diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-03-14 15:09:43 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-14 15:09:43 +0100 |
| commit | fece992339e696b7d133682bb37cf3c88b6f358a (patch) | |
| tree | d5000837154ad2aced2c9165bd6a29007a7de717 | |
| parent | dfa91f60f8bf0eeb3e7964ecc5d421a23521a931 (diff) | |
| parent | 9761804ddef45b3a981c1148ff8165688aafb5a0 (diff) | |
| download | vyos-1x-fece992339e696b7d133682bb37cf3c88b6f358a.tar.gz vyos-1x-fece992339e696b7d133682bb37cf3c88b6f358a.zip | |
Merge pull request #733 from sever-sever/T2425
conf-mode: T2425: Add XML for policy-lists
| -rw-r--r-- | Makefile | 1 | ||||
| -rw-r--r-- | interface-definitions/include/policy-list-action.xml.i | 21 | ||||
| -rw-r--r-- | interface-definitions/include/policy-list-description.xml.i | 11 | ||||
| -rw-r--r-- | interface-definitions/include/policy-list-rule-description.xml.i | 11 | ||||
| -rw-r--r-- | interface-definitions/policy-lists.xml.in | 1266 | ||||
| -rwxr-xr-x | src/conf_mode/policy-lists.py | 117 |
6 files changed, 1427 insertions, 0 deletions
@@ -45,6 +45,7 @@ interface_definitions: $(config_xml_obj) rm -f $(TMPL_DIR)/vpn/node.def rm -f $(TMPL_DIR)/vpn/ipsec/node.def rm -rf $(TMPL_DIR)/vpn/nipsec + rm -rf $(TMPL_DIR)/npolicy .PHONY: op_mode_definitions .ONESHELL: diff --git a/interface-definitions/include/policy-list-action.xml.i b/interface-definitions/include/policy-list-action.xml.i new file mode 100644 index 000000000..fddbd5a98 --- /dev/null +++ b/interface-definitions/include/policy-list-action.xml.i @@ -0,0 +1,21 @@ +<!-- included start from policy-list-action.xml.i --> +<leafNode name="action"> + <properties> + <help>Action to take on entries matching this rule [REQUIRED]</help> + <completionHelp> + <list>permit deny</list> + </completionHelp> + <valueHelp> + <format>permit</format> + <description>Permit matching entries</description> + </valueHelp> + <valueHelp> + <format>deny</format> + <description>Deny matching entries</description> + </valueHelp> + <constraint> + <regex>^(permit|deny)$</regex> + </constraint> + </properties> +</leafNode> +<!-- included end --> diff --git a/interface-definitions/include/policy-list-description.xml.i b/interface-definitions/include/policy-list-description.xml.i new file mode 100644 index 000000000..a50278729 --- /dev/null +++ b/interface-definitions/include/policy-list-description.xml.i @@ -0,0 +1,11 @@ +<!-- included start from policy-list-description.xml.i --> +<leafNode name="description"> + <properties> + <help>Description for this policy</help> + <valueHelp> + <format>txt</format> + <description>Description for this policy</description> + </valueHelp> + </properties> +</leafNode> +<!-- included end --> diff --git a/interface-definitions/include/policy-list-rule-description.xml.i b/interface-definitions/include/policy-list-rule-description.xml.i new file mode 100644 index 000000000..e22fb7c28 --- /dev/null +++ b/interface-definitions/include/policy-list-rule-description.xml.i @@ -0,0 +1,11 @@ +<!-- included start from policy-list-rule-description.xml.i --> +<leafNode name="description"> + <properties> + <help>Description for this rule</help> + <valueHelp> + <format>txt</format> + <description>Description for this rule</description> + </valueHelp> + </properties> +</leafNode> +<!-- included end --> diff --git a/interface-definitions/policy-lists.xml.in b/interface-definitions/policy-lists.xml.in new file mode 100644 index 000000000..0fece6594 --- /dev/null +++ b/interface-definitions/policy-lists.xml.in @@ -0,0 +1,1266 @@ +<?xml version="1.0"?> +<!-- Policy access|prefix|route-map lists --> +<interfaceDefinition> + <node name="npolicy" owner="${vyos_conf_scripts_dir}/policy-lists.py"> + <properties> + <help>Routing policy</help> + </properties> + <children> + <tagNode name="access-list"> + <properties> + <help>IP access-list filter</help> + <valueHelp> + <format>u32:1-99</format> + <description>IP standard access list</description> + </valueHelp> + <valueHelp> + <format>u32:100-199</format> + <description>IP extended access list</description> + </valueHelp> + <valueHelp> + <format>u32:1300-1999</format> + <description>IP standard access list (expanded range)</description> + </valueHelp> + <valueHelp> + <format>u32:2000-2699</format> + <description>IP extended access list (expanded range)</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this access-list</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Access-list rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <node name="destination"> + <properties> + <help>Destination network or address</help> + </properties> + <children> + <leafNode