diff options
35 files changed, 1327 insertions, 176 deletions
| diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies.json index ccee359d1..91a757c16 100644 --- a/data/config-mode-dependencies.json +++ b/data/config-mode-dependencies.json @@ -28,5 +28,8 @@             "wireguard": ["interfaces-wireguard"],             "wireless": ["interfaces-wireless"],             "wwan": ["interfaces-wwan"] +         }, +  "vpp": { +           "ethernet": ["interfaces-ethernet"]           }  } diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 index 7a89d29e4..1c9bda64f 100644 --- a/data/templates/firewall/nftables-policy.j2 +++ b/data/templates/firewall/nftables-policy.j2 @@ -11,7 +11,7 @@ table ip vyos_mangle {          type filter hook prerouting priority -150; policy accept;  {% if route is vyos_defined %}  {%     for route_text, conf in route.items() if conf.interface is vyos_defined %} -        iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_{{ route_text }} +        iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_UD_{{ route_text }}  {%     endfor %}  {% endif %}      } @@ -22,7 +22,7 @@ table ip vyos_mangle {  {% if route is vyos_defined %}  {%     for route_text, conf in route.items() %} -    chain VYOS_PBR_{{ route_text }} { +    chain VYOS_PBR_UD_{{ route_text }} {  {%         if conf.rule is vyos_defined %}  {%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}          {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }} @@ -40,7 +40,7 @@ table ip6 vyos_mangle {          type filter hook prerouting priority -150; policy accept;  {% if route6 is vyos_defined %}  {%     for route_text, conf in route6.items() if conf.interface is vyos_defined %} -        iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_{{ route_text }} +        iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_UD_{{ route_text }}  {%     endfor %}  {% endif %}      } @@ -51,7 +51,7 @@ table ip6 vyos_mangle {  {% if route6 is vyos_defined %}  {%     for route_text, conf in route6.items() %} -    chain VYOS_PBR6_{{ route_text }} { +    chain VYOS_PBR6_UD_{{ route_text }} {  {%         if conf.rule is vyos_defined %}  {%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}          {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 3f97b7325..1ee8d8752 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -72,6 +72,9 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}  {%         endfor %}  {%     endfor %}  {% endif %} +{% if aggregation.timer is vyos_defined %} + aggregation timer {{ aggregation.timer }} +{% endif %}  {% if area is vyos_defined %}  {%     for area_id, area_config in area.items() %}  {%         if area_config.area_type is vyos_defined %} @@ -200,6 +203,11 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }}  {% if refresh.timers is vyos_defined %}   refresh timer {{ refresh.timers }}  {% endif %} +{% if summary_address is vyos_defined %} +{%     for prefix, prefix_options in summary_address.items() %} + summary-address {{ prefix }} {{ 'tag ' + prefix_options.tag if prefix_options.tag is vyos_defined }}{{ 'no-advertise' if prefix_options.no_advertise is vyos_defined }} +{%     endfor %} +{% endif %}  {% if segment_routing is vyos_defined %}  {%     if segment_routing.maximum_label_depth is vyos_defined %}   segment-routing node-msd {{ segment_routing.maximum_label_depth }} diff --git a/data/templates/vpp/override.conf.j2 b/data/templates/vpp/override.conf.j2 new file mode 100644 index 000000000..a2c2b04ed --- /dev/null +++ b/data/templates/vpp/override.conf.j2 @@ -0,0 +1,14 @@ +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/vpp/vpp.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=/usr/bin/vpp -c /run/vpp/vpp.conf +WorkingDirectory= +WorkingDirectory=/run/vpp +Restart=always +RestartSec=10 diff --git a/data/templates/vpp/startup.conf.j2 b/data/templates/vpp/startup.conf.j2 new file mode 100644 index 000000000..f33539fba --- /dev/null +++ b/data/templates/vpp/startup.conf.j2 @@ -0,0 +1,116 @@ +# Generated by /usr/libexec/vyos/conf_mode/vpp.py + +unix { +    nodaemon +    log /var/log/vpp.log +    full-coredump +    cli-listen /run/vpp/cli.sock +    gid vpp +    # exec /etc/vpp/bootstrap.vpp +{% if unix is vyos_defined %} +{%     if unix.poll_sleep_usec is vyos_defined %} +    poll-sleep-usec {{ unix.poll_sleep_usec }} +{%     endif %} +{% endif %} +} + +{% if cpu is vyos_defined %} +cpu { +{%     if cpu.main_core is vyos_defined %} +    main-core {{ cpu.main_core }} +{%     endif %} +{%     if cpu.corelist_workers is vyos_defined %} +    corelist-workers {{ cpu.corelist_workers | join(',') }} +{%     endif %} +{%     if cpu.skip_cores is vyos_defined %} +    skip-cores {{ cpu.skip_cores }} +{%     endif %} +{%     if cpu.workers is vyos_defined %} +    workers {{ cpu.workers }} +{%     endif %} +} +{% endif %} + +{# ip heap-size does not work now (23.06-rc2~1-g3a4e62ad4) #} +{# vlib_call_all_config_functions: unknown input `ip  heap-size 32M ' #} +{% if ip is vyos_defined %} +#ip { +#{%     if ip.heap_size is vyos_defined %} +#    heap-size {{ ip.heap_size }}M +#{%     endif %} +#} +{% endif %} + +{% if ip6 is vyos_defined %} +ip6 { +{%     if ip6.hash_buckets is vyos_defined %} +    hash-buckets {{ ip6.hash_buckets }} +{%     endif %} +{%     if ip6.heap_size is vyos_defined %} +    heap-size {{ ip6.heap_size }}M +{%     endif %} +} +{% endif %} + +{% if l2learn is vyos_defined %} +l2learn { +{%     if l2learn.limit is vyos_defined %} +    limit {{ l2learn.limit }} +{%     endif %} +} +{% endif %} + +{% if logging is vyos_defined %} +logging { +{%     if logging.default_log_level is vyos_defined %} +    default-log-level {{ logging.default_log_level }} +{%     endif %} +} +{% endif %} + +{% if physmem is vyos_defined %} +physmem { +{%     if physmem.max_size is vyos_defined %} +    max-size {{ physmem.max_size.upper() }} +{%     endif %} +} +{% endif %} + +plugins { +    path /usr/lib/x86_64-linux-gnu/vpp_plugins/ +    plugin default { disable } +    plugin dpdk_plugin.so { enable } +    plugin linux_cp_plugin.so { enable } +    plugin linux_nl_plugin.so { enable } +} + +linux-cp { +    lcp-sync +    lcp-auto-subint +} + +dpdk { +    # Whitelist the fake PCI address 0000:00:00.0 +    # This prevents all devices from being added to VPP-DPDK by default +    dev 0000:00:00.0 +{% for iface, iface_config in interface.items() %} +{%     if iface_config.pci is vyos_defined %} +    dev {{ iface_config.pci }} { +        name {{ iface }} +{%         if iface_config.num_rx_desc is vyos_defined %} +        num-rx-desc {{ iface_config.num_rx_desc }} +{%         endif %} +{%         if iface_config.num_tx_desc is vyos_defined %} +        num-tx-desc {{ iface_config.num_tx_desc }} +{%         endif %} +{%         if iface_config.num_rx_queues is vyos_defined %} +        num-rx-queues {{ iface_config.num_rx_queues }} +{%         endif %} +{%         if iface_config.num_tx_queues is vyos_defined %} +        num-tx-queues {{ iface_config.num_tx_queues }} +{%         endif %} +        } +{%     endif %} +{% endfor %} +    uio-bind-force +} diff --git a/debian/control b/debian/control index dcce8036a..40920cadc 100644 --- a/debian/control +++ b/debian/control @@ -27,9 +27,9 @@ Standards-Version: 3.9.6  Package: vyos-1x  Architecture: amd64 arm64  Pre-Depends: -  libnss-tacplus (>= 1.0.4), -  libpam-tacplus (>= 1.4.3), -  libpam-radius-auth (>= 1.5.0) +  libnss-tacplus [amd64], +  libpam-tacplus [amd64], +  libpam-radius-auth [amd64]  Depends:    ${python3:Depends} (>= 3.10),    aardvark-dns, @@ -90,6 +90,7 @@ Depends:    libqmi-utils,    libstrongswan-extra-plugins (>=5.9),    libstrongswan-standard-plugins (>=5.9), +  libvppinfra,    libvyosconfig0,    lldpd,    lm-sensors, @@ -142,6 +143,7 @@ Depends:    python3-tabulate,    python3-vici (>= 5.7.2),    python3-voluptuous, +  python3-vpp-api,    python3-xmltodict,    python3-zmq,    qrencode, @@ -176,6 +178,9 @@ Depends:    uidmap,    usb-modeswitch,    usbutils, +  vpp, +  vpp-plugin-core, +  vpp-plugin-dpdk,    vyatta-bash,    vyatta-cfg,    vyos-http-api-tools, diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 9822ce286..2958afd0a 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -179,3 +179,12 @@ systemctl enable vyos-config-cloud-init.service  # Generate API GraphQL schema  /usr/libexec/vyos/services/api/graphql/generate/generate_schema.py + +# T1797: disable VPP support for rolling release, should be used by developers +# only (in the initial phase). If you wan't to enable VPP use the below command +# on your VyOS installation: +# +# sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp +if [ -d /opt/vyatta/share/vyatta-cfg/templates/vpp ]; then +    mv /opt/vyatta/share/vyatta-cfg/templates/vpp /opt/vyatta/share/vyatta-cfg/vpp +fi diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index bfbeb112c..92037a915 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -7,3 +7,4 @@ dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus  dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf  dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc  dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile +dpkg-divert --package vyos-1x --add --no-rename /etc/sysctl.d/80-vpp.conf diff --git a/interface-definitions/include/interface/parameters-innerproto.xml.i b/interface-definitions/include/interface/parameters-innerproto.xml.i new file mode 100644 index 000000000..9cafebd11 --- /dev/null +++ b/interface-definitions/include/interface/parameters-innerproto.xml.i @@ -0,0 +1,8 @@ +<!