diff options
35 files changed, 1327 insertions, 176 deletions
diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies.json index ccee359d1..91a757c16 100644 --- a/data/config-mode-dependencies.json +++ b/data/config-mode-dependencies.json @@ -28,5 +28,8 @@ "wireguard": ["interfaces-wireguard"], "wireless": ["interfaces-wireless"], "wwan": ["interfaces-wwan"] + }, + "vpp": { + "ethernet": ["interfaces-ethernet"] } } diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 index 7a89d29e4..1c9bda64f 100644 --- a/data/templates/firewall/nftables-policy.j2 +++ b/data/templates/firewall/nftables-policy.j2 @@ -11,7 +11,7 @@ table ip vyos_mangle { type filter hook prerouting priority -150; policy accept; {% if route is vyos_defined %} {% for route_text, conf in route.items() if conf.interface is vyos_defined %} - iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_{{ route_text }} + iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_UD_{{ route_text }} {% endfor %} {% endif %} } @@ -22,7 +22,7 @@ table ip vyos_mangle { {% if route is vyos_defined %} {% for route_text, conf in route.items() %} - chain VYOS_PBR_{{ route_text }} { + chain VYOS_PBR_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }} @@ -40,7 +40,7 @@ table ip6 vyos_mangle { type filter hook prerouting priority -150; policy accept; {% if route6 is vyos_defined %} {% for route_text, conf in route6.items() if conf.interface is vyos_defined %} - iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_{{ route_text }} + iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_UD_{{ route_text }} {% endfor %} {% endif %} } @@ -51,7 +51,7 @@ table ip6 vyos_mangle { {% if route6 is vyos_defined %} {% for route_text, conf in route6.items() %} - chain VYOS_PBR6_{{ route_text }} { + chain VYOS_PBR6_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index 3f97b7325..1ee8d8752 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -72,6 +72,9 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% endfor %} {% endfor %} {% endif %} +{% if aggregation.timer is vyos_defined %} + aggregation timer {{ aggregation.timer }} +{% endif %} {% if area is vyos_defined %} {% for area_id, area_config in area.items() %} {% if area_config.area_type is vyos_defined %} @@ -200,6 +203,11 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if refresh.timers is vyos_defined %} refresh timer {{ refresh.timers }} {% endif %} +{% if summary_address is vyos_defined %} +{% for prefix, prefix_options in summary_address.items() %} + summary-address {{ prefix }} {{ 'tag ' + prefix_options.tag if prefix_options.tag is vyos_defined }}{{ 'no-advertise' if prefix_options.no_advertise is vyos_defined }} +{% endfor %} +{% endif %} {% if segment_routing is vyos_defined %} {% if segment_routing.maximum_label_depth is vyos_defined %} segment-routing node-msd {{ segment_routing.maximum_label_depth }} diff --git a/data/templates/vpp/override.conf.j2 b/data/templates/vpp/override.conf.j2 new file mode 100644 index 000000000..a2c2b04ed --- /dev/null +++ b/data/templates/vpp/override.conf.j2 @@ -0,0 +1,14 @@ +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/vpp/vpp.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=/usr/bin/vpp -c /run/vpp/vpp.conf +WorkingDirectory= +WorkingDirectory=/run/vpp +Restart=always +RestartSec=10 diff --git a/data/templates/vpp/startup.conf.j2 b/data/templates/vpp/startup.conf.j2 new file mode 100644 index 000000000..f33539fba --- /dev/null +++ b/data/templates/vpp/startup.conf.j2 @@ -0,0 +1,116 @@ +# Generated by /usr/libexec/vyos/conf_mode/vpp.py + +unix { + nodaemon + log /var/log/vpp.log + full-coredump + cli-listen /run/vpp/cli.sock + gid vpp + # exec /etc/vpp/bootstrap.vpp +{% if unix is vyos_defined %} +{% if unix.poll_sleep_usec is vyos_defined %} + poll-sleep-usec {{ unix.poll_sleep_usec }} +{% endif %} +{% endif %} +} + +{% if cpu is vyos_defined %} +cpu { +{% if cpu.main_core is vyos_defined %} + main-core {{ cpu.main_core }} +{% endif %} +{% if cpu.corelist_workers is vyos_defined %} + corelist-workers {{ cpu.corelist_workers | join(',') }} +{% endif %} +{% if cpu.skip_cores is vyos_defined %} + skip-cores {{ cpu.skip_cores }} +{% endif %} +{% if cpu.workers is vyos_defined %} + workers {{ cpu.workers }} +{% endif %} +} +{% endif %} + +{# ip heap-size does not work now (23.06-rc2~1-g3a4e62ad4) #} +{# vlib_call_all_config_functions: unknown input `ip heap-size 32M ' #} +{% if ip is vyos_defined %} +#ip { +#{% if ip.heap_size is vyos_defined %} +# heap-size {{ ip.heap_size }}M +#{% endif %} +#} +{% endif %} + +{% if ip6 is vyos_defined %} +ip6 { +{% if ip6.hash_buckets is vyos_defined %} + hash-buckets {{ ip6.hash_buckets }} +{% endif %} +{% if ip6.heap_size is vyos_defined %} + heap-size {{ ip6.heap_size }}M +{% endif %} +} +{% endif %} + +{% if l2learn is vyos_defined %} +l2learn { +{% if l2learn.limit is vyos_defined %} + limit {{ l2learn.limit }} +{% endif %} +} +{% endif %} + +{% if logging is vyos_defined %} +logging { +{% if logging.default_log_level is vyos_defined %} + default-log-level {{ logging.default_log_level }} +{% endif %} +} +{% endif %} + +{% if physmem is vyos_defined %} +physmem { +{% if physmem.max_size is vyos_defined %} + max-size {{ physmem.max_size.upper() }} +{% endif %} +} +{% endif %} + +plugins { + path /usr/lib/x86_64-linux-gnu/vpp_plugins/ + plugin default { disable } + plugin dpdk_plugin.so { enable } + plugin linux_cp_plugin.so { enable } + plugin linux_nl_plugin.so { enable } +} + +linux-cp { + lcp-sync + lcp-auto-subint +} + +dpdk { + # Whitelist the fake PCI address 0000:00:00.0 + # This prevents all devices from being added to VPP-DPDK by default + dev 0000:00:00.0 +{% for iface, iface_config in interface.items() %} +{% if iface_config.pci is vyos_defined %} + dev {{ iface_config.pci }} { + name {{ iface }} +{% if iface_config.num_rx_desc is vyos_defined %} + num-rx-desc {{ iface_config.num_rx_desc }} +{% endif %} +{% if iface_config.num_tx_desc is vyos_defined %} + num-tx-desc {{ iface_config.num_tx_desc }} +{% endif %} +{% if iface_config.num_rx_queues is vyos_defined %} + num-rx-queues {{ iface_config.num_rx_queues }} +{% endif %} +{% if iface_config.num_tx_queues is vyos_defined %} + num-tx-queues {{ iface_config.num_tx_queues }} +{% endif %} + } +{% endif %} +{% endfor %} + uio-bind-force +} diff --git a/debian/control b/debian/control index dcce8036a..40920cadc 100644 --- a/debian/control +++ b/debian/control @@ -27,9 +27,9 @@ Standards-Version: 3.9.6 Package: vyos-1x Architecture: amd64 arm64 Pre-Depends: - libnss-tacplus (>= 1.0.4), - libpam-tacplus (>= 1.4.3), - libpam-radius-auth (>= 1.5.0) + libnss-tacplus [amd64], + libpam-tacplus [amd64], + libpam-radius-auth [amd64] Depends: ${python3:Depends} (>= 3.10), aardvark-dns, @@ -90,6 +90,7 @@ Depends: libqmi-utils, libstrongswan-extra-plugins (>=5.9), libstrongswan-standard-plugins (>=5.9), + libvppinfra, libvyosconfig0, lldpd, lm-sensors, @@ -142,6 +143,7 @@ Depends: python3-tabulate, python3-vici (>= 5.7.2), python3-voluptuous, + python3-vpp-api, python3-xmltodict, python3-zmq, qrencode, @@ -176,6 +178,9 @@ Depends: uidmap, usb-modeswitch, usbutils, + vpp, + vpp-plugin-core, + vpp-plugin-dpdk, vyatta-bash, vyatta-cfg, vyos-http-api-tools, diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 9822ce286..2958afd0a 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -179,3 +179,12 @@ systemctl