diff options
345 files changed, 5408 insertions, 3548 deletions
diff --git a/.gitignore b/.gitignore index e766a2c27..7707e94ca 100644 --- a/.gitignore +++ b/.gitignore @@ -144,3 +144,4 @@ debian/*.substvars data/component-versions.json # vyos-1x XML cache python/vyos/xml_ref/cache.py +python/vyos/xml_ref/pkg_cache/*_cache.py diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3ff00df88..48cdbd5a7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -21,7 +21,7 @@ file(s) history by invoking git log path/to/file.txt. In a big system, such as VyOS, that is comprised of multiple components, it’s impossible to keep track of all the changes and bugs/feature requests in one’s -head. We use a bugtracker known as Phabricator for it (“issue tracker” would +head. We use a bugtracker named Phorge (formerly known Phabricator) for it (“issue tracker” would be a better term, but this one stuck). The information is used in three ways: @@ -35,14 +35,14 @@ The information is used in three ways: To make this approach work, every change must be associated with a task number (prefixed with **T**) and a component. If there is no bug report/feature -request for the changes you are going to make, you have to create a Phabricator -task first. Once there is an entry in Phabricator, you should reference its id +request for the changes you are going to make, you have to create a development portal +task first. Once there is an entry in the development portal, you should reference its id in your commit message, as shown below: * `ddclient: T1030: auto create runtime directories` * `Jenkins: add current Git commit ID to build description` -If there is no [Phabricator](https://vyos.dev) reference in the +If there is no [development portal](https://vyos.dev) reference in the commits of your pull request, we have to ask you to amend the commit message. Otherwise we will have to reject it. @@ -57,7 +57,7 @@ development environments. * A single, short, summary of the commit (recommended 50 characters or less, not exceeding 80 characters) containing a prefix of the changed component - and the corresponding Phabricator reference e.g. `snmp: T1111:` or + and the corresponding development portal reference e.g. `snmp: T1111:` or `ethernet: T2222:` - multiple components could be concatenated as in `snmp: ethernet: T3333` * In some contexts, the first line is treated as the subject of an email and @@ -126,7 +126,7 @@ also contain information that is helpful for the development team. ### Reporting In order to open up a bug-report/feature request you need to create yourself -an account on [Phabricator](https://vyos.dev). On the left +an account in the [development portal](https://vyos.dev). On the left side of the specific project (VyOS 1.2 or VyOS 1.3) you will find quick-links for opening a bug-report/feature request. @@ -141,7 +141,7 @@ for opening a bug-report/feature request. You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would benefit from? To send a feature request -please search [Phabricator](https://vyos.dev) if there is already a +please search the [development portal](https://vyos.dev) if there is already a request pending. You can enhance it or if you don't find one, create a new one by use the quick link in the left side under the specific project. @@ -26,7 +26,7 @@ interface_definitions: $(config_xml_obj) $(CURDIR)/scripts/override-default $(BUILD_DIR)/interface-definitions - $(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions + $(CURDIR)/python/vyos/xml_ref/generate_cache.py --xml-dir $(BUILD_DIR)/interface-definitions || exit 1 find $(BUILD_DIR)/interface-definitions -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1 @@ -1,8 +1,5 @@ # vyos-1x: VyOS command definitions, configuration scripts, and data -[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=vyos_vyos-1x&metric=coverage)](https://sonarcloud.io/component_measures?id=vyos_vyos-1x&metric=coverage) -[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvyos%2Fvyos-1x.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvyos%2Fvyos-1x?ref=badge_shield) - VyOS 1.1.x had its codebase split into way too many submodules for no good reason, which made it hard to navigate or write meaningful changelogs. As the code undergoes rewrite in the new style in VyOS 1.2.0+, we consolidate the @@ -56,7 +53,7 @@ The guidelines in a nutshell: for the common structure * Use the `get_config_dict()` API as much as possible when retrieving values from the CLI * Use a template processor when the format is more complex than just one line - (Jinja2 and pystache are acceptable options) + (our standard is Jinja2) ## Tests @@ -74,5 +71,3 @@ Runtime tests are executed by the CI system on a running VyOS instance inside QEMU. The testcases can be found inside the smoketest subdirectory which will be placed into the vyos-1x-smoketest package. -## License -[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fvyos%2Fvyos-1x.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fvyos%2Fvyos-1x?ref=badge_large) diff --git a/data/templates/dhcp-client/daemon-options.j2 b/data/templates/dhcp-client/daemon-options.j2 deleted file mode 100644 index b21ad08ab..000000000 --- a/data/templates/dhcp-client/daemon-options.j2 +++ /dev/null @@ -1,4 +0,0 @@ -### Autogenerated by interface.py ### -{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %} -DHCLIENT_OPTS="-nw -cf /var/lib/dhcp/dhclient_{{ ifname }}.conf -pf /var/lib/dhcp/dhclient_{{ ifname }}.pid -lf /var/lib/dhcp/dhclient_{{ ifname }}.leases {{ if_metric }} {{ ifname }}" - diff --git a/data/templates/dhcp-client/ipv6.override.conf.j2 b/data/templates/dhcp-client/ipv6.override.conf.j2 new file mode 100644 index 000000000..b0c0e0544 --- /dev/null +++ b/data/templates/dhcp-client/ipv6.override.conf.j2 @@ -0,0 +1,12 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %} +{% set dhcp6c_options = '-D -k ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.sock -c ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.conf -p ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.pid ' ~ no_release %} + +[Unit] +ConditionPathExists={{ dhcp6_client_dir }}/dhcp6c.%i.conf + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/dhcp6c {{ dhcp6c_options }} {{ ifname }} +WorkingDirectory={{ dhcp6_client_dir }} +PIDFile={{ dhcp6_client_dir }}/dhcp6c.%i.pid diff --git a/data/templates/dhcp-client/override.conf.j2 b/data/templates/dhcp-client/override.conf.j2 new file mode 100644 index 000000000..03fd71bf1 --- /dev/null +++ b/data/templates/dhcp-client/override.conf.j2 @@ -0,0 +1,15 @@ +### Autogenerated by interface.py ### +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %} +{% set dhclient_options = '-d -nw -cf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.conf -pf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.pid -lf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.leases ' ~ if_metric %} + +[Unit] +ConditionPathExists={{ isc_dhclient_dir }}/dhclient_%i.conf + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/sbin/dhclient -4 {{ dhclient_options }} {{ ifname }} +ExecStop= +ExecStop=/sbin/dhclient -4 -r {{ dhclient_options }} {{ ifname }} +WorkingDirectory={{ isc_dhclient_dir }} +PIDFile={{ isc_dhclient_dir }}/dhclient_%i.pid diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2 index 4da7153c7..3446a9d1b 100644 --- a/data/templates/dns-dynamic/ddclient.conf.j2 +++ b/data/templates/dns-dynamic/ddclient.conf.j2 @@ -23,7 +23,7 @@ if{{ ipv }}={{ address }}, \ {{ host }} {% endmacro %} ### Autogenerated by dns_dynamic.py ### -daemon=1m +daemon={{ timeout }} syslog=yes ssl=yes pid={{ config_file | replace('.conf', '.pid') }} diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 index 1c9bda64f..699349e2b 100644 --- a/data/templates/firewall/nftables-policy.j2 +++ b/data/templates/firewall/nftables-policy.j2 @@ -25,7 +25,7 @@ table ip vyos_mangle { chain VYOS_PBR_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }} + {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }} {% endfor %} {% endif %} } @@ -54,7 +54,7 @@ table ip6 vyos_mangle { chain VYOS_PBR6_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }} + {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }} {% endfor %} {% endif %} } diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 2c7115134..10cbc68cb 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -1,78 +1,101 @@ #!/usr/sbin/nft -f {% import 'firewall/nftables-defines.j2' as group_tmpl %} -{% import 'firewall/nftables-zone.j2' as zone_tmpl %} {% if first_install is not vyos_defined %} delete table ip vyos_filter {% endif %} table ip vyos_filter { - chain VYOS_FW_FORWARD { - type filter hook forward priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.in is vyos_defined and ifconf.in.name is vyos_defined %} - iifname {{ ifname }} counter jump NAME_{{ ifconf.in.name }} -{% endif %} -{% if ifconf.out is vyos_defined and ifconf.out.name is vyos_defined %} - oifname {{ ifname }} counter jump NAME_{{ ifconf.out.name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW - } - chain VYOS_FW_LOCAL { - type filter hook input priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.local is vyos_defined and ifconf.local.name is vyos_defined %} - iifname {{ ifname }} counter jump NAME_{{ ifconf.local.name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW +{% if ipv4 is vyos_defined %} +{% set ns = namespace(sets=[]) %} +{% if ipv4.forward is vyos_defined %} +{% for prior, conf in ipv4.forward.items() %} +{% set def_action = conf.default_action %} + chain VYOS_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_FW_OUTPUT { - type filter hook output priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY -{% endif %} - jump VYOS_POST_FW +{% endfor %} +{% endif %} + +{% if ipv4.input is vyos_defined %} +{% for prior, conf in ipv4.input.items() %} +{% set def_action = conf.default_action %} + chain VYOS_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP',prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_POST_FW { - return +{% endfor %} +{% endif %} + +{% if ipv4.output is vyos_defined %} +{% for prior, conf in ipv4.output.items() %} +{% set def_action = conf.default_action %} + chain VYOS_OUTPUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } +{% endfor %} +{% endif %} chain VYOS_FRAG_MARK { type filter hook prerouting priority -450; policy accept; ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return } -{% if name is vyos_defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in name.items() %} +{% if ipv4.prerouting is vyos_defined %} +{% for prior, conf in ipv4.prerouting.items() %} +{% set def_action = conf.default_action %} + chain VYOS_PREROUTING_{{ prior }} { + type filter hook prerouting priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('PRE', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule(prior) }} + } +{% endfor %} +{% endif %} + +{% if ipv4.name is vyos_defined %} +{% for name_text, conf in ipv4.name.items() %} chain NAME_{{ name_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(name_text, rule_id) }} -{% if rule_conf.recent is vyos_defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} -{% endif %} -{% endfor %} -{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(name_text) }} } -{% endfor %} -{% for set_name in ip_fqdn %} - set FQDN_{{ set_name }} { - type ipv4_addr - flags interval - } -{% endfor %} +{% endfor %} +{% endif %} + {% for set_name in ns.sets %} set RECENT_{{ set_name }} { type ipv4_addr @@ -80,6 +103,12 @@ table ip vyos_filter { flags dynamic } {% endfor %} +{% for set_name in ip_fqdn %} + set FQDN_{{ set_name }} { + type ipv4_addr + flags interval + } +{% endfor %} {% if geoip_updated.name is vyos_defined %} {% for setname in geoip_updated.name %} set {{ setname }} { @@ -89,99 +118,87 @@ table ip vyos_filter { {% endfor %} {% endif %} {% endif %} - {{ group_tmpl.groups(group, False) }} - -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }} -{% endif %} - -{% if state_policy is vyos_defined %} - chain VYOS_STATE_POLICY { -{% if state_policy.established is vyos_defined %} - {{ state_policy.established | nft_state_policy('established') }} -{% endif %} -{% if state_policy.invalid is vyos_defined %} - {{ state_policy.invalid | nft_state_policy('invalid') }} -{% endif %} -{% if state_policy.related is vyos_defined %} - {{ state_policy.related | nft_state_policy('related') }} -{% endif %} - return - } -{% endif %} } {% if first_install is not vyos_defined %} delete table ip6 vyos_filter {% endif %} table ip6 vyos_filter { - chain VYOS_FW6_FORWARD { - type filter hook forward priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY6 -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.in is vyos_defined and ifconf.in.ipv6_name is vyos_defined %} - iifname {{ ifname }} counter jump NAME6_{{ ifconf.in.ipv6_name }} -{% endif %} -{% if ifconf.out is vyos_defined and ifconf.out.ipv6_name is vyos_defined %} - oifname {{ ifname }} counter jump NAME6_{{ ifconf.out.ipv6_name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW6 - } - chain VYOS_FW6_LOCAL { - type filter hook input priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY6 -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.local is vyos_defined and ifconf.local.ipv6_name is vyos_defined %} - iifname {{ ifname }} counter jump NAME6_{{ ifconf.local.ipv6_name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW6 +{% if ipv6 is vyos_defined %} +{% set ns = namespace(sets=[]) %} +{% if ipv6.forward is vyos_defined %} +{% for prior, conf in ipv6.forward.items() %} +{% set def_action = conf.default_action %} + chain VYOS_IPV6_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_FW6_OUTPUT { - type filter hook output priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY6 -{% endif %} - jump VYOS_POST_FW6 +{% endfor %} +{% endif %} + +{% if ipv6.input is vyos_defined %} +{% for prior, conf in ipv6.input.items() %} +{% set def_action = conf.default_action %} + chain VYOS_IPV6_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_POST_FW6 { - return +{% endfor %} +{% endif %} + +{% if ipv6.output is vyos_defined %} +{% for prior, conf in ipv6.output.items() %} +{% set def_action = conf.default_action %} + chain VYOS_IPV6_OUTPUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } +{% endfor %} +{% endif %} + chain VYOS_FRAG6_MARK { type filter hook prerouting priority -450; policy accept; exthdr frag exists meta mark set 0xffff1 return } -{% if ipv6_name is vyos_defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in ipv6_name.items() %} + +{% if ipv6.name is vyos_defined %} +{% for name_text, conf in ipv6.name.items() %} chain NAME6_{{ name_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} -{% if rule_conf.recent is vyos_defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} -{% endif %} -{% endfor %} -{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(name_text, ipv6=True) }} } -{% endfor %} -{% for set_name in ip6_fqdn %} - set FQDN_{{ set_name }} { - type ipv6_addr - flags interval - } -{% endfor %} +{% endfor %} +{% endif %} + {% for set_name in ns.sets %} set RECENT6_{{ set_name }} { type ipv6_addr @@ -189,6 +206,12 @@ table ip6 vyos_filter { flags dynamic } {% endfor %} +{% for set_name in ip6_fqdn %} + set FQDN_{{ set_name }} { + type ipv6_addr + flags interval + } +{% endfor %} {% if geoip_updated.ipv6_name is vyos_defined %} {% for setname in geoip_updated.ipv6_name %} set {{ setname }} { @@ -198,25 +221,5 @@ table ip6 vyos_filter { {% endfor %} {% endif %} {% endif %} - {{ group_tmpl.groups(group, True) }} - -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }} -{% endif %} - -{% if state_policy is vyos_defined %} - chain VYOS_STATE_POLICY6 { -{% if state_policy.established is vyos_defined %} - {{ state_policy.established | nft_state_policy('established') }} -{% endif %} -{% if state_policy.invalid is vyos_defined %} - {{ state_policy.invalid | nft_state_policy('invalid') }} -{% endif %} -{% if state_policy.related is vyos_defined %} - {{ state_policy.related | nft_state_policy('related') }} -{% endif %} - return - } -{% endif %} -} +}
\ No newline at end of file diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index ddfba2306..4535758da 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -481,7 +481,7 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} bgp bestpath compare-routerid {% endif %} {% if parameters.bestpath.med is vyos_defined %} - bgp bestpath med {{ 'confed' if parameters.bestpath.med.confed is vyos_defined }} {{ 'missing-as-worst' if parameters.bestpath.med.missing_as_worst is vyos_defined }} + bgp bestpath med {{ parameters.bestpath.med | join(' ') | replace('_', '-') }} {% endif %} {% if parameters.bestpath.peer_type is vyos_defined %} bgp bestpath peer-type {{ 'multipath-relax' if parameters.bestpath.peer_type.multipath_relax is vyos_defined }} diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl index fdff9772a..3aad8e8dd 100644 --- a/data/templates/frr/daemons.frr.tmpl +++ b/data/templates/frr/daemons.frr.tmpl @@ -41,6 +41,7 @@ pimd_options=" --daemon -A 127.0.0.1" ldpd_options=" --daemon -A 127.0.0.1 {%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%} " +mgmtd_options=" --daemon -A 127.0.0.1" nhrpd_options=" --daemon -A 127.0.0.1" eigrpd_options=" --daemon -A 127.0.0.1" babeld_options=" --daemon -A 127.0.0.1" diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index d144529f3..a9bd45370 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -200,6 +200,14 @@ tls-client {% elif tls.role is vyos_defined('passive') %} tls-server {% endif %} + +{% if peer_fingerprint is vyos_defined %} +<peer-fingerprint> +{% for fp in peer_fingerprint %} +{{ fp }} +{% endfor %} +</peer-fingerprint> +{% endif %} {% endif %} # Encryption options diff --git a/data/templates/zabbix-agent/10-override.conf.j2 b/data/templates/zabbix-agent/10-override.conf.j2 new file mode 100644 index 000000000..7c296e8fd --- /dev/null +++ b/data/templates/zabbix-agent/10-override.conf.j2 @@ -0,0 +1,14 @@ +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/zabbix/zabbix-agent2.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground +WorkingDirectory= +WorkingDirectory=/run/zabbix +Restart=always +RestartSec=10 diff --git a/data/templates/zabbix-agent/zabbix-agent.conf.j2 b/data/templates/zabbix-agent/zabbix-agent.conf.j2 new file mode 100644 index 000000000..77f57f32f --- /dev/null +++ b/data/templates/zabbix-agent/zabbix-agent.conf.j2 @@ -0,0 +1,73 @@ +# Generated by ${vyos_conf_scripts_dir}/service_zabbix_agent.py + +PidFile=/run/zabbix/zabbix_agent2.pid +LogFile=/var/log/zabbix/zabbix_agent2.log +ControlSocket=/run/zabbix/agent.sock + +{% if log is vyos_defined %} +{% if log.size is vyos_defined %} +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Range: 0-1024 +LogFileSize={{ log.size }} +{% endif %} +{% if log.remote_commands is vyos_defined %} +LogRemoteCommands=1 +{% endif %} +{% if log.debug_level is vyos_defined %} +{% set mapping = { + 'basic': 0, + 'critical': 1, + 'error': 2, + 'warning': 3, + 'debug': 4, + 'extended-debug': 5 + } %} +DebugLevel={{ mapping[log.debug_level] }} +{% endif %} +{% endif %} + +{% if server is vyos_defined %} +Server={{ server | bracketize_ipv6 | join(',') }} +{% endif %} +{% if server_active is vyos_defined %} +{% set servers = [] %} +{% for key, value in server_active.items() %} +{% if value.port %} +{% set serv_item = key | bracketize_ipv6 + ':' + value.port %} +{% set _ = servers.append(serv_item) %} +{% else %} +{% set _ = servers.append(key | bracketize_ipv6) %} +{% endif %} +{% endfor %} +ServerActive={{ servers | join(',') }} +{% endif %} + +{% if port is vyos_defined %} +ListenPort={{ port }} +{% endif %} +{% if listen_address is vyos_defined %} +ListenIP={{ listen_address | join(',') }} +{% endif %} + +{% if limits is vyos_defined %} +{% if limits.buffer_flush_interval is vyos_defined %} +BufferSend={{ limits.buffer_flush_interval }} +{% endif %} +{% if limits.buffer_size is vyos_defined %} +BufferSize={{ limits.buffer_size }} +{% endif %} +{% endif %} + +{% if directory is vyos_defined %} +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +Include={{ directory }}/*.conf +{% endif %} + +{% if timeout is vyos_defined %} +Timeout={{ timeout }} +{% endif %} + diff --git a/debian/control b/debian/control index 8e9aaa702..ee45a5fe3 100644 --- a/debian/control +++ b/debian/control @@ -91,7 +91,7 @@ Depends: libqmi-utils, libstrongswan-extra-plugins (>=5.9), libstrongswan-standard-plugins (>=5.9), - libvppinfra, + libvppinfra [amd64], libvyosconfig0, linux-cpupower, lldpd, @@ -145,7 +145,7 @@ Depends: python3-tabulate, python3-vici (>= 5.7.2), python3-voluptuous, - python3-vpp-api, + python3-vpp-api [amd64], python3-xmltodict, python3-zmq, qrencode, @@ -180,9 +180,9 @@ Depends: uidmap, usb-modeswitch, usbutils, - vpp, - vpp-plugin-core, - vpp-plugin-dpdk, + vpp [amd64], + vpp-plugin-core [amd64], + vpp-plugin-dpdk [amd64], vyatta-bash, vyatta-cfg, vyos-http-api-tools, @@ -191,6 +191,7 @@ Depends: wireguard-tools, wireless-regdb, wpasupplicant (>= 0.6.7), + zabbix-agent2, ndppd, miniupnpd-nftables Description: VyOS configuration scripts and data diff --git a/debian/rules b/debian/rules index 9ada2bf87..e6bbeeafb 100755 --- a/debian/rules +++ b/debian/rules @@ -32,9 +32,6 @@ override_dh_auto_build: override_dh_auto_install: dh_auto_install - # convert the XML to dictionaries - env PYTHONPATH=python python3 python/vyos/xml/generate.py - cd python; python3 setup.py install --install-layout=deb --root ../$(DIR); cd .. # Install scripts diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 93e7ced9b..f3dc00b46 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -120,9 +120,24 @@ if ! grep -q '^dhcpd' /etc/passwd; then adduser --quiet dhcpd hostsd fi -# ensure hte proxy user has a proper shell +# ensure the proxy user has a proper shell chsh -s /bin/sh proxy +# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script +PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script +if [ ! -x $PRECONFIG_SCRIPT ]; then + mkdir -p $(dirname $PRECONFIG_SCRIPT) + touch $PRECONFIG_SCRIPT + chmod 755 $PRECONFIG_SCRIPT + cat <<EOF >>$PRECONFIG_SCRIPT +#!/bin/sh +# This script is executed at boot time before VyOS configuration is applied. +# Any modifications required to work around unfixed bugs or use +# services not available through the VyOS CLI system can be placed here. + +EOF +fi + # create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script if [ ! -x $POSTCONFIG_SCRIPT ]; then @@ -180,6 +195,9 @@ systemctl enable vyos-config-cloud-init.service # Generate API GraphQL schema /usr/libexec/vyos/services/api/graphql/generate/generate_schema.py +# Update XML cache +python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py + # T1797: disable VPP support for rolling release, should be used by developers # only (in the initial phase). If you wan't to enable VPP use the below command # on your VyOS installation: diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index d36b34941..6d2eb18d0 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -3,7 +3,7 @@ <node name="container" owner="${vyos_conf_scripts_dir}/container.py"> <properties> <help>Container applications</help> - <priority>1280</priority> + <priority>450</priority> </properties> <children> <tagNode name="name"> diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in index 1830cc1ad..583de7ba9 100644 --- a/interface-definitions/dhcp-server.xml.in +++ b/interface-definitions/dhcp-server.xml.in @@ -129,7 +129,7 @@ <properties> <help>Bootstrap file name</help> <constraint> - <regex>[-_a-zA-Z0-9./]+</regex> + <regex>[[:ascii:]]{1,253}</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in index c7b45b8f7..a0720f3aa 100644 --- a/interface-definitions/dns-dynamic.xml.in +++ b/interface-definitions/dns-dynamic.xml.in @@ -150,6 +150,20 @@ </tagNode> </children> </tagNode> + <leafNode name="timeout"> + <properties> + <help>Time in seconds to wait between DNS updates</help> + <valueHelp> + <format>u32:60-3600</format> + <description>Time in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 60-3600"/> + </constraint> + <constraintErrorMessage>Timeout must be between 60 and 3600 seconds</constraintErrorMessage> + </properties> + <defaultValue>300</defaultValue> + </leafNode> </children> </node> </children> diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 1cdc7b819..127f4b7e7 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -6,66 +6,7 @@ <help>Firewall</help> </properties> <children> - <leafNode name="all-ping"> - <properties> - <help>Policy for handling of all IPv4 ICMP echo requests</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of all IPv4 ICMP echo requests</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of all IPv4 ICMP echo requests</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <leafNode name="broadcast-ping"> - <properties> - <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="config-trap"> - <properties> - <help>SNMP trap generation on firewall configuration changes</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable sending SNMP trap on firewall configuration change</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable sending SNMP trap on firewall configuration change</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> + #include <include/firewall/global-options.xml.i> <node name="group"> <properties> <help>Firewall group</help> @@ -343,645 +284,28 @@ </tagNode> </children> </node> - <tagNode name="interface"> + <node name="ipv4"> <properties> - <help>Interface name to apply firewall configuration</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces</script> - </completionHelp> - <constraint> - #include <include/constraint/interface-name-with-wildcard.xml.i> - </constraint> + <help>IPv4 firewall</help> </properties> <children> - <node name="in"> - <properties> - <help>Forwarded packets on inbound interface</help> - </properties> - <children> - #include <include/firewall/name.xml.i> - </children> - </node> - <node name="out"> - <properties> - <help>Forwarded packets on outbound interface</help> - </properties> - <children> - #include <include/firewall/name.xml.i> - </children> - </node> - <node name="local"> - <properties> - <help>Packets destined for this router</help> - </properties> - <children> - #include <include/firewall/name.xml.i> - </children> - </node> - </children> - </tagNode> - <leafNode name="ip-src-route"> - <properties> - <help>Policy for handling IPv4 packets with source route option</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of IPv4 packets with source route option</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of IPv4 packets with source route option</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <tagNode name="ipv6-name"> - <properties> - <help>IPv6 firewall rule-set name</help> - <constraint> - <regex>[a-zA-Z0-9][\w\-\.]*</regex> - </constraint> - </properties> - <children> - #include <include/firewall/default-action.xml.i> - #include <include/firewall/enable-default-log.xml.i> - #include <include/generic-description.xml.i> - <leafNode name="default-jump-target"> - <properties> - <help>Set jump target. Action jump must be defined in default-action to use this setting</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <tagNode name="rule"> - <properties> - <help>Firewall rule number (IPv6)</help> - <valueHelp> - <format>u32:1-999999</format> - <description>Number for this Firewall rule</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-999999"/> - </constraint> - <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> - </properties> - <children> - #include <include/firewall/action.xml.i> - #include <include/generic-description.xml.i> - <node name="destination"> - <properties> - <help>Destination parameters</help> - </properties> - <children> - #include <include/firewall/address-ipv6.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group-ipv6.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask-ipv6.xml.i> - </children> - </node> - <node name="source"> - <properties> - <help>Source parameters</help> - </properties> - <children> - #include <include/firewall/address-ipv6.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group-ipv6.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask-ipv6.xml.i> - </children> - </node> - #include <include/firewall/common-rule.xml.i> - #include <include/firewall/dscp.xml.i> - #include <include/firewall/packet-options.xml.i> - #include <include/firewall/hop-limit.xml.i> - #include <include/firewall/connection-mark.xml.i> - <node name="icmpv6"> - <properties> - <help>ICMPv6 type and code information</help> - </properties> - <children> - <leafNode name="code"> - <properties> - <help>ICMPv6 code</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMPv6 code (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="type"> - <properties> - <help>ICMPv6 type</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMPv6 type (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - #include <include/firewall/icmpv6-type-name.xml.i> - </children> - </node> - <leafNode name="jump-target"> - <properties> - <help>Set jump target. Action jump must be defined to use this setting</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - #include <include/firewall/nft-queue.xml.i> - </children> - </tagNode> - </children> - </tagNode> - <leafNode name="ipv6-receive-redirects"> - <properties> - <help>Policy for handling received ICMPv6 redirect messages</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of received ICMPv6 redirect messages</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of received ICMPv6 redirect messages</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="ipv6-src-route"> - <properties> - <help>Policy for handling IPv6 packets with routing extension header</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of IPv6 packets with routing header type 2</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of IPv6 packets with routing header</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="log-martians"> - <properties> - <help>Policy for logging IPv4 packets with invalid addresses</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable logging of IPv4 packets with invalid addresses</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable logging of Ipv4 packets with invalid addresses</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <tagNode name="name"> - <properties> - <help>IPv4 firewall rule-set name</help> - <constraint> - <regex>[a-zA-Z0-9][\w\-\.]*</regex> - </constraint> - </properties> - <children> - #include <include/firewall/default-action.xml.i> - #include <include/firewall/enable-default-log.xml.i> - #include <include/generic-description.xml.i> - <leafNode name="default-jump-target"> - <properties> - <help>Set jump target. Action jump must be defined in default-action to use this setting</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <tagNode name="rule"> - <properties> - <help>Firewall rule number (IPv4)</help> - <valueHelp> - <format>u32:1-999999</format> - <description>Number for this Firewall rule</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-999999"/> - </constraint> - <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> - </properties> - <children> - #include <include/firewall/action.xml.i> - #include <include/generic-description.xml.i> - <node name="destination"> - <properties> - <help>Destination parameters</help> - </properties> - <children> - #include <include/firewall/address.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask.xml.i> - </children> - </node> - <node name="source"> - <properties> - <help>Source parameters</help> - </properties> - <children> - #include <include/firewall/address.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask.xml.i> - </children> - </node> - #include <include/firewall/common-rule.xml.i> - #include <include/firewall/dscp.xml.i> - #include <include/firewall/packet-options.xml.i> - #include <include/firewall/connection-mark.xml.i> - <node name="icmp"> - <properties> - <help>ICMP type and code information</help> - </properties> - <children> - <leafNode name="code"> - <properties> - <help>ICMP code</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMP code (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="type"> - <properties> - <help>ICMP type</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMP type (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - #include <include/firewall/icmp-type-name.xml.i> - </children> - </node> - <leafNode name="jump-target"> - <properties> - <help>Set jump target. Action jump must be defined to use this setting</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - #include <include/firewall/ttl.xml.i> - #include <include/firewall/nft-queue.xml.i> - </children> - </tagNode> - </children> - </tagNode> - <leafNode name="receive-redirects"> - <properties> - <help>Policy for handling received IPv4 ICMP redirect messages</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of received IPv4 ICMP redirect messages</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of received IPv4 ICMP redirect messages</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="resolver-cache"> - <properties> - <help>Retains last successful value if domain resolution fails</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="resolver-interval"> - <properties> - <help>Domain resolver update interval</help> - <valueHelp> - <format>u32:10-3600</format> - <description>Interval (seconds)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 10-3600"/> - </constraint> - </properties> - <defaultValue>300</defaultValue> - </leafNode> - <leafNode name="send-redirects"> - <properties> - <help>Policy for sending IPv4 ICMP redirect messages</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable sending IPv4 ICMP redirect messages</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable sending IPv4 ICMP redirect messages</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <leafNode name="source-validation"> - <properties> - <help>Policy for source validation by reversed path, as specified in RFC3704</help> - <completionHelp> - <list>strict loose disable</list> - </completionHelp> - <valueHelp> - <format>strict</format> - <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description> - </valueHelp> - <valueHelp> - <format>loose</format> - <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>No source validation</description> - </valueHelp> - <constraint> - <regex>(strict|loose|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <node name="state-policy"> - <properties> - <help>Global firewall state-policy</help> - </properties> - <children> - <node name="established"> - <properties> - <help>Global firewall policy for packets part of an established connection</help> - </properties> - <children> - #include <include/firewall/action-accept-drop-reject.xml.i> - #include <include/firewall/log.xml.i> - #include <include/firewall/rule-log-level.xml.i> - </children> - </node> - <node name="invalid"> - <properties> - <help>Global firewall policy for packets part of an invalid connection</help> - </properties> - <children> - #include <include/firewall/action-accept-drop-reject.xml.i> - #include <include/firewall/log.xml.i> - #include <include/firewall/rule-log-level.xml.i> - </children> - </node> - <node name="related"> - <properties> - <help>Global firewall policy for packets part of a related connection</help> - </properties> - <children> - #include <include/firewall/action-accept-drop-reject.xml.i> - #include <include/firewall/log.xml.i> - #include <include/firewall/rule-log-level.xml.i> - </children> - </node> + #include <include/firewall/ipv4-hook-forward.xml.i> + #include <include/firewall/ipv4-hook-input.xml.i> + #include <include/firewall/ipv4-hook-output.xml.i> + #include <include/firewall/ipv4-custom-name.xml.i> </children> </node> - <leafNode name="syn-cookies"> - <properties> - <help>Policy for using TCP SYN cookies with IPv4</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable use of TCP SYN cookies with IPv4</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable use of TCP SYN cookies with IPv4</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <leafNode name="twa-hazards-protection"> + <node name="ipv6"> <properties> - <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable RFC1337 TIME-WAIT hazards protection</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable RFC1337 TIME-WAIT hazards protection</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <tagNode name="zone"> - <properties> - <help>Zone-policy</help> - <valueHelp> - <format>txt</format> - <description>Zone name</description> - </valueHelp> - <constraint> - <regex>[a-zA-Z0-9][\w\-\.]*</regex> - </constraint> + <help>IPv6 firewall</help> </properties> <children> - #include <include/generic-description.xml.i> - #include <include/firewall/enable-default-log.xml.i> - <leafNode name="default-action"> - <properties> - <help>Default-action for traffic coming into this zone</help> - <completionHelp> - <list>drop reject</list> - </completionHelp> - <valueHelp> - <format>drop</format> - <description>Drop silently</description> - </valueHelp> - <valueHelp> - <format>reject</format> - <description>Drop and notify source</description> - </valueHelp> - <constraint> - <regex>(drop|reject)</regex> - </constraint> - </properties> - <defaultValue>drop</defaultValue> - </leafNode> - <tagNode name="from"> - <properties> - <help>Zone from which to filter traffic</help> - <completionHelp> - <path>zone-policy zone</path> - </completionHelp> - </properties> - <children> - <node name="firewall"> - <properties> - <help>Firewall options</help> - </properties> - <children> - <leafNode name="ipv6-name"> - <properties> - <help>IPv6 firewall ruleset</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="name"> - <properties> - <help>IPv4 firewall ruleset</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </tagNode> - <leafNode name="interface"> - <properties> - <help>Interface associated with zone</help> - <valueHelp> - <format>txt</format> - <description>Interface associated with zone</description> - </valueHelp> - <valueHelp> - <format>vrf</format> - <description>VRF associated with zone</description> - </valueHelp> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces</script> - <path>vrf name</path> - </completionHelp> - <multi/> - </properties> - </leafNode> - <node name="intra-zone-filtering"> - <properties> - <help>Intra-zone filtering</help> - </properties> - <children> - <leafNode name="action"> - <properties> - <help>Action for intra-zone traffic</help> - <completionHelp> - <list>accept drop</list> - </completionHelp> - <valueHelp> - <format>accept</format> - <description>Accept traffic</description> - </valueHelp> - <valueHelp> - <format>drop</format> - <description>Drop silently</description> - </valueHelp> - <constraint> - <regex>(accept|drop)</regex> - </constraint> - </properties> - </leafNode> - <node name="firewall"> - <properties> - <help>Use the specified firewall chain</help> - </properties> - <children> - <leafNode name="ipv6-name"> - <properties> - <help>IPv6 firewall ruleset</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="name"> - <properties> - <help>IPv4 firewall ruleset</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </node> - <leafNode name="local-zone"> - <properties> - <help>Zone to be local-zone</help> - <valueless/> - </properties> - </leafNode> + #include <include/firewall/ipv6-hook-forward.xml.i> + #include <include/firewall/ipv6-hook-input.xml.i> + #include <include/firewall/ipv6-hook-output.xml.i> + #include <include/firewall/ipv6-custom-name.xml.i> </children> - </tagNode> + </node> </children> </node> </interfaceDefinition> diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index 12024ed8b..504385b53 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1123,25 +1123,26 @@ <valueless/> </properties> </leafNode> - <node name="med"> + <leafNode name="med"> <properties> <help>MED attribute comparison parameters</help> + <completionHelp> + <list>confed missing-as-worst</list> + </completionHelp> + <valueHelp> + <format>confed</format> + <description>Compare MEDs among confederation paths</description> + </valueHelp> + <valueHelp> + <format>missing-as-worst</format> + <description>Treat missing route as a MED as the least preferred one</description> + </valueHelp> + <constraint> + <regex>(confed|missing-as-worst)</regex> + </constraint> + <multi/> </properties> - <children> - <leafNode name="confed"> - <properties> - <help>Compare MEDs among confederation paths</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="missing-as-worst"> - <properties> - <help>Treat missing route as a MED as the least preferred one</help> - <valueless/> - </properties> - </leafNode> - </children> - </node> + </leafNode> <node name="peer-type"> <properties> <help>Peer type</help> diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i new file mode 100644 index 000000000..5f81a1451 --- /dev/null +++ b/interface-definitions/include/firewall/action-and-notrack.xml.i @@ -0,0 +1,41 @@ +<!-- include start from firewall/action-and-notrack.xml.i --> +<leafNode name="action"> + <properties> + <help>Rule action</help> + <completionHelp> + <list>accept jump notrack reject return drop queue</list> + </completionHelp> + <valueHelp> + <format>accept</format> + <description>Accept matching entries</description> + </valueHelp> + <valueHelp> + <format>jump</format> + <description>Jump to another chain</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Reject matching entries</description> + </valueHelp> + <valueHelp> + <format>return</format> + <description>Return from the current chain and continue at the next rule of the last chain</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Drop matching entries</description> + </valueHelp> + <valueHelp> + <format>queue</format> + <description>Enqueue packet to userspace</description> + </valueHelp> + <valueHelp> + <format>notrack</format> + <description>Igone connection tracking</description> + </valueHelp> + <constraint> + <regex>(accept|jump|notrack|reject|return|drop|queue)</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i new file mode 100644 index 000000000..7a2eb86d4 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i @@ -0,0 +1,374 @@ +<!-- include start from firewall/common-rule-inet.xml.i --> +#include <include/firewall/action.xml.i> +#include <include/generic-description.xml.i> +#include <include/firewall/dscp.xml.i> +#include <include/firewall/packet-options.xml.i> +#include <include/firewall/connection-mark.xml.i> +#include <include/firewall/nft-queue.xml.i> +<leafNode name="disable"> + <properties> + <help>Option to disable firewall rule</help> + <valueless/> + </properties> +</leafNode> +<node name="fragment"> + <properties> + <help>IP fragment match</help> + </properties> + <children> + <leafNode name="match-frag"> + <properties> + <help>Second and further fragments of fragmented packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-non-frag"> + <properties> + <help>Head fragments or unfragmented packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="ipsec"> + <properties> + <help>Inbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec"> + <properties> + <help>Inbound IPsec packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none"> + <properties> + <help>Inbound non-IPsec packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="limit"> + <properties> + <help>Rate limit using a token bucket filter</help> + </properties> + <children> + <leafNode name="burst"> + <properties> + <help>Maximum number of packets to allow in excess of rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Maximum number of packets to allow in excess of rate</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="rate"> + <properties> + <help>Maximum average matching rate</help> + <valueHelp> + <format>txt</format> + <description>integer/unit (Example: 5/minute)</description> + </valueHelp> + <constraint> + <regex>\d+/(second|minute|hour|day)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="log"> + <properties> + <help>Option to log packets matching rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> +</leafNode> +<leafNode name="log"> + <properties> + <help>Option to log packets matching rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> +</leafNode> +#include <include/firewall/rule-log-options.xml.i> +<node name="connection-status"> + <properties> + <help>Connection status</help> + </properties> + <children> + <leafNode name="nat"> + <properties> + <help>NAT connection status</help> + <completionHelp> + <list>destination source</list> + </completionHelp> + <valueHelp> + <format>destination</format> + <description>Match connections that are subject to destination NAT</description> + </valueHelp> + <valueHelp> + <format>source</format> + <description>Match connections that are subject to source NAT</description> + </valueHelp> + <constraint> + <regex>(destination|source)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + <list>all tcp_udp</list> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>u32:0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format><protocol></format> + <description>IP protocol name</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol name</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> +</leafNode> +<node name="recent"> + <properties> + <help>Parameters for matching recently seen sources</help> + </properties> + <children> + <leafNode name="count"> + <properties> + <help>Source addresses seen more than N times</help> + <valueHelp> + <format>u32:1-255</format> + <description>Source addresses seen more than N times</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Source addresses seen in the last second/minute/hour</help> + <completionHelp> + <list>second minute hour</list> + </completionHelp> + <valueHelp> + <format>second</format> + <description>Source addresses seen COUNT times in the last second</description> + </valueHelp> + <valueHelp> + <format>minute</format> + <description>Source addresses seen COUNT times in the last minute</description> + </valueHelp> + <valueHelp> + <format>hour</format> + <description>Source addresses seen COUNT times in the last hour</description> + </valueHelp> + <constraint> + <regex>(second|minute|hour)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node name="state"> + <properties> + <help>Session state</help> + </properties> + <children> + <leafNode name="established"> + <properties> + <help>Established state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="invalid"> + <properties> + <help>Invalid state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="new"> + <properties> + <help>New state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="related"> + <properties> + <help>Related state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +#include <include/firewall/tcp-flags.xml.i> +<node name="time"> + <properties> + <help>Time to match rule</help> + </properties> + <children> + <leafNode name="startdate"> + <properties> + <help>Date to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="starttime"> + <properties> + <help>Time of day to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stopdate"> + <properties> + <help>Date to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stoptime"> + <properties> + <help>Time of day to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="weekdays"> + <properties> + <help>Comma separated weekdays to match rule on</help> + <valueHelp> + <format>txt</format> + <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description> + </valueHelp> + <valueHelp> + <format>u32:0-6</format> + <description>Day number (0 = Sunday ... 6 = Saturday)</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i new file mode 100644 index 000000000..a1071a09a --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i @@ -0,0 +1,331 @@ +<!-- include start from firewall/common-rule-ipv4-raw.xml.i --> +#include <include/firewall/action-and-notrack.xml.i> +#include <include/generic-description.xml.i> +#include <include/firewall/dscp.xml.i> +#include <include/firewall/ttl.xml.i> +#include <include/firewall/nft-queue.xml.i> +<node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +<leafNode name="disable"> + <properties> + <help>Option to disable firewall rule</help> + <valueless/> + </properties> +</leafNode> +<node name="fragment"> + <properties> + <help>IP fragment match</help> + </properties> + <children> + <leafNode name="match-frag"> + <properties> + <help>Second and further fragments of fragmented packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-non-frag"> + <properties> + <help>Head fragments or unfragmented packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="icmp"> + <properties> + <help>ICMP type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMP code</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMP type</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmp-type-name.xml.i> + </children> +</node> +<node name="ipsec"> + <properties> + <help>Inbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec"> + <properties> + <help>Inbound IPsec packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none"> + <properties> + <help>Inbound non-IPsec packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="limit"> + <properties> + <help>Rate limit using a token bucket filter</help> + </properties> + <children> + <leafNode name="burst"> + <properties> + <help>Maximum number of packets to allow in excess of rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Maximum number of packets to allow in excess of rate</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="rate"> + <properties> + <help>Maximum average matching rate</help> + <valueHelp> + <format>txt</format> + <description>integer/unit (Example: 5/minute)</description> + </valueHelp> + <constraint> + <regex>\d+/(second|minute|hour|day)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="log"> + <properties> + <help>Option to log packets matching rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> +</leafNode> +#include <include/firewall/rule-log-options.xml.i> +<node name="connection-status"> + <properties> + <help>Connection status</help> + </properties> + <children> + <leafNode name="nat"> + <properties> + <help>NAT connection status</help> + <completionHelp> + <list>destination source</list> + </completionHelp> + <valueHelp> + <format>destination</format> + <description>Match connections that are subject to destination NAT</description> + </valueHelp> + <valueHelp> + <format>source</format> + <description>Match connections that are subject to source NAT</description> + </valueHelp> + <constraint> + <regex>(destination|source)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + <list>all tcp_udp</list> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>u32:0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format><protocol></format> + <description>IP protocol name</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol name</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> +</leafNode> +<node name="recent"> + <properties> + <help>Parameters for matching recently seen sources</help> + </properties> + <children> + <leafNode name="count"> + <properties> + <help>Source addresses seen more than N times</help> + <valueHelp> + <format>u32:1-255</format> + <description>Source addresses seen more than N times</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Source addresses seen in the last second/minute/hour</help> + <completionHelp> + <list>second minute hour</list> + </completionHelp> + <valueHelp> + <format>second</format> + <description>Source addresses seen COUNT times in the last second</description> + </valueHelp> + <valueHelp> + <format>minute</format> + <description>Source addresses seen COUNT times in the last minute</description> + </valueHelp> + <valueHelp> + <format>hour</format> + <description>Source addresses seen COUNT times in the last hour</description> + </valueHelp> + <constraint> + <regex>(second|minute|hour)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +#include <include/firewall/tcp-flags.xml.i> +<node name="time"> + <properties> + <help>Time to match rule</help> + </properties> + <children> + <leafNode name="startdate"> + <properties> + <help>Date to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="starttime"> + <properties> + <help>Time of day to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stopdate"> + <properties> + <help>Date to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stoptime"> + <properties> + <help>Time of day to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="weekdays"> + <properties> + <help>Comma separated weekdays to match rule on</help> + <valueHelp> + <format>txt</format> + <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description> + </valueHelp> + <valueHelp> + <format>u32:0-6</format> + <description>Day number (0 = Sunday ... 