-- include start from interface/parameters-innerproto.xml.i --> +<leafNode name="innerproto"> +  <properties> +    <help>Use IPv4 as inner protocol instead of Ethernet</help> +    <valueless/> +  </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index b7f22cb88..3492b873f 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -1,4 +1,24 @@  <!-- include start from ospf/protocol-common-config.xml.i --> +<node name="aggregation"> +  <properties> +    <help>External route aggregation</help> +  </properties> +  <children> +    <leafNode name="timer"> +      <properties> +        <help>Delay timer</help> +        <valueHelp> +          <format>u32:5-1800</format> +          <description>Timer interval in seconds</description> +        </valueHelp> +        <constraint> +          <validator name="numeric" argument="--range 5-1800"/> +        </constraint> +      </properties> +      <defaultValue>5</defaultValue> +    </leafNode> +  </children> +</node>  <tagNode name="access-list">    <properties>      <help>Access list to filter networks in routing updates</help> @@ -816,6 +836,38 @@      </leafNode>    </children>  </node> +<tagNode name="summary-address"> +  <properties> +    <help>External summary address</help> +    <valueHelp> +      <format>ipv4net</format> +      <description>OSPF area number in dotted decimal notation</description> +    </valueHelp> +    <constraint> +      <validator name="ipv4-prefix"/> +    </constraint> +  </properties> +  <children> +    <leafNode name="no-advertise"> +      <properties> +        <help>Don not advertise summary route</help> +        <valueless/> +      </properties> +    </leafNode> +    <leafNode name="tag"> +      <properties> +        <help>Router tag</help> +        <valueHelp> +          <format>u32:1-4294967295</format> +          <description>Router tag value</description> +        </valueHelp> +        <constraint> +          <validator name="numeric" argument="--range 1-4294967295"/> +        </constraint> +      </properties> +    </leafNode> +  </children> +</tagNode>  <node name="timers">    <properties>      <help>Adjust routing timers</help> diff --git a/interface-definitions/include/policy/tag.xml.i b/interface-definitions/include/policy/tag.xml.i new file mode 100644 index 000000000..ec25b9391 --- /dev/null +++ b/interface-definitions/include/policy/tag.xml.i @@ -0,0 +1,14 @@ +<!-- include start from policy/tag.xml.i --> +<leafNode name="tag"> +  <properties> +    <help>Route tag value</help> +    <valueHelp> +      <format>u32:1-65535</format> +      <description>Route tag</description> +    </valueHelp> +    <constraint> +      <validator name="numeric" argument="--range 1-65535"/> +    </constraint> +  </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index 330dadd95..29b563a09 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -36,6 +36,7 @@                    #include <include/interface/parameters-df.xml.i>                    #include <include/interface/parameters-tos.xml.i>                    #include <include/interface/parameters-ttl.xml.i> +                  #include <include/interface/parameters-innerproto.xml.i>                  </children>                </node>                <node name="ipv6"> diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 03f169c05..dd1e8e511 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -5,7 +5,7 @@        <tagNode name="wireguard" owner="${vyos_conf_scripts_dir}/interfaces-wireguard.py">          <properties>            <help>WireGuard Interface</help> -          <priority>381</priority> +          <priority>379</priority>            <constraint>              <regex>wg[0-9]+</regex>            </constraint> diff --git a/interface-definitions/netns.xml.in b/interface-definitions/netns.xml.in index 87880e96a..5d958968f 100644 --- a/interface-definitions/netns.xml.in +++ b/interface-definitions/netns.xml.in @@ -3,7 +3,7 @@    <node name="netns" owner="${vyos_conf_scripts_dir}/netns.py">      <properties>        <help>Network namespace</help> -      <priority>299</priority> +      <priority>291</priority>      </properties>      <children>        <tagNode name="name"> diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index aa39950c2..c470cfdb3 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -1052,18 +1052,7 @@                        </constraint>                      </properties>                    </leafNode> -                  <leafNode name="tag"> -                    <properties> -                      <help>Route tag to match</help> -                      <valueHelp> -                        <format>u32:1-65535</format> -                        <description>Route tag</description> -                      </valueHelp> -                      <constraint> -                        <validator name="numeric" argument="--range 1-65535"/> -                      </constraint> -                    </properties> -                  </leafNode> +                  #include <include/policy/tag.xml.i>                  </children>                </node>                <node name="on-match"> @@ -1548,18 +1537,7 @@                        </constraint>                      </properties>                    </leafNode> -                  <leafNode name="tag"> -                    <properties> -                      <help>Tag value for routing protocol</help> -                      <valueHelp> -                        <format>u32:1-65535</format> -                        <description>Tag value</description> -                      </valueHelp> -                      <constraint> -                        <validator name="numeric" argument="--range 1-65535"/> -                      </constraint> -                    </properties> -                  </leafNode> +                  #include <include/policy/tag.xml.i>                    <leafNode name="weight">                      <properties>                        <help>BGP weight attribute</help> diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in index 0fa349e0b..efab50a66 100644 --- a/interface-definitions/system-option.xml.in +++ b/interface-definitions/system-option.xml.in @@ -36,7 +36,7 @@               <properties>                 <help>System keyboard layout, type ISO2</help>                 <completionHelp> -                 <list>us uk fr de es fi jp106 no dk dvorak</list> +                 <list>us uk fr de es fi jp106 no dk se-latin1 dvorak</list>                 </completionHelp>                 <valueHelp>                   <format>us</format> @@ -75,11 +75,15 @@                   <description>Denmark</description>                 </valueHelp>                 <valueHelp> +                 <format>se-latin1</format> +                 <description>Sweden</description> +               </valueHelp> +               <valueHelp>                   <format>dvorak</format>                   <description>Dvorak</description>                 </valueHelp>                 <constraint> -                <regex>(us|uk|fr|de|es|fi|jp106|no|dk|dvorak)</regex> +                <regex>(us|uk|fr|de|es|fi|jp106|no|dk|se-latin1|dvorak)</regex>                </constraint>                <constraintErrorMessage>Invalid keyboard layout</constraintErrorMessage>               </properties> diff --git a/interface-definitions/vpp.xml.in b/interface-definitions/vpp.xml.in new file mode 100644 index 000000000..3f0758c0a --- /dev/null +++ b/interface-definitions/vpp.xml.in @@ -0,0 +1,342 @@ +<?xml version="1.0"?> +<interfaceDefinition> +  <node name="vpp" owner="${vyos_conf_scripts_dir}/vpp.py"> +    <properties> +      <help>Accelerated data-plane</help> +      <priority>295</priority> +    </properties> +    <children> +      <node name="cpu"> +        <properties> +          <help>CPU settings</help> +        </properties> +        <children> +          <leafNode name="corelist-workers"> +            <properties> +              <help>List of cores worker threads</help> +              <valueHelp> +                <format><id></format> +                <description>CPU core id</description> +              </valueHelp> +              <valueHelp> +                <format><idN>-<idM></format> +                <description>CPU core id range (use '-' as delimiter)</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--allow-range --range 0-512"/> +              </constraint> +              <constraintErrorMessage>not a valid CPU core value or range</constraintErrorMessage> +              <multi/> +            </properties> +          </leafNode> +          <leafNode name="main-core"> +            <properties> +              <help>Main core</help> +              <valueHelp> +                <format>u32:0-512</format> +                <description>Assign main thread to specific core</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 0-512"/> +              </constraint> +            </properties> +          </leafNode> +          <leafNode name="skip-cores"> +            <properties> +              <help>Skip cores</help> +              <valueHelp> +                <format>u32:0-512</format> +                <description>Skip cores</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 0-512"/> +              </constraint> +            </properties> +          </leafNode> +          <leafNode name="workers"> +            <properties> +              <help>Create worker threads</help> +              <valueHelp> +                <format>u32:0-4294967295</format> +                <description>Worker threads</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 0-512"/> +              </constraint> +            </properties> +          </leafNode> +        </children> +      </node> +      <tagNode name="interface"> +        <properties> +          <help>Interface</help> +          <valueHelp> +            <format>ethN</format> +            <description>Interface name</description> +          </valueHelp> +          <constraint> +            <regex>((eth|lan)[0-9]+|(eno|ens|enp|enx).