summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.github/workflows/package-smoketest.yml104
-rw-r--r--Makefile6
-rw-r--r--data/templates/ssh/sshd_config.j25
-rw-r--r--data/templates/telegraf/telegraf.j22
-rw-r--r--debian/control46
-rwxr-xr-xdebian/rules4
-rw-r--r--debian/vyos-1x.install2
-rw-r--r--debian/vyos-1x.postinst55
-rw-r--r--interface-definitions/interfaces_geneve.xml.in1
-rw-r--r--interface-definitions/service_ssh.xml.in13
-rw-r--r--op-mode-definitions/clear-interfaces.xml.in (renamed from op-mode-definitions/counters.xml.in)18
-rw-r--r--op-mode-definitions/configure.xml.in6
-rw-r--r--op-mode-definitions/connect.xml.in2
-rw-r--r--op-mode-definitions/disconnect.xml.in2
-rwxr-xr-xsmoketest/scripts/cli/test_service_ssh.py16
-rwxr-xr-xsrc/conf_mode/service_monitoring_telegraf.py3
-rw-r--r--src/etc/bash_completion.d/vyatta-op685
-rw-r--r--src/etc/default/vyatta217
-rwxr-xr-xsrc/op_mode/connect_disconnect.py22
-rwxr-xr-xsrc/opt/vyatta/bin/restricted-shell11
-rwxr-xr-xsrc/opt/vyatta/bin/vyatta-op-cmd-wrapper6
-rw-r--r--src/opt/vyatta/etc/LICENSE340
-rw-r--r--src/opt/vyatta/etc/shell/level/users/allowed-op20
-rw-r--r--src/opt/vyatta/etc/shell/level/users/allowed-op.in16
-rwxr-xr-xsrc/opt/vyatta/sbin/if-mib-alias130
-rwxr-xr-xsrc/opt/vyatta/sbin/vyos-persistpath19
-rw-r--r--src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-common82
-rw-r--r--src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run240
-rw-r--r--src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-unpriv97
29 files changed, 2105 insertions, 65 deletions
diff --git a/.github/workflows/package-smoketest.yml b/.github/workflows/package-smoketest.yml
index 27272a6e2..08c8d42f5 100644
--- a/.github/workflows/package-smoketest.yml
+++ b/.github/workflows/package-smoketest.yml
@@ -14,7 +14,7 @@ env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed for PR comments
jobs:
- build:
+ build_iso:
runs-on: ubuntu-24.04
timeout-minutes: 45
container:
@@ -42,6 +42,7 @@ jobs:
run: |
echo "build_version=1.5-integration-$(date -u +%Y%m%d%H%M)" >> $GITHUB_OUTPUT
- name: Build custom ISO image
+ shell: bash
run: |
sudo --preserve-env ./build-vyos-image \
--architecture amd64 \
@@ -55,13 +56,15 @@ jobs:
name: vyos-${{ steps.version.outputs.build_version }}
path: build/live-image-amd64.hybrid.iso
- cli-smoketests:
- needs: build
+ test_smoketest_cli:
+ needs: build_iso
runs-on: ubuntu-24.04
timeout-minutes: 180
container:
image: vyos/vyos-build:current
options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged
+ outputs:
+ exit_code: ${{ steps.test.outputs.exit_code }}
steps:
# We need the test script from vyos-build repo
- name: Clone vyos-build source code
@@ -70,27 +73,28 @@ jobs:
repository: vyos/vyos-build
- uses: actions/download-artifact@v4
with:
- name: vyos-${{ needs.build.outputs.build_version }}
+ name: vyos-${{ needs.build_iso.outputs.build_version }}
path: build
- name: VyOS CLI smoketests
- run: sudo make test
- - name: Add PR comment
- if: always()
- uses: mshick/add-pr-comment@v2
- with:
- message-success: '👍 VyOS CLI smoketests finished successfully!'
- message-failure: '❌ VyOS CLI smoketests failed!'
- message-cancelled: '❌ VyOS CLI smoketests cancelled!'
- allow-repeats: false
- refresh-message-position: true
+ id: test
+ shell: bash
+ run: |
+ # always fail first
+ echo "exit_code=1" >> $GITHUB_OUTPUT
+ sudo make test
+ exit_code=$?
+ echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
+ exit $exit_code
- config-load-tests:
- needs: build
+ test_config_load:
+ needs: build_iso
runs-on: ubuntu-24.04
timeout-minutes: 90
container:
image: vyos/vyos-build:current
options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged
+ outputs:
+ exit_code: ${{ steps.test.outputs.exit_code }}
steps:
# We need the test script from vyos-build repo
- name: Clone vyos-build source code
@@ -99,27 +103,28 @@ jobs:
repository: vyos/vyos-build
- uses: actions/download-artifact@v4
with:
- name: vyos-${{ needs.build.outputs.build_version }}
+ name: vyos-${{ needs.build_iso.outputs.build_version }}
path: build
- - name: VyOS config tests
- run: sudo make testc
- - name: Add PR comment
- if: always()
- uses: mshick/add-pr-comment@v2
- with:
- message-success: '👍 VyOS config tests finished successfully!'
- message-failure: '❌ VyOS config tests failed!'
- message-cancelled: '❌ VyOS config tests cancelled!'
- allow-repeats: false
- refresh-message-position: true
+ - name: VyOS config load tests
+ id: test
+ shell: bash
+ run: |
+ # always fail first
+ echo "exit_code=1" >> $GITHUB_OUTPUT
+ sudo make testc
+ exit_code=$?
+ echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
+ exit $exit_code
- raid1-install-test:
- needs: build
+ test_raid1_install:
+ needs: build_iso
runs-on: ubuntu-24.04
timeout-minutes: 20
container:
image: vyos/vyos-build:current
options: --sysctl net.ipv6.conf.lo.disable_ipv6=0 --privileged
+ outputs:
+ exit_code: ${{ steps.test.outputs.exit_code }}
steps:
# We need the test script from vyos-build repo
- name: Clone vyos-build source code
@@ -128,16 +133,43 @@ jobs:
repository: vyos/vyos-build
- uses: actions/download-artifact@v4
with:
- name: vyos-${{ needs.build.outputs.build_version }}
+ name: vyos-${{ needs.build_iso.outputs.build_version }}
path: build
- - name: VyOS RAID1 install test
- run: sudo make testraid
+ - name: VyOS RAID1 installation tests
+ id: test
+ shell: bash
+ run: |
+ # always fail first
+ echo "exit_code=1" >> $GITHUB_OUTPUT
+ sudo make testraid
+ exit_code=$?
+ echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
+ exit $exit_code
+
+ result:
+ needs:
+ - test_smoketest_cli
+ - test_config_load
+ - test_raid1_install
+ runs-on: ubuntu-24.04
+ timeout-minutes: 5
+ if: always()
+ steps:
- name: Add PR comment
if: always()
uses: mshick/add-pr-comment@v2
with:
- message-success: '👍 RAID1 Smoketests finished successfully!'
- message-failure: '❌ RAID1 Smoketests failed!'
- message-cancelled: '❌ RAID1 action cancelled!'
