004ed3f0e4 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 1 Apr 2023 18:56:02 +0200 Subject: container: T4959: bugfix credential validation on registries Commit fe82d86d ("container: T4959: add registry authentication option") looked up the wrong config dict level when validating that both username and password need to be specified when registries are in use. --- src/conf_mode/container.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 5cfbfc30c..3827f4c70 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -258,9 +258,11 @@ def verify(container): if 'network' in container_config and network in container_config['network']: raise ConfigError(f'Can not remove network "{network}", used by container "{container}"!') - if 'registry' in container and 'authentication' in container['registry']: - for registry, registry_config in container['registry']['authentication'].items(): - if not {'username', 'password'} <= set(registry_config): + if 'registry' in container: + for registry, registry_config in container['registry'].items(): + if 'authentication' not in registry_config: + continue + if not {'username', 'password'} <= set(registry_config['authentication']): raise ConfigError('If registry username or or password is defined, so must be the other!') return None -- cgit v1.2.3 From 7d6731435410b16a2497dc0bc156fbde77797fb3 Mon Sep 17 00:00:00 2001 
From: Viacheslav Hletenko Date: Sat, 1 Apr 2023 18:44:25 +0000 Subject: T5125: Extend op-mode show sflow add new metric Add new metric, the number of packet-drop-events sent --- src/op_mode/sflow.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/op_mode/sflow.py b/src/op_mode/sflow.py index 1ff006274..ddb8bf44d 100755 --- a/src/op_mode/sflow.py +++ b/src/op_mode/sflow.py @@ -37,6 +37,7 @@ def _get_raw_sflow(): sflow, dbus_interface='net.sflow.hsflowd.telemetry') agent_address = sflow_telemetry.GetAgent() samples_dropped = int(sflow_telemetry.Get('dropped_samples')) + samples_drop_events_sent = int(sflow_telemetry.Get('event_samples')) samples_packet_sent = int(sflow_telemetry.Get('flow_samples')) samples_counter_sent = int(sflow_telemetry.Get('counter_samples')) datagrams_sent = int(sflow_telemetry.Get('datagrams')) @@ -52,6 +53,7 @@ def _get_raw_sflow(): 'sflow_servers': servers, 'counter_samples_sent': samples_counter_sent, 'datagrams_sent': datagrams_sent, + 'samples_drop_events_sent': samples_drop_events_sent, 'packet_samples_dropped': samples_dropped, 'packet_samples_sent': samples_packet_sent, 'rtmetric_samples': rtmetric_samples, @@ -67,10 +69,11 @@ def _get_formatted_sflow(data): ['Agent address', f'{data.get("agent_address")}'], ['sFlow interfaces', f'{data.get("sflow_interfaces", "n/a")}'], ['sFlow servers', f'{data.get("sflow_servers", "n/a")}'], + ['Counter samples sent', f'{data.get("counter_samples_sent")}'], ['Datagrams sent', f'{data.get("datagrams_sent")}'], ['Packet samples sent', f'{data.get("packet_samples_sent")}'], ['Packet samples dropped', f'{data.get("packet_samples_dropped")}'], - ['Counter samples sent', f'{data.get("counter_samples_sent")}'], + ['Samples drop events sent', f'{data.get("samples_drop_events_sent")}'], ['Flow samples suppressed', f'{data.get("flow_samples_suppressed")}'], ['Counter samples suppressed', f'{data.get("counter_samples_suppressed")}'] ] -- cgit v1.2.3 
From 809f28f2b95a788d23db006a041955e7167a285d Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 2 Apr 2023 09:25:35 +0200 Subject: xml: re-use generic-description.xml.i building block whenever possible Remove redundant XML CLI node definitions for the common description node by referencing the common building block. --- interface-definitions/bcast-relay.xml.in | 6 +----- interface-definitions/container.xml.in | 6 +----- interface-definitions/load-balancing-wan.xml.in | 10 +--------- interface-definitions/nat66.xml.in | 12 ++---------- interface-definitions/pki.xml.in | 12 ++---------- interface-definitions/service-webproxy.xml.in | 12 ++---------- interface-definitions/snmp.xml.in | 10 +--------- interface-definitions/vpn-l2tp.xml.in | 6 +----- 8 files changed, 11 insertions(+), 63 deletions(-) diff --git a/interface-definitions/bcast-relay.xml.in b/interface-definitions/bcast-relay.xml.in index aeaa5ab37..e2993f3f3 100644 --- a/interface-definitions/bcast-relay.xml.in +++ b/interface-definitions/bcast-relay.xml.in @@ -34,11 +34,7 @@ - - - Description - - + #include #include #include diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index b09536a16..b52054dd0 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -348,11 +348,7 @@ Network name cannot be longer than 11 characters - - - Network description - - + #include Prefix which allocated to that network diff --git a/interface-definitions/load-balancing-wan.xml.in b/interface-definitions/load-balancing-wan.xml.in index 2b812eb4d..c1d7e2c67 100644 --- a/interface-definitions/load-balancing-wan.xml.in +++ b/interface-definitions/load-balancing-wan.xml.in @@ -191,15 +191,7 @@ - - - Description for this rule - - txt - Description for this rule - - - + #include Destination diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in index 6ea611789..7a8970bdf 100644 
--- a/interface-definitions/nat66.xml.in +++ b/interface-definitions/nat66.xml.in @@ -24,11 +24,7 @@ NAT66 rule number must be between 1 and 999999 - - - Rule description - - + #include Disable NAT66 rule @@ -156,11 +152,7 @@ NAT66 rule number must be between 1 and 999999 - - - Rule description - - + #include Disable NAT66 rule diff --git a/interface-definitions/pki.xml.in b/interface-definitions/pki.xml.in index c4fde2c78..a13a357fd 100644 --- a/interface-definitions/pki.xml.in +++ b/interface-definitions/pki.xml.in @@ -16,11 +16,7 @@ CA certificate in PEM format - - - Description - - + #include CA private key in PEM format @@ -63,11 +59,7 @@ Certificate in PEM format - - - Description - - + #include Certificate private key diff --git a/interface-definitions/service-webproxy.xml.in b/interface-definitions/service-webproxy.xml.in index a315aa2ef..b24997816 100644 --- a/interface-definitions/service-webproxy.xml.in +++ b/interface-definitions/service-webproxy.xml.in @@ -538,11 +538,7 @@ - - - Description for source-group - - + #include Domain for source-group @@ -644,11 +640,7 @@ - - - Time-period description - - + #include diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in index 592db7f4e..559e09388 100644 --- a/interface-definitions/snmp.xml.in +++ b/interface-definitions/snmp.xml.in @@ -78,15 +78,7 @@ Contact information is limited to 255 characters or less - - - Description information - - .{1,255} - - Description is limited to 255 characters or less - - + #include IP address to listen for incoming SNMP requests diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in index 0a92017bd..6b64c5f5d 100644 --- a/interface-definitions/vpn-l2tp.xml.in +++ b/interface-definitions/vpn-l2tp.xml.in @@ -124,11 +124,7 @@ #include - - - Description for L2TP remote-access settings - - + #include #include -- cgit v1.2.3 From b65296a0ff39e66d87e916971477cce351f6d5a5 Mon Sep 17 00:00:00 2001 
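Review bot: The snmp `description` node previously enforced the regex `.{1,255}` with the message "Description is limited to 255 characters or less"; replacing it with the `#include` of generic-description.xml.i preserves that bound only if the shared building block carries an equivalent constraint, which is not visible in this diff. Because this value is rendered into the snmpd configuration, please verify the generic include's regex (or lack of one) before dropping the explicit limit, or keep the 255-character constraint on this node with a comment such as `<!-- snmpd sysDescr: keep <= 255 characters -->`. The other nodes touched in this commit had no constraint to lose, so they are unaffected. The surrounding snmp node runs outside the hunk.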
From: Christian Breunig Date: Sun, 2 Apr 2023 09:27:03 +0200 Subject: container: T5134: support binding container network to specific VRF Container networks now can be bound to a specific VRF instance. set vrf name table set container network vrf --- interface-definitions/container.xml.in | 1 + src/conf_mode/container.py | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index b52054dd0..9b6d2369d 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -367,6 +367,7 @@ + #include diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 3827f4c70..05595f86f 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -26,6 +26,8 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configdict import is_node_changed +from vyos.configverify import verify_vrf +from vyos.ifconfig import Interface from vyos.util import call from vyos.util import cmd from vyos.util import run @@ -250,6 +252,8 @@ def verify(container): if v6_prefix > 1: raise ConfigError(f'Only one IPv6 prefix can be defined for network "{network}"!') + # Verify VRF exists + verify_vrf(network_config) # A network attached to a container can not be deleted if {'network_remove', 'name'} <= set(container): 
@@ -469,6 +473,15 @@ def apply(container): if disabled_new: call('systemctl daemon-reload') + # Start network and assign it to given VRF if requested. this can only be done + # after the containers got started as the podman network interface will + # only be enabled by the first container and yet I do not know how to enable + # the network interface in advance + if 'network' in container: + for network, network_config in container['network'].items(): + tmp = Interface(f'podman-{network}') + tmp.set_vrf(network_config.get('vrf', '')) + return None if __name__ == '__main__': -- cgit v1.2.3 From 1b7534855f92ea307059bd01258746e45d6f79a5 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 3 Apr 2023 09:44:18 +0000 Subject: T5125: Sflow op-mode add event_samples_suppressed option Add "Packet drops suppressed" option Rename "Samples drop events sent" to "Packet drops sent" --- src/op_mode/sflow.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/op_mode/sflow.py b/src/op_mode/sflow.py index ddb8bf44d..88f70d6bd 100755 --- a/src/op_mode/sflow.py +++ b/src/op_mode/sflow.py @@ -37,11 +37,12 @@ def _get_raw_sflow(): sflow, dbus_interface='net.sflow.hsflowd.telemetry') agent_address = sflow_telemetry.GetAgent() samples_dropped = int(sflow_telemetry.Get('dropped_samples')) - samples_drop_events_sent = int(sflow_telemetry.Get('event_samples')) + packet_drop_sent = int(sflow_telemetry.Get('event_samples')) samples_packet_sent = int(sflow_telemetry.Get('flow_samples')) samples_counter_sent = int(sflow_telemetry.Get('counter_samples')) datagrams_sent = int(sflow_telemetry.Get('datagrams')) rtmetric_samples = int(sflow_telemetry.Get('rtmetric_samples')) + event_samples_suppressed = int(sflow_telemetry.Get('event_samples_suppressed')) samples_suppressed = int(sflow_telemetry.Get('flow_samples_suppressed')) counter_samples_suppressed = int( sflow_telemetry.Get("counter_samples_suppressed")) 
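Review bot: `tmp.set_vrf(network_config.get('vrf', ''))` in apply() runs for every configured network, yet the comment above it states that the `podman-<network>` interface only exists once the first container attached to that network has started; for a network that no running container uses, `Interface(f'podman-{network}')` or `set_vrf()` presumably fails and aborts the rest of apply(). Guard the loop body with an existence check on `/sys/class/net/podman-{network}` (or skip networks that no enabled container references) before calling set_vrf(). Because the VRF is assigned only after the containers are up, the network interface sits in the default routing table for a short window before it is moved; that ordering is relevant to anyone relying on the VRF for separation and should be stated in the comment, e.g. `# NOTE: the interface lives in the default VRF until set_vrf() below runs`. apply() starts outside the hunk.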
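Review bot: Renaming `samples_drop_events_sent` to `packet_drop_sent` also renames the key of the raw dictionary this function returns (the dict hunk at `@@ -53,10 +54,11 @@` carries the same rename), which is the machine-readable output of the op-mode script, so any consumer of the old key silently loses the value; either keep the old key alongside the new one or record the rename as a breaking change in the commit message. The new `event_samples_suppressed = int(sflow_telemetry.Get('event_samples_suppressed'))` has no fallback when the running hsflowd does not expose that counter; presumably the D-Bus call raises and the whole command fails rather than reporting 0, which is worth handling the same way the other counters are (or confirming the minimum hsflowd version that provides it). `_get_raw_sflow` starts outside the hunk.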
@@ -53,10 +54,11 @@ def _get_raw_sflow(): 'sflow_servers': servers, 'counter_samples_sent': samples_counter_sent, 'datagrams_sent': datagrams_sent, - 'samples_drop_events_sent': samples_drop_events_sent, + 'packet_drop_sent': packet_drop_sent, 'packet_samples_dropped': samples_dropped, 'packet_samples_sent': samples_packet_sent, 'rtmetric_samples': rtmetric_samples, + 'event_samples_suppressed': event_samples_suppressed, 'flow_samples_suppressed': samples_suppressed, 'counter_samples_suppressed': counter_samples_suppressed, 'hsflowd_version': version @@ -73,7 +75,8 @@ def _get_formatted_sflow(data): ['Datagrams sent', f'{data.get("datagrams_sent")}'], ['Packet samples sent', f'{data.get("packet_samples_sent")}'], ['Packet samples dropped', f'{data.get("packet_samples_dropped")}'], - ['Samples drop events sent', f'{data.get("samples_drop_events_sent")}'], + ['Packet drops sent', f'{data.get("packet_drop_sent")}'], + ['Packet drops suppressed', f'{data.get("event_samples_suppressed")}'], ['Flow samples suppressed', f'{data.get("flow_samples_suppressed")}'], ['Counter samples suppressed', f'{data.get("counter_samples_suppressed")}'] ] -- cgit v1.2.3 From 16a1a69d6e74166001b296a8f66c26c8c00be1f1 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 3 Apr 2023 10:48:16 +0000 Subject: T5139: IPSec add IKE lifetime 0 for no rekeying IKE lifetime should starting from 0 for disabling rekeying --- interface-definitions/vpn-ipsec.xml.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in index 1b3a5532e..64cfbda08 100644 --- a/interface-definitions/vpn-ipsec.xml.in +++ b/interface-definitions/vpn-ipsec.xml.in @@ -357,11 +357,11 @@ IKE lifetime - u32:30-86400 + u32:0-86400 IKE lifetime in seconds - + 28800 -- cgit v1.2.3 From 1a1f425f869f94c7c7a9d57b71555e9e13796c9e Mon Sep 17 00:00:00 2001 
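Review bot: The `lifetime` validator's lower bound drops from 30 to 0, but the help text still reads only `IKE lifetime in seconds`, so the meaning of 0 that the commit message gives (no rekeying) is not discoverable from the CLI. Extend the help, e.g. `IKE lifetime in seconds (0 disables IKE SA rekeying)`, so an operator choosing 0 understands the IKE SA keeps its key material for the whole life of the tunnel; for long-lived tunnels that reduces how often keys are refreshed and deserves an explicit mention. Whether the backend template actually maps 0 to "no rekey" is not visible in this change and should be confirmed in the corresponding conf_mode code.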
From: Viacheslav Hletenko Date: Mon, 3 Apr 2023 11:41:47 +0000 Subject: T5141: Add numbers for dhclient-exit-hooks.d to enforce order Add numbers for all dhclient-exit-hooks.d to enforce script order execution Also, move '99-run-user-hooks' to '98-run-user-hooks' due to vyatta-dhclient-hook bug and exit with 'exit 1' it is described in the https://vyos.dev/T4856, so we should move this hook to the end. Rename 'vyatta-dhclient-hook' to '99-vyatta-dhclient-hook' --- .../dhclient-exit-hooks.d/03-vyatta-dhclient-hook | 44 +++++++++++ .../dhcp/dhclient-exit-hooks.d/98-run-user-hooks | 5 ++ .../dhclient-exit-hooks.d/99-ipsec-dhclient-hook | 86 ++++++++++++++++++++++ .../dhcp/dhclient-exit-hooks.d/99-run-user-hooks | 5 -- .../dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook | 86 ---------------------- .../dhclient-exit-hooks.d/vyatta-dhclient-hook | 44 ----------- 6 files changed, 135 insertions(+), 135 deletions(-) create mode 100644 src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook create mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks create mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook delete mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks delete mode 100755 src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook delete mode 100644 src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook new file mode 100644 index 000000000..49bb18372 --- /dev/null +++ b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook 
@@ -0,0 +1,44 @@ +#!/bin/sh + +# Author: Stig Thormodsrud +# Date: 2007 +# Description: dhcp client hook + +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2006, 2007, 2008 Vyatta, Inc. +# All Rights Reserved. +# **** End License **** + +# To enable this script set the following variable to "yes" +RUN="yes" + +proto="" +if [[ $reason =~ ^(REBOOT6|INIT6|EXPIRE6|RELEASE6|STOP6|INFORM6|BOUND6|REBIND6|DELEGATED6)$ ]]; then + proto="v6" +fi + +if [ "$RUN" = "yes" ]; then + LOG=/var/lib/dhcp/dhclient_"$interface"."$proto"lease + echo `date` > $LOG + + for i in reason interface new_expiry new_dhcp_lease_time medium \ + alias_ip_address new_ip_address new_broadcast_address \ + new_subnet_mask new_domain_name new_network_number \ + new_domain_name_servers new_routers new_static_routes \ + new_dhcp_server_identifier new_dhcp_message_type \ + old_ip_address old_subnet_mask old_domain_name \ + old_domain_name_servers old_routers \ + old_static_routes; do + echo $i=\'${!i}\' >> $LOG + done +fi diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks new file mode 100755 index 000000000..442419d79 --- /dev/null +++ b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks @@ -0,0 +1,5 @@ +#!/bin/bash +DHCP_POST_HOOKS="/config/scripts/dhcp-client/post-hooks.d/" +if [ -d "${DHCP_POST_HOOKS}" ] ; then + run-parts "${DHCP_POST_HOOKS}" +fi 
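Review bot: The file is created as `03-vyatta-dhclient-hook`, while the commit message says this is the hook that exits with `exit 1` (T4856) and should therefore be renamed to `99-vyatta-dhclient-hook` so it runs last; with the `03` prefix it is presumably sourced before `98-run-user-hooks` and `99-ipsec-dhclient-hook`, so an early `exit 1` would still skip the user hooks and the IPsec hook that the reordering is meant to protect. Either the filename or the commit message needs correcting, and a short comment at the top of the file stating the intended run order (`# must run last: exits non-zero on some leases, see T4856`) would keep the next renumbering honest.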
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook new file mode 100755 index 000000000..1f1926e17 --- /dev/null +++ b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook 
@@ -0,0 +1,86 @@ +#!/bin/bash +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then + exit 0 +fi + +DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting" + +if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then + if grep -qw $interface $DHCP_HOOK_IFLIST; then + sudo rm $DHCP_HOOK_IFLIST + sudo /usr/libexec/vyos/conf_mode/vpn_ipsec.py + exit 0 + fi +fi + +if [ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]; then + exit 0 +fi + +python3 - < 0: + regex_match = re.search(r'(peer_[^:\[]+)', line) + if regex_match: + connection_name = regex_match[1] + break + if connection_name: + call(f'sudo ipsec down {connection_name}') + +if __name__ == '__main__': + interface = os.getenv('interface') + new_ip = os.getenv('new_ip_address') + old_ip = os.getenv('old_ip_address') + + if os.path.exists(SWANCTL_CONF): + conf_lines = read_file(SWANCTL_CONF) + found = False + to_match = f'# dhcp:{interface}' + + for i, line in enumerate(conf_lines): + if line.find(to_match) > 0: + conf_lines[i] = line.replace(old_ip, new_ip) + found = True + + for i, line in enumerate(secrets_lines): + if line.find(to_match) > 0: + secrets_lines[i] = line.replace(old_ip, new_ip) + + if found: + write_file(SWANCTL_CONF, conf_lines) + ipsec_down(old_ip) + call('sudo ipsec rereadall') + call('sudo ipsec reload') + call('sudo swanctl -q') + + exit(0) +PYEND \ No newline 
at end of file diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks b/src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks deleted file mode 100755 index 442419d79..000000000 --- a/src/etc/dhcp/dhclient-exit-hooks.d/99-run-user-hooks +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -DHCP_POST_HOOKS="/config/scripts/dhcp-client/post-hooks.d/" -if [ -d "${DHCP_POST_HOOKS}" ] ; then - run-parts "${DHCP_POST_HOOKS}" -fi diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook deleted file mode 100755 index 1f1926e17..000000000 --- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook +++ /dev/null 
@@ -1,86 +0,0 @@ -#!/bin/bash -# -# Copyright (C) 2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then - exit 0 -fi - -DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting" - -if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then - if grep -qw $interface $DHCP_HOOK_IFLIST; then - sudo rm $DHCP_HOOK_IFLIST - sudo /usr/libexec/vyos/conf_mode/vpn_ipsec.py - exit 0 - fi -fi - -if [ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]; then - exit 0 -fi - -python3 - < 0: - regex_match = re.search(r'(peer_[^:\[]+)', line) - if regex_match: - connection_name = regex_match[1] - break - if connection_name: - call(f'sudo ipsec down {connection_name}') - -if __name__ == '__main__': - interface = os.getenv('interface') - new_ip = os.getenv('new_ip_address') - old_ip = os.getenv('old_ip_address') - - if os.path.exists(SWANCTL_CONF): - conf_lines = read_file(SWANCTL_CONF) - found = False - to_match = f'# dhcp:{interface}' - - for i, line in enumerate(conf_lines): - if line.find(to_match) > 0: - conf_lines[i] = line.replace(old_ip, new_ip) - found = True - - for i, line in enumerate(secrets_lines): - if line.find(to_match) > 0: - secrets_lines[i] = line.replace(old_ip, new_ip) - - if found: - write_file(SWANCTL_CONF, conf_lines) - ipsec_down(old_ip) - call('sudo ipsec rereadall') - call('sudo ipsec reload') - call('sudo swanctl -q') - - exit(0) -PYEND \ No newline 
at end of file diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook deleted file mode 100644 index 49bb18372..000000000 --- a/src/etc/dhcp/dhclient-exit-hooks.d/vyatta-dhclient-hook +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/sh - -# Author: Stig Thormodsrud -# Date: 2007 -# Description: dhcp client hook - -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2006, 2007, 2008 Vyatta, Inc. -# All Rights Reserved. -# **** End License **** - -# To enable this script set the following variable to "yes" -RUN="yes" - -proto="" -if [[ $reason =~ ^(REBOOT6|INIT6|EXPIRE6|RELEASE6|STOP6|INFORM6|BOUND6|REBIND6|DELEGATED6)$ ]]; then - proto="v6" -fi - -if [ "$RUN" = "yes" ]; then - LOG=/var/lib/dhcp/dhclient_"$interface"."$proto"lease - echo `date` > $LOG - - for i in reason interface new_expiry new_dhcp_lease_time medium \ - alias_ip_address new_ip_address new_broadcast_address \ - new_subnet_mask new_domain_name new_network_number \ - new_domain_name_servers new_routers new_static_routes \ - new_dhcp_server_identifier new_dhcp_message_type \ - old_ip_address old_subnet_mask old_domain_name \ - old_domain_name_servers old_routers \ - old_static_routes; do - echo $i=\'${!i}\' >> $LOG - done -fi -- cgit v1.2.3