name="any"> + <properties> + <help>Any IP address to match</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="host"> + <properties> + <help>Single host IP address to match</help> + <valueHelp> + <format>ipv4</format> + <description>Host address to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-host"/> + </constraint> + </properties> + </leafNode> + <leafNode name="inverse-mask"> + <properties> + <help>Network/netmask to match (requires network be defined)</help> + <valueHelp> + <format>ipv4</format> + <description>Inverse-mask to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + <leafNode name="network"> + <properties> + <help>Network/netmask to match (requires inverse-mask be defined)</help> + <valueHelp> + <format>ipv4net</format> + <description>Inverse-mask to match</description> + </valueHelp> + <constraint> + <validator name="ip-prefix"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="source"> + <properties> + <help>Source network or address to match</help> + </properties> + <children> + <leafNode name="any"> + <properties> + <help>Any IP address to match</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="host"> + <properties> + <help>Single host IP address to match</help> + <valueHelp> + <format>ipv4</format> + <description>Host address to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-host"/> + </constraint> + </properties> + </leafNode> + <leafNode name="inverse-mask"> + <properties> + <help>Network/netmask to match (requires network be defined)</help> + <valueHelp> + <format>ipv4</format> + <description>Inverse-mask to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + <leafNode name="network"> + <properties> + <help>Network/netmask to match (requires inverse-mask be defined)</help> + <valueHelp> + <format>ipv4net</format> + <description>Inverse-mask to match</description> + </valueHelp> + <constraint> + <validator name="ip-prefix"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + </children> + </tagNode> + <!-- END access-list --> + <tagNode name="access-list6"> + <properties> + <help>IPv6 access-list filter</help> + <valueHelp> + <format>txt</format> + <description>Name of IPv6 access-list</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this access-list6</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Access-list6 rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <node name="source"> + <properties> + <help>Source IPv6 network to match</help> + </properties> + <children> + <leafNode name="any"> + <properties> + <help>Any IP address to match</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="exact-match"> + <properties> + <help>Exact match of the network prefixes</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="network"> + <properties> + <help>Network/netmask to match</help> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 address and prefix length</description> + </valueHelp> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + </children> + </tagNode> + <!-- END access-list6 --> + <tagNode name="as-path-list"> + <properties> + <help>Border Gateway Protocol (BGP) autonomous system path filter</help> + <valueHelp> + <format>txt</format> + <description>AS path list name</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this as-path-list</help> + <valueHelp> + <format>u32:1-65535</format> + <description>AS path list rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <leafNode name="regex"> + <properties> + <help>Regular expression to match against an AS path</help> + <valueHelp> + <format><asn></format> + <description>AS path regular expression (ex: "64501 64502")</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </tagNode> + <!-- END as-path-list --> + <tagNode name="community-list"> + <properties> + <help>Border Gateway Protocol (BGP) autonomous system path filter</help> + <valueHelp> + <format>txt</format> + <description>Border Gateway Protocol (BGP) community-list filter</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this BGP community list</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Community-list rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <leafNode name="regex"> + <properties> + <help>Regular expression to match against a community list</help> + <valueHelp> + <format><aa:nn></format> + <description>Community list regular expression or one of: internet, local-AS, no-advertise, no-export</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </tagNode> + <!