+ message: |
+ CI integration ${{ needs.test_smoketest_cli.outputs.exit_code == 0 && needs.test_config_load.outputs.exit_code == 0 && needs.test_raid1_install.outputs.exit_code == 0 && '👍 passed!' || '❌ failed!' }}
+
+ ### Details
+
+ [CI logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
+
+ * ${{ needs.test_smoketest_cli.outputs.exit_code == '0' && '👍 passed' || '❌ failed' }} CLI Smoketests returned: ${{ needs.test_smoketest_cli.outputs.exit_code }}
+ * ${{ needs.test_config_load.outputs.exit_code == '0' && '👍 passed' || '❌ failed' }} Config tests returned: ${{ needs.test_config_load.outputs.exit_code }}
+ * ${{ needs.test_raid1_install.outputs.exit_code == '0' && '👍 passed' || '❌ failed' }} RAID1 tests returned: ${{ needs.test_raid1_install.outputs.exit_code }}
+
+ message-id: "SMOKETEST_RESULTS"
allow-repeats: false
refresh-message-position: true
diff --git a/Makefile b/Makefile
index 06b4aaa6f..685c8f150 100644
--- a/Makefile
+++ b/Makefile
@@ -55,12 +55,6 @@ op_mode_definitions: $(op_xml_obj)
find $(BUILD_DIR)/op-mode-definitions/ -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-op-templates {} $(CURDIR)/schema/op-mode-definition.rng $(OP_TMPL_DIR) || exit 1
- # XXX: delete top level op mode node.def's that now live in other packages
- rm -f $(OP_TMPL_DIR)/add/node.def
- rm -f $(OP_TMPL_DIR)/clear/interfaces/node.def
- rm -f $(OP_TMPL_DIR)/clear/node.def
- rm -f $(OP_TMPL_DIR)/delete/node.def
-
# XXX: tcpdump, ping, traceroute and mtr must be able to recursivly call themselves as the
# options are provided from the scripts themselves
ln -s ../node.tag $(OP_TMPL_DIR)/ping/node.tag/node.tag/
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 650fd25e6..2cf0494c4 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -67,6 +67,11 @@ Ciphers {{ ciphers | join(',') }}
HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
{% endif %}
+{% if pubkey_accepted_algorithm is vyos_defined %}
+# Specifies the available PubKey signature algorithms
+PubkeyAcceptedAlgorithms {{ pubkey_accepted_algorithm | join(',') }}
+{% endif %}
+
{% if mac is vyos_defined %}
# Specifies the available MAC (message authentication code) algorithms
MACs {{ mac | join(',') }}
diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index f382dbf2e..535e3a347 100644
--- a/data/templates/telegraf/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2
@@ -130,7 +130,9 @@ metric_name_label = "{{ loki.metric_name_label }}"
{% if influxdb is vyos_defined %}
[[inputs.exec]]
commands = [
+{% if nft_chains is vyos_defined %}
"{{ custom_scripts_dir }}/show_firewall_input_filter.py",
+{% endif %}
"{{ custom_scripts_dir }}/show_interfaces_input_filter.py",
"{{ custom_scripts_dir }}/vyos_services_input_filter.py"
]
diff --git a/debian/control b/debian/control
index 883e08649..189a959b0 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,6 @@ Build-Depends:
iproute2,
libvyosconfig0 (>= 0.0.7),
libzmq3-dev,
- procps,
python3 (>= 3.10),
# For QA
pylint,
@@ -38,14 +37,24 @@ Standards-Version: 3.9.6
Package: vyos-1x
Architecture: amd64 arm64
Pre-Depends:
+ libpam-runtime [amd64],
libnss-tacplus [amd64],
libpam-tacplus [amd64],
libpam-radius-auth [amd64]
Depends:
## Fundamentals
${python3:Depends} (>= 3.10),
+ dialog,
libvyosconfig0,
+ libpam-cap,
+ bash-completion,
+ ipvsadm,
+ udev,
+ less,
+ at,
+ rsync,
vyatta-bash,
+ vyatta-biosdevname,
vyatta-cfg,
vyos-http-api-tools,
vyos-utils,
@@ -72,6 +81,7 @@ Depends:
python3-zmq,
## End of Python libraries
## Basic System services and utilities
+ coreutils,
sudo,
systemd,
bsdmainutils,
@@ -84,7 +94,6 @@ Depends:
# ipaddrcheck is widely used in IP value validators
ipaddrcheck,
ethtool,
- fdisk,
lm-sensors,
procps,
netplug,
@@ -97,6 +106,14 @@ Depends:
grc,
## End of System services and utilities
## For the installer
+ fdisk,
+ gdisk,
+ mdadm,
+ efibootmgr,
+ libefivar1,
+ dosfstools,
+ grub-efi-amd64-bin [amd64],
+ grub-efi-arm64-bin [arm64],
# Image signature verification tool
minisign,
# Live filesystem tools
@@ -105,6 +122,7 @@ Depends:
## End installer
auditd,
iputils-arping,
+ iputils-ping,
isc-dhcp-client,
# For "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server"
accel-ppp,
@@ -143,7 +161,7 @@ Depends:
sstp-client,
# End "interfaces sstpc"
# For "protocols *"
- frr (>= 7.5),
+ frr (>= 9.1),
frr-pythontools,
frr-rpki-rtrlib,
frr-snmp,
@@ -179,9 +197,12 @@ Depends:
# For "service router-advert"
radvd,
# End "service route-advert"
-# For "high-availability reverse-proxy"
+# For "load-balancing reverse-proxy"
haproxy,
-# End "high-availability reverse-proxy"
+# End "load-balancing reverse-proxy"
+# For "load-balancing wan"
+ vyatta-wanloadbalance,
+# End "load-balancing wan"
# For "service dhcp-relay"
isc-dhcp-relay,
# For "service dhcp-server"
@@ -235,6 +256,9 @@ Depends:
# For "high-availability vrrp"
keepalived (>=2.0.5),
# End "high-availability-vrrp"
+# For "system console"
+ util-linux,
+# End "system console"
# For "system task-scheduler"
cron,
# End "system task-scheduler"
@@ -267,7 +291,7 @@ Depends:
# For "system conntrack modules rtsp"
nat-rtsp,
# End "system conntrack modules rtsp"
-# For "system ntp"
+# For "service ntp"
chrony,
# End "system ntp"
# For "vpn openconnect"
@@ -276,7 +300,13 @@ Depends:
# For "system flow-accounting"
pmacct (>= 1.6.0),
# End "system flow-accounting"
-# For container
+# For "system syslog"
+ rsyslog,
+# End "system syslog"
+# For "system option keyboard-layout"
+ kbd,
+# End "system option keyboard-layout"
+# For "container"
podman,
netavark,
aardvark-dns,
@@ -314,6 +344,8 @@ Depends:
ndisc6,
# For "run monitor bandwidth"
bmon,
+# For "run format disk"
+ parted,
# End Operational mode
## TPM tools
cryptsetup,
diff --git a/debian/rules b/debian/rules
index 9da40465f..df1d9e7f3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -103,6 +103,10 @@ override_dh_auto_install:
mkdir -p $(DIR)/etc
cp -r src/etc/* $(DIR)/etc
+ # Install legacy Vyatta files
+ mkdir -p $(DIR)/opt
+ cp -r src/opt/* $(DIR)/opt
+
# Install PAM configuration snippets
mkdir -p $(DIR)/usr/share/pam-configs
cp -r src/pam-configs/* $(DIR)/usr/share/pam-configs
diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
index b3978d38a..7171911dc 100644
--- a/debian/vyos-1x.install
+++ b/debian/vyos-1x.install
@@ -1,4 +1,6 @@
+etc/bash_completion.d
etc/commit
+etc/default
etc/dhcp
etc/ipsec.d
etc/logrotate.d
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 78e895d6e..26b81db6f 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -120,6 +120,61 @@ fi
# ensure the proxy user has a proper shell
chsh -s /bin/sh proxy
+# Set file capabilities
+setcap cap_net_admin=pe /sbin/ethtool
+setcap cap_net_admin=pe /sbin/tc
+setcap cap_net_admin=pe /bin/ip
+setcap cap_net_admin=pe /sbin/xtables-legacy-multi
+setcap cap_net_admin=pe /sbin/xtables-nft-multi
+setcap cap_net_admin=pe /usr/sbin/conntrack
+setcap cap_net_admin=pe /usr/sbin/arp
+setcap cap_net_raw=pe /usr/bin/tcpdump
+setcap cap_net_admin,cap_sys_admin=pe /sbin/sysctl
+setcap cap_sys_module=pe /bin/kmod
+setcap cap_sys_time=pe /bin/date
+
+# create needed directories
+mkdir -p /var/log/user
+mkdir -p /var/core
+mkdir -p /opt/vyatta/etc/config/auth
+mkdir -p /opt/vyatta/etc/config/scripts
+mkdir -p /opt/vyatta/etc/config/user-data
+mkdir -p /opt/vyatta/etc/config/support
+chown -R root:vyattacfg /opt/vyatta/etc/config
+chmod -R 775 /opt/vyatta/etc/config
+mkdir -p /opt/vyatta/etc/logrotate
+mkdir -p /opt/vyatta/etc/netdevice.d
+
+touch /etc/environment
+
+if [ ! -f /etc/bash_completion ]; then
+ echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
+ echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
+fi
+
+sed -i 's/^set /builtin set /' /etc/bash_completion
+
+# Fix up PAM configuration for login so that invalid users are prompted
+# for password
+sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+
+# Change default shell for new accounts
+sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
+
+# Do not allow users to change full name field (controlled by vyos-1x)
+sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
+
+# Only allow root to use passwd command
+if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
+ sed -i -e '/^@include/i \
+password requisite pam_succeed_if.so user = root
+' /etc/pam.d/passwd
+fi
+
+# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
+# this logs unnecessary messages trying to start ddclient
+rm -f /etc/ppp/ip-up.d/ddclient
+
# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
if [ ! -x $PRECONFIG_SCRIPT ]; then
diff --git a/interface-definitions/interfaces_geneve.xml.in b/interface-definitions/interfaces_geneve.xml.in
index c94113271..990c5bd91 100644
--- a/interface-definitions/interfaces_geneve.xml.in
+++ b/interface-definitions/interfaces_geneve.xml.in
@@ -52,6 +52,7 @@
#include <include/interface/mirror.xml.i>
#include <include/interface/redirect.xml.i>
#include <include/interface/tunnel-remote.xml.i>
+ #include <include/interface/vrf.xml.i>
#include <include/vni.xml.i>
</children>
</tagNode>
diff --git a/interface-definitions/service_ssh.xml.in b/interface-definitions/service_ssh.xml.in
index d9eee1ab8..221e451d1 100644
--- a/interface-definitions/service_ssh.xml.in
+++ b/interface-definitions/service_ssh.xml.in
@@ -146,6 +146,19 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="pubkey-accepted-algorithm">
+ <properties>
+ <help>Allowed pubkey signature algorithms</help>
+ <completionHelp>
+ <!-- generated by ssh -Q PubkeyAcceptedAlgorithms | tr '\n' ' ' as this will not change dynamically -->
+ <list>ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ecdsa-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ecdsa-sha2-nistp256@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com ssh-dss ssh-dss-cert-v01@openssh.com ssh-rsa ssh-rsa-cert-v01@openssh.com rsa-sha2-256 rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512 rsa-sha2-512-cert-v01@openssh.com</list>
+ </completionHelp>
+ <multi/>
+ <constraint>
+ <regex>(ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|sk-ssh-ed25519@openssh.com|sk-ssh-ed25519-cert-v01@openssh.com|ecdsa-sha2-nistp256|ecdsa-sha2-nistp256-cert-v01@openssh.com|ecdsa-sha2-nistp384|ecdsa-sha2-nistp384-cert-v01@openssh.com|ecdsa-sha2-nistp521|ecdsa-sha2-nistp521-cert-v01@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com|sk-ecdsa-sha2-nistp256-cert-v01@openssh.com|webauthn-sk-ecdsa-sha2-nistp256@openssh.com|ssh-dss|ssh-dss-cert-v01@openssh.com|ssh-rsa|ssh-rsa-cert-v01@openssh.com|rsa-sha2-256|rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512|rsa-sha2-512-cert-v01@openssh.com)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
<leafNode name="key-exchange">
<properties>
<help>Allowed key exchange (KEX) algorithms</help>
diff --git a/op-mode-definitions/counters.xml.in b/op-mode-definitions/clear-interfaces.xml.in
index f563cb9a0..de2c3443e 100644
--- a/op-mode-definitions/counters.xml.in
+++ b/op-mode-definitions/clear-interfaces.xml.in
@@ -1,8 +1,14 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="clear">
+ <properties>
+ <help>Clear system information</help>
+ </properties>
<children>
<node name="interfaces">
+ <properties>
+ <help>Clear interface information</help>
+ </properties>
<children>
<node name="counters">
<properties>
@@ -10,6 +16,17 @@
</properties>
<command>sudo ${vyos_op_scripts_dir}/interfaces.py clear_counters</command>
</node>
+ <tagNode name="connection">
+ <properties>
+ <help>Bring connection-oriented network interface down and up</help>
+ <completionHelp>
+ <path>interfaces pppoe</path>
+ <path>interfaces sstpc</path>
+ <path>interfaces wwan</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect --disconnect --interface "$3"</command>
+ </tagNode>
<node name="bonding">
<properties>
<help>Clear Bonding interface information</help>
@@ -595,4 +612,3 @@
</children>
</node>
</interfaceDefinition>
-
diff --git a/op-mode-definitions/configure.xml.in b/op-mode-definitions/configure.xml.in
index a711fa4a9..d7657289b 100644
--- a/op-mode-definitions/configure.xml.in
+++ b/op-mode-definitions/configure.xml.in
@@ -11,11 +11,11 @@
echo "Please do it as an administrator level VyOS user instead."
else
if grep -q -e '^overlay.*/filesystem.squashfs' /proc/mounts; then
- echo "WARNING: You are currently configuring a live-ISO environment, changes will not persist until installed"
+ echo "WARNING: You are currently configuring a live-ISO environment, changes will not persist until installed"
else
if grep -q -s '1' /tmp/vyos-config-status; then
- echo "WARNING: There was a config error on boot: saving the configuration now could overwrite data."
