19 files changed, 469 insertions, 228 deletions
diff --git a/data/templates/ntp/ntpd.conf.j2 b/data/templates/ntp/ntpd.conf.j2 index da610051e..8921826fa 100644 --- a/data/templates/ntp/ntpd.conf.j2 +++ b/data/templates/ntp/ntpd.conf.j2 @@ -33,10 +33,17 @@ restrict {{ address | address_from_cidr }} mask {{ address | netmask_from_cidr } {% endfor %} {% endif %} -{% if listen_address %} +{% if listen_address is vyos_defined or interface is vyos_defined %} # NTP should listen on configured addresses only interface ignore wildcard -{% for address in listen_address %} +{% if listen_address is vyos_defined %} +{% for address in listen_address %} interface listen {{ address }} -{% endfor %} +{% endfor %} +{% endif %} +{% if interface is vyos_defined %} +{% for ifname in interface %} +interface listen {{ ifname }} +{% endfor %} +{% endif %} {% endif %} diff --git a/interface-definitions/include/firewall/geoip.xml.i b/interface-definitions/include/firewall/geoip.xml.i index f6208f718..9fb37a574 100644 --- a/interface-definitions/include/firewall/geoip.xml.i +++ b/interface-definitions/include/firewall/geoip.xml.i @@ -17,6 +17,12 @@ <multi /> </properties> </leafNode> + <leafNode name="inverse-match"> + <properties> + <help>Inverse match of country-codes</help> + <valueless/> + </properties> + </leafNode> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/generic-interface-multi.xml.i b/interface-definitions/include/generic-interface-multi.xml.i index 44e87775c..65aae28ae 100644 --- a/interface-definitions/include/generic-interface-multi.xml.i +++ b/interface-definitions/include/generic-interface-multi.xml.i @@ -1,7 +1,7 @@ <!-- include start from generic-interface-multi.xml.i --> <leafNode name="interface"> <properties> - <help>Interface Name to use</help> + <help>Interface to use</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> 
diff --git a/interface-definitions/include/generic-interface.xml.i b/interface-definitions/include/generic-interface.xml.i index 50af718a5..8b4cf1d65 100644 --- a/interface-definitions/include/generic-interface.xml.i +++ b/interface-definitions/include/generic-interface.xml.i @@ -1,7 +1,7 @@ <!-- include start from generic-interface.xml.i --> <leafNode name="interface"> <properties> - <help>Interface Name to use</help> + <help>Interface to use</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/ntp.xml.in index a518a9def..85636a50f 100644 --- a/interface-definitions/ntp.xml.in +++ b/interface-definitions/ntp.xml.in @@ -81,6 +81,7 @@ </leafNode> </children> </node> + #include <include/generic-interface-multi.xml.i> #include <include/listen-address.xml.i> #include <include/interface/vrf.xml.i> </children> diff --git a/op-mode-definitions/include/bgp/reset-bgp-afi-common.xml.i b/op-mode-definitions/include/bgp/reset-bgp-afi-common.xml.i new file mode 100644 index 000000000..2f88daad3 --- /dev/null +++ b/op-mode-definitions/include/bgp/reset-bgp-afi-common.xml.i @@ -0,0 +1,20 @@ +<!-- included start from bgp/reset-bgp-afi-common.xml.i --> +<node name="external"> + <properties> + <help>Reset all external peers</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> +</node> +<tagNode name="1-4294967295"> + <properties> + <help>Reset peers with the AS number</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> +</tagNode> +<!-- included end --> 
diff --git a/op-mode-definitions/include/bgp/reset-bgp-neighbor-options.xml.i b/op-mode-definitions/include/bgp/reset-bgp-neighbor-options.xml.i new file mode 100644 index 000000000..d9feee18a --- /dev/null +++ b/op-mode-definitions/include/bgp/reset-bgp-neighbor-options.xml.i @@ -0,0 +1,48 @@ +<!-- included start from bgp/reset-bgp-neighbor-options.xml.i --> +<node name="in"> + <properties> + <help>Send route-refresh unless using 'soft-reconfiguration inbound'</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + <leafNode name="prefix-filter"> + <properties> + <help>Push out prefix-list ORF and do inbound soft reconfig</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </leafNode> + </children> +</node> +<leafNode name="message-stats"> + <properties> + <help>Reset message statistics</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> +</leafNode> +<leafNode name="out"> + <properties> + <help>Resend all outbound updates</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> +</leafNode> +<node name="soft"> + <properties> + <help>Soft reconfig inbound and outbound updates</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + <node name="in"> + <properties> + <help>Send route-refresh unless using 'soft-reconfiguration inbound'</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </node> + <node name="out"> + <properties> + <help>Resend all outbound updates</help> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </node> + </children> +</node> +<!-- included end --> diff --git a/op-mode-definitions/include/bgp/reset-bgp-peer-group-vrf.xml.i b/op-mode-definitions/include/bgp/reset-bgp-peer-group-vrf.xml.i new file mode 100644 index 000000000..c1a24bae2 --- /dev/null 
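Review bot: Under `<node name="soft">` the nested `in` node reuses the top-level help text "Send route-refresh unless using 'soft-reconfiguration inbound'", which describes a plain `in`, not `soft in`; the definitions this include replaces later in the diff (reset-ip-bgp.xml.in and reset-ipv6-bgp.xml.in) described `soft in` as "Clear via soft reconfig of inbound update". Suggest `<help>Clear via soft reconfig of inbound update</help>` for the `soft`/`in` node so the two stay distinguishable in completion.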
+++ b/op-mode-definitions/include/bgp/reset-bgp-peer-group-vrf.xml.i @@ -0,0 +1,14 @@ +<!-- included start from bgp/reset-bgp-peer-group-vrf.xml.i --> +<tagNode name="peer-group"> + <properties> + <help>Reset all members of peer-group</help> + <completionHelp> + <path>vrf name ${COMP_WORDS[4]} protocols bgp peer-group</path> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> +</tagNode> +<!-- included end --> diff --git a/op-mode-definitions/include/bgp/reset-bgp-peer-group.xml.i b/op-mode-definitions/include/bgp/reset-bgp-peer-group.xml.i new file mode 100644 index 000000000..c26e47b47 --- /dev/null +++ b/op-mode-definitions/include/bgp/reset-bgp-peer-group.xml.i @@ -0,0 +1,14 @@ +<!-- included start from bgp/reset-bgp-peer-group.xml.i --> +<tagNode name="peer-group"> + <properties> + <help>Reset all members of peer-group</help> + <completionHelp> + <path>protocols bgp peer-group</path> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> +</tagNode> +<!-- included end --> diff --git a/op-mode-definitions/reset-bgp.xml.in b/op-mode-definitions/reset-bgp.xml.in new file mode 100644 index 000000000..a1d42d4a3 --- /dev/null +++ b/op-mode-definitions/reset-bgp.xml.in 
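Review bot: The completion path `vrf name ${COMP_WORDS[4]}` in the new peer-group tagNode looks off by one at every place this include is used: under `reset bgp vrf <name> peer-group`, word index 3 is the VRF name and index 4 is `peer-group` (or `ipv4`/`ipv6`/`evpn` in the address-family variants), and the sibling neighbor completions in reset-bgp.xml.in read `${COMP_WORDS[3]}` for the same value. If COMP_WORDS[0] is the first command word, as `$4` in `clear bgp vrf $4 *` suggests, the path should read `<path>vrf name ${COMP_WORDS[3]} protocols bgp peer-group</path>`; worth confirming against a live completion.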
@@ -0,0 +1,258 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="reset"> + <children> + <node name="bgp"> + <properties> + <help>Border Gateway Protocol (BGP) information</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group.xml.i> + <tagNode name="prefix"> + <properties> + <help>Clear bestpath and re-advertise</help> + <completionHelp> + <list><x.x.x.x/x></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </tagNode> + <node name="ipv4"> + <properties> + <help>IPv4 Address Family</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp ipv4 *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group.xml.i> + </children> + </node> + <tagNode name="ipv4"> + <properties> + <help>IPv4 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh --ipv4</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </tagNode> + <node name="ipv6"> + <properties> + <help>IPv6 Address Family</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp ipv6 *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group.xml.i> + </children> + </node> + <tagNode name="ipv6"> + <properties> + <help>IPv6 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh 
--ipv6</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </tagNode> + <node name="l2vpn"> + <properties> + <help>Layer 2 Virtual Private Network Address Family</help> + </properties> + <children> + <node name="evpn"> + <properties> + <help>Ethernet Virtual Private Network</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp l2vpn evpn *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group.xml.i> + </children> + </node> + <tagNode name="evpn"> + <properties> + <help>BGP IPv4/IPv6 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh --both</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </tagNode> + </children> + </node> + <tagNode name="vrf"> + <properties> + <help>Virtual Routing and Forwarding (VRF)</help> + <completionHelp> + <path>vrf name</path> + </completionHelp> + </properties> + <children> + <node name="node.tag"> + <properties> + <help>IPv4/IPv6 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh --both --vrf ${COMP_WORDS[3]}</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </node> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp vrf $4 *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group-vrf.xml.i> + <tagNode name="prefix"> + 
<properties> + <help>Clear bestpath and re-advertise</help> + <completionHelp> + <list><x.x.x.x/x></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </tagNode> + <node name="ipv4"> + <properties> + <help>IPv4 Address Family</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp vrf $4 ipv4 *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group-vrf.xml.i> + </children> + </node> + <tagNode name="ipv4"> + <properties> + <help>IPv4 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh --ipv4 --vrf ${COMP_WORDS[3]}</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </tagNode> + <node name="ipv6"> + <properties> + <help>IPv6 Address Family</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp vrf $4 ipv6 *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group-vrf.xml.i> + </children> + </node> + <tagNode name="ipv6"> + <properties> + <help>IPv6 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh --ipv6 --vrf ${COMP_WORDS[3]}</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </tagNode> + <node name="l2vpn"> + <properties> + <help>Layer 2 Virtual Private Network Address Family</help> + </properties> + <children> + <node name="evpn"> + <properties> + <help>Ethernet Virtual Private Network</help> + </properties> 
+ <children> + <leafNode name="all"> + <properties> + <help>Clear all peers</help> + </properties> + <command>vtysh -c "clear bgp vrf $4 l2vpn evpn *"</command> + </leafNode> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group-vrf.xml.i> + </children> + </node> + <tagNode name="evpn"> + <properties> + <help>BGP IPv4/IPv6 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh --both --vrf ${COMP_WORDS[3]}</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </tagNode> + </children> + </node> + </children> + </tagNode> + </children> + </node> + <tagNode name="bgp"> + <properties> + <help>BGP IPv4/IPv6 neighbor to clear</help> + <completionHelp> + <script>${vyos_completion_dir}/list_bgp_neighbors.sh --both</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + <children> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> + </children> + </tagNode> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/reset-ip-bgp.xml.in b/op-mode-definitions/reset-ip-bgp.xml.in index 931a2a9bc..34a4503d9 100644 --- a/op-mode-definitions/reset-ip-bgp.xml.in +++ b/op-mode-definitions/reset-ip-bgp.xml.in @@ -6,7 +6,7 @@ <children> <node name="bgp"> <properties> - <help>Clear Border Gateway Protocol (BGP) statistics or status</help> + <help>Border Gateway Protocol (BGP) information</help> </properties> <children> <leafNode name="all"> 
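Review bot: The help text on the `reset bgp` node, `Border Gateway Protocol (BGP) information`, reads like a `show` command, and the same wording replaces the old text in the first hunk of reset-ip-bgp.xml.in below. Since these nodes clear sessions, something like `<help>Reset Border Gateway Protocol (BGP) peering sessions</help>` tells the operator what the verb does before they press enter.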
@@ -41,159 +41,45 @@ </leafNode> </children> </tagNode> - <node name="external"> + #include <include/bgp/reset-bgp-afi-common.xml.i> + #include <include/bgp/reset-bgp-peer-group.xml.i> + <tagNode name="vrf"> <properties> - <help>Clear all external peers</help> + <help>Clear BGP statistics or status for vrf</help> <completionHelp> - <list>WORD</list> + <path>vrf name</path> </completionHelp> </properties> - <command>vtysh -c "clear bgp ipv4 external"</command> <children> - <node name="in"> + <leafNode name="all"> <properties> - <help>Send route-refresh unless using 'soft-reconfiguration inbound'</help> + <help>Clear all BGP peering sessions for vrf</help> </properties> - <command>vtysh -c "clear bgp ipv4 external in"</command> - <children> - <leafNode name="prefix-filter"> - <properties> - <help>Push out prefix-list ORF and do inbound soft reconfig</help> - </properties> - <command>vtysh -c "clear bgp ipv4 external in prefix-filter"</command> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 external out"</command> - </node> - <node name="soft"> - <properties> - <help>Soft reconfig inbound and outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 external soft"</command> - <children> - <node name="in"> - <properties> - <help>Clear via soft reconfig of inbound update</help> - </properties> - <command>vtysh -c "clear bgp ipv4 external soft in"</command> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 external soft out"</command> - </node> - </children> - </node> - </children> - </node> - <tagNode name="peer-group"> - <properties> - <help>Clear BGP statistics or status for given peer-group</help> - <completionHelp> - <list>WORD</list> - </completionHelp> - </properties> - <command>vtysh -c "clear bgp ipv4 peer-group $5"</command> - 
<children> - <node name="in"> - <properties> - <help>Send route-refresh unless using 'soft-reconfiguration inbound'</help> - </properties> - <command>vtysh -c "clear bgp ipv4 peer-group $5 in"</command> - <children> - <leafNode name="prefix-filter"> - <properties> - <help>Push out prefix-list ORF and do inbound soft reconfig</help> - </properties> - <command>vtysh -c "clear bgp ipv4 peer-group $5 in prefix-filter"</command> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 peer-group $5 out"</command> - </node> - <node name="soft"> + <command>vtysh -c "clear bgp vrf $5 *"</command> + </leafNode> + <leafNode name="node.tag"> <properties> - <help>Soft reconfig inbound and outbound updates</help> + <help>Clear BGP neighbor IP address</help> + <completionHelp> + <list><x.x.x.x></list> + </completionHelp> </properties> - <command>vtysh -c "clear bgp ipv4 peer-group $5 soft"</command> - <children> - <node name="in"> - <properties> - <help>Clear via soft reconfig of inbound update</help> - </properties> - <command>vtysh -c "clear bgp ipv4 peer-group $5 soft in"</command> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 peer-group $5 soft out"</command> - </node> - </children> - </node> + <command>vtysh -c "clear bgp vrf $5 $6"</command> + </leafNode> </children> </tagNode> </children> </node> <tagNode name="bgp"> <properties> - <help>Clear BGP neighbor IP address</help> + <help>BGP IPv4/IPv6 neighbor to clear</help> <completionHelp> <script>${vyos_completion_dir}/list_bgp_neighbors.sh --ipv4</script> </completionHelp> </properties> - <command>vtysh -c "clear bgp ipv4 $4"</command> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - <node name="in"> - <properties> - <help>Send route-refresh unless using 'soft-reconfiguration inbound'</help> - 
</properties> - <command>vtysh -c "clear bgp ipv4 $4 in"</command> - <children> - <leafNode name="prefix-filter"> - <properties> - <help>Push out prefix-list ORF and do inbound soft reconfig</help> - </properties> - <command>vtysh -c "clear bgp ipv4 $4 in prefix-filter"</command> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 $4 out"</command> - </node> - <node name="soft"> - <properties> - <help>Soft reconfig inbound and outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 $4 soft"</command> - <children> - <node name="in"> - <properties> - <help>Clear via soft reconfig of inbound update</help> - </properties> - <command>vtysh -c "clear bgp ipv4 $4 soft in"</command> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv4 $4 soft out"</command> - </node> - </children> - </node> + #include <include/bgp/reset-bgp-neighbor-options.xml.i> </children> </tagNode> </children> diff --git a/op-mode-definitions/reset-ipv6-bgp.xml.in b/op-mode-definitions/reset-ipv6-bgp.xml.in deleted file mode 100644 index 3c4275331..000000000 --- a/op-mode-definitions/reset-ipv6-bgp.xml.in +++ /dev/null 
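Review bot: The new `vrf` subtree in reset-ip-bgp.xml.in is wired differently from its counterpart in reset-bgp.xml.in: the neighbor entry is a `node.tag` leafNode with a static `<list><x.x.x.x></list>` completion and a raw `vtysh -c "clear bgp vrf $5 $6"`, while this same commit adds `--vrf` to list_bgp_neighbors.sh and routes every other neighbor node through vtysh_wrapper.sh with the shared neighbor-options include, so per-neighbor `in`/`out`/`soft` are unavailable here. Using `<script>${vyos_completion_dir}/list_bgp_neighbors.sh --ipv4 --vrf ${COMP_WORDS[4]}</script>` and `<command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>` would make the two trees consistent; the wrapper rewrites only the `^reset ip bgp` prefix, giving `clear ip bgp vrf NAME ADDR`, so that form should be checked against vtysh. The help `Clear BGP statistics or status for vrf` also keeps the wording the earlier hunk in this file retires. The enclosing `ip`/`bgp` nodes start before the hunk.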
@@ -1,62 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="reset"> - <children> - <node name="ipv6"> - <children> - <tagNode name="bgp"> - <properties> - <help>Clear BGP neighbor IP address</help> - <completionHelp> - <script>${vyos_completion_dir}/list_bgp_neighbors.sh --ipv6</script> - </completionHelp> - </properties> - <command>vtysh -c "clear bgp ipv6 $4"</command> - <children> - <node name="in"> - <properties> - <help>Send route-refresh unless using 'soft-reconfiguration inbound'</help> - </properties> - <command>vtysh -c "clear bgp ipv6 $4 in"</command> - <children> - <leafNode name="prefix-filter"> - <properties> - <help>Push out prefix-list ORF and do inbound soft reconfig</help> - </properties> - <command>vtysh -c "clear bgp ipv6 $4 in prefix-filter"</command> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv6 $4 out"</command> - </node> - <node name="soft"> - <properties> - <help>Soft reconfig inbound and outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv6 $4 soft"</command> - <children> - <node name="in"> - <properties> - <help>Clear via soft reconfig of inbound update</help> - </properties> - <command>vtysh -c "clear bgp ipv6 $4 soft in"</command> - </node> - <node name="out"> - <properties> - <help>Resend all outbound updates</help> - </properties> - <command>vtysh -c "clear bgp ipv6 $4 soft out"</command> - </node> - </children> - </node> - </children> - </tagNode> - </children> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 7d1278d0e..3e2de4c3f 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py 
@@ -152,7 +152,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): output.append(f'{ip_name} {prefix}addr {suffix}') if dict_search_args(side_conf, 'geoip', 'country_code'): - output.append(f'{ip_name} {prefix}addr @GEOIP_CC_{fw_name}_{rule_id}') + operator = '' + if dict_search_args(side_conf, 'geoip', 'inverse_match') != None: + operator = '!=' + output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC_{fw_name}_{rule_id}') if 'mac_address' in side_conf: suffix = side_conf["mac_address"] @@ -429,22 +432,13 @@ def geoip_update(firewall, force=False): # Map country codes to set names for codes, path in dict_search_recursive(firewall, 'country_code'): + set_name = f'GEOIP_CC_{path[1]}_{path[3]}' if path[0] == 'name': - set_name = f'GEOIP_CC_{path[1]}_{path[3]}' - ipv4_sets[set_name] = [] for code in codes: - if code not in ipv4_codes: - ipv4_codes[code] = [set_name] - else: - ipv4_codes[code].append(set_n) + ipv4_codes.setdefault(code, []).append(set_name) elif path[0] == 'ipv6_name': - set_name = f'GEOIP_CC_{path[1]}_{path[3]}' - ipv6_sets[set_name] = [] for code in codes: - if code not in ipv6_codes: - ipv6_codes[code] = [set_name] - else: - ipv6_codes[code].append(set_name) + ipv6_codes.setdefault(code, []).append(set_name) if not ipv4_codes and not ipv6_codes: if force: @@ -459,11 +453,11 @@ def geoip_update(firewall, force=False): if code in ipv4_codes and ipv4: ip_range = f'{start}-{end}' if start != end else start for setname in ipv4_codes[code]: - ipv4_sets[setname].append(ip_range) + ipv4_sets.setdefault(setname, []).append(ip_range) if code in ipv6_codes and not ipv4: ip_range = f'{start}-{end}' if start != end else start for setname in ipv6_codes[code]: - ipv6_sets[setname].append(ip_range) + ipv6_sets.setdefault(setname, []).append(ip_range) render(nftables_geoip_conf, 'firewall/nftables-geoip-update.j2', { 'ipv4_sets': ipv4_sets, 
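Review bot: `dict_search_args(side_conf, 'geoip', 'inverse_match') != None` compares against None with `!=`; the identity form `is not None` is the Python idiom and states the intent — presumably the valueless node arrives as an empty dict rather than None, which is why truthiness is not used, and that deserves a one-line comment. Separately, when `operator` is empty the f-string renders `ip saddr  @GEOIP_CC_...` with two spaces; nft tolerates it, but `operator = '!= '` paired with `{operator}@GEOIP_CC_` keeps the generated rule clean. parse_rule continues outside the hunk.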
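Review bot: Dropping `ipv4_sets[set_name] = []` / `ipv6_sets[set_name] = []` here, together with the `setdefault` change in the next hunk, means a set name is registered only once at least one address range matches one of its country codes; a rule referencing a code with no ranges in the database no longer gets an entry in ipv4_sets/ipv6_sets at all. Whether that leaves the referenced nft set undefined, or an existing set unflushed, depends on nftables-geoip-update.j2, which is not in this diff — worth confirming. Keeping the registration with the hoisted name, `ipv4_sets.setdefault(set_name, [])` in the `name` branch and the ipv6 equivalent, preserves the old behaviour while still fixing the `set_n` typo. geoip_update continues outside the hunk.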
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index ce06b9074..4de90e1ec 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -69,8 +69,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip filter', inverse=True) - def verify_nftables(self, nftables_search, table, inverse=False): - nftables_output = cmd(f'sudo nft list table {table}') + def verify_nftables(self, nftables_search, table, inverse=False, args=''): + nftables_output = cmd(f'sudo nft {args} list table {table}') for search in nftables_search: matched = False @@ -80,6 +80,24 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): break self.assertTrue(not matched if inverse else matched, msg=search) + def test_geoip(self): + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr']) + self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match']) + + self.cli_commit() + + nftables_search = [ + ['ip saddr @GEOIP_CC_smoketest_1', 'drop'], + ['ip saddr != @GEOIP_CC_smoketest_2', 'return'] + ] + # -t prevents 1000+ GeoIP elements being returned + self.verify_nftables(nftables_search, 'ip filter', args='-t') + def test_groups(self): hostmap_path = ['system', 'static-host-mapping', 'host-name'] example_org = ['192.0.2.8', '192.0.2.10', '192.0.2.11'] 
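Review bot: test_geoip only exercises `firewall name` (IPv4) rules, so the `ipv6_name` branch of geoip_update and the `ip6 saddr != @GEOIP_CC_...` rendering that inverse-match adds there are not covered. Adding an IPv6 rule with `inverse-match` and checking the `ip6 filter` table with the same `-t` argument would cover both paths. The test also appears to depend on a GeoIP database being present on the test host; a comment such as `# assumes the GeoIP database is installed on the test image` would save the next reader a failed run.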
diff --git a/smoketest/scripts/cli/test_system_ntp.py b/smoketest/scripts/cli/test_system_ntp.py index e2821687c..a0806acf0 100755 --- a/smoketest/scripts/cli/test_system_ntp.py +++ b/smoketest/scripts/cli/test_system_ntp.py @@ -108,5 +108,22 @@ class TestSystemNTP(VyOSUnitTestSHIM.TestCase): for listen in listen_address: self.assertIn(f'interface listen {listen}', config) + def test_03_ntp_interface(self): + interfaces = ['eth0', 'eth1'] + for interface in interfaces: + self.cli_set(base_path + ['interface', interface]) + + servers = ['time1.vyos.net', 'time2.vyos.net'] + for server in servers: + self.cli_set(base_path + ['server', server]) + + self.cli_commit() + + # Check generated client address configuration + config = read_file(NTP_CONF) + self.assertIn('interface ignore wildcard', config) + for interface in interfaces: + self.assertIn(f'interface listen {interface}', config) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/completion/list_bgp_neighbors.sh b/src/completion/list_bgp_neighbors.sh index f74f102ef..869a7ab0a 100755 --- a/src/completion/list_bgp_neighbors.sh +++ b/src/completion/list_bgp_neighbors.sh @@ -1,5 +1,5 @@ #!/bin/sh -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -18,19 +18,21 @@ ipv4=0 ipv6=0 +vrf="" while [[ "$#" -gt 0 ]]; do case $1 in -4|--ipv4) ipv4=1 ;; -6|--ipv6) ipv6=1 ;; -b|--both) ipv4=1; ipv6=1 ;; + --vrf) vrf="vrf name $2"; shift ;; *) echo "Unknown parameter passed: $1" ;; esac shift done declare -a vals -eval "vals=($(cli-shell-api listActiveNodes protocols bgp neighbor))" +eval "vals=($(cli-shell-api listActiveNodes $vrf protocols bgp neighbor))" if [ $ipv4 -eq 1 ] && [ $ipv6 -eq 1 ]; then echo -n '<x.x.x.x>' '<h:h:h:h:h:h:h:h>' ${vals[@]} 
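Review bot: test_03_ntp_interface covers only the positive path; the new VRF membership check in ntp.py's verify() (an interface not enslaved to the configured `vrf` must fail commit) has no smoke test. A companion case that sets `vrf` plus an interface outside it and asserts that `cli_commit()` raises `ConfigSessionError`, as other smoketests in this tree do, would pin that behaviour.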
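Review bot: `--vrf) vrf="vrf name $2"; shift ;;` does not check that a value follows `--vrf`: when it is the last word, `$2` is empty, `vrf` becomes `vrf name ` and the loop's trailing `shift` runs with no positional parameters left, so `cli-shell-api listActiveNodes vrf name protocols bgp neighbor` is queried for a path that does not exist. A guard such as `--vrf) [ -n "$2" ] && { vrf="vrf name $2"; shift; } ;;` keeps the script silent on a bad invocation. The unquoted `$vrf` in the eval line is intentional word splitting and is worth a comment saying so.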
@@ -54,9 +56,10 @@ elif [ $ipv6 -eq 1 ] ; then done else echo "Usage:" - echo "-4|--ipv4 list only IPv4 peers" - echo "-6|--ipv6 list only IPv6 peers" - echo "--both list both IP4 and IPv6 peers" + echo "-4|--ipv4 list only IPv4 peers" + echo "-6|--ipv6 list only IPv6 peers" + echo "--both list both IP4 and IPv6 peers" + echo "--vrf <name> apply command to given VRF (optional)" echo "" exit 1 fi diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 0d6ec9ace..5490a794d 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2021 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -18,9 +18,11 @@ import os from vyos.config import Config from vyos.configverify import verify_vrf -from vyos import ConfigError +from vyos.configverify import verify_interface_exists from vyos.util import call +from vyos.util import get_interface_config from vyos.template import render +from vyos import ConfigError from vyos import airbag airbag.enable() @@ -49,6 +51,20 @@ def verify(ntp): raise ConfigError('NTP server not configured') verify_vrf(ntp) + + if 'interface' in ntp: + # If ntpd should listen on a given interface, ensure it exists + for interface in ntp['interface']: + verify_interface_exists(interface) + + # If we run in a VRF, our interface must belong to this VRF, too + if 'vrf' in ntp: + tmp = get_interface_config(interface) + vrf_name = ntp['vrf'] + if 'master' not in tmp or tmp['master'] != vrf_name: + raise ConfigError(f'NTP runs in VRF "{vrf_name}" - "{interface}" '\ + f'does not belong to this VRF!') + return None def generate(ntp): diff --git a/src/op_mode/vtysh_wrapper.sh b/src/op_mode/vtysh_wrapper.sh index 09980e14f..25d09ce77 100755 --- a/src/op_mode/vtysh_wrapper.sh 
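Review bot: The VRF check added to verify() is one-directional: it rejects an interface outside the NTP VRF when `vrf` is set, but when `vrf` is unset an interface that is itself enslaved to a VRF is accepted, and ntpd in the default VRF presumably cannot use it. The symmetric branch would be an `elif 'master' in tmp:` raising `ConfigError(f'"{interface}" belongs to "{tmp["master"]}" but NTP does not run in a VRF!')`, with `get_interface_config(interface)` hoisted out of the `if 'vrf' in ntp:` guard — hedged because `master` may also name a bridge or bond, so the wording may need to cover that. The `'\` continuation inside the parenthesised f-string is unnecessary; two adjacent literals on separate lines join without it. verify() continues outside the hunk.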
+++ b/src/op_mode/vtysh_wrapper.sh @@ -1,5 +1,6 @@ #!/bin/sh declare -a tmp -# FRR uses ospf6 where we use ospfv3, thus alter the command -tmp=$(echo $@ | sed -e "s/ospfv3/ospf6/") +# FRR uses ospf6 where we use ospfv3, and we use reset over clear for BGP, +# thus alter the commands +tmp=$(echo $@ | sed -e "s/ospfv3/ospf6/" | sed -e "s/^reset bgp/clear bgp/" | sed -e "s/^reset ip bgp/clear ip bgp/") vtysh -c "$tmp" diff --git a/src/systemd/dhclient@.service b/src/systemd/dhclient@.service index 5cc7869cb..23cd4cfc3 100644 --- a/src/systemd/dhclient@.service +++ b/src/systemd/dhclient@.service @@ -14,7 +14,7 @@ ExecStart=/sbin/dhclient -4 $DHCLIENT_OPTS ExecStop=/sbin/dhclient -4 $DHCLIENT_OPTS -r Restart=always TimeoutStopSec=20 -SendSIGKILL=SIGKILL +SendSIGKILL=true FinalKillSignal=SIGABRT [Install] |
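Review bot: `tmp=$(echo $@ | sed ...)` leaves `$@` unquoted, so the shell re-splits and glob-expands the op-mode words before they reach sed and vtysh; an argument containing shell metacharacters could be altered silently. Quoting it, `tmp=$(echo "$@" | sed -e "s/ospfv3/ospf6/" -e "s/^reset bgp/clear bgp/" -e "s/^reset ip bgp/clear ip bgp/")`, keeps the words as typed and folds the three sed invocations into one. `declare -a tmp` is a bash builtin under a `#!/bin/sh` shebang and the variable is then assigned as a scalar; presumably the script runs under bash, but the `declare` line adds nothing either way.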
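Review bot: `SendSIGKILL=true` corrects the boolean, but it now activates the `FinalKillSignal=SIGABRT` two lines below, which replaces SIGKILL as the last-resort signal after the stop timeout; unlike SIGKILL, SIGABRT can be caught or blocked, so a wedged dhclient could outlive `TimeoutStopSec=20`. If the intent is a core dump on a stuck stop, a comment stating that, e.g. `# SIGABRT instead of SIGKILL so a hung dhclient leaves a core dump`, would record it; otherwise dropping FinalKillSignal restores the default SIGKILL.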