6 = Saturday)</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i new file mode 100644 index 000000000..4ed179ae7 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i @@ -0,0 +1,72 @@ +<!-- include start from firewall/common-rule-ipv4.xml.i --> +#include <include/firewall/common-rule-inet.xml.i> +#include <include/firewall/ttl.xml.i> +<node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +<node name="icmp"> + <properties> + <help>ICMP type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMP code</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMP type</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmp-type-name.xml.i> + </children> +</node> +<leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> +</leafNode> +<node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i new file mode 100644 index 000000000..6219557db --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i @@ -0,0 +1,72 @@ +<!-- include start from firewall/common-rule-ipv6.xml.i --> +#include <include/firewall/common-rule-inet.xml.i> +#include <include/firewall/hop-limit.xml.i> +<node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address-ipv6.xml.i> + #include <include/firewall/address-mask-ipv6.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group-ipv6.xml.i> + </children> +</node> +<node name="icmpv6"> + <properties> + <help>ICMPv6 type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMPv6 code</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMPv6 code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMPv6 type</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMPv6 type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmpv6-type-name.xml.i> + </children> +</node> +<leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv6 name</path> + </completionHelp> + </properties> +</leafNode> +<node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address-ipv6.xml.i> + #include <include/firewall/address-mask-ipv6.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group-ipv6.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i new file mode 100644 index 000000000..aa62abf3d --- /dev/null +++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i @@ -0,0 +1,22 @@ +<!-- include start from firewall/default-action-base-chains.xml.i --> +<leafNode name="default-action"> + <properties> + <help>Default-action for rule-set</help> + <completionHelp> + <list>drop accept</list> + </completionHelp> + <valueHelp> + <format>drop</format> + <description>Drop if no prior rules are hit</description> + </valueHelp> + <valueHelp> + <format>accept</format> + <description>Accept if no prior rules are hit</description> + </valueHelp> + <constraint> + <regex>(drop|accept)</regex> + </constraint> + </properties> + <defaultValue>accept</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i b/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i new file mode 100644 index 000000000..7f34de3ba --- /dev/null +++ b/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/firewall-hashing-parameters.xml.i --> +<leafNode name="hash"> + <properties> + <help>Define the parameters of the packet header to apply the hashing</help> + <completionHelp> + <list>source-address destination-address source-port destination-port random</list> + </completionHelp> + <valueHelp> + <format>source-address</format> + <description>Use source IP address for hashing</description> + </valueHelp> + <valueHelp> + <format>destination-address</format> + <description>Use destination IP address for hashing</description> + </valueHelp> + <valueHelp> + <format>source-port</format> + <description>Use source port for hashing</description> + </valueHelp> + <valueHelp> + <format>destination-port</format> + <description>Use destination port for hashing</description> + </valueHelp> + <valueHelp> + <format>random</format> + <description>Do not use information from ip header. Use random value.</description> + </valueHelp> + <constraint> + <regex>(source-address|destination-address|source-port|destination-port|random)</regex> + </constraint> + <multi/> + </properties> + <defaultValue>random</defaultValue> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i new file mode 100644 index 000000000..a63874cb0 --- /dev/null +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -0,0 +1,252 @@ +<!-- include start from firewall/global-options.xml.i --> +<node name="global-options"> + <properties> + <help>Global Options</help> + </properties> + <children> + <leafNode name="all-ping"> + <properties> + <help>Policy for handling of all IPv4 ICMP echo requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="broadcast-ping"> + <properties> + <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="ip-src-route"> + <properties> + <help>Policy for handling IPv4 packets with source route option</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of IPv4 packets with source route option</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv4 packets with source route option</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="log-martians"> + <properties> + <help>Policy for logging IPv4 packets with invalid addresses</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable logging of IPv4 packets with invalid addresses</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable logging of Ipv4 packets with invalid addresses</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="receive-redirects"> + <properties> + <help>Policy for handling received IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="resolver-cache"> + <properties> + <help>Retains last successful value if domain resolution fails</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="resolver-interval"> + <properties> + <help>Domain resolver update interval</help> + <valueHelp> + <format>u32:10-3600</format> + <description>Interval (seconds)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 10-3600"/> + </constraint> + </properties> + <defaultValue>300</defaultValue> + </leafNode> + <leafNode name="send-redirects"> + <properties> + <help>Policy for sending IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="source-validation"> + <properties> + <help>Policy for source validation by reversed path, as specified in RFC3704</help> + <completionHelp> + <list>strict loose disable</list> + </completionHelp> + <valueHelp> + <format>strict</format> + <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>loose</format> + <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>No source validation</description> + </valueHelp> + <constraint> + <regex>(strict|loose|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="syn-cookies"> + <properties> + <help>Policy for using TCP SYN cookies with IPv4</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable use of TCP SYN cookies with IPv4</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable use of TCP SYN cookies with IPv4</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="twa-hazards-protection"> + <properties> + <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="ipv6-receive-redirects"> + <properties> + <help>Policy for handling received ICMPv6 redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="ipv6-src-route"> + <properties> + <help>Policy for handling IPv6 packets with routing extension header</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of IPv6 packets with routing header type 2</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv6 packets with routing header</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/inbound-interface.xml.i b/interface-definitions/include/firewall/inbound-interface.xml.i new file mode 100644 index 000000000..13df71de3 --- /dev/null +++ b/interface-definitions/include/firewall/inbound-interface.xml.i @@ -0,0 +1,10 @@ +<!-- include start from firewall/inbound-interface.xml.i --> +<node name="inbound-interface"> + <properties> + <help>Match inbound-interface</help> + </properties> + <children> + #include <include/firewall/match-interface.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i new file mode 100644 index 000000000..9d6ecfaf2 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -0,0 +1,41 @@ +<!-- include start from firewall/ipv4-custom-name.xml.i --> +<tagNode name="name"> + <properties> + <help>IPv4 custom firewall</help> + <constraint> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> + </constraint> + </properties> + <children> + #include <include/firewall/default-action.xml.i> + #include <include/firewall/enable-default-log.xml.i> + #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall custom rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> +</tagNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i new file mode 100644 index 000000000..08ee96419 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -0,0 +1,36 @@ +<!-- include start from firewall/ipv4-hook-forward.xml.i --> +<node name="forward"> + <properties> + <help>IPv4 forward firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall forward filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall forward filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i new file mode 100644 index 000000000..32b0ec94f --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv4-hook-input.xml.i --> +<node name="input"> + <properties> + <help>IPv4 input firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall input filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall input filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i new file mode 100644 index 000000000..d50d1e93b --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv4-hook-output.xml.i --> +<node name="output"> + <properties> + <help>IPv4 output firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall output filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall output filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i new file mode 100644 index 000000000..c38918375 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -0,0 +1,85 @@ +<!-- include start from firewall/ipv4-hook-prerouting.xml.i --> +<node name="prerouting"> + <properties> + <help>IPv4 prerouting firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall prerouting filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall prerouting filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + <leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + <node name="raw"> + <properties> + <help>IPv4 firewall prerouting raw</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall prerouting raw rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4-raw.xml.i> + #include <include/firewall/inbound-interface.xml.i> + <leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i new file mode 100644 index 000000000..81610babf --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -0,0 +1,41 @@ +<!-- include start from firewall/ipv6-custom-name.xml.i --> +<tagNode name="name"> + <properties> + <help>IPv6 custom firewall</help> + <constraint> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> + </constraint> + </properties> + <children> + #include <include/firewall/default-action.xml.i> + #include <include/firewall/enable-default-log.xml.i> + #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall ipv6 name</path> + </completionHelp> + </properties> + </leafNode> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall custom rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> +</tagNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i new file mode 100644 index 000000000..20ab8dbe8 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -0,0 +1,36 @@ +<!-- include start from firewall/ipv6-hook-forward.xml.i --> +<node name="forward"> + <properties> + <help>IPv6 forward firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv6 firewall forward filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall forward filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i new file mode 100644 index 000000000..e34958f28 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv6-hook-input.xml.i --> +<node name="input"> + <properties> + <help>IPv6 input firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv6 firewall input filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall input filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/inbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i new file mode 100644 index 000000000..eb4ea7ac3 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv6-hook-output.xml.i --> +<node name="output"> + <properties> + <help>IPv6 output firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv6 firewall output filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall output filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i index 3e52422cf..a62bf8d89 100644 --- a/interface-definitions/include/firewall/match-interface.xml.i +++ b/interface-definitions/include/firewall/match-interface.xml.i @@ -5,6 +5,13 @@ <completionHelp> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> + <valueHelp> + <format>txt</format> + <description>Interface name, wildcard (*) supported</description> + </valueHelp> + <constraint> + #include <include/constraint/interface-name-with-wildcard.xml.i> + </constraint> </properties> </leafNode> <leafNode name="interface-group"> diff --git a/interface-definitions/include/firewall/nat-balance.xml.i b/interface-definitions/include/firewall/nat-balance.xml.i new file mode 100644 index 000000000..01793f06b --- /dev/null +++ b/interface-definitions/include/firewall/nat-balance.xml.i @@ -0,0 +1,28 @@ +<!-- include start from firewall/nat-balance.xml.i --> +<tagNode name="backend"> + <properties> + <help>Translated IP address</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + <children> + <leafNode name="weight"> + <properties> + <help>Set probability for this output value</help> + <valueHelp> + <format>u32:1-100</format> + <description>Set probability for this output value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 1-100"/> + </constraint> + </properties> + </leafNode> + </children> +</tagNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/outbound-interface.xml.i b/interface-definitions/include/firewall/outbound-interface.xml.i new file mode 100644 index 000000000..8654dfd80 --- /dev/null +++ b/interface-definitions/include/firewall/outbound-interface.xml.i @@ -0,0 +1,10 @@ +<!-- include start from firewall/outbound-interface.xml.i --> +<node name="outbound-interface"> + <properties> + <help>Match outbound-interface</help> + </properties> + <children> + #include <include/firewall/match-interface.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i index 609af1a2b..5ca1d525f 100644 --- a/interface-definitions/include/interface/dhcpv6-options.xml.i +++ b/interface-definitions/include/interface/dhcpv6-options.xml.i @@ -95,6 +95,12 @@ <valueless/> </properties> </leafNode> + <leafNode name="no-release"> + <properties> + <help>Do not send a release message on client exit</help> + <valueless/> + </properties> + </leafNode> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/interface/ipv6-accept-dad.xml.i b/interface-definitions/include/interface/ipv6-accept-dad.xml.i new file mode 100644 index 000000000..7554b270a --- /dev/null +++ b/interface-definitions/include/interface/ipv6-accept-dad.xml.i @@ -0,0 +1,20 @@ +<!-- include start from interface/ipv6-accept-dad.xml.i --> +<leafNode name="accept-dad"> + <properties> + <help>Accept Duplicate Address Detection</help> + <valueHelp> + <format>0</format> + <description>Disable DAD</description> + </valueHelp> + <valueHelp> + <format>1</format> + <description>Enable DAD</description> + </valueHelp> + <valueHelp> + <format>2</format> + <description>Enable DAD - disable IPv6 if MAC-based duplicate link-local address found</description> + </valueHelp> + </properties> + <defaultValue>1</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i b/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i index babe6d20f..3b9294dd0 100644 --- a/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i +++ b/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i @@ -1,7 +1,7 @@ <!-- include start from interface/ipv6-dup-addr-detect-transmits.xml.i --> <leafNode name="dup-addr-detect-transmits"> <properties> - <help>Number of NS messages to send while performing DAD (default: 1)</help> + <help>Number of NS messages to send while performing DAD</help> <valueHelp> <format>u32:0</format> <description>Disable Duplicate Address Dectection (DAD)</description> @@ -14,5 +14,6 @@ <validator name="numeric" argument="--non-negative"/> </constraint> </properties> + <defaultValue>1</defaultValue> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/interface/ipv6-options.xml.i b/interface-definitions/include/interface/ipv6-options.xml.i index f740ce0c2..d2e47de91 100644 --- a/interface-definitions/include/interface/ipv6-options.xml.i +++ b/interface-definitions/include/interface/ipv6-options.xml.i @@ -6,6 +6,7 @@ <children> #include <include/interface/adjust-mss.xml.i> #include <include/interface/disable-forwarding.xml.i> + #include <include/interface/ipv6-accept-dad.xml.i> #include <include/interface/ipv6-address.xml.i> #include <include/interface/ipv6-dup-addr-detect-transmits.xml.i> </children> diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i index 7b3b8804e..6234e6195 100644 --- a/interface-definitions/include/nat-rule.xml.i +++ b/interface-definitions/include/nat-rule.xml.i @@ -25,6 +25,15 @@ </node> #include <include/generic-disable-node.xml.i> #include <include/nat-exclude.xml.i> + <node name="load-balance"> + <properties> + <help>Apply NAT load balance</help> + </properties> + <children> + #include <include/firewall/firewall-hashing-parameters.xml.i> + #include <include/firewall/nat-balance.xml.i> + </children> + </node> <leafNode name="log"> <properties> <help>NAT rule logging</help> diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index c32484542..dd21bfaca 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/firewall-version.xml.i --> -<syntaxVersion component='firewall' version='10'></syntaxVersion> +<syntaxVersion component='firewall' version='11'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/interfaces-version.xml.i b/interface-definitions/include/version/interfaces-version.xml.i index 4a2b3f9ab..3d11ce888 100644 --- a/interface-definitions/include/version/interfaces-version.xml.i +++ b/interface-definitions/include/version/interfaces-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/interfaces-version.xml.i --> -<syntaxVersion component='interfaces' version='29'></syntaxVersion> +<syntaxVersion component='interfaces' version='30'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 127a8179b..831659250 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -752,6 +752,16 @@ </completionHelp> </properties> </leafNode> + <leafNode name="peer-fingerprint"> + <properties> + <multi/> + <help>Peer certificate SHA256 fingerprint</help> + <constraint> + <regex>[0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2}</regex> + </constraint> + <constraintErrorMessage>Peer certificate fingerprint must be a colon-separated SHA256 hex digest</constraintErrorMessage> + </properties> + </leafNode> <leafNode name="tls-version-min"> <properties> <help>Specify the minimum required TLS version</help> diff --git a/interface-definitions/service-monitoring-zabbix-agent.xml.in b/interface-definitions/service-monitoring-zabbix-agent.xml.in new file mode 100644 index 000000000..cfeb02ce0 --- /dev/null +++ b/interface-definitions/service-monitoring-zabbix-agent.xml.in @@ -0,0 +1,184 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="service"> + <children> + <node name="monitoring"> + <children> + <node name="zabbix-agent" owner="${vyos_conf_scripts_dir}/service_monitoring_zabbix-agent.py"> + <properties> + <help>Zabbix-agent settings</help> + </properties> + <children> + <leafNode name="directory"> + <properties> + <help>Folder containing individual Zabbix-agent configuration files</help> + <constraint> + <validator name="file-path" argument="--directory"/> + </constraint> + </properties> + </leafNode> + <node name="limits"> + <properties> + <help>Limit settings</help> + </properties> + <children> + <leafNode name="buffer-flush-interval"> + <properties> + <help>Do not keep data longer than N seconds in buffer</help> + <valueHelp> + <format>u32:1-3600</format> + <description>Seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-3600"/> + </constraint> + <constraintErrorMessage>buffer-flush-interval must be between 1 and 3600 seconds</constraintErrorMessage> + </properties> + <defaultValue>5</defaultValue> + </leafNode> + <leafNode name="buffer-size"> + <properties> + <help>Maximum number of values in a memory buffer</help> + <valueHelp> + <format>u32:2-65535</format> + <description>Maximum number of values in a memory buffer</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 2-65535"/> + </constraint> + <constraintErrorMessage>Buffer-size must be between 2 and 65535</constraintErrorMessage> + </properties> + <defaultValue>100</defaultValue> + </leafNode> + </children> + </node> + <node name="log"> + <properties> + <help>Log settings</help> + </properties> + <children> + <leafNode name="debug-level"> + <properties> + <help>Debug level</help> + <completionHelp> + <list>basic critical error warning debug extended-debug</list> + </completionHelp> + <valueHelp> + <format>basic</format> + <description>Basic information</description> + </valueHelp> + <valueHelp> + <format>critical</format> + <description>Critical information</description> + </valueHelp> + <valueHelp> + <format>error</format> + <description>Error information</description> + </valueHelp> + <valueHelp> + <format>warning</format> + <description>Warnings</description> + </valueHelp> + <valueHelp> + <format>debug</format> + <description>Debug information</description> + </valueHelp> + <valueHelp> + <format>extended-debug</format> + <description>Extended debug information</description> + </valueHelp> + <constraint> + <regex>(basic|critical|error|warning|debug|extended-debug)</regex> + </constraint> + </properties> + <defaultValue>warning</defaultValue> + </leafNode> + <leafNode name="remote-commands"> + <properties> + <help>Enable logging of executed shell commands as warnings</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="size"> + <properties> + <help>Log file size in megabytes</help> + <valueHelp> + <format>u32:0-1024</format> + <description>Megabytes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-1024"/> + </constraint> + <constraintErrorMessage>Size must be between 0 and 1024 Megabytes</constraintErrorMessage> + </properties> + <defaultValue>0</defaultValue> + </leafNode> + </children> + </node> + #include <include/listen-address.xml.i> + <leafNode name="listen-address"> + <defaultValue>0.0.0.0</defaultValue> + </leafNode> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>10050</defaultValue> + </leafNode> + <leafNode name="server"> + <properties> + <help>Remote server to connect to</help> + <valueHelp> + <format>ipv4</format> + <description>Server IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Server IPv6 address</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>Server hostname/FQDN</description> + </valueHelp> + <multi/> + </properties> + </leafNode> + <tagNode name="server-active"> + <properties> + <help>Remote server address to get active checks from</help> + <valueHelp> + <format>ipv4</format> + <description>Server IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Server IPv6 address</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>Server hostname/FQDN</description> + </valueHelp> + </properties> + <children> + #include <include/port-number.xml.i> + </children> + </tagNode> + <leafNode name="timeout"> + <properties> + <help>Item processing timeout in seconds</help> + <valueHelp> + <format>u32:1-30</format> + <description>Item processing timeout</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-30"/> + </constraint> + <constraintErrorMessage>Timeout must be between 1 and 30 seconds</constraintErrorMessage> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in index efab50a66..b1b5f7fae 100644 --- a/interface-definitions/system-option.xml.in +++ b/interface-definitions/system-option.xml.in @@ -144,6 +144,26 @@ <valueless/> </properties> </leafNode> + <leafNode name="time-format"> + <properties> + <help>System time-format</help> + <completionHelp> + <list>12-hour 24-hour</list> + </completionHelp> + <valueHelp> + <format>12-hour</format> + <description>12 hour time format</description> + </valueHelp> + <valueHelp> + <format>24-hour</format> + <description>24 hour time format</description> + </valueHelp> + <constraint> + <regex>(12-hour|24-hour)</regex> + </constraint> + </properties> + <defaultValue>12-hour</defaultValue> + </leafNode> </children> </node> </children> diff --git a/op-mode-definitions/clear-dhcp-server-lease.xml.in b/op-mode-definitions/clear-dhcp-server-lease.xml.in index b1241588c..aef0eb22a 100644 --- a/op-mode-definitions/clear-dhcp-server-lease.xml.in +++ b/op-mode-definitions/clear-dhcp-server-lease.xml.in @@ -4,7 +4,7 @@ <children> <node name="dhcp-server"> <properties> - <help>clear DHCP server lease</help> + <help>Clear DHCP server lease</help> </properties> <children> <tagNode name="lease"> diff --git a/op-mode-definitions/dhcp.xml.in b/op-mode-definitions/dhcp.xml.in index 66584efc3..6855fe447 100644 --- a/op-mode-definitions/dhcp.xml.in +++ b/op-mode-definitions/dhcp.xml.in @@ -7,6 +7,30 @@ <help>Show DHCP (Dynamic Host Configuration Protocol) information</help> </properties> <children> + <node name="client"> + <properties> + <help>Show DHCP client information</help> + </properties> + <children> + <node name="leases"> + <properties> + <help>Show DHCP client leases</help> + </properties> + <children> + <tagNode name="interface"> + <properties> + <help> Show DHCP client information for a given interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces --broadcast</script> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet --interface $6</command> + </tagNode> + </children> + <command>${vyos_op_scripts_dir}/dhcp.py show_client_leases --family inet</command> + </node> + </children> + </node> <node name="server"> <properties> <help>Show DHCP server information</help> diff --git a/op-mode-definitions/dns-dynamic.xml.in b/op-mode-definitions/dns-dynamic.xml.in index 8f32f63f9..79478f392 100644 --- a/op-mode-definitions/dns-dynamic.xml.in +++ b/op-mode-definitions/dns-dynamic.xml.in @@ -1,5 +1,29 @@ <?xml version="1.0"?> <interfaceDefinition> + <node name="clear"> + <children> + <node name="dns"> + <properties> + <help>Clear Domain Name System</help> + </properties> + <children> + <node name="dynamic"> + <properties> + <help>Clear Dynamic DNS information</help> + </properties> + <children> + <leafNode name="cache"> + <properties> + <help>Clear Dynamic DNS information cache (ddclient)</help> + </properties> + <command>sudo rm -f /run/ddclient/ddclient.cache</command> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> <node name="monitor"> <children> <node name="log"> diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in index b5dee7c9e..164ce6b60 100644 --- a/op-mode-definitions/firewall.xml.in +++ b/op-mode-definitions/firewall.xml.in @@ -131,46 +131,206 @@ </properties> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group</command> </leafNode> - <tagNode name="ipv6-name"> + <node name="ipv6"> <properties> - <help>Show IPv6 firewall chains</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> + <help>Show IPv6 firewall</help> </properties> <children> - <tagNode name="rule"> + <node name="forward"> + <properties> + <help>Show IPv6 forward firewall ruleset</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Show IPv6 forward filter firewall ruleset</help> + </properties> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv6 forward filter firewall rules</help> + <completionHelp> + <path>firewall ipv6 forward filter rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command> + </node> + </children> + </node> + <node name="input"> + <properties> + <help>Show IPv6 input firewall ruleset</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Show IPv6 forward input firewall ruleset</help> + </properties> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv6 input filter firewall rules</help> + <completionHelp> + <path>firewall ipv6 input filter rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command> + </node> + </children> + </node> + <node name="output"> + <properties> + <help>Show IPv6 output firewall ruleset</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Show IPv6 output filter firewall ruleset</help> + </properties> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv6 output filter firewall rules</help> + <completionHelp> + <path>firewall ipv6 output filter rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command> + </node> + </children> + </node> + <tagNode name="ipv6-name"> <properties> - <help>Show summary of IPv6 firewall rules</help> + <help>Show IPv6 custom firewall chains</help> <completionHelp> - <path>firewall ipv6-name ${COMP_WORDS[6]} rule</path> + <path>firewall ipv6 ipv6-name</path> </completionHelp> </properties> - <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4 --rule $6 --ipv6</command> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv6 custom firewall ruleset</help> + <completionHelp> + <path>firewall ipv6 ipv6-name ${COMP_WORDS[6]} rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 --ipv6</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --ipv6</command> </tagNode> </children> - <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4 --ipv6</command> - </tagNode> - <tagNode name="name"> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command> + </node> + <node name="ipv4"> <properties> - <help>Show IPv4 firewall chains</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> + <help>Show IPv4 firewall</help> </properties> <children> - <tagNode name="rule"> + <node name="forward"> + <properties> + <help>Show IPv4 forward firewall ruleset</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Show IPv4 forward filter firewall ruleset</help> + </properties> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv4 forward filter firewall rules</help> + <completionHelp> + <path>firewall ipv4 forward filter rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command> + </node> + </children> + </node> + <node name="input"> + <properties> + <help>Show IPv4 input firewall ruleset</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Show IPv4 forward input firewall ruleset</help> + </properties> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv4 input filter firewall rules</help> + <completionHelp> + <path>firewall ipv4 input filter rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command> + </node> + </children> + </node> + <node name="output"> + <properties> + <help>Show IPv4 output firewall ruleset</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>Show IPv4 output filter firewall ruleset</help> + </properties> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv4 output filter firewall rules</help> + <completionHelp> + <path>firewall ipv4 output filter rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command> + </node> + </children> + </node> + <tagNode name="name"> <properties> - <help>Show summary of IPv4 firewall rules</help> + <help>Show IPv4 custom firewall chains</help> <completionHelp> - <path>firewall name ${COMP_WORDS[6]} rule</path> + <path>firewall ipv4 name</path> </completionHelp> </properties> - <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4 --rule $6</command> + <children> + <tagNode name="rule"> + <properties> + <help>Show summary of IPv4 custom firewall ruleset</help> + <completionHelp> + <path>firewall ipv4 name ${COMP_WORDS[6]} rule</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7</command> + </tagNode> + </children> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5</command> </tagNode> </children> - <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --name $4</command> - </tagNode> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command> + </node> <leafNode name="statistics"> <properties> <help>Show statistics of firewall application</help> diff --git a/op-mode-definitions/include/ospfv3/detail.xml.i b/op-mode-definitions/include/frr-detail.xml.i index 4e3c91268..4edf82eab 100644 --- a/op-mode-definitions/include/ospfv3/detail.xml.i +++ b/op-mode-definitions/include/frr-detail.xml.i @@ -1,8 +1,8 @@ -<!-- included start from ospfv3/detail.xml.i --> -<node name="detail"> +<!-- included start from frr-detail.xml.i --> +<leafNode name="detail"> <properties> <help>Show detailed information</help> </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> -</node> +</leafNode> <!-- included end --> diff --git a/op-mode-definitions/include/monitor-background.xml.i b/op-mode-definitions/include/monitor-background.xml.i deleted file mode 100644 index 9931127e3..000000000 --- a/op-mode-definitions/include/monitor-background.xml.i +++ /dev/null @@ -1,21 +0,0 @@ -<!-- included start from monitor-background.xml.i --> -<node name="background"> - <properties> - <help>Monitor in background</help> - </properties> - <children> - <node name="start"> - <properties> - <help>Start background monitoring</help> - </properties> - <command>${vyatta_bindir}/vyatta-monitor-background ${3^^} ${3}</command> - </node> - <node name="stop"> - <properties> - <help>Stop background monitoring</help> - </properties> - <command>${vyatta_bindir}/vyatta-monitor-background-stop ${3^^}</command> - </node> - </children> -</node> -<!-- included end --> diff --git a/op-mode-definitions/include/ospf/common.xml.i b/op-mode-definitions/include/ospf/common.xml.i index c8341bd3e..684073cc5 100644 --- a/op-mode-definitions/include/ospf/common.xml.i +++ b/op-mode-definitions/include/ospf/common.xml.i @@ -524,12 +524,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - <node name="detail"> - <properties> - <help>Show detailed IPv4 OSPF neighbor information</help> - </properties> - <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> - </node> + #include <include/frr-detail.xml.i> </children> </node> <tagNode name="neighbor"> diff --git a/op-mode-definitions/include/ospfv3/adv-router-id-node-tag.xml.i b/op-mode-definitions/include/ospfv3/adv-router-id-node-tag.xml.i index a1bd67a90..806366444 100644 --- a/op-mode-definitions/include/ospfv3/adv-router-id-node-tag.xml.i +++ b/op-mode-definitions/include/ospfv3/adv-router-id-node-tag.xml.i @@ -8,7 +8,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> </children> diff --git a/op-mode-definitions/include/ospfv3/adv-router.xml.i b/op-mode-definitions/include/ospfv3/adv-router.xml.i index a14fc39db..238242d11 100644 --- a/op-mode-definitions/include/ospfv3/adv-router.xml.i +++ b/op-mode-definitions/include/ospfv3/adv-router.xml.i @@ -7,7 +7,7 @@ </completionHelp> </properties> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> diff --git a/op-mode-definitions/include/ospfv3/border-routers.xml.i b/op-mode-definitions/include/ospfv3/border-routers.xml.i index b6fac6785..e8827a2c4 100644 --- a/op-mode-definitions/include/ospfv3/border-routers.xml.i +++ b/op-mode-definitions/include/ospfv3/border-routers.xml.i @@ -5,7 +5,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> <tagNode name="border-routers"> diff --git a/op-mode-definitions/include/ospfv3/database.xml.i b/op-mode-definitions/include/ospfv3/database.xml.i index e98f9e35b..fdc45f184 100644 --- a/op-mode-definitions/include/ospfv3/database.xml.i +++ b/op-mode-definitions/include/ospfv3/database.xml.i @@ -29,7 +29,7 @@ </completionHelp> </properties> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> </children> @@ -45,7 +45,7 @@ </properties> <command>vtysh -c "show ipv6 ospf6 database * $6"</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/adv-router-id-node-tag.xml.i> @@ -67,12 +67,12 @@ </properties> <command>vtysh -c "show ipv6 ospf6 database as-external * $7"</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> </children> </tagNode> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -87,14 +87,14 @@ </completionHelp> </properties> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/self-originated.xml.i> #include <include/ospfv3/adv-router-id-node-tag.xml.i> </children> </tagNode> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> #include <include/ospfv3/self-originated.xml.i> @@ -105,7 +105,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -120,7 +120,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -135,7 +135,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -150,7 +150,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -165,7 +165,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -180,7 +180,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -195,7 +195,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -210,7 +210,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> @@ -225,7 +225,7 @@ <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> #include <include/ospfv3/adv-router.xml.i> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/linkstate-id.xml.i> diff --git a/op-mode-definitions/include/ospfv3/interface.xml.i b/op-mode-definitions/include/ospfv3/interface.xml.i index 7a0b8ea48..45d5dbd45 100644 --- a/op-mode-definitions/include/ospfv3/interface.xml.i +++ b/op-mode-definitions/include/ospfv3/interface.xml.i @@ -11,7 +11,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> <tagNode name="prefix"> @@ -23,7 +23,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> <node name="match"> <properties> <help>Matched interface prefix information</help> @@ -49,7 +49,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> <tagNode name="prefix"> @@ -61,7 +61,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> <node name="match"> <properties> <help>Matched interface prefix information</help> diff --git a/op-mode-definitions/include/ospfv3/linkstate-id-node-tag.xml.i b/op-mode-definitions/include/ospfv3/linkstate-id-node-tag.xml.i index ee3863b35..66674e754 100644 --- a/op-mode-definitions/include/ospfv3/linkstate-id-node-tag.xml.i +++ b/op-mode-definitions/include/ospfv3/linkstate-id-node-tag.xml.i @@ -8,7 +8,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> #include <include/ospfv3/self-originated.xml.i> diff --git a/op-mode-definitions/include/ospfv3/linkstate-id.xml.i b/op-mode-definitions/include/ospfv3/linkstate-id.xml.i index 9ead17c20..aa226c988 100644 --- a/op-mode-definitions/include/ospfv3/linkstate-id.xml.i +++ b/op-mode-definitions/include/ospfv3/linkstate-id.xml.i @@ -7,7 +7,7 @@ </completionHelp> </properties> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> </children> diff --git a/op-mode-definitions/include/ospfv3/linkstate.xml.i b/op-mode-definitions/include/ospfv3/linkstate.xml.i index 78ef3efa1..030dc7923 100644 --- a/op-mode-definitions/include/ospfv3/linkstate.xml.i +++ b/op-mode-definitions/include/ospfv3/linkstate.xml.i @@ -4,7 +4,7 @@ <help>Show OSPFv3 linkstate routing information</help> </properties> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> <tagNode name="network"> <properties> <help>Show linkstate Network information</help> diff --git a/op-mode-definitions/include/ospfv3/neighbor.xml.i b/op-mode-definitions/include/ospfv3/neighbor.xml.i index 37859f815..b736270be 100644 --- a/op-mode-definitions/include/ospfv3/neighbor.xml.i +++ b/op-mode-definitions/include/ospfv3/neighbor.xml.i @@ -5,7 +5,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> <node name="drchoice"> <properties> <help>Show neighbor DR choice information</help> diff --git a/op-mode-definitions/include/ospfv3/route.xml.i b/op-mode-definitions/include/ospfv3/route.xml.i index 9271c9c3a..a5b97cd05 100644 --- a/op-mode-definitions/include/ospfv3/route.xml.i +++ b/op-mode-definitions/include/ospfv3/route.xml.i @@ -11,7 +11,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> <node name="external-2"> @@ -20,7 +20,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> <node name="inter-area"> @@ -29,7 +29,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> <node name="intra-area"> @@ -38,10 +38,10 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> <node name="summary"> <properties> <help>Show route table summary</help> @@ -71,7 +71,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> </children> </node> </children> diff --git a/op-mode-definitions/include/ospfv3/self-originated.xml.i b/op-mode-definitions/include/ospfv3/self-originated.xml.i index 734f3f8ad..7549ccb2c 100644 --- a/op-mode-definitions/include/ospfv3/self-originated.xml.i +++ b/op-mode-definitions/include/ospfv3/self-originated.xml.i @@ -5,7 +5,7 @@ </properties> <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> <children> - #include <include/ospfv3/detail.xml.i> + #include <include/frr-detail.xml.i> #include <include/ospfv3/dump.xml.i> #include <include/ospfv3/internal.xml.i> </children> diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in index c7be07aa8..ee52a7eb8 100644 --- a/op-mode-definitions/monitor-log.xml.in +++ b/op-mode-definitions/monitor-log.xml.in @@ -339,12 +339,6 @@ </properties> <command>journalctl --no-hostname --boot --follow --unit keepalived.service</command> </leafNode> - <leafNode name="webproxy"> - <properties> - <help>Monitor last lines of Webproxy log</help> - </properties> - <command>journalctl --no-hostname --boot --follow --unit squid.service</command> - </leafNode> </children> </node> </children> diff --git a/op-mode-definitions/monitor-protocol.xml.in b/op-mode-definitions/monitor-protocol.xml.in index f3af3575c..f05a1945f 100644 --- a/op-mode-definitions/monitor-protocol.xml.in +++ b/op-mode-definitions/monitor-protocol.xml.in @@ -12,7 +12,6 @@ <help>Monitor the Border Gateway Protocol (BGP)</help> </properties> <children> - #include <include/monitor-background.xml.i> <node name="disable"> <properties> <help>Disable Border Gateway Protocol (BGP) debugging</help> @@ -266,7 +265,6 @@ <help>Monitor Open Shortest Path First (OSPF) protocol</help> </properties> <children> - #include <include/monitor-background.xml.i> <node name="disable"> <properties> <help>Disable Open Shortest Path First (OSPF) debugging</help> @@ -650,25 +648,6 @@ <help>Monitor the IPv6 Open Shortest Path First (OSPFv3) protocol</help> </properties> <children> - <node name="background"> - <properties> - <help>Monitor in background</help> - </properties> - <children> - <node name="start"> - <properties> - <help>Start background monitoring</help> - </properties> - <command>${vyatta_bindir}/vyatta-monitor-background OSPFv3 ospf6</command> - </node> - <node name="stop"> - <properties> - <help>Stop background monitoring</help> - </properties> - <command>${vyatta_bindir}/vyatta-monitor-background-stop OSPFv3</command> - </node> - </children> - </node> <node name="disable"> <properties> <help>Disable IPv6 Open Shortest Path First (OSPFv3) protocol debugging</help> @@ -1192,25 +1171,6 @@ <help>Monitor the Routing Information Base (RIB)</help> </properties> <children> - <node name="background"> - <properties> - <help>Monitor in background</help> - </properties> - <children> - <node name="start"> - <properties> - <help>Start background monitoring</help> - </properties> - <command>${vyatta_bindir}/vyatta-monitor-background RIB zebra</command> - </node> - <node name="stop"> - <properties> - <help>Stop background monitoring</help> - </properties> - <command>${vyatta_bindir}/vyatta-monitor-background-stop RIB</command> - </node> - </children> - </node> <node name="disable"> <properties> <help>Disable Route Information Base (RIB) debugging</help> @@ -1360,7 +1320,6 @@ <help>Monitor the Routing Information Protocol (RIP)</help> </properties> <children> - #include <include/monitor-background.xml.i> <node name="disable"> <properties> <help>Disable Routing Information Protocol (RIP) debugging</help> @@ -1452,7 +1411,6 @@ <help>Monitor the Routing Information Protocol Next Generation (RIPng) protocol</help> </properties> <children> - #include <include/monitor-background.xml.i> <node name="disable"> <properties> <help>Disable Routing Information Protocol Next Generation (RIPNG) debugging</help> diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in index c5abf86cd..ca0eb3687 100644 --- a/op-mode-definitions/pki.xml.in +++ b/op-mode-definitions/pki.xml.in @@ -535,6 +535,15 @@ </properties> <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --pem</command> </leafNode> + <tagNode name="fingerprint"> + <properties> + <help>Show x509 certificate fingerprint</help> + <completionHelp> + <list>sha256 sha384 sha512</list> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --fingerprint "$6"</command> + </tagNode> </children> </tagNode> <leafNode name="crl"> diff --git a/op-mode-definitions/show-rpki.xml.in b/op-mode-definitions/rpki.xml.in index c1902ccec..72d378b88 100644 --- a/op-mode-definitions/show-rpki.xml.in +++ b/op-mode-definitions/rpki.xml.in @@ -29,4 +29,14 @@ </node> </children> </node> + <node name="reset"> + <children> + <leafNode name="rpki"> + <properties> + <help>Reset RPKI</help> + </properties> + <command>vtysh -c "rpki reset"</command> + </leafNode> + </children> + </node> </interfaceDefinition> diff --git a/op-mode-definitions/show-bridge.xml.in b/op-mode-definitions/show-bridge.xml.in index a272ea204..fad3f3418 100644 --- a/op-mode-definitions/show-bridge.xml.in +++ b/op-mode-definitions/show-bridge.xml.in @@ -7,12 +7,20 @@ <help>Show bridging information</help> </properties> <children> - <leafNode name="vlan"> + <node name="vlan"> <properties> <help>View the VLAN filter settings of the bridge</help> </properties> <command>${vyos_op_scripts_dir}/bridge.py show_vlan</command> - </leafNode> + <children> + <leafNode name="tunnel"> + <properties> + <help>Show bridge VLAN tunnel mapping</help> + </properties> + <command>${vyos_op_scripts_dir}/bridge.py show_vlan --tunnel</command> + </leafNode> + </children> + </node> </children> </node> <leafNode name="bridge"> diff --git a/op-mode-definitions/show-evpn.xml.in b/op-mode-definitions/show-evpn.xml.in index 0bdb41e7a..a005cbc30 100644 --- a/op-mode-definitions/show-evpn.xml.in +++ b/op-mode-definitions/show-evpn.xml.in @@ -7,6 +7,34 @@ <help>Show Ethernet VPN (EVPN) information</help> </properties> <children> + <node name="access-vlan"> + <properties> + <help>Access VLANs</help> + </properties> + <children> + #include <include/frr-detail.xml.i> + </children> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </node> + <tagNode name="access-vlan"> + <properties> + <help>Access VLANs interface name</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces --bridgeable --no-vlan-subinterfaces</script> + </completionHelp> + </properties> + <children> + <node name="node.tag"> + <properties> + <help>VLAN ID</help> + <completionHelp> + <list><1-4094></list> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command> + </node> + </children> + </tagNode> <node name="arp-cache"> <properties> <help>ARP and ND cache</help> diff --git a/op-mode-definitions/webproxy.xml.in b/op-mode-definitions/webproxy.xml.in index 5ae1577d8..57df44ff8 100644 --- a/op-mode-definitions/webproxy.xml.in +++ b/op-mode-definitions/webproxy.xml.in @@ -2,43 +2,28 @@ <interfaceDefinition> <node name="monitor"> <children> - <node name="webproxy"> - <properties> - <help>Monitor WebProxy service</help> - </properties> - <command>${vyatta_bindir}/vyatta-monitor Webproxy squid</command> + <node name="log"> <children> - <node name="access-log"> - <properties> - <help>Monitor the last lines of the squid access log</help> - </properties> - <command>if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi</command> - </node> - <node name="background"> + <node name="webproxy"> <properties> - <help>Monitor Webproxy in the background</help> + <help>Monitor last lines of Webproxy log</help> </properties> + <command>journalctl --no-hostname --boot --follow --unit squid.service</command> <children> - <node name="start"> + <leafNode name="access-log"> <properties> - <help>Start background monitoring of Webproxy</help> + <help>Monitor the last lines of the Webproxy access log</help> </properties> - <command>${vyatta_bindir}/vyatta-monitor-background Webproxy squid</command> - </node> - <node name="stop"> + <command>if [ -f /var/log/squid/access.log ]; then sudo tail --follow=name /var/log/squid/access.log; else echo "WebProxy access-log does not exist"; fi</command> + </leafNode> + <leafNode name="cache-log"> <properties> - <help>Stop background monitoring of Webproxy</help> + <help>Monitor the last lines of the Webproxy cache log</help> </properties> - <command>${vyatta_bindir}/vyatta-monitor-background-stop Webproxy </command> - </node> + <command>if [ -f /var/log/squid/cache.log ]; then sudo tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi</command> + </leafNode> </children> </node> - <node name="cache-log"> - <properties> - <help>Monitor the last lines of the squid cache log</help> - </properties> - <command>if [ -f /var/log/squid/cache.log ]; then sudo tail --follow=name /var/log/squid/cache.log; else echo "WebProxy cache-log does not exist"; fi</command> - </node> </children> </node> </children> @@ -102,6 +87,17 @@ <help>Update the webproxy blacklist database</help> </properties> <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist</command> + <children> + <tagNode name="vrf"> + <properties> + <help>Update webproxy blacklist database via specified VRF</help> + <completionHelp> + <path>vrf name</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/webproxy_update_blacklist.sh --update-blacklist --vrf "${5}" </command> + </tagNode> + </children> </node> </children> </node> diff --git a/python/vyos/component_version.py b/python/vyos/component_version.py index a4e318d08..84e0ae51a 100644 --- a/python/vyos/component_version.py +++ b/python/vyos/component_version.py @@ -37,7 +37,7 @@ import re import sys import fileinput -from vyos.xml import component_version +from vyos.xml_ref import component_version from vyos.version import get_version from vyos.defaults import directories diff --git a/python/vyos/config.py b/python/vyos/config.py index 179f60c43..6fececd76 100644 --- a/python/vyos/config.py +++ b/python/vyos/config.py @@ -66,17 +66,31 @@ In operational mode, all functions return values from the running config. import re import json from copy import deepcopy +from typing import Union import vyos.configtree -from vyos.xml_ref import multi_to_list, from_source -from vyos.xml_ref import merge_defaults, relative_defaults -from vyos.utils.dict import get_sub_dict, mangle_dict_keys -from vyos.configsource import ConfigSource, ConfigSourceSession +from vyos.xml_ref import multi_to_list +from vyos.xml_ref import from_source +from vyos.xml_ref import ext_dict_merge +from vyos.xml_ref import relative_defaults +from vyos.utils.dict import get_sub_dict +from vyos.utils.dict import mangle_dict_keys +from vyos.configsource import ConfigSource +from vyos.configsource import ConfigSourceSession class ConfigDict(dict): _from_defaults = {} - def from_defaults(self, path: list[str]): + _dict_kwargs = {} + def from_defaults(self, path: list[str]) -> bool: return from_source(self._from_defaults, path) + @property + def kwargs(self) -> dict: + return self._dict_kwargs + +def config_dict_merge(src: dict, dest: Union[dict, ConfigDict]) -> ConfigDict: + if not isinstance(dest, ConfigDict): + dest = ConfigDict(dest) + return ext_dict_merge(src, dest) class Config(object): """ @@ -229,6 +243,13 @@ class Config(object): return config_dict + def verify_mangling(self, key_mangling): + if not (isinstance(key_mangling, tuple) and \ + (len(key_mangling) == 2) and \ + isinstance(key_mangling[0], str) and \ + isinstance(key_mangling[1], str)): + raise ValueError("key_mangling must be a tuple of two strings") + def get_config_dict(self, path=[], effective=False, key_mangling=None, get_first_key=False, no_multi_convert=False, no_tag_node_value_mangle=False, @@ -243,44 +264,37 @@ class Config(object): Returns: a dict representation of the config under path """ + kwargs = locals().copy() + del kwargs['self'] + del kwargs['no_multi_convert'] + del kwargs['with_defaults'] + del kwargs['with_recursive_defaults'] + lpath = self._make_path(path) root_dict = self.get_cached_root_dict(effective) conf_dict = get_sub_dict(root_dict, lpath, get_first_key=get_first_key) - if key_mangling is None and no_multi_convert and not (with_defaults or with_recursive_defaults): - return deepcopy(conf_dict) - rpath = lpath if get_first_key else lpath[:-1] if not no_multi_convert: conf_dict = multi_to_list(rpath, conf_dict) + if key_mangling is not None: + self.verify_mangling(key_mangling) + conf_dict = mangle_dict_keys(conf_dict, + key_mangling[0], key_mangling[1], + abs_path=rpath, + no_tag_node_value_mangle=no_tag_node_value_mangle) + if with_defaults or with_recursive_defaults: + defaults = self.get_config_defaults(**kwargs, + recursive=with_recursive_defaults) + conf_dict = config_dict_merge(defaults, conf_dict) + else: conf_dict = ConfigDict(conf_dict) - conf_dict = merge_defaults(lpath, conf_dict, - get_first_key=get_first_key, - recursive=with_recursive_defaults) - if key_mangling is None: - return conf_dict - - if not (isinstance(key_mangling, tuple) and \ - (len(key_mangling) == 2) and \ - isinstance(key_mangling[0], str) and \ - isinstance(key_mangling[1], str)): - raise ValueError("key_mangling must be a tuple of two strings") - - def mangle(obj): - return mangle_dict_keys(obj, key_mangling[0], key_mangling[1], - abs_path=rpath, - no_tag_node_value_mangle=no_tag_node_value_mangle) - - if isinstance(conf_dict, ConfigDict): - from_defaults = mangle(conf_dict._from_defaults) - conf_dict = mangle(conf_dict) - conf_dict._from_defaults = from_defaults - else: - conf_dict = mangle(conf_dict) + # save optional args for a call to get_config_defaults + setattr(conf_dict, '_dict_kwargs', kwargs) return conf_dict @@ -294,21 +308,29 @@ class Config(object): defaults = relative_defaults(lpath, conf_dict, get_first_key=get_first_key, recursive=recursive) - if key_mangling is None: - return defaults rpath = lpath if get_first_key else lpath[:-1] - if not (isinstance(key_mangling, tuple) and \ - (len(key_mangling) == 2) and \ - isinstance(key_mangling[0], str) and \ - isinstance(key_mangling[1], str)): - raise ValueError("key_mangling must be a tuple of two strings") - - defaults = mangle_dict_keys(defaults, key_mangling[0], key_mangling[1], abs_path=rpath, no_tag_node_value_mangle=no_tag_node_value_mangle) + if key_mangling is not None: + self.verify_mangling(key_mangling) + defaults = mangle_dict_keys(defaults, + key_mangling[0], key_mangling[1], + abs_path=rpath, + no_tag_node_value_mangle=no_tag_node_value_mangle) return defaults + def merge_defaults(self, config_dict: ConfigDict, recursive=False): + if not isinstance(config_dict, ConfigDict): + raise TypeError('argument is not of type ConfigDict') + if not config_dict.kwargs: + raise ValueError('argument missing metadata') + + args = config_dict.kwargs + d = self.get_config_defaults(**args, recursive=recursive) + config_dict = config_dict_merge(d, config_dict) + return config_dict + def is_multi(self, path): """ Args: diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index f642d38f2..71a06b625 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -20,7 +20,6 @@ import os import json from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos.utils.process import cmd def retrieve_config(path_hash, base_path, config): @@ -177,24 +176,6 @@ def get_removed_vlans(conf, path, dict): return dict -def T2665_set_dhcpv6pd_defaults(config_dict): - """ Properly configure DHCPv6 default options in the dictionary. If there is - no DHCPv6 configured at all, it is safe to remove the entire configuration. - """ - # As this is the same for every interface type it is safe to assume this - # for ethernet - pd_defaults = defaults(['interfaces', 'ethernet', 'dhcpv6-options', 'pd']) - - # Implant default dictionary for DHCPv6-PD instances - if dict_search('dhcpv6_options.pd.length', config_dict): - del config_dict['dhcpv6_options']['pd']['length'] - - for pd in (dict_search('dhcpv6_options.pd', config_dict) or []): - config_dict['dhcpv6_options']['pd'][pd] = dict_merge(pd_defaults, - config_dict['dhcpv6_options']['pd'][pd]) - - return config_dict - def is_member(conf, interface, intftype=None): """ Checks if passed interface is member of other interface of specified type. @@ -263,6 +244,48 @@ def is_mirror_intf(conf, interface, direction=None): return ret_val +def has_address_configured(conf, intf): + """ + Checks if interface has an address configured. + Checks the following config nodes: + 'address', 'ipv6 address eui64', 'ipv6 address autoconf' + + Returns True if interface has address configured, False if it doesn't. + """ + from vyos.ifconfig import Section + ret = False + + old_level = conf.get_level() + conf.set_level([]) + + intfpath = 'interfaces ' + Section.get_config_path(intf) + if ( conf.exists(f'{intfpath} address') or + conf.exists(f'{intfpath} ipv6 address autoconf') or + conf.exists(f'{intfpath} ipv6 address eui64') ): + ret = True + + conf.set_level(old_level) + return ret + +def has_vrf_configured(conf, intf): + """ + Checks if interface has a VRF configured. + + Returns True if interface has VRF configured, False if it doesn't. + """ + from vyos.ifconfig import Section + ret = False + + old_level = conf.get_level() + conf.set_level([]) + + tmp = ['interfaces', Section.get_config_path(intf), 'vrf'] + if conf.exists(tmp): + ret = True + + conf.set_level(old_level) + return ret + def has_vlan_subinterface_configured(conf, intf): """ Checks if interface has an VLAN subinterface configured. @@ -455,6 +478,10 @@ def get_interface_dict(config, base, ifname='', recursive_defaults=True): dhcp = is_node_changed(config, base + [ifname, 'dhcp-options']) if dhcp: dict.update({'dhcp_options_changed' : {}}) + # Changine interface VRF assignemnts require a DHCP restart, too + dhcp = is_node_changed(config, base + [ifname, 'vrf']) + if dhcp: dict.update({'dhcp_options_changed' : {}}) + # Some interfaces come with a source_interface which must also not be part # of any other bond or bridge interface as it is exclusivly assigned as the # Kernels "lower" interface to this new "virtual/upper" interface. diff --git a/python/vyos/configdiff.py b/python/vyos/configdiff.py index 0caa204c3..1ec2dfafe 100644 --- a/python/vyos/configdiff.py +++ b/python/vyos/configdiff.py @@ -22,7 +22,7 @@ from vyos.configdict import list_diff from vyos.utils.dict import get_sub_dict from vyos.utils.dict import mangle_dict_keys from vyos.utils.dict import dict_search_args -from vyos.xml import defaults +from vyos.xml_ref import get_defaults class ConfigDiffError(Exception): """ @@ -240,7 +240,9 @@ class ConfigDiff(object): if self._key_mangling: ret[k] = self._mangle_dict_keys(ret[k]) if k in target_defaults and not no_defaults: - default_values = defaults(self._make_path(path)) + default_values = get_defaults(self._make_path(path), + get_first_key=True, + recursive=True) ret[k] = dict_merge(default_values, ret[k]) return ret @@ -264,7 +266,9 @@ class ConfigDiff(object): ret[k] = self._mangle_dict_keys(ret[k]) if k in target_defaults and not no_defaults: - default_values = defaults(self._make_path(path)) + default_values = get_defaults(self._make_path(path), + get_first_key=True, + recursive=True) ret[k] = dict_merge(default_values, ret[k]) return ret @@ -312,7 +316,9 @@ class ConfigDiff(object): if self._key_mangling: ret[k] = self._mangle_dict_keys(ret[k]) if k in target_defaults and not no_defaults: - default_values = defaults(self._make_path(path)) + default_values = get_defaults(self._make_path(path), + get_first_key=True, + recursive=True) ret[k] = dict_merge(default_values, ret[k]) return ret @@ -335,7 +341,9 @@ class ConfigDiff(object): ret[k] = self._mangle_dict_keys(ret[k]) if k in target_defaults and not no_defaults: - default_values = defaults(self._make_path(path)) + default_values = get_defaults(self._make_path(path), + get_first_key=True, + recursive=True) ret[k] = dict_merge(default_values, ret[k]) return ret diff --git a/python/vyos/configtree.py b/python/vyos/configtree.py index d0cd87464..09cfd43d3 100644 --- a/python/vyos/configtree.py +++ b/python/vyos/configtree.py @@ -383,14 +383,16 @@ def union(left, right, libpath=LIBPATH): return tree def reference_tree_to_json(from_dir, to_file, libpath=LIBPATH): - __lib = cdll.LoadLibrary(libpath) - __reference_tree_to_json = __lib.reference_tree_to_json - __reference_tree_to_json.argtypes = [c_char_p, c_char_p] - __get_error = __lib.get_error - __get_error.argtypes = [] - __get_error.restype = c_char_p - - res = __reference_tree_to_json(from_dir.encode(), to_file.encode()) + try: + __lib = cdll.LoadLibrary(libpath) + __reference_tree_to_json = __lib.reference_tree_to_json + __reference_tree_to_json.argtypes = [c_char_p, c_char_p] + __get_error = __lib.get_error + __get_error.argtypes = [] + __get_error.restype = c_char_p + res = __reference_tree_to_json(from_dir.encode(), to_file.encode()) + except Exception as e: + raise ConfigTreeError(e) if res == 1: msg = __get_error().decode() raise ConfigTreeError(msg) @@ -418,10 +420,6 @@ class DiffTree: self.__diff_tree.argtypes = [c_char_p, c_void_p, c_void_p] self.__diff_tree.restype = c_void_p - self.__trim_tree = self.__lib.trim_tree - self.__trim_tree.argtypes = [c_void_p, c_void_p] - self.__trim_tree.restype = c_void_p - check_path(path) path_str = " ".join(map(str, path)).encode() @@ -435,11 +433,7 @@ class DiffTree: self.add = self.full.get_subtree(['add']) self.sub = self.full.get_subtree(['sub']) self.inter = self.full.get_subtree(['inter']) - - # trim sub(-tract) tree to get delete tree for commands - ref = self.right.get_subtree(path, with_node=True) if path else self.right - res = self.__trim_tree(self.sub._get_config(), ref._get_config()) - self.delete = ConfigTree(address=res) + self.delete = self.full.get_subtree(['del']) def to_commands(self): add = self.add.to_commands() diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py index d4ffc249e..a5314790d 100644 --- a/python/vyos/defaults.py +++ b/python/vyos/defaults.py @@ -32,7 +32,9 @@ directories = { 'api_schema': f'{base_dir}/services/api/graphql/graphql/schema/', 'api_client_op': f'{base_dir}/services/api/graphql/graphql/client_op/', 'api_templates': f'{base_dir}/services/api/graphql/session/templates/', - 'vyos_udev_dir' : '/run/udev/vyos' + 'vyos_udev_dir' : '/run/udev/vyos', + 'isc_dhclient_dir' : '/run/dhclient', + 'dhcp6_client_dir' : '/run/dhcp6c', } config_status = '/tmp/vyos-config-status' diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 2793b201c..4aa509fe2 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -41,14 +41,19 @@ def fqdn_config_parse(firewall): firewall['ip6_fqdn'] = {} for domain, path in dict_search_recursive(firewall, 'fqdn'): - fw_name = path[1] # name/ipv6-name - rule = path[3] # rule id - suffix = path[4][0] # source/destination (1 char) - set_name = f'{fw_name}_{rule}_{suffix}' - - if path[0] == 'name': + hook_name = path[1] + priority = path[2] + + fw_name = path[2] + rule = path[4] + suffix = path[5][0] + set_name = f'{hook_name}_{priority}_{rule}_{suffix}' + + if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'): firewall['ip_fqdn'][set_name] = domain - elif path[0] == 'ipv6_name': + elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'): + if path[1] == 'name': + set_name = f'name6_{priority}_{rule}_{suffix}' firewall['ip6_fqdn'][set_name] = domain def fqdn_resolve(fqdn, ipv6=False): @@ -80,7 +85,7 @@ def nft_action(vyos_action): return 'return' return vyos_action -def parse_rule(rule_conf, fw_name, rule_id, ip_name): +def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): output = [] def_suffix = '6' if ip_name == 'ip6' else '' @@ -129,16 +134,34 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'fqdn' in side_conf: fqdn = side_conf['fqdn'] + hook_name = '' operator = '' if fqdn[0] == '!': operator = '!=' - output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{fw_name}_{rule_id}_{prefix}') + if hook == 'FWD': + hook_name = 'forward' + if hook == 'INP': + hook_name = 'input' + if hook == 'OUT': + hook_name = 'output' + if hook == 'NAM': + hook_name = f'name{def_suffix}' + output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{hook_name}_{fw_name}_{rule_id}_{prefix}') if dict_search_args(side_conf, 'geoip', 'country_code'): operator = '' + hook_name = '' if dict_search_args(side_conf, 'geoip', 'inverse_match') != None: operator = '!=' - output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC_{fw_name}_{rule_id}') + if hook == 'FWD': + hook_name = 'forward' + if hook == 'INP': + hook_name = 'input' + if hook == 'OUT': + hook_name = 'output' + if hook == 'NAM': + hook_name = f'name' + output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC{def_suffix}_{hook_name}_{fw_name}_{rule_id}') if 'mac_address' in side_conf: suffix = side_conf["mac_address"] @@ -304,7 +327,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'ipsec' in rule_conf: if 'match_ipsec' in rule_conf['ipsec']: output.append('meta ipsec == 1') - if 'match_non_ipsec' in rule_conf['ipsec']: + if 'match_none' in rule_conf['ipsec']: output.append('meta ipsec == 0') if 'fragment' in rule_conf: @@ -324,7 +347,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'recent' in rule_conf: count = rule_conf['recent']['count'] time = rule_conf['recent']['time'] - output.append(f'add @RECENT{def_suffix}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}') + output.append(f'add @RECENT{def_suffix}_{hook}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}') if 'time' in rule_conf: output.append(parse_time(rule_conf['time'])) @@ -348,7 +371,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): output.append(parse_policy_set(rule_conf['set'], def_suffix)) if 'action' in rule_conf: - output.append(nft_action(rule_conf['action'])) + # Change action=return to action=action + # #output.append(nft_action(rule_conf['action'])) + output.append(f'{rule_conf["action"]}') if 'jump' in rule_conf['action']: target = rule_conf['jump_target'] output.append(f'NAME{def_suffix}_{target}') @@ -365,7 +390,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): else: output.append('return') - output.append(f'comment "{fw_name}-{rule_id}"') + output.append(f'comment "{hook}-{fw_name}-{rule_id}"') return " ".join(output) def parse_tcp_flags(flags): @@ -493,11 +518,12 @@ def geoip_update(firewall, force=False): # Map country codes to set names for codes, path in dict_search_recursive(firewall, 'country_code'): - set_name = f'GEOIP_CC_{path[1]}_{path[3]}' - if path[0] == 'name': + set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' + if ( path[0] == 'ipv4'): for code in codes: ipv4_codes.setdefault(code, []).append(set_name) - elif path[0] == 'ipv6_name': + elif ( path[0] == 'ipv6' ): + set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}' for code in codes: ipv6_codes.setdefault(code, []).append(set_name) diff --git a/python/vyos/ifconfig/bond.py b/python/vyos/ifconfig/bond.py index e88f860be..d1d7d48c4 100644 --- a/python/vyos/ifconfig/bond.py +++ b/python/vyos/ifconfig/bond.py @@ -18,8 +18,8 @@ import os from vyos.ifconfig.interface import Interface from vyos.utils.process import cmd from vyos.utils.dict import dict_search -from vyos.validate import assert_list -from vyos.validate import assert_positive +from vyos.utils.assertion import assert_list +from vyos.utils.assertion import assert_positive @Interface.register class BondIf(Interface): diff --git a/python/vyos/ifconfig/bridge.py b/python/vyos/ifconfig/bridge.py index b103b49d8..b29e71394 100644 --- a/python/vyos/ifconfig/bridge.py +++ b/python/vyos/ifconfig/bridge.py @@ -17,8 +17,8 @@ from netifaces import interfaces import json from vyos.ifconfig.interface import Interface -from vyos.validate import assert_boolean -from vyos.validate import assert_positive +from vyos.utils.assertion import assert_boolean +from vyos.utils.assertion import assert_positive from vyos.utils.process import cmd from vyos.utils.dict import dict_search from vyos.configdict import get_vlan_ids diff --git a/python/vyos/ifconfig/ethernet.py b/python/vyos/ifconfig/ethernet.py index 4ff044c23..24ce3a803 100644 --- a/python/vyos/ifconfig/ethernet.py +++ b/python/vyos/ifconfig/ethernet.py @@ -23,7 +23,7 @@ from vyos.ifconfig.interface import Interface from vyos.utils.dict import dict_search from vyos.utils.file import read_file from vyos.utils.process import run -from vyos.validate import assert_list +from vyos.utils.assertion import assert_list @Interface.register class EthernetIf(Interface): diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index 120f2131b..cc6149428 100644 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -31,6 +31,7 @@ from vyos import ConfigError from vyos.configdict import list_diff from vyos.configdict import dict_merge from vyos.configdict import get_vlan_ids +from vyos.defaults import directories from vyos.template import render from vyos.utils.network import mac2eui64 from vyos.utils.dict import dict_search @@ -40,14 +41,14 @@ from vyos.utils.network import get_interface_namespace from vyos.utils.process import is_systemd_service_active from vyos.template import is_ipv4 from vyos.template import is_ipv6 -from vyos.validate import is_intf_addr_assigned -from vyos.validate import is_ipv6_link_local -from vyos.validate import assert_boolean -from vyos.validate import assert_list -from vyos.validate import assert_mac -from vyos.validate import assert_mtu -from vyos.validate import assert_positive -from vyos.validate import assert_range +from vyos.utils.network import is_intf_addr_assigned +from vyos.utils.network import is_ipv6_link_local +from vyos.utils.assertion import assert_boolean +from vyos.utils.assertion import assert_list +from vyos.utils.assertion import assert_mac +from vyos.utils.assertion import assert_mtu +from vyos.utils.assertion import assert_positive +from vyos.utils.assertion import assert_range from vyos.ifconfig.control import Control from vyos.ifconfig.vrrp import VRRP @@ -190,6 +191,10 @@ class Interface(Control): 'validate': lambda fwd: assert_range(fwd,0,2), 'location': '/proc/sys/net/ipv6/conf/{ifname}/forwarding', }, + 'ipv6_accept_dad': { + 'validate': lambda dad: assert_range(dad,0,3), + 'location': '/proc/sys/net/ipv6/conf/{ifname}/accept_dad', + }, 'ipv6_dad_transmits': { 'validate': assert_positive, 'location': '/proc/sys/net/ipv6/conf/{ifname}/dad_transmits', @@ -255,6 +260,9 @@ class Interface(Control): 'ipv6_forwarding': { 'location': '/proc/sys/net/ipv6/conf/{ifname}/forwarding', }, + 'ipv6_accept_dad': { + 'location': '/proc/sys/net/ipv6/conf/{ifname}/accept_dad', + }, 'ipv6_dad_transmits': { 'location': '/proc/sys/net/ipv6/conf/{ifname}/dad_transmits', }, @@ -845,6 +853,13 @@ class Interface(Control): return None return self.set_interface('ipv6_forwarding', forwarding) + def set_ipv6_dad_accept(self, dad): + """Whether to accept DAD (Duplicate Address Detection)""" + tmp = self.get_interface('ipv6_accept_dad') + if tmp == dad: + return None + return self.set_interface('ipv6_accept_dad', dad) + def set_ipv6_dad_messages(self, dad): """ The amount of Duplicate Address Detection probes to send. @@ -1240,44 +1255,49 @@ class Interface(Control): raise ValueError() ifname = self.ifname - config_base = r'/var/lib/dhcp/dhclient' - config_file = f'{config_base}_{ifname}.conf' - options_file = f'{config_base}_{ifname}.options' - pid_file = f'{config_base}_{ifname}.pid' - lease_file = f'{config_base}_{ifname}.leases' + config_base = directories['isc_dhclient_dir'] + '/dhclient' + dhclient_config_file = f'{config_base}_{ifname}.conf' + dhclient_lease_file = f'{config_base}_{ifname}.leases' + systemd_override_file = f'/run/systemd/system/dhclient@{ifname}.service.d/10-override.conf' systemd_service = f'dhclient@{ifname}.service' + # Rendered client configuration files require the apsolute config path + self.config['isc_dhclient_dir'] = directories['isc_dhclient_dir'] + # 'up' check is mandatory b/c even if the interface is A/D, as soon as # the DHCP client is started the interface will be placed in u/u state. # This is not what we intended to do when disabling an interface. - if enable and 'disable' not in self._config: - if dict_search('dhcp_options.host_name', self._config) == None: + if enable and 'disable' not in self.config: + if dict_search('dhcp_options.host_name', self.config) == None: # read configured system hostname. # maybe change to vyos hostd client ??? hostname = 'vyos' with open('/etc/hostname', 'r') as f: hostname = f.read().rstrip('\n') tmp = {'dhcp_options' : { 'host_name' : hostname}} - self._config = dict_merge(tmp, self._config) + self.config = dict_merge(tmp, self.config) - render(options_file, 'dhcp-client/daemon-options.j2', self._config) - render(config_file, 'dhcp-client/ipv4.j2', self._config) + render(systemd_override_file, 'dhcp-client/override.conf.j2', self.config) + render(dhclient_config_file, 'dhcp-client/ipv4.j2', self.config) + + # Reload systemd unit definitons as some options are dynamically generated + self._cmd('systemctl daemon-reload') # When the DHCP client is restarted a brief outage will occur, as # the old lease is released a new one is acquired (T4203). We will # only restart DHCP client if it's option changed, or if it's not # running, but it should be running (e.g. on system startup) - if 'dhcp_options_changed' in self._config or not is_systemd_service_active(systemd_service): + if 'dhcp_options_changed' in self.config or not is_systemd_service_active(systemd_service): return self._cmd(f'systemctl restart {systemd_service}') - return None else: if is_systemd_service_active(systemd_service): self._cmd(f'systemctl stop {systemd_service}') # cleanup old config files - for file in [config_file, options_file, pid_file, lease_file]: + for file in [dhclient_config_file, systemd_override_file, dhclient_lease_file]: if os.path.isfile(file): os.remove(file) + return None def set_dhcpv6(self, enable): """ @@ -1287,11 +1307,20 @@ class Interface(Control): raise ValueError() ifname = self.ifname - config_file = f'/run/dhcp6c/dhcp6c.{ifname}.conf' + config_base = directories['dhcp6_client_dir'] + config_file = f'{config_base}/dhcp6c.{ifname}.conf' + systemd_override_file = f'/run/systemd/system/dhcp6c@{ifname}.service.d/10-override.conf' systemd_service = f'dhcp6c@{ifname}.service' - if enable and 'disable' not in self._config: - render(config_file, 'dhcp-client/ipv6.j2', self._config) + # Rendered client configuration files require the apsolute config path + self.config['dhcp6_client_dir'] = directories['dhcp6_client_dir'] + + if enable and 'disable' not in self.config: + render(systemd_override_file, 'dhcp-client/ipv6.override.conf.j2', self.config) + render(config_file, 'dhcp-client/ipv6.j2', self.config) + + # Reload systemd unit definitons as some options are dynamically generated + self._cmd('systemctl daemon-reload') # We must ignore any return codes. This is required to enable # DHCPv6-PD for interfaces which are yet not up and running. @@ -1302,26 +1331,28 @@ class Interface(Control): if os.path.isfile(config_file): os.remove(config_file) + return None + def set_mirror_redirect(self): # Please refer to the document for details # - https://man7.org/linux/man-pages/man8/tc.8.html # - https://man7.org/linux/man-pages/man8/tc-mirred.8.html # Depening if we are the source or the target interface of the port # mirror we need to setup some variables. - source_if = self._config['ifname'] + source_if = self.config['ifname'] mirror_config = None - if 'mirror' in self._config: - mirror_config = self._config['mirror'] - if 'is_mirror_intf' in self._config: - source_if = next(iter(self._config['is_mirror_intf'])) - mirror_config = self._config['is_mirror_intf'][source_if].get('mirror', None) + if 'mirror' in self.config: + mirror_config = self.config['mirror'] + if 'is_mirror_intf' in self.config: + source_if = next(iter(self.config['is_mirror_intf'])) + mirror_config = self.config['is_mirror_intf'][source_if].get('mirror', None) redirect_config = None # clear existing ingess - ignore errors (e.g. "Error: Cannot find specified # qdisc on specified device") - we simply cleanup all stuff here - if not 'traffic_policy' in self._config: + if not 'traffic_policy' in self.config: self._popen(f'tc qdisc del dev {source_if} parent ffff: 2>/dev/null'); self._popen(f'tc qdisc del dev {source_if} parent 1: 2>/dev/null'); @@ -1345,11 +1376,11 @@ class Interface(Control): if err: print('tc qdisc(filter for mirror port failed') # Apply interface traffic redirection policy - elif 'redirect' in self._config: + elif 'redirect' in self.config: _, err = self._popen(f'tc qdisc add dev {source_if} handle ffff: ingress') if err: print(f'tc qdisc add for redirect failed!') - target_if = self._config['redirect'] + target_if = self.config['redirect'] _, err = self._popen(f'tc filter add dev {source_if} parent ffff: protocol '\ f'all prio 10 u32 match u32 0 0 flowid 1:1 action mirred '\ f'egress redirect dev {target_if}') @@ -1368,7 +1399,7 @@ class Interface(Control): # Cache the configuration - it will be reused inside e.g. DHCP handler # XXX: maybe pass the option via __init__ in the future and rename this # method to apply()? - self._config = config + self.config = config # Change interface MAC address - re-set to real hardware address (hw-id) # if custom mac is removed. Skip if bond member. @@ -1534,10 +1565,17 @@ class Interface(Control): value = '1' if (tmp != None) else '0' self.set_ipv6_autoconf(value) - # IPv6 Duplicate Address Detection (DAD) tries + # Whether to accept IPv6 DAD (Duplicate Address Detection) packets + tmp = dict_search('ipv6.accept_dad', config) + # Not all interface types got this CLI option, but if they do, there + # is an XML defaultValue available + if (tmp != None): self.set_ipv6_dad_accept(tmp) + + # IPv6 DAD tries tmp = dict_search('ipv6.dup_addr_detect_transmits', config) - value = tmp if (tmp != None) else '1' - self.set_ipv6_dad_messages(value) + # Not all interface types got this CLI option, but if they do, there + # is an XML defaultValue available + if (tmp != None): self.set_ipv6_dad_messages(tmp) # Delete old IPv6 EUI64 addresses before changing MAC for addr in (dict_search('ipv6.address.eui64_old', config) or []): diff --git a/python/vyos/ifconfig/pppoe.py b/python/vyos/ifconfig/pppoe.py index fd4590beb..febf1452d 100644 --- a/python/vyos/ifconfig/pppoe.py +++ b/python/vyos/ifconfig/pppoe.py @@ -14,7 +14,7 @@ # License along with this library. If not, see <http://www.gnu.org/licenses/>. from vyos.ifconfig.interface import Interface -from vyos.validate import assert_range +from vyos.utils.assertion import assert_range from vyos.utils.network import get_interface_config @Interface.register diff --git a/python/vyos/ifconfig/tunnel.py b/python/vyos/ifconfig/tunnel.py index fb2f38e2b..9ba7b31a6 100644 --- a/python/vyos/ifconfig/tunnel.py +++ b/python/vyos/ifconfig/tunnel.py @@ -18,7 +18,7 @@ from vyos.ifconfig.interface import Interface from vyos.utils.dict import dict_search -from vyos.validate import assert_list +from vyos.utils.assertion import assert_list def enable_to_on(value): if value == 'enable': diff --git a/python/vyos/ipsec.py b/python/vyos/ipsec.py index bb5611025..4603aab22 100644 --- a/python/vyos/ipsec.py +++ b/python/vyos/ipsec.py @@ -33,9 +33,11 @@ def get_vici_sas(): session = vici_session() except Exception: raise ViciInitiateError("IPsec not initialized") - sas = list(session.list_sas()) - return sas - + try: + sas = list(session.list_sas()) + return sas + except Exception: + raise ViciCommandError(f'Failed to get SAs') def get_vici_connections(): from vici import Session as vici_session @@ -44,9 +46,11 @@ def get_vici_connections(): session = vici_session() except Exception: raise ViciInitiateError("IPsec not initialized") - connections = list(session.list_conns()) - return connections - + try: + connections = list(session.list_conns()) + return connections + except Exception: + raise ViciCommandError(f'Failed to get connections') def get_vici_sas_by_name(ike_name: str, tunnel: str) -> list: """ diff --git a/python/vyos/nat.py b/python/vyos/nat.py index 603fedb9b..b6702f7e2 100644 --- a/python/vyos/nat.py +++ b/python/vyos/nat.py @@ -94,6 +94,39 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False): if options: translation_str += f' {",".join(options)}' + if not ipv6 and 'backend' in rule_conf['load_balance']: + hash_input_items = [] + current_prob = 0 + nat_map = [] + + for trans_addr, addr in rule_conf['load_balance']['backend'].items(): + item_prob = int(addr['weight']) + upper_limit = current_prob + item_prob - 1 + hash_val = str(current_prob) + '-' + str(upper_limit) + element = hash_val + " : " + trans_addr + nat_map.append(element) + current_prob = current_prob + item_prob + + elements = ' , '.join(nat_map) + + if 'hash' in rule_conf['load_balance'] and 'random' in rule_conf['load_balance']['hash']: + translation_str += ' numgen random mod 100 map ' + '{ ' + f'{elements}' + ' }' + else: + for input_param in rule_conf['load_balance']['hash']: + if input_param == 'source-address': + param = 'ip saddr' + elif input_param == 'destination-address': + param = 'ip daddr' + elif input_param == 'source-port': + prot = rule_conf['protocol'] + param = f'{prot} sport' + elif input_param == 'destination-port': + prot = rule_conf['protocol'] + param = f'{prot} dport' + hash_input_items.append(param) + hash_input = ' . '.join(hash_input_items) + translation_str += f' jhash ' + f'{hash_input}' + ' mod 100 map ' + '{ ' + f'{elements}' + ' }' + for target in ['source', 'destination']: if target not in rule_conf: continue diff --git a/python/vyos/pki.py b/python/vyos/pki.py index cd15e3878..792e24b76 100644 --- a/python/vyos/pki.py +++ b/python/vyos/pki.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -63,6 +63,18 @@ private_format_map = { 'OpenSSH': serialization.PrivateFormat.OpenSSH } +hash_map = { + 'sha256': hashes.SHA256, + 'sha384': hashes.SHA384, + 'sha512': hashes.SHA512, +} + +def get_certificate_fingerprint(cert, hash): + hash_algorithm = hash_map[hash]() + fp = cert.fingerprint(hash_algorithm) + + return fp.hex(':').upper() + def encode_certificate(cert): return cert.public_bytes(encoding=serialization.Encoding.PEM).decode('utf-8') diff --git a/python/vyos/qos/base.py b/python/vyos/qos/base.py index 6c5a3d79c..d8bbfe970 100644 --- a/python/vyos/qos/base.py +++ b/python/vyos/qos/base.py @@ -107,7 +107,8 @@ class QoSBase: queue_limit = dict_search('queue_limit', config) for ii in range(1, 4): - tmp = f'tc qdisc replace dev {self._interface} parent {handle:x}:{ii:x} pfifo limit {queue_limit}' + tmp = f'tc qdisc replace dev {self._interface} parent {handle:x}:{ii:x} pfifo' + if queue_limit: tmp += f' limit {queue_limit}' self._cmd(tmp) elif queue_type == 'fair-queue': @@ -297,6 +298,27 @@ class QoSBase: filter_cmd += f' flowid {self._parent:x}:{cls:x}' self._cmd(filter_cmd) + if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in cls_config): + filter_cmd += f' action police' + + if 'exceed' in cls_config: + action = cls_config['exceed'] + filter_cmd += f' conform-exceed {action}' + if 'not_exceed' in cls_config: + action = cls_config['not_exceed'] + filter_cmd += f'/{action}' + + if 'bandwidth' in cls_config: + rate = self._rate_convert(cls_config['bandwidth']) + filter_cmd += f' rate {rate}' + + if 'burst' in cls_config: + burst = cls_config['burst'] + filter_cmd += f' burst {burst}' + cls = int(cls) + filter_cmd += f' flowid {self._parent:x}:{cls:x}' + self._cmd(filter_cmd) + else: filter_cmd += ' basic' diff --git a/python/vyos/template.py b/python/vyos/template.py index 7d1c3970f..e167488c6 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -420,7 +420,7 @@ def get_dhcp_router(interface): Returns False of no router is found, returns the IP address as string if a router is found. """ - lease_file = f'/var/lib/dhcp/dhclient_{interface}.leases' + lease_file = directories['isc_dhclient_dir'] + f'/dhclient_{interface}.leases' if not os.path.exists(lease_file): return None @@ -574,9 +574,9 @@ def nft_action(vyos_action): return vyos_action @register_filter('nft_rule') -def nft_rule(rule_conf, fw_name, rule_id, ip_name='ip'): +def nft_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name='ip'): from vyos.firewall import parse_rule - return parse_rule(rule_conf, fw_name, rule_id, ip_name) + return parse_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name) @register_filter('nft_default_rule') def nft_default_rule(fw_conf, fw_name, ipv6=False): @@ -587,7 +587,8 @@ def nft_default_rule(fw_conf, fw_name, ipv6=False): action_suffix = default_action[:1].upper() output.append(f'log prefix "[{fw_name[:19]}-default-{action_suffix}]"') - output.append(nft_action(default_action)) + #output.append(nft_action(default_action)) + output.append(f'{default_action}') if 'default_jump_target' in fw_conf: target = fw_conf['default_jump_target'] def_suffix = '6' if ipv6 else '' diff --git a/python/vyos/utils/__init__.py b/python/vyos/utils/__init__.py index f2783113a..12ef2d3b8 100644 --- a/python/vyos/utils/__init__.py +++ b/python/vyos/utils/__init__.py @@ -13,6 +13,7 @@ # You should have received a copy of the GNU Lesser General Public # License along with this library. If not, see <http://www.gnu.org/licenses/>. +from vyos.utils import assertion from vyos.utils import auth from vyos.utils import boot from vyos.utils import commit diff --git a/python/vyos/utils/assertion.py b/python/vyos/utils/assertion.py new file mode 100644 index 000000000..1aaa54dff --- /dev/null +++ b/python/vyos/utils/assertion.py @@ -0,0 +1,81 @@ +# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +def assert_boolean(b): + if int(b) not in (0, 1): + raise ValueError(f'Value {b} out of range') + +def assert_range(value, lower=0, count=3): + if int(value, 16) not in range(lower, lower+count): + raise ValueError("Value out of range") + +def assert_list(s, l): + if s not in l: + o = ' or '.join([f'"{n}"' for n in l]) + raise ValueError(f'state must be {o}, got {s}') + +def assert_number(n): + if not str(n).isnumeric(): + raise ValueError(f'{n} must be a number') + +def assert_positive(n, smaller=0): + assert_number(n) + if int(n) < smaller: + raise ValueError(f'{n} is smaller than {smaller}') + +def assert_mtu(mtu, ifname): + assert_number(mtu) + + import json + from vyos.utils.process import cmd + out = cmd(f'ip -j -d link show dev {ifname}') + # [{"ifindex":2,"ifname":"eth0","flags":["BROADCAST","MULTICAST","UP","LOWER_UP"],"mtu":1500,"qdisc":"pfifo_fast","operstate":"UP","linkmode":"DEFAULT","group":"default","txqlen":1000,"link_type":"ether","address":"08:00:27:d9:5b:04","broadcast":"ff:ff:ff:ff:ff:ff","promiscuity":0,"min_mtu":46,"max_mtu":16110,"inet6_addr_gen_mode":"none","num_tx_queues":1,"num_rx_queues":1,"gso_max_size":65536,"gso_max_segs":65535}] + parsed = json.loads(out)[0] + min_mtu = int(parsed.get('min_mtu', '0')) + # cur_mtu = parsed.get('mtu',0), + max_mtu = int(parsed.get('max_mtu', '0')) + cur_mtu = int(mtu) + + if (min_mtu and cur_mtu < min_mtu) or cur_mtu < 68: + raise ValueError(f'MTU is too small for interface "{ifname}": {mtu} < {min_mtu}') + if (max_mtu and cur_mtu > max_mtu) or cur_mtu > 65536: + raise ValueError(f'MTU is too small for interface "{ifname}": {mtu} > {max_mtu}') + +def assert_mac(m): + split = m.split(':') + size = len(split) + + # a mac address consits out of 6 octets + if size != 6: + raise ValueError(f'wrong number of MAC octets ({size}): {m}') + + octets = [] + try: + for octet in split: + octets.append(int(octet, 16)) + except ValueError: + raise ValueError(f'invalid hex number "{octet}" in : {m}') + + # validate against the first mac address byte if it's a multicast + # address + if octets[0] & 1: + raise ValueError(f'{m} is a multicast MAC address') + + # overall mac address is not allowed to be 00:00:00:00:00:00 + if sum(octets) == 0: + raise ValueError('00:00:00:00:00:00 is not a valid MAC address') + + if octets[:5] == (0, 0, 94, 0, 1): + raise ValueError(f'{m} is a VRRP MAC address') diff --git a/python/vyos/utils/network.py b/python/vyos/utils/network.py index 3786caf26..3f9a3ef4b 100644 --- a/python/vyos/utils/network.py +++ b/python/vyos/utils/network.py @@ -13,7 +13,15 @@ # You should have received a copy of the GNU Lesser General Public # License along with this library. If not, see <http://www.gnu.org/licenses/>. -import os +def _are_same_ip(one, two): + from socket import AF_INET + from socket import AF_INET6 + from socket import inet_pton + from vyos.template import is_ipv4 + # compare the binary representation of the IP + f_one = AF_INET if is_ipv4(one) else AF_INET6 + s_two = AF_INET if is_ipv4(two) else AF_INET6 + return inet_pton(f_one, one) == inet_pton(f_one, two) def get_protocol_by_name(protocol_name): """Get protocol number by protocol name @@ -48,6 +56,7 @@ def get_interface_config(interface): """ Returns the used encapsulation protocol for given interface. If interface does not exist, None is returned. """ + import os if not os.path.exists(f'/sys/class/net/{interface}'): return None from json import loads @@ -59,6 +68,7 @@ def get_interface_address(interface): """ Returns the used encapsulation protocol for given interface. If interface does not exist, None is returned. """ + import os if not os.path.exists(f'/sys/class/net/{interface}'): return None from json import loads @@ -85,7 +95,6 @@ def get_interface_namespace(iface): if iface == tmp["ifname"]: return netns - def is_wwan_connected(interface): """ Determine if a given WWAN interface, e.g. wwan0 is connected to the carrier network or not """ @@ -110,6 +119,7 @@ def is_wwan_connected(interface): def get_bridge_fdb(interface): """ Returns the forwarding database entries for a given interface """ + import os if not os.path.exists(f'/sys/class/net/{interface}'): return None from json import loads @@ -211,3 +221,175 @@ def is_listen_port_bind_service(port: int, service: str) -> bool: if service == pid_name and port == pid_port: return True return False + +def is_ipv6_link_local(addr): + """ Check if addrsss is an IPv6 link-local address. Returns True/False """ + from ipaddress import ip_interface + from vyos.template import is_ipv6 + addr = addr.split('%')[0] + if is_ipv6(addr): + if ip_interface(addr).is_link_local: + return True + + return False + +def is_addr_assigned(ip_address, vrf=None) -> bool: + """ Verify if the given IPv4/IPv6 address is assigned to any interface """ + from netifaces import interfaces + from vyos.utils.network import get_interface_config + from vyos.utils.dict import dict_search + + for interface in interfaces(): + # Check if interface belongs to the requested VRF, if this is not the + # case there is no need to proceed with this data set - continue loop + # with next element + tmp = get_interface_config(interface) + if dict_search('master', tmp) != vrf: + continue + + if is_intf_addr_assigned(interface, ip_address): + return True + + return False + +def is_intf_addr_assigned(intf, address) -> bool: + """ + Verify if the given IPv4/IPv6 address is assigned to specific interface. + It can check both a single IP address (e.g. 192.0.2.1 or a assigned CIDR + address 192.0.2.1/24. + """ + from vyos.template import is_ipv4 + + from netifaces import ifaddresses + from netifaces import AF_INET + from netifaces import AF_INET6 + + # check if the requested address type is configured at all + # { + # 17: [{'addr': '08:00:27:d9:5b:04', 'broadcast': 'ff:ff:ff:ff:ff:ff'}], + # 2: [{'addr': '10.0.2.15', 'netmask': '255.255.255.0', 'broadcast': '10.0.2.255'}], + # 10: [{'addr': 'fe80::a00:27ff:fed9:5b04%eth0', 'netmask': 'ffff:ffff:ffff:ffff::'}] + # } + try: + addresses = ifaddresses(intf) + except ValueError as e: + print(e) + return False + + # determine IP version (AF_INET or AF_INET6) depending on passed address + addr_type = AF_INET if is_ipv4(address) else AF_INET6 + + # Check every IP address on this interface for a match + netmask = None + if '/' in address: + address, netmask = address.split('/') + for ip in addresses.get(addr_type, []): + # ip can have the interface name in the 'addr' field, we need to remove it + # {'addr': 'fe80::a00:27ff:fec5:f821%eth2', 'netmask': 'ffff:ffff:ffff:ffff::'} + ip_addr = ip['addr'].split('%')[0] + + if not _are_same_ip(address, ip_addr): + continue + + # we do not have a netmask to compare against, they are the same + if not netmask: + return True + + prefixlen = '' + if is_ipv4(ip_addr): + prefixlen = sum([bin(int(_)).count('1') for _ in ip['netmask'].split('.')]) + else: + prefixlen = sum([bin(int(_,16)).count('1') for _ in ip['netmask'].split('/')[0].split(':') if _]) + + if str(prefixlen) == netmask: + return True + + return False + +def is_loopback_addr(addr): + """ Check if supplied IPv4/IPv6 address is a loopback address """ + from ipaddress import ip_address + return ip_address(addr).is_loopback + +def is_wireguard_key_pair(private_key: str, public_key:str) -> bool: + """ + Checks if public/private keys are keypair + :param private_key: Wireguard private key + :type private_key: str + :param public_key: Wireguard public key + :type public_key: str + :return: If public/private keys are keypair returns True else False + :rtype: bool + """ + from vyos.utils.process import cmd + gen_public_key = cmd('wg pubkey', input=private_key) + if gen_public_key == public_key: + return True + else: + return False + +def is_subnet_connected(subnet, primary=False): + """ + Verify is the given IPv4/IPv6 subnet is connected to any interface on this + system. + + primary check if the subnet is reachable via the primary IP address of this + interface, or in other words has a broadcast address configured. ISC DHCP + for instance will complain if it should listen on non broadcast interfaces. + + Return True/False + """ + from ipaddress import ip_address + from ipaddress import ip_network + + from netifaces import ifaddresses + from netifaces import interfaces + from netifaces import AF_INET + from netifaces import AF_INET6 + + from vyos.template import is_ipv6 + + # determine IP version (AF_INET or AF_INET6) depending on passed address + addr_type = AF_INET + if is_ipv6(subnet): + addr_type = AF_INET6 + + for interface in interfaces(): + # check if the requested address type is configured at all + if addr_type not in ifaddresses(interface).keys(): + continue + + # An interface can have multiple addresses, but some software components + # only support the primary address :( + if primary: + ip = ifaddresses(interface)[addr_type][0]['addr'] + if ip_address(ip) in ip_network(subnet): + return True + else: + # Check every assigned IP address if it is connected to the subnet + # in question + for ip in ifaddresses(interface)[addr_type]: + # remove interface extension (e.g. %eth0) that gets thrown on the end of _some_ addrs + addr = ip['addr'].split('%')[0] + if ip_address(addr) in ip_network(subnet): + return True + + return False + +def is_afi_configured(interface, afi): + """ Check if given address family is configured, or in other words - an IP + address is assigned to the interface. """ + from netifaces import ifaddresses + from netifaces import AF_INET + from netifaces import AF_INET6 + + if afi not in [AF_INET, AF_INET6]: + raise ValueError('Address family must be in [AF_INET, AF_INET6]') + + try: + addresses = ifaddresses(interface) + except ValueError as e: + print(e) + return False + + return afi in addresses diff --git a/python/vyos/validate.py b/python/vyos/validate.py deleted file mode 100644 index 567f4c972..000000000 --- a/python/vyos/validate.py +++ /dev/null @@ -1,304 +0,0 @@ -# Copyright 2018-2021 VyOS maintainers and contributors <maintainers@vyos.io> -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see <http://www.gnu.org/licenses/>. - -# Important note when you are adding new validation functions: -# -# The Control class will analyse the signature of the function in this file -# and will build the parameters to be passed to it. -# -# The parameter names "ifname" and "self" will get the Interface name and class -# parameters with default will be left unset -# all other paramters will receive the value to check - -def is_ipv6_link_local(addr): - """ Check if addrsss is an IPv6 link-local address. Returns True/False """ - from ipaddress import ip_interface - from vyos.template import is_ipv6 - addr = addr.split('%')[0] - if is_ipv6(addr): - if ip_interface(addr).is_link_local: - return True - - return False - -def _are_same_ip(one, two): - from socket import AF_INET - from socket import AF_INET6 - from socket import inet_pton - from vyos.template import is_ipv4 - # compare the binary representation of the IP - f_one = AF_INET if is_ipv4(one) else AF_INET6 - s_two = AF_INET if is_ipv4(two) else AF_INET6 - return inet_pton(f_one, one) == inet_pton(f_one, two) - -def is_intf_addr_assigned(intf, address) -> bool: - """ - Verify if the given IPv4/IPv6 address is assigned to specific interface. - It can check both a single IP address (e.g. 192.0.2.1 or a assigned CIDR - address 192.0.2.1/24. - """ - from vyos.template import is_ipv4 - - from netifaces import ifaddresses - from netifaces import AF_INET - from netifaces import AF_INET6 - - # check if the requested address type is configured at all - # { - # 17: [{'addr': '08:00:27:d9:5b:04', 'broadcast': 'ff:ff:ff:ff:ff:ff'}], - # 2: [{'addr': '10.0.2.15', 'netmask': '255.255.255.0', 'broadcast': '10.0.2.255'}], - # 10: [{'addr': 'fe80::a00:27ff:fed9:5b04%eth0', 'netmask': 'ffff:ffff:ffff:ffff::'}] - # } - try: - addresses = ifaddresses(intf) - except ValueError as e: - print(e) - return False - - # determine IP version (AF_INET or AF_INET6) depending on passed address - addr_type = AF_INET if is_ipv4(address) else AF_INET6 - - # Check every IP address on this interface for a match - netmask = None - if '/' in address: - address, netmask = address.split('/') - for ip in addresses.get(addr_type, []): - # ip can have the interface name in the 'addr' field, we need to remove it - # {'addr': 'fe80::a00:27ff:fec5:f821%eth2', 'netmask': 'ffff:ffff:ffff:ffff::'} - ip_addr = ip['addr'].split('%')[0] - - if not _are_same_ip(address, ip_addr): - continue - - # we do not have a netmask to compare against, they are the same - if not netmask: - return True - - prefixlen = '' - if is_ipv4(ip_addr): - prefixlen = sum([bin(int(_)).count('1') for _ in ip['netmask'].split('.')]) - else: - prefixlen = sum([bin(int(_,16)).count('1') for _ in ip['netmask'].split('/')[0].split(':') if _]) - - if str(prefixlen) == netmask: - return True - - return False - -def is_addr_assigned(ip_address, vrf=None) -> bool: - """ Verify if the given IPv4/IPv6 address is assigned to any interface """ - from netifaces import interfaces - from vyos.utils.network import get_interface_config - from vyos.utils.dict import dict_search - - for interface in interfaces(): - # Check if interface belongs to the requested VRF, if this is not the - # case there is no need to proceed with this data set - continue loop - # with next element - tmp = get_interface_config(interface) - if dict_search('master', tmp) != vrf: - continue - - if is_intf_addr_assigned(interface, ip_address): - return True - - return False - -def is_afi_configured(interface, afi): - """ Check if given address family is configured, or in other words - an IP - address is assigned to the interface. """ - from netifaces import ifaddresses - from netifaces import AF_INET - from netifaces import AF_INET6 - - if afi not in [AF_INET, AF_INET6]: - raise ValueError('Address family must be in [AF_INET, AF_INET6]') - - try: - addresses = ifaddresses(interface) - except ValueError as e: - print(e) - return False - - return afi in addresses - -def is_loopback_addr(addr): - """ Check if supplied IPv4/IPv6 address is a loopback address """ - from ipaddress import ip_address - return ip_address(addr).is_loopback - -def is_subnet_connected(subnet, primary=False): - """ - Verify is the given IPv4/IPv6 subnet is connected to any interface on this - system. - - primary check if the subnet is reachable via the primary IP address of this - interface, or in other words has a broadcast address configured. ISC DHCP - for instance will complain if it should listen on non broadcast interfaces. - - Return True/False - """ - from ipaddress import ip_address - from ipaddress import ip_network - - from netifaces import ifaddresses - from netifaces import interfaces - from netifaces import AF_INET - from netifaces import AF_INET6 - - from vyos.template import is_ipv6 - - # determine IP version (AF_INET or AF_INET6) depending on passed address - addr_type = AF_INET - if is_ipv6(subnet): - addr_type = AF_INET6 - - for interface in interfaces(): - # check if the requested address type is configured at all - if addr_type not in ifaddresses(interface).keys(): - continue - - # An interface can have multiple addresses, but some software components - # only support the primary address :( - if primary: - ip = ifaddresses(interface)[addr_type][0]['addr'] - if ip_address(ip) in ip_network(subnet): - return True - else: - # Check every assigned IP address if it is connected to the subnet - # in question - for ip in ifaddresses(interface)[addr_type]: - # remove interface extension (e.g. %eth0) that gets thrown on the end of _some_ addrs - addr = ip['addr'].split('%')[0] - if ip_address(addr) in ip_network(subnet): - return True - - return False - - -def assert_boolean(b): - if int(b) not in (0, 1): - raise ValueError(f'Value {b} out of range') - - -def assert_range(value, lower=0, count=3): - if int(value, 16) not in range(lower, lower+count): - raise ValueError("Value out of range") - - -def assert_list(s, l): - if s not in l: - o = ' or '.join([f'"{n}"' for n in l]) - raise ValueError(f'state must be {o}, got {s}') - - -def assert_number(n): - if not str(n).isnumeric(): - raise ValueError(f'{n} must be a number') - - -def assert_positive(n, smaller=0): - assert_number(n) - if int(n) < smaller: - raise ValueError(f'{n} is smaller than {smaller}') - - -def assert_mtu(mtu, ifname): - assert_number(mtu) - - import json - from vyos.utils.process import cmd - out = cmd(f'ip -j -d link show dev {ifname}') - # [{"ifindex":2,"ifname":"eth0","flags":["BROADCAST","MULTICAST","UP","LOWER_UP"],"mtu":1500,"qdisc":"pfifo_fast","operstate":"UP","linkmode":"DEFAULT","group":"default","txqlen":1000,"link_type":"ether","address":"08:00:27:d9:5b:04","broadcast":"ff:ff:ff:ff:ff:ff","promiscuity":0,"min_mtu":46,"max_mtu":16110,"inet6_addr_gen_mode":"none","num_tx_queues":1,"num_rx_queues":1,"gso_max_size":65536,"gso_max_segs":65535}] - parsed = json.loads(out)[0] - min_mtu = int(parsed.get('min_mtu', '0')) - # cur_mtu = parsed.get('mtu',0), - max_mtu = int(parsed.get('max_mtu', '0')) - cur_mtu = int(mtu) - - if (min_mtu and cur_mtu < min_mtu) or cur_mtu < 68: - raise ValueError(f'MTU is too small for interface "{ifname}": {mtu} < {min_mtu}') - if (max_mtu and cur_mtu > max_mtu) or cur_mtu > 65536: - raise ValueError(f'MTU is too small for interface "{ifname}": {mtu} > {max_mtu}') - - -def assert_mac(m): - split = m.split(':') - size = len(split) - - # a mac address consits out of 6 octets - if size != 6: - raise ValueError(f'wrong number of MAC octets ({size}): {m}') - - octets = [] - try: - for octet in split: - octets.append(int(octet, 16)) - except ValueError: - raise ValueError(f'invalid hex number "{octet}" in : {m}') - - # validate against the first mac address byte if it's a multicast - # address - if octets[0] & 1: - raise ValueError(f'{m} is a multicast MAC address') - - # overall mac address is not allowed to be 00:00:00:00:00:00 - if sum(octets) == 0: - raise ValueError('00:00:00:00:00:00 is not a valid MAC address') - - if octets[:5] == (0, 0, 94, 0, 1): - raise ValueError(f'{m} is a VRRP MAC address') - -def has_address_configured(conf, intf): - """ - Checks if interface has an address configured. - Checks the following config nodes: - 'address', 'ipv6 address eui64', 'ipv6 address autoconf' - - Returns True if interface has address configured, False if it doesn't. - """ - from vyos.ifconfig import Section - ret = False - - old_level = conf.get_level() - conf.set_level([]) - - intfpath = 'interfaces ' + Section.get_config_path(intf) - if ( conf.exists(f'{intfpath} address') or - conf.exists(f'{intfpath} ipv6 address autoconf') or - conf.exists(f'{intfpath} ipv6 address eui64') ): - ret = True - - conf.set_level(old_level) - return ret - -def has_vrf_configured(conf, intf): - """ - Checks if interface has a VRF configured. - - Returns True if interface has VRF configured, False if it doesn't. - """ - from vyos.ifconfig import Section - ret = False - - old_level = conf.get_level() - conf.set_level([]) - - tmp = ['interfaces', Section.get_config_path(intf), 'vrf'] - if conf.exists(tmp): - ret = True - - conf.set_level(old_level) - return ret diff --git a/python/vyos/xml_ref/__init__.py b/python/vyos/xml_ref/__init__.py index ad2130dca..bf434865d 100644 --- a/python/vyos/xml_ref/__init__.py +++ b/python/vyos/xml_ref/__init__.py @@ -13,8 +13,12 @@ # You should have received a copy of the GNU Lesser General Public License # along with this library. If not, see <http://www.gnu.org/licenses/>. +from typing import Optional, Union, TYPE_CHECKING from vyos.xml_ref import definition +if TYPE_CHECKING: + from vyos.config import ConfigDict + def load_reference(cache=[]): if cache: return cache[0] @@ -23,11 +27,15 @@ def load_reference(cache=[]): try: from vyos.xml_ref.cache import reference - xml.define(reference) - cache.append(xml) except Exception: raise