- echo "You may want to check and reload the boot config"
+ echo "WARNING: There was a config error on boot: saving the configuration now could overwrite data."
+ echo "You may want to check and reload the boot config"
fi
fi
history -w
diff --git a/op-mode-definitions/connect.xml.in b/op-mode-definitions/connect.xml.in
index 116cd6231..9027056a6 100644
--- a/op-mode-definitions/connect.xml.in
+++ b/op-mode-definitions/connect.xml.in
@@ -24,7 +24,7 @@
<path>interfaces wwan</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect "$3"</command>
+ <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --connect --interface "$3"</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/disconnect.xml.in b/op-mode-definitions/disconnect.xml.in
index 843998c4f..f0523d9b9 100644
--- a/op-mode-definitions/disconnect.xml.in
+++ b/op-mode-definitions/disconnect.xml.in
@@ -14,7 +14,7 @@
<path>interfaces wwan</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --disconnect "$3"</command>
+ <command>sudo ${vyos_op_scripts_dir}/connect_disconnect.py --disconnect --interface "$3"</command>
</tagNode>
</children>
</node>
diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index b09990c92..d8e325eee 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -304,6 +304,22 @@ class TestServiceSSH(VyOSUnitTestSHIM.TestCase):
for line in ssh_lines:
self.assertIn(line, tmp_sshd_conf)
+ def test_ssh_pubkey_accepted_algorithm(self):
+ algs = ['ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384',
+ 'ecdsa-sha2-nistp521', 'ssh-dss', 'ssh-rsa', 'rsa-sha2-256',
+ 'rsa-sha2-512'
+ ]
+
+ expected = 'PubkeyAcceptedAlgorithms '
+ for alg in algs:
+ self.cli_set(base_path + ['pubkey-accepted-algorithm', alg])
+ expected = f'{expected}{alg},'
+ expected = expected[:-1]
+
+ self.cli_commit()
+ tmp_sshd_conf = read_file(SSHD_CONF)
+ self.assertIn(expected, tmp_sshd_conf)
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/service_monitoring_telegraf.py b/src/conf_mode/service_monitoring_telegraf.py
index 9455b6109..db870aae5 100755
--- a/src/conf_mode/service_monitoring_telegraf.py
+++ b/src/conf_mode/service_monitoring_telegraf.py
@@ -86,7 +86,8 @@ def get_config(config=None):
monitoring['custom_scripts_dir'] = custom_scripts_dir
monitoring['hostname'] = get_hostname()
monitoring['interfaces_ethernet'] = Section.interfaces('ethernet', vlan=False)
- monitoring['nft_chains'] = get_nft_filter_chains()
+ if conf.exists('firewall'):
+ monitoring['nft_chains'] = get_nft_filter_chains()
# Redefine azure group-metrics 'single-table' and 'table-per-metric'
if 'azure_data_explorer' in monitoring:
diff --git a/src/etc/bash_completion.d/vyatta-op b/src/etc/bash_completion.d/vyatta-op
new file mode 100644
index 000000000..8ac2d9b20
--- /dev/null
+++ b/src/etc/bash_completion.d/vyatta-op
@@ -0,0 +1,685 @@
+# vyatta bash operational mode completion
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Tom Grennan
+# Date: 2007
+# Description: setup bash completion for Vyatta operational commands
+#
+# **** End License ****
+
+test -z "$_vyatta_less_options" && \
+ declare -r _vyatta_less_options="\
+ --QUIT-AT-EOF\
+ --quit-if-one-screen\
+ --RAW-CONTROL-CHARS\
+ --squeeze-blank-lines\
+ --no-init"
+test -z "$_vyatta_default_pager" && \
+ declare -r _vyatta_default_pager="less \
+ --buffers=64\
+ --auto-buffers\
+ --no-lessopen\
+ $_vyatta_less_options"
+test -z "$VYATTA_PAGER" && \
+ declare -x VYATTA_PAGER=$_vyatta_default_pager
+
+_vyatta_op_do_key_bindings ()
+{
+ if [[ "$SHELL" != "/bin/vbash" && "$SHELL" != "/sbin/radius_shell" ]]; then
+ # only do bindings if vbash and radius_shell
+ return
+ fi
+ nullglob_save=$(shopt -p nullglob)
+ shopt -u nullglob
+ case "$-" in
+ *i*)
+ bind '"?": possible-completions'
+ bind 'set show-all-if-ambiguous on'
+ bind_cmds=$(grep '^bind .* # vyatta key binding$' $HOME/.bashrc)
+ eval $bind_cmds
+ ;;
+ esac
+ eval $nullglob_save
+}
+
+_vyatta_op_do_key_bindings
+
+test -f /etc/default/vyatta && \
+ source /etc/default/vyatta
+
+test ! -d "$vyatta_op_templates" && \
+ return 0
+
+case "$-" in
+ *i*)
+ declare -r _vyatta_op_last_comp_init='>>>>>>LASTCOMP<<<<<<'
+ ;;
+esac
+declare _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+declare _vyatta_op_node_path
+declare -a _vyatta_op_noncompletions _vyatta_op_completions
+declare -x -a _vyatta_pipe_noncompletions _vyatta_pipe_completions
+declare _vyatta_comptype
+declare -x -a reply
+declare -a _vyatta_operator_allowed
+
+if [[ "$VYATTA_USER_LEVEL_DIR" != "/opt/vyatta/etc/shell/level/admin" ]]; then
+ _vyatta_operator_allowed=( $(cat $VYATTA_USER_LEVEL_DIR/allowed-op) )
+fi
+
+declare -a functions
+functions=( /opt/vyatta/share/vyatta-op/functions/interpreter/* )
+
+for file in "${functions[@]}";do
+ source $file;
+done
+
+# $1: label
+# #2...: strings
+_vyatta_op_debug ()
+{
+ echo -ne \\n$1:
+ shift
+ for s ; do
+ echo -ne " \"$s\""
+ done
+}
+
+# this is needed to provide original "default completion" behavior.
+# see "vyatta-cfg" completion script for details.
