diff options
44 files changed, 747 insertions, 318 deletions
diff --git a/data/templates/accel-ppp/config_extended_scripts.j2 b/data/templates/accel-ppp/config_extended_scripts.j2 new file mode 100644 index 000000000..ded0a0a39 --- /dev/null +++ b/data/templates/accel-ppp/config_extended_scripts.j2 @@ -0,0 +1,9 @@ +{% if extended_scripts is vyos_defined %} +[pppd-compat] +verbose=1 +radattr-prefix=/run/accel-pppd/radattr +{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} +{% for script in extended_scripts %} +{{ script_name[script] }}={{ extended_scripts[script] }} +{% endfor %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_limits.j2 b/data/templates/accel-ppp/config_limits.j2 new file mode 100644 index 000000000..f10dfccd7 --- /dev/null +++ b/data/templates/accel-ppp/config_limits.j2 @@ -0,0 +1,12 @@ +{% if limits is vyos_defined %} +[connlimit] +{% if limits.connection_limit is vyos_defined %} +limit={{ limits.connection_limit }} +{% endif %} +{% if limits.burst is vyos_defined %} +burst={{ limits.burst }} +{% endif %} +{% if limits.timeout is vyos_defined %} +timeout={{ limits.timeout }} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/accel-ppp/config_snmp.j2 b/data/templates/accel-ppp/config_snmp.j2 new file mode 100644 index 000000000..11526dd81 --- /dev/null +++ b/data/templates/accel-ppp/config_snmp.j2 @@ -0,0 +1,4 @@ +{% if snmp.master_agent is vyos_defined %} +[snmp] +master=1 +{% endif %} diff --git a/data/templates/accel-ppp/config_wins_server.j2 b/data/templates/accel-ppp/config_wins_server.j2 new file mode 100644 index 000000000..23312f92e --- /dev/null +++ b/data/templates/accel-ppp/config_wins_server.j2 @@ -0,0 +1,6 @@ +{% if wins_server is vyos_defined %} +[wins] +{% for server in wins_server %} +wins{{ loop.index }}={{ server }} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index 8b022eaa5..c89812985 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -6,10 +6,16 @@ ipoe shaper {# Common authentication backend definitions #} {% include 'accel-ppp/config_modules_auth_mode.j2' %} +ippool ipv6pool ipv6_nd ipv6_dhcp -ippool +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -19,6 +25,7 @@ thread-count={{ thread_count }} max-starting={{ max_concurrent_sessions }} {% endif %} + [log] syslog=accel-ipoe,daemon copy=1 @@ -84,5 +91,14 @@ proxy-arp=1 {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2002 diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2 index 203a9772e..4ce9042c2 100644 --- a/data/templates/accel-ppp/l2tp.config.j2 +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -10,6 +10,12 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -24,15 +30,8 @@ syslog=accel-l2tp,daemon copy=1 level=5 -{# Common DNS name-server definition #} -{% include 'accel-ppp/config_name_server.j2' %} - -{% if wins_server is vyos_defined %} -[wins] -{% for server in wins_server %} -wins{{ loop.index }}={{ server }} -{% endfor %} -{% endif %} +[client-ip-range] +0.0.0.0/0 [l2tp] verbose=1 @@ -56,24 +55,36 @@ ipv6-pool={{ default_ipv6_pool }} ipv6-pool-delegate={{ default_ipv6_pool }} {% endif %} -[client-ip-range] -0.0.0.0/0 - {# Common IP pool definitions #} {% include 'accel-ppp/config_ip_pool.j2' %} +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} {# Common ppp-options definitions #} {% include 'accel-ppp/ppp-options.j2' %} -{# Common IPv6 pool definitions #} -{% include 'accel-ppp/config_ipv6_pool.j2' %} - {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2004 diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index bf7b2eb72..6b01958e5 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -10,7 +10,6 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} - {% if snmp is vyos_defined %} net-snmp {% endif %} @@ -35,32 +34,8 @@ level=5 noauth=1 {% endif %} -{% if snmp.master_agent is vyos_defined %} -[snmp] -master=1 -{% endif %} - [client-ip-range] -disable - -{# Common IP pool definitions #} -{% include 'accel-ppp/config_ip_pool.j2' %} - -{# Common IPv6 pool definitions #} -{% include 'accel-ppp/config_ipv6_pool.j2' %} - -{# Common DNS name-server definition #} -{% include 'accel-ppp/config_name_server.j2' %} - -{% if wins_server is vyos_defined %} -[wins] -{% for server in wins_server %} -wins{{ loop.index }}={{ server }} -{% endfor %} -{% endif %} - -{# Common chap-secrets and RADIUS server/option definitions #} -{% include 'accel-ppp/config_chap_secrets_radius.j2' %} +0.0.0.0/0 [common] {% if session_control is vyos_defined and session_control is not vyos_defined('disable') %} @@ -70,9 +45,6 @@ single-session={{ session_control }} max-starting={{ max_concurrent_sessions }} {% endif %} -{# Common ppp-options definitions #} -{% include 'accel-ppp/ppp-options.j2' %} - [pppoe] verbose=1 ac-name={{ access_concentrator }} @@ -116,31 +88,35 @@ ipv6-pool={{ default_ipv6_pool }} ipv6-pool-delegate={{ default_ipv6_pool }} {% endif %} -{% if limits is vyos_defined %} -[connlimit] -{% if limits.connection_limit is vyos_defined %} -limit={{ limits.connection_limit }} -{% endif %} -{% if limits.burst is vyos_defined %} -burst={{ limits.burst }} -{% endif %} -{% if limits.timeout is vyos_defined %} -timeout={{ limits.timeout }} -{% endif %} -{% endif %} +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} + +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} + +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} -{% if extended_scripts is vyos_defined %} -[pppd-compat] -verbose=1 -radattr-prefix=/run/accel-pppd/radattr -{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} -{% for script in extended_scripts %} -{{ script_name[script] }}={{ extended_scripts[script] }} -{% endfor %} -{% endif %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} [cli] tcp=127.0.0.1:2001 diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2 index 290e6235d..a04bd40c0 100644 --- a/data/templates/accel-ppp/pptp.config.j2 +++ b/data/templates/accel-ppp/pptp.config.j2 @@ -10,6 +10,12 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -24,15 +30,8 @@ syslog=accel-pptp,daemon copy=1 level=5 -{# Common DNS name-server definition #} -{% include 'accel-ppp/config_name_server.j2' %} - -{% if wins_server is vyos_defined %} -[wins] -{% for server in