From ebece7a4cdb942ea1ff7582ceda0f8765c329c9b Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 15 Apr 2021 09:02:23 +0200 Subject: policy: T2425: re-implement "policy" tree from vyatta-cfg-quagga in XML/Python --- src/conf_mode/policy.py | 98 ++++++++++++++++++++++++------------------------- 1 file changed, 49 insertions(+), 49 deletions(-) (limited to 'src') diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py index 94a020e7b..f2e9010e3 100755 --- a/src/conf_mode/policy.py +++ b/src/conf_mode/policy.py @@ -20,47 +20,46 @@ from sys import exit from vyos.config import Config from vyos.configdict import dict_merge -from vyos.template import render from vyos.template import render_to_string -from vyos.util import call from vyos.util import dict_search from vyos import ConfigError from vyos import frr from vyos import airbag -from pprint import pprint airbag.enable() -config_file = r'/tmp/policy.frr' -frr_daemon = 'zebra' - -DEBUG = os.path.exists('/tmp/policy.debug') -if DEBUG: - import logging - lg = logging.getLogger("vyos.frr") - lg.setLevel(logging.DEBUG) - ch = logging.StreamHandler() - lg.addHandler(ch) - def get_config(config=None): if config: conf = config else: conf = Config() - base = ['npolicy'] - policy = conf.get_config_dict(base, key_mangling=('-', '_')) - # Bail out early if configuration tree does not exist - if not conf.exists(base): - return policy - - pprint(policy) - exit(1) + base = ['policy'] + policy = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True) return policy def verify(policy): if not policy: return None + if 'access-list' in policy: + for acl, acl_config in policy['access-list'].items(): + if 'rule' not in acl_config: + continue + + for rule, rule_config in acl_config['rule'].items(): + if 'source' not in rule_config: + raise ConfigError(f'Source must be specified for rule {rule} '\ + f'for access-list {acl}!') + if 'action' not in rule_config: + raise ConfigError(f'Action must be specified for rule {rule} '\ + f'for access-list {acl}!') + + if int(acl) not in range(100, 200) or int(acl) not in range(2000, 2700): + if 'destination' not in rule_config: + raise ConfigError(f'Destination must be specified for rule {rule} '\ + f'for access-list {acl}!') + return None def generate(policy): @@ -68,41 +67,42 @@ def generate(policy): policy['new_frr_config'] = '' return None - # render(config) not needed, its only for debug - # render(config_file, 'frr/policy.frr.tmpl', policy) - # policy['new_frr_config'] = render_to_string('frr/policy.frr.tmpl') - + policy['new_frr_config'] = render_to_string('frr/policy.frr.tmpl', policy) return None def apply(policy): + bgp_daemon = 'bgpd' + zebra_daemon = 'zebra' + # Save original configuration prior to starting any commit actions - # frr_cfg = frr.FRRConfig() - # frr_cfg.load_configuration(frr_daemon) - # frr_cfg.modify_section(f'ip', '') - # frr_cfg.add_before(r'(line vty)', policy['new_frr_config']) - - # Debugging - if DEBUG: - from pprint import pprint - print('') - print('--------- DEBUGGING ----------') - pprint(dir(frr_cfg)) - print('Existing config:\n') - for line in frr_cfg.original_config: - print(line) - print(f'Replacement config:\n') - print(f'{policy["new_frr_config"]}') - print(f'Modified config:\n') - print(f'{frr_cfg}') - - # frr_cfg.commit_configuration(frr_daemon) + frr_cfg = frr.FRRConfig() + + # The route-map used for the FIB (zebra) is part of the zebra daemon + frr_cfg.load_configuration(bgp_daemon) + frr_cfg.modify_section(r'^bgp as-path access-list .*') + frr_cfg.modify_section(r'^bgp community-list .*') + frr_cfg.modify_section(r'^bgp extcommunity-list .*') + frr_cfg.modify_section(r'^bgp large-community-list .*') + frr_cfg.add_before('^line vty', policy['new_frr_config']) + frr_cfg.commit_configuration(bgp_daemon) + + # The route-map used for the FIB (zebra) is part of the zebra daemon + frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'^access-list .*') + frr_cfg.modify_section(r'^ipv6 access-list .*') + frr_cfg.modify_section(r'^ip prefix-list .*') + frr_cfg.modify_section(r'^ipv6 prefix-list .*') + frr_cfg.add_before('^line vty', policy['new_frr_config']) + frr_cfg.commit_configuration(zebra_daemon) # If FRR config is blank, rerun the blank commit x times due to frr-reload # behavior/bug not properly clearing out on one commit. - # if policy['new_frr_config'] == '': - # for a in range(5): - # frr_cfg.commit_configuration(frr_daemon) + if policy['new_frr_config'] == '': + for a in range(5): + frr_cfg.commit_configuration(zebra_daemon) + # Save configuration to /run/frr/config/frr.conf + frr.save_configuration() return None -- cgit v1.2.3