From 1bde9ebee6812a1497f8b6d36e684235e41631f2 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 3 Nov 2022 17:58:54 +0200 Subject: T4790: Added check of the sum of radius timeouts Added check of the sum of radius timeouts. It has to be less or eq 50 sec. Default LOGIN_TIMEOUT from /etc/login.defs minus 10 sec Added check of number of radius servers. It has to be less or eq 25. 50 sec divided by 2sec (minimum recomended login timeout) Otherwise, log in to the device can be descarded. --- src/conf_mode/system-login.py | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index e26b81e3d..da6c3f775 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -43,6 +43,11 @@ airbag.enable() autologout_file = "/etc/profile.d/autologout.sh" radius_config_file = "/etc/pam_radius_auth.conf" +# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec +MAX_RADIUS_TIMEOUT: int = 50 +# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) +MAX_RADIUS_COUNT: int = 25 + def get_local_users(): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] @@ -118,18 +123,27 @@ def verify(login): if 'radius' in login: if 'server' not in login['radius']: raise ConfigError('No RADIUS server defined!') - + sum_timeout: int = 0 + radius_servers_count: int = 0 fail = True for server, server_config in dict_search('radius.server', login).items(): if 'key' not in server_config: raise ConfigError(f'RADIUS server "{server}" requires key!') - - if 'disabled' not in server_config: + if 'disable' not in server_config: + sum_timeout += int(server_config['timeout']) + radius_servers_count += 1 fail = False - continue + if fail: raise ConfigError('All RADIUS servers are disabled') + if radius_servers_count > MAX_RADIUS_COUNT: + raise ConfigError('Number of RADIUS servers more than 25 ') + + if sum_timeout > MAX_RADIUS_TIMEOUT: + raise ConfigError('Sum of RADIUS servers timeouts ' + 'has to be less or eq 50 sec') + verify_vrf(login['radius']) if 'source_address' in login['radius']: -- cgit v1.2.3 From 53aebddb4ca54b0cc4a296d6cc4c4d960c5f1d73 Mon Sep 17 00:00:00 2001 From: Zen3515 <7106408+Zen3515@users.noreply.github.com> Date: Tue, 31 Jan 2023 14:23:06 +0700 Subject: container: T4014: Add `command`, `arg` and `entrypoint` configuration options for containers --- interface-definitions/container.xml.in | 27 +++++++++++++++++++++++++++ src/conf_mode/container.py | 21 ++++++++++++++++++--- 2 files changed, 45 insertions(+), 3 deletions(-) (limited to 'src/conf_mode') diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index b61664125..2ea1e6ab2 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -104,11 +104,38 @@ + + + Override the default ENTRYPOINT from the image + + [ !#-%&(-~]+ + + Entrypoint must be ascii characters, use &quot; and &apos for double and single quotes respectively + + Image name in the hub-registry + + + Override the default CMD from the image + + [ !#-%&(-~]+ + + Command must be ascii characters, use &quot; and &apos for double and single quotes respectively + + + + + The command's arguments for this container + + [ !#-%&(-~]+ + + The command's arguments must be ascii characters, use &quot; and &apos for double and single quotes respectively + + Memory (RAM) available to this container diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 08861053d..30016b865 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -279,8 +279,22 @@ def generate_run_arguments(name, container_config): f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \ f'--name {name} {device} {port} {volume} {env_opt}' + entrypoint = '' + if 'entrypoint' in container_config: + # it needs to be json-formatted with single quote on the outside + entrypoint = json_write(container_config['entrypoint'].split()).replace('"', """) + entrypoint = f'--entrypoint '{entrypoint}'' + + command = '' + if 'command' in container_config: + command = container_config['command'].strip() + + command_arguments = '' + if 'arguments' in container_config: + command_arguments = container_config['arguments'].strip() + if 'allow_host_networks' in container_config: - return