nhrp: T2326: NHRP migration to FRR

NHRP migration to FRR

3 files changed, 91 insertions, 66 deletions

diff --git a/src/conf_mode/interfaces_tunnel.py b/src/conf_mode/interfaces_tunnel.py
index 98ef98d12..ee1436e49 100755
--- a/src/conf_mode/interfaces_tunnel.py
+++ b/src/conf_mode/interfaces_tunnel.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2024 yOS maintainers and contributors
+# Copyright (C) 2018-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -13,9 +13,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
 from sys import exit
-
+import ipaddress
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
@@ -89,6 +88,13 @@ def verify(tunnel):
             raise ConfigError('Tunnel used for NHRP, it can not be deleted!')
 
         return None
+    if 'nhrp' in tunnel:
+        if 'address' in tunnel:
+            address_list = dict_search('address', tunnel)
+            for tunip in address_list:
+                if ipaddress.ip_network(tunip, strict=False).prefixlen != 32:
+                    raise ConfigError(
+                        'Tunnel is used for NHRP, Netmask should be /32!')
 
     verify_tunnel(tunnel)
 
diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py
index 0bd68b7d8..ac92c9d99 100755
--- a/src/conf_mode/protocols_nhrp.py
+++ b/src/conf_mode/protocols_nhrp.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2024 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,95 +14,112 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
+from sys import exit
+from sys import argv
 
+import ipaddress
 from vyos.config import Config
-from vyos.configdict import node_changed
 from vyos.template import render
+from vyos.configverify import has_frr_protocol_in_dict
 from vyos.utils.process import run
+from vyos.utils.dict import dict_search
 from vyos import ConfigError
 from vyos import airbag
+from vyos.frrender import FRRender
+from vyos.frrender import get_frrender_dict
+from vyos.utils.process import is_systemd_service_running
+
 airbag.enable()
 
-opennhrp_conf = '/run/opennhrp/opennhrp.conf'
+nflog_redirect = 1
+nflog_multicast = 2
 nhrp_nftables_conf = '/run/nftables_nhrp.conf'
 
+
 def get_config(config=None):
     if config:
         conf = config
     else:
         conf = Config()
-    base = ['protocols', 'nhrp']
-
-    nhrp = conf.get_config_dict(base, key_mangling=('-', '_'),
-                                get_first_key=True, no_tag_node_value_mangle=True)
-    nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel'])
-
-    if not conf.exists(base):
-        return nhrp
 
-    nhrp['if_tunnel'] = conf.get_config_dict(['interfaces', 'tunnel'], key_mangling=('-', '_'),
-                                get_first_key=True, no_tag_node_value_mangle=True)
+    return get_frrender_dict(conf, argv)
 
-    nhrp['profile_map'] = {}
-    profile = conf.get_config_dict(['vpn', 'ipsec', 'profile'], key_mangling=('-', '_'),
-                                get_first_key=True, no_tag_node_value_mangle=True)
 
-    for name, profile_conf in profile.items():
-        if 'bind' in profile_conf and 'tunnel' in profile_conf['bind']:
-            interfaces = profile_conf['bind']['tunnel']
-            if isinstance(interfaces, str):
-                interfaces = [interfaces]
-            for interface in interfaces:
-                nhrp['profile_map'][interface] = name
-
-    return nhrp
-
-def verify(nhrp):
-    if 'tunnel' in nhrp:
-        for name, nhrp_conf in nhrp['tunnel'].items():
-            if not nhrp['if_tunnel'] or name not in nhrp['if_tunnel']:
+def verify(config_dict):
+    if not config_dict or 'deleted' in config_dict:
+        return None
+    if 'tunnel' in config_dict:
+        for name, nhrp_conf in config_dict['tunnel'].items():
+            if not config_dict['if_tunnel'] or name not in config_dict['if_tunnel']:
                 raise ConfigError(f'Tunnel interface "{name}" does not exist')
 
-            tunnel_conf = nhrp['if_tunnel'][name]
+            tunnel_conf = config_dict['if_tunnel'][name]
+            if 'address' in tunnel_conf:
+                address_list = dict_search('address', tunnel_conf)
+                for tunip in address_list:
+                    if ipaddress.ip_network(tunip,
+                                            strict=False).prefixlen != 32:
+                        raise ConfigError(
+                            f'Tunnel {name} is used for NHRP, Netmask should be /32!')
 
             if 'encapsulation' not in tunnel_conf or tunnel_conf['encapsulation'] != 'gre':
                 raise ConfigError(f'Tunnel "{name}" is not an mGRE tunnel')
 
+            if 'network_id' not in nhrp_conf:
+                raise ConfigError(f'network-id is not specified in tunnel "{name}"')
+
             if 'remote' in tunnel_conf:
                 raise ConfigError(f'Tunnel "{name}" cannot have a remote address defined')
 
-            if 'map' in nhrp_conf:
-                for map_name, map_conf in nhrp_conf['map'].items():
-                    if 'nbma_address' not in map_conf:
+            map_tunnelip = dict_search('map.tunnel_ip', nhrp_conf)
+            if map_tunnelip:
+                for map_name, map_conf in map_tunnelip.items():
+                    if 'nbma' not in map_conf:
                         raise ConfigError(f'nbma-address missing on map {map_name} on tunnel {name}')
 