+_vyatta_op_default_expand ()
+{
+ local wc=${#COMP_WORDS[@]}
+ if [[ "${COMP_WORDS[0]}" =~ "/" ]]; then
+ # if we are looking for a directory on the first completion then do directory completions
+ _filedir_xspec_vyos
+ elif (( wc < 2 )) ||
+ [[ $COMP_CWORD -eq 0 ]] ||
+ [[ $1 == $2 ]]; then
+ _vyatta_op_expand "$@"
+ else
+ # after the first word => cannot be vyatta command so use original default
+ _filedir_xspec_vyos
+ fi
+}
+
+# $1: label
+# $2...: help
+_vyatta_op_print_help ()
+{
+ local label=$1 help=$2
+ if [ ${#label} -eq 0 ] ; then
+ return
+ elif [ ${#help} -eq 0 ] ; then
+ echo -ne "\n $label"
+ elif [ ${#label} -lt 6 ] ; then
+ echo -ne "\n $label\t\t\t$help"
+ elif [ ${#label} -lt 14 ] ; then
+ echo -ne "\n $label\t\t$help"
+ elif [ ${#label} -lt 21 ] ; then
+ echo -ne "\n $label\t$help"
+ else
+ echo -ne "\n $label\n\t\t\t$help"
+ fi
+}
+
+# $1: $cur
+# $2...: possible completions
+_vyatta_op_help ()
+{
+ local restore_shopts=$( shopt -p extglob nullglob | tr \\n \; )
+ shopt -u nullglob
+ local cur=$1; shift
+ local ndef node_tag_help node_run help last_help
+
+ ndef=${_vyatta_op_node_path}/node.tag/node.def
+ [ -f $ndef ] && \
+ node_tag_help=$( _vyatta_op_get_node_def_field $ndef help )
+
+ ndef=${_vyatta_op_node_path}/node.def
+ [ -f $ndef ] && \
+ node_run=$( _vyatta_op_get_node_def_field $ndef run )
+
+ if [[ "$1" == "<nocomps>" ]]; then
+ eval "$restore_shopts"
+ return
+ fi
+ echo -en "\nPossible completions:"
+ if [ -z "$cur" -a -n "$node_run" ]; then
+ _vyatta_op_print_help '<Enter>' "Execute the current command"
+ fi
+ if [ $# -eq 0 ];then
+ _vyatta_op_print_help '<text>' "$node_tag_help"
+ eval "$restore_shopts"
+ return
+ fi
+ for comp ; do
+ if [[ "$comp" == "<Enter>" ]]; then
+ continue
+ fi
+ if [ -z "$comp" ] ; then
+ if [ "X$node_tag_help" == "X$last_help" ] ; then
+ help=""
+ else
+ last_help=$node_tag_help
+ help=$node_tag_help
+ fi
+ _vyatta_op_print_help '*' "$help"
+ elif [[ -z "$cur" || $comp == ${cur}* ]] ; then
+ ndef=${_vyatta_op_node_path}/$comp/node.def
+ if [ -f $ndef ] ; then
+ help=$( _vyatta_op_get_node_def_field $ndef help )
+ else
+ help=$node_tag_help
+ fi
+ if [ "X$help" == "X$last_help" ] ; then
+ help=""
+ else
+ last_help=$help
+ fi
+ _vyatta_op_print_help "$comp" "$help"
+ fi
+ done
+ eval "$restore_shopts"
+}
+
+_vyatta_op_set_node_path ()
+{
+ local node
+ _vyatta_op_node_path=$vyatta_op_templates
+ for (( i=0 ; i<COMP_CWORD ; i++ )) ; do
+ # expand the command so completion continues to work with short versions
+ if [[ "${COMP_WORDS[i]}" == "*" ]]; then
+ node="node.tag" # user defined wildcars are always tag nodes
+ else
+ node=$(_vyatta_op_conv_node_path $_vyatta_op_node_path ${COMP_WORDS[i]})
+ fi
+ if [ -f "${_vyatta_op_node_path}/$node/node.def" ] ; then
+ _vyatta_op_node_path+=/$node
+ elif [ -f ${_vyatta_op_node_path}/node.tag/node.def ] ; then
+ _vyatta_op_node_path+=/node.tag
+ else
+ return 1
+ fi
+ done
+}
+
+_vyatta_op_set_completions ()
+{
+ local -a allowed completions
+ local cur=$1
+ local restore_shopts=$( shopt -p extglob nullglob | tr \\n \; )
+ for ndef in ${_vyatta_op_node_path}/*/node.def ; do
+ if [[ $ndef == */node.tag/node.def ]] ; then
+ local acmd=$( _vyatta_op_get_node_def_field $ndef allowed )
+ shopt -u extglob nullglob
+ local -a a=($( eval "$acmd" ))
+ eval "$restore_shopts"
+
+ if [ ${#a[@]} -ne 0 ] ; then
+ allowed+=( "${a[@]}" )
+ else
+ allowed+=( "<text>" )
+ fi
+ else
+ local sdir=${ndef%/*}
+ allowed+=( ${sdir##*/} )
+ fi
+ done
+
+ # donot complete entries like <HOSTNAME> or <A.B.C.D>
+ _vyatta_op_noncompletions=( )
+ completions=( )
+
+ # make runable commands have a non-comp
+ ndef=${_vyatta_op_node_path}/node.def
+ [ -f $ndef ] && \
+ node_run=$( _vyatta_op_get_node_def_field $ndef run )
+ if [ -z "$cur" -a -n "$node_run" ]; then
+ _vyatta_op_noncompletions+=('<Enter>')
+ fi
+
+ for (( i=0 ; i<${#allowed[@]} ; i++ )) ; do
+ if [[ "${allowed[i]}" == \<*\> ]] ; then
+ _vyatta_op_noncompletions+=( "${allowed[i]}" )
+ else
+ if [[ "$VYATTA_USER_LEVEL_DIR" == "/opt/vyatta/etc/shell/level/admin" ]]; then
+ completions+=( ${allowed[i]} )
+ elif is_elem_of ${allowed[i]} _vyatta_operator_allowed; then
+ completions+=( ${allowed[i]} )
+ elif [[ $_vyatta_op_node_path == $vyatta_op_templates ]];then
+ continue
+ else
+ completions+=( ${allowed[i]} )
+ fi
+ fi
+ done
+
+ # Prefix filter the non empty completions
+ if [ -n "$cur" ]; then
+ _vyatta_op_completions=()
+ get_prefix_filtered_list "$cur" completions _vyatta_op_completions
+ _vyatta_op_completions=($( printf "%s\n" ${_vyatta_op_completions[@]} | sort -u ))
+ else
+ _vyatta_op_completions=($( printf "%s\n" ${completions[@]} | sort -u ))
+ fi
+ #shopt -s nullglob
+}
+
+_vyatta_op_comprely_needs_ambiguity ()
+{
+ local -a uniq
+
+ [ ${#COMPREPLY[@]} -eq 1 ] && return
+
+ uniq=( `printf "%s\n" ${COMPREPLY[@]} | cut -c1 | sort -u` )
+
+ [ ${#uniq[@]} -eq 1 ] && return
+ false
+}
+
+_vyatta_op_invalid_completion ()
+{
+ local tpath=$vyatta_op_templates
+ local -a args
+ local i=1
+ for arg in "${COMP_WORDS[@]}"; do
+ arg=( $(_vyatta_op_conv_node_path $tpath $arg) ) # expand the arguments
+ # output proper error message based on the above expansion
+ if [[ "${arg[1]}" == "ambiguous" ]]; then
+ echo -ne "\n\n Ambiguous command: ${args[@]} [$arg]\n"
+ local -a cmds=( $(compgen -d $tpath/$arg) )
+ _vyatta_op_node_path=$tpath
+ local comps=$(_vyatta_op_help $arg ${cmds[@]##*/})
+ echo -ne "$comps" | sed -e 's/^P/ P/'
+ break
+ elif [[ "${arg[1]}" == "invalid" ]]; then
+ echo -ne "\n\n Invalid command: ${args[@]} [$arg]"
+ break
+ fi
+
+ if [ -f "$tpath/$arg/node.def" ] ; then
+ tpath+=/$arg
+ elif [ -f $tpath/node.tag/node.def ] ; then
+ tpath+=/node.tag
+ else
+ echo -ne "\n\n Invalid command: ${args[@]} [$arg]" >&2
+ break
+ fi
+ args[$i]=$arg
+ let "i+=1"
+ if [ $[${#COMP_WORDS[@]}+1] -eq $i ];then
+ _vyatta_op_help "" \
+ "${_vyatta_op_noncompletions[@]}" \
+ "${_vyatta_op_completions[@]}" \
+ | ${VYATTA_PAGER:-cat}
+ fi
+ done
+}
+
+_vyatta_op_expand ()
+{
+ # We need nospace here and we have to append our own spaces
+ compopt -o nospace
+
+ local restore_shopts=$( shopt -p extglob nullglob | tr \\n \; )
+ shopt -s extglob nullglob
+ local cur=""
+ local _has_comptype=0
+ local current_prefix=$2
+ local current_word=$3
+ _vyatta_comptype=""
+
+ if (( ${#COMP_WORDS[@]} > 0 )); then
+ cur=${COMP_WORDS[COMP_CWORD]}
+ else
+ (( COMP_CWORD = ${#COMP_WORDS[@]} ))
+ fi
+
+ if _vyatta_pipe_completion "${COMP_WORDS[@]}"; then
+ if [ "${COMP_WORDS[*]}" == "$_vyatta_op_last_comp" ] ||
+ [ ${#_vyatta_pipe_completions[@]} -eq 0 ]; then
+ _vyatta_do_pipe_help
+ COMPREPLY=( "" " " )
+ _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+ else
+ COMPREPLY=( "${_vyatta_pipe_completions[@]}" )
+ _vyatta_op_last_comp="${COMP_WORDS[*]}"
+ if [ ${#COMPREPLY[@]} -eq 1 ]; then
+ COMPREPLY=( "${COMPREPLY[0]} " )
+ fi
+ fi
+ eval "$restore_shopts"
+ return
+ fi
+
+ # this needs to be done on every completion even if it is the 'same' comp.
+ # The cursor can be at different places in the string.
+ # this will lead to unexpected cases if setting the node path isn't attempted
+ # each time.
+ if ! _vyatta_op_set_node_path ; then
+ echo -ne \\a
+ _vyatta_op_invalid_completion
+ COMPREPLY=( "" " " )
+ eval "$restore_shopts"
+ return 1
+ fi
+
+ if [ "${COMP_WORDS[*]:0:$[$COMP_CWORD+1]}" != "$_vyatta_op_last_comp" ] ; then
+ _vyatta_set_comptype
+ case $_vyatta_comptype in
+ 'imagefiles')
+ _has_comptype=1
+ _vyatta_image_file_complete
+ ;;
+ *)
+ _has_comptype=0
+ if [[ -z "$current_word" ]]; then
+ _vyatta_op_set_completions $cur
+ else
+ _vyatta_op_set_completions $current_prefix
+ fi
+ ;;
+ esac
+ fi
+ if [[ $_has_comptype == 1 ]]; then
+ COMPREPLY=( "${_vyatta_op_completions[@]}" )
+ else
+ COMPREPLY=($( compgen -W "${_vyatta_op_completions[*]}" -- $current_prefix ))
+ fi
+
+ # if the last command line arg is empty and we have
+ # an empty completion option (meaning wild card),
+ # append a blank(s) to the completion array to force ambiguity
+ if [ -z "$current_prefix" -a -n "$current_word" ] ||
+ [[ "${COMPREPLY[0]}" =~ "$cur" ]]; then
+ for comp ; do
+ if [ -z "$comp" ] ; then
+ if [ ${#COMPREPLY[@]} -eq 0 ] ; then
+ COMPREPLY=( " " "" )
+ elif _vyatta_op_comprely_needs_ambiguity ; then
+ COMPREPLY+=( " " )
+ fi
+ fi
+ done
+ fi
+ # Set this environment to enable and disable debugging on the fly
+ if [[ $DBG_OP_COMPS -eq 1 ]]; then
+ echo -e "\nCurrent: '$cur'"
+ echo -e "Current word: '$current_word'"
+ echo -e "Current prefix: '$current_prefix'"
+ echo "Number of comps: ${#_vyatta_op_completions[*]}"
+ echo "Number of non-comps: ${#_vyatta_op_noncompletions[*]}"
+ echo "_vyatta_op_completions: '${_vyatta_op_completions[*]}'"
+ echo "COMPREPLY: '${COMPREPLY[@]}'"
+ echo "CWORD: $COMP_CWORD"
+ echo "Last comp: '$_vyatta_op_last_comp'"
+ echo -e "Current comp: '${COMP_WORDS[*]:0:$[$COMP_CWORD+1]}'\n"
+ fi
+
+ # This is non obvious...
