From 4c61fa82f59e26023993be56be1ff9bf0cb5251e Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Wed, 19 Jul 2023 14:25:55 +0000
Subject: T4899: NAT Redirect: adddestination nat redirection (to local host)
 feature.

---
 interface-definitions/nat.xml.in | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'interface-definitions')

diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index 501ff05d3..a06ceefb6 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -44,6 +44,14 @@
                   </leafNode>
                   #include <include/nat-translation-port.xml.i>
                   #include <include/nat-translation-options.xml.i>
+                  <node name="redirect">
+                    <properties>
+                      <help>Redirect to local host</help>
+                    </properties>
+                    <children>
+                      #include <include/nat-translation-port.xml.i>
+                    </children>
+                  </node>
                 </children>
               </node>
             </children>
-- 
cgit v1.2.3


From 9cdfbd77f7414ea8a13ae66df41035d2f6edef32 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Thu, 20 Jul 2023 21:07:40 +0200
Subject: ospf: T5377: add graceful restart FRR feature (RFC 3623)

New CLI commands:

* set protocols ospf graceful-restart grace-period 300
* set protocols ospf graceful-restart helper planned-only
* set protocols ospf graceful-restart helper no-strict-lsa-checking
* set protocols ospf graceful-restart helper supported-grace-time 400
* set protocols ospf graceful-restart helper enable router-id 192.0.2.1
* set protocols ospf graceful-restart helper enable router-id 192.0.2.2

* set protocols ospfv3 graceful-restart grace-period 300
* set protocols ospfv3 graceful-restart helper planned-only
* set protocols ospfv3 graceful-restart helper lsa-check-disable
* set protocols ospfv3 graceful-restart helper supported-grace-time 400
* set protocols ospfv3 graceful-restart helper enable router-id 192.0.2.1
* set protocols ospfv3 graceful-restart helper enable router-id 192.0.2.2
---
 data/templates/frr/ospf6d.frr.j2                   | 21 +++++++
 data/templates/frr/ospfd.frr.j2                    | 21 +++++++
 .../include/ospf/graceful-restart.xml.i            | 67 ++++++++++++++++++++++
 .../include/ospf/protocol-common-config.xml.i      | 17 +++++-
 .../include/ospfv3/protocol-common-config.xml.i    | 15 +++++
 smoketest/scripts/cli/test_protocols_ospf.py       | 25 ++++++++
 smoketest/scripts/cli/test_protocols_ospfv3.py     | 26 +++++++++
 src/conf_mode/protocols_ospf.py                    |  2 +
 src/conf_mode/protocols_ospfv3.py                  |  2 +
 9 files changed, 195 insertions(+), 1 deletion(-)
 create mode 100644 interface-definitions/include/ospf/graceful-restart.xml.i

(limited to 'interface-definitions')

