authorChristian Poessinger <christian@poessinger.com>2021-07-03 15:39:17 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-03 15:39:17 +0200
commit1e74c0df2179c60036e440e15ed9036163039b2a (patch)
tree4352ed737a931a3d6fbbfb6ecd99cfb84f34661f
parenta1abb118c9eb413f3c78cfb2077f9c0d4b443c3a (diff)
ipsec: T2816: remove default values from Jinja2 template and place them in XML
VyOS has a proven mechanism for supplying CLI default values to the Python configuration scripts. This commit removes hardcoded default values from the Jinja2 template and places them into the appropriate XML definitions. The big advantage is that the default value itself and the corresponding help string are located in the exact same file.
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl4
-rw-r--r--data/templates/ipsec/swanctl/profile.tmpl6
-rw-r--r--interface-definitions/vpn_ipsec.xml.in4
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py15
4 files changed, 24 insertions, 5 deletions
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 0559d1dac..b35cd4b60 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -63,7 +63,7 @@
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
- mode = {{ vti_esp.mode if vti_esp.mode is defined else "tunnel" }}
+ mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
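Review bot: The unconditional `mode = {{ vti_esp.mode }}` now silently depends on vpn_ipsec.py having merged the esp-group `<defaultValue>` into the group dict before rendering; if that merge is ever skipped, the line renders as `mode = ` and swanctl receives an invalid child config instead of the previous `tunnel` fallback. Nothing in the template records this contract, and `vti_esp` is resolved outside this hunk, so a reader cannot see where the value comes from. I would add a template comment next to the children block, e.g. `{# esp-group defaults (lifetime, mode, pfs) are merged from the XML defaultValue in vpn_ipsec.py get_config() #}`, so the coupling is explicit for the next maintainer.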
@@ -101,7 +101,7 @@
remote_ts = {{ peer }}{{ remote_suffix }}
{% endif %}
ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }}
- mode = {{ tunnel_esp.mode if tunnel_esp.mode is defined else "tunnel" }}
+ mode = {{ tunnel_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index 0360972f6..0a7268405 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -7,7 +7,7 @@
dmvpn-{{ name }}-{{ interface }} {
proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
- rekey_time = {{ ike.lifetime if ike.lifetime is defined else '28800' }}s
+ rekey_time = {{ ike.lifetime }}s
keyingtries = 0
{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
local {
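Review bot: `rekey_time = {{ ike.lifetime }}s` on the new side is now used unconditionally, while two lines above `version` still guards on `ike is defined`; the two lines disagree about whether `ike` can be absent in this template context. If `ike` can be undefined, rendering fails (or emits `rekey_time = s`, depending on the environment's Undefined class) for a DMVPN profile whose ike-group lookup failed; if it cannot, the guard on the `version` line is dead and should be simplified for consistency. I would resolve this explicitly, e.g. keep both lines unguarded and add `{# ike-group is always resolved and default-merged in vpn_ipsec.py; lifetime comes from the XML defaultValue #}`, or guard both the same way. Whether `ike` can be undefined is not visible from this hunk and should be confirmed against the profile lookup code.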
@@ -20,11 +20,11 @@
children {
dmvpn {
esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
- rekey_time = {{ esp.lifetime if esp.lifetime is defined else '3600' }}s
+ rekey_time = {{ esp.lifetime }}s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
- mode = {{ esp.mode if esp.mode is defined else 'transport' }}
+ mode = {{ esp.mode }}
{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
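Review bot: `mode = {{ esp.mode }}` changes the effective default for DMVPN child SAs: the removed line fell back to `transport`, but the only `<defaultValue>` added for esp-group `mode` in this commit is `tunnel`, and the merge in vpn_ipsec.py applies it to every esp-group. Any DMVPN profile whose esp-group does not set `mode` explicitly therefore moves from transport to tunnel mode on upgrade, which is a behaviour change the commit message does not mention and which may break negotiation with existing spokes/hubs expecting the old mode. Because the default is merged before rendering, the template can no longer distinguish an explicit `tunnel` from the default, so the DMVPN-specific fallback cannot simply be restored here; either the profile path must be exempted from the `mode` default merge in vpn_ipsec.py, or the change must be deliberate and called out (a migration script or release note plus a template comment such as `{# esp-group 'mode' defaults to tunnel via XML; DMVPN previously defaulted to transport #}`). Please confirm which is intended.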
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 6aff7bef5..a2e9a7a5a 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -64,6 +64,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="mode">
<properties>
@@ -83,6 +84,7 @@
<regex>^(tunnel|transport)$</regex>
</constraint>
</properties>
+ <defaultValue>tunnel</defaultValue>
</leafNode>
<leafNode name="pfs">
<properties>
@@ -190,6 +192,7 @@
<regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
</constraint>
</properties>
+ <defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
@@ -341,6 +344,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="mobike">
<properties>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index e95a3e82d..6d5d24e52 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -23,6 +23,7 @@ from time import sleep
from vyos.config import Config
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
+from vyos.configdict import dict_merge
from vyos.ifconfig import Interface
from vyos.pki import wrap_certificate
from vyos.pki import wrap_crl
@@ -35,6 +36,7 @@ from vyos.util import call
from vyos.util import dict_search
from vyos.util import process_named_running
from vyos.util import run
+from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -77,6 +79,19 @@ def get_config(config=None):
ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
+ if 'esp_group' in ipsec:
+ default_values = defaults(base + ['esp-group'])
+ for group in ipsec['esp_group']:
+ ipsec['esp_group'][group] = dict_merge(default_values,
+ ipsec['esp_group'][group])
+
+ if 'ike_group' in ipsec:
+ default_values = defaults(base + ['ike-group'])
+ for group in ipsec['ike_group']:
+ ipsec['ike_group'][group] = dict_merge(default_values,
+ ipsec['ike_group'][group])
+
+
ipsec['dhcp_no_address'] = {}
ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
'interface'])