69 files changed, 1317 insertions, 605 deletions
diff --git a/Makefile.am b/Makefile.am
index ac8374a3..3157173c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -56,6 +56,7 @@ sbin_SCRIPTS += scripts/install/install-image-existing
 sbin_SCRIPTS += scripts/install/install-postinst-new
 sbin_SCRIPTS += scripts/install/install-image
 sbin_SCRIPTS += scripts/vyatta-bridgegroup-depedency.pl
+sbin_SCRIPTS += scripts/vyatta-dhcpv6-client.pl
 share_perl5_DATA = lib/Vyatta/Login/User.pm
 share_perl5_DATA += lib/Vyatta/Login/RadiusServer.pm
@@ -79,6 +80,8 @@ sysconf_DATA += sysconf/blacklist.DSA-1024
 sysconf_DATA += sysconf/blacklist.RSA-2048
 sysconf_DATA += sysconf/level
 sysconf_DATA += sysconf/pam_radius.cfg
+sysconf_DATA += sysconf/filecaps
+sysconf_DATA += sysconf/capability.conf
 libudev_SCRIPTS = scripts/vyatta_net_name
 etcudev_DATA = sysconf/vyatta-net.rules
diff --git a/debian/changelog b/debian/changelog
index e64453c1..da82d0f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,140 @@ +vyatta-cfg-system (0.17.55) unstable; urgency=low + + * initial support for gre-bridge tunnels. + + -- Robert Bays <rbays@roatan> Thu, 17 Jun 2010 23:33:45 -0700 + +vyatta-cfg-system (0.17.54) unstable; urgency=low + + * Remove sudo from ip command + * Remove unnecessary :expression: syntax + * Remove sudo from brctl + * Remove capability from ping + * Don't need audit write on vbash + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Thu, 17 Jun 2010 14:46:35 -0700 + +vyatta-cfg-system (0.17.53) unstable; urgency=low + + * * make vrrp work with conntrack-sync + * * perltidy vyatta-keepalived.pl + + -- Mohit Mehta <mohit.mehta@vyatta.com> Wed, 09 Jun 2010 15:01:47 -0700 + +vyatta-cfg-system (0.17.52) unstable; urgency=low + + * Add skip option to vyatta-interfaces + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Mon, 07 Jun 2010 16:28:13 -0700 + +vyatta-cfg-system (0.17.51) unstable; urgency=low + + * Using "send dhcp6.oro" is no longer required in config file. + + -- Bob Gilligan <gilligan@vyatta.com> Sun, 30 May 2010 07:14:32 -0700 + +vyatta-cfg-system (0.17.50) unstable; urgency=low + + * Fix use of bareword file handles + * Set file capability attributes + * Add pam_cap capability configuration + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Fri, 04 Jun 2010 14:10:09 -0700 + +vyatta-cfg-system (0.17.49) unstable; urgency=low + + * move list functions to vrrp perl module so other scripts can use it + as well + + -- Mohit Mehta <mohit.mehta@vyatta.com> Thu, 03 Jun 2010 16:32:05 -0700 + +vyatta-cfg-system (0.17.48) unstable; urgency=low + + * fix for bug 5656 + + -- An-Cheng Huang <ancheng@vyatta.com> Thu, 03 Jun 2010 14:55:46 -0700 + +vyatta-cfg-system (0.17.47) unstable; urgency=low + + * Fix 5521: Cannot Delete vif with vrrp configured. 
+ + -- Stig Thormodsrud <stig@vyatta.com> Tue, 01 Jun 2010 15:24:45 -0700 + +vyatta-cfg-system (0.17.46) unstable; urgency=low + + * Move DHCPv6 client configuration to this package and restructre + parameters. + + -- Bob Gilligan <gilligan@vyatta.com> Wed, 26 May 2010 16:12:45 -0700 + +vyatta-cfg-system (0.17.45) unstable; urgency=low + + * Don't enable PAM Radius by default + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Mon, 24 May 2010 10:46:08 -0700 + +vyatta-cfg-system (0.17.44) unstable; urgency=low + + * don't start conntrackd itself + + -- Mohit Mehta <mohit.mehta@vyatta.com> Thu, 20 May 2010 19:29:10 -0700 + +vyatta-cfg-system (0.17.43) unstable; urgency=low + + * Add enable-proxy-arp to vif interface. + + -- Stig Thormodsrud <stig@vyatta.com> Wed, 19 May 2010 20:16:12 -0700 + +vyatta-cfg-system (0.17.42) unstable; urgency=low + + * Change SNMP community handling + * Fix syntax of default listen address + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Fri, 14 May 2010 11:01:48 -0700 + +vyatta-cfg-system (0.17.41) unstable; urgency=low + + * Revert "Snmp Ipv6 support" + * Better version of SNMP IPv6 support + * Allow configuring/restricting SNMP listen address + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Wed, 12 May 2010 21:02:35 -0700 + +vyatta-cfg-system (0.17.40) unstable; urgency=low + + * Snmp Ipv6 support + * Show progress bar when copying filesystem + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Wed, 12 May 2010 14:34:54 -0700 + +vyatta-cfg-system (0.17.39) unstable; urgency=low + + * Preserve file capablities and attributes during install-system + * Preserve file attributes of root files + + -- Stephen Hemminger <stephen.hemminger@vyatta.com> Fri, 07 May 2010 15:25:22 -0700 + +vyatta-cfg-system (0.17.38) unstable; urgency=low + + * Add code to check digital signature of image files. 
+
+ -- Bob Gilligan <gilligan@vyatta.com> Mon, 03 May 2010 17:21:10 -0700
+
+vyatta-cfg-system (0.17.37) unstable; urgency=low
+
+ * Allow user to name system images when installing them.
+
+ -- Bob Gilligan <gilligan@vyatta.com> Fri, 30 Apr 2010 15:48:57 -0700
+
+vyatta-cfg-system (0.17.36) unstable; urgency=low
+
+ * Ignore comments in level file
+ * Set capabilities on standard utilities
+ * Make interface help completion strings consistent
+ * Revert "Set capabilities on standard utilities"
+
+ -- Stephen Hemminger <stephen.hemminger@vyatta.com> Tue, 27 Apr 2010 15:27:49 -0700
+
 vyatta-cfg-system (0.17.35) unstable; urgency=low
 * Configure IFB devices earlier in boot
diff --git a/debian/control b/debian/control
index c1d19a95..6c169390 100644
--- a/debian/control
+++ b/debian/control
@@ -47,6 +47,7 @@ Depends: acpid,
 vyatta-biosdevname,
 ipvsadm (>= 1:1.24-2.1),
 radvd (>= 1:1.1-3),
+ apt-transport-https,
 hostapd (>= 1:0.6.9-3)
 Pre-Depends: bash-completion
 Suggests: util-linux (>= 2.13-5),
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index b2719bc5..dee13d4f 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -8,7 +8,7 @@ sbindir=@sbindir@
 # remove init of daemons that are controlled by Vyatta configuration process
 for init in ntp ssh snmpd openhpid \
- vyatta-keepalived ipvsadm dnsmasq ddclient radvd hostapd
+ vyatta-keepalived ipvsadm dnsmasq ddclient radvd hostapd conntrackd
 do
 update-rc.d -f ${init} remove >/dev/null
 done
@@ -132,10 +132,14 @@ EOF fi done - # Install pamradius config (should come with radius client eventually) - cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius - cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf + + # Set file capabilities + sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' <$sysconfdir/filecaps \ + | xargs -i sh -c "setcap {}" + + # Install pam_cap config + cp $sysconfdir/capability.conf /etc/security/capability.conf fi # create needed directories diff --git a/lib/Vyatta/Login/RadiusServer.pm b/lib/Vyatta/Login/RadiusServer.pm index d60f2baa..0de9bd28 100644 --- a/lib/Vyatta/Login/RadiusServer.pm +++ b/lib/Vyatta/Login/RadiusServer.pm @@ -20,18 +20,30 @@ use warnings; use lib "/opt/vyatta/share/perl5"; use Vyatta::Config; use File::Compare; +use File::Copy; my $PAM_RAD_CFG = '/etc/pam_radius_auth.conf'; my $PAM_RAD_TMP = "/tmp/pam_radius_auth.$$"; +my $PAM_RAD_AUTH = "/usr/share/pam-configs/radius"; +my $PAM_RAD_SYSCONF = "/opt/vyatta/etc/pam_radius.cfg"; + sub remove_pam_radius { - return system("sudo DEBIAN_FRONTEND=noninteractive" - . " pam-auth-update --remove radius") == 0; + system("DEBIAN_FRONTEND=noninteractive " . + " pam-auth-update --package --remove radius") == 0 + or die "pam-auth-update remove failed"; + + unlink($PAM_RAD_AUTH) + or die "Can't remove $PAM_RAD_AUTH"; } sub add_pam_radius { - return system("sudo DEBIAN_FRONTEND=noninteractive" - . " pam-auth-update radius") == 0; + copy($PAM_RAD_SYSCONF,$PAM_RAD_AUTH) + or die "Can't copy $PAM_RAD_SYSCONF to $PAM_RAD_AUTH"; + + system("DEBIAN_FRONTEND=noninteractive " . + "pam-auth-update --package radius") == 0 + or die "pam-auth-update add failed" } sub update { 
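Review bot: The new `xargs -i sh -c "setcap {}"` line passes each entry of `$sysconfdir/filecaps` through a shell, so any shell metacharacter in that file is executed instead of being handed to setcap, and a failing setcap (for example a root filesystem without xattr support) is silently ignored because the pipeline's status is never checked. Assuming each line is one setcap argument list, the shell is unnecessary: `| xargs -L1 setcap || echo "warning: setting file capabilities failed" >&2` invokes setcap directly and at least surfaces the failure in the postinst output. The unconditional `cp $sysconfdir/capability.conf /etc/security/capability.conf` also overwrites any locally edited pam_cap configuration on every upgrade; if that is intended, a `# package-owned; local edits to capability.conf are replaced on upgrade` comment would record the choice.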
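Review bot: `remove_pam_radius` now dies whenever `unlink($PAM_RAD_AUTH)` fails, which includes the ordinary case where `/usr/share/pam-configs/radius` was never installed — `update` (in the following hunk) calls `remove_pam_radius()` whenever no RADIUS server is configured, so a routine login commit aborts on a file that is already absent. Tolerate a missing file and fail only on other errors: `unlink($PAM_RAD_AUTH) or $!{ENOENT} or die "Can't remove $PAM_RAD_AUTH: $!";`. The `pam-auth-update` failure messages would also be more actionable with the exit status appended, e.g. `or die "pam-auth-update remove failed: $?";`, and the final `die` in `add_pam_radius` is missing its terminating semicolon — legal before `}`, but easy to break when another statement is appended later.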
@@ -58,16 +70,15 @@ sub update {
 close($cfg);
 if ( compare( $PAM_RAD_CFG, $PAM_RAD_TMP ) != 0 ) {
- system("sudo cp $PAM_RAD_TMP $PAM_RAD_CFG") == 0
+ copy ($PAM_RAD_TMP, $PAM_RAD_CFG)
 or die "Copy of $PAM_RAD_TMP to $PAM_RAD_CFG failed";
 }
 unlink($PAM_RAD_TMP);
 if ( $count > 0 ) {
- exit 1 unless add_pam_radius();
- }
- else {
- exit 1 unless remove_pam_radius();
+ add_pam_radius();
+ } else {
+ remove_pam_radius();
 }
 }
diff --git a/lib/Vyatta/Login/User.pm b/lib/Vyatta/Login/User.pm
index 419a882d..fa0cca7d 100755
--- a/lib/Vyatta/Login/User.pm
+++ b/lib/Vyatta/Login/User.pm
@@ -47,7 +47,9 @@ sub _level_groups {
 while (<$f>) {
 chomp;
+ # Ignore blank lines and comments
 next unless $_;
+ next if /^#/;
 my ( $l, $g ) = split /:/;
 if ( $l eq $level ) {
diff --git a/scripts/install-system b/scripts/install-system
index d17f0c2e..4f92ca37 100755
--- a/scripts/install-system
+++ b/scripts/install-system
@@ -890,6 +890,23 @@ create_partitions() {
 fi
 }
+# Copy directory with pretty progress bar
+copy_filesystem() {
+ cp -r -v --preserve=all "$@" | awk '{
+ ++files
+ if ((files % 10) == 0) {
+ percent = files / total_files * 100
+ printf "%3d%% [", percent
+ for (i=0;i<percent; i+=2)
+ printf "="
+ printf ">"
+ for (;i<100;i+=2)
+ printf " "
+ printf "]\r"
+ }
+ }' total_files=$(find "$@" | wc -l)
+}
+
 # Install the root filesystem
 # $1 is the partition to install on
 install_root_filesystem () {
@@ -914,8 +931,7 @@ install_root_filesystem () {
 fi
 if [ -z $UNION ]; then
- echo -n "Copying system image files to /dev/$ROOT_PARTITION: "
- progress_indicator start
+ echo "Copying system files to /dev/$ROOT_PARTITION: "
 # Mount the squashfs for copying
 output=$(mkdir -p /mnt/squashfs)
 if [ -f /live/image/live/filesystem.squashfs ]; then
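Review bot: Replacing `sudo cp` with `File::Copy::copy($PAM_RAD_TMP, $PAM_RAD_CFG)` changes the permissions of the result: when `$PAM_RAD_CFG` does not yet exist, `copy` creates it under the process umask (typically 0644), and `/etc/pam_radius_auth.conf` presumably carries the RADIUS shared secrets that `update` writes to `$cfg` earlier (outside the hunk). Pin the mode after the copy so a first install is not world-readable: `chmod 0600, $PAM_RAD_CFG or die "chmod $PAM_RAD_CFG failed: $!";`. The same secrets sit briefly in `$PAM_RAD_TMP`, a pid-named file in world-writable `/tmp` created before this hunk; `File::Temp` would be the usual replacement, but that line is not in view.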
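Review bot: `copy_filesystem` returns the exit status of the trailing `awk`, not of `cp`, because `$?` after a pipeline is the last command's status and the function has no explicit `return`; a failing `cp` (disk full, unreadable squashfs) therefore looks successful to the caller, which relies on `status=$?` in the next hunk of this file. Add `return "${PIPESTATUS[0]}"` as the last line of the function (bash-specific; if the script must stay POSIX sh, capture cp's status through a temp file instead) or run the pipeline under `set -o pipefail`. The `total_files=$(find "$@" | wc -l)` walk also traverses the tree a second time; fine for a progress bar, but a `# second pass only to size the progress bar; cp's status is what matters` comment would save the next reader the question.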
@@ -936,12 +952,13 @@ install_root_filesystem () {
 exit 1
 fi
- output=$(cp -pR /mnt/squashfs/* $rootfsdir/)
+ echo "Copying /mnt/squashfs/* to $rootfsddir" >>$INSTALL_LOG
+ copy_filesystem /mnt/squashfs/* $rootfsdir 2>>$INSTALL_LOG
 status=$?
-
+ echo
+
 if [ "$status" != 0 ]; then
 echo -e "Error trying to copy the rootfs.\nPlease see install log for more details.\nExiting..."
- echo -e "Error trying to copy the rootfs.\ncp -pR /mnt/squashfs/* $rootfsdir/\n$output" >> $INSTALL_LOG
 exit 1
 fi
diff --git a/scripts/install/install-image b/scripts/install/install-image
index 607dcc98..c4bf3800 100755
--- a/scripts/install/install-image
+++ b/scripts/install/install-image
@@ -69,6 +69,39 @@ fetch_iso_by_url ()
 fi
 echo "ISO download suceeded."
+
+ echo "Checking for digital signature file..."
+ curl -f -o $(unknown).asc ${NEW_ISO}.asc
+ if [ $? -ne 0 ]; then
+ echo "Unable to fetch digital signature file."
+ echo -n "Do you want to continue without signature check? (yes/no) [yes] "
+
+ response=$(get_response "Yes" "Yes No Y N")
+ if [ "$response" == "no" ] || [ "$response" == "n" ]; then
+ fail_exit 'OK. Installation will not be performed.'
+ fi
+
+ # In case signature file was partially downloaded...
+ rm -f $(unknown).asc
+ fi
+
+ if [ -e $(unknown).asc ]; then
+ echo "Found it. Checking digital signature..."
+ gpg --keyring /etc/apt/trusted.gpg --verify $(unknown).asc
+ if [ $? -ne 0 ]; then
+ echo "Signature check FAILED."
+ echo -n "Do you want to continue anyway? (yes/no) [no] "
+ response=$(get_response "Yes" "Yes No Y N")
+ if [ "$response" == "no" ] || [ "$response" == "n" ]; then
+ fail_exit 'OK. Installation will not be performed.'
+ fi
+
+ echo "OK. Proceding with installation anyway."
+ else
+ echo "Digital signature is valid."
+ fi
+ fi
+
 NEW_ISO=$filename
 }
diff --git a/scripts/install/install-image-existing b/scripts/install/install-image-existing
index ce0e502d..e8f723a0 100755
--- a/scripts/install/install-image-existing
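Review bot: The new log line expands `$rootfsddir` (two d's) while the copy uses `$rootfsdir`, so the install log records `Copying /mnt/squashfs/* to ` with an empty destination; it should read `echo "Copying /mnt/squashfs/* to $rootfsdir" >>$INSTALL_LOG`. Note also that `status=$?` now reflects `copy_filesystem`, whose last command is the `awk` in its pipeline, so the `Error trying to copy the rootfs` branch cannot fire on a failed `cp` unless that function propagates `PIPESTATUS[0]`. Since the removed line was the only place cp's own diagnostics reached the log, a short `# cp/awk stderr goes to the install log; only the progress bar is shown` comment would make the new error path clear to the next reader.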
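Review bot: After `Signature check FAILED.` the prompt text says `[no]` but `get_response "Yes" "Yes No Y N"` defaults to Yes (compare the `[No]` prompt paired with `get_response "No"` in install-image-existing in this same commit), so an operator who just presses Enter on a bad signature installs the tampered image. Use `response=$(get_response "No" "Yes No Y N")` there, and consider the same fail-closed default for the missing-signature prompt, because whoever can alter the ISO on the download path can also withhold the `.asc`. `gpg --keyring /etc/apt/trusted.gpg --verify` additionally consults the invoking user's default keyring unless `--no-default-keyring` is given, so any locally imported key is trusted alongside the APT keys.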
+++ b/scripts/install/install-image-existing
@@ -54,16 +54,27 @@ fi
 # get new version string. this is from the squashfs image.
 NEWVER=`dpkg -l --root=${CD_SQUASH_ROOT} | grep "^.. vyatta-version " | awk '{print $3}'`
+NEWNAME=$NEWVER
-if [ -z "$NEWVER" ]; then
- failure_exit 'Cannot find new release version.'
+echo -n "What would you like to name this image? [$NEWNAME]: "
+read response
+if [ -n "$response" ]; then
+ NEWNAME=$response
 fi
-if [ "$CURVER" == "$NEWVER" ]; then
- echo "Image version $NEWVER is the same as the running system."
- echo "Cannot install the same release version as the running system."
- exit 1
+
+# Validate image name
+if [ "$NEWNAME" = "grub" -o "${NEWNAME:0:7}" = "vmlinuz" -o \
+ "${NEWNAME:0:6}" = "initrd" -o "${NEWNAME:0:10}" = "System.map" -o \
+ "$NEWNAME" = "Old-non-image-installation" ]; then
+ echo "Can't use $NEWNAME. It is a reserved image name."
+ exit 1;
+fi
+
+if [ -z "$NEWNAME" ]; then
+ failure_exit 'Invalid image name.'
 fi
+echo "OK. This image will be named: $NEWNAME"
 # this is the default if current install is union
 BOOT_DIR=/live/image/boot
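Review bot: `NEWNAME` is taken verbatim from `read response` and checked only against a fixed list of reserved names, yet it is later used unquoted as a path component (`REL_ROOT=$BOOT_DIR/$NEWNAME`, `mkdir -p "$RW_DIR"`) and spliced into `sed` expressions, so a name containing `/`, `..`, whitespace or sed metacharacters can create directories outside `$BOOT_DIR` or corrupt grub.cfg. The grub rewrite later in this file only recognises image directories matching `/boot/[A-Za-z0-9.-]*`, so limiting names to that set is consistent with the rest of the change: `case "$NEWNAME" in *[!A-Za-z0-9.-]*) failure_exit "Image name may only contain letters, digits, '.' and '-'." ;; esac`. Dropping the `-z "$NEWVER"` check also lets `target_squash=$REL_ROOT/$NEWVER.squashfs` below become a hidden `.squashfs` file when the version string is empty but a name was typed; keep that check or name the squashfs after `$NEWNAME`.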
@@ -74,24 +85,30 @@ elif [ "$CUR_INSTALL" != 'union' ]; then
 exit 1
 fi
-if [ -d $BOOT_DIR/$NEWVER ]; then
- echo "Version $NEWVER is already installed on this system."
+if [ -d $BOOT_DIR/$NEWNAME ]; then
+ if [ "$CURVER" = "$NEWNAME" ]; then
+ echo "$NEWNAME is the image you are currently running. Can't"
+ echo "Re-install over the running image."
+ exit 1
+ fi
+
+ echo "An image named $NEWNAME is already installed on this system."
 echo "Proceeding with this installation will delete this copy of"
- echo "$NEWVER and replace it with a new copy."
+ echo "$NEWNAME and replace it with a new copy."
 echo -n "Do you want to replace it? (Yes/No) [No]: "
 resp=$(get_response "No" "Yes No Y N")
 if [ "$resp" != 'yes' ] && [ "$resp" != 'y' ]; then
- echo "OK. Will not replace $NEWVER"
+ echo "OK. Will not replace $NEWNAME"
 echo "Exiting..."
 exit 1
 fi
 fi
 # start the install
-echo "Installing \"$NEWVER\" release."
+echo "Installing \"$NEWNAME\" image."
 # create the new release directories
-REL_ROOT=$BOOT_DIR/$NEWVER
+REL_ROOT=$BOOT_DIR/$NEWNAME
 RW_DIR="$REL_ROOT/live-rw"
 if ! mkdir -p "$RW_DIR"; then
 failure_exit 'Cannot create directory for new release.'
@@ -108,7 +125,7 @@ if [ ! -f "$squash_img" ] || [ -z "$boot_files" ]; then
 fi
 target_squash=$REL_ROOT/$NEWVER.squashfs
 cp -p $squash_img $target_squash >&/dev/null
-cp -dp $boot_files $REL_ROOT/ >&/dev/null
+cp --no-dereference --preserve=all $boot_files $REL_ROOT/ >&/dev/null
 # mount copied squashfs
 if ! try_mount "-o loop,ro $target_squash $READ_ROOT"; then
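Review bot: The rewritten `cp --no-dereference --preserve=all $boot_files $REL_ROOT/ >&/dev/null` discards its diagnostics and its exit status is never examined, so if the kernel or initrd copy fails (disk full, missing source) the script goes on to mount the squashfs and write a grub entry pointing at files that do not exist. The squashfs `cp -p` above has the same shape, but this hunk touches the boot-files line: `cp --no-dereference --preserve=all $boot_files $REL_ROOT/ || failure_exit 'Cannot copy kernel and initrd images.'` keeps the failure visible. `$boot_files` appears to be a deliberate unquoted word list (the `-z "$boot_files"` test suggests a space-separated set), which deserves a `# word list; intentionally unquoted` comment.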
@@ -163,10 +180,16 @@ if [ -e "$DEF_GRUB" ]; then
 echo "Setting up grub configuration..."
 new_index=$(get_grub_index)
+ def_grub_vers=/tmp/def_grub.$$
+ cp $DEF_GRUB $def_grub_vers
+ sed -i "s/menuentry \"Vyatta.*(/menuentry \"Vyatta image $NEWNAME (/" $def_grub_vers
+ sed -i "s/menuentry \"Lost password change.*(/menuentry \"Lost password change $NEWNAME (/" $def_grub_vers
+ sed -i "sX/boot/[A-Za-z0-9\.\-]*X/boot/${NEWNAME}Xg" $def_grub_vers
+
 old_grub_cfg=$BOOT_DIR/grub/grub.cfg
 new_grub_cfg=/tmp/grub.cfg.$$
 sed -n '/^menuentry/q;p' $old_grub_cfg >$new_grub_cfg
- cat $DEF_GRUB >>$new_grub_cfg
+ cat $def_grub_vers >> $new_grub_cfg
 sed -n '/^menuentry/,${p}' $old_grub_cfg >>$new_grub_cfg
 sed -i "s/^set default=[0-9]\+$/set default=$new_index/" $new_grub_cfg
 mv $new_grub_cfg $old_grub_cfg
diff --git a/scripts/install/install-image-new b/scripts/install/install-image-new
index 7294fc35..5726fa03 100755
--- a/scripts/install/install-image-new
+++ b/scripts/install/install-image-new
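Review bot: `$NEWNAME` is interpolated unescaped into three `sed -i` replacements: a name containing `/`, `&` or `\` breaks or rewrites the first two, and the third uses `X` as its delimiter, so any capital `X` in the name makes sed fail while the half-rewritten `$def_grub_vers` is still appended to grub.cfg. Either reject such names where they are prompted for, or escape once before use, e.g. `safe_name=$(printf '%s' "$NEWNAME" | sed 's/[\/&\\]/\\&/g')`, and pick a delimiter that cannot appear in a valid name (`s|…|…|g`). The `/tmp/def_grub.$$` scratch file is predictable and is never removed after the `cat`; `def_grub_vers=$(mktemp)` together with `rm -f "$def_grub_vers"` after the `cat` addresses both.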
@@ -24,15 +24,36 @@ if ! try_mount "/dev/$ROOT_PARTITION $WRITE_ROOT"; then
 fi
 version=$(get_new_version)
-if [ -z "$version" ]; then
+image_name=$version
+if [ -z "$image_name" ]; then
 echo 'Cannot find new version. Exiting...'
 exit 1
 fi
+echo -n "What would you like to name this image? [$image_name]: "
+read response
+if [ -n "$response" ]; then
+ image_name=$response
+fi
+
+# Validate image name
+if [ "$image_name" = "grub" -o "${image_name:0:7}" = "vmlinuz" -o \
+ "${image_name:0:6}" = "initrd" -o "${image_name:0:10}" = "System.map" -o \
+ "$image_name" = "Old-non-image-installation" ]; then
+ echo "Can't use $image_name. It is a reserved image name."
+ exit 1;
+fi
+
+if [ -z "$image_name" ]; then
+ failure_exit 'Invalid image name.'
+fi
+
+echo "OK. This image will be named: $image_name"
+
 # make the dir for the new version
-mkdir -p $WRITE_ROOT/boot/$version
+mkdir -p $WRITE_ROOT/boot/$image_name
 # make dir for backing store
-rw_dir=$WRITE_ROOT/boot/$version/live-rw
+rw_dir=$WRITE_ROOT/boot/$image_name/live-rw
 mkdir -p $rw_dir
 echo Copying squashfs image...
@@ -53,10 +74,10 @@ if [ ! -f "$squash_img" ] || [ -z "$boot_files" ]; then
 fi
 fi
-target_squash=$WRITE_ROOT/boot/$version/$version.squashfs
+target_squash=$WRITE_ROOT/boot/$image_name/$version.squashfs
 cp -p $squash_img $target_squash
 echo Copying kernel and initrd images...
-cp -dp $boot_files $WRITE_ROOT/boot/$version/
+cp -dp $boot_files $WRITE_ROOT/boot/$image_name/
 # set up union root for postinst
 mkdir -p $INST_ROOT $READ_ROOT
diff --git a/scripts/install/install-postinst-new b/scripts/install/install-postinst-new
index 65c6cd7f..c96f5657 100755
--- a/scripts/install/install-postinst-new
+++ b/scripts/install/install-postinst-new
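Review bot: The image-name prompt and the reserved-name test here are a line-for-line copy of the block added to install-image-existing in this commit, so the two lists (and the missing character-set check) will drift apart; these scripts already share `get_response`/`failure_exit`, which suggests a common include where a single `validate_image_name` helper could live. As in the sibling script, the typed name is then expanded unquoted in `mkdir -p $WRITE_ROOT/boot/$image_name` and `rw_dir=…`, so a name containing a space or `/` creates stray directories; at minimum quote the expansions, `mkdir -p "$WRITE_ROOT/boot/$image_name"`, and restrict the name to `[A-Za-z0-9.-]` to match the grub rewrite in install-image-existing. The squashfs inside the directory keeps `$version.squashfs` while the directory takes `$image_name`; that asymmetry is fine but merits a `# directory is the user-chosen name; the squashfs keeps the release version` comment.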
@@ -133,9 +133,13 @@ if [ -z "$version" ]; then
 exit 1
 fi
+array=( $WRITE_ROOT/boot/* )
+image_name=${array[0]}
+image_name=${image_name#$WRITE_ROOT/boot/}
+
 # these are the defaults for "union"
 grub_root=$WRITE_ROOT
-grub_setup_args="-u $version"
+grub_setup_args="-u $image_name"
 if [ "$INSTALL_TYPE" == 'old' ]; then
 grub_root=$INST_ROOT
 grub_setup_args="-v $version"
diff --git a/scripts/keepalived/vyatta-keepalived.pl b/scripts/keepalived/vyatta-keepalived.pl
index e87c9f64..d06b9e36 100755
--- a/scripts/keepalived/vyatta-keepalived.pl
+++ b/scripts/keepalived/vyatta-keepalived.pl
@@ -1,12 +1,12 @@
 #!/usr/bin/perl
 #
 # Module: vyatta-keepalived.pl
-#
+#
 # **** License ****
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 as
 # published by the Free Software Foundation.
-#
+#
 # This program is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
@@ -15,11 +15,11 @@
 # This code was originally developed by Vyatta, Inc.
 # Portions created by Vyatta are Copyright (C) 2007-2009 Vyatta, Inc.
 # All Rights Reserved.
-#
+#
 # Author: Stig Thormodsrud
 # Date: October 2007
 # Description: Script to glue vyatta cli to keepalived daemon
-#
+#
 # **** End License ****
 #
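Review bot: `image_name` is derived from the first match of the `$WRITE_ROOT/boot/*` glob, which is fragile: with no match bash yields the literal pattern, and if `boot/` already holds an entry that sorts earlier (a `grub` directory, a leftover image) grub is set up for the wrong name. install-image-new chose the name interactively, so the robust fix is to hand it over explicitly (an exported variable or an argument to this script) and use the glob only as a fallback; at minimum guard the lookup with `[ -d "${array[0]}" ] || { echo 'Cannot determine image directory. Exiting...'; exit 1; }`. A comment such as `# install-image-new has created exactly one image dir under boot/ at this point` would record the assumption the glob depends on.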
@@ -28,445 +28,506 @@ use Vyatta::Config; use Vyatta::Keepalived; use Vyatta::TypeChecker; use Vyatta::Interface; +use Vyatta::ConntrackSync; use Vyatta::Misc; use Getopt::Long; use strict; use warnings; -my ($action, $vrrp_intf, $vrrp_group, $vrrp_vip); -my ($conf_file, $changes_file); +my ( $action, $vrrp_intf, $vrrp_group, $vrrp_vip, $ctsync ); +my ( $conf_file, $changes_file ); my %HoA_sync_groups; +my $ctsync_script = "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh"; sub validate_source_addr { - my ($ifname, $source_addr) = @_; - - my @ipaddrs; - if (defined $source_addr) { - my %config_ipaddrs; - my @ipaddrs = Vyatta::Misc::getInterfacesIPadresses('all'); - foreach my $ip (@ipaddrs) { - if ($ip =~ /^([\d.]+)\/([\d.]+)$/) { # strip /mask - $config_ipaddrs{$1} = 1; - } - } - if (!defined $config_ipaddrs{$source_addr}) { - vrrp_log("no hello-source"); - return "hello-source-address [$source_addr] must be " . - "configured on the interface\n"; - } - return; + my ( $ifname, $source_addr ) = @_; + + my @ipaddrs; + if ( defined $source_addr ) { + my %config_ipaddrs; + my @ipaddrs = Vyatta::Misc::getInterfacesIPadresses('all'); + foreach my $ip (@ipaddrs) { + if ( $ip =~ /^([\d.]+)\/([\d.]+)$/ ) { # strip /mask + $config_ipaddrs{$1} = 1; + } } - # if the hello-source-address wasn't configured, check that the - # interface has an IPv4 address configured on it. - my $intf = new Vyatta::Interface($ifname); - @ipaddrs = $intf->address(4); - if (scalar(@ipaddrs) < 1) { - vrrp_log("no primary or hello-source"); - return "must configure either a primary address on [$ifname] or" . - " a hello-source-address\n"; + if ( !defined $config_ipaddrs{$source_addr} ) { + vrrp_log("no hello-source"); + return "hello-source-address [$source_addr] must be " + . "configured on the interface\n"; } return; + } + + # if the hello-source-address wasn't configured, check that the + # interface has an IPv4 address configured on it. 
+ my $intf = new Vyatta::Interface($ifname); + @ipaddrs = $intf->address(4); + if ( scalar(@ipaddrs) < 1 ) { + vrrp_log("no primary or hello-source"); + return "must configure either a primary address on [$ifname] or" + . " a hello-source-address\n"; + } + return; +} + +sub get_ctsync_syncgrp { + my ($origfunc) = @_; + my $failover_sync_grp = undef; + + my $listnodesfunc = "listNodes"; + my $returnvalfunc = "returnValue"; + if ( defined $origfunc ) { + $listnodesfunc = "listOrigNodes"; + $returnvalfunc = "returnOrigValue"; + } + + my @failover_mechanism = + Vyatta::ConntrackSync::get_conntracksync_val( $listnodesfunc, + "failover-mechanism" ); + + if ( defined $failover_mechanism[0] && $failover_mechanism[0] eq 'vrrp' ) { + $failover_sync_grp = + Vyatta::ConntrackSync::get_conntracksync_val( $returnvalfunc, + "failover-mechanism $failover_mechanism[0] vrrp-sync-group" ); + } + return $failover_sync_grp; } sub keepalived_get_values { - my ($intf, $path) = @_; - - my @errs = (); - my $output = ''; - my $config = new Vyatta::Config; - - my $state_transition_script = get_state_script(); - - vrrp_log("keepalived_get_values [$intf][$path]"); - $config->setLevel("$path vrrp vrrp-group"); - my @groups = $config->listNodes(); - foreach my $group (@groups) { - my $vrrp_instance = "vyatta-$intf-$group"; - $config->setLevel("$path vrrp vrrp-group $group"); - if ($config->exists("disable")) { - vrrp_log("$vrrp_instance disabled - skipping"); - my $state_file = get_state_file($intf, $group); - system("rm -f $state_file"); - next; - } - my @vips = $config->returnValues("virtual-address"); - my $num_vips = scalar(@vips); - if ($num_vips == 0) { - push @errs, "must define a virtual-address for vrrp-group $group\n"; - next; - } - if ($num_vips > 20) { - push @errs, "can not set more than 20 VIPs per group\n"; - next - } - my $priority = $config->returnValue("priority"); - if (!defined $priority) { - $priority = 1; - } - my $preempt = $config->returnValue("preempt"); - if (!defined 
$preempt) { - $preempt = "true"; - } - my $preempt_delay = $config->returnValue("preempt-delay"); - if (defined $preempt_delay and $preempt eq "false") { - print "Warning: preempt delay is ignored when preempt=false\n"; - } - my $advert_int = $config->returnValue("advertise-interval"); - if (!defined $advert_int) { - $advert_int = 1; - } - my $sync_group = $config->returnValue("sync-group"); - if (defined $sync_group && $sync_group ne "") { - push @{ $HoA_sync_groups{$sync_group} }, $vrrp_instance; - } - my $hello_source_addr = $config->returnValue("hello-source-address"); - my $err = validate_source_addr($intf, $hello_source_addr); - if (defined $err) { - push @errs, $err; - next; - } - - $config->setLevel("$path vrrp vrrp-group $group authentication"); - my $auth_type = $config->returnValue("type"); - my $auth_pass; - if (defined $auth_type) { - $auth_type = "PASS" if $auth_type eq "simple"; - $auth_type = uc($auth_type); - $auth_pass = $config->returnValue("password"); - if (! defined $auth_pass) { - push @errs, "vrrp authentication password not set\n"; - next; - } - } - - $config->setLevel("$path vrrp vrrp-group $group run-transition-scripts"); - my $run_backup_script = $config->returnValue("backup"); - if(!defined $run_backup_script){ - $run_backup_script = "null"; - } - my $run_fault_script = $config->returnValue("fault"); - if(!defined $run_fault_script){ - $run_fault_script = "null"; - } - my $run_master_script = $config->returnValue("master"); - if(!defined $run_master_script){ - $run_master_script = "null"; - } + my ( $intf, $path ) = @_; + + my @errs = (); + my $output = ''; + my $config = new Vyatta::Config; + + my $state_transition_script = get_state_script(); + + vrrp_log("keepalived_get_values [$intf][$path]"); + $config->setLevel("$path vrrp vrrp-group"); + my @groups = $config->listNodes(); + foreach my $group (@groups) { + my $vrrp_instance = "vyatta-$intf-$group"; + $config->setLevel("$path vrrp vrrp-group $group"); + if ( 
$config->exists("disable") ) { + vrrp_log("$vrrp_instance disabled - skipping"); + my $state_file = get_state_file( $intf, $group ); + system("rm -f $state_file"); + next; + } + my @vips = $config->returnValues("virtual-address"); + my $num_vips = scalar(@vips); + if ( $num_vips == 0 ) { + push @errs, "must define a virtual-address for vrrp-group $group\n"; + next; + } + if ( $num_vips > 20 ) { + push @errs, "can not set more than 20 VIPs per group\n"; + next; + } + my $priority = $config->returnValue("priority"); + if ( !defined $priority ) { + $priority = 1; + } + my $preempt = $config->returnValue("preempt"); + if ( !defined $preempt ) { + $preempt = "true"; + } + my $preempt_delay = $config->returnValue("preempt-delay"); + if ( defined $preempt_delay and $preempt eq "false" ) { + print "Warning: preempt delay is ignored when preempt=false\n"; + } + my $advert_int = $config->returnValue("advertise-interval"); + if ( !defined $advert_int ) { + $advert_int = 1; + } + my $sync_group = $config->returnValue("sync-group"); + if ( defined $sync_group && $sync_group ne "" ) { + push @{ $HoA_sync_groups{$sync_group} }, $vrrp_instance; + } + my $hello_source_addr = $config->returnValue("hello-source-address"); + my $err = validate_source_addr( $intf, $hello_source_addr ); + if ( defined $err ) { + push @errs, $err; + next; + } + + $config->setLevel("$path vrrp vrrp-group $group authentication"); + my $auth_type = $config->returnValue("type"); + my $auth_pass; + if ( defined $auth_type ) { + $auth_type = "PASS" if $auth_type eq "simple"; + $auth_type = uc($auth_type); + $auth_pass = $config->returnValue("password"); + if ( !defined $auth_pass ) { + push @errs, "vrrp authentication password not set\n"; + next; + } + } - # We now have the values and have validated them, so - # generate the config. 
- - $output .= "vrrp_instance $vrrp_instance \{\n"; - my $init_state; - $init_state = vrrp_get_init_state($intf, $group, $vips[0], $preempt); - $output .= "\tstate $init_state\n"; - $output .= "\tinterface $intf\n"; - $output .= "\tvirtual_router_id $group\n"; - $output .= "\tpriority $priority\n"; - if ($preempt eq "false") { - $output .= "\tnopreempt\n"; - } - if (defined $preempt_delay) { - $output .= "\tpreempt_delay $preempt_delay\n"; - } - $output .= "\tadvert_int $advert_int\n"; - if (defined $auth_type) { - $output .= "\tauthentication {\n"; - $output .= "\t\tauth_type $auth_type\n"; - $output .= "\t\tauth_pass $auth_pass\n\t}\n"; - } - if (defined $hello_source_addr) { - $output .= "\tmcast_src_ip $hello_source_addr\n"; - } - $output .= "\tvirtual_ipaddress \{\n"; - foreach my $vip (@vips) { - $output .= "\t\t$vip\n"; - } - $output .= "\t\}\n"; - $output .= "\tnotify_master \"$state_transition_script master "; - $output .= "$intf $group $run_master_script @vips\" \n"; - $output .= "\tnotify_backup \"$state_transition_script backup "; - $output .= "$intf $group $run_backup_script @vips\" \n"; - $output .= "\tnotify_fault \"$state_transition_script fault "; - $output .= "$intf $group $run_fault_script @vips\" \n"; - $output .= "\}\n\n"; + $config->setLevel("$path vrrp vrrp-group $group run-transition-scripts"); + my $run_backup_script = $config->returnValue("backup"); + if ( !defined $run_backup_script ) { + $run_backup_script = "null"; + } + my $run_fault_script = $config->returnValue("fault"); + if ( !defined $run_fault_script ) { + $run_fault_script = "null"; + } + my $run_master_script = $config->returnValue("master"); + if ( !defined $run_master_script ) { + $run_master_script = "null"; } - return ($output, @errs); + # We now have the values and have validated them, so + # generate the config. 
+ + $output .= "vrrp_instance $vrrp_instance \{\n"; + my $init_state; + if ( defined $ctsync ) { + + # check if this group is part of conntrack-sync vrrp-sync-group + my $ctsync_syncgrp = get_ctsync_syncgrp(); + my $vrrpsyncgrp = + list_vrrp_sync_group( $intf, $group, 'returnOrigPlusComValue' ); + if ( defined $ctsync_syncgrp + && defined $vrrpsyncgrp + && ( $ctsync_syncgrp eq $vrrpsyncgrp ) ) + { + $init_state = 'BACKUP'; + } else { + $init_state = vrrp_get_init_state( $intf, $group, $vips[0], $preempt ); + } + } else { + $init_state = vrrp_get_init_state( $intf, $group, $vips[0], $preempt ); + } + $output .= "\tstate $init_state\n"; + $output .= "\tinterface $intf\n"; + $output .= "\tvirtual_router_id $group\n"; + $output .= "\tpriority $priority\n"; + if ( $preempt eq "false" ) { + $output .= "\tnopreempt\n"; + } + if ( defined $preempt_delay ) { + $output .= "\tpreempt_delay $preempt_delay\n"; + } + $output .= "\tadvert_int $advert_int\n"; + if ( defined $auth_type ) { + $output .= "\tauthentication {\n"; + $output .= "\t\tauth_type $auth_type\n"; + $output .= "\t\tauth_pass $auth_pass\n\t}\n"; + } + if ( defined $hello_source_addr ) { + $output .= "\tmcast_src_ip $hello_source_addr\n"; + } + $output .= "\tvirtual_ipaddress \{\n"; + foreach my $vip (@vips) { + $output .= "\t\t$vip\n"; + } + $output .= "\t\}\n"; + $output .= "\tnotify_master \"$state_transition_script master "; + $output .= "$intf $group $run_master_script @vips\" \n"; + $output .= "\tnotify_backup \"$state_transition_script backup "; + $output .= "$intf $group $run_backup_script @vips\" \n"; + $output .= "\tnotify_fault \"$state_transition_script fault "; + $output .= "$intf $group $run_fault_script @vips\" \n"; + $output .= "\}\n\n"; + } + + return ( $output, @errs ); } sub vrrp_get_sync_groups { - - my $output = ""; - - foreach my $sync_group ( keys %HoA_sync_groups) { - $output .= "vrrp_sync_group $sync_group \{\n\tgroup \{\n"; - foreach my $vrrp_instance ( 0 .. 
$#{ $HoA_sync_groups{$sync_group} } ) { - $output .= "\t\t$HoA_sync_groups{$sync_group}[$vrrp_instance]\n"; - } - $output .= "\t\}\n\}\n"; + + my $output = ""; + + foreach my $sync_group ( keys %HoA_sync_groups ) { + $output .= "vrrp_sync_group $sync_group \{\n\tgroup \{\n"; + foreach my $vrrp_instance ( 0 .. $#{ $HoA_sync_groups{$sync_group} } ) { + $output .= "\t\t$HoA_sync_groups{$sync_group}[$vrrp_instance]\n"; + } + $output .= "\t\}\n"; + + ## add conntrack-sync part here if configured ## + my $origfunc = undef; + $origfunc = 'true' if !defined $ctsync; + my $failover_sync_grp = get_ctsync_syncgrp($origfunc); + if ( defined $failover_sync_grp && $failover_sync_grp eq $sync_group ) { + $output .= "\tnotify_master \"$ctsync_script master $sync_group\"\n"; + $output .= "\tnotify_backup \"$ctsync_script backup $sync_group\"\n"; + $output .= "\tnotify_fault \"$ctsync_script fault $sync_group\"\n"; } - return $output; + $output .= "\}\n"; + } + return $output; } sub vrrp_read_changes { - my @lines = (); - open(my $FILE, "<", $changes_file) or die "Error: read $!"; - @lines = <$FILE>; - close($FILE); - chomp @lines; - return @lines; + my @lines = (); + return @lines if !-e $changes_file; + open( my $FILE, "<", $changes_file ) or die "Error: read $!"; + @lines = <$FILE>; + close($FILE); + chomp @lines; + return @lines; } sub vrrp_save_changes { - my @list = @_; + my @list = @_; - my $num_changes = scalar(@list); - vrrp_log("saving changes file $num_changes"); - open(my $FILE, ">", $changes_file) or die "Error: write $!"; - print $FILE join("\n", @list), "\n"; - close($FILE); + my $num_changes = scalar(@list); + vrrp_log("saving changes file $num_changes"); + open( my $FILE, ">", $changes_file ) or die "Error: write $!"; + print $FILE join( "\n", @list ), "\n"; + close($FILE); } sub vrrp_find_changes { - my @list = (); - my $config = new Vyatta::Config; - my $vrrp_instances = 0; - - foreach my $name ( getInterfaces() ) { - my $intf = new Vyatta::Interface($name); - 
next unless $intf; - my $path = $intf->path(); - $config->setLevel($path); - if ($config->exists("vrrp")) { - my %vrrp_status_hash = $config->listNodeStatus("vrrp"); - my ($vrrp, $vrrp_status) = each(%vrrp_status_hash); - if ($vrrp_status ne "static") { - push @list, $name; - vrrp_log("$vrrp_status found $name"); - } - } - - # - # Now look for deleted from the origin tree - # - $config->setLevel($path); - if ($config->isDeleted("vrrp")) { - push @list, $name; - vrrp_log("Delete found $name"); - } - + my @list = (); + my $config = new Vyatta::Config; + my $vrrp_instances = 0; + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); + $config->setLevel($path); + if ( $config->exists("vrrp") ) { + my %vrrp_status_hash = $config->listNodeStatus("vrrp"); + my ( $vrrp, $vrrp_status ) = each(%vrrp_status_hash); + if ( $vrrp_status ne "static" ) { + push @list, $name; + vrrp_log("$vrrp_status found $name"); + } } - my $num = scalar(@list); - vrrp_log("Start transation: $num changes"); - if ($num) { - vrrp_save_changes(@list); + # + # Now look for deleted from the origin tree + # + $config->setLevel($path); + if ( $config->isDeleted("vrrp") ) { + push @list, $name; + vrrp_log("Delete found $name"); } - return $num; + + } + + my $num = scalar(@list); + vrrp_log("Start transation: $num changes"); + if ($num) { + vrrp_save_changes(@list); + } + return $num; } sub remove_from_changes { - my $intf = shift; - - my @lines = vrrp_read_changes(); - if (scalar(@lines) < 1) { - # - # we shouldn't get to this point, but try to handle it if we do - # - vrrp_log("unexpected remove_from_changes()"); - system("rm -f $changes_file"); - return 0; - } - my @new_lines = (); - foreach my $line (@lines) { - if ($line =~ /$intf$/) { - vrrp_log("remove_from_changes [$line]"); - } else { - push @new_lines, $line; - } - } - - my $num_changes = scalar(@new_lines); - if ($num_changes > 0) { - vrrp_save_changes(@new_lines); + 
my $intf = shift; + + my @lines = vrrp_read_changes(); + if ( scalar(@lines) < 1 ) { + + # + # we shouldn't get to this point, but try to handle it if we do + # + vrrp_log("unexpected remove_from_changes()"); + system("rm -f $changes_file"); + return 0; + } + my @new_lines = (); + foreach my $line (@lines) { + if ( $line =~ /$intf$/ ) { + vrrp_log("remove_from_changes [$line]"); } else { - system("rm -f $changes_file"); + push @new_lines, $line; } - return $num_changes; + } + + my $num_changes = scalar(@new_lines); + if ( $num_changes > 0 ) { + vrrp_save_changes(@new_lines); + } else { + system("rm -f $changes_file"); + } + return $num_changes; } sub vrrp_update_config { - my ($intf) = @_; - - my @errs = (); - my $date = localtime(); - my $output = "#\n# autogenerated by $0 on $date\n#\n\n"; - - my $config = new Vyatta::Config; - my $vrrp_instances = 0; - - foreach my $name ( getInterfaces() ) { - my $intf = new Vyatta::Interface($name); - next unless $intf; - my $path = $intf->path(); - $config->setLevel($path); - if ($config->exists("vrrp")) { - # - # keepalived gets real grumpy with interfaces that - # don't exist, so skip vlans that haven't been - # instantiated yet (typically occurs at boot up). - # - if (!(-d "/sys/class/net/$name")) { - push @errs, "$name doesn't exist"; - next; - } - my ($inst_output, @inst_errs) = - keepalived_get_values($name, $path); - if (scalar(@inst_errs)) { - push @errs, @inst_errs; - } else { - $output .= $inst_output; - $vrrp_instances++; - } - } - } - - if ($vrrp_instances > 0) { - my $sync_groups = vrrp_get_sync_groups(); - if (defined $sync_groups && $sync_groups ne "") { - $output = $sync_groups . 
$output; - } - keepalived_write_file($conf_file, $output); - } - return ($vrrp_instances, @errs); -} -sub keepalived_write_file { - my ($file, $data) = @_; + my @errs = (); + my $date = localtime(); + my $output = "#\n# autogenerated by $0 on $date\n#\n\n"; - open(my $fh, '>', $file) || die "Couldn't open $file - $!"; - print $fh $data; - close $fh; -} + my $config = new Vyatta::Config; + my $vrrp_instances = 0; -sub list_vrrp_intf { - my $config = new Vyatta::Config; - my @intfs = (); - - foreach my $name ( getInterfaces() ) { - my $intf = new Vyatta::Interface($name); - next unless $intf; - my $path = $intf->path(); - $config->setLevel($path); - push @intfs, $name if $config->existsOrig("vrrp"); + foreach my $name ( getInterfaces() ) { + my $intf = new Vyatta::Interface($name); + next unless $intf; + my $path = $intf->path(); + $config->setLevel($path); + if ( $config->exists("vrrp") ) { + + # + # keepalived gets real grumpy with interfaces that + # don't exist, so skip vlans that haven't been + # instantiated yet (typically occurs at boot up). + # + if ( !( -d "/sys/class/net/$name" ) ) { + push @errs, "$name doesn't exist"; + next; + } + my ( $inst_output, @inst_errs ) = keepalived_get_values( $name, $path ); + if ( scalar(@inst_errs) ) { + push @errs, @inst_errs; + } else { + $output .= $inst_output; + $vrrp_instances++; + } } + } - return @intfs; + if ( $vrrp_instances > 0 ) { + my $sync_groups = vrrp_get_sync_groups(); + if ( defined $sync_groups && $sync_groups ne "" ) { + $output = $sync_groups . 
$output; + } + keepalived_write_file( $conf_file, $output ); + } + return ( $vrrp_instances, @errs ); } -sub list_vrrp_group { - my ($name) = @_; - my $config = new Vyatta::Config; - my $path; +sub keepalived_write_file { + my ( $file, $data ) = @_; - my $intf = new Vyatta::Interface($name); - next unless $intf; - $path = $intf->path(); - $path .= " vrrp vrrp-group"; - $config->setLevel($path); - my @groups = $config->listOrigNodes(); - return @groups; + open( my $fh, '>', $file ) || die "Couldn't open $file - $!"; + print $fh $data; + close $fh; } - # # main # -GetOptions("vrrp-action=s" => \$action, - "intf=s" => \$vrrp_intf, - "group=s" => \$vrrp_group, - "vip=s" => \$vrrp_vip); - -if (! defined $action) { - print "no action\n"; - exit 1; +GetOptions( + "vrrp-action=s" => \$action, + "intf=s" => \$vrrp_intf, + "group=s" => \$vrrp_group, + "vip=s" => \$vrrp_vip, + "ctsync=s" => \$ctsync, +); + +if ( !defined $action ) { + print "no action\n"; + exit 1; } -if ($action eq "update") { - $changes_file = get_changes_file(); - $conf_file = get_conf_file(); - vrrp_log("vrrp update $vrrp_intf"); - if ( ! -e $changes_file) { - my $num_changes = vrrp_find_changes(); - if ($num_changes == 0) { - # - # Shouldn't happen, but ... 
- # - vrrp_log("unexpected 0 changes"); - } - } - my ($vrrp_instances, @errs) = vrrp_update_config($vrrp_intf); - my $more_changes = remove_from_changes($vrrp_intf); - vrrp_log(" instances $vrrp_instances, $more_changes"); - if ($vrrp_instances > 0 and $more_changes == 0) { - restart_daemon($conf_file); - } - if ($vrrp_instances == 0) { - stop_daemon(); - system("rm -f $conf_file"); +if ( !defined $ctsync ) { + + # make sure sync-group used by ctsync has not been deleted + + my $failover_sync_grp = get_ctsync_syncgrp(); + if ( defined $failover_sync_grp ) { + + # make sure vrrp-sync-group exists + my $sync_grp_exists = 'false'; + my @vrrp_intfs = list_vrrp_intf('exists'); + foreach my $vrrp_intf (@vrrp_intfs) { + my @vrrp_groups = list_vrrp_group( $vrrp_intf, 'listNodes' ); + foreach my $vrrp_group (@vrrp_groups) { + my $sync_grp = + list_vrrp_sync_group( $vrrp_intf, $vrrp_group, 'returnValue' ); + if ( defined $sync_grp && $sync_grp eq "$failover_sync_grp" ) { + $sync_grp_exists = 'true'; + last; + } + } + last if $sync_grp_exists eq 'true'; } - if (scalar(@errs)) { - print join("\n", @errs); - vrrp_log(join("\n", @errs)); - exit 1 + + if ( $sync_grp_exists eq 'false' ) { + print "sync-group $failover_sync_grp used for conntrack-sync" + . " is either deleted or undefined\n"; + exit 1; } - exit 0; + } + } -if ($action eq "delete") { - if (! defined $vrrp_intf || ! defined $vrrp_group) { - print "must include interface & group"; - exit 1; +if ( $action eq "update" ) { + $changes_file = get_changes_file(); + $conf_file = get_conf_file(); + vrrp_log("vrrp update $vrrp_intf") if defined $vrrp_intf; + vrrp_log("vrrp update conntrack-sync") if defined $ctsync; + if ( !-e $changes_file ) { + my $num_changes = vrrp_find_changes(); + if ( $num_changes == 0 ) { + + # + # Shouldn't happen, but ... 
+ # + vrrp_log("unexpected 0 changes"); } - vrrp_log("vrrp delete $vrrp_intf $vrrp_group"); - my $state_file = get_state_file($vrrp_intf, $vrrp_group); - system("rm -f $state_file"); - exit 0; + } + my ( $vrrp_instances, @errs ) = vrrp_update_config(); + my $more_changes = 0; + $more_changes = remove_from_changes($vrrp_intf) if !defined $ctsync; + vrrp_log(" instances $vrrp_instances, $more_changes"); + if ( $vrrp_instances > 0 and $more_changes == 0 ) { + restart_daemon($conf_file); + } + if ( $vrrp_instances == 0 ) { + stop_daemon(); + system("rm -f $conf_file"); + } + if ( scalar(@errs) ) { + print join( "\n", @errs ); + vrrp_log( join( "\n", @errs ) ); + exit 1; + } + exit 0; } -if ($action eq "check-vip") { - if (! defined $vrrp_vip) { - print "must include the virtual-address to check"; - exit 1; - } - my $rc = 1; - if ($vrrp_vip =~ /\//) { - $rc = Vyatta::TypeChecker::validateType('ipv4net', $vrrp_vip, 1); - } else { - $rc = Vyatta::TypeChecker::validateType('ipv4', $vrrp_vip, 1); - } - exit 1 if ! $rc; - exit 0; +if ( $action eq "delete" ) { + if ( !defined $vrrp_intf || !defined $vrrp_group ) { + print "must include interface & group"; + exit 1; + } + vrrp_log("vrrp delete $vrrp_intf $vrrp_group"); + my $state_file = get_state_file( $vrrp_intf, $vrrp_group ); + system("rm -f $state_file"); + exit 0; } -if ($action eq "list-vrrp-intf") { - my @intfs = list_vrrp_intf(); - print join(' ', @intfs); - exit 0; +if ( $action eq "check-vip" ) { + if ( !defined $vrrp_vip ) { + print "must include the virtual-address to check"; + exit 1; + } + my $rc = 1; + if ( $vrrp_vip =~ /\// ) { + $rc = Vyatta::TypeChecker::validateType( 'ipv4net', $vrrp_vip, 1 ); + } else { + $rc = Vyatta::TypeChecker::validateType( 'ipv4', $vrrp_vip, 1 ); + } + exit 1 if !$rc; + exit 0; } -if ($action eq "list-vrrp-group") { - if (! 
defined $vrrp_intf) { - print "must include interface\n"; - exit 1; - } - my @groups = list_vrrp_group($vrrp_intf); - print join(' ', @groups); - exit 0; +if ( $action eq "list-vrrp-intf" ) { + my @intfs = list_vrrp_intf(); + print join( ' ', @intfs ); + exit 0; +} + +if ( $action eq "list-vrrp-group" ) { + if ( !defined $vrrp_intf ) { + print "must include interface\n"; + exit 1; + } + my @groups = list_vrrp_group($vrrp_intf); + print join( ' ', @groups ); + exit 0; } exit 0; diff --git a/scripts/rl-system.init b/scripts/rl-system.init index d95fcafa..fd5b9eea 100755 --- a/scripts/rl-system.init +++ b/scripts/rl-system.init @@ -173,7 +173,9 @@ security_reset () { # restore PAM back to virgin state (no radius other services) rm -f /etc/pam_radius_auth.conf if grep -q radius /etc/pam.d/common-auth - then pam-auth-update --remove radius + then + pam-auth-update --package --remove radius + rm /usr/share/pam-configs/radius fi # Disable root login with ssh diff --git a/scripts/snmp/vyatta-snmp.pl b/scripts/snmp/vyatta-snmp.pl index 3adb37b7..a3be64ad 100644 --- a/scripts/snmp/vyatta-snmp.pl +++ b/scripts/snmp/vyatta-snmp.pl @@ -26,6 +26,7 @@ use lib "/opt/vyatta/share/perl5/"; use Vyatta::Config; use Vyatta::Misc; +use NetAddr::IP; use Getopt::Long; use File::Copy; @@ -40,6 +41,7 @@ my $snmp_tmp = "/tmp/snmpd.conf.$$"; my $snmp_snmpv3_user_conf = '/usr/share/snmp/snmpd.conf'; my $snmp_snmpv3_createuser_conf = '/var/lib/snmp/snmpd.conf'; my $versionfile = '/opt/vyatta/etc/version'; +my $local_agent = 'unix:/var/run/snmpd.socket'; my $snmp_level = 'service snmp'; @@ -60,7 +62,7 @@ sub snmp_start { snmp_get_values(); close $fh; select STDOUT; - + snmp_client_config(); move($snmp_tmp, $snmp_conf) 
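Review bot: The new `rm /usr/share/pam-configs/radius` line in security_reset has no `-f`, so a second run, or a run on a system where the radius profile was never installed, fails on that line; if the init script runs with errexit (not visible here) the remainder of the reset, including the root-login hardening that follows, is skipped. Make the reset idempotent with `rm -f /usr/share/pam-configs/radius`. A short comment would also help, since the ordering is deliberate: `pam-auth-update --package --remove radius` rewrites common-auth first, and deleting the profile afterwards presumably keeps a later pam-auth-update run from re-selecting the radius stack. The security_reset function continues outside this hunk.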
@@ -85,14 +87,60 @@ sub get_version { return $version; } +# convert address to snmpd transport syntax +sub transport_syntax { + my ($addr, $port) = @_; + my $ip = new NetAddr::IP $addr; + die "$addr: not a valid IP address" unless $ip; + + my $version = $ip->version(); + return "udp:$addr:$port" if ($version == 4); + return "udp6:[$addr]:$port" if ($version == 6); + die "$addr: unknown IP version $version"; +} + +sub ipv6_disabled { + my $config = new Vyatta::Config; + return $config->exists("system ipv6 disable"); +} + +# Find SNMP agent listening addresses +sub get_listen_address { + my $config = new Vyatta::Config; + my @listen; + + $config->setLevel('service snmp listen-address'); + my @address = $config->listNodes(); + + if(@address) { + foreach my $addr (@address) { + my $port = $config->returnValue("$addr port"); + push @listen, transport_syntax($addr, $port); + } + } else { + # default if no address specified + @listen = ( 'udp:161' ); + push @listen, 'udp6:161' unless ipv6_disabled(); + return @listen; + } + + return @listen; +} + sub snmp_get_constants { my $version = get_version(); my $now = localtime; + my @addr = get_listen_address(); + + # add local unix domain target for use by operational commands + unshift @addr, $local_agent; print "# autogenerated by vyatta-snmp.pl on $now\n"; print "sysDescr Vyatta $version\n"; print "sysObjectID 1.3.6.1.4.1.30803\n"; print "sysServices 14\n"; + print "agentaddress ", join(',',@addr), "\n"; + print "smuxpeer .1.3.6.1.4.1.3317.1.2.2\n"; # ospfd print "smuxpeer .1.3.6.1.4.1.3317.1.2.5\n"; # bgpd print "smuxpeer .1.3.6.1.4.1.3317.1.2.3\n"; # ripd 
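Review bot: In get_listen_address the port read by `$config->returnValue("$addr port")` is handed to transport_syntax unchecked, so a listen-address node with no port (unless the template supplies a default, which is not visible here) yields a malformed `udp:ADDR:` agentaddress that snmpd will most likely reject at startup. Guard it right after the returnValue call: `$port = 161 unless defined $port && $port ne '';`. The else branch is the security-relevant default: with no listen-address configured the agent binds `udp:161` and `udp6:161` on every interface, which deserves a comment such as `# no listen-address configured: bind all interfaces (both families unless ipv6 is disabled)` so operators know which knob narrows the exposure. The `return @listen;` inside that else branch duplicates the final return and can be dropped.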
@@ -106,44 +154,43 @@ sub randhex { return join "", map { unpack "H*", chr(rand(256)) } 1..($length/2); } +# output snmpd.conf file syntax for community +sub print_community { + my ($config, $community) = @_; + my $ro = $config->returnValue('authorization'); + $ro = 'ro' unless $ro; + + my @clients = $config->returnValues('client'); + my @networks = $config->returnValues('network'); + + my @restriction = (@clients, @networks); + if (!@restriction) { + print $ro . "community $community\n"; + print $ro . "community6 $community\n" unless ipv6_disabled(); + return; + } + + foreach my $addr (@restriction) { + my $ip = new NetAddr::IP $addr; + die "$addr: Not a valid IP address" unless $ip; + + if ($ip->version() == 4) { + print $ro . "community $community $addr\n"; + } elsif ($ip->version() == 6) { + print $ro . "community6 $community $addr\n"; + } else { + die "$addr: bad IP version ", $ip->version(); + } + } +} + sub snmp_get_values { my $config = new Vyatta::Config; - $config->setLevel("service snmp community"); - my @communities = $config->listNodes(); - + my @communities = $config->listNodes("service snmp community"); foreach my $community (@communities) { - my $authorization = $config->returnValue("$community authorization"); - my @clients = $config->returnValues("$community client"); - my @networks = $config->returnValues("$community network"); - - if (scalar(@clients) == 0 and scalar(@networks) == 0){ - if (defined $authorization and $authorization eq "rw") { - print "rwcommunity $community\n"; - } else { - print "rocommunity $community\n"; - } - } else { - if (scalar(@clients) != 0) { - foreach my $client (@clients){ - if (defined $authorization and $authorization eq "rw") { - print "rwcommunity $community $client\n"; - } else { - print "rocommunity $community $client\n"; - } - } - } - if (scalar(@networks) != 0){ - foreach my $network (@networks){ - if (defined $authorization and $authorization eq "rw") { - print "rwcommunity $community $network\n"; - } else { 
- print "rocommunity $community $network\n"; - } - - } - } - } + $config->setLevel("service snmp community $community"); + print_community($config, $community); } $config->setLevel($snmp_level); diff --git a/scripts/system/vyatta_update_resolv.pl b/scripts/system/vyatta_update_resolv.pl index 7f2b84b2..a4e2b9ba 100755 --- a/scripts/system/vyatta_update_resolv.pl +++ b/scripts/system/vyatta_update_resolv.pl @@ -134,10 +134,11 @@ if ($dhclient_script == 1) { } } if ($ns_in_resolvconf == 0) { - open (APPEND, ">>/etc/resolv.conf") or die "$! error trying to overwrite"; - print APPEND "nameserver\t$ns\t\t#nameserver written by $0\n"; - close (APPEND); - $restart_ntp = 1; + open (my $rf, '>>', '/etc/resolv.conf') + or die "$! error trying to overwrite"; + print $rf "nameserver\t$ns\t\t#nameserver written by $0\n"; + close $rf; + $restart_ntp = 1; } } } 
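Review bot: print_community concatenates whatever `authorization` returns straight into the directive name (`$ro . "community"`), whereas the replaced code emitted `rw` only for an exact "rw" and fell back to `ro` for anything else; any other stored value now produces an unknown directive and the generated snmpd.conf fails to load. Unless the template already constrains the value, validate it right after the fallback: `die "$community: authorization must be ro or rw\n" unless $ro eq 'ro' || $ro eq 'rw';`. The unrestricted branch (no client and no network) grants the community from any source address, read-write when `$ro` is rw; a one-line comment there, `# no client/network restriction: community accepted from any address`, makes that consequence visible to the next maintainer.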
@@ -190,37 +191,40 @@ if ($dhclient_script == 1) { my @resolv; if (-e '/etc/resolv.conf') { - open (RESOLV, '</etc/resolv.conf') or die("$0: Error! Unable to open '/etc/resolv.conf' for input: $!\n"); - @resolv = <RESOLV>; - close (RESOLV); + open (my $f, '<', '/etc/resolv.conf') + or die("$0: Error! Unable to open '/etc/resolv.conf' for input: $!\n"); + @resolv = <$f>; + close ($f); } my $foundSearch = 0; my $foundDomain = 0; -open (RESOLV, '>/etc/resolv.conf') or die("$0: Error! Unable to open '/etc/resolv.conf' for output: $!\n"); +open (my $r, '>', '/etc/resolv.conf') + or die("$0: Error! Unable to open '/etc/resolv.conf' for output: $!\n"); + foreach my $line (@resolv) { if ($line =~ /^search\s/) { $foundSearch = 1; if (length($search) > 0) { - print RESOLV $search; + print $r $search; } } elsif ($line =~ /^domain\s/) { $foundDomain = 1; if (length($domain) > 0) { - print RESOLV $domain; + print $r $domain; } } else { - print RESOLV $line; + print $r $line; } } if ($foundSearch == 0 && length($search) > 0) { - print RESOLV $search; + print $r $search; } if ($foundDomain == 0 && length($domain) > 0) { - print RESOLV $domain; + print $r $domain; } -close (RESOLV); +close ($r); diff --git a/scripts/vyatta-dhcpv6-client.pl b/scripts/vyatta-dhcpv6-client.pl new file mode 100644 index 00000000..b23d1700 --- /dev/null +++ b/scripts/vyatta-dhcpv6-client.pl 
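Review bot: The rewrite still opens /etc/resolv.conf for output (`open (my $r, '>', '/etc/resolv.conf')`) before the loop that re-emits its contents, so the resolver file is truncated first and any failure between that open and `close ($r)` leaves the system without nameservers. Since these lines are being touched anyway, write to a sibling temp file and rename it over the original after the close, e.g. `open (my $r, '>', '/etc/resolv.conf.tmp')` … `close ($r); rename '/etc/resolv.conf.tmp', '/etc/resolv.conf' or die "$0: rename failed: $!\n";`, which makes the replacement atomic. The enclosing block begins outside this hunk.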
@@ -0,0 +1,157 @@ +#!/usr/bin/perl +# +# Module: vyatta-dhcpv6-client.pl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2005-2009 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Bob Gilligan <gilligan@vyatta.com> +# Date: April 2010 +# Description: Start and stop DHCPv6 client daemon for an interface. +# +# **** End License **** +# +# + +use strict; +use lib "/opt/vyatta/share/perl5/"; +use FileHandle; +use Vyatta::Config; +use Getopt::Long; + +my $start_flag; # Start the daemon +my $stop_flag; # Stop the daemon and delete all config files +my $release_flag; # Stop the daemon, but leave config file +my $renew_flag; # Re-start the daemon. Functionally same as start_flag +my $temp_flag; +my $params_only_flag; +my $ifname; + + +sub gen_conf_file { + my ($conffile, $ifname) = @_; + + my $FD_WR = new FileHandle; + + if (!open($FD_WR, ">$conffile")) { + printf("Can't write config file: $conffile\n"); + exit 1; + } + my $date = `date`; + my $user = `id -un`; + my $hostname = `hostname`; + chomp($date); + chomp($user); + chomp($hostname); + + print $FD_WR "# This file was auto-generated by the Vyatta\n"; + print $FD_WR "# configuration sub-system. 
Do not edit it.\n"; + print $FD_WR "\n"; + print $FD_WR "# Generated on $date by $user\n"; + print $FD_WR "#\n"; + print $FD_WR "interface \"$ifname\" {\n"; +# print $FD_WR " send host-name \"$hostname\";\n"; +# print $FD_WR " send dhcp6.oro 1, 2, 7, 12, 13, 23, 24, 39;\n"; + print $FD_WR "}\n"; +} + + +# +# Main Section +# + +GetOptions("start" => \$start_flag, + "stop" => \$stop_flag, + "release" => \$release_flag, + "renew" => \$renew_flag, + "temporary" => \$temp_flag, + "parameters-only" => \$params_only_flag, + "ifname=s" => \$ifname, + ); + +if ((defined $temp_flag) && (defined $params_only_flag)) { + printf("Error: --temporary and --parameters-only flags are mutually exclusive.\n"); + exit 1; +} + +if (!defined $ifname) { + printf("Error: Interface name must be specified with --ifname parameter.\n"); + exit 1; +} + +my $pidfile = "/var/lib/dhcp3/dhclient_v6_$ifname.pid"; +my $leasefile = "/var/lib/dhcp3/dhclient_v6_$ifname.leases"; +my $conffile = "/var/lib/dhcp3/dhclient_v6_$ifname.conf"; +my $cmdname = "/sbin/dhclient"; + +if (defined $release_flag) { + if (! -e $conffile) { + printf("DHCPv6 client is not configured on interface $ifname.\n"); + exit 1; + } + + if (! -e $pidfile) { + printf("DHCPv6 client is already released on interface $ifname.\n"); + exit 1; + } +} + +if (defined $renew_flag) { + if (! -e $conffile) { + printf("DHCPv6 client is not configured on interface $ifname.\n"); + exit 1; + } +} + +if (defined $stop_flag || defined $release_flag) { + # Stop dhclient -6 on $ifname + + printf("Stopping daemon...\n"); + my $output=`$cmdname -6 -nw -cf $conffile -pf $pidfile -lf $leasefile -r $ifname`; + printf($output); + + # Delete files it leaves behind... + printf("Deleting related files...\n"); + unlink($pidfile); + if (defined $stop_flag) { + # If just releasing, leave the config file around as a flag that + # DHCPv6 remains configured on this interface. 
+ unlink($conffile); + } +} + +if (defined $start_flag || defined $renew_flag) { + # Generate the DHCP client config file... + gen_conf_file($conffile, $ifname); + + # First, kill any previous instance of dhclient running on this interface + # + printf("Stopping old daemon...\n"); + my $output = `$cmdname -6 -pf $pidfile -x $ifname`; + printf($output); + + # start "dhclient -6" on $ifname + + my $args = ""; + if (defined $temp_flag) { + $args .= " -T"; + } + if (defined $params_only_flag) { + $args .= " -S"; + } + + printf("Starting new daemon...\n"); + my $output=`$cmdname -6 -nw -cf $conffile -pf $pidfile -lf $leasefile $args $ifname`; + printf($output); +} diff --git a/scripts/vyatta-interfaces.pl b/scripts/vyatta-interfaces.pl index 90d8dfc7..a303c82c 100755 --- a/scripts/vyatta-interfaces.pl +++ b/scripts/vyatta-interfaces.pl @@ -47,10 +47,11 @@ use warnings; my $dhcp_daemon = '/sbin/dhclient'; -my ($eth_update, $eth_delete, $addr_set, @addr_commit, $dev, $mac, $mac_update); +my ($eth_update, $eth_delete, $addr_set, $dev, $mac, $mac_update); +my %skip_interface; my ($check_name, $show_names, $intf_cli_path, $vif_name, $warn_name); my ($check_up, $show_path, $dhcp_command); -my @speed_duplex; +my (@speed_duplex, @addr_commit); sub usage { print <<EOF; @@ -80,6 +81,7 @@ GetOptions("eth-addr-update=s" => \$eth_update, "dhcp=s" => \$dhcp_command, "check=s" => \$check_name, "show=s" => \$show_names, + "skip=s" => sub { $skip_interface{$_[1]} = 1 }, "vif=s" => \$vif_name, "warn" => \$warn_name, "path" => \$show_path, 
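Review bot: Every `printf($output)` in the new script passes dhclient's output as the printf format string, so a `%` in that output is interpreted as a conversion and the text is garbled; use `print $output;` at each site. The start block also declares `my $output` twice (once for the `-x` kill, once for the start), which should be a single `my` followed by a plain reassignment. `$ifname` is interpolated unvalidated into several backtick shell commands and into the file names under /var/lib/dhcp3; since it arrives on the command line, reject anything outside an interface-name alphabet right after the `!defined $ifname` check, e.g. `die "Error: invalid interface name\n" unless $ifname =~ /^[\w.:-]+$/;`. `$hostname` is computed and chomped but only referenced in the commented-out `send host-name` line, so that backtick and chomp are dead code.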
@@ -312,14 +314,14 @@ sub update_mac { if (POSIX::strtoul($flags) & 1) { # NB: Perl 5 system return value is bass-ackwards - system "sudo ip link set $intf down" + system "ip link set $intf down" and die "Could not set $intf down ($!)\n"; - system "sudo ip link set $intf address $mac" + system "ip link set $intf address $mac" and die "Could not set $intf address ($!)\n"; - system "sudo ip link set $intf up" + system "ip link set $intf up" and die "Could not set $intf up ($!)\n"; } else { - system "sudo ip link set $intf address $mac" + system "ip link set $intf address $mac" and die "Could not set $intf address ($!)\n"; } exit 0; @@ -356,6 +358,13 @@ sub is_valid_addr_set { exit 0; } + if ($addr_net eq "dhcpv6") { + die "Error: can't use dhcpv6 client on loopback interface\n" + if ($intf eq "lo"); + + exit 0; + } + my ($addr, $net); if ($addr_net =~ m/^([0-9a-fA-F\.\:]+)\/(\d+)$/) { $addr = $1; @@ -423,7 +432,7 @@ sub is_valid_addr_commit { $dhcp = 1; } else { my $version = is_ip_v4_or_v6($addr); - if ($version == 4) { + if (defined($version) && $version == 4) { $static_v4 = 1; } } @@ -516,6 +525,7 @@ sub show_interfaces { foreach my $name (@interfaces) { my $intf = new Vyatta::Interface($name); next unless $intf; # skip unknown types + next if $skip_interface{$name}; next unless ($type eq 'all' || $type eq $intf->type()); if ($vif_name) { diff --git a/sysconf/capability.conf b/sysconf/capability.conf new file mode 100644 index 00000000..0a7235f1 --- /dev/null +++ b/sysconf/capability.conf @@ -0,0 +1,10 @@ +# this is a capability file (used in conjunction with the pam_cap.so module) + +# Special capability for Vyatta admin +all %vyattacfg + +# Vyatta Operator +cap_net_admin,cap_sys_boot,cap_audit_write %vyattaop + +## 'everyone else' gets no inheritable capabilities +none * diff --git a/sysconf/filecaps b/sysconf/filecaps new file mode 100644 index 00000000..1e06c0e8 --- /dev/null +++ b/sysconf/filecaps 
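Review bot: The `ip link set` calls in update_mac still use the one-string form of `system`, so `$intf` and `$mac` are parsed by a shell; dropping `sudo` changes the privilege source (these now rely on the cap_net_admin file capability this commit sets on /bin/ip in sysconf/filecaps) but not that exposure. The list form avoids the shell entirely and keeps the existing die: `system('ip', 'link', 'set', $intf, 'down') and die "Could not set $intf down ($!)\n";`, and likewise for the address and up calls. update_mac begins outside this hunk, so whether `$mac` has already been matched against a MAC pattern is not visible here.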
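Review bot: sysconf/capability.conf says nothing about match order, and the semantics matter here: pam_cap uses the first line whose user/group pattern matches (per its documentation), so `all %vyattacfg` makes that group root-equivalent in terms of inheritable capabilities, and `none *` only works as a catch-all because it is last. Add that to the header, e.g. `# first matching line wins; keep the catch-all 'none *' last`, and state why `all` was chosen for %vyattacfg rather than an enumerated set like the one given to %vyattaop. Note also that this file only gates binaries whose file capabilities are inheritable-only; a file capability carrying the `p` flag is permitted regardless of the caller's inheritable set, so the grants here should be read together with how the companion file-capability list is flagged.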
@@ -0,0 +1,26 @@ +# List of files that get special attribute labeling + +# Network related utilities +cap_net_admin=pe /usr/sbin/ethtool +cap_net_admin=pe /sbin/tc +cap_net_admin=pe /bin/ip +cap_net_admin=pe /sbin/iptables +cap_net_admin=pe /sbin/ip6tables +cap_net_admin=pe/ /usr/sbin/ipset +cap_net_admin=pe /usr/sbin/conntrack +cap_net_admin=pe /usr/sbin/arp +cap_net_admin=pe /usr/sbin/brctl + +# Raw sockets +cap_net_raw=pe /usr/bin/tshark +cap_net_raw=pe /usr/sbin/tcpdump + +# Allow changes to system settings +cap_sys_admin=pe /sbin/sysctl + +# Module install +cap_sys_module=pe /sbin/modprobe + +# Set time +cap_sys_time=pe /bin/date +cap_sys_time=pe /usr/sbin/ntpdate diff --git a/templates/interfaces/bonding/node.def b/templates/interfaces/bonding/node.def index bb1b9ae3..4a944970 100644 --- a/templates/interfaces/bonding/node.def +++ b/templates/interfaces/bonding/node.def @@ -1,14 +1,15 @@ tag: priority: 315 type: txt -help: Set bonding interface +help: Set bonding interface name +comp_help: Enter bonding interface name (bond0 - bond99) syntax:expression: pattern $VAR(@) "^bond[0-9]+$" \ ; "bonding must be (bond0-bond99)" begin: if [ ! -f /sys/class/net/bonding_masters ]; then sudo modprobe bonding max_bonds=0 miimon=250 fi create: sudo sh -c "echo +$VAR(@) > /sys/class/net/bonding_masters" || exit 1 - sudo ip link set "$VAR(@)" up + ip link set "$VAR(@)" up /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on delete: SLAVES=`cat /sys/class/net/$VAR(@)/bonding/slaves`; if [ -z "$SLAVES" ] @@ -18,4 +19,3 @@ delete: SLAVES=`cat /sys/class/net/$VAR(@)/bonding/slaves`; echo "bonded interface $VAR(@) still has slaves: $SLAVES" exit 1; fi -comp_help: Enter bond interface name (bond0 - bond99) diff --git a/templates/interfaces/bonding/node.tag/bridge-group/node.def b/templates/interfaces/bonding/node.tag/bridge-group/node.def index 940295fa..9ce97b1b 100644 --- a/templates/interfaces/bonding/node.tag/bridge-group/node.def 
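Review bot: Every entry in sysconf/filecaps uses `=pe`, which sets the file's permitted and effective bits; the kernel adds file-permitted capabilities to any process that executes the binary regardless of the caller's inheritable set, so the per-group gating in capability.conf does not apply to these files and every local user who can execute /sbin/modprobe, /sbin/sysctl or /usr/sbin/tcpdump obtains cap_sys_module, cap_sys_admin or cap_net_raw respectively, the first two being root-equivalent. If the intent is that only %vyattacfg/%vyattaop members gain them, mark the files `=ei` (inheritable+effective) so a capability becomes permitted only when pam_cap has already placed it in the caller's inheritable set, or restrict execute permission on these binaries to those groups; whichever model is chosen belongs in the file's header comment. `cap_net_admin=pe/ /usr/sbin/ipset` carries a stray `/` in the flag field that the capability text parser used by setcap will most likely reject, leaving ipset without its capability; it should read `cap_net_admin=pe /usr/sbin/ipset`. The header also gives no hint which tool consumes this list, so a comment naming the expected `CAPS PATH` line format would help the next maintainer.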
+++ b/templates/interfaces/bonding/node.tag/bridge-group/node.def @@ -12,13 +12,13 @@ end: exit 1 else echo "Adding interface $bondif to bridge $newbridge." - sudo brctl addif $newbridge $bondif; + /usr/sbin/brctl addif $newbridge $bondif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then @@ -32,7 +32,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi else if [ -z "$newbridge" ]; then @@ -46,15 +46,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi - sudo brctl addif $newbridge $bondif + /usr/sbin/brctl addif $newbridge $bondif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@) fi fi fi diff --git a/templates/interfaces/bonding/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/disable/node.def index ad033365..96325d72 100644 --- a/templates/interfaces/bonding/node.tag/disable/node.def +++ b/templates/interfaces/bonding/node.tag/disable/node.def 
@@ -1,11 +1,11 @@ help: Set interface disabled create: /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../@) up; then +delete: if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi diff --git a/templates/interfaces/bonding/node.tag/mtu/node.def b/templates/interfaces/bonding/node.tag/mtu/node.def index 07c102ac..cd244402 100644 --- a/templates/interfaces/bonding/node.tag/mtu/node.def +++ b/templates/interfaces/bonding/node.tag/mtu/node.def @@ -1,5 +1,5 @@ type: u32 help: Set the Maximum Transmission Unit (MTU) for this interface syntax:expression: $VAR(@) >= 68 && $VAR(@) <= 9000; "MTU must be between 68 and 9000" -update:expression: "sudo ip link set $VAR(../@) mtu $VAR(@)"; "Error setting MTU on dev $VAR(../@)" -delete:expression: "sudo ip link set $VAR(../@) mtu 1500"; "Error deleting MTU on dev $VAR(../@)" +update: ip link set $VAR(../@) mtu $VAR(@) +delete: ip link set $VAR(../@) mtu 1500 diff --git a/templates/interfaces/bonding/node.tag/vif/node.def b/templates/interfaces/bonding/node.tag/vif/node.def index 2e718f41..62e7ab95 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.def 
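Review bot: Switching mtu/node.def from `update:expression: "sudo ip link set …"; "Error setting MTU on dev …"` to a bare `update: ip link set $VAR(../@) mtu $VAR(@)` drops the user-facing error text, so a failed MTU change now surfaces only as the raw `ip` diagnostic or, if the engine only checks exit status, as an unexplained commit failure. The disable/node.def template in this same commit shows the pattern that preserves the message: `update: if ! ip link set $VAR(../@) mtu $VAR(@); then echo "Error setting MTU on dev $VAR(../@)"; exit 1; fi`, and the `delete:` line here should keep its "Error deleting MTU" text the same way. The bridge aging, hello-time, max-age and priority rewrites in this commit never carried a message, so mtu is the only template that loses one.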
@@ -8,9 +8,9 @@ create: read -a SLAVES </sys/class/net/$VAR(../@)/bonding/slaves echo "Must configure slave devices for bond interface $VAR(../@) before adding vif" exit 1 fi - sudo ip link add link $VAR(../@) name "$VAR(../@).$VAR(@)" type vlan id $VAR(@) || exit 1 - sudo ip link set "$VAR(../@).$VAR(@)" up + ip link add link $VAR(../@) name "$VAR(../@).$VAR(@)" type vlan id $VAR(@) || exit 1 + ip link set "$VAR(../@).$VAR(@)" up sudo sh -c "/opt/vyatta/sbin/vyatta-link-detect $VAR(../@).$VAR(@) on" -delete: sudo ip link delete dev "$VAR(../@).$VAR(@)" type vlan id $VAR(@) +delete: ip link delete dev "$VAR(../@).$VAR(@)" type vlan id $VAR(@) comp_help: possible completions: <0-4094> Set VLAN ID diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def index 04dc957b..42234106 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/bridge-group/node.def @@ -13,13 +13,13 @@ end: exit 1 else echo "Adding interface $bondif to bridge $newbridge." - sudo brctl addif $newbridge $bondif; + /usr/sbin/brctl addif $newbridge $bondif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then @@ -33,7 +33,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi else if [ -z "$newbridge" ]; then 
@@ -47,15 +47,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $bondif + /usr/sbin/brctl delif $oldbridge $bondif fi - sudo brctl addif $newbridge $bondif + /usr/sbin/brctl addif $newbridge $bondif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $bondif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $bondif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $bondif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $bondif $VAR(./priority/@) fi fi fi diff --git a/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def b/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def index 78b24870..b2119c9c 100644 --- a/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def +++ b/templates/interfaces/bonding/node.tag/vif/node.tag/disable/node.def @@ -1,11 +1,11 @@ help: Set interface disabled update: /etc/netplug/linkdown.d/dhclient $VAR(../../@).$VAR(../@) - if ! sudo ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../../@).$VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../../@).$VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../../@).$VAR(../@) up; then +delete: if ! ip link set $VAR(../../@).$VAR(../@) up; then echo "Error enabling dev $VAR(../../@).$VAR(../@)" exit 1 fi diff --git a/templates/interfaces/bridge/node.def b/templates/interfaces/bridge/node.def index 55c961ba..60af4bc0 100644 --- a/templates/interfaces/bridge/node.def +++ b/templates/interfaces/bridge/node.def 
@@ -1,19 +1,19 @@ tag: priority: 310 type: txt -help: Set bridge interface +help: Set bridge interface name +comp_help: "Enter bridge interface name (br0 - br999)" syntax:expression: pattern $VAR(@) "^br[0-9]+$" ; "Must be (br0 - br999)" -create: sudo brctl addbr $VAR(@) - sudo ip link set $VAR(@) up +create: /usr/sbin/brctl addbr $VAR(@) + ip link set $VAR(@) up delete: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --no-interfaces-assigned \ --bridge-interface="$VAR(@)"; then \ exit 1 fi - sudo ip link set $VAR(@) down; - sudo brctl delbr $VAR(@); + ip link set $VAR(@) down; + /usr/sbin/brctl delbr $VAR(@); -comp_help: "Enter bridge interface name (br0 - br999)" diff --git a/templates/interfaces/bridge/node.tag/aging/node.def b/templates/interfaces/bridge/node.tag/aging/node.def index 533a8ed5..cd2e5d1a 100644 --- a/templates/interfaces/bridge/node.tag/aging/node.def +++ b/templates/interfaces/bridge/node.tag/aging/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the number of seconds a MAC address will be kept in the forwarding database default: 300 -update:expression: "sudo brctl setageing $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl setageing $VAR(../@) 300" +update: /usr/sbin/brctl setageing $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl setageing $VAR(../@) 300 comp_help: possible completions: <number> Set the number of seconds for ageing (default 300) diff --git a/templates/interfaces/bridge/node.tag/disable/node.def b/templates/interfaces/bridge/node.tag/disable/node.def index 3f37a6d6..2e20be3b 100644 --- a/templates/interfaces/bridge/node.tag/disable/node.def +++ b/templates/interfaces/bridge/node.tag/disable/node.def 
@@ -1,11 +1,11 @@ help: Disable the bridge interface update: /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../@) up; then +delete: if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi diff --git a/templates/interfaces/bridge/node.tag/forwarding-delay/node.def b/templates/interfaces/bridge/node.tag/forwarding-delay/node.def index 458eb320..c273c648 100644 --- a/templates/interfaces/bridge/node.tag/forwarding-delay/node.def +++ b/templates/interfaces/bridge/node.tag/forwarding-delay/node.def @@ -1,5 +1,5 @@ type: u32 help: Set the forwarding delay -update: sudo brctl setfd $VAR(../@) $VAR(@) +update: /usr/sbin/brctl setfd $VAR(../@) $VAR(@) comp_help: possible completions: <number> Set the folwarding delay (default 15) diff --git a/templates/interfaces/bridge/node.tag/hello-time/node.def b/templates/interfaces/bridge/node.tag/hello-time/node.def index 19324a65..8c6ad277 100644 --- a/templates/interfaces/bridge/node.tag/hello-time/node.def +++ b/templates/interfaces/bridge/node.tag/hello-time/node.def @@ -1,8 +1,8 @@ type: u32 help: Set the hello packet advertisment interval default: 2 -update:expression: "sudo brctl sethello $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl sethello $VAR(../@) 2" +update: /usr/sbin/brctl sethello $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl sethello $VAR(../@) 2 comp_help: possible completions: <number> Set the hello packet advertisment interval (default 2) diff --git a/templates/interfaces/bridge/node.tag/max-age/node.def b/templates/interfaces/bridge/node.tag/max-age/node.def index ddfdf129..43a9ad04 100644 --- a/templates/interfaces/bridge/node.tag/max-age/node.def +++ b/templates/interfaces/bridge/node.tag/max-age/node.def 
@@ -1,8 +1,8 @@ type: u32 help: Set the interval at which neighbor bridges are removed default: 20 -update:expression: "sudo brctl setmaxage $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl setmaxage $VAR(../@) 20" +update: /usr/sbin/brctl setmaxage $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl setmaxage $VAR(../@) 20 comp_help: possible completions: <number> Set the max age (default 20) diff --git a/templates/interfaces/bridge/node.tag/priority/node.def b/templates/interfaces/bridge/node.tag/priority/node.def index 1084dbf3..63548d1e 100644 --- a/templates/interfaces/bridge/node.tag/priority/node.def +++ b/templates/interfaces/bridge/node.tag/priority/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the priority for this bridge default: 0 -update:expression: "sudo brctl setbridgeprio $VAR(../@) $VAR(@)" -delete:expression: "sudo brctl setbridgeprio $VAR(../@) 0" +update: /usr/sbin/brctl setbridgeprio $VAR(../@) $VAR(@) +delete: /usr/sbin/brctl setbridgeprio $VAR(../@) 0 comp_help: possible completions: <number> Set bridge priority (default 0) diff --git a/templates/interfaces/bridge/node.tag/stp/node.def b/templates/interfaces/bridge/node.tag/stp/node.def index 6f25f0cc..f3095b26 100644 --- a/templates/interfaces/bridge/node.tag/stp/node.def +++ b/templates/interfaces/bridge/node.tag/stp/node.def 
@@ -3,16 +3,16 @@ help: Enable spanning tree protocol default: false update: if [ "$VAR(@)" == "true" ]; then if [ -z "$VAR(../../forwarding-delay)" ]; then - sudo brctl setfd $VAR(../@) 15 + /usr/sbin/brctl setfd $VAR(../@) 15 else - sudo brctl setfd $VAR(../@) $VAR(../../forwarding-delay) + /usr/sbin/brctl setfd $VAR(../@) $VAR(../../forwarding-delay) fi - sudo brctl stp $VAR(../@) on + /usr/sbin/brctl stp $VAR(../@) on else - sudo brctl stp $VAR(../@) off - sudo brctl setfd $VAR(../@) 0 + /usr/sbin/brctl stp $VAR(../@) off + /usr/sbin/brctl setfd $VAR(../@) 0 fi -delete:sudo brctl stp $VAR(../@) off +delete:/usr/sbin/brctl stp $VAR(../@) off comp_help: possible completions: true Enable Spanning Tree Protocol false Disable Spanning Tree Protocol (default false) diff --git a/templates/interfaces/ethernet/node.def b/templates/interfaces/ethernet/node.def index 081cabb5..05b2e03c 100644 --- a/templates/interfaces/ethernet/node.def +++ b/templates/interfaces/ethernet/node.def @@ -1,7 +1,9 @@ tag: priority: 318 type: txt -help: Set ethernet interface +help: Set Ethernet interface name +comp_help: Enter Ethernet interface name (eth0 - eth999) + allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=ethernet syntax:expression: pattern $VAR(@) "^eth[0-9]+$" \ ; "interface ethernet $VAR(@): not a valid name" @@ -10,7 +12,7 @@ syntax:expression: exec \ echo \"interface ethernet $VAR(@): does not exist\"; exit 1; \ fi" -create: sudo ip link set "$VAR(@)" up +create: ip link set "$VAR(@)" up /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - sudo ip link set $VAR(@) down + ip link set $VAR(@) down diff --git a/templates/interfaces/ethernet/node.tag/address/node.def b/templates/interfaces/ethernet/node.tag/address/node.def index db87ff05..7ed12bba 100644 --- a/templates/interfaces/ethernet/node.tag/address/node.def +++ b/templates/interfaces/ethernet/node.tag/address/node.def 
@@ -15,14 +15,41 @@ syntax:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl --valid-addr-set # commit:expression: exec "/opt/vyatta/sbin/vyatta-interfaces.pl --valid-addr-commit $VAR(@@) --dev $VAR(../@)" -create:sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@) - -delete:sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@) - -allowed: echo "dhcp <>" +create: + ifname=$VAR(../@) + param=$VAR(@) + if [ "$param" = "dhcpv6" ]; then + if [ -n "$VAR(../dhcpv6-options/parameters-only)" ]; then + echo "parameters-only is set" + arg1="--parameters-only" + fi + if [ -n "$VAR(../dhcpv6-options/temporary)" ]; then + echo "temporary is set" + arg2="--temporary" + fi + + echo "Starting DHCPv6 client on ${ifname}..." + sudo /opt/vyatta/sbin/vyatta-dhcpv6-client.pl --start \ + --ifname $ifname $arg1 $arg2 + else + sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-update $VAR(@) --dev $VAR(../@) + fi + +delete: + ifname=$VAR(../@) + param=$VAR(@) + if [ "$param" = "dhcpv6" ]; then + echo "Stopping DHCPv6 client on ${ifname}..." + sudo /opt/vyatta/sbin/vyatta-dhcpv6-client.pl --stop --ifname \ + $ifname + else + sudo /opt/vyatta/sbin/vyatta-interfaces.pl --eth-addr-delete $VAR(@) --dev $VAR(../@) + fi + +allowed: echo "dhcp dhcpv6 <>" comp_help:Possible completions: - <x.x.x.x/x> Set the IP address and prefix length + <x.x.x.x/x> Set the IPv4 address and prefix length <h:h:h:h:h:h:h:h/x> Set the IPv6 address and prefix length - dhcp Set the IP address and prefix length via DHCP - + dhcp Set the IPv4 address and prefix length via DHCP + dhcpv6 Set the IPv6 address and prefix length via DHCPv6 diff --git a/templates/interfaces/ethernet/node.tag/bridge-group/node.def b/templates/interfaces/ethernet/node.tag/bridge-group/node.def index 7590dc96..c56c31cc 100644 --- a/templates/interfaces/ethernet/node.tag/bridge-group/node.def +++ b/templates/interfaces/ethernet/node.tag/bridge-group/node.def 
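Review bot: The new dhcpv6 branches still escalate through `sudo` (`sudo /opt/vyatta/sbin/vyatta-dhcpv6-client.pl --start --ifname $ifname $arg1 $arg2`, the `--stop` call in `delete:`, and the `--stop --start` call in the new dhcpv6-options/node.def), while every `ip`/`brctl` call in this commit drops it; if commit actions are meant to run without sudo from now on, these helpers depend on a sudoers rule the diff does not include, so either confirm it exists or note the dependency in the template. `echo "parameters-only is set"` and `echo "temporary is set"` read as debugging leftovers and will show up in commit output. The `$arg1 $arg2` expansion relies on both variables being unset when their option is absent, which presumably holds because each action runs in its own shell; a comment such as `# arg1/arg2 stay empty when the option is not configured` would make that explicit.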
@@ -11,13 +11,13 @@ end: exit 1 else echo "Adding interface $ethif to bridge $newbridge." - sudo brctl addif $newbridge $ethif; + /usr/sbin/brctl addif $newbridge $ethif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then @@ -31,7 +31,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi else if [ -z "$newbridge" ]; then @@ -45,15 +45,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi - sudo brctl addif $newbridge $ethif + /usr/sbin/brctl addif $newbridge $ethif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@) fi fi fi diff --git a/templates/interfaces/ethernet/node.tag/dhcpv6-options/node.def b/templates/interfaces/ethernet/node.tag/dhcpv6-options/node.def new file mode 100644 index 00000000..aaeca067 --- /dev/null +++ b/templates/interfaces/ethernet/node.tag/dhcpv6-options/node.def 
@@ -0,0 +1,49 @@ +# This node is run before the rest of the interface is configured. +# We first check to see if DHCPv6 is still configured on the interface by +# looking over at the interface address parameters. Then we check to see +# if the DHCPv6 client program is still running on this interface. If both +# of those are true, then any change to this tree means that the user +# has changed this tree ONLY, and that we are going to have to re-start +# the DHCPv6 client using the new parameters. + + +priority: 317 # Run before interface has been configured + +help: Set options for DHCPv6 + +end: + ifname="$VAR(../@)" + echo "dhcpv6-options: ifname is $ifname" + + dhcpv6_set=0 + for param in $VAR(../address/@@); do + if [ "$param" = "dhcpv6" ]; then + dhcpv6_set=1 + fi + done + + if [ $dhcpv6_set -eq 0 ]; then + echo "DHCPv6 is not configured on this interface" + exit 0 + fi + + conffile=/var/lib/dhcp3/dhclient_v6_$VAR(../@).conf + if [ ! -e $conffile ]; then + echo "Conf file $conffile doesn't exist" + exit 0 + fi + + if [ -n "$VAR(./parameters-only)" ]; then + arg1="--parameters-only" + fi + + if [ -n "$VAR(./temporary)" ]; then + arg2="--temporary" + fi + + echo "Re-starting DHCPv6 client on ${ifname}..." + sudo /opt/vyatta/sbin/vyatta-dhcpv6-client.pl --stop --start \ + --ifname $ifname $arg1 $arg2 + + echo "Done." + exit 0
\ No newline at end of file diff --git a/templates/interfaces/ethernet/node.tag/dhcpv6-options/parameters-only/node.def b/templates/interfaces/ethernet/node.tag/dhcpv6-options/parameters-only/node.def new file mode 100644 index 00000000..0178c469 --- /dev/null +++ b/templates/interfaces/ethernet/node.tag/dhcpv6-options/parameters-only/node.def @@ -0,0 +1,3 @@ + +help: Acquire only config parameters, not address, via DHCPv6 + diff --git a/templates/interfaces/ethernet/node.tag/dhcpv6-options/temporary/node.def b/templates/interfaces/ethernet/node.tag/dhcpv6-options/temporary/node.def new file mode 100644 index 00000000..afb9de9c --- /dev/null +++ b/templates/interfaces/ethernet/node.tag/dhcpv6-options/temporary/node.def @@ -0,0 +1,3 @@ + +help: Acquire a "temporary" IPv6 address + diff --git a/templates/interfaces/ethernet/node.tag/disable/node.def b/templates/interfaces/ethernet/node.tag/disable/node.def index fbfb155a..5fe2b748 100644 --- a/templates/interfaces/ethernet/node.tag/disable/node.def +++ b/templates/interfaces/ethernet/node.tag/disable/node.def @@ -1,12 +1,12 @@ help: Set interface disabled create: /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - if ! sudo ip link set $VAR(../@) up; then + if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi diff --git a/templates/interfaces/ethernet/node.tag/mtu/node.def b/templates/interfaces/ethernet/node.tag/mtu/node.def index dc03ae16..f33158f8 100644 --- a/templates/interfaces/ethernet/node.tag/mtu/node.def +++ b/templates/interfaces/ethernet/node.tag/mtu/node.def 
@@ -1,8 +1,8 @@ type: u32 help: Set the Maximum Transmission Unit (MTU) for this interface syntax:expression: $VAR(@) >= 68 && $VAR(@) <= 9000; "MTU must be between 68 and 9000" -update: if ! sudo ip link set $VAR(../@) mtu $VAR(@) +update: if ! ip link set $VAR(../@) mtu $VAR(@) then echo "Error setting MTU on dev $VAR(../@)"; exit 1 fi delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - sudo ip link set $VAR(../@) mtu 1500 + ip link set $VAR(../@) mtu 1500 diff --git a/templates/interfaces/ethernet/node.tag/vif/node.def b/templates/interfaces/ethernet/node.tag/vif/node.def index b6b8abc7..c14ed002 100644 --- a/templates/interfaces/ethernet/node.tag/vif/node.def +++ b/templates/interfaces/ethernet/node.tag/vif/node.def @@ -5,17 +5,17 @@ help: Set Virtual Local Area Network (VLAN) ID syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 4094; "VLAN ID must be between 0 and 4094" -create: if ! sudo ip link add link $VAR(../@) name "$VAR(../@).$VAR(@)" type vlan id $VAR(@) +create: if ! ip link add link $VAR(../@) name "$VAR(../@).$VAR(@)" type vlan id $VAR(@) then echo "Error creating VLAN device $VAR(../@).$VAR(@)" exit 1 fi # if parent is up, then bring VLAN up if [ $(( $(cat /sys/class/net/$VAR(../@)/flags) & 1 )) -eq 1 ]; then - sudo ip link set "$VAR(../@).$VAR(@)" up + ip link set "$VAR(../@).$VAR(@)" up fi /opt/vyatta/sbin/vyatta-link-detect "$VAR(../@).$VAR(@)" on delete: [ -d /sys/class/net/$VAR(../@) ] || exit 0 - sudo ip link delete dev "$VAR(../@).$VAR(@)" type vlan id $VAR(@) + ip link delete dev "$VAR(../@).$VAR(@)" type vlan id $VAR(@) comp_help: possible completions: <0-4094> Set VLAN ID diff --git a/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def b/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def index dd3863a0..84fa14f1 100644 --- a/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def +++ b/templates/interfaces/ethernet/node.tag/vif/node.tag/bridge-group/node.def 
@@ -14,13 +14,13 @@ end: exit 1 else echo "Adding interface $ethif to bridge $newbridge." - sudo brctl addif $newbridge $ethif; + /usr/sbin/brctl addif $newbridge $ethif; if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@); + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@); fi; if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@); + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@); fi fi elif [ ${COMMIT_ACTION} = 'DELETE' ]; then @@ -34,7 +34,7 @@ end: # it gets deleted before the removal of bridge-groups under interfaces exit 0 else - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi else if [ -z "$newbridge" ]; then @@ -48,15 +48,15 @@ end: if ! /opt/vyatta/sbin/vyatta-bridgegroup-depedency.pl \ --bridge-notin-proposedcfg \ --bridge-interface="$oldbridge"; then \ - sudo brctl delif $oldbridge $ethif + /usr/sbin/brctl delif $oldbridge $ethif fi - sudo brctl addif $newbridge $ethif + /usr/sbin/brctl addif $newbridge $ethif fi if [ -n "$VAR(./cost/@)" ]; then - sudo brctl setpathcost $newbridge $ethif $VAR(./cost/@) + /usr/sbin/brctl setpathcost $newbridge $ethif $VAR(./cost/@) fi if [ -n "$VAR(./priority/@)" ]; then - sudo brctl setportprio $newbridge $ethif $VAR(./priority/@) + /usr/sbin/brctl setportprio $newbridge $ethif $VAR(./priority/@) fi fi fi diff --git a/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def b/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def index 78b24870..b2119c9c 100644 --- a/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def +++ b/templates/interfaces/ethernet/node.tag/vif/node.tag/disable/node.def 
@@ -1,11 +1,11 @@ help: Set interface disabled update: /etc/netplug/linkdown.d/dhclient $VAR(../../@).$VAR(../@) - if ! sudo ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../../@).$VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../../@).$VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../../@).$VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../../@).$VAR(../@) up; then +delete: if ! ip link set $VAR(../../@).$VAR(../@) up; then echo "Error enabling dev $VAR(../../@).$VAR(../@)" exit 1 fi diff --git a/templates/interfaces/ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def b/templates/interfaces/ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def new file mode 100644 index 00000000..a45d4129 --- /dev/null +++ b/templates/interfaces/ethernet/node.tag/vif/node.tag/ip/enable-proxy-arp/node.def @@ -0,0 +1,3 @@ +help: Set to enable proxy-arp on this interface +create:expression: "sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/$VAR(../../../@).$VAR(../../@)/proxy_arp\" " +delete:expression: "sudo sh -c \"echo 0 > /proc/sys/net/ipv4/conf/$VAR(../../../@).$VAR(../../@)/proxy_arp\" " diff --git a/templates/interfaces/input/node.def b/templates/interfaces/input/node.def index 2695b8a6..1873190c 100644 --- a/templates/interfaces/input/node.def +++ b/templates/interfaces/input/node.def 
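Review bot: The new enable-proxy-arp/node.def builds a root shell command string from configuration values (`create:expression: "sudo sh -c \"echo 1 > /proc/sys/net/ipv4/conf/$VAR(../../../@).$VAR(../../@)/proxy_arp\" "`); the parent nodes constrain those values (`^eth[0-9]+$` and the 0-4094 VLAN range), so this is a hardening point rather than a hole, but it is the one new place in the commit that escalates through `sh -c` with interpolated values, and the other hunks here replace `:expression:` forms with plain actions (see aging and hello-time). A plain action that fails on error, e.g. `create: echo 1 > /proc/sys/net/ipv4/conf/$VAR(../../../@).$VAR(../../@)/proxy_arp || exit 1`, would match the rest of the commit, assuming the commit context can write that sysctl (it may still need elevation, which the diff does not show); `delete:` has the same shape.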
@@ -2,9 +2,10 @@ tag: priority: 310 # before real devices that redirect type: txt help: Set input functional block (IFB) interface +comp_help: Enter input functional block interface name (ifb0 - ifb999) + syntax:expression: pattern $VAR(@) "^ifb[0-9]+$" ; "name must be (ifb0-ifb999)" begin: [ -d /sys/module/ifb ] || sudo modprobe ifb numifbs=0 -create: sudo ip link add $VAR(@) type ifb && sudo ip link set $VAR(@) up -delete: sudo ip link delete dev $VAR(@) -comp_help: Enter input functional block interface name (ifb0 - ifb999) +create: ip link add $VAR(@) type ifb && ip link set $VAR(@) up +delete: ip link delete dev $VAR(@) diff --git a/templates/interfaces/loopback/node.def b/templates/interfaces/loopback/node.def index 8312aafe..b78cf10b 100644 --- a/templates/interfaces/loopback/node.def +++ b/templates/interfaces/loopback/node.def @@ -1,8 +1,9 @@ tag: priority: 300 type: txt -help: Set loopback interface +help: Set loopback interface name +comp_help: Enter looback interface name (lo) syntax:expression: exec \ "/opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --check=loopback" allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=loopback -create: sudo ip link set $VAR(@) up +create: ip link set $VAR(@) up diff --git a/templates/interfaces/pseudo-ethernet/node.def b/templates/interfaces/pseudo-ethernet/node.def index cdbff5c8..bf88b047 100644 --- a/templates/interfaces/pseudo-ethernet/node.def +++ b/templates/interfaces/pseudo-ethernet/node.def 
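Review bot: The new `comp_help: Enter looback interface name (lo)` line in loopback/node.def misspells the interface name; it should read `comp_help: Enter loopback interface name (lo)`. This text is shown to the operator on tab completion, so the typo is user-visible.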
@@ -1,13 +1,13 @@ tag: priority: 390 type: txt -help: Set Virtual Ethernet device +help: Set Pseudo Ethernet device name +comp_help: Enter Pseudo Ethernet interface name (peth0 - peth999) syntax:expression: pattern $VAR(@) "^peth[0-9]+$" \ ; "name must be (peth0-peth999)" commit:expression: $VAR(link) != "" ; "link device must be set for virtual ethernet $VAR(@)" -create: sudo ip link add $VAR(@) link $VAR(link/@) type macvlan || exit 1 - sudo ip link set $VAR(@) up +create: ip link add $VAR(@) link $VAR(link/@) type macvlan || exit 1 + ip link set $VAR(@) up /opt/vyatta/sbin/vyatta-link-detect $VAR(@) on -delete: sudo ip link delete dev $VAR(@) type macvlan -comp_help: Enter virtual ethernet interface name (peth0 - peth999) +delete: ip link delete dev $VAR(@) type macvlan diff --git a/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def b/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def index 3d3ffef9..9dafeacf 100644 --- a/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def +++ b/templates/interfaces/pseudo-ethernet/node.tag/disable/node.def @@ -5,12 +5,12 @@ create: vif=`/opt/vyatta/sbin/vyatta-interfaces.pl --vif=$VAR(../@) --show=all` exit 1 fi /etc/netplug/linkdown.d/dhclient $VAR(../@) - if ! sudo ip link set $VAR(../@) down 2>/dev/null; then + if ! ip link set $VAR(../@) down 2>/dev/null; then echo "Error disabling dev $VAR(../@)" /etc/netplug/linkup.d/dhclient $VAR(../@) exit 1 fi -delete: if ! sudo ip link set $VAR(../@) up; then +delete: if ! ip link set $VAR(../@) up; then echo "Error enabling dev $VAR(../@)" exit 1 fi diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def index ba3fa49a..a90c01f9 100644 --- a/templates/interfaces/tunnel/node.def +++ b/templates/interfaces/tunnel/node.def 
@@ -2,7 +2,7 @@ tag: priority: 380 type: txt help: Set tunnel interface - +comp_help: Enter tunnel interface name (tun0 - tun999) syntax:expression: pattern $VAR(@) "^tun[0-9]+$" \ ; "tunnel must be (tun0-tun999)" @@ -13,19 +13,28 @@ commit:expression: $VAR(./remote-ip/) != "" ; \ commit:expression: $VAR(./encapsulation/) != "" ; \ "Must configure the tunnel encapsulation for $VAR(@)" -create:expression: "\ - if [ -n \"$VAR(./key/@)\" ]; then \ - KEY=\"key $VAR(./key/@)\"; \ - fi; \ - if [ x$VAR(./multicast/@) == xenable ]; then \ - MC=\"multicast on allmulticast on\"; \ - fi; \ - sudo ip tunnel add $VAR(@) \ - local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) \ - mode $VAR(./encapsulation/@) $KEY; \ - sudo ip link set $VAR(@) $MC up;" ; \ - "Error creating $VAR(@)" +create:if [ -n "$VAR(./key/@)" ]; then + KEY="key $VAR(./key/@)"; + fi + if [ x$VAR(./multicast/@) == xenable ]; then + MC="multicast on allmulticast on"; + fi + if [ -n "$VAR(./bridge-group/)" ] && [ "$VAR(./encapsulation/@)" != "gre-bridge" ]; then + echo "interfaces tunnel $VAR(@): Tunnel encapsulation type must be gre-bridge if a bridge group is defined"; + exit 1; + fi + if [ "$VAR(./encapsulation/@)" == "gre-bridge" ]; then + ip link add $VAR(@) type gretap local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) || + echo "interfaces tunnel $VAR(@): error creating tunnel interface" + else + ip tunnel add $VAR(@) local $VAR(./local-ip/@) remote $VAR(./remote-ip/@) mode $VAR(./encapsulation/@) $KEY || + echo "interfaces tunnel $VAR(@): error creating tunnel interface" + fi + ip link set $VAR(@) $MC up || + echo "interfaces tunnel $VAR(@): error setting tunnel interface active" -delete:expression: "sudo ip tunnel del $VAR(@)" ; "Error deleting $VAR(@)" - -comp_help: Enter tunnel interface name (tun0 - tun999) +delete:if [ "$VAR(./encapsulation/@)" == "gre-bridge" ]; then + ip link delete $VAR(@) + else + ip tunnel del $VAR(@) + fi 
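Review bot: In the rewritten `create:` action every failure is reported but not propagated: `ip link add ... || echo "...error creating tunnel interface"`, the `ip tunnel add` branch and the final `ip link set $VAR(@) $MC up` all fall back to `echo`, which exits 0, so a commit whose tunnel never came up still succeeds, whereas the replaced `create:expression:` failed the commit with "Error creating". Each fallback should exit non-zero, e.g. `|| { echo "interfaces tunnel $VAR(@): error creating tunnel interface"; exit 1; }`. The same `|| echo` pattern appears in the new tunnel bridge-group bridge, cost and priority node.def files. The new `delete:` likewise ignores the status of `ip link delete` / `ip tunnel del`, which the old `delete:expression:` reported as "Error deleting".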
diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/bridge/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/bridge/node.def new file mode 100644 index 00000000..9c28ed63 --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/bridge/node.def @@ -0,0 +1,16 @@ +type: txt +help: Set this interface to a bridge-group +allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=bridge +commit:expression: exec \ + "/opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --check=bridge" +commit:expression: $VAR(../../encapsulation/@) == "gre-bridge"; "tunnel encapsulation type must be gre-bridge" +create: + # TODO: need to add logic for update as we need to remove the interface first. + if [ "$(ip link show $VAR(../../@) | grep ether)" ]; then + sudo brctl addif $VAR(@) $VAR(../../@) || + echo interfaces tunnel $VAR(../../@) bridge-group bridge $VAR(@): error adding interface to bridge + else + echo interfaces tunnel $VAR(../../@) bridge-group bridge $VAR(@): tunnel encapsulation type must be gre-bridge + exit 1 + fi +delete: sudo brctl delif $VAR(@) $VAR(../../@) diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/cost/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/cost/node.def new file mode 100644 index 00000000..ed3bee26 --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/cost/node.def @@ -0,0 +1,9 @@ +type: u32 +help: Set the path cost for this port +comp_help: possible completions: + <0-2147483647> Set port cost +commit:expression: $VAR(../bridge/@) != ""; "interface must first be assigned to a bridge" +create: sudo brctl setpathcost $VAR(../bridge/@) $VAR(../../@) $VAR(@) || + echo interfaces tunnel $VAR(../../@) bridge-group cost: error setting bridge cost +delete: if [ -n "$( sudo brctl show | egrep $VAR(../../@) )" ]; then sudo brctl setpathcost $VAR(../bridge/@) $VAR(../../@) 0; fi; + 
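Review bot: In cost/node.def the `delete:` action tests bridge membership with `sudo brctl show | egrep $VAR(../../@)`, an unanchored, unquoted substring match, so `tun1` also matches `tun10`-`tun19` and `setpathcost` runs against a bridge the interface may not belong to; `grep -w "$VAR(../../@)"` is closer to what is meant, and priority/node.def has the same test. These new files also keep `sudo brctl` while every other bridge template in this commit switches to `/usr/sbin/brctl` without sudo, so they should follow the same convention whichever way privilege is now granted. In bridge/node.def the `ip link show ... | grep ether` test duplicates the `commit:expression:` that already requires gre-bridge encapsulation; a one-line comment saying why the runtime check is still needed (or dropping it) would help the next reader.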
diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/node.def new file mode 100644 index 00000000..663979dd --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/node.def @@ -0,0 +1 @@ +help: Add this interface to a bridge group diff --git a/templates/interfaces/tunnel/node.tag/bridge-group/priority/node.def b/templates/interfaces/tunnel/node.tag/bridge-group/priority/node.def new file mode 100644 index 00000000..fe174f1f --- /dev/null +++ b/templates/interfaces/tunnel/node.tag/bridge-group/priority/node.def @@ -0,0 +1,8 @@ +type: u32 +help: Set the path priority for this port +comp_help: possible completions: + <0-255> Set port priority +commit:expression: $VAR(../bridge/@) != ""; "interface must first be assigned to a bridge" +create: sudo brctl setportprio $VAR(../bridge/@) $VAR(../../@) $VAR(@) || + echo interfaces tunnel $VAR(../../@) bridge-group priority: error setting bridge priority +delete: if [ -n "$( sudo brctl show | egrep "$VAR(../../@)" )" ]; then sudo brctl setportprio $VAR(../bridge/@) $VAR(../../@) 0; fi; diff --git a/templates/interfaces/tunnel/node.tag/disable/node.def b/templates/interfaces/tunnel/node.tag/disable/node.def index cd3c019a..26199646 100644 --- a/templates/interfaces/tunnel/node.tag/disable/node.def +++ b/templates/interfaces/tunnel/node.tag/disable/node.def @@ -1,6 +1,4 @@ help: Disable interface -update:expression: "sudo ip link set $VAR(../@) down"; \ - "Error disabling dev $VAR(../@)" +update: ip link set $VAR(../@) down -delete:expression: "sudo ip link set $VAR(../@) up"; \ - "Error enabling dev $VAR(../@)" +delete: ip link set $VAR(../@) up diff --git a/templates/interfaces/tunnel/node.tag/encapsulation/node.def b/templates/interfaces/tunnel/node.tag/encapsulation/node.def index 6b97b190..5374568c 100644 --- a/templates/interfaces/tunnel/node.tag/encapsulation/node.def +++ b/templates/interfaces/tunnel/node.tag/encapsulation/node.def 
@@ -1,13 +1,15 @@ type: txt help: Set the encapsulation of this tunnel interface [REQUIRED] -syntax:expression: $VAR(@) in "ipip", "gre", "sit"; "Must be (ipip, gre, sit)" +syntax:expression: $VAR(@) in "ipip", "gre", "sit", "gre-bridge"; "Must be (ipip, gre, gre-bridge, sit)" create:expression: "true" update:expression: "false" ; \ "Encapsulation can only be set at tunnel creation for $VAR(../@)" -comp_help: "possible completions: +comp_help: possible completions: gre Set Generic Routing Encapsulation + gre-bridge Set Generic Routing Encapsulation bridge interface ipip Set IP in IP encapsulation sit Set Simple Internet Transition encapsulation + diff --git a/templates/interfaces/tunnel/node.tag/key/node.def b/templates/interfaces/tunnel/node.tag/key/node.def index 1ece7642..c137107c 100644 --- a/templates/interfaces/tunnel/node.tag/key/node.def +++ b/templates/interfaces/tunnel/node.tag/key/node.def @@ -3,7 +3,7 @@ help: Set the tunnel key syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 999999; \ "Must be between 0-999999 for $VAR(../@)" syntax:expression: exec " \ - if [ -n \"`sudo ip tunnel show $VAR(../@) | grep $VAR(../@) `\" ]; then \ + if [ -n \"`ip tunnel show $VAR(../@) | grep $VAR(../@) `\" ]; then \ echo Key can only be set at tunnel creation for $VAR(../@); \ exit 1 ; \ fi ; " diff --git a/templates/interfaces/tunnel/node.tag/mtu/node.def b/templates/interfaces/tunnel/node.tag/mtu/node.def index f1fdf39b..400533f9 100644 --- a/templates/interfaces/tunnel/node.tag/mtu/node.def +++ b/templates/interfaces/tunnel/node.tag/mtu/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the tunnel Maximum Transmission Unit (MTU) syntax:expression: $VAR(@) >= 64 && $VAR(@) <= 8024; "Must be between 64-8024" -update:expression: "sudo ip link set $VAR(../@) mtu $VAR(@)" -delete:expression: "sudo ip link set $VAR(../@) mtu 1476" +update: ip link set $VAR(../@) mtu $VAR(@) +delete: ip link set $VAR(../@) mtu 1476 comp_help: possible completions: <64-8024> Set MTU 
diff --git a/templates/interfaces/tunnel/node.tag/tos/node.def b/templates/interfaces/tunnel/node.tag/tos/node.def index 1f739966..58a4cee0 100644 --- a/templates/interfaces/tunnel/node.tag/tos/node.def +++ b/templates/interfaces/tunnel/node.tag/tos/node.def @@ -1,7 +1,7 @@ type: u32 help: Set the tunnel Type of Service (TOS) syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 99; "Must be between 0-99" -update:expression: "sudo ip tunnel change $VAR(../@) tos $VAR(@)" -delete:expression: "sudo ip tunnel change $VAR(../@) tos inherit" +update: ip tunnel change $VAR(../@) tos $VAR(@) +delete: ip tunnel change $VAR(../@) tos inherit comp_help: possible completions <0-99> Set type of service diff --git a/templates/interfaces/tunnel/node.tag/ttl/node.def b/templates/interfaces/tunnel/node.tag/ttl/node.def index 298c4d61..cfab7264 100644 --- a/templates/interfaces/tunnel/node.tag/ttl/node.def +++ b/templates/interfaces/tunnel/node.tag/ttl/node.def @@ -1,8 +1,8 @@ type: u32 -help: Set the tunnel time to live field default: 255 -syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "Must be between 0-255" -update:expression: "sudo ip tunnel change $VAR(../@) ttl $VAR(@)" -delete:expression: "sudo ip tunnel change $VAR(../@) ttl inherit" +help: Set the tunnel time to live field comp_help: possible completions: <0-255> Set time to live (default 255) +syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "Must be between 0-255" +update:if [ "$VAR(../encapsulation/@)" != "gre-bridge" ]; then sudo ip tunnel change $VAR(../@) ttl $VAR(@); fi; +delete:if [ "$VAR(../encapsulation/@)" != "gre-bridge" ]; then sudo ip tunnel change $VAR(../@) ttl inherit; fi; diff --git a/templates/service/snmp/community/node.tag/client/node.def b/templates/service/snmp/community/node.tag/client/node.def index 828faa97..427a9939 100644 --- a/templates/service/snmp/community/node.tag/client/node.def +++ b/templates/service/snmp/community/node.tag/client/node.def 
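Review bot: The rewritten `update:`/`delete:` lines in ttl/node.def keep `sudo ip tunnel change ...`, while the tos and mtu hunks in the same directory drop `sudo` from the identical `ip tunnel change` / `ip link set` calls; one of the two is wrong for the privilege model this commit moves to, and the gre-bridge guard is the only change the hunk intends. Suggest `update:if [ "$VAR(../encapsulation/@)" != "gre-bridge" ]; then ip tunnel change $VAR(../@) ttl $VAR(@); fi;` and the matching `delete:` line. The help/default/syntax lines are reordered without any content change, which makes the hunk harder to review than it needs to be.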
@@ -1,3 +1,3 @@
 multi:
-type: ipv4
+type: ipv4,ipv6
 help: Set IP address of SNMP client allowed to contact system
diff --git a/templates/service/snmp/community/node.tag/network/node.def b/templates/service/snmp/community/node.tag/network/node.def
index 00a77d4b..4b80a51b 100644
--- a/templates/service/snmp/community/node.tag/network/node.def
+++ b/templates/service/snmp/community/node.tag/network/node.def
@@ -1,4 +1,4 @@
 multi:
-type: ipv4net
+type: ipv4net,ipv6net
 help: Set subnet of SNMP client(s) allowed to contact system
 syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)"
diff --git a/templates/service/snmp/listen-address/node.def b/templates/service/snmp/listen-address/node.def
new file mode 100644
index 00000000..f234edc8
--- /dev/null
+++ b/templates/service/snmp/listen-address/node.def
@@ -0,0 +1,3 @@
+tag:
+type: ipv4,ipv6
+help: Set IP address to listen for incoming SNMP requests
diff --git a/templates/service/snmp/listen-address/node.tag/port/node.def b/templates/service/snmp/listen-address/node.tag/port/node.def
new file mode 100644
index 00000000..5a21b1d8
--- /dev/null
+++ b/templates/service/snmp/listen-address/node.tag/port/node.def
@@ -0,0 +1,3 @@
+type: u32
+default: 161
+help: Set port for SNMP service
diff --git a/templates/service/snmp/node.def b/templates/service/snmp/node.def
index 13b39fa7..2952eb34 100644
--- a/templates/service/snmp/node.def
+++ b/templates/service/snmp/node.def
@@ -1,6 +1,7 @@
 priority: 980
 help: Configure Simple Network Management Protocol (SNMP)
-commit:expression: $VAR(community/) != ""; "must configure a community"
+commit:expression: $VAR(community/) != "" || $VAR(community6/) != "" \
+ ; "must configure a community or community6"
 delete: touch /tmp/snmp.$PPID
 end:if [ -f "/tmp/snmp.$PPID" ]
diff --git a/templates/service/snmp/trap-source/node.def b/templates/service/snmp/trap-source/node.def
index d8add72c..61a8cd6a 100644
--- a/templates/service/snmp/trap-source/node.def
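Review bot: The network template's `type:` is widened to `ipv4net,ipv6net`, but the unchanged `syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)"` still validates every value, and nothing on this page shows that helper handling IPv6 prefixes. If it only parses IPv4 networks, IPv6 entries are either rejected at commit or pass without the boundary check IPv4 entries get, which matters because this value feeds the SNMP client access list. Confirm the helper accepts IPv6 prefix/length input, or branch the check on the address family.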
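Review bot: The new port node accepts any `u32`, so `0` and values above 65535 pass template validation and would presumably only be caught, if at all, when snmpd is started with the generated configuration. A range check belongs in the template itself, e.g. `syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "Port must be between 1-65535"`. A `comp_help:` line stating the range would also match the mtu and ttl templates in this diff.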
+++ b/templates/service/snmp/trap-source/node.def
@@ -1,2 +1,2 @@
-type: ipv4
+type: ipv4,ipv6
 help: Set SNMP trap source address
diff --git a/templates/service/snmp/trap-target/node.def b/templates/service/snmp/trap-target/node.def
index 493484b7..561bc1ac 100644
--- a/templates/service/snmp/trap-target/node.def
+++ b/templates/service/snmp/trap-target/node.def
@@ -1,3 +1,3 @@
 tag:
-type: ipv4
-help: Set IP address of trap target
+type: ipv4,ipv6
+help: Set address of trap target
diff --git a/templates/system/domain-name/node.def b/templates/system/domain-name/node.def
index 96ccc7ae..fa8527d9 100644
--- a/templates/system/domain-name/node.def
+++ b/templates/system/domain-name/node.def
@@ -4,7 +4,7 @@ help: Set system domain name
 syntax:expression: pattern $VAR(@) "^[-a-zA-Z0-9.]{0,63}$" ; "invalid domain name $VAR(@)"
 # also add localhost line into /etc/hosts (see host-name template)?
-update:expression: "sudo /opt/vyatta/sbin/vyatta_update_resolv.pl"
+update: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl
 # also update localhost line in /etc/hosts (see host-name template)?
-delete:expression: "sudo /opt/vyatta/sbin/vyatta_update_resolv.pl"
+delete: sudo /opt/vyatta/sbin/vyatta_update_resolv.pl |