ImportError('no xml reference cache !!') + if not reference: + raise ValueError('empty xml reference cache !!') + + xml.define(reference) + cache.append(xml) + return xml def is_tag(path: list) -> bool: @@ -48,12 +56,12 @@ def is_leaf(path: list) -> bool: def cli_defined(path: list, node: str, non_local=False) -> bool: return load_reference().cli_defined(path, node, non_local=non_local) -def from_source(d: dict, path: list) -> bool: - return load_reference().from_source(d, path) - def component_version() -> dict: return load_reference().component_version() +def default_value(path: list) -> Optional[Union[str, list]]: + return load_reference().default_value(path) + def multi_to_list(rpath: list, conf: dict) -> dict: return load_reference().multi_to_list(rpath, conf) @@ -68,8 +76,8 @@ def relative_defaults(rpath: list, conf: dict, get_first_key=False, get_first_key=get_first_key, recursive=recursive) -def merge_defaults(path: list, conf: dict, get_first_key=False, - recursive=False) -> dict: - return load_reference().merge_defaults(path, conf, - get_first_key=get_first_key, - recursive=recursive) +def from_source(d: dict, path: list) -> bool: + return definition.from_source(d, path) + +def ext_dict_merge(source: dict, destination: Union[dict, 'ConfigDict']): + return definition.ext_dict_merge(source, destination) diff --git a/python/vyos/xml_ref/definition.py b/python/vyos/xml_ref/definition.py index d95d580e2..c90c5ddbc 100644 --- a/python/vyos/xml_ref/definition.py +++ b/python/vyos/xml_ref/definition.py @@ -20,6 +20,45 @@ from typing import Optional, Union, Any, TYPE_CHECKING if TYPE_CHECKING: from vyos.config import ConfigDict +def set_source_recursive(o: Union[dict, str, list], b: bool): + d = {} + if not isinstance(o, dict): + d = {'_source': b} + else: + for k, v in o.items(): + d[k] = set_source_recursive(v, b) + d |= {'_source': b} + return d + +def source_dict_merge(src: dict, dest: dict): + from copy import deepcopy + dst = deepcopy(dest) + from_src = {} + + for key, value in src.items(): + if key not in dst: + dst[key] = value + from_src[key] = set_source_recursive(value, True) + elif isinstance(src[key], dict): + dst[key], f = source_dict_merge(src[key], dst[key]) + f |= {'_source': False} + from_src[key] = f + + return dst, from_src + +def ext_dict_merge(src: dict, dest: Union[dict, 'ConfigDict']): + d, f = source_dict_merge(src, dest) + if hasattr(d, '_from_defaults'): + setattr(d, '_from_defaults', f) + return d + +def from_source(d: dict, path: list) -> bool: + for key in path: + d = d[key] if key in d else {} + if not d or not isinstance(d, dict): + return False + return d.get('_source', False) + class Xml: def __init__(self): self.ref = {} @@ -123,7 +162,7 @@ class Xml: def component_version(self) -> dict: d = {} - for k, v in self.ref['component_version']: + for k, v in self.ref['component_version'].items(): d[k] = int(v) return d @@ -153,6 +192,15 @@ class Xml: return default.split() return default + def default_value(self, path: list) -> Optional[Union[str, list]]: + d = self._get_ref_path(path) + default = self._get_default_value(d) + if default is None: + return None + if self._is_multi_node(d) or self._is_tag_node(d): + return default.split() + return default + def get_defaults(self, path: list, get_first_key=False, recursive=False) -> dict: """Return dict containing default values below path @@ -212,43 +260,6 @@ class Xml: return False return True - def _set_source_recursive(self, o: Union[dict, str, list], b: bool): - d = {} - if not isinstance(o, dict): - d = {'_source': b} - else: - for k, v in o.items(): - d[k] = self._set_source_recursive(v, b) - d |= {'_source': b} - return d - - # use local copy of function in module configdict, to avoid circular - # import - # - # extend dict_merge to keep track of keys only in source - def _dict_merge(self, source, destination): - from copy import deepcopy - dest = deepcopy(destination) - from_source = {} - - for key, value in source.items(): - if key not in dest: - dest[key] = value - from_source[key] = self._set_source_recursive(value, True) - elif isinstance(source[key], dict): - dest[key], f = self._dict_merge(source[key], dest[key]) - f |= {'_source': False} - from_source[key] = f - - return dest, from_source - - def from_source(self, d: dict, path: list) -> bool: - for key in path: - d = d[key] if key in d else {} - if not d or not isinstance(d, dict): - return False - return d.get('_source', False) - def _relative_defaults(self, rpath: list, conf: dict, recursive=False) -> dict: res: dict = {} res = self.get_defaults(rpath, recursive=recursive, @@ -289,17 +300,3 @@ class Xml: res = {} return res - - def merge_defaults(self, path: list, conf: Union[dict, 'ConfigDict'], - get_first_key=False, recursive=False) -> dict: - """Return config dict with defaults non-destructively merged - - This merges non-recursive defaults relative to the config dict. - """ - d = self.relative_defaults(path, conf, get_first_key=get_first_key, - recursive=recursive) - d, f = self._dict_merge(d, conf) - d = type(conf)(d) - if hasattr(d, '_from_defaults'): - setattr(d, '_from_defaults', f) - return d diff --git a/python/vyos/xml_ref/generate_cache.py b/python/vyos/xml_ref/generate_cache.py index 792c6eea7..6a05d4608 100755 --- a/python/vyos/xml_ref/generate_cache.py +++ b/python/vyos/xml_ref/generate_cache.py @@ -18,10 +18,14 @@ import sys import json -import argparse +from argparse import ArgumentParser +from argparse import ArgumentTypeError +from os import getcwd +from os import makedirs from os.path import join from os.path import abspath from os.path import dirname +from os.path import basename from xmltodict import parse _here = dirname(__file__) @@ -29,9 +33,10 @@ _here = dirname(__file__) sys.path.append(join(_here, '..')) from configtree import reference_tree_to_json, ConfigTreeError -xml_cache = abspath(join(_here, 'cache.py')) xml_cache_json = 'xml_cache.json' xml_tmp = join('/tmp', xml_cache_json) +pkg_cache = abspath(join(_here, 'pkg_cache')) +ref_cache = abspath(join(_here, 'cache.py')) node_data_fields = ("node_type", "multi", "valueless", "default_value") @@ -45,16 +50,26 @@ def trim_node_data(cache: dict): if isinstance(cache[k], dict): trim_node_data(cache[k]) +def non_trivial(s): + if not s: + raise ArgumentTypeError("Argument must be non empty string") + return s + def main(): - parser = argparse.ArgumentParser(description='generate and save dict from xml defintions') + parser = ArgumentParser(description='generate and save dict from xml defintions') parser.add_argument('--xml-dir', type=str, required=True, help='transcluded xml interface-definition directory') - parser.add_argument('--save-json-dir', type=str, - help='directory to save json cache if needed') - args = parser.parse_args() - - xml_dir = abspath(args.xml_dir) - save_dir = abspath(args.save_json_dir) if args.save_json_dir else None + parser.add_argument('--package-name', type=non_trivial, default='vyos-1x', + help='name of current package') + parser.add_argument('--output-path', help='path to generated cache') + args = vars(parser.parse_args()) + + xml_dir = abspath(args['xml_dir']) + pkg_name = args['package_name'].replace('-','_') + cache_name = pkg_name + '_cache.py' + out_path = args['output_path'] + path = out_path if out_path is not None else pkg_cache + xml_cache = abspath(join(path, cache_name)) try: reference_tree_to_json(xml_dir, xml_tmp) @@ -67,21 +82,30 @@ def main(): trim_node_data(d) - if save_dir is not None: - save_file = join(save_dir, xml_cache_json) - with open(save_file, 'w') as f: - f.write(json.dumps(d)) - syntax_version = join(xml_dir, 'xml-component-version.xml') - with open(syntax_version) as f: - content = f.read() + try: + with open(syntax_version) as f: + component = f.read() + except FileNotFoundError: + if pkg_name != 'vyos_1x': + component = '' + else: + print("\nWARNING: missing xml-component-version.xml\n") + sys.exit(1) - parsed = parse(content) - converted = parsed['interfaceDefinition']['syntaxVersion'] + if component: + parsed = parse(component) + else: + parsed = None version = {} - for i in converted: - tmp = {i['@component']: i['@version']} - version |= tmp + # addon package definitions may have empty (== 0) version info + if parsed is not None and parsed['interfaceDefinition'] is not None: + converted = parsed['interfaceDefinition']['syntaxVersion'] + if not isinstance(converted, list): + converted = [converted] + for i in converted: + tmp = {i['@component']: i['@version']} + version |= tmp version = {"component_version": version} @@ -90,5 +114,7 @@ def main(): with open(xml_cache, 'w') as f: f.write(f'reference = {str(d)}') + print(cache_name) + if __name__ == '__main__': main() diff --git a/python/vyos/xml_ref/pkg_cache/__init__.py b/python/vyos/xml_ref/pkg_cache/__init__.py new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/python/vyos/xml_ref/pkg_cache/__init__.py diff --git a/python/vyos/xml_ref/update_cache.py b/python/vyos/xml_ref/update_cache.py new file mode 100755 index 000000000..0842bcbe9 --- /dev/null +++ b/python/vyos/xml_ref/update_cache.py @@ -0,0 +1,51 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# +import os +from copy import deepcopy +from generate_cache import pkg_cache +from generate_cache import ref_cache + +def dict_merge(source, destination): + dest = deepcopy(destination) + + for key, value in source.items(): + if key not in dest: + dest[key] = value + elif isinstance(source[key], dict): + dest[key] = dict_merge(source[key], dest[key]) + + return dest + +def main(): + res = {} + cache_dir = os.path.basename(pkg_cache) + for mod in os.listdir(pkg_cache): + mod = os.path.splitext(mod)[0] + if not mod.endswith('_cache'): + continue + d = getattr(__import__(f'{cache_dir}.{mod}', fromlist=[mod]), 'reference') + if mod == 'vyos_1x_cache': + res = dict_merge(res, d) + else: + res = dict_merge(d, res) + + with open(ref_cache, 'w') as f: + f.write(f'reference = {str(res)}') + +if __name__ == '__main__': + main() diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index b4afac0e2..b5b65e253 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -26,17 +26,24 @@ from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError +from vyos.defaults import directories from vyos.ifconfig import Interface from vyos.ifconfig import Section from vyos.utils.file import read_file from vyos.utils.dict import dict_search from vyos.utils.process import process_named_running from vyos.utils.network import get_interface_config +from vyos.utils.network import get_interface_vrf from vyos.utils.process import cmd -from vyos.validate import is_intf_addr_assigned -from vyos.validate import is_ipv6_link_local +from vyos.utils.network import is_intf_addr_assigned +from vyos.utils.network import is_ipv6_link_local from vyos.xml_ref import cli_defined +dhclient_base_dir = directories['isc_dhclient_dir'] +dhclient_process_name = 'dhclient' +dhcp6c_base_dir = directories['dhcp6_client_dir'] +dhcp6c_process_name = 'dhcp6c' + def is_mirrored_to(interface, mirror_if, qdisc): """ Ask TC if we are mirroring traffic to a discrete interface. @@ -66,6 +73,7 @@ class BasicInterfaceTest: _test_ipv6_pd = False _test_ipv6_dhcpc6 = False _test_mirror = False + _test_vrf = False _base_path = [] _options = {} @@ -93,6 +101,7 @@ class BasicInterfaceTest: cls._test_ipv6_dhcpc6 = cli_defined(cls._base_path, 'dhcpv6-options') cls._test_ipv6_pd = cli_defined(cls._base_path + ['dhcpv6-options'], 'pd') cls._test_mtu = cli_defined(cls._base_path, 'mtu') + cls._test_vrf = cli_defined(cls._base_path, 'vrf') # Setup mirror interfaces for SPAN (Switch Port Analyzer) for span in cls._mirror_interfaces: @@ -137,8 +146,6 @@ class BasicInterfaceTest: for option in self._options.get(interface, []): self.cli_set(self._base_path + [interface] + option.split()) - self.cli_set(self._base_path + [interface, 'disable']) - # Also enable DHCP (ISC DHCP always places interface in admin up # state so we check that we do not start DHCP client. # https://vyos.dev/T2767 @@ -151,6 +158,99 @@ class BasicInterfaceTest: flags = read_file(f'/sys/class/net/{interface}/flags') self.assertEqual(int(flags, 16) & 1, 0) + def test_dhcp_client_options(self): + if not self._test_dhcp or not self._test_vrf: + self.skipTest('not supported') + + distance = '100' + + for interface in self._interfaces: + for option in self._options.get(interface, []): + self.cli_set(self._base_path + [interface] + option.split()) + + self.cli_set(self._base_path + [interface, 'address', 'dhcp']) + self.cli_set(self._base_path + [interface, 'dhcp-options', 'default-route-distance', distance]) + + self.cli_commit() + + for interface in self._interfaces: + # Check if dhclient process runs + dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface) + self.assertTrue(dhclient_pid) + + dhclient_config = read_file(f'{dhclient_base_dir}/dhclient_{interface}.conf') + self.assertIn('request subnet-mask, broadcast-address, routers, domain-name-servers', dhclient_config) + self.assertIn('require subnet-mask;', dhclient_config) + + # and the commandline has the appropriate options + cmdline = read_file(f'/proc/{dhclient_pid}/cmdline') + self.assertIn(f'-e\x00IF_METRIC={distance}', cmdline) + + def test_dhcp_vrf(self): + if not self._test_dhcp or not self._test_vrf: + self.skipTest('not supported') + + vrf_name = 'purple4' + self.cli_set(['vrf', 'name', vrf_name, 'table', '65000']) + + for interface in self._interfaces: + for option in self._options.get(interface, []): + self.cli_set(self._base_path + [interface] + option.split()) + + self.cli_set(self._base_path + [interface, 'address', 'dhcp']) + self.cli_set(self._base_path + [interface, 'vrf', vrf_name]) + + self.cli_commit() + + # Validate interface state + for interface in self._interfaces: + tmp = get_interface_vrf(interface) + self.assertEqual(tmp, vrf_name) + + # Check if dhclient process runs + dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface) + self.assertTrue(dhclient_pid) + # .. inside the appropriate VRF instance + vrf_pids = cmd(f'ip vrf pids {vrf_name}') + self.assertIn(str(dhclient_pid), vrf_pids) + # and the commandline has the appropriate options + cmdline = read_file(f'/proc/{dhclient_pid}/cmdline') + self.assertIn('-e\x00IF_METRIC=210', cmdline) # 210 is the default value + + self.cli_delete(['vrf', 'name', vrf_name]) + + def test_dhcpv6_vrf(self): + if not self._test_ipv6_dhcpc6 or not self._test_vrf: + self.skipTest('not supported') + + vrf_name = 'purple6' + self.cli_set(['vrf', 'name', vrf_name, 'table', '65001']) + + # When interface is configured as admin down, it must be admin down + # even when dhcpc starts on the given interface + for interface in self._interfaces: + for option in self._options.get(interface, []): + self.cli_set(self._base_path + [interface] + option.split()) + + self.cli_set(self._base_path + [interface, 'address', 'dhcpv6']) + self.cli_set(self._base_path + [interface, 'vrf', vrf_name]) + + self.cli_commit() + + # Validate interface state + for interface in self._interfaces: + tmp = get_interface_vrf(interface) + self.assertEqual(tmp, vrf_name) + + # Check if dhclient process runs + tmp = process_named_running(dhcp6c_process_name, cmdline=interface) + self.assertTrue(tmp) + # .. inside the appropriate VRF instance + vrf_pids = cmd(f'ip vrf pids {vrf_name}') + self.assertIn(str(tmp), vrf_pids) + + self.cli_delete(['vrf', 'name', vrf_name]) + def test_span_mirror(self): if not self._mirror_interfaces: self.skipTest('not supported') @@ -743,6 +843,7 @@ class BasicInterfaceTest: mss = '1400' dad_transmits = '10' + accept_dad = '0' for interface in self._interfaces: path = self._base_path + [interface] @@ -753,6 +854,9 @@ class BasicInterfaceTest: if cli_defined(self._base_path + ['ipv6'], 'adjust-mss'): self.cli_set(path + ['ipv6', 'adjust-mss', mss]) + if cli_defined(self._base_path + ['ipv6'], 'accept-dad'): + self.cli_set(path + ['ipv6', 'accept-dad', accept_dad]) + if cli_defined(self._base_path + ['ipv6'], 'dup-addr-detect-transmits'): self.cli_set(path + ['ipv6', 'dup-addr-detect-transmits', dad_transmits]) @@ -770,6 +874,10 @@ class BasicInterfaceTest: if line.startswith(base_options): self.assertIn(f'tcp option maxseg size set {mss}', line) + if cli_defined(self._base_path + ['ipv6'], 'accept-dad'): + tmp = read_file(f'{proc_base}/accept_dad') + self.assertEqual(accept_dad, tmp) + if cli_defined(self._base_path + ['ipv6'], 'dup-addr-detect-transmits'): tmp = read_file(f'{proc_base}/dad_transmits') self.assertEqual(dad_transmits, tmp) @@ -791,6 +899,7 @@ class BasicInterfaceTest: # Enable DHCPv6 client self.cli_set(path + ['address', 'dhcpv6']) + self.cli_set(path + ['dhcpv6-options', 'no-release']) self.cli_set(path + ['dhcpv6-options', 'rapid-commit']) self.cli_set(path + ['dhcpv6-options', 'parameters-only']) self.cli_set(path + ['dhcpv6-options', 'duid', duid]) @@ -801,7 +910,7 @@ class BasicInterfaceTest: duid_base = 10 for interface in self._interfaces: duid = '00:01:00:01:27:71:db:f0:00:50:00:00:00:{}'.format(duid_base) - dhcpc6_config = read_file(f'/run/dhcp6c/dhcp6c.{interface}.conf') + dhcpc6_config = read_file(f'{dhcp6c_base_dir}/dhcp6c.{interface}.conf') self.assertIn(f'interface {interface} ' + '{', dhcpc6_config) self.assertIn(f' request domain-name-servers;', dhcpc6_config) self.assertIn(f' request domain-name;', dhcpc6_config) @@ -812,8 +921,12 @@ class BasicInterfaceTest: self.assertIn('};', dhcpc6_config) duid_base += 1 - # Check for running process - self.assertTrue(process_named_running('dhcp6c')) + # Better ask the process about it's commandline in the future + pid = process_named_running(dhcp6c_process_name, cmdline=interface) + self.assertTrue(pid) + + dhcp6c_options = read_file(f'/proc/{pid}/cmdline') + self.assertIn('-n', dhcp6c_options) def test_dhcpv6pd_auto_sla_id(self): if not self._test_ipv6_pd: @@ -849,7 +962,7 @@ class BasicInterfaceTest: self.cli_commit() for interface in self._interfaces: - dhcpc6_config = read_file(f'/run/dhcp6c/dhcp6c.{interface}.conf') + dhcpc6_config = read_file(f'{dhcp6c_base_dir}/dhcp6c.{interface}.conf') # verify DHCPv6 prefix delegation self.assertIn(f'prefix ::/{prefix_len} infinity;', dhcpc6_config) @@ -867,8 +980,8 @@ class BasicInterfaceTest: # increment interface address address = str(int(address) + 1) - # Check for running process - self.assertTrue(process_named_running('dhcp6c')) + # Check for running process + self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface)) for delegatee in delegatees: # we can already cleanup the test delegatee interface here @@ -917,7 +1030,7 @@ class BasicInterfaceTest: for interface in self._interfaces: address = '1' sla_id = '1' - dhcpc6_config = read_file(f'/run/dhcp6c/dhcp6c.{interface}.conf') + dhcpc6_config = read_file(f'{dhcp6c_base_dir}/dhcp6c.{interface}.conf') # verify DHCPv6 prefix delegation self.assertIn(f'prefix ::/{prefix_len} infinity;', dhcpc6_config) @@ -934,7 +1047,7 @@ class BasicInterfaceTest: address = str(int(address) + 1) # Check for running process - self.assertTrue(process_named_running('dhcp6c', interface)) + self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface)) for delegatee in delegatees: # we can already cleanup the test delegatee interface here diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 0c56c2c93..7a13f396f 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -90,19 +90,19 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): return False def test_geoip(self): - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match']) self.cli_commit() nftables_search = [ - ['ip saddr @GEOIP_CC_smoketest_1', 'drop'], - ['ip saddr != @GEOIP_CC_smoketest_2', 'return'] + ['ip saddr @GEOIP_CC_name_smoketest_1', 'drop'], + ['ip saddr != @GEOIP_CC_name_smoketest_2', 'accept'] ] # -t prevents 1000+ GeoIP elements being returned @@ -127,36 +127,33 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'eth0']) self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'vtun0']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface']) - - self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface']) self.cli_commit() self.wait_for_domain_resolver('ip vyos_filter', 'D_smoketest_domain', '192.0.2.5') nftables_search = [ - ['iifname "eth0"', 'jump NAME_smoketest'], - ['ip saddr @N_smoketest_network', 'ip daddr 172.16.10.10', 'th dport @P_smoketest_port', 'return'], + ['ip saddr @N_smoketest_network', 'ip daddr 172.16.10.10', 'th dport @P_smoketest_port', 'accept'], ['elements = { 172.16.99.0/24 }'], ['elements = { 53, 123 }'], - ['ether saddr @M_smoketest_mac', 'return'], + ['ether saddr @M_smoketest_mac', 'accept'], ['elements = { 00:01:02:03:04:05 }'], ['set D_smoketest_domain'], ['elements = { 192.0.2.5, 192.0.2.8,'], ['192.0.2.10, 192.0.2.11 }'], - ['ip saddr @D_smoketest_domain', 'return'], - ['oifname @I_smoketest_interface', 'return'] + ['ip saddr @D_smoketest_domain', 'accept'], + ['oifname @I_smoketest_interface', 'accept'] ] self.verify_nftables(nftables_search, 'ip vyos_filter') @@ -170,12 +167,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53']) self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'port', '123']) self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'include', 'smoketest_port']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1']) - self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp']) - - self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp']) self.cli_commit() @@ -187,8 +182,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_delete(['firewall', 'group', 'network-group', 'smoketest_network', 'include', 'smoketest_network1']) nftables_search = [ - ['iifname "eth0"', 'jump NAME_smoketest'], - ['ip saddr @N_smoketest_network1', 'th dport @P_smoketest_port1', 'return'], + ['ip saddr @N_smoketest_network1', 'th dport @P_smoketest_port1', 'accept'], ['elements = { 172.16.99.0/24, 172.16.101.0/24 }'], ['elements = { 53, 123 }'] ] @@ -202,61 +196,75 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): mss_range = '501-1460' conn_mark = '555' - self.cli_set(['firewall', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'protocol', 'tcp']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'destination', 'port', '8888']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'log', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'protocol', 'tcp']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'destination', 'port', '22']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'limit', 'rate', '5/minute']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'log', 'disable']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'action', 'drop']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'protocol', 'tcp']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'destination', 'port', '22']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'recent', 'count', '10']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'recent', 'time', 'minute']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'packet-type', 'host']) - self.cli_set(['firewall', 'name', name, 'rule', '5', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '5', 'protocol', 'tcp']) - self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'flags', 'syn']) - self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'mss', mss_range]) - self.cli_set(['firewall', 'name', name, 'rule', '5', 'packet-type', 'broadcast']) - self.cli_set(['firewall', 'name', name, 'rule', '5', 'inbound-interface', 'interface-name', interface]) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', 'interface-name', interface]) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark]) - - self.cli_set(['firewall', 'interface', interface, 'in', 'name', name]) - self.cli_set(['firewall', 'interface', interface_wc, 'in', 'name', name]) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'destination', 'port', '8888']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) + + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'log', 'disable']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'packet-type', 'host']) + + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range]) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface]) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'action', 'return']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'protocol', 'gre']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark]) + + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'protocol', 'gre']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc]) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'action', 'return']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'protocol', 'icmp']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark]) self.cli_commit() mark_hex = "{0:#010x}".format(int(conn_mark)) nftables_search = [ - [f'iifname "{interface}"', f'jump NAME_{name}'], - [f'iifname "{interface_wc}"', f'jump NAME_{name}'], - ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'return'], + ['chain VYOS_FORWARD_filter'], + ['type filter hook forward priority filter; policy drop;'], + ['tcp dport 22', 'limit rate 5/minute', 'accept'], + ['tcp dport 22', 'add @RECENT_FWD_filter_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'], + ['chain VYOS_INPUT_filter'], + ['type filter hook input priority filter; policy accept;'], + ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast', 'accept'], + ['meta l4proto gre', f'ct mark {mark_hex}', 'return'], + ['chain VYOS_OUTPUT_filter'], + ['type filter hook output priority filter; policy accept;'], + ['meta l4proto gre', f'oifname "{interface_wc}"', 'drop'], + ['meta l4proto icmp', f'ct mark {mark_hex}', 'return'], + ['chain NAME_smoketest'], + ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'], ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'], - ['tcp dport 22', 'limit rate 5/minute', 'return'], - ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'], - ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'], - ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast'], - ['meta l4proto gre', f'oifname "{interface}"', f'ct mark {mark_hex}', 'return'] + ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'] ] self.verify_nftables(nftables_search, 'ip vyos_filter') @@ -266,55 +274,54 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name2 = 'smoketest-adv2' interface = 'eth0' - self.cli_set(['firewall', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'name', name, 'enable-default-log']) - - self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '64']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '512']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '1024']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '17']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '52']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'log', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'group', '66']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666']) - self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000']) - - self.cli_set(['firewall', 'name', name, 'rule', '7', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length', '1-30000']) - self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535']) - self.cli_set(['firewall', 'name', name, 'rule', '7', 'dscp', '3-11']) - self.cli_set(['firewall', 'name', name, 'rule', '7', 'dscp-exclude', '21-25']) - - self.cli_set(['firewall', 'name', name2, 'default-action', 'jump']) - self.cli_set(['firewall', 'name', name2, 'default-jump-target', name]) - self.cli_set(['firewall', 'name', name2, 'enable-default-log']) - self.cli_set(['firewall', 'name', name2, 'rule', '1', 'source', 'address', '198.51.100.1']) - self.cli_set(['firewall', 'name', name2, 'rule', '1', 'action', 'jump']) - self.cli_set(['firewall', 'name', name2, 'rule', '1', 'jump-target', name]) - - self.cli_set(['firewall', 'name', name2, 'rule', '2', 'protocol', 'tcp']) - self.cli_set(['firewall', 'name', name2, 'rule', '2', 'action', 'queue']) - self.cli_set(['firewall', 'name', name2, 'rule', '2', 'queue', '3']) - self.cli_set(['firewall', 'name', name2, 'rule', '3', 'protocol', 'udp']) - self.cli_set(['firewall', 'name', name2, 'rule', '3', 'action', 'queue']) - self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue-options', 'fanout']) - self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue-options', 'bypass']) - self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue', '0-15']) - - self.cli_set(['firewall', 'interface', interface, 'in', 'name', name]) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log']) + + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '64']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '512']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '1024']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '17']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '52']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'group', '66']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000']) + + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length', '1-30000']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25']) + + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name]) + + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'action', 'queue']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue', '0-15']) self.cli_commit() nftables_search = [ - [f'iifname "{interface}"', f'jump NAME_{name}'], - ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'return'], - ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'return'], - [f'log prefix "[{name}-default-D]"', 'drop'], + ['chain VYOS_FORWARD_filter'], + ['type filter hook forward priority filter; policy drop;'], ['ip saddr 198.51.100.1', f'jump NAME_{name}'], - [f'log prefix "[{name2}-default-J]"', f'jump NAME_{name}'], + ['chain VYOS_INPUT_filter'], + ['type filter hook input priority filter; policy accept;'], [f'meta l4proto tcp','queue to 3'], - [f'meta l4proto udp','queue flags bypass,fanout to 0-15'] + [f'meta l4proto udp','queue flags bypass,fanout to 0-15'], + [f'chain NAME_{name}'], + ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'], + ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'accept'], + [f'log prefix "[{name}-default-D]"', 'drop'] ] self.verify_nftables(nftables_search, 'ip vyos_filter') @@ -325,22 +332,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'address-group', 'mask_group', 'address', '1.1.1.1']) - self.cli_set(['firewall', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'drop']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255']) - - self.cli_set(['firewall', 'interface', interface, 'in', 'name', name]) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255']) self.cli_commit() @@ -357,34 +362,46 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name = 'v6-smoketest' interface = 'eth0' - self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'source', 'address', '2002::1']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '2002::1:1']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log-options', 'level', 'crit']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log', 'enable']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'reject']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'protocol', 'tcp_udp']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'destination', 'port', '8888']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'inbound-interface', 'interface-name', interface]) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'default-action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'action', 'reject']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'protocol', 'tcp_udp']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'destination', 'port', '8888']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'inbound-interface', 'interface-name', interface]) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'return']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'protocol', 'gre']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'outbound-interface', 'interface-name', interface]) + self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'action', 'return']) + self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'protocol', 'gre']) + self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'outbound-interface', 'interface-name', interface]) - self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name]) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'protocol', 'udp']) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'source', 'address', '2002::1:2']) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'inbound-interface', 'interface-name', interface]) self.cli_commit() nftables_search = [ - [f'iifname "{interface}"', f'jump NAME6_{name}'], - ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'return'], + ['chain VYOS_IPV6_FORWARD_filter'], + ['type filter hook forward priority filter; policy accept;'], ['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'], + ['chain VYOS_IPV6_INPUT_filter'], + ['type filter hook input priority filter; policy accept;'], + ['meta l4proto udp', 'ip6 saddr 2002::1:2', f'iifname "{interface}"', 'accept'], + ['chain VYOS_IPV6_OUTPUT_filter'], + ['type filter hook output priority filter; policy drop;'], ['meta l4proto gre', f'oifname "{interface}"', 'return'], - ['smoketest default-action', f'log prefix "[{name}-default-D]"', 'drop'] + [f'chain NAME6_{name}'], + ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'accept'], + [f'"{name} default-action drop"', f'log prefix "[{name}-default-D]"', 'drop'] ] self.verify_nftables(nftables_search, 'ip6 vyos_filter') @@ -394,40 +411,39 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name2 = 'v6-smoketest-adv2' interface = 'eth0' - self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log']) - - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '65']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '513']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '1025']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'dscp', '18']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'dscp', '53']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length', '1-1999']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length-exclude', '60000-65535']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'dscp', '4-14']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'dscp-exclude', '31-35']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '65']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '513']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '1025']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '18']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '53']) - self.cli_set(['firewall', 'ipv6-name', name2, 'default-action', 'jump']) - self.cli_set(['firewall', 'ipv6-name', name2, 'default-jump-target', name]) - self.cli_set(['firewall', 'ipv6-name', name2, 'enable-default-log']) - self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'source', 'address', '2001:db8::/64']) - self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'action', 'jump']) - self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'jump-target', name]) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'packet-length', '1-1999']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'packet-length-exclude', '60000-65535']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'dscp', '4-14']) + self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'dscp-exclude', '31-35']) - self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name]) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'default-action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'source', 'address', '2001:db8::/64']) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'action', 'jump']) + self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'jump-target', name]) self.cli_commit() nftables_search = [ - [f'iifname "{interface}"', f'jump NAME6_{name}'], - ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'return'], - ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'return'], - [f'log prefix "[{name}-default-D]"', 'drop'], + ['chain VYOS_IPV6_FORWARD_filter'], + ['type filter hook forward priority filter; policy accept;'], + ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'accept'], + ['chain VYOS_IPV6_INPUT_filter'], + ['type filter hook input priority filter; policy accept;'], ['ip6 saddr 2001:db8::/64', f'jump NAME6_{name}'], - [f'log prefix "[{name2}-default-J]"', f'jump NAME6_{name}'] + [f'chain NAME6_{name}'], + ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'accept'], + [f'log prefix "[{name}-default-D]"', 'drop'] ] self.verify_nftables(nftables_search, 'ip6 vyos_filter') @@ -438,22 +454,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'ipv6-address-group', 'mask_group', 'address', '::beef']) - self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'drop']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) - self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) - - self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name]) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) self.cli_commit() @@ -465,52 +479,32 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip6 vyos_filter') - def test_state_policy(self): - self.cli_set(['firewall', 'state-policy', 'established', 'action', 'accept']) - self.cli_set(['firewall', 'state-policy', 'related', 'action', 'accept']) - self.cli_set(['firewall', 'state-policy', 'invalid', 'action', 'drop']) - - self.cli_commit() - - chains = { - 'ip vyos_filter': ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'], - 'ip6 vyos_filter': ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL'] - } - - for table in ['ip vyos_filter', 'ip6 vyos_filter']: - for chain in chains[table]: - nftables_output = cmd(f'sudo nft list chain {table} {chain}') - self.assertTrue('jump VYOS_STATE_POLICY' in nftables_output) - def test_ipv4_state_and_status_rules(self): name = 'smoketest-state' interface = 'eth0' - self.cli_set(['firewall', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'state', 'established', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '1', 'state', 'related', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject']) - self.cli_set(['firewall', 'name', name, 'rule', '2', 'state', 'invalid', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '3', 'state', 'new', 'enable']) - - self.cli_set(['firewall', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'state', 'new', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'state', 'established', 'enable']) - self.cli_set(['firewall', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source']) - - self.cli_set(['firewall', 'interface', interface, 'in', 'name', name]) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable']) + + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source']) self.cli_commit() nftables_search = [ - [f'iifname "{interface}"', f'jump NAME_{name}'], - ['ct state { established, related }', 'return'], + ['ct state { established, related }', 'accept'], ['ct state invalid', 'reject'], - ['ct state new', 'ct status dnat', 'return'], - ['ct state { established, new }', 'ct status snat', 'return'], + ['ct state new', 'ct status dnat', 'accept'], + ['ct state { established, new }', 'ct status snat', 'accept'], ['drop', f'comment "{name} default-action drop"'] ] @@ -523,7 +517,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): with open(path, 'r') as f: self.assertEqual(f.read().strip(), conf['default'], msg=path) - self.cli_set(['firewall', name.replace("_", "-"), conf['test_value']]) + self.cli_set(['firewall', 'global-options', name.replace("_", "-"), conf['test_value']]) self.cli_commit() @@ -533,35 +527,5 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): with open(path, 'r') as f: self.assertNotEqual(f.read().strip(), conf['default'], msg=path) - def test_zone_basic(self): - self.cli_set(['firewall', 'name', 'smoketest', 'default-action', 'drop']) - self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'eth0']) - self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest']) - self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone']) - self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest']) - - self.cli_commit() - - nftables_search = [ - ['chain VZONE_smoketest-eth0'], - ['chain VZONE_smoketest-local_IN'], - ['chain VZONE_smoketest-local_OUT'], - ['oifname "eth0"', 'jump VZONE_smoketest-eth0'], - ['jump VZONE_smoketest-local_IN'], - ['jump VZONE_smoketest-local_OUT'], - ['iifname "eth0"', 'jump NAME_smoketest'], - ['oifname "eth0"', 'jump NAME_smoketest'] - ] - - nftables_output = cmd('sudo nft list table ip vyos_filter') - - for search in nftables_search: - matched = False - for line in nftables_output.split("\n"): - if all(item in line for item in search): - matched = True - break - self.assertTrue(matched) - if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_bonding.py b/smoketest/scripts/cli/test_interfaces_bonding.py index d8e6bde5c..8867cb427 100755 --- a/smoketest/scripts/cli/test_interfaces_bonding.py +++ b/smoketest/scripts/cli/test_interfaces_bonding.py @@ -37,9 +37,8 @@ class BondingInterfaceTest(BasicInterfaceTest.TestCase): if 'TEST_ETH' in os.environ: cls._members = os.environ['TEST_ETH'].split() else: - for tmp in Section.interfaces('ethernet'): - if not '.' in tmp: - cls._members.append(tmp) + for tmp in Section.interfaces('ethernet', vlan=False): + cls._members.append(tmp) cls._options = {'bond0' : []} for member in cls._members: diff --git a/smoketest/scripts/cli/test_interfaces_bridge.py b/smoketest/scripts/cli/test_interfaces_bridge.py index 674b0535a..cdff49f4b 100755 --- a/smoketest/scripts/cli/test_interfaces_bridge.py +++ b/smoketest/scripts/cli/test_interfaces_bridge.py @@ -27,7 +27,7 @@ from vyos.ifconfig import Section from vyos.utils.process import cmd from vyos.utils.file import read_file from vyos.utils.network import get_interface_config -from vyos.validate import is_intf_addr_assigned +from vyos.utils.network import is_intf_addr_assigned class BridgeInterfaceTest(BasicInterfaceTest.TestCase): @classmethod @@ -41,9 +41,8 @@ class BridgeInterfaceTest(BasicInterfaceTest.TestCase): if 'TEST_ETH' in os.environ: cls._members = os.environ['TEST_ETH'].split() else: - for tmp in Section.interfaces('ethernet'): - if not '.' in tmp: - cls._members.append(tmp) + for tmp in Section.interfaces('ethernet', vlan=False): + cls._members.append(tmp) cls._options['br0'] = [] for member in cls._members: diff --git a/smoketest/scripts/cli/test_interfaces_ethernet.py b/smoketest/scripts/cli/test_interfaces_ethernet.py index eec3ddbe8..5ea21fea8 100755 --- a/smoketest/scripts/cli/test_interfaces_ethernet.py +++ b/smoketest/scripts/cli/test_interfaces_ethernet.py @@ -31,7 +31,7 @@ from vyos.template import is_ipv6 from vyos.utils.process import cmd from vyos.utils.process import process_named_running from vyos.utils.file import read_file -from vyos.validate import is_ipv6_link_local +from vyos.utils.network import is_ipv6_link_local server_ca_root_cert_data = """ MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIw diff --git a/smoketest/scripts/cli/test_interfaces_loopback.py b/smoketest/scripts/cli/test_interfaces_loopback.py index cde90189b..0454dc658 100755 --- a/smoketest/scripts/cli/test_interfaces_loopback.py +++ b/smoketest/scripts/cli/test_interfaces_loopback.py @@ -19,7 +19,7 @@ import unittest from base_interfaces_test import BasicInterfaceTest from netifaces import interfaces -from vyos.validate import is_intf_addr_assigned +from vyos.utils.network import is_intf_addr_assigned loopbacks = ['127.0.0.1', '::1'] diff --git a/smoketest/scripts/cli/test_interfaces_wireguard.py b/smoketest/scripts/cli/test_interfaces_wireguard.py index 14fc8d109..f84ce159d 100755 --- a/smoketest/scripts/cli/test_interfaces_wireguard.py +++ b/smoketest/scripts/cli/test_interfaces_wireguard.py @@ -100,5 +100,34 @@ class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): self.cli_delete(base_path + [interface, 'peer', 'PEER01']) self.cli_commit() + def test_wireguard_same_public_key(self): + # T2939: Create WireGuard interfaces with associated peers. + # Remove one of the configured peers. + # T4774: Test prevention of duplicate peer public keys + interface = 'wg0' + port = '12345' + privkey = 'OOjcXGfgQlAuM6q8Z9aAYduCua7pxf7UKYvIqoUPoGQ=' + pubkey_fail = 'eiVeYKq66mqKLbrZLzlckSP9voaw8jSFyVNiNTdZDjU=' + pubkey_ok = 'ebFx/1G0ti8tvuZd94sEIosAZZIznX+dBAKG/8DFm0I=' + + self.cli_set(base_path + [interface, 'address', '172.16.0.1/24']) + self.cli_set(base_path + [interface, 'private-key', privkey]) + + self.cli_set(base_path + [interface, 'peer', 'PEER01', 'public-key', pubkey_fail]) + self.cli_set(base_path + [interface, 'peer', 'PEER01', 'port', port]) + self.cli_set(base_path + [interface, 'peer', 'PEER01', 'allowed-ips', '10.205.212.10/32']) + self.cli_set(base_path + [interface, 'peer', 'PEER01', 'address', '192.0.2.1']) + + # The same pubkey as the interface wg0 + with self.assertRaises(ConfigSessionError): + self.cli_commit() + + self.cli_set(base_path + [interface, 'peer', 'PEER01', 'public-key', pubkey_ok]) + + # Commit peers + self.cli_commit() + + self.assertTrue(os.path.isdir(f'/sys/class/net/{interface}')) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py index 28d566eba..e6eaedeff 100755 --- a/smoketest/scripts/cli/test_nat.py +++ b/smoketest/scripts/cli/test_nat.py @@ -252,5 +252,41 @@ class TestNAT(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip vyos_nat') + def test_nat_balance(self): + ifname = 'eth0' + member_1 = '198.51.100.1' + weight_1 = '10' + member_2 = '198.51.100.2' + weight_2 = '90' + member_3 = '192.0.2.1' + weight_3 = '35' + member_4 = '192.0.2.2' + weight_4 = '65' + dst_port = '443' + + self.cli_set(dst_path + ['rule', '1', 'inbound-interface', ifname]) + self.cli_set(dst_path + ['rule', '1', 'protocol', 'tcp']) + self.cli_set(dst_path + ['rule', '1', 'destination', 'port', dst_port]) + self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'source-address']) + self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'source-port']) + self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'destination-address']) + self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'destination-port']) + self.cli_set(dst_path + ['rule', '1', 'load-balance', 'backend', member_1, 'weight', weight_1]) + self.cli_set(dst_path + ['rule', '1', 'load-balance', 'backend', member_2, 'weight', weight_2]) + + self.cli_set(src_path + ['rule', '1', 'outbound-interface', ifname]) + self.cli_set(src_path + ['rule', '1', 'load-balance', 'hash', 'random']) + self.cli_set(src_path + ['rule', '1', 'load-balance', 'backend', member_3, 'weight', weight_3]) + self.cli_set(src_path + ['rule', '1', 'load-balance', 'backend', member_4, 'weight', weight_4]) + + self.cli_commit() + + nftables_search = [ + [f'iifname "{ifname}"', f'tcp dport {dst_port}', f'dnat to jhash ip saddr . tcp sport . ip daddr . tcp dport mod 100 map', f'0-9 : {member_1}, 10-99 : {member_2}'], + [f'oifname "{ifname}"', f'snat to numgen random mod 100 map', f'0-34 : {member_3}, 35-99 : {member_4}'] + ] + + self.verify_nftables(nftables_search, 'ip vyos_nat') + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_dns_dynamic.py b/smoketest/scripts/cli/test_service_dns_dynamic.py index f6c42e8c9..ee8a07b37 100755 --- a/smoketest/scripts/cli/test_service_dns_dynamic.py +++ b/smoketest/scripts/cli/test_service_dns_dynamic.py @@ -14,7 +14,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import re import os import unittest import tempfile @@ -34,13 +33,6 @@ zone = 'vyos.io' password = 'paSS_@4ord' interface = 'eth0' - -def get_config_value(key): - tmp = cmd(f'sudo cat {DDCLIENT_CONF}') - vals = re.findall(r'\n?{}=([.