enable vyos-config-cloud-init.service # Generate API GraphQL schema /usr/libexec/vyos/services/api/graphql/generate/generate_schema.py + +# T1797: disable VPP support for rolling release, should be used by developers +# only (in the initial phase). If you wan't to enable VPP use the below command +# on your VyOS installation: +# +# sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp +if [ -d /opt/vyatta/share/vyatta-cfg/templates/vpp ]; then + mv /opt/vyatta/share/vyatta-cfg/templates/vpp /opt/vyatta/share/vyatta-cfg/vpp +fi diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index bfbeb112c..92037a915 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -7,3 +7,4 @@ dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile +dpkg-divert --package vyos-1x --add --no-rename /etc/sysctl.d/80-vpp.conf diff --git a/interface-definitions/include/interface/parameters-innerproto.xml.i b/interface-definitions/include/interface/parameters-innerproto.xml.i new file mode 100644 index 000000000..9cafebd11 --- /dev/null +++ b/interface-definitions/include/interface/parameters-innerproto.xml.i @@ -0,0 +1,8 @@ +<!-- include start from interface/parameters-innerproto.xml.i --> +<leafNode name="innerproto"> + <properties> + <help>Use IPv4 as inner protocol instead of Ethernet</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index b7f22cb88..3492b873f 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -1,4 +1,24 @@ <!-- include start from ospf/protocol-common-config.xml.i --> +<node name="aggregation"> + <properties> + <help>External route aggregation</help> + </properties> + <children> + <leafNode name="timer"> + <properties> + <help>Delay timer</help> + <valueHelp> + <format>u32:5-1800</format> + <description>Timer interval in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 5-1800"/> + </constraint> + </properties> + <defaultValue>5</defaultValue> + </leafNode> + </children> +</node> <tagNode name="access-list"> <properties> <help>Access list to filter networks in routing updates</help> @@ -816,6 +836,38 @@ </leafNode> </children> </node> +<tagNode name="summary-address"> + <properties> + <help>External summary address</help> + <valueHelp> + <format>ipv4net</format> + <description>OSPF area number in dotted decimal notation</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + </constraint> + </properties> + <children> + <leafNode name="no-advertise"> + <properties> + <help>Don not advertise summary route</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="tag"> + <properties> + <help>Router tag</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>Router tag value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + </leafNode> + </children> +</tagNode> <node name="timers"> <properties> <help>Adjust routing timers</help> diff --git a/interface-definitions/include/policy/tag.xml.i b/interface-definitions/include/policy/tag.xml.i new file mode 100644 index 000000000..ec25b9391 --- /dev/null +++ b/interface-definitions/include/policy/tag.xml.i @@ -0,0 +1,14 @@ +<!-- include start from policy/tag.xml.i --> +<leafNode name="tag"> + <properties> + <help>Route tag value</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Route tag</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index 330dadd95..29b563a09 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -36,6 +36,7 @@ #include <include/interface/parameters-df.xml.i> #include <include/interface/parameters-tos.xml.i> #include <include/interface/parameters-ttl.xml.i> + #include <include/interface/parameters-innerproto.xml.i> </children> </node> <node name="ipv6"> diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 03f169c05..dd1e8e511 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -5,7 +5,7 @@ <tagNode name="wireguard" owner="${vyos_conf_scripts_dir}/interfaces-wireguard.py"> <properties> <help>WireGuard Interface</help> - <priority>381</priority> + <priority>379</priority> <constraint> <regex>wg[0-9]+</regex> </constraint> diff --git a/interface-definitions/netns.xml.in b/interface-definitions/netns.xml.in index 87880e96a..5d958968f 100644 --- a/interface-definitions/netns.xml.in +++ b/interface-definitions/netns.xml.in @@ -3,7 +3,7 @@ <node name="netns" owner="${vyos_conf_scripts_dir}/netns.py"> <properties> <help>Network namespace</help> - <priority>299</priority> + <priority>291</priority> </properties> <children> <tagNode name="name"> diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index aa39950c2..c470cfdb3 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -1052,18 +1052,7 @@ </constraint> </properties> </leafNode> - <leafNode name="tag"> - <properties> - <help>Route tag to match</help> - <valueHelp> - <format>u32:1-65535</format> - <description>Route tag</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-65535"/> - </constraint> - </properties> - </leafNode> + #include <include/policy/tag.xml.i> </children> </node> <node name="on-match"> @@ -1548,18 +1537,7 @@ </constraint> </properties> </leafNode> - <leafNode name="tag"> - <properties> - <help>Tag value for routing protocol</help> - <valueHelp> - <format>u32:1-65535</format> - <description>Tag value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-65535"/> - </constraint> - </properties> - </leafNode> + #include <include/policy/tag.xml.i> <leafNode name="weight"> <properties> <help>BGP weight attribute</help> diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in index 0fa349e0b..efab50a66 100644 --- a/interface-definitions/system-option.xml.in +++ b/interface-definitions/system-option.xml.in @@ -36,7 +36,7 @@ <properties> <help>System keyboard layout, type ISO2</help> <completionHelp> - <list>us uk fr de es fi jp106 no dk dvorak</list> + <list>us uk fr de es fi jp106 no dk se-latin1 dvorak</list> </completionHelp> <valueHelp> <format>us</format> @@ -75,11 +75,15 @@ <description>Denmark</description> </valueHelp> <valueHelp> + <format>se-latin1</format> + <description>Sweden</description> + </valueHelp> + <valueHelp> <format>dvorak</format> <description>Dvorak</description> </valueHelp> <constraint> - <regex>(us|uk|fr|de|es|fi|jp106|no|dk|dvorak)</regex> + <regex>(us|uk|fr|de|es|fi|jp106|no|dk|se-latin1|dvorak)</regex> </constraint> <constraintErrorMessage>Invalid keyboard layout</constraintErrorMessage> </properties> diff --git a/interface-definitions/vpp.xml.in b/interface-definitions/vpp.xml.in new file mode 100644 index 000000000..3f0758c0a --- /dev/null +++ b/interface-definitions/vpp.xml.in @@ -0,0 +1,342 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="vpp" owner="${vyos_conf_scripts_dir}/vpp.py"> + <properties> + <help>Accelerated data-plane</help> + <priority>295</priority> + </properties> + <children> + <node name="cpu"> + <properties> + <help>CPU settings</help> + </properties> + <children> + <leafNode name="corelist-workers"> + <properties> + <help>List of cores worker threads</help> + <valueHelp> + <format><id></format> + <description>CPU core id</description> + </valueHelp> + <valueHelp> + <format><idN>-<idM></format> + <description>CPU core id range (use '-' as delimiter)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 0-512"/> + </constraint> + <constraintErrorMessage>not a valid CPU core value or range</constraintErrorMessage> + <multi/> + </properties> + </leafNode> + <leafNode name="main-core"> + <properties> + <help>Main core</help> + <valueHelp> + <format>u32:0-512</format> + <description>Assign main thread to specific core</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-512"/> + </constraint> + </properties> + </leafNode> + <leafNode name="skip-cores"> + <properties> + <help>Skip cores</help> + <valueHelp> + <format>u32:0-512</format> + <description>Skip cores</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-512"/> + </constraint> + </properties> + </leafNode> + <leafNode name="workers"> + <properties> + <help>Create worker threads</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Worker threads</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-512"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <tagNode name="interface"> + <properties> + <help>Interface</help> + <valueHelp> + <format>ethN</format> + <description>Interface name</description> + </valueHelp> + <constraint> + <regex>((eth|lan)[0-9]+|(eno|ens|enp|enx).