f'{container_base_cmd} --net host {image}' + return f'{container_base_cmd} --net host {entrypoint} {image} {command} {command_arguments}'.strip() ip_param = '' networks = ",".join(container_config['network']) @@ -289,7 +303,7 @@ def generate_run_arguments(name, container_config): address = container_config['network'][network]['address'] ip_param = f'--ip {address}' - return f'{container_base_cmd} --net {networks} {ip_param} {image}' + return f'{container_base_cmd} --net {networks} {ip_param} {entrypoint} {image} {command} {command_arguments}'.strip() def generate(container): # bail out early - looks like removal from running config @@ -341,7 +355,8 @@ def generate(container): file_path = os.path.join(systemd_unit_path, f'vyos-container-{name}.service') run_args = generate_run_arguments(name, container_config) - render(file_path, 'container/systemd-unit.j2', {'name': name, 'run_args': run_args}) + render(file_path, 'container/systemd-unit.j2', {'name': name, 'run_args': run_args,}, + formater=lambda _: _.replace(""", '"').replace("'", "'")) return None -- cgit v1.2.3 From 4bfe801e7e6c59bdb70500b629fd31bb03598d4b Mon Sep 17 00:00:00 2001 From: Yuxiang Zhu Date: Mon, 9 Jan 2023 05:48:50 +0000 Subject: T4977: Add Babel routing protocol support This PR adds basic Babel routing protocol support using the implementation in FRR. Signed-off-by: Yuxiang Zhu --- data/templates/frr/babeld.frr.j2 | 85 +++++++ data/templates/frr/daemons.frr.tmpl | 3 +- data/templates/frr/distribute_list_macro.j2 | 30 +++ data/templates/frr/ipv6_distribute_list_macro.j2 | 30 +++ data/templates/frr/ripd.frr.j2 | 30 +-- data/templates/frr/ripngd.frr.j2 | 30 +-- .../include/babel/interface.xml.i | 187 +++++++++++++++ .../include/bgp/protocol-common-config.xml.i | 16 ++ .../include/eigrp/protocol-common-config.xml.i | 6 +- .../include/isis/protocol-common-config.xml.i | 18 +- .../include/ospf/protocol-common-config.xml.i | 10 + .../include/ospfv3/protocol-common-config.xml.i | 8 + interface-definitions/protocols-babel.xml.in | 254 +++++++++++++++++++++ interface-definitions/protocols-rip.xml.in | 9 +- interface-definitions/protocols-ripng.xml.in | 8 + op-mode-definitions/restart-frr.xml.in | 6 + op-mode-definitions/show-babel.xml.in | 41 ++++ python/vyos/frr.py | 2 +- src/conf_mode/protocols_babel.py | 163 +++++++++++++ src/op_mode/restart_frr.py | 2 +- 20 files changed, 875 insertions(+), 63 deletions(-) create mode 100644 data/templates/frr/babeld.frr.j2 create mode 100644 data/templates/frr/distribute_list_macro.j2 create mode 100644 data/templates/frr/ipv6_distribute_list_macro.j2 create mode 100644 interface-definitions/include/babel/interface.xml.i create mode 100644 interface-definitions/protocols-babel.xml.in create mode 100644 op-mode-definitions/show-babel.xml.in create mode 100755 src/conf_mode/protocols_babel.py (limited to 'src/conf_mode') diff --git a/data/templates/frr/babeld.frr.j2 b/data/templates/frr/babeld.frr.j2 new file mode 100644 index 000000000..344a5f988 --- /dev/null +++ b/data/templates/frr/babeld.frr.j2 @@ -0,0 +1,85 @@ +{% from 'frr/distribute_list_macro.j2' import render_distribute_list %} +{% from 'frr/ipv6_distribute_list_macro.j2' import render_ipv6_distribute_list %} +! +{# Interface specific configuration #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.type is vyos_defined('wired') or iface_config.type is vyos_defined('wireless') %} + babel {{ iface_config.type }} +{% endif %} +{% if iface_config.split_horizon is vyos_defined("enable") %} + babel split-horizon +{% elif iface_config.split_horizon is vyos_defined("disable") %} + no babel split-horizon +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} + babel hello-interval {{ iface_config.hello_interval }} +{% endif %} +{% if iface_config.update_interval is vyos_defined %} + babel update-interval {{ iface_config.update_interval }} +{% endif %} +{% if iface_config.rxcost is vyos_defined %} + babel rxcost {{ iface_config.rxcost }} +{% endif %} +{% if iface_config.rtt_decay is vyos_defined %} + babel rtt-decay {{ iface_config.rtt_decay }} +{% endif %} +{% if iface_config.rtt_min is vyos_defined %} + babel rtt-min {{ iface_config.rtt_min }} +{% endif %} +{% if iface_config.rtt_max is vyos_defined %} + babel rtt-max {{ iface_config.rtt_max }} +{% endif %} +{% if iface_config.max_rtt_penalty is vyos_defined %} + babel max-rtt-penalty {{ iface_config.max_rtt_penalty }} +{% endif %} +{% if iface_config.enable_timestamps is vyos_defined %} + babel enable-timestamps +{% endif %} +{% if iface_config.channel is vyos_defined %} + babel channel {{ iface_config.channel | replace("non-interfering", "noninterfering") }} +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +{# Babel configuration #} +router babel +{% if parameters.diversity is vyos_defined %} + babel diversity +{% endif %} +{% if parameters.diversity_factor is vyos_defined %} + babel diversity-factor {{ parameters.diversity_factor }} +{% endif %} +{% if parameters.resend_delay is vyos_defined %} + babel resend-delay {{ parameters.resend_delay }} +{% endif %} +{% if parameters.smoothing_half_life is vyos_defined %} + babel smoothing-half-life {{ parameters.smoothing_half_life }} +{% endif %} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} + network {{ iface }} +{% endfor %} +{% endif %} +{% if redistribute is vyos_defined %} +{% for address_family in redistribute %} +{% for protocol, protocol_config in redistribute[address_family].items() %} +{% if protocol is vyos_defined('ospfv3') %} +{% set protocol = 'ospf6' %} +{% endif %} + redistribute {{ address_family }} {{ protocol }} +{% endfor %} +{% endfor %} +{% endif %} +{% if distribute_list.ipv4 is vyos_defined %} +{{ render_distribute_list(distribute_list.ipv4) }} +{% endif %} +{% if distribute_list.ipv6 is vyos_defined %} +{{ render_ipv6_distribute_list(distribute_list.ipv6) }} +{% endif %} +exit +! +end diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl index df98e74d6..fdff9772a 100644 --- a/data/templates/frr/daemons.frr.tmpl +++ b/data/templates/frr/daemons.frr.tmpl @@ -9,7 +9,7 @@ pimd=no ldpd=yes nhrpd=no eigrpd=yes -babeld=no +babeld=yes sharpd=no pbrd=no bfdd=yes @@ -51,4 +51,3 @@ bfdd_options=" --daemon -A 127.0.0.1" watchfrr_enable=no valgrind_enable=no - diff --git a/data/templates/frr/distribute_list_macro.j2 b/data/templates/frr/distribute_list_macro.j2 new file mode 100644 index 000000000..c10bf732d --- /dev/null +++ b/data/templates/frr/distribute_list_macro.j2 @@ -0,0 +1,30 @@ +{% macro render_distribute_list(distribute_list) %} +{% if distribute_list.access_list.in is vyos_defined %} + distribute-list {{ distribute_list.access_list.in }} in +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} + distribute-list {{ distribute_list.access_list.out }} out +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} + distribute-list {{ interface_config.access_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} + distribute-list {{ interface_config.access_list.out }} out {{ interface }} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.in }} in +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.out }} out +{% endif %} +{% endmacro %} diff --git a/data/templates/frr/ipv6_distribute_list_macro.j2 b/data/templates/frr/ipv6_distribute_list_macro.j2 new file mode 100644 index 000000000..c365fbdae --- /dev/null +++ b/data/templates/frr/ipv6_distribute_list_macro.j2 @@ -0,0 +1,30 @@ +{% macro render_ipv6_distribute_list(distribute_list) %} +{% if distribute_list.access_list.in is vyos_defined %} + ipv6 distribute-list {{ distribute_list.access_list.in }} in +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} + ipv6 distribute-list {{ distribute_list.access_list.out }} out +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} + ipv6 distribute-list {{ interface_config.access_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} + ipv6 distribute-list {{ interface_config.access_list.out }} out {{ interface }} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} + ipv6 distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} + ipv6 distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} + ipv6 