+ # To have completion continue to work when working with words that aren't the last word,
+ # we have to set nospace at the beginning of this script and then append the spaces here.
+ if [ ${#COMPREPLY[@]} -eq 1 ] &&
+ [[ $_has_comptype -ne 1 ]]; then
+ COMPREPLY=( "${COMPREPLY[0]} " )
+ fi
+ # if there are no completions then handle invalid commands
+ if [ ${#_vyatta_op_noncompletions[@]} -eq 0 ] &&
+ [ ${#_vyatta_op_completions[@]} -eq 0 ]; then
+ _vyatta_op_invalid_completion
+ COMPREPLY=( "" " " )
+ _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+ elif [ ${#COMPREPLY[@]} -eq 0 ] &&
+ [ -n "$current_prefix" ]; then
+ _vyatta_op_invalid_completion
+ COMPREPLY=( "" " " )
+ _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+ # Stop completions from getting stuck
+ elif [ ${#_vyatta_op_completions[@]} -eq 1 ] &&
+ [ -n "$cur" ] &&
+ [[ "${COMPREPLY[0]}" =~ "$cur" ]]; then
+ _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+ elif [ ${#_vyatta_op_completions[@]} -eq 1 ] &&
+ [ -n "$current_prefix" ] &&
+ [[ "${COMPREPLY[0]}" =~ "$current_prefix" ]]; then
+ _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+ # if there are no completions then always show the non-comps
+ elif [ "${COMP_WORDS[*]:0:$[$COMP_CWORD+1]}" == "$_vyatta_op_last_comp" ] ||
+ [ ${#_vyatta_op_completions[@]} -eq 0 ] ||
+ [ -z "$cur" ]; then
+ _vyatta_op_help "$current_prefix" \
+ "${_vyatta_op_noncompletions[@]}" \
+ "${_vyatta_op_completions[@]}" \
+ | ${VYATTA_PAGER:-cat}
+ COMPREPLY=( "" " " )
+ _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+ else
+ _vyatta_op_last_comp="${COMP_WORDS[*]:0:$[$COMP_CWORD+1]}"
+ fi
+
+ eval "$restore_shopts"
+}
+
+# "pipe" functions
+count ()
+{
+ wc -l
+}
+
+match ()
+{
+ grep -E -e "$1"
+}
+
+no-match ()
+{
+ grep -E -v -e "$1"
+}
+
+no-more ()
+{
+ cat
+}
+
+strip-private ()
+{
+ ${vyos_libexec_dir}/strip-private.py
+}
+
+commands ()
+{
+ if [ "$_OFR_CONFIGURE" != "" ]; then
+ if $(cli-shell-api sessionChanged); then
+ echo "You have uncommited changes, please commit them before using the commands pipe"
+ else
+ vyos-config-to-commands
+ fi
+ else
+ echo "commands pipe is not supported in operational mode"
+ fi
+}
+
+json ()
+{
+ if [ "$_OFR_CONFIGURE" != "" ]; then
+ if $(cli-shell-api sessionChanged); then
+ echo "You have uncommited changes, please commit them before using the JSON pipe"
+ else
+ vyos-config-to-json
+ fi
+ else
+ echo "JSON pipe is not supported in operational mode"
+ fi
+}
+
+# pipe command help
+# $1: command
+_vyatta_pipe_help ()
+{
+ local help="No help text available"
+ case "$1" in
+ count) help="Count the number of lines in the output";;
+ match) help="Only output lines that match specified pattern";;
+ no-match) help="Only output lines that do not match specified pattern";;
+ more) help="Paginate the output";;
+ no-more) help="Do not paginate the output";;
+ strip-private) help="Remove private information from the config";;
+ commands) help="Convert config to set commands";;
+ json) help="Convert config to JSON";;
+ '<pattern>') help="Pattern for matching";;
+ esac
+ echo -n "$help"
+}
+
+_vyatta_do_pipe_help ()
+{
+ local help=''
+ if (( ${#_vyatta_pipe_completions[@]} + ${#_vyatta_pipe_noncompletions[@]}
+ == 0 )); then
+ return
+ fi
+ echo -en "\nPossible completions:"
+ for comp in "${_vyatta_pipe_completions[@]}" \
+ "${_vyatta_pipe_noncompletions[@]}"; do
+ _vyatta_op_print_help "$comp" "$(_vyatta_pipe_help "$comp")"
+ done
+}
+
+# pipe completion
+# $@: words
+_vyatta_pipe_completion ()
+{
+ local -a pipe_cmd=()
+ local -a all_cmds=( 'count' 'match' 'no-match' 'more' 'no-more' 'strip-private' 'commands' 'json' )
+ local found=0
+ _vyatta_pipe_completions=()
+ _vyatta_pipe_noncompletions=()
+
+ for word in "$@"; do
+ if [[ "$found" == "1" || "$word" == "|" ]]; then
+ pipe_cmd+=( "$word" )
+ found=1
+ fi
+ done
+ if (( found == 0 )); then
+ return 1
+ fi
+ if (( ${#pipe_cmd[@]} == 1 )); then
+ # "|" only
+ _vyatta_pipe_completions=( "${all_cmds[@]}" )
+ return 0
+ fi
+ if (( ${#pipe_cmd[@]} == 2 )); then
+ # "|<space, chars, or space+chars>"
+ _vyatta_pipe_completions=($(compgen -W "${all_cmds[*]}" -- ${pipe_cmd[1]}))
+ return 0
+ fi
+ if (( ${#pipe_cmd[@]} == 3 )); then
+ # "|<chars or space+chars><space or space+chars>"
+ case "${pipe_cmd[1]}" in
+ match|no-match) _vyatta_pipe_noncompletions=( '<pattern>' );;
+ esac
+ return 0
+ fi
+ return 0
+}
+
+# comptype
+_vyatta_set_comptype ()
+{
+ local comptype
+ unset _vyatta_comptype
+ for ndef in ${_vyatta_op_node_path}/*/node.def ; do
+ if [[ $ndef == */node.tag/node.def ]] ; then
+ local comptype=$( _vyatta_op_get_node_def_field $ndef comptype )
+ if [[ $comptype == "imagefiles" ]] ; then
+ _vyatta_comptype=$comptype
+ return 0
+ else
+ _vyatta_comptype=""
+ return 1
+ fi
+ else
+ _vyatta_comptype=""
+ return 1
+ fi
+ done
+}
+
+_filedir_xspec_vyos()
+{
+ local cur prev words cword
+ _init_completion || return
+
+ _tilde "$cur" || return 0
+
+ local IFS=$'\n' xspec=${_xspec[${1##*/}]} tmp
+ local -a toks
+
+ toks=( $(
+ compgen -d -- "$(quote_readline "$cur")" | {
+ while read -r tmp; do
+ printf '%s\n' $tmp
+ done
+ }
+ ))
+
+ # Munge xspec to contain uppercase version too
+ # http://thread.gmane.org/gmane.comp.shells.bash.bugs/15294/focus=15306
+ eval xspec="${xspec}"
+ local matchop=!
+ if [[ $xspec == !* ]]; then
+ xspec=${xspec#!}
+ matchop=@
+ fi
+ xspec="$matchop($xspec|${xspec^^})"
+
+ toks+=( $(
+ eval compgen -f -X "!$xspec" -- "\$(quote_readline "\$cur")" | {
+ while read -r tmp; do
+ [[ -n $tmp ]] && printf '%s\n' $tmp
+ done
+ }
+ ))
+
+ if [[ ${#toks[@]} -ne 0 ]]; then
+ compopt -o filenames
+ COMPREPLY=( "${toks[@]}" )
+ fi
+}
+
+nullglob_save=$( shopt -p nullglob )
+shopt -s nullglob
+for f in ${vyatta_datadir}/vyatta-op/functions/allowed/* ; do
+ source $f
+done
+eval $nullglob_save
+unset nullglob_save
+
+# don't initialize if we are in configure mode
+if [ "$_OFR_CONFIGURE" == "ok" ]; then
+ return 0
+fi
+
+if [[ "$VYATTA_USER_LEVEL_DIR" != "/opt/vyatta/etc/shell/level/admin" ]]; then
+ vyatta_unpriv_init $@
+else
+ _vyatta_op_init $@
+fi
+
+### Local Variables:
+### mode: shell-script
+### End:
diff --git a/src/etc/default/vyatta b/src/etc/default/vyatta
new file mode 100644
index 000000000..e5fa3bb30
--- /dev/null
+++ b/src/etc/default/vyatta
@@ -0,0 +1,217 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+
+# declare configured Vyatta shell environment variables
+
+# first set vars per args of the "source /etc/default/vyatta VAR=FOO"
+_vyatta_extglob=$(shopt -p extglob)
+shopt -s extglob
+for arg ; do
+ [[ $arg == *=* ]] && \
+ eval declare -x $arg
+done
+eval $_vyatta_extglob
+unset _vyatta_extglob
+
+{
+ # These declarations must go within braces in order to be able to silence
+ # readonly variable errors.