diff --git a/data/templates/frr/ospf6d.frr.j2 b/data/templates/frr/ospf6d.frr.j2
index 84394ed1a..b0b5663dd 100644
--- a/data/templates/frr/ospf6d.frr.j2
+++ b/data/templates/frr/ospf6d.frr.j2
@@ -80,6 +80,27 @@ router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {% if distance.ospfv3 is vyos_defined %}
  distance ospf6 {{ 'intra-area ' ~ distance.ospfv3.intra_area if distance.ospfv3.intra_area is vyos_defined }} {{ 'inter-area ' ~ distance.ospfv3.inter_area if distance.ospfv3.inter_area is vyos_defined }} {{ 'external ' ~ distance.ospfv3.external if distance.ospfv3.external is vyos_defined }}
 {% endif %}
+{% if graceful_restart is vyos_defined %}
+{%     if graceful_restart.grace_period is vyos_defined %}
+ graceful-restart grace-period {{ graceful_restart.grace_period }}
+{%     endif %}
+{%     if graceful_restart.helper.enable.router_id is vyos_defined %}
+{%         for router_id in graceful_restart.helper.enable.router_id %}
+ graceful-restart helper enable {{ router_id }}
+{%         endfor %}
+{%     elif graceful_restart.helper.enable is vyos_defined %}
+ graceful-restart helper enable
+{%     endif %}
+{%     if graceful_restart.helper.planned_only is vyos_defined %}
+ graceful-restart helper planned-only
+{%     endif %}
+{%     if graceful_restart.helper.lsa_check_disable is vyos_defined %}
+ graceful-restart helper lsa-check-disable
+{%     endif %}
+{%     if graceful_restart.helper.supported_grace_time is vyos_defined %}
+ graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }}
+{%     endif %}
+{% endif %}
 {% if log_adjacency_changes is vyos_defined %}
  log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }}
 {% endif %}
diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2
index 1ee8d8752..121ecf677 100644
--- a/data/templates/frr/ospfd.frr.j2
+++ b/data/templates/frr/ospfd.frr.j2
@@ -153,6 +153,27 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {% if distance.ospf is vyos_defined %}
  distance ospf {{ 'intra-area ' + distance.ospf.intra_area if distance.ospf.intra_area is vyos_defined }} {{ 'inter-area ' + distance.ospf.inter_area if distance.ospf.inter_area is vyos_defined }} {{ 'external ' + distance.ospf.external if distance.ospf.external is vyos_defined }}
 {% endif %}
+{% if graceful_restart is vyos_defined %}
+{%     if graceful_restart.grace_period is vyos_defined %}
+ graceful-restart grace-period {{ graceful_restart.grace_period }}
+{%     endif %}
+{%     if graceful_restart.helper.enable.router_id is vyos_defined %}
+{%         for router_id in graceful_restart.helper.enable.router_id %}
+ graceful-restart helper enable {{ router_id }}
+{%         endfor %}
+{%     elif graceful_restart.helper.enable is vyos_defined %}
+ graceful-restart helper enable
+{%     endif %}
+{%     if graceful_restart.helper.planned_only is vyos_defined %}
+ graceful-restart helper planned-only
+{%     endif %}
+{%     if graceful_restart.helper.no_strict_lsa_checking is vyos_defined %}
+ no graceful-restart helper strict-lsa-checking
+{%     endif %}
+{%     if graceful_restart.helper.supported_grace_time is vyos_defined %}
+ graceful-restart helper supported-grace-time {{ graceful_restart.helper.supported_grace_time }}
+{%     endif %}
+{% endif %}
 {% if log_adjacency_changes is vyos_defined %}
  log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }}
 {% endif %}
diff --git a/interface-definitions/include/ospf/graceful-restart.xml.i b/interface-definitions/include/ospf/graceful-restart.xml.i
new file mode 100644
index 000000000..37d9a7f13
--- /dev/null
+++ b/interface-definitions/include/ospf/graceful-restart.xml.i
@@ -0,0 +1,67 @@
+<!-- include start from ospf/graceful-restart.xml.i -->
+<node name="graceful-restart">
+  <properties>
+    <help>Graceful Restart</help>
+  </properties>
+  <children>
+    <leafNode name="grace-period">
+      <properties>
+        <help>Maximum length of the grace period</help>
+        <valueHelp>
+          <format>u32:1-1800</format>
+          <description>Maximum length of the grace period in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 5-1800"/>
+        </constraint>
+      </properties>
+      <defaultValue>120</defaultValue>
+    </leafNode>
+    <node name="helper">
+      <properties>
+        <help>OSPF graceful-restart helpers</help>
+      </properties>
+      <children>
+        <node name="enable">
+          <properties>
+            <help>Enable helper support</help>
+          </properties>
+          <children>
+            <leafNode name="router-id">
+              <properties>
+                <help>Advertising Router-ID</help>
+                <valueHelp>
+                  <format>ipv4</format>
+                  <description>Router-ID in IP address format</description>
+                </valueHelp>
+                <constraint>
+                  <validator name="ipv4-address"/>
+                </constraint>
+                <multi/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+        <leafNode name="planned-only">
+          <properties>
+            <help>Supported only planned restart</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="supported-grace-time">
+          <properties>
+            <help>Supported grace timer</help>
+            <valueHelp>
+              <format>u32:10-1800</format>
+              <description>Grace interval in seconds</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 10-1800"/>
+            </constraint>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i
index 3492b873f..438093222 100644
--- a/interface-definitions/include/ospf/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospf/protocol-common-config.xml.i
@@ -339,6 +339,21 @@
     </constraint>
   </properties>
 </leafNode>
+#include <include/ospf/graceful-restart.xml.i>
+<node name="graceful-restart">
+  <children>
+    <node name="helper">
+      <children>
+        <leafNode name="no-strict-lsa-checking">
+          <properties>
+            <help>Disable strict LSA check</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
 <leafNode name="maximum-paths">
   <properties>
     <help>Maximum multiple paths (ECMP)</help>
@@ -928,4 +943,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i
index a7de50638..4c3ca68e1 100644
--- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i
@@ -107,6 +107,21 @@
     </node>
   </children>
 </node>
+#include <include/ospf/graceful-restart.xml.i>
+<node name="graceful-restart">
+  <children>
+    <node name="helper">
+      <children>
+        <leafNode name="lsa-check-disable">
+          <properties>
+            <help>Disable strict LSA check</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
 <tagNode name="interface">
   <properties>
     <help>Enable routing on an IPv6 interface</help>
diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py
index 977376bdd..f4b540694 100755
--- a/smoketest/scripts/cli/test_protocols_ospf.py
+++ b/smoketest/scripts/cli/test_protocols_ospf.py
@@ -479,5 +479,30 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f' ip ospf dead-interval 40', config)
             self.assertIn(f' no ip ospf mpls ldp-sync', config)
 