distribute-list prefix {{ distribute_list.prefix_list.in }} in +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} + ipv6 distribute-list prefix {{ distribute_list.prefix_list.out }} out +{% endif %} +{% endmacro %} diff --git a/data/templates/frr/ripd.frr.j2 b/data/templates/frr/ripd.frr.j2 index e9e484cc2..1445bf97f 100644 --- a/data/templates/frr/ripd.frr.j2 +++ b/data/templates/frr/ripd.frr.j2 @@ -1,3 +1,4 @@ +{% from 'frr/distribute_list_macro.j2' import render_distribute_list %} {# RIP key-chain definition #} {% if interface is vyos_defined %} {% for iface, iface_config in interface.items() %} @@ -60,34 +61,7 @@ router rip {% endfor %} {% endif %} {% if distribute_list is vyos_defined %} -{% if distribute_list.access_list.in is vyos_defined %} - distribute-list {{ distribute_list.access_list.in }} in -{% endif %} -{% if distribute_list.access_list.out is vyos_defined %} - distribute-list {{ distribute_list.access_list.out }} out -{% endif %} -{% if distribute_list.interface is vyos_defined %} -{% for interface, interface_config in distribute_list.interface.items() %} -{% if interface_config.access_list.in is vyos_defined %} - distribute-list {{ interface_config.access_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.access_list.out is vyos_defined %} - distribute-list {{ interface_config.access_list.out }} out {{ interface }} -{% endif %} -{% if interface_config.prefix_list.in is vyos_defined %} - distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.prefix_list.out is vyos_defined %} - distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} -{% endif %} -{% endfor %} -{% endif %} -{% if distribute_list.prefix_list.in is vyos_defined %} - distribute-list prefix {{ distribute_list.prefix_list.in }} in -{% endif %} -{% if distribute_list.prefix_list.out is vyos_defined %} - distribute-list prefix {{ distribute_list.prefix_list.out }} out -{% endif %} +{{ render_distribute_list(distribute_list) }} {% endif %} {% include 'frr/rip_ripng.frr.j2' %} {% if version is vyos_defined %} diff --git a/data/templates/frr/ripngd.frr.j2 b/data/templates/frr/ripngd.frr.j2 index 7919b1bad..e857e9481 100644 --- a/data/templates/frr/ripngd.frr.j2 +++ b/data/templates/frr/ripngd.frr.j2 @@ -1,3 +1,4 @@ +{% from 'frr/ipv6_distribute_list_macro.j2' import render_ipv6_distribute_list %} {# Interface specific configuration #} {% if interface is vyos_defined %} {% for iface, iface_config in interface.items() %} @@ -19,34 +20,7 @@ router ripng {% endfor %} {% endif %} {% if distribute_list is vyos_defined %} -{% if distribute_list.access_list.in is vyos_defined %} - ipv6 distribute-list {{ distribute_list.access_list.in }} in -{% endif %} -{% if distribute_list.access_list.out is vyos_defined %} - ipv6 distribute-list {{ distribute_list.access_list.out }} out -{% endif %} -{% if distribute_list.interface is vyos_defined %} -{% for interface, interface_config in distribute_list.interface.items() %} -{% if interface_config.access_list.in is vyos_defined %} - ipv6 distribute-list {{ interface_config.access_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.access_list.out is vyos_defined %} - ipv6 distribute-list {{ interface_config.access_list.out }} out {{ interface }} -{% endif %} -{% if interface_config.prefix_list.in is vyos_defined %} - ipv6 distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.prefix_list.out is vyos_defined %} - ipv6 distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} -{% endif %} -{% endfor %} -{% endif %} -{% if distribute_list.prefix_list.in is vyos_defined %} - ipv6 distribute-list prefix {{ distribute_list.prefix_list.in }} in -{% endif %} -{% if distribute_list.prefix_list.out is vyos_defined %} - ipv6 distribute-list prefix {{ distribute_list.prefix_list.out }} out -{% endif %} +{{ render_ipv6_distribute_list(distribute_list) }} {% endif %} {% include 'frr/rip_ripng.frr.j2' %} exit diff --git a/interface-definitions/include/babel/interface.xml.i b/interface-definitions/include/babel/interface.xml.i new file mode 100644 index 