authorChristian Poessinger <christian@poessinger.com>2021-03-14 15:09:43 +0100
committerGitHub <noreply@github.com>2021-03-14 15:09:43 +0100
commitfece992339e696b7d133682bb37cf3c88b6f358a (patch)
treed5000837154ad2aced2c9165bd6a29007a7de717
parentdfa91f60f8bf0eeb3e7964ecc5d421a23521a931 (diff)
parent9761804ddef45b3a981c1148ff8165688aafb5a0 (diff)
Merge pull request #733 from sever-sever/T2425
conf-mode: T2425: Add XML for policy-lists
-rw-r--r--Makefile1
-rw-r--r--interface-definitions/include/policy-list-action.xml.i21
-rw-r--r--interface-definitions/include/policy-list-description.xml.i11
-rw-r--r--interface-definitions/include/policy-list-rule-description.xml.i11
-rw-r--r--interface-definitions/policy-lists.xml.in1266
-rwxr-xr-xsrc/conf_mode/policy-lists.py117
6 files changed, 1427 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index 2adf385f9..2d3a14f4e 100644
--- a/Makefile
+++ b/Makefile
@@ -45,6 +45,7 @@ interface_definitions: $(config_xml_obj)
rm -f $(TMPL_DIR)/vpn/node.def
rm -f $(TMPL_DIR)/vpn/ipsec/node.def
rm -rf $(TMPL_DIR)/vpn/nipsec
+ rm -rf $(TMPL_DIR)/npolicy
.PHONY: op_mode_definitions
.ONESHELL:
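Review bot: The added `rm -rf $(TMPL_DIR)/npolicy` hard-codes the top-level node name that interface-definitions/policy-lists.xml.in declares as `<node name="npolicy" ...>`, so the two have to be kept in step by hand and nothing in the Makefile says why this directory exists. A one-line comment above it, `# npolicy: generated templates for policy-lists.xml.in (T2425)`, would make the coupling visible to whoever later renames or removes the node. The enclosing `interface_definitions` recipe starts before this hunk.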
diff --git a/interface-definitions/include/policy-list-action.xml.i b/interface-definitions/include/policy-list-action.xml.i
new file mode 100644
index 000000000..fddbd5a98
--- /dev/null
+++ b/interface-definitions/include/policy-list-action.xml.i
@@ -0,0 +1,21 @@
+<!-- included start from policy-list-action.xml.i -->
+<leafNode name="action">
+ <properties>
+ <help>Action to take on entries matching this rule [REQUIRED]</help>
+ <completionHelp>
+ <list>permit deny</list>
+ </completionHelp>
+ <valueHelp>
+ <format>permit</format>
+ <description>Permit matching entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>deny</format>
+ <description>Deny matching entries</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(permit|deny)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- included end -->
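Review bot: The `[REQUIRED]` marker in the `<help>` text of the `action` leaf is advisory only: the include constrains the value to `permit|deny` but nothing here makes the leaf mandatory for a rule, and the interface-definition XML has no construct for that, so the requirement presumably has to be enforced by the owning conf-mode script (src/conf_mode/policy-lists.py appears in the diffstat but is not shown here). Since this include is pulled into every rule node of policy-lists.xml.in, a short comment after the start marker, `<!-- action is mandatory per rule; the owning conf-mode script must reject rules without it -->`, would record where the check is expected to live so it is not silently dropped.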
diff --git a/interface-definitions/include/policy-list-description.xml.i b/interface-definitions/include/policy-list-description.xml.i
new file mode 100644
index 000000000..a50278729
--- /dev/null
+++ b/interface-definitions/include/policy-list-description.xml.i
@@ -0,0 +1,11 @@
+<!-- included start from policy-list-description.xml.i -->
+<leafNode name="description">
+ <properties>
+ <help>Description for this policy</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Description for this policy</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- included end -->
diff --git a/interface-definitions/include/policy-list-rule-description.xml.i b/interface-definitions/include/policy-list-rule-description.xml.i
new file mode 100644
index 000000000..e22fb7c28
--- /dev/null
+++ b/interface-definitions/include/policy-list-rule-description.xml.i
@@ -0,0 +1,11 @@
+<!-- included start from policy-list-rule-description.xml.i -->
+<leafNode name="description">
+ <properties>
+ <help>Description for this rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Description for this rule</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- included end -->
diff --git a/interface-definitions/policy-lists.xml.in b/interface-definitions/policy-lists.xml.in
new file mode 100644
index 000000000..0fece6594
--- /dev/null
+++ b/interface-definitions/policy-lists.xml.in
@@ -0,0 +1,1266 @@
+<?xml version="1.0"?>
+<!-- Policy access|prefix|route-map lists -->
+<interfaceDefinition>
+ <node name="npolicy" owner="${vyos_conf_scripts_dir}/policy-lists.py">
+ <properties>
+ <help>Routing policy</help>
+ </properties>
+ <children>
+ <tagNode name="access-list">
+ <properties>
+ <help>IP access-list filter</help>
+ <valueHelp>
+ <format>u32:1-99</format>
+ <description>IP standard access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:100-199</format>
+ <description>IP extended access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1300-1999</format>
+ <description>IP standard access list (expanded range)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:2000-2699</format>
+ <description>IP extended access list (expanded range)</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this access-list</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Access-list rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>Destination network or address</help>
+ </properties>
+ <children>
+ <leafNode name="any">
+ <properties>
+ <help>Any IP address to match</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="host">
+ <properties>
+ <help>Single host IP address to match</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Host address to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-host"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="inverse-mask">
+ <properties>
+ <help>Network/netmask to match (requires network be defined)</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Inverse-mask to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="network">
+ <properties>
+ <help>Network/netmask to match (requires inverse-mask be defined)</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Inverse-mask to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="source">
+ <properties>
+ <help>Source network or address to match</help>
+ </properties>
+ <children>
+ <leafNode name="any">
+ <properties>
+ <help>Any IP address to match</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="host">
+ <properties>
+ <help>Single host IP address to match</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Host address to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-host"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="inverse-mask">
+ <properties>
+ <help>Network/netmask to match (requires network be defined)</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Inverse-mask to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="network">
+ <properties>
+ <help>Network/netmask to match (requires inverse-mask be defined)</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Inverse-mask to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END access-list -->
+ <tagNode name="access-list6">
+ <properties>
+ <help>IPv6 access-list filter</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Name of IPv6 access-list</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this access-list6</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Access-list6 rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <node name="source">
+ <properties>
+ <help>Source IPv6 network to match</help>
+ </properties>
+ <children>
+ <leafNode name="any">
+ <properties>
+ <help>Any IP address to match</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="exact-match">
+ <properties>
+ <help>Exact match of the network prefixes</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="network">
+ <properties>
+ <help>Network/netmask to match</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END access-list6 -->
+ <tagNode name="as-path-list">
+ <properties>
+ <help>Border Gateway Protocol (BGP) autonomous system path filter</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>AS path list name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this as-path-list</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>AS path list rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <leafNode name="regex">
+ <properties>
+ <help>Regular expression to match against an AS path</help>
+ <valueHelp>
+ <format>&lt;asn&gt;</format>
+ <description>AS path regular expression (ex: "64501 64502")</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END as-path-list -->
+ <tagNode name="community-list">
+ <properties>
+ <help>Border Gateway Protocol (BGP) autonomous system path filter</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Border Gateway Protocol (BGP) community-list filter</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this BGP community list</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Community-list rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <leafNode name="regex">
+ <properties>
+ <help>Regular expression to match against a community list</help>
+ <valueHelp>
+ <format>&lt;aa:nn&gt;</format>
+ <description>Community list regular expression or one of: internet, local-AS, no-advertise, no-export</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END community-list -->
+ <tagNode name="extcommunity-list">
+ <properties>
+ <help>Border Gateway Protocol (BGP) extended community-list filter</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Border Gateway Protocol (BGP) extended community-list filter</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this BGP extended community list</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Extended community-list rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <leafNode name="regex">
+ <properties>
+ <help>Regular expression to match against an extended community list</help>
+ <valueHelp>
+ <format>&lt;aa:nn:nn&gt;</format>
+ <description>Extended community list regular expression</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;rt aa:nn:nn&gt;</format>
+ <description>Extended community list regular expression</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;soo aa:nn&gt;</format>
+ <description>Extended community list regular expression</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END extcommunity-list -->
+ <tagNode name="large-community-list">
+ <properties>
+ <help>Border Gateway Protocol (BGP) large-community-list filter</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Border Gateway Protocol (BGP) large-community-list filter</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this BGP extended community list</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Large community-list rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <leafNode name="regex">
+ <properties>
+ <help>Regular expression to match against a large community list</help>
+ <valueHelp>
+ <format>&lt;aa:nn:nn&gt;</format>
+ <description>Large community list regular expression</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END large-community-list -->
+ <tagNode name="prefix-list">
+ <properties>
+ <help>IP prefix-list filter</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Prefix list name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this prefix-list</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Prefix-list rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <leafNode name="ge">
+ <properties>
+ <help>Prefix length to match a netmask greater than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-32</format>
+ <description>Netmask greater than length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-32"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="le">
+ <properties>
+ <help>Prefix length to match a netmask less than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-32</format>
+ <description>Netmask less than length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-32"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix">
+ <properties>
+ <help>Prefix to match</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Prefix to match against</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END prefix-list -->
+ <tagNode name="prefix-list6">
+ <properties>
+ <help>IPv6 prefix-list filter</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Prefix list name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this prefix-list6</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Prefix-list rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ #include <include/policy-list-rule-description.xml.i>
+ <leafNode name="ge">
+ <properties>
+ <help>Prefix length to match a netmask greater than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-128</format>
+ <description>Netmask greater than length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-128"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="le">
+ <properties>
+ <help>Prefix length to match a netmask less than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-128</format>
+ <description>Netmask less than length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-128"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix">
+ <properties>
+ <help>Prefix to match</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END prefix-list6 -->
+ <tagNode name="route-map">
+ <properties>
+ <help>IP route-map</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Route map name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/policy-list-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule for this route-map</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Route-map rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/policy-list-action.xml.i>
+ <leafNode name="call">
+ <properties>
+ <help>Call another route-map on match</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Route map name</description>
+ </valueHelp>
+ <completionHelp>
+ <path>policy route-map</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="continue">
+ <properties>
+ <help>Jump to a different rule in this route-map on a match</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Rule number</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ #include <include/policy-list-rule-description.xml.i>
+ <node name="match">
+ <properties>
+ <help>Route parameters to match</help>
+ </properties>
+ <children>
+ <leafNode name="as-path">
+ <properties>
+ <help>BGP as-path-list to match</help>
+ <completionHelp>
+ <path>policy as-path-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <node name="community">
+ <properties>
+ <help>BGP community-list to match</help>
+ </properties>
+ <children>
+ <leafNode name="community-list">
+ <properties>
+ <help>BGP community-list to match</help>
+ <completionHelp>
+ <path>policy community-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="exact-match">
+ <properties>
+ <help>Community-list to exactly match</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="extcommunity">
+ <properties>
+ <help>BGP extended community to match</help>
+ <completionHelp>
+ <path>policy extcommunity-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="interface">
+ <properties>
+ <help>First hop interface of a route to match</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <node name="ip">
+ <properties>
+ <help>IP prefix parameters to match</help>
+ </properties>
+ <children>
+ <node name="address">
+ <properties>
+ <help>IP address of route to match</help>
+ </properties>
+ <children>
+ <leafNode name="access-list">
+ <properties>
+ <help>IP access-list to match</help>
+ <valueHelp>
+ <format>u32:1-99</format>
+ <description>IP standard access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:100-199</format>
+ <description>IP extended access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1300-1999</format>
+ <description>IP standard access list (expanded range)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:2000-2699</format>
+ <description>IP extended access list (expanded range)</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix-list">
+ <properties>
+ <help>IP prefix-list to match</help>
+ <completionHelp>
+ <path>policy prefix-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <!-- T3304 but it overwrite node nexthop
+ <leafNode name="nexthop">
+ <properties>
+ <help>IP next-hop of route to match</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Next-hop IPv4 router address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode> -->
+ <node name="nexthop">
+ <properties>
+ <help>IP next-hop of route to match</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Next-hop IPv4 router address</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="access-list">
+ <properties>
+ <help>IP access-list to match</help>
+ <valueHelp>
+ <format>u32:1-99</format>
+ <description>IP standard access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:100-199</format>
+ <description>IP extended access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1300-1999</format>
+ <description>IP standard access list (expanded range)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:2000-2699</format>
+ <description>IP extended access list (expanded range)</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix-list">
+ <properties>
+ <help>IP prefix-list to match</help>
+ <completionHelp>
+ <path>policy prefix-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="route-source">
+ <properties>
+ <help>test</help>
+ </properties>
+ <children>
+ <leafNode name="access-list">
+ <properties>
+ <help>IP access-list to match</help>
+ <valueHelp>
+ <format>u32:1-99</format>
+ <description>IP standard access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:100-199</format>
+ <description>IP extended access list</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1300-1999</format>
+ <description>IP standard access list (expanded range)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:2000-2699</format>
+ <description>IP extended access list (expanded range)</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix-list">
+ <properties>
+ <help>IP prefix-list to match</help>
+ <completionHelp>
+ <path>policy prefix-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <node name="ipv6">
+ <properties>
+ <help>IPv6 prefix parameters to match</help>
+ </properties>
+ <children>
+ <node name="address">
+ <properties>
+ <help>IPv6 address of route to match</help>
+ </properties>
+ <children>
+ <leafNode name="access-list">
+ <properties>
+ <help>IPv6 access-list to match</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>IPV6 access list name</description>
+ </valueHelp>
+ <completionHelp>
+ <path>policy access-list6</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix-list">
+ <properties>
+ <help>IPv6 prefix-list to match</help>
+ <completionHelp>
+ <path>policy prefix-list6</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="nexthop">
+ <properties>
+ <help>IPv6 next-hop of route to match</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Peer IP address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="large-community">
+ <properties>
+ <help>Match BGP large communities</help>
+ </properties>
+ <children>
+ <leafNode name="large-community-list">
+ <properties>
+ <help>BGP large-community-list to match</help>
+ <completionHelp>
+ <path>policy large-community-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="local-preference">
+ <properties>
+ <help>local-preference_help</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Local Preference</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="metric">
+ <properties>
+ <help>Metric of route to match</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Route metric</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="origin">
+ <properties>
+ <help>Border Gateway Protocol (BGP) origin code to match</help>
+ <completionHelp>
+ <list>egp igp incomplete</list>
+ </completionHelp>
+ <valueHelp>
+ <format>egp</format>
+ <description>Exterior gateway protocol origin</description>
+ </valueHelp>
+ <valueHelp>
+ <format>igp</format>
+ <description>Interior gateway protocol origin</description>
+ </valueHelp>
+ <valueHelp>
+ <format>incomplete</format>
+ <description>Incomplete origin</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(egp|igp|incomplete)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="peer">
+ <properties>
+ <help>Peer address to match</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Peer IP address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rpki">
+ <properties>
+ <help>Match RPKI validation result</help>
+ <completionHelp>
+ <list>invalid notfound valid</list>
+ </completionHelp>
+ <valueHelp>
+ <format>invalid</format>
+ <description>Match invalid entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>notfound</format>
+ <description>Match notfound entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>valid</format>
+ <description>Match valid entries</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(invalid|notfound|valid)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="tag">
+ <properties>
+ <help>Route tag to match</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Route tag</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="on-match">
+ <properties>
+ <help>Exit policy on matches</help>
+ </properties>
+ <children>
+ <leafNode name="goto">
+ <properties>
+ <help>Rule number to goto on match</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="next">
+ <properties>
+ <help>Next sequence number to goto on match</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="set">
+ <properties>
+ <help>Route parameters</help>
+ </properties>
+ <children>
+ <node name="aggregator">
+ <properties>
+ <help>Border Gateway Protocol (BGP) aggregator attribute</help>
+ </properties>
+ <children>
+ <leafNode name="as">
+ <properties>
+ <help>AS number of an aggregation</help>
+ <valueHelp>
+ <format>u32:1-4294967295</format>
+ <description>Rule number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="ip">
+ <properties>
+ <help>IP address of an aggregation</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IP address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="as-path-exclude">
+ <properties>
+ <help>Remove ASN(s) from a Border Gateway Protocol (BGP) AS-path attribute</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>BGP AS path exclude string (ex: "456 64500 45001")</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="as-path-prepend">
+ <properties>
+ <help>as-path-prepend_help</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>BGP AS path prepend string (ex: "64501 64501")</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="atomic-aggregate">
+ <properties>
+ <help>Border Gateway Protocol (BGP) atomic aggregate attribute</help>
+ </properties>
+ </leafNode>
+ <leafNode name="bgp-extcommunity-rt">
+ <properties>
+ <help>Set route target value</help>
+ <valueHelp>
+ <format>&lt;aa:nn&gt;</format>
+ <description>ExtCommunity in format: asn:value</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <node name="comm-list">
+ <properties>
+ <help>Border Gateway Protocol (BGP) communities matching a community-list</help>
+ </properties>
+ <children>
+ <leafNode name="comm-list">
+ <properties>
+ <help>BGP communities with a community-list</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>BGP communities with a community-list</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="delete">
+ <properties>
+ <help>Delete BGP communities matching the community-list</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="community">
+ <properties>
+ <help>community_help</help>
+ <completionHelp>
+ <list>local-AS no-advertise no-export internet additive none</list>
+ </completionHelp>
+ <valueHelp>
+ <format>&lt;aa:nn&gt;</format>
+ <description>Community in 4 octet AS:value format</description>
+ </valueHelp>
+ <valueHelp>
+ <format>local-AS</format>
+ <description>local-AS</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no-advertise</format>
+ <description>no-advertise</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no-export</format>
+ <description>no-export</description>
+ </valueHelp>
+ <valueHelp>
+ <format>internet</format>
+ <description>internet</description>
+ </valueHelp>
+ <valueHelp>
+ <format>additive</format>
+ <description>additive</description>
+ </valueHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>none</description>
+ </valueHelp>
+ <!-- Need to add properly validator
+ <constraint>
+ <regex>^(local-AS|no-advertise|no-export|internet|additive|none)$</regex>
+ </constraint> -->
+ </properties>
+ </leafNode>
+ <leafNode name="distance">
+ <properties>
+ <help>Locally significant administrative distance</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>Distance value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="extcommunity-rt">
+ <properties>
+ <help>Set route target value</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ASN:nn_or_IP_address:nn VPN extended community</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="extcommunity-soo">
+ <properties>
+ <help>Set Site of Origin value</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ASN:nn_or_IP_address:nn VPN extended community</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="ip-next-hop">
+ <properties>
+ <help>Nexthop IP address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IP address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="ipv6-next-hop">
+ <properties>
+ <help>Nexthop IPv6 address</help>
+ </properties>
+ <children>
+ <leafNode name="global">
+ <properties>
+ <help>Nexthop IPv6 global address</help>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="local">
+ <properties>
+ <help>Nexthop IPv6 local address</help>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="large-community">
+ <properties>
+ <help>Set BGP large community value</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ASN:nn:mm BGP large community</description>
+ </valueHelp>
+ <completionHelp>
+ <path>policy large-community-list</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="local-preference">
+ <properties>
+ <help>Border Gateway Protocol (BGP) local preference attribute</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Local preference value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="metric">
+ <properties>
+ <help>Destination routing protocol metric</help>
+ <valueHelp>
+ <format>&lt;+/-metric&gt;</format>
+ <description>Add or subtract metric</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Metric value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="metric-type">
+ <properties>
+ <help>Open Shortest Path First (OSPF) external metric-type</help>
+ <completionHelp>
+ <list>type-1 type-2</list>
+ </completionHelp>
+ <valueHelp>
+ <format>type-1</format>
+ <description>OSPF external type 1 metric</description>
+ </valueHelp>
+ <valueHelp>
+ <format>type-2</format>
+ <description>OSPF external type 2 metric</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(type-1|type-2)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="origin">
+ <properties>
+ <help>origin_help</help>
+ <completionHelp>
+ <list>igp egp incomplete</list>
+ </completionHelp>
+ <valueHelp>
+ <format>igp</format>
+ <description>Interior gateway protocol origin</description>
+ </valueHelp>
+ <valueHelp>
+ <format>egp</format>
+ <description>Exterior gateway protocol origin</description>
+ </valueHelp>
+ <valueHelp>
+ <format>incomplete</format>
+ <description>Incomplete origin</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(igp|egp|incomplete)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="originator-id">
+ <properties>
+ <help>Border Gateway Protocol (BGP) originator ID attribute</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Orignator IP address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-host"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="src">
+ <properties>
+ <help>Source address for route</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-host"/>
+ <validator name="ipv6-host"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="table">
+ <properties>
+ <help>Set prefixes to table</help>
+ <valueHelp>
+ <format>u32:1-200</format>
+ <description>Table value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-200"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="tag">
+ <properties>
+ <help>Tag value for routing protocol</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Tag value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="weight">
+ <properties>
+ <help>Border Gateway Protocol (BGP) weight attribute</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>BGP weight</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <!-- END route-map -->
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/src/conf_mode/policy-lists.py b/src/conf_mode/policy-lists.py
new file mode 100755
index 000000000..94a020e7b
--- /dev/null
+++ b/src/conf_mode/policy-lists.py
@@ -0,0 +1,117 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.template import render
+from vyos.template import render_to_string
+from vyos.util import call
+from vyos.util import dict_search
+from vyos import ConfigError
+from vyos import frr
+from vyos import airbag
+from pprint import pprint
+airbag.enable()
+
+config_file = r'/tmp/policy.frr'
+frr_daemon = 'zebra'
+
+DEBUG = os.path.exists('/tmp/policy.debug')
+if DEBUG:
+ import logging
+ lg = logging.getLogger("vyos.frr")
+ lg.setLevel(logging.DEBUG)
+ ch = logging.StreamHandler()
+ lg.addHandler(ch)
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['npolicy']
+ policy = conf.get_config_dict(base, key_mangling=('-', '_'))
+
+ # Bail out early if configuration tree does not exist
+ if not conf.exists(base):
+ return policy
+
+ pprint(policy)
+ exit(1)
+ return policy
+
+def verify(policy):
+ if not policy:
+ return None
+
+ return None
+
+def generate(policy):
+ if not policy:
+ policy['new_frr_config'] = ''
+ return None
+
+ # render(config) not needed, its only for debug
+ # render(config_file, 'frr/policy.frr.tmpl', policy)
+ # policy['new_frr_config'] = render_to_string('frr/policy.frr.tmpl')
+
+ return None
+
+def apply(policy):
+ # Save original configuration prior to starting any commit actions
+ # frr_cfg = frr.FRRConfig()
+ # frr_cfg.load_configuration(frr_daemon)
+ # frr_cfg.modify_section(f'ip', '')
+ # frr_cfg.add_before(r'(line vty)', policy['new_frr_config'])
+
+ # Debugging
+ if DEBUG:
+ from pprint import pprint
+ print('')
+ print('--------- DEBUGGING ----------')
+ pprint(dir(frr_cfg))
+ print('Existing config:\n')
+ for line in frr_cfg.original_config:
+ print(line)
+ print(f'Replacement config:\n')
+ print(f'{policy["new_frr_config"]}')
+ print(f'Modified config:\n')
+ print(f'{frr_cfg}')
+
+ # frr_cfg.commit_configuration(frr_daemon)
+
+ # If FRR config is blank, rerun the blank commit x times due to frr-reload
+ # behavior/bug not properly clearing out on one commit.
+ # if policy['new_frr_config'] == '':
+ # for a in range(5):
+ # frr_cfg.commit_configuration(frr_daemon)
+
+
+ return None
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
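Review bot: `get_config()` unconditionally runs `pprint(policy)` followed by `exit(1)` as soon as the `npolicy` tree exists, so every commit that actually configures a policy list fails; those two lines should be dropped or guarded with `if DEBUG:` before this script is wired up. The `if DEBUG:` branch in `apply()` is also unreachable in a working state: it dereferences `frr_cfg` and `policy["new_frr_config"]`, but the `frr_cfg = frr.FRRConfig()` line is commented out and `generate()` only sets `new_frr_config` for an empty policy, so creating `/tmp/policy.debug` turns a commit into a NameError. Because conf_mode scripts run with commit privileges, having both the debug flag (`DEBUG = os.path.exists('/tmp/policy.debug')`) and the rendered output path (`config_file = r'/tmp/policy.frr'`) under world-writable `/tmp` means any local user can toggle debug behaviour and pre-create the target file; this mirrors other conf_mode scripts, so at minimum a `# TODO: drop debug exit and /tmp flag file before enabling npolicy` marker would make the stub state explicit.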