+    def test_ospf_16_graceful_restart(self):
+        period = '300'
+        supported_grace_time = '400'
+        router_ids = ['192.0.2.1', '192.0.2.2']
+
+        self.cli_set(base_path + ['graceful-restart', 'grace-period', period])
+        self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only'])
+        self.cli_set(base_path + ['graceful-restart', 'helper', 'no-strict-lsa-checking'])
+        self.cli_set(base_path + ['graceful-restart', 'helper', 'supported-grace-time', supported_grace_time])
+        for router_id in router_ids:
+            self.cli_set(base_path + ['graceful-restart', 'helper', 'enable', 'router-id', router_id])
+
+        # commit changes
+        self.cli_commit()
+
+        # Verify FRR ospfd configuration
+        frrconfig = self.getFRRconfig('router ospf')
+        self.assertIn(f'router ospf', frrconfig)
+        self.assertIn(f' graceful-restart grace-period {period}', frrconfig)
+        self.assertIn(f' graceful-restart helper planned-only', frrconfig)
+        self.assertIn(f' no graceful-restart helper strict-lsa-checking', frrconfig)
+        self.assertIn(f' graceful-restart helper supported-grace-time {supported_grace_time}', frrconfig)
+        for router_id in router_ids:
+            self.assertIn(f' graceful-restart helper enable {router_id}', frrconfig)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py
index b67bfaac7..64dfa18db 100755
--- a/smoketest/scripts/cli/test_protocols_ospfv3.py
+++ b/smoketest/scripts/cli/test_protocols_ospfv3.py
@@ -281,5 +281,31 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
         self.cli_delete(['vrf', 'name', vrf])
         self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf'])
 
+
+    def test_ospfv3_09_graceful_restart(self):
+        period = '300'
+        supported_grace_time = '400'
+        router_ids = ['192.0.2.1', '192.0.2.2']
+
+        self.cli_set(base_path + ['graceful-restart', 'grace-period', period])
+        self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only'])
+        self.cli_set(base_path + ['graceful-restart', 'helper', 'lsa-check-disable'])
+        self.cli_set(base_path + ['graceful-restart', 'helper', 'supported-grace-time', supported_grace_time])
+        for router_id in router_ids:
+            self.cli_set(base_path + ['graceful-restart', 'helper', 'enable', 'router-id', router_id])
+
+        # commit changes
+        self.cli_commit()
+
+        # Verify FRR ospfd configuration
+        frrconfig = self.getFRRconfig('router ospf6')
+        self.assertIn(f'router ospf6', frrconfig)
+        self.assertIn(f' graceful-restart grace-period {period}', frrconfig)
+        self.assertIn(f' graceful-restart helper planned-only', frrconfig)
+        self.assertIn(f' graceful-restart helper lsa-check-disable', frrconfig)
+        self.assertIn(f' graceful-restart helper supported-grace-time {supported_grace_time}', frrconfig)
+        for router_id in router_ids:
+            self.assertIn(f' graceful-restart helper enable {router_id}', frrconfig)
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py
index 509d4f501..f2075d25b 100755
--- a/src/conf_mode/protocols_ospf.py
+++ b/src/conf_mode/protocols_ospf.py
@@ -88,6 +88,8 @@ def get_config(config=None):
         del default_values['area']['area_type']['nssa']
     if 'mpls_te' not in ospf:
         del default_values['mpls_te']
+    if 'graceful_restart' not in ospf:
+        del default_values['graceful_restart']
 
     for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']:
         # table is a tagNode thus we need to clean out all occurances for the
diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py
index 7f50d8624..fbea51f56 100755
--- a/src/conf_mode/protocols_ospfv3.py
+++ b/src/conf_mode/protocols_ospfv3.py
@@ -83,6 +83,8 @@ def get_config(config=None):
     # need to check this first and probably drop that key.
     if dict_search('default_information.originate', ospfv3) is None:
         del default_values['default_information']
+    if 'graceful_restart' not in ospfv3:
+        del default_values['graceful_restart']
 
     # XXX: T2665: we currently have no nice way for defaults under tag nodes,
     # clean them out and add them manually :(
-- 
cgit v1.2.3


From bd4bb4f869d6df02bfda1ce5668b8cf15a95b4af Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Fri, 21 Jul 2023 10:35:34 +0000
Subject: T5368: service ids ddos-protection add support sflow mode

sFlow mode requires fewer resources then mode "mirror"
Integrate it into configuration mode

set service ids ddos-protection mode 'sflow'
set service ids ddos-protection sflow listen-address '127.0.0.1'
set service ids ddos-protection sflow port '6343'
---
 data/templates/ids/fastnetmon.j2                   | 11 +++++++-
 data/templates/ids/fastnetmon_networks_list.j2     |  2 +-
 .../service-ids-ddos-protection.xml.in             | 33 ++++++++++++++++------
 src/conf_mode/service_ids_fastnetmon.py            | 14 +++++++--
 4 files changed, 47 insertions(+), 13 deletions(-)