000000000..549e4909d --- /dev/null +++ b/interface-definitions/include/babel/interface.xml.i @@ -0,0 +1,187 @@ + + + + Interface name + + + + + txt + Interface name + + + #include + + + + + + Interface type + + auto wired wireless + + + auto + Automatically detect interface type + + + wired + Wired interface + + + wireless + Wireless interface + + + (auto|wired|wireless) + + + auto + + + + Split horizon parameters + + default enable disable + + + default + Enable on wired interfaces, and disable on wireless interfaces + + + enable + Enable split horizon processing + + + disable + Disable split horizon processing + + + (default|enable|disable) + + + default + + + + Time between scheduled hellos + + u32:20-655340 + Milliseconds + + + + + + 4000 + + + + Time between scheduled updates + + u32:20-655340 + Milliseconds + + + + + + 20000 + + + + Base receive cost for this interface + + u32:1-65534 + Base receive cost + + + + + + + + + Decay factor for exponential moving average of RTT samples + + u32:1-256 + Decay factor, in units of 1/256 + + + + + + 42 + + + + Minimum RTT + + u32:1-65535 + Milliseconds + + + + + + 10 + + + + Maximum RTT + + u32:1-65535 + Milliseconds + + + + + + 120 + + + + Maximum additional cost due to RTT + + u32:0-65535 + Milliseconds (0 to disable the use of RTT-based cost) + + + + + + 150 + + + + Enable timestamps with each Hello and IHU message in order to compute RTT values + + + + + + Channel number for diversity routing + + interfering non-interfering + + + u32:1-254 + Interfaces with a channel number interfere with interfering interfaces and interfaces with the same channel number + + + interfering + Interfering interfaces are assumed to interfere with all other channels except non-interfering channels + + + non-interfering + Non-interfering interfaces only interfere with themselves + + + + (interfering|non-interfering) + + + + + + diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index ec065347c..0d88c7b25 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -165,6 +165,14 @@ #include + + + Redistribute Babel routes into BGP + + + #include + + Redistribute static routes into BGP @@ -542,6 +550,14 @@ #include + + + Redistribute Babel routes into BGP + + + #include + + Redistribute static routes into BGP diff --git a/interface-definitions/include/eigrp/protocol-common-config.xml.i b/interface-definitions/include/eigrp/protocol-common-config.xml.i index 147277102..30ddc5d11 100644 --- a/interface-definitions/include/eigrp/protocol-common-config.xml.i +++ b/interface-definitions/include/eigrp/protocol-common-config.xml.i @@ -86,6 +86,10 @@ rip Routing Information Protocol (RIP) + + babel + Babel routing protocol (Babel) + static Statically configured routes @@ -98,7 +102,7 @@ bgp connected nhrp ospf rip static vnc - (bgp|connected|nhrp|ospf|rip|static|vnc) + (bgp|connected|nhrp|ospf|rip|babel|static|vnc) diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i index 42bda7a80..c44939528 100644 --- a/interface-definitions/include/isis/protocol-common-config.xml.i +++ b/interface-definitions/include/isis/protocol-common-config.xml.i @@ -394,6 +394,14 @@ #include + + + Redistribute Babel routes into IS-IS + + + #include + + Redistribute static routes into IS-IS @@ -449,6 +457,14 @@ #include + + + Redistribute Babel routes into IS-IS + + + #include + + Redistribute static routes into IS-IS @@ -670,4 +686,4 @@ #include - \ No newline at end of file + diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 06609c10e..16b346131 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -756,6 +756,16 @@ #include + + + Redistribute Babel routes + + + #include + #include + #include + + Redistribute statically configured routes diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i index c0aab912d..fd00af95e 100644 --- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i +++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i @@ -238,6 +238,14 @@ #include + + + Redistribute Babel routes + + + #include + + Redistribute static routes diff --git a/interface-definitions/protocols-babel.xml.in