wins_server %} -wins{{ loop.index }}={{ server }} -{% endfor %} -{% endif %} +[client-ip-range] +0.0.0.0/0 [pptp] ifname=pptp%d @@ -52,24 +51,36 @@ ipv6-pool={{ default_ipv6_pool }} ipv6-pool-delegate={{ default_ipv6_pool }} {% endif %} -[client-ip-range] -0.0.0.0/0 - {# Common IP pool definitions #} {% include 'accel-ppp/config_ip_pool.j2' %} {# Common IPv6 pool definitions #} {% include 'accel-ppp/config_ipv6_pool.j2' %} -{# Common ppp-options definitions #} -{% include 'accel-ppp/ppp-options.j2' %} +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} + {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2003 diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2 index c0bc62d9f..b624f83a3 100644 --- a/data/templates/accel-ppp/sstp.config.j2 +++ b/data/templates/accel-ppp/sstp.config.j2 @@ -10,6 +10,12 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -26,7 +32,7 @@ copy=1 level=5 [client-ip-range] -disable +0.0.0.0/0 [sstp] verbose=1 @@ -53,6 +59,9 @@ ipv6-pool-delegate={{ default_ipv6_pool }} {# Common DNS name-server definition #} {% include 'accel-ppp/config_name_server.j2' %} +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} @@ -62,5 +71,14 @@ ipv6-pool-delegate={{ default_ipv6_pool }} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2005 diff --git a/data/templates/frr/zebra.route-map.frr.j2 b/data/templates/frr/zebra.route-map.frr.j2 index 8e18abbde..669d58354 100644 --- a/data/templates/frr/zebra.route-map.frr.j2 +++ b/data/templates/frr/zebra.route-map.frr.j2 @@ -1,4 +1,8 @@ ! +{% if nht.no_resolve_via_default is vyos_defined %} +no {{ afi }} nht resolve-via-default +{% endif %} +! {% if protocol is vyos_defined %} {% for protocol_name, protocol_config in protocol.items() %} {% if protocol_name is vyos_defined('ospfv3') %} @@ -7,3 +11,4 @@ {{ afi }} protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} {% endfor %} {% endif %} +! diff --git a/data/templates/frr/zebra.vrf.route-map.frr.j2 b/data/templates/frr/zebra.vrf.route-map.frr.j2 index 4e1206374..f1cc6fe66 100644 --- a/data/templates/frr/zebra.vrf.route-map.frr.j2 +++ b/data/templates/frr/zebra.vrf.route-map.frr.j2 @@ -6,6 +6,12 @@ {% continue %} {% endif %} vrf {{ vrf }} +{% if vrf_config.ip.nht.no_resolve_via_default is vyos_defined %} + no ip nht resolve-via-default +{% endif %} +{% if vrf_config.ipv6.nht.no_resolve_via_default is vyos_defined %} + no ipv6 nht resolve-via-default +{% endif %} {% if vrf_config.ip.protocol is vyos_defined %} {% for protocol_name, protocol_config in vrf_config.ip.protocol.items() %} ip protocol {{ protocol_name }} route-map {{ protocol_config.route_map }} diff --git a/interface-definitions/include/accel-ppp/extended-scripts.xml.i b/interface-definitions/include/accel-ppp/extended-scripts.xml.i new file mode 100644 index 000000000..4bba76e32 --- /dev/null +++ b/interface-definitions/include/accel-ppp/extended-scripts.xml.i @@ -0,0 +1,41 @@ +<!-- include start from accel-ppp/extended-scripts.xml.i --> +<node name="extended-scripts"> + <properties> + <help>Extended script execution</help> + </properties> + <children> + <leafNode name="on-pre-up"> + <properties> + <help>Script to run before PPPoE session interface comes up</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-up"> + <properties> + <help>Script to run when PPPoE session interface is completely configured and started</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-down"> + <properties> + <help>Script to run when PPPoE session interface going to terminate</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-change"> + <properties> + <help>Script to run when PPPoE session interface changed by RADIUS CoA handling</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/accel-ppp/limits.xml.i b/interface-definitions/include/accel-ppp/limits.xml.i new file mode 100644 index 000000000..df72b79d4 --- /dev/null +++ b/interface-definitions/include/accel-ppp/limits.xml.i @@ -0,0 +1,28 @@ +<!-- include start from accel-ppp/limits.xml.i --> +<node name="limits"> + <properties> + <help>Limits the connection rate from a single source</help> + </properties> + <children> + <leafNode name="connection-limit"> + <properties> + <help>Acceptable rate of connections (e.g. 1/min, 60/sec)</help> + <constraint> + <regex>[0-9]+\/(min|sec)</regex> + </constraint> + <constraintErrorMessage>illegal value</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="burst"> + <properties> + <help>Burst count</help> + </properties> + </leafNode> + <leafNode name="timeout"> + <properties> + <help>Timeout in seconds</help> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/accel-ppp/snmp.xml.i b/interface-definitions/include/accel-ppp/snmp.xml.i new file mode 100644 index 000000000..373ced16f --- /dev/null +++ b/interface-definitions/include/accel-ppp/snmp.xml.i @@ -0,0 +1,15 @@ +<!-- include start from accel-ppp/snmp.xml.i --> +<node name="snmp"> + <properties> + <help>Enable SNMP</help> + </properties> + <children> + <leafNode name="master-agent"> + <properties> + <help>Enable SNMP master agent mode</help> + <valueless /> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/system-ip-nht.xml.i b/interface-definitions/include/system-ip-nht.xml.i new file mode 100644 index 000000000..4074043cd --- /dev/null +++ b/interface-definitions/include/system-ip-nht.xml.i @@ -0,0 +1,15 @@ +<!