+)</regex> + </constraint> + <constraintErrorMessage>Invalid interface name</constraintErrorMessage> + </properties> + <children> + <leafNode name="num-rx-desc"> + <properties> + <help>Number of receive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of receive ring descriptors</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name="num-tx-desc"> + <properties> + <help>Number of tranceive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of tranceive ring descriptors</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name="num-rx-queues"> + <properties> + <help>Number of receive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of receive queues</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name="num-tx-queues"> + <properties> + <help>Number of tranceive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of tranceive queues</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name='pci'> + <properties> + <help>PCI address allocation</help> + <valueHelp> + <format>auto</format> + <description>Auto detect PCI address</description> + </valueHelp> + <valueHelp> + <format><xxxx:xx:xx.x></format> + <description>Set Peripheral Component Interconnect (PCI) address</description> + </valueHelp> + <constraint> + <regex>(auto|[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F])</regex> + </constraint> + </properties> + <defaultValue>auto</defaultValue> + </leafNode> + <leafNode name="rx-mode"> + <properties> + <help>Receive packet processing mode</help> + <completionHelp> + <list>polling interrupt adaptive</list> + </completionHelp> + <valueHelp> + <format>polling</format> + <description>Constantly check for new data</description> + </valueHelp> + <valueHelp> + <format>interrupt</format> + <description>Interrupt mode</description> + </valueHelp> + <valueHelp> + <format>adaptive</format> + <description>Adaptive mode</description> + </valueHelp> + <constraint> + <regex>(polling|interrupt|adaptive)</regex> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> + <node name="ip"> + <properties> + <help>IP settings</help> + </properties> + <children> + <leafNode name="heap-size"> + <properties> + <help>IPv4 heap size</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>32</defaultValue> + </leafNode> + </children> + </node> + <node name="ip6"> + <properties> + <help>IPv6 settings</help> + </properties> + <children> + <leafNode name="heap-size"> + <properties> + <help>IPv6 heap size</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>32</defaultValue> + </leafNode> + <leafNode name="hash-buckets"> + <properties> + <help>IPv6 forwarding table hash buckets</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>IPv6 forwarding table hash buckets</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>65536</defaultValue> + </leafNode> + </children> + </node> + <node name="l2learn"> + <properties> + <help>Level 2 MAC address learning settings</help> + </properties> + <children> + <leafNode name="limit"> + <properties> + <help>Number of MAC addresses in the L2 FIB</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>Number of concurent entries</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>4194304</defaultValue> + </leafNode> + </children> + </node> + <node name="logging"> + <properties> + <help>Loggint settings</help> + </properties> + <children> + <leafNode name="default-log-level"> + <properties> + <help>default-log-level</help> + <completionHelp> + <list>alert crit debug disabled emerg err info notice warn</list> + </completionHelp> + <valueHelp> + <format>alert</format> + <description>Alert</description> + </valueHelp> + <valueHelp> + <format>crit</format> + <description>Critical</description> + </valueHelp> + <valueHelp> + <format>debug</format> + <description>Debug</description> + </valueHelp> + <valueHelp> + <format>disabled</format> + <description>Disabled</description> + </valueHelp> + <valueHelp> + <format>emerg</format> + <description>Emergency</description> + </valueHelp> + <valueHelp> + <format>err</format> + <description>Error</description> + </valueHelp> + <valueHelp> + <format>info</format> + <description>Informational</description> + </valueHelp> + <valueHelp> + <format>notice</format> + <description>Notice</description> + </valueHelp> + <valueHelp> + <format>warn</format> + <description>Warning</description> + </valueHelp> + <constraint> + <regex>(alert|crit|debug|disabled|emerg|err|info|notice|warn)</regex> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="physmem"> + <properties> + <help>Memory settings</help> + </properties> + <children> + <leafNode name="max-size"> + <properties> + <help>Set memory size for protectable memory allocator (pmalloc) memory space</help> + <valueHelp> + <format><number>m</format> + <description>Megabyte</description> + </valueHelp> + <valueHelp> + <format><number>g</format> + <description>Gigabyte</description> + </valueHelp> + </properties> + </leafNode> + </children> + </node> + <node name="unix"> + <properties> + <help>Unix settings</help> + </properties> + <children> + <leafNode name="poll-sleep-usec"> + <properties> + <help>Add a fixed-sleep between main loop poll</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Number of receive queues</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + <defaultValue>0</defaultValue> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index 9618ec93e..1205342df 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -595,40 +595,8 @@ def get_accel_dict(config, base, chap_secrets): dict = config.