diff options
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 1 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_interfaces_openvpn.py | 76 | ||||
| -rwxr-xr-x | src/conf_mode/system-ip.py | 28 | ||||
| -rwxr-xr-x | src/conf_mode/system-ipv6.py | 25 |
4 files changed, 33 insertions, 97 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 1b764c9da..723c9c3a2 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -273,7 +273,6 @@ table bridge vyos_filter { } {% endif %} {{ group_tmpl.groups(group, True) }} -} table inet vyos_offload delete table inet vyos_offload diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py index d1ece84d6..4a7e2418c 100755 --- a/smoketest/scripts/cli/test_interfaces_openvpn.py +++ b/smoketest/scripts/cli/test_interfaces_openvpn.py @@ -421,7 +421,7 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): # IP pool configuration netmask = IPv4Network(subnet).netmask network = IPv4Network(subnet).network_address - self.assertIn(f'server {network} {netmask} nopool', config) + self.assertIn(f'server {network} {netmask}', config) # Verify client client_config = read_file(client_config_file) @@ -442,80 +442,6 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): interface = f'vtun{ii}' self.assertNotIn(interface, interfaces()) - def test_openvpn_server_net30_topology(self): - # Create OpenVPN server interfaces (net30) using different client - # subnets. Validate configuration afterwards. - auth_hash = 'sha256' - num_range = range(20, 25) - port = '' - for ii in num_range: - interface = f'vtun{ii}' - subnet = f'192.0.{ii}.0/24' - path = base_path + [interface] - port = str(2000 + ii) - - self.cli_set(path + ['device-type', 'tun']) - self.cli_set(path + ['encryption', 'cipher', 'aes192']) - self.cli_set(path + ['hash', auth_hash]) - self.cli_set(path + ['mode', 'server']) - self.cli_set(path + ['local-port', port]) - self.cli_set(path + ['server', 'subnet', subnet]) - self.cli_set(path + ['server', 'topology', 'net30']) - self.cli_set(path + ['replace-default-route']) - self.cli_set(path + ['keep-alive', 'failure-count', '10']) - self.cli_set(path + ['keep-alive', 'interval', '5']) - self.cli_set(path + ['tls', 'ca-certificate', 'ovpn_test']) - self.cli_set(path + ['tls', 'certificate', 'ovpn_test']) - self.cli_set(path + ['tls', 'dh-params', 'ovpn_test']) - self.cli_set(path + ['vrf', vrf_name]) - - self.cli_commit() - - for ii in num_range: - interface = f'vtun{ii}' - subnet = f'192.0.{ii}.0/24' - start_addr = inc_ip(subnet, '4') - stop_addr = dec_ip(last_host_address(subnet), '1') - port = str(2000 + ii) - - config_file = f'/run/openvpn/{interface}.conf' - config = read_file(config_file) - - self.assertIn(f'dev {interface}', config) - self.assertIn(f'dev-type tun', config) - self.assertIn(f'persist-key', config) - self.assertIn(f'proto udp', config) # default protocol - self.assertIn(f'auth {auth_hash}', config) - self.assertIn(f'cipher AES-192-CBC', config) - self.assertIn(f'topology net30', config) - self.assertIn(f'lport {port}', config) - self.assertIn(f'push "redirect-gateway def1"', config) - self.assertIn(f'keepalive 5 50', config) - - # TLS options - self.assertIn(f'ca /run/openvpn/{interface}_ca.pem', config) - self.assertIn(f'cert /run/openvpn/{interface}_cert.pem', config) - self.assertIn(f'key /run/openvpn/{interface}_cert.key', config) - self.assertIn(f'dh /run/openvpn/{interface}_dh.pem', config) - - # IP pool configuration - netmask = IPv4Network(subnet).netmask - network = IPv4Network(subnet).network_address - self.assertIn(f'server {network} {netmask} nopool', config) - self.assertIn(f'ifconfig-pool {start_addr} {stop_addr}', config) - - self.assertTrue(process_named_running(PROCESS_NAME)) - self.assertEqual(get_vrf(interface), vrf_name) - self.assertIn(interface, interfaces()) - - # check that no interface remained after deleting them - self.cli_delete(base_path) - self.cli_commit() - - for ii in num_range: - interface = f'vtun{ii}' - self.assertNotIn(interface, interfaces()) - def test_openvpn_site2site_verify(self): # Create one OpenVPN site2site interface and check required # verify() stages diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system-ip.py index 5e4e5ec28..7612e2c0d 100755 --- a/src/conf_mode/system-ip.py +++ b/src/conf_mode/system-ip.py @@ -20,10 +20,12 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.configverify import verify_route_map from vyos.template import render_to_string -from vyos.utils.process import call from vyos.utils.dict import dict_search from vyos.utils.file import write_file +from vyos.utils.process import call +from vyos.utils.process import is_systemd_service_active from vyos.utils.system import sysctl_write + from vyos import ConfigError from vyos import frr from vyos import airbag @@ -115,16 +117,20 @@ def apply(opt): value = '48' if (tmp is None) else tmp sysctl_write('net.ipv4.tcp_mtu_probe_floor', value) - zebra_daemon = 'zebra' - # Save original configuration prior to starting any commit actions - frr_cfg = frr.FRRConfig() - - # The route-map used for the FIB (zebra) is part of the zebra daemon - frr_cfg.load_configuration(zebra_daemon) - frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') - if 'frr_zebra_config' in opt: - frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) - frr_cfg.commit_configuration(zebra_daemon) + # During startup of vyos-router that brings up FRR, the service is not yet + # running when this script is called first. Skip this part and wait for initial + # commit of the configuration to trigger this statement + if is_systemd_service_active('frr.service'): + zebra_daemon = 'zebra' + # Save original configuration prior to starting any commit actions + frr_cfg = frr.FRRConfig() + + # The route-map used for the FIB (zebra) is part of the zebra daemon + frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') + if 'frr_zebra_config' in opt: + frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) + frr_cfg.commit_configuration(zebra_daemon) if __name__ == '__main__': try: diff --git a/src/conf_mode/system-ipv6.py b/src/conf_mode/system-ipv6.py index e40ed38e2..90a1a8087 100755 --- a/src/conf_mode/system-ipv6.py +++ b/src/conf_mode/system-ipv6.py @@ -22,8 +22,9 @@ from vyos.configdict import dict_merge from vyos.configverify import verify_route_map from vyos.template import render_to_string from vyos.utils.dict import dict_search -from vyos.utils.system import sysctl_write from vyos.utils.file import write_file +from vyos.utils.process import is_systemd_service_active +from vyos.utils.system import sysctl_write from vyos import ConfigError from vyos import frr from vyos import airbag @@ -93,16 +94,20 @@ def apply(opt): if name == 'accept_dad': write_file(os.path.join(root, name), value) - zebra_daemon = 'zebra' - # Save original configuration prior to starting any commit actions - frr_cfg = frr.FRRConfig() + # During startup of vyos-router that brings up FRR, the service is not yet + # running when this script is called first. Skip this part and wait for initial + # commit of the configuration to trigger this statement + if is_systemd_service_active('frr.service'): + zebra_daemon = 'zebra' + # Save original configuration prior to starting any commit actions + frr_cfg = frr.FRRConfig() - # The route-map used for the FIB (zebra) is part of the zebra daemon - frr_cfg.load_configuration(zebra_daemon) - frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') - if 'frr_zebra_config' in opt: - frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) - frr_cfg.commit_configuration(zebra_daemon) + # The route-map used for the FIB (zebra) is part of the zebra daemon + frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') + if 'frr_zebra_config' in opt: + frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) + frr_cfg.commit_configuration(zebra_daemon) if __name__ == '__main__': try: |