-- include start from syslog-facility.xml.i --> +<node name="nht"> + <properties> + <help>Filter Next Hop tracking route resolution</help> + </properties> + <children> + <leafNode name="no-resolve-via-default"> + <properties> + <help>Do not resolve via default route</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/version/l2tp-version.xml.i b/interface-definitions/include/version/l2tp-version.xml.i index 01004c5a0..5397407fb 100644 --- a/interface-definitions/include/version/l2tp-version.xml.i +++ b/interface-definitions/include/version/l2tp-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/l2tp-version.xml.i --> -<syntaxVersion component='l2tp' version='8'></syntaxVersion> +<syntaxVersion component='l2tp' version='9'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/service_ipoe-server.xml.in b/interface-definitions/service_ipoe-server.xml.in index 23d6e54d1..414c9a731 100644 --- a/interface-definitions/service_ipoe-server.xml.in +++ b/interface-definitions/service_ipoe-server.xml.in @@ -177,13 +177,18 @@ #include <include/accel-ppp/vlan.xml.i> </children> </tagNode> - #include <include/accel-ppp/max-concurrent-sessions.xml.i> - #include <include/name-server-ipv4-ipv6.xml.i> #include <include/accel-ppp/client-ip-pool.xml.i> - #include <include/accel-ppp/gateway-address-multi.xml.i> #include <include/accel-ppp/client-ipv6-pool.xml.i> #include <include/accel-ppp/default-pool.xml.i> #include <include/accel-ppp/default-ipv6-pool.xml.i> + #include <include/accel-ppp/extended-scripts.xml.i> + #include <include/accel-ppp/gateway-address-multi.xml.i> + #include <include/accel-ppp/limits.xml.i> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> + #include <include/accel-ppp/shaper.xml.i> + #include <include/accel-ppp/snmp.xml.i> + #include <include/generic-description.xml.i> + #include <include/name-server-ipv4-ipv6.xml.i> </children> </node> </children> diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index 477ed115f..9b5e4d3fb 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -49,9 +49,6 @@ </node> </children> </node> - #include <include/accel-ppp/client-ip-pool.xml.i> - #include <include/accel-ppp/client-ipv6-pool.xml.i> - #include <include/name-server-ipv4-ipv6.xml.i> <tagNode name="interface"> <properties> <help>interface(s) to listen on</help> @@ -63,35 +60,6 @@ #include <include/accel-ppp/vlan.xml.i> </children> </tagNode> - #include <include/accel-ppp/gateway-address.xml.i> - #include <include/accel-ppp/max-concurrent-sessions.xml.i> - #include <include/accel-ppp/mtu-128-16384.xml.i> - <node name="limits"> - <properties> - <help>Limits the connection rate from a single source</help> - </properties> - <children> - <leafNode name="connection-limit"> - <properties> - <help>Acceptable rate of connections (e.g. 1/min, 60/sec)</help> - <constraint> - <regex>[0-9]+\/(min|sec)</regex> - </constraint> - <constraintErrorMessage>illegal value</constraintErrorMessage> - </properties> - </leafNode> - <leafNode name="burst"> - <properties> - <help>Burst count</help> - </properties> - </leafNode> - <leafNode name="timeout"> - <properties> - <help>Timeout in seconds</help> - </properties> - </leafNode> - </children> - </node> <leafNode name="service-name"> <properties> <help>Service name</help> @@ -102,15 +70,6 @@ <multi/> </properties> </leafNode> - #include <include/accel-ppp/wins-server.xml.i> - #include <include/accel-ppp/ppp-options.xml.i> - <node name="ppp-options"> - <children> - <leafNode name="min-mtu"> - <defaultValue>1280</defaultValue> - </leafNode> - </children> - </node> <tagNode name="pado-delay"> <properties> <help>PADO delays</help> @@ -164,61 +123,28 @@ </properties> <defaultValue>replace</defaultValue> </leafNode> - #include <include/accel-ppp/shaper.xml.i> - <node name="snmp"> - <properties> - <help>Enable SNMP</help> - </properties> - <children> - <leafNode name="master-agent"> - <properties> - <help>enable SNMP master agent mode</help> - <valueless /> - </properties> - </leafNode> - </children> - </node> - <node name="extended-scripts"> - <properties> - <help>Extended script execution</help> - </properties> + #include <include/accel-ppp/client-ip-pool.xml.i> + #include <include/accel-ppp/client-ipv6-pool.xml.i> + #include <include/accel-ppp/default-pool.xml.i> + #include <include/accel-ppp/default-ipv6-pool.xml.i> + #include <include/accel-ppp/extended-scripts.xml.i> + #include <include/accel-ppp/gateway-address.xml.i> + #include <include/accel-ppp/limits.xml.i> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> + #include <include/accel-ppp/mtu-128-16384.xml.i> + #include <include/accel-ppp/ppp-options.xml.i> + <node name="ppp-options"> <children> - <leafNode name="on-pre-up"> - <properties> - <help>Script to run before PPPoE session interface comes up</help> - <constraint> - <validator name="script"/> - </constraint> - </properties> - </leafNode> - <leafNode name="on-up"> - <properties> - <help>Script to run when PPPoE session interface is completely configured and started</help> - <constraint> - <validator name="script"/> - </constraint> - </properties> - </leafNode> - <leafNode name="on-down"> - <properties> - <help>Script to run when PPPoE session interface going to terminate</help> - <constraint> - <validator name="script"/> - </constraint> - </properties> - </leafNode> - <leafNode name="on-change"> - <properties> - <help>Script to run when PPPoE session interface changed by RADIUS CoA handling</help> - <constraint> - <validator name="script"/> - </constraint> - </properties> + <leafNode name="min-mtu"> + <defaultValue>1280</defaultValue> </leafNode> </children> </node> - #include <include/accel-ppp/default-pool.xml.i> - #include <include/accel-ppp/default-ipv6-pool.xml.i> + #include <include/accel-ppp/shaper.xml.i> + #include <include/accel-ppp/snmp.xml.i> + #include <include/accel-ppp/wins-server.xml.i> + #include <include/generic-description.xml.i> + #include <include/name-server-ipv4-ipv6.xml.i> </children> </node> </children> diff --git a/interface-definitions/system_ip.xml.in b/interface-definitions/system_ip.xml.in index 6e3b7d5d0..015eb270f 100644 --- a/interface-definitions/system_ip.xml.in +++ b/interface-definitions/system_ip.xml.in @@ -48,6 +48,7 @@ </leafNode> </children> </node> + #include <include/system-ip-nht.xml.i> <node name="tcp"> <properties> <help>IPv4 TCP parameters</help> diff --git a/interface-definitions/system_ipv6.xml.in b/interface-definitions/system_ipv6.xml.in index 8957cb6a7..dda00af38 100644 --- a/interface-definitions/system_ipv6.xml.in +++ b/interface-definitions/system_ipv6.xml.in @@ -36,6 +36,7 @@ #include <include/arp-ndp-table-size.xml.i> </children> </node> + #include <include/system-ip-nht.xml.i> #include <include/system-ipv6-protocol.xml.i> <leafNode name="strict-dad"> <properties> diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in index 6148e3269..85a375db4 100644 --- a/interface-definitions/vpn_l2tp.xml.in +++ b/interface-definitions/vpn_l2tp.xml.in @@ -30,42 +30,6 @@ </node> </children> </node> - #include <include/accel-ppp/max-concurrent-sessions.xml.i> - #include <include/accel-ppp/mtu-128-16384.xml.i> - <leafNode name="mtu"> - <defaultValue>1436</defaultValue> - </leafNode> - <leafNode name="outside-address"> - <properties> - <help>External IP address to which VPN clients will connect</help> - <constraint> - <validator name="ipv4-address"/> - </constraint> - </properties> - </leafNode> - #include <include/accel-ppp/gateway-address.xml.i> - #include <include/name-server-ipv4-ipv6.xml.i> - <node name="lns"> - <properties> - <help>L2TP Network Server (LNS)</help> - </properties> - <children> - <leafNode name="shared-secret"> - <properties> - <help>Tunnel password used to authenticate the client (LAC)</help> - </properties> - </leafNode> - <leafNode name="host-name"> - <properties> - <help>Sent to the client (LAC) in the Host-Name attribute</help> - <constraint> - #include <include/constraint/host-name.xml.i> - </constraint> - <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage> - </properties> - </leafNode> - </children> - </node> <node name="ipsec-settings"> <properties> <help>Internet Protocol Security (IPsec) for remote access L2TP VPN</help> @@ -129,14 +93,53 @@ #include <include/ipsec/ike-group.xml.i> </children> </node> - #include <include/accel-ppp/wins-server.xml.i> + <node name="lns"> + <properties> + <help>L2TP Network Server (LNS)</help> + </properties> + <children> + <leafNode name="shared-secret"> + <properties> + <help>Tunnel password used to authenticate the client (LAC)</help> + </properties> + </leafNode> + <leafNode name="host-name"> + <properties> + <help>Sent to the client (LAC) in the Host-Name attribute</help> + <constraint> + #include <include/constraint/host-name.xml.i> + </constraint> + <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage> + </properties> + </leafNode> + </children> + </node> + <leafNode name="outside-address"> + <properties> + <help>External IP address to which VPN clients will connect</help> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> #include <include/accel-ppp/client-ip-pool.xml.i> #include <include/accel-ppp/client-ipv6-pool.xml.i> - #include <include/generic-description.xml.i> - #include <include/dhcp-interface.xml.i> - #include <include/accel-ppp/ppp-options.xml.i> #include <include/accel-ppp/default-pool.xml.i> #include <include/accel-ppp/default-ipv6-pool.xml.i> + #include <include/accel-ppp/extended-scripts.xml.i> + #include <include/accel-ppp/gateway-address.xml.i> + #include <include/accel-ppp/limits.xml.i> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> + #include <include/accel-ppp/mtu-128-16384.xml.i> + <leafNode name="mtu"> + <defaultValue>1436</defaultValue> + </leafNode> + #include <include/accel-ppp/ppp-options.xml.i> + #include <include/accel-ppp/shaper.xml.i> + #include <include/accel-ppp/snmp.xml.i> + #include <include/accel-ppp/wins-server.xml.i> + #include <include/generic-description.xml.i> + #include <include/name-server-ipv4-ipv6.xml.i> </children> </node> </children> diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in index 2e2a3bec4..a63633f57 100644 --- a/interface-definitions/vpn_pptp.xml.in +++ b/interface-definitions/vpn_pptp.xml.in @@ -30,11 +30,6 @@ </node> </children> </node> - #include <include/accel-ppp/max-concurrent-sessions.xml.i> - #include <include/accel-ppp/mtu-128-16384.xml.i> - <leafNode name="mtu"> - <defaultValue>1436</defaultValue> - </leafNode> <leafNode name="outside-address"> <properties> <help>External IP address to which VPN clients will connect</help> @@ -43,14 +38,24 @@ </constraint> </properties> </leafNode> - #include <include/accel-ppp/gateway-address.xml.i> - #include <include/name-server-ipv4-ipv6.xml.i> - #include <include/accel-ppp/wins-server.xml.i> #include <include/accel-ppp/client-ip-pool.xml.i> - #include <include/accel-ppp/default-pool.xml.i> #include <include/accel-ppp/client-ipv6-pool.xml.i> + #include <include/accel-ppp/default-pool.xml.i> #include <include/accel-ppp/default-ipv6-pool.xml.i> + #include <include/accel-ppp/extended-scripts.xml.i> + #include <include/accel-ppp/gateway-address.xml.i> + #include <include/accel-ppp/limits.xml.i> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> + #include <include/accel-ppp/mtu-128-16384.xml.i> + <leafNode name="mtu"> + <defaultValue>1436</defaultValue> + </leafNode> #include <include/accel-ppp/ppp-options.xml.i> + #include <include/accel-ppp/shaper.xml.i> + #include <include/accel-ppp/snmp.xml.i> + #include <include/accel-ppp/wins-server.xml.i> + #include <include/generic-description.xml.i> + #include <include/name-server-ipv4-ipv6.xml.i> </children> </node> </children> diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in index 0d5d53301..d23a001d5 100644 --- a/interface-definitions/vpn_sstp.xml.in +++ b/interface-definitions/vpn_sstp.xml.in @@ -25,19 +25,6 @@ </node> </children> </node> - #include <include/accel-ppp/max-concurrent-sessions.xml.i> - #include <include/interface/mtu-68-1500.xml.i> - #include <include/accel-ppp/gateway-address.xml.i> - #include <include/name-server-ipv4-ipv6.xml.i> - #include <include/accel-ppp/client-ip-pool.xml.i> - #include <include/accel-ppp/client-ipv6-pool.xml.i> - #include <include/port-number.xml.i> - <leafNode name="port"> - <defaultValue>443</defaultValue> - </leafNode> - #include <include/accel-ppp/default-pool.xml.i> - #include <include/accel-ppp/default-ipv6-pool.xml.i> - #include <include/accel-ppp/ppp-options.xml.i> <node name="ssl"> <properties> <help>SSL Certificate, SSL Key and CA</help> @@ -47,6 +34,25 @@ #include <include/pki/certificate.xml.i> </children> </node> + #include <include/accel-ppp/client-ip-pool.xml.i> + #include <include/accel-ppp/client-ipv6-pool.xml.i> + #include <include/accel-ppp/default-pool.xml.i> + #include <include/accel-ppp/default-ipv6-pool.xml.i> + #include <include/accel-ppp/extended-scripts.xml.i> + #include <include/accel-ppp/gateway-address.xml.i> + #include <include/accel-ppp/limits.xml.i> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> + #include <include/interface/mtu-68-1500.xml.i> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>443</defaultValue> + </leafNode> + #include <include/accel-ppp/ppp-options.xml.i> + #include <include/accel-ppp/shaper.xml.i> + #include <include/accel-ppp/snmp.xml.i> + #include <include/accel-ppp/wins-server.xml.i> + #include <include/generic-description.xml.i> + #include <include/name-server-ipv4-ipv6.xml.i> </children> </node> </children> diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index e5ec539d3..25f26d0cc 100644 --- a/interface-definitions/vrf.xml.in +++ b/interface-definitions/vrf.xml.in @@ -34,6 +34,7 @@ </properties> <children> #include <include/interface/disable-forwarding.xml.i> + #include <include/system-ip-nht.xml.i> #include <include/system-ip-protocol.xml.i> </children> </node> @@ -43,6 +44,7 @@ </properties> <children> #include <include/interface/disable-forwarding.xml.i> + #include <include/system-ip-nht.xml.i> #include <include/system-ipv6-protocol.xml.i> </children> </node> diff --git a/python/vyos/accel_ppp_util.py b/python/vyos/accel_ppp_util.py index bd0c46a19..845b2f5f0 100644 --- a/python/vyos/accel_ppp_util.py +++ b/python/vyos/accel_ppp_util.py @@ -106,7 +106,26 @@ def get_pools_in_order(data: dict) -> list: return pools -def verify_accel_ppp_base_service(config, local_users=True): +def verify_accel_ppp_name_servers(config): + if "name_server_ipv4" in config: + if len(config["name_server_ipv4"]) > 2: + raise ConfigError( + "Not more then two IPv4 DNS name-servers " "can be configured" + ) + if "name_server_ipv6" in config: + if len(config["name_server_ipv6"]) > 3: + raise ConfigError( + "Not more then three IPv6 DNS name-servers " "can be configured" + ) + + +def verify_accel_ppp_wins_servers(config): + if 'wins_server' in config and len(config['wins_server']) > 2: + raise ConfigError( + 'Not more then two WINS name-servers can be configured') + + +def verify_accel_ppp_authentication(config, local_users=True): """ Common helper function which must be used by all Accel-PPP services based on get_config_dict() @@ -148,17 +167,6 @@ def verify_accel_ppp_base_service(config, local_users=True): if not dict_search('authentication.radius.dynamic_author.key', config): raise ConfigError('DAE/CoA server key required!') - if "name_server_ipv4" in config: - if len(config["name_server_ipv4"]) > 2: - raise ConfigError( - "Not more then two IPv4 DNS name-servers " "can be configured" - ) - - if "name_server_ipv6" in config: - if len(config["name_server_ipv6"]) > 3: - raise ConfigError( - "Not more then three IPv6 DNS name-servers " "can be configured" - ) diff --git a/smoketest/config-tests/rpki-only b/smoketest/config-tests/rpki-only new file mode 100644 index 000000000..569463b12 --- /dev/null +++ b/smoketest/config-tests/rpki-only @@ -0,0 +1,30 @@ +set interfaces ethernet eth0 address '192.0.2.1/24' +set interfaces ethernet eth0 address '2001:db8::1/64' +set interfaces loopback lo +set pki openssh rpki-5.6.7.8 private key 'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAweDyflDFR4qyEwETbJkZ2ZZc+sJNiDTvYpwGsWIkju49lJSxHe1xKf8FhwfyMu40Snt1yDlRmmmz4CsbLgbuZGMPvXG11e34+C0pSVUvpF6aqRTeLl1pDRK7Rnjgm3su+I8SRLQR4qbLG6VXWOFuVpwiqbExLaU0hFYTPNP+dArNpsWEEKsohk6pTXdhg3VzWp3vCMjl2JTshDa3lD7p2xISSAReEY0fnfEAmQzH4Z6DIwwGdFuMWoQIg+oFBM9ARrO2/FIjRsz6AecR/WeU72JEw4aJic1/cAJQA6PiQBHwkuo3Wll1tbpxeRZoB2NQG22ETyJLvhfTaooNLT9HpQAAA8joU5dM6FOXTAAAAAdzc2gtcnNhAAABAQDB4PJ+UMVHirITARNsmRnZllz6wk2INO9inAaxYiSO7j2UlLEd7XEp/wWHB/Iy7jRKe3XIOVGaabPgKxsuBu5kYw+9cbXV7fj4LSlJVS+kXpqpFN4uXWkNErtGeOCbey74jxJEtBHipssbpVdY4W5WnCKpsTEtpTSEVhM80/50Cs2mxYQQqyiGTqlNd2GDdXNane8IyOXYlOyENreUPunbEhJIBF4RjR+d8QCZDMfhnoMjDAZ0W4xahAiD6gUEz0BGs7b8UiNGzPoB5xH9Z5TvYkTDhomJzX9wAlADo+JAEfCS6jdaWXW1unF5FmgHY1AbbYRPIku+F9Nqig0tP0elAAAAAwEAAQAAAQACkDlUjzfUhtJs6uY5WNrdJB5NmHUS+HQzzxFNlhkapK6+wKqI1UNaRUtq6iF7J+gcFf7MK2nXS098BsXguWm8fQzPuemoDvHsQhiaJhyvpSqRUrvPTB/f8t/0AhQiKiJIWgfpTaIw53inAGwjujNNxNm2eafHTThhCYxOkRT7rsT6bnSio6yeqPy5QHg7IKFztp5FXDUyiOS3aX3SvzQcDUkMXALdvzX50t1XIk+X48Rgkq72dL4VpV2oMNDu3hM6FqBUplf9Mv3s51FNSma/cibCQoVufrIfoqYjkNTjIpYFUcq4zZ0/KvgXgzSsy9VN/4TtbalrOuu7X/SHJbvhAAAAgGPFsXgONYQvXxCnK1dIueozgaZg1I/n522E2ZCOXBW4dYJVyNpppwRreDzuFzTDEe061MpNHfScjVBJCCulivFYWscL6oaGsryDbFxO3QmB4I98UBqrds2yan9/JGc6EYe299yvaHy7Y64+NC0+fN8H2RAZ61T4w10JrCaJRyvzAAAAgQDvBfuV1U7o9k/fbU+U7W2UYnWblpOZAMfi1XQP6IJJeyWs90PdTdXh+l0eIQrCawIiRJytNfxMmbD4huwTf77fWiyCcPznmALQ7ex/yJ+W5Z0V4dPGF3h7o1uiS236JhQ7mfcliCkhp/1PIklBIMPcCp0zl+s9wMv2hX7w1Pah9QAAAIEAz6YgU9Xute+J+dBwoWxEQ+igR6KE55Um7O9AvSrqnCm9r7lSFsXC2ErYOxoDSJ3yIBEV0b4XAGn6tbbVIs3jS8BnLHxclAHQecOx1PGn7PKbnPW0oJRq/X9QCIEelKYvlykpayn7uZooTXqcDaPZxfPpmPdye8chVJvdygi7kPEAAAAMY3BvQExSMS53dWUzAQIDBAUGBw==' +set pki openssh rpki-5.6.7.8 public key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDB4PJ+UMVHirITARNsmRnZllz6wk2INO9inAaxYiSO7j2UlLEd7XEp/wWHB/Iy7jRKe3XIOVGaabPgKxsuBu5kYw+9cbXV7fj4LSlJVS+kXpqpFN4uXWkNErtGeOCbey74jxJEtBHipssbpVdY4W5WnCKpsTEtpTSEVhM80/50Cs2mxYQQqyiGTqlNd2GDdXNane8IyOXYlOyENreUPunbEhJIBF4RjR+d8QCZDMfhnoMjDAZ0W4xahAiD6gUEz0BGs7b8UiNGzPoB5xH9Z5TvYkTDhomJzX9wAlADo+JAEfCS6jdaWXW1unF5FmgHY1AbbYRPIku+F9Nqig0tP0el' +set pki openssh rpki-5.6.7.8 public type 'ssh-rsa' +set policy route-map ROUTES-IN rule 10 action 'permit' +set policy route-map ROUTES-IN rule 10 match rpki 'valid' +set policy route-map ROUTES-IN rule 10 set local-preference '300' +set policy route-map ROUTES-IN rule 20 action 'permit' +set policy route-map ROUTES-IN rule 20 match rpki 'notfound' +set policy route-map ROUTES-IN rule 20 set local-preference '125' +set policy route-map ROUTES-IN rule 30 action 'deny' +set policy route-map ROUTES-IN rule 30 match rpki 'invalid' +set protocols bgp neighbor 192.0.2.200 address-family ipv4-unicast route-map import 'ROUTES-IN' +set protocols bgp neighbor 192.0.2.200 remote-as '200' +set protocols bgp neighbor 2001:db8::200 address-family ipv6-unicast route-map import 'ROUTES-IN' +set protocols bgp neighbor 2001:db8::200 remote-as '200' +set protocols bgp system-as '100' +set protocols rpki cache 1.2.3.4 port '3323' +set protocols rpki cache 1.2.3.4 preference '10' +set protocols rpki cache 5.6.7.8 port '2222' +set protocols rpki cache 5.6.7.8 preference '20' +set protocols rpki cache 5.6.7.8 ssh key 'rpki-5.6.7.8' +set protocols rpki cache 5.6.7.8 ssh username 'vyos' +set system host-name 'vyos' +set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0' +set