+)</regex> +          </constraint> +          <constraintErrorMessage>Invalid interface name</constraintErrorMessage> +        </properties> +        <children> +          <leafNode name="num-rx-desc"> +            <properties> +              <help>Number of receive ring descriptors</help> +              <valueHelp> +                <format>u32:256-8192</format> +                <description>Number of receive ring descriptors</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 256-8192"/> +              </constraint> +            </properties> +          </leafNode> +          <leafNode name="num-tx-desc"> +            <properties> +              <help>Number of tranceive ring descriptors</help> +              <valueHelp> +                <format>u32:256-8192</format> +                <description>Number of tranceive ring descriptors</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 256-8192"/> +              </constraint> +            </properties> +          </leafNode> +          <leafNode name="num-rx-queues"> +            <properties> +              <help>Number of receive ring descriptors</help> +              <valueHelp> +                <format>u32:256-8192</format> +                <description>Number of receive queues</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 256-8192"/> +              </constraint> +            </properties> +          </leafNode> +          <leafNode name="num-tx-queues"> +            <properties> +              <help>Number of tranceive ring descriptors</help> +              <valueHelp> +                <format>u32:256-8192</format> +                <description>Number of tranceive queues</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 256-8192"/> +              </constraint> +            </properties> +          </leafNode> +          <leafNode name='pci'> +            <properties> +              <help>PCI address allocation</help> +              <valueHelp> +                <format>auto</format> +                <description>Auto detect PCI address</description> +              </valueHelp> +              <valueHelp> +                <format><xxxx:xx:xx.x></format> +                <description>Set Peripheral Component Interconnect (PCI) address</description> +              </valueHelp> +              <constraint> +                <regex>(auto|[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F])</regex> +              </constraint> +            </properties> +            <defaultValue>auto</defaultValue> +          </leafNode> +          <leafNode name="rx-mode"> +            <properties> +              <help>Receive packet processing mode</help> +              <completionHelp> +                <list>polling interrupt adaptive</list> +              </completionHelp> +              <valueHelp> +                <format>polling</format> +                <description>Constantly check for new data</description> +              </valueHelp> +              <valueHelp> +                <format>interrupt</format> +                <description>Interrupt mode</description> +              </valueHelp> +              <valueHelp> +                <format>adaptive</format> +                <description>Adaptive mode</description> +              </valueHelp> +              <constraint> +                <regex>(polling|interrupt|adaptive)</regex> +              </constraint> +            </properties> +          </leafNode> +        </children> +      </tagNode> +      <node name="ip"> +        <properties> +          <help>IP settings</help> +        </properties> +        <children> +          <leafNode name="heap-size"> +            <properties> +              <help>IPv4 heap size</help> +              <valueHelp> +                <format>u32:0-4294967295</format> +                <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 1-4294967295"/> +              </constraint> +            </properties> +            <defaultValue>32</defaultValue> +          </leafNode> +        </children> +      </node> +      <node name="ip6"> +        <properties> +          <help>IPv6 settings</help> +        </properties> +        <children> +          <leafNode name="heap-size"> +            <properties> +              <help>IPv6 heap size</help> +              <valueHelp> +                <format>u32:0-4294967295</format> +                <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 1-4294967295"/> +              </constraint> +            </properties> +            <defaultValue>32</defaultValue> +          </leafNode> +          <leafNode name="hash-buckets"> +            <properties> +              <help>IPv6 forwarding table hash buckets</help> +              <valueHelp> +                <format>u32:1-4294967295</format> +                <description>IPv6 forwarding table hash buckets</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 1-4294967295"/> +              </constraint> +            </properties> +            <defaultValue>65536</defaultValue> +          </leafNode> +        </children> +      </node> +      <node name="l2learn"> +        <properties> +          <help>Level 2 MAC address learning settings</help> +        </properties> +        <children> +          <leafNode name="limit"> +            <properties> +              <help>Number of MAC addresses in the L2 FIB</help> +              <valueHelp> +                <format>u32:1-4294967295</format> +                <description>Number of concurent entries</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 1-4294967295"/> +              </constraint> +            </properties> +            <defaultValue>4194304</defaultValue> +          </leafNode> +        </children> +      </node> +      <node name="logging"> +        <properties> +          <help>Loggint settings</help> +        </properties> +        <children> +          <leafNode name="default-log-level"> +            <properties> +              <help>default-log-level</help> +              <completionHelp> +                <list>alert crit debug disabled emerg err info notice warn</list> +              </completionHelp> +              <valueHelp> +                <format>alert</format> +                <description>Alert</description> +              </valueHelp> +              <valueHelp> +                <format>crit</format> +                <description>Critical</description> +              </valueHelp> +              <valueHelp> +                <format>debug</format> +                <description>Debug</description> +              </valueHelp> +              <valueHelp> +                <format>disabled</format> +                <description>Disabled</description> +              </valueHelp> +              <valueHelp> +                <format>emerg</format> +                <description>Emergency</description> +              </valueHelp> +              <valueHelp> +                <format>err</format> +                <description>Error</description> +              </valueHelp> +              <valueHelp> +                <format>info</format> +                <description>Informational</description> +              </valueHelp> +              <valueHelp> +                <format>notice</format> +                <description>Notice</description> +              </valueHelp> +              <valueHelp> +                <format>warn</format> +                <description>Warning</description> +              </valueHelp> +              <constraint> +                <regex>(alert|crit|debug|disabled|emerg|err|info|notice|warn)</regex> +              </constraint> +            </properties> +          </leafNode> +        </children> +      </node> +      <node name="physmem"> +        <properties> +          <help>Memory settings</help> +        </properties> +        <children> +          <leafNode name="max-size"> +            <properties> +              <help>Set memory size for protectable memory allocator (pmalloc) memory space</help> +              <valueHelp> +                <format><number>m</format> +                <description>Megabyte</description> +              </valueHelp> +              <valueHelp> +                <format><number>g</format> +                <description>Gigabyte</description> +              </valueHelp> +            </properties> +          </leafNode> +        </children> +      </node> +      <node name="unix"> +        <properties> +          <help>Unix settings</help> +        </properties> +        <children> +          <leafNode name="poll-sleep-usec"> +            <properties> +              <help>Add a fixed-sleep between