summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorKim <kim.sidney@gmail.com>2021-10-07 16:52:56 +0200
committerGitHub <noreply@github.com>2021-10-07 16:52:56 +0200
commit2274dbf9047493a00a6f30346b38dacd8cfcf965 (patch)
treef431f5f6f1b2770c98ed9047e1cec9209e536366 /src
parent2acfffab8b98238e7d869673a858a4ae21651f0b (diff)
parentadc7ef387d40e92bd7163ee6b401e99e554394a3 (diff)
downloadvyos-1x-2274dbf9047493a00a6f30346b38dacd8cfcf965.tar.gz
vyos-1x-2274dbf9047493a00a6f30346b38dacd8cfcf965.zip
Merge branch 'current' into 2fa
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/conntrack.py11
-rwxr-xr-xsrc/conf_mode/containers.py249
-rwxr-xr-xsrc/conf_mode/dhcp_server.py43
-rwxr-xr-xsrc/conf_mode/dns_forwarding.py15
-rwxr-xr-xsrc/conf_mode/firewall_options.py150
-rwxr-xr-xsrc/conf_mode/host_name.py49
-rwxr-xr-xsrc/conf_mode/interfaces-ethernet.py74
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py7
-rwxr-xr-xsrc/conf_mode/interfaces-pppoe.py93
-rwxr-xr-xsrc/conf_mode/interfaces-tunnel.py34
-rwxr-xr-xsrc/conf_mode/interfaces-wireguard.py11
-rwxr-xr-xsrc/conf_mode/interfaces-wwan.py1
-rwxr-xr-xsrc/conf_mode/nat.py8
-rwxr-xr-xsrc/conf_mode/nat66.py21
-rwxr-xr-xsrc/conf_mode/pki.py46
-rwxr-xr-xsrc/conf_mode/policy-local-route.py39
-rwxr-xr-xsrc/conf_mode/policy.py1
-rwxr-xr-xsrc/conf_mode/protocols_bfd.py2
-rwxr-xr-xsrc/conf_mode/protocols_bgp.py65
-rwxr-xr-xsrc/conf_mode/protocols_isis.py12
-rwxr-xr-xsrc/conf_mode/protocols_ospf.py30
-rwxr-xr-xsrc/conf_mode/protocols_ospfv3.py4
-rwxr-xr-xsrc/conf_mode/protocols_rip.py2
-rwxr-xr-xsrc/conf_mode/protocols_ripng.py2
-rwxr-xr-xsrc/conf_mode/protocols_static.py2
-rwxr-xr-xsrc/conf_mode/service_webproxy.py3
-rwxr-xr-xsrc/conf_mode/system-login.py12
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py27
-rwxr-xr-xsrc/conf_mode/vrf.py20
-rwxr-xr-xsrc/conf_mode/vrf_vni.py76
-rwxr-xr-xsrc/conf_mode/vrrp.py339
-rwxr-xr-xsrc/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook46
-rwxr-xr-xsrc/etc/ipsec.d/vti-up-down14
-rwxr-xr-xsrc/etc/ppp/ip-up.d/99-vyos-pppoe-callback59
-rw-r--r--src/etc/sysctl.d/32-vyos-podman.conf5
-rw-r--r--src/etc/systemd/system/keepalived.service.d/override.conf11
-rw-r--r--src/etc/udev/rules.d/65-vyatta-net.rules26
-rw-r--r--src/etc/udev/rules.d/65-vyos-net.rules26
-rw-r--r--src/etc/udev/rules.d/90-vyos-serial.rules8
-rwxr-xr-xsrc/etc/update-motd.d/99-reboot7
-rwxr-xr-xsrc/helpers/strip-private.py8
-rwxr-xr-xsrc/helpers/vyos-interface-rescan.py206
-rwxr-xr-xsrc/helpers/vyos_net_name229
-rwxr-xr-xsrc/migration-scripts/bgp/1-to-277
-rwxr-xr-xsrc/migration-scripts/conntrack/2-to-337
-rwxr-xr-xsrc/migration-scripts/dhcp-server/5-to-687
-rwxr-xr-xsrc/migration-scripts/dns-forwarding/1-to-210
-rwxr-xr-xsrc/migration-scripts/firewall/5-to-663
-rwxr-xr-xsrc/migration-scripts/interfaces/20-to-21227
-rwxr-xr-xsrc/migration-scripts/interfaces/21-to-22143
-rwxr-xr-xsrc/migration-scripts/interfaces/22-to-23379
-rwxr-xr-xsrc/migration-scripts/interfaces/23-to-24369
-rwxr-xr-xsrc/migration-scripts/system/20-to-2125
-rwxr-xr-xsrc/migration-scripts/system/21-to-2257
-rwxr-xr-xsrc/migration-scripts/vrrp/2-to-362
-rwxr-xr-xsrc/op_mode/containers_op.py49
-rwxr-xr-xsrc/op_mode/dns_forwarding_statistics.py2
-rwxr-xr-xsrc/op_mode/ikev2_profile_generator.py6
-rwxr-xr-xsrc/op_mode/ping.py10
-rwxr-xr-xsrc/op_mode/pki.py189
-rwxr-xr-xsrc/op_mode/powerctrl.py33
-rwxr-xr-xsrc/op_mode/restart_frr.py133
-rwxr-xr-xsrc/op_mode/show_dhcp.py8
-rwxr-xr-xsrc/op_mode/show_interfaces.py34
-rwxr-xr-xsrc/op_mode/show_ipsec_sa.py8
-rwxr-xr-xsrc/op_mode/show_nat_rules.py84
-rwxr-xr-xsrc/op_mode/show_system_integrity.py70
-rwxr-xr-xsrc/op_mode/show_version.py4
-rwxr-xr-xsrc/op_mode/show_wwan.py18
-rwxr-xr-xsrc/op_mode/wireguard_client.py3
-rwxr-xr-xsrc/system/keepalived-fifo.py85
-rw-r--r--src/systemd/opennhrp.service4
-rw-r--r--src/tests/test_dict_search.py21
-rwxr-xr-xsrc/validators/base6427
-rwxr-xr-xsrc/validators/bgp-large-community-list36
-rwxr-xr-xsrc/validators/bgp-route-target51
-rwxr-xr-xsrc/validators/script9
77 files changed, 2838 insertions, 1675 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 4e6e39c0f..68877f794 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -97,7 +97,7 @@ def apply(conntrack):
# Depending on the enable/disable state of the ALG (Application Layer Gateway)
# modules we need to either insmod or rmmod the helpers.
for module, module_config in module_map.items():
- if dict_search(f'modules.{module}.disable', conntrack) != None:
+ if dict_search(f'modules.{module}', conntrack) is None:
if 'ko' in module_config:
for mod in module_config['ko']:
# Only remove the module if it's loaded
@@ -105,8 +105,9 @@ def apply(conntrack):
cmd(f'rmmod {mod}')
if 'iptables' in module_config:
for rule in module_config['iptables']:
- print(f'iptables --delete {rule}')
- cmd(f'iptables --delete {rule}')
+ # Only install iptables rule if it does not exist
+ tmp = run(f'iptables --check {rule}')
+ if tmp == 0: cmd(f'iptables --delete {rule}')
else:
if 'ko' in module_config:
for mod in module_config['ko']:
@@ -115,9 +116,7 @@ def apply(conntrack):
for rule in module_config['iptables']:
# Only install iptables rule if it does not exist
tmp = run(f'iptables --check {rule}')
- if tmp > 0:
- cmd(f'iptables --insert {rule}')
-
+ if tmp > 0: cmd(f'iptables --insert {rule}')
if process_named_running('conntrackd'):
# Reload conntrack-sync daemon to fetch new sysctl values
diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py
index 21b47f42a..1e0197a13 100755
--- a/src/conf_mode/containers.py
+++ b/src/conf_mode/containers.py
@@ -19,15 +19,23 @@ import json
from ipaddress import ip_address
from ipaddress import ip_network
+from time import sleep
+from json import dumps as json_write
from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.configdict import node_changed
+from vyos.util import call
from vyos.util import cmd
-from vyos.util import popen
-from vyos.template import render
+from vyos.util import run
+from vyos.util import read_file
+from vyos.util import write_file
+from vyos.util import is_systemd_service_active
+from vyos.util import is_systemd_service_running
+from vyos.template import inc_ip
from vyos.template import is_ipv4
from vyos.template import is_ipv6
+from vyos.template import render
from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
@@ -41,27 +49,7 @@ def _cmd(command):
print(command)
return cmd(command)
-# Container management functions
-def container_exists(name):
- '''
- https://docs.podman.io/en/latest/_static/api.html#operation/ContainerExistsLibpod
- Check if container exists. Response codes.
- 204 - container exists
- 404 - no such container
- '''
- tmp = _cmd(f"curl --unix-socket /run/podman/podman.sock 'http://d/v3.0.0/libpod/containers/{name}/exists'")
- # If container exists it return status code "0" - code can not be displayed
- return (tmp == "")
-
-def container_status(name):
- '''
- https://docs.podman.io/en/latest/_static/api.html#operation/ContainerInspectLibpod
- '''
- tmp = _cmd(f"curl --unix-socket /run/podman/podman.sock 'http://d/v3.0.0/libpod/containers/{name}/json'")
- data = json.loads(tmp)
- return data['State']['Status']
-
-def ctnr_network_exists(name):
+def network_exists(name):
# Check explicit name for network, returns True if network exists
c = _cmd(f'podman network ls --quiet --filter name=^{name}$')
return bool(c)
@@ -79,11 +67,20 @@ def get_config(config=None):
# We have gathered the dict representation of the CLI, but there are default
# options which we need to update into the dictionary retrived.
default_values = defaults(base)
+ # container base default values can not be merged here - remove and add them later
+ if 'name' in default_values:
+ del default_values['name']
container = dict_merge(default_values, container)
+ # Merge per-container default values
+ if 'name' in container:
+ default_values = defaults(base + ['name'])
+ for name in container['name']:
+ container['name'][name] = dict_merge(default_values, container['name'][name])
+
# Delete container network, delete containers
tmp = node_changed(conf, ['container', 'network'])
- if tmp: container.update({'net_remove' : tmp})
+ if tmp: container.update({'network_remove' : tmp})
tmp = node_changed(conf, ['container', 'name'])
if tmp: container.update({'container_remove' : tmp})
@@ -102,7 +99,6 @@ def verify(container):
if len(container_config['network']) > 1:
raise ConfigError(f'Only one network can be specified for container "{name}"!')
-
# Check if the specified container network exists
network_name = list(container_config['network'])[0]
if network_name not in container['network']:
@@ -125,8 +121,25 @@ def verify(container):
# We can not use the first IP address of a network prefix as this is used by podman
if ip_address(address) == ip_network(network)[1]:
- raise ConfigError(f'Address "{address}" reserved for the container engine!')
+ raise ConfigError(f'IP address "{address}" can not be used for a container, '\
+ 'reserved for the container engine!')
+ if 'environment' in container_config:
+ for var, cfg in container_config['environment'].items():
+ if 'value' not in cfg:
+ raise ConfigError(f'Environment variable {var} has no value assigned!')
+
+ if 'volume' in container_config:
+ for volume, volume_config in container_config['volume'].items():
+ if 'source' not in volume_config:
+ raise ConfigError(f'Volume "{volume}" has no source path configured!')
+
+ if 'destination' not in volume_config:
+ raise ConfigError(f'Volume "{volume}" has no destination path configured!')
+
+ source = volume_config['source']
+ if not os.path.exists(source):
+ raise ConfigError(f'Volume "{volume}" source path "{source}" does not exist!')
# Container image is a mandatory option
if 'image' not in container_config:
@@ -142,9 +155,9 @@ def verify(container):
# Add new network
if 'network' in container:
- v4_prefix = 0
- v6_prefix = 0
for network, network_config in container['network'].items():
+ v4_prefix = 0
+ v6_prefix = 0
# If ipv4-prefix not defined for user-defined network
if 'prefix' not in network_config:
raise ConfigError(f'prefix for network "{net}" must be defined!')
@@ -160,8 +173,8 @@ def verify(container):
# A network attached to a container can not be deleted
- if {'net_remove', 'name'} <= set(container):
- for network in container['net_remove']:
+ if {'network_remove', 'name'} <= set(container):
+ for network in container['network_remove']:
for container, container_config in container['name'].items():
if 'network' in container_config and network in container_config['network']:
raise ConfigError(f'Can not remove network "{network}", used by container "{container}"!')
@@ -173,6 +186,37 @@ def generate(container):
if not container:
return None
+ if 'network' in container:
+ for network, network_config in container['network'].items():
+ tmp = {
+ 'cniVersion' : '0.4.0',
+ 'name' : network,
+ 'plugins' : [{
+ 'type': 'bridge',
+ 'bridge': f'cni-{network}',
+ 'isGateway': True,
+ 'ipMasq': False,
+ 'hairpinMode': False,
+ 'ipam' : {
+ 'type': 'host-local',
+ 'routes': [],
+ 'ranges' : [],
+ },
+ }]
+ }
+
+ for prefix in network_config['prefix']:
+ net = [{'gateway' : inc_ip(prefix, 1), 'subnet' : prefix}]
+ tmp['plugins'][0]['ipam']['ranges'].append(net)
+
+ # install per address-family default orutes
+ default_route = '0.0.0.0/0'
+ if is_ipv6(prefix):
+ default_route = '::/0'
+ tmp['plugins'][0]['ipam']['routes'].append({'dst': default_route})
+
+ write_file(f'/etc/cni/net.d/{network}.conflist', json_write(tmp, indent=2))
+
render(config_containers_registry, 'containers/registry.tmpl', container)
render(config_containers_storage, 'containers/storage.tmpl', container)
@@ -183,79 +227,90 @@ def apply(container):
# Option "--force" allows to delete containers with any status
if 'container_remove' in container:
for name in container['container_remove']:
- if container_status(name) == 'running':
- _cmd(f'podman stop {name}')
- _cmd(f'podman rm --force {name}')
+ call(f'podman stop {name}')
+ call(f'podman rm --force {name}')
# Delete old networks if needed
- if 'net_remove' in container:
- for network in container['net_remove']:
- _cmd(f'podman network rm {network}')
-
- # Add network
- if 'network' in container:
- for network, network_config in container['network'].items():
- # Check if the network has already been created
- if not ctnr_network_exists(network) and 'prefix' in network_config:
- tmp = f'podman network create {network}'
- # we can not use list comprehension here as the --ipv6 option
- # must immediately follow the specified subnet!!!
- for prefix in sorted(network_config['prefix']):
- tmp += f' --subnet={prefix}'
- if is_ipv6(prefix):
- tmp += ' --ipv6'
- _cmd(tmp)
+ if 'network_remove' in container:
+ for network in container['network_remove']:
+ tmp = f'/etc/cni/net.d/{network}.conflist'
+ if os.path.exists(tmp):
+ os.unlink(tmp)
+
+ service_name = 'podman.service'
+ if 'network' in container or 'name' in container:
+ # Start podman if it's required and not yet running
+ if not is_systemd_service_active(service_name):
+ _cmd(f'systemctl start {service_name}')
+ # Wait for podman to be running
+ while not is_systemd_service_running(service_name):
+ sleep(0.250)
+ else:
+ _cmd(f'systemctl stop {service_name}')
# Add container
if 'name' in container:
for name, container_config in container['name'].items():
- # Check if the container has already been created
- if not container_exists(name):
- image = container_config['image']
- # Currently the best way to run a command and immediately print stdout
- print(os.system(f'podman pull {image}'))
-
- # Check/set environment options "-e foo=bar"
- env_opt = ''
- if 'environment' in container_config:
- env_opt = '-e '
- env_opt += " -e ".join(f"{k}={v['value']}" for k, v in container_config['environment'].items())
-
- # Publish ports
- port = ''
- if 'port' in container_config:
- protocol = ''
- for portmap in container_config['port']:
- if 'protocol' in container_config['port'][portmap]:
- protocol = container_config['port'][portmap]['protocol']
- protocol = f'/{protocol}'
- else:
- protocol = '/tcp'
- sport = container_config['port'][portmap]['source']
- dport = container_config['port'][portmap]['destination']
- port += f' -p {sport}:{dport}{protocol}'
-
- # Bind volume
- volume = ''
- if 'volume' in container_config:
- for vol in container_config['volume']:
- svol = container_config['volume'][vol]['source']
- dvol = container_config['volume'][vol]['destination']
- volume += f' -v {svol}:{dvol}'
-
- if 'allow_host_networks' in container_config:
- _cmd(f'podman run -dit --name {name} --net host {port} {volume} {env_opt} {image}')
- else:
- for network in container_config['network']:
- ipparam = ''
- if 'address' in container_config['network'][network]:
- ipparam = '--ip ' + container_config['network'][network]['address']
- _cmd(f'podman run --name {name} -dit --net {network} {ipparam} {port} {volume} {env_opt} {image}')
-
- # Else container is already created. Just start it.
- # It's needed after reboot.
- elif container_status(name) != 'running':
- _cmd(f'podman start {name}')
+ image = container_config['image']
+
+ if 'disable' in container_config:
+ # check if there is a container by that name running
+ tmp = _cmd('podman ps -a --format "{{.Names}}"')
+ if name in tmp:
+ _cmd(f'podman stop {name}')
+ _cmd(f'podman rm --force {name}')
+ continue
+
+ memory = container_config['memory']
+ restart = container_config['restart']
+
+ # Check if requested container image exists locally. If it does not, we
+ # pull it. print() is the best way to have a good response from the
+ # polling process to the user to display progress. If the image exists
+ # locally, a user can update it running `update container image <name>`
+ tmp = run(f'podman image exists {image}')
+ if tmp != 0: print(os.system(f'podman pull {image}'))
+
+ # Check/set environment options "-e foo=bar"
+ env_opt = ''
+ if 'environment' in container_config:
+ for k, v in container_config['environment'].items():
+ env_opt += f" -e \"{k}={v['value']}\""
+
+ # Publish ports
+ port = ''
+ if 'port' in container_config:
+ protocol = ''
+ for portmap in container_config['port']:
+ if 'protocol' in container_config['port'][portmap]:
+ protocol = container_config['port'][portmap]['protocol']
+ protocol = f'/{protocol}'
+ else:
+ protocol = '/tcp'
+ sport = container_config['port'][portmap]['source']
+ dport = container_config['port'][portmap]['destination']
+ port += f' -p {sport}:{dport}{protocol}'
+
+ # Bind volume
+ volume = ''
+ if 'volume' in container_config:
+ for vol, vol_config in container_config['volume'].items():
+ svol = vol_config['source']
+ dvol = vol_config['destination']
+ volume += f' -v {svol}:{dvol}'
+
+ container_base_cmd = f'podman run --detach --interactive --tty --replace ' \
+ f'--memory {memory}m --memory-swap 0 --restart {restart} ' \
+ f'--name {name} {port} {volume} {env_opt}'
+ if 'allow_host_networks' in container_config:
+ _cmd(f'{container_base_cmd} --net host {image}')
+ else:
+ for network in container_config['network']:
+ ipparam = ''
+ if 'address' in container_config['network'][network]:
+ address = container_config['network'][network]['address']
+ ipparam = f'--ip {address}'
+ _cmd(f'{container_base_cmd} --net {network} {ipparam} {image}')
return None
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index cdee72e09..28f2a4ca5 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -148,9 +148,9 @@ def verify(dhcp):
'At least one DHCP shared network must be configured.')
# Inspect shared-network/subnet
- failover_names = []
listen_ok = False
subnets = []
+ failover_ok = False
# A shared-network requires a subnet definition
for network, network_config in dhcp['shared_network_name'].items():
@@ -159,9 +159,18 @@ def verify(dhcp):
'lease subnet must be configured.')
for subnet, subnet_config in network_config['subnet'].items():
- if 'static_route' in subnet_config and len(subnet_config['static_route']) != 2:
- raise ConfigError('Missing DHCP static-route parameter(s):\n' \
- 'destination-subnet | router must be defined!')
+ # All delivered static routes require a next-hop to be set
+ if 'static_route' in subnet_config:
+ for route, route_option in subnet_config['static_route'].items():
+ if 'next_hop' not in route_option:
+ raise ConfigError(f'DHCP static-route "{route}" requires router to be defined!')
+
+ # DHCP failover needs at least one subnet that uses it
+ if 'enable_failover' in subnet_config:
+ if 'failover' not in dhcp:
+ raise ConfigError(f'Can not enable failover for "{subnet}" in "{network}".\n' \
+ 'Failover is not configured globally!')
+ failover_ok = True
# Check if DHCP address range is inside configured subnet declaration
if 'range' in subnet_config:
@@ -191,23 +200,6 @@ def verify(dhcp):
tmp = IPRange(range_config['start'], range_config['stop'])
networks.append(tmp)
- if 'failover' in subnet_config:
- for key in ['local_address', 'peer_address', 'name', 'status']:
- if key not in subnet_config['failover']:
- raise ConfigError(f'Missing DHCP failover parameter "{key}"!')
-
- # Failover names must be uniquie
- if subnet_config['failover']['name'] in failover_names:
- name = subnet_config['failover']['name']
- raise ConfigError(f'DHCP failover names must be unique:\n' \
- f'{name} has already been configured!')
- failover_names.append(subnet_config['failover']['name'])
-
- # Failover requires start/stop ranges for pool
- if 'range' not in subnet_config:
- raise ConfigError(f'DHCP failover requires at least one start-stop range to be configured\n'\
- f'within shared-network "{network}, {subnet}" for using failover!')
-
# Exclude addresses must be in bound
if 'exclude' in subnet_config:
for exclude in subnet_config['exclude']:
@@ -251,6 +243,15 @@ def verify(dhcp):
if net.overlaps(net2):
raise ConfigError('Conflicting subnet ranges: "{net}" overlaps "{net2}"!')
+ if 'failover' in dhcp:
+ if not failover_ok:
+ raise ConfigError('DHCP failover must be enabled for at least one subnet!')
+
+ for key in ['name', 'remote', 'source_address', 'status']:
+ if key not in dhcp['failover']:
+ tmp = key.replace('_', '-')
+ raise ConfigError(f'DHCP failover requires "{tmp}" to be specified!')
+
for address in (dict_search('listen_address', dhcp) or []):
if is_addr_assigned(address):
listen_ok = True
diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py
index c44e6c974..06366362a 100755
--- a/src/conf_mode/dns_forwarding.py
+++ b/src/conf_mode/dns_forwarding.py
@@ -66,21 +66,6 @@ def get_config(config=None):
if conf.exists(base_nameservers_dhcp):
dns.update({'system_name_server_dhcp': conf.return_values(base_nameservers_dhcp)})
- # Split the source_address property into separate IPv4 and IPv6 lists
- # NOTE: In future versions of pdns-recursor (> 4.4.0), this logic can be removed
- # as both IPv4 and IPv6 addresses can be specified in a single setting.
- source_address_v4 = []
- source_address_v6 = []
-
- for source_address in dns['source_address']:
- if is_ipv6(source_address):
- source_address_v6.append(source_address)
- else:
- source_address_v4.append(source_address)
-
- dns.update({'source_address_v4': source_address_v4})
- dns.update({'source_address_v6': source_address_v6})
-
return dns
def verify(dns):
diff --git a/src/conf_mode/firewall_options.py b/src/conf_mode/firewall_options.py
deleted file mode 100755
index 67bf5d0e2..000000000
--- a/src/conf_mode/firewall_options.py
+++ /dev/null
@@ -1,150 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-import sys
-import os
-import copy
-
-from vyos.config import Config
-from vyos import ConfigError
-from vyos.util import call
-
-from vyos import airbag
-airbag.enable()
-
-default_config_data = {
- 'intf_opts': [],
- 'new_chain4': False,
- 'new_chain6': False
-}
-
-def get_config(config=None):
- opts = copy.deepcopy(default_config_data)
- if config:
- conf = config
- else:
- conf = Config()
- if not conf.exists('firewall options'):
- # bail out early
- return opts
- else:
- conf.set_level('firewall options')
-
- # Parse configuration of each individual instance
- if conf.exists('interface'):
- for intf in conf.list_nodes('interface'):
- conf.set_level('firewall options interface {0}'.format(intf))
- config = {
- 'intf': intf,
- 'disabled': False,
- 'mss4': '',
- 'mss6': ''
- }
-
- # Check if individual option is disabled
- if conf.exists('disable'):
- config['disabled'] = True
-
- #
- # Get MSS value IPv4
- #
- if conf.exists('adjust-mss'):
- config['mss4'] = conf.return_value('adjust-mss')
-
- # We need a marker that a new iptables chain needs to be generated
- if not opts['new_chain4']:
- opts['new_chain4'] = True
-
- #
- # Get MSS value IPv6
- #
- if conf.exists('adjust-mss6'):
- config['mss6'] = conf.return_value('adjust-mss6')
-
- # We need a marker that a new ip6tables chain needs to be generated
- if not opts['new_chain6']:
- opts['new_chain6'] = True
-
- # Append interface options to global list
- opts['intf_opts'].append(config)
-
- return opts
-
-def verify(tcp):
- # syntax verification is done via cli
- return None
-
-def apply(tcp):
- target = 'VYOS_FW_OPTIONS'
-
- # always cleanup iptables
- call('iptables --table mangle --delete FORWARD --jump {} >&/dev/null'.format(target))
- call('iptables --table mangle --flush {} >&/dev/null'.format(target))
- call('iptables --table mangle --delete-chain {} >&/dev/null'.format(target))
-
- # always cleanup ip6tables
- call('ip6tables --table mangle --delete FORWARD --jump {} >&/dev/null'.format(target))
- call('ip6tables --table mangle --flush {} >&/dev/null'.format(target))
- call('ip6tables --table mangle --delete-chain {} >&/dev/null'.format(target))
-
- # Setup new iptables rules
- if tcp['new_chain4']:
- call('iptables --table mangle --new-chain {} >&/dev/null'.format(target))
- call('iptables --table mangle --append FORWARD --jump {} >&/dev/null'.format(target))
-
- for opts in tcp['intf_opts']:
- intf = opts['intf']
- mss = opts['mss4']
-
- # Check if this rule iis disabled
- if opts['disabled']:
- continue
-
- # adjust TCP MSS per interface
- if mss:
- call('iptables --table mangle --append {} --out-interface {} --protocol tcp '
- '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
-
- # Setup new ip6tables rules
- if tcp['new_chain6']:
- call('ip6tables --table mangle --new-chain {} >&/dev/null'.format(target))
- call('ip6tables --table mangle --append FORWARD --jump {} >&/dev/null'.format(target))
-
- for opts in tcp['intf_opts']:
- intf = opts['intf']
- mss = opts['mss6']
-
- # Check if this rule iis disabled
- if opts['disabled']:
- continue
-
- # adjust TCP MSS per interface
- if mss:
- call('ip6tables --table mangle --append {} --out-interface {} --protocol tcp '
- '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
-
- return None
-
-if __name__ == '__main__':
-
- try:
- c = get_config()
- verify(c)
- apply(c)
- except ConfigError as e:
- print(e)
- sys.exit(1)
diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py
index f4c75c257..a7135911d 100755
--- a/src/conf_mode/host_name.py
+++ b/src/conf_mode/host_name.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -14,10 +14,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-"""
-conf-mode script for 'system host-name' and 'system domain-name'.