-@_A-Za-z0-9]+),? \\'.format(key), tmp) - return vals[0] if vals else '' - - class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): def tearDown(self): # Check for running process @@ -54,45 +46,54 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): self.assertFalse(os.path.exists(DDCLIENT_PID)) # IPv4 standard DDNS service configuration - def test_dyndns_service_standard(self): + def test_01_dyndns_service_standard(self): ddns = ['address', interface, 'service'] services = {'cloudflare': {'protocol': 'cloudflare'}, 'freedns': {'protocol': 'freedns', 'username': 'vyos_user'}, 'zoneedit': {'protocol': 'zoneedit1', 'username': 'vyos_user'}} for svc, details in services.items(): + # Always start with a clean CLI instance self.cli_delete(base_path) + self.cli_set(base_path + ddns + [svc, 'host-name', hostname]) - for opt, value in details.items(): - self.cli_set(base_path + ddns + [svc, opt, value]) self.cli_set(base_path + ddns + [svc, 'password', password]) self.cli_set(base_path + ddns + [svc, 'zone', zone]) + for opt, value in details.items(): + self.cli_set(base_path + ddns + [svc, opt, value]) # commit changes if details['protocol'] == 'cloudflare': - self.cli_commit() + pass else: # zone option does not work on all protocols, an exception is # raised for all others with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_delete(base_path + ddns + [svc, 'zone', zone]) - # commit changes again - now it should work - self.cli_commit() + + # commit changes + self.cli_commit() # Check the generating config parameters - self.assertEqual(get_config_value('use'), 'if') - self.assertEqual(get_config_value('if'), interface) - self.assertEqual(get_config_value('password'), password) + ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}') + # default value 300 seconds + self.assertIn(f'daemon=300', ddclient_conf) + self.assertIn(f'use=if', ddclient_conf) + self.assertIn(f'if={interface}', ddclient_conf) + self.assertIn(f'password={password}', ddclient_conf) for opt in details.keys(): if opt == 'username': - self.assertEqual(get_config_value('login'), details[opt]) + login = details[opt] + self.assertIn(f'login={login}', ddclient_conf) else: - self.assertEqual(get_config_value(opt), details[opt]) + tmp = details[opt] + self.assertIn(f'{opt}={tmp}', ddclient_conf) # IPv6 only DDNS service configuration - def test_dyndns_service_ipv6(self): + def test_02_dyndns_service_ipv6(self): + timeout = '60' ddns = ['address', interface, 'service', 'dynv6'] proto = 'dyndns2' user = 'none' @@ -100,6 +101,7 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): srv = 'ddns.vyos.io' ip_version = 'ipv6' + self.cli_set(base_path + ['timeout', timeout]) self.cli_set(base_path + ddns + ['ip-version', ip_version]) self.cli_set(base_path + ddns + ['protocol', proto]) self.cli_set(base_path + ddns + ['server', srv]) @@ -111,15 +113,17 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): self.cli_commit() # Check the generating config parameters - self.assertEqual(get_config_value('usev6'), 'ifv6') - self.assertEqual(get_config_value('ifv6'), interface) - self.assertEqual(get_config_value('protocol'), proto) - self.assertEqual(get_config_value('server'), srv) - self.assertEqual(get_config_value('login'), user) - self.assertEqual(get_config_value('password'), password) + ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}') + self.assertIn(f'daemon={timeout}', ddclient_conf) + self.assertIn(f'usev6=ifv6', ddclient_conf) + self.assertIn(f'ifv6={interface}', ddclient_conf) + self.assertIn(f'protocol={proto}', ddclient_conf) + self.assertIn(f'server={srv}', ddclient_conf) + self.assertIn(f'login={user}', ddclient_conf) + self.assertIn(f'password={password}', ddclient_conf) # IPv4+IPv6 dual DDNS service configuration - def test_dyndns_service_dual_stack(self): + def test_03_dyndns_service_dual_stack(self): ddns = ['address', interface, 'service'] services = {'cloudflare': {'protocol': 'cloudflare', 'zone': 'vyos.io'}, 'freedns': {'protocol': 'freedns', 'username': 'vyos_user'}} @@ -127,30 +131,35 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): ip_version = 'both' for svc, details in services.items(): + # Always start with a clean CLI instance self.cli_delete(base_path) + self.cli_set(base_path + ddns + [svc, 'host-name', hostname]) - for opt, value in details.items(): - self.cli_set(base_path + ddns + [svc, opt, value]) self.cli_set(base_path + ddns + [svc, 'password', password]) self.cli_set(base_path + ddns + [svc, 'ip-version', ip_version]) + for opt, value in details.items(): + self.cli_set(base_path + ddns + [svc, opt, value]) # commit changes self.cli_commit() # Check the generating config parameters - self.assertEqual(get_config_value('usev4'), 'ifv4') - self.assertEqual(get_config_value('usev6'), 'ifv6') - self.assertEqual(get_config_value('ifv4'), interface) - self.assertEqual(get_config_value('ifv6'), interface) - self.assertEqual(get_config_value('password'), password) + ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}') + self.assertIn(f'usev4=ifv4', ddclient_conf) + self.assertIn(f'usev6=ifv6', ddclient_conf) + self.assertIn(f'ifv4={interface}', ddclient_conf) + self.assertIn(f'ifv6={interface}', ddclient_conf) + self.assertIn(f'password={password}', ddclient_conf) for opt in details.keys(): if opt == 'username': - self.assertEqual(get_config_value('login'), details[opt]) + login = details[opt] + self.assertIn(f'login={login}', ddclient_conf) else: - self.assertEqual(get_config_value(opt), details[opt]) + tmp = details[opt] + self.assertIn(f'{opt}={tmp}', ddclient_conf) - def test_dyndns_rfc2136(self): + def test_04_dyndns_rfc2136(self): # Check if DDNS service can be configured and runs ddns = ['address', interface, 'rfc2136', 'vyos'] srv = 'ns1.vyos.io' @@ -170,14 +179,14 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase): self.cli_commit() # Check some generating config parameters - self.assertEqual(get_config_value('use'), 'if') - self.assertEqual(get_config_value('if'), interface) - self.assertEqual(get_config_value('protocol'), 'nsupdate') - self.assertEqual(get_config_value('server'), srv) - self.assertEqual(get_config_value('zone'), zone) - self.assertEqual(get_config_value('password'), key_file.name) - self.assertEqual(get_config_value('ttl'), ttl) - + ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}') + self.assertIn(f'use=if', ddclient_conf) + self.assertIn(f'if={interface}', ddclient_conf) + self.assertIn(f'protocol=nsupdate', ddclient_conf) + self.assertIn(f'server={srv}', ddclient_conf) + self.assertIn(f'zone={zone}', ddclient_conf) + self.assertIn(f'password={key_file.name}', ddclient_conf) + self.assertIn(f'ttl={ttl}', ddclient_conf) if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py new file mode 100755 index 000000000..7cc661688 --- /dev/null +++ b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py @@ -0,0 +1,86 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM +from vyos.configsession import ConfigSessionError +from vyos.utils.process import process_named_running +from vyos.utils.file import read_file + + +PROCESS_NAME = 'zabbix_agent2' +ZABBIX_AGENT_CONF = '/run/zabbix/zabbix-agent2.conf' +base_path = ['service', 'monitoring', 'zabbix-agent'] + + +class TestZabbixAgent(VyOSUnitTestSHIM.TestCase): + def tearDown(self): + # Check for running process + self.assertTrue(process_named_running(PROCESS_NAME)) + + self.cli_delete(base_path) + self.cli_commit() + + # Process must be terminated after deleting the config + self.assertFalse(process_named_running(PROCESS_NAME)) + + def test_01_zabbix_agent(self): + directory = '/tmp' + buffer_send = '8' + buffer_size = '120' + log_level = {'warning': '3'} + log_size = '1' + servers = ['192.0.2.1', '2001:db8::1'] + servers_active = {'192.0.2.5': {'port': '10051'}, '2001:db8::123': {'port': '10052'}} + port = '10050' + timeout = '5' + listen_ip = '0.0.0.0' + + self.cli_set(base_path + ['directory', directory]) + self.cli_set(base_path + ['limits', 'buffer-flush-interval', buffer_send]) + self.cli_set(base_path + ['limits', 'buffer-size', buffer_size]) + self.cli_set(base_path + ['log', 'debug-level', next(iter(log_level))]) + self.cli_set(base_path + ['log', 'size', log_size]) + for server in servers: + self.cli_set(base_path + ['server', server]) + for server_active, server_config in servers_active.items(): + self.cli_set(base_path + ['server-active', server_active, 'port', server_config['port']]) + self.cli_set(base_path + ['timeout', timeout]) + + # commit changes + self.cli_commit() + + config = read_file(ZABBIX_AGENT_CONF) + + self.assertIn(f'LogFileSize={log_size}', config) + self.assertIn(f'DebugLevel={log_level.get("warning")}', config) + + self.assertIn(f'Server={",".join(sorted(servers))}', config) + tmp = 'ServerActive=192.0.2.5:10051,[2001:db8::123]:10052' + self.assertIn(tmp, config) + + self.assertIn(f'ListenPort={port}', config) + self.assertIn(f'ListenIP={listen_ip}', config) + self.assertIn(f'BufferSend={buffer_send}', config) + self.assertIn(f'BufferSize={buffer_size}', config) + self.assertIn(f'Include={directory}/*.conf', config) + self.assertIn(f'Timeout={timeout}', config) + + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_ipv6.py b/smoketest/scripts/cli/test_system_ipv6.py index b540be9ff..978af3766 100755 --- a/smoketest/scripts/cli/test_system_ipv6.py +++ b/smoketest/scripts/cli/test_system_ipv6.py @@ -22,7 +22,7 @@ from vyos.configsession import ConfigSessionError from vyos.template import is_ipv4 from vyos.utils.file import read_file from vyos.utils.network import get_interface_config -from vyos.validate import is_intf_addr_assigned +from vyos.utils.network import is_intf_addr_assigned base_path = ['system', 'ipv6'] diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py index 932f7b4f1..5fb599a87 100755 --- a/smoketest/scripts/cli/test_vrf.py +++ b/smoketest/scripts/cli/test_vrf.py @@ -29,7 +29,7 @@ from vyos.template import is_ipv4 from vyos.utils.process import cmd from vyos.utils.file import read_file from vyos.utils.network import get_interface_config -from vyos.validate import is_intf_addr_assigned +from vyos.utils.network import is_intf_addr_assigned base_path = ['vrf'] vrfs = ['red', 'green', 'blue', 'foo-bar', 'baz_foo'] @@ -47,9 +47,8 @@ class VRFTest(VyOSUnitTestSHIM.TestCase): tmp = os.environ['TEST_ETH'].split() cls._interfaces = tmp else: - for tmp in Section.interfaces('ethernet'): - if not '.' in tmp: - cls._interfaces.append(tmp) + for tmp in Section.interfaces('ethernet', vlan=False): + cls._interfaces.append(tmp) # call base-classes classmethod super(VRFTest, cls).setUpClass() diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index ced5d212e..31c552f5a 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -24,7 +24,7 @@ from vyos.config import Config from vyos.configverify import verify_interface_exists from vyos.template import render from vyos.utils.process import call -from vyos.validate import is_afi_configured +from vyos.utils.network import is_afi_configured from vyos import ConfigError from vyos import airbag airbag.enable() diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index 2a77540f7..9c43640a9 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py @@ -20,7 +20,6 @@ import re from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.firewall import find_nftables_rule from vyos.firewall import remove_nftables_rule from vyos.utils.process import process_named_running @@ -28,7 +27,6 @@ from vyos.utils.dict import dict_search from vyos.utils.process import cmd from vyos.utils.process import run from vyos.template import render -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -77,16 +75,8 @@ def get_config(config=None): base = ['system', 'conntrack'] conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if 'timeout' in default_values and 'custom' in default_values['timeout']: - del default_values['timeout']['custom'] - conntrack = dict_merge(default_values, conntrack) + get_first_key=True, + with_recursive_defaults=True) return conntrack diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/conntrack_sync.py index a83c2274d..4fb2ce27f 100755 --- a/src/conf_mode/conntrack_sync.py +++ b/src/conf_mode/conntrack_sync.py @@ -18,7 +18,6 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configverify import verify_interface_exists from vyos.utils.dict import dict_search from vyos.utils.process import process_named_running @@ -27,8 +26,7 @@ from vyos.utils.process import call from vyos.utils.process import run from vyos.template import render from vyos.template import get_ipv4 -from vyos.validate import is_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() @@ -50,11 +48,7 @@ def get_config(config=None): return None conntrack = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - conntrack = dict_merge(default_values, conntrack) + get_first_key=True, with_defaults=True) conntrack['hash_size'] = read_file('/sys/module/nf_conntrack/parameters/hashsize') conntrack['table_size'] = read_file('/proc/sys/net/netfilter/nf_conntrack_max') diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 3378aac63..ed7cc809c 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -37,7 +37,7 @@ from vyos.template import inc_ip from vyos.template import is_ipv4 from vyos.template import is_ipv6 from vyos.template import render -from vyos.xml import defaults +from vyos.xml_ref import default_value from vyos import ConfigError from vyos import airbag airbag.enable() @@ -66,58 +66,26 @@ def get_config(config=None): base = ['container'] container = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - # container base default values can not be merged here - remove and add them later - if 'name' in default_values: - del default_values['name'] - # registry will be handled below - if 'registry' in default_values: - del default_values['registry'] - container = dict_merge(default_values, container) - - # Merge per-container default values - if 'name' in container: - default_values = defaults(base + ['name']) - if 'port' in default_values: - del default_values['port'] - if 'volume' in default_values: - del default_values['volume'] - for name in container['name']: - container['name'][name] = dict_merge(default_values, container['name'][name]) - - # T5047: Any container related configuration changed? We only - # wan't to restart the required containers and not all of them ... - tmp = is_node_changed(conf, base + ['name', name]) - if tmp: - if 'container_restart' not in container: - container['container_restart'] = [name] - else: - container['container_restart'].append(name) - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if 'port' in container['name'][name]: - for port in container['name'][name]['port']: - default_values_port = defaults(base + ['name', 'port']) - container['name'][name]['port'][port] = dict_merge( - default_values_port, container['name'][name]['port'][port]) - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if 'volume' in container['name'][name]: - for volume in container['name'][name]['volume']: - default_values_volume = defaults(base + ['name', 'volume']) - container['name'][name]['volume'][volume] = dict_merge( - default_values_volume, container['name'][name]['volume'][volume]) + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + + for name in container.get('name', []): + # T5047: Any container related configuration changed? We only + # wan't to restart the required containers and not all of them ... + tmp = is_node_changed(conf, base + ['name', name]) + if tmp: + if 'container_restart' not in container: + container['container_restart'] = [name] + else: + container['container_restart'].append(name) # registry is a tagNode with default values - merge the list from # default_values['registry'] into the tagNode variables if 'registry' not in container: container.update({'registry' : {}}) - default_values = defaults(base) - for registry in default_values['registry'].split(): + default_values = default_value(base + ['registry']) + for registry in default_values: tmp = {registry : {}} container['registry'] = dict_merge(tmp, container['registry']) diff --git a/src/conf_mode/dhcp_relay.py b/src/conf_mode/dhcp_relay.py index fd39bd9fe..37d708847 100755 --- a/src/conf_mode/dhcp_relay.py +++ b/src/conf_mode/dhcp_relay.py @@ -20,12 +20,10 @@ from sys import exit from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.base import Warning from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -41,11 +39,9 @@ def get_config(config=None): if not conf.exists(base): return None - relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - relay = dict_merge(default_values, relay) + relay = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return relay diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index c29270367..280057f04 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py @@ -23,14 +23,12 @@ from netaddr import IPRange from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.dict import dict_search from vyos.utils.process import call from vyos.utils.process import run -from vyos.validate import is_subnet_connected -from vyos.validate import is_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_subnet_connected +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() @@ -109,19 +107,15 @@ def get_config(config=None): if not conf.exists(base): return None - dhcp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - # T2665: defaults include lease time per TAG node which need to be added to - # individual subnet definitions - default_values = defaults(base + ['shared-network-name', 'subnet']) + dhcp = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) if 'shared_network_name' in dhcp: for network, network_config in dhcp['shared_network_name'].items(): if 'subnet' in network_config: for subnet, subnet_config in network_config['subnet'].items(): - if 'lease' not in subnet_config: - dhcp['shared_network_name'][network]['subnet'][subnet] = dict_merge( - default_values, dhcp['shared_network_name'][network]['subnet'][subnet]) - # If exclude IP addresses are defined we need to slice them out of # the defined ranges if {'exclude', 'range'} <= set(subnet_config): diff --git a/src/conf_mode/dhcpv6_relay.py b/src/conf_mode/dhcpv6_relay.py index 0e7da6f89..6537ca3c2 100755 --- a/src/conf_mode/dhcpv6_relay.py +++ b/src/conf_mode/dhcpv6_relay.py @@ -19,14 +19,11 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.ifconfig import Interface from vyos.template import render from vyos.template import is_ipv6 from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos.validate import is_ipv6_link_local -from vyos.xml import defaults +from vyos.utils.network import is_ipv6_link_local from vyos import ConfigError from vyos import airbag airbag.enable() @@ -42,11 +39,9 @@ def get_config(config=None): if not conf.exists(base): return None - relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - relay = dict_merge(default_values, relay) + relay = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return relay diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py index f89ad5b9c..427001609 100755 --- a/src/conf_mode/dhcpv6_server.py +++ b/src/conf_mode/dhcpv6_server.py @@ -25,7 +25,7 @@ from vyos.template import render from vyos.template import is_ipv6 from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.validate import is_subnet_connected +from vyos.utils.network import is_subnet_connected from vyos import ConfigError from vyos import airbag airbag.enable() diff --git a/src/conf_mode/dns_dynamic.py b/src/conf_mode/dns_dynamic.py index d78eb70bc..ab80defe8 100755 --- a/src/conf_mode/dns_dynamic.py +++ b/src/conf_mode/dns_dynamic.py @@ -19,10 +19,8 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -49,16 +47,10 @@ def get_config(config=None): if not conf.exists(base_level): return None - dyndns = conf.get_config_dict(base_level, key_mangling=('-', '_'), get_first_key=True) - - if 'address' in dyndns: - for address in dyndns['address']: - # Apply service specific defaults (svc_type = ['rfc2136', 'service']) - for svc_type in dyndns['address'][address]: - default_values = defaults(base_level + ['address', svc_type]) - for svc_cfg in dyndns['address'][address][svc_type]: - dyndns['address'][address][svc_type][svc_cfg] = dict_merge( - default_values, dyndns['address'][address][svc_type][svc_cfg]) + dyndns = conf.get_config_dict(base_level, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) dyndns['config_file'] = config_file return dyndns diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py index 2d98bffe3..c186f47af 100755 --- a/src/conf_mode/dns_forwarding.py +++ b/src/conf_mode/dns_forwarding.py @@ -21,14 +21,12 @@ from sys import exit from glob import glob from vyos.config import Config -from vyos.configdict import dict_merge from vyos.hostsd_client import Client as hostsd_client from vyos.template import render from vyos.template import bracketize_ipv6 from vyos.utils.process import call from vyos.utils.permission import chown from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag @@ -52,31 +50,10 @@ def get_config(config=None): if not conf.exists(base): return None - dns = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrieved. - default_values = defaults(base) - # T2665 due to how defaults under tag nodes work, we must clear these out before we merge - del default_values['authoritative_domain'] - del default_values['name_server'] - del default_values['domain']['name_server'] - dns = dict_merge(default_values, dns) - - # T2665: we cleared default values for tag node 'name_server' above. - # We now need to add them back back in a granular way. - if 'name_server' in dns: - default_values = defaults(base + ['name-server']) - for server in dns['name_server']: - dns['name_server'][server] = dict_merge(default_values, dns['name_server'][server]) - - # T2665: we cleared default values for tag node 'domain' above. - # We now need to add them back back in a granular way. - if 'domain' in dns: - default_values = defaults(base + ['domain', 'name-server']) - for domain in dns['domain'].keys(): - for server in dns['domain'][domain]['name_server']: - dns['domain'][domain]['name_server'][server] = dict_merge( - default_values, dns['domain'][domain]['name_server'][server]) + dns = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) # some additions to the default dictionary if 'system' in dns: @@ -109,9 +86,6 @@ def get_config(config=None): rdata = recorddata[rtype][subnode] if rtype in [ 'a', 'aaaa' ]: - rdefaults = defaults(base + ['authoritative-domain', 'records', rtype]) # T2665 - rdata = dict_merge(rdefaults, rdata) - if not 'address' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one address is required') continue @@ -127,9 +101,6 @@ def get_config(config=None): 'value': address }) elif rtype in ['cname', 'ptr', 'ns']: - rdefaults = defaults(base + ['authoritative-domain', 'records', rtype]) # T2665 - rdata = dict_merge(rdefaults, rdata) - if not 'target' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: target is required') continue @@ -141,18 +112,12 @@ def get_config(config=None): 'value': '{}.'.format(rdata['target']) }) elif rtype == 'mx': - rdefaults = defaults(base + ['authoritative-domain', 'records', rtype]) # T2665 - del rdefaults['server'] - rdata = dict_merge(rdefaults, rdata) - if not 'server' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one server is required') continue for servername in rdata['server']: serverdata = rdata['server'][servername] - serverdefaults = defaults(base + ['authoritative-domain', 'records', rtype, 'server']) # T2665 - serverdata = dict_merge(serverdefaults, serverdata) zone['records'].append({ 'name': subnode, 'type': rtype.upper(), @@ -160,9 +125,6 @@ def get_config(config=None): 'value': '{} {}.'.format(serverdata['priority'], servername) }) elif rtype == 'txt': - rdefaults = defaults(base + ['authoritative-domain', 'records', rtype]) # T2665 - rdata = dict_merge(rdefaults, rdata) - if not 'value' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one value is required') continue @@ -175,9 +137,6 @@ def get_config(config=None): 'value': "\"{}\"".format(value.replace("\"", "\\\"")) }) elif rtype == 'spf': - rdefaults = defaults(base + ['authoritative-domain', 'records', rtype]) # T2665 - rdata = dict_merge(rdefaults, rdata) - if not 'value' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: value is required') continue @@ -189,19 +148,12 @@ def get_config(config=None): 'value': '"{}"'.format(rdata['value'].replace("\"", "\\\"")) }) elif rtype == 'srv': - rdefaults = defaults(base + ['authoritative-domain', 'records', rtype]) # T2665 - del rdefaults['entry'] - rdata = dict_merge(rdefaults, rdata) - if not 'entry' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one entry is required') continue for entryno in rdata['entry']: entrydata = rdata['entry'][entryno] - entrydefaults = defaults(base + ['authoritative-domain', 'records', rtype, 'entry']) # T2665 - entrydata = dict_merge(entrydefaults, entrydata) - if not 'hostname' in entrydata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: hostname is required for entry {entryno}') continue @@ -217,19 +169,12 @@ def get_config(config=None): 'value': '{} {} {} {}.'.format(entrydata['priority'], entrydata['weight'], entrydata['port'], entrydata['hostname']) }) elif rtype == 'naptr': - rdefaults = defaults(base + ['authoritative-domain', 'records', rtype]) # T2665 - del rdefaults['rule'] - rdata = dict_merge(rdefaults, rdata) - - if not 'rule' in rdata: dns['authoritative_zone_errors'].append(f'{subnode}.{node}: at least one rule is required') continue for ruleno in rdata['rule']: ruledata = rdata['rule'][ruleno] - ruledefaults = defaults(base + ['authoritative-domain', 'records', rtype, 'rule']) # T2665 - ruledata = dict_merge(ruledefaults, ruledata) flags = "" if 'lookup-srv' in ruledata: flags += "S" diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 07166d457..e946704b3 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -23,7 +23,6 @@ from sys import exit from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configdiff import get_config_diff, Diff from vyos.configdep import set_dependents, call_dependents @@ -37,7 +36,6 @@ from vyos.utils.dict import dict_search_args from vyos.utils.dict import dict_search_recursive from vyos.utils.process import process_named_running from vyos.utils.process import rc_cmd -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -97,19 +95,22 @@ def geoip_updated(conf, firewall): updated = False for key, path in dict_search_recursive(firewall, 'geoip'): - set_name = f'GEOIP_CC_{path[1]}_{path[3]}' - if path[0] == 'name': + set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' + if (path[0] == 'ipv4'): out['name'].append(set_name) - elif path[0] == 'ipv6_name': + elif (path[0] == 'ipv6'): + set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}' out['ipv6_name'].append(set_name) + updated = True if 'delete' in node_diff: for key, path in dict_search_recursive(node_diff['delete'], 'geoip'): - set_name = f'GEOIP_CC_{path[1]}_{path[3]}' - if path[0] == 'name': + set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' + if (path[0] == 'ipv4'): out['deleted_name'].append(set_name) - elif path[0] == 'ipv6-name': + elif (path[0] == 'ipv6'): + set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' out['deleted_ipv6_name'].append(set_name) updated = True @@ -125,54 +126,17 @@ def get_config(config=None): conf = Config() base = ['firewall'] - firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) - - # We have gathered the dict representation of the CLI, but there are - # default options which we need to update into the dictionary retrived. - # XXX: T2665: we currently have no nice way for defaults under tag - # nodes, thus we load the defaults "by hand" - default_values = defaults(base) - for tmp in ['name', 'ipv6_name']: - if tmp in default_values: - del default_values[tmp] - - if 'zone' in default_values: - del default_values['zone'] - - firewall = dict_merge(default_values, firewall) - - # Merge in defaults for IPv4 ruleset - if 'name' in firewall: - default_values = defaults(base + ['name']) - for name in firewall['name']: - firewall['name'][name] = dict_merge(default_values, - firewall['name'][name]) - - # Merge in defaults for IPv6 ruleset - if 'ipv6_name' in firewall: - default_values = defaults(base + ['ipv6-name']) - for ipv6_name in firewall['ipv6_name']: - firewall['ipv6_name'][ipv6_name] = dict_merge(default_values, - firewall['ipv6_name'][ipv6_name]) - - if 'zone' in firewall: - default_values = defaults(base + ['zone']) - for zone in firewall['zone']: - firewall['zone'][zone] = dict_merge(default_values, firewall['zone'][zone]) + firewall = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) + firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group'])) if firewall['group_resync']: # Update nat and policy-route as firewall groups were updated set_dependents('group_resync', conf) - if 'config_trap' in firewall and firewall['config_trap'] == 'enable': - diff = get_config_diff(conf) - firewall['trap_diff'] = diff.get_child_nodes_diff_str(base) - firewall['trap_targets'] = conf.get_config_dict(['service', 'snmp', 'trap-target'], - key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) - firewall['geoip_updated'] = geoip_updated(conf, firewall) fqdn_config_parse(firewall) @@ -191,11 +155,11 @@ def verify_rule(firewall, rule_conf, ipv6): raise ConfigError('jump-target defined, but action jump needed and it is not defined') target = rule_conf['jump_target'] if not ipv6: - if target not in dict_search_args(firewall, 'name'): + if target not in dict_search_args(firewall, 'ipv4', 'name'): raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') else: - if target not in dict_search_args(firewall, 'ipv6_name'): - raise ConfigError(f'Invalid jump-target. Firewall ipv6-name {target} does not exist on the system') + if target not in dict_search_args(firewall, 'ipv6', 'name'): + raise ConfigError(f'Invalid jump-target. Firewall ipv6 name {target} does not exist on the system') if 'queue_options' in rule_conf: if 'queue' not in rule_conf['action']: @@ -312,10 +276,6 @@ def verify_nested_group(group_name, group, groups, seen): verify_nested_group(g, groups[g], groups, seen) def verify(firewall): - if 'config_trap' in firewall and firewall['config_trap'] == 'enable': - if not firewall['trap_targets']: - raise ConfigError(f'Firewall config-trap enabled but "service snmp trap-target" is not defined') - if 'group' in firewall: for group_type in nested_group_types: if group_type in firewall['group']: @@ -323,95 +283,45 @@ def verify(firewall): for group_name, group in groups.items(): verify_nested_group(group_name, group, groups, []) - for name in ['name', 'ipv6_name']: - if name in firewall: - for name_id, name_conf in firewall[name].items(): - if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf: - raise ConfigError('default-action set to jump, but no default-jump-target specified') - if 'default_jump_target' in name_conf: - target = name_conf['default_jump_target'] - if 'jump' not in name_conf['default_action']: - raise ConfigError('default-jump-target defined,but default-action jump needed and it is not defined') - if name_conf['default_jump_target'] == name_id: - raise ConfigError(f'Loop detected on default-jump-target.') - ## Now need to check that default-jump-target exists (other firewall chain/name) - if target not in dict_search_args(firewall, name): - raise ConfigError(f'Invalid jump-target. Firewall {name} {target} does not exist on the system') - - if 'rule' in name_conf: - for rule_id, rule_conf in name_conf['rule'].items(): - verify_rule(firewall, rule_conf, name == 'ipv6_name') - - if 'interface' in firewall: - for ifname, if_firewall in firewall['interface'].items(): - # verify ifname needs to be disabled, dynamic devices come up later - # verify_interface_exists(ifname) - - for direction in ['in', 'out', 'local']: - name = dict_search_args(if_firewall, direction, 'name') - ipv6_name = dict_search_args(if_firewall, direction, 'ipv6_name') - - if name and dict_search_args(firewall, 'name', name) == None: - raise ConfigError(f'Invalid firewall name "{name}" referenced on interface {ifname}') - - if ipv6_name and dict_search_args(firewall, 'ipv6_name', ipv6_name) == None: - raise ConfigError(f'Invalid firewall ipv6-name "{ipv6_name}" referenced on interface {ifname}') - - local_zone = False - zone_interfaces = [] - - if 'zone' in firewall: - for zone, zone_conf in firewall['zone'].items(): - if 'local_zone' not in zone_conf and 'interface' not in zone_conf: - raise ConfigError(f'Zone "{zone}" has no interfaces and is not the local zone') - - if 'local_zone' in zone_conf: - if local_zone: - raise ConfigError('There cannot be multiple local zones') - if 'interface' in zone_conf: - raise ConfigError('Local zone cannot have interfaces assigned') - if 'intra_zone_filtering' in zone_conf: - raise ConfigError('Local zone cannot use intra-zone-filtering') - local_zone = True - - if 'interface' in zone_conf: - found_duplicates = [intf for intf in zone_conf['interface'] if intf in zone_interfaces] - - if found_duplicates: - raise ConfigError(f'Interfaces cannot be assigned to multiple zones') - - zone_interfaces += zone_conf['interface'] - - if 'intra_zone_filtering' in zone_conf: - intra_zone = zone_conf['intra_zone_filtering'] - - if len(intra_zone) > 1: - raise ConfigError('Only one intra-zone-filtering action must be specified') - - if 'firewall' in intra_zone: - v4_name = dict_search_args(intra_zone, 'firewall', 'name') - if v4_name and not dict_search_args(firewall, 'name', v4_name): - raise ConfigError(f'Firewall name "{v4_name}" does not exist') - - v6_name = dict_search_args(intra_zone, 'firewall', 'ipv6_name') - if v6_name and not dict_search_args(firewall, 'ipv6_name', v6_name): - raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist') - - if not v4_name and not v6_name: - raise ConfigError('No firewall names specified for intra-zone-filtering') - - if 'from' in zone_conf: - for from_zone, from_conf in zone_conf['from'].items(): - if from_zone not in firewall['zone']: - raise ConfigError(f'Zone "{zone}" refers to a non-existent or deleted zone "{from_zone}"') - - v4_name = dict_search_args(from_conf, 'firewall', 'name') - if v4_name and not dict_search_args(firewall, 'name', v4_name): - raise ConfigError(f'Firewall name "{v4_name}" does not exist') - - v6_name = dict_search_args(from_conf, 'firewall', 'ipv6_name') - if v6_name and not dict_search_args(firewall, 'ipv6_name', v6_name): - raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist') + if 'ipv4' in firewall: + for name in ['name','forward','input','output']: + if name in firewall['ipv4']: + for name_id, name_conf in firewall['ipv4'][name].items(): + if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf: + raise ConfigError('default-action set to jump, but no default-jump-target specified') + if 'default_jump_target' in name_conf: + target = name_conf['default_jump_target'] + if 'jump' not in name_conf['default_action']: + raise ConfigError('default-jump-target defined, but default-action jump needed and it is not defined') + if name_conf['default_jump_target'] == name_id: + raise ConfigError(f'Loop detected on default-jump-target.') + ## Now need to check that default-jump-target exists (other firewall chain/name) + if target not in dict_search_args(firewall['ipv4'], 'name'): + raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') + + if 'rule' in name_conf: + for rule_id, rule_conf in name_conf['rule'].items(): + verify_rule(firewall, rule_conf, False) + + if 'ipv6' in firewall: + for name in ['name','forward','input','output']: + if name in firewall['ipv6']: + for name_id, name_conf in firewall['ipv6'][name].items(): + if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf: + raise ConfigError('default-action set to jump, but no default-jump-target specified') + if 'default_jump_target' in name_conf: + target = name_conf['default_jump_target'] + if 'jump' not in name_conf['default_action']: + raise ConfigError('default-jump-target defined, but default-action jump needed and it is not defined') + if name_conf['default_jump_target'] == name_id: + raise ConfigError(f'Loop detected on default-jump-target.') + ## Now need to check that default-jump-target exists (other firewall chain/name) + if target not in dict_search_args(firewall['ipv6'], 'name'): + raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') + + if 'rule' in name_conf: + for rule_id, rule_conf in name_conf['rule'].items(): + verify_rule(firewall, rule_conf, True) return None @@ -419,19 +329,6 @@ def generate(firewall): if not os.path.exists(nftables_conf): firewall['first_install'] = True - if 'zone' in firewall: - for local_zone, local_zone_conf in firewall['zone'].items(): - if 'local_zone' not in local_zone_conf: - continue - - local_zone_conf['from_local'] = {} - - for zone, zone_conf in firewall['zone'].items(): - if zone == local_zone or 'from' not in zone_conf: - continue - if local_zone in zone_conf['from']: - local_zone_conf['from_local'][zone] = zone_conf['from'][local_zone] - render(nftables_conf, 'firewall/nftables.j2', firewall) return None @@ -440,9 +337,8 @@ def apply_sysfs(firewall): paths = glob(conf['sysfs']) value = None - if name in firewall: - conf_value = firewall[name] - + if name in firewall['global_options']: + conf_value = firewall['global_options'][name] if conf_value in conf: value = conf[conf_value] elif conf_value == 'enable': @@ -459,9 +355,6 @@ def post_apply_trap(firewall): if 'first_install' in firewall: return None - if 'config_trap' not in firewall or firewall['config_trap'] != 'enable': - return None - if not process_named_running('snmpd'): return None diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index bfe906c87..71acd69fa 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py @@ -22,14 +22,13 @@ from ipaddress import ip_address from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge +from vyos.config import config_dict_merge from vyos.configverify import verify_vrf from vyos.ifconfig import Section from vyos.template import render from vyos.utils.process import call from vyos.utils.process import cmd -from vyos.validate import is_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() @@ -128,30 +127,19 @@ def get_config(config=None): flow_accounting = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) + # We have gathered the dict representation of the CLI, but there are + # default values which we need to conditionally update into the + # dictionary retrieved. + default_values = conf.get_config_defaults(**flow_accounting.kwargs, + recursive=True) - # delete individual flow type default - should only be added if user uses - # this feature + # delete individual flow type defaults - should only be added if user + # sets this feature for flow_type in ['sflow', 'netflow']: - if flow_type in default_values: + if flow_type not in flow_accounting and flow_type in default_values: del default_values[flow_type] - flow_accounting = dict_merge(default_values, flow_accounting) - for flow_type in ['sflow', 'netflow']: - if flow_type in flow_accounting: - default_values = defaults(base + [flow_type]) - # we need to merge individual server configurations - if 'server' in default_values: - del default_values['server'] - flow_accounting[flow_type] = dict_merge(default_values, flow_accounting[flow_type]) - - if 'server' in flow_accounting[flow_type]: - default_values = defaults(base + [flow_type, 'server']) - for server in flow_accounting[flow_type]['server']: - flow_accounting[flow_type]['server'][server] = dict_merge( - default_values,flow_accounting[flow_type]['server'][server]) + flow_accounting = config_dict_merge(default_values, flow_accounting) return flow_accounting diff --git a/src/conf_mode/high-availability.py b/src/conf_mode/high-availability.py index 0cbd4c49c..626a3757e 100755 --- a/src/conf_mode/high-availability.py +++ b/src/conf_mode/high-availability.py @@ -14,7 +14,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os from sys import exit from ipaddress import ip_interface @@ -23,14 +22,11 @@ from ipaddress import IPv6Interface from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.ifconfig.vrrp import VRRP from vyos.template import render from vyos.template import is_ipv4 from vyos.template import is_ipv6 from vyos.utils.process import call -from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -42,42 +38,12 @@ def get_config(config=None): conf = Config() base = ['high-availability'] - base_vrrp = ['high-availability', 'vrrp'] if not conf.exists(base): return None ha = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - if 'vrrp' in ha: - if dict_search('vrrp.global_parameters.garp', ha) != None: - default_values = defaults(base_vrrp + ['global-parameters', 'garp']) - ha['vrrp']['global_parameters']['garp'] = dict_merge( - default_values, ha['vrrp']['global_parameters']['garp']) - - if 'group' in ha['vrrp']: - default_values = defaults(base_vrrp + ['group']) - default_values_garp = defaults(base_vrrp + ['group', 'garp']) - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if 'garp' in default_values: - del default_values['garp'] - for group in ha['vrrp']['group']: - ha['vrrp']['group'][group] = dict_merge(default_values, ha['vrrp']['group'][group]) - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if 'garp' in ha['vrrp']['group'][group]: - ha['vrrp']['group'][group]['garp'] = dict_merge( - default_values_garp, ha['vrrp']['group'][group]['garp']) - - # Merge per virtual-server default values - if 'virtual_server' in ha: - default_values = defaults(base + ['virtual-server']) - for vs in ha['virtual_server']: - ha['virtual_server'][vs] = dict_merge(default_values, ha['virtual_server'][vs]) + no_tag_node_value_mangle=True, + get_first_key=True, with_defaults=True) ## Get the sync group used for conntrack-sync conntrack_path = ['service', 'conntrack-sync', 'failover-mechanism', 'vrrp', 'sync-group'] @@ -112,7 +78,7 @@ def verify(ha): from vyos.utils.dict import check_mutually_exclusive_options try: check_mutually_exclusive_options(group_config["health_check"], health_check_types, required=True) - except ValueError as e: + except ValueError: Warning(f'Health check configuration for VRRP group "{group}" will remain unused ' \ f'until it has one of the following options: {health_check_types}') # XXX: health check has default options so we need to remove it diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py index 7bdf448a3..793a90d88 100755 --- a/src/conf_mode/http-api.py +++ b/src/conf_mode/http-api.py @@ -24,12 +24,9 @@ from copy import deepcopy import vyos.defaults from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configdep import set_dependents, call_dependents from vyos.template import render -from vyos.utils.process import cmd from vyos.utils.process import call -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -72,8 +69,9 @@ def get_config(config=None): return None api_dict = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True) + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) # One needs to 'flatten' the keys dict from the config into the # http-api.conf format for api_keys: @@ -93,8 +91,8 @@ def get_config(config=None): if 'api_keys' in api_dict: keys_added = True - if 'graphql' in api_dict: - api_dict = dict_merge(defaults(base), api_dict) + if api_dict.from_defaults(['graphql']): + del api_dict['graphql'] http_api.update(api_dict) diff --git a/src/conf_mode/igmp_proxy.py b/src/conf_mode/igmp_proxy.py index 4ec2f1835..40db417dd 100755 --- a/src/conf_mode/igmp_proxy.py +++ b/src/conf_mode/igmp_proxy.py @@ -21,11 +21,9 @@ from netifaces import interfaces from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -39,16 +37,9 @@ def get_config(config=None): conf = Config() base = ['protocols', 'igmp-proxy'] - igmp_proxy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - if 'interface' in igmp_proxy: - # T2665: we must add the tagNode defaults individually until this is - # moved to the base class - default_values = defaults(base + ['interface']) - for interface in igmp_proxy['interface']: - igmp_proxy['interface'][interface] = dict_merge(default_values, - igmp_proxy['interface'][interface]) - + igmp_proxy = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_defaults=True) if conf.exists(['protocols', 'igmp']): igmp_proxy.update({'igmp_configured': ''}) diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py index c2a569fa9..0bd306ed0 100755 --- a/src/conf_mode/interfaces-bonding.py +++ b/src/conf_mode/interfaces-bonding.py @@ -36,8 +36,8 @@ from vyos.configverify import verify_vrf from vyos.ifconfig import BondIf from vyos.ifconfig import Section from vyos.utils.dict import dict_search -from vyos.validate import has_address_configured -from vyos.validate import has_vrf_configured +from vyos.configdict import has_address_configured +from vyos.configdict import has_vrf_configured from vyos import ConfigError from vyos import airbag airbag.enable() @@ -195,11 +195,11 @@ def verify(bond): raise ConfigError(error_msg + 'it does not exist!') if 'is_bridge_member' in interface_config: - tmp = interface_config['is_bridge_member'] + tmp = next(iter(interface_config['is_bridge_member'])) raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!') if 'is_bond_member' in interface_config: - tmp = interface_config['is_bond_member'] + tmp = next(iter(interface_config['is_bond_member'])) raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!') if 'is_source_interface' in interface_config: diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py index 087ead20a..c82f01e53 100755 --- a/src/conf_mode/interfaces-bridge.py +++ b/src/conf_mode/interfaces-bridge.py @@ -14,10 +14,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os - from sys import exit -from netifaces import interfaces from vyos.config import Config from vyos.configdict import get_interface_dict @@ -25,16 +22,13 @@ from vyos.configdict import node_changed from vyos.configdict import is_member from vyos.configdict import is_source_interface from vyos.configdict import has_vlan_subinterface_configured -from vyos.configdict import dict_merge from vyos.configverify import verify_dhcpv6 from vyos.configverify import verify_mirror_redirect from vyos.configverify import verify_vrf from vyos.ifconfig import BridgeIf -from vyos.validate import has_address_configured -from vyos.validate import has_vrf_configured -from vyos.xml import defaults +from vyos.configdict import has_address_configured +from vyos.configdict import has_vrf_configured -from vyos.utils.process import cmd from vyos.utils.dict import dict_search from vyos import ConfigError @@ -61,22 +55,8 @@ def get_config(config=None): else: bridge.update({'member' : {'interface_remove' : tmp }}) - if dict_search('member.interface', bridge) != None: - # XXX: T2665: we need a copy of the dict keys for iteration, else we will get: - # RuntimeError: dictionary changed size during iteration + if dict_search('member.interface', bridge) is not None: for interface in list(bridge['member']['interface']): - for key in ['cost', 'priority']: - if interface == key: - del bridge['member']['interface'][key] - continue - - # the default dictionary is not properly paged into the dict (see T2665) - # thus we will ammend it ourself - default_member_values = defaults(base + ['member', 'interface']) - for interface,interface_config in bridge['member']['interface'].items(): - bridge['member']['interface'][interface] = dict_merge( - default_member_values, bridge['member']['interface'][interface]) - # Check if member interface is already member of another bridge tmp = is_member(conf, interface, 'bridge') if tmp and bridge['ifname'] not in tmp: diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py index 6efeac302..e1db3206e 100755 --- a/src/conf_mode/interfaces-l2tpv3.py +++ b/src/conf_mode/interfaces-l2tpv3.py @@ -29,7 +29,7 @@ from vyos.configverify import verify_mirror_redirect from vyos.configverify import verify_bond_bridge_member from vyos.ifconfig import L2TPv3If from vyos.utils.kernel import check_kmod -from vyos.validate import is_addr_assigned +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 3bef9b8f6..26b217d98 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -61,7 +61,7 @@ from vyos.utils.kernel import unload_kmod from vyos.utils.process import call from vyos.utils.permission import chown from vyos.utils.process import cmd -from vyos.validate import is_addr_assigned +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag @@ -189,16 +189,7 @@ def verify_pki(openvpn): if dict_search_args(pki, 'certificate', tls['certificate'], 'private', 'password_protected') is not None: raise ConfigError(f'Cannot use encrypted private key on openvpn interface {interface}') - if mode == 'server' and 'dh_params' not in tls and not is_ec_private_key(pki, tls['certificate']): - raise ConfigError('Must specify "tls dh-params" when not using EC keys in server mode') - if 'dh_params' in tls: - if 'dh' not in pki: - raise ConfigError('There are no DH parameters in PKI configuration') - - if tls['dh_params'] not in pki['dh']: - raise ConfigError(f'Invalid dh-params on openvpn interface {interface}') - pki_dh = pki['dh'][tls['dh_params']] dh_params = load_dh_parameters(pki_dh['parameters']) dh_numbers = dh_params.parameter_numbers() @@ -207,6 +198,7 @@ def verify_pki(openvpn): if dh_bits < 2048: raise ConfigError(f'Minimum DH key-size is 2048 bits') + if 'auth_key' in tls or 'crypt_key' in tls: if not dict_search_args(pki, 'openvpn', 'shared_secret'): raise ConfigError('There are no openvpn shared-secrets in PKI configuration') @@ -495,9 +487,6 @@ def verify(openvpn): if openvpn['protocol'] == 'tcp-active': raise ConfigError('Cannot specify "tcp-active" when "tls role" is "passive"') - if not dict_search('tls.dh_params', openvpn): - raise ConfigError('Must specify "tls dh-params" when "tls role" is "passive"') - if 'certificate' in openvpn['tls'] and is_ec_private_key(openvpn['pki'], openvpn['tls']['certificate']): if 'dh_params' in openvpn['tls']: print('Warning: using dh-params and EC keys simultaneously will ' \ diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index 6a075970e..91aed9cc3 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -55,6 +55,9 @@ def get_config(config=None): tmp = is_node_changed(conf, base + [ifname, 'encapsulation']) if tmp: tunnel.update({'encapsulation_changed': {}}) + tmp = is_node_changed(conf, base + [ifname, 'parameters', 'ip', 'key']) + if tmp: tunnel.update({'key_changed': {}}) + # We also need to inspect other configured tunnels as there are Kernel # restrictions where we need to comply. E.g. GRE tunnel key can't be used # twice, or with multiple GRE tunnels to the same location we must specify @@ -197,7 +200,8 @@ def apply(tunnel): remote = dict_search('linkinfo.info_data.remote', tmp) if ('deleted' in tunnel or 'encapsulation_changed' in tunnel or encap in - ['gretap', 'ip6gretap', 'erspan', 'ip6erspan'] or remote in ['any']): + ['gretap', 'ip6gretap', 'erspan', 'ip6erspan'] or remote in ['any'] or + 'key_changed' in tunnel): if interface in interfaces(): tmp = Interface(interface) tmp.remove() diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index b1536148c..a3b0867e0 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -87,8 +87,8 @@ def verify(vxlan): raise ConfigError('Multicast VXLAN requires an underlaying interface') verify_source_interface(vxlan) - if not any(tmp in ['group', 'remote', 'source_address'] for tmp in vxlan): - raise ConfigError('Group, remote or source-address must be configured') + if not any(tmp in ['group', 'remote', 'source_address', 'source_interface'] for tmp in vxlan): + raise ConfigError('Group, remote, source-address or source-interface must be configured') if 'vni' not in vxlan and 'external' not in vxlan: raise ConfigError( diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index a02baba82..446399255 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2022 VyOS maintainers and contributors +# Copyright (C) 2018-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -29,10 +29,12 @@ from vyos.configverify import verify_bond_bridge_member from vyos.ifconfig import WireGuardIf from vyos.utils.kernel import check_kmod from vyos.utils.network import check_port_availability +from vyos.utils.network import is_wireguard_key_pair from vyos import ConfigError from vyos import airbag airbag.enable() + def get_config(config=None): """ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the @@ -105,6 +107,9 @@ def verify(wireguard): if peer['public_key'] in public_keys: raise ConfigError(f'Duplicate public-key defined on peer "{tmp}"') + if 'disable' not in peer and is_wireguard_key_pair(wireguard['private_key'], peer['public_key']): + raise ConfigError(f'Peer "{tmp}" has the same public key as the interface "{wireguard["ifname"]}"') + public_keys.append(peer['public_key']) def apply(wireguard): diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py index 42326bea0..e49ad25ac 100755 --- a/src/conf_mode/interfaces-wireless.py +++ b/src/conf_mode/interfaces-wireless.py @@ -79,27 +79,9 @@ def get_config(config=None): ifname, wifi = get_interface_dict(conf, base) - # Cleanup "delete" default values when required user selectable values are - # not defined at all - tmp = conf.get_config_dict(base + [ifname], key_mangling=('-', '_'), - get_first_key=True) - if not (dict_search('security.wpa.passphrase', tmp) or - dict_search('security.wpa.radius', tmp)): - if 'deleted' not in wifi: - del wifi['security']['wpa'] - # if 'security' key is empty, drop it too - if len(wifi['security']) == 0: - del wifi['security'] - - # defaults include RADIUS server specifics per TAG node which need to be - # added to individual RADIUS servers instead - so we can simply delete them - if dict_search('security.wpa.radius.server.port', wifi) != None: - del wifi['security']['wpa']['radius']['server']['port'] - if not len(wifi['security']['wpa']['radius']['server']): - del wifi['security']['wpa']['radius'] - if not len(wifi['security']['wpa']): - del wifi['security']['wpa'] - if not len(wifi['security']): + if 'deleted' not in wifi: + # then get_interface_dict provides default keys + if wifi.from_defaults(['security']): # if not set by user del wifi['security'] if 'security' in wifi and 'wpa' in wifi['security']: @@ -120,14 +102,6 @@ def get_config(config=None): tmp = find_other_stations(conf, base, wifi['ifname']) if tmp: wifi['station_interfaces'] = tmp - # Add individual RADIUS server default values - if dict_search('security.wpa.radius.server', wifi): - default_values = defaults(base + ['security', 'wpa', 'radius', 'server']) - - for server in dict_search('security.wpa.radius.server', wifi): - wifi['security']['wpa']['radius']['server'][server] = dict_merge( - default_values, wifi['security']['wpa']['radius']['server'][server]) - return wifi def verify(wifi): diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py index 0e5fc29d3..c2e87d171 100755 --- a/src/conf_mode/lldp.py +++ b/src/conf_mode/lldp.py @@ -20,13 +20,11 @@ from sys import exit from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge -from vyos.validate import is_addr_assigned -from vyos.validate import is_loopback_addr +from vyos.utils.network import is_addr_assigned +from vyos.utils.network import is_loopback_addr from vyos.version import get_version_data from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos.template import render from vyos import ConfigError from vyos import airbag @@ -46,7 +44,9 @@ def get_config(config=None): return {} lldp = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) if conf.exists(['service', 'snmp']): lldp['system_snmp_enabled'] = '' @@ -54,27 +54,12 @@ def get_config(config=None): version_data = get_version_data() lldp['version'] = version_data['version'] - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - # location coordinates have a default value - if 'interface' in lldp: - for interface, interface_config in lldp['interface'].items(): - default_values = defaults(base + ['interface']) - if dict_search('location.coordinate_based', interface_config) == None: - # no location specified - no need to add defaults - del default_values['location']['coordinate_based']['datum'] - del default_values['location']['coordinate_based']['altitude'] - - # cleanup default_values dictionary from inner to outer - # this might feel overkill here, but it does support easy extension - # in the future with additional default values - if len(default_values['location']['coordinate_based']) == 0: - del default_values['location']['coordinate_based'] - if len(default_values['location']) == 0: - del default_values['location'] - - lldp['interface'][interface] = dict_merge(default_values, - lldp['interface'][interface]) + # prune location information if not set by user + for interface in lldp.get('interface', []): + if lldp.from_defaults(['interface', interface, 'location']): + del lldp['interface'][interface]['location'] + elif lldp.from_defaults(['interface', interface, 'location','coordinate_based']): + del lldp['interface'][interface]['location']['coordinate_based'] return lldp diff --git a/src/conf_mode/load-balancing-haproxy.py b/src/conf_mode/load-balancing-haproxy.py index 2fb0edf8e..8fe429653 100755 --- a/src/conf_mode/load-balancing-haproxy.py +++ b/src/conf_mode/load-balancing-haproxy.py @@ -20,14 +20,12 @@ from sys import exit from shutil import rmtree from vyos.config import Config -from vyos.configdict import dict_merge from vyos.utils.process import call from vyos.utils.network import check_port_availability from vyos.utils.network import is_listen_port_bind_service from vyos.pki import wrap_certificate from vyos.pki import wrap_private_key from vyos.template import render -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -54,18 +52,8 @@ def get_config(config=None): lb['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - if 'backend' in default_values: - del default_values['backend'] if lb: - lb = dict_merge(default_values, lb) - - if 'backend' in lb: - for backend in lb['backend']: - default_balues_backend = defaults(base + ['backend']) - lb['backend'][backend] = dict_merge(default_balues_backend, lb['backend'][backend]) + lb = conf.merge_defaults(lb, recursive=True) return lb diff --git a/src/conf_mode/load-balancing-wan.py b/src/conf_mode/load-balancing-wan.py index 3533a5a04..ad9c80d72 100755 --- a/src/conf_mode/load-balancing-wan.py +++ b/src/conf_mode/load-balancing-wan.py @@ -21,10 +21,8 @@ from shutil import rmtree from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.utils.process import cmd from vyos.template import render -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -41,48 +39,15 @@ def get_config(config=None): conf = Config() base = ['load-balancing', 'wan'] - lb = conf.get_config_dict(base, + lb = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, get_first_key=True, - key_mangling=('-', '_'), - no_tag_node_value_mangle=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - # lb base default values can not be merged here - remove and add them later - if 'interface_health' in default_values: - del default_values['interface_health'] - if 'rule' in default_values: - del default_values['rule'] - lb = dict_merge(default_values, lb) - - if 'interface_health' in lb: - for iface in lb.get('interface_health'): - default_values_iface = defaults(base + ['interface-health']) - if 'test' in default_values_iface: - del default_values_iface['test'] - lb['interface_health'][iface] = dict_merge( - default_values_iface, lb['interface_health'][iface]) - if 'test' in lb['interface_health'][iface]: - for node_test in lb['interface_health'][iface]['test']: - default_values_test = defaults(base + - ['interface-health', 'test']) - lb['interface_health'][iface]['test'][node_test] = dict_merge( - default_values_test, - lb['interface_health'][iface]['test'][node_test]) - - if 'rule' in lb: - for rule in lb.get('rule'): - default_values_rule = defaults(base + ['rule']) - if 'interface' in default_values_rule: - del default_values_rule['interface'] - lb['rule'][rule] = dict_merge(default_values_rule, lb['rule'][rule]) - if not conf.exists(base + ['rule', rule, 'limit']): - del lb['rule'][rule]['limit'] - if 'interface' in lb['rule'][rule]: - for iface in lb['rule'][rule]['interface']: - default_values_rule_iface = defaults(base + ['rule', 'interface']) - lb['rule'][rule]['interface'][iface] = dict_merge(default_values_rule_iface, lb['rule'][rule]['interface'][iface]) + with_recursive_defaults=True) + + # prune limit key if not set by user + for rule in lb.get('rule', []): + if lb.from_defaults(['rule', rule, 'limit']): + del lb['rule'][rule]['limit'] return lb diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index e19b12937..f9d711b36 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -25,7 +25,6 @@ from netifaces import interfaces from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.template import is_ip_network from vyos.utils.kernel import check_kmod @@ -33,8 +32,7 @@ from vyos.utils.dict import dict_search from vyos.utils.dict import dict_search_args from vyos.utils.process import cmd from vyos.utils.process import run -from vyos.validate import is_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag @@ -126,6 +124,18 @@ def verify_rule(config, err_msg, groups_dict): if config['protocol'] not in ['tcp', 'udp', 'tcp_udp']: raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port-group') + if 'load_balance' in config: + for item in ['source-port', 'destination-port']: + if item in config['load_balance']['hash'] and config['protocol'] not in ['tcp', 'udp']: + raise ConfigError('Protocol must be tcp or udp when specifying hash ports') + count = 0 + if 'backend' in config['load_balance']: + for member in config['load_balance']['backend']: + weight = config['load_balance']['backend'][member]['weight'] + count = count + int(weight) + if count != 100: + Warning(f'Sum of weight for nat load balance rule is not 100. You may get unexpected behaviour') + def get_config(config=None): if config: conf = config @@ -133,16 +143,9 @@ def get_config(config=None): conf = Config() base = ['nat'] - nat = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - # T2665: we must add the tagNode defaults individually until this is - # moved to the base class - for direction in ['source', 'destination', 'static']: - if direction in nat: - default_values = defaults(base + [direction, 'rule']) - for rule in dict_search(f'{direction}.rule', nat) or []: - nat[direction]['rule'][rule] = dict_merge(default_values, - nat[direction]['rule'][rule]) + nat = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) # read in current nftable (once) for further processing tmp = cmd('nft -j list table raw') @@ -199,7 +202,7 @@ def verify(nat): Warning(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') if not dict_search('translation.address', config) and not dict_search('translation.port', config): - if 'exclude' not in config: + if 'exclude' not in config and 'backend' not in config['load_balance']: raise ConfigError(f'{err_msg} translation requires address and/or port') addr = dict_search('translation.address', config) @@ -211,7 +214,6 @@ def verify(nat): # common rule verification verify_rule(config, err_msg, nat['firewall_group']) - if dict_search('destination.rule', nat): for rule, config in dict_search('destination.rule', nat).items(): err_msg = f'Destination NAT configuration error in rule {rule}:' @@ -223,7 +225,7 @@ def verify(nat): Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') if not dict_search('translation.address', config) and not dict_search('translation.port', config) and not dict_search('translation.redirect.port', config): - if 'exclude' not in config: + if 'exclude' not in config and 'backend' not in config['load_balance']: raise ConfigError(f'{err_msg} translation requires address and/or port') # common rule verification diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py index 25f625b84..4c12618bc 100755 --- a/src/conf_mode/nat66.py +++ b/src/conf_mode/nat66.py @@ -23,13 +23,11 @@ from netifaces import interfaces from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import cmd from vyos.utils.kernel import check_kmod from vyos.utils.dict import dict_search from vyos.template import is_ipv6 -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -60,16 +58,6 @@ def get_config(config=None): base = ['nat66'] nat = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # T2665: we must add the tagNode defaults individually until this is - # moved to the base class - for direction in ['source', 'destination']: - if direction in nat: - default_values = defaults(base + [direction, 'rule']) - if 'rule' in nat[direction]: - for rule in nat[direction]['rule']: - nat[direction]['rule'][rule] = dict_merge(default_values, - nat[direction]['rule'][rule]) - # read in current nftable (once) for further processing tmp = cmd('nft -j list table ip6 raw') nftable_json = json.loads(tmp) diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py index eb8cb3940..34ba2fe69 100755 --- a/src/conf_mode/pki.py +++ b/src/conf_mode/pki.py @@ -18,7 +18,6 @@ from sys import exit from vyos.config import Config from vyos.configdep import set_dependents, call_dependents -from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.pki import is_ca_certificate from vyos.pki import load_certificate @@ -28,7 +27,6 @@ from vyos.pki import load_crl from vyos.pki import load_dh_parameters from vyos.utils.dict import dict_search_args from vyos.utils.dict import dict_search_recursive -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -113,8 +111,7 @@ def get_config(config=None): # We only merge on the defaults of there is a configuration at all if conf.exists(base): - default_values = defaults(base) - pki = dict_merge(default_values, pki) + pki = conf.merge_defaults(pki, recursive=True) # We need to get the entire system configuration to verify that we are not # deleting a certificate that is still referenced somewhere! diff --git a/src/conf_mode/protocols_babel.py b/src/conf_mode/protocols_babel.py index f5ac56f65..104711b55 100755 --- a/src/conf_mode/protocols_babel.py +++ b/src/conf_mode/protocols_babel.py @@ -19,13 +19,13 @@ import os from sys import exit from vyos.config import Config +from vyos.config import config_dict_merge from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configverify import verify_common_route_maps from vyos.configverify import verify_access_list from vyos.configverify import verify_prefix_list from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos.template import render_to_string from vyos import ConfigError from vyos import frr @@ -38,7 +38,8 @@ def get_config(config=None): else: conf = Config() base = ['protocols', 'babel'] - babel = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + babel = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True) # FRR has VRF support for different routing daemons. As interfaces belong # to VRFs - or the global VRF, we need to check for changed interfaces so @@ -54,15 +55,13 @@ def get_config(config=None): return babel # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) + # values which we need to update into the dictionary retrieved. + default_values = conf.get_config_defaults(base, key_mangling=('-', '_'), + get_first_key=True, + recursive=True) - # XXX: T2665: we currently have no nice way for defaults under tag nodes, - # clean them out and add them manually :( - del default_values['interface'] - - # merge in remaining default values - babel = dict_merge(default_values, babel) + # merge in default values + babel = config_dict_merge(default_values, babel) # We also need some additional information from the config, prefix-lists # and route-maps for instance. They will be used in verify(). diff --git a/src/conf_mode/protocols_bfd.py b/src/conf_mode/protocols_bfd.py index 0436abaf9..dab784662 100755 --- a/src/conf_mode/protocols_bfd.py +++ b/src/conf_mode/protocols_bfd.py @@ -17,12 +17,10 @@ import os from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configverify import verify_vrf from vyos.template import is_ipv6 from vyos.template import render_to_string -from vyos.validate import is_ipv6_link_local -from vyos.xml import defaults +from vyos.utils.network import is_ipv6_link_local from vyos import ConfigError from vyos import frr from vyos import airbag @@ -41,18 +39,7 @@ def get_config(config=None): if not conf.exists(base): return bfd - # We have gathered the dict representation of the CLI, but there are - # default options which we need to update into the dictionary retrived. - # XXX: T2665: we currently have no nice way for defaults under tag - # nodes, thus we load the defaults "by hand" - default_values = defaults(base + ['peer']) - if 'peer' in bfd: - for peer in bfd['peer']: - bfd['peer'][peer] = dict_merge(default_values, bfd['peer'][peer]) - - if 'profile' in bfd: - for profile in bfd['profile']: - bfd['profile'][profile] = dict_merge(default_values, bfd['profile'][profile]) + bfd = conf.merge_defaults(bfd, recursive=True) return bfd diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index 7b9f15505..00015023c 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py @@ -29,7 +29,7 @@ from vyos.template import is_interface from vyos.template import render_to_string from vyos.utils.dict import dict_search from vyos.utils.network import get_interface_vrf -from vyos.validate import is_addr_assigned +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import frr from vyos import airbag diff --git a/src/conf_mode/protocols_failover.py b/src/conf_mode/protocols_failover.py index faf56d741..e7e44db84 100755 --- a/src/conf_mode/protocols_failover.py +++ b/src/conf_mode/protocols_failover.py @@ -19,10 +19,8 @@ import json from pathlib import Path from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag @@ -42,15 +40,12 @@ def get_config(config=None): conf = Config() base = ['protocols', 'failover'] - failover = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + failover = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True) # Set default values only if we set config - if failover.get('route'): - for route, route_config in failover.get('route').items(): - for next_hop, next_hop_config in route_config.get('next_hop').items(): - default_values = defaults(base + ['route']) - failover['route'][route]['next_hop'][next_hop] = dict_merge( - default_values['next_hop'], failover['route'][route]['next_hop'][next_hop]) + if failover.get('route') is not None: + failover = conf.merge_defaults(failover, recursive=True) return failover diff --git a/src/conf_mode/protocols_isis.py b/src/conf_mode/protocols_isis.py index 4c637a99f..e00c58ee4 100755 --- a/src/conf_mode/protocols_isis.py +++ b/src/conf_mode/protocols_isis.py @@ -28,7 +28,6 @@ from vyos.ifconfig import Interface from vyos.utils.dict import dict_search from vyos.utils.network import get_interface_config from vyos.template import render_to_string -from vyos.xml import defaults from vyos import ConfigError from vyos import frr from vyos import airbag @@ -64,19 +63,14 @@ def get_config(config=None): if interfaces_removed: isis['interface_removed'] = list(interfaces_removed) - # Bail out early if configuration tree does not exist + # Bail out early if configuration tree does no longer exist. this must + # be done after retrieving the list of interfaces to be removed. if not conf.exists(base): isis.update({'deleted' : ''}) return isis - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - # XXX: Note that we can not call defaults(base), as defaults does not work - # on an instance of a tag node. As we use the exact same CLI definition for - # both the non-vrf and vrf version this is absolutely safe! - default_values = defaults(base_path) # merge in default values - isis = dict_merge(default_values, isis) + isis = conf.merge_defaults(isis, recursive=True) # We also need some additional information from the config, prefix-lists # and route-maps for instance. They will be used in verify(). @@ -254,7 +248,7 @@ def apply(isis): if key not in isis: continue for interface in isis[key]: - frr_cfg.modify_section(f'^interface {interface}{vrf}', stop_pattern='^exit', remove_stop_mark=True) + frr_cfg.modify_section(f'^interface {interface}', stop_pattern='^exit', remove_stop_mark=True) if 'frr_isisd_config' in isis: frr_cfg.add_before(frr.default_add_before, isis['frr_isisd_config']) diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index f2075d25b..cddd3765e 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -20,6 +20,7 @@ from sys import exit from sys import argv from vyos.config import Config +from vyos.config import config_dict_merge from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configverify import verify_common_route_maps @@ -29,7 +30,6 @@ from vyos.configverify import verify_access_list from vyos.template import render_to_string from vyos.utils.dict import dict_search from vyos.utils.network import get_interface_config -from vyos.xml import defaults from vyos import ConfigError from vyos import frr from vyos import airbag @@ -65,17 +65,15 @@ def get_config(config=None): if interfaces_removed: ospf['interface_removed'] = list(interfaces_removed) - # Bail out early if configuration tree does not exist + # Bail out early if configuration tree does no longer exist. this must + # be done after retrieving the list of interfaces to be removed. if not conf.exists(base): ospf.update({'deleted' : ''}) return ospf # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - # XXX: Note that we can not call defaults(base), as defaults does not work - # on an instance of a tag node. As we use the exact same CLI definition for - # both the non-vrf and vrf version this is absolutely safe! - default_values = defaults(base_path) + default_values = conf.get_config_defaults(**ospf.kwargs, recursive=True) # We have to cleanup the default dict, as default values could enable features # which are not explicitly enabled on the CLI. Example: default-information @@ -84,62 +82,27 @@ def get_config(config=None): # need to check this first and probably drop that key. if dict_search('default_information.originate', ospf) is None: del default_values['default_information'] - if dict_search('area.area_type.nssa', ospf) is None: - del default_values['area']['area_type']['nssa'] if 'mpls_te' not in ospf: del default_values['mpls_te'] if 'graceful_restart' not in ospf: del default_values['graceful_restart'] + for area_num in default_values.get('area', []): + if dict_search(f'area.{area_num}.area_type.nssa', ospf) is None: + del default_values['area'][area_num]['area_type']['nssa'] - for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static', 'table']: - # table is a tagNode thus we need to clean out all occurances for the - # default values and load them in later individually - if protocol == 'table': - del default_values['redistribute']['table'] - continue + for protocol in ['babel', 'bgp', 'connected', 'isis', 'kernel', 'rip', 'static']: if dict_search(f'redistribute.{protocol}', ospf) is None: del default_values['redistribute'][protocol] - # XXX: T2665: we currently have no nice way for defaults under tag nodes, - # clean them out and add them manually :( - del default_values['neighbor'] - del default_values['area']['virtual_link'] - del default_values['interface'] - - # merge in remaining default values - ospf = dict_merge(default_values, ospf) - - if 'neighbor' in ospf: - default_values = defaults(base + ['neighbor']) - for neighbor in ospf['neighbor']: - ospf['neighbor'][neighbor] = dict_merge(default_values, ospf['neighbor'][neighbor]) + for interface in ospf.get('interface', []): + # We need to reload the defaults on every pass b/c of + # hello-multiplier dependency on dead-interval + # If hello-multiplier is set, we need to remove the default from + # dead-interval. + if 'hello_multiplier' in ospf['interface'][interface]: + del default_values['interface'][interface]['dead_interval'] - if 'area' in ospf: - default_values = defaults(base + ['area', 'virtual-link']) - for area, area_config in ospf['area'].items(): - if 'virtual_link' in area_config: - for virtual_link in area_config['virtual_link']: - ospf['area'][area]['virtual_link'][virtual_link] = dict_merge( - default_values, ospf['area'][area]['virtual_link'][virtual_link]) - - if 'interface' in ospf: - for interface in ospf['interface']: - # We need to reload the defaults on every pass b/c of - # hello-multiplier dependency on dead-interval - default_values = defaults(base + ['interface']) - # If hello-multiplier is set, we need to remove the default from - # dead-interval. - if 'hello_multiplier' in ospf['interface'][interface]: - del default_values['dead_interval'] - - ospf['interface'][interface] = dict_merge(default_values, - ospf['interface'][interface]) - - if 'redistribute' in ospf and 'table' in ospf['redistribute']: - default_values = defaults(base + ['redistribute', 'table']) - for table in ospf['redistribute']['table']: - ospf['redistribute']['table'][table] = dict_merge(default_values, - ospf['redistribute']['table'][table]) + ospf = config_dict_merge(default_values, ospf) # We also need some additional information from the config, prefix-lists # and route-maps for instance. They will be used in verify(). @@ -287,7 +250,7 @@ def apply(ospf): if key not in ospf: continue for interface in ospf[key]: - frr_cfg.modify_section(f'^interface {interface}{vrf}', stop_pattern='^exit', remove_stop_mark=True) + frr_cfg.modify_section(f'^interface {interface}', stop_pattern='^exit', remove_stop_mark=True) if 'frr_ospfd_config' in ospf: frr_cfg.add_before(frr.default_add_before, ospf['frr_ospfd_config']) diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py index fbea51f56..5b1adce30 100755 --- a/src/conf_mode/protocols_ospfv3.py +++ b/src/conf_mode/protocols_ospfv3.py @@ -20,6 +20,7 @@ from sys import exit from sys import argv from vyos.config import Config +from vyos.config import config_dict_merge from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configverify import verify_common_route_maps @@ -29,7 +30,6 @@ from vyos.template import render_to_string from vyos.ifconfig import Interface from vyos.utils.dict import dict_search from vyos.utils.network import get_interface_config -from vyos.xml import defaults from vyos import ConfigError from vyos import frr from vyos import airbag @@ -64,17 +64,16 @@ def get_config(config=None): if interfaces_removed: ospfv3['interface_removed'] = list(interfaces_removed) - # Bail out early if configuration tree does not exist + # Bail out early if configuration tree does no longer exist. this must + # be done after retrieving the list of interfaces to be removed. if not conf.exists(base): ospfv3.update({'deleted' : ''}) return ospfv3 # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - # XXX: Note that we can not call defaults(base), as defaults does not work - # on an instance of a tag node. As we use the exact same CLI definition for - # both the non-vrf and vrf version this is absolutely safe! - default_values = defaults(base_path) + default_values = conf.get_config_defaults(**ospfv3.kwargs, + recursive=True) # We have to cleanup the default dict, as default values could enable features # which are not explicitly enabled on the CLI. Example: default-information @@ -86,12 +85,10 @@ def get_config(config=None): if 'graceful_restart' not in ospfv3: del default_values['graceful_restart'] - # XXX: T2665: we currently have no nice way for defaults under tag nodes, - # clean them out and add them manually :( - del default_values['interface'] + default_values.pop('interface', {}) # merge in remaining default values - ospfv3 = dict_merge(default_values, ospfv3) + ospfv3 = config_dict_merge(default_values, ospfv3) # We also need some additional information from the config, prefix-lists # and route-maps for instance. They will be used in verify(). @@ -170,7 +167,7 @@ def apply(ospfv3): if key not in ospfv3: continue for interface in ospfv3[key]: - frr_cfg.modify_section(f'^interface {interface}{vrf}', stop_pattern='^exit', remove_stop_mark=True) + frr_cfg.modify_section(f'^interface {interface}', stop_pattern='^exit', remove_stop_mark=True) if 'new_frr_config' in ospfv3: frr_cfg.add_before(frr.default_add_before, ospfv3['new_frr_config']) diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py index 5661dc377..bd47dfd00 100755 --- a/src/conf_mode/protocols_rip.py +++ b/src/conf_mode/protocols_rip.py @@ -25,7 +25,6 @@ from vyos.configverify import verify_common_route_maps from vyos.configverify import verify_access_list from vyos.configverify import verify_prefix_list from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos.template import render_to_string from vyos import ConfigError from vyos import frr @@ -55,9 +54,7 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) - # merge in remaining default values - rip = dict_merge(default_values, rip) + rip = conf.merge_defaults(rip, recursive=True) # We also need some additional information from the config, prefix-lists # and route-maps for instance. They will be used in verify(). diff --git a/src/conf_mode/protocols_ripng.py b/src/conf_mode/protocols_ripng.py index e3c904e33..dd1550033 100755 --- a/src/conf_mode/protocols_ripng.py +++ b/src/conf_mode/protocols_ripng.py @@ -24,7 +24,6 @@ from vyos.configverify import verify_common_route_maps from vyos.configverify import verify_access_list from vyos.configverify import verify_prefix_list from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos.template import render_to_string from vyos import ConfigError from vyos import frr @@ -45,9 +44,7 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) - # merge in remaining default values - ripng = dict_merge(default_values, ripng) + ripng = conf.merge_defaults(ripng, recursive=True) # We also need some additional information from the config, prefix-lists # and route-maps for instance. They will be used in verify(). diff --git a/src/conf_mode/protocols_rpki.py b/src/conf_mode/protocols_rpki.py index 035b7db05..05e876f3b 100755 --- a/src/conf_mode/protocols_rpki.py +++ b/src/conf_mode/protocols_rpki.py @@ -19,10 +19,8 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render_to_string from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos import ConfigError from vyos import frr from vyos import airbag @@ -43,8 +41,7 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) - rpki = dict_merge(default_values, rpki) + rpki = conf.merge_defaults(rpki, recursive=True) return rpki diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py index 53e9ff50d..5536adda2 100755 --- a/src/conf_mode/qos.py +++ b/src/conf_mode/qos.py @@ -38,7 +38,6 @@ from vyos.qos import TrafficShaper from vyos.qos import TrafficShaperHFSC from vyos.utils.process import call from vyos.utils.dict import dict_search_recursive -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -97,63 +96,32 @@ def get_config(config=None): type_node = path.split(" ")[1] # return only interface type node set_dependents(type_node, conf, ifname) - if 'policy' in qos: - for policy in qos['policy']: - # when calling defaults() we need to use the real CLI node, thus we - # need a hyphen - policy_hyphen = policy.replace('_', '-') - - if policy in ['random_detect']: - for rd_name, rd_config in qos['policy'][policy].items(): - # There are eight precedence levels - ensure all are present - # to be filled later down with the appropriate default values - default_precedence = {'precedence' : { '0' : {}, '1' : {}, '2' : {}, '3' : {}, - '4' : {}, '5' : {}, '6' : {}, '7' : {} }} - qos['policy']['random_detect'][rd_name] = dict_merge( - default_precedence, qos['policy']['random_detect'][rd_name]) - - for p_name, p_config in qos['policy'][policy].items(): - default_values = defaults(base + ['policy', policy_hyphen]) - - if policy in ['priority_queue']: - if 'default' not in p_config: - raise ConfigError(f'QoS policy {p_name} misses "default" class!') - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if 'class' in default_values: - del default_values['class'] - if 'precedence' in default_values: - del default_values['precedence'] - - qos['policy'][policy][p_name] = dict_merge( - default_values, qos['policy'][policy][p_name]) - - # class is another tag node which requires individual handling - if 'class' in p_config: - default_values = defaults(base + ['policy', policy_hyphen, 'class']) - for p_class in p_config['class']: - qos['policy'][policy][p_name]['class'][p_class] = dict_merge( - default_values, qos['policy'][policy][p_name]['class'][p_class]) - - if 'precedence' in p_config: - default_values = defaults(base + ['policy', policy_hyphen, 'precedence']) - # precedence values are a bit more complex as they are calculated - # under specific circumstances - thus we need to iterate two times. - # first blend in the defaults from XML / CLI - for precedence in p_config['precedence']: - qos['policy'][policy][p_name]['precedence'][precedence] = dict_merge( - default_values, qos['policy'][policy][p_name]['precedence'][precedence]) - # second calculate defaults based on actual dictionary - for precedence in p_config['precedence']: - max_thr = int(qos['policy'][policy][p_name]['precedence'][precedence]['maximum_threshold']) - if 'minimum_threshold' not in qos['policy'][policy][p_name]['precedence'][precedence]: - qos['policy'][policy][p_name]['precedence'][precedence]['minimum_threshold'] = str( - int((9 + int(precedence)) * max_thr) // 18); - - if 'queue_limit' not in qos['policy'][policy][p_name]['precedence'][precedence]: - qos['policy'][policy][p_name]['precedence'][precedence]['queue_limit'] = \ - str(int(4 * max_thr)) + for policy in qos.get('policy', []): + if policy in ['random_detect']: + for rd_name in list(qos['policy'][policy]): + # There are eight precedence levels - ensure all are present + # to be filled later down with the appropriate default values + default_precedence = {'precedence' : { '0' : {}, '1' : {}, '2' : {}, '3' : {}, + '4' : {}, '5' : {}, '6' : {}, '7' : {} }} + qos['policy']['random_detect'][rd_name] = dict_merge( + default_precedence, qos['policy']['random_detect'][rd_name]) + + qos = conf.merge_defaults(qos, recursive=True) + + for policy in qos.get('policy', []): + for p_name, p_config in qos['policy'][policy].items(): + if 'precedence' in p_config: + # precedence settings are a bit more complex as they are + # calculated under specific circumstances: + for precedence in p_config['precedence']: + max_thr = int(qos['policy'][policy][p_name]['precedence'][precedence]['maximum_threshold']) + if 'minimum_threshold' not in qos['policy'][policy][p_name]['precedence'][precedence]: + qos['policy'][policy][p_name]['precedence'][precedence]['minimum_threshold'] = str( + int((9 + int(precedence)) * max_thr) // 18); + + if 'queue_limit' not in qos['policy'][policy][p_name]['precedence'][precedence]: + qos['policy'][policy][p_name]['precedence'][precedence]['queue_limit'] = \ + str(int(4 * max_thr)) return qos @@ -202,7 +170,9 @@ def verify(qos): queue_lim = int(precedence_config['queue_limit']) if queue_lim < max_tr: raise ConfigError(f'Policy "{policy}" uses queue-limit "{queue_lim}" < max-threshold "{max_tr}"!') - + if policy_type in ['priority_queue']: + if 'default' not in policy_config: + raise ConfigError(f'Policy {policy} misses "default" class!') if 'default' in policy_config: if 'bandwidth' not in policy_config['default'] and policy_type not in ['priority_queue', 'round_robin']: raise ConfigError('Bandwidth not defined for default traffic!') diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 3ff7880b2..a8fce8e01 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -22,12 +22,10 @@ from urllib3 import PoolManager from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configverify import verify_interface_exists from vyos.template import render from vyos.utils.process import call from vyos.utils.permission import chown -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag @@ -55,8 +53,7 @@ def get_config(config=None): salt['id'] = gethostname() # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) - salt = dict_merge(default_values, salt) + salt = conf.merge_defaults(salt, recursive=True) if not conf.exists(base): return None diff --git a/src/conf_mode/service_config_sync.py b/src/conf_mode/service_config_sync.py index 5cde735a1..4b8a7f6ee 100755 --- a/src/conf_mode/service_config_sync.py +++ b/src/conf_mode/service_config_sync.py @@ -19,8 +19,6 @@ import json from pathlib import Path from vyos.config import Config -from vyos.configdict import dict_merge -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag @@ -42,12 +40,8 @@ def get_config(config=None): base = ['service', 'config-sync'] if not conf.exists(base): return None - config = conf.get_config_dict(base, - get_first_key=True, - no_tag_node_value_mangle=True) - - default_values = defaults(base) - config = dict_merge(default_values, config) + config = conf.get_config_dict(base, get_first_key=True, + with_recursive_defaults=True) return config diff --git a/src/conf_mode/service_console-server.py b/src/conf_mode/service_console-server.py index 7eb41ea87..b112add3f 100755 --- a/src/conf_mode/service_console-server.py +++ b/src/conf_mode/service_console-server.py @@ -20,10 +20,8 @@ from sys import exit from psutil import process_iter from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call -from vyos.xml import defaults from vyos import ConfigError config_file = '/run/conserver/conserver.cf' @@ -49,11 +47,7 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base + ['device']) - if 'device' in proxy: - for device in proxy['device']: - tmp = dict_merge(default_values, proxy['device'][device]) - proxy['device'][device] = tmp + proxy = conf.merge_defaults(proxy, recursive=True) return proxy diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py index f6b80552b..276a71fcb 100755 --- a/src/conf_mode/service_ids_fastnetmon.py +++ b/src/conf_mode/service_ids_fastnetmon.py @@ -19,10 +19,8 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -41,11 +39,9 @@ def get_config(config=None): if not conf.exists(base): return None - fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - fastnetmon = dict_merge(default_values, fastnetmon) + fastnetmon = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return fastnetmon diff --git a/src/conf_mode/service_monitoring_telegraf.py b/src/conf_mode/service_monitoring_telegraf.py index 0269bedd9..40eb13e23 100755 --- a/src/conf_mode/service_monitoring_telegraf.py +++ b/src/conf_mode/service_monitoring_telegraf.py @@ -22,7 +22,6 @@ from sys import exit from shutil import rmtree from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.ifconfig import Section @@ -30,7 +29,6 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.permission import chown from vyos.utils.process import cmd -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -83,8 +81,7 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) - monitoring = dict_merge(default_values, monitoring) + monitoring = conf.merge_defaults(monitoring, recursive=True) monitoring['custom_scripts_dir'] = custom_scripts_dir monitoring['hostname'] = get_hostname() diff --git a/src/conf_mode/service_monitoring_zabbix-agent.py b/src/conf_mode/service_monitoring_zabbix-agent.py new file mode 100755 index 000000000..98d8a32ca --- /dev/null +++ b/src/conf_mode/service_monitoring_zabbix-agent.py @@ -0,0 +1,98 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from vyos.config import Config +from vyos.template import render +from vyos.utils.process import call +from vyos import ConfigError +from vyos import airbag +airbag.enable() + + +service_name = 'zabbix-agent2' +service_conf = f'/run/zabbix/{service_name}.conf' +systemd_override = r'/run/systemd/system/zabbix-agent2.service.d/10-override.conf' + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['service', 'monitoring', 'zabbix-agent'] + + if not conf.exists(base): + return None + + config = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True, + with_recursive_defaults=True) + + # Cut the / from the end, /tmp/ => /tmp + if 'directory' in config and config['directory'].endswith('/'): + config['directory'] = config['directory'][:-1] + + return config + + +def verify(config): + # bail out early - looks like removal from running config + if config is None: + return + + if 'server' not in config: + raise ConfigError('Server is required!') + + +def generate(config): + # bail out early - looks like removal from running config + if config is None: + # Remove old config and return + config_files = [service_conf, systemd_override] + for file in config_files: + if os.path.isfile(file): + os.unlink(file) + + return None + + # Write configuration file + render(service_conf, 'zabbix-agent/zabbix-agent.conf.j2', config) + render(systemd_override, 'zabbix-agent/10-override.conf.j2', config) + + return None + + +def apply(config): + call('systemctl daemon-reload') + if config: + call(f'systemctl restart {service_name}.service') + else: + call(f'systemctl stop {service_name}.service') + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/service_router-advert.py b/src/conf_mode/service_router-advert.py index fe33c43ea..dbb47de4e 100755 --- a/src/conf_mode/service_router-advert.py +++ b/src/conf_mode/service_router-advert.py @@ -19,10 +19,8 @@ import os from sys import exit from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -35,40 +33,9 @@ def get_config(config=None): else: conf = Config() base = ['service', 'router-advert'] - rtradv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_interface_values = defaults(base + ['interface']) - # we deal with prefix, route defaults later on - if 'prefix' in default_interface_values: - del default_interface_values['prefix'] - if 'route' in default_interface_values: - del default_interface_values['route'] - - default_prefix_values = defaults(base + ['interface', 'prefix']) - default_route_values = defaults(base + ['interface', 'route']) - - if 'interface' in rtradv: - for interface in rtradv['interface']: - rtradv['interface'][interface] = dict_merge( - default_interface_values, rtradv['interface'][interface]) - - if 'prefix' in rtradv['interface'][interface]: - for prefix in rtradv['interface'][interface]['prefix']: - rtradv['interface'][interface]['prefix'][prefix] = dict_merge( - default_prefix_values, rtradv['interface'][interface]['prefix'][prefix]) - - if 'route' in rtradv['interface'][interface]: - for route in rtradv['interface'][interface]['route']: - rtradv['interface'][interface]['route'][route] = dict_merge( - default_route_values, rtradv['interface'][interface]['route'][route]) - - if 'name_server' in rtradv['interface'][interface]: - # always use a list when dealing with nameservers - eases the template generation - if isinstance(rtradv['interface'][interface]['name_server'], str): - rtradv['interface'][interface]['name_server'] = [ - rtradv['interface'][interface]['name_server']] + rtradv = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return rtradv diff --git a/src/conf_mode/service_sla.py b/src/conf_mode/service_sla.py index 54b72e029..ba5e645f0 100755 --- a/src/conf_mode/service_sla.py +++ b/src/conf_mode/service_sla.py @@ -19,10 +19,8 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -44,11 +42,9 @@ def get_config(config=None): if not conf.exists(base): return None - sla = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - sla = dict_merge(default_values, sla) + sla = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) # Ignore default XML values if config doesn't exists # Delete key from dict diff --git a/src/conf_mode/service_upnp.py b/src/conf_mode/service_upnp.py index b37d502c2..cf26bf9ce 100755 --- a/src/conf_mode/service_upnp.py +++ b/src/conf_mode/service_upnp.py @@ -23,12 +23,10 @@ from ipaddress import IPv4Network from ipaddress import IPv6Network from vyos.config import Config -from vyos.configdict import dict_merge from vyos.utils.process import call from vyos.template import render from vyos.template import is_ipv4 from vyos.template import is_ipv6 -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -47,10 +45,7 @@ def get_config(config=None): if not upnpd: return None - if 'rule' in upnpd: - default_member_values = defaults(base + ['rule']) - for rule,rule_config in upnpd['rule'].items(): - upnpd['rule'][rule] = dict_merge(default_member_values, upnpd['rule'][rule]) + upnpd = conf.merge_defaults(upnpd, recursive=True) uuidgen = uuid.uuid1() upnpd.update({'uuid': uuidgen}) diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py index bbdb756bd..12ae4135e 100755 --- a/src/conf_mode/service_webproxy.py +++ b/src/conf_mode/service_webproxy.py @@ -20,14 +20,13 @@ from shutil import rmtree from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge +from vyos.config import config_dict_merge from vyos.template import render from vyos.utils.process import call from vyos.utils.permission import chmod_755 from vyos.utils.dict import dict_search from vyos.utils.file import write_file -from vyos.validate import is_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_addr_assigned from vyos.base import Warning from vyos import ConfigError from vyos import airbag @@ -125,7 +124,8 @@ def get_config(config=None): get_first_key=True) # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) + default_values = conf.get_config_defaults(**proxy.kwargs, + recursive=True) # if no authentication method is supplied, no need to add defaults if not dict_search('authentication.method', proxy): @@ -138,16 +138,7 @@ def get_config(config=None): proxy['squidguard_conf'] = squidguard_config_file proxy['squidguard_db_dir'] = squidguard_db_dir - # XXX: T2665: blend in proper cache-peer default values later - default_values.pop('cache_peer') - proxy = dict_merge(default_values, proxy) - - # XXX: T2665: blend in proper cache-peer default values - if 'cache_peer' in proxy: - default_values = defaults(base + ['cache-peer']) - for peer in proxy['cache_peer']: - proxy['cache_peer'][peer] = dict_merge(default_values, - proxy['cache_peer'][peer]) + proxy = config_dict_merge(default_values, proxy) return proxy diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 0f0d97ac3..7882f8510 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -29,9 +29,8 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.permission import chmod_755 from vyos.utils.dict import dict_search -from vyos.validate import is_addr_assigned +from vyos.utils.network import is_addr_assigned from vyos.version import get_version_data -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -70,26 +69,9 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) - - # We can not merge defaults for tagNodes - those need to be blended in - # per tagNode instance - if 'listen_address' in default_values: - del default_values['listen_address'] - if 'community' in default_values: - del default_values['community'] - if 'trap_target' in default_values: - del default_values['trap_target'] - if 'v3' in default_values: - del default_values['v3'] - snmp = dict_merge(default_values, snmp) + snmp = conf.merge_defaults(snmp, recursive=True) if 'listen_address' in snmp: - default_values = defaults(base + ['listen-address']) - for address in snmp['listen_address']: - snmp['listen_address'][address] = dict_merge( - default_values, snmp['listen_address'][address]) - # Always listen on localhost if an explicit address has been configured # This is a safety measure to not end up with invalid listen addresses # that are not configured on this system. See https://vyos.dev/T850 @@ -101,41 +83,6 @@ def get_config(config=None): tmp = {'::1': {'port': '161'}} snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) - if 'community' in snmp: - default_values = defaults(base + ['community']) - if 'network' in default_values: - # convert multiple default networks to list - default_values['network'] = default_values['network'].split() - for community in snmp['community']: - snmp['community'][community] = dict_merge( - default_values, snmp['community'][community]) - - if 'trap_target' in snmp: - default_values = defaults(base + ['trap-target']) - for trap in snmp['trap_target']: - snmp['trap_target'][trap] = dict_merge( - default_values, snmp['trap_target'][trap]) - - if 'v3' in snmp: - default_values = defaults(base + ['v3']) - # tagNodes need to be merged in individually later on - for tmp in ['user', 'group', 'trap_target']: - del default_values[tmp] - snmp['v3'] = dict_merge(default_values, snmp['v3']) - - for user_group in ['user', 'group']: - if user_group in snmp['v3']: - default_values = defaults(base + ['v3', user_group]) - for tmp in snmp['v3'][user_group]: - snmp['v3'][user_group][tmp] = dict_merge( - default_values, snmp['v3'][user_group][tmp]) - - if 'trap_target' in snmp['v3']: - default_values = defaults(base + ['v3', 'trap-target']) - for trap in snmp['v3']['trap_target']: - snmp['v3']['trap_target'][trap] = dict_merge( - default_values, snmp['v3']['trap_target'][trap]) - return snmp def verify(snmp): diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index 3b63fcb7d..ee5e1eca2 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -21,12 +21,10 @@ from syslog import syslog from syslog import LOG_INFO from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.utils.process import call from vyos.template import render -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -57,8 +55,8 @@ def get_config(config=None): # We have gathered the dict representation of the CLI, but there are default # options which we need to update into the dictionary retrived. - default_values = defaults(base) - ssh = dict_merge(default_values, ssh) + ssh = conf.merge_defaults(ssh, recursive=True) + # pass config file path - used in override template ssh['config_file'] = config_file diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system-ip.py index cca996e4f..63dff0e36 100755 --- a/src/conf_mode/system-ip.py +++ b/src/conf_mode/system-ip.py @@ -24,7 +24,6 @@ from vyos.utils.process import call from vyos.utils.dict import dict_search from vyos.utils.file import write_file from vyos.utils.system import sysctl_write -from vyos.xml import defaults from vyos import ConfigError from vyos import frr from vyos import airbag @@ -37,11 +36,9 @@ def get_config(config=None): conf = Config() base = ['system', 'ip'] - opt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - opt = dict_merge(default_values, opt) + opt = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) # When working with FRR we need to know the corresponding address-family opt['afi'] = 'ip' diff --git a/src/conf_mode/system-ipv6.py b/src/conf_mode/system-ipv6.py index 22210c27a..8a4df11fa 100755 --- a/src/conf_mode/system-ipv6.py +++ b/src/conf_mode/system-ipv6.py @@ -24,7 +24,6 @@ from vyos.template import render_to_string from vyos.utils.dict import dict_search from vyos.utils.system import sysctl_write from vyos.utils.file import write_file -from vyos.xml import defaults from vyos import ConfigError from vyos import frr from vyos import airbag @@ -37,12 +36,9 @@ def get_config(config=None): conf = Config() base = ['system', 'ipv6'] - opt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - opt = dict_merge(default_values, opt) + opt = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) # When working with FRR we need to know the corresponding address-family opt['afi'] = 'ipv6' diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index afd75913e..02c97afaa 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -24,7 +24,6 @@ from sys import exit from time import sleep from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configverify import verify_vrf from vyos.defaults import directories from vyos.template import render @@ -35,7 +34,6 @@ from vyos.utils.process import call from vyos.utils.process import rc_cmd from vyos.utils.process import run from vyos.utils.process import DEVNULL -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -54,7 +52,7 @@ MAX_USER_UID: int = 59999 # LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec MAX_RADIUS_TIMEOUT: int = 50 # MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) -MAX_RADIUS_COUNT: int = 25 +MAX_RADIUS_COUNT: int = 8 # Maximum number of supported TACACS servers MAX_TACACS_COUNT: int = 8 @@ -93,7 +91,9 @@ def get_config(config=None): conf = Config() base = ['system', 'login'] login = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, get_first_key=True) + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) # users no longer existing in the running configuration need to be deleted local_users = get_local_users() @@ -101,27 +101,9 @@ def get_config(config=None): if 'user' in login: cli_users = list(login['user']) - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - default_values = defaults(base + ['user']) - for user in login['user']: - login['user'][user] = dict_merge(default_values, login['user'][user]) - - # Add TACACS global defaults - if 'tacacs' in login: - default_values = defaults(base + ['tacacs']) - if 'server' in default_values: - del default_values['server'] - login['tacacs'] = dict_merge(default_values, login['tacacs']) - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - for backend in ['radius', 'tacacs']: - default_values = defaults(base + [backend, 'server']) - for server in dict_search(f'{backend}.server', login) or []: - login[backend]['server'][server] = dict_merge(default_values, - login[backend]['server'][server]) - + # prune TACACS global defaults if not set by user + if login.from_defaults(['tacacs']): + del login['tacacs'] # create a list of all users, cli and users all_users = list(set(local_users + cli_users)) diff --git a/src/conf_mode/system-logs.py b/src/conf_mode/system-logs.py index 12145d641..8ad4875d4 100755 --- a/src/conf_mode/system-logs.py +++ b/src/conf_mode/system-logs.py @@ -19,11 +19,9 @@ from sys import exit from vyos import ConfigError from vyos import airbag from vyos.config import Config -from vyos.configdict import dict_merge from vyos.logger import syslog from vyos.template import render from vyos.utils.dict import dict_search -from vyos.xml import defaults airbag.enable() # path to logrotate configs @@ -38,11 +36,9 @@ def get_config(config=None): conf = Config() base = ['system', 'logs'] - default_values = defaults(base) - logs_config = conf.get_config_dict(base, - key_mangling=('-', '_'), - get_first_key=True) - logs_config = dict_merge(default_values, logs_config) + logs_config = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return logs_config diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py index 5172b492e..d92121b3d 100755 --- a/src/conf_mode/system-option.py +++ b/src/conf_mode/system-option.