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) - - # We have gathered the dict representation of the CLI, but there are default - # options which we need to update into the dictionary retrived. - default_values = defaults(base) - - # T2665: defaults include RADIUS server specifics per TAG node which need to - # be added to individual RADIUS servers instead - so we can simply delete them - if dict_search('authentication.radius.server', default_values): - del default_values['authentication']['radius']['server'] - - # T2665: defaults include static-ip address per TAG node which need to be - # added to individual local users instead - so we can simply delete them - if dict_search('authentication.local_users.username', default_values): - del default_values['authentication']['local_users']['username'] - - # T2665: defaults include IPv6 client-pool mask per TAG node which need to be - # added to individual local users instead - so we can simply delete them - if dict_search('client_ipv6_pool.prefix.mask', default_values): - del default_values['client_ipv6_pool']['prefix']['mask'] - # delete empty dicts - if len (default_values['client_ipv6_pool']['prefix']) == 0: - del default_values['client_ipv6_pool']['prefix'] - if len (default_values['client_ipv6_pool']) == 0: - del default_values['client_ipv6_pool'] - - # T2665: IPoE only - it has an interface tag node - # added to individual local users instead - so we can simply delete them - if dict_search('authentication.interface', default_values): - del default_values['authentication']['interface'] - if dict_search('interface', default_values): - del default_values['interface'] - - dict = dict_merge(default_values, dict) + no_tag_node_value_mangle=True, + with_recursive_defaults=True) # set CPUs cores to process requests dict.update({'thread_count' : get_half_cpus()}) @@ -648,43 +616,9 @@ def get_accel_dict(config, base, chap_secrets): dict.update({'name_server_ipv4' : ns_v4, 'name_server_ipv6' : ns_v6}) del dict['name_server'] - # T2665: Add individual RADIUS server default values - if dict_search('authentication.radius.server', dict): - default_values = defaults(base + ['authentication', 'radius', 'server']) - for server in dict_search('authentication.radius.server', dict): - dict['authentication']['radius']['server'][server] = dict_merge( - default_values, dict['authentication']['radius']['server'][server]) - - # Check option "disable-accounting" per server and replace default value from '1813' to '0' - # set vpn sstp authentication radius server x.x.x.x disable-accounting - if 'disable_accounting' in dict['authentication']['radius']['server'][server]: - dict['authentication']['radius']['server'][server]['acct_port'] = '0' - - # T2665: Add individual local-user default values - if dict_search('authentication.local_users.username', dict): - default_values = defaults(base + ['authentication', 'local-users', 'username']) - for username in dict_search('authentication.local_users.username', dict): - dict['authentication']['local_users']['username'][username] = dict_merge( - default_values, dict['authentication']['local_users']['username'][username]) - - # T2665: Add individual IPv6 client-pool default mask if required - if dict_search('client_ipv6_pool.prefix', dict): - default_values = defaults(base + ['client-ipv6-pool', 'prefix']) - for prefix in dict_search('client_ipv6_pool.prefix', dict): - dict['client_ipv6_pool']['prefix'][prefix] = dict_merge( - default_values, dict['client_ipv6_pool']['prefix'][prefix]) - - # T2665: IPoE only - add individual local-user default values - if dict_search('authentication.interface', dict): - default_values = defaults(base + ['authentication', 'interface']) - for interface in dict_search('authentication.interface', dict): - dict['authentication']['interface'][interface] = dict_merge( - default_values, dict['authentication']['interface'][interface]) - - if dict_search('interface', dict): - default_values = defaults(base + ['interface']) - for interface in dict_search('interface', dict): - dict['interface'][interface] = dict_merge(default_values, - dict['interface'][interface]) + # Check option "disable-accounting" per server and replace default value from '1813' to '0' + for server in (dict_search('authentication.radius.server', dict) or []): + if 'disable_accounting' in dict['authentication']['radius']['server'][server]: + dict['authentication']['radius']['server'][server]['acct_port'] = '0' return dict diff --git a/python/vyos/ethtool.py b/python/vyos/ethtool.py index 68234089c..9b7da89fa 100644 --- a/python/vyos/ethtool.py +++ b/python/vyos/ethtool.py @@ -21,7 +21,8 @@ from vyos.util import popen # These drivers do not support using ethtool to change the speed, duplex, or # flow control settings _drivers_without_speed_duplex_flow = ['vmxnet3', 'virtio_net', 'xen_netfront', - 'iavf', 'ice', 'i40e', 'hv_netvsc', 'veth', 'ixgbevf'] + 'iavf', 'ice', 'i40e', 'hv_netvsc', 'veth', 'ixgbevf', + 'tun'] class Ethtool: """ diff --git a/python/vyos/ifconfig/geneve.py b/python/vyos/ifconfig/geneve.py index 276c34cd7..7a05e47a7 100644 --- a/python/vyos/ifconfig/geneve.py +++ b/python/vyos/ifconfig/geneve.py @@ -45,6 +45,7 @@ class GeneveIf(Interface): 'parameters.ip.df' : 'df', 'parameters.ip.tos' : 'tos', 'parameters.ip.ttl' : 'ttl', + 'parameters.ip.innerproto' : 'innerprotoinherit', 'parameters.ipv6.flowlabel' : 'flowlabel', } diff --git a/python/vyos/qos/base.py b/python/vyos/qos/base.py index 26ec65535..3983b1bc0 100644 --- a/python/vyos/qos/base.py +++ b/python/vyos/qos/base.py @@ -61,6 +61,7 @@ class QoSBase: "CS7": 0xE0, "EF": 0xB8 } + qostype = None def __init__(self, interface): if os.path.exists('/tmp/vyos.qos.debug'): @@ -203,18 +204,21 @@ class QoSBase: self._build_base_qdisc(cls_config, int(cls)) # every match criteria has it's tc instance - filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}:' + filter_cmd_base = f'tc filter add dev {self._interface} parent {self._parent:x}:' if priority: - filter_cmd += f' prio {cls}' + filter_cmd_base += f' prio {cls}' elif 'priority' in cls_config: prio = cls_config['priority'] - filter_cmd += f' prio {prio}' + filter_cmd_base += f' prio {prio}' - filter_cmd += ' protocol all' + filter_cmd_base += ' protocol all' if 'match' in cls_config: - for match, match_config in cls_config['match'].items(): + for index, (match, match_config) in enumerate(cls_config['match'].items(), start=1): + filter_cmd = filter_cmd_base + if self.qostype == 'shaper' and 'prio ' not in filter_cmd: + filter_cmd += f' prio {index}' if 'mark' in match_config: mark = match_config['mark'] filter_cmd += f' handle {mark} fw' @@ -289,10 +293,19 @@ class QoSBase: elif af == 'ipv6': filter_cmd += f' match u8 {mask} {mask} at 53' + cls = int(cls) + filter_cmd += f' flowid {self._parent:x}:{cls:x}' + self._cmd(filter_cmd) + else: filter_cmd += ' basic' + cls = int(cls) + filter_cmd += f' flowid {self._parent:x}:{cls:x}' + self._cmd(filter_cmd) + + # The police block allows limiting of the byte or packet rate of # traffic matched by the filter it is attached to. # https://man7.org/linux/man-pages/man8/tc-police.8.html @@ -318,48 +331,41 @@ class QoSBase: # burst = cls_config['burst'] # filter_cmd += f' burst {burst}' - cls = int(cls) - filter_cmd += f' flowid {self._parent:x}:{cls:x}' - self._cmd(filter_cmd) + if 'default' in config: + default_cls_id = 1 + if 'class' in config: + class_id_max = self._get_class_max_id(config) + default_cls_id = int(class_id_max) +1 + self._build_base_qdisc(config['default'], default_cls_id) + + if self.qostype == 'limiter': + if 'default' in config: + filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}: ' + filter_cmd += 'prio 255 protocol all basic' + + # The police block allows limiting of the byte or packet rate of + # traffic matched by the filter it is attached to. + # https://man7.org/linux/man-pages/man8/tc-police.8.html + if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in + config['default']): + filter_cmd += f' action police' + + if 'exceed' in config['default']: + action = config['default']['exceed'] + filter_cmd += f' conform-exceed {action}' + if 'not_exceed' in config['default']: + action = config['default']['not_exceed'] + filter_cmd += f'/{action}' + + if 'bandwidth' in config['default']: + rate = self._rate_convert(config['default']['bandwidth']) + filter_cmd += f' rate {rate}' - # T5295: Do not do any tc filter action for 'default' - # In VyOS 1.4, we have the following configuration: - # tc filter replace dev eth0 parent 1: prio 255 protocol all basic action police rate 300000000 burst 15k - # However, this caused unexpected random speeds. - # In VyOS 1.3, we do not use any 'tc filter' for rate limits, - # It gets rate from tc class classid 1:1 - # - # if 'default' in config: - # if 'class' in config: - # class_id_max = self._get_class_max_id(config) - # default_cls_id = int(class_id_max) +1 - # self._build_base_qdisc(config['default'], default_cls_id) - # - # filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}: ' - # filter_cmd += 'prio 255 protocol all basic' - # - # # The police block allows limiting of the byte or packet rate of - # # traffic matched by the filter it is attached to. - # # https://man7.org/linux/man-pages/man8/tc-police.8.html - # if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in config['default']): - # filter_cmd += f' action police' - # - # if 'exceed' in config['default']: - # action = config['default']['exceed'] - # filter_cmd += f' conform-exceed {action}' - # if 'not_exceed' in config['default']: - # action = config['default']['not_exceed'] - # filter_cmd += f'/{action}' - # - # if 'bandwidth' in config['default']: - # rate = self._rate_convert(config['default']['bandwidth']) - # filter_cmd += f' rate {rate}' - # - # if 'burst' in config['default']: - # burst = config['default']['burst'] - # filter_cmd += f' burst {burst}' - # - # if 'class' in config: - # filter_cmd += f' flowid {self._parent:x}:{default_cls_id:x}' - # - # self._cmd(filter_cmd) + if 'burst' in config['default']: + burst = config['default']['burst'] + filter_cmd += f' burst {burst}' + + if 'class' in config: + filter_cmd += f' flowid {self._parent:x}:{default_cls_id:x}' + + self._cmd(filter_cmd) diff --git a/python/vyos/qos/limiter.py b/python/vyos/qos/limiter.py index ace0c0b6c..3f5c11112 100644 --- a/python/vyos/qos/limiter.py +++ b/python/vyos/qos/limiter.py @@ -17,6 +17,7 @@ from vyos.qos.base import QoSBase class Limiter(QoSBase): _direction = ['ingress'] + qostype = 'limiter' def update(self, config, direction): tmp = f'tc qdisc add dev {self._interface} handle {self._parent:x}: {direction}' diff --git a/python/vyos/qos/trafficshaper.py b/python/vyos/qos/trafficshaper.py index 573283833..c63c7cf39 100644 --- a/python/vyos/qos/trafficshaper.py +++ b/python/vyos/qos/trafficshaper.py @@ -22,6 +22,7 @@ MINQUANTUM = 1000 class TrafficShaper(QoSBase): _parent = 1 + qostype = 'shaper' # https://man7.org/linux/man-pages/man8/tc-htb.8.html def update(self, config, direction): diff --git a/python/vyos/utils/system.py b/python/vyos/utils/system.py new file mode 100644 index 000000000..7102d5985 --- /dev/null +++ b/python/vyos/utils/system.py @@ -0,0 +1,82 @@ +# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +from subprocess import run + + +def sysctl_read(name: str) -> str: + """Read and return current value of sysctl() option + + Args: + name (str): sysctl key name + + Returns: + str: sysctl key value + """ + tmp = run(['sysctl', '-nb', name], capture_output=True) + return tmp.stdout.decode() + + +def sysctl_write(name: str, value: str | int) -> bool: + """Change value via sysctl() + + Args: + name (str): sysctl key name + value (str | int): sysctl key value + + Returns: + bool: True if changed, False otherwise + """ + # convert other types to string before comparison + if not isinstance(value, str): + value = str(value) + # do not change anything if a value is already configured + if sysctl_read(name) == value: + return True + # return False if sysctl call failed + if run(['sysctl', '-wq', f'{name}={value}']).returncode != 0: + return False + # compare old and new values + # sysctl may apply value, but its actual value will be + # different from requested + if sysctl_read(name) == value: + return True + # False in other cases + return False + + +def sysctl_apply(sysctl_dict: dict[str, str], revert: bool = True) -> bool: + """Apply sysctl values. + + Args: + sysctl_dict (dict[str, str]): dictionary with sysctl keys with values + revert (bool, optional): Revert to original values if new were not + applied. Defaults to True. + + Returns: + bool: True if all params configured properly, False in other cases + """ + # get current values + sysctl_original: dict[str, str] = {} + for key_name in sysctl_dict.keys(): + sysctl_original[key_name] = sysctl_read(key_name) + # apply new values and revert in case one of them was not applied + for key_name, value in sysctl_dict.items(): + if not sysctl_write(key_name, value): + if revert: + sysctl_apply(sysctl_original, revert=False) + return False + # everything applied + return True diff --git a/python/vyos/vpp.py b/python/vyos/vpp.py new file mode 100644 index 000000000..76e5d29c3 --- /dev/null +++ b/python/vyos/vpp.py @@ -0,0 +1,315 @@ +# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see <http://www.gnu.org/licenses/>. + +from functools import wraps +from pathlib import Path +from re import search as re_search, fullmatch as re_fullmatch, MULTILINE as re_M +from subprocess import run +from time import sleep + +from vpp_papi import VPPApiClient +from vpp_papi import VPPIOError, VPPValueError + + +class VPPControl: + """Control VPP network stack + """ + + class _Decorators: + """Decorators for VPPControl + """ + + @classmethod + def api_call(cls, decorated_func): + """Check if API is connected before API call + + Args: + decorated_func: function to decorate + + Raises: + VPPIOError: Connection to API is not established + """ + + @wraps(decorated_func) + def api_safe_wrapper(cls, *args, **kwargs): + if not cls.vpp_api_client.transport.connected: + raise VPPIOError(2, 'VPP API is not connected') + return decorated_func(cls, *args, **kwargs) + + return api_safe_wrapper + + @classmethod + def check_retval(cls, decorated_func): + """Check retval from API response + + Args: + decorated_func: function to decorate + + Raises: + VPPValueError: raised when retval is not 0 + """ + + @wraps(decorated_func) + def check_retval_wrapper(cls, *args, **kwargs): + return_value = decorated_func(cls, *args, **kwargs) + if not return_value.retval == 0: + raise VPPValueError( + f'VPP API call failed: {return_value.retval}') + return return_value + + return check_retval_wrapper + + def __init__(self, attempts: int = 5, interval: int = 1000) -> None: + """Create VPP API connection + + Args: + attempts (int, optional): attempts to connect. Defaults to 5. + interval (int, optional): interval between attempts in ms. Defaults to 1000. + + Raises: + VPPIOError: Connection to API cannot be established + """ + self.vpp_api_client = VPPApiClient() + # connect with interval + while attempts: + try: + attempts -= 1 + self.vpp_api_client.connect('vpp-vyos') + break + except (ConnectionRefusedError, FileNotFoundError) as err: + print(f'VPP API connection timeout: {err}') + sleep(interval / 1000) + # raise exception if connection was not successful in the end + if not self.vpp_api_client.transport.connected: + raise VPPIOError(2, 'Cannot connect to VPP API') + + def __del__(self) -> None: + """Disconnect from VPP API (destructor) + """ + self.disconnect() + + def disconnect(self) -> None: + """Disconnect from VPP API + """ + if self.vpp_api_client.transport.connected: + self.vpp_api_client.disconnect() + + @_Decorators.check_retval + @_Decorators.api_call + def cli_cmd(self, command: str): + """Send raw CLI command + + Args: + command (str): command to send + + Returns: + vpp_papi.vpp_serializer.cli_inband_reply: CLI reply class + """ + return self.vpp_api_client.api.cli_inband(cmd=command) + + @_Decorators.api_call + def get_mac(self, ifname: str) -> str: + """Find MAC address by interface name in VPP + + Args: + ifname (str): interface name inside VPP + + Returns: + str: MAC address + """ + for iface in self.vpp_api_client.api.sw_interface_dump(): + if iface.interface_name == ifname: + return iface.l2_address.mac_string + return '' + + @_Decorators.api_call + def get_sw_if_index(self, ifname: str) -> int | None: + """Find interface index by interface name in VPP + + Args: + ifname (str): interface name inside VPP + + Returns: + int | None: Interface index or None (if was not fount) + """ + for iface in self.vpp_api_client.api.sw_interface_dump(): + if iface.interface_name == ifname: + return iface.sw_if_index + return None + + @_Decorators.check_retval + @_Decorators.api_call + def lcp_pair_add(self, iface_name_vpp: str, iface_name_kernel: str) -> None: + """Create LCP interface pair between VPP and kernel + + Args: + iface_name_vpp (str): interface name in VPP + iface_name_kernel (str): interface name in kernel + """ + iface_index = self.get_sw_if_index(iface_name_vpp) + if iface_index: + return self.vpp_api_client.api.lcp_itf_pair_add_del( + is_add=True, + sw_if_index=iface_index, + host_if_name=iface_name_kernel) + + @_Decorators.check_retval + @_Decorators.api_call + def lcp_pair_del(self, iface_name_vpp: str, iface_name_kernel: str) -> None: + """Delete LCP interface pair between VPP and kernel + + Args: + iface_name_vpp (str): interface name in VPP + iface_name_kernel (str): interface name in kernel + """ + iface_index = self.get_sw_if_index(iface_name_vpp) + if iface_index: + return self.vpp_api_client.api.lcp_itf_pair_add_del( + is_add=False, + sw_if_index=iface_index, + host_if_name=iface_name_kernel) + + @_Decorators.check_retval + @_Decorators.api_call + def iface_rxmode(self, iface_name: str, rx_mode: str) -> None: + """Set interface rx-mode in VPP + + Args: + iface_name (str): interface name in VPP + rx_mode (str): mode (polling, interrupt, adaptive) + """ + modes_dict: dict[str, int] = { + 'polling': 1, + 'interrupt': 2, + 'adaptive': 3 + } + if rx_mode not in modes_dict: + raise VPPValueError(f'Mode {rx_mode} is not known') + iface_index = self.get_sw_if_index(iface_name) + return self.vpp_api_client.api.sw_interface_set_rx_mode( + sw_if_index=iface_index, mode=modes_dict[rx_mode]) + + @_Decorators.api_call + def get_pci_addr(self, ifname: str) -> str: + """Find PCI address of interface by interface name in VPP + + Args: + ifname (str): interface name inside VPP + + Returns: + str: PCI address + """ + hw_info = self.cli_cmd(f'show hardware-interfaces {ifname}').reply + + regex_filter = r'^\s+pci: device (?P<device>\w+:\w+) subsystem (?P<subsystem>\w+:\w+) address (?P<address>\w+:\w+:\w+\.\w+) numa (?P<numa>\w+)$' + re_obj = re_search(regex_filter, hw_info, re_M) + + # return empty string if no interface or no PCI info was found + if not hw_info or not re_obj: + return '' + + address = re_obj.groupdict().get('address', '') + + # we need to modify address to math kernel style + # for example: 0000:06:14.00 -> 0000:06:14.0 + address_chunks: list[str] = address.split('.') + address_normalized: str = f'{address_chunks[0]}.{int(address_chunks[1])}' + + return address_normalized + + +class HostControl: + """Control Linux host + """ + + @staticmethod + def pci_rescan(pci_addr: str = '') -> None: + """Rescan PCI device by removing it and rescan PCI bus + + If PCI address is not defined - just rescan PCI bus + + Args: + address (str, optional): PCI address of device. Defaults to ''. + """ + if pci_addr: + device_file = Path(f'/sys/bus/pci/devices/{pci_addr}/remove') + if device_file.exists(): + device_file.write_text('1') + # wait 10 seconds max until device will be removed + attempts = 100 + while device_file.exists() and attempts: + attempts -= 1 + sleep(0.1) + if device_file.exists(): + raise TimeoutError( + f'Timeout was reached for removing PCI device {pci_addr}' + ) + else: + raise FileNotFoundError(f'PCI device {pci_addr} does not exist') + rescan_file = Path('/sys/bus/pci/rescan') + rescan_file.write_text('1') + if pci_addr: + # wait 10 seconds max until device will be installed + attempts = 100 + while not device_file.exists() and attempts: + attempts -= 1 + sleep(0.1) + if not device_file.exists(): + raise TimeoutError( + f'Timeout was reached for installing PCI device {pci_addr}') + + @staticmethod + def get_eth_name(pci_addr: str) -> str: + """Find Ethernet interface name by PCI address + + Args: + pci_addr (str): PCI address + + Raises: + FileNotFoundError: no Ethernet interface was found + + Returns: + str: Ethernet interface name + """ + # find all PCI devices with eth* names + net_devs: dict[str, str] = {} + net_devs_dir = Path('/sys/class/net') + regex_filter = r'^/sys/devices/pci[\w/:\.]+/(?P<pci_addr>\w+:\w+:\w+\.\w+)/[\w/:\.]+/(?P<iface_name>eth\d+)$' + for dir in net_devs_dir.iterdir(): + real_dir: str = dir.resolve().as_posix() + re_obj = re_fullmatch(regex_filter, real_dir) + if re_obj: + iface_name: str = re_obj.group('iface_name') + iface_addr: str = re_obj.group('pci_addr') + net_devs.update({iface_addr: iface_name}) + # match to provided PCI address and return a name if found + if pci_addr in net_devs: + return net_devs[pci_addr] + # raise error if device was not found + raise FileNotFoundError( + f'PCI device {pci_addr} not found in ethernet interfaces') + + @staticmethod + def rename_iface(name_old: str, name_new: str) -> None: + """Rename interface + + Args: + name_old (str): old name + name_new (str): new name + """ + rename_cmd: list[str] = [ + 'ip', 'link', 'set', name_old, 'name', name_new + ] + run(rename_cmd) diff --git a/python/vyos/xml_ref/definition.py b/python/vyos/xml_ref/definition.py index 7fd7a7b77..33a49ca69 100644 --- a/python/vyos/xml_ref/definition.py +++ b/python/vyos/xml_ref/definition.py @@ -147,8 +147,8 @@ class Xml: default = self._get_default_value(node) if default is None: return None - if self._is_multi_node(node) and not isinstance(default, list): - return [default] + if self._is_multi_node(node): + return default.split() return default def get_defaults(self, path: list, get_first_key=False, recursive=False) -> dict: diff --git a/smoketest/scripts/cli/test_interfaces_geneve.py b/smoketest/scripts/cli/test_interfaces_geneve.py index 24d350aeb..b2efb0349 100755 --- a/smoketest/scripts/cli/test_interfaces_geneve.py +++ b/smoketest/scripts/cli/test_interfaces_geneve.py @@ -43,6 +43,7 @@ class GeneveInterfaceTest(BasicInterfaceTest.TestCase): self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'df', 'set']) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'tos', tos]) + self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'innerproto']) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'ttl', str(ttl)]) ttl += 10 @@ -67,6 +68,11 @@ class GeneveInterfaceTest(BasicInterfaceTest.TestCase): label = options['linkinfo']['info_data']['label'] self.assertIn(f'parameters ipv6 flowlabel {label}', self._options[interface]) + if any('innerproto' in s for s in self._options[interface]): + inner = options['linkinfo']['info_data']['innerproto'] + self.assertIn(f'parameters ip {inner}', self._options[interface]) + + self.assertEqual('geneve', options['linkinfo']['info_kind']) self.assertEqual('set', options['linkinfo']['info_data']['df']) self.assertEqual(f'0x{tos}', options['linkinfo']['info_data']['tos']) diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py index a3df6bf4d..c83e633b2 100755 --- a/smoketest/scripts/cli/test_policy_route.py +++ b/smoketest/scripts/cli/test_policy_route.