+
+ for var in prefix exec_prefix datarootdir ; do
+ eval test -n \"\$$var\" \&\& _vyatta_save_$var=\$$var
+ done
+
+ prefix=/opt/vyatta
+ exec_prefix=${prefix}
+ datarootdir=${prefix}/share
+
+ if test -z "$vyatta_prefix" ; then
+ if test -n "/opt/vyatta" ; then
+ declare -x -r vyatta_prefix=/opt/vyatta
+ declare -x -r vyos_prefix=/opt/vyatta
+ else
+ declare -x -r vyatta_prefix=/opt/vyatta
+ declare -x -r vyos_prefix=/opt/vyatta
+ fi
+ fi
+ if test -z "$vyatta_exec_prefix" ; then
+ if test -n "${prefix}" ; then
+ declare -x -r vyatta_prefix=${prefix}
+ declare -x -r vyos_prefix=${prefix}
+ else
+ declare -x -r vyatta_prefix=$vyatta_prefix
+ declare -x -r vyos_prefix=$vyatta_prefix
+ fi
+ fi
+ if test -z "$vyatta_datarootdir" ; then
+ if test -n "${prefix}/share" ; then
+ declare -x -r vyatta_datarootdir=${prefix}/share
+ declare -x -r vyos_datarootdir=${prefix}/share
+ else
+ declare -x -r vyatta_datarootdir=$vyatta_prefix/share
+ declare -x -r vyos_datarootdir=$vyatta_prefix/share
+ fi
+ fi
+ if test -z "$vyatta_bindir" ; then
+ if test -n "${exec_prefix}/bin" ; then
+ declare -x -r vyatta_bindir=${exec_prefix}/bin
+ else
+ declare -x -r vyatta_bindir=$vyatta_exec_prefix/bin
+ fi
+ fi
+ if test -z "$vyatta_sbindir" ; then
+ if test -n "${exec_prefix}/sbin" ; then
+ declare -x -r vyatta_sbindir=${exec_prefix}/sbin
+ else
+ declare -x -r vyatta_sbindir=$vyatta_exec_prefix/sbin
+ fi
+ fi
+ if test -z "$vyatta_libdir" ; then
+ if test -n "${exec_prefix}/lib" ; then
+ declare -x -r vyatta_libdir=${exec_prefix}/lib
+ declare -x -r vyos_libdir=${exec_prefix}/lib
+ else
+ declare -x -r vyatta_libdir=$vyatta_exec_prefix/lib
+ declare -x -r vyos_libdir=$vyatta_exec_prefix/lib
+ fi
+ fi
+ if test -z "$vyatta_libexecdir" ; then
+ if test -n "${exec_prefix}/libexec" ; then
+ declare -x -r vyatta_libexecdir=${exec_prefix}/libexec
+ else
+ declare -x -r vyatta_libexecdir=$vyatta_exec_prefix/libexec
+ fi
+ fi
+ if test -z "$vyatta_datadir" ; then
+ if test -n "${datarootdir}" ; then
+ declare -x -r vyatta_datadir=${datarootdir}
+ declare -x -r vyos_datadir=${datarootdir}
+ else
+ declare -x -r vyatta_datadir=$vyatta_datarootdir
+ declare -x -r vyos_datadir=$vyatta_datarootdir
+ fi
+ fi
+ if test -z "$vyatta_htmldir" ; then
+ if test -n "${docdir}" ; then
+ declare -x -r vyatta_htmldir=${docdir}
+ else
+ declare -x -r vyatta_htmldir=$vyatta_datarootdir/html
+ fi
+ fi
+ if test -z "$vyatta_infodir" ; then
+ if test -n "${prefix}/share/info" ; then
+ declare -x -r vyatta_infodir=${prefix}/share/info
+ else
+ declare -x -r vyatta_infodir=$vyatta_datarootdir/info
+ fi
+ fi
+ if test -z "$vyatta_mandir" ; then
+ if test -n "${prefix}/share/man" ; then
+ declare -x -r vyatta_htmldir=${prefix}/share/man
+ else
+ declare -x -r vyatta_htmldir=$vyatta_datarootdir/man
+ fi
+ fi
+ if test -z "$vyatta_localedir" ; then
+ if test -n "${datarootdir}/locale" ; then
+ declare -x -r vyatta_localedir=${datarootdir}/locale
+ else
+ declare -x -r vyatta_localedir=$vyatta_datarootdir/locale
+ fi
+ fi
+ if test -z "$vyatta_localstatedir" ; then
+ if test -n "${prefix}/var" ; then
+ declare -x -r vyatta_localstatedir=${prefix}/var
+ else
+ declare -x -r vyatta_localstatedir=$vyatta_prefix/var
+ fi
+ fi
+ if test -z "$vyatta_sharedstatedir" ; then
+ if test -n "${prefix}/com" ; then
+ declare -x -r vyatta_sharedstatedir=${prefix}/com
+ else
+ declare -x -r vyatta_sharedstatedir=$vyatta_prefix/com
+ fi
+ fi
+ if test -z "$vyatta_sysconfdir" ; then
+ if test -n "${prefix}/etc" ; then
+ declare -x -r vyatta_sysconfdir=${prefix}/etc
+ else
+ declare -x -r vyatta_sysconfdir=$vyatta_prefix/etc
+ fi
+ fi
+ if test -z "$vyatta_op_templates" ; then
+ declare -x -r vyatta_op_templates=$vyatta_datadir/vyatta-op/templates
+ declare -x -r vyos_op_templates=$vyatta_datadir/vyatta-op/templates
+ fi
+ if test -z "$vyatta_cfg_templates" ; then
+ declare -x -r vyatta_cfg_templates=$vyatta_datadir/vyatta-cfg/templates
+ declare -x -r vyos_cfg_templates=$vyatta_datadir/vyatta-cfg/templates
+ fi
+ if test -z "$vyatta_configdir" ; then
+ declare -x -r vyatta_configdir=$vyatta_prefix/config
+ declare -x -r vyos_configdir=$vyatta_prefix/config
+ fi
+
+ for var in prefix exec_prefix datarootdir ; do
+ eval test -n \"\$_vyatta_save_$var\" \&\& $var=\$_vyatta_save_$var
+ done
+
+ # It's not like we do, or should support installing VyOS at a different prefix
+ declare -x -r vyos_libexec_dir=/usr/libexec/vyos
+ declare -x -r vyos_bin_dir=/usr/bin
+ declare -x -r vyos_sbin_dir=/usr/sbin
+ declare -x -r vyos_share_dir=/usr/share
+
+ if test -z "$vyos_conf_scripts_dir" ; then
+ declare -x -r vyos_conf_scripts_dir=$vyos_libexec_dir/conf_mode
+ fi
+ if test -z "$vyos_op_scripts_dir" ; then
+ declare -x -r vyos_op_scripts_dir=$vyos_libexec_dir/op_mode
+ fi
+ if test -z "$vyos_completion_dir" ; then
+ declare -x -r vyos_completion_dir=$vyos_libexec_dir/completion
+ fi
+ if test -z "$vyos_validators_dir" ; then
+ declare -x -r vyos_validators_dir=$vyos_libexec_dir/validators
+ fi
+ if test -z "$vyos_data_dir" ; then
+ declare -x -r vyos_data_dir=$vyos_share_dir/vyos
+ fi
+ if test -z "$vyos_persistence_dir" ; then
+ UNION_NAME=$(cat /proc/cmdline | sed -e s+^.*vyos-union=++ | sed -e 's/ .*$//')
+ declare -x -r vyos_persistence_dir="/usr/lib/live/mount/persistence/${UNION_NAME}"
+ fi
+ if test -z "$vyos_rootfs_dir" ; then
+ ROOTFS=$(mount -t squashfs | grep loop0 | cut -d' ' -f3)
+ declare -x -r vyos_rootfs_dir="${ROOTFS}"
+ fi
+ if test -z "$VRF" ; then
+ VRF=$(ip vrf identify)
+ [ -n "$VRF" ] && declare -x -r VRF="${VRF}"
+ fi
+ if test -z "$NETNS" ; then
+ NETNS=$(ip netns identify)
+ [ -n "$NETNS" ] && declare -x -r NETNS="${NETNS}"
+ fi
+
+} 2>/dev/null || :
+
+[ -r /etc/default/vyatta-cfg ] && source /etc/default/vyatta-cfg
+
+[ -r /etc/default/vyatta-local-env ] && source /etc/default/vyatta-local-env
+
+### Local Variables:
+### mode: shell-script
+### End:
diff --git a/src/op_mode/connect_disconnect.py b/src/op_mode/connect_disconnect.py
index 373f9e953..379890c54 100755
--- a/src/op_mode/connect_disconnect.py
+++ b/src/op_mode/connect_disconnect.py
@@ -95,17 +95,21 @@ def disconnect(interface):
def main():
parser = argparse.ArgumentParser()
group = parser.add_mutually_exclusive_group()
- group.add_argument("--connect", help="Bring up a connection-oriented network interface", action="store")
- group.add_argument("--disconnect", help="Take down connection-oriented network interface", action="store")
+ group.add_argument("--connect", help="Bring up a connection-oriented network interface", action="store_true")
+ group.add_argument("--disconnect", help="Take down connection-oriented network interface", action="store_true")
+ group.add_argument("--interface", help="Interface name", action="store", required=True)
args = parser.parse_args()
- if args.connect:
- if commit_in_progress():
- print('Cannot connect while a commit is in progress')
- exit(1)
- connect(args.connect)
- elif args.disconnect:
- disconnect(args.disconnect)
+ if args.connect or args.disconnect:
+ if args.disconnect:
+ disconnect(args.interface)
+
+ if args.connect:
+ if commit_in_progress():
+ print('Cannot connect while a commit is in progress')
+ exit(1)
+ connect(args.interface)
+
else:
parser.print_help()
diff --git a/src/opt/vyatta/bin/restricted-shell b/src/opt/vyatta/bin/restricted-shell
new file mode 100755
index 000000000..ffcbb53b7
--- /dev/null
+++ b/src/opt/vyatta/bin/restricted-shell
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ $# != 0 ]; then
+ echo "Remote command execution is not allowed for operator level users"
+ args=($@)
+ args_str=$(IFS=" " ; echo "${args[*]}")
+ logger "Operator level user $USER attempted remote command execution: $args_str"
+ exit 1
+fi
+
+exec vbash
diff --git a/src/opt/vyatta/bin/vyatta-op-cmd-wrapper b/src/opt/vyatta/bin/vyatta-op-cmd-wrapper
new file mode 100755
index 000000000..a89211b2b
--- /dev/null
+++ b/src/opt/vyatta/bin/vyatta-op-cmd-wrapper
@@ -0,0 +1,6 @@
+#!/bin/vbash
+shopt -s expand_aliases
+source /etc/default/vyatta
+source /etc/bash_completion.d/vyatta-op
+_vyatta_op_init
+_vyatta_op_run "$@"