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2022 VyOS maintainers and contributors +# Copyright (C) 2019-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -21,14 +21,12 @@ from sys import exit from time import sleep from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configverify import verify_source_interface from vyos.template import render from vyos.utils.process import cmd from vyos.utils.process import is_systemd_service_running -from vyos.validate import is_addr_assigned -from vyos.validate import is_intf_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_addr_assigned +from vyos.utils.network import is_intf_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() @@ -36,6 +34,11 @@ airbag.enable() curlrc_config = r'/etc/curlrc' ssh_config = r'/etc/ssh/ssh_config.d/91-vyos-ssh-client-options.conf' systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target' +time_format_to_locale = { + '12-hour': 'en_US.UTF-8', + '24-hour': 'en_GB.UTF-8' +} + def get_config(config=None): if config: @@ -43,12 +46,9 @@ def get_config(config=None): else: conf = Config() base = ['system', 'option'] - options = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - options = dict_merge(default_values, options) + options = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return options @@ -143,6 +143,11 @@ def apply(options): else: cmd('systemctl disable root-partition-auto-resize.service') + # Time format 12|24-hour + if 'time_format' in options: + time_format = time_format_to_locale.get(options['time_format']) + cmd(f'localectl set-locale LC_TIME={time_format}') + if __name__ == '__main__': try: c = get_config() diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system-syslog.py index 19c87bcee..07fbb0734 100755 --- a/src/conf_mode/system-syslog.py +++ b/src/conf_mode/system-syslog.py @@ -19,12 +19,10 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.utils.process import call from vyos.template import render -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -50,43 +48,9 @@ def get_config(config=None): tmp = is_node_changed(conf, base + ['vrf']) if tmp: syslog.update({'restart_required': {}}) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - # XXX: some syslog default values can not be merged here (originating from - # a tagNode - remove and add them later per individual tagNode instance - if 'console' in default_values: - del default_values['console'] - for entity in ['global', 'user', 'host', 'file']: - if entity in default_values: - del default_values[entity] - - syslog = dict_merge(default_values, syslog) - - # XXX: add defaults for "console" tree - if 'console' in syslog and 'facility' in syslog['console']: - default_values = defaults(base + ['console', 'facility']) - for facility in syslog['console']['facility']: - syslog['console']['facility'][facility] = dict_merge(default_values, - syslog['console']['facility'][facility]) - - # XXX: add defaults for "host" tree - for syslog_type in ['host', 'user', 'file']: - # Bail out early if there is nothing to do - if syslog_type not in syslog: - continue - - default_values_host = defaults(base + [syslog_type]) - if 'facility' in default_values_host: - del default_values_host['facility'] - - for tmp, tmp_config in syslog[syslog_type].items(): - syslog[syslog_type][tmp] = dict_merge(default_values_host, syslog[syslog_type][tmp]) - if 'facility' in tmp_config: - default_values_facility = defaults(base + [syslog_type, 'facility']) - for facility in tmp_config['facility']: - syslog[syslog_type][tmp]['facility'][facility] = dict_merge(default_values_facility, - syslog[syslog_type][tmp]['facility'][facility]) + syslog = conf.merge_defaults(syslog, recursive=True) + if syslog.from_defaults(['global']): + del syslog['global'] return syslog diff --git a/src/conf_mode/system_console.py b/src/conf_mode/system_console.py index 87d587959..ebf9a113b 100755 --- a/src/conf_mode/system_console.py +++ b/src/conf_mode/system_console.py @@ -19,12 +19,10 @@ import re from pathlib import Path from vyos.config import Config -from vyos.configdict import dict_merge from vyos.utils.process import call from vyos.utils.file import read_file from vyos.utils.file import write_file from vyos.template import render -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -45,16 +43,12 @@ def get_config(config=None): if 'device' not in console: return console - # convert CLI values to system values - default_values = defaults(base + ['device']) for device, device_config in console['device'].items(): if 'speed' not in device_config and device.startswith('hvc'): # XEN console has a different default console speed console['device'][device]['speed'] = 38400 - else: - # Merge in XML defaults - the proper way to do it - console['device'][device] = dict_merge(default_values, - console['device'][device]) + + console = conf.merge_defaults(console, recursive=True) return console diff --git a/src/conf_mode/system_sflow.py b/src/conf_mode/system_sflow.py index 9e3d41100..2df1bbb7a 100755 --- a/src/conf_mode/system_sflow.py +++ b/src/conf_mode/system_sflow.py @@ -19,11 +19,9 @@ import os from sys import exit from vyos.config import Config -from vyos.configdict import dict_merge from vyos.template import render from vyos.utils.process import call -from vyos.validate import is_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() @@ -42,26 +40,9 @@ def get_config(config=None): if not conf.exists(base): return None - sflow = conf.get_config_dict(base, - key_mangling=('-', '_'), - get_first_key=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - - sflow = dict_merge(default_values, sflow) - - # Ignore default XML values if config doesn't exists - # Delete key from dict - if 'port' in sflow['server']: - del sflow['server']['port'] - - # Set default values per server - if 'server' in sflow: - for server in sflow['server']: - default_values = defaults(base + ['server']) - sflow['server'][server] = dict_merge(default_values, sflow['server'][server]) + sflow = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return sflow diff --git a/src/conf_mode/tftp_server.py b/src/conf_mode/tftp_server.py index 2735772dc..3ad346e2e 100755 --- a/src/conf_mode/tftp_server.py +++ b/src/conf_mode/tftp_server.py @@ -24,14 +24,12 @@ from sys import exit from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.configverify import verify_vrf from vyos.template import render from vyos.template import is_ipv4 from vyos.utils.process import call from vyos.utils.permission import chmod_755 -from vyos.validate import is_addr_assigned -from vyos.xml import defaults +from vyos.utils.network import is_addr_assigned from vyos import ConfigError from vyos import airbag airbag.enable() @@ -48,11 +46,9 @@ def get_config(config=None): if not conf.exists(base): return None - tftpd = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - tftpd = dict_merge(default_values, tftpd) + tftpd = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) return tftpd def verify(tftpd): diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index b0825d0ee..fa271cbdb 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -27,7 +27,7 @@ from vyos.base import Warning from vyos.config import Config from vyos.configdict import leaf_node_changed from vyos.configverify import verify_interface_exists -from vyos.configdict import dict_merge +from vyos.defaults import directories from vyos.ifconfig import Interface from vyos.pki import encode_public_key from vyos.pki import load_private_key @@ -39,12 +39,11 @@ from vyos.template import ip_from_cidr from vyos.template import is_ipv4 from vyos.template import is_ipv6 from vyos.template import render -from vyos.validate import is_ipv6_link_local +from vyos.utils.network import is_ipv6_link_local from vyos.utils.dict import dict_search from vyos.utils.dict import dict_search_args from vyos.utils.process import call from vyos.utils.process import run -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag airbag.enable() @@ -69,7 +68,6 @@ KEY_PATH = f'{swanctl_dir}/private/' CA_PATH = f'{swanctl_dir}/x509ca/' CRL_PATH = f'{swanctl_dir}/x509crl/' -DHCP_BASE = '/var/lib/dhcp/dhclient' DHCP_HOOK_IFLIST = '/tmp/ipsec_dhcp_waiting' def get_config(config=None): @@ -84,88 +82,23 @@ def get_config(config=None): # retrieve common dictionary keys ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - # XXX: T2665: we must safely remove default values for tag nodes, those are - # added in a more fine grained way later on - del default_values['esp_group'] - del default_values['ike_group'] - del default_values['remote_access'] - del default_values['site_to_site'] - ipsec = dict_merge(default_values, ipsec) - - if 'esp_group' in ipsec: - default_values = defaults(base + ['esp-group']) - for group in ipsec['esp_group']: - ipsec['esp_group'][group] = dict_merge(default_values, - ipsec['esp_group'][group]) - if 'ike_group' in ipsec: - default_values = defaults(base + ['ike-group']) - # proposal is a tag node which may come with individual defaults per node - if 'proposal' in default_values: - del default_values['proposal'] - - for group in ipsec['ike_group']: - ipsec['ike_group'][group] = dict_merge(default_values, - ipsec['ike_group'][group]) - - if 'proposal' in ipsec['ike_group'][group]: - default_values = defaults(base + ['ike-group', 'proposal']) - for proposal in ipsec['ike_group'][group]['proposal']: - ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values, - ipsec['ike_group'][group]['proposal'][proposal]) - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if dict_search('remote_access.connection', ipsec): - default_values = defaults(base + ['remote-access', 'connection']) - for rw in ipsec['remote_access']['connection']: - ipsec['remote_access']['connection'][rw] = dict_merge(default_values, - ipsec['remote_access']['connection'][rw]) - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if dict_search('remote_access.radius.server', ipsec): - # Fist handle the "base" stuff like RADIUS timeout - default_values = defaults(base + ['remote-access', 'radius']) - if 'server' in default_values: - del default_values['server'] - ipsec['remote_access']['radius'] = dict_merge(default_values, - ipsec['remote_access']['radius']) - - # Take care about individual RADIUS servers implemented as tagNodes - this - # requires special treatment - default_values = defaults(base + ['remote-access', 'radius', 'server']) - for server in ipsec['remote_access']['radius']['server']: - ipsec['remote_access']['radius']['server'][server] = dict_merge(default_values, - ipsec['remote_access']['radius']['server'][server]) - - # XXX: T2665: we can not safely rely on the defaults() when there are - # tagNodes in place, it is better to blend in the defaults manually. - if dict_search('site_to_site.peer', ipsec): - default_values = defaults(base + ['site-to-site', 'peer']) - for peer in ipsec['site_to_site']['peer']: - ipsec['site_to_site']['peer'][peer] = dict_merge(default_values, - ipsec['site_to_site']['peer'][peer]) + no_tag_node_value_mangle=True, + get_first_key=True, + with_recursive_defaults=True) ipsec['dhcp_no_address'] = {} ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes ipsec['interface_change'] = leaf_node_changed(conf, base + ['interface']) ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel']) ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) + no_tag_node_value_mangle=True, + get_first_key=True) tmp = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) + no_tag_node_value_mangle=True, + get_first_key=True) if tmp: - ipsec['l2tp'] = tmp - l2tp_defaults = defaults(l2tp_base) - ipsec['l2tp'] = dict_merge(l2tp_defaults, ipsec['l2tp']) + ipsec['l2tp'] = conf.merge_defaults(tmp, recursive=True) ipsec['l2tp_outside_address'] = conf.return_value(['vpn', 'l2tp', 'remote-access', 'outside-address']) ipsec['l2tp_ike_default'] = 'aes256-sha1-modp1024,3des-sha1-modp1024' ipsec['l2tp_esp_default'] = 'aes256-sha1,3des-sha1' @@ -433,8 +366,9 @@ def verify(ipsec): dhcp_interface = peer_conf['dhcp_interface'] verify_interface_exists(dhcp_interface) + dhcp_base = directories['isc_dhclient_dir'] - if not os.path.exists(f'{DHCP_BASE}_{dhcp_interface}.conf'): + if not os.path.exists(f'{dhcp_base}/dhclient_{dhcp_interface}.conf'): raise ConfigError(f"Invalid dhcp-interface on site-to-site peer {peer}") address = get_dhcp_address(dhcp_interface) diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index e82862fa3..a039172c4 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -19,7 +19,6 @@ from sys import exit from vyos.base import Warning from vyos.config import Config -from vyos.configdict import dict_merge from vyos.pki import wrap_certificate from vyos.pki import wrap_private_key from vyos.template import render @@ -28,7 +27,6 @@ from vyos.utils.network import check_port_availability from vyos.utils.process import is_systemd_service_running from vyos.utils.network import is_listen_port_bind_service from vyos.utils.dict import dict_search -from vyos.xml import defaults from vyos import ConfigError from passlib.hash import sha512_crypt from time import sleep @@ -47,66 +45,6 @@ radius_servers = cfg_dir + '/radius_servers' def get_hash(password): return sha512_crypt.hash(password) - - -def _default_dict_cleanup(origin: dict, default_values: dict) -> dict: - """ - https://vyos.dev/T2665 - Clear unnecessary key values in merged config by dict_merge function - :param origin: config - :type origin: dict - :param default_values: default values - :type default_values: dict - :return: merged dict - :rtype: dict - """ - if 'mode' in origin["authentication"] and "local" in \ - origin["authentication"]["mode"]: - del origin['authentication']['local_users']['username']['otp'] - if not origin["authentication"]["local_users"]["username"]: - raise ConfigError( - 'Openconnect authentication mode local requires at least one user') - default_ocserv_usr_values = \ - default_values['authentication']['local_users']['username']['otp'] - for user, params in origin['authentication']['local_users'][ - 'username'].items(): - # Not every configuration requires OTP settings - if origin['authentication']['local_users']['username'][user].get( - 'otp'): - origin['authentication']['local_users']['username'][user][ - 'otp'] = dict_merge(default_ocserv_usr_values, - origin['authentication'][ - 'local_users']['username'][user][ - 'otp']) - - if 'mode' in origin["authentication"] and "radius" in \ - origin["authentication"]["mode"]: - del origin['authentication']['radius']['server']['port'] - if not origin["authentication"]['radius']['server']: - raise ConfigError( - 'Openconnect authentication mode radius requires at least one RADIUS server') - default_values_radius_port = \ - default_values['authentication']['radius']['server']['port'] - for server, params in origin['authentication']['radius'][ - 'server'].items(): - if 'port' not in params: - params['port'] = default_values_radius_port - - if 'mode' in origin["accounting"] and "radius" in \ - origin["accounting"]["mode"]: - del origin['accounting']['radius']['server']['port'] - if not origin["accounting"]['radius']['server']: - raise ConfigError( - 'Openconnect accounting mode radius requires at least one RADIUS server') - default_values_radius_port = \ - default_values['accounting']['radius']['server']['port'] - for server, params in origin['accounting']['radius'][ - 'server'].items(): - if 'port' not in params: - params['port'] = default_values_radius_port - return origin - - def get_config(config=None): if config: conf = config @@ -116,16 +54,14 @@ def get_config(config=None): if not conf.exists(base): return None - ocserv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - ocserv = dict_merge(default_values, ocserv) - # workaround a "know limitation" - https://vyos.dev/T2665 - ocserv = _default_dict_cleanup(ocserv, default_values) + ocserv = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + if ocserv: ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) + no_tag_node_value_mangle=True, + get_first_key=True) return ocserv @@ -142,6 +78,8 @@ def verify(ocserv): # Check accounting if "accounting" in ocserv: if "mode" in ocserv["accounting"] and "radius" in ocserv["accounting"]["mode"]: + if not origin["accounting"]['radius']['server']: + raise ConfigError('Openconnect accounting mode radius requires at least one RADIUS server') if "authentication" not in ocserv or "mode" not in ocserv["authentication"]: raise ConfigError('Accounting depends on OpenConnect authentication configuration') elif "radius" not in ocserv["authentication"]["mode"]: @@ -150,9 +88,13 @@ def verify(ocserv): # Check authentication if "authentication" in ocserv: if "mode" in ocserv["authentication"]: - if "local" in ocserv["authentication"]["mode"]: - if "radius" in ocserv["authentication"]["mode"]: + if ("local" in ocserv["authentication"]["mode"] and + "radius" in ocserv["authentication"]["mode"]): raise ConfigError('OpenConnect authentication modes are mutually-exclusive, remove either local or radius from your configuration') + if "radius" in ocserv["authentication"]["mode"]: + if not ocserv["authentication"]['radius']['server']: + raise ConfigError('Openconnect authentication mode radius requires at least one RADIUS server') + if "local" in ocserv["authentication"]["mode"]: if not ocserv["authentication"]["local_users"]: raise ConfigError('openconnect mode local required at least one user') if not ocserv["authentication"]["local_users"]["username"]: diff --git a/src/conf_mode/vpp.py b/src/conf_mode/vpp.py index 80ce1e8e3..82c2f236e 100755 --- a/src/conf_mode/vpp.py +++ b/src/conf_mode/vpp.py @@ -22,7 +22,6 @@ from re import search as re_search, MULTILINE as re_M from vyos.config import Config from vyos.configdep import set_dependents, call_dependents -from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.ifconfig import Section from vyos.utils.boot import boot_configuration_complete @@ -31,7 +30,6 @@ from vyos.utils.process import rc_cmd from vyos.utils.system import sysctl_read from vyos.utils.system import sysctl_apply from vyos.template import render -from vyos.xml import defaults from vyos import ConfigError from vyos import airbag @@ -94,28 +92,18 @@ def get_config(config=None): if not conf.exists(base): return {'removed_ifaces': removed_ifaces} - config = conf.get_config_dict(base, + config = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, get_first_key=True, - key_mangling=('-', '_'), - no_tag_node_value_mangle=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - if 'interface' in default_values: - del default_values['interface'] - config = dict_merge(default_values, config) + with_recursive_defaults=True) if 'interface' in config: for iface, iface_config in config['interface'].items(): - default_values_iface = defaults(base + ['interface']) - config['interface'][iface] = dict_merge(default_values_iface, config['interface'][iface]) # add an interface to a list of interfaces that need # to be reinitialized after the commit set_dependents('ethernet', conf, iface) - # Get PCI address auto - for iface, iface_config in config['interface'].items(): + # Get PCI address auto if iface_config['pci'] == 'auto': config['interface'][iface]['pci'] = _get_pci_address_by_interface(iface) diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook index 49bb18372..35721d009 100644 --- a/src/etc/dhcp/dhclient-exit-hooks.d/03-vyatta-dhclient-hook +++ b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook @@ -28,7 +28,8 @@ if [[ $reason =~ ^(REBOOT6|INIT6|EXPIRE6|RELEASE6|STOP6|INFORM6|BOUND6|REBIND6|D fi if [ "$RUN" = "yes" ]; then - LOG=/var/lib/dhcp/dhclient_"$interface"."$proto"lease + BASE_PATH=$(python3 -c "from vyos.defaults import directories; print(directories['isc_dhclient_dir'])") + LOG=${BASE_PATH}/dhclient_"$interface"."$proto"lease echo `date` > $LOG for i in reason interface new_expiry new_dhcp_lease_time medium \ diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py index 2036ca72e..7e2fe2462 100755 --- a/src/helpers/vyos-domain-resolver.py +++ b/src/helpers/vyos-domain-resolver.py @@ -26,7 +26,7 @@ from vyos.utils.commit import commit_in_progress from vyos.utils.dict import dict_search_args from vyos.utils.process import cmd from vyos.utils.process import run -from vyos.xml import defaults +from vyos.xml_ref import get_defaults base = ['firewall'] timeout = 300 @@ -49,13 +49,7 @@ def get_config(conf): firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - default_values = defaults(base) - for tmp in ['name', 'ipv6_name']: - if tmp in default_values: - del default_values[tmp] - - if 'zone' in default_values: - del default_values['zone'] + default_values = get_defaults(base, get_first_key=True) firewall = dict_merge(default_values, firewall) diff --git a/src/init/vyos-router b/src/init/vyos-router index 7b752b84b..96f163213 100755 --- a/src/init/vyos-router +++ b/src/init/vyos-router @@ -101,6 +101,16 @@ load_bootfile () ) } +# restore if missing pre-config script +restore_if_missing_preconfig_script () +{ + if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script ]; then + cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/ + chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script + chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-preconfig-bootup.script + fi +} + # execute the pre-config script run_preconfig_script () { @@ -109,6 +119,16 @@ run_preconfig_script () fi } +# restore if missing post-config script +restore_if_missing_postconfig_script () +{ + if [ ! -x ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script ]; then + cp ${vyos_rootfs_dir}/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ${vyatta_sysconfdir}/config/scripts/ + chgrp ${GROUP} ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script + chmod 750 ${vyatta_sysconfdir}/config/scripts/vyos-postconfig-bootup.script + fi +} + # execute the post-config scripts run_postconfig_scripts () { @@ -360,6 +380,8 @@ start () log_daemon_msg "Starting VyOS router" disabled migrate || migrate_bootfile + restore_if_missing_preconfig_script + run_preconfig_script run_postupgrade_script @@ -384,6 +406,8 @@ start () telinit q chmod g-w,o-w / + restore_if_missing_postconfig_script + run_postconfig_scripts } diff --git a/src/migration-scripts/bgp/0-to-1 b/src/migration-scripts/bgp/0-to-1 index 5e9dffe1f..03c45107b 100755 --- a/src/migration-scripts/bgp/0-to-1 +++ b/src/migration-scripts/bgp/0-to-1 @@ -21,7 +21,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/bgp/1-to-2 b/src/migration-scripts/bgp/1-to-2 index e2d3fcd33..96b939b47 100755 --- a/src/migration-scripts/bgp/1-to-2 +++ b/src/migration-scripts/bgp/1-to-2 @@ -21,7 +21,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/bgp/2-to-3 b/src/migration-scripts/bgp/2-to-3 index 7ced0a3b0..34d321a96 100755 --- a/src/migration-scripts/bgp/2-to-3 +++ b/src/migration-scripts/bgp/2-to-3 @@ -21,7 +21,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/bgp/3-to-4 b/src/migration-scripts/bgp/3-to-4 index 0df2fbec4..894cdda2b 100755 --- a/src/migration-scripts/bgp/3-to-4 +++ b/src/migration-scripts/bgp/3-to-4 @@ -22,7 +22,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/config-management/0-to-1 b/src/migration-scripts/config-management/0-to-1 index 344359110..6528fd136 100755 --- a/src/migration-scripts/config-management/0-to-1 +++ b/src/migration-scripts/config-management/0-to-1 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/conntrack-sync/1-to-2 b/src/migration-scripts/conntrack-sync/1-to-2 index ebbd8c35a..a8e1007f3 100755 --- a/src/migration-scripts/conntrack-sync/1-to-2 +++ b/src/migration-scripts/conntrack-sync/1-to-2 @@ -23,7 +23,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/conntrack/1-to-2 b/src/migration-scripts/conntrack/1-to-2 index 4fc88a1ed..c4fe667fc 100755 --- a/src/migration-scripts/conntrack/1-to-2 +++ b/src/migration-scripts/conntrack/1-to-2 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/conntrack/2-to-3 b/src/migration-scripts/conntrack/2-to-3 index 8a8b43279..6fb457b7f 100755 --- a/src/migration-scripts/conntrack/2-to-3 +++ b/src/migration-scripts/conntrack/2-to-3 @@ -8,7 +8,7 @@ import sys from vyos.configtree import ConfigTree from vyos.version import get_version -if len(sys.argv) < 1: +if len(sys.argv) < 2: print('Must specify file name!') sys.exit(1) diff --git a/src/migration-scripts/container/0-to-1 b/src/migration-scripts/container/0-to-1 index 86f89ee04..6b282e082 100755 --- a/src/migration-scripts/container/0-to-1 +++ b/src/migration-scripts/container/0-to-1 @@ -23,7 +23,7 @@ import sys from vyos.configtree import ConfigTree from vyos.utils.process import call -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/dhcp-relay/1-to-2 b/src/migration-scripts/dhcp-relay/1-to-2 index b72da1028..508bac6be 100755 --- a/src/migration-scripts/dhcp-relay/1-to-2 +++ b/src/migration-scripts/dhcp-relay/1-to-2 @@ -7,7 +7,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/dhcp-server/4-to-5 b/src/migration-scripts/dhcp-server/4-to-5 index 313b5279a..d15e0baf5 100755 --- a/src/migration-scripts/dhcp-server/4-to-5 +++ b/src/migration-scripts/dhcp-server/4-to-5 @@ -9,7 +9,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/dhcp-server/5-to-6 b/src/migration-scripts/dhcp-server/5-to-6 index aefe84737..f5c766a09 100755 --- a/src/migration-scripts/dhcp-server/5-to-6 +++ b/src/migration-scripts/dhcp-server/5-to-6 @@ -20,7 +20,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/dhcpv6-server/0-to-1 b/src/migration-scripts/dhcpv6-server/0-to-1 index 6f1150da1..deae1ca29 100755 --- a/src/migration-scripts/dhcpv6-server/0-to-1 +++ b/src/migration-scripts/dhcpv6-server/0-to-1 @@ -19,7 +19,7 @@ from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/dns-dynamic/0-to-1 b/src/migration-scripts/dns-dynamic/0-to-1 index cf0983b01..d80e8d44a 100755 --- a/src/migration-scripts/dns-dynamic/0-to-1 +++ b/src/migration-scripts/dns-dynamic/0-to-1 @@ -43,7 +43,7 @@ service_protocol_mapping = { 'zoneedit': 'zoneedit1' } -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/dns-forwarding/0-to-1 b/src/migration-scripts/dns-forwarding/0-to-1 index 6e8720eef..7f4343652 100755 --- a/src/migration-scripts/dns-forwarding/0-to-1 +++ b/src/migration-scripts/dns-forwarding/0-to-1 @@ -22,7 +22,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/dns-forwarding/1-to-2 b/src/migration-scripts/dns-forwarding/1-to-2 index a8c930be7..7df2d47e2 100755 --- a/src/migration-scripts/dns-forwarding/1-to-2 +++ b/src/migration-scripts/dns-forwarding/1-to-2 @@ -25,7 +25,7 @@ from sys import argv, exit from vyos.ifconfig import Interface from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/dns-forwarding/2-to-3 b/src/migration-scripts/dns-forwarding/2-to-3 index 01e445b22..d7ff9e260 100755 --- a/src/migration-scripts/dns-forwarding/2-to-3 +++ b/src/migration-scripts/dns-forwarding/2-to-3 @@ -21,7 +21,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/dns-forwarding/3-to-4 b/src/migration-scripts/dns-forwarding/3-to-4 index 55165c2c5..3d5316ed4 100755 --- a/src/migration-scripts/dns-forwarding/3-to-4 +++ b/src/migration-scripts/dns-forwarding/3-to-4 @@ -20,7 +20,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 new file mode 100755 index 000000000..716c5a240 --- /dev/null +++ b/src/migration-scripts/firewall/10-to-11 @@ -0,0 +1,374 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# T5160: Firewall re-writing + +# cli changes from: +# set firewall name <name> ... +# set firewall ipv6-name <name> ... +# To +# set firewall ipv4 name <name> +# set firewall ipv6 name <name> + +## Also from 'firewall interface' removed. +## in and out: + # set firewall interface <iface> [in|out] [name | ipv6-name] <name> + # To + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name <iface> + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> jump-target <name> +## local: + # set firewall interface <iface> local [name | ipv6-name] <name> + # To + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name <iface> + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target <name> + +import re + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree +from vyos.ifconfig import Section + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['firewall'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) + +### Migration of state policies +if config.exists(base + ['state-policy']): + for family in ['ipv4', 'ipv6']: + for hook in ['forward', 'input', 'output']: + for priority in ['filter']: + # Add default-action== accept for compatibility reasons: + config.set(base + [family, hook, priority, 'default-action'], value='accept') + position = 1 + for state in config.list_nodes(base + ['state-policy']): + action = config.return_value(base + ['state-policy', state, 'action']) + config.set(base + [family, hook, priority, 'rule']) + config.set_tag(base + [family, hook, priority, 'rule']) + config.set(base + [family, hook, priority, 'rule', position, 'state', state], value='enable') + config.set(base + [family, hook, priority, 'rule', position, 'action'], value=action) + position = position + 1 + config.delete(base + ['state-policy']) + +## migration of global options: +for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians', + 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']: + if config.exists(base + [option]): + if option != 'config-trap': + val = config.return_value(base + [option]) + config.set(base + ['global-options', option], value=val) + config.delete(base + [option]) + +### Migration of firewall name and ipv6-name +if config.exists(base + ['name']): + config.set(['firewall', 'ipv4', 'name']) + config.set_tag(['firewall', 'ipv4', 'name']) + + for ipv4name in config.list_nodes(base + ['name']): + config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) + config.delete(base + ['name']) + +if config.exists(base + ['ipv6-name']): + config.set(['firewall', 'ipv6', 'name']) + config.set_tag(['firewall', 'ipv6', 'name']) + + for ipv6name in config.list_nodes(base + ['ipv6-name']): + config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name]) + config.delete(base + ['ipv6-name']) + +### Migration of firewall interface +if config.exists(base + ['interface']): + fwd_ipv4_rule = 5 + inp_ipv4_rule = 5 + fwd_ipv6_rule = 5 + inp_ipv6_rule = 5 + for iface in config.list_nodes(base + ['interface']): + for direction in ['in', 'out', 'local']: + if config.exists(base + ['interface', iface, direction]): + if config.exists(base + ['interface', iface, direction, 'name']): + target = config.return_value(base + ['interface', iface, direction, 'name']) + if direction == 'in': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target) + fwd_ipv4_rule = fwd_ipv4_rule + 5 + elif direction == 'out': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target) + fwd_ipv4_rule = fwd_ipv4_rule + 5 + else: + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'input', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [inp_ipv4_rule, 'action'], value='jump') + config.set(new_base + [inp_ipv4_rule, 'jump-target'], value=target) + inp_ipv4_rule = inp_ipv4_rule + 5 + + if config.exists(base + ['interface', iface, direction, 'ipv6-name']): + target = config.return_value(base + ['interface', iface, direction, 'ipv6-name']) + if direction == 'in': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv6', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target) + fwd_ipv6_rule = fwd_ipv6_rule + 5 + elif direction == 'out': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv6', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv6_rule, 'outbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target) + fwd_ipv6_rule = fwd_ipv6_rule + 5 + else: + new_base = base + ['ipv6', 'input', 'filter', 'rule'] + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept') + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [inp_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [inp_ipv6_rule, 'action'], value='jump') + config.set(new_base + [inp_ipv6_rule, 'jump-target'], value=target) + inp_ipv6_rule = inp_ipv6_rule + 5 + + config.delete(base + ['interface']) + + +### Migration of zones: +### User interface groups +if config.exists(base + ['zone']): + inp_ipv4_rule = 101 + inp_ipv6_rule = 101 + fwd_ipv4_rule = 101 + fwd_ipv6_rule = 101 + out_ipv4_rule = 101 + out_ipv6_rule = 101 + local_zone = 'False' + + for zone in config.list_nodes(base + ['zone']): + if config.exists(base + ['zone', zone, 'local-zone']): + local_zone = 'True' + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept') + for from_zone in config.list_nodes(base + ['zone', zone, 'from']): + group_name = 'IG_' + from_zone + if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']): + # ipv4 input ruleset + target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + inp_ipv4_rule = inp_ipv4_rule + 5 + if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): + # ipv6 input ruleset + target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']) + config.set(base + ['ipv6', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv6', 'input', 'filter', 'rule']) + config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value='jump') + config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'jump-target'], value=target_ipv6_chain) + inp_ipv6_rule = inp_ipv6_rule + 5 + + # Migrate: set firewall zone <zone> default-action <action> + # Options: drop or reject. If not specified, is drop + if config.exists(base + ['zone', zone, 'default-action']): + local_def_action = config.return_value(base + ['zone', zone, 'default-action']) + else: + local_def_action = 'drop' + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv6', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv6', 'input', 'filter', 'rule']) + config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action) + if config.exists(base + ['zone', zone, 'enable-default-log']): + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable') + + else: + # It's not a local zone + group_name = 'IG_' + zone + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') + # intra-filtering migration. By default accept + intra_zone_ipv4_action = 'accept' + intra_zone_ipv6_action = 'accept' + + if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'action']): + intra_zone_ipv4_action = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'action']) + intra_zone_ipv6_action = intra_zone_ipv4_action + else: + if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']): + intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']) + intra_zone_ipv4_action = 'jump' + if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): + intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) + intra_zone_ipv6_action = 'jump' + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) + config.set(base + ['ipv6', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=intra_zone_ipv6_action) + if intra_zone_ipv4_action == 'jump': + if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']): + intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) + if intra_zone_ipv6_action == 'jump': + if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): + intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=intra_zone_ipv6_target) + fwd_ipv4_rule = fwd_ipv4_rule + 5 + fwd_ipv6_rule = fwd_ipv6_rule + 5 + + if config.exists(base + ['zone', zone, 'interface']): + # Create interface group IG_<zone> + group_name = 'IG_' + zone + config.set(base + ['group', 'interface-group'], value=group_name) + config.set_tag(base + ['group', 'interface-group']) + for iface in config.return_values(base + ['zone', zone, 'interface']): + config.set(base + ['group', 'interface-group', group_name, 'interface'], value=iface, replace=False) + + if config.exists(base + ['zone', zone, 'from']): + for from_zone in config.list_nodes(base + ['zone', zone, 'from']): + from_group = 'IG_' + from_zone + if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']): + target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) + if config.exists(base + ['zone', from_zone, 'local-zone']): + # It's from LOCAL zone -> Output filtering + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + out_ipv4_rule = out_ipv4_rule + 5 + else: + # It's not LOCAL zone -> forward filtering + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + fwd_ipv4_rule = fwd_ipv4_rule + 5 + if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): + target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']) + if config.exists(base + ['zone', from_zone, 'local-zone']): + # It's from LOCAL zone -> Output filtering + config.set(base + ['ipv6', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv6', 'output', 'filter', 'rule']) + config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value='jump') + config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'jump-target'], value=target_ipv6_chain) + out_ipv6_rule = out_ipv6_rule + 5 + else: + # It's not LOCAL zone -> forward filtering + config.set(base + ['ipv6', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=from_group) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value='jump') + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=target_ipv6_chain) + fwd_ipv6_rule = fwd_ipv6_rule + 5 + + ## Now need to migrate: set firewall zone <zone> default-action <action> # action=drop if not specified. + if config.exists(base + ['zone', zone, 'default-action']): + def_action = config.return_value(base + ['zone', zone, 'default-action']) + else: + def_action = 'drop' + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) + description = 'zone_' + zone + ' default-action' + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) + config.set(base + ['ipv6', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=def_action) + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description) + + if config.exists(base + ['zone', zone, 'enable-default-log']): + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable') + fwd_ipv4_rule = fwd_ipv4_rule + 5 + fwd_ipv6_rule = fwd_ipv6_rule + 5 + + # Migrate default-action (force to be drop in output chain) if local zone is defined + if local_zone == 'True': + # General drop in output change if needed + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv6', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv6', 'output', 'filter', 'rule']) + config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action) + + config.delete(base + ['zone']) + +###### END migration zones + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1)
\ No newline at end of file diff --git a/src/migration-scripts/firewall/5-to-6 b/src/migration-scripts/firewall/5-to-6 index ccb86830a..e1eaea7a1 100755 --- a/src/migration-scripts/firewall/5-to-6 +++ b/src/migration-scripts/firewall/5-to-6 @@ -23,7 +23,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) @@ -46,12 +46,54 @@ for interface in config.list_nodes(base): if config.exists(base + [interface, 'adjust-mss']): section = Section.section(interface) tmp = config.return_value(base + [interface, 'adjust-mss']) - config.set(['interfaces', section, interface, 'ip', 'adjust-mss'], value=tmp) + + vlan = interface.split('.') + base_interface_path = ['interfaces', section, vlan[0]] + + if len(vlan) == 1: + # Normal interface, no VLAN + config.set(base_interface_path + ['ip', 'adjust-mss'], value=tmp) + elif len(vlan) == 2: + # Regular VIF or VIF-S interface - we need to check the config + vif = vlan[1] + if config.exists(base_interface_path + ['vif', vif]): + config.set(base_interface_path + ['vif', vif, 'ip', 'adjust-mss'], value=tmp) + elif config.exists(base_interface_path + ['vif-s', vif]): + config.set(base_interface_path + ['vif-s', vif, 'ip', 'adjust-mss'], value=tmp) + elif len(vlan) == 3: + # VIF-S interface with VIF-C subinterface + vif_s = vlan[1] + vif_c = vlan[2] + config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ip', 'adjust-mss'], value=tmp) + config.set_tag(base_interface_path + ['vif-s']) + config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c']) if config.exists(base + [interface, 'adjust-mss6']): section = Section.section(interface) tmp = config.return_value(base + [interface, 'adjust-mss6']) - config.set(['interfaces', section, interface, 'ipv6', 'adjust-mss'], value=tmp) + + vlan = interface.split('.') + base_interface_path = ['interfaces', section, vlan[0]] + + if len(vlan) == 1: + # Normal interface, no VLAN + config.set(['interfaces', section, interface, 'ipv6', 'adjust-mss'], value=tmp) + elif len(vlan) == 2: + # Regular VIF or VIF-S interface - we need to check the config + vif = vlan[1] + if config.exists(base_interface_path + ['vif', vif]): + config.set(base_interface_path + ['vif', vif, 'ipv6', 'adjust-mss'], value=tmp) + config.set_tag(base_interface_path + ['vif']) + elif config.exists(base_interface_path + ['vif-s', vif]): + config.set(base_interface_path + ['vif-s', vif, 'ipv6', 'adjust-mss'], value=tmp) + config.set_tag(base_interface_path + ['vif-s']) + elif len(vlan) == 3: + # VIF-S interface with VIF-C subinterface + vif_s = vlan[1] + vif_c = vlan[2] + config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ipv6', 'adjust-mss'], value=tmp) + config.set_tag(base_interface_path + ['vif-s']) + config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c']) config.delete(['firewall', 'options']) diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7 index 626d6849f..9ad887acc 100755 --- a/src/migration-scripts/firewall/6-to-7 +++ b/src/migration-scripts/firewall/6-to-7 @@ -28,7 +28,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/firewall/7-to-8 b/src/migration-scripts/firewall/7-to-8 index ce527acf5..d06c3150a 100755 --- a/src/migration-scripts/firewall/7-to-8 +++ b/src/migration-scripts/firewall/7-to-8 @@ -25,7 +25,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/firewall/8-to-9 b/src/migration-scripts/firewall/8-to-9 index f7c1bb90d..d7647354a 100755 --- a/src/migration-scripts/firewall/8-to-9 +++ b/src/migration-scripts/firewall/8-to-9 @@ -28,7 +28,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/firewall/9-to-10 b/src/migration-scripts/firewall/9-to-10 index 6f67cc512..a70460718 100755 --- a/src/migration-scripts/firewall/9-to-10 +++ b/src/migration-scripts/firewall/9-to-10 @@ -28,7 +28,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/flow-accounting/0-to-1 b/src/migration-scripts/flow-accounting/0-to-1 index 72cce77b0..0f790fd9c 100755 --- a/src/migration-scripts/flow-accounting/0-to-1 +++ b/src/migration-scripts/flow-accounting/0-to-1 @@ -21,7 +21,7 @@ from sys import argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/https/2-to-3 b/src/migration-scripts/https/2-to-3 index fa29fdd18..2beba6d2b 100755 --- a/src/migration-scripts/https/2-to-3 +++ b/src/migration-scripts/https/2-to-3 @@ -25,7 +25,7 @@ from vyos.pki import create_private_key from vyos.pki import encode_certificate from vyos.pki import encode_private_key -if (len(sys.argv) < 2): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/https/3-to-4 b/src/migration-scripts/https/3-to-4 index 5ee528b31..b3cfca201 100755 --- a/src/migration-scripts/https/3-to-4 +++ b/src/migration-scripts/https/3-to-4 @@ -20,7 +20,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 2): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/ids/0-to-1 b/src/migration-scripts/ids/0-to-1 index 9f08f7dc7..8b7850a1a 100755 --- a/src/migration-scripts/ids/0-to-1 +++ b/src/migration-scripts/ids/0-to-1 @@ -19,7 +19,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/0-to-1 b/src/migration-scripts/interfaces/0-to-1 index c7f324661..25f6842eb 100755 --- a/src/migration-scripts/interfaces/0-to-1 +++ b/src/migration-scripts/interfaces/0-to-1 @@ -37,7 +37,7 @@ def migrate_bridge(config, tree, intf): if __name__ == '__main__': - if (len(sys.argv) < 1): + if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/interfaces/1-to-2 b/src/migration-scripts/interfaces/1-to-2 index c75404d85..c95623c2b 100755 --- a/src/migration-scripts/interfaces/1-to-2 +++ b/src/migration-scripts/interfaces/1-to-2 @@ -7,7 +7,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/interfaces/10-to-11 b/src/migration-scripts/interfaces/10-to-11 index 6b8e49ed9..cafaa3fa4 100755 --- a/src/migration-scripts/interfaces/10-to-11 +++ b/src/migration-scripts/interfaces/10-to-11 @@ -23,7 +23,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/11-to-12 b/src/migration-scripts/interfaces/11-to-12 index 0dad24642..e9eb7f939 100755 --- a/src/migration-scripts/interfaces/11-to-12 +++ b/src/migration-scripts/interfaces/11-to-12 @@ -22,7 +22,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/12-to-13 b/src/migration-scripts/interfaces/12-to-13 index f866ca9a6..ef1d93903 100755 --- a/src/migration-scripts/interfaces/12-to-13 +++ b/src/migration-scripts/interfaces/12-to-13 @@ -24,7 +24,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/13-to-14 b/src/migration-scripts/interfaces/13-to-14 index 6e6439c36..b20d8b4db 100755 --- a/src/migration-scripts/interfaces/13-to-14 +++ b/src/migration-scripts/interfaces/13-to-14 @@ -21,7 +21,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/14-to-15 b/src/migration-scripts/interfaces/14-to-15 index c38db0bf8..e21251f86 100755 --- a/src/migration-scripts/interfaces/14-to-15 +++ b/src/migration-scripts/interfaces/14-to-15 @@ -20,7 +20,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/15-to-16 b/src/migration-scripts/interfaces/15-to-16 index 804c48be0..ae3441b9f 100755 --- a/src/migration-scripts/interfaces/15-to-16 +++ b/src/migration-scripts/interfaces/15-to-16 @@ -20,7 +20,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/16-to-17 b/src/migration-scripts/interfaces/16-to-17 index d123be06f..75f160686 100755 --- a/src/migration-scripts/interfaces/16-to-17 +++ b/src/migration-scripts/interfaces/16-to-17 @@ -21,7 +21,7 @@ import sys from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(sys.argv) < 1): + if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) @@ -35,7 +35,7 @@ if __name__ == '__main__': if not config.exists(base): # Nothing to do sys.exit(0) - + for interface in config.list_nodes(base): mirror_old_base = base + [interface, 'mirror'] if config.exists(mirror_old_base): @@ -43,7 +43,7 @@ if __name__ == '__main__': if config.exists(mirror_old_base): config.delete(mirror_old_base) config.set(mirror_old_base + ['ingress'],intf[0]) - + try: with open(file_name, 'w') as f: f.write(config.to_string()) diff --git a/src/migration-scripts/interfaces/17-to-18 b/src/migration-scripts/interfaces/17-to-18 index b8cb8c119..51486ac37 100755 --- a/src/migration-scripts/interfaces/17-to-18 +++ b/src/migration-scripts/interfaces/17-to-18 @@ -22,7 +22,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/18-to-19 b/src/migration-scripts/interfaces/18-to-19 index a12c4a6cd..c3209f250 100755 --- a/src/migration-scripts/interfaces/18-to-19 +++ b/src/migration-scripts/interfaces/18-to-19 @@ -41,7 +41,7 @@ def replace_nat_interfaces(config, old, new): if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/19-to-20 b/src/migration-scripts/interfaces/19-to-20 index e96663e54..05abae898 100755 --- a/src/migration-scripts/interfaces/19-to-20 +++ b/src/migration-scripts/interfaces/19-to-20 @@ -19,7 +19,7 @@ from sys import exit from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/2-to-3 b/src/migration-scripts/interfaces/2-to-3 index 68d41de39..15c3bc8be 100755 --- a/src/migration-scripts/interfaces/2-to-3 +++ b/src/migration-scripts/interfaces/2-to-3 @@ -7,7 +7,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/interfaces/20-to-21 b/src/migration-scripts/interfaces/20-to-21 index cb1c36882..14ad0fe4d 100755 --- a/src/migration-scripts/interfaces/20-to-21 +++ b/src/migration-scripts/interfaces/20-to-21 @@ -23,7 +23,7 @@ from sys import argv from vyos.ethtool import Ethtool from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/21-to-22 b/src/migration-scripts/interfaces/21-to-22 index 098102102..1838eb1c0 100755 --- a/src/migration-scripts/interfaces/21-to-22 +++ b/src/migration-scripts/interfaces/21-to-22 @@ -17,7 +17,7 @@ from sys import argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23 index 06e07572f..8b21fce51 100755 --- a/src/migration-scripts/interfaces/22-to-23 +++ b/src/migration-scripts/interfaces/22-to-23 @@ -75,7 +75,7 @@ def migrate_ripng(config, path, interface): config.delete(path[:-1]) if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/23-to-24 b/src/migration-scripts/interfaces/23-to-24 index d1ec2ad3e..8fd79ecc6 100755 --- a/src/migration-scripts/interfaces/23-to-24 +++ b/src/migration-scripts/interfaces/23-to-24 @@ -22,7 +22,7 @@ import sys from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(sys.argv) < 1): + if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/interfaces/24-to-25 b/src/migration-scripts/interfaces/24-to-25 index f3a1dc464..9aa6ea5e3 100755 --- a/src/migration-scripts/interfaces/24-to-25 +++ b/src/migration-scripts/interfaces/24-to-25 @@ -53,7 +53,7 @@ def read_file_for_pki(config_auth_path): return output -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/interfaces/25-to-26 b/src/migration-scripts/interfaces/25-to-26 index a8936235e..4967a29fa 100755 --- a/src/migration-scripts/interfaces/25-to-26 +++ b/src/migration-scripts/interfaces/25-to-26 @@ -22,7 +22,7 @@ from sys import argv from vyos.ethtool import Ethtool from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/26-to-27 b/src/migration-scripts/interfaces/26-to-27 index 949cc55b6..a0d043d11 100755 --- a/src/migration-scripts/interfaces/26-to-27 +++ b/src/migration-scripts/interfaces/26-to-27 @@ -22,7 +22,7 @@ from sys import argv from vyos.ethtool import Ethtool from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/27-to-28 b/src/migration-scripts/interfaces/27-to-28 index e36c95cc9..ad5bfa653 100755 --- a/src/migration-scripts/interfaces/27-to-28 +++ b/src/migration-scripts/interfaces/27-to-28 @@ -22,7 +22,7 @@ from sys import argv from vyos.ethtool import Ethtool from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/28-to-29 b/src/migration-scripts/interfaces/28-to-29 index 64c649b02..acb6ee1fb 100755 --- a/src/migration-scripts/interfaces/28-to-29 +++ b/src/migration-scripts/interfaces/28-to-29 @@ -21,7 +21,7 @@ from sys import argv from vyos.ethtool import Ethtool from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/29-to-30 b/src/migration-scripts/interfaces/29-to-30 new file mode 100755 index 000000000..97e1b329c --- /dev/null +++ b/src/migration-scripts/interfaces/29-to-30 @@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# Deletes Wireguard peers if they have the same public key as the router has. +import sys +from vyos.configtree import ConfigTree +from vyos.utils.network import is_wireguard_key_pair + +if __name__ == '__main__': + if len(sys.argv) < 2: + print("Must specify file name!") + sys.exit(1) + + file_name = sys.argv[1] + + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + base = ['interfaces', 'wireguard'] + if not config.exists(base): + # Nothing to do + sys.exit(0) + for interface in config.list_nodes(base): + private_key = config.return_value(base + [interface, 'private-key']) + interface_base = base + [interface] + if config.exists(interface_base + ['peer']): + for peer in config.list_nodes(interface_base + ['peer']): + peer_base = interface_base + ['peer', peer] + peer_public_key = config.return_value(peer_base + ['public-key']) + if config.exists(peer_base + ['public-key']): + if not config.exists(peer_base + ['disable']) \ + and is_wireguard_key_pair(private_key, peer_public_key): + config.set(peer_base + ['disable']) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/migration-scripts/interfaces/3-to-4 b/src/migration-scripts/interfaces/3-to-4 index e3bd25a68..c7fd7d01d 100755 --- a/src/migration-scripts/interfaces/3-to-4 +++ b/src/migration-scripts/interfaces/3-to-4 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/interfaces/4-to-5 b/src/migration-scripts/interfaces/4-to-5 index f645c5aeb..68d81e846 100755 --- a/src/migration-scripts/interfaces/4-to-5 +++ b/src/migration-scripts/interfaces/4-to-5 @@ -57,7 +57,7 @@ def migrate_dialer(config, tree, intf): if __name__ == '__main__': - if (len(sys.argv) < 1): + if len(sys.argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/5-to-6 b/src/migration-scripts/interfaces/5-to-6 index ae79c1d1b..9d9a49c2d 100755 --- a/src/migration-scripts/interfaces/5-to-6 +++ b/src/migration-scripts/interfaces/5-to-6 @@ -98,7 +98,7 @@ def copy_rtradv(c, old_base, interface): c.delete(new_base + ['link-mtu']) if __name__ == '__main__': - if (len(sys.argv) < 1): + if len(sys.argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/6-to-7 b/src/migration-scripts/interfaces/6-to-7 index 220c7e601..49b853d90 100755 --- a/src/migration-scripts/interfaces/6-to-7 +++ b/src/migration-scripts/interfaces/6-to-7 @@ -20,7 +20,7 @@ import sys from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(sys.argv) < 1): + if len(sys.argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/7-to-8 b/src/migration-scripts/interfaces/7-to-8 index 9845098a7..9343a48a8 100755 --- a/src/migration-scripts/interfaces/7-to-8 +++ b/src/migration-scripts/interfaces/7-to-8 @@ -37,7 +37,7 @@ def migrate_default_keys(): os.rename(f'{kdir}/public.key', f'{location}/public.key') if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/8-to-9 b/src/migration-scripts/interfaces/8-to-9 index 2d1efd418..960962be7 100755 --- a/src/migration-scripts/interfaces/8-to-9 +++ b/src/migration-scripts/interfaces/8-to-9 @@ -22,7 +22,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/interfaces/9-to-10 b/src/migration-scripts/interfaces/9-to-10 index 4aa2c42b5..e9b8cb784 100755 --- a/src/migration-scripts/interfaces/9-to-10 +++ b/src/migration-scripts/interfaces/9-to-10 @@ -23,7 +23,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipoe-server/0-to-1 b/src/migration-scripts/ipoe-server/0-to-1 index d768758ba..ac9d13abc 100755 --- a/src/migration-scripts/ipoe-server/0-to-1 +++ b/src/migration-scripts/ipoe-server/0-to-1 @@ -26,7 +26,7 @@ import sys from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipsec/10-to-11 b/src/migration-scripts/ipsec/10-to-11 index 0707a5e3c..509216267 100755 --- a/src/migration-scripts/ipsec/10-to-11 +++ b/src/migration-scripts/ipsec/10-to-11 @@ -20,7 +20,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipsec/11-to-12 b/src/migration-scripts/ipsec/11-to-12 index 8bbde5efa..e34882c23 100755 --- a/src/migration-scripts/ipsec/11-to-12 +++ b/src/migration-scripts/ipsec/11-to-12 @@ -23,7 +23,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipsec/4-to-5 b/src/migration-scripts/ipsec/4-to-5 index 4e959a7bf..772d05787 100755 --- a/src/migration-scripts/ipsec/4-to-5 +++ b/src/migration-scripts/ipsec/4-to-5 @@ -20,7 +20,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6 index 3a8b3926d..7d7c777c6 100755 --- a/src/migration-scripts/ipsec/5-to-6 +++ b/src/migration-scripts/ipsec/5-to-6 @@ -23,7 +23,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipsec/6-to-7 b/src/migration-scripts/ipsec/6-to-7 index 649a18cb3..71fbbe8a1 100755 --- a/src/migration-scripts/ipsec/6-to-7 +++ b/src/migration-scripts/ipsec/6-to-7 @@ -29,7 +29,7 @@ from vyos.pki import encode_certificate from vyos.pki import encode_private_key from vyos.utils.process import run -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipsec/7-to-8 b/src/migration-scripts/ipsec/7-to-8 index 5d48b2875..e002db0b1 100755 --- a/src/migration-scripts/ipsec/7-to-8 +++ b/src/migration-scripts/ipsec/7-to-8 @@ -31,7 +31,7 @@ from vyos.pki import load_private_key from vyos.pki import encode_public_key from vyos.pki import encode_private_key -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipsec/8-to-9 b/src/migration-scripts/ipsec/8-to-9 index eb44b6216..c08411f83 100755 --- a/src/migration-scripts/ipsec/8-to-9 +++ b/src/migration-scripts/ipsec/8-to-9 @@ -19,7 +19,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ipsec/9-to-10 b/src/migration-scripts/ipsec/9-to-10 index de366ef3b..a4a71d38e 100755 --- a/src/migration-scripts/ipsec/9-to-10 +++ b/src/migration-scripts/ipsec/9-to-10 @@ -24,7 +24,7 @@ from vyos.template import is_ipv4 from vyos.template import is_ipv6 -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/isis/0-to-1 b/src/migration-scripts/isis/0-to-1 index b75a7f72c..0149c0c1f 100755 --- a/src/migration-scripts/isis/0-to-1 +++ b/src/migration-scripts/isis/0-to-1 @@ -21,7 +21,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/isis/1-to-2 b/src/migration-scripts/isis/1-to-2 index f914ea995..9c110bf2a 100755 --- a/src/migration-scripts/isis/1-to-2 +++ b/src/migration-scripts/isis/1-to-2 @@ -21,7 +21,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/isis/2-to-3 b/src/migration-scripts/isis/2-to-3 index 4490feb0a..78e3c1715 100755 --- a/src/migration-scripts/isis/2-to-3 +++ b/src/migration-scripts/isis/2-to-3 @@ -22,7 +22,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/l2tp/0-to-1 b/src/migration-scripts/l2tp/0-to-1 index 686ebc655..15d229822 100755 --- a/src/migration-scripts/l2tp/0-to-1 +++ b/src/migration-scripts/l2tp/0-to-1 @@ -8,7 +8,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/l2tp/1-to-2 b/src/migration-scripts/l2tp/1-to-2 index c46eba8f8..2ffb91c53 100755 --- a/src/migration-scripts/l2tp/1-to-2 +++ b/src/migration-scripts/l2tp/1-to-2 