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021-2022 VyOS maintainers and contributors +# Copyright (C) 2021-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -100,7 +100,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): self.cli_commit() nftables_search = [ - [f'iifname "{interface}"','jump VYOS_PBR_smoketest'], + [f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'], ['ip daddr @N_smoketest_network1', 'ip saddr @N_smoketest_network'], ] @@ -119,7 +119,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): mark_hex = "{0:#010x}".format(int(mark)) nftables_search = [ - [f'iifname "{interface}"','jump VYOS_PBR_smoketest'], + [f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'], ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'meta mark set ' + mark_hex], ] @@ -138,7 +138,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): mark_hex_set = "{0:#010x}".format(int(conn_mark_set)) nftables_search = [ - [f'iifname "{interface}"','jump VYOS_PBR_smoketest'], + [f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'], ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'ct mark ' + mark_hex, 'ct mark set ' + mark_hex_set], ] @@ -164,7 +164,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv4 nftables_search = [ - [f'iifname "{interface}"', 'jump VYOS_PBR_smoketest'], + [f'iifname "{interface}"', 'jump VYOS_PBR_UD_smoketest'], ['tcp flags syn / syn,ack', 'tcp dport 8888', 'meta mark set ' + mark_hex] ] @@ -173,7 +173,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv6 nftables6_search = [ - [f'iifname "{interface}"', 'jump VYOS_PBR6_smoketest'], + [f'iifname "{interface}"', 'jump VYOS_PBR6_UD_smoketest'], ['meta l4proto { tcp, udp }', 'th dport 8888', 'meta mark set ' + mark_hex] ] @@ -246,7 +246,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv4 nftables_search = [ - ['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_smoketest'], + ['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_UD_smoketest'], ['meta l4proto udp', 'drop'], ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex], ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex], @@ -258,7 +258,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv6 nftables6_search = [ - [f'iifname "{interface_wc}"', 'jump VYOS_PBR6_smoketest'], + [f'iifname "{interface_wc}"', 'jump VYOS_PBR6_UD_smoketest'], ['meta l4proto udp', 'drop'], ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex], ['ct state new', 'tcp dport 22', 'ip6 saddr 2001:db8::/64', 'ip6 hoplimit > 2', 'meta mark set ' + mark_hex], diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index 6fe6dd979..e4907596e 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -159,6 +159,12 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): on_startup = '30' on_shutdown = '60' refresh = '50' + aggregation_timer = '100' + summary_nets = { + '10.0.1.0/24' : {}, + '10.0.2.0/24' : {'tag' : '50'}, + '10.0.3.0/24' : {'no_advertise' : {}}, + } self.cli_set(base_path + ['distance', 'global', global_distance]) self.cli_set(base_path + ['distance', 'ospf', 'external', external]) @@ -170,6 +176,15 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['mpls-te', 'enable']) self.cli_set(base_path + ['refresh', 'timers', refresh]) + self.cli_set(base_path + ['aggregation', 'timer', aggregation_timer]) + + for summary, summary_options in summary_nets.items(): + self.cli_set(base_path + ['summary-address', summary]) + if 'tag' in summary_options: + self.cli_set(base_path + ['summary-address', summary, 'tag', summary_options['tag']]) + if 'no_advertise' in summary_options: + self.cli_set(base_path + ['summary-address', summary, 'no-advertise']) + # commit changes self.cli_commit() @@ -184,6 +199,14 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): self.assertIn(f' max-metric router-lsa on-shutdown {on_shutdown}', frrconfig) self.assertIn(f' refresh timer {refresh}', frrconfig) + self.assertIn(f' aggregation timer {aggregation_timer}', frrconfig) + for summary, summary_options in summary_nets.items(): + self.assertIn(f' summary-address {summary}', frrconfig) + if 'tag' in summary_options: + tag = summary_options['tag'] + self.assertIn(f' summary-address {summary} tag {tag}', frrconfig) + if 'no_advertise' in summary_options: + self.assertIn(f' summary-address {summary} no-advertise', frrconfig) # enable inter-area self.cli_set(base_path + ['distance', 'ospf', 'inter-area', inter_area]) diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index 459e4cdd4..7b93a31c0 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -52,11 +52,11 @@ def verify(relay): # we certainly require a UDP port to listen to if 'port' not in config: - raise ConfigError(f'Port number mandatory for udp broadcast relay "{instance}"') + raise ConfigError(f'Port number is mandatory for UDP broadcast relay "{instance}"') # Relaying data without two interface is kinda senseless ... if len(config.get('interface', [])) < 2: - raise ConfigError('At least two interfaces are required for udp broadcast relay "{instance}"') + raise ConfigError('At least two interfaces are required for UDP broadcast relay "{instance}"') for interface in config.get('interface', []): verify_interface_exists(interface) diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index b73483470..460c9f1a4 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -250,6 +250,13 @@ def verify(ospf): raise ConfigError(f'Segment routing prefix {prefix} cannot have both explicit-null '\ f'and no-php-flag configured at the same time.') + # Check route summarisation + if 'summary_address' in ospf: + for prefix, prefix_options in ospf['summary_address'].items(): + if {'tag', 'no_advertise'} <= set(prefix_options): + raise ConfigError(f'Can not set both "tag" and "no-advertise" for Type-5 '\ + f'and Type-7 route summarisation of "{prefix}"!') + return None def generate(ospf): diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 9b7c04eb0..f4611e15e 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -161,8 +161,12 @@ def verify(snmp): for address in snmp['listen_address']: # We only wan't to configure addresses that exist on the system. # Hint the user if they don't exist - if not is_addr_assigned(address): - Warning(f'SNMP listen address "{address}" not configured!') + if 'vrf' in snmp: + vrf_name = snmp['vrf'] + if not is_addr_assigned(address, vrf_name) and address not in ['::1','127.0.0.1']: + raise ConfigError(f'SNMP listen address "{address}" not configured in vrf "{vrf_name}"!') + elif not is_addr_assigned(address): + raise ConfigError(f'SNMP listen address "{address}" not configured in default vrf!') if 'trap_target' in snmp: for trap, trap_config in snmp['trap_target'].items(): diff --git a/src/conf_mode/vpp.py b/src/conf_mode/vpp.py new file mode 100755 index 000000000..87ebc3ea9 --- /dev/null +++ b/src/conf_mode/vpp.py @@ -0,0 +1,216 