-"""
-
import re
import sys
import copy
@@ -25,10 +21,13 @@ import copy
import vyos.util
import vyos.hostsd_client
-from vyos.config import Config
from vyos import ConfigError
-from vyos.util import cmd, call, process_named_running
-
+from vyos.config import Config
+from vyos.ifconfig import Section
+from vyos.template import is_ip
+from vyos.util import cmd
+from vyos.util import call
+from vyos.util import process_named_running
from vyos import airbag
airbag.enable()
@@ -37,7 +36,7 @@ default_config_data = {
'domain_name': '',
'domain_search': [],
'nameserver': [],
- 'nameservers_dhcp_interfaces': [],
+ 'nameservers_dhcp_interfaces': {},
'static_host_mapping': {}
}
@@ -51,29 +50,37 @@ def get_config(config=None):
hosts = copy.deepcopy(default_config_data)
- hosts['hostname'] = conf.return_value("system host-name")
+ hosts['hostname'] = conf.return_value(['system', 'host-name'])
# This may happen if the config is not loaded yet,
# e.g. if run by cloud-init
if not hosts['hostname']:
hosts['hostname'] = default_config_data['hostname']
- if conf.exists("system domain-name"):
- hosts['domain_name'] = conf.return_value("system domain-name")
+ if conf.exists(['system', 'domain-name']):
+ hosts['domain_name'] = conf.return_value(['system', 'domain-name'])
hosts['domain_search'].append(hosts['domain_name'])
- for search in conf.return_values("system domain-search domain"):
+ for search in conf.return_values(['system', 'domain-search', 'domain']):
hosts['domain_search'].append(search)
- hosts['nameserver'] = conf.return_values("system name-server")
+ if conf.exists(['system', 'name-server']):
+ for ns in conf.return_values(['system', 'name-server']):
+ if is_ip(ns):
+ hosts['nameserver'].append(ns)
+ else:
+ tmp = ''
+ if_type = Section.section(ns)
+ if conf.exists(['interfaces', if_type, ns, 'address']):
+ tmp = conf.return_values(['interfaces', if_type, ns, 'address'])
- hosts['nameservers_dhcp_interfaces'] = conf.return_values("system name-servers-dhcp")
+ hosts['nameservers_dhcp_interfaces'].update({ ns : tmp })
# system static-host-mapping
- for hn in conf.list_nodes('system static-host-mapping host-name'):
+ for hn in conf.list_nodes(['system', 'static-host-mapping', 'host-name']):
hosts['static_host_mapping'][hn] = {}
- hosts['static_host_mapping'][hn]['address'] = conf.return_value(f'system static-host-mapping host-name {hn} inet')
- hosts['static_host_mapping'][hn]['aliases'] = conf.return_values(f'system static-host-mapping host-name {hn} alias')
+ hosts['static_host_mapping'][hn]['address'] = conf.return_value(['system', 'static-host-mapping', 'host-name', hn, 'inet'])
+ hosts['static_host_mapping'][hn]['aliases'] = conf.return_values(['system', 'static-host-mapping', 'host-name', hn, 'alias'])
return hosts
@@ -103,8 +110,10 @@ def verify(hosts):
if not hostname_regex.match(a) and len(a) != 0:
raise ConfigError(f'Invalid alias "{a}" in static-host-mapping "{host}"')
- # TODO: add warnings for nameservers_dhcp_interfaces if interface doesn't
- # exist or doesn't have address dhcp(v6)
+ for interface, interface_config in hosts['nameservers_dhcp_interfaces'].items():
+ # Warnin user if interface does not have DHCP or DHCPv6 configured
+ if not set(interface_config).intersection(['dhcp', 'dhcpv6']):
+ print(f'WARNING: "{interface}" is not a DHCP interface but uses DHCP name-server option!')
return None
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 78c24952b..e7250fb49 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -37,6 +37,7 @@ from vyos.pki import wrap_private_key
from vyos.template import render
from vyos.util import call
from vyos.util import dict_search
+from vyos.util import write_file
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -54,15 +55,17 @@ def get_config(config=None):
conf = config
else:
conf = Config()
- base = ['interfaces', 'ethernet']
- tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ # This must be called prior to get_interface_dict(), as this function will
+ # alter the config level (config.set_level())
+ pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
+ get_first_key=True, no_tag_node_value_mangle=True)
+ base = ['interfaces', 'ethernet']
ethernet = get_interface_dict(conf, base)
if 'deleted' not in ethernet:
- ethernet['pki'] = tmp_pki
+ if pki: ethernet['pki'] = pki
return ethernet
@@ -72,12 +75,6 @@ def verify(ethernet):
ifname = ethernet['ifname']
verify_interface_exists(ifname)
-
- # No need to check speed and duplex keys as both have default values.
- if ((ethernet['speed'] == 'auto' and ethernet['duplex'] != 'auto') or
- (ethernet['speed'] != 'auto' and ethernet['duplex'] == 'auto')):
- raise ConfigError('Speed/Duplex missmatch. Must be both auto or manually configured')
-
verify_mtu(ethernet)
verify_mtu_ipv6(ethernet)
verify_dhcpv6(ethernet)
@@ -86,25 +83,31 @@ def verify(ethernet):
verify_eapol(ethernet)
verify_mirror(ethernet)
- # verify offloading capabilities
- if dict_search('offload.rps', ethernet) != None:
- if not os.path.exists(f'/sys/class/net/{ifname}/queues/rx-0/rps_cpus'):
- raise ConfigError('Interface does not suport RPS!')
+ ethtool = Ethtool(ifname)
+ # No need to check speed and duplex keys as both have default values.
+ if ((ethernet['speed'] == 'auto' and ethernet['duplex'] != 'auto') or
+ (ethernet['speed'] != 'auto' and ethernet['duplex'] == 'auto')):
+ raise ConfigError('Speed/Duplex missmatch. Must be both auto or manually configured')
- driver = EthernetIf(ifname).get_driver_name()
- # T3342 - Xen driver requires special treatment
- if driver == 'vif':
- if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None:
- raise ConfigError('Xen netback drivers requires scatter-gatter offloading '\
- 'for MTU size larger then 1500 bytes')
+ if ethernet['speed'] != 'auto' and ethernet['duplex'] != 'auto':
+ # We need to verify if the requested speed and duplex setting is
+ # supported by the underlaying NIC.
+ speed = ethernet['speed']
+ duplex = ethernet['duplex']
+ if not ethtool.check_speed_duplex(speed, duplex):
+ raise ConfigError(f'Adapter does not support changing speed and duplex '\
+ f'settings to: {speed}/{duplex}!')
+
+ if 'disable_flow_control' in ethernet:
+ if not ethtool.check_flow_control():
+ raise ConfigError('Adapter does not support changing flow-control settings!')
- ethtool = Ethtool(ifname)
if 'ring_buffer' in ethernet:
- max_rx = ethtool.get_rx_buffer()
+ max_rx = ethtool.get_ring_buffer_max('rx')
if not max_rx:
raise ConfigError('Driver does not support RX ring-buffer configuration!')
- max_tx = ethtool.get_tx_buffer()
+ max_tx = ethtool.get_ring_buffer_max('tx')
if not max_tx:
raise ConfigError('Driver does not support TX ring-buffer configuration!')
@@ -118,6 +121,18 @@ def verify(ethernet):
raise ConfigError(f'Driver only supports a maximum TX ring-buffer '\
f'size of "{max_tx}" bytes!')
+ # verify offloading capabilities
+ if dict_search('offload.rps', ethernet) != None:
+ if not os.path.exists(f'/sys/class/net/{ifname}/queues/rx-0/rps_cpus'):
+ raise ConfigError('Interface does not suport RPS!')
+
+ driver = ethtool.get_driver_name()
+ # T3342 - Xen driver requires special treatment
+ if driver == 'vif':
+ if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None:
+ raise ConfigError('Xen netback drivers requires scatter-gatter offloading '\
+ 'for MTU size larger then 1500 bytes')
+
# XDP requires multiple TX queues
if 'xdp' in ethernet:
queues = glob(f'/sys/class/net/{ifname}/queues/tx-*')
@@ -136,7 +151,7 @@ def generate(ethernet):
if 'eapol' in ethernet:
render(wpa_suppl_conf.format(**ethernet),
'ethernet/wpa_supplicant.conf.tmpl', ethernet)
-
+
ifname = ethernet['ifname']
cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem')
cert_key_path = os.path.join(cfg_dir, f'{ifname}_cert.key')
@@ -144,19 +159,16 @@ def generate(ethernet):
cert_name = ethernet['eapol']['certificate']
pki_cert = ethernet['pki']['certificate'][cert_name]
- with open(cert_file_path, 'w') as f:
- f.write(wrap_certificate(pki_cert['certificate']))
-
- with open(cert_key_path, 'w') as f:
- f.write(wrap_private_key(pki_cert['private']['key']))
+ write_file(cert_file_path, wrap_certificate(pki_cert['certificate']))
+ write_file(cert_key_path, wrap_private_key(pki_cert['private']['key']))
if 'ca_certificate' in ethernet['eapol']:
ca_cert_file_path = os.path.join(cfg_dir, f'{ifname}_ca.pem')
ca_cert_name = ethernet['eapol']['ca_certificate']
pki_ca_cert = ethernet['pki']['ca'][cert_name]
- with open(ca_cert_file_path, 'w') as f:
- f.write(wrap_certificate(pki_ca_cert['certificate']))
+ write_file(ca_cert_file_path,
+ wrap_certificate(pki_ca_cert['certificate']))
else:
# delete configuration on interface removal
if os.path.isfile(wpa_suppl_conf.format(**ethernet)):
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 4bd0b22a9..2533a5b02 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -100,7 +100,7 @@ def get_config(config=None):
# need to check this first and drop those keys
if 'totp' not in tmp_openvpn['server']:
del openvpn['server']['mfa']['totp']
-
+
return openvpn
def is_ec_private_key(pki, cert_name):
@@ -295,6 +295,9 @@ def verify(openvpn):
if openvpn['protocol'] == 'tcp-active':
raise ConfigError('Protocol "tcp-active" is not valid in server mode')
+ if dict_search('authentication.username', openvpn) or dict_search('authentication.password', openvpn):
+ raise ConfigError('Cannot specify "authentication" in server mode')
+
if 'remote_port' in openvpn:
raise ConfigError('Cannot specify "remote-port" in server mode')
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py
index 6c4c6c95b..584adc75e 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces-pppoe.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -22,12 +22,16 @@ from netifaces import interfaces
from vyos.config import Config
from vyos.configdict import get_interface_dict
+from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_authentication
from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_interface_exists
from vyos.configverify import verify_vrf
from vyos.configverify import verify_mtu_ipv6
+from vyos.ifconfig import PPPoEIf
from vyos.template import render
from vyos.util import call
+from vyos.util import is_systemd_service_running
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -44,6 +48,32 @@ def get_config(config=None):
base = ['interfaces', 'pppoe']
pppoe = get_interface_dict(conf, base)
+ # We should only terminate the PPPoE session if critical parameters change.
+ # All parameters that can be changed on-the-fly (like interface description)
+ # should not lead to a reconnect!
+ tmp = leaf_node_changed(conf, ['access-concentrator'])
+ if tmp: pppoe.update({'shutdown_required': {}})
+
+ tmp = leaf_node_changed(conf, ['connect-on-demand'])
+ if tmp: pppoe.update({'shutdown_required': {}})
+
+ tmp = leaf_node_changed(conf, ['service-name'])
+ if tmp: pppoe.update({'shutdown_required': {}})
+
+ tmp = leaf_node_changed(conf, ['source-interface'])
+ if tmp: pppoe.update({'shutdown_required': {}})
+
+ tmp = leaf_node_changed(conf, ['vrf'])
+ # leaf_node_changed() returns a list, as VRF is a non-multi node, there
+ # will be only one list element
+ if tmp: pppoe.update({'vrf_old': tmp[0]})
+
+ tmp = leaf_node_changed(conf, ['authentication', 'user'])
+ if tmp: pppoe.update({'shutdown_required': {}})
+
+ tmp = leaf_node_changed(conf, ['authentication', 'password'])
+ if tmp: pppoe.update({'shutdown_required': {}})
+
return pppoe
def verify(pppoe):
@@ -66,57 +96,42 @@ def generate(pppoe):
# rendered into
ifname = pppoe['ifname']
config_pppoe = f'/etc/ppp/peers/{ifname}'
- script_pppoe_pre_up = f'/etc/ppp/ip-pre-up.d/1000-vyos-pppoe-{ifname}'
- script_pppoe_ip_up = f'/etc/ppp/ip-up.d/1000-vyos-pppoe-{ifname}'
- script_pppoe_ip_down = f'/etc/ppp/ip-down.d/1000-vyos-pppoe-{ifname}'
- script_pppoe_ipv6_up = f'/etc/ppp/ipv6-up.d/1000-vyos-pppoe-{ifname}'
- config_wide_dhcp6c = f'/run/dhcp6c/dhcp6c.{ifname}.conf'
-
- config_files = [config_pppoe, script_pppoe_pre_up, script_pppoe_ip_up,
- script_pppoe_ip_down, script_pppoe_ipv6_up, config_wide_dhcp6c]
if 'deleted' in pppoe or 'disable' in pppoe:
- # stop DHCPv6-PD client
- call(f'systemctl stop dhcp6c@{ifname}.service')
- # Hang-up PPPoE connection
- call(f'systemctl stop ppp@{ifname}.service')
-
- # Delete PPP configuration files
- for file in config_files:
- if os.path.exists(file):
- os.unlink(file)
+ if os.path.exists(config_pppoe):
+ os.unlink(config_pppoe)
return None
# Create PPP configuration files
- render(config_pppoe, 'pppoe/peer.tmpl', pppoe, permission=0o755)
-
- # Create script for ip-pre-up.d
- render(script_pppoe_pre_up, 'pppoe/ip-pre-up.script.tmpl', pppoe,
- permission=0o755)
- # Create script for ip-up.d
- render(script_pppoe_ip_up, 'pppoe/ip-up.script.tmpl', pppoe,
- permission=0o755)
- # Create script for ip-down.d
- render(script_pppoe_ip_down, 'pppoe/ip-down.script.tmpl', pppoe,
- permission=0o755)
- # Create script for ipv6-up.d
- render(script_pppoe_ipv6_up, 'pppoe/ipv6-up.script.tmpl', pppoe,
- permission=0o755)
-
- if 'dhcpv6_options' in pppoe and 'pd' in pppoe['dhcpv6_options']:
- # ipv6.tmpl relies on ifname - this should be made consitent in the
- # future better then double key-ing the same value
- render(config_wide_dhcp6c, 'dhcp-client/ipv6.tmpl', pppoe)
+ render(config_pppoe, 'pppoe/peer.tmpl', pppoe, permission=0o640)
return None
def apply(pppoe):
+ ifname = pppoe['ifname']
if 'deleted' in pppoe or 'disable' in pppoe:
- call('systemctl stop ppp@{ifname}.service'.format(**pppoe))
+ if os.path.isdir(f'/sys/class/net/{ifname}'):
+ p = PPPoEIf(ifname)
+ p.remove()
+ call(f'systemctl stop ppp@{ifname}.service')
return None
- call('systemctl restart ppp@{ifname}.service'.format(**pppoe))
+ # reconnect should only be necessary when certain config options change,
+ # like ACS name, authentication, no-peer-dns, source-interface
+ if ((not is_systemd_service_running(f'ppp@{ifname}.service')) or
+ 'shutdown_required' in pppoe):
+
+ # cleanup system (e.g. FRR routes first)
+ if os.path.isdir(f'/sys/class/net/{ifname}'):
+ p = PPPoEIf(ifname)
+ p.remove()
+
+ call(f'systemctl restart ppp@{ifname}.service')
+ else:
+ if os.path.isdir(f'/sys/class/net/{ifname}'):
+ p = PPPoEIf(ifname)
+ p.update(pppoe)
return None
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index 294da8ef9..ef385d2e7 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -18,6 +18,7 @@ import os
from sys import exit
from netifaces import interfaces
+from ipaddress import IPv4Address
from vyos.config import Config
from vyos.configdict import dict_merge
@@ -31,6 +32,7 @@ from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_vrf
from vyos.configverify import verify_tunnel
from vyos.ifconfig import Interface
+from vyos.ifconfig import Section
from vyos.ifconfig import TunnelIf
from vyos.template import is_ipv4
from vyos.template import is_ipv6
@@ -94,6 +96,38 @@ def verify(tunnel):
if 'direction' not in tunnel['parameters']['erspan']:
raise ConfigError('ERSPAN version 2 requires direction to be set!')
+ # If tunnel source address any and key not set
+ if tunnel['encapsulation'] in ['gre'] and \
+ tunnel['source_address'] == '0.0.0.0' and \
+ dict_search('parameters.ip.key', tunnel) == None:
+ raise ConfigError('Tunnel parameters ip key must be set!')
+
+ if tunnel['encapsulation'] in ['gre', 'gretap']:
+ if dict_search('parameters.ip.key', tunnel) != None:
+ # Check pairs tunnel source-address/encapsulation/key with exists tunnels.
+ # Prevent the same key for 2 tunnels with same source-address/encap. T2920
+ for tunnel_if in Section.interfaces('tunnel'):
+ tunnel_cfg = get_interface_config(tunnel_if)
+ exist_encap = tunnel_cfg['linkinfo']['info_kind']
+ exist_source_address = tunnel_cfg['address']
+ exist_key = tunnel_cfg['linkinfo']['info_data']['ikey']
+ new_source_address = tunnel['source_address']
+ # Convert tunnel key to ip key, format "ip -j link show"
+ # 1 => 0.0.0.1, 999 => 0.0.3.231
+ orig_new_key = int(tunnel['parameters']['ip']['key'])
+ new_key = IPv4Address(orig_new_key)
+ new_key = str(new_key)
+ if tunnel['encapsulation'] == exist_encap and \
+ new_source_address == exist_source_address and \
+ new_key == exist_key:
+ raise ConfigError(f'Key "{orig_new_key}" for source-address "{new_source_address}" ' \
+ f'is already used for tunnel "{tunnel_if}"!')
+
+ # Keys are not allowed with ipip and sit tunnels
+ if tunnel['encapsulation'] in ['ipip', 'sit']:
+ if dict_search('parameters.ip.key', tunnel) != None:
+ raise ConfigError('Keys are not allowed with ipip and sit tunnels!')
+
verify_mtu_ipv6(tunnel)
verify_address(tunnel)
verify_vrf(tunnel)
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index 4c566a5ad..da64dd076 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -30,6 +30,7 @@ from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mtu_ipv6
from vyos.ifconfig import WireGuardIf
from vyos.util import check_kmod
+from vyos.util import check_port_availability
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -46,6 +47,9 @@ def get_config(config=None):
base = ['interfaces', 'wireguard']
wireguard = get_interface_dict(conf, base)
+ # Check if a port was changed
+ wireguard['port_changed'] = leaf_node_changed(conf, ['port'])
+
# Determine which Wireguard peer has been removed.
# Peers can only be removed with their public key!
dict = {}
@@ -73,6 +77,13 @@ def verify(wireguard):
if 'peer' not in wireguard:
raise ConfigError('At least one Wireguard peer is required!')
+ if 'port' in wireguard and wireguard['port_changed']:
+ listen_port = int(wireguard['port'])
+ if check_port_availability('0.0.0.0', listen_port, 'udp') is not True:
+ raise ConfigError(
+ f'The UDP port {listen_port} is busy or unavailable and cannot be used for the interface'
+ )
+
# run checks on individual configured WireGuard peer
for tmp in wireguard['peer']:
peer = wireguard['peer'][tmp]
diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py
index 31c599145..faa5eb628 100755
--- a/src/conf_mode/interfaces-wwan.py
+++ b/src/conf_mode/interfaces-wwan.py
@@ -26,7 +26,6 @@ from vyos.configverify import verify_vrf
from vyos.ifconfig import WWANIf
from vyos.util import cmd
from vyos.util import dict_search
-from vyos.template import render
from vyos import ConfigError
from vyos import airbag
airbag.enable()
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index dae958774..59939d0fb 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -139,12 +139,10 @@ def verify(nat):
for rule, config in dict_search('source.rule', nat).items():
err_msg = f'Source NAT configuration error in rule {rule}:'
if 'outbound_interface' not in config:
- raise ConfigError(f'{err_msg}\n' \
- 'outbound-interface not specified')
- else:
- if config['outbound_interface'] not in 'any' and config['outbound_interface'] not in interfaces():
- print(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
+ raise ConfigError(f'{err_msg} outbound-interface not specified')
+ if config['outbound_interface'] not in 'any' and config['outbound_interface'] not in interfaces():
+ print(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
addr = dict_search('translation.address', config)
if addr != None:
diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py
index e2bd6417d..fb376a434 100755
--- a/src/conf_mode/nat66.py
+++ b/src/conf_mode/nat66.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -55,7 +55,7 @@ def get_config(config=None):
conf = config
else:
conf = Config()
-
+
base = ['nat66']
nat = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
@@ -90,7 +90,7 @@ def get_config(config=None):
# be done only once
if not get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK'):
nat['helper_functions'] = 'add'
-
+
# Retrieve current table handler positions
nat['pre_ct_ignore'] = get_handler(condensed_json, 'PREROUTING', 'VYATTA_CT_IGNORE')
nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'VYATTA_CT_PREROUTING_HOOK')
@@ -109,21 +109,22 @@ def verify(nat):
if 'helper_functions' in nat and nat['helper_functions'] != 'has':
if not (nat['pre_ct_conntrack'] or nat['out_ct_conntrack']):
raise Exception('could not determine nftable ruleset handlers')
-
+
if dict_search('source.rule', nat):
for rule, config in dict_search('source.rule', nat).items():
err_msg = f'Source NAT66 configuration error in rule {rule}:'
if 'outbound_interface' not in config:
- raise ConfigError(f'{err_msg}\n' \
- 'outbound-interface not specified')
- else:
- if config['outbound_interface'] not in interfaces():
- print(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
+ raise ConfigError(f'{err_msg} outbound-interface not specified')
+
+ if config['outbound_interface'] not in interfaces():
+ raise ConfigError(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
addr = dict_search('translation.address', config)
if addr != None:
if addr != 'masquerade' and not is_ipv6(addr):
raise ConfigError(f'Warning: IPv6 address {addr} is not a valid address')
+ else:
+ raise ConfigError(f'{err_msg} translation address not specified')
prefix = dict_search('source.prefix', config)
if prefix != None:
@@ -145,7 +146,7 @@ def verify(nat):
def generate(nat):
render(iptables_nat_config, 'firewall/nftables-nat66.tmpl', nat, permission=0o755)
- render(ndppd_config, 'proxy-ndp/ndppd.conf.tmpl', nat, permission=0o755)
+ render(ndppd_config, 'ndppd/ndppd.conf.tmpl', nat, permission=0o755)
return None
def apply(nat):
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index ef1b57650..efa3578b4 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -16,8 +16,11 @@
from sys import exit
+import jmespath
+
from vyos.config import Config
from vyos.configdict import dict_merge
+from vyos.configdict import node_changed
from vyos.pki import is_ca_certificate
from vyos.pki import load_certificate
from vyos.pki import load_certificate_request
@@ -26,6 +29,7 @@ from vyos.pki import load_private_key
from vyos.pki import load_crl
from vyos.pki import load_dh_parameters
from vyos.util import ask_input
+from vyos.util import dict_search_recursive
from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
@@ -37,14 +41,29 @@ def get_config(config=None):
else:
conf = Config()
base = ['pki']
- if not conf.exists(base):
- return None
pki = conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ pki['changed'] = {}
+ tmp = node_changed(conf, base + ['ca'], key_mangling=('-', '_'))
+ if tmp: pki['changed'].update({'ca' : tmp})
+
+ tmp = node_changed(conf, base + ['certificate'], key_mangling=('-', '_'))
+ if tmp: pki['changed'].update({'certificate' : tmp})
+
+ # We only merge on the defaults of there is a configuration at all
+ if conf.exists(base):
+ default_values = defaults(base)
+ pki = dict_merge(default_values, pki)
+
+ # We need to get the entire system configuration to verify that we are not
+ # deleting a certificate that is still referenced somewhere!
+ pki['system'] = conf.get_config_dict([], key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
- default_values = defaults(base)
- pki = dict_merge(default_values, pki)
return pki
def is_valid_certificate(raw_data):
@@ -142,6 +161,21 @@ def verify(pki):
if len(country) != 2 or not country.isalpha():
raise ConfigError(f'Invalid default country value. Value must be 2 alpha characters.')
+ if 'changed' in pki:
+ # if the list is getting longer, we can move to a dict() and also embed the
+ # search key as value from line 173 or 176
+ for cert_type in ['ca', 'certificate']:
+ if not cert_type in pki['changed']:
+ continue
+ for certificate in pki['changed'][cert_type]:
+ if cert_type not in pki or certificate not in pki['changed'][cert_type]:
+ if cert_type == 'ca':
+ if certificate in dict_search_recursive(pki['system'], 'ca_certificate'):
+ raise ConfigError(f'CA certificate "{certificate}" is still in use!')
+ elif cert_type == 'certificate':
+ if certificate in dict_search_recursive(pki['system'], 'certificate'):
+ raise ConfigError(f'Certificate "{certificate}" is still in use!')
+
return None
def generate(pki):
@@ -154,6 +188,8 @@ def apply(pki):
if not pki:
return None
+ # XXX: restart services if the content of a certificate changes
+
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/policy-local-route.py b/src/conf_mode/policy-local-route.py
index 013f22665..539189442 100755
--- a/src/conf_mode/policy-local-route.py
+++ b/src/conf_mode/policy-local-route.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -44,17 +44,26 @@ def get_config(config=None):
if tmp:
for rule in (tmp or []):
src = leaf_node_changed(conf, ['policy', 'local-route', 'rule', rule, 'source'])
+ fwmk = leaf_node_changed(conf, ['policy', 'local-route', 'rule', rule, 'fwmark'])
if src:
dict = dict_merge({'rule_remove' : {rule : {'source' : src}}}, dict)
pbr.update(dict)
+ if fwmk:
+ dict = dict_merge({'rule_remove' : {rule : {'fwmark' : fwmk}}}, dict)
+ pbr.update(dict)
# delete policy local-route rule x source x.x.x.x
+ # delete policy local-route rule x fwmark x
if 'rule' in pbr:
for rule in pbr['rule']:
src = leaf_node_changed(conf, ['policy', 'local-route', 'rule', rule, 'source'])
+ fwmk = leaf_node_changed(conf, ['policy', 'local-route', 'rule', rule, 'fwmark'])
if src:
dict = dict_merge({'rule_remove' : {rule : {'source' : src}}}, dict)
pbr.update(dict)
+ if fwmk:
+ dict = dict_merge({'rule_remove' : {rule : {'fwmark' : fwmk}}}, dict)
+ pbr.update(dict)
return pbr
@@ -65,8 +74,8 @@ def verify(pbr):
if 'rule' in pbr:
for rule in pbr['rule']:
- if 'source' not in pbr['rule'][rule]:
- raise ConfigError('Source address required!')
+ if 'source' not in pbr['rule'][rule] and 'fwmark' not in pbr['rule'][rule]:
+ raise ConfigError('Source address or fwmark is required!')
else:
if 'set' not in pbr['rule'][rule] or 'table' not in pbr['rule'][rule]['set']:
raise ConfigError('Table set is required!')
@@ -86,16 +95,34 @@ def apply(pbr):
# Delete old rule if needed
if 'rule_remove' in pbr:
for rule in pbr['rule_remove']:
- for src in pbr['rule_remove'][rule]['source']:
- call(f'ip rule del prio {rule} from {src}')
+ if 'source' in pbr['rule_remove'][rule]:
+ for src in pbr['rule_remove'][rule]['source']:
+ call(f'ip rule del prio {rule} from {src}')
+ if 'fwmark' in pbr['rule_remove'][rule]:
+ for fwmk in pbr['rule_remove'][rule]['fwmark']:
+ call(f'ip rule del prio {rule} from all fwmark {fwmk}')
# Generate new config
if 'rule' in pbr:
for rule in pbr['rule']:
table = pbr['rule'][rule]['set']['table']
- if pbr['rule'][rule]['source']:
+ # Only source in the rule
+ # set policy local-route rule 100 source '203.0.113.1'
+ if 'source' in pbr['rule'][rule] and not 'fwmark' in pbr['rule'][rule]:
for src in pbr['rule'][rule]['source']:
call(f'ip rule add prio {rule} from {src} lookup {table}')
+ # Only fwmark in the rule
+ # set policy local-route rule 101 fwmark '23'
+ if 'fwmark' in pbr['rule'][rule] and not 'source' in pbr['rule'][rule]:
+ fwmk = pbr['rule'][rule]['fwmark']
+ call(f'ip rule add prio {rule} from all fwmark {fwmk} lookup {table}')
+ # Source and fwmark in the rule
+ # set policy local-route rule 100 source '203.0.113.1'
+ # set policy local-route rule 100 fwmark '23'
+ if 'source' in pbr['rule'][rule] and 'fwmark' in pbr['rule'][rule]:
+ fwmk = pbr['rule'][rule]['fwmark']
+ for src in pbr['rule'][rule]['source']:
+ call(f'ip rule add prio {rule} from {src} fwmark {fwmk} lookup {table}')
return None
diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py
index d56bae9e9..1a03d520b 100755
--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -190,6 +190,7 @@ def apply(policy):
frr_cfg.modify_section(r'^bgp community-list .*')
frr_cfg.modify_section(r'^bgp extcommunity-list .*')
frr_cfg.modify_section(r'^bgp large-community-list .*')
+ frr_cfg.modify_section(r'^route-map .*')
frr_cfg.add_before('^line vty', policy['new_frr_config'])
frr_cfg.commit_configuration(bgp_daemon)
diff --git a/src/conf_mode/protocols_bfd.py b/src/conf_mode/protocols_bfd.py
index 348bae59f..539fd7b8e 100755
--- a/src/conf_mode/protocols_bfd.py
+++ b/src/conf_mode/protocols_bfd.py
@@ -92,7 +92,7 @@ def generate(bfd):
bfd['new_frr_config'] = ''
return None
- bfd['new_frr_config'] = render_to_string('frr/bfd.frr.tmpl', bfd)
+ bfd['new_frr_config'] = render_to_string('frr/bfdd.frr.tmpl', bfd)
def apply(bfd):
# Save original configuration prior to starting any commit actions
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 9ecfd07fe..68284e0f9 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -23,6 +23,7 @@ from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.configverify import verify_prefix_list
from vyos.configverify import verify_route_map
+from vyos.configverify import verify_vrf
from vyos.template import is_ip
from vyos.template import is_interface
from vyos.template import render_to_string
@@ -129,7 +130,7 @@ def verify(bgp):
if 'local_as' in peer_config:
if len(peer_config['local_as']) > 1:
- raise ConfigError('Only one local-as number may be specified!')