diff --git a/src/opt/vyatta/etc/LICENSE b/src/opt/vyatta/etc/LICENSE
new file mode 100644
index 000000000..6d45519c8
--- /dev/null
+++ b/src/opt/vyatta/etc/LICENSE
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/src/opt/vyatta/etc/shell/level/users/allowed-op b/src/opt/vyatta/etc/shell/level/users/allowed-op
new file mode 100644
index 000000000..74c45af37
--- /dev/null
+++ b/src/opt/vyatta/etc/shell/level/users/allowed-op
@@ -0,0 +1,20 @@
+c
+cl
+cle
+clea
+clear
+connect
+delete
+disconnect
+exit
+force
+monitor
+ping
+reset
+release
+renew
+set
+show
+telnet
+traceroute
+update
diff --git a/src/opt/vyatta/etc/shell/level/users/allowed-op.in b/src/opt/vyatta/etc/shell/level/users/allowed-op.in
new file mode 100644
index 000000000..1976904e4
--- /dev/null
+++ b/src/opt/vyatta/etc/shell/level/users/allowed-op.in
@@ -0,0 +1,16 @@
+clear
+connect
+delete
+disconnect
+exit
+force
+monitor
+ping
+reset
+release
+renew
+set
+show
+telnet
+traceroute
+update
diff --git a/src/opt/vyatta/sbin/if-mib-alias b/src/opt/vyatta/sbin/if-mib-alias
new file mode 100755
index 000000000..bc86f999f
--- /dev/null
+++ b/src/opt/vyatta/sbin/if-mib-alias
@@ -0,0 +1,130 @@
+#! /usr/bin/perl
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Stephen Hemminger
+# Date: October 2010
+# Description: script is run as net-snmp extension to read interface alias
+#
+# **** End License ****
+
+use strict;
+use warnings;
+use feature "switch";
+no warnings 'experimental::smartmatch';
+
+# Collect interface all alias values
+sub get_alias {
+ my @interfaces;
+
+ open (my $ip, '-|', 'ip li')
+ or die "Can't run ip command\n";
+ my $index;
+ while(<$ip>) {
+ if (/^(\d+): ([^:]*): /) {
+ $index = $1;
+ $interfaces[$index] = $2;
+ } elsif (/^ +alias (.*)$/) {
+ $interfaces[$index] = $1;
+ }
+ }
+ close $ip;
+ return @interfaces;
+}
+
+sub get_oid {
+ my $oid = shift;
+ die "Not a valid Object ID: $oid"
+ unless ($oid =~ /.(\d+)$/);
+
+ my $ifindex = $1;
+ my @interfaces = get_alias();
+
+ my $ifalias = $interfaces[$ifindex];
+ print "$oid\nstring\n$ifalias\n" if $ifalias;
+}
+
+# OID of ifAlias [RFC2863]
+my $BASE = '.1.3.6.1.2.1.31.1.1.1.18';
+
+sub get_next {
+ my $oid = shift;
+
+ return get_next("$BASE.0")
+ if ($oid eq $BASE);
+
+ die "Not a valid Object ID: $oid"
+ unless ($oid =~ /^(\S*)\.(\d+)$/);
+
+ my $base = $1;
+ my $ifindex = $2;
+ my @interfaces = get_alias();
+
+ while (++$ifindex <= $#interfaces) {
+ my $ifalias = $interfaces[$ifindex];
+ if ($ifalias) {
+ print "$base.$ifindex\nstring\n$ifalias\n";
+ last;
+ }
+ }
+}
+
+sub ifindextoname {
+ my $ifindex = shift;
+
+ open (my $ip, '-|', 'ip li')
+ or die "Can't run ip command\n";
+ my $index;
+ while(<$ip>) {
+ next unless (/^(\d+): ([^:]*): /);
+ return $2 if ($1 == $ifindex);
+ }
+ return;
+}
+
+sub set_oid {
+ my ($oid, $target, $value) = @_;
+ die "Not a valid Object ID: $oid"
+ unless ($oid =~ /\.(\d+)$/);
+ my $ifindex = $1;
+ unless ($target eq 'string') {
+ print "wrong-type\n";
+ return;
+ }
+
+ my $ifname = ifindextoname($ifindex);
+ if ($ifname) {
+ system("ip li set $ifname alias '$value' >/dev/null 2>&1");
+ print "not-writeable\n" if ($? != 0);
+ }
+}
+
+sub usage {
+ warn "Usage: $0 {-g|-n} OID\n";
+ warn " $0 -s OID TARGET VALUE\n";
+ exit 1;
+}
+
+usage unless $#ARGV >= 1;
+
+given ($ARGV[0]) {
+ when ('-g') { get_oid ($ARGV[1]); }
+ when ('-n') { get_next ($ARGV[1]); }
+ when ('-s') { set_oid ($ARGV[1], $ARGV[2], $ARGV[3]); }
+ default {
+ warn "$ARGV[0] unknown flag\n";
+ usage;
+ }
+}
diff --git a/src/opt/vyatta/sbin/vyos-persistpath b/src/opt/vyatta/sbin/vyos-persistpath
new file mode 100755
index 000000000..d7199b09a
--- /dev/null
+++ b/src/opt/vyatta/sbin/vyos-persistpath
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+if grep -q -e '^overlay.*/filesystem.squashfs' /proc/mounts; then
+ # Live CD boot
+ exit 2
+
+elif grep -q 'upperdir=/live/persistence/' /proc/mounts && egrep -q 'overlay / overlay ' /proc/mounts; then
+ # union boot
+
+ boot_device=`grep -o 'upperdir=/live/persistence/[^/]*/boot' /proc/mounts | cut -d / -f 4`
+ persist_path="/lib/live/mount/persistence/$boot_device"
+
+ echo $persist_path
+ exit 0
+else
+ # old style boot
+
+ exit 1
+fi \ No newline at end of file
diff --git a/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-common b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-common
new file mode 100644
index 000000000..e749f0217
--- /dev/null
+++ b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-common
@@ -0,0 +1,82 @@
+# vyatta bash completion common functions
+
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# A copy of the GNU General Public License is available as
+# `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
+# or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
+# You can also obtain it by writing to the Free Software Foundation,
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+#
+# Author: Vyatta
+# Description: bash completion common functions
+#
+# **** End License ****
+
+get_prefix_filtered_list ()
+{
+ # $1: prefix
+ # $2: \@list
+ # $3: \@filtered
+ declare -a olist
+ local pfx=$1
+ pfx=${pfx#\"}
+ eval "olist=( \"\${$2[@]}\" )"
+ local idx=0
+ for elem in "${olist[@]}"; do
+ local sub="${elem#$pfx}"
+ if [[ "$elem" == "$sub" ]] && [[ -n "$pfx" ]]; then
+ continue
+ fi
+ eval "$3[$idx]=\$elem"
+ (( idx++ ))
+ done
+}
+
+get_prefix_filtered_list2 ()
+{
+ # $1: prefix
+ # $2: \@list
+ # $3: \@filtered
+ # $4: \@list2
+ # $5: \@filtered2
+ declare -a olist
+ local pfx=$1
+ pfx=${pfx#\"}
+ eval "olist=( \"\${$2[@]}\" )"
+ eval "local orig_len=\${#$2[@]}"
+ local orig_idx=0
+ local idx=0
+ for (( orig_idx = 0; orig_idx < orig_len; orig_idx++ )); do
+ eval "local elem=\${$2[$orig_idx]}"
+ eval "local elem2=\${$4[$orig_idx]}"
+ local sub="${elem#$pfx}"
+ if [[ "$elem" == "$sub" ]] && [[ -n "$pfx" ]]; then
+ continue
+ fi
+ eval "$3[$idx]=\$elem"
+ eval "$5[$idx]=\$elem2"
+ (( idx++ ))
+ done
+}
+
+is_elem_of () {
+ local elem="$1"
+ local -a olist
+ eval "olist=( \"\${$2[@]}\" )"
+ for e in "${olist[@]}"; do
+ if [[ "$e" == "$elem" ]]; then
+ return 0
+ fi
+ done
+ return 1
+}
diff --git a/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run
new file mode 100644
index 000000000..f0479ae88
--- /dev/null
+++ b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run
@@ -0,0 +1,240 @@
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Tom Grennan
+# Date: 2007
+# Description: setup bash completion for Vyatta operational commands
+#
+# **** End License ****
+
+_vyatta_op_init ()
+{
+ # empty and default line compeletion
+ complete -E -F _vyatta_op_expand
+ complete -D -F _vyatta_op_default_expand
+
+ # create the top level aliases for the unambiguous portions of the commands
+ # this is the only place we need an entire enumerated list of the subcommands
+ for cmd in $( ls /opt/vyatta/share/vyatta-op/templates/ ); do
+ for pos in $(seq 1 ${#cmd}); do
+ case ${cmd:0:$pos} in
+ for|do|done|if|fi|case|while|tr )
+ continue ;;
+ *) ;;
+ esac
+ complete -F _vyatta_op_expand ${cmd:0:$pos}
+ eval alias ${cmd:0:$pos}=\'_vyatta_op_run ${cmd:0:$pos}\'
+ done
+ done
+
+ shopt -s histverify
+}
+
+_vyatta_op_get_node_def_field ()
+{
+ local file=$1 field=$2
+
+ sed -n '/^'"$field"':/,$ {
+# strip field name and hold rest of line
+ s/[a-z]*: *//
+ h
+ :b
+# at EOF, print hold buffer and quit
+ $ { x; p; q }
+# input next line
+ n
+# if start of another field def, print hold buf and quit
+ /^[a-z]*:/ { x; p; q }
+# add to hold buf and branch to input next line
+ H
+ bb
+ }' $file
+}
+
+_vyatta_op_conv_node_path ()
+{
+ # is the node ok, ambiguous, or invalid
+ local node_path
+ local node
+ local -a ARR
+ node_path=$1
+ node=$2
+ ARR=( $(compgen -d $node_path/$node) )
+ if [[ "${#ARR[@]}" == "1" ]]; then
+ echo ${ARR[0]##*/}
+ elif [[ "${#ARR[@]}" == "0" ]]; then
+ if [[ -d "${node_path}/node.tag" ]]; then
+ echo "$node tag"
+ else
+ echo "$node invalid"
+ fi
+ elif [[ -d "$node_path/$node" ]]; then
+ echo $node
+ elif [[ "$VYATTA_USER_LEVEL_DIR" != "/opt/vyatta/etc/shell/level/admin" ]];then
+ # special handling for unprivledged completions.