main loop poll</help> +              <valueHelp> +                <format>u32:0-4294967295</format> +                <description>Number of receive queues</description> +              </valueHelp> +              <constraint> +                <validator name="numeric" argument="--range 0-4294967295"/> +              </constraint> +            </properties> +            <defaultValue>0</defaultValue> +          </leafNode> +        </children> +      </node> +    </children> +  </node> +</interfaceDefinition> diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index 9618ec93e..1205342df 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -595,40 +595,8 @@ def get_accel_dict(config, base, chap_secrets):      dict = config.get_config_dict(base, key_mangling=('-', '_'),                                    get_first_key=True, -                                  no_tag_node_value_mangle=True) - -    # We have gathered the dict representation of the CLI, but there are default -    # options which we need to update into the dictionary retrived. -    default_values = defaults(base) - -    # T2665: defaults include RADIUS server specifics per TAG node which need to -    # be added to individual RADIUS servers instead - so we can simply delete them -    if dict_search('authentication.radius.server', default_values): -        del default_values['authentication']['radius']['server'] - -    # T2665: defaults include static-ip address per TAG node which need to be -    # added to individual local users instead - so we can simply delete them -    if dict_search('authentication.local_users.username', default_values): -        del default_values['authentication']['local_users']['username'] - -    # T2665: defaults include IPv6 client-pool mask per TAG node which need to be -    # added to individual local users instead - so we can simply delete them -    if dict_search('client_ipv6_pool.prefix.mask', default_values): -        del default_values['client_ipv6_pool']['prefix']['mask'] -        # delete empty dicts -        if len (default_values['client_ipv6_pool']['prefix']) == 0: -            del default_values['client_ipv6_pool']['prefix'] -        if len (default_values['client_ipv6_pool']) == 0: -            del default_values['client_ipv6_pool'] - -    # T2665: IPoE only - it has an interface tag node -    # added to individual local users instead - so we can simply delete them -    if dict_search('authentication.interface', default_values): -        del default_values['authentication']['interface'] -    if dict_search('interface', default_values): -        del default_values['interface'] - -    dict = dict_merge(default_values, dict) +                                  no_tag_node_value_mangle=True, +                                  with_recursive_defaults=True)      # set CPUs cores to process requests      dict.update({'thread_count' : get_half_cpus()}) @@ -648,43 +616,9 @@ def get_accel_dict(config, base, chap_secrets):          dict.update({'name_server_ipv4' : ns_v4, 'name_server_ipv6' : ns_v6})          del dict['name_server'] -    # T2665: Add individual RADIUS server default values -    if dict_search('authentication.radius.server', dict): -        default_values = defaults(base + ['authentication', 'radius', 'server']) -        for server in dict_search('authentication.radius.server', dict): -            dict['authentication']['radius']['server'][server] = dict_merge( -                default_values, dict['authentication']['radius']['server'][server]) - -            # Check option "disable-accounting" per server and replace default value from '1813' to '0' -            # set vpn sstp authentication radius server x.x.x.x disable-accounting -            if 'disable_accounting' in dict['authentication']['radius']['server'][server]: -                dict['authentication']['radius']['server'][server]['acct_port'] = '0' - -    # T2665: Add individual local-user default values -    if dict_search('authentication.local_users.username', dict): -        default_values = defaults(base + ['authentication', 'local-users', 'username']) -        for username in dict_search('authentication.local_users.username', dict): -            dict['authentication']['local_users']['username'][username] = dict_merge( -                default_values, dict['authentication']['local_users']['username'][username]) - -    # T2665: Add individual IPv6 client-pool default mask if required -    if dict_search('client_ipv6_pool.prefix', dict): -        default_values = defaults(base + ['client-ipv6-pool', 'prefix']) -        for prefix in dict_search('client_ipv6_pool.prefix', dict): -            dict['client_ipv6_pool']['prefix'][prefix] = dict_merge( -                default_values, dict['client_ipv6_pool']['prefix'][prefix]) - -    # T2665: IPoE only - add individual local-user default values -    if dict_search('authentication.interface', dict): -        default_values = defaults(base + ['authentication', 'interface']) -        for interface in dict_search('authentication.interface', dict): -            dict['authentication']['interface'][interface] = dict_merge( -                default_values, dict['authentication']['interface'][interface]) - -    if dict_search('interface', dict): -        default_values = defaults(base + ['interface']) -        for interface in dict_search('interface', dict): -            dict['interface'][interface] = dict_merge(default_values, -                                                      dict['interface'][interface]) +    # Check option "disable-accounting" per server and replace default value from '1813' to '0' +    for server in (dict_search('authentication.radius.server', dict) or []): +        if 'disable_accounting' in dict['authentication']['radius']['server'][server]: +            dict['authentication']['radius']['server'][server]['acct_port'] = '0'      return dict diff --git a/python/vyos/ethtool.py b/python/vyos/ethtool.py index 68234089c..9b7da89fa 100644 --- a/python/vyos/ethtool.py +++ b/python/vyos/ethtool.py @@ -21,7 +21,8 @@ from vyos.util import popen  # These drivers do not support using ethtool to change the speed, duplex, or  # flow control settings  _drivers_without_speed_duplex_flow = ['vmxnet3', 'virtio_net', 'xen_netfront', -                                      'iavf', 'ice', 'i40e', 'hv_netvsc', 'veth', 'ixgbevf'] +                                      'iavf', 'ice', 'i40e', 'hv_netvsc', 'veth', 'ixgbevf', +                                      'tun']  class Ethtool:      """ diff --git a/python/vyos/ifconfig/geneve.py b/python/vyos/ifconfig/geneve.py index 276c34cd7..7a05e47a7 100644 --- a/python/vyos/ifconfig/geneve.py +++ b/python/vyos/ifconfig/geneve.py @@ -45,6 +45,7 @@ class GeneveIf(Interface):              'parameters.ip.df'           : 'df',              'parameters.ip.tos'          : 'tos',              'parameters.ip.ttl'          : 'ttl', +            'parameters.ip.innerproto'   : 'innerprotoinherit',              'parameters.ipv6.flowlabel'  : 'flowlabel',          } diff --git a/python/vyos/qos/base.py b/python/vyos/qos/base.py index 26ec65535..3983b1bc0 100644 --- a/python/vyos/qos/base.py +++ b/python/vyos/qos/base.py @@ -61,6 +61,7 @@ class QoSBase:          "CS7": 0xE0,          "EF": 0xB8      } +    qostype = None      def __init__(self, interface):          if os.path.exists('/tmp/vyos.qos.debug'): @@ -203,18 +204,21 @@ class QoSBase:                  self._build_base_qdisc(cls_config, int(cls))                  # every match criteria has it's tc instance -                filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}:' +                filter_cmd_base = f'tc filter add dev {self._interface} parent {self._parent:x}:'                  if priority: -                    filter_cmd += f' prio {cls}' +                    filter_cmd_base += f' prio {cls}'                  elif 'priority' in cls_config:                      prio = cls_config['priority'] -                    filter_cmd += f' prio {prio}' +                    filter_cmd_base += f' prio {prio}' -                filter_cmd += ' protocol all' +                filter_cmd_base += ' protocol all'                  if 'match' in cls_config: -                    for match, match_config in cls_config['match'].items(): +                    for index, (match, match_config) in enumerate(cls_config['match'].items(), start=1): +                        filter_cmd = filter_cmd_base +                        if self.qostype == 'shaper' and 'prio ' not in filter_cmd: +                            filter_cmd += f' prio {index}'                          if 'mark' in match_config:                              mark = match_config['mark']                              filter_cmd += f' handle {mark} fw' @@ -289,10 +293,19 @@ class QoSBase:                                      elif af == 'ipv6':                                          filter_cmd += f' match u8 {mask} {mask} at 53' +                                cls = int(cls) +                                filter_cmd += f' flowid {self._parent:x}:{cls:x}' +                                self._cmd(filter_cmd) +                  else:                      filter_cmd += ' basic' +                    cls = int(cls) +                    filter_cmd += f' flowid {self._parent:x}:{cls:x}' +                    self._cmd(filter_cmd) + +                  # The police block allows limiting of the byte or packet rate of                  # traffic matched by the filter it is attached to.                  # https://man7.org/linux/man-pages/man8/tc-police.8.html @@ -318,48 +331,41 @@ class QoSBase:                  #     burst = cls_config['burst']                  #     filter_cmd += f' burst {burst}' -                cls = int(cls) -                filter_cmd += f' flowid {self._parent:x}:{cls:x}' -                self._cmd(filter_cmd) +        if 'default' in config: +            default_cls_id = 1 +            if 'class' in config: +                class_id_max = self._get_class_max_id(config) +                default_cls_id = int(class_id_max) +1 +            self._build_base_qdisc(config['default'], default_cls_id) + +        if self.qostype == 'limiter': +            if 'default' in config: +                filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}: ' +                filter_cmd += 'prio 255 protocol all basic' + +                # The police block allows limiting of the byte or packet rate of +                # traffic matched by the filter it is attached to. +                # https://man7.org/linux/man-pages/man8/tc-police.8.html +                if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in +                       config['default']): +                    filter_cmd += f' action police' + +                if 'exceed' in config['default']: +                    action = config['default']['exceed'] +                    filter_cmd += f' conform-exceed {action}' +                    if 'not_exceed' in config['default']: +                        action = config['default']['not_exceed'] +                        filter_cmd += f'/{action}' + +                if 'bandwidth' in config['default']: +                    rate = self._rate_convert(config['default']['bandwidth']) +                    filter_cmd += f' rate {rate}' -        # T5295: Do not do any tc filter action for 'default' -        # In VyOS 1.4, we have the following configuration: -        # tc filter replace dev eth0 parent 1: prio 255 protocol all basic action police rate 300000000 burst 15k -        # However, this caused unexpected random speeds. -        # In VyOS 1.3, we do not use any 'tc filter' for rate limits, -        # It gets rate from  tc class classid 1:1 -        # -        # if 'default' in config: -        #     if 'class' in config: -        #         class_id_max = self._get_class_max_id(config) -        #         default_cls_id = int(class_id_max) +1 -        #         self._build_base_qdisc(config['default'], default_cls_id) -        # -        #     filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}: ' -        #     filter_cmd += 'prio 255 protocol all basic' -        # -        #     # The police block allows limiting of the byte or packet rate of -        #     # traffic matched by the filter it is attached to. -        #     # https://man7.org/linux/man-pages/man8/tc-police.8.html -        #     if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in config['default']): -        #         filter_cmd += f' action police' -        # -        #     if 'exceed' in config['default']: -        #         action = config['default']['exceed'] -        #         filter_cmd += f' conform-exceed {action}' -        #         if 'not_exceed' in config['default']: -        #             action = config['default']['not_exceed'] -        #             filter_cmd += f'/{action}' -        # -        #     if 'bandwidth' in config['default']: -        #         rate = self._rate_convert(config['default']['bandwidth']) -        #         filter_cmd += f' rate {rate}' -        # -        #     if 'burst' in config['default']: -        #         burst = config['default']['burst'] -        #         filter_cmd += f' burst {burst}' -        # -        #     if 'class' in config: -        #         filter_cmd += f' flowid {self._parent:x}:{default_cls_id:x}' -        # -        #     self._cmd(filter_cmd) +                if 'burst' in config['default']: +                    burst = config['default']['burst'] +                    filter_cmd += f' burst {burst}' + +                if 'class' in config: +                    filter_cmd += f' flowid {self._parent:x}:{default_cls_id:x}' + +                self._cmd(filter_cmd) diff --git a/python/vyos/qos/limiter.py b/python/vyos/qos/limiter.py index ace0c0b6c..3f5c11112 100644 --- a/python/vyos/qos/limiter.py +++ b/python/vyos/qos/limiter.py @@ -17,6 +17,7 @@ from vyos.qos.base import QoSBase  class Limiter(QoSBase):      _direction = ['ingress'] +    qostype = 'limiter'      def update(self, config, direction):          tmp = f'tc qdisc add dev {self._interface} handle {self._parent:x}: {direction}' diff --git a/python/vyos/qos/trafficshaper.py b/python/vyos/qos/trafficshaper.py index 573283833..c63c7cf39 100644 --- a/python/vyos/qos/trafficshaper.py +++ b/python/vyos/qos/trafficshaper.py @@ -22,6 +22,7 @@ MINQUANTUM = 1000  class TrafficShaper(QoSBase):      _parent = 1 +    qostype = 'shaper'      # https://man7.org/linux/man-pages/man8/tc-htb.8.html      def update(self, config, direction): diff --git a/python/vyos/utils/system.py b/python/vyos/utils/system.py new file mode 100644 index 000000000..7102d5985 --- /dev/null +++ b/python/vyos/utils/system.py @@ -0,0 +1,82 @@ +# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library.  If not, see <http://www.gnu.org/licenses/>. + +from subprocess import run + + +def sysctl_read(name: str) -> str: +    """Read and return current value of sysctl() option + +    Args: +        name (str): sysctl key name + +    Returns: +        str: sysctl key value +    """ +    tmp = run(['sysctl', '-nb', name], capture_output=True) +    return tmp.stdout.decode() + + +def sysctl_write(name: str, value: str | int) -> bool: +    """Change value via sysctl() + +    Args: +        name (str): sysctl key name +        value (str | int): sysctl key value + +    Returns: +        bool: True if changed, False otherwise +    """ +    # convert other types to string before comparison +    if not isinstance(value, str): +        value = str(value) +    # do not change anything if a value is already configured +    if sysctl_read(name) == value: +        return True +    # return False if sysctl call failed +    if run(['sysctl', '-wq', f'{name}={value}']).returncode != 0: +        return False +    # compare old and new values +    # sysctl may apply value, but its actual value will be +    # different from requested +    if sysctl_read(name) == value: +        return True +    # False in other cases +    return False + + +def sysctl_apply(sysctl_dict: dict[str, str], revert: bool = True) -> bool: +    """Apply sysctl values. + +    Args: +        sysctl_dict (dict[str, str]): dictionary with sysctl keys with values +        revert (bool, optional): Revert to original values if new were not  +        applied. Defaults to True. + +    Returns: +        bool: True if all params configured properly, False in other cases +    """ +    # get current values +    sysctl_original: dict[str, str] = {} +    for key_name in sysctl_dict.keys(): +        sysctl_original[key_name] = sysctl_read(key_name) +    # apply new values and revert in case one of them was not applied +    for key_name, value in sysctl_dict.items(): +        if not sysctl_write(key_name, value): +            if revert: +                sysctl_apply(sysctl_original, revert=False) +            return False +    # everything applied +    return True diff --git a/python/vyos/vpp.py b/python/vyos/vpp.py new file mode 100644 index 000000000..76e5d29c3 --- /dev/null +++ b/python/vyos/vpp.py @@ -0,0 +1,315 @@ +# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library.  If not, see <http://www.gnu.org/licenses/>. + +from functools import wraps +from pathlib import Path +from re import search as re_search, fullmatch as re_fullmatch, MULTILINE as re_M +from subprocess import run +from time import sleep + +from vpp_papi import VPPApiClient +from vpp_papi import VPPIOError, VPPValueError + + +class VPPControl: +    """Control VPP network stack +    """ + +    class _Decorators: +        """Decorators for VPPControl +        """ + +        @classmethod +        def api_call(cls, decorated_func): +            """Check if API is connected before API call + +            Args: +                decorated_func: function to decorate + +            Raises: +                VPPIOError: Connection to API is not established +            """ + +            @wraps(decorated_func) +            def api_safe_wrapper(cls, *args, **kwargs): +                if not cls.vpp_api_client.transport.connected: +                    raise VPPIOError(2, 'VPP API is not connected') +                return decorated_func(cls, *args, **kwargs) + +            return api_safe_wrapper + +        @classmethod +        def check_retval(cls, decorated_func): +            """Check retval from API response + +            Args: +                decorated_func: function to decorate + +            Raises: +                VPPValueError: raised when retval is not 0 +            """ + +            @wraps(decorated_func) +            def check_retval_wrapper(cls, *args, **kwargs): +                return_value = decorated_func(cls, *args, **kwargs) +                if not return_value.retval == 0: +                    