summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces-tunnel.py
diff options
context:
space:
mode:
authorViacheslav <v.gletenko@vyos.io>2021-08-31 10:48:12 +0000
committerViacheslav <v.gletenko@vyos.io>2021-09-01 12:15:43 +0000
commit468ba7b076c7145b7fe62b60b7e81b432bb27d54 (patch)
tree133ada19eabea32616be02dfcb79935759798a75 /src/conf_mode/interfaces-tunnel.py
parenta086dc2c429aea9614ac7a9c735c6475c2d6da59 (diff)
downloadvyos-1x-468ba7b076c7145b7fe62b60b7e81b432bb27d54.tar.gz
vyos-1x-468ba7b076c7145b7fe62b60b7e81b432bb27d54.zip
tunnel: T2920: Add checks tun with same source addr and keys
2 tunnels with the same local-address should has different keys Check existing tunnels (source-address key) with new tunnel.
Diffstat (limited to 'src/conf_mode/interfaces-tunnel.py')
-rwxr-xr-xsrc/conf_mode/interfaces-tunnel.py23
1 files changed, 23 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index 616a2e23c..bfd9a8c56 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -18,6 +18,7 @@ import os
from sys import exit
from netifaces import interfaces
+from ipaddress import IPv4Address
from vyos.config import Config
from vyos.configdict import dict_merge
@@ -31,6 +32,7 @@ from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vrf
from vyos.configverify import verify_tunnel
from vyos.ifconfig import Interface
+from vyos.ifconfig import Section
from vyos.ifconfig import TunnelIf
from vyos.template import is_ipv4
from vyos.template import is_ipv6
@@ -100,6 +102,27 @@ def verify(tunnel):
dict_search('parameters.ip.key', tunnel) == None:
raise ConfigError('Tunnel parameters ip key must be set!')
+ if tunnel['encapsulation'] in ['gre', 'gretap']:
+ if dict_search('parameters.ip.key', tunnel) != None:
+ # Check pairs tunnel source-address/encapsulation/key with exists tunnels.
+ # Prevent the same key for 2 tunnels with same source-address/encap. T2920
+ for tunnel_if in Section.interfaces('tunnel'):
+ tunnel_cfg = get_interface_config(tunnel_if)
+ exist_encap = tunnel_cfg['linkinfo']['info_kind']
+ exist_source_address = tunnel_cfg['address']
+ exist_key = tunnel_cfg['linkinfo']['info_data']['ikey']
+ new_source_address = tunnel['source_address']
+ # Convert tunnel key to ip key, format "ip -j link show"
+ # 1 => 0.0.0.1, 999 => 0.0.3.231
+ orig_new_key = int(tunnel['parameters']['ip']['key'])
+ new_key = IPv4Address(orig_new_key)
+ new_key = str(new_key)
+ if tunnel['encapsulation'] == exist_encap and \
+ new_source_address == exist_source_address and \
+ new_key == exist_key:
+ raise ConfigError(f'Key "{orig_new_key}" for source-address "{new_source_address}" ' \
+ f'is already used for tunnel "{tunnel_if}"!')
+
verify_mtu_ipv6(tunnel)
verify_address(tunnel)
verify_vrf(tunnel)