-rw-r--r--interface-definitions/dhcp-server.xml.in2
-rw-r--r--interface-definitions/dhcpv6-server.xml.in4
-rw-r--r--interface-definitions/dns-domain-name.xml.in2
-rw-r--r--interface-definitions/dns-dynamic.xml.in22
-rw-r--r--interface-definitions/dns-forwarding.xml.in22
-rw-r--r--interface-definitions/firewall.xml.in45
-rw-r--r--interface-definitions/igmp-proxy.xml.in2
-rw-r--r--interface-definitions/include/bgp/protocol-common-config.xml.i10
-rw-r--r--interface-definitions/include/bgp/remote-as.xml.i2
-rw-r--r--interface-definitions/include/firewall/action.xml.i2
-rw-r--r--interface-definitions/include/monitoring/url.xml.i2
-rw-r--r--interface-definitions/include/ospf/protocol-common-config.xml.i6
-rw-r--r--interface-definitions/include/policy/action.xml.i2
-rw-r--r--interface-definitions/include/policy/route-rule-action.xml.i2
-rw-r--r--interface-definitions/protocols-nhrp.xml.in10
-rw-r--r--interface-definitions/service_monitoring_telegraf.xml.in8
-rw-r--r--interface-definitions/service_router-advert.xml.in2
-rw-r--r--interface-definitions/service_webproxy.xml.in4
-rw-r--r--interface-definitions/system-lcd.xml.in2
-rw-r--r--interface-definitions/tftp-server.xml.in2
-rw-r--r--interface-definitions/vpn_ipsec.xml.in12
-rw-r--r--op-mode-definitions/show-ip.xml.in6
-rw-r--r--python/vyos/firewall.py7
-rwxr-xr-xscripts/build-command-templates8
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py6
-rwxr-xr-xsrc/conf_mode/firewall.py5
-rwxr-xr-xsrc/conf_mode/protocols_nhrp.py7
-rwxr-xr-xsrc/op_mode/show_ip_external.sh19
28 files changed, 150 insertions, 73 deletions
diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in
index 60e738e01..6dabc5e1c 100644
--- a/interface-definitions/dhcp-server.xml.in
+++ b/interface-definitions/dhcp-server.xml.in
@@ -338,7 +338,7 @@
</tagNode>
<tagNode name="static-route">
<properties>
- <help>Classless static route destination subnet [REQUIRED]</help>
+ <help>Classless static route destination subnet</help>
<valueHelp>
<format>ipv4net</format>
<description>IPv4 address and prefix length</description>
diff --git a/interface-definitions/dhcpv6-server.xml.in b/interface-definitions/dhcpv6-server.xml.in
index 10335b07e..9dff68a24 100644
--- a/interface-definitions/dhcpv6-server.xml.in
+++ b/interface-definitions/dhcpv6-server.xml.in
@@ -32,7 +32,7 @@
</leafNode>
<tagNode name="shared-network-name">
<properties>
- <help>DHCPv6 shared network name [REQUIRED]</help>
+ <help>DHCPv6 shared network name</help>
<constraint>
<regex>[-_a-zA-Z0-9.]+</regex>
</constraint>
@@ -64,7 +64,7 @@
</node>
<tagNode name="subnet">
<properties>
- <help>IPv6 DHCP subnet for this shared network [REQUIRED]</help>
+ <help>IPv6 DHCP subnet for this shared network</help>
<valueHelp>
<format>ipv6net</format>
<description>IPv6 address and prefix length</description>
diff --git a/interface-definitions/dns-domain-name.xml.in b/interface-definitions/dns-domain-name.xml.in
index 0d6418272..70b2fb271 100644
--- a/interface-definitions/dns-domain-name.xml.in
+++ b/interface-definitions/dns-domain-name.xml.in
@@ -91,7 +91,7 @@
</leafNode>
<leafNode name="inet">
<properties>
- <help>IP Address [REQUIRED]</help>
+ <help>IP Address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address</description>
diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in
index 6bc467b76..e41ba7f60 100644
--- a/interface-definitions/dns-dynamic.xml.in
+++ b/interface-definitions/dns-dynamic.xml.in
@@ -14,7 +14,7 @@
<children>
<tagNode name="interface">
<properties>
- <help>Interface to send DDNS updates for [REQUIRED]</help>
+ <help>Interface to send DDNS updates for</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
@@ -27,7 +27,7 @@
<children>
<leafNode name="key">
<properties>
- <help>File containing the secret key shared with remote DNS server [REQUIRED]</help>
+ <help>File containing the secret key shared with remote DNS server</help>
<valueHelp>
<format>filename</format>
<description>File in /config/auth directory</description>
@@ -36,13 +36,13 @@
</leafNode>
<leafNode name="record">
<properties>
- <help>Record to be updated [REQUIRED]</help>
+ <help>Record to be updated</help>
<multi/>
</properties>
</leafNode>
<leafNode name="server">
<properties>
- <help>Server to be updated [REQUIRED]</help>
+ <help>Server to be updated</help>
</properties>
</leafNode>
<leafNode name="ttl">
@@ -60,14 +60,14 @@
</leafNode>
<leafNode name="zone">
<properties>
- <help>Zone to be updated [REQUIRED]</help>
+ <help>Zone to be updated</help>
</properties>
</leafNode>
</children>
</tagNode>
<tagNode name="service">
<properties>
- <help>Service being used for Dynamic DNS [REQUIRED]</help>
+ <help>Service being used for Dynamic DNS</help>
<completionHelp>
<list>afraid changeip cloudflare dnspark dslreports dyndns easydns namecheap noip sitelutions zoneedit</list>
</completionHelp>
@@ -127,23 +127,23 @@
<children>
<leafNode name="host-name">
<properties>
- <help>Hostname registered with DDNS service [REQUIRED]</help>
+ <help>Hostname registered with DDNS service</help>
<multi/>
</properties>
</leafNode>
<leafNode name="login">
<properties>
- <help>Login for DDNS service [REQUIRED]</help>
+ <help>Login for DDNS service</help>
</properties>
</leafNode>
<leafNode name="password">
<properties>
- <help>Password for DDNS service [REQUIRED]</help>
+ <help>Password for DDNS service</help>
</properties>
</leafNode>
<leafNode name="protocol">
<properties>
- <help>ddclient protocol used for DDNS service [REQUIRED FOR CUSTOM]</help>
+ <help>ddclient protocol used for DDNS service</help>
<completionHelp>
<list>changeip cloudflare dnsmadeeasy dnspark dondominio dslreports1 dtdns duckdns dyndns2 easydns freedns freemyip googledomains hammernode1 namecheap nfsn noip sitelutions woima yandex zoneedit1</list>
</completionHelp>
@@ -239,7 +239,7 @@
</leafNode>
<leafNode name="server">
<properties>
- <help>Server to send DDNS update to [REQUIRED FOR CUSTOM]</help>
+ <help>Server to send DDNS update to</help>
<valueHelp>
<format>IPv4</format>
<description>IP address of DDNS server</description>
diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in
index 6ead3e199..12dc11de5 100644
--- a/interface-definitions/dns-forwarding.xml.in
+++ b/interface-definitions/dns-forwarding.xml.in
@@ -140,7 +140,7 @@
<children>
<leafNode name="address">
<properties>
- <help>IPv4 address [REQUIRED]</help>
+ <help>IPv4 address</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address</description>
@@ -173,7 +173,7 @@
<children>
<leafNode name="address">
<properties>
- <help>IPv6 address [REQUIRED]</help>
+ <help>IPv6 address</help>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address</description>
@@ -206,7 +206,7 @@
<children>
<leafNode name="target">
<properties>
- <help>Target DNS name [REQUIRED]</help>
+ <help>Target DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>An absolute DNS name</description>
@@ -238,7 +238,7 @@
<children>
<tagNode name="server">
<properties>
- <help>Mail server [REQUIRED]</help>
+ <help>Mail server</help>
<valueHelp>
<format>name.example.com</format>
<description>An absolute DNS name</description>
@@ -285,7 +285,7 @@
<children>
<leafNode name="target">
<properties>
- <help>Target DNS name [REQUIRED]</help>
+ <help>Target DNS name</help>
<valueHelp>
<format>name.example.com</format>
<description>An absolute DNS name</description>
@@ -317,7 +317,7 @@
<children>
<leafNode name="value">
<properties>
- <help>Record contents [REQUIRED]</help>
+ <help>Record contents</help>
<valueHelp>
<format>text</format>
<description>Record contents</description>
@@ -347,7 +347,7 @@
<children>
<leafNode name="value">
<properties>
- <help>Record contents [REQUIRED]</help>
+ <help>Record contents</help>
<valueHelp>
<format>text</format>
<description>Record contents</description>
@@ -376,7 +376,7 @@
<children>
<tagNode name="entry">
<properties>
- <help>Service entry [REQUIRED]</help>
+ <help>Service entry</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Entry number</description>
@@ -388,7 +388,7 @@
<children>
<leafNode name="hostname">
<properties>
- <help>Server hostname [REQUIRED]</help>
+ <help>Server hostname</help>
<valueHelp>
<format>name.example.com</format>
<description>An absolute DNS name</description>
@@ -400,7 +400,7 @@
</leafNode>
<leafNode name="port">
<properties>
- <help>Port number [REQUIRED]</help>
+ <help>Port number</help>
<valueHelp>
<format>u32:0-65535</format>
<description>TCP/UDP port number</description>
@@ -460,7 +460,7 @@
<children>
<tagNode name="rule">
<properties>
- <help>NAPTR rule [REQUIRED]</help>
+ <help>NAPTR rule</help>
<valueHelp>
<format>u32:0-65535</format>
<description>Rule number</description>
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 6ab11c790..719088d03 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -126,7 +126,7 @@
<description>Domain address to match</description>
</valueHelp>
<constraint>
- <regex>[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}?(\/.*)?</regex>
+ <regex>[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,99}?(\/.*)?</regex>
</constraint>
<multi/>
</properties>
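Review bot: The TLD part `[a-z]{2,99}?` still admits letters only, so internationalised TLDs in their punycode form (`xn--…`, which contain digits and hyphens) are rejected, and the upper bound of 99 is above the 63-octet limit for a DNS label. Something like `[a-z0-9\-]{2,63}` for that part would be closer to what DNS allows; the lazy `?` after the quantifier has no effect if the validator matches the whole value. The trailing `(\/.*)?` accepts any characters after a slash, and since these entries appear to be resolved as host names later, it is worth confirming that a path suffix is really meant to be valid here. The enclosing `<properties>` block starts outside this hunk.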
@@ -599,6 +599,49 @@
#include <include/firewall/icmp-type-name.xml.i>
</children>
</node>
+ <node name="ttl">
+ <properties>
+ <help>Time to live limit</help>
+ </properties>
+ <children>
+ <leafNode name="eq">
+ <properties>
+ <help>Value to match a ttl equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ttl equal to value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="gt">
+ <properties>
+ <help>Value to match a ttl greater than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ttl greater than value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="lt">
+ <properties>
+ <help>Value to match a ttl less than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ttl less than value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</tagNode>
</children>
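Review bot: The help strings for `gt` and `lt` say "greater than or equal to" and "less than or equal to", but the ttl hunk in python/vyos/firewall.py maps them to the strict operators `>` and `<`, and the `<description>` lines here also read as strict. For a firewall match an off-by-one between the documentation and the generated rule matters, so either reword the help to `Value to match a ttl greater than it` / `Value to match a ttl less than it`, or emit `>=` / `<=` in parse_rule. With the 0-255 range, `gt 255` and `lt 0` are accepted by the validator but can never match under the strict form.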
diff --git a/interface-definitions/igmp-proxy.xml.in b/interface-definitions/igmp-proxy.xml.in
index 8e738fa7f..50cb33a93 100644
--- a/interface-definitions/igmp-proxy.xml.in
+++ b/interface-definitions/igmp-proxy.xml.in
@@ -18,7 +18,7 @@
</leafNode>
<tagNode name="interface">
<properties>
- <help>Interface for IGMP proxy [REQUIRED]</help>
+ <help>Interface for IGMP proxy</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index abaff5232..c1b465e43 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -1156,7 +1156,7 @@
<children>
<leafNode name="identifier">
<properties>
- <help>Confederation AS identifier [REQUIRED]</help>
+ <help>Confederation AS identifier</help>
<valueHelp>
<format>u32:1-4294967294</format>
<description>Confederation AS id</description>
@@ -1208,7 +1208,7 @@
<children>
<leafNode name="half-life">
<properties>
- <help>Half-life time for dampening [REQUIRED]</help>
+ <help>Half-life time for dampening</help>
<valueHelp>
<format>u32:1-45</format>
<description>Half-life penalty in minutes</description>
@@ -1220,7 +1220,7 @@
</leafNode>
<leafNode name="max-suppress-time">
<properties>
- <help>Maximum duration to suppress a stable route [REQUIRED]</help>
+ <help>Maximum duration to suppress a stable route</help>
<valueHelp>
<format>u32:1-255</format>
<description>Maximum suppress duration in minutes</description>
@@ -1232,7 +1232,7 @@
</leafNode>
<leafNode name="re-use">
<properties>
- <help>Threshold to start reusing a route [REQUIRED]</help>
+ <help>Threshold to start reusing a route</help>
<valueHelp>
<format>u32:1-20000</format>
<description>Re-use penalty points</description>
@@ -1244,7 +1244,7 @@
</leafNode>
<leafNode name="start-suppress-time">
<properties>
- <help>When to start suppressing a route [REQUIRED]</help>
+ <help>When to start suppressing a route</help>
<valueHelp>
<format>u32:1-20000</format>
<description>Start-suppress penalty points</description>
diff --git a/interface-definitions/include/bgp/remote-as.xml.i b/interface-definitions/include/bgp/remote-as.xml.i
index 58595b3b9..79d3b95a9 100644
--- a/interface-definitions/include/bgp/remote-as.xml.i
+++ b/interface-definitions/include/bgp/remote-as.xml.i
@@ -1,7 +1,7 @@
<!-- include start from bgp/remote-as.xml.i -->
<leafNode name="remote-as">
<properties>
- <help>Neighbor BGP AS number [REQUIRED]</help>
+ <help>Neighbor BGP AS number</help>
<completionHelp>
<list>external internal</list>
</completionHelp>
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 0f60e3c38..512cc23bd 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -1,7 +1,7 @@
<!-- include start from firewall/action.xml.i -->
<leafNode name="action">
<properties>
- <help>Rule action [REQUIRED]</help>
+ <help>Rule action</help>
<completionHelp>
<list>accept reject drop</list>
</completionHelp>
diff --git a/interface-definitions/include/monitoring/url.xml.i b/interface-definitions/include/monitoring/url.xml.i
index 32c81122d..fd61c38ea 100644
--- a/interface-definitions/include/monitoring/url.xml.i
+++ b/interface-definitions/include/monitoring/url.xml.i
@@ -1,7 +1,7 @@
<!-- include start from monitoring/url.xml.i -->
<leafNode name="url">
<properties>
- <help>Remote URL [REQUIRED]</help>
+ <help>Remote URL</help>
<valueHelp>
<format>url</format>
<description>Remote URL</description>
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i
index c156d5b1c..791bbc0f8 100644
--- a/interface-definitions/include/ospf/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospf/protocol-common-config.xml.i
@@ -16,7 +16,7 @@
<children>
<leafNode name="export">
<properties>
- <help>Filter for outgoing routing update [REQUIRED]</help>
+ <help>Filter for outgoing routing update</help>
<completionHelp>
<list>bgp connected kernel rip static</list>
</completionHelp>
@@ -178,10 +178,10 @@
</leafNode>
<leafNode name="network">
<properties>
- <help>OSPF network [REQUIRED]</help>
+ <help>OSPF network</help>
<valueHelp>
<format>ipv4net</format>
- <description>OSPF network [REQUIRED]</description>
+ <description>OSPF network</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
diff --git a/interface-definitions/include/policy/action.xml.i b/interface-definitions/include/policy/action.xml.i
index 0a3dc158a..5aa865523 100644
--- a/interface-definitions/include/policy/action.xml.i
+++ b/interface-definitions/include/policy/action.xml.i
@@ -1,7 +1,7 @@
<!-- include start from policy/action.xml.i -->
<leafNode name="action">
<properties>
- <help>Action to take on entries matching this rule [REQUIRED]</help>
+ <help>Action to take on entries matching this rule</help>
<completionHelp>
<list>permit deny</list>
</completionHelp>
diff --git a/interface-definitions/include/policy/route-rule-action.xml.i b/interface-definitions/include/policy/route-rule-action.xml.i
index 1217055f2..456a21400 100644
--- a/interface-definitions/include/policy/route-rule-action.xml.i
+++ b/interface-definitions/include/policy/route-rule-action.xml.i
@@ -1,7 +1,7 @@
<!-- include start from policy/route-rule-action.xml.i -->
<leafNode name="action">
<properties>
- <help>Rule action [REQUIRED]</help>
+ <help>Rule action</help>
<completionHelp>
<list>drop</list>
</completionHelp>
diff --git a/interface-definitions/protocols-nhrp.xml.in b/interface-definitions/protocols-nhrp.xml.in
index 1e08c6873..d7663c095 100644
--- a/interface-definitions/protocols-nhrp.xml.in
+++ b/interface-definitions/protocols-nhrp.xml.in
@@ -10,7 +10,7 @@
<children>
<tagNode name="tunnel">
<properties>
- <help>Tunnel for NHRP [REQUIRED]</help>
+ <help>Tunnel for NHRP</help>
<constraint>
<regex>tun[0-9]+</regex>
</constraint>
@@ -27,6 +27,10 @@
<format>txt</format>
<description>Pass phrase for cisco authentication</description>
</valueHelp>
+ <constraint>
+ <regex>[^[:space:]]{1,8}</regex>
+ </constraint>
+ <constraintErrorMessage>Password should contain up to eight non-whitespace characters</constraintErrorMessage>
</properties>
</leafNode>
<tagNode name="dynamic-map">
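Review bot: This constraint becomes the only enforcement of the eight-character limit, because the length check in verify() is removed in src/conf_mode/protocols_nhrp.py later in this commit. The two are equivalent only if the CLI validator matches the regex against the whole value and if every way of loading a configuration runs the constraints; both are assumptions from what is visible here and should be confirmed, otherwise keep the verify() check as a second guard. `[^[:space:]]` also narrows what is accepted: a secret containing whitespace passed the old length check and is rejected now, which could affect an existing configuration on upgrade.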
@@ -40,7 +44,7 @@
<children>
<leafNode name="nbma-domain-name">
<properties>
- <help>Set HUB fqdn (nbma-address - fqdn) [REQUIRED]</help>
+ <help>Set HUB fqdn (nbma-address - fqdn)</help>
<valueHelp>
<format>&lt;fqdn&gt;</format>
<description>Set the external HUB fqdn</description>
@@ -67,7 +71,7 @@
</leafNode>
<leafNode name="nbma-address">
<properties>
- <help>Set HUB address (nbma-address - external hub address or fqdn) [REQUIRED]</help>
+ <help>Set HUB address (nbma-address - external hub address or fqdn)</help>
</properties>
</leafNode>
<leafNode name="register">
diff --git a/interface-definitions/service_monitoring_telegraf.xml.in b/interface-definitions/service_monitoring_telegraf.xml.in
index bd528ea33..d0d9202c1 100644
--- a/interface-definitions/service_monitoring_telegraf.xml.in
+++ b/interface-definitions/service_monitoring_telegraf.xml.in
@@ -20,7 +20,7 @@
<children>
<leafNode name="organization">
<properties>
- <help>Authentication organization for InfluxDB v2 [REQUIRED]</help>
+ <help>Authentication organization for InfluxDB v2</help>
<constraint>
<regex>[a-zA-Z][1-9a-zA-Z@_\-.]{2,50}</regex>
</constraint>
@@ -29,7 +29,7 @@
</leafNode>
<leafNode name="token">
<properties>
- <help>Authentication token for InfluxDB v2 [REQUIRED]</help>
+ <help>Authentication token for InfluxDB v2</help>
<valueHelp>
<format>txt</format>
<description>Authentication token</description>
@@ -83,7 +83,7 @@
</node>
<leafNode name="database">
<properties>
- <help>Remote database name [REQUIRED]</help>
+ <help>Remote database name</help>
<valueHelp>
<format>txt</format>
<description>Remote database name</description>
@@ -281,7 +281,7 @@
</node>
<leafNode name="url">
<properties>
- <help>Remote URL [REQUIRED]</help>
+ <help>Remote URL</help>
<valueHelp>
<format>url</format>
<description>Remote URL to Splunk collector</description>
diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in
index bb11e9cd0..40dac23ca 100644
--- a/interface-definitions/service_router-advert.xml.in
+++ b/interface-definitions/service_router-advert.xml.in
@@ -10,7 +10,7 @@
<children>
<tagNode name="interface">
<properties>
- <help>Interface to send RA on [REQUIRED]</help>
+ <help>Interface to send RA on</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in
index 9a75bc27d..42f5bba9f 100644
--- a/interface-definitions/service_webproxy.xml.in
+++ b/interface-definitions/service_webproxy.xml.in
@@ -288,7 +288,7 @@
</leafNode>
<tagNode name="listen-address">
<properties>
- <help>IPv4 listen-address for WebProxy [REQUIRED]</help>
+ <help>IPv4 listen-address for WebProxy</help>
<completionHelp>
<script>${vyos_completion_dir}/list_local_ips.sh --ipv4</script>
</completionHelp>
@@ -452,7 +452,7 @@
</leafNode>
<leafNode name="source-group">
<properties>
- <help>Source-group for this rule [REQUIRED]</help>
+ <help>Source-group for this rule</help>
<valueHelp>
<format>group</format>
<description>Source group identifier for this rule</description>
diff --git a/interface-definitions/system-lcd.xml.in b/interface-definitions/system-lcd.xml.in
index 9b1a15317..0cf4de308 100644
--- a/interface-definitions/system-lcd.xml.in
+++ b/interface-definitions/system-lcd.xml.in
@@ -10,7 +10,7 @@
<children>
<leafNode name="model">
<properties>
- <help>Model of the display attached to this system [REQUIRED]</help>
+ <help>Model of the display attached to this system</help>
<completionHelp>
<list>cfa-533 cfa-631 cfa-633 cfa-635 hd44780 sdec</list>
</completionHelp>
diff --git a/interface-definitions/tftp-server.xml.in b/interface-definitions/tftp-server.xml.in
index 4963eab3c..8ca4da883 100644
--- a/interface-definitions/tftp-server.xml.in
+++ b/interface-definitions/tftp-server.xml.in
@@ -11,7 +11,7 @@
<children>
<leafNode name="directory">
<properties>
- <help>Folder containing files served by TFTP [REQUIRED]</help>
+ <help>Folder containing files served by TFTP</help>
</properties>
</leafNode>
<leafNode name="allow-upload">
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 555ba689f..d884d6ce6 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -209,7 +209,7 @@
</leafNode>
<tagNode name="proposal">
<properties>
- <help>ESP group proposal [REQUIRED]</help>
+ <help>ESP group proposal</help>
<valueHelp>
<format>u32:1-65535</format>
<description>ESP group proposal number</description>
@@ -669,7 +669,7 @@
#include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
- <help>Authentication [REQUIRED]</help>
+ <help>Authentication</help>
</properties>
<children>
<leafNode name="mode">
@@ -951,7 +951,7 @@
#include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
- <help>Peer authentication [REQUIRED]</help>
+ <help>Peer authentication</help>
</properties>
<children>
#include <include/ipsec/authentication-id.xml.i>
@@ -1077,10 +1077,10 @@
#include <include/ipsec/local-address.xml.i>
<tagNode name="tunnel">
<properties>
- <help>Peer tunnel [REQUIRED]</help>
+ <help>Peer tunnel</help>
<valueHelp>
<format>u32</format>
- <description>Peer tunnel [REQUIRED]</description>
+ <description>Peer tunnel</description>
</valueHelp>
</properties>
<children>
@@ -1144,7 +1144,7 @@
</leafNode>
<node name="vti">
<properties>
- <help>Virtual tunnel interface [REQUIRED]</help>
+ <help>Virtual tunnel interface</help>
</properties>
<children>
<leafNode name="bind">
diff --git a/op-mode-definitions/show-ip.xml.in b/op-mode-definitions/show-ip.xml.in
index d342ac192..d21c38ccc 100644
--- a/op-mode-definitions/show-ip.xml.in
+++ b/op-mode-definitions/show-ip.xml.in
@@ -7,6 +7,12 @@
<help>Show IPv4 networking information</help>
</properties>
<children>
+ <node name="external">
+ <properties>
+ <help>Show IPv4 external address</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/show_ip_external.sh</command>
+ </node>
<node name="neighbors">
<properties>
<help>Show IPv4 neighbor (ARP) table</help>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 31fe8b5e3..355ec44b0 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -231,6 +231,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
value = rule_conf['hop_limit'][op]
output.append(f'ip6 hoplimit {operator} {value}')
+ if 'ttl' in rule_conf:
+ operators = {'eq': '==', 'gt': '>', 'lt': '<'}
+ for op, operator in operators.items():
+ if op in rule_conf['ttl']:
+ value = rule_conf['ttl'][op]
+ output.append(f'ip ttl {operator} {value}')
+
for icmp in ['icmp', 'icmpv6']:
if icmp in rule_conf:
if 'type_name' in rule_conf[icmp]:
diff --git a/scripts/build-command-templates b/scripts/build-command-templates
index 876f5877c..729fc864c 100755
--- a/scripts/build-command-templates
+++ b/scripts/build-command-templates
@@ -192,12 +192,12 @@ def get_properties(p, default=None):
# so we get to emulate it
comp_exprs = []
for i in lists:
- comp_exprs.append("echo \"{0}\"".format(i.text))
+ comp_exprs.append(f'echo "{i.text}"')
for i in paths:
- comp_exprs.append("/bin/cli-shell-api listNodes {0}".format(i.text))
+ comp_exprs.append(f'/bin/cli-shell-api listNodes {i.text}')
for i in scripts:
- comp_exprs.append("sh -c \"{0}\"".format(i.text))
- comp_help = " && ".join(comp_exprs)
+ comp_exprs.append(f'sh -c "{i.text}"')
+ comp_help = ' && echo " " && '.join(comp_exprs)
props["comp_help"] = comp_help
except:
props["comp_help"] = []
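Review bot: Joining with `' && echo " " && '` means the first completion helper that exits non-zero stops every later one from running, so one broken script hides the remaining suggestions; a `;` separator would keep them independent if that is the intent. The `i.text` values are also placed inside double quotes without escaping, so a double quote, backtick or `$(` in a definition file would alter the generated command. That is acceptable while the XML is reviewed in-tree content, but it deserves a comment such as `# i.text comes from in-tree XML definitions and is not shell-escaped`. The bare `except:` below would also hide any failure here by silently setting `comp_help` to `[]`. get_properties starts and ends outside this hunk.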
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 2462e9a6a..998f1b3f3 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -155,6 +155,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'log', 'enable'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'log-level', 'debug'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'ttl', 'eq', '15'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'reject'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'protocol', 'tcp'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'destination', 'port', '8888'])
@@ -162,6 +163,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'log-level', 'err'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'ttl', 'gt', '102'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'protocol', 'tcp'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'destination', 'port', '22'])
@@ -174,8 +176,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['iifname "eth0"', 'jump NAME_smoketest'],
- ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug','return'],
- ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'log prefix "[smoketest-2-R]" level err', 'reject'],
+ ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug', 'ip ttl 15','return'],
+ ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'log prefix "[smoketest-2-R]" level err', 'ip ttl > 102', 'reject'],
['tcp dport { 22 }', 'limit rate 5/minute', 'return'],
['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop']
]
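Review bot: The new assertions cover `ttl eq` and `ttl gt`, but nothing sets `ttl lt`, so the `<` entry of the operator table in parse_rule is untested. Adding `self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'ttl', 'lt', N])` together with a matching `'ip ttl < N'` entry in `nftables_search` (N being any value in range) would cover it. The test method starts and ends outside these hunks.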
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 82a51f4af..792e17b85 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -452,8 +452,9 @@ def apply(firewall):
call('systemctl restart vyos-domain-group-resolve.service')
for group, group_config in firewall['group']['domain_group'].items():
domains = []
- for address in group_config['address']:
- domains.append(address)
+ if group_config.get('address') is not None:
+ for address in group_config.get('address'):
+ domains.append(address)
# Add elements to domain-group, try to resolve domain => ip
# and add elements to nft set
ip_dict = get_ips_domains_dict(domains)
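Review bot: `group_config.get('address')` is looked up twice and the loop only copies the list; `domains = group_config.get('address') or []` keeps the None guard in one line. A domain group without addresses now reaches `get_ips_domains_dict(domains)` with an empty list, so it is worth confirming that the code after this hunk handles an empty result rather than emitting an empty element list for the nft set. apply() continues outside the hunk.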
diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py
index 56939955d..b247ce2ab 100755
--- a/src/conf_mode/protocols_nhrp.py
+++ b/src/conf_mode/protocols_nhrp.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
+# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -81,11 +81,6 @@ def verify(nhrp):
for map_name, map_conf in nhrp_conf['dynamic_map'].items():
if 'nbma_domain_name' not in map_conf:
raise ConfigError(f'nbma-domain-name missing on dynamic-map {map_name} on tunnel {name}')
-
- if 'cisco_authentication' in nhrp_conf:
- if len(nhrp_conf['cisco_authentication']) > 8:
- raise ConfigError('Maximum length of the secret is 8 characters!')
-
return None
def generate(nhrp):
diff --git a/src/op_mode/show_ip_external.sh b/src/op_mode/show_ip_external.sh
new file mode 100755
index 000000000..275d05278
--- /dev/null
+++ b/src/op_mode/show_ip_external.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Detect an external IP address
+# Use random services for checking
+
+
+array=(
+ ipinfo.io/ip
+ ifconfig.me
+ ipecho.net/plain
+ icanhazip.com
+ v4.ident.me
+ checkip.amazonaws.com
+)
+
+size=${#array[@]}
+index=$(($RANDOM % $size))
+
+curl --silent ${array[$index]} | tr -d "[:space:]" && echo
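Review bot: The curl call on the last line fetches over plain HTTP (no scheme is given), has no timeout, and prints whatever the remote service returns after only stripping whitespace. Anyone on the path, or the service itself, can therefore put arbitrary text on the operator's terminal, and a stalled connection hangs the op-mode command. The command is documented as showing an IPv4 address, yet some of these hosts may answer over IPv6 when the router has it. I would request HTTPS with `--fail --max-time` and `--ipv4`, quote the array expansion, and only print the result if it looks like an IPv4 address; this assumes every listed service answers over HTTPS, which should be checked.

```shell
# … unchanged: service list, size and index selection …
addr=$(curl --silent --fail --ipv4 --max-time 5 "https://${array[$index]}" | tr -d "[:space:]")

# Only echo something that is shaped like a dotted-quad address
if [[ "$addr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "$addr"
else
    echo "Unable to determine external IPv4 address" >&2
    exit 1
fi
```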