raise VPPValueError( +                        f'VPP API call failed: {return_value.retval}') +                return return_value + +            return check_retval_wrapper + +    def __init__(self, attempts: int = 5, interval: int = 1000) -> None: +        """Create VPP API connection + +        Args: +            attempts (int, optional): attempts to connect. Defaults to 5. +            interval (int, optional): interval between attempts in ms. Defaults to 1000. + +        Raises: +            VPPIOError: Connection to API cannot be established +        """ +        self.vpp_api_client = VPPApiClient() +        # connect with interval +        while attempts: +            try: +                attempts -= 1 +                self.vpp_api_client.connect('vpp-vyos') +                break +            except (ConnectionRefusedError, FileNotFoundError) as err: +                print(f'VPP API connection timeout: {err}') +                sleep(interval / 1000) +        # raise exception if connection was not successful in the end +        if not self.vpp_api_client.transport.connected: +            raise VPPIOError(2, 'Cannot connect to VPP API') + +    def __del__(self) -> None: +        """Disconnect from VPP API (destructor) +        """ +        self.disconnect() + +    def disconnect(self) -> None: +        """Disconnect from VPP API +        """ +        if self.vpp_api_client.transport.connected: +            self.vpp_api_client.disconnect() + +    @_Decorators.check_retval +    @_Decorators.api_call +    def cli_cmd(self, command: str): +        """Send raw CLI command + +        Args: +            command (str): command to send + +        Returns: +            vpp_papi.vpp_serializer.cli_inband_reply: CLI reply class +        """ +        return self.vpp_api_client.api.cli_inband(cmd=command) + +    @_Decorators.api_call +    def get_mac(self, ifname: str) -> str: +        """Find MAC address by interface name in VPP + +        Args: +            ifname (str): interface name inside VPP + +        Returns: +            str: MAC address +        """ +        for iface in self.vpp_api_client.api.sw_interface_dump(): +            if iface.interface_name == ifname: +                return iface.l2_address.mac_string +        return '' + +    @_Decorators.api_call +    def get_sw_if_index(self, ifname: str) -> int | None: +        """Find interface index by interface name in VPP + +        Args: +            ifname (str): interface name inside VPP + +        Returns: +            int | None: Interface index or None (if was not fount) +        """ +        for iface in self.vpp_api_client.api.sw_interface_dump(): +            if iface.interface_name == ifname: +                return iface.sw_if_index +        return None + +    @_Decorators.check_retval +    @_Decorators.api_call +    def lcp_pair_add(self, iface_name_vpp: str, iface_name_kernel: str) -> None: +        """Create LCP interface pair between VPP and kernel + +        Args: +            iface_name_vpp (str): interface name in VPP +            iface_name_kernel (str): interface name in kernel +        """ +        iface_index = self.get_sw_if_index(iface_name_vpp) +        if iface_index: +            return self.vpp_api_client.api.lcp_itf_pair_add_del( +                is_add=True, +                sw_if_index=iface_index, +                host_if_name=iface_name_kernel) + +    @_Decorators.check_retval +    @_Decorators.api_call +    def lcp_pair_del(self, iface_name_vpp: str, iface_name_kernel: str) -> None: +        """Delete LCP interface pair between VPP and kernel + +        Args: +            iface_name_vpp (str): interface name in VPP +            iface_name_kernel (str): interface name in kernel +        """ +        iface_index = self.get_sw_if_index(iface_name_vpp) +        if iface_index: +            return self.vpp_api_client.api.lcp_itf_pair_add_del( +                is_add=False, +                sw_if_index=iface_index, +                host_if_name=iface_name_kernel) + +    @_Decorators.check_retval +    @_Decorators.api_call +    def iface_rxmode(self, iface_name: str, rx_mode: str) -> None: +        """Set interface rx-mode in VPP + +        Args: +            iface_name (str): interface name in VPP +            rx_mode (str): mode (polling, interrupt, adaptive) +        """ +        modes_dict: dict[str, int] = { +            'polling': 1, +            'interrupt': 2, +            'adaptive': 3 +        } +        if rx_mode not in modes_dict: +            raise VPPValueError(f'Mode {rx_mode} is not known') +        iface_index = self.get_sw_if_index(iface_name) +        return self.vpp_api_client.api.sw_interface_set_rx_mode( +            sw_if_index=iface_index, mode=modes_dict[rx_mode]) + +    @_Decorators.api_call +    def get_pci_addr(self, ifname: str) -> str: +        """Find PCI address of interface by interface name in VPP + +        Args: +            ifname (str): interface name inside VPP + +        Returns: +            str: PCI address +        """ +        hw_info = self.cli_cmd(f'show hardware-interfaces {ifname}').reply + +        regex_filter = r'^\s+pci: device (?P<device>\w+:\w+) subsystem (?P<subsystem>\w+:\w+) address (?P<address>\w+:\w+:\w+\.\w+) numa (?P<numa>\w+)$' +        re_obj = re_search(regex_filter, hw_info, re_M) + +        # return empty string if no interface or no PCI info was found +        if not hw_info or not re_obj: +            return '' + +        address = re_obj.groupdict().get('address', '') + +        # we need to modify address to math kernel style +        # for example: 0000:06:14.00 -> 0000:06:14.0 +        address_chunks: list[str] = address.split('.') +        address_normalized: str = f'{address_chunks[0]}.{int(address_chunks[1])}' + +        return address_normalized + + +class HostControl: +    """Control Linux host +    """ + +    @staticmethod +    def pci_rescan(pci_addr: str = '') -> None: +        """Rescan PCI device by removing it and rescan PCI bus + +        If PCI address is not defined - just rescan PCI bus + +        Args: +            address (str, optional): PCI address of device. Defaults to ''. +        """ +        if pci_addr: +            device_file = Path(f'/sys/bus/pci/devices/{pci_addr}/remove') +            if device_file.exists(): +                device_file.write_text('1') +                # wait 10 seconds max until device will be removed +                attempts = 100 +                while device_file.exists() and attempts: +                    attempts -= 1 +                    sleep(0.1) +                if device_file.exists(): +                    raise TimeoutError( +                        f'Timeout was reached for removing PCI device {pci_addr}' +                    ) +            else: +                raise FileNotFoundError(f'PCI device {pci_addr} does not exist') +        rescan_file = Path('/sys/bus/pci/rescan') +        rescan_file.write_text('1') +        if pci_addr: +            # wait 10 seconds max until device will be installed +            attempts = 100 +            while not device_file.exists() and attempts: +                attempts -= 1 +                sleep(0.1) +            if not device_file.exists(): +                raise TimeoutError( +                    f'Timeout was reached for installing PCI device {pci_addr}') + +    @staticmethod +    def get_eth_name(pci_addr: str) -> str: +        """Find Ethernet interface name by PCI address + +        Args: +            pci_addr (str): PCI address + +        Raises: +            FileNotFoundError: no Ethernet interface was found + +        Returns: +            str: Ethernet interface name +        """ +        # find all PCI devices with eth* names +        net_devs: dict[str, str] = {} +        net_devs_dir = Path('/sys/class/net') +        regex_filter = r'^/sys/devices/pci[\w/:\.]+/(?P<pci_addr>\w+:\w+:\w+\.\w+)/[\w/:\.]+/(?P<iface_name>eth\d+)$' +        for dir in net_devs_dir.iterdir(): +            real_dir: str = dir.resolve().as_posix() +            re_obj = re_fullmatch(regex_filter, real_dir) +            if re_obj: +                iface_name: str = re_obj.group('iface_name') +                iface_addr: str = re_obj.group('pci_addr') +                net_devs.update({iface_addr: iface_name}) +        # match to provided PCI address and return a name if found +        if pci_addr in net_devs: +            return net_devs[pci_addr] +        # raise error if device was not found +        raise FileNotFoundError( +            f'PCI device {pci_addr} not found in ethernet interfaces') + +    @staticmethod +    def rename_iface(name_old: str, name_new: str) -> None: +        """Rename interface + +        Args: +            name_old (str): old name +            name_new (str): new name +        """ +        rename_cmd: list[str] = [ +            'ip', 'link', 'set', name_old, 'name', name_new +        ] +        run(rename_cmd) diff --git a/python/vyos/xml_ref/definition.py b/python/vyos/xml_ref/definition.py index 7fd7a7b77..33a49ca69 100644 --- a/python/vyos/xml_ref/definition.py +++ b/python/vyos/xml_ref/definition.py @@ -147,8 +147,8 @@ class Xml:          default = self._get_default_value(node)          if default is None:              return None -        if self._is_multi_node(node) and not isinstance(default, list): -            return [default] +        if self._is_multi_node(node): +            return default.split()          return default      def get_defaults(self, path: list, get_first_key=False, recursive=False) -> dict: diff --git a/smoketest/scripts/cli/test_interfaces_geneve.py b/smoketest/scripts/cli/test_interfaces_geneve.py index 24d350aeb..b2efb0349 100755 --- a/smoketest/scripts/cli/test_interfaces_geneve.py +++ b/smoketest/scripts/cli/test_interfaces_geneve.py @@ -43,6 +43,7 @@ class GeneveInterfaceTest(BasicInterfaceTest.TestCase):              self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'df', 'set'])              self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'tos', tos]) +            self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'innerproto'])              self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'ttl', str(ttl)])              ttl += 10 @@ -67,6 +68,11 @@ class GeneveInterfaceTest(BasicInterfaceTest.TestCase):                  label = options['linkinfo']['info_data']['label']                  self.assertIn(f'parameters ipv6 flowlabel {label}', self._options[interface]) +            if any('innerproto' in s for s in self._options[interface]): +                inner = options['linkinfo']['info_data']['innerproto'] +                self.assertIn(f'parameters ip {inner}', self._options[interface]) + +              self.assertEqual('geneve',        options['linkinfo']['info_kind'])              self.assertEqual('set',      options['linkinfo']['info_data']['df'])              self.assertEqual(f'0x{tos}', options['linkinfo']['info_data']['tos']) diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py index a3df6bf4d..c83e633b2 100755 --- a/smoketest/scripts/cli/test_policy_route.py +++ b/smoketest/scripts/cli/test_policy_route.py @@ -1,6 +1,6 @@  #!/usr/bin/env python3  # -# Copyright (C) 2021-2022 VyOS maintainers and contributors +# Copyright (C) 2021-2023 VyOS maintainers and contributors  #  # This program is free software; you can redistribute it and/or modify  # it under the terms of the GNU General Public License version 2 or later as @@ -100,7 +100,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):          self.cli_commit()          nftables_search = [ -            [f'iifname "{interface}"','jump VYOS_PBR_smoketest'], +            [f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'],              ['ip daddr @N_smoketest_network1', 'ip saddr @N_smoketest_network'],          ] @@ -119,7 +119,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):          mark_hex = "{0:#010x}".format(int(mark))          nftables_search = [ -            [f'iifname "{interface}"','jump VYOS_PBR_smoketest'], +            [f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'],              ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'meta mark set ' + mark_hex],          ] @@ -138,7 +138,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):          mark_hex_set = "{0:#010x}".format(int(conn_mark_set))          nftables_search = [ -            [f'iifname "{interface}"','jump VYOS_PBR_smoketest'], +            [f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'],              ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'ct mark ' + mark_hex, 'ct mark set ' + mark_hex_set],          ] @@ -164,7 +164,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):          # IPv4          nftables_search = [ -            [f'iifname "{interface}"', 'jump VYOS_PBR_smoketest'], +            [f'iifname "{interface}"', 'jump VYOS_PBR_UD_smoketest'],              ['tcp flags syn / syn,ack', 'tcp dport 8888', 'meta mark set ' + mark_hex]          ] @@ -173,7 +173,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):          # IPv6          nftables6_search = [ -            [f'iifname "{interface}"', 'jump VYOS_PBR6_smoketest'], +            [f'iifname "{interface}"', 'jump VYOS_PBR6_UD_smoketest'],              ['meta l4proto { tcp, udp }', 'th dport 8888', 'meta mark set ' + mark_hex]          ] @@ -246,7 +246,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):          # IPv4          nftables_search = [ -            ['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_smoketest'], +            ['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_UD_smoketest'],              ['meta l4proto udp', 'drop'],              ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],              ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex], @@ -258,7 +258,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):          # IPv6          nftables6_search = [ -            [f'iifname "{interface_wc}"', 'jump VYOS_PBR6_smoketest'], +            [f'iifname "{interface_wc}"', 'jump VYOS_PBR6_UD_smoketest'],              ['meta l4proto udp', 'drop'],              ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],              ['ct state new', 'tcp dport 22', 'ip6 saddr 2001:db8::/64', 'ip6 hoplimit > 2', 'meta mark set ' + mark_hex], diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index 6fe6dd979..e4907596e 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -159,6 +159,12 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):          on_startup = '30'          on_shutdown = '60'          refresh = '50' +        aggregation_timer = '100' +        summary_nets = { +            '10.0.1.0/24' : {}, +            '10.0.2.0/24' : {'tag' : '50'}, +            '10.0.3.0/24' : {'no_advertise' : {}}, +         }          self.cli_set(base_path + ['distance', 'global', global_distance])          self.cli_set(base_path + ['distance', 'ospf', 'external', external]) @@ -170,6 +176,15 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):          self.cli_set(base_path + ['mpls-te', 'enable'])          self.cli_set(base_path + ['refresh', 'timers', refresh]) +        self.cli_set(base_path + ['aggregation', 'timer', aggregation_timer]) + +        for summary, summary_options in summary_nets.items(): +            self.cli_set(base_path + ['summary-address', summary]) +            if 'tag' in summary_options: +                self.cli_set(base_path + ['summary-address', summary, 'tag', summary_options['tag']]) +            if 'no_advertise' in summary_options: +                self.cli_set(base_path + ['summary-address', summary, 'no-advertise']) +          # commit changes          self.cli_commit() @@ -184,6 +199,14 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):          self.assertIn(f' max-metric router-lsa on-shutdown {on_shutdown}', frrconfig)          self.assertIn(f' refresh timer {refresh}', frrconfig) +        self.assertIn(f' aggregation timer {aggregation_timer}', frrconfig) +        for summary, summary_options in summary_nets.items(): +            self.assertIn(f' summary-address {summary}', frrconfig) +            if 'tag' in summary_options: +                tag = summary_options['tag'] +                self.assertIn(f' summary-address {summary} tag {tag}', frrconfig) +            if 'no_advertise' in summary_options: +                self.assertIn(f' summary-address {summary} no-advertise', frrconfig)          # enable inter-area          self.cli_set(base_path + ['distance', 'ospf', 'inter-area', inter_area]) diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index 459e4cdd4..7b93a31c0 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -52,11 +52,11 @@ def verify(relay):          # we certainly require a UDP port to listen to          if 'port' not in config: -            raise ConfigError(f'Port number mandatory for udp broadcast relay "{instance}"') +            raise ConfigError(f'Port number is mandatory for UDP broadcast relay "{instance}"')          # Relaying data without two interface is kinda senseless ...          if len(config.get('interface', [])) < 2: -            raise ConfigError('At least two interfaces are required for udp broadcast relay "{instance}"') +            raise ConfigError('At least two interfaces are required for UDP broadcast relay "{instance}"')          for interface in config.get('interface', []):              verify_interface_exists(interface) diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index b73483470..460c9f1a4 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -250,6 +250,13 @@ def verify(ospf):                      raise ConfigError(f'Segment routing prefix {prefix} cannot have both explicit-null '\                                        f'and no-php-flag configured at the same time.') +    # Check route summarisation +    if 'summary_address' in ospf: +        for prefix, prefix_options in ospf['summary_address'].items(): +            if {'tag', 'no_advertise'} <= set(prefix_options): +                raise ConfigError(f'Can not set both "tag" and "no-advertise" for Type-5 '\ +                                  f'and Type-7 route summarisation of "{prefix}"!') +      return None  def generate(ospf): diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 9b7c04eb0..f4611e15e 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -161,8 +161,12 @@ def verify(snmp):          for address in snmp['listen_address']:              # We only wan't to configure addresses that exist on the system.              # Hint the user if they don't exist -            if not is_addr_assigned(address): -                Warning(f'SNMP listen address "{address}" not configured!') +            if 'vrf' in snmp: +                vrf_name = snmp['vrf'] +                if not is_addr_assigned(address, vrf_name) and address not in ['::1','127.0.0.1']: +                    raise ConfigError(f'SNMP listen address "{address}" not configured in vrf "{vrf_name}"!') +            elif not is_addr_assigned(address): +                raise ConfigError(f'SNMP listen address "{address}" not configured in default vrf!')      if 'trap_target' in snmp:          for trap, trap_config in snmp['trap_target'].items(): diff --git a/src/conf_mode/vpp.py b/src/conf_mode/vpp.py new file mode 100755 index 000000000..87ebc3ea9 --- /dev/null +++ b/src/conf_mode/vpp.py @@ -0,0 +1,216 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program.  If not, see <http://www.gnu.org/licenses/>. + +import os +from psutil import virtual_memory + +from pathlib import Path +from re import search as re_search, MULTILINE as re_M + +from vyos.config import Config +from vyos.configdep import set_dependents, call_dependents +from vyos.configdict import dict_merge +from vyos.configdict import node_changed +from vyos.ifconfig import Section +from vyos.util import call, rc_cmd, boot_configuration_complete +from vyos.utils.system import sysctl_read, sysctl_apply +from vyos.template import render +from vyos.xml import defaults + +from vyos import ConfigError +from vyos import airbag +from vyos.vpp import VPPControl +from vyos.vpp import HostControl + +airbag.enable() + +service_name = 'vpp' +service_conf = Path(f'/run/vpp/{service_name}.conf') +systemd_override = '/run/systemd/system/vpp.service.d/10-override.conf' + +# Free memory required for VPP +# 2 GB for hugepages + 1 GB for other services +MIN_AVAILABLE_MEMORY: int = 3 * 1024**3 + + +def _get_pci_address_by_interface(iface) -> str: +    rc, out = rc_cmd(f'ethtool -i {iface}') +    # if ethtool command was successful +    if rc == 0 and out: +        regex_filter = r'^bus-info: (?P<address>\w+:\w+:\w+\.\w+)$' +        re_obj = re_search(regex_filter, out, re_M) +        # if bus-info with PCI address found +        if re_obj: +            address = re_obj.groupdict().get('address', '') +            return address +    # use VPP - maybe interface already attached to it +    vpp_control = VPPControl(attempts=20, interval=500) +    pci_addr = vpp_control.get_pci_addr(iface) +    if pci_addr: +        return pci_addr +    # raise error if PCI address was not found +    raise ConfigError(f'Cannot find PCI address for interface {iface}') + + +def get_config(config=None): +    if config: +        conf = config +    else: +        conf = Config() + +    base = ['vpp'] +    base_ethernet = ['interfaces', 'ethernet'] + +    # find interfaces removed from VPP +    removed_ifaces = [] +    tmp = node_changed(conf, base + ['interface']) +    if tmp: +        for removed_iface in tmp: +            pci_address: str = _get_pci_address_by_interface(removed_iface) +            removed_ifaces.append({ +                'iface_name': removed_iface, +                'iface_pci_addr': pci_address +            }) +            # add an interface to a list of interfaces that need +            # to be reinitialized after the commit +            set_dependents('ethernet', conf, removed_iface) + +    if not conf.exists(base): +        return {'removed_ifaces': removed_ifaces} + +    config = conf.get_config_dict(base, +                                  get_first_key=True, +                                  key_mangling=('-', '_'), +                                  no_tag_node_value_mangle=True) + +    # We have gathered the dict representation of the CLI, but there are default +    # options which we need to update into the dictionary retrived. +    default_values = defaults(base) +    if 'interface' in default_values: +        del default_values['interface'] +    config = dict_merge(default_values, config) + +    if 'interface' in config: +        for iface, iface_config in config['interface'].items(): +            default_values_iface = defaults(base + ['interface']) +            config['interface'][iface] = dict_merge(default_values_iface, config['interface'][iface]) +            # add an interface to a list of interfaces that need +            # to be reinitialized after the commit +            set_dependents('ethernet', conf, iface) + +        # Get PCI address auto +        for iface, iface_config in config['interface'].items(): +            if iface_config['pci'] == 'auto': +                config['interface'][iface]['pci'] = _get_pci_address_by_interface(iface) + +    config['other_interfaces'] = conf.get_config_dict(base_ethernet, key_mangling=('-', '_'), +                                     get_first_key=True, no_tag_node_value_mangle=True) + +    if removed_ifaces: +        config['removed_ifaces'] = removed_ifaces + +    return config + + +def verify(config): +    # bail out early - looks like removal from running config +    if not config or (len(config) == 1 and 'removed_ifaces' in config): +        return None + +    if 'interface' not in config: +        raise ConfigError('"interface" is required but not set!') + +    if 'cpu' in config: +        if 'corelist_workers' in config['cpu'] and 'main_core' not in config[ +                'cpu']: +            raise ConfigError('"cpu main-core" is required but not set!') + +    memory_available: int = virtual_memory().available +    if memory_available < MIN_AVAILABLE_MEMORY: +        raise ConfigError( +            'Not enough free memory to start VPP:\n' +            f'available: {round(memory_available / 1024**3, 1)}GB\n' +            f'required: {round(MIN_AVAILABLE_MEMORY / 1024**3, 1)}GB') + + +def generate(config): +    if not config or (len(config) == 1 and 'removed_ifaces' in config): +        # Remove old config and return +        service_conf.unlink(missing_ok=True) +        return None + +    render(service_conf, 'vpp/startup.conf.j2', config) +    render(systemd_override, 'vpp/override.conf.j2', config) + +    # apply default sysctl values from +    # https://github.com/FDio/vpp/blob/v23.06/src/vpp/conf/80-vpp.conf +    sysctl_config: dict[str, str] = { +        'vm.nr_hugepages': '1024', +        'vm.max_map_count': '3096', +        'vm.hugetlb_shm_group': '0', +        'kernel.shmmax': '2147483648' +    } +    # we do not want to reduce `kernel.shmmax` +    kernel_shmnax_current: str = sysctl_read('kernel.shmmax') +    if int(kernel_shmnax_current) > int(sysctl_config['kernel.shmmax']): +        sysctl_config['kernel.shmmax'] = kernel_shmnax_current + +    if not sysctl_apply(sysctl_config): +        raise ConfigError('Cannot configure sysctl parameters for VPP') + +    return None + + +def apply(config): +    if not config or (len(config) == 1 and 'removed_ifaces' in config): +        call(f'systemctl stop {service_name}.service') +    else: +        call('systemctl daemon-reload') +        call(f'systemctl restart {service_name}.service') + +    # Initialize interfaces removed from VPP +    for iface in config.get('removed_ifaces', []): +        host_control = HostControl() +        # rescan PCI to use a proper driver +        host_control.pci_rescan(iface['iface_pci_addr']) +        # rename to the proper name +        iface_new_name: str = host_control.get_eth_name(iface['iface_pci_addr']) +        host_control.rename_iface(iface_new_name, iface['iface_name']) + +    if 'interface' in config: +        # connect to VPP +        # must be performed multiple attempts because API is not available +        # immediately after the service restart +        vpp_control = VPPControl(attempts=20, interval=500) +        for iface, _ in config['interface'].items(): +            # Create lcp +            if iface not in Section.interfaces(): +                vpp_control.lcp_pair_add(iface, iface) + +    # reinitialize interfaces, but not during the first boot +    if boot_configuration_complete(): +        call_dependents() + + +if __name__ == '__main__': +    try: +        c = get_config() +        verify(c) +        generate(c) +        apply(c) +    except ConfigError as e: +        print(e) +        exit(1) diff --git a/src/migration-scripts/isis/0-to-1 b/src/migration-scripts/isis/0-to-1 index 93cbbbed5..b75a7f72c 100755 --- a/src/migration-scripts/isis/0-to-1 +++ b/src/migration-scripts/isis/0-to-1 @@ -37,12 +37,9 @@ if not config.exists(base):      # Nothing to do      exit(0) -# Only one IS-IS process is supported, thus this operation is save -isis_base = base + config.list_nodes(base) -  # We need a temporary copy of the config  tmp_base = ['protocols', 'isis2'] -config.copy(isis_base, tmp_base) +config.copy(base, tmp_base)  # Now it's save to delete the old configuration  config.delete(base) diff --git a/src/op_mode/policy_route.py b/src/op_mode/policy_route.py index 5953786f3..fae47adec 100755 --- a/src/op_mode/policy_route.py +++ b/src/op_mode/policy_route.py @@ -61,8 +61,10 @@ def output_policy_route(name, route_conf, ipv6=False, single_rule_id=None):      ip_str = 'IPv6' if ipv6 else 'IPv4'      print(f'\n---------------------------------\n{ip_str} Policy Route "{name}"\n') -    if route_conf['interface']: +    if route_conf.get('interface'):          print('Active on: {0}\n'.format(" ".join(route_conf['interface']))) +    else: +        print('Inactive - Not applied to any interfaces\n')      details = get_nftables_details(name, ipv6)      rows = [] | 