system login user vyos authentication plaintext-password '' +set system syslog global facility all level 'debug' +set system console device ttyS0 speed '115200' diff --git a/smoketest/configs/basic-vyos b/smoketest/configs/basic-vyos index c42f14841..76aa52039 100644 --- a/smoketest/configs/basic-vyos +++ b/smoketest/configs/basic-vyos @@ -22,6 +22,7 @@ interfaces { address 100.64.200.254/24 vif-c 201 { address 100.64.201.254/24 + address fe89::1/56 } vif-c 202 { address 100.64.202.254/24 @@ -111,6 +112,24 @@ service { } } } + subnet fe89::/56 { + address-range { + prefix fe89::/60 { + temporary + } + start fe89:0000:0000:fe:: { + stop fe89:0000:0000:ff:: + } + } + domain-search vyos.net + name-server fe89::1 + prefix-delegation { + start fe89:0000:0000:0001:: { + prefix-length 64 + stop fe89:0000:0000:0010:: + } + } + } } } dns { diff --git a/smoketest/configs/egb-igp-route-maps b/smoketest/configs/egp-igp-route-maps index ca36691d4..ca36691d4 100644 --- a/smoketest/configs/egb-igp-route-maps +++ b/smoketest/configs/egp-igp-route-maps diff --git a/smoketest/configs/rpki-only b/smoketest/configs/rpki-only index 0f89b9a1b..98e9892ad 100644 --- a/smoketest/configs/rpki-only +++ b/smoketest/configs/rpki-only @@ -3,11 +3,62 @@ interfaces { duplex auto speed auto address 192.0.2.1/24 + address 2001:db8::1/64 } loopback lo { } } +policy { + route-map ROUTES-IN { + rule 10 { + action permit + match { + rpki valid + } + set { + local-preference 300 + } + } + rule 20 { + action permit + match { + rpki notfound + } + set { + local-preference 125 + } + } + rule 30 { + action deny + match { + rpki invalid + } + } + } +} protocols { + bgp 100 { + neighbor 192.0.2.200 { + address-family { + ipv4-unicast { + route-map { + import ROUTES-IN + } + } + } + remote-as 200 + } + neighbor 2001:db8::200 { + address-family { + ipv6-unicast { + route-map { + import ROUTES-IN + } + } + } + remote-as 200 + } + } rpki { cache 1.2.3.4 { port 3323 diff --git a/smoketest/scripts/cli/base_accel_ppp_test.py b/smoketest/scripts/cli/base_accel_ppp_test.py index 0e6e522b9..ac4bbcfe5 100644 --- a/smoketest/scripts/cli/base_accel_ppp_test.py +++ b/smoketest/scripts/cli/base_accel_ppp_test.py @@ -558,4 +558,53 @@ delegate={delegate_2_prefix},{delegate_mask},name={pool_name}""" self.assertTrue(conf['ppp'].getboolean('ipv6-accept-peer-intf-id')) self.assertEqual(conf['ppp']['lcp-echo-failure'], lcp_failure) self.assertEqual(conf['ppp']['lcp-echo-interval'], lcp_interval) - self.assertEqual(conf['ppp']['lcp-echo-timeout'], lcp_timeout)
\ No newline at end of file + self.assertEqual(conf['ppp']['lcp-echo-timeout'], lcp_timeout) + + + def test_accel_wins_server(self): + self.basic_config() + winsservers = ["192.0.2.1", "192.0.2.2"] + for wins in winsservers: + self.set(["wins-server", wins]) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + for ws in winsservers: + self.assertIn(ws, [conf["wins"]["wins1"], conf["wins"]["wins2"]]) + + def test_accel_snmp(self): + self.basic_config() + self.set(['snmp', 'master-agent']) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + self.assertEqual(conf['modules']['net-snmp'], None) + self.assertEqual(conf['snmp']['master'],'1') + + def test_accel_shaper(self): + self.basic_config() + fwmark = '2' + self.set(['shaper', 'fwmark', fwmark]) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + self.assertEqual(conf['modules']['shaper'], None) + self.assertEqual(conf['shaper']['verbose'], '1') + self.assertEqual(conf['shaper']['down-limiter'], 'tbf') + self.assertEqual(conf['shaper']['fwmark'], fwmark) + + def test_accel_limits(self): + self.basic_config() + burst = '100' + timeout = '20' + limits = '1/min' + self.set(['limits', 'connection-limit', limits]) + self.set(['limits', 'timeout', timeout]) + self.set(['limits', 'burst', burst]) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + self.assertEqual(conf['modules']['connlimit'], None) + self.assertEqual(conf['connlimit']['limit'], limits) + self.assertEqual(conf['connlimit']['burst'], burst) + self.assertEqual(conf['connlimit']['timeout'], timeout) diff --git a/smoketest/scripts/cli/test_service_ipoe-server.py b/smoketest/scripts/cli/test_service_ipoe-server.py index 20a168b58..5f1cf9ad1 100755 --- a/smoketest/scripts/cli/test_service_ipoe-server.py +++ b/smoketest/scripts/cli/test_service_ipoe-server.py @@ -232,5 +232,9 @@ delegate={delegate_2_prefix},{delegate_mask},name={pool_name}""" def test_accel_ppp_options(self): pass + @unittest.skip("WINS server is not used in IPoE") + def test_accel_wins_server(self): + pass + if __name__ == "__main__": unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_ip.py b/smoketest/scripts/cli/test_system_ip.py index 567416774..ac8b74236 100755 --- a/smoketest/scripts/cli/test_system_ip.py +++ b/smoketest/scripts/cli/test_system_ip.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020-2023 VyOS maintainers and contributors +# Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -120,5 +120,18 @@ class TestSystemIP(VyOSUnitTestSHIM.TestCase): # Commit again self.cli_commit() + def test_system_ip_nht(self): + self.cli_set(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config applied to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertIn(f'no ip nht resolve-via-default', frrconfig) + + self.cli_delete(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config removed to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertNotIn(f'no ip nht resolve-via-default', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_ipv6.py b/smoketest/scripts/cli/test_system_ipv6.py index 225c2d666..bc0f7aa8c 100755 --- a/smoketest/scripts/cli/test_system_ipv6.py +++ b/smoketest/scripts/cli/test_system_ipv6.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021-2023 VyOS maintainers and contributors +# Copyright (C) 2021-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -131,5 +131,18 @@ class TestSystemIPv6(VyOSUnitTestSHIM.TestCase): # Commit again self.cli_commit() + def test_system_ipv6_nht(self): + self.cli_set(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config applied to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertIn(f'no ipv6 nht resolve-via-default', frrconfig) + + self.cli_delete(base_path + ['nht', 'no-resolve-via-default']) + self.cli_commit() + # Verify CLI config removed to FRR + frrconfig = self.getFRRconfig('', end='', daemon='zebra') + self.assertNotIn(f'no ipv6 nht resolve-via-default', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py index a3090ee41..438387f2d 100755 --- a/smoketest/scripts/cli/test_vrf.py +++ b/smoketest/scripts/cli/test_vrf.