+ raise ConfigError(f'Only one local-as number can be specified for peer "{peer}"!')
# Neighbor local-as override can not be the same as the local-as
# we use for this BGP instane!
@@ -139,7 +140,7 @@ def verify(bgp):
# ttl-security and ebgp-multihop can't be used in the same configration
if 'ebgp_multihop' in peer_config and 'ttl_security' in peer_config:
- raise ConfigError('You can\'t set both ebgp-multihop and ttl-security hops')
+ raise ConfigError('You can not set both ebgp-multihop and ttl-security hops')
# Check if neighbor has both override capability and strict capability match configured at the same time.
if 'override_capability' in peer_config and 'strict_capability_match' in peer_config:
@@ -147,7 +148,7 @@ def verify(bgp):
# Check spaces in the password
if 'password' in peer_config and ' ' in peer_config['password']:
- raise ConfigError('You can\'t use spaces in the password')
+ raise ConfigError('Whitespace is not allowed in passwords!')
# Some checks can/must only be done on a neighbor and not a peer-group
if neighbor == 'neighbor':
@@ -221,27 +222,47 @@ def verify(bgp):
raise ConfigError(f'Peer-group "{peer_group}" requires remote-as to be set!')
# Throw an error if the global administrative distance parameters aren't all filled out.
- if dict_search('parameters.distance', bgp) == None:
- pass
- else:
- if dict_search('parameters.distance.global', bgp):
- for key in ['external', 'internal', 'local']:
- if dict_search(f'parameters.distance.global.{key}', bgp) == None:
- raise ConfigError('Missing mandatory configuration option for '\
- f'global administrative distance {key}!')
-
- # Throw an error if the address family specific administrative distance parameters aren't all filled out.
- if dict_search('address_family', bgp) == None:
- pass
- else:
- for address_family_name in dict_search('address_family', bgp):
- if dict_search(f'address_family.{address_family_name}.distance', bgp) == None:
- pass
- else:
+ if dict_search('parameters.distance.global', bgp) != None:
+ for key in ['external', 'internal', 'local']:
+ if dict_search(f'parameters.distance.global.{key}', bgp) == None:
+ raise ConfigError('Missing mandatory configuration option for '\
+ f'global administrative distance {key}!')
+
+ # Address Family specific validation
+ if 'address_family' in bgp:
+ for afi, afi_config in bgp['address_family'].items():
+ if 'distance' in afi_config:
+ # Throw an error if the address family specific administrative
+ # distance parameters aren't all filled out.
for key in ['external', 'internal', 'local']:
- if dict_search(f'address_family.{address_family_name}.distance.{key}', bgp) == None:
+ if key not in afi_config['distance']:
raise ConfigError('Missing mandatory configuration option for '\
- f'{address_family_name} administrative distance {key}!')
+ f'{afi} administrative distance {key}!')
+
+ if afi in ['ipv4_unicast', 'ipv6_unicast']:
+ if 'import' in afi_config and 'vrf' in afi_config['import']:
+ # Check if VRF exists
+ verify_vrf(afi_config['import']['vrf'])
+
+ # FRR error: please unconfigure vpn to vrf commands before
+ # using import vrf commands
+ if 'vpn' in afi_config['import'] or dict_search('export.vpn', afi_config) != None:
+ raise ConfigError('Please unconfigure VPN to VRF commands before '\
+ 'using "import vrf" commands!')
+
+ # Verify that the export/import route-maps do exist
+ for export_import in ['export', 'import']:
+ tmp = dict_search(f'route_map.vpn.{export_import}', afi_config)
+ if tmp: verify_route_map(tmp, bgp)
+
+ if afi in ['l2vpn_evpn'] and 'vrf' not in bgp:
+ # Some L2VPN EVPN AFI options are only supported under VRF
+ if 'vni' in afi_config:
+ for vni, vni_config in afi_config['vni'].items():
+ if 'rd' in vni_config:
+ raise ConfigError('VNI route-distinguisher is only supported under EVPN VRF')
+ if 'route_target' in vni_config:
+ raise ConfigError('VNI route-target is only supported under EVPN VRF')
return None
diff --git a/src/conf_mode/protocols_isis.py b/src/conf_mode/protocols_isis.py
index d4c82249b..4505e2496 100755
--- a/src/conf_mode/protocols_isis.py
+++ b/src/conf_mode/protocols_isis.py
@@ -113,9 +113,13 @@ def verify(isis):
# Interface MTU must be >= configured lsp-mtu
mtu = Interface(interface).get_mtu()
area_mtu = isis['lsp_mtu']
- if mtu < int(area_mtu):
- raise ConfigError(f'Interface {interface} has MTU {mtu}, minimum ' \
- f'area MTU is {area_mtu}!')
+ # Recommended maximum PDU size = interface MTU - 3 bytes
+ recom_area_mtu = mtu - 3
+ if mtu < int(area_mtu) or int(area_mtu) > recom_area_mtu:
+ raise ConfigError(f'Interface {interface} has MTU {mtu}, ' \
+ f'current area MTU is {area_mtu}! \n' \
+ f'Recommended area lsp-mtu {recom_area_mtu} or less ' \
+ '(calculated on MTU size).')
if 'vrf' in isis:
# If interface specific options are set, we must ensure that the
@@ -144,7 +148,7 @@ def verify(isis):
exist_timers = set(required_timers).difference(set(exist_timers))
if len(exist_timers) > 0:
- raise ConfigError('All types of delay must be specified: ' + ', '.join(exist_timers).replace('_', '-'))
+ raise ConfigError('All types of spf-delay must be configured. Missing: ' + ', '.join(exist_timers).replace('_', '-'))
# If Redistribute set, but level don't set
if 'redistribute' in isis:
diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py
index 78c1c82bd..6ccda2e5a 100755
--- a/src/conf_mode/protocols_ospf.py
+++ b/src/conf_mode/protocols_ospf.py
@@ -87,7 +87,13 @@ def get_config(config=None):
del default_values['area']['area_type']['nssa']
if 'mpls_te' not in ospf:
del default_values['mpls_te']
- for protocol in ['bgp', 'connected', 'isis', 'kernel', 'rip', 'static']:
+
+ for protocol in ['bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']:
+ # table is a tagNode thus we need to clean out all occurances for the
+ # default values and load them in later individually
+ if protocol == 'table':
+ del default_values['redistribute']['table']
+ continue
if dict_search(f'redistribute.{protocol}', ospf) is None:
del default_values['redistribute'][protocol]
@@ -109,7 +115,6 @@ def get_config(config=None):
default_values = defaults(base + ['area', 'virtual-link'])
for area, area_config in ospf['area'].items():
if 'virtual_link' in area_config:
- print(default_values)
for virtual_link in area_config['virtual_link']:
ospf['area'][area]['virtual_link'][virtual_link] = dict_merge(
default_values, ospf['area'][area]['virtual_link'][virtual_link])
@@ -127,6 +132,12 @@ def get_config(config=None):
ospf['interface'][interface] = dict_merge(default_values,
ospf['interface'][interface])
+ if 'redistribute' in ospf and 'table' in ospf['redistribute']:
+ default_values = defaults(base + ['redistribute', 'table'])
+ for table in ospf['redistribute']['table']:
+ ospf['redistribute']['table'][table] = dict_merge(default_values,
+ ospf['redistribute']['table'][table])
+
# We also need some additional information from the config, prefix-lists
# and route-maps for instance. They will be used in verify().
#
@@ -149,14 +160,23 @@ def verify(ospf):
if route_map_name: verify_route_map(route_map_name, ospf)
if 'interface' in ospf:
- for interface in ospf['interface']:
+ for interface, interface_config in ospf['interface'].items():
verify_interface_exists(interface)
# One can not use dead-interval and hello-multiplier at the same
# time. FRR will only activate the last option set via CLI.
- if {'hello_multiplier', 'dead_interval'} <= set(ospf['interface'][interface]):
+ if {'hello_multiplier', 'dead_interval'} <= set(interface_config):
raise ConfigError(f'Can not use hello-multiplier and dead-interval ' \
f'concurrently for {interface}!')
+ # One can not use the "network <prefix> area <id>" command and an
+ # per interface area assignment at the same time. FRR will error
+ # out using: "Please remove all network commands first."
+ if 'area' in ospf and 'area' in interface_config:
+ for area, area_config in ospf['area'].items():
+ if 'network' in area_config:
+ raise ConfigError('Can not use OSPF interface area and area ' \
+ 'network configuration at the same time!')
+
if 'vrf' in ospf:
# If interface specific options are set, we must ensure that the
# interface is bound to our requesting VRF. Due to the VyOS
@@ -177,7 +197,7 @@ def generate(ospf):
ospf['protocol'] = 'ospf' # required for frr/vrf.route-map.frr.tmpl
ospf['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.tmpl', ospf)
- ospf['frr_ospfd_config'] = render_to_string('frr/ospf.frr.tmpl', ospf)
+ ospf['frr_ospfd_config'] = render_to_string('frr/ospfd.frr.tmpl', ospf)
return None
def apply(ospf):
diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py
index fef0f509b..536ffa690 100755
--- a/src/conf_mode/protocols_ospfv3.py
+++ b/src/conf_mode/protocols_ospfv3.py
@@ -65,7 +65,7 @@ def verify(ospfv3):
if 'ifmtu' in if_config:
mtu = Interface(ifname).get_mtu()
if int(if_config['ifmtu']) > int(mtu):
- raise ConfigError(f'OSPFv3 ifmtu cannot go beyond physical MTU of "{mtu}"')
+ raise ConfigError(f'OSPFv3 ifmtu can not exceed physical MTU of "{mtu}"')
return None
@@ -74,7 +74,7 @@ def generate(ospfv3):
ospfv3['new_frr_config'] = ''
return None
- ospfv3['new_frr_config'] = render_to_string('frr/ospfv3.frr.tmpl', ospfv3)
+ ospfv3['new_frr_config'] = render_to_string('frr/ospf6d.frr.tmpl', ospfv3)
return None
def apply(ospfv3):
diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py
index e56eb1f56..6b78f6f2d 100755
--- a/src/conf_mode/protocols_rip.py
+++ b/src/conf_mode/protocols_rip.py
@@ -93,7 +93,7 @@ def generate(rip):
rip['new_frr_config'] = ''
return None
- rip['new_frr_config'] = render_to_string('frr/rip.frr.tmpl', rip)
+ rip['new_frr_config'] = render_to_string('frr/ripd.frr.tmpl', rip)
return None
diff --git a/src/conf_mode/protocols_ripng.py b/src/conf_mode/protocols_ripng.py
index aaec5dacb..bc4954f63 100755
--- a/src/conf_mode/protocols_ripng.py
+++ b/src/conf_mode/protocols_ripng.py
@@ -95,7 +95,7 @@ def generate(ripng):
ripng['new_frr_config'] = ''
return None
- ripng['new_frr_config'] = render_to_string('frr/ripng.frr.tmpl', ripng)
+ ripng['new_frr_config'] = render_to_string('frr/ripngd.frr.tmpl', ripng)
return None
def apply(ripng):
diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py
index 338247e30..597fcc443 100755
--- a/src/conf_mode/protocols_static.py
+++ b/src/conf_mode/protocols_static.py
@@ -80,7 +80,7 @@ def verify(static):
return None
def generate(static):
- static['new_frr_config'] = render_to_string('frr/static.frr.tmpl', static)
+ static['new_frr_config'] = render_to_string('frr/staticd.frr.tmpl', static)
return None
def apply(static):
diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py
index cbbd2e0bc..a16cc4aeb 100755
--- a/src/conf_mode/service_webproxy.py
+++ b/src/conf_mode/service_webproxy.py
@@ -23,6 +23,7 @@ from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.template import render
from vyos.util import call
+from vyos.util import chmod_755
from vyos.util import dict_search
from vyos.util import write_file
from vyos.validate import is_addr_assigned
@@ -192,6 +193,8 @@ def apply(proxy):
return None
+ if os.path.exists(squidguard_db_dir):
+ chmod_755(squidguard_db_dir)
call('systemctl restart squid.service')
return None
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index f0b92aea8..4dd7f936d 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -59,7 +59,7 @@ def get_config(config=None):
conf = Config()
base = ['system', 'login']
login = conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True)
+ no_tag_node_value_mangle=True, get_first_key=True)
# users no longer existing in the running configuration need to be deleted
local_users = get_local_users()
@@ -80,12 +80,6 @@ def get_config(config=None):
login['radius']['server'][server] = dict_merge(default_values,
login['radius']['server'][server])
- # XXX: for a yet unknown reason when we only have one source-address
- # get_config_dict() will show a string over a string
- if 'radius' in login and 'source_address' in login['radius']:
- if isinstance(login['radius']['source_address'], str):
- login['radius']['source_address'] = [login['radius']['source_address']]
-
# create a list of all users, cli and users
all_users = list(set(local_users + cli_users))
# We will remove any normal users that dos not exist in the current
@@ -246,7 +240,9 @@ def apply(login):
# XXX: Should we deny using root at all?
home_dir = getpwnam(user).pw_dir
render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.tmpl',
- user_config, permission=0o600, user=user, group='users')
+ user_config, permission=0o600,
+ formater=lambda _: _.replace("&quot;", '"'),
+ user=user, group='users')
except Exception as e:
raise ConfigError(f'Adding user "{user}" raised exception: "{e}"')
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index d3065fc47..99b82ca2d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -286,20 +286,34 @@ def verify(ipsec):
if 'pre_shared_secret' not in ra_conf['authentication']:
raise ConfigError(f"Missing pre-shared-key on {name} remote-access config")
+ if 'client_mode' not in ra_conf['authentication']:
+ raise ConfigError('Client authentication method is required!')
- if 'client_mode' in ra_conf['authentication']:
- if ra_conf['authentication']['client_mode'] == 'eap-radius':
- if 'radius' not in ipsec['remote_access'] or 'server' not in ipsec['remote_access']['radius'] or len(ipsec['remote_access']['radius']['server']) == 0:
- raise ConfigError('RADIUS authentication requires at least one server')
+ if dict_search('authentication.client_mode', ra_conf) == 'eap-radius':
+ if dict_search('remote_access.radius.server', ipsec) == None:
+ raise ConfigError('RADIUS authentication requires at least one server')
if 'pool' in ra_conf:
+ if {'dhcp', 'radius'} <= set(ra_conf['pool']):
+ raise ConfigError(f'Can not use both DHCP and RADIUS for address allocation '\
+ f'at the same time for "{name}"!')
+
if 'dhcp' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
- raise ConfigError(f'Can not use both DHCP and a predefined address pool for "{name}"!')
+ raise ConfigError(f'Can not use DHCP and a predefined address pool for "{name}"!')
+
+ if 'radius' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
+ raise ConfigError(f'Can not use RADIUS and a predefined address pool for "{name}"!')
for pool in ra_conf['pool']:
if pool == 'dhcp':
if dict_search('remote_access.dhcp.server', ipsec) == None:
raise ConfigError('IPSec DHCP server is not configured!')
+ elif pool == 'radius':
+ if dict_search('remote_access.radius.server', ipsec) == None:
+ raise ConfigError('IPSec RADIUS server is not configured!')
+
+ if dict_search('authentication.client_mode', ra_conf) != 'eap-radius':
+ raise ConfigError('RADIUS IP pool requires eap-radius client authentication!')
elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']:
raise ConfigError(f'Requested pool "{pool}" does not exist!')
@@ -348,6 +362,9 @@ def verify(ipsec):
if 'authentication' not in peer_conf or 'mode' not in peer_conf['authentication']:
raise ConfigError(f"Missing authentication on site-to-site peer {peer}")
+ if {'id', 'use_x509_id'} <= set(peer_conf['authentication']):
+ raise ConfigError(f"Manually set peer id and use-x509-id are mutually exclusive!")
+
if peer_conf['authentication']['mode'] == 'x509':
if 'x509' not in peer_conf['authentication']:
raise ConfigError(f"Missing x509 settings on site-to-site peer {peer}")
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index c1cfc1dcb..919083ac4 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -24,7 +24,6 @@ from vyos.config import Config
from vyos.configdict import node_changed
from vyos.ifconfig import Interface
from vyos.template import render
-from vyos.template import render_to_string
from vyos.util import call
from vyos.util import cmd
from vyos.util import dict_search
@@ -32,12 +31,9 @@ from vyos.util import get_interface_config
from vyos.util import popen
from vyos.util import run
from vyos import ConfigError
-from vyos import frr
from vyos import airbag
airbag.enable()
-frr_daemon = 'zebra'
-
config_file = r'/etc/iproute2/rt_tables.d/vyos-vrf.conf'
def list_rules():
@@ -131,7 +127,6 @@ def verify(vrf):
def generate(vrf):
render(config_file, 'vrf/vrf.conf.tmpl', vrf)
- vrf['new_frr_config'] = render_to_string('frr/vrf.frr.tmpl', vrf)
# Render nftables zones config
vrf['nft_vrf_zones'] = NamedTemporaryFile().name
render(vrf['nft_vrf_zones'], 'firewall/nftables-vrf-zones.tmpl', vrf)
@@ -242,21 +237,6 @@ def apply(vrf):
if tmp == 0:
cmd('nft delete table inet vrf_zones')
- # T3694: Somehow we hit a priority inversion here as we need to remove the
- # VRF assigned VNI before we can remove a BGP bound VRF instance. Maybe
- # move this to an individual helper script that set's up the VNI for the
- # given VRF after any routing protocol.
- #
- # # add configuration to FRR
- # frr_cfg = frr.FRRConfig()
- # frr_cfg.load_configuration(frr_daemon)
- # frr_cfg.modify_section(f'^vrf [a-zA-Z-]*$', '')
- # frr_cfg.add_before(r'(interface .*|line vty)', vrf['new_frr_config'])
- # frr_cfg.commit_configuration(frr_daemon)
- #
- # # Save configuration to /run/frr/config/frr.conf
- # frr.save_configuration()
-
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/vrf_vni.py b/src/conf_mode/vrf_vni.py
new file mode 100755
index 000000000..87ee8f2d1
--- /dev/null
+++ b/src/conf_mode/vrf_vni.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020-2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from sys import argv
+from sys import exit
+
+from vyos.config import Config
+from vyos.template import render_to_string
+from vyos import ConfigError
+from vyos import frr
+from vyos import airbag
+airbag.enable()
+
+frr_daemon = 'zebra'
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+
+ # This script only works with a passed VRF name
+ if len(argv) < 1:
+ raise NotImplementedError
+ vrf = argv[1]
+
+ # "assemble" dict - easier here then use a full blown get_config_dict()
+ # on a single leafNode
+ vni = { 'vrf' : vrf }
+ tmp = conf.return_value(['vrf', 'name', vrf, 'vni'])
+ if tmp: vni.update({ 'vni' : tmp })
+
+ return vni
+
+def verify(vni):
+ return None
+
+def generate(vni):
+ vni['new_frr_config'] = render_to_string('frr/vrf-vni.frr.tmpl', vni)
+ return None
+
+def apply(vni):
+ # add configuration to FRR
+ frr_cfg = frr.FRRConfig()
+ frr_cfg.load_configuration(frr_daemon)
+ frr_cfg.modify_section(f'^vrf [a-zA-Z-]*$', '')
+ frr_cfg.add_before(r'(interface .*|line vty)', vni['new_frr_config'])
+ frr_cfg.commit_configuration(frr_daemon)
+
+ # Save configuration to /run/frr/config/frr.conf
+ frr.save_configuration()
+
+ return None
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
diff --git a/src/conf_mode/vrrp.py b/src/conf_mode/vrrp.py
index 680a80859..e8f1c1f99 100755
--- a/src/conf_mode/vrrp.py
+++ b/src/conf_mode/vrrp.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -17,244 +17,131 @@
import os
from sys import exit
-from ipaddress import ip_address, ip_interface, IPv4Interface, IPv6Interface, IPv4Address, IPv6Address
-from json import dumps
-from pathlib import Path
-
-import vyos.config
-
-from vyos import ConfigError
-from vyos.util import call
-from vyos.template import render
+from ipaddress import ip_interface
+from ipaddress import IPv4Interface
+from ipaddress import IPv6Interface
+from vyos.config import Config
+from vyos.configdict import dict_merge
from vyos.ifconfig.vrrp import VRRP
-
+from vyos.template import render
+from vyos.template import is_ipv4
+from vyos.template import is_ipv6
+from vyos.util import call
+from vyos.xml import defaults
+from vyos import ConfigError
from vyos import airbag
airbag.enable()
def get_config(config=None):
- vrrp_groups = []
- sync_groups = []
-
if config:
- config = config
+ conf = config
else:
- config = vyos.config.Config()
-
- # Get the VRRP groups
- for group_name in config.list_nodes("high-availability vrrp group"):
- config.set_level("high-availability vrrp group {0}".format(group_name))
-
- # Retrieve the values
- group = {"preempt": True, "use_vmac": False, "disable": False}
-
- if config.exists("disable"):
- group["disable"] = True
-
- group["name"] = group_name
- group["vrid"] = config.return_value("vrid")
- group["interface"] = config.return_value("interface")
- group["description"] = config.return_value("description")
- group["advertise_interval"] = config.return_value("advertise-interval")
- group["priority"] = config.return_value("priority")
- group["hello_source"] = config.return_value("hello-source-address")
- group["peer_address"] = config.return_value("peer-address")
- group["sync_group"] = config.return_value("sync-group")
- group["preempt_delay"] = config.return_value("preempt-delay")
- group["virtual_addresses"] = config.return_values("virtual-address")
- group["virtual_addresses_excluded"] = config.return_values("virtual-address-excluded")
-
- group["auth_password"] = config.return_value("authentication password")
- group["auth_type"] = config.return_value("authentication type")
-
- group["health_check_script"] = config.return_value("health-check script")
- group["health_check_interval"] = config.return_value("health-check interval")
- group["health_check_count"] = config.return_value("health-check failure-count")
-
- group["master_script"] = config.return_value("transition-script master")
- group["backup_script"] = config.return_value("transition-script backup")
- group["fault_script"] = config.return_value("transition-script fault")
- group["stop_script"] = config.return_value("transition-script stop")
- group["script_mode_force"] = config.exists("transition-script mode-force")
-
- if config.exists("no-preempt"):
- group["preempt"] = False
- if config.exists("rfc3768-compatibility"):
- group["use_vmac"] = True
-
- # Substitute defaults where applicable
- if not group["advertise_interval"]:
- group["advertise_interval"] = 1
- if not group["priority"]:
- group["priority"] = 100
- if not group["preempt_delay"]:
- group["preempt_delay"] = 0
- if not group["health_check_interval"]:
- group["health_check_interval"] = 60
- if not group["health_check_count"]:
- group["health_check_count"] = 3
-
- # FIXUP: translate our option for auth type to keepalived's syntax
- # for simplicity
- if group["auth_type"]:
- if group["auth_type"] == "plaintext-password":
- group["auth_type"] = "PASS"
- else:
- group["auth_type"] = "AH"
-
- vrrp_groups.append(group)
-
- config.set_level("")
-
- # Get the sync group used for conntrack-sync
- conntrack_sync_group = None
- if config.exists("service conntrack-sync failover-mechanism vrrp"):
- conntrack_sync_group = config.return_value("service conntrack-sync failover-mechanism vrrp sync-group")
-
- # Get the sync groups
- for sync_group_name in config.list_nodes("high-availability vrrp sync-group"):
- config.set_level("high-availability vrrp sync-group {0}".format(sync_group_name))
-
- sync_group = {"conntrack_sync": False}
- sync_group["name"] = sync_group_name
- sync_group["members"] = config.return_values("member")
- if conntrack_sync_group:
- if conntrack_sync_group == sync_group_name:
- sync_group["conntrack_sync"] = True
-
- # add transition script configuration
- sync_group["master_script"] = config.return_value("transition-script master")
- sync_group["backup_script"] = config.return_value("transition-script backup")
- sync_group["fault_script"] = config.return_value("transition-script fault")
- sync_group["stop_script"] = config.return_value("transition-script stop")
-
- sync_groups.append(sync_group)
-
- # create a file with dict with proposed configuration
- with open("{}.temp".format(VRRP.location['vyos']), 'w') as dict_file:
- dict_file.write(dumps({'vrrp_groups': vrrp_groups, 'sync_groups': sync_groups}))
-
- return (vrrp_groups, sync_groups)
-
-
-def verify(data):
- vrrp_groups, sync_groups = data
-
- for group in vrrp_groups:
- # Check required fields
- if not group["vrid"]:
- raise ConfigError("vrid is required but not set in VRRP group {0}".format(group["name"]))
- if not group["interface"]:
- raise ConfigError("interface is required but not set in VRRP group {0}".format(group["name"]))
- if not group["virtual_addresses"]:
- raise ConfigError("virtual-address is required but not set in VRRP group {0}".format(group["name"]))
-
- if group["auth_password"] and (not group["auth_type"]):
- raise ConfigError("authentication type is required but not set in VRRP group {0}".format(group["name"]))
-
- # Keepalived doesn't allow mixing IPv4 and IPv6 in one group, so we mirror that restriction
-
- # XXX: filter on map object is destructive, so we force it to list.
- # Additionally, filter objects always evaluate to True, empty or not,
- # so we force them to lists as well.
- vaddrs = list(map(lambda i: ip_interface(i), group["virtual_addresses"]))
- vaddrs4 = list(filter(lambda x: isinstance(x, IPv4Interface), vaddrs))
- vaddrs6 = list(filter(lambda x: isinstance(x, IPv6Interface), vaddrs))
-
- if vaddrs4 and vaddrs6:
- raise ConfigError("VRRP group {0} mixes IPv4 and IPv6 virtual addresses, this is not allowed. Create separate groups for IPv4 and IPv6".format(group["name"]))
-
- if vaddrs4:
- if group["hello_source"]:
- hsa = ip_address(group["hello_source"])
- if isinstance(hsa, IPv6Address):
- raise ConfigError("VRRP group {0} uses IPv4 but its hello-source-address is IPv6".format(group["name"]))
- if group["peer_address"]:
- pa = ip_address(group["peer_address"])
- if isinstance(pa, IPv6Address):
- raise ConfigError("VRRP group {0} uses IPv4 but its peer-address is IPv6".format(group["name"]))
-
- if vaddrs6:
- if group["hello_source"]:
- hsa = ip_address(group["hello_source"])
- if isinstance(hsa, IPv4Address):
- raise ConfigError("VRRP group {0} uses IPv6 but its hello-source-address is IPv4".format(group["name"]))
- if group["peer_address"]:
- pa = ip_address(group["peer_address"])
- if isinstance(pa, IPv4Address):
- raise ConfigError("VRRP group {0} uses IPv6 but its peer-address is IPv4".format(group["name"]))
-
- # Warn the user about the deprecated mode-force option
- if group['script_mode_force']:
- print("""Warning: "transition-script mode-force" VRRP option is deprecated and will be removed in VyOS 1.4.""")
- print("""It's no longer necessary, so you can safely remove it from your config now.""")