-- END community-list --> + <tagNode name="extcommunity-list"> + <properties> + <help>Border Gateway Protocol (BGP) extended community-list filter</help> + <valueHelp> + <format>txt</format> + <description>Border Gateway Protocol (BGP) extended community-list filter</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this BGP extended community list</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Extended community-list rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <leafNode name="regex"> + <properties> + <help>Regular expression to match against an extended community list</help> + <valueHelp> + <format><aa:nn:nn></format> + <description>Extended community list regular expression</description> + </valueHelp> + <valueHelp> + <format><rt aa:nn:nn></format> + <description>Extended community list regular expression</description> + </valueHelp> + <valueHelp> + <format><soo aa:nn></format> + <description>Extended community list regular expression</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </tagNode> + <!-- END extcommunity-list --> + <tagNode name="large-community-list"> + <properties> + <help>Border Gateway Protocol (BGP) large-community-list filter</help> + <valueHelp> + <format>txt</format> + <description>Border Gateway Protocol (BGP) large-community-list filter</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this BGP extended community list</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Large community-list rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <leafNode name="regex"> + <properties> + <help>Regular expression to match against a large community list</help> + <valueHelp> + <format><aa:nn:nn></format> + <description>Large community list regular expression</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </tagNode> + <!-- END large-community-list --> + <tagNode name="prefix-list"> + <properties> + <help>IP prefix-list filter</help> + <valueHelp> + <format>txt</format> + <description>Prefix list name</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this prefix-list</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Prefix-list rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <leafNode name="ge"> + <properties> + <help>Prefix length to match a netmask greater than or equal to it</help> + <valueHelp> + <format>u32:0-32</format> + <description>Netmask greater than length</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-32"/> + </constraint> + </properties> + </leafNode> + <leafNode name="le"> + <properties> + <help>Prefix length to match a netmask less than or equal to it</help> + <valueHelp> + <format>u32:0-32</format> + <description>Netmask less than length</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-32"/> + </constraint> + </properties> + </leafNode> + <leafNode name="prefix"> + <properties> + <help>Prefix to match</help> + <valueHelp> + <format>ipv4net</format> + <description>Prefix to match against</description> + </valueHelp> + <constraint> + <validator name="ip-prefix"/> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </tagNode> + <!-- END prefix-list --> + <tagNode name="prefix-list6"> + <properties> + <help>IPv6 prefix-list filter</help> + <valueHelp> + <format>txt</format> + <description>Prefix list name</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this prefix-list6</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Prefix-list rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + #include <include/policy-list-rule-description.xml.i> + <leafNode name="ge"> + <properties> + <help>Prefix length to match a netmask greater than or equal to it</help> + <valueHelp> + <format>u32:0-128</format> + <description>Netmask greater than length</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-128"/> + </constraint> + </properties> + </leafNode> + <leafNode name="le"> + <properties> + <help>Prefix length to match a netmask less than or equal to it</help> + <valueHelp> + <format>u32:0-128</format> + <description>Netmask less than length</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-128"/> + </constraint> + </properties> + </leafNode> + <leafNode name="prefix"> + <properties> + <help>Prefix to match</help> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 prefix</description> + </valueHelp> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </tagNode> + <!-- END prefix-list6 --> + <tagNode name="route-map"> + <properties> + <help>IP route-map</help> + <valueHelp> + <format>txt</format> + <description>Route map name</description> + </valueHelp> + </properties> + <children> + #include <include/policy-list-description.