author | Christian Poessinger <christian@poessinger.com> | 2019-11-11 20:13:46 +0100 |
committer | Christian Poessinger <christian@poessinger.com> | 2019-11-11 20:13:46 +0100 |
commit | 80375d2be96c53f2fa4a827f93105dc32931401f (patch) | |
tree | 0b805551a0d65cbec00857501e11e721fe0429ac /src/conf_mode | |
parent | 8abde544455dd158d080eb6ea7b7ed226b27965a (diff) | |
parent | c9c8cd50f4165c7f86e71a6723f0ebb3a2cbdaf5 (diff) | |
Merge branch 'current' of github.com:vyos/vyos-1x into equuleus
* 'current' of github.com:vyos/vyos-1x:
ifconfig: T1793: extend set_speed_duplex() delta check
[OpenVPN]: T1704: Added uppercase entries of ncp-ciphers, since there seems to be a bug in OpenVPN client when comparing pushed cipher with local ncp cipher list
[OpenVPN]: T1704: Moved ncp-ciphers out of encryption block in config template
[OpenVPN]: T1704: Changed the description of ncp-ciphers in config
[OpenVPN]: T1704: Added function for ncp-ciphers, and ability to disable it. [OpenVPN]: T1704: Changed config structure for OpenVPN encryption to support ncp-ciphers. [OpenVPN]: T1704: Added migration scripts for interface 2-to-3
Intel QAT: T1788: Intel QAT implementation
ifconfig: T1793: add delta check on set_speed_duplex()
ifconfig: T1793: add delta check on set_flow_control()
Python/ifconfig: wireguard: remove trailing whitespaces
l2tp: T1747: automatically calculate gw-ip-address
QAT: T1788: Intel QAT implementation
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/accel_l2tp.py | 16 | ||||
-rwxr-xr-x | src/conf_mode/intel_qat.py | 108 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 57 |
3 files changed, 175 insertions, 6 deletions
diff --git a/src/conf_mode/accel_l2tp.py b/src/conf_mode/accel_l2tp.py
index 244a720db..37fda2029 100755
--- a/src/conf_mode/accel_l2tp.py
+++ b/src/conf_mode/accel_l2tp.py
@@ -125,6 +125,9 @@ gw-ip-address={{outside_nexthop}}
 {% if authentication['mode'] == 'local' %}
 [chap-secrets]
 chap-secrets=/etc/accel-ppp/l2tp/chap-secrets
+{% if outside_nexthop %}
+gw-ip-address={{outside_nexthop}}
+{% endif %}
 {% endif %}
 [ppp]
@@ -287,7 +290,7 @@ def get_config():
 'mppe' : 'prefer'
 },
 'outside_addr' : '',
- 'outside_nexthop' : '',
+ 'outside_nexthop' : '10.255.255.0',
 'dns' : [],
 'dnsv6' : [],
 'wins' : [],
@@ -429,7 +432,16 @@ def get_config():
 ### gateway address
 if c.exists('outside-nexthop'):
 config_data['outside_nexthop'] = c.return_value('outside-nexthop')
-
+ else:
+ ### calculate gw-ip-address
+ if c.exists('client-ip-pool start'):
+ ### use start ip as gw-ip-address
+ config_data['outside_nexthop'] = c.return_value('client-ip-pool start')
+ elif c.exists('client-ip-pool subnet'):
+ ### use first ip address from first defined pool
+ lst_ip = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", c.return_values('client-ip-pool subnet')[0])
+ config_data['outside_nexthop'] = lst_ip[0]
+
 if c.exists('authentication require'):
 auth_mods = {'pap' : 'pap','chap' : 'auth_chap_md5', 'mschap' : 'auth_mschap_v1', 'mschap-v2' : 'auth_mschap_v2'}
 for proto in c.return_values('authentication require'):
diff --git a/src/conf_mode/intel_qat.py b/src/conf_mode/intel_qat.py
new file mode 100755
index 000000000..a1abd5e81
--- /dev/null
+++ b/src/conf_mode/intel_qat.py
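Review bot: The `{% if outside_nexthop %}` guard added to the [chap-secrets] block can no longer evaluate false, because the second hunk of this file changes the `outside_nexthop` default from `''` to `'10.255.255.0'` and the third hunk fills it from the client pool in the remaining cases. Either keep the default empty so the template guard means something, or drop the guard; as written a hard-coded `10.255.255.0` is emitted as `gw-ip-address` whenever neither outside-nexthop nor a client-ip-pool is configured, which is easy to miss in a rendered accel-ppp config. A comment on the default such as `# fallback gw-ip-address when neither outside-nexthop nor client-ip-pool is set` would at least make the intent visible.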
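Review bot: `lst_ip[0]` in the new `client-ip-pool subnet` branch raises IndexError when the first subnet value does not contain a dotted quad, and the pattern is a plain string, so `"\d"` is an invalid escape sequence that Python 3 warns about. Two small changes cover both: `lst_ip = re.findall(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", c.return_values('client-ip-pool subnet')[0])` and, before the assignment, `if not lst_ip: raise ConfigError('client-ip-pool subnet must contain an IPv4 address')` (assuming ConfigError is imported here as in the other conf_mode scripts). Note that the regex picks up the network part of a CIDR value, so the derived gw-ip-address is typically an x.x.x.0 address, consistent with the new default; confirm that is what accel-ppp expects. get_config() continues outside the hunk.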
@@ -0,0 +1,108 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import re
+import subprocess
+
+from vyos.config import Config
+from vyos import ConfigError
+
+# Define for recovering
+gl_ipsec_conf = None
+
+def get_config():
+ c = Config()
+ config_data = {
+ 'qat_conf' : None,
+ 'ipsec_conf' : None,
+ 'openvpn_conf' : None,
+ }
+
+ if c.exists('system acceleration qat'):
+ config_data['qat_conf'] = True
+
+ if c.exists('vpn ipsec '):
+ gl_ipsec_conf = True
+ config_data['ipsec_conf'] = True
+
+ if c.exists('interfaces openvpn'):
+ config_data['openvpn_conf'] = True
+
+ return config_data
+
+# Control configured VPN service which can use QAT
+def vpn_control(action):
+ if action == 'restore' and gl_ipsec_conf:
+ ret = subprocess.Popen(['sudo', 'ipsec', 'start'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ (output, err) = ret.communicate()
+ return
+
+ ret = subprocess.Popen(['sudo', 'ipsec', action], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ (output, err) = ret.communicate()
+
+def verify(c):
+ # Check if QAT service installed
+ if not os.path.exists('/etc/init.d/vyos-qat-utilities'):
+ raise ConfigError("Warning: QAT init file not found")
+
+ if c['qat_conf'] == None:
+ return
+
+ # Check if QAT device exist
+ ret = subprocess.Popen(['sudo', 'lspci', '-nn'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ (output, err) = ret.communicate()
+ if not err:
+ data = re.findall('(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)', output.decode("utf-8"))
+ #If QAT devices found
+ if not data:
+ print("\t No QAT acceleration device found")
+ sys.exit(1)
+
+def apply(c):
+ if c['ipsec_conf']:
+ # Shutdown VPN service which can use QAT
+ vpn_control('stop')
+
+ # Disable QAT service
+ if c['qat_conf'] == None:
+ ret = subprocess.Popen(['sudo', '/etc/init.d/vyos-qat-utilities', 'stop'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ (output, err) = ret.communicate()
+ if c['ipsec_conf']:
+ vpn_control('start')
+
+ return
+
+ # Run qat init.d script
+ ret = subprocess.Popen(['sudo', '/etc/init.d/vyos-qat-utilities', 'start'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ (output, err) = ret.communicate()
+
+ if c['ipsec_conf']:
+ # Recovery VPN service
+ vpn_control('start')
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ vpn_control('restore')
+ sys.exit(1)
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index cdd133904..50d367f2f 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -222,6 +222,13 @@ cipher aes-256-cbc
 {% endif %}
 {% endif %}
+{%- if ncp_ciphers %}
+ncp-ciphers {{ncp_ciphers}}
+{% endif %}
+{%- if disable_ncp %}
+ncp-disable
+{% endif %}
+
 {%- if auth %}
 auth-user-pass /tmp/openvpn-{{ intf }}-pw
 auth-retry nointeract
@@ -277,6 +284,7 @@ default_config_data = {
 'deleted': False,
 'description': '',
 'disable': False,
+ 'disable_ncp': False,
 'encryption': '',
 'hash': '',
 'intf': '',
@@ -287,6 +295,7 @@ default_config_data = {
 'local_host': '',
 'local_port': '',
 'mode': '',
+ 'ncp_ciphers': '',
 'options': [],
 'persistent_tunnel': False,
 'protocol': '',
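Review bot: `gl_ipsec_conf = True` inside get_config() binds a function local, not the module-level `gl_ipsec_conf` declared above it, so the global stays None, the `action == 'restore'` branch of vpn_control() is never taken, and the except handler in `__main__` ends up running `sudo ipsec restore` — a verb the ipsec wrapper does not know — instead of restarting IPsec; add `global gl_ipsec_conf` as the first statement of get_config(). In verify(), `err` is always None because stderr is merged into stdout, so `if not err:` filters nothing and a failing `lspci` (non-zero exit, no matching output) is reported as "no QAT device found"; checking `ret.returncode` after communicate() is the reliable signal, and `raise ConfigError('No QAT acceleration device found')` would be consistent with the rest of the script instead of print plus sys.exit(1). The same Popen/communicate pattern in apply() discards the init script's return code, so a failed QAT start or stop goes unnoticed. Also `c.exists('vpn ipsec ')` carries a trailing space that looks unintended.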
@@ -410,10 +419,44 @@ def get_config():
 if conf.exists('disable'):
 openvpn['disable'] = True
- # data encryption algorithm
- if conf.exists('encryption'):
- openvpn['encryption'] = conf.return_value('encryption')
-
+ # data encryption algorithm cipher
+ if conf.exists('encryption cipher'):
+ openvpn['encryption'] = conf.return_value('encryption cipher')
+
+ # disable ncp-ciphers support
+ if conf.exists('encryption disable-ncp'):
+ openvpn['disable_ncp'] = True
+
+ # data encryption algorithm ncp-list
+ if conf.exists('encryption ncp-ciphers'):
+ _ncp_ciphers = []
+ for enc in conf.return_values('encryption ncp-ciphers'):
+ if enc == 'des':
+ _ncp_ciphers.append('des-cbc')
+ _ncp_ciphers.append('DES-CBC')
+ elif enc == '3des':
+ _ncp_ciphers.append('des-ede3-cbc')
+ _ncp_ciphers.append('DES-EDE3-CBC')
+ elif enc == 'aes128':
+ _ncp_ciphers.append('aes-128-cbc')
+ _ncp_ciphers.append('AES-128-CBC')
+ elif enc == 'aes128gcm':
+ _ncp_ciphers.append('aes-128-gcm')
+ _ncp_ciphers.append('AES-128-GCM')
+ elif enc == 'aes192':
+ _ncp_ciphers.append('aes-192-cbc')
+ _ncp_ciphers.append('AES-192-CBC')
+ elif enc == 'aes192gcm':
+ _ncp_ciphers.append('aes-192-gcm')
+ _ncp_ciphers.append('AES-192-GCM')
+ elif enc == 'aes256':
+ _ncp_ciphers.append('aes-256-cbc')
+ _ncp_ciphers.append('AES-256-CBC')
+ elif enc == 'aes256gcm':
+ _ncp_ciphers.append('aes-256-gcm')
+ _ncp_ciphers.append('AES-256-GCM')
+ openvpn['ncp_ciphers'] = ':'.join(_ncp_ciphers)
+
 # hash algorithm
 if conf.exists('hash'):
 openvpn['hash'] = conf.return_value('hash')
@@ -621,6 +664,9 @@ def verify(openvpn):
 if openvpn['bridge_member']:
 raise ConfigError('Can not delete {} as it is a member interface of bridge {}!'.format(openvpn['intf'], bridge))
+ # Check if we have disabled ncp and at the same time specified ncp-ciphers
+ if openvpn['disable_ncp'] and openvpn['ncp_ciphers']:
+ raise ConfigError('Cannot specify both "encryption disable-ncp" and "encryption ncp-ciphers"')
 #
 # OpenVPN client mode - VERIFY
 #
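Review bot: The new verify() check only rejects the disable-ncp/ncp-ciphers combination; nothing flags `des` or `3des` in the ncp list, and since NCP lets the peer pick any cipher the server offers, listing them lets a session negotiate down to a 64-bit block cipher even when `encryption cipher` is set to AES. A warning, or a ConfigError if the project prefers to refuse it, when `'des-cbc'` or `'des-ede3-cbc'` is present in `openvpn['ncp_ciphers']` would make that consequence visible at commit time, e.g. `if any(c in openvpn['ncp_ciphers'].split(':') for c in ('des-cbc', 'des-ede3-cbc')): print('Warning: ncp-ciphers offers a 64-bit block cipher')`. The check is inserted directly after the bridge-member deletion error without a separating blank line, which makes it read as part of the delete path; verify() continues outside the hunk.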
@@ -661,6 +707,9 @@ def verify(openvpn):
 if openvpn['local_address'] == openvpn['local_host']:
 raise ConfigError('"local-address" cannot be the same as "local-host"')
+ if openvpn['ncp_ciphers']:
+ raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client')
+
 else:
 if openvpn['local_address'] or openvpn['remote_address']:
 raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server mode')
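Review bot: Site-to-site mode now rejects `ncp-ciphers` but silently accepts `encryption disable-ncp`, which presumably has just as little effect in a static-key session; for symmetry add `if openvpn['disable_ncp']: raise ConfigError('"encryption disable-ncp" cannot be specified in site-to-site mode, only server or client')` next to the new check. The new message also leaves the option name unquoted while its neighbours quote theirs (`'"local-address" cannot be the same as "local-host"'`), so `'"encryption ncp-ciphers" cannot be specified in site-to-site mode, only server or client'` would match. verify() continues outside the hunk.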