+ # Since top level commands are different for unprivledged users
+ # we need a handler to expand them properly.
+ local -a filtered_cmds=()
+ local -a allowed=( $(cat $VYATTA_USER_LEVEL_DIR/allowed-op.in) )
+ get_prefix_filtered_list $node allowed filtered_cmds
+ if [[ "${#filtered_cmds[@]}" == "1" ]];then
+ echo ${filtered_cmds[0]}
+ else
+ echo "${node} ambiguous"
+ fi
+ else
+ echo "$node ambiguous"
+ fi
+}
+
+_vyatta_op_conv_run_cmd ()
+{
+ # Substitue bash positional variables
+ # for the same value in the expanded array
+ local restore_shopts=$( shopt -p extglob nullglob | tr \\n \; )
+ shopt -s extglob
+ shopt -u nullglob
+ local run_cmd="$1"
+ local line outline
+ local -i inquote=0;
+ local outcmd='';
+ local OIFS=$IFS
+ local re="([^']*')(.*)"
+
+ toggle_inquote()
+ {
+ if [[ $inquote == 0 ]]; then
+ inquote=1
+ else
+ inquote=0
+ fi
+ }
+
+ process_subline()
+ {
+ if [[ $inquote == 1 ]]; then
+ outline+="$1"
+ else
+ outline+=$(sed -e 's/\$\([0-9]\)/\$\{args\[\1\]\}/g' <<<"$1")
+ fi
+ }
+
+ run_cmd="${run_cmd/\"\$\@\"/${args[*]}}"
+ run_cmd="${run_cmd/\$\*/${args[*]}}"
+ run_cmd="${run_cmd//\\/\\\\}"
+ IFS=$'\n'
+ for line in ${run_cmd[@]}; do
+ outline=''
+ while [[ -n "$line" ]]; do
+ if [[ "$line" =~ $re ]]; then
+ process_subline "${BASH_REMATCH[1]}"
+ toggle_inquote
+ else
+ process_subline "$line"
+ fi
+ line="${BASH_REMATCH[2]}"
+ done
+ outcmd+="$outline\n"
+ done
+ IFS=$OIFS
+ eval "$restore_shopts"
+ echo -ne "$outcmd"
+}
+
+_vyatta_op_run ()
+{
+ # if run with bash builtin "set -/+*" run set and return
+ # this happens when a different completion script runs eval "set ..."
+ # (VyOS T1604)
+ if [[ "$1" == "set" && "$2" =~ ^(-|\+).* ]]; then
+ set "${@:2}"
+ return
+ fi
+
+ local -i estat
+ local tpath=$vyatta_op_templates
+ local restore_shopts=$( shopt -p extglob nullglob | tr \\n \; )
+ shopt -s extglob nullglob
+
+ _vyatta_op_last_comp=${_vyatta_op_last_comp_init}
+ false; estat=$?
+ stty echo 2> /dev/null # turn echo on, this is a workaround for bug 7570
+ # not a fix we need to look at why the readline library
+ # is getting confused on paged help text.
+
+ i=1
+ declare -a args # array of expanded arguments
+ for arg in "$@"; do
+ local orig_arg=$arg
+ if [[ $arg == "*" ]]; then
+ arg="*" #leave user defined wildcards alone
+ else
+ arg=( $(_vyatta_op_conv_node_path $tpath $arg) ) # expand the arguments
+ fi
+ # output proper error message based on the above expansion
+ if [[ "${arg[1]}" == "ambiguous" ]]; then
+ echo -ne "\n Ambiguous command: ${args[@]} [$arg]\n" >&2
+ local -a cmds=( $(compgen -d $tpath/$arg) )
+ _vyatta_op_node_path=$tpath
+ local comps=$(_vyatta_op_help $arg ${cmds[@]##*/})
+ echo -e "$comps\n" | sed -e 's/^P/ P/'
+ eval $restore_shopts
+ return 1
+ elif [[ "${arg[1]}" == "invalid" ]]; then
+ echo -ne "\n Invalid command: ${args[@]} [$arg]\n\n" >&2
+ eval $restore_shopts
+ return 1
+ fi
+
+ if [ -f "$tpath/$arg/node.def" ] ; then
+ tpath+=/$arg
+ elif [ -f $tpath/node.tag/node.def ] ; then
+ tpath+=/node.tag
+ else
+ echo -ne "\n Invalid command: ${args[@]} [$arg]\n\n" >&2
+ eval $restore_shopts
+ return 1
+ fi
+ if [[ "$arg" == "node.tag" ]]; then
+ args[$i]=$orig_arg
+ else
+ args[$i]=$arg
+ fi
+ let "i+=1"
+ done
+
+ local run_cmd=$(_vyatta_op_get_node_def_field $tpath/node.def run)
+ run_cmd=$(_vyatta_op_conv_run_cmd "$run_cmd") # convert the positional parameters
+ local ret=0
+ # Exception for the `show file` command
+ local file_cmd='\$\{vyos_op_scripts_dir\}\/file\.py'
+ local cmd_regex="^(LESSOPEN=|less|pager|tail|(sudo )?$file_cmd).*"
+ if [ -n "$run_cmd" ]; then
+ eval $restore_shopts
+ if [[ -t 1 && "${args[1]}" == "show" && ! $run_cmd =~ $cmd_regex ]] ; then
+ eval "($run_cmd) | ${VYATTA_PAGER:-cat}"
+ else
+ eval "$run_cmd"
+ fi
+ else
+ echo -ne "\n Incomplete command: ${args[@]}\n\n" >&2
+ eval $restore_shopts
+ ret=1
+ fi
+ return $ret
+}
+
+### Local Variables:
+### mode: shell-script
+### End:
diff --git a/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-unpriv b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-unpriv
new file mode 100644
index 000000000..1507f4f0d
--- /dev/null
+++ b/src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-unpriv
@@ -0,0 +1,97 @@
+#!/bin/bash
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# **** End License ****
+
+source /opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-common
+
+declare -a op_allowed
+declare -a toplevel
+
+op_allowed=( $(cat /opt/vyatta/etc/shell/level/users/allowed-op.in) )
+toplevel=( $(ls /opt/vyatta/share/vyatta-op/templates/) )
+
+vyatta_unpriv_ambiguous ()
+{
+ local -a filtered_cmds=()
+ get_prefix_filtered_list $1 op_allowed filtered_cmds
+ _vyatta_op_node_path=${vyatta_op_templates}
+ comps=$(_vyatta_op_help $1 ${filtered_cmds[@]})
+ echo -ne "\n Ambiguous command: [$1]\n"
+ echo -e "$comps\n" | sed -e 's/^P/ P/'
+}
+
+vyatta_unpriv_init ()
+{
+ # empty and default line compeletion
+ complete -E -F _vyatta_op_expand
+ complete -D -F _vyatta_op_default_expand
+
+ for cmd in "${op_allowed[@]}"; do
+ if is_elem_of ${cmd} toplevel; then
+ for pos in $(seq 1 ${#cmd}); do
+ case ${cmd:0:$pos} in
+ for|do|done|if|fi|case|while|tr )
+ continue ;;
+ *) ;;
+ esac
+ local -a filtered_cmds=()
+ get_prefix_filtered_list ${cmd:0:$pos} op_allowed filtered_cmds
+ local found
+ is_elem_of "${cmd:0:$pos}" op_allowed
+ found=$?
+ if [[ "${#filtered_cmds[@]}" == "1" || "${cmd:0:$pos}" == "$cmd" || "$found" == "0" ]]; then
+ local fcmd
+ if [[ "${#filtered_cmds[@]}" == "1" ]]; then
+ fcmd=${filtered_cmds[0]}
+ elif is_elem_of "${cmd:0:$pos}" op_allowed; then
+ fcmd=${cmd:0:$pos}
+ else
+ fcmd=$cmd
+ fi
+ eval alias ${cmd:0:$pos}=\'_vyatta_op_run $fcmd\'
+ else
+ eval alias ${cmd:0:$pos}=\'vyatta_unpriv_ambiguous ${cmd:0:$pos}\'
+ fi
+ complete -F _vyatta_op_expand ${cmd:0:$pos}
+ done
+ fi
+ done
+ if [[ "$VYATTA_USER_LEVEL_DIR" == "/opt/vyatta/etc/shell/level/users" ]]; then
+ PS1='\u@\h> '
+ fi
+}
+
+vyatta_unpriv_gen_allowed () {
+ local -a allowed_cmds=()
+ rm -rf /opt/vyatta/etc/shell/level/users/allowed-op
+ for cmd in "${op_allowed[@]}"; do
+ if is_elem_of ${cmd} toplevel; then
+ for pos in $(seq 1 ${#cmd}); do
+ case ${cmd:0:$pos} in
+ for|do|done|if|fi|case|while|tr )
+ continue ;;
+ *) ;;
+ esac
+ if ! is_elem_of ${cmd:0:$pos} allowed_cmds; then
+ allowed_cmds+=( ${cmd:0:$pos} )
+ echo ${cmd:0:$pos} >> /opt/vyatta/etc/shell/level/users/allowed-op
+ fi
+ done
+ else
+ echo ${cmd} >> /opt/vyatta/etc/shell/level/users/allowed-op
+ fi
+ done
+}