-
- # Disallow same VRID on multiple interfaces
- _groups = sorted(vrrp_groups, key=(lambda x: x["interface"]))
- count = len(_groups) - 1
- index = 0
- while (index < count):
- if (_groups[index]["vrid"] == _groups[index + 1]["vrid"]) and (_groups[index]["interface"] == _groups[index + 1]["interface"]):
- raise ConfigError("VRID {0} is used in groups {1} and {2} that both use interface {3}. Groups on the same interface must use different VRIDs".format(
- _groups[index]["vrid"], _groups[index]["name"], _groups[index + 1]["name"], _groups[index]["interface"]))
- else:
- index += 1
-
+ conf = Config()
+
+ base = ['high-availability', 'vrrp']
+ if not conf.exists(base):
+ return None
+
+ vrrp = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True, no_tag_node_value_mangle=True)
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ if 'group' in vrrp:
+ default_values = defaults(base + ['group'])
+ for group in vrrp['group']:
+ vrrp['group'][group] = dict_merge(default_values, vrrp['group'][group])
+
+ ## Get the sync group used for conntrack-sync
+ conntrack_path = ['service', 'conntrack-sync', 'failover-mechanism', 'vrrp', 'sync-group']
+ if conf.exists(conntrack_path):
+ vrrp['conntrack_sync_group'] = conf.return_value(conntrack_path)
+
+ return vrrp
+
+def verify(vrrp):
+ if not vrrp:
+ return None
+
+ used_vrid_if = []
+ if 'group' in vrrp:
+ for group, group_config in vrrp['group'].items():
+ # Check required fields
+ if 'vrid' not in group_config:
+ raise ConfigError(f'VRID is required but not set in VRRP group "{group}"')
+
+ if 'interface' not in group_config:
+ raise ConfigError(f'Interface is required but not set in VRRP group "{group}"')
+
+ if 'address' not in group_config:
+ raise ConfigError(f'Virtual IP address is required but not set in VRRP group "{group}"')
+
+ if 'authentication' in group_config:
+ if not {'password', 'type'} <= set(group_config['authentication']):
+ raise ConfigError(f'Authentication requires both type and passwortd to be set in VRRP group "{group}"')
+
+ # We can not use a VRID once per interface
+ interface = group_config['interface']
+ vrid = group_config['vrid']
+ tmp = {'interface': interface, 'vrid': vrid}
+ if tmp in used_vrid_if:
+ raise ConfigError(f'VRID "{vrid}" can only be used once on interface "{interface}"!')
+ used_vrid_if.append(tmp)
+
+ # Keepalived doesn't allow mixing IPv4 and IPv6 in one group, so we mirror that restriction
+
+ # XXX: filter on map object is destructive, so we force it to list.
+ # Additionally, filter objects always evaluate to True, empty or not,
+ # so we force them to lists as well.
+ vaddrs = list(map(lambda i: ip_interface(i), group_config['address']))
+ vaddrs4 = list(filter(lambda x: isinstance(x, IPv4Interface), vaddrs))
+ vaddrs6 = list(filter(lambda x: isinstance(x, IPv6Interface), vaddrs))
+
+ if vaddrs4 and vaddrs6:
+ raise ConfigError(f'VRRP group "{group}" mixes IPv4 and IPv6 virtual addresses, this is not allowed.\n' \
+ 'Create individual groups for IPv4 and IPv6!')
+ if vaddrs4:
+ if 'hello_source_address' in group_config:
+ if is_ipv6(group_config['hello_source_address']):
+ raise ConfigError(f'VRRP group "{group}" uses IPv4 but hello-source-address is IPv6!')
+
+ if 'peer_address' in group_config:
+ if is_ipv6(group_config['peer_address']):
+ raise ConfigError(f'VRRP group "{group}" uses IPv4 but peer-address is IPv6!')
+
+ if vaddrs6:
+ if 'hello_source_address' in group_config:
+ if is_ipv4(group_config['hello_source_address']):
+ raise ConfigError(f'VRRP group "{group}" uses IPv6 but hello-source-address is IPv4!')
+
+ if 'peer_address' in group_config:
+ if is_ipv4(group_config['peer_address']):
+ raise ConfigError(f'VRRP group "{group}" uses IPv6 but peer-address is IPv4!')
# Check sync groups
- vrrp_group_names = list(map(lambda x: x["name"], vrrp_groups))
-
- for sync_group in sync_groups:
- for m in sync_group["members"]:
- if not (m in vrrp_group_names):
- raise ConfigError("VRRP sync-group {0} refers to VRRP group {1}, but group {1} does not exist".format(sync_group["name"], m))
-
-
-def generate(data):
- vrrp_groups, sync_groups = data
-
- # Remove disabled groups from the sync group member lists
- for sync_group in sync_groups:
- for member in sync_group["members"]:
- g = list(filter(lambda x: x["name"] == member, vrrp_groups))[0]
- if g["disable"]:
- print("Warning: ignoring disabled VRRP group {0} in sync-group {1}".format(g["name"], sync_group["name"]))
- # Filter out disabled groups
- vrrp_groups = list(filter(lambda x: x["disable"] is not True, vrrp_groups))
-
- render(VRRP.location['config'], 'vrrp/keepalived.conf.tmpl',
- {"groups": vrrp_groups, "sync_groups": sync_groups})
- render(VRRP.location['daemon'], 'vrrp/daemon.tmpl', {})
+ if 'sync_group' in vrrp:
+ for sync_group, sync_config in vrrp['sync_group'].items():
+ if 'member' in sync_config:
+ for member in sync_config['member']:
+ if member not in vrrp['group']:
+ raise ConfigError(f'VRRP sync-group "{sync_group}" refers to VRRP group "{member}", '\
+ 'but it does not exist!')
+
+def generate(vrrp):
+ if not vrrp:
+ return None
+
+ render(VRRP.location['config'], 'vrrp/keepalived.conf.tmpl', vrrp)
return None
+def apply(vrrp):
+ service_name = 'keepalived.service'
+ if not vrrp:
+ call(f'systemctl stop {service_name}')
+ return None
-def apply(data):
- vrrp_groups, sync_groups = data
- if vrrp_groups:
- # safely rename a temporary file with configuration dict
- try:
- dict_file = Path("{}.temp".format(VRRP.location['vyos']))
- dict_file.rename(Path(VRRP.location['vyos']))
- except Exception as err:
- print("Unable to rename the file with keepalived config for FIFO pipe: {}".format(err))
-
- if not VRRP.is_running():
- print("Starting the VRRP process")
- ret = call("systemctl restart keepalived.service")
- else:
- print("Reloading the VRRP process")
- ret = call("systemctl reload keepalived.service")
-
- if ret != 0:
- raise ConfigError("keepalived failed to start")
- else:
- # VRRP is removed in the commit
- print("Stopping the VRRP process")
- call("systemctl stop keepalived.service")
- os.unlink(VRRP.location['daemon'])
-
+ call(f'systemctl restart {service_name}')
return None
-
if __name__ == '__main__':
try:
c = get_config()
@@ -262,5 +149,5 @@ if __name__ == '__main__':
generate(c)
apply(c)
except ConfigError as e:
- print("VRRP error: {0}".format(str(e)))
+ print(e)
exit(1)
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
index a7a9a2ce6..61a89e62a 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
@@ -35,19 +35,14 @@ fi
python3 - <<PYEND
import os
import re
+
from vyos.util import call
from vyos.util import cmd
+from vyos.util import read_file
+from vyos.util import write_file
SWANCTL_CONF="/etc/swanctl/swanctl.conf"
-def getlines(file):
- with open(file, 'r') as f:
- return f.readlines()
-
-def writelines(file, lines):
- with open(file, 'w') as f:
- f.writelines(lines)
-
def ipsec_down(ip_address):
# This prevents the need to restart ipsec and kill all active connections, only the stale connection is closed
status = cmd('sudo ipsec statusall')
@@ -66,23 +61,26 @@ if __name__ == '__main__':
new_ip = os.getenv('new_ip_address')
old_ip = os.getenv('old_ip_address')
- conf_lines = getlines(SWANCTL_CONF)
- found = False
- to_match = f'# dhcp:{interface}'
+ if os.path.exists(SWANCTL_CONF):
+ conf_lines = read_file(SWANCTL_CONF)
+ found = False
+ to_match = f'# dhcp:{interface}'
+
+ for i, line in enumerate(conf_lines):
+ if line.find(to_match) > 0:
+ conf_lines[i] = line.replace(old_ip, new_ip)
+ found = True
- for i, line in enumerate(conf_lines):
- if line.find(to_match) > 0:
- conf_lines[i] = line.replace(old_ip, new_ip)
- found = True
+ for i, line in enumerate(secrets_lines):
+ if line.find(to_match) > 0:
+ secrets_lines[i] = line.replace(old_ip, new_ip)
- for i, line in enumerate(secrets_lines):
- if line.find(to_match) > 0:
- secrets_lines[i] = line.replace(old_ip, new_ip)
+ if found:
+ write_file(SWANCTL_CONF, conf_lines)
+ ipsec_down(old_ip)
+ call('sudo ipsec rereadall')
+ call('sudo ipsec reload')
+ call('sudo swanctl -q')
- if found:
- writelines(SWANCTL_CONF, conf_lines)
- ipsec_down(old_ip)
- call('sudo ipsec rereadall')
- call('sudo ipsec reload')
- call('sudo swanctl -q')
+ exit(0)
PYEND \ No newline at end of file
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 281c9bf2b..1ffb32955 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -29,19 +29,10 @@ from vyos.util import call
from vyos.util import get_interface_config
from vyos.util import get_interface_address
-def get_dhcp_address(interface):
- addr = get_interface_address(interface)
- if not addr:
- return None
- if len(addr['addr_info']) == 0:
- return None
- return addr['addr_info'][0]['local']
-
if __name__ == '__main__':
verb = os.getenv('PLUTO_VERB')
connection = os.getenv('PLUTO_CONNECTION')
interface = sys.argv[1]
- dhcp_interface = sys.argv[2]
openlog(ident=f'vti-up-down', logoption=LOG_PID, facility=LOG_INFO)
syslog(f'Interface {interface} {verb} {connection}')
@@ -55,7 +46,7 @@ if __name__ == '__main__':
syslog(f'Interface {interface} not found')
sys.exit(0)
- vti_link_up = (vti_link['operstate'] == 'UP' if 'operstate' in vti_link else False)
+ vti_link_up = (vti_link['operstate'] != 'DOWN' if 'operstate' in vti_link else False)
config = ConfigTreeQuery()
vti_dict = config.get_config_dict(['interfaces', 'vti', interface],
@@ -63,9 +54,6 @@ if __name__ == '__main__':
if verb in ['up-client', 'up-host']:
if not vti_link_up:
- if dhcp_interface != 'no':
- local_ip = get_dhcp_address(dhcp_interface)
- call(f'sudo ip tunnel change {interface} local {local_ip}')
if 'disable' not in vti_dict:
call(f'sudo ip link set {interface} up')
else:
diff --git a/src/etc/ppp/ip-up.d/99-vyos-pppoe-callback b/src/etc/ppp/ip-up.d/99-vyos-pppoe-callback
new file mode 100755
index 000000000..bb918a468
--- /dev/null
+++ b/src/etc/ppp/ip-up.d/99-vyos-pppoe-callback
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# This is a Python hook script which is invoked whenever a PPPoE session goes
+# "ip-up". It will call into our vyos.ifconfig library and will then execute
+# common tasks for the PPPoE interface. The reason we have to "hook" this is
+# that we can not create a pppoeX interface in advance in linux and then connect
+# pppd to this already existing interface.
+
+from sys import argv
+from sys import exit
+
+from syslog import syslog
+from syslog import openlog
+from syslog import LOG_PID
+from syslog import LOG_INFO
+
+from vyos.configquery import ConfigTreeQuery
+from vyos.ifconfig import PPPoEIf
+from vyos.util import read_file
+
+# When the ppp link comes up, this script is called with the following
+# parameters
+# $1 the interface name used by pppd (e.g. ppp3)
+# $2 the tty device name
+# $3 the tty device speed
+# $4 the local IP address for the interface
+# $5 the remote IP address
+# $6 the parameter specified by the 'ipparam' option to pppd
+
+if (len(argv) < 7):
+ exit(1)
+
+interface = argv[6]
+dialer_pid = read_file(f'/var/run/{interface}.pid')
+
+openlog(ident=f'pppd[{dialer_pid}]', facility=LOG_INFO)
+syslog('executing ' + argv[0])
+
+conf = ConfigTreeQuery()
+pppoe = conf.get_config_dict(['interfaces', 'pppoe', argv[6]],
+ get_first_key=True, key_mangling=('-', '_'))
+pppoe['ifname'] = argv[6]
+
+p = PPPoEIf(pppoe['ifname'])
+p.update(pppoe)
diff --git a/src/etc/sysctl.d/32-vyos-podman.conf b/src/etc/sysctl.d/32-vyos-podman.conf
new file mode 100644
index 000000000..7068bf88d
--- /dev/null
+++ b/src/etc/sysctl.d/32-vyos-podman.conf
@@ -0,0 +1,5 @@
+# Increase inotify watchers as per https://bugzilla.redhat.com/show_bug.cgi?id=1829596
+fs.inotify.max_queued_events = 1048576
+fs.inotify.max_user_instances = 1048576
+fs.inotify.max_user_watches = 1048576
+
diff --git a/src/etc/systemd/system/keepalived.service.d/override.conf b/src/etc/systemd/system/keepalived.service.d/override.conf
index 9fcabf652..1c68913f2 100644
--- a/src/etc/systemd/system/keepalived.service.d/override.conf
+++ b/src/etc/systemd/system/keepalived.service.d/override.conf
@@ -1,2 +1,13 @@
+[Unit]
+ConditionPathExists=
+ConditionPathExists=/run/keepalived/keepalived.conf
+After=
+After=vyos-router.service
+
[Service]
KillMode=process
+EnvironmentFile=
+ExecStart=
+ExecStart=/usr/sbin/keepalived --use-file /run/keepalived/keepalived.conf --pid /run/keepalived/keepalived.pid --dont-fork --snmp
+PIDFile=
+PIDFile=/run/keepalived/keepalived.pid
diff --git a/src/etc/udev/rules.d/65-vyatta-net.rules b/src/etc/udev/rules.d/65-vyatta-net.rules
deleted file mode 100644
index 2b48c1213..000000000
--- a/src/etc/udev/rules.d/65-vyatta-net.rules
+++ /dev/null
@@ -1,26 +0,0 @@
-# These rules use vyatta_net_name to persistently name network interfaces
-# per "hwid" association in the Vyatta configuration file.
-
-ACTION!="add", GOTO="vyatta_net_end"
-SUBSYSTEM!="net", GOTO="vyatta_net_end"
-
-# ignore the interface if a name has already been set
-NAME=="?*", GOTO="vyatta_net_end"
-
-# Do name change for ethernet and wireless devices only
-KERNEL!="eth*|wlan*", GOTO="vyatta_net_end"
-
-# ignore "secondary" monitor interfaces of mac80211 drivers
-KERNEL=="wlan*", ATTRS{type}=="803", GOTO="vyatta_net_end"
-
-# If using VyOS predefined names
-ENV{VYOS_IFNAME}!="eth*", GOTO="end_vyos_predef_names"
-
-DRIVERS=="?*", PROGRAM="vyatta_net_name %k $attr{address} $env{VYOS_IFNAME}", NAME="%c", GOTO="vyatta_net_end"
-
-LABEL="end_vyos_predef_names"
-
-# ignore interfaces without a driver link like bridges and VLANs
-DRIVERS=="?*", PROGRAM="vyatta_net_name %k $attr{address}", NAME="%c"
-
-LABEL="vyatta_net_end"
diff --git a/src/etc/udev/rules.d/65-vyos-net.rules b/src/etc/udev/rules.d/65-vyos-net.rules
new file mode 100644
index 000000000..c8d5750dd
--- /dev/null
+++ b/src/etc/udev/rules.d/65-vyos-net.rules
@@ -0,0 +1,26 @@
+# These rules use vyos_net_name to persistently name network interfaces
+# per "hwid" association in the VyOS configuration file.
+
+ACTION!="add", GOTO="vyos_net_end"
+SUBSYSTEM!="net", GOTO="vyos_net_end"
+
+# ignore the interface if a name has already been set
+NAME=="?*", GOTO="vyos_net_end"
+
+# Do name change for ethernet and wireless devices only
+KERNEL!="eth*|wlan*", GOTO="vyos_net_end"
+
+# ignore "secondary" monitor interfaces of mac80211 drivers
+KERNEL=="wlan*", ATTRS{type}=="803", GOTO="vyos_net_end"
+
+# If using VyOS predefined names
+ENV{VYOS_IFNAME}!="eth*", GOTO="end_vyos_predef_names"
+
+DRIVERS=="?*", PROGRAM="vyos_net_name %k $attr{address} $env{VYOS_IFNAME}", NAME="%c", GOTO="vyos_net_end"
+
+LABEL="end_vyos_predef_names"
+
+# ignore interfaces without a driver link like bridges and VLANs
+DRIVERS=="?*", PROGRAM="vyos_net_name %k $attr{address}", NAME="%c"
+
+LABEL="vyos_net_end"
diff --git a/src/etc/udev/rules.d/90-vyos-serial.rules b/src/etc/udev/rules.d/90-vyos-serial.rules
index 3f10f4924..872fd4fea 100644
--- a/src/etc/udev/rules.d/90-vyos-serial.rules
+++ b/src/etc/udev/rules.d/90-vyos-serial.rules
@@ -8,7 +8,7 @@ SUBSYSTEMS=="pci", IMPORT{builtin}="hwdb --subsystem=pci"
SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb"
# /dev/serial/by-path/, /dev/serial/by-id/ for USB devices
-KERNEL!="ttyUSB[0-9]*|ttyACM[0-9]*", GOTO="serial_end"
+KERNEL!="ttyUSB[0-9]*", GOTO="serial_end"
SUBSYSTEMS=="usb-serial", ENV{.ID_PORT}="$attr{port_number}"
@@ -18,11 +18,11 @@ IMPORT{builtin}="path_id", IMPORT{builtin}="usb_id"
#
# - $env{ID_PATH} usually is a name like: "pci-0000:00:10.0-usb-0:2.3.3.4:1.0-port0" so we strip the "pci-*"
# portion and only use the usb part
-# - Transform the USB "speach" to the tree like structure so we start with "usb0" as root-complex 0.
+# - Transform the USB "speech" to the tree like structure so we start with "usb0" as root-complex 0.
# (tr -d -) does the replacement
# - Replace the first group after ":" to represent the bus relation (sed -e 0,/:/s//b/) indicated by "b"
# - Replace the next group after ":" to represent the port relation (sed -e 0,/:/s//p/) indicated by "p"
-ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", PROGRAM="/bin/sh -c 'D=$env{ID_PATH}; echo ${D:17} | tr -d - | sed -e 0,/:/s//b/ | sed -e 0,/:/s//p/'", SYMLINK+="serial/by-bus/$result"
-ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", PROGRAM="/bin/sh -c 'D=$env{ID_PATH}; echo ${D:17} | tr -d - | sed -e 0,/:/s//b/ | sed -e 0,/:/s//p/'", SYMLINK+="serial/by-bus/$result"
+ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", PROGRAM="/bin/sh -c 'echo $env{ID_PATH:17} | tr -d - | sed -e 0,/:/s//b/ | sed -e 0,/:/s//p/'", SYMLINK+="serial/by-bus/$result"
+ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", PROGRAM="/bin/sh -c 'echo $env{ID_PATH:17} | tr -d - | sed -e 0,/:/s//b/ | sed -e 0,/:/s//p/'", SYMLINK+="serial/by-bus/$result"
LABEL="serial_end"
diff --git a/src/etc/update-motd.d/99-reboot b/src/etc/update-motd.d/99-reboot
new file mode 100755
index 000000000..718be1a7a
--- /dev/null
+++ b/src/etc/update-motd.d/99-reboot
@@ -0,0 +1,7 @@
+#!/bin/vbash
+source /opt/vyatta/etc/functions/script-template
+if [ -f /run/systemd/shutdown/scheduled ]; then
+ echo
+ run show reboot
+fi
+exit
diff --git a/src/helpers/strip-private.py b/src/helpers/strip-private.py
index c165d2cba..c74a379aa 100755
--- a/src/helpers/strip-private.py
+++ b/src/helpers/strip-private.py
@@ -47,7 +47,7 @@ ipv4_re = re.compile(r'(\d{1,3}\.){2}(\d{1,3}\.\d{1,3})')
ipv4_subst = r'xxx.xxx.\2'
# Censor all but the first two fields.
-ipv6_re = re.compile(r'([0-9a-fA-F]{1,4}\:){2}(\S+)')
+ipv6_re = re.compile(r'([0-9a-fA-F]{1,4}\:){2}([0-9a-fA-F:]+)')
ipv6_subst = r'xxxx:xxxx:\2'
def ip_match(match: re.Match, subst: str) -> str:
@@ -96,12 +96,12 @@ if __name__ == "__main__":
args = parser.parse_args()
# Strict mode is the default and the absence of loose mode implies presence of strict mode.
if not args.loose:
- for arg in [args.mac, args.domain, args.hostname, args.username, args.dhcp, args.asn, args.snmp, args.lldp]:
- arg = True
+ args.mac = args.domain = args.hostname = args.username = args.dhcp = args.asn = args.snmp = args.lldp = True
if not args.public_address and not args.keep_address:
args.address = True
elif not args.address and not args.public_address:
args.keep_address = True
+
# (condition, precompiled regexp, substitution string)
stripping_rules = [
# Strip passwords
@@ -120,7 +120,7 @@ if __name__ == "__main__":
(True, re.compile(r'private-key \S+'), 'private-key xxxxxx'),
# Strip MAC addresses
- (args.mac, re.compile(r'([0-9a-fA-F]{2}\:){5}([0-9a-fA-F]{2}((\:{0,1})){3})'), r'XX:XX:XX:XX:XX:\2'),
+ (args.mac, re.compile(r'([0-9a-fA-F]{2}\:){5}([0-9a-fA-F]{2}((\:{0,1})){3})'), r'xx:xx:xx:xx:xx:\2'),
# Strip host-name, domain-name, and domain-search
(args.hostname, re.compile(r'(host-name|domain-name|domain-search) \S+'), r'\1 xxxxxx'),
diff --git a/src/helpers/vyos-interface-rescan.py b/src/helpers/vyos-interface-rescan.py
new file mode 100755
index 000000000..1ac1810e0
--- /dev/null
+++ b/src/helpers/vyos-interface-rescan.py
@@ -0,0 +1,206 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import os
+import stat
+import argparse
+import logging
+import netaddr
+
+from vyos.configtree import ConfigTree
+from vyos.defaults import directories
+from vyos.util import get_cfg_group_id
+
+debug = False
+
+vyos_udev_dir = directories['vyos_udev_dir']
+vyos_log_dir = directories['log']
+log_file = os.path.splitext(os.path.basename(__file__))[0]
+vyos_log_file = os.path.join(vyos_log_dir, log_file)
+
+logger = logging.getLogger(__name__)
+handler = logging.FileHandler(vyos_log_file, mode='a')
+formatter = logging.Formatter('%(levelname)s: %(message)s')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+passlist = {
+ '02:07:01' : 'Interlan',
+ '02:60:60' : '3Com',
+ '02:60:8c' : '3Com',
+ '02:a0:c9' : 'Intel',
+ '02:aa:3c' : 'Olivetti',
+ '02:cf:1f' : 'CMC',
+ '02:e0:3b' : 'Prominet',
+ '02:e6:d3' : 'BTI',
+ '52:54:00' : 'Realtek',
+ '52:54:4c' : 'Novell 2000',
+ '52:54:ab' : 'Realtec',
+ 'e2:0c:0f' : 'Kingston Technologies'
+}
+
+def is_multicast(addr: netaddr.eui.EUI) -> bool:
+ return bool(addr.words[0] & 0b1)
+
+def is_locally_administered(addr: netaddr.eui.EUI) -> bool:
+ return bool(addr.words[0] & 0b10)
+
+def is_on_passlist(hwid: str) -> bool:
+ top = hwid.rsplit(':', 3)[0]
+ if top in list(passlist):
+ return True
+ return False
+
+def is_persistent(hwid: str) -> bool:
+ addr = netaddr.EUI(hwid)
+ if is_multicast(addr):
+ return False
+ if is_locally_administered(addr) and not is_on_passlist(hwid):
+ return False
+ return True
+
+def get_wireless_physical_device(intf: str) -> str:
+ if 'wlan' not in intf:
+ return ''
+ try:
+ tmp = os.readlink(f'/sys/class/net/{intf}/phy80211')
+ except OSError:
+ logger.critical(f"Failed to read '/sys/class/net/{intf}/phy80211'")
+ return ''
+ phy = os.path.basename(tmp)
+ logger.info(f"wireless phy is {phy}")
+ return phy
+
+def get_interface_type(intf: str) -> str:
+ if 'eth' in intf:
+ intf_type = 'ethernet'
+ elif 'wlan' in intf:
+ intf_type = 'wireless'
+ else:
+ logger.critical('Unrecognized interface type!')
+ intf_type = ''
+ return intf_type
+
+def get_new_interfaces() -> dict:
+ """ Read any new interface data left in /run/udev/vyos by vyos_net_name
+ """
+ interfaces = {}
+
+ for intf in os.listdir(vyos_udev_dir):
+ path = os.path.join(vyos_udev_dir, intf)
+ try:
+ with open(path) as f:
+ hwid = f.read().rstrip()
+ except OSError as e:
+ logger.error(f"OSError {e}")
+ continue
+ interfaces[intf] = hwid
+
+ # reverse sort to simplify insertion in config
+ interfaces = {key: value for key, value in sorted(interfaces.items(),
+ reverse=True)}
+ return interfaces
+
+def filter_interfaces(intfs: dict) -> dict:
+ """ Ignore no longer existing interfaces or non-persistent mac addresses
+ """
+ filtered = {}
+
+ for intf, hwid in intfs.items():
+ if not os.path.isdir(os.path.join('/sys/class/net', intf)):
+ continue
+ if not is_persistent(hwid):
+ continue
+ filtered[intf] = hwid
+
+ return filtered
+
+def interface_rescan(config_path: str):
+ """ Read new data and update config file
+ """
+ interfaces = get_new_interfaces()
+
+ logger.debug(f"interfaces from udev: {interfaces}")
+
+ interfaces = filter_interfaces(interfaces)
+
+ logger.debug(f"filtered interfaces: {interfaces}")
+
+ try:
+ with open(config_path) as f:
+ config_file = f.read()
+ except OSError as e:
+ logger.critical(f"OSError {e}")
+ exit(1)
+
+ config = ConfigTree(config_file)
+
+ for intf, hwid in interfaces.items():
+ logger.info(f"Writing '{intf}' '{hwid}' to config file")
+ intf_type = get_interface_type(intf)
+ if not intf_type:
+ continue
+ if not config.exists(['interfaces', intf_type]):
+ config.set(['interfaces', intf_type])
+ config.set_tag(['interfaces', intf_type])
+ config.set(['interfaces', intf_type, intf, 'hw-id'], value=hwid)
+
+ if intf_type == 'wireless':
+ phy = get_wireless_physical_device(intf)
+ if not phy:
+ continue
+ config.set(['interfaces', intf_type, intf, 'physical-device'],
+ value=phy)
+
+ try:
+ with open(config_path, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ logger.critical(f"OSError {e}")
+
+def main():
+ global debug
+
+ argparser = argparse.ArgumentParser(
+ formatter_class=argparse.RawTextHelpFormatter)
+ argparser.add_argument('configfile', type=str)
+ argparser.add_argument('--debug', action='store_true')
+ args = argparser.parse_args()
+
+ if args.debug:
+ debug = True
+ logger.setLevel(logging.DEBUG)
+ else:
+ logger.setLevel(logging.INFO)
+
+ configfile = args.configfile
+
+ # preserve vyattacfg group write access to running config
+ os.setgid(get_cfg_group_id())
+ os.umask(0o002)
+
+ # log file perms are not automatic; this could be cleaner by moving to a
+ # logging config file
+ os.chown(vyos_log_file, 0, get_cfg_group_id())
+ os.chmod(vyos_log_file,
+ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH)
+
+ interface_rescan(configfile)
+
+if __name__ == '__main__':
+ main()
diff --git a/src/helpers/vyos_net_name b/src/helpers/vyos_net_name
new file mode 100755
index 000000000..0652e98b1
--- /dev/null
+++ b/src/helpers/vyos_net_name
@@ -0,0 +1,229 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import os
+import re
+import time
+import logging
+import threading
+from sys import argv
+
+from vyos.configtree import ConfigTree
+from vyos.defaults import directories
+from vyos.util import cmd
+
+vyos_udev_dir = directories['vyos_udev_dir']
+vyos_log_dir = '/run/udev/log'
+vyos_log_file = os.path.join(vyos_log_dir, 'vyos-net-name')
+
+config_path = '/opt/vyatta/etc/config/config.boot'
+config_status = '/tmp/vyos-config-status'
+
+lock = threading.Lock()
+
+try:
+ os.mkdir(vyos_log_dir)
+except FileExistsError:
+ pass
+
+logging.basicConfig(filename=vyos_log_file, level=logging.DEBUG)
+
+def boot_configuration_complete() -> bool:
+ """ Check if vyos-router has completed, hence hotplug event
+ """
+ if os.path.isfile(config_status):
+ return True
+ return False
+
+def is_available(intfs: dict, intf_name: str) -> bool:
+ """ Check if interface name is already assigned
+ """
+ if intf_name in list(intfs.values()):
+ return False
+ return True
+
+def find_available(intfs: dict, prefix: str) -> str:
+ """ Find lowest indexed iterface name that is not assigned
+ """
+ index_list = [int(x.replace(prefix, '')) for x in list(intfs.values()) if prefix in x]
+ index_list.sort()
+ # find 'holes' in list, if any
+ missing = sorted(set(range(index_list[0], index_list[-1])) - set(index_list))
+ if missing:
+ return f'{prefix}{missing[0]}'
+
+ return f'{prefix}{len(index_list)}'
+
+def get_biosdevname(ifname: str) -> str:
+ """ Use legacy vyatta-biosdevname to query for name
+
+ This is carried over for compatability only, and will likely be dropped
+ going forward.