(limited to 'interface-definitions')

diff --git a/data/templates/ids/fastnetmon.j2 b/data/templates/ids/fastnetmon.j2
index 0340d3c92..f6f03d0db 100644
--- a/data/templates/ids/fastnetmon.j2
+++ b/data/templates/ids/fastnetmon.j2
@@ -29,10 +29,19 @@ unban_only_if_attack_finished = on
 # For each subnet, list track speed in bps and pps for both directions
 enable_subnet_counters = off
 
-{% if mode.mirror is vyos_defined %}
+{% if mode is vyos_defined('mirror') %}
 mirror_afpacket = on
+{% elif mode is vyos_defined('sflow') %}
+sflow = on
+{%     if sflow.port is vyos_defined %}
+sflow_port = {{ sflow.port }}
+{%     endif %}
+{%     if sflow.listen_address is vyos_defined %}
+sflow_host = {{ sflow.listen_address }}
+{%     endif %}
 {% endif %}
 
+
 process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in direction else 'off' }}
 process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }}
 
diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2
index 5f1b3ba4d..0a0576d2a 100644
--- a/data/templates/ids/fastnetmon_networks_list.j2
+++ b/data/templates/ids/fastnetmon_networks_list.j2
@@ -1,4 +1,4 @@
-{% if network is vyos_defined() %}
+{% if network is vyos_defined %}
 {%     for net in network %}
 {{ net }}
 {%     endfor %}
diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in
index bb06189bc..78463136b 100644
--- a/interface-definitions/service-ids-ddos-protection.xml.in
+++ b/interface-definitions/service-ids-ddos-protection.xml.in
@@ -70,17 +70,34 @@
                   <multi/>
                 </properties>
               </leafNode>
-              <node name="mode">
+              <leafNode name="mode">
                 <properties>
-                  <help>Traffic capture modes</help>
+                  <help>Traffic capture mode</help>
+                  <completionHelp>
+                    <list>mirror sflow</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>mirror</format>
+                    <description>Listen to mirrored traffic</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>sflow</format>
+                    <description>Capture sFlow flows</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(mirror|sflow)</regex>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <node name="sflow">
+                <properties>
+                  <help>Sflow settings</help>
                 </properties>
                 <children>
-                  <!-- Future modes "mirror" "netflow" "combine (both)" -->
-                  <leafNode name="mirror">
-                    <properties>
-                      <help>Listen mirrored traffic mode</help>
-                      <valueless/>
-                    </properties>
+                  #include <include/listen-address-ipv4-single.xml.i>
+                  #include <include/port-number.xml.i>
+                  <leafNode name="port">
+                    <defaultValue>6343</defaultValue>
                   </leafNode>
                 </children>
               </node>
diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py
index 2e678cf0b..f6b80552b 100755
--- a/src/conf_mode/service_ids_fastnetmon.py
+++ b/src/conf_mode/service_ids_fastnetmon.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -30,6 +30,7 @@ airbag.enable()
 config_file = r'/run/fastnetmon/fastnetmon.conf'
 networks_list = r'/run/fastnetmon/networks_list'
 excluded_networks_list = r'/run/fastnetmon/excluded_networks_list'
+attack_dir = '/var/log/fastnetmon_attacks'
 
 def get_config(config=None):
     if config:
@@ -55,8 +56,11 @@ def verify(fastnetmon):
     if 'mode' not in fastnetmon:
         raise ConfigError('Specify operating mode!')
 
-    if 'listen_interface' not in fastnetmon:
-        raise ConfigError('Specify interface(s) for traffic capture')
+    if fastnetmon.get('mode') == 'mirror' and 'listen_interface' not in fastnetmon:
+        raise ConfigError("Incorrect settings for 'mode mirror': must specify interface(s) for traffic mirroring")
+
+    if fastnetmon.get('mode') == 'sflow' and 'listen_address' not in fastnetmon.get('sflow', {}):
+        raise ConfigError("Incorrect settings for 'mode sflow': must specify sFlow 'listen-address'")
 
     if 'alert_script' in fastnetmon:
         if os.path.isfile(fastnetmon['alert_script']):
@@ -74,6 +78,10 @@ def generate(fastnetmon):
 
         return None
 
+    # Create dir for log attack details
+    if not os.path.exists(attack_dir):
+        os.mkdir(attack_dir)
+
     render(config_file, 'ids/fastnetmon.j2', fastnetmon)
     render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon)
     render(excluded_networks_list, 'ids/fastnetmon_excluded_networks_list.j2', fastnetmon)
-- 
cgit v1.2.3


From 9e5d0384a0b25949edfd0dfc065b6fe572f943e7 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 21 Jul 2023 21:23:49 +0200
Subject: ospf: T5377: add "capability opaque" support