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020-2023 VyOS maintainers and contributors +# Copyright (C) 2020-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -495,6 +495,39 @@ class VRFTest(VyOSUnitTestSHIM.TestCase): frrconfig = self.getFRRconfig(f'vrf {vrf}') self.assertNotIn('vni', frrconfig) + def test_vrf_ip_ipv6_nht(self): + table = '6910' + + for vrf in vrfs: + base = base_path + ['name', vrf] + self.cli_set(base + ['table', table]) + self.cli_set(base + ['ip', 'nht', 'no-resolve-via-default']) + self.cli_set(base + ['ipv6', 'nht', 'no-resolve-via-default']) + + table = str(int(table) + 1) + + self.cli_commit() + + # Verify route-map properly applied to FRR + for vrf in vrfs: + frrconfig = self.getFRRconfig(f'vrf {vrf}', daemon='zebra') + self.assertIn(f'vrf {vrf}', frrconfig) + self.assertIn(f' no ip nht resolve-via-default', frrconfig) + self.assertIn(f' no ipv6 nht resolve-via-default', frrconfig) + + # Delete route-maps + for vrf in vrfs: + base = base_path + ['name', vrf] + self.cli_delete(base + ['ip']) + self.cli_delete(base + ['ipv6']) + + self.cli_commit() + + # Verify route-map properly is removed from FRR + for vrf in vrfs: + frrconfig = self.getFRRconfig(f'vrf {vrf}', daemon='zebra') + self.assertNotIn(f' no ip nht resolve-via-default', frrconfig) + self.assertNotIn(f' no ipv6 nht resolve-via-default', frrconfig) if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 5f72b983c..852b714eb 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -25,8 +25,10 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search from vyos.accel_ppp_util import get_pools_in_order +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers from vyos.accel_ppp_util import verify_accel_ppp_ip_pool -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos import ConfigError from vyos import airbag airbag.enable() @@ -69,8 +71,10 @@ def verify(ipoe): raise ConfigError('Option "client-subnet" incompatible with "vlan"!' 'Use "ipoe client-ip-pool" instead.') - verify_accel_ppp_base_service(ipoe, local_users=False) + verify_accel_ppp_authentication(ipoe, local_users=False) verify_accel_ppp_ip_pool(ipoe) + verify_accel_ppp_name_servers(ipoe) + verify_accel_ppp_wins_servers(ipoe) return None diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index c2dfbdb44..c9d1e805f 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -25,7 +25,9 @@ from vyos.configverify import verify_interface_exists from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError @@ -67,11 +69,11 @@ def verify(pppoe): if not pppoe: return None - verify_accel_ppp_base_service(pppoe) + verify_accel_ppp_authentication(pppoe) verify_accel_ppp_ip_pool(pppoe) + verify_accel_ppp_name_servers(pppoe) + verify_accel_ppp_wins_servers(pppoe) - if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2: - raise ConfigError('Not more then two WINS name-servers can be configured') if 'interface' not in pppoe: raise ConfigError('At least one listen interface must be defined!') diff --git a/src/conf_mode/system_ip.py b/src/conf_mode/system_ip.py index 7612e2c0d..833f89554 100755 --- a/src/conf_mode/system_ip.py +++ b/src/conf_mode/system_ip.py @@ -127,6 +127,7 @@ def apply(opt): # The route-map used for the FIB (zebra) is part of the zebra daemon frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'no ip nht resolve-via-default') frr_cfg.modify_section(r'ip protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') if 'frr_zebra_config' in opt: frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) diff --git a/src/conf_mode/system_ipv6.py b/src/conf_mode/system_ipv6.py index 90a1a8087..00d440e35 100755 --- a/src/conf_mode/system_ipv6.py +++ b/src/conf_mode/system_ipv6.py @@ -104,6 +104,7 @@ def apply(opt): # The route-map used for the FIB (zebra) is part of the zebra daemon frr_cfg.load_configuration(zebra_daemon) + frr_cfg.modify_section(r'no ipv6 nht resolve-via-default') frr_cfg.modify_section(r'ipv6 protocol \w+ route-map [-a-zA-Z0-9.]+', stop_pattern='(\s|!)') if 'frr_zebra_config' in opt: frr_cfg.add_before(frr.default_add_before, opt['frr_zebra_config']) diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 266381754..04ccbcec3 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -24,7 +24,9 @@ from vyos.configdict import get_accel_dict from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError @@ -62,12 +64,10 @@ def verify(l2tp): if not l2tp: return None - verify_accel_ppp_base_service(l2tp) + verify_accel_ppp_authentication(l2tp) verify_accel_ppp_ip_pool(l2tp) - - if 'wins_server' in l2tp and len(l2tp['wins_server']) > 2: - raise ConfigError( - 'Not more then two WINS name-servers can be configured') + verify_accel_ppp_name_servers(l2tp) + verify_accel_ppp_wins_servers(l2tp) return None diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index b1d5067d5..c0d8330bd 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -22,7 +22,9 @@ from vyos.config import Config from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError @@ -60,12 +62,10 @@ def verify(pptp): if not pptp: return None - verify_accel_ppp_base_service(pptp) + verify_accel_ppp_authentication(pptp) verify_accel_ppp_ip_pool(pptp) - - if 'wins_server' in pptp and len(pptp['wins_server']) > 2: - raise ConfigError( - 'Not more then two WINS name-servers can be configured') + verify_accel_ppp_name_servers(pptp) + verify_accel_ppp_wins_servers(pptp) def generate(pptp): diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 5c229fe62..8661a8aff 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -26,7 +26,9 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.network import check_port_availability from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos.utils.network import is_listen_port_bind_service @@ -43,48 +45,18 @@ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem') cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key') ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem') -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['vpn', 'sstp'] - if not conf.exists(base): - return None - - # retrieve common dictionary keys - sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) - if dict_search('client_ip_pool', sstp): - # Multiple named pools require ordered values T5099 - sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) - - sstp['server_type'] = 'sstp' - return sstp - - -def verify(sstp): - if not sstp: - return None - - port = sstp.get('port') - proto = 'tcp' - if check_port_availability('0.0.0.0', int(port), proto) is not True and \ - not is_listen_port_bind_service(int(port), 'accel-pppd'): - raise ConfigError(f'"{proto}" port "{port}" is used by another service') - - verify_accel_ppp_base_service(sstp) - verify_accel_ppp_ip_pool(sstp) +def verify_certificate(config): # # SSL certificate checks # - if not sstp['pki']: + if not config['pki']: raise ConfigError('PKI is not configured') - if 'ssl' not in sstp: + if 'ssl' not in config: raise ConfigError('SSL missing on SSTP config') - ssl = sstp['ssl'] + ssl = config['ssl'] # CA if 'ca_certificate' not in ssl: @@ -92,10 +64,10 @@ def verify(sstp): ca_name = ssl['ca_certificate'] - if ca_name not in sstp['pki']['ca']: + if ca_name not in config['pki']['ca']: raise ConfigError('Invalid CA certificate on SSTP config') - if 'certificate' not in sstp['pki']['ca'][ca_name]: + if 'certificate' not in config['pki']['ca'][ca_name]: raise ConfigError('Missing certificate data for CA certificate on SSTP config') # Certificate @@ -104,10 +76,10 @@ def verify(sstp): cert_name = ssl['certificate'] - if cert_name not in sstp['pki']['certificate']: + if cert_name not in config['pki']['certificate']: raise ConfigError('Invalid certificate on SSTP config') - pki_cert = sstp['pki']['certificate'][cert_name] + pki_cert = config['pki']['certificate'][cert_name] if 'certificate' not in pki_cert: raise ConfigError('Missing certificate data for certificate on SSTP config') @@ -118,6 +90,43 @@ def verify(sstp): if 'password_protected' in pki_cert['private']: raise ConfigError('Encrypted private key is not supported on SSTP config') + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['vpn', 'sstp'] + if not conf.exists(base): + return None + + # retrieve common dictionary keys + sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) + if dict_search('client_ip_pool', sstp): + # Multiple named pools require ordered values T5099 + sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) + + sstp['server_type'] = 'sstp' + return sstp + + +def verify(sstp): + if not sstp: + return None + + port = sstp.get('port') + proto = 'tcp' + if check_port_availability('0.0.0.0', int(port), proto) is not True and \ + not is_listen_port_bind_service(int(port), 'accel-pppd'): + raise ConfigError(f'"{proto}" port "{port}" is used by another service') + + verify_accel_ppp_authentication(sstp) + verify_accel_ppp_ip_pool(sstp) + verify_accel_ppp_name_servers(sstp) + verify_accel_ppp_wins_servers(sstp) + verify_certificate(sstp) + + def generate(sstp): if not sstp: return None @@ -143,6 +152,7 @@ def generate(sstp): return sstp + def apply(sstp): if not sstp: call('systemctl stop accel-ppp@sstp.service') diff --git a/src/migration-scripts/dhcpv6-server/4-to-5 b/src/migration-scripts/dhcpv6-server/4-to-5 index e808edbe0..ae506b9c5 100755 --- a/src/migration-scripts/dhcpv6-server/4-to-5 +++ b/src/migration-scripts/dhcpv6-server/4-to-5 @@ -39,14 +39,34 @@ if not config.exists(base): def find_subnet_interface(subnet): subnet_net = ip_network(subnet) + def check_addr(if_path): + if config.exists(if_path + ['address']): + for addr in config.return_values(if_path + ['address']): + if ip_network(addr, strict=False) == subnet_net: + return True + return None + for iftype in config.list_nodes(['interfaces']): for ifname in config.list_nodes(['interfaces', iftype]): if_base = ['interfaces', iftype, ifname] - if config.exists(if_base + ['address']): - for addr in config.return_values(if_base + ['address']): - if ip_network(addr, strict=False) == subnet_net: - return ifname + if check_addr(if_base): + return ifname + + if config.exists(if_base + ['vif']): + for vif in config.list_nodes(if_base + ['vif']): + if check_addr(if_base + ['vif', vif]): + return f'{ifname}.{vif}' + + if config.exists(if_base + ['vif-s']): + for vifs in config.list_nodes(if_base + ['vif-s']): + if check_addr(if_base + ['vif-s', vifs]): + return f'{ifname}.{vifs}' + + if config.exists(if_base + ['vif-s', vifs, 'vif-c']): + for vifc in config.list_nodes(if_base + ['vif-s', vifs, 'vif-c']): + if check_addr(if_base + ['vif-s', vifs, 'vif-c', vifc]): + return f'{ifname}.{vifs}.{vifc}' return False diff --git a/src/migration-scripts/l2tp/8-to-9 b/src/migration-scripts/l2tp/8-to-9 new file mode 100755 index 000000000..e85a3892b --- /dev/null +++ b/src/migration-scripts/l2tp/8-to-9 @@ -0,0 +1,49 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Deleted 'dhcp-interface' from l2tp + +import os + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree + + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['vpn', 'l2tp', 'remote-access'] +if not config.exists(base): + exit(0) + +#deleting unused dhcp-interface +if config.exists(base + ['dhcp-interface']): + config.delete(base + ['dhcp-interface']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py index 069c12069..7186bdec2 100755 --- a/src/op_mode/vpn_ike_sa.py +++ b/src/op_mode/vpn_ike_sa.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -57,7 +57,7 @@ def ike_sa(peer, nat): dh_group = s(sa['dh-group']) if 'dh-group' in sa else 'n/a' natt = 'yes' if 'nat-local' in sa and s(sa['nat-local']) == 'yes' else 'no' atime = s(sa['established']) if 'established' in sa else '0' - ltime = s(sa['rekey-time']) if 'rekey_time' in sa else '0' + ltime = s(sa['rekey-time']) if 'rekey-time' in sa else '0' print(ike_sa_tunnel_prefix) print(' %-6s %-6s %-12s %-13s %-14s %-6s %-7s %-7s\n' % (state, version, encryption, integrity, dh_group, natt, atime, ltime)) |