+ XXX: This throws an error, and likely has for a long time, unnoticed
+ since vyatta_net_name redirected stderr to /dev/null.
+ """
+ if 'eth' not in ifname:
+ return ifname
+ if os.path.isdir('/proc/xen'):
+ return ifname
+
+ time.sleep(1)
+
+ try:
+ biosname = cmd(f'/sbin/biosdevname --policy all_ethN -i {ifname}')
+ except Exception as e:
+ logging.error(f'biosdevname error: {e}')
+ biosname = ''
+
+ return ifname if biosname == '' else biosname
+
+def leave_rescan_hint(intf_name: str, hwid: str):
+ """Write interface information reported by udev
+
+ This script is called while the root mount is still read-only. Leave
+ information in /run/udev: file name, the interface; contents, the
+ hardware id.
+ """
+ try:
+ os.mkdir(vyos_udev_dir)
+ except FileExistsError:
+ pass
+ except Exception as e:
+ logging.critical(f"Error creating rescan hint directory: {e}")
+ exit(1)
+
+ try:
+ with open(os.path.join(vyos_udev_dir, intf_name), 'w') as f:
+ f.write(hwid)
+ except OSError as e:
+ logging.critical(f"OSError {e}")
+
+def get_configfile_interfaces() -> dict:
+ """Read existing interfaces from config file
+ """
+ interfaces: dict = {}
+
+ if not os.path.isfile(config_path):
+ # If the case, then we are running off of livecd; return empty
+ return interfaces
+
+ try:
+ with open(config_path) as f:
+ config_file = f.read()
+ except OSError as e:
+ logging.critical(f"OSError {e}")
+ exit(1)
+
+ config = ConfigTree(config_file)
+
+ base = ['interfaces', 'ethernet']
+ if config.exists(base):
+ eth_intfs = config.list_nodes(base)
+ for intf in eth_intfs:
+ path = base + [intf, 'hw-id']
+ if not config.exists(path):
+ logging.warning(f"no 'hw-id' entry for {intf}")
+ continue
+ hwid = config.return_value(path)
+ if hwid in list(interfaces):
+ logging.warning(f"multiple entries for {hwid}: {interfaces[hwid]}, {intf}")
+ continue
+ interfaces[hwid] = intf
+
+ base = ['interfaces', 'wireless']
+ if config.exists(base):
+ wlan_intfs = config.list_nodes(base)
+ for intf in wlan_intfs:
+ path = base + [intf, 'hw-id']
+ if not config.exists(path):
+ logging.warning(f"no 'hw-id' entry for {intf}")
+ continue
+ hwid = config.return_value(path)
+ if hwid in list(interfaces):
+ logging.warning(f"multiple entries for {hwid}: {interfaces[hwid]}, {intf}")
+ continue
+ interfaces[hwid] = intf
+
+ logging.debug(f"config file entries: {interfaces}")
+
+ return interfaces
+
+def add_assigned_interfaces(intfs: dict):
+ """Add interfaces found by previous invocation of udev rule
+ """
+ if not os.path.isdir(vyos_udev_dir):
+ return
+
+ for intf in os.listdir(vyos_udev_dir):
+ path = os.path.join(vyos_udev_dir, intf)
+ try:
+ with open(path) as f:
+ hwid = f.read().rstrip()
+ except OSError as e:
+ logging.error(f"OSError {e}")
+ continue
+ intfs[hwid] = intf
+
+def on_boot_event(intf_name: str, hwid: str, predefined: str = '') -> str:
+ """Called on boot by vyos-router: 'coldplug' in vyatta_net_name
+ """
+ logging.info(f"lookup {intf_name}, {hwid}")
+ interfaces = get_configfile_interfaces()
+ logging.debug(f"config file interfaces are {interfaces}")
+
+ if hwid in list(interfaces) and intf_name == interfaces[hwid]:
+ logging.info(f"use mapping from config file: '{hwid}' -> '{intf_name}'")
+ return intf_name
+
+ add_assigned_interfaces(interfaces)
+ logging.debug(f"adding assigned interfaces: {interfaces}")
+
+ if predefined:
+ newname = predefined
+ logging.info(f"predefined interface name for '{intf_name}' is '{newname}'")
+ else:
+ newname = get_biosdevname(intf_name)
+ logging.info(f"biosdevname returned '{newname}' for '{intf_name}'")
+
+ if not is_available(interfaces, newname):
+ prefix = re.sub(r'\d+$', '', newname)
+ newname = find_available(interfaces, prefix)
+
+ logging.info(f"new name for '{intf_name}' is '{newname}'")
+
+ leave_rescan_hint(newname, hwid)
+
+ return newname
+
+def hotplug_event():
+ # Not yet implemented, since interface-rescan will only be run on boot.
+ pass
+
+if len(argv) > 3:
+ predef_name = argv[3]
+else:
+ predef_name = ''
+
+lock.acquire()
+if not boot_configuration_complete():
+ res = on_boot_event(argv[1], argv[2], predefined=predef_name)
+ logging.debug(f"on boot, returned name is {res}")
+else:
+ logging.debug("boot configuration complete")
+lock.release()
+
diff --git a/src/migration-scripts/bgp/1-to-2 b/src/migration-scripts/bgp/1-to-2
new file mode 100755
index 000000000..4c6d5ceb8
--- /dev/null
+++ b/src/migration-scripts/bgp/1-to-2
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T3741: no-ipv4-unicast is now enabled by default
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.template import is_ipv4
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['protocols', 'bgp']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+# This is now a default option - simply delete it.
+# As it was configured explicitly - we can also bail out early as we need to
+# do nothing!
+if config.exists(base + ['parameters', 'default', 'no-ipv4-unicast']):
+ config.delete(base + ['parameters', 'default', 'no-ipv4-unicast'])
+
+ # Check if the "default" node is now empty, if so - remove it
+ if len(config.list_nodes(base + ['parameters', 'default'])) == 0:
+ config.delete(base + ['parameters', 'default'])
+
+ # Check if the "default" node is now empty, if so - remove it
+ if len(config.list_nodes(base + ['parameters'])) == 0:
+ config.delete(base + ['parameters'])
+
+ exit(0)
+
+# As we now install a new default option into BGP we need to migrate all
+# existing BGP neighbors and restore the old behavior
+if config.exists(base + ['neighbor']):
+ for neighbor in config.list_nodes(base + ['neighbor']):
+ peer_group = base + ['neighbor', neighbor, 'peer-group']
+ if config.exists(peer_group):
+ peer_group_name = config.return_value(peer_group)
+ # peer group enables old behavior for neighbor - bail out
+ if config.exists(base + ['peer-group', peer_group_name, 'address-family', 'ipv4-unicast']):
+ continue
+
+ afi_ipv4 = base + ['neighbor', neighbor, 'address-family', 'ipv4-unicast']
+ if not config.exists(afi_ipv4):
+ config.set(afi_ipv4)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ exit(1)
diff --git a/src/migration-scripts/conntrack/2-to-3 b/src/migration-scripts/conntrack/2-to-3
new file mode 100755
index 000000000..8a8b43279
--- /dev/null
+++ b/src/migration-scripts/conntrack/2-to-3
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+
+# Conntrack syntax version 3
+# Enables all conntrack modules (previous default behaviour) and omits manually disabled modules.
+
+import sys
+
+from vyos.configtree import ConfigTree
+from vyos.version import get_version
+
+if len(sys.argv) < 1:
+ print('Must specify file name!')
+ sys.exit(1)
+
+filename = sys.argv[1]
+
+with open(filename, 'r') as f:
+ config = ConfigTree(f.read())
+
+module_path = ['system', 'conntrack', 'modules']
+
+# Go over all conntrack modules available as of v1.3.0.
+for module in ['ftp', 'h323', 'nfs', 'pptp', 'sip', 'sqlnet', 'tftp']:
+ # 'disable' is being phased out.
+ if config.exists(module_path + [module, 'disable']):
+ config.delete(module_path + [module])
+ # If it wasn't manually 'disable'd, it was enabled by default.
+ else:
+ config.set(module_path + [module])
+
+try:
+ if config.exists(module_path):
+ with open(filename, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ sys.exit(1)
diff --git a/src/migration-scripts/dhcp-server/5-to-6 b/src/migration-scripts/dhcp-server/5-to-6
new file mode 100755
index 000000000..aefe84737
--- /dev/null
+++ b/src/migration-scripts/dhcp-server/5-to-6
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T1968: allow multiple static-routes to be configured
+# T3838: rename dns-server -> name-server
+
+import sys
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['service', 'dhcp-server']
+config = ConfigTree(config_file)
+
+if not config.exists(base + ['shared-network-name']):
+ # Nothing to do
+ exit(0)
+
+# Run this for every instance if 'shared-network-name'
+for network in config.list_nodes(base + ['shared-network-name']):
+ base_network = base + ['shared-network-name', network]
+
+ if not config.exists(base_network + ['subnet']):
+ continue
+
+ # Run this for every specified 'subnet'
+ for subnet in config.list_nodes(base_network + ['subnet']):
+ base_subnet = base_network + ['subnet', subnet]
+
+ # T1968: allow multiple static-routes to be configured
+ if config.exists(base_subnet + ['static-route']):
+ prefix = config.return_value(base_subnet + ['static-route', 'destination-subnet'])
+ router = config.return_value(base_subnet + ['static-route', 'router'])
+ config.delete(base_subnet + ['static-route'])
+
+ config.set(base_subnet + ['static-route', prefix, 'next-hop'], value=router)
+ config.set_tag(base_subnet + ['static-route'])
+
+ # T3838: rename dns-server -> name-server
+ if config.exists(base_subnet + ['dns-server']):
+ config.rename(base_subnet + ['dns-server'], 'name-server')
+
+
+ # T3672: ISC DHCP server only supports one failover peer
+ if config.exists(base_subnet + ['failover']):
+ # There can only be one failover configuration, if none is present
+ # we add the first one
+ if not config.exists(base + ['failover']):
+ local = config.return_value(base_subnet + ['failover', 'local-address'])
+ remote = config.return_value(base_subnet + ['failover', 'peer-address'])
+ status = config.return_value(base_subnet + ['failover', 'status'])
+ name = config.return_value(base_subnet + ['failover', 'name'])
+
+ config.set(base + ['failover', 'remote'], value=remote)
+ config.set(base + ['failover', 'source-address'], value=local)
+ config.set(base + ['failover', 'status'], value=status)
+ config.set(base + ['failover', 'name'], value=name)
+
+ config.delete(base_subnet + ['failover'])
+ config.set(base_subnet + ['enable-failover'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/migration-scripts/dns-forwarding/1-to-2 b/src/migration-scripts/dns-forwarding/1-to-2
index 8c4f4b5c7..ba10c26f2 100755
--- a/src/migration-scripts/dns-forwarding/1-to-2
+++ b/src/migration-scripts/dns-forwarding/1-to-2
@@ -67,8 +67,14 @@ if config.exists(base + ['listen-on']):
# retrieve corresponding interface addresses in CIDR format
# those need to be converted in pure IP addresses without network information
path = ['interfaces', section, intf, 'address']
- for addr in config.return_values(path):
- listen_addr.append( ip_interface(addr).ip )
+ try:
+ for addr in config.return_values(path):
+ listen_addr.append( ip_interface(addr).ip )
+ except:
+ # Some interface types do not use "address" option (e.g. OpenVPN)
+ # and may not even have a fixed address
+ print("Could not retrieve the address of the interface {} from the config".format(intf))
+ print("You will need to update your DNS forwarding configuration manually")
for addr in listen_addr:
config.set(base + ['listen-address'], value=addr, replace=False)
diff --git a/src/migration-scripts/firewall/5-to-6 b/src/migration-scripts/firewall/5-to-6
new file mode 100755
index 000000000..ccb86830a
--- /dev/null
+++ b/src/migration-scripts/firewall/5-to-6
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T3090: migrate "firewall options interface <name> adjust-mss" to the
+# individual interface.
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['firewall', 'options', 'interface']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+for interface in config.list_nodes(base):
+ if config.exists(base + [interface, 'disable']):
+ continue
+
+ if config.exists(base + [interface, 'adjust-mss']):
+ section = Section.section(interface)
+ tmp = config.return_value(base + [interface, 'adjust-mss'])
+ config.set(['interfaces', section, interface, 'ip', 'adjust-mss'], value=tmp)
+
+ if config.exists(base + [interface, 'adjust-mss6']):
+ section = Section.section(interface)
+ tmp = config.return_value(base + [interface, 'adjust-mss6'])
+ config.set(['interfaces', section, interface, 'ipv6', 'adjust-mss'], value=tmp)
+
+config.delete(['firewall', 'options'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/migration-scripts/interfaces/20-to-21 b/src/migration-scripts/interfaces/20-to-21
index 06e07572f..0bd858760 100755
--- a/src/migration-scripts/interfaces/20-to-21
+++ b/src/migration-scripts/interfaces/20-to-21
@@ -14,132 +14,107 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# T3619: mirror Linux Kernel defaults for ethernet offloading options into VyOS
+# CLI. See https://phabricator.vyos.net/T3619#102254 for all the details.
+# T3787: Remove deprecated UDP fragmentation offloading option
+
from sys import argv
-from sys import exit
+
+from vyos.ethtool import Ethtool
from vyos.configtree import ConfigTree
-def migrate_ospf(config, path, interface):
- path = path + ['ospf']
- if config.exists(path):
- new_base = ['protocols', 'ospf', 'interface']
- config.set(new_base)
- config.set_tag(new_base)
- config.copy(path, new_base + [interface])
- config.delete(path)
-
- # if "ip ospf" was the only setting, we can clean out the empty
- # ip node afterwards
- if len(config.list_nodes(path[:-1])) == 0:
- config.delete(path[:-1])
-
-def migrate_ospfv3(config, path, interface):
- path = path + ['ospfv3']
- if config.exists(path):
- new_base = ['protocols', 'ospfv3', 'interface']
- config.set(new_base)
- config.set_tag(new_base)
- config.copy(path, new_base + [interface])
- config.delete(path)
-
- # if "ipv6 ospfv3" was the only setting, we can clean out the empty
- # ip node afterwards
- if len(config.list_nodes(path[:-1])) == 0:
- config.delete(path[:-1])
-
-def migrate_rip(config, path, interface):
- path = path + ['rip']
- if config.exists(path):
- new_base = ['protocols', 'rip', 'interface']
- config.set(new_base)
- config.set_tag(new_base)
- config.copy(path, new_base + [interface])
- config.delete(path)
-
- # if "ip rip" was the only setting, we can clean out the empty
- # ip node afterwards
- if len(config.list_nodes(path[:-1])) == 0:
- config.delete(path[:-1])
-
-def migrate_ripng(config, path, interface):
- path = path + ['ripng']
- if config.exists(path):
- new_base = ['protocols', 'ripng', 'interface']
- config.set(new_base)
- config.set_tag(new_base)
- config.copy(path, new_base + [interface])
- config.delete(path)
-
- # if "ipv6 ripng" was the only setting, we can clean out the empty
- # ip node afterwards
- if len(config.list_nodes(path[:-1])) == 0:
- config.delete(path[:-1])
-
-if __name__ == '__main__':
- if (len(argv) < 1):
- print("Must specify file name!")
- exit(1)
-
- file_name = argv[1]
- with open(file_name, 'r') as f:
- config_file = f.read()
-
- config = ConfigTree(config_file)
-
- #
- # Migrate "interface ethernet eth0 ip ospf" to "protocols ospf interface eth0"
- #
- for type in config.list_nodes(['interfaces']):
- for interface in config.list_nodes(['interfaces', type]):
- ip_base = ['interfaces', type, interface, 'ip']
- ipv6_base = ['interfaces', type, interface, 'ipv6']
- migrate_rip(config, ip_base, interface)
- migrate_ripng(config, ipv6_base, interface)
- migrate_ospf(config, ip_base, interface)
- migrate_ospfv3(config, ipv6_base, interface)
-
- vif_path = ['interfaces', type, interface, 'vif']
- if config.exists(vif_path):
- for vif in config.list_nodes(vif_path):
- vif_ip_base = vif_path + [vif, 'ip']
- vif_ipv6_base = vif_path + [vif, 'ipv6']
- ifname = f'{interface}.{vif}'
-
- migrate_rip(config, vif_ip_base, ifname)
- migrate_ripng(config, vif_ipv6_base, ifname)
- migrate_ospf(config, vif_ip_base, ifname)
- migrate_ospfv3(config, vif_ipv6_base, ifname)
-
-
- vif_s_path = ['interfaces', type, interface, 'vif-s']
- if config.exists(vif_s_path):
- for vif_s in config.list_nodes(vif_s_path):
- vif_s_ip_base = vif_s_path + [vif_s, 'ip']
- vif_s_ipv6_base = vif_s_path + [vif_s, 'ipv6']
-
- # vif-c interfaces MUST be migrated before their parent vif-s
- # interface as the migrate_*() functions delete the path!
- vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c']
- if config.exists(vif_c_path):
- for vif_c in config.list_nodes(vif_c_path):
- vif_c_ip_base = vif_c_path + [vif_c, 'ip']
- vif_c_ipv6_base = vif_c_path + [vif_c, 'ipv6']
- ifname = f'{interface}.{vif_s}.{vif_c}'
-
- migrate_rip(config, vif_c_ip_base, ifname)
- migrate_ripng(config, vif_c_ipv6_base, ifname)
- migrate_ospf(config, vif_c_ip_base, ifname)
- migrate_ospfv3(config, vif_c_ipv6_base, ifname)
-
-
- ifname = f'{interface}.{vif_s}'
- migrate_rip(config, vif_s_ip_base, ifname)
- migrate_ripng(config, vif_s_ipv6_base, ifname)
- migrate_ospf(config, vif_s_ip_base, ifname)
- migrate_ospfv3(config, vif_s_ipv6_base, ifname)
-
- try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
- except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['interfaces', 'ethernet']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ exit(0)
+
+for ifname in config.list_nodes(base):
+ eth = Ethtool(ifname)
+
+ # If GRO is enabled by the Kernel - we reflect this on the CLI. If GRO is
+ # enabled via CLI but not supported by the NIC - we remove it from the CLI
+ configured = config.exists(base + [ifname, 'offload', 'gro'])
+ enabled, fixed = eth.get_generic_receive_offload()
+ if configured and fixed:
+ config.delete(base + [ifname, 'offload', 'gro'])
+ elif enabled and not fixed:
+ config.set(base + [ifname, 'offload', 'gro'])
+
+ # If GSO is enabled by the Kernel - we reflect this on the CLI. If GSO is
+ # enabled via CLI but not supported by the NIC - we remove it from the CLI
+ configured = config.exists(base + [ifname, 'offload', 'gso'])
+ enabled, fixed = eth.get_generic_segmentation_offload()
+ if configured and fixed:
+ config.delete(base + [ifname, 'offload', 'gso'])
+ elif enabled and not fixed:
+ config.set(base + [ifname, 'offload', 'gso'])
+
+ # If LRO is enabled by the Kernel - we reflect this on the CLI. If LRO is
+ # enabled via CLI but not supported by the NIC - we remove it from the CLI
+ configured = config.exists(base + [ifname, 'offload', 'lro'])
+ enabled, fixed = eth.get_large_receive_offload()
+ if configured and fixed:
+ config.delete(base + [ifname, 'offload', 'lro'])
+ elif enabled and not fixed:
+ config.set(base + [ifname, 'offload', 'lro'])
+
+ # If SG is enabled by the Kernel - we reflect this on the CLI. If SG is
+ # enabled via CLI but not supported by the NIC - we remove it from the CLI
+ configured = config.exists(base + [ifname, 'offload', 'sg'])
+ enabled, fixed = eth.get_scatter_gather()
+ if configured and fixed:
+ config.delete(base + [ifname, 'offload', 'sg'])
+ elif enabled and not fixed:
+ config.set(base + [ifname, 'offload', 'sg'])
+
+ # If TSO is enabled by the Kernel - we reflect this on the CLI. If TSO is
+ # enabled via CLI but not supported by the NIC - we remove it from the CLI
+ configured = config.exists(base + [ifname, 'offload', 'tso'])
+ enabled, fixed = eth.get_tcp_segmentation_offload()
+ if configured and fixed:
+ config.delete(base + [ifname, 'offload', 'tso'])
+ elif enabled and not fixed:
+ config.set(base + [ifname, 'offload', 'tso'])
+
+ # Remove deprecated UDP fragmentation offloading option
+ if config.exists(base + [ifname, 'offload', 'ufo']):
+ config.delete(base + [ifname, 'offload', 'ufo'])
+
+ # Also while processing the interface configuration, not all adapters support
+ # changing the speed and duplex settings. If the desired speed and duplex
+ # values do not work for the NIC driver, we change them back to the default
+ # value of "auto" - which will be applied if the CLI node is deleted.
+ speed_path = base + [ifname, 'speed']
+ duplex_path = base + [ifname, 'duplex']
+ # speed and duplex must always be set at the same time if not set to "auto"
+ if config.exists(speed_path) and config.exists(duplex_path):
+ speed = config.return_value(speed_path)
+ duplex = config.return_value(duplex_path)
+ if speed != 'auto' and duplex != 'auto':
+ if not eth.check_speed_duplex(speed, duplex):
+ config.delete(speed_path)
+ config.delete(duplex_path)
+
+ # Also while processing the interface configuration, not all adapters support
+ # changing disabling flow-control - or change this setting. If disabling
+ # flow-control is not supported by the NIC, we remove the setting from CLI
+ flow_control_path = base + [ifname, 'disable-flow-control']
+ if config.exists(flow_control_path):
+ if not eth.check_flow_control():
+ config.delete(flow_control_path)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/migration-scripts/interfaces/21-to-22 b/src/migration-scripts/interfaces/21-to-22
index d1ec2ad3e..06e07572f 100755
--- a/src/migration-scripts/interfaces/21-to-22
+++ b/src/migration-scripts/interfaces/21-to-22
@@ -14,47 +14,132 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported
-# having a VTI interface in the CLI but no IPSec configuration - drop VTI
-# configuration if this is the case for VyOS 1.4
-
-import sys
+from sys import argv
+from sys import exit
from vyos.configtree import ConfigTree
+def migrate_ospf(config, path, interface):
+ path = path + ['ospf']
+ if config.exists(path):
+ new_base = ['protocols', 'ospf', 'interface']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.copy(path, new_base + [interface])
+ config.delete(path)
+
+ # if "ip ospf" was the only setting, we can clean out the empty
+ # ip node afterwards
+ if len(config.list_nodes(path[:-1])) == 0:
+ config.delete(path[:-1])
+
+def migrate_ospfv3(config, path, interface):
+ path = path + ['ospfv3']
+ if config.exists(path):
+ new_base = ['protocols', 'ospfv3', 'interface']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.copy(path, new_base + [interface])
+ config.delete(path)
+
+ # if "ipv6 ospfv3" was the only setting, we can clean out the empty
+ # ip node afterwards
+ if len(config.list_nodes(path[:-1])) == 0:
+ config.delete(path[:-1])
+
+def migrate_rip(config, path, interface):
+ path = path + ['rip']
+ if config.exists(path):
+ new_base = ['protocols', 'rip', 'interface']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.copy(path, new_base + [interface])
+ config.delete(path)
+
+ # if "ip rip" was the only setting, we can clean out the empty
+ # ip node afterwards
+ if len(config.list_nodes(path[:-1])) == 0:
+ config.delete(path[:-1])
+
+def migrate_ripng(config, path, interface):
+ path = path + ['ripng']
+ if config.exists(path):
+ new_base = ['protocols', 'ripng', 'interface']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.copy(path, new_base + [interface])
+ config.delete(path)
+
+ # if "ipv6 ripng" was the only setting, we can clean out the empty
+ # ip node afterwards
+ if len(config.list_nodes(path[:-1])) == 0:
+ config.delete(path[:-1])
+
if __name__ == '__main__':
- if (len(sys.argv) < 1):
+ if (len(argv) < 1):
print("Must specify file name!")
- sys.exit(1)
-
- file_name = sys.argv[1]
+ exit(1)
+ file_name = argv[1]
with open(file_name, 'r') as f:
config_file = f.read()
config = ConfigTree(config_file)
- base = ['interfaces', 'vti']
- if not config.exists(base):
- # Nothing to do
- sys.exit(0)
-
- ipsec_base = ['vpn', 'ipsec', 'site-to-site', 'peer']
- for interface in config.list_nodes(base):
- found = False
- if config.exists(ipsec_base):
- for peer in config.list_nodes(ipsec_base):
- if config.exists(ipsec_base + [peer, 'vti', 'bind']):
- tmp = config.return_value(ipsec_base + [peer, 'vti', 'bind'])
- if tmp == interface:
- # Interface was found and we no longer need to search
- # for it in our IPSec peers
- found = True
- break
- if not found:
- config.delete(base + [interface])
+
+ #
+ # Migrate "interface ethernet eth0 ip ospf" to "protocols ospf interface eth0"
+ #
+ for type in config.list_nodes(['interfaces']):
+ for interface in config.list_nodes(['interfaces', type]):
+ ip_base = ['interfaces', type, interface, 'ip']
+ ipv6_base = ['interfaces', type, interface, 'ipv6']
+ migrate_rip(config, ip_base, interface)
+ migrate_ripng(config, ipv6_base, interface)
+ migrate_ospf(config, ip_base, interface)
+ migrate_ospfv3(config, ipv6_base, interface)
+
+ vif_path = ['interfaces', type, interface, 'vif']
+ if config.exists(vif_path):
+ for vif in config.list_nodes(vif_path):
+ vif_ip_base = vif_path + [vif, 'ip']
+ vif_ipv6_base = vif_path + [vif, 'ipv6']
+ ifname = f'{interface}.{vif}'
+
+ migrate_rip(config, vif_ip_base, ifname)
+ migrate_ripng(config, vif_ipv6_base, ifname)
+ migrate_ospf(config, vif_ip_base, ifname)
+ migrate_ospfv3(config, vif_ipv6_base, ifname)
+
+
+ vif_s_path = ['interfaces', type, interface, 'vif-s']
+ if config.exists(vif_s_path):
+ for vif_s in config.list_nodes(vif_s_path):
+ vif_s_ip_base = vif_s_path + [vif_s, 'ip']
+ vif_s_ipv6_base = vif_s_path + [vif_s, 'ipv6']
+
+ # vif-c interfaces MUST be migrated before their parent vif-s
+ # interface as the migrate_*() functions delete the path!
+ vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c']
+ if config.exists(vif_c_path):
+ for vif_c in config.list_nodes(vif_c_path):
+ vif_c_ip_base = vif_c_path + [vif_c, 'ip']
+ vif_c_ipv6_base = vif_c_path + [vif_c, 'ipv6']
+ ifname = f'{interface}.{vif_s}.{vif_c}'
+
+ migrate_rip(config, vif_c_ip_base, ifname)
+ migrate_ripng(config, vif_c_ipv6_base, ifname)
+ migrate_ospf(config, vif_c_ip_base, ifname)
+ migrate_ospfv3(config, vif_c_ipv6_base, ifname)
+
+
+ ifname = f'{interface}.{vif_s}'
+ migrate_rip(config, vif_s_ip_base, ifname)
+ migrate_ripng(config, vif_s_ipv6_base, ifname)
+ migrate_ospf(config, vif_s_ip_base, ifname)
+ migrate_ospfv3(config, vif_s_ipv6_base, ifname)
try:
with open(file_name, 'w') as f:
f.write(config.to_string())
except OSError as e:
print("Failed to save the modified config: {}".format(e))
- sys.exit(1)
+ exit(1)
diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23
index 93ce9215f..d1ec2ad3e 100755
--- a/src/migration-scripts/interfaces/22-to-23
+++ b/src/migration-scripts/interfaces/22-to-23
@@ -14,356 +14,47 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-# Migrate Wireguard to store keys in CLI
-# Migrate EAPoL to PKI configuration
+# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported
+# having a VTI interface in the CLI but no IPSec configuration - drop VTI
+# configuration if this is the case for VyOS 1.4
-import os
import sys
from vyos.configtree import ConfigTree
-from vyos.pki import load_certificate
-from vyos.pki import load_crl
-from vyos.pki import load_dh_parameters
-from vyos.pki import load_private_key
-from vyos.pki import encode_certificate
-from vyos.pki import encode_dh_parameters
-from vyos.pki import encode_private_key
-from vyos.util import run
-def wrapped_pem_to_config_value(pem):
- out = []
- for line in pem.strip().split("\n"):
- if not line or line.startswith("-----") or line[0] == '#':
- continue
- out.append(line)
- return "".join(out)
+if __name__ == '__main__':
+ if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
-def read_file_for_pki(config_auth_path):
- full_path = os.path.join(AUTH_DIR, config_auth_path)
- output = None
+ file_name = sys.argv[1]
- if os.path.isfile(full_path):
- if not os.access(full_path, os.R_OK):
- run(f'sudo chmod 644 {full_path}')
+ with open(file_name, 'r') as f:
+ config_file = f.read()
- with open(full_path, 'r') as f:
- output = f.read()
+ config = ConfigTree(config_file)
+ base = ['interfaces', 'vti']
+ if not config.exists(base):
+ # Nothing to do
+ sys.exit(0)
- return output
-
-if (len(sys.argv) < 1):
- print("Must specify file name!")
- sys.exit(1)
-
-file_name = sys.argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
-config = ConfigTree(config_file)
-
-AUTH_DIR = '/config/auth'
-pki_base = ['pki']
-
-# OpenVPN
-base = ['interfaces', 'openvpn']
-
-if config.exists(base):
- for interface in config.list_nodes(base):
- x509_base = base + [interface, 'tls']
- pki_name = f'openvpn_{interface}'
-
- if config.exists(base + [interface, 'shared-secret-key-file']):
- if not config.exists(pki_base + ['openvpn', 'shared-secret']):
- config.set(pki_base + ['openvpn', 'shared-secret'])
- config.set_tag(pki_base + ['openvpn', 'shared-secret'])
-
- key_file = config.return_value(base + [interface, 'shared-secret-key-file'])
- key = read_file_for_pki(key_file)
- key_pki_name = f'{pki_name}_shared'
-
- if key:
- config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
- config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
- config.set(base + [interface, 'shared-secret-key'], value=key_pki_name)
- else:
- print(f'Failed to migrate shared-secret-key on openvpn interface {interface}')
-
- config.delete(base + [interface, 'shared-secret-key-file'])
-
- if not config.exists(base + [interface, 'tls']):
- continue
-
- if config.exists(base + [interface, 'tls', 'auth-file']):
- if not config.exists(pki_base + ['openvpn', 'shared-secret']):
- config.set(pki_base + ['openvpn', 'shared-secret'])
- config.set_tag(pki_base + ['openvpn', 'shared-secret'])
-
- key_file = config.return_value(base + [interface, 'tls', 'auth-file'])
- key = read_file_for_pki(key_file)
- key_pki_name = f'{pki_name}_auth'
-
- if key:
- config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
- config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
- config.set(base + [interface, 'tls', 'auth-key'], value=key_pki_name)
- else:
- print(f'Failed to migrate auth-key on openvpn interface {interface}')
-
- config.delete(base + [interface, 'tls', 'auth-file'])
-
- if config.exists(base + [interface, 'tls', 'crypt-file']):
- if not config.exists(pki_base + ['openvpn', 'shared-secret']):
- config.set(pki_base + ['openvpn', 'shared-secret'])
- config.set_tag(pki_base + ['openvpn', 'shared-secret'])
-
- key_file = config.return_value(base + [interface, 'tls', 'crypt-file'])
- key = read_file_for_pki(key_file)
- key_pki_name = f'{pki_name}_crypt'
-
- if key:
- config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
- config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
- config.set(base + [interface, 'tls', 'crypt-key'], value=key_pki_name)
- else:
- print(f'Failed to migrate crypt-key on openvpn interface {interface}')
-
- config.delete(base + [interface, 'tls', 'crypt-file'])
-
- if config.exists(x509_base + ['ca-cert-file']):
- if not config.exists(pki_base + ['ca']):
- config.set(pki_base + ['ca'])
- config.set_tag(pki_base + ['ca'])
-
- cert_file = config.return_value(x509_base + ['ca-cert-file'])
- cert_path = os.path.join(AUTH_DIR, cert_file)
- cert = None
-
- if os.path.isfile(cert_path):
- if not os.access(cert_path, os.R_OK):
- run(f'sudo chmod 644 {cert_path}')
-
- with open(cert_path, 'r') as f:
- cert_data = f.read()
- cert = load_certificate(cert_data, wrap_tags=False)
-
- if cert:
- cert_pem = encode_certificate(cert)
- config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
- config.set(x509_base + ['ca-certificate'], value=pki_name)
- else:
- print(f'Failed to migrate CA certificate on openvpn interface {interface}')
-
- config.delete(x509_base + ['ca-cert-file'])
-
- if config.exists(x509_base + ['crl-file']):
- if not config.exists(pki_base + ['ca']):
- config.set(pki_base + ['ca'])
- config.set_tag(pki_base + ['ca'])
-
- crl_file = config.return_value(x509_base + ['crl-file'])
- crl_path = os.path.join(AUTH_DIR, crl_file)
- crl = None
-
- if os.path.isfile(crl_path):
- if not os.access(crl_path, os.R_OK):
- run(f'sudo chmod 644 {crl_path}')
-
- with open(crl_path, 'r') as f:
- crl_data = f.read()
- crl = load_crl(crl_data, wrap_tags=False)
-
- if crl:
- crl_pem = encode_certificate(crl)
- config.set(pki_base + ['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem))
- else:
- print(f'Failed to migrate CRL on openvpn interface {interface}')
-
- config.delete(x509_base + ['crl-file'])
-
- if config.exists(x509_base + ['cert-file']):
- if not config.exists(pki_base + ['certificate']):
- config.set(pki_base + ['certificate'])
- config.set_tag(pki_base + ['certificate'])
-
- cert_file = config.return_value(x509_base + ['cert-file'])
- cert_path = os.path.join(AUTH_DIR, cert_file)
- cert = None
-
- if os.path.isfile(cert_path):
- if not os.access(cert_path, os.R_OK):
- run(f'sudo chmod 644 {cert_path}')
-
- with open(cert_path, 'r') as f:
- cert_data = f.read()
- cert = load_certificate(cert_data, wrap_tags=False)
-
- if cert:
- cert_pem = encode_certificate(cert)
- config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
- config.set(x509_base + ['certificate'], value=pki_name)
- else:
- print(f'Failed to migrate certificate on openvpn interface {interface}')
-
- config.delete(x509_base + ['cert-file'])
-
- if config.exists(x509_base + ['key-file']):
- key_file = config.return_value(x509_base + ['key-file'])
- key_path = os.path.join(AUTH_DIR, key_file)
- key = None
-
- if os.path.isfile(key_path):
- if not os.access(key_path, os.R_OK):
- run(f'sudo chmod 644 {key_path}')
-
- with open(key_path, 'r') as f:
- key_data = f.read()
- key = load_private_key(key_data, passphrase=None, wrap_tags=False)
-
- if key:
- key_pem = encode_private_key(key, passphrase=None)
- config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
- else:
- print(f'Failed to migrate private key on openvpn interface {interface}')
-
- config.delete(x509_base + ['key-file'])
-
- if config.exists(x509_base + ['dh-file']):
- if not config.exists(pki_base + ['dh']):
- config.set(pki_base + ['dh'])
- config.set_tag(pki_base + ['dh'])
-
- dh_file = config.return_value(x509_base + ['dh-file'])
- dh_path = os.path.join(AUTH_DIR, dh_file)
- dh = None
-
- if os.path.isfile(dh_path):
- if not os.access(dh_path, os.R_OK):
- run(f'sudo chmod 644 {dh_path}')
-
- with open(dh_path, 'r') as f:
- dh_data = f.read()
- dh = load_dh_parameters(dh_data, wrap_tags=False)
-
- if dh:
- dh_pem = encode_dh_parameters(dh)
- config.set(pki_base + ['dh', pki_name, 'parameters'], value=wrapped_pem_to_config_value(dh_pem))
- config.set(x509_base + ['dh-params'], value=pki_name)
- else:
- print(f'Failed to migrate DH parameters on openvpn interface {interface}')
-
- config.delete(x509_base + ['dh-file'])
-
-# Wireguard
-base = ['interfaces', 'wireguard']
-
-if config.exists(base):
- for interface in config.list_nodes(base):
- private_key_path = base + [interface, 'private-key']
-
- key_file = 'default'
- if config.exists(private_key_path):
- key_file = config.return_value(private_key_path)
-
- full_key_path = f'/config/auth/wireguard/{key_file}/private.key'
-
- if not os.path.exists(full_key_path):
- print(f'Could not find wireguard private key for migration on interface "{interface}"')
- continue
-
- with open(full_key_path, 'r') as f:
- key_data = f.read().strip()
- config.set(private_key_path, value=key_data)
-
- for peer in config.list_nodes(base + [interface, 'peer']):
- config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key')
-
-# Ethernet EAPoL
-base = ['interfaces', 'ethernet']
-
-if config.exists(base):
+ ipsec_base = ['vpn', 'ipsec', 'site-to-site', 'peer']
for interface in config.list_nodes(base):
- if not config.exists(base + [interface, 'eapol']):
- continue
-
- x509_base = base + [interface, 'eapol']
- pki_name = f'eapol_{interface}'
-
- if config.exists(x509_base + ['ca-cert-file']):
- if not config.exists(pki_base + ['ca']):
- config.set(pki_base + ['ca'])
- config.set_tag(pki_base + ['ca'])
-
- cert_file = config.return_value(x509_base + ['ca-cert-file'])
- cert_path = os.path.join(AUTH_DIR, cert_file)
- cert = None
-
- if os.path.isfile(cert_path):
- if not os.access(cert_path, os.R_OK):
- run(f'sudo chmod 644 {cert_path}')
-
- with open(cert_path, 'r') as f:
- cert_data = f.read()
- cert = load_certificate(cert_data, wrap_tags=False)
-
- if cert:
- cert_pem = encode_certificate(cert)
- config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
- config.set(x509_base + ['ca-certificate'], value=pki_name)
- else:
- print(f'Failed to migrate CA certificate on eapol config for interface {interface}')
-
- config.delete(x509_base + ['ca-cert-file'])
-
- if config.exists(x509_base + ['cert-file']):
- if not config.exists(pki_base + ['certificate']):
- config.set(pki_base + ['certificate'])
- config.set_tag(pki_base + ['certificate'])
-
- cert_file = config.return_value(x509_base + ['cert-file'])
- cert_path = os.path.join(AUTH_DIR, cert_file)
- cert = None
-
- if os.path.isfile(cert_path):
- if not os.access(cert_path, os.R_OK):
- run(f'sudo chmod 644 {cert_path}')
-
- with open(cert_path, 'r') as f:
- cert_data = f.read()
- cert = load_certificate(cert_data, wrap_tags=False)
-
- if cert:
- cert_pem = encode_certificate(cert)
- config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
- config.set(x509_base + ['certificate'], value=pki_name)
- else:
- print(f'Failed to migrate certificate on eapol config for interface {interface}')
-
- config.delete(x509_base + ['cert-file'])
-
- if config.exists(x509_base + ['key-file']):
- key_file = config.return_value(x509_base + ['key-file'])
- key_path = os.path.join(AUTH_DIR, key_file)
- key = None
-
- if os.path.isfile(key_path):
- if not os.access(key_path, os.R_OK):
- run(f'sudo chmod 644 {key_path}')
-
- with open(key_path, 'r') as f:
- key_data = f.read()
- key = load_private_key(key_data, passphrase=None, wrap_tags=False)
-
- if key:
- key_pem = encode_private_key(key, passphrase=None)
- config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
- else:
- print(f'Failed to migrate private key on eapol config for interface {interface}')
-
- config.delete(x509_base + ['key-file'])
-
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- sys.exit(1)
+ found = False
+ if config.exists(ipsec_base):
+ for peer in config.list_nodes(ipsec_base):
+ if config.exists(ipsec_base + [peer, 'vti', 'bind']):
+ tmp = config.return_value(ipsec_base + [peer, 'vti', 'bind'])
+ if tmp == interface:
+ # Interface was found and we no longer need to search
+ # for it in our IPSec peers
+ found = True
+ break
+ if not found:
+ config.delete(base + [interface])
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
diff --git a/src/migration-scripts/interfaces/23-to-24 b/src/migration-scripts/interfaces/23-to-24
new file mode 100755
index 000000000..93ce9215f
--- /dev/null
+++ b/src/migration-scripts/interfaces/23-to-24
@@ -0,0 +1,369 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Migrate Wireguard to store keys in CLI
+# Migrate EAPoL to PKI configuration
+
+import os
+import sys
+from vyos.configtree import ConfigTree
+from vyos.pki import load_certificate
+from vyos.pki import load_crl
+from vyos.pki import load_dh_parameters
+from vyos.pki import load_private_key
+from vyos.pki import encode_certificate
+from vyos.pki import encode_dh_parameters
+from vyos.pki import encode_private_key
+from vyos.util import run
+
+def wrapped_pem_to_config_value(pem):
+ out = []
+ for line in pem.strip().split("\n"):
+ if not line or line.startswith("-----") or line[0] == '#':
+ continue
+ out.append(line)
+ return "".join(out)
+
+def read_file_for_pki(config_auth_path):
+ full_path = os.path.join(AUTH_DIR, config_auth_path)
+ output = None
+
+ if os.path.isfile(full_path):
+ if not os.access(full_path, os.R_OK):
+ run(f'sudo chmod 644 {full_path}')
+
+ with open(full_path, 'r') as f:
+ output = f.read()
+
+ return output
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+AUTH_DIR = '/config/auth'
+pki_base = ['pki']
+
+# OpenVPN
+base = ['interfaces', 'openvpn']
+
+if config.exists(base):
+ for interface in config.list_nodes(base):
+ x509_base = base + [interface, 'tls']
+ pki_name = f'openvpn_{interface}'
+
+ if config.exists(base + [interface, 'shared-secret-key-file']):
+ if not config.exists(pki_base + ['openvpn', 'shared-secret']):
+ config.set(pki_base + ['openvpn', 'shared-secret'])
+ config.set_tag(pki_base + ['openvpn', 'shared-secret'])
+
+ key_file = config.return_value(base + [interface, 'shared-secret-key-file'])
+ key = read_file_for_pki(key_file)
+ key_pki_name = f'{pki_name}_shared'
+
+ if key:
+ config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
+ config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
+ config.set(base + [interface, 'shared-secret-key'], value=key_pki_name)
+ else:
+ print(f'Failed to migrate shared-secret-key on openvpn interface {interface}')
+
+ config.delete(base + [interface, 'shared-secret-key-file'])
+
+ if not config.exists(base + [interface, 'tls']):
+ continue
+
+ if config.exists(base + [interface, 'tls', 'auth-file']):
+ if not config.exists(pki_base + ['openvpn', 'shared-secret']):
+ config.set(pki_base + ['openvpn', 'shared-secret'])
+ config.set_tag(pki_base + ['openvpn', 'shared-secret'])
+
+ key_file = config.return_value(base + [interface, 'tls', 'auth-file'])
+ key = read_file_for_pki(key_file)
+ key_pki_name = f'{pki_name}_auth'
+
+ if key:
+ config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
+ config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
+ config.set(base + [interface, 'tls', 'auth-key'], value=key_pki_name)
+ else:
+ print(f'Failed to migrate auth-key on openvpn interface {interface}')
+
+ config.delete(base + [interface, 'tls', 'auth-file'])
+
+ if config.exists(base + [interface, 'tls', 'crypt-file']):
+ if not config.exists(pki_base + ['openvpn', 'shared-secret']):
+ config.set(pki_base + ['openvpn', 'shared-secret'])
+ config.set_tag(pki_base + ['openvpn', 'shared-secret'])
+
+ key_file = config.return_value(base + [interface, 'tls', 'crypt-file'])
+ key = read_file_for_pki(key_file)
+ key_pki_name = f'{pki_name}_crypt'
+
+ if key:
+ config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'key'], value=wrapped_pem_to_config_value(key))
+ config.set(pki_base + ['openvpn', 'shared-secret', key_pki_name, 'version'], value='1')
+ config.set(base + [interface, 'tls', 'crypt-key'], value=key_pki_name)
+ else:
+ print(f'Failed to migrate crypt-key on openvpn interface {interface}')
+
+ config.delete(base + [interface, 'tls', 'crypt-file'])
+
+ if config.exists(x509_base + ['ca-cert-file']):
+ if not config.exists(pki_base + ['ca']):
+ config.set(pki_base + ['ca'])
+ config.set_tag(pki_base + ['ca'])
+
+ cert_file = config.return_value(x509_base + ['ca-cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['ca-certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate CA certificate on openvpn interface {interface}')
+
+ config.delete(x509_base + ['ca-cert-file'])
+
+ if config.exists(x509_base + ['crl-file']):
+ if not config.exists(pki_base + ['ca']):
+ config.set(pki_base + ['ca'])
+ config.set_tag(pki_base + ['ca'])
+
+ crl_file = config.return_value(x509_base + ['crl-file'])
+ crl_path = os.path.join(AUTH_DIR, crl_file)
+ crl = None
+
+ if os.path.isfile(crl_path):
+ if not os.access(crl_path, os.R_OK):
+ run(f'sudo chmod 644 {crl_path}')
+
+ with open(crl_path, 'r') as f:
+ crl_data = f.read()
+ crl = load_crl(crl_data, wrap_tags=False)
+
+ if crl:
+ crl_pem = encode_certificate(crl)
+ config.set(pki_base + ['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem))
+ else:
+ print(f'Failed to migrate CRL on openvpn interface {interface}')
+
+ config.delete(x509_base + ['crl-file'])
+
+ if config.exists(x509_base + ['cert-file']):
+ if not config.exists(pki_base + ['certificate']):
+ config.set(pki_base + ['certificate'])
+ config.set_tag(pki_base + ['certificate'])
+
+ cert_file = config.return_value(x509_base + ['cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate certificate on openvpn interface {interface}')
+
+ config.delete(x509_base + ['cert-file'])
+
+ if config.exists(x509_base + ['key-file']):
+ key_file = config.return_value(x509_base + ['key-file'])
+ key_path = os.path.join(AUTH_DIR, key_file)
+ key = None
+
+ if os.path.isfile(key_path):
+ if not os.access(key_path, os.R_OK):
+ run(f'sudo chmod 644 {key_path}')
+
+ with open(key_path, 'r') as f:
+ key_data = f.read()
+ key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+ if key:
+ key_pem = encode_private_key(key, passphrase=None)
+ config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+ else:
+ print(f'Failed to migrate private key on openvpn interface {interface}')
+
+ config.delete(x509_base + ['key-file'])
+
+ if config.exists(x509_base + ['dh-file']):
+ if not config.exists(pki_base + ['dh']):
+ config.set(pki_base + ['dh'])
+ config.set_tag(pki_base + ['dh'])
+
+ dh_file = config.return_value(x509_base + ['dh-file'])
+ dh_path = os.path.join(AUTH_DIR, dh_file)
+ dh = None
+
+ if os.path.isfile(dh_path):
+ if not os.access(dh_path, os.R_OK):
+ run(f'sudo chmod 644 {dh_path}')
+
+ with open(dh_path, 'r') as f:
+ dh_data = f.read()
+ dh = load_dh_parameters(dh_data, wrap_tags=False)
+
+ if dh:
+ dh_pem = encode_dh_parameters(dh)
+ config.set(pki_base + ['dh', pki_name, 'parameters'], value=wrapped_pem_to_config_value(dh_pem))
+ config.set(x509_base + ['dh-params'], value=pki_name)
+ else:
+ print(f'Failed to migrate DH parameters on openvpn interface {interface}')
+
+ config.delete(x509_base + ['dh-file'])
+
+# Wireguard
+base = ['interfaces', 'wireguard']
+
+if config.exists(base):
+ for interface in config.list_nodes(base):
+ private_key_path = base + [interface, 'private-key']
+
+ key_file = 'default'
+ if config.exists(private_key_path):
+ key_file = config.return_value(private_key_path)
+
+ full_key_path = f'/config/auth/wireguard/{key_file}/private.key'
+
+ if not os.path.exists(full_key_path):
+ print(f'Could not find wireguard private key for migration on interface "{interface}"')
+ continue
+
+ with open(full_key_path, 'r') as f:
+ key_data = f.read().strip()
+ config.set(private_key_path, value=key_data)
+
+ for peer in config.list_nodes(base + [interface, 'peer']):
+ config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key')
+
+# Ethernet EAPoL
+base = ['interfaces', 'ethernet']
+
+if config.exists(base):
+ for interface in config.list_nodes(base):
+ if not config.exists(base + [interface, 'eapol']):
+ continue
+
+ x509_base = base + [interface, 'eapol']
+ pki_name = f'eapol_{interface}'
+
+ if config.exists(x509_base + ['ca-cert-file']):
+ if not config.exists(pki_base + ['ca']):
+ config.set(pki_base + ['ca'])
+ config.set_tag(pki_base + ['ca'])
+
+ cert_file = config.return_value(x509_base + ['ca-cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['ca-certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate CA certificate on eapol config for interface {interface}')
+
+ config.delete(x509_base + ['ca-cert-file'])
+
+ if config.exists(x509_base + ['cert-file']):
+ if not config.exists(pki_base + ['certificate']):
+ config.set(pki_base + ['certificate'])
+ config.set_tag(pki_base + ['certificate'])
+
+ cert_file = config.return_value(x509_base + ['cert-file'])
+ cert_path = os.path.join(AUTH_DIR, cert_file)
+ cert = None
+
+ if os.path.isfile(cert_path):
+ if not os.access(cert_path, os.R_OK):
+ run(f'sudo chmod 644 {cert_path}')
+
+ with open(cert_path, 'r') as f:
+ cert_data = f.read()
+ cert = load_certificate(cert_data, wrap_tags=False)
+
+ if cert:
+ cert_pem = encode_certificate(cert)
+ config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem))
+ config.set(x509_base + ['certificate'], value=pki_name)
+ else:
+ print(f'Failed to migrate certificate on eapol config for interface {interface}')
+
+ config.delete(x509_base + ['cert-file'])
+
+ if config.exists(x509_base + ['key-file']):
+ key_file = config.return_value(x509_base + ['key-file'])
+ key_path = os.path.join(AUTH_DIR, key_file)
+ key = None
+
+ if os.path.isfile(key_path):
+ if not os.access(key_path, os.R_OK):
+ run(f'sudo chmod 644 {key_path}')
+
+ with open(key_path, 'r') as f:
+ key_data = f.read()
+ key = load_private_key(key_data, passphrase=None, wrap_tags=False)
+
+ if key:
+ key_pem = encode_private_key(key, passphrase=None)
+ config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem))
+ else:
+ print(f'Failed to migrate private key on eapol config for interface {interface}')
+
+ config.delete(x509_base + ['key-file'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
diff --git a/src/migration-scripts/system/20-to-21 b/src/migration-scripts/system/20-to-21
index ad41be646..1728995de 100755
--- a/src/migration-scripts/system/20-to-21
+++ b/src/migration-scripts/system/20-to-21
@@ -14,9 +14,11 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# T3795: merge "system name-servers-dhcp" into "system name-server"
+
import os
-from sys import exit, argv
+from sys import argv
from vyos.configtree import ConfigTree
if (len(argv) < 1):
@@ -27,27 +29,16 @@ file_name = argv[1]
with open(file_name, 'r') as f:
config_file = f.read()
-base = ['system', 'sysctl']
+base = ['system', 'name-servers-dhcp']
config = ConfigTree(config_file)
-
if not config.exists(base):
# Nothing to do
exit(0)
-for all_custom in ['all', 'custom']:
- if config.exists(base + [all_custom]):
- for key in config.list_nodes(base + [all_custom]):
- tmp = config.return_value(base + [all_custom, key, 'value'])
- config.set(base + ['parameter', key, 'value'], value=tmp)
- config.set_tag(base + ['parameter'])
- config.delete(base + [all_custom])
-
-for ipv4_param in ['net.ipv4.igmp_max_memberships', 'net.ipv4.ipfrag_time']:
- if config.exists(base + [ipv4_param]):
- tmp = config.return_value(base + [ipv4_param])
- config.set(base + ['parameter', ipv4_param, 'value'], value=tmp)
- config.set_tag(base + ['parameter'])
- config.delete(base + [ipv4_param])
+for interface in config.return_values(base):
+ config.set(['system', 'name-server'], value=interface, replace=False)
+
+config.delete(base)
try:
with open(file_name, 'w') as f:
diff --git a/src/migration-scripts/system/21-to-22 b/src/migration-scripts/system/21-to-22
new file mode 100755
index 000000000..ad41be646
--- /dev/null
+++ b/src/migration-scripts/system/21-to-22
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit, argv
+from vyos.configtree import ConfigTree
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['system', 'sysctl']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+for all_custom in ['all', 'custom']:
+ if config.exists(base + [all_custom]):
+ for key in config.list_nodes(base + [all_custom]):
+ tmp = config.return_value(base + [all_custom, key, 'value'])
+ config.set(base + ['parameter', key, 'value'], value=tmp)
+ config.set_tag(base + ['parameter'])
+ config.delete(base + [all_custom])
+
+for ipv4_param in ['net.ipv4.igmp_max_memberships', 'net.ipv4.ipfrag_time']:
+ if config.exists(base + [ipv4_param]):
+ tmp = config.return_value(base + [ipv4_param])
+ config.set(base + ['parameter', ipv4_param, 'value'], value=tmp)
+ config.set_tag(base + ['parameter'])
+ config.delete(base + [ipv4_param])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/migration-scripts/vrrp/2-to-3 b/src/migration-scripts/vrrp/2-to-3
new file mode 100755
index 000000000..1151ae18c
--- /dev/null
+++ b/src/migration-scripts/vrrp/2-to-3
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T3847: vrrp config cleanup
+
+from sys import argv
+from vyos.configtree import ConfigTree
+
+if (len(argv) < 1):
+ print('Must specify file name!')
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['high-availability', 'vrrp']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+if config.exists(base + ['group']):
+ for group in config.list_nodes(base + ['group']):
+ group_base = base + ['group', group]
+
+ # Deprecated option
+ tmp = group_base + ['transition-script', 'mode-force']
+ if config.exists(tmp):
+ config.delete(tmp)
+
+ # Rename virtual-address -> address
+ tmp = group_base + ['virtual-address']
+ if config.exists(tmp):
+ config.rename(tmp, 'address')
+
+ # Rename virtual-address-excluded -> excluded-address
+ tmp = group_base + ['virtual-address-excluded']
+ if config.exists(tmp):
+ config.rename(tmp, 'excluded-address')
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ exit(1)
diff --git a/src/op_mode/containers_op.py b/src/op_mode/containers_op.py
index 1e3fc3a8f..bc317029c 100755
--- a/src/op_mode/containers_op.py
+++ b/src/op_mode/containers_op.py
@@ -15,10 +15,10 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import argparse
-from vyos.configquery import query_context, ConfigQueryError
-from vyos.util import cmd
-config, op = query_context()
+from getpass import getuser
+from vyos.configquery import ConfigTreeQuery
+from vyos.util import cmd
parser = argparse.ArgumentParser()
parser.add_argument("-a", "--all", action="store_true", help="Show all containers")
@@ -26,34 +26,53 @@ parser.add_argument("-i", "--image", action="store_true", help="Show container i
parser.add_argument("-n", "--networks", action="store_true", help="Show container images")
parser.add_argument("-p", "--pull", action="store", help="Pull image for container")
parser.add_argument("-d", "--remove", action="store", help="Delete container image")
+parser.add_argument("-u", "--update", action="store", help="Update given container image")
-if not config.exists(['container']):
+config = ConfigTreeQuery()
+base = ['container']
+if not config.exists(base):
print('Containers not configured')
exit(0)
+if getuser() != 'root':
+ raise OSError('This functions needs to be run as root to return correct results!')