---
 data/templates/frr/ospfd.frr.j2                             |  3 +++
 .../include/ospf/protocol-common-config.xml.i               | 13 +++++++++++++
 smoketest/scripts/cli/test_protocols_ospf.py                |  2 ++
 3 files changed, 18 insertions(+)

(limited to 'interface-definitions')

diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2
index 121ecf677..040628e82 100644
--- a/data/templates/frr/ospfd.frr.j2
+++ b/data/templates/frr/ospfd.frr.j2
@@ -133,6 +133,9 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {% if auto_cost.reference_bandwidth is vyos_defined %}
  auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }}
 {% endif %}
+{% if capability.opaque is vyos_defined %}
+ capability opaque
+{% endif %}
 {% if default_information.originate is vyos_defined %}
  default-information originate {{ 'always' if default_information.originate.always is vyos_defined }} {{ 'metric ' + default_information.originate.metric if default_information.originate.metric is vyos_defined }} {{ 'metric-type ' + default_information.originate.metric_type if default_information.originate.metric_type is vyos_defined }} {{ 'route-map ' + default_information.originate.route_map if default_information.originate.route_map is vyos_defined }}
 {% endif %}
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i
index 438093222..c4778e126 100644
--- a/interface-definitions/include/ospf/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospf/protocol-common-config.xml.i
@@ -326,6 +326,19 @@
   </children>
 </tagNode>
 #include <include/ospf/auto-cost.xml.i>
+<node name="capability">
+  <properties>
+    <help>Enable specific OSPF features</help>
+  </properties>
+  <children>
+    <leafNode name="opaque">
+      <properties>
+        <help>Opaque LSA</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
 #include <include/ospf/default-information.xml.i>
 <leafNode name="default-metric">
   <properties>
diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py
index f4b540694..80befbfd6 100755
--- a/smoketest/scripts/cli/test_protocols_ospf.py
+++ b/smoketest/scripts/cli/test_protocols_ospf.py
@@ -484,6 +484,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
         supported_grace_time = '400'
         router_ids = ['192.0.2.1', '192.0.2.2']
 
+        self.cli_set(base_path + ['capability', 'opaque'])
         self.cli_set(base_path + ['graceful-restart', 'grace-period', period])
         self.cli_set(base_path + ['graceful-restart', 'helper', 'planned-only'])
         self.cli_set(base_path + ['graceful-restart', 'helper', 'no-strict-lsa-checking'])
@@ -497,6 +498,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
         # Verify FRR ospfd configuration
         frrconfig = self.getFRRconfig('router ospf')
         self.assertIn(f'router ospf', frrconfig)
+        self.assertIn(f' capability opaque', frrconfig)
         self.assertIn(f' graceful-restart grace-period {period}', frrconfig)
         self.assertIn(f' graceful-restart helper planned-only', frrconfig)
         self.assertIn(f' no graceful-restart helper strict-lsa-checking', frrconfig)
-- 
cgit v1.2.3


From b805b9950b63a43591799804cc2cacb0fbfb568a Mon Sep 17 00:00:00 2001
From: fett0 <fernando.gmaidana@gmail.com>
Date: Fri, 21 Jul 2023 21:23:25 +0000
Subject:  T4974:add/fixed enable ovpn-dco by default

---
 data/templates/openvpn/server.conf.j2           | 4 ++++
 interface-definitions/interfaces-openvpn.xml.in | 6 ++++++
 2 files changed, 10 insertions(+)

(limited to 'interface-definitions')

diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index 6332ed9c2..525605240 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -48,6 +48,10 @@ push "redirect-gateway def1"
 {% if use_lzo_compression is vyos_defined %}
 compress lzo
 {% endif %}
+{% if enable_dco is not vyos_defined %}
+disable-dco
+{% endif %}
+
 
 {% if mode is vyos_defined('client') %}
 #
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 4e061c3e6..ca6d80f8b 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -793,6 +793,12 @@
               <valueless/>
             </properties>
           </leafNode>
+          <leafNode name="enable-dco">
+            <properties>
+              <help>Use to enable OpenVPN data channel offload on this TUN interface</help>
+              <valueless/>
+            </properties>
+          </leafNode>
           #include <include/interface/redirect.xml.i>
           #include <include/interface/vrf.xml.i>
         </children>
-- 
cgit v1.2.3


From 5f2e9cb81d89a5cfecbac01bec054b3ba4e8dff5 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Thu, 6 Jul 2023 17:40:37 +0000
Subject: T5154: NTP: allow maximum of one ipv4 and one ipv6 address on
 parameter <listen-address>. Also allow only one single value <interface>.