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule for this route-map</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Route-map rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + <children> + #include <include/policy-list-action.xml.i> + <leafNode name="call"> + <properties> + <help>Call another route-map on match</help> + <valueHelp> + <format>txt</format> + <description>Route map name</description> + </valueHelp> + <completionHelp> + <path>policy route-map</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="continue"> + <properties> + <help>Jump to a different rule in this route-map on a match</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Rule number</description> + </valueHelp> + </properties> + </leafNode> + #include <include/policy-list-rule-description.xml.i> + <node name="match"> + <properties> + <help>Route parameters to match</help> + </properties> + <children> + <leafNode name="as-path"> + <properties> + <help>BGP as-path-list to match</help> + <completionHelp> + <path>policy as-path-list</path> + </completionHelp> + </properties> + </leafNode> + <node name="community"> + <properties> + <help>BGP community-list to match</help> + </properties> + <children> + <leafNode name="community-list"> + <properties> + <help>BGP community-list to match</help> + <completionHelp> + <path>policy community-list</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="exact-match"> + <properties> + <help>Community-list to exactly match</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + <leafNode name="extcommunity"> + <properties> + <help>BGP extended community to match</help> + <completionHelp> + <path>policy extcommunity-list</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="interface"> + <properties> + <help>First hop interface of a route to match</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + </leafNode> + <node name="ip"> + <properties> + <help>IP prefix parameters to match</help> + </properties> + <children> + <node name="address"> + <properties> + <help>IP address of route to match</help> + </properties> + <children> + <leafNode name="access-list"> + <properties> + <help>IP access-list to match</help> + <valueHelp> + <format>u32:1-99</format> + <description>IP standard access list</description> + </valueHelp> + <valueHelp> + <format>u32:100-199</format> + <description>IP extended access list</description> + </valueHelp> + <valueHelp> + <format>u32:1300-1999</format> + <description>IP standard access list (expanded range)</description> + </valueHelp> + <valueHelp> + <format>u32:2000-2699</format> + <description>IP extended access list (expanded range)</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="prefix-list"> + <properties> + <help>IP prefix-list to match</help> + <completionHelp> + <path>policy prefix-list</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + <!-- T3304 but it overwrite node nexthop + <leafNode name="nexthop"> + <properties> + <help>IP next-hop of route to match</help> + <valueHelp> + <format>ipv4</format> + <description>Next-hop IPv4 router address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> --> + <node name="nexthop"> + <properties> + <help>IP next-hop of route to match</help> + <valueHelp> + <format>ipv4</format> + <description>Next-hop IPv4 router address</description> + </valueHelp> + </properties> + <children> + <leafNode name="access-list"> + <properties> + <help>IP access-list to match</help> + <valueHelp> + <format>u32:1-99</format> + <description>IP standard access list</description> + </valueHelp> + <valueHelp> + <format>u32:100-199</format> + <description>IP extended access list</description> + </valueHelp> + <valueHelp> + <format>u32:1300-1999</format> + <description>IP standard access list (expanded range)</description> + </valueHelp> + <valueHelp> + <format>u32:2000-2699</format> + <description>IP extended access list (expanded range)</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="prefix-list"> + <properties> + <help>IP prefix-list to match</help> + <completionHelp> + <path>policy prefix-list</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + <node name="route-source"> + <properties> + <help>test</help> + </properties> + <children> + <leafNode name="access-list"> + <properties> + <help>IP access-list to match</help> + <valueHelp> + <format>u32:1-99</format> + <description>IP standard access list</description> + </valueHelp> + <valueHelp> + <format>u32:100-199</format> + <description>IP extended access list</description> + </valueHelp> + <valueHelp> + <format>u32:1300-1999</format> + <description>IP standard access list (expanded range)</description> + </valueHelp> + <valueHelp> + <format>u32:2000-2699</format> + <description>IP extended access list (expanded range)</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="prefix-list"> + <properties> + <help>IP