+
if __name__ == '__main__':
args = parser.parse_args()
if args.all:
print(cmd('podman ps --all'))
- exit(0)
- if args.image:
+
+ elif args.image:
print(cmd('podman image ls'))
- exit(0)
- if args.networks:
+
+ elif args.networks:
print(cmd('podman network ls'))
- exit(0)
- if args.pull:
+
+ elif args.pull:
image = args.pull
try:
- print(cmd(f'sudo podman image pull {image}'))
+ print(cmd(f'podman image pull {image}'))
except:
print(f'Can\'t find or download image "{image}"')
- exit(0)
- if args.remove:
+
+ elif args.remove:
image = args.remove
try:
- print(cmd(f'sudo podman image rm {image}'))
+ print(cmd(f'podman image rm {image}'))
except:
print(f'Can\'t delete image "{image}"')
- exit(0)
+
+ elif args.update:
+ tmp = config.get_config_dict(base + ['name', args.update],
+ key_mangling=('-', '_'), get_first_key=True)
+ try:
+ image = tmp['image']
+ print(cmd(f'podman image pull {image}'))
+ except:
+ print(f'Can\'t find or download image "{image}"')
+ else:
+ parser.print_help()
+ exit(1)
+
+ exit(0)
diff --git a/src/op_mode/dns_forwarding_statistics.py b/src/op_mode/dns_forwarding_statistics.py
index 1fb61d263..d79b6c024 100755
--- a/src/op_mode/dns_forwarding_statistics.py
+++ b/src/op_mode/dns_forwarding_statistics.py
@@ -11,7 +11,7 @@ PDNS_CMD='/usr/bin/rec_control --socket-dir=/run/powerdns'
OUT_TMPL_SRC = """
DNS forwarding statistics:
-Cache entries: {{ cache_entries -}}
+Cache entries: {{ cache_entries }}
Cache size: {{ cache_size }} kbytes
"""
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index d45525431..990b06c12 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -21,7 +21,7 @@ from sys import exit
from socket import getfqdn
from cryptography.x509.oid import NameOID
-from vyos.config import Config
+from vyos.configquery import ConfigTreeQuery
from vyos.pki import load_certificate
from vyos.template import render_to_string
from vyos.util import ask_input
@@ -117,7 +117,7 @@ args = parser.parse_args()
ipsec_base = ['vpn', 'ipsec']
config_base = ipsec_base + ['remote-access', 'connection']
pki_base = ['pki']
-conf = Config()
+conf = ConfigTreeQuery()
if not conf.exists(config_base):
exit('IPSec remote-access is not configured!')
@@ -153,7 +153,7 @@ cert = load_certificate(pki['certificate'][cert_name]['certificate'])
data['ca_cn'] = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
data['cert_cn'] = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
-data['ca_cert'] = conf.return_value(pki_base + ['ca', ca_name, 'certificate'])
+data['ca_cert'] = conf.value(pki_base + ['ca', ca_name, 'certificate'])
esp_proposals = conf.get_config_dict(ipsec_base + ['esp-group', data['esp_group'], 'proposal'],
key_mangling=('-', '_'), get_first_key=True)
diff --git a/src/op_mode/ping.py b/src/op_mode/ping.py
index 2144ab53c..60bbc0c78 100755
--- a/src/op_mode/ping.py
+++ b/src/op_mode/ping.py
@@ -62,8 +62,8 @@ options = {
},
'interface': {
'ping': '{command} -I {value}',
- 'type': '<interface> <X.X.X.X> <h:h:h:h:h:h:h:h>',
- 'help': 'Interface to use as source for ping'
+ 'type': '<interface>',
+ 'help': 'Source interface'
},
'interval': {
'ping': '{command} -i {value}',
@@ -115,6 +115,10 @@ options = {
'type': '<bytes>',
'help': 'Number of bytes to send'
},
+ 'source-address': {
+ 'ping': '{command} -I {value}',
+ 'type': '<x.x.x.x> <h:h:h:h:h:h:h:h>',
+ },
'ttl': {
'ping': '{command} -t {value}',
'type': '<ttl>',
@@ -234,4 +238,4 @@ if __name__ == '__main__':
# print(f'{command} {host}')
os.system(f'{command} {host}')
- \ No newline at end of file
+
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 297270cf1..2283cd820 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -17,7 +17,6 @@
import argparse
import ipaddress
import os
-import re
import sys
import tabulate
@@ -25,6 +24,7 @@ from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID
from vyos.config import Config
+from vyos.configquery import ConfigTreeQuery
from vyos.configdict import dict_merge
from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters
from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list
@@ -37,25 +37,24 @@ from vyos.util import ask_input, ask_yes_no
from vyos.util import cmd
CERT_REQ_END = '-----END CERTIFICATE REQUEST-----'
-
auth_dir = '/config/auth'
# Helper Functions
-
+conf = ConfigTreeQuery()
def get_default_values():
# Fetch default x509 values
- conf = Config()
base = ['pki', 'x509', 'default']
x509_defaults = conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
default_values = defaults(base)
- return dict_merge(default_values, x509_defaults)
+ x509_defaults = dict_merge(default_values, x509_defaults)
+
+ return x509_defaults
def get_config_ca_certificate(name=None):
# Fetch ca certificates from config
- conf = Config()
base = ['pki', 'ca']
-
if not conf.exists(base):
return False
@@ -65,13 +64,12 @@ def get_config_ca_certificate(name=None):
return False
return conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
def get_config_certificate(name=None):
# Get certificates from config
- conf = Config()
base = ['pki', 'certificate']
-
if not conf.exists(base):
return False
@@ -81,7 +79,8 @@ def get_config_certificate(name=None):
return False
return conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
def get_certificate_ca(cert, ca_certs):
# Find CA certificate for given certificate
@@ -100,7 +99,6 @@ def get_certificate_ca(cert, ca_certs):
def get_config_revoked_certificates():
# Fetch revoked certificates from config
- conf = Config()
ca_base = ['pki', 'ca']
cert_base = ['pki', 'certificate']
@@ -108,12 +106,14 @@ def get_config_revoked_certificates():
if conf.exists(ca_base):
ca_certificates = conf.get_config_dict(ca_base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
certs.extend(ca_certificates.values())
if conf.exists(cert_base):
certificates = conf.get_config_dict(cert_base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
certs.extend(certificates.values())
return [cert_dict for cert_dict in certs if 'revoke' in cert_dict]
@@ -144,39 +144,41 @@ def get_revoked_by_serial_numbers(serial_numbers=[]):
def install_certificate(name, cert='', private_key=None, key_type=None, key_passphrase=None, is_ca=False):
# Show conf commands for installing certificate
prefix = 'ca' if is_ca else 'certificate'
- print("Configure mode commands to install:")
+ print('Configure mode commands to install:')
+ base = f"set pki {prefix} {name}"
if cert:
cert_pem = "".join(encode_certificate(cert).strip().split("\n")[1:-1])
- print("set pki %s %s certificate '%s'" % (prefix, name, cert_pem))
+ print(f"{base} certificate '{cert_pem}'")
if private_key:
key_pem = "".join(encode_private_key(private_key, passphrase=key_passphrase).strip().split("\n")[1:-1])
- print("set pki %s %s private key '%s'" % (prefix, name, key_pem))
+ print(f"{base} private key '{key_pem}'")
if key_passphrase:
- print("set pki %s %s private password-protected" % (prefix, name))
+ print(f"{base} private password-protected")
def install_crl(ca_name, crl):
# Show conf commands for installing crl
print("Configure mode commands to install CRL:")
crl_pem = "".join(encode_certificate(crl).strip().split("\n")[1:-1])
- print("set pki ca %s crl '%s'" % (ca_name, crl_pem))
+ print(f"set pki ca {ca_name} crl '{crl_pem}'")
def install_dh_parameters(name, params):
# Show conf commands for installing dh params
print("Configure mode commands to install DH parameters:")
dh_pem = "".join(encode_dh_parameters(params).strip().split("\n")[1:-1])
- print("set pki dh %s parameters '%s'" % (name, dh_pem))
+ print(f"set pki dh {name} parameters '{dh_pem}'")
def install_ssh_key(name, public_key, private_key, passphrase=None):
# Show conf commands for installing ssh key
key_openssh = encode_public_key(public_key, encoding='OpenSSH', key_format='OpenSSH')
username = os.getlogin()
type_key_split = key_openssh.split(" ")
+
+ base = f"set system login user {username} authentication public-keys {name}"
print("Configure mode commands to install SSH key:")
- print("set system login user %s authentication public-keys %s key '%s'" % (username, name, type_key_split[1]))
- print("set system login user %s authentication public-keys %s type '%s'" % (username, name, type_key_split[0]))
- print("")
+ print(f"{base} key '{type_key_split[1]}'")
+ print(f"{base} type '{type_key_split[0]}'", end="\n\n")
print(encode_private_key(private_key, encoding='PEM', key_format='OpenSSH', passphrase=passphrase))
def install_keypair(name, key_type, private_key=None, public_key=None, passphrase=None):
@@ -189,7 +191,7 @@ def install_keypair(name, key_type, private_key=None, public_key=None, passphras
if install_public_key:
install_public_pem = "".join(public_key_pem.strip().split("\n")[1:-1])
- print("set pki key-pair %s public key '%s'" % (name, install_public_pem))
+ print(f"set pki key-pair {name} public key '{install_public_pem}'")
else:
print("Public key:")
print(public_key_pem)
@@ -200,30 +202,53 @@ def install_keypair(name, key_type, private_key=None, public_key=None, passphras
if install_private_key:
install_private_pem = "".join(private_key_pem.strip().split("\n")[1:-1])
- print("set pki key-pair %s private key '%s'" % (name, install_private_pem))
+ print(f"set pki key-pair {name} private key '{install_private_pem}'")
if passphrase:
- print("set pki key-pair %s private password-protected" % (name,))
+ print(f"set pki key-pair {name} private password-protected")
else:
print("Private key:")
print(private_key_pem)
-def install_wireguard_key(name, private_key, public_key):
+def install_wireguard_key(interface, private_key, public_key):
# Show conf commands for installing wireguard key pairs
- is_interface = re.match(r'^wg[\d]+$', name)
+ from vyos.ifconfig import Section
+ if Section.section(interface) != 'wireguard':
+ print(f'"{interface}" is not a WireGuard interface name!')
+ exit(1)
+
+ # Check if we are running in a config session - if yes, we can directly write to the CLI
+ cli_string = f"interfaces wireguard {interface} private-key '{private_key}'"
+ if Config().in_session():
+ cmd(f"/opt/vyatta/sbin/my_set {cli_string}")
+
+ print('"generate" CLI command executed from config session.\nGenerated private-key was imported to CLI!',end='\n\n')
+ print(f'Use the following command to verify: show interfaces wireguard {interface}')
+ else:
+ print('"generate" CLI command executed from operational level.\n'
+ 'Generated private-key is not stored to CLI, use configure mode commands to install key:', end='\n\n')
+ print(f"set {cli_string}", end="\n\n")
- print("Configure mode commands to install key:")
- if is_interface:
- print("set interfaces wireguard %s private-key '%s'" % (name, private_key))
- print("")
- print("Public key for use on peer configuration: " + public_key)
+ print(f"Corresponding public-key to use on peer system is: '{public_key}'")
+
+
+def install_wireguard_psk(interface, peer, psk):
+ from vyos.ifconfig import Section
+ if Section.section(interface) != 'wireguard':
+ print(f'"{interface}" is not a WireGuard interface name!')
+ exit(1)
+
+ # Check if we are running in a config session - if yes, we can directly write to the CLI
+ cli_string = f"interfaces wireguard {interface} peer {peer} preshared-key '{psk}'"
+ if Config().in_session():
+ cmd(f"/opt/vyatta/sbin/my_set {cli_string}")
+
+ print('"generate" CLI command executed from config session.\nGenerated preshared-key was imported to CLI!',end='\n\n')
+ print(f'Use the following command to verify: show interfaces wireguard {interface}')
else:
- print("set interfaces wireguard [INTERFACE] peer %s public-key '%s'" % (name, public_key))
- print("")
- print("Private key for use on peer configuration: " + private_key)
+ print('"generate" CLI command executed from operational level.\n'
+ 'Generated preshared-key is not stored to CLI, use configure mode commands to install key:', end='\n\n')
+ print(f"set {cli_string}", end="\n\n")
-def install_wireguard_psk(name, psk):
- # Show conf commands for installing wireguard psk
- print("set interfaces wireguard [INTERFACE] peer %s preshared-key '%s'" % (name, psk))
def ask_passphrase():
passphrase = None
@@ -464,7 +489,7 @@ def generate_certificate_sign(name, ca_name, install=False, file=False):
if not cert_req:
print("Invalid certificate request")
return None
-
+
cert = generate_certificate(cert_req, ca_cert, ca_private_key, is_ca=False)
passphrase = ask_passphrase()
@@ -630,49 +655,37 @@ def generate_openvpn_key(name, install=False, file=False):
key_data = "".join(key_lines[1:-1]) # Remove wrapper tags and line endings
key_version = '1'
+ import re
version_search = re.search(r'BEGIN OpenVPN Static key V(\d+)', result) # Future-proofing (hopefully)
if version_search:
key_version = version_search[1]
+ base = f"set pki openvpn shared-secret {name}"
print("Configure mode commands to install OpenVPN key:")
- print("set pki openvpn shared-secret %s key '%s'" % (name, key_data))
- print("set pki openvpn shared-secret %s version '%s'" % (name, key_version))
+ print(f"{base} key '{key_data}'")
+ print(f"{base} version '{key_version}'")
if file:
write_file(f'{name}.key', result)
-def generate_wireguard_key(name, install=False, file=False):
+def generate_wireguard_key(interface=None, install=False):
private_key = cmd('wg genkey')
public_key = cmd('wg pubkey', input=private_key)
- if not install:
- print("Private key: " + private_key)
- print("Public key: " + public_key)
- return None
-
- if install:
- install_wireguard_key(name, private_key, public_key)
-
- if file:
- write_file(f'{name}_public.key', public_key)
- write_file(f'{name}_private.key', private_key)
+ if interface and install:
+ install_wireguard_key(interface, private_key, public_key)
+ else:
+ print(f'Private key: {private_key}')
+ print(f'Public key: {public_key}', end='\n\n')
-def generate_wireguard_psk(name, install=False, file=False):
+def generate_wireguard_psk(interface=None, peer=None, install=False):
psk = cmd('wg genpsk')
-
- if not install and not file:
- print("Pre-shared key:")
- print(psk)
- return None
-
- if install:
- install_wireguard_psk(name, psk)
-
- if file:
- write_file(f'{name}.key', psk)
+ if interface and peer and install:
+ install_wireguard_psk(interface, peer, psk)
+ else:
+ print(f'Pre-shared key: {psk}')
# Show functions
-
def show_certificate_authority(name=None):
headers = ['Name', 'Subject', 'Issuer CN', 'Issued', 'Expiry', 'Private Key', 'Parent']
data = []
@@ -789,10 +802,13 @@ if __name__ == '__main__':
# OpenVPN
parser.add_argument('--openvpn', help='OpenVPN TLS key', required=False)
- # Wireguard
+ # WireGuard
parser.add_argument('--wireguard', help='Wireguard', action='store_true')
- parser.add_argument('--key', help='Wireguard key pair', required=False)
- parser.add_argument('--psk', help='Wireguard pre shared key', required=False)
+ group = parser.add_mutually_exclusive_group()
+ group.add_argument('--key', help='Wireguard key pair', action='store_true', required=False)
+ group.add_argument('--psk', help='Wireguard pre shared key', action='store_true', required=False)
+ parser.add_argument('--interface', help='Install generated keys into running-config for named interface', action='store')
+ parser.add_argument('--peer', help='Install generated keys into running-config for peer', action='store')
# Global
parser.add_argument('--file', help='Write generated keys into specified filename', action='store_true')
@@ -813,26 +829,47 @@ if __name__ == '__main__':
elif args.self_sign:
generate_certificate_selfsign(args.certificate, install=args.install, file=args.file)
else:
- generate_certificate_request(name=args.certificate, install=args.install)
+ generate_certificate_request(name=args.certificate, install=args.install, file=args.file)
+
elif args.crl:
generate_certificate_revocation_list(args.crl, install=args.install, file=args.file)
+
elif args.ssh:
generate_ssh_keypair(args.ssh, install=args.install, file=args.file)
+
elif args.dh:
generate_dh_parameters(args.dh, install=args.install, file=args.file)
+
elif args.keypair:
generate_keypair(args.keypair, install=args.install, file=args.file)
+
elif args.openvpn:
generate_openvpn_key(args.openvpn, install=args.install, file=args.file)
+
elif args.wireguard:
+ # WireGuard supports writing key directly into the CLI, but this
+ # requires the vyos_libexec_dir environment variable to be set
+ os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos"
+
if args.key:
- generate_wireguard_key(args.key, install=args.install, file=args.file)
- elif args.psk:
- generate_wireguard_psk(args.psk, install=args.install, file=args.file)
+ generate_wireguard_key(args.interface, install=args.install)
+ if args.psk:
+ generate_wireguard_psk(args.interface, peer=args.peer, install=args.install)
+
elif args.action == 'show':
if args.ca:
- show_certificate_authority(None if args.ca == 'all' else args.ca)
+ ca_name = None if args.ca == 'all' else args.ca
+ if ca_name:
+ if not conf.exists(['pki', 'ca', ca_name]):
+ print(f'CA "{ca_name}" does not exist!')
+ exit(1)
+ show_certificate_authority(ca_name)
elif args.certificate:
+ cert_name = None if args.certificate == 'all' else args.certificate
+ if cert_name:
+ if not conf.exists(['pki', 'certificate', cert_name]):
+ print(f'Certificate "{cert_name}" does not exist!')
+ exit(1)
show_certificate(None if args.certificate == 'all' else args.certificate)
elif args.crl:
show_crl(None if args.crl == 'all' else args.crl)
diff --git a/src/op_mode/powerctrl.py b/src/op_mode/powerctrl.py
index f8b5a3dda..679b03c0b 100755
--- a/src/op_mode/powerctrl.py
+++ b/src/op_mode/powerctrl.py
@@ -92,37 +92,40 @@ def cancel_shutdown():
try:
run('/sbin/shutdown -c --no-wall')
except OSError as e:
- exit("Could not cancel a reboot or poweroff: %s" % e)
+ exit(f'Could not cancel a reboot or poweroff: {e}')
- message = 'Scheduled {} has been cancelled {}'.format(output['MODE'], timenow)
+ mode = output['MODE']
+ message = f'Scheduled {mode} has been cancelled {timenow}'
run(f'wall {message} > /dev/null 2>&1')
else:
print("Reboot or poweroff is not scheduled")
def execute_shutdown(time, reboot=True, ask=True):
+ action = "reboot" if reboot else "poweroff"
if not ask:
- action = "reboot" if reboot else "poweroff"
- if not ask_yes_no("Are you sure you want to %s this system?" % action):
+ if not ask_yes_no(f"Are you sure you want to {action} this system?"):
exit(0)
-
- action = "-r" if reboot else "-P"
+ action_cmd = "-r" if reboot else "-P"
if len(time) == 0:
# T870 legacy reboot job support
chk_vyatta_based_reboots()
###
- out = cmd(f'/sbin/shutdown {action} now', stderr=STDOUT)
+ out = cmd(f'/sbin/shutdown {action_cmd} now', stderr=STDOUT)
print(out.split(",", 1)[0])
return
elif len(time) == 1:
# Assume the argument is just time
ts = parse_time(time[0])
if ts:
- cmd(f'/sbin/shutdown {action} {time[0]}', stderr=STDOUT)
+ cmd(f'/sbin/shutdown {action_cmd} {time[0]}', stderr=STDOUT)
+ # Inform all other logged in users about the reboot/shutdown
+ wall_msg = f'System {action} is scheduled {time[0]}'
+ cmd(f'/usr/bin/wall "{wall_msg}"')
else:
- exit("Invalid time \"{0}\". The valid format is HH:MM".format(time[0]))
+ exit(f'Invalid time "{time[0]}". The valid format is HH:MM')
elif len(time) == 2:
# Assume it's date and time
ts = parse_time(time[0])
@@ -131,14 +134,18 @@ def execute_shutdown(time, reboot=True, ask=True):
t = datetime.combine(ds, ts)
td = t - datetime.now()
t2 = 1 + int(td.total_seconds())//60 # Get total minutes
- cmd('/sbin/shutdown {action} {t2}', stderr=STDOUT)
+
+ cmd(f'/sbin/shutdown {action_cmd} {t2}', stderr=STDOUT)
+ # Inform all other logged in users about the reboot/shutdown
+ wall_msg = f'System {action} is scheduled {time[1]} {time[0]}'
+ cmd(f'/usr/bin/wall "{wall_msg}"')
else:
if not ts:
- exit("Invalid time \"{0}\". The valid format is HH:MM".format(time[0]))
+ exit(f'Invalid time "{time[0]}". The valid format is HH:MM')
else:
- exit("Invalid time \"{0}\". A valid format is YYYY-MM-DD [HH:MM]".format(time[1]))
+ exit(f'Invalid date "{time[1]}". A valid format is YYYY-MM-DD [HH:MM]')
else:
- exit("Could not decode date and time. Valids formats are HH:MM or YYYY-MM-DD HH:MM")
+ exit('Could not decode date and time. Valids formats are HH:MM or YYYY-MM-DD HH:MM')
check_shutdown()
diff --git a/src/op_mode/restart_frr.py b/src/op_mode/restart_frr.py
index d1b66b33f..109c8dd7b 100755
--- a/src/op_mode/restart_frr.py
+++ b/src/op_mode/restart_frr.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -13,16 +13,19 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-import sys
+import os
import argparse
import logging
-from logging.handlers import SysLogHandler
-from pathlib import Path
import psutil
+from logging.handlers import SysLogHandler
+from shutil import rmtree
+
from vyos.util import call
+from vyos.util import ask_yes_no
+from vyos.util import process_named_running
+from vyos.util import makedir
# some default values
watchfrr = '/usr/lib/frr/watchfrr.sh'
@@ -40,40 +43,45 @@ logger.setLevel(logging.INFO)
def _check_safety():
try:
# print warning
- answer = input("WARNING: This is a potentially unsafe function! You may lose the connection to the router or active configuration after running this command. Use it at your own risk! Continue? [y/N]: ")
- if not answer.lower() == "y":
- logger.error("User aborted command")
+ if not ask_yes_no('WARNING: This is a potentially unsafe function!\n' \
+ 'You may lose the connection to the router or active configuration after\n' \
+ 'running this command. Use it at your own risk!\n\n'
+ 'Continue?'):
return False
# check if another restart process already running
if len([process for process in psutil.process_iter(attrs=['pid', 'name', 'cmdline']) if 'python' in process.info['name'] and 'restart_frr.py' in process.info['cmdline'][1]]) > 1:
- logger.error("Another restart_frr.py already running")
- answer = input("Another restart_frr.py process is already running. It is unsafe to continue. Do you want to process anyway? [y/N]: ")
- if not answer.lower() == "y":
+ message = 'Another restart_frr.py process is already running!'
+ logger.error(message)
+ if not ask_yes_no(f'\n{message} It is unsafe to continue.\n\n' \
+ 'Do you want to process anyway?'):
return False
# check if watchfrr.sh is running
- for process in psutil.process_iter(attrs=['pid', 'name', 'cmdline']):
- if 'bash' in process.info['name'] and watchfrr in process.info['cmdline']:
- logger.error("Another {} already running".format(watchfrr))
- answer = input("Another {} process is already running. It is unsafe to continue. Do you want to process anyway? [y/N]: ".format(watchfrr))
- if not answer.lower() == "y":
- return False
+ tmp = os.path.basename(watchfrr)
+ if process_named_running(tmp):
+ message = f'Another {tmp} process is already running.'
+ logger.error(message)
+ if not ask_yes_no(f'{message} It is unsafe to continue.\n\n' \
+ 'Do you want to process anyway?'):
+ return False
# check if vtysh is running
- for process in psutil.process_iter(attrs=['pid', 'name', 'cmdline']):
- if 'vtysh' in process.info['name']:
- logger.error("The vtysh is running by another task")
- answer = input("The vtysh is running by another task. It is unsafe to continue. Do you want to process anyway? [y/N]: ")
- if not answer.lower() == "y":
- return False
+ if process_named_running('vtysh'):
+ message = 'vtysh process is executed by another task.'
+ logger.error(message)
+ if not ask_yes_no(f'{message} It is unsafe to continue.\n\n' \
+ 'Do you want to process anyway?'):
+ return False
# check if temporary directory exists
- if Path(frrconfig_tmp).exists():
- logger.error("The temporary directory \"{}\" already exists".format(frrconfig_tmp))
- answer = input("The temporary directory \"{}\" already exists. It is unsafe to continue. Do you want to process anyway? [y/N]: ".format(frrconfig_tmp))
- if not answer.lower() == "y":
+ if os.path.exists(frrconfig_tmp):
+ message = f'Temporary directory "{frrconfig_tmp}" already exists!'
+ logger.error(message)
+ if not ask_yes_no(f'{message} It is unsafe to continue.\n\n' \
+ 'Do you want to process anyway?'):
return False
+
except:
logger.error("Something goes wrong in _check_safety()")
return False
@@ -84,94 +92,68 @@ def _check_safety():
# write active config to file
def _write_config():
# create temporary directory
- Path(frrconfig_tmp).mkdir(parents=False, exist_ok=True)
+ makedir(frrconfig_tmp)
# save frr.conf to it
- command = "{} -n -w --config_dir {} 2> /dev/null".format(vtysh, frrconfig_tmp)
+ command = f'{vtysh} -n -w --config_dir {frrconfig_tmp} 2> /dev/null'
return_code = call(command)
- if not return_code == 0:
- logger.error("Failed to save active config: \"{}\" returned exit code: {}".format(command, return_code))
+ if return_code != 0:
+ logger.error(f'Failed to save active config: "{command}" returned exit code: {return_code}')
return False
- logger.info("Active config saved to {}".format(frrconfig_tmp))
+ logger.info(f'Active config saved to {frrconfig_tmp}')
return True
# clear and remove temporary directory
def _cleanup():
- tmpdir = Path(frrconfig_tmp)
- try:
- if tmpdir.exists():
- for file in tmpdir.iterdir():
- file.unlink()
- tmpdir.rmdir()
- except:
- logger.error("Failed to remove temporary directory {}".format(frrconfig_tmp))
- print("Failed to remove temporary directory {}".format(frrconfig_tmp))
-
-# check if daemon is running
-def _daemon_check(daemon):
- command = "{} print_status {}".format(watchfrr, daemon)
- return_code = call(command)
- if not return_code == 0:
- logger.error("Daemon \"{}\" is not running".format(daemon))
- return False
-
- # return True if all checks were passed
- return True
+ if os.path.isdir(frrconfig_tmp):
+ rmtree(frrconfig_tmp)
# restart daemon
def _daemon_restart(daemon):
- command = "{} restart {}".format(watchfrr, daemon)
+ command = f'{watchfrr} restart {daemon}'
return_code = call(command)
if not return_code == 0:
- logger.error("Failed to restart daemon \"{}\"".format(daemon))
+ logger.error(f'Failed to restart daemon "{daemon}"!')
return False
# return True if restarted successfully
- logger.info("Daemon \"{}\" restarted".format(daemon))
+ logger.info(f'Daemon "{daemon}" restarted!')
return True
# reload old config
def _reload_config(daemon):
if daemon != '':
- command = "{} -n -b --config_dir {} -d {} 2> /dev/null".format(vtysh, frrconfig_tmp, daemon)
+ command = f'{vtysh} -n -b --config_dir {frrconfig_tmp} -d {daemon} 2> /dev/null'
else:
- command = "{} -n -b --config_dir {} 2> /dev/null".format(vtysh, frrconfig_tmp)
+ command = f'{vtysh} -n -b --config_dir {frrconfig_tmp} 2> /dev/null'
return_code = call(command)
if not return_code == 0:
- logger.error("Failed to reinstall configuration")
+ logger.error('Failed to re-install configuration!')
return False
# return True if restarted successfully
- logger.info("Configuration reinstalled successfully")
- return True
-
-# check all daemons if they are running
-def _check_args_daemon(daemons):
- for daemon in daemons:
- if not _daemon_check(daemon):
- return False
+ logger.info('Configuration re-installed successfully!')
return True
# define program arguments
cmd_args_parser = argparse.ArgumentParser(description='restart frr daemons')
cmd_args_parser.add_argument('--action', choices=['restart'], required=True, help='action to frr daemons')
-cmd_args_parser.add_argument('--daemon', choices=['bfdd', 'bgpd', 'ospfd', 'ospf6d', 'ripd', 'ripngd', 'staticd', 'zebra'], required=False, nargs='*', help='select single or multiple daemons')
+cmd_args_parser.add_argument('--daemon', choices=['bfdd', 'bgpd', 'ospfd', 'ospf6d', 'isisd', 'ripd', 'ripngd', 'staticd', 'zebra'], required=False, nargs='*', help='select single or multiple daemons')
# parse arguments
cmd_args = cmd_args_parser.parse_args()
-
# main logic
# restart daemon
if cmd_args.action == 'restart':
# check if it is safe to restart FRR
if not _check_safety():
print("\nOne of the safety checks was failed or user aborted command. Exiting.")