b/interface-definitions/protocols-babel.xml.in new file mode 100644 index 000000000..0ef833077 --- /dev/null +++ b/interface-definitions/protocols-babel.xml.in @@ -0,0 +1,254 @@ + + + + + + + Babel Routing Protocol + 650 + + + + + Babel-specific parameters + + + + + Enable diversity-aware routing + + + + + + Multiplicative factor used for diversity routing + + u32:1-256 + Multiplicative factor, in units of 1/256 + + + + + + 256 + + + + Time before resending a message + + u32:20-655340 + Milliseconds + + + + + + 2000 + + + + Smoothing half-life + + u32:0-65534 + Seconds + + + + + + 4 + + + + #include + + + Redistribute information from another routing protocol + + + + + Redistribute IPv4 routes + + + + + Redistribute BGP routes + + + + + + Redistribute connected routes + + + + + + Redistribute EIGRP routes + + + + + + Redistribute IS-IS routes + + + + + + Redistribute kernel routes + + + + + + Redistribute NHRP routes + + + + + + Redistribute OSPF routes + + + + + + Redistribute RIP routes + + + + + + Redistribute static routes + + + + + + + + Redistribute IPv6 routes + + + + + Redistribute BGP routes + + + + + + Redistribute connected routes + + + + + + Redistribute IS-IS routes + + + + + + Redistribute kernel routes + + + + + + Redistribute NHRP routes + + + + + + Redistribute OSPFv3 routes + + + + + + Redistribute RIPng routes + + + + + + Redistribute static routes + + + + + + + + + + Filter networks in routing updates + + + + + Filter IPv4 routes + + + #include + + + Apply filtering to an interface + + txt + Apply filtering to an interface + + + + + + #include + + + + #include + #include + + + #include + + + + + Filter IPv6 routes + + + #include + + + Apply filtering to an interface + + txt + Apply filtering to an interface + + + + + + #include + + + + #include + #include + + + #include + + + + + + + + + diff --git a/interface-definitions/protocols-rip.xml.in b/interface-definitions/protocols-rip.xml.in index 33aae5015..b5d48090a 100644 --- a/interface-definitions/protocols-rip.xml.in +++ b/interface-definitions/protocols-rip.xml.in @@ -225,6 +225,14 @@ #include + + + Redistribute Babel routes + + + #include + + @@ -248,4 +256,3 @@ - diff --git a/interface-definitions/protocols-ripng.xml.in b/interface-definitions/protocols-ripng.xml.in index cd35dbf53..cf000b824 100644 --- a/interface-definitions/protocols-ripng.xml.in +++ b/interface-definitions/protocols-ripng.xml.in @@ -123,6 +123,14 @@ #include + + + Redistribute Babel routes + + + #include + + diff --git a/op-mode-definitions/restart-frr.xml.in b/op-mode-definitions/restart-frr.xml.in index 4e2be1bf2..4572858b5 100644 --- a/op-mode-definitions/restart-frr.xml.in +++ b/op-mode-definitions/restart-frr.xml.in @@ -68,6 +68,12 @@ sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon zebra + + + Restart Babel routing daemon + + sudo ${vyos_op_scripts_dir}/restart_frr.py --action restart --daemon babeld + diff --git a/op-mode-definitions/show-babel.xml.in b/op-mode-definitions/show-babel.xml.in new file mode 100644 index 000000000..3aac3764e --- /dev/null +++ b/op-mode-definitions/show-babel.xml.in @@ -0,0 +1,41 @@ + + + + + + + Show Babel routing protocol information + + + + + Show Babel Interface information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show Babel neighbor information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show Babel neighbor information for specified interface + + + + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + Show Babel route information + + ${vyos_op_scripts_dir}/vtysh_wrapper.sh $@ + + + + + + diff --git a/python/vyos/frr.py b/python/vyos/frr.py index ccb132dd5..a84f183ef 100644 --- a/python/vyos/frr.py +++ b/python/vyos/frr.py @@ -85,7 +85,7 @@ LOG.addHandler(ch2) _frr_daemons = ['zebra', 'bgpd', 'fabricd', 'isisd', 'ospf6d', 'ospfd', 'pbrd', 'pimd', 'ripd', 'ripngd', 'sharpd', 'staticd', 'vrrpd', 'ldpd', - 'bfdd', 'eigrpd'] + 'bfdd', 'eigrpd', 'babeld'] path_vtysh = '/usr/bin/vtysh' path_frr_reload = '/usr/lib/frr/frr-reload.py' diff --git a/src/conf_mode/protocols_babel.py