prefix-list to match</help> + <completionHelp> + <path>policy prefix-list</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + <node name="ipv6"> + <properties> + <help>IPv6 prefix parameters to match</help> + </properties> + <children> + <node name="address"> + <properties> + <help>IPv6 address of route to match</help> + </properties> + <children> + <leafNode name="access-list"> + <properties> + <help>IPv6 access-list to match</help> + <valueHelp> + <format>txt</format> + <description>IPV6 access list name</description> + </valueHelp> + <completionHelp> + <path>policy access-list6</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="prefix-list"> + <properties> + <help>IPv6 prefix-list to match</help> + <completionHelp> + <path>policy prefix-list6</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + <leafNode name="nexthop"> + <properties> + <help>IPv6 next-hop of route to match</help> + <valueHelp> + <format>ipv4</format> + <description>Peer IP address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="large-community"> + <properties> + <help>Match BGP large communities</help> + </properties> + <children> + <leafNode name="large-community-list"> + <properties> + <help>BGP large-community-list to match</help> + <completionHelp> + <path>policy large-community-list</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + <leafNode name="local-preference"> + <properties> + <help>local-preference_help</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Local Preference</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="metric"> + <properties> + <help>Metric of route to match</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Route metric</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + <leafNode name="origin"> + <properties> + <help>Border Gateway Protocol (BGP) origin code to match</help> + <completionHelp> + <list>egp igp incomplete</list> + </completionHelp> + <valueHelp> + <format>egp</format> + <description>Exterior gateway protocol origin</description> + </valueHelp> + <valueHelp> + <format>igp</format> + <description>Interior gateway protocol origin</description> + </valueHelp> + <valueHelp> + <format>incomplete</format> + <description>Incomplete origin</description> + </valueHelp> + <constraint> + <regex>^(egp|igp|incomplete)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="peer"> + <properties> + <help>Peer address to match</help> + <valueHelp> + <format>ipv4</format> + <description>Peer IP address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + <leafNode name="rpki"> + <properties> + <help>Match RPKI validation result</help> + <completionHelp> + <list>invalid notfound valid</list> + </completionHelp> + <valueHelp> + <format>invalid</format> + <description>Match invalid entries</description> + </valueHelp> + <valueHelp> + <format>notfound</format> + <description>Match notfound entries</description> + </valueHelp> + <valueHelp> + <format>valid</format> + <description>Match valid entries</description> + </valueHelp> + <constraint> + <regex>^(invalid|notfound|valid)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="tag"> + <properties> + <help>Route tag to match</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Route tag</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="on-match"> + <properties> + <help>Exit policy on matches</help> + </properties> + <children> + <leafNode name="goto"> + <properties> + <help>Rule number to goto on match</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + <leafNode name="next"> + <properties> + <help>Next sequence number to goto on match</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + <node name="set"> + <properties> + <help>Route parameters</help> + </properties> + <children> + <node name="aggregator"> + <properties> + <help>Border Gateway Protocol (BGP) aggregator attribute</help> + </properties> + <children> + <leafNode name="as"> + <properties> + <help>AS number of an aggregation</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>Rule number</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="ip"> + <properties> + <help>IP address of an aggregation</help> + <valueHelp> + <format>ipv4</format> + <description>IP address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <leafNode name="as-path-exclude"> + <properties> + <help>Remove ASN(s) from a Border Gateway Protocol (BGP) AS-path attribute</help> + <valueHelp> + <format>txt</format> + <description>BGP AS path exclude string (ex: "456 64500 45001")</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="as-path-prepend"> + <properties> + <help>as-path-prepend_help</help> + <valueHelp> + <format>txt</format> + <description>BGP