---
 data/templates/chrony/chrony.conf.j2               |  4 +-
 .../include/version/ntp-version.xml.i              |  2 +-
 interface-definitions/ntp.xml.in                   |  2 +-
 smoketest/scripts/cli/test_service_ntp.py          |  2 +-
 src/conf_mode/ntp.py                               | 34 ++++++++----
 src/migration-scripts/ntp/2-to-3                   | 62 ++++++++++++++++++++++
 6 files changed, 90 insertions(+), 16 deletions(-)
 create mode 100755 src/migration-scripts/ntp/2-to-3

(limited to 'interface-definitions')

diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
index 7a36fe69d..0daec8fb8 100644
--- a/data/templates/chrony/chrony.conf.j2
+++ b/data/templates/chrony/chrony.conf.j2
@@ -53,8 +53,6 @@ bindaddress {{ address }}
 {%         endfor %}
 {%     endif %}
 {%     if interface is vyos_defined %}
-{%         for ifname in interface %}
-binddevice {{ ifname }}
-{%         endfor %}
+binddevice {{ interface }}
 {%     endif %}
 {% endif %}
diff --git a/interface-definitions/include/version/ntp-version.xml.i b/interface-definitions/include/version/ntp-version.xml.i
index 9eafbf7f0..155c824dc 100644
--- a/interface-definitions/include/version/ntp-version.xml.i
+++ b/interface-definitions/include/version/ntp-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/ntp-version.xml.i -->
-<syntaxVersion component='ntp' version='2'></syntaxVersion>
+<syntaxVersion component='ntp' version='3'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/ntp.xml.in
index 2275dd61c..4e874434b 100644
--- a/interface-definitions/ntp.xml.in
+++ b/interface-definitions/ntp.xml.in
@@ -57,7 +57,7 @@
             </children>
           </tagNode>
           #include <include/allow-client.xml.i>
-          #include <include/generic-interface-multi.xml.i>
+          #include <include/generic-interface.xml.i>
           #include <include/listen-address.xml.i>
           #include <include/interface/vrf.xml.i>
         </children>
diff --git a/smoketest/scripts/cli/test_service_ntp.py b/smoketest/scripts/cli/test_service_ntp.py
index 046e5eea6..47e012913 100755
--- a/smoketest/scripts/cli/test_service_ntp.py
+++ b/smoketest/scripts/cli/test_service_ntp.py
@@ -108,7 +108,7 @@ class TestSystemNTP(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f'bindaddress {listen}', config)
 
     def test_03_ntp_interface(self):
-        interfaces = ['eth0', 'eth1']
+        interfaces = ['eth0']
         for interface in interfaces:
             self.cli_set(base_path + ['interface', interface])
 
diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py
index 92cb73aab..95766c44c 100755
--- a/src/conf_mode/ntp.py
+++ b/src/conf_mode/ntp.py
@@ -24,6 +24,7 @@ from vyos.util import call
 from vyos.util import chmod_750
 from vyos.util import get_interface_config
 from vyos.template import render
+from vyos.template import is_ipv4
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -62,16 +63,29 @@ def verify(ntp):
 
     if 'interface' in ntp:
         # If ntpd should listen on a given interface, ensure it exists
-        for interface in ntp['interface']:
-            verify_interface_exists(interface)
-
-            # If we run in a VRF, our interface must belong to this VRF, too
-            if 'vrf' in ntp:
-                tmp = get_interface_config(interface)
-                vrf_name = ntp['vrf']
-                if 'master' not in tmp or tmp['master'] != vrf_name:
-                    raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\
-                                      f'does not belong to this VRF!')
+        interface = ntp['interface']
+        verify_interface_exists(interface)
+
+        # If we run in a VRF, our interface must belong to this VRF, too
+        if 'vrf' in ntp:
+            tmp = get_interface_config(interface)
+            vrf_name = ntp['vrf']
+            if 'master' not in tmp or tmp['master'] != vrf_name:
+                raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\
+                                  f'does not belong to this VRF!')
+
+    if 'listen_address' in ntp:
+        ipv4_addresses = 0
+        ipv6_addresses = 0
+        for address in ntp['listen_address']:
+            if is_ipv4(address):
+                ipv4_addresses += 1
+            else:
+                ipv6_addresses += 1
+        if ipv4_addresses > 1:
+            raise ConfigError(f'NTP Only admits one ipv4 value for listen-address parameter ')
+        if ipv6_addresses > 1:
+            raise ConfigError(f'NTP Only admits one ipv6 value for listen-address parameter ')
 