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/l2tp/2-to-3 b/src/migration-scripts/l2tp/2-to-3 index 3472ee3ed..b46b0f22e 100755 --- a/src/migration-scripts/l2tp/2-to-3 +++ b/src/migration-scripts/l2tp/2-to-3 @@ -23,7 +23,7 @@ import sys from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/l2tp/3-to-4 b/src/migration-scripts/l2tp/3-to-4 index ee6079864..8c2b909b7 100755 --- a/src/migration-scripts/l2tp/3-to-4 +++ b/src/migration-scripts/l2tp/3-to-4 @@ -29,7 +29,7 @@ from vyos.pki import encode_certificate from vyos.pki import encode_private_key from vyos.utils.process import run -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/lldp/0-to-1 b/src/migration-scripts/lldp/0-to-1 index 5f66570e7..a936cbdfc 100755 --- a/src/migration-scripts/lldp/0-to-1 +++ b/src/migration-scripts/lldp/0-to-1 @@ -7,7 +7,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/monitoring/0-to-1 b/src/migration-scripts/monitoring/0-to-1 index 803cdb49c..384d22f8c 100755 --- a/src/migration-scripts/monitoring/0-to-1 +++ b/src/migration-scripts/monitoring/0-to-1 @@ -21,7 +21,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/nat/4-to-5 b/src/migration-scripts/nat/4-to-5 index b791996e2..ce215d455 100755 --- a/src/migration-scripts/nat/4-to-5 +++ b/src/migration-scripts/nat/4-to-5 @@ -20,7 +20,7 @@ from sys import argv,exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/nat66/0-to-1 b/src/migration-scripts/nat66/0-to-1 index 83b421926..444b2315f 100755 --- a/src/migration-scripts/nat66/0-to-1 +++ b/src/migration-scripts/nat66/0-to-1 @@ -17,7 +17,7 @@ from sys import argv,exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ntp/0-to-1 b/src/migration-scripts/ntp/0-to-1 index 294964580..cbce45b9b 100755 --- a/src/migration-scripts/ntp/0-to-1 +++ b/src/migration-scripts/ntp/0-to-1 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/ntp/1-to-2 b/src/migration-scripts/ntp/1-to-2 index d1e510e4c..fd1f15d91 100755 --- a/src/migration-scripts/ntp/1-to-2 +++ b/src/migration-scripts/ntp/1-to-2 @@ -20,7 +20,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/ntp/2-to-3 b/src/migration-scripts/ntp/2-to-3 index 7d4e0bd83..a4351845e 100755 --- a/src/migration-scripts/ntp/2-to-3 +++ b/src/migration-scripts/ntp/2-to-3 @@ -24,7 +24,7 @@ from vyos.configtree import ConfigTree from vyos.template import is_ipv4 from vyos.template import is_ipv6 -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/openconnect/0-to-1 b/src/migration-scripts/openconnect/0-to-1 index b26023a5b..8be15fad1 100755 --- a/src/migration-scripts/openconnect/0-to-1 +++ b/src/migration-scripts/openconnect/0-to-1 @@ -28,7 +28,7 @@ from vyos.pki import encode_certificate from vyos.pki import encode_private_key from vyos.utils.process import run -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/openconnect/1-to-2 b/src/migration-scripts/openconnect/1-to-2 index 51cd6bc37..7978aa56e 100755 --- a/src/migration-scripts/openconnect/1-to-2 +++ b/src/migration-scripts/openconnect/1-to-2 @@ -20,7 +20,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/ospf/0-to-1 b/src/migration-scripts/ospf/0-to-1 index 678569d9e..8f02acada 100755 --- a/src/migration-scripts/ospf/0-to-1 +++ b/src/migration-scripts/ospf/0-to-1 @@ -37,7 +37,7 @@ def ospf_passive_migration(config, ospf_base): config.set(ospf_base + ['interface', interface, 'passive', 'disable']) config.delete(ospf_base + ['passive-interface-exclude']) -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ospf/1-to-2 b/src/migration-scripts/ospf/1-to-2 index a6beaf04e..ba9499c60 100755 --- a/src/migration-scripts/ospf/1-to-2 +++ b/src/migration-scripts/ospf/1-to-2 @@ -22,7 +22,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/policy/0-to-1 b/src/migration-scripts/policy/0-to-1 index 7134920ad..8508b734a 100755 --- a/src/migration-scripts/policy/0-to-1 +++ b/src/migration-scripts/policy/0-to-1 @@ -23,7 +23,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/policy/1-to-2 b/src/migration-scripts/policy/1-to-2 index eebbf9d41..c70490ce9 100755 --- a/src/migration-scripts/policy/1-to-2 +++ b/src/migration-scripts/policy/1-to-2 @@ -23,7 +23,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/policy/2-to-3 b/src/migration-scripts/policy/2-to-3 index 84cb1ff4a..8a62c8e6f 100755 --- a/src/migration-scripts/policy/2-to-3 +++ b/src/migration-scripts/policy/2-to-3 @@ -23,7 +23,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/policy/3-to-4 b/src/migration-scripts/policy/3-to-4 index 49e0b4c38..1ebb248b0 100755 --- a/src/migration-scripts/policy/3-to-4 +++ b/src/migration-scripts/policy/3-to-4 @@ -98,7 +98,7 @@ def extcommunity_migrate(config: ConfigTree, rule: list[str]) -> None: config.set(rule + ['soo'], value=community, replace=False) -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/policy/4-to-5 b/src/migration-scripts/policy/4-to-5 index 33c9e6ade..f6f889c35 100755 --- a/src/migration-scripts/policy/4-to-5 +++ b/src/migration-scripts/policy/4-to-5 @@ -24,7 +24,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/pppoe-server/0-to-1 b/src/migration-scripts/pppoe-server/0-to-1 index 063c7eb56..4d36f8545 100755 --- a/src/migration-scripts/pppoe-server/0-to-1 +++ b/src/migration-scripts/pppoe-server/0-to-1 @@ -20,7 +20,7 @@ from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/pppoe-server/1-to-2 b/src/migration-scripts/pppoe-server/1-to-2 index 902efb86b..c73899ca1 100755 --- a/src/migration-scripts/pppoe-server/1-to-2 +++ b/src/migration-scripts/pppoe-server/1-to-2 @@ -21,7 +21,7 @@ import os from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/pppoe-server/2-to-3 b/src/migration-scripts/pppoe-server/2-to-3 index 7cae3b5bc..a7be060df 100755 --- a/src/migration-scripts/pppoe-server/2-to-3 +++ b/src/migration-scripts/pppoe-server/2-to-3 @@ -19,7 +19,7 @@ from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/pppoe-server/3-to-4 b/src/migration-scripts/pppoe-server/3-to-4 index 5f9730a41..c07bbb1df 100755 --- a/src/migration-scripts/pppoe-server/3-to-4 +++ b/src/migration-scripts/pppoe-server/3-to-4 @@ -21,7 +21,7 @@ import os from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/pppoe-server/4-to-5 b/src/migration-scripts/pppoe-server/4-to-5 index 05e9c17d6..5850db673 100755 --- a/src/migration-scripts/pppoe-server/4-to-5 +++ b/src/migration-scripts/pppoe-server/4-to-5 @@ -20,7 +20,7 @@ from vyos.configtree import ConfigTree from sys import argv from sys import exit -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/pppoe-server/5-to-6 b/src/migration-scripts/pppoe-server/5-to-6 index e4888f4db..e079ae684 100755 --- a/src/migration-scripts/pppoe-server/5-to-6 +++ b/src/migration-scripts/pppoe-server/5-to-6 @@ -20,7 +20,7 @@ from vyos.configtree import ConfigTree from sys import argv from sys import exit -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/pptp/0-to-1 b/src/migration-scripts/pptp/0-to-1 index d0c7a83b5..1b7697c11 100755 --- a/src/migration-scripts/pptp/0-to-1 +++ b/src/migration-scripts/pptp/0-to-1 @@ -8,7 +8,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/pptp/1-to-2 b/src/migration-scripts/pptp/1-to-2 index a13cc3a4f..99624dceb 100755 --- a/src/migration-scripts/pptp/1-to-2 +++ b/src/migration-scripts/pptp/1-to-2 @@ -21,7 +21,7 @@ from sys import argv, exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/qos/1-to-2 b/src/migration-scripts/qos/1-to-2 index a689bacc5..cca32d06e 100755 --- a/src/migration-scripts/qos/1-to-2 +++ b/src/migration-scripts/qos/1-to-2 @@ -28,7 +28,7 @@ def bandwidth_percent_to_val(interface, percent) -> int: speed = int(speed) *1000000 # convert to MBit/s return speed * int(percent) // 100 # integer division -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/quagga/10-to-11 b/src/migration-scripts/quagga/10-to-11 index 04fc16f79..0ed4f5df6 100755 --- a/src/migration-scripts/quagga/10-to-11 +++ b/src/migration-scripts/quagga/10-to-11 @@ -22,7 +22,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/quagga/2-to-3 b/src/migration-scripts/quagga/2-to-3 index 4c1cd86a3..96b56da70 100755 --- a/src/migration-scripts/quagga/2-to-3 +++ b/src/migration-scripts/quagga/2-to-3 @@ -21,7 +21,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/quagga/3-to-4 b/src/migration-scripts/quagga/3-to-4 index be3528391..1e8c8e2f2 100755 --- a/src/migration-scripts/quagga/3-to-4 +++ b/src/migration-scripts/quagga/3-to-4 @@ -28,7 +28,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/quagga/4-to-5 b/src/migration-scripts/quagga/4-to-5 index f8c87ce8c..fcb496a9c 100755 --- a/src/migration-scripts/quagga/4-to-5 +++ b/src/migration-scripts/quagga/4-to-5 @@ -21,7 +21,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/quagga/5-to-6 b/src/migration-scripts/quagga/5-to-6 index a71851942..f075fc2e7 100755 --- a/src/migration-scripts/quagga/5-to-6 +++ b/src/migration-scripts/quagga/5-to-6 @@ -22,7 +22,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 2): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/quagga/6-to-7 b/src/migration-scripts/quagga/6-to-7 index 25cf5eebd..ed295a95c 100755 --- a/src/migration-scripts/quagga/6-to-7 +++ b/src/migration-scripts/quagga/6-to-7 @@ -23,7 +23,7 @@ from vyos.configtree import ConfigTree from vyos.template import is_ipv4 from vyos.template import is_ipv6 -if (len(argv) < 2): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/quagga/7-to-8 b/src/migration-scripts/quagga/7-to-8 index 15c44924f..8f11bf390 100755 --- a/src/migration-scripts/quagga/7-to-8 +++ b/src/migration-scripts/quagga/7-to-8 @@ -22,7 +22,7 @@ from sys import argv from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 2): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/quagga/8-to-9 b/src/migration-scripts/quagga/8-to-9 index 38507bd3d..0f683d5a1 100755 --- a/src/migration-scripts/quagga/8-to-9 +++ b/src/migration-scripts/quagga/8-to-9 @@ -84,7 +84,7 @@ def migrate_route(config, base, path, route_route6): config.rename(vrf_path, 'vrf') -if (len(argv) < 2): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/quagga/9-to-10 b/src/migration-scripts/quagga/9-to-10 index 249738822..3731762f7 100755 --- a/src/migration-scripts/quagga/9-to-10 +++ b/src/migration-scripts/quagga/9-to-10 @@ -21,7 +21,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 2): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/rip/0-to-1 b/src/migration-scripts/rip/0-to-1 index 60d510001..08a866374 100755 --- a/src/migration-scripts/rip/0-to-1 +++ b/src/migration-scripts/rip/0-to-1 @@ -22,7 +22,7 @@ from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/rpki/0-to-1 b/src/migration-scripts/rpki/0-to-1 index 5b4893205..a7b5d07d5 100755 --- a/src/migration-scripts/rpki/0-to-1 +++ b/src/migration-scripts/rpki/0-to-1 @@ -18,7 +18,7 @@ from sys import exit from sys import argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/salt/0-to-1 b/src/migration-scripts/salt/0-to-1 index 79053c056..481d9de8f 100755 --- a/src/migration-scripts/salt/0-to-1 +++ b/src/migration-scripts/salt/0-to-1 @@ -22,7 +22,7 @@ from sys import argv,exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/snmp/0-to-1 b/src/migration-scripts/snmp/0-to-1 index 096ba779d..b1e61b958 100755 --- a/src/migration-scripts/snmp/0-to-1 +++ b/src/migration-scripts/snmp/0-to-1 @@ -17,7 +17,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/snmp/1-to-2 b/src/migration-scripts/snmp/1-to-2 index 466a624e6..e02cd1aa1 100755 --- a/src/migration-scripts/snmp/1-to-2 +++ b/src/migration-scripts/snmp/1-to-2 @@ -43,7 +43,7 @@ def migrate_keys(config, path): config.set(config_path_priv, value=tmp) if __name__ == '__main__': - if (len(argv) < 1): + if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/snmp/2-to-3 b/src/migration-scripts/snmp/2-to-3 index 5f8d9c88d..30911aa27 100755 --- a/src/migration-scripts/snmp/2-to-3 +++ b/src/migration-scripts/snmp/2-to-3 @@ -28,7 +28,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/ssh/0-to-1 b/src/migration-scripts/ssh/0-to-1 index 91b832276..2595599ac 100755 --- a/src/migration-scripts/ssh/0-to-1 +++ b/src/migration-scripts/ssh/0-to-1 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/ssh/1-to-2 b/src/migration-scripts/ssh/1-to-2 index 31c40df16..79d65d7d4 100755 --- a/src/migration-scripts/ssh/1-to-2 +++ b/src/migration-scripts/ssh/1-to-2 @@ -21,7 +21,7 @@ from sys import argv,exit from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1 index dc65bdeab..e2fe1ea8f 100755 --- a/src/migration-scripts/sstp/0-to-1 +++ b/src/migration-scripts/sstp/0-to-1 @@ -28,7 +28,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/sstp/1-to-2 b/src/migration-scripts/sstp/1-to-2 index 94cb04831..f7ecbb6d4 100755 --- a/src/migration-scripts/sstp/1-to-2 +++ b/src/migration-scripts/sstp/1-to-2 @@ -25,7 +25,7 @@ from shutil import copy2 from stat import S_IRUSR, S_IWUSR, S_IRGRP, S_IROTH from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/sstp/2-to-3 b/src/migration-scripts/sstp/2-to-3 index 963b2ba4b..245db7ad6 100755 --- a/src/migration-scripts/sstp/2-to-3 +++ b/src/migration-scripts/sstp/2-to-3 @@ -21,7 +21,7 @@ from vyos.configtree import ConfigTree from sys import argv from sys import exit -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/sstp/3-to-4 b/src/migration-scripts/sstp/3-to-4 index ea814fdc5..00ca7a52d 100755 --- a/src/migration-scripts/sstp/3-to-4 +++ b/src/migration-scripts/sstp/3-to-4 @@ -28,7 +28,7 @@ from vyos.pki import encode_certificate from vyos.pki import encode_private_key from vyos.utils.process import run -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/10-to-11 b/src/migration-scripts/system/10-to-11 index 3c49f0d95..5d662af40 100755 --- a/src/migration-scripts/system/10-to-11 +++ b/src/migration-scripts/system/10-to-11 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/11-to-12 b/src/migration-scripts/system/11-to-12 index 9cddaa1a7..880ab56dc 100755 --- a/src/migration-scripts/system/11-to-12 +++ b/src/migration-scripts/system/11-to-12 @@ -8,7 +8,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/12-to-13 b/src/migration-scripts/system/12-to-13 index 36311a19d..e6c4e3802 100755 --- a/src/migration-scripts/system/12-to-13 +++ b/src/migration-scripts/system/12-to-13 @@ -8,7 +8,7 @@ import re from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/13-to-14 b/src/migration-scripts/system/13-to-14 index 1751f1865..1fa781869 100755 --- a/src/migration-scripts/system/13-to-14 +++ b/src/migration-scripts/system/13-to-14 @@ -15,7 +15,7 @@ from vyos.configtree import ConfigTree from vyos.utils.process import cmd -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/14-to-15 b/src/migration-scripts/system/14-to-15 index c055dad1f..feaac37de 100755 --- a/src/migration-scripts/system/14-to-15 +++ b/src/migration-scripts/system/14-to-15 @@ -11,7 +11,7 @@ ipv6_blacklist_file = '/etc/modprobe.d/vyatta_blacklist_ipv6.conf' from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/15-to-16 b/src/migration-scripts/system/15-to-16 index 2491e3d0d..aa1c34032 100755 --- a/src/migration-scripts/system/15-to-16 +++ b/src/migration-scripts/system/15-to-16 @@ -7,7 +7,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/16-to-17 b/src/migration-scripts/system/16-to-17 index e70893d55..37e02611d 100755 --- a/src/migration-scripts/system/16-to-17 +++ b/src/migration-scripts/system/16-to-17 @@ -25,7 +25,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/17-to-18 b/src/migration-scripts/system/17-to-18 index 8f762c0e2..f6adebb06 100755 --- a/src/migration-scripts/system/17-to-18 +++ b/src/migration-scripts/system/17-to-18 @@ -22,7 +22,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/18-to-19 b/src/migration-scripts/system/18-to-19 index 38479d222..fad1d17a4 100755 --- a/src/migration-scripts/system/18-to-19 +++ b/src/migration-scripts/system/18-to-19 @@ -24,7 +24,7 @@ from sys import argv, exit from vyos.ifconfig import Interface from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/19-to-20 b/src/migration-scripts/system/19-to-20 index eb20fd8db..c04e6a5a6 100755 --- a/src/migration-scripts/system/19-to-20 +++ b/src/migration-scripts/system/19-to-20 @@ -21,7 +21,7 @@ import os from sys import exit, argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/20-to-21 b/src/migration-scripts/system/20-to-21 index 1728995de..4bcf4edab 100755 --- a/src/migration-scripts/system/20-to-21 +++ b/src/migration-scripts/system/20-to-21 @@ -21,7 +21,7 @@ import os from sys import argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/21-to-22 b/src/migration-scripts/system/21-to-22 index ad41be646..810b634ab 100755 --- a/src/migration-scripts/system/21-to-22 +++ b/src/migration-scripts/system/21-to-22 @@ -19,7 +19,7 @@ import os from sys import exit, argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/22-to-23 b/src/migration-scripts/system/22-to-23 index 7f832e48a..8ed198383 100755 --- a/src/migration-scripts/system/22-to-23 +++ b/src/migration-scripts/system/22-to-23 @@ -19,7 +19,7 @@ import os from sys import exit, argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/23-to-24 b/src/migration-scripts/system/23-to-24 index 97fe82462..fd68dbf22 100755 --- a/src/migration-scripts/system/23-to-24 +++ b/src/migration-scripts/system/23-to-24 @@ -22,7 +22,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree from vyos.template import is_ipv4 -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/24-to-25 b/src/migration-scripts/system/24-to-25 index c2f70689d..1c81a76e7 100755 --- a/src/migration-scripts/system/24-to-25 +++ b/src/migration-scripts/system/24-to-25 @@ -19,7 +19,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/25-to-26 b/src/migration-scripts/system/25-to-26 index 615274430..7bdf3be98 100755 --- a/src/migration-scripts/system/25-to-26 +++ b/src/migration-scripts/system/25-to-26 @@ -21,7 +21,7 @@ from sys import exit, argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/system/6-to-7 b/src/migration-scripts/system/6-to-7 index bf07abf3a..d24521134 100755 --- a/src/migration-scripts/system/6-to-7 +++ b/src/migration-scripts/system/6-to-7 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/7-to-8 b/src/migration-scripts/system/7-to-8 index 4cbb21f17..5d084d2bf 100755 --- a/src/migration-scripts/system/7-to-8 +++ b/src/migration-scripts/system/7-to-8 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/system/8-to-9 b/src/migration-scripts/system/8-to-9 index db3fefdea..e3bb2bca8 100755 --- a/src/migration-scripts/system/8-to-9 +++ b/src/migration-scripts/system/8-to-9 @@ -6,7 +6,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/vrf/0-to-1 b/src/migration-scripts/vrf/0-to-1 index 5df751113..8187138d9 100755 --- a/src/migration-scripts/vrf/0-to-1 +++ b/src/migration-scripts/vrf/0-to-1 @@ -20,7 +20,7 @@ from sys import argv from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 2): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/vrf/1-to-2 b/src/migration-scripts/vrf/1-to-2 index 9bc704e02..52d4c2c7b 100755 --- a/src/migration-scripts/vrf/1-to-2 +++ b/src/migration-scripts/vrf/1-to-2 @@ -20,7 +20,7 @@ from sys import argv from sys import exit from vyos.configtree import ConfigTree -if (len(argv) < 2): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/vrf/2-to-3 b/src/migration-scripts/vrf/2-to-3 index 8e0f97141..d45b185ee 100755 --- a/src/migration-scripts/vrf/2-to-3 +++ b/src/migration-scripts/vrf/2-to-3 @@ -69,7 +69,7 @@ def _search_tables(config_commands, table_num): return table_items -if (len(argv) < 2): +if len(argv) < 2: print("Must specify file name!") exit(1) diff --git a/src/migration-scripts/vrrp/1-to-2 b/src/migration-scripts/vrrp/1-to-2 index b2e61dd38..dba5af81c 100755 --- a/src/migration-scripts/vrrp/1-to-2 +++ b/src/migration-scripts/vrrp/1-to-2 @@ -21,7 +21,7 @@ import sys from vyos.configtree import ConfigTree -if (len(sys.argv) < 1): +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/migration-scripts/vrrp/2-to-3 b/src/migration-scripts/vrrp/2-to-3 index 1151ae18c..ed583b489 100755 --- a/src/migration-scripts/vrrp/2-to-3 +++ b/src/migration-scripts/vrrp/2-to-3 @@ -19,7 +19,7 @@ from sys import argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print('Must specify file name!') exit(1) diff --git a/src/migration-scripts/vrrp/3-to-4 b/src/migration-scripts/vrrp/3-to-4 index b0a6975c2..e5d93578c 100755 --- a/src/migration-scripts/vrrp/3-to-4 +++ b/src/migration-scripts/vrrp/3-to-4 @@ -17,7 +17,7 @@ from sys import argv from vyos.configtree import ConfigTree -if (len(argv) < 1): +if len(argv) < 2: print('Must specify file name!') exit(1) diff --git a/src/migration-scripts/webproxy/1-to-2 b/src/migration-scripts/webproxy/1-to-2 index 070ff356d..03f357878 100755 --- a/src/migration-scripts/webproxy/1-to-2 +++ b/src/migration-scripts/webproxy/1-to-2 @@ -7,7 +7,7 @@ import sys from vyos.configtree import ConfigTree -if len(sys.argv) < 1: +if len(sys.argv) < 2: print("Must specify file name!") sys.exit(1) diff --git a/src/op_mode/bridge.py b/src/op_mode/bridge.py index 1834b9cc9..185db4f20 100755 --- a/src/op_mode/bridge.py +++ b/src/op_mode/bridge.py @@ -29,7 +29,6 @@ from vyos.utils.dict import dict_search import vyos.opmode - def _get_json_data(): """ Get bridge data format JSON @@ -46,11 +45,14 @@ def _get_raw_data_summary(): return data_dict -def _get_raw_data_vlan(): +def _get_raw_data_vlan(tunnel:bool=False): """ :returns dict """ - json_data = cmd('bridge --json --compressvlans vlan show') + show = 'show' + if tunnel: + show = 'tunnel' + json_data = cmd(f'bridge --json --compressvlans vlan {show}') data_dict = json.loads(json_data) return data_dict @@ -134,10 +136,34 @@ def _get_formatted_output_vlan(data): flags = ', '.join(flags_raw if isinstance(flags_raw,list) else "").lower() data_entries.append([interface, vlan, flags]) - headers = ["Interface", "Vlan", "Flags"] + headers = ["Interface", "VLAN", "Flags"] output = tabulate(data_entries, headers) return output +def _get_formatted_output_vlan_tunnel(data): + data_entries = [] + for entry in data: + interface = entry.get('ifname') + first = True + for tunnel_entry in entry.get('tunnels'): + vlan = tunnel_entry.get('vlan') + vni = tunnel_entry.get('tunid') + if first: + data_entries.append([interface, vlan, vni]) + first = False + else: + # Group by VXLAN interface only - no need to repeat + # VXLAN interface name for every VLAN <-> VNI mapping + # + # Interface VLAN VNI + # ----------- ------ ----- + # vxlan0 100 100 + # 200 200 + data_entries.append(['', vlan, vni]) + + headers = ["Interface", "VLAN", "VNI"] + output = tabulate(data_entries, headers) + return output def _get_formatted_output_fdb(data): data_entries = [] @@ -192,12 +218,15 @@ def show(raw: bool): return _get_formatted_output_summary(bridge_data) -def show_vlan(raw: bool): - bridge_vlan = _get_raw_data_vlan() +def show_vlan(raw: bool, tunnel: typing.Optional[bool]): + bridge_vlan = _get_raw_data_vlan(tunnel) if raw: return bridge_vlan else: - return _get_formatted_output_vlan(bridge_vlan) + if tunnel: + return _get_formatted_output_vlan_tunnel(bridge_vlan) + else: + return _get_formatted_output_vlan(bridge_vlan) def show_fdb(raw: bool, interface: str): diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py index 3e51e990b..f558c18b7 100755 --- a/src/op_mode/dhcp.py +++ b/src/op_mode/dhcp.py @@ -14,10 +14,12 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +import os import sys import typing from datetime import datetime +from glob import glob from ipaddress import ip_address from isc_dhcp_leases import IscDhcpLeases from tabulate import tabulate @@ -27,10 +29,13 @@ import vyos.opmode from vyos.base import Warning from vyos.configquery import ConfigTreeQuery -from vyos.utils.process import cmd from vyos.utils.dict import dict_search +from vyos.utils.file import read_file +from vyos.utils.process import cmd from vyos.utils.process import is_systemd_service_running +time_string = "%a %b %d %H:%M:%S %Z %Y" + config = ConfigTreeQuery() lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup'] sort_valid_inet = ['end', 'mac', 'hostname', 'ip', 'pool', 'remaining', 'start', 'state'] @@ -287,6 +292,95 @@ def show_server_leases(raw: bool, family: ArgFamily, pool: typing.Optional[str], return _get_formatted_server_leases(lease_data, family=family) +def _get_raw_client_leases(family='inet', interface=None): + from time import mktime + from datetime import datetime + from vyos.defaults import directories + from vyos.utils.network import get_interface_vrf + + lease_dir = directories['isc_dhclient_dir'] + lease_files = [] + lease_data = [] + + if interface: + tmp = f'{lease_dir}/dhclient_{interface}.lease' + if os.path.exists(tmp): + lease_files.append(tmp) + else: + # All DHCP leases + lease_files = glob(f'{lease_dir}/dhclient_*.lease') + + for lease in lease_files: + tmp = {} + with open(lease, 'r') as f: + for line in f.readlines(): + line = line.rstrip() + if 'last_update' not in tmp: + # ISC dhcp client contains least_update timestamp in human readable + # format this makes less sense for an API and also the expiry + # timestamp is provided in UNIX time. Convert string (e.g. Sun Jul + # 30 18:13:44 CEST 2023) to UNIX time (1690733624) + tmp.update({'last_update' : int(mktime(datetime.strptime(line, time_string).timetuple()))}) + continue + + k, v = line.split('=') + tmp.update({k : v.replace("'", "")}) + + if 'interface' in tmp: + vrf = get_interface_vrf(tmp['interface']) + if vrf: tmp.update({'vrf' : vrf}) + + lease_data.append(tmp) + + return lease_data + +def _get_formatted_client_leases(lease_data, family): + from time import localtime + from time import strftime + + from vyos.validate import is_intf_addr_assigned + + data_entries = [] + for lease in lease_data: + data_entries.append(["Interface", lease['interface']]) + if 'new_ip_address' in lease: + tmp = '[Active]' if is_intf_addr_assigned(lease['interface'], lease['new_ip_address']) else '[Inactive]' + data_entries.append(["IP address", lease['new_ip_address'], tmp]) + if 'new_subnet_mask' in lease: + data_entries.append(["Subnet Mask", lease['new_subnet_mask']]) + if 'new_domain_name' in lease: + data_entries.append(["Domain Name", lease['new_domain_name']]) + if 'new_routers' in lease: + data_entries.append(["Router", lease['new_routers']]) + if 'new_domain_name_servers' in lease: + data_entries.append(["Name Server", lease['new_domain_name_servers']]) + if 'new_dhcp_server_identifier' in lease: + data_entries.append(["DHCP Server", lease['new_dhcp_server_identifier']]) + if 'new_dhcp_lease_time' in lease: + data_entries.append(["DHCP Server", lease['new_dhcp_lease_time']]) + if 'vrf' in lease: + data_entries.append(["VRF", lease['vrf']]) + if 'last_update' in lease: + tmp = strftime(time_string, localtime(int(lease['last_update']))) + data_entries.append(["Last Update", tmp]) + if 'new_expiry' in lease: + tmp = strftime(time_string, localtime(int(lease['new_expiry']))) + data_entries.append(["Expiry", tmp]) + + # Add empty marker + data_entries.append(['']) + + output = tabulate(data_entries, tablefmt='plain') + + return output + +def show_client_leases(raw: bool, family: ArgFamily, interface: typing.Optional[str]): + lease_data = _get_raw_client_leases(family=family, interface=interface) + if raw: + return lease_data + else: + return _get_formatted_client_leases(lease_data, family=family) + if __name__ == '__main__': try: res = vyos.opmode.run(sys.modules[__name__]) diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index 8260bbb77..852a7248a 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -24,62 +24,27 @@ from vyos.config import Config from vyos.utils.process import cmd from vyos.utils.dict import dict_search_args -def get_firewall_interfaces(firewall, name=None, ipv6=False): - directions = ['in', 'out', 'local'] - - if 'interface' in firewall: - for ifname, if_conf in firewall['interface'].items(): - for direction in directions: - if direction not in if_conf: - continue - - fw_conf = if_conf[direction] - name_str = f'({ifname},{direction})' - - if 'name' in fw_conf: - fw_name = fw_conf['name'] - - if not name: - firewall['name'][fw_name]['interface'].append(name_str) - elif not ipv6 and name == fw_name: - firewall['interface'].append(name_str) - - if 'ipv6_name' in fw_conf: - fw_name = fw_conf['ipv6_name'] - - if not name: - firewall['ipv6_name'][fw_name]['interface'].append(name_str) - elif ipv6 and name == fw_name: - firewall['interface'].append(name_str) - - return firewall - -def get_config_firewall(conf, name=None, ipv6=False, interfaces=True): +def get_config_firewall(conf, hook=None, priority=None, ipv6=False, interfaces=True): config_path = ['firewall'] - if name: - config_path += ['ipv6-name' if ipv6 else 'name', name] + if hook: + config_path += ['ipv6' if ipv6 else 'ipv4', hook] + if priority: + config_path += [priority] firewall = conf.get_config_dict(config_path, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - if firewall and interfaces: - if name: - firewall['interface'] = {} - else: - if 'name' in firewall: - for fw_name, name_conf in firewall['name'].items(): - name_conf['interface'] = [] - if 'ipv6_name' in firewall: - for fw_name, name_conf in firewall['ipv6_name'].items(): - name_conf['interface'] = [] - - get_firewall_interfaces(firewall, name, ipv6) return firewall -def get_nftables_details(name, ipv6=False): +def get_nftables_details(hook, priority, ipv6=False): suffix = '6' if ipv6 else '' name_prefix = 'NAME6_' if ipv6 else 'NAME_' - command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{name}' + if hook == 'name' or hook == 'ipv6-name': + command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{priority}' + else: + up_hook = hook.upper() + command = f'sudo nft list chain ip{suffix} vyos_filter VYOS_{up_hook}_{priority}' + try: results = cmd(command) except: @@ -87,7 +52,7 @@ def get_nftables_details(name, ipv6=False): out = {} for line in results.split('\n'): - comment_search = re.search(rf'{name}[\- ](\d+|default-action)', line) + comment_search = re.search(rf'{priority}[\- ](\d+|default-action)', line) if not comment_search: continue @@ -102,18 +67,15 @@ def get_nftables_details(name, ipv6=False): out[rule_id] = rule return out -def output_firewall_name(name, name_conf, ipv6=False, single_rule_id=None): +def output_firewall_name(hook, priority, firewall_conf, ipv6=False, single_rule_id=None): ip_str = 'IPv6' if ipv6 else 'IPv4' - print(f'\n---------------------------------\n{ip_str} Firewall "{name}"\n') - - if name_conf['interface']: - print('Active on: {0}\n'.format(" ".join(name_conf['interface']))) + print(f'\n---------------------------------\n{ip_str} Firewall "{hook} {priority}"\n') - details = get_nftables_details(name, ipv6) + details = get_nftables_details(hook, priority, ipv6) rows = [] - if 'rule' in name_conf: - for rule_id, rule_conf in name_conf['rule'].items(): + if 'rule' in firewall_conf: + for rule_id, rule_conf in firewall_conf['rule'].items(): if single_rule_id and rule_id != single_rule_id: continue @@ -128,8 +90,8 @@ def output_firewall_name(name, name_conf, ipv6=False, single_rule_id=None): row.append(rule_details['conditions']) rows.append(row) - if 'default_action' in name_conf and not single_rule_id: - row = ['default', name_conf['default_action'], 'all'] + if 'default_action' in firewall_conf and not single_rule_id: + row = ['default', firewall_conf['default_action'], 'all'] if 'default-action' in details: rule_details = details['default-action'] row.append(rule_details.get('packets', 0)) @@ -140,18 +102,15 @@ def output_firewall_name(name, name_conf, ipv6=False, single_rule_id=None): header = ['Rule', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] print(tabulate.tabulate(rows, header) + '\n') -def output_firewall_name_statistics(name, name_conf, ipv6=False, single_rule_id=None): +def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_rule_id=None): ip_str = 'IPv6' if ipv6 else 'IPv4' - print(f'\n---------------------------------\n{ip_str} Firewall "{name}"\n') + print(f'\n---------------------------------\n{ip_str} Firewall "{hook} {prior}"\n') - if name_conf['interface']: - print('Active on: {0}\n'.format(" ".join(name_conf['interface']))) - - details = get_nftables_details(name, ipv6) + details = get_nftables_details(prior, ipv6) rows = [] - if 'rule' in name_conf: - for rule_id, rule_conf in name_conf['rule'].items(): + if 'rule' in prior_conf: + for rule_id, rule_conf in prior_conf['rule'].items(): if single_rule_id and rule_id != single_rule_id: continue @@ -174,7 +133,7 @@ def output_firewall_name_statistics(name, name_conf, ipv6=False, single_rule_id= row.append(dest_addr) rows.append(row) - if 'default_action' in name_conf and not single_rule_id: + if 'default_action' in prior_conf and not single_rule_id: row = ['default'] if 'default-action' in details: rule_details = details['default-action'] @@ -183,7 +142,7 @@ def output_firewall_name_statistics(name, name_conf, ipv6=False, single_rule_id= else: row.append('0') row.append('0') - row.append(name_conf['default_action']) + row.append(prior_conf['default_action']) row.append('0.0.0.0/0') # Source row.append('0.0.0.0/0') # Dest rows.append(row) @@ -201,29 +160,47 @@ def show_firewall(): if not firewall: return - if 'name' in firewall: - for name, name_conf in firewall['name'].items(): - output_firewall_name(name, name_conf, ipv6=False) + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): + output_firewall_name(hook, prior, prior_conf, ipv6=False) + + if 'ipv6' in firewall: + for hook, hook_conf in firewall['ipv6'].items(): + for prior, prior_conf in firewall['ipv6'][hook].items(): + output_firewall_name(hook, prior, prior_conf, ipv6=True) - if 'ipv6_name' in firewall: - for name, name_conf in firewall['ipv6_name'].items(): - output_firewall_name(name, name_conf, ipv6=True) +def show_firewall_family(family): + print(f'Rulesets {family} Information') -def show_firewall_name(name, ipv6=False): + conf = Config() + firewall = get_config_firewall(conf) + + if not firewall: + return + + for hook, hook_conf in firewall[family].items(): + for prior, prior_conf in firewall[family][hook].items(): + if family == 'ipv6': + output_firewall_name(hook, prior, prior_conf, ipv6=True) + else: + output_firewall_name(hook, prior, prior_conf, ipv6=False) + +def show_firewall_name(hook, priority, ipv6=False): print('Ruleset Information') conf = Config() - firewall = get_config_firewall(conf, name, ipv6) + firewall = get_config_firewall(conf, hook, priority, ipv6) if firewall: - output_firewall_name(name, firewall, ipv6) + output_firewall_name(hook, priority, firewall, ipv6) -def show_firewall_rule(name, rule_id, ipv6=False): +def show_firewall_rule(hook, priority, rule_id, ipv6=False): print('Rule Information') conf = Config() - firewall = get_config_firewall(conf, name, ipv6) + firewall = get_config_firewall(conf, hook, priority, ipv6) if firewall: - output_firewall_name(name, firewall, ipv6, rule_id) + output_firewall_name(hook, priority, firewall, ipv6, rule_id) def show_firewall_group(name=None): conf = Config() @@ -234,19 +211,32 @@ def show_firewall_group(name=None): def find_references(group_type, group_name): out = [] - for name_type in ['name', 'ipv6_name']: - if name_type not in firewall: - continue - for name, name_conf in firewall[name_type].items(): - if 'rule' not in name_conf: + family = [] + if group_type in ['address_group', 'network_group']: + family = ['ipv4'] + elif group_type == 'ipv6_address_group': + family = ['ipv6'] + group_type = 'address_group' + elif group_type == 'ipv6_network_group': + family = ['ipv6'] + group_type = 'network_group' + else: + family = ['ipv4', 'ipv6'] + + for item in family: + for name_type in ['name', 'ipv6_name', 'forward', 'input', 'output']: + if name_type not in firewall[item]: continue - for rule_id, rule_conf in name_conf['rule'].items(): - source_group = dict_search_args(rule_conf, 'source', 'group', group_type) - dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type) - if source_group and group_name == source_group: - out.append(f'{name}-{rule_id}') - elif dest_group and group_name == dest_group: - out.append(f'{name}-{rule_id}') + for name, name_conf in firewall[item][name_type].items(): + if 'rule' not in name_conf: + continue + for rule_id, rule_conf in name_conf['rule'].items(): + source_group = dict_search_args(rule_conf, 'source', 'group', group_type) + dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type) + if source_group and group_name == source_group: + out.append(f'{name}-{rule_id}') + elif dest_group and group_name == dest_group: + out.append(f'{name}-{rule_id}') return out header = ['Name', 'Type', 'References', 'Members'] @@ -284,28 +274,28 @@ def show_summary(): if not firewall: return - header = ['Ruleset Name', 'Description', 'References'] + header = ['Ruleset Hook', 'Ruleset Priority', 'Description', 'References'] v4_out = [] v6_out = [] - if 'name' in firewall: - for name, name_conf in firewall['name'].items(): - description = name_conf.get('description', '') - interfaces = ", ".join(name_conf['interface']) - v4_out.append([name, description, interfaces]) + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): + description = prior_conf.get('description', '') + v4_out.append([hook, prior, description]) - if 'ipv6_name' in firewall: - for name, name_conf in firewall['ipv6_name'].items(): - description = name_conf.get('description', '') - interfaces = ", ".join(name_conf['interface']) - v6_out.append([name, description, interfaces or 'N/A']) + if 'ipv6' in firewall: + for hook, hook_conf in firewall['ipv6'].items(): + for prior, prior_conf in firewall['ipv6'][hook].items(): + description = prior_conf.get('description', '') + v6_out.append([hook, prior, description]) if v6_out: - print('\nIPv6 name:\n') + print('\nIPv6 Ruleset:\n') print(tabulate.tabulate(v6_out, header) + '\n') if v4_out: - print('\nIPv4 name:\n') + print('\nIPv4 Ruleset:\n') print(tabulate.tabulate(v4_out, header) + '\n') show_firewall_group() @@ -319,18 +309,23 @@ def show_statistics(): if not firewall: return - if 'name' in firewall: - for name, name_conf in firewall['name'].items(): - output_firewall_name_statistics(name, name_conf, ipv6=False) + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): + output_firewall_name_statistics(hook,prior, prior_conf, ipv6=False) - if 'ipv6_name' in firewall: - for name, name_conf in firewall['ipv6_name'].items(): - output_firewall_name_statistics(name, name_conf, ipv6=True) + if 'ipv6' in firewall: + for hook, hook_conf in firewall['ipv6'].items(): + for prior, prior_conf in firewall['ipv6'][hook].items(): + output_firewall_name_statistics(hook,prior, prior_conf, ipv6=True) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--action', help='Action', required=False) parser.add_argument('--name', help='Firewall name', required=False, action='store', nargs='?', default='') + parser.add_argument('--family', help='IP family', required=False, action='store', nargs='?', default='') + parser.add_argument('--hook', help='Firewall hook', required=False, action='store', nargs='?', default='') + parser.add_argument('--priority', help='Firewall priority', required=False, action='store', nargs='?', default='') parser.add_argument('--rule', help='Firewall Rule ID', required=False) parser.add_argument('--ipv6', help='IPv6 toggle', action='store_true') @@ -338,11 +333,13 @@ if __name__ == '__main__': if args.action == 'show': if not args.rule: - show_firewall_name(args.name, args.ipv6) + show_firewall_name(args.hook, args.priority, args.ipv6) else: - show_firewall_rule(args.name, args.rule, args.ipv6) + show_firewall_rule(args.hook, args.priority, args.rule, args.ipv6) elif args.action == 'show_all': show_firewall() + elif args.action == 'show_family': + show_firewall_family(args.family) elif args.action == 'show_group': show_firewall_group(args.name) elif args.action == 'show_statistics': diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index 4c31291ad..aff4ad1ae 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -26,8 +26,8 @@ from cryptography.x509.oid import ExtendedKeyUsageOID from vyos.config import Config from vyos.configquery import ConfigTreeQuery -from vyos.configdict import dict_merge from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters +from vyos.pki import get_certificate_fingerprint from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list from vyos.pki import create_private_key from vyos.pki import create_dh_parameters @@ -38,7 +38,6 @@ from vyos.utils.io import ask_input from vyos.utils.io import ask_yes_no from vyos.utils.misc import install_into_config from vyos.utils.process import cmd -from vyos.xml import defaults CERT_REQ_END = '-----END CERTIFICATE REQUEST-----' auth_dir = '/config/auth' @@ -49,10 +48,9 @@ def get_default_values(): # Fetch default x509 values base = ['pki', 'x509', 'default'] x509_defaults = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, get_first_key=True, - no_tag_node_value_mangle=True) - default_values = defaults(base) - x509_defaults = dict_merge(default_values, x509_defaults) + with_recursive_defaults=True) return x509_defaults @@ -916,6 +914,12 @@ def show_certificate(name=None, pem=False): print("Certificates:") print(tabulate.tabulate(data, headers)) +def show_certificate_fingerprint(name, hash): + cert = get_config_certificate(name=name) + cert = load_certificate(cert['certificate']) + + print(get_certificate_fingerprint(cert, hash)) + def show_crl(name=None, pem=False): headers = ['CA Name', 'Updated', 'Revokes'] data = [] @@ -961,6 +965,7 @@ if __name__ == '__main__': parser.add_argument('--sign', help='Sign certificate with specified CA', required=False) parser.add_argument('--self-sign', help='Self-sign the certificate', action='store_true') parser.add_argument('--pem', help='Output using PEM encoding', action='store_true') + parser.add_argument('--fingerprint', help='Show fingerprint and exit', action='store') # SSH parser.add_argument('--ssh', help='SSH Key', required=False) @@ -1057,7 +1062,10 @@ if __name__ == '__main__': if not conf.exists(['pki', 'certificate', cert_name]): print(f'Certificate "{cert_name}" does not exist!') exit(1) - show_certificate(None if args.certificate == 'all' else args.certificate, args.pem) + if args.fingerprint is None: + show_certificate(None if args.certificate == 'all' else args.certificate, args.pem) + else: + show_certificate_fingerprint(args.certificate, args.fingerprint) elif args.crl: show_crl(None if args.crl == 'all' else args.crl, args.pem) else: diff --git a/src/op_mode/show_openconnect_otp.py b/src/op_mode/show_openconnect_otp.py index 415a5f72c..3771fb385 100755 --- a/src/op_mode/show_openconnect_otp.py +++ b/src/op_mode/show_openconnect_otp.py @@ -17,12 +17,11 @@ import argparse import os +from base64 import b32encode from vyos.config import Config -from vyos.xml import defaults -from vyos.configdict import dict_merge +from vyos.utils.dict import dict_search_args from vyos.utils.process import popen -from base64 import b32encode otp_file = '/run/ocserv/users.oath' @@ -33,7 +32,7 @@ def check_uname_otp(username): config = Config() base_key = ['vpn', 'openconnect', 'authentication', 'local-users', 'username', username, 'otp', 'key'] if not config.exists(base_key): - return None + return False return True def get_otp_ocserv(username): @@ -41,21 +40,21 @@ def get_otp_ocserv(username): base = ['vpn', 'openconnect'] if not config.exists(base): return None - ocserv = config.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - ocserv = dict_merge(default_values, ocserv) - # workaround a "know limitation" - https://vyos.dev/T2665 - del ocserv['authentication']['local_users']['username']['otp'] - if not ocserv["authentication"]["local_users"]["username"]: + + ocserv = config.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + with_recursive_defaults=True) + + user_path = ['authentication', 'local_users', 'username'] + users = dict_search_args(ocserv, *user_path) + + if users is None: return None - default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp'] - for user, params in ocserv['authentication']['local_users']['username'].items(): - # Not every configuration requires OTP settings - if ocserv['authentication']['local_users']['username'][user].get('otp'): - ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp']) - result = ocserv['authentication']['local_users']['username'][username] + + # function is called conditionally, if check_uname_otp true, so username + # exists + result = users[username] + return result def display_otp_ocserv(username, params, info): @@ -101,8 +100,7 @@ if __name__ == '__main__': parser.add_argument('--info', action="store", type=str, default='full', help='Wich information to display') args = parser.parse_args() - check_otp = check_uname_otp(args.user) - if check_otp: + if check_uname_otp(args.user): user_otp_params = get_otp_ocserv(args.user) display_otp_ocserv(args.user, user_otp_params, args.info) else: diff --git a/src/op_mode/show_techsupport_report.py b/src/op_mode/show_techsupport_report.py index d27221e54..53144fd52 100644 --- a/src/op_mode/show_techsupport_report.py +++ b/src/op_mode/show_techsupport_report.py @@ -91,7 +91,8 @@ def show_package_repository_config() -> None: def show_user_startup_scripts() -> None: """Prints the user startup scripts.""" - execute_command('cat /config/scripts/vyos-postconfig-bootup.script', 'User Startup Scripts') + execute_command('cat /config/scripts/vyos-preconfig-bootup.script', 'User Startup Scripts (Preconfig)') + execute_command('cat /config/scripts/vyos-postconfig-bootup.script', 'User Startup Scripts (Postconfig)') def show_frr_config() -> None: diff --git a/src/op_mode/webproxy_update_blacklist.sh b/src/op_mode/webproxy_update_blacklist.sh index 4fb9a54c6..05ea86f9e 100755 --- a/src/op_mode/webproxy_update_blacklist.sh +++ b/src/op_mode/webproxy_update_blacklist.sh @@ -45,6 +45,9 @@ do --auto-update-blacklist) auto="yes" ;; + --vrf) + vrf="yes" + ;; (-*) echo "$0: error - unrecognized option $1" 1>&2; exit 1;; (*) break;; esac @@ -76,7 +79,11 @@ fi if [[ -n $update ]] && [[ $update -eq "yes" ]]; then tmp_blacklists='/tmp/blacklists.gz' - curl -o $tmp_blacklists $blacklist_url + if [[ -n $vrf ]] && [[ $vrf -eq "yes" ]]; then + sudo ip vrf exec $1 curl -o $tmp_blacklists $blacklist_url + else + curl -o $tmp_blacklists $blacklist_url + fi if [ $? -ne 0 ]; then echo "Unable to download [$blacklist_url]!" exit 1 diff --git a/src/systemd/dhclient@.service b/src/systemd/dhclient@.service index 23cd4cfc3..099f7ed52 100644 --- a/src/systemd/dhclient@.service +++ b/src/systemd/dhclient@.service @@ -1,18 +1,17 @@ [Unit] Description=DHCP client on %i Documentation=man:dhclient(8) -ConditionPathExists=/var/lib/dhcp/dhclient_%i.conf -ConditionPathExists=/var/lib/dhcp/dhclient_%i.options +StartLimitIntervalSec=0 After=vyos-router.service [Service] -WorkingDirectory=/var/lib/dhcp Type=exec -EnvironmentFile=-/var/lib/dhcp/dhclient_%i.options -PIDFile=/var/lib/dhcp/dhclient_%i.pid -ExecStart=/sbin/dhclient -4 $DHCLIENT_OPTS -ExecStop=/sbin/dhclient -4 $DHCLIENT_OPTS -r +ExecStart=/sbin/dhclient -4 -d $DHCLIENT_OPTS +ExecStop=/sbin/dhclient -4 -r $DHCLIENT_OPTS Restart=always +RestartPreventExitStatus= +RestartSec=10 +RuntimeDirectoryPreserve=yes TimeoutStopSec=20 SendSIGKILL=true FinalKillSignal=SIGABRT diff --git a/src/systemd/dhcp6c@.service b/src/systemd/dhcp6c@.service index 9a97ee261..f634bd944 100644 --- a/src/systemd/dhcp6c@.service +++ b/src/systemd/dhcp6c@.service @@ -1,17 +1,19 @@ [Unit] Description=WIDE DHCPv6 client on %i Documentation=man:dhcp6c(8) man:dhcp6c.conf(5) -ConditionPathExists=/run/dhcp6c/dhcp6c.%i.conf -After=vyos-router.service StartLimitIntervalSec=0 +After=vyos-router.service [Service] -WorkingDirectory=/run/dhcp6c Type=forking +WorkingDirectory=/run/dhcp6c +EnvironmentFile=-/run/dhcp6c/dhcp6c.%i.options PIDFile=/run/dhcp6c/dhcp6c.%i.pid -ExecStart=/usr/sbin/dhcp6c -D -k /run/dhcp6c/dhcp6c.%i.sock -c /run/dhcp6c/dhcp6c.%i.conf -p /run/dhcp6c/dhcp6c.%i.pid %i -Restart=on-failure -RestartSec=20 +ExecStart=/usr/sbin/dhcp6c $DHCP6C_OPTS +Restart=always +RestartPreventExitStatus= +RestartSec=10 +RuntimeDirectoryPreserve=yes [Install] WantedBy=multi-user.target diff --git a/src/tests/test_initial_setup.py b/src/tests/test_initial_setup.py index cb843ff09..ba50d06cc 100644 --- a/src/tests/test_initial_setup.py +++ b/src/tests/test_initial_setup.py @@ -21,14 +21,16 @@ import vyos.configtree import vyos.initialsetup as vis from unittest import TestCase -from vyos import xml +from vyos.xml_ref import definition +from vyos.xml_ref.pkg_cache.vyos_1x_cache import reference class TestInitialSetup(TestCase): def setUp(self): with open('tests/data/config.boot.default', 'r') as f: config_string = f.read() self.config = vyos.configtree.ConfigTree(config_string) - self.xml = xml.load_configuration() + self.xml = definition.Xml() + self.xml.define(reference) def test_set_user_password(self): vis.set_user_password(self.config, 'vyos', 'vyosvyos') diff --git a/src/tests/test_util.py b/src/tests/test_utils.py index 27ee648d4..9ae329ced 100644 --- a/src/tests/test_util.py +++ b/src/tests/test_utils.py @@ -15,8 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from unittest import TestCase - -class TestVyOSUtil(TestCase): +class TestVyOSUtils(TestCase): def test_key_mangling(self): from vyos.utils.dict import mangle_dict_keys data = {"foo-bar": {"baz-quux": None}} diff --git a/src/tests/test_utils_network.py b/src/tests/test_utils_network.py new file mode 100644 index 000000000..5a6dc2586 --- /dev/null +++ b/src/tests/test_utils_network.py @@ -0,0 +1,50 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import vyos.utils.network +from unittest import TestCase + +class TestVyOSUtilsNetwork(TestCase): + def setUp(self): + pass + + def test_is_addr_assigned(self): + self.assertTrue(vyos.utils.network.is_addr_assigned('127.0.0.1')) + self.assertTrue(vyos.utils.network.is_addr_assigned('::1')) + self.assertFalse(vyos.utils.network.is_addr_assigned('127.251.255.123')) + + def test_is_ipv6_link_local(self): + self.assertFalse(vyos.utils.network.is_ipv6_link_local('169.254.0.1')) + self.assertTrue(vyos.utils.network.is_ipv6_link_local('fe80::')) + self.assertTrue(vyos.utils.network.is_ipv6_link_local('fe80::affe:1')) + self.assertTrue(vyos.utils.network.is_ipv6_link_local('fe80::affe:1%eth0')) + self.assertFalse(vyos.utils.network.is_ipv6_link_local('2001:db8::')) + self.assertFalse(vyos.utils.network.is_ipv6_link_local('2001:db8::%eth0')) + self.assertFalse(vyos.utils.network.is_ipv6_link_local('VyOS')) + self.assertFalse(vyos.utils.network.is_ipv6_link_local('::1')) + self.assertFalse(vyos.utils.network.is_ipv6_link_local('::1%lo')) + + def test_is_ipv6_link_local(self): + self.assertTrue(vyos.utils.network.is_loopback_addr('127.0.0.1')) + self.assertTrue(vyos.utils.network.is_loopback_addr('127.0.1.1')) + self.assertTrue(vyos.utils.network.is_loopback_addr('127.1.1.1')) + self.assertTrue(vyos.utils.network.is_loopback_addr('::1')) + + self.assertFalse(vyos.utils.network.is_loopback_addr('::2')) + self.assertFalse(vyos.utils.network.is_loopback_addr('192.0.2.1')) + + + diff --git a/src/tests/test_validate.py b/src/tests/test_validate.py deleted file mode 100644 index 68a257d25..000000000 --- a/src/tests/test_validate.py +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import vyos.validate -from unittest import TestCase - -class TestVyOSValidate(TestCase): - def setUp(self): - pass - - def test_is_addr_assigned(self): - self.assertTrue(vyos.validate.is_addr_assigned('127.0.0.1')) - self.assertTrue(vyos.validate.is_addr_assigned('::1')) - self.assertFalse(vyos.validate.is_addr_assigned('127.251.255.123')) - - def test_is_ipv6_link_local(self): - self.assertFalse(vyos.validate.is_ipv6_link_local('169.254.0.1')) - self.assertTrue(vyos.validate.is_ipv6_link_local('fe80::')) - self.assertTrue(vyos.validate.is_ipv6_link_local('fe80::affe:1')) - self.assertTrue(vyos.validate.is_ipv6_link_local('fe80::affe:1%eth0')) - self.assertFalse(vyos.validate.is_ipv6_link_local('2001:db8::')) - self.assertFalse(vyos.validate.is_ipv6_link_local('2001:db8::%eth0')) - self.assertFalse(vyos.validate.is_ipv6_link_local('VyOS')) - self.assertFalse(vyos.validate.is_ipv6_link_local('::1')) - self.assertFalse(vyos.validate.is_ipv6_link_local('::1%lo')) - - def test_is_ipv6_link_local(self): - self.assertTrue(vyos.validate.is_loopback_addr('127.0.0.1')) - self.assertTrue(vyos.validate.is_loopback_addr('127.0.1.1')) - self.assertTrue(vyos.validate.is_loopback_addr('127.1.1.1')) - self.assertTrue(vyos.validate.is_loopback_addr('::1')) - - self.assertFalse(vyos.validate.is_loopback_addr('::2')) - self.assertFalse(vyos.validate.is_loopback_addr('192.0.2.1')) - - - diff --git a/src/validators/ipv6-link-local b/src/validators/ipv6-link-local index 05e693b77..6ac3ea710 100755 --- a/src/validators/ipv6-link-local +++ b/src/validators/ipv6-link-local @@ -1,7 +1,7 @@ #!/usr/bin/python3 import sys -from vyos.validate import is_ipv6_link_local +from vyos.utils.network import is_ipv6_link_local if __name__ == '__main__': if len(sys.argv)>1: |