-            if 'dynamic_map' in nhrp_conf:
-                for map_name, map_conf in nhrp_conf['dynamic_map'].items():
-                    if 'nbma_domain_name' not in map_conf:
-                        raise ConfigError(f'nbma-domain-name missing on dynamic-map {map_name} on tunnel {name}')
+            nhs_tunnelip = dict_search('nhs.tunnel_ip', nhrp_conf)
+            nbma_list = []
+            if nhs_tunnelip:
+                for nhs_name, nhs_conf in nhs_tunnelip.items():
+                    if 'nbma' not in nhs_conf:
+                        raise ConfigError(f'nbma-address missing on map nhs {nhs_name} on tunnel {name}')
+                    if nhs_name != 'dynamic':
+                        if len(list(dict_search('nbma', nhs_conf))) > 1:
+                            raise ConfigError(
+                                f'Static nhs tunnel-ip {nhs_name} cannot contain multiple nbma-addresses')
+                    for nbma_ip in dict_search('nbma', nhs_conf):
+                        if nbma_ip not in nbma_list:
+                            nbma_list.append(nbma_ip)
+                        else:
+                            raise ConfigError(
+                                f'Nbma address {nbma_ip} cannot be maped to several tunnel-ip')
     return None
 
-def generate(nhrp):
-    if not os.path.exists(nhrp_nftables_conf):
-        nhrp['first_install'] = True
 
-    render(opennhrp_conf, 'nhrp/opennhrp.conf.j2', nhrp)
-    render(nhrp_nftables_conf, 'nhrp/nftables.conf.j2', nhrp)
+def generate(config_dict):
+    if not has_frr_protocol_in_dict(config_dict, 'nhrp'):
+        return None
+
+    if 'deleted' in config_dict['nhrp']:
+        return None
+    render(nhrp_nftables_conf, 'frr/nhrpd_nftables.conf.j2', config_dict['nhrp'])
+
+    if config_dict and not is_systemd_service_running('vyos-configd.service'):
+        FRRender().generate(config_dict)
     return None
 
-def apply(nhrp):
+
+def apply(config_dict):
+
     nft_rc = run(f'nft --file {nhrp_nftables_conf}')
     if nft_rc != 0:
         raise ConfigError('Failed to apply NHRP tunnel firewall rules')
 
-    action = 'restart' if nhrp and 'tunnel' in nhrp else 'stop'
-    service_rc = run(f'systemctl {action} opennhrp.service')
-    if service_rc != 0:
-        raise ConfigError(f'Failed to {action} the NHRP service')
-
+    if config_dict and not is_systemd_service_running('vyos-configd.service'):
+        FRRender().apply()
     return None
 
+
 if __name__ == '__main__':
     try:
         c = get_config()
@@ -112,3 +129,4 @@ if __name__ == '__main__':
     except ConfigError as e:
         print(e)
         exit(1)
+
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index e22b7550c..25604d2a2 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2024 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -86,8 +86,6 @@ def get_config(config=None):
         conf = Config()
     base = ['vpn', 'ipsec']
     l2tp_base = ['vpn', 'l2tp', 'remote-access', 'ipsec-settings']
-    if not conf.exists(base):
-        return None
 
     # retrieve common dictionary keys
     ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
@@ -95,6 +93,14 @@ def get_config(config=None):
                                  get_first_key=True,
                                  with_pki=True)
 
+    ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
+    if ipsec['nhrp_exists']:
+        set_dependents('nhrp', conf)
+
+    if not conf.exists(base):
+        ipsec.update({'deleted' : ''})
+        return ipsec
+
     # We have to cleanup the default dict, as default values could
     # enable features which are not explicitly enabled on the
     # CLI. E.g. dead-peer-detection defaults should not be injected
@@ -115,7 +121,6 @@ def get_config(config=None):
     ipsec['dhcp_no_address'] = {}
     ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes
     ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface'])
-    ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
 
     if ipsec['nhrp_exists']:
         set_dependents('nhrp', conf)
@@ -196,8 +201,8 @@ def verify_pki_rsa(pki, rsa_conf):
     return True
 
 def verify(ipsec):
-    if not ipsec:
-        return None
+    if not ipsec or 'deleted' in ipsec:
+        return
 
     if 'authentication' in ipsec:
         if 'psk' in ipsec['authentication']:
@@ -624,7 +629,7 @@ def generate_pki_files_rsa(pki, rsa_conf):
 def generate(ipsec):
     cleanup_pki_files()
 
-    if not ipsec:
+    if not ipsec or 'deleted' in ipsec:
         for config_file in [charon_dhcp_conf, charon_radius_conf, interface_conf, swanctl_conf]:
             if os.path.isfile(config_file):
                 os.unlink(config_file)
@@ -721,15 +726,12 @@ def generate(ipsec):
 
 def apply(ipsec):
     systemd_service = 'strongswan.service'
-    if not ipsec:
+    if not ipsec or 'deleted' in ipsec:
         call(f'systemctl stop {systemd_service}')
-
         if vti_updown_db_exists():
             remove_vti_updown_db()
-
     else:
         call(f'systemctl reload-or-restart {systemd_service}')
-
         if ipsec['enabled_vti_interfaces']:
             with open_vti_updown_db_for_create_or_update() as db:
                 db.removeAllOtherInterfaces(ipsec['enabled_vti_interfaces'])
@@ -737,7 +739,7 @@ def apply(ipsec):
                 db.commit(lambda interface: ipsec['vti_interface_dicts'][interface])
         elif vti_updown_db_exists():
             remove_vti_updown_db()
-
+    if ipsec:
         if ipsec.get('nhrp_exists', False):
             try:
                 call_dependents()
@@ -746,7 +748,6 @@ def apply(ipsec):
                 # ConfigError("ConfigError('Interface ethN requires an IP address!')")
                 pass
 
-
 if __name__ == '__main__':
     try:
         ipsec = get_config()