- sys.exit(1)
+ exit(1)
if not _write_config():
print("Failed to save active config")
_cleanup()
- sys.exit(1)
+ exit(1)
# a little trick to make further commands more clear
if not cmd_args.daemon:
@@ -179,19 +161,20 @@ if cmd_args.action == 'restart':
# check all daemons if they are running
if cmd_args.daemon != ['']:
- if not _check_args_daemon(cmd_args.daemon):
- print("Warning: some of listed daemons are not running")
+ for daemon in cmd_args.daemon:
+ if not process_named_running(daemon):
+ print('WARNING: some of listed daemons are not running!')
# run command to restart daemon
for daemon in cmd_args.daemon:
if not _daemon_restart(daemon):
- print("Failed to restart daemon: {}".format(daemon))
+ print('Failed to restart daemon: {daemon}')
_cleanup()
- sys.exit(1)
+ exit(1)
# reinstall old configuration
_reload_config(daemon)
# cleanup after all actions
_cleanup()
-sys.exit(0)
+exit(0)
diff --git a/src/op_mode/show_dhcp.py b/src/op_mode/show_dhcp.py
index 4df275e04..cd6e8ed43 100755
--- a/src/op_mode/show_dhcp.py
+++ b/src/op_mode/show_dhcp.py
@@ -177,7 +177,7 @@ if __name__ == '__main__':
group = parser.add_mutually_exclusive_group()
group.add_argument("-l", "--leases", action="store_true", help="Show DHCP leases")
group.add_argument("-s", "--statistics", action="store_true", help="Show DHCP statistics")
- group.add_argument("--allowed", type=str, choices=["pool", "sort", "state"], help="Show allowed values for argument")
+ group.add_argument("--allowed", type=str, choices=["sort", "state"], help="Show allowed values for argument")
parser.add_argument("-p", "--pool", type=str, help="Show lease for specific pool")
parser.add_argument("-S", "--sort", type=str, default='ip', help="Sort by")
@@ -188,11 +188,7 @@ if __name__ == '__main__':
conf = Config()
- if args.allowed == 'pool':
- if conf.exists_effective('service dhcp-server'):
- print(' '.join(conf.list_effective_nodes("service dhcp-server shared-network-name")))
- exit(0)
- elif args.allowed == 'sort':
+ if args.allowed == 'sort':
print(' '.join(lease_display_fields.keys()))
exit(0)
elif args.allowed == 'state':
diff --git a/src/op_mode/show_interfaces.py b/src/op_mode/show_interfaces.py
index 20d5d9e17..3d50eb938 100755
--- a/src/op_mode/show_interfaces.py
+++ b/src/op_mode/show_interfaces.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
-# Copyright 2017, 2019 VyOS maintainers and contributors <maintainers@vyos.io>
+# Copyright 2017-2021 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -19,9 +19,7 @@ import os
import re
import sys
import glob
-import datetime
import argparse
-import netifaces
from vyos.ifconfig import Section
from vyos.ifconfig import Interface
@@ -63,27 +61,27 @@ def filtered_interfaces(ifnames, iftypes, vif, vrrp):
ifnames: a list of interfaces names to consider, empty do not filter
return an instance of the interface class
"""
- allnames = Section.interfaces()
+ if isinstance(iftypes, list):
+ for iftype in iftypes:
+ yield from filtered_interfaces(ifnames, iftype, vif, vrrp)
- vrrp_interfaces = VRRP.active_interfaces() if vrrp else []
-
- for ifname in allnames:
+ for ifname in Section.interfaces(iftypes):
+ # Bail out early if interface name not part of our search list
if ifnames and ifname not in ifnames:
continue
- # return the class which can handle this interface name
- klass = Section.klass(ifname)
- # connect to the interface
- interface = klass(ifname, create=False, debug=False)
-
- if iftypes and interface.definition['section'] not in iftypes:
- continue
+ # As we are only "reading" from the interface - we must use the
+ # generic base class which exposes all the data via a common API
+ interface = Interface(ifname, create=False, debug=False)
+ # VLAN interfaces have a '.' in their name by convention
if vif and not '.' in ifname:
continue
- if vrrp and ifname not in vrrp_interfaces:
- continue
+ if vrrp:
+ vrrp_interfaces = VRRP.active_interfaces()
+ if ifname not in vrrp_interfaces:
+ continue
yield interface
@@ -120,10 +118,6 @@ def split_text(text, used=0):
yield line[1:]
-def get_vrrp_intf():
- return [intf for intf in Section.interfaces() if intf.is_vrrp()]
-
-
def get_counter_val(clear, now):
"""
attempt to correct a counter if it wrapped, copied from perl
diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py
index e491267fd..c964caaeb 100755
--- a/src/op_mode/show_ipsec_sa.py
+++ b/src/op_mode/show_ipsec_sa.py
@@ -23,6 +23,12 @@ import hurry.filesize
import vyos.util
+def convert(text):
+ return int(text) if text.isdigit() else text.lower()
+
+def alphanum_key(key):
+ return [convert(c) for c in re.split('([0-9]+)', str(key))]
+
def format_output(conns, sas):
sa_data = []
@@ -111,7 +117,7 @@ if __name__ == '__main__':
headers = ["Connection", "State", "Uptime", "Bytes In/Out", "Packets In/Out", "Remote address", "Remote ID", "Proposal"]
sa_data = format_output(conns, sas)
- sa_data = sorted(sa_data, key=lambda peer: peer[0])
+ sa_data = sorted(sa_data, key=alphanum_key)
output = tabulate.tabulate(sa_data, headers)
print(output)
except PermissionError:
diff --git a/src/op_mode/show_nat_rules.py b/src/op_mode/show_nat_rules.py
index 0f40ecabe..d68def26a 100755
--- a/src/op_mode/show_nat_rules.py
+++ b/src/op_mode/show_nat_rules.py
@@ -67,46 +67,54 @@ if args.source or args.destination:
continue
interface = dict_search('match.right', data['expr'][0])
srcdest = ''
- for i in [1, 2]:
- srcdest_json = dict_search('match.right', data['expr'][i])
- if not srcdest_json:
- continue
-
- if isinstance(srcdest_json,str):
- srcdest += srcdest_json + ' '
- elif 'prefix' in srcdest_json:
- addr_tmp = dict_search('match.right.prefix.addr', data['expr'][i])
- len_tmp = dict_search('match.right.prefix.len', data['expr'][i])
- if addr_tmp and len_tmp:
- srcdest = addr_tmp + '/' + str(len_tmp) + ' '
- elif 'set' in srcdest_json:
- if isinstance(srcdest_json['set'][0],str):
- srcdest += 'port ' + str(srcdest_json['set'][0]) + ' '
- else:
- port_range = srcdest_json['set'][0]['range']
- srcdest += 'port ' + str(port_range[0]) + '-' + str(port_range[1]) + ' '
-
+ srcdests = []
tran_addr = ''
- tran_addr_json = dict_search('snat.addr' if args.source else 'dnat.addr', data['expr'][3])
- if tran_addr_json:
- if isinstance(tran_addr_json,str):
- tran_addr = tran_addr_json
- elif 'prefix' in tran_addr_json:
- addr_tmp = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3])
- len_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3])
- if addr_tmp and len_tmp:
- tran_addr = addr_tmp + '/' + str(len_tmp)
- else:
- if 'masquerade' in data['expr'][3]:
- tran_addr = 'masquerade'
- elif 'log' in data['expr'][3]:
- continue
-
- tran_port = dict_search('snat.port' if args.source else 'dnat.port', data['expr'][3])
- if tran_port:
- tran_addr += ' port ' + str(tran_port)
+ for i in range(1,len(data['expr']) ):
+ srcdest_json = dict_search('match.right', data['expr'][i])
+ if srcdest_json:
+ if isinstance(srcdest_json,str):
+ if srcdest != '':
+ srcdests.append(srcdest)
+ srcdest = ''
+ srcdest = srcdest_json + ' '
+ elif 'prefix' in srcdest_json:
+ addr_tmp = dict_search('match.right.prefix.addr', data['expr'][i])
+ len_tmp = dict_search('match.right.prefix.len', data['expr'][i])
+ if addr_tmp and len_tmp:
+ srcdest = addr_tmp + '/' + str(len_tmp) + ' '
+ elif 'set' in srcdest_json:
+ if isinstance(srcdest_json['set'][0],int):
+ srcdest += 'port ' + str(srcdest_json['set'][0]) + ' '
+ else:
+ port_range = srcdest_json['set'][0]['range']
+ srcdest += 'port ' + str(port_range[0]) + '-' + str(port_range[1]) + ' '
+
+ tran_addr_json = dict_search('snat' if args.source else 'dnat', data['expr'][i])
+ if tran_addr_json:
+ if isinstance(tran_addr_json['addr'],str):
+ tran_addr += tran_addr_json['addr'] + ' '
+ elif 'prefix' in tran_addr_json['addr']:
+ addr_tmp = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3])
+ len_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3])
+ if addr_tmp and len_tmp:
+ tran_addr += addr_tmp + '/' + str(len_tmp) + ' '
+
+ if isinstance(tran_addr_json['port'],int):
+ tran_addr += 'port ' + tran_addr_json['port']
+
+ else:
+ if 'masquerade' in data['expr'][i]:
+ tran_addr = 'masquerade'
+ elif 'log' in data['expr'][i]:
+ continue
- print(format_nat_rule.format(rule, srcdest, tran_addr, interface))
+ if srcdest != '':
+ srcdests.append(srcdest)
+ srcdest = ''
+ print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
+
+ for i in range(1, len(srcdests)):
+ print(format_nat_rule.format(' ', srcdests[i], ' ', ' '))
exit(0)
else:
diff --git a/src/op_mode/show_system_integrity.py b/src/op_mode/show_system_integrity.py
deleted file mode 100755
index c34d41e80..000000000
--- a/src/op_mode/show_system_integrity.py
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-#
-
-import sys
-import os
-import re
-import json
-from datetime import datetime, timedelta
-
-version_file = r'/usr/share/vyos/version.json'
-
-
-def _get_sys_build_version():
- if not os.path.exists(version_file):
- return None
- buf = open(version_file, 'r').read()
- j = json.loads(buf)
- if not 'built_on' in j:
- return None
- return datetime.strptime(j['built_on'], '%a %d %b %Y %H:%M %Z')
-
-
-def _check_pkgs(build_stamp):
- pkg_diffs = {
- 'buildtime': str(build_stamp),
- 'pkg': {}
- }
-
- pkg_info = os.listdir('/var/lib/dpkg/info/')
- for file in pkg_info:
- if re.search('\.list$', file):
- fts = os.stat('/var/lib/dpkg/info/' + file).st_mtime
- dt_str = (datetime.utcfromtimestamp(
- fts).strftime('%Y-%m-%d %H:%M:%S'))
- fdt = datetime.strptime(dt_str, '%Y-%m-%d %H:%M:%S')
- if fdt > build_stamp:
- pkg_diffs['pkg'].update(
- {str(re.sub('\.list', '', file)): str(fdt)})
-
- if len(pkg_diffs['pkg']) != 0:
- return pkg_diffs
- else:
- return None
-
-
-if __name__ == '__main__':
- built_date = _get_sys_build_version()
- if not built_date:
- sys.exit(1)
- pkgs = _check_pkgs(built_date)
- if pkgs:
- print (
- "The following packages don\'t fit the image creation time\nbuild time:\t" + pkgs['buildtime'])
- for k, v in pkgs['pkg'].items():
- print ("installed: " + v + '\t' + k)
diff --git a/src/op_mode/show_version.py b/src/op_mode/show_version.py
index 5bbc2e1f1..7962e1e7b 100755
--- a/src/op_mode/show_version.py
+++ b/src/op_mode/show_version.py
@@ -32,12 +32,12 @@ parser.add_argument("-j", "--json", action="store_true", help="Produce JSON outp
version_output_tmpl = """
Version: VyOS {{version}}
-Release Train: {{release_train}}
+Release train: {{release_train}}
Built by: {{built_by}}
Built on: {{built_on}}
Build UUID: {{build_uuid}}
-Build Commit ID: {{build_git}}
+Build commit ID: {{build_git}}
Architecture: {{system_arch}}
Boot via: {{boot_via}}
diff --git a/src/op_mode/show_wwan.py b/src/op_mode/show_wwan.py
index 249dda2a5..529b5bd0f 100755
--- a/src/op_mode/show_wwan.py
+++ b/src/op_mode/show_wwan.py
@@ -34,13 +34,17 @@ required = parser.add_argument_group('Required arguments')
required.add_argument("--interface", help="WWAN interface name, e.g. wwan0", required=True)
def qmi_cmd(device, command, silent=False):
- tmp = cmd(f'qmicli --device={device} --device-open-proxy {command}')
- tmp = tmp.replace(f'[{cdc}] ', '')
- if not silent:
- # skip first line as this only holds the info headline
- for line in tmp.splitlines()[1:]:
- print(line.lstrip())
- return tmp
+ try:
+ tmp = cmd(f'qmicli --device={device} --device-open-proxy {command}')
+ tmp = tmp.replace(f'[{cdc}] ', '')
+ if not silent:
+ # skip first line as this only holds the info headline
+ for line in tmp.splitlines()[1:]:
+ print(line.lstrip())
+ return tmp
+ except:
+ print('Command not supported by Modem')
+ exit(1)
if __name__ == '__main__':
args = parser.parse_args()
diff --git a/src/op_mode/wireguard_client.py b/src/op_mode/wireguard_client.py
index 7661254da..76c1ff7d1 100755
--- a/src/op_mode/wireguard_client.py
+++ b/src/op_mode/wireguard_client.py
@@ -39,10 +39,11 @@ To enable this configuration on a VyOS router you can use the following commands
set interfaces wireguard {{ interface }} peer {{ name }} allowed-ips '{{ addr }}'
{% endfor %}
set interfaces wireguard {{ interface }} peer {{ name }} public-key '{{ pubkey }}'
+
+=== RoadWarrior (client) configuration ===
"""
client_config = """
-=== RoadWarrior (client) configuration ===
[Interface]
PrivateKey = {{ privkey }}
diff --git a/src/system/keepalived-fifo.py b/src/system/keepalived-fifo.py
index 3b4330e9b..1fba0d75b 100755
--- a/src/system/keepalived-fifo.py
+++ b/src/system/keepalived-fifo.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2020 VyOS maintainers and contributors
+# Copyright (C) 2020-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -13,7 +13,6 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
import os
import time
@@ -22,11 +21,13 @@ import argparse
import threading
import re
import json
-from pathlib import Path
-from queue import Queue
import logging
+
+from queue import Queue
from logging.handlers import SysLogHandler
+from vyos.ifconfig.vrrp import VRRP
+from vyos.configquery import ConfigTreeQuery
from vyos.util import cmd
# configure logging
@@ -44,12 +45,13 @@ mdns_update_command = 'sudo /usr/libexec/vyos/conf_mode/service_mdns-repeater.py
class KeepalivedFifo:
# init - read command arguments
def __init__(self):
- logger.info("Starting FIFO pipe for Keepalived")
+ logger.info('Starting FIFO pipe for Keepalived')
# define program arguments
cmd_args_parser = argparse.ArgumentParser(description='Create FIFO pipe for keepalived and process notify events', add_help=False)
cmd_args_parser.add_argument('PIPE', help='path to the FIFO pipe')
# parse arguments
cmd_args = cmd_args_parser.parse_args()
+
self._config_load()
self.pipe_path = cmd_args.PIPE
@@ -61,33 +63,34 @@ class KeepalivedFifo:
# load configuration
def _config_load(self):
try:
- # read the dictionary file with configuration
- with open('/run/keepalived_config.dict', 'r') as dict_file:
- vrrp_config_dict = json.load(dict_file)
+ base = ['high-availability', 'vrrp']
+ conf = ConfigTreeQuery()
+ if not conf.exists(base):
+ raise ValueError()
+
+ # Read VRRP configuration directly from CLI
+ vrrp_config_dict = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True)
self.vrrp_config = {'vrrp_groups': {}, 'sync_groups': {}}
- # save VRRP instances to the new dictionary
- for vrrp_group in vrrp_config_dict['vrrp_groups']:
- self.vrrp_config['vrrp_groups'][vrrp_group['name']] = {
- 'STOP': vrrp_group.get('stop_script'),
- 'FAULT': vrrp_group.get('fault_script'),
- 'BACKUP': vrrp_group.get('backup_script'),
- 'MASTER': vrrp_group.get('master_script')
- }
- # save VRRP sync groups to the new dictionary
- for sync_group in vrrp_config_dict['sync_groups']:
- self.vrrp_config['sync_groups'][sync_group['name']] = {
- 'STOP': sync_group.get('stop_script'),
- 'FAULT': sync_group.get('fault_script'),
- 'BACKUP': sync_group.get('backup_script'),
- 'MASTER': sync_group.get('master_script')
- }
- logger.debug("Loaded configuration: {}".format(self.vrrp_config))
+ for key in ['group', 'sync_group']:
+ if key not in vrrp_config_dict:
+ continue
+ for group, group_config in vrrp_config_dict[key].items():
+ if 'transition_script' not in group_config:
+ continue
+ self.vrrp_config['vrrp_groups'][group] = {
+ 'STOP': group_config['transition_script'].get('stop'),
+ 'FAULT': group_config['transition_script'].get('fault'),
+ 'BACKUP': group_config['transition_script'].get('backup'),
+ 'MASTER': group_config['transition_script'].get('master'),
+ }
+ logger.info(f'Loaded configuration: {self.vrrp_config}')
except Exception as err:
- logger.error("Unable to load configuration: {}".format(err))
+ logger.error(f'Unable to load configuration: {err}')
# run command
def _run_command(self, command):
- logger.debug("Running the command: {}".format(command))
+ logger.debug(f'Running the command: {command}')
try:
cmd(command)
except OSError as err:
@@ -95,14 +98,14 @@ class KeepalivedFifo:
# create FIFO pipe
def pipe_create(self):
- if Path(self.pipe_path).exists():
- logger.info("PIPE already exist: {}".format(self.pipe_path))
+ if os.path.exists(self.pipe_path):
+ logger.info(f'PIPE already exist: {self.pipe_path}')
else:
os.mkfifo(self.pipe_path)
# process message from pipe
def pipe_process(self):
- logger.debug("Message processing start")
+ logger.debug('Message processing start')
regex_notify = re.compile(r'^(?P<type>\w+) "(?P<name>[\w-]+)" (?P<state>\w+) (?P<priority>\d+)$', re.MULTILINE)
while self.stopme.is_set() is False:
# wait for a new message event from pipe_wait
@@ -113,14 +116,14 @@ class KeepalivedFifo:
# get all messages from queue and try to process them
while self.message_queue.empty() is not True:
message = self.message_queue.get()
- logger.debug("Received message: {}".format(message))
+ logger.debug(f'Received message: {message}')
notify_message = regex_notify.search(message)
# try to process a message if it looks valid
if notify_message:
n_type = notify_message.group('type')
n_name = notify_message.group('name')
n_state = notify_message.group('state')
- logger.info("{} {} changed state to {}".format(n_type, n_name, n_state))
+ logger.info(f'{n_type} {n_name} changed state to {n_state}')
# check and run commands for VRRP instances
if n_type == 'INSTANCE':
if os.path.exists(mdns_running_file):
@@ -135,7 +138,7 @@ class KeepalivedFifo:
if n_type == 'GROUP':
if os.path.exists(mdns_running_file):
cmd(mdns_update_command)
-
+
if n_name in self.vrrp_config['sync_groups'] and n_state in self.vrrp_config['sync_groups'][n_name]:
n_script = self.vrrp_config['sync_groups'][n_name].get(n_state)
if n_script:
@@ -143,16 +146,16 @@ class KeepalivedFifo:
# mark task in queue as done
self.message_queue.task_done()
except Exception as err:
- logger.error("Error processing message: {}".format(err))
- logger.debug("Terminating messages processing thread")
+ logger.error(f'Error processing message: {err}')
+ logger.debug('Terminating messages processing thread')
# wait for messages
def pipe_wait(self):
- logger.debug("Message reading start")
+ logger.debug('Message reading start')
self.pipe_read = os.open(self.pipe_path, os.O_RDONLY | os.O_NONBLOCK)
while self.stopme.is_set() is False:
# sleep a bit to not produce 100% CPU load
- time.sleep(0.1)
+ time.sleep(0.250)
try:
# try to read a message from PIPE
message = os.read(self.pipe_read, 500)
@@ -165,21 +168,19 @@ class KeepalivedFifo:
except Exception as err:
# ignore the "Resource temporarily unavailable" error
if err.errno != 11:
- logger.error("Error receiving message: {}".format(err))
+ logger.error(f'Error receiving message: {err}')
- logger.debug("Closing FIFO pipe")
+ logger.debug('Closing FIFO pipe')
os.close(self.pipe_read)
-
# handle SIGTERM signal to allow finish all messages processing
def sigterm_handle(signum, frame):
- logger.info("Ending processing: Received SIGTERM signal")
+ logger.info('Ending processing: Received SIGTERM signal')
fifo.stopme.set()
thread_wait_message.join()
fifo.message_event.set()
thread_process_message.join()
-
signal.signal(signal.SIGTERM, sigterm_handle)
# init our class
diff --git a/src/systemd/opennhrp.service b/src/systemd/opennhrp.service
index 70235f89d..c9a44de29 100644
--- a/src/systemd/opennhrp.service
+++ b/src/systemd/opennhrp.service
@@ -6,8 +6,8 @@ StartLimitIntervalSec=0
[Service]
Type=forking
-ExecStart=/usr/sbin/opennhrp -d -v -a /run/opennhrp.socket -c /run/opennhrp/opennhrp.conf -s /etc/opennhrp/opennhrp-script.py -p /run/opennhrp.pid
+ExecStart=/usr/sbin/opennhrp -d -v -a /run/opennhrp.socket -c /run/opennhrp/opennhrp.conf -s /etc/opennhrp/opennhrp-script.py -p /run/opennhrp/opennhrp.pid
ExecReload=/usr/bin/kill -HUP $MAINPID
-PIDFile=/run/opennhrp.pid
+PIDFile=/run/opennhrp/opennhrp.pid
Restart=on-failure
RestartSec=20
diff --git a/src/tests/test_dict_search.py b/src/tests/test_dict_search.py
index 991722f0f..1028437b2 100644
--- a/src/tests/test_dict_search.py
+++ b/src/tests/test_dict_search.py
@@ -16,13 +16,25 @@
from unittest import TestCase
from vyos.util import dict_search
+from vyos.util import dict_search_recursive
data = {
'string': 'fooo',
'nested': {'string': 'bar', 'empty': '', 'list': ['foo', 'bar']},
'non': {},
'list': ['bar', 'baz'],
- 'dict': {'key_1': {}, 'key_2': 'vyos'}
+ 'dict': {'key_1': {}, 'key_2': 'vyos'},
+ 'interfaces': {'dummy': {'dum0': {'address': ['192.0.2.17/29']}},
+ 'ethernet': {'eth0': {'address': ['2001:db8::1/64', '192.0.2.1/29'],
+ 'description': 'Test123',
+ 'duplex': 'auto',
+ 'hw_id': '00:00:00:00:00:01',
+ 'speed': 'auto'},
+ 'eth1': {'address': ['192.0.2.9/29'],
+ 'description': 'Test456',
+ 'duplex': 'auto',
+ 'hw_id': '00:00:00:00:00:02',
+ 'speed': 'auto'}}}
}
class TestDictSearch(TestCase):
@@ -63,3 +75,10 @@ class TestDictSearch(TestCase):
# TestDictSearch: Return list items when querying nested list
self.assertEqual(dict_search('nested.list', None), None)
self.assertEqual(dict_search(None, data), None)
+
+ def test_dict_search_recursive(self):
+ # Test nested search in dictionary
+ tmp = list(dict_search_recursive(data, 'hw_id'))
+ self.assertEqual(len(tmp), 2)
+ tmp = list(dict_search_recursive(data, 'address'))
+ self.assertEqual(len(tmp), 3)
diff --git a/src/validators/base64 b/src/validators/base64
new file mode 100755
index 000000000..e2b1e730d
--- /dev/null
+++ b/src/validators/base64
@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import base64
+from sys import argv
+
+if __name__ == '__main__':
+ if len(argv) != 2:
+ exit(1)
+ try:
+ base64.b64decode(argv[1])
+ except:
+ exit(1)
+ exit(0)
diff --git a/src/validators/bgp-large-community-list b/src/validators/bgp-large-community-list
new file mode 100755
index 000000000..c07268e81
--- /dev/null
+++ b/src/validators/bgp-large-community-list
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import sys
+
+from vyos.template import is_ipv4
+
+pattern = '(.*):(.*):(.*)'
+
+if __name__ == '__main__':
+ if len(sys.argv) != 2:
+ sys.exit(1)
+
+ value = sys.argv[1].split(':')
+ if not len(value) == 3:
+ sys.exit(1)
+
+ if not (re.match(pattern, sys.argv[1]) and
+ (is_ipv4(value[0]) or value[0].isdigit()) and value[1].isdigit()):
+ sys.exit(1)
+
+ sys.exit(0)
diff --git a/src/validators/bgp-route-target b/src/validators/bgp-route-target
new file mode 100755
index 000000000..e7e4d403f
--- /dev/null
+++ b/src/validators/bgp-route-target
@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from argparse import ArgumentParser
+from vyos.template import is_ipv4
+
+parser = ArgumentParser()
+group = parser.add_mutually_exclusive_group()
+group.add_argument('--single', action='store', help='Validate and allow only one route-target')
+group.add_argument('--multi', action='store', help='Validate multiple, whitespace separated route-targets')
+args = parser.parse_args()
+
+def is_valid_rt(rt):
+ # every route target needs to have a colon and must consists of two parts
+ value = rt.split(':')
+ if len(value) != 2:
+ return False
+ # A route target must either be only numbers, or the first part must be an
+ # IPv4 address
+ if (is_ipv4(value[0]) or value[0].isdigit()) and value[1].isdigit():
+ return True
+ return False
+
+if __name__ == '__main__':
+ if args.single:
+ if not is_valid_rt(args.single):
+ exit(1)
+
+ elif args.multi:
+ for rt in args.multi.split(' '):
+ if not is_valid_rt(rt):
+ exit(1)
+
+ else:
+ parser.print_help()
+ exit(1)
+
+ exit(0)
diff --git a/src/validators/script b/src/validators/script
index 2665ec1f6..1d8a27e5c 100755
--- a/src/validators/script
+++ b/src/validators/script
@@ -1,8 +1,6 @@
#!/usr/bin/env python3
#
-# numeric value validator
-#
-# Copyright (C) 2018 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -23,7 +21,6 @@ import shlex
import vyos.util
-
if __name__ == '__main__':
if len(sys.argv) < 2:
sys.exit('Please specify script file to check')
@@ -35,11 +32,11 @@ if __name__ == '__main__':
sys.exit(f'File {script} does not exist')
if not (os.path.isfile(script) and os.access(script, os.X_OK)):
- sys.exit('File {script} is not an executable file')
+ sys.exit(f'File {script} is not an executable file')
# File outside the config dir is just a warning
if not vyos.util.file_is_persistent(script):
sys.exit(
- 'Warning: file {path} is outside the / config directory\n'
+ f'Warning: file {path} is outside the / config directory\n'
'It will not be automatically migrated to a new image on system update'
)