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +from psutil import virtual_memory + +from pathlib import Path +from re import search as re_search, MULTILINE as re_M + +from vyos.config import Config +from vyos.configdep import set_dependents, call_dependents +from vyos.configdict import dict_merge +from vyos.configdict import node_changed +from vyos.ifconfig import Section +from vyos.util import call, rc_cmd, boot_configuration_complete +from vyos.utils.system import sysctl_read, sysctl_apply +from vyos.template import render +from vyos.xml import defaults + +from vyos import ConfigError +from vyos import airbag +from vyos.vpp import VPPControl +from vyos.vpp import HostControl + +airbag.enable() + +service_name = 'vpp' +service_conf = Path(f'/run/vpp/{service_name}.conf') +systemd_override = '/run/systemd/system/vpp.service.d/10-override.conf' + +# Free memory required for VPP +# 2 GB for hugepages + 1 GB for other services +MIN_AVAILABLE_MEMORY: int = 3 * 1024**3 + + +def _get_pci_address_by_interface(iface) -> str: + rc, out = rc_cmd(f'ethtool -i {iface}') + # if ethtool command was successful + if rc == 0 and out: + regex_filter = r'^bus-info: (?P<address>\w+:\w+:\w+\.\w+)$' + re_obj = re_search(regex_filter, out, re_M) + # if bus-info with PCI address found + if re_obj: + address = re_obj.groupdict().get('address', '') + return address + # use VPP - maybe interface already attached to it + vpp_control = VPPControl(attempts=20, interval=500) + pci_addr = vpp_control.get_pci_addr(iface) + if pci_addr: + return pci_addr + # raise error if PCI address was not found + raise ConfigError(f'Cannot find PCI address for interface {iface}') + + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + + base = ['vpp'] + base_ethernet = ['interfaces', 'ethernet'] + + # find interfaces removed from VPP + removed_ifaces = [] + tmp = node_changed(conf, base + ['interface']) + if tmp: + for removed_iface in tmp: + pci_address: str = _get_pci_address_by_interface(removed_iface) + removed_ifaces.append({ + 'iface_name': removed_iface, + 'iface_pci_addr': pci_address + }) + # add an interface to a list of interfaces that need + # to be reinitialized after the commit + set_dependents('ethernet', conf, removed_iface) + + if not conf.exists(base): + return {'removed_ifaces': removed_ifaces} + + config = conf.get_config_dict(base, + get_first_key=True, + key_mangling=('-', '_'), + no_tag_node_value_mangle=True) + + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + if 'interface' in default_values: + del default_values['interface'] + config = dict_merge(default_values, config) + + if 'interface' in config: + for iface, iface_config in config['interface'].items(): + default_values_iface = defaults(base + ['interface']) + config['interface'][iface] = dict_merge(default_values_iface, config['interface'][iface]) + # add an interface to a list of interfaces that need + # to be reinitialized after the commit + set_dependents('ethernet', conf, iface) + + # Get PCI address auto + for iface, iface_config in config['interface'].items(): + if iface_config['pci'] == 'auto': + config['interface'][iface]['pci'] = _get_pci_address_by_interface(iface) + + config['other_interfaces'] = conf.get_config_dict(base_ethernet, key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) + + if removed_ifaces: + config['removed_ifaces'] = removed_ifaces + + return config + + +def verify(config): + # bail out early - looks like removal from running config + if not config or (len(config) == 1 and 'removed_ifaces' in config): + return None + + if 'interface' not in config: + raise ConfigError('"interface" is required but not set!') + + if 'cpu' in config: + if 'corelist_workers' in config['cpu'] and 'main_core' not in config[ + 'cpu']: + raise ConfigError('"cpu main-core" is required but not set!') + + memory_available: int = virtual_memory().available + if memory_available < MIN_AVAILABLE_MEMORY: + raise ConfigError( + 'Not enough free memory to start VPP:\n' + f'available: {round(memory_available / 1024**3, 1)}GB\n' + f'required: {round(MIN_AVAILABLE_MEMORY / 1024**3, 1)}GB') + + +def generate(config): + if not config or (len(config) == 1 and 'removed_ifaces' in config): + # Remove old config and return + service_conf.unlink(missing_ok=True) + return None + + render(service_conf, 'vpp/startup.conf.j2', config) + render(systemd_override, 'vpp/override.conf.j2', config) + + # apply default sysctl values from + # https://github.com/FDio/vpp/blob/v23.06/src/vpp/conf/80-vpp.conf + sysctl_config: dict[str, str] = { + 'vm.nr_hugepages': '1024', + 'vm.max_map_count': '3096', + 'vm.hugetlb_shm_group': '0', + 'kernel.shmmax': '2147483648' + } + # we do not want to reduce `kernel.shmmax` + kernel_shmnax_current: str = sysctl_read('kernel.shmmax') + if int(kernel_shmnax_current) > int(sysctl_config['kernel.shmmax']): + sysctl_config['kernel.shmmax'] = kernel_shmnax_current + + if not sysctl_apply(sysctl_config): + raise ConfigError('Cannot configure sysctl parameters for VPP') + + return None + + +def apply(config): + if not config or (len(config) == 1 and 'removed_ifaces' in config): + call(f'systemctl stop {service_name}.service') + else: + call('systemctl daemon-reload') + call(f'systemctl restart {service_name}.service') + + # Initialize interfaces removed from VPP + for iface in config.get('removed_ifaces', []): + host_control = HostControl() + # rescan PCI to use a proper driver + host_control.pci_rescan(iface['iface_pci_addr']) + # rename to the proper name + iface_new_name: str = host_control.get_eth_name(iface['iface_pci_addr']) + host_control.rename_iface(iface_new_name, iface['iface_name']) + + if 'interface' in config: + # connect to VPP + # must be performed multiple attempts because API is not available + # immediately after the service restart + vpp_control = VPPControl(attempts=20, interval=500) + for iface, _ in config['interface'].items(): + # Create lcp + if iface not in Section.interfaces(): + vpp_control.lcp_pair_add(iface, iface) + + # reinitialize interfaces, but not during the first boot + if boot_configuration_complete(): + call_dependents() + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/migration-scripts/isis/0-to-1 b/src/migration-scripts/isis/0-to-1 index 93cbbbed5..b75a7f72c 100755 --- a/src/migration-scripts/isis/0-to-1 +++ b/src/migration-scripts/isis/0-to-1 @@ -37,12 +37,9 @@ if not config.exists(base): # Nothing to do exit(0) -# Only one IS-IS process is supported, thus this operation is save -isis_base = base + config.list_nodes(base) - # We need a temporary copy of the config tmp_base = ['protocols', 'isis2'] -config.copy(isis_base, tmp_base) +config.copy(base, tmp_base) # Now it's save to delete the old configuration config.delete(base) diff --git a/src/op_mode/policy_route.py b/src/op_mode/policy_route.py index 5953786f3..fae47adec 100755 --- a/src/op_mode/policy_route.py +++ b/src/op_mode/policy_route.py @@ -61,8 +61,10 @@ def output_policy_route(name, route_conf, ipv6=False, single_rule_id=None): ip_str = 'IPv6' if ipv6 else 'IPv4' print(f'\n---------------------------------\n{ip_str} Policy Route "{name}"\n') - if route_conf['interface']: + if route_conf.get('interface'): print('Active on: {0}\n'.format(" ".join(route_conf['interface']))) + else: + print('Inactive - Not applied to any interfaces\n') details = get_nftables_details(name, ipv6) rows = [] |