b/src/conf_mode/protocols_babel.py new file mode 100755 index 000000000..20821c7f2 --- /dev/null +++ b/src/conf_mode/protocols_babel.py @@ -0,0 +1,163 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configdict import node_changed +from vyos.configverify import verify_common_route_maps +from vyos.configverify import verify_access_list +from vyos.configverify import verify_prefix_list +from vyos.util import dict_search +from vyos.xml import defaults +from vyos.template import render_to_string +from vyos import ConfigError +from vyos import frr +from vyos import airbag +airbag.enable() + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['protocols', 'babel'] + babel = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + + # FRR has VRF support for different routing daemons. As interfaces belong + # to VRFs - or the global VRF, we need to check for changed interfaces so + # that they will be properly rendered for the FRR config. Also this eases + # removal of interfaces from the running configuration. + interfaces_removed = node_changed(conf, base + ['interface']) + if interfaces_removed: + babel['interface_removed'] = list(interfaces_removed) + + # Bail out early if configuration tree does not exist + if not conf.exists(base): + babel.update({'deleted' : ''}) + return babel + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + + # XXX: T2665: we currently have no nice way for defaults under tag nodes, + # clean them out and add them manually :( + del default_values['interface'] + + # merge in remaining default values + babel = dict_merge(default_values, babel) + + # We also need some additional information from the config, prefix-lists + # and route-maps for instance. They will be used in verify(). + # + # XXX: one MUST always call this without the key_mangling() option! See + # vyos.configverify.verify_common_route_maps() for more information. + tmp = conf.get_config_dict(['policy']) + # Merge policy dict into "regular" config dict + babel = dict_merge(tmp, babel) + return babel + +def verify(babel): + if not babel: + return None + + # verify distribute_list + if "distribute_list" in babel: + acl_keys = { + "ipv4": [ + "distribute_list.ipv4.access_list.in", + "distribute_list.ipv4.access_list.out", + ], + "ipv6": [ + "distribute_list.ipv6.access_list.in", + "distribute_list.ipv6.access_list.out", + ] + } + prefix_list_keys = { + "ipv4": [ + "distribute_list.ipv4.prefix_list.in", + "distribute_list.ipv4.prefix_list.out", + ], + "ipv6":[ + "distribute_list.ipv6.prefix_list.in", + "distribute_list.ipv6.prefix_list.out", + ] + } + for address_family in ["ipv4", "ipv6"]: + for iface_key in babel["distribute_list"].get(address_family, {}).get("interface", {}).keys(): + acl_keys[address_family].extend([ + f"distribute_list.{address_family}.interface.{iface_key}.access_list.in", + f"distribute_list.{address_family}.interface.{iface_key}.access_list.out" + ]) + prefix_list_keys[address_family].extend([ + f"distribute_list.{address_family}.interface.{iface_key}.prefix_list.in", + f"distribute_list.{address_family}.interface.{iface_key}.prefix_list.out" + ]) + + for address_family, keys in acl_keys.items(): + for key in keys: + acl = dict_search(key, babel) + if acl: + verify_access_list(acl, babel, version='6' if address_family == 'ipv6' else '') + + for address_family, keys in prefix_list_keys.items(): + for key in keys: + prefix_list = dict_search(key, babel) + if prefix_list: + verify_prefix_list(prefix_list, babel, version='6' if address_family == 'ipv6' else '') + + +def generate(babel): + if not babel or 'deleted' in babel: + return None + + babel['new_frr_config'] = render_to_string('frr/babeld.frr.j2', babel) + return None + +def apply(babel): + babel_daemon = 'babeld' + + # Save original configuration prior to starting any commit actions + frr_cfg = frr.FRRConfig() + + frr_cfg.load_configuration(babel_daemon) + frr_cfg.modify_section('^router babel', stop_pattern='^exit', remove_stop_mark=True) + + for key in ['interface', 'interface_removed']: + if key not in babel: + continue + for interface in babel[key]: + frr_cfg.modify_section(f'^interface {interface}', stop_pattern='^exit', remove_stop_mark=True) + + if 'new_frr_config' in babel: + frr_cfg.add_before(frr.default_add_before, babel['new_frr_config']) + frr_cfg.commit_configuration(babel_daemon) + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/op_mode/restart_frr.py b/src/op_mode/restart_frr.py index 91b25567a..680d9f8cc 100755 --- a/src/op_mode/restart_frr.py +++ b/src/op_mode/restart_frr.py @@ -139,7 +139,7 @@ def _reload_config(daemon): # define program arguments cmd_args_parser = argparse.ArgumentParser(description='restart frr daemons') cmd_args_parser.add_argument('--action', choices=['restart'], required=True, help='action to frr daemons') -cmd_args_parser.add_argument('--daemon', choices=['bfdd', 'bgpd', 'ldpd', 'ospfd', 'ospf6d', 'isisd', 'ripd', 'ripngd', 'staticd', 'zebra'], required=False, nargs='*', help='select single or multiple daemons') +cmd_args_parser.add_argument('--daemon', choices=['bfdd', 'bgpd', 'ldpd', 'ospfd', 'ospf6d', 'isisd', 'ripd', 'ripngd', 'staticd', 'zebra', 'babeld'], required=False, nargs='*', help='select single or multiple daemons') # parse arguments cmd_args = cmd_args_parser.parse_args() -- cgit v1.2.3 From eaba3bdfb3f8d68f0994f0d96653b91714e33e6b Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Mon, 27 Feb 2023 16:13:50 +0200 Subject: openconnect: T4955: Renamed function and changed error messages Renamed local function to be identical to 1.3 ver Changed error messages after commit to be identical to 1.3 ver --- src/conf_mode/vpn_openconnect.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index bf5d3ac84..68da70d7d 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2022 VyOS maintainers and contributors +# Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -47,7 +47,7 @@ def get_hash(password): return crypt(password, mksalt(METHOD_SHA512)) -def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict: +def _default_dict_cleanup(origin: dict, default_values: dict) -> dict: """ https://vyos.dev/T2665 Clear unnecessary key values in merged config by dict_merge function @@ -63,7 +63,7 @@ def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict: del origin['authentication']['local_users']['username']['otp'] if not origin["authentication"]["local_users"]["username"]: raise ConfigError( - 'Openconnect mode local required at least one user') + 'Openconnect authentication mode local requires at least one user') default_ocserv_usr_values = \ default_values['authentication']['local_users']['username']['otp'] for user, params in origin['authentication']['local_users'][ @@ -82,7 +82,7 @@ def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict: del origin['authentication']['radius']['server']['port'] if not origin["authentication"]['radius']['server']: raise ConfigError( - 'Openconnect authentication mode radius required at least one radius server') + 'Openconnect authentication mode radius requires at least one RADIUS server') default_values_radius_port = \ default_values['authentication']['radius']['server']['port'] for server, params in origin['authentication']['radius'][ @@ -95,7 +95,7 @@ def T2665_default_dict_cleanup(origin: dict, default_values: dict) -> dict: del origin['accounting']['radius']['server']['port'] if not origin["accounting"]['radius']['server']: raise ConfigError( - 'Openconnect accounting mode radius required at least one radius server') + 'Openconnect accounting mode radius requires at least one RADIUS server') default_values_radius_port = \ default_values['accounting']['radius']['server']['port'] for server, params in origin['accounting']['radius'][ @@ -120,7 +120,7 @@ def get_config(config=None): default_values = defaults(base) ocserv = dict_merge(default_values, ocserv) # workaround a "know limitation" - https://vyos.dev/T2665 - ocserv = T2665_default_dict_cleanup(ocserv, default_values) + ocserv = _default_dict_cleanup(ocserv, default_values) if ocserv: ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) -- cgit v1.2.3