     return None
 
diff --git a/src/migration-scripts/ntp/2-to-3 b/src/migration-scripts/ntp/2-to-3
new file mode 100755
index 000000000..7d4e0bd83
--- /dev/null
+++ b/src/migration-scripts/ntp/2-to-3
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5154: allow only one ip address per family for parameter 'listen-address'
+# Allow only one interface for parameter 'interface'
+# If more than one are specified, remove such entries
+
+import sys
+
+from vyos.configtree import ConfigTree
+from vyos.template import is_ipv4
+from vyos.template import is_ipv6
+
+if (len(sys.argv) < 1):
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+base_path = ['service', 'ntp']
+if not config.exists(base_path):
+    # Nothing to do
+    sys.exit(0)
+
+if config.exists(base_path + ['listen-address']) and (len([addr for addr in config.return_values(base_path + ['listen-address']) if is_ipv4(addr)]) > 1):
+    for addr in config.return_values(base_path + ['listen-address']):
+        if is_ipv4(addr):
+            config.delete_value(base_path + ['listen-address'], addr)
+
+if config.exists(base_path + ['listen-address']) and (len([addr for addr in config.return_values(base_path + ['listen-address']) if is_ipv6(addr)]) > 1):
+    for addr in config.return_values(base_path + ['listen-address']):
+        if is_ipv6(addr):
+            config.delete_value(base_path + ['listen-address'], addr)
+
+if config.exists(base_path + ['interface']):
+    if len(config.return_values(base_path + ['interface'])) > 1:
+        config.delete(base_path + ['interface'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    sys.exit(1)
-- 
cgit v1.2.3


From 32b9ac3653fa27e90c0a6b16c3ab141fd4237cb7 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Thu, 27 Jul 2023 11:16:40 +0200
Subject: openvpn: T4974: move CLI node "enable-dco" -> "offload dco" to match
 other inetfaces

Keep a common CLI structure by re-using the already established offload
node from ethernet.
---
 data/templates/openvpn/server.conf.j2           |  3 +--
 interface-definitions/interfaces-openvpn.xml.in | 19 +++++++++++------
 src/conf_mode/interfaces-openvpn.py             | 28 ++++++++++++++++++-------
 3 files changed, 35 insertions(+), 15 deletions(-)

(limited to 'interface-definitions')

diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index 525605240..d144529f3 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -48,11 +48,10 @@ push "redirect-gateway def1"
 {% if use_lzo_compression is vyos_defined %}
 compress lzo
 {% endif %}
-{% if enable_dco is not vyos_defined %}
+{% if offload.dco is not vyos_defined %}
 disable-dco
 {% endif %}
 
-
 {% if mode is vyos_defined('client') %}
 #
 # OpenVPN Client mode
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index ca6d80f8b..127a8179b 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -285,6 +285,19 @@
               </constraint>
             </properties>
           </leafNode>
+          <node name="offload">
+            <properties>
+              <help>Configurable offload options</help>
+            </properties>
+            <children>
+              <leafNode name="dco">
+                <properties>
+                  <help>Enable data channel offload on this interface</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
           <leafNode name="openvpn-option">
             <properties>
               <help>Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check system log to look for errors.</help>
@@ -793,12 +806,6 @@
               <valueless/>
             </properties>
           </leafNode>
-          <leafNode name="enable-dco">
-            <properties>
-              <help>Use to enable OpenVPN data channel offload on this TUN interface</help>
-              <valueless/>
-            </properties>
-          </leafNode>
           #include <include/interface/redirect.xml.i>
           #include <include/interface/vrf.xml.i>
         </children>
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 653474ed0..3bef9b8f6 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -115,6 +115,18 @@ def get_config(config=None):
     if dict_search('server.mfa.totp', tmp) == None:
         del openvpn['server']['mfa']
 
+    # OpenVPN Data-Channel-Offload (DCO) is a Kernel module. If loaded it applies to all
+    # OpenVPN interfaces. Check if DCO is used by any other interface instance.
+    tmp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+    for interface, interface_config in tmp.items():
+        # If one interface has DCO configured, enable it. No need to further check
+        # all other OpenVPN interfaces. We must use a dedicated key to indicate
+        # the Kernel module must be loaded or not. The per interface "offload.dco"
+        # key is required per OpenVPN interface instance.
+        if dict_search('offload.dco', interface_config) != None:
+            openvpn['module_load_dco'] = {}
+            break
+
     return openvpn
 
 def is_ec_private_key(pki, cert_name):
@@ -675,6 +687,15 @@ def apply(openvpn):
         if interface in interfaces():
             VTunIf(interface).remove()
 
+    # dynamically load/unload DCO Kernel extension if requested
+    dco_module = 'ovpn_dco_v2'
+    if 'module_load_dco' in openvpn:
+        check_kmod(dco_module)
+    else:
+        unload_kmod(dco_module)
+
+    # Now bail out early if interface is disabled or got deleted
+    if 'deleted' in openvpn or 'disable' in openvpn:
         return None
 
     # verify specified IP address is present on any interface on this system
@@ -684,13 +705,6 @@ def apply(openvpn):
         if not is_addr_assigned(openvpn['local_host']):
             cmd('sysctl -w net.ipv4.ip_nonlocal_bind=1')
 