AS path prepend string (ex: "64501 64501")</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="atomic-aggregate"> + <properties> + <help>Border Gateway Protocol (BGP) atomic aggregate attribute</help> + </properties> + </leafNode> + <leafNode name="bgp-extcommunity-rt"> + <properties> + <help>Set route target value</help> + <valueHelp> + <format><aa:nn></format> + <description>ExtCommunity in format: asn:value</description> + </valueHelp> + </properties> + </leafNode> + <node name="comm-list"> + <properties> + <help>Border Gateway Protocol (BGP) communities matching a community-list</help> + </properties> + <children> + <leafNode name="comm-list"> + <properties> + <help>BGP communities with a community-list</help> + <valueHelp> + <format>txt</format> + <description>BGP communities with a community-list</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="delete"> + <properties> + <help>Delete BGP communities matching the community-list</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + <leafNode name="community"> + <properties> + <help>community_help</help> + <completionHelp> + <list>local-AS no-advertise no-export internet additive none</list> + </completionHelp> + <valueHelp> + <format><aa:nn></format> + <description>Community in 4 octet AS:value format</description> + </valueHelp> + <valueHelp> + <format>local-AS</format> + <description>local-AS</description> + </valueHelp> + <valueHelp> + <format>no-advertise</format> + <description>no-advertise</description> + </valueHelp> + <valueHelp> + <format>no-export</format> + <description>no-export</description> + </valueHelp> + <valueHelp> + <format>internet</format> + <description>internet</description> + </valueHelp> + <valueHelp> + <format>additive</format> + <description>additive</description> + </valueHelp> + <valueHelp> + <format>none</format> + <description>none</description> + </valueHelp> + <!-- Need to add properly validator + <constraint> + <regex>^(local-AS|no-advertise|no-export|internet|additive|none)$</regex> + </constraint> --> + </properties> + </leafNode> + <leafNode name="distance"> + <properties> + <help>Locally significant administrative distance</help> + <valueHelp> + <format>u32:0-255</format> + <description>Distance value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="extcommunity-rt"> + <properties> + <help>Set route target value</help> + <valueHelp> + <format>txt</format> + <description>ASN:nn_or_IP_address:nn VPN extended community</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="extcommunity-soo"> + <properties> + <help>Set Site of Origin value</help> + <valueHelp> + <format>txt</format> + <description>ASN:nn_or_IP_address:nn VPN extended community</description> + </valueHelp> + </properties> + </leafNode> + <leafNode name="ip-next-hop"> + <properties> + <help>Nexthop IP address</help> + <valueHelp> + <format>ipv4</format> + <description>IP address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + <node name="ipv6-next-hop"> + <properties> + <help>Nexthop IPv6 address</help> + </properties> + <children> + <leafNode name="global"> + <properties> + <help>Nexthop IPv6 global address</help> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address and prefix length</description> + </valueHelp> + <constraint> + <validator name="ipv6-address"/> + </constraint> + </properties> + </leafNode> + <leafNode name="local"> + <properties> + <help>Nexthop IPv6 local address</help> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address and prefix length</description> + </valueHelp> + <constraint> + <validator name="ipv6-address"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <leafNode name="large-community"> + <properties> + <help>Set BGP large community value</help> + <valueHelp> + <format>txt</format> + <description>ASN:nn:mm BGP large community</description> + </valueHelp> + <completionHelp> + <path>policy large-community-list</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="local-preference"> + <properties> + <help>Border Gateway Protocol (BGP) local preference attribute</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Local preference value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="metric"> + <properties> + <help>Destination routing protocol metric</help> + <valueHelp> + <format><+/-metric></format> + <description>Add or subtract metric</description> + </valueHelp> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Metric value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="metric-type"> + <properties> + <help>Open Shortest Path First (OSPF) external