authoraapostoliuk <a.apostoliuk@vyos.io>2024-08-09 18:08:56 +0300
committeraapostoliuk <a.apostoliuk@vyos.io>2025-01-09 18:24:15 +0200
commit5e8307bf3a7f816193ca9da8cb290d57bbb375f2 (patch)
tree14c10b6e515bbdf97a85bad741e5e5a0e5f91307 /data/templates
parent4ca6177f782c336330054c72854e5edbb2fe6322 (diff)
nhrp: T2326: NHRP migration to FRR
NHRP migration to FRR
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/frr/daemons.frr.tmpl2
-rw-r--r--data/templates/frr/nhrpd.frr.j262
-rw-r--r--data/templates/frr/nhrpd_nftables.conf.j246
-rw-r--r--data/templates/ipsec/swanctl/profile.j28
-rw-r--r--data/templates/nhrp/nftables.conf.j217
-rw-r--r--data/templates/nhrp/opennhrp.conf.j242
6 files changed, 113 insertions, 64 deletions
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index 3506528d2..835dc382b 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -30,7 +30,7 @@ isisd=yes
pimd=no
pim6d=yes
ldpd=yes
-nhrpd=no
+nhrpd=yes
eigrpd=no
babeld=yes
sharpd=no
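Review bot: `nhrpd=yes` starts the NHRP daemon on every FRR start whether or not any NHRP configuration exists, since the visible lines of this file are static and carry no Jinja condition. If that is intended to keep the migration simple, a comment next to the line, `# nhrpd is always started; NHRP behaviour is governed by frr/nhrpd.frr.j2`, would record it; otherwise gating it on the presence of NHRP configuration keeps an otherwise unused daemon from running by default. Whether the other daemons set to `yes` here follow the same policy is not visible in the hunk.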
diff --git a/data/templates/frr/nhrpd.frr.j2 b/data/templates/frr/nhrpd.frr.j2
new file mode 100644
index 000000000..2b2aba256
--- /dev/null
+++ b/data/templates/frr/nhrpd.frr.j2
@@ -0,0 +1,62 @@
+!
+{% if redirect is vyos_defined %}
+nhrp nflog-group {{ redirect }}
+{% endif %}
+{% if multicast is vyos_defined %}
+nhrp multicast-nflog-group {{ multicast }}
+{% endif %}
+{% if tunnel is vyos_defined %}
+{% for iface, iface_config in tunnel.items() %}
+interface {{ iface }}
+{% if iface_config.authentication is vyos_defined %}
+ ip nhrp authentication {{ iface_config.authentication }}
+{% endif %}
+{% if iface_config.holdtime is vyos_defined %}
+ ip nhrp holdtime {{ iface_config.holdtime }}
+{% endif %}
+{% if iface_config.map.tunnel_ip is vyos_defined %}
+{% for tunip, tunip_config in iface_config.map.tunnel_ip.items() %}
+{% if tunip_config.nbma is vyos_defined %}
+ ip nhrp map {{ tunip }} {{ tunip_config.nbma }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if iface_config.mtu is vyos_defined %}
+ ip nhrp mtu {{ iface_config.mtu }}
+{% endif %}
+{% if iface_config.multicast is vyos_defined %}
+{% for multicast_ip in iface_config.multicast %}
+ ip nhrp map multicast {{ multicast_ip }}
+{% endfor %}
+{% endif %}
+{% if iface_config.nhs.tunnel_ip is vyos_defined %}
+{% for tunip, tunip_config in iface_config.nhs.tunnel_ip.items() %}
+{% if tunip_config.nbma is vyos_defined %}
+{% for nbmaip in tunip_config.nbma %}
+ ip nhrp nhs {{ tunip }} nbma {{ nbmaip }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if iface_config.network_id is vyos_defined %}
+ ip nhrp network-id {{ iface_config.network_id }}
+{% endif %}
+{% if iface_config.redirect is vyos_defined %}
+ ip nhrp redirect
+{% endif %}
+{% if iface_config.registration_no_unique is vyos_defined %}
+ ip nhrp registration no-unique
+{% endif %}
+{% if iface_config.shortcut is vyos_defined %}
+ ip nhrp shortcut
+{% endif %}
+{% if iface_config.security_profile is vyos_defined %}
+ tunnel protection vici profile dmvpn-{{ iface_config.security_profile }}-{{ iface }}-child
+{% endif %}
+exit
+!
+{% endfor %}
+{% endif %}
+!
+exit
+!
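Review bot: The `tunnel protection vici profile dmvpn-{{ iface_config.security_profile }}-{{ iface }}-child` line in the security_profile branch hard-codes a naming contract that ipsec/swanctl/profile.j2 renders independently as `dmvpn-{{ name }}-{{ interface }}-child`; nothing ties the two, so a later edit to either template would silently leave the tunnel without IPsec protection. A Jinja comment above the line, `{# must match the child name rendered by ipsec/swanctl/profile.j2 #}`, and a matching one in that template would at least make the coupling visible. Separately, `ip nhrp authentication {{ iface_config.authentication }}` writes the shared authentication string into the rendered FRR configuration in clear; the permissions of that file are set outside this template, so confirm they match FRR's other rendered configs.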
diff --git a/data/templates/frr/nhrpd_nftables.conf.j2 b/data/templates/frr/nhrpd_nftables.conf.j2
new file mode 100644
index 000000000..6ae35ef52
--- /dev/null
+++ b/data/templates/frr/nhrpd_nftables.conf.j2
@@ -0,0 +1,46 @@
+#!/usr/sbin/nft -f
+
+table ip vyos_nhrp_multicast
+table ip vyos_nhrp_redirect
+delete table ip vyos_nhrp_multicast
+delete table ip vyos_nhrp_redirect
+{% if multicast is vyos_defined %}
+table ip vyos_nhrp_multicast {
+ chain VYOS_NHRP_MULTICAST_OUTPUT {
+ type filter hook output priority filter+10; policy accept;
+{% if tunnel is vyos_defined %}
+{% for tun, tunnel_conf in tunnel.items() %}
+{% if tunnel_conf.multicast is vyos_defined %}
+ oifname "{{ tun }}" ip daddr 224.0.0.0/24 counter log group {{ multicast }}
+ oifname "{{ tun }}" ip daddr 224.0.0.0/24 counter drop
+{% endif %}
+{% endfor %}
+{% endif %}
+ }
+ chain VYOS_NHRP_MULTICAST_FORWARD {
+ type filter hook forward priority filter+10; policy accept;
+{% if tunnel is vyos_defined %}
+{% for tun, tunnel_conf in tunnel.items() %}
+{% if tunnel_conf.multicast is vyos_defined %}
+ oifname "{{ tun }}" ip daddr 224.0.0.0/4 counter log group {{ multicast }}
+ oifname "{{ tun }}" ip daddr 224.0.0.0/4 counter drop
+{% endif %}
+{% endfor %}
+{% endif %}
+ }
+}
+{% endif %}
+{% if redirect is vyos_defined %}
+table ip vyos_nhrp_redirect {
+ chain VYOS_NHRP_REDIRECT_FORWARD {
+ type filter hook forward priority filter+10; policy accept;
+{% if tunnel is vyos_defined %}
+{% for tun, tunnel_conf in tunnel.items() %}
+{% if tunnel_conf.redirect is vyos_defined %}
+ iifname "{{ tun }}" oifname "{{ tun }}" meter loglimit-0 size 65535 { ip daddr & 255.255.255.0 . ip saddr & 255.255.255.0 timeout 1m limit rate 4/minute burst 1 packets } counter log group {{ redirect }}
+{% endif %}
+{% endfor %}
+{% endif %}
+ }
+}
+{% endif %}
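Review bot: The VYOS_NHRP_MULTICAST_OUTPUT chain matches `ip daddr 224.0.0.0/24` while VYOS_NHRP_MULTICAST_FORWARD matches `ip daddr 224.0.0.0/4`; if the narrower link-local range on the output hook is deliberate, a Jinja comment saying so would stop the next reader from "fixing" it, and if not, one of the two is wrong. The redirect chain also emits one rule per tunnel with redirect set, each naming the same dynamic meter `loglimit-0`; whether nft accepts a meter name shared by several rules in one chain should be confirmed, and `meter loglimit-{{ tun }} size 65535` would sidestep the question and rate-limit per tunnel. Because each log rule is paired with an unconditional `counter drop`, matching multicast is dropped at this hook regardless of whether nhrpd is consuming the nflog group, which is worth stating in a header comment for whoever debugs missing multicast on a tunnel.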
diff --git a/data/templates/ipsec/swanctl/profile.j2 b/data/templates/ipsec/swanctl/profile.j2
index 8519a84f8..6a04b038a 100644
--- a/data/templates/ipsec/swanctl/profile.j2
+++ b/data/templates/ipsec/swanctl/profile.j2
@@ -22,16 +22,16 @@
}
{% endif %}
children {
- dmvpn {
+ dmvpn-{{ name }}-{{ interface }}-child {
esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
mode = {{ esp.mode }}
-{% if ike.dead_peer_detection.action is vyos_defined %}
- dpd_action = {{ ike.dead_peer_detection.action }}
-{% endif %}
+ dpd_action = clear
+ close_action = none
+ start_action = none
{% if esp.compression is vyos_defined('enable') %}
ipcomp = yes
{% endif %}
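Review bot: `dpd_action = clear` replaces the conditional that rendered `ike.dead_peer_detection.action`, so a user-configured DPD action is now silently ignored for the DMVPN child while the option presumably still exists on the IKE group; either that setting should be rejected for profiles used by NHRP, or the fixed value documented above the line, `{# dpd/close/start actions are fixed: FRR nhrpd drives this child via VICI #}`. The child name `dmvpn-{{ name }}-{{ interface }}-child` must stay in step with the `tunnel protection vici profile` line in frr/nhrpd.frr.j2, which renders the same pattern independently. The `children` block opened at the top of the hunk closes outside it.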
diff --git a/data/templates/nhrp/nftables.conf.j2 b/data/templates/nhrp/nftables.conf.j2
deleted file mode 100644
index a0d1f6d4c..000000000
--- a/data/templates/nhrp/nftables.conf.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/sbin/nft -f
-
-{% if first_install is not vyos_defined %}
-delete table ip vyos_nhrp_filter
-{% endif %}
-table ip vyos_nhrp_filter {
- chain VYOS_NHRP_OUTPUT {
- type filter hook output priority 10; policy accept;
-{% if tunnel is vyos_defined %}
-{% for tun, tunnel_conf in tunnel.items() %}
-{% if if_tunnel[tun].source_address is vyos_defined %}
- ip protocol gre ip saddr {{ if_tunnel[tun].source_address }} ip daddr 224.0.0.0/4 counter drop comment "VYOS_NHRP_{{ tun }}"
-{% endif %}
-{% endfor %}
-{% endif %}
- }
-}
diff --git a/data/templates/nhrp/opennhrp.conf.j2 b/data/templates/nhrp/opennhrp.conf.j2
deleted file mode 100644
index c040a8f14..000000000
--- a/data/templates/nhrp/opennhrp.conf.j2
+++ /dev/null
@@ -1,42 +0,0 @@
-{# j2lint: disable=jinja-variable-format #}
-# Created by VyOS - manual changes will be overwritten
-
-{% if tunnel is vyos_defined %}
-{% for name, tunnel_conf in tunnel.items() %}
-{% set type = 'spoke' if tunnel_conf.map is vyos_defined or tunnel_conf.dynamic_map is vyos_defined else 'hub' %}
-{% set profile_name = profile_map[name] if profile_map is vyos_defined and name in profile_map else '' %}
-interface {{ name }} #{{ type }} {{ profile_name }}
-{% if tunnel_conf.map is vyos_defined %}
-{% for map, map_conf in tunnel_conf.map.items() %}
-{% set cisco = ' cisco' if map_conf.cisco is vyos_defined else '' %}
-{% set register = ' register' if map_conf.register is vyos_defined else '' %}
- map {{ map }} {{ map_conf.nbma_address }}{{ register }}{{ cisco }}
-{% endfor %}
-{% endif %}
-{% if tunnel_conf.dynamic_map is vyos_defined %}
-{% for map, map_conf in tunnel_conf.dynamic_map.items() %}
- dynamic-map {{ map }} {{ map_conf.nbma_domain_name }}
-{% endfor %}
-{% endif %}
-{% if tunnel_conf.cisco_authentication is vyos_defined %}
- cisco-authentication {{ tunnel_conf.cisco_authentication }}
-{% endif %}
-{% if tunnel_conf.holding_time is vyos_defined %}
- holding-time {{ tunnel_conf.holding_time }}
-{% endif %}
-{% if tunnel_conf.multicast is vyos_defined %}
- multicast {{ tunnel_conf.multicast }}
-{% endif %}
-{% for key in ['non_caching', 'redirect', 'shortcut', 'shortcut_destination'] %}
-{% if key in tunnel_conf %}
- {{ key | replace("_", "-") }}
-{% endif %}
-{% endfor %}
-{% if tunnel_conf.shortcut_target is vyos_defined %}
-{% for target, shortcut_conf in tunnel_conf.shortcut_target.items() %}
- shortcut-target {{ target }}{{ ' holding-time ' + shortcut_conf.holding_time if shortcut_conf.holding_time is vyos_defined }}
-{% endfor %}
-{% endif %}
-
-{% endfor %}
-{% endif %}