-    # dynamically load/unload DCO Kernel extension if requested
-    dco_module = 'ovpn_dco_v2'
-    if 'enable_dco' in openvpn:
-        check_kmod(dco_module)
-    else:
-        unload_kmod(dco_module)
-
     # No matching OpenVPN process running - maybe it got killed or none
     # existed - nevertheless, spawn new OpenVPN process
     action = 'reload-or-restart'
-- 
cgit v1.2.3


From 1d86092328ef43368fcb0bf348c14a01466e5892 Mon Sep 17 00:00:00 2001
From: 1vivy <1vivy@tutanota.com>
Date: Sun, 23 Jul 2023 13:31:00 -0400
Subject: dhcpv6-pd: T5387: add support for no-release flag

When no-release is specified, dhcp6c client will not release allocated address or prefix on client exit.

vyos.ifconfig: dhcpv6: T5387: re-use options_file for no release flag [WIP]
* Todo: render Jinja2 template and fill it

vyos.ifconfig: dhcpv6: T5387: finish options_file and no release flag in cli

vyos.ifconfig: dhcpv6: T5387: fix missing/wrong end tag

vyos.ifconfig: dhcpv6: T5387: fix options, no var for -n

dhcpv6-client: T5387: fix missing / from filepaths
---
 data/templates/dhcp-client/dhcp6c_daemon-options.j2          | 2 ++
 interface-definitions/include/interface/dhcpv6-options.xml.i | 6 ++++++
 python/vyos/ifconfig/interface.py                            | 2 ++
 src/systemd/dhcp6c@.service                                  | 4 +++-
 4 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 data/templates/dhcp-client/dhcp6c_daemon-options.j2

(limited to 'interface-definitions')

diff --git a/data/templates/dhcp-client/dhcp6c_daemon-options.j2 b/data/templates/dhcp-client/dhcp6c_daemon-options.j2
new file mode 100644
index 000000000..d33d418fc
--- /dev/null
+++ b/data/templates/dhcp-client/dhcp6c_daemon-options.j2
@@ -0,0 +1,2 @@
+{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %}
+DHCP6C_OPTS="-D -k /run/dhcp6c/dhcp6c.{{ ifname }}.sock -c /run/dhcp6c/dhcp6c.{{ ifname }}.conf -p /run/dhcp6c/dhcp6c.{{ ifname }}.pid {{ no_release }} {{ ifname }}"
diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i
index 609af1a2b..5ca1d525f 100644
--- a/interface-definitions/include/interface/dhcpv6-options.xml.i
+++ b/interface-definitions/include/interface/dhcpv6-options.xml.i
@@ -95,6 +95,12 @@
         <valueless/>
       </properties>
     </leafNode>
+    <leafNode name="no-release">
+      <properties>
+        <help>Do not send a release message on client exit</help>
+        <valueless/>
+      </properties>
+    </leafNode>
   </children>
 </node>
 <!-- include end -->
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 120f2131b..99ddb2021 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -1288,9 +1288,11 @@ class Interface(Control):
 
         ifname = self.ifname
         config_file = f'/run/dhcp6c/dhcp6c.{ifname}.conf'
+        options_file = f'/run/dhcp6c/dhcp6c.{ifname}.options'
         systemd_service = f'dhcp6c@{ifname}.service'
 
         if enable and 'disable' not in self._config:
+            render(options_file, 'dhcp-client/dhcp6c_daemon-options.j2', self._config)
             render(config_file, 'dhcp-client/ipv6.j2', self._config)
 
             # We must ignore any return codes. This is required to enable
diff --git a/src/systemd/dhcp6c@.service b/src/systemd/dhcp6c@.service
index 9a97ee261..495cb7e26 100644
--- a/src/systemd/dhcp6c@.service
+++ b/src/systemd/dhcp6c@.service
@@ -2,14 +2,16 @@
 Description=WIDE DHCPv6 client on %i
 Documentation=man:dhcp6c(8) man:dhcp6c.conf(5)
 ConditionPathExists=/run/dhcp6c/dhcp6c.%i.conf
+ConditionPathExists=/run/dhcp6c/dhcp6c.%i.options
 After=vyos-router.service
 StartLimitIntervalSec=0
 
 [Service]
 WorkingDirectory=/run/dhcp6c
+EnvironmentFile=-/run/dhcp6c/dhcp6c.%i.options
 Type=forking
 PIDFile=/run/dhcp6c/dhcp6c.%i.pid
-ExecStart=/usr/sbin/dhcp6c -D -k /run/dhcp6c/dhcp6c.%i.sock -c /run/dhcp6c/dhcp6c.%i.conf -p /run/dhcp6c/dhcp6c.%i.pid %i
+ExecStart=/usr/sbin/dhcp6c $DHCP6C_OPTS
 Restart=on-failure
 RestartSec=20
 
-- 
cgit v1.2.3