metric-type</help> + <completionHelp> + <list>type-1 type-2</list> + </completionHelp> + <valueHelp> + <format>type-1</format> + <description>OSPF external type 1 metric</description> + </valueHelp> + <valueHelp> + <format>type-2</format> + <description>OSPF external type 2 metric</description> + </valueHelp> + <constraint> + <regex>^(type-1|type-2)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="origin"> + <properties> + <help>origin_help</help> + <completionHelp> + <list>igp egp incomplete</list> + </completionHelp> + <valueHelp> + <format>igp</format> + <description>Interior gateway protocol origin</description> + </valueHelp> + <valueHelp> + <format>egp</format> + <description>Exterior gateway protocol origin</description> + </valueHelp> + <valueHelp> + <format>incomplete</format> + <description>Incomplete origin</description> + </valueHelp> + <constraint> + <regex>^(igp|egp|incomplete)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="originator-id"> + <properties> + <help>Border Gateway Protocol (BGP) originator ID attribute</help> + <valueHelp> + <format>ipv4</format> + <description>Orignator IP address</description> + </valueHelp> + <constraint> + <validator name="ipv4-host"/> + </constraint> + </properties> + </leafNode> + <leafNode name="src"> + <properties> + <help>Source address for route</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address</description> + </valueHelp> + <constraint> + <validator name="ipv4-host"/> + <validator name="ipv6-host"/> + </constraint> + </properties> + </leafNode> + <leafNode name="table"> + <properties> + <help>Set prefixes to table</help> + <valueHelp> + <format>u32:1-200</format> + <description>Table value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-200"/> + </constraint> + </properties> + </leafNode> + <leafNode name="tag"> + <properties> + <help>Tag value for routing protocol</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Tag value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + <leafNode name="weight"> + <properties> + <help>Border Gateway Protocol (BGP) weight attribute</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>BGP weight</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + </children> + </tagNode> + <!-- END route-map --> + </children> + </node> +</interfaceDefinition> diff --git a/src/conf_mode/policy-lists.py b/src/conf_mode/policy-lists.py new file mode 100755 index 000000000..94a020e7b --- /dev/null +++ b/src/conf_mode/policy-lists.py @@ -0,0 +1,117 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.template import render +from vyos.template import render_to_string +from vyos.util import call +from vyos.util import dict_search +from vyos import ConfigError +from vyos import frr +from vyos import airbag +from pprint import pprint +airbag.enable() + +config_file = r'/tmp/policy.frr' +frr_daemon = 'zebra' + +DEBUG = os.path.exists('/tmp/policy.debug') +if DEBUG: + import logging + lg = logging.getLogger("vyos.frr") + lg.setLevel(logging.DEBUG) + ch = logging.StreamHandler() + lg.addHandler(ch) + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['npolicy'] + policy = conf.get_config_dict(base, key_mangling=('-', '_')) + + # Bail out early if configuration tree does not exist + if not conf.exists(base): + return policy + + pprint(policy) + exit(1) + return policy + +def verify(policy): + if not policy: + return None + + return None + +def generate(policy): + if not policy: + policy['new_frr_config'] = '' + return None + + # render(config) not needed, its only for debug + # render(config_file, 'frr/policy.frr.tmpl', policy) + # policy['new_frr_config'] = render_to_string('frr/policy.frr.tmpl') + + return None + +def apply(policy): + # Save original configuration prior to starting any commit actions + # frr_cfg = frr.FRRConfig() + # frr_cfg.load_configuration(frr_daemon) + # frr_cfg.modify_section(f'ip', '') + # frr_cfg.add_before(r'(line vty)', policy['new_frr_config']) + + # Debugging + if DEBUG: + from pprint import pprint + print('') + print('--------- DEBUGGING ----------') + pprint(dir(frr_cfg)) + print('Existing config:\n') + for line in frr_cfg.original_config: + print(line) + print(f'Replacement config:\n') + print(f'{policy["new_frr_config"]}') + print(f'Modified config:\n') + print(f'{frr_cfg}') + + # frr_cfg.commit_configuration(frr_daemon) + + # If FRR config is blank, rerun the blank commit x times due to frr-reload + # behavior/bug not properly clearing out on one commit. + # if policy['new_frr_config'] == '': + # for a in range(5): + # frr_cfg.commit_configuration(frr_daemon) + + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) |