diff options
33 files changed, 375 insertions, 1104 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index 4d73c844c..f87185d6a 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -48,8 +48,5 @@ "wireguard": ["interfaces-wireguard"], "wireless": ["interfaces-wireless"], "wwan": ["interfaces-wwan"] - }, - "vpp": { - "ethernet": ["interfaces-ethernet"] } } diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index f59428509..555a033d3 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -14,6 +14,11 @@ ippool [core] thread-count={{ thread_count }} +[common] +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + [log] syslog=accel-ipoe,daemon copy=1 diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2 index a2f9c9fc7..b089d3e71 100644 --- a/data/templates/accel-ppp/l2tp.config.j2 +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -20,6 +20,11 @@ ipv6_dhcp [core] thread-count={{ thread_cnt }} +[common] +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + [log] syslog=accel-l2tp,daemon copy=1 diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index dd53edd28..e1ae3660e 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -62,10 +62,13 @@ wins{{ loop.index }}={{ server }} {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} -{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %} [common] +{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %} single-session={{ session_control }} {% endif %} +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} [ppp] verbose=1 diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2 index 0082e55bf..46a9f933a 100644 --- a/data/templates/accel-ppp/pptp.config.j2 +++ b/data/templates/accel-ppp/pptp.config.j2 @@ -16,6 +16,11 @@ ippool [core] thread-count={{ thread_cnt }} +[common] +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} + [log] syslog=accel-pptp,daemon copy=1 diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2 index 7ee28dd21..cf1d23f54 100644 --- a/data/templates/accel-ppp/sstp.config.j2 +++ b/data/templates/accel-ppp/sstp.config.j2 @@ -16,6 +16,9 @@ thread-count={{ thread_count }} [common] single-session=replace +{% if max_concurrent_sessions is vyos_defined %} +max-starting={{ max_concurrent_sessions }} +{% endif %} [log] syslog=accel-sstp,daemon diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2 index dff904129..8ca167803 100644 --- a/data/templates/rsyslog/rsyslog.conf.j2 +++ b/data/templates/rsyslog/rsyslog.conf.j2 @@ -15,7 +15,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }} {% if global.facility is vyos_defined %} {% set tmp = [] %} {% for facility, facility_options in global.facility.items() %} -{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} {% endfor %} {{ tmp | join(';') }} :omfile:$global {% endif %} @@ -27,7 +27,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }} $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archive.size }},/usr/sbin/logrotate {{ logrotate }} {% if file_options.facility is vyos_defined %} {% for facility, facility_options in file_options.facility.items() %} -{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} {% endfor %} {% endif %} {{ tmp | join(';') }} :omfile:${{ file }} @@ -38,7 +38,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv # Console logging {% set tmp = [] %} {% for facility, facility_options in console.facility.items() %} -{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} {% endfor %} {{ tmp | join(';') }} /dev/console {% endif %} @@ -49,7 +49,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv {% set tmp = [] %} {% if host_options.facility is vyos_defined %} {% for facility, facility_options in host_options.facility.items() %} -{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} {% endfor %} {% endif %} {% if host_options.protocol is vyos_defined('tcp') %} @@ -70,7 +70,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv {% set tmp = [] %} {% if user_options.facility is vyos_defined %} {% for facility, facility_options in user_options.facility.items() %} -{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %} +{% set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %} {% endfor %} {% endif %} {{ tmp | join(';') }} :omusrmsg:{{ username }} diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2 index 5852d6232..02a9656da 100644 --- a/data/templates/telegraf/telegraf.j2 +++ b/data/templates/telegraf/telegraf.j2 @@ -89,7 +89,7 @@ ignore_fs = ["devtmpfs", "devfs"] [[inputs.diskio]] [[inputs.mem]] -[[inputs.net]] +[[inputs.nstat]] [[inputs.system]] [[inputs.netstat]] [[inputs.processes]] diff --git a/data/templates/vpp/override.conf.j2 b/data/templates/vpp/override.conf.j2 deleted file mode 100644 index a2c2b04ed..000000000 --- a/data/templates/vpp/override.conf.j2 +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -After= -After=vyos-router.service -ConditionPathExists= -ConditionPathExists=/run/vpp/vpp.conf - -[Service] -EnvironmentFile= -ExecStart= -ExecStart=/usr/bin/vpp -c /run/vpp/vpp.conf -WorkingDirectory= -WorkingDirectory=/run/vpp -Restart=always -RestartSec=10 diff --git a/data/templates/vpp/startup.conf.j2 b/data/templates/vpp/startup.conf.j2 deleted file mode 100644 index f33539fba..000000000 --- a/data/templates/vpp/startup.conf.j2 +++ /dev/null @@ -1,116 +0,0 @@ -# Generated by /usr/libexec/vyos/conf_mode/vpp.py - -unix { - nodaemon - log /var/log/vpp.log - full-coredump - cli-listen /run/vpp/cli.sock - gid vpp - # exec /etc/vpp/bootstrap.vpp -{% if unix is vyos_defined %} -{% if unix.poll_sleep_usec is vyos_defined %} - poll-sleep-usec {{ unix.poll_sleep_usec }} -{% endif %} -{% endif %} -} - -{% if cpu is vyos_defined %} -cpu { -{% if cpu.main_core is vyos_defined %} - main-core {{ cpu.main_core }} -{% endif %} -{% if cpu.corelist_workers is vyos_defined %} - corelist-workers {{ cpu.corelist_workers | join(',') }} -{% endif %} -{% if cpu.skip_cores is vyos_defined %} - skip-cores {{ cpu.skip_cores }} -{% endif %} -{% if cpu.workers is vyos_defined %} - workers {{ cpu.workers }} -{% endif %} -} -{% endif %} - -{# ip heap-size does not work now (23.06-rc2~1-g3a4e62ad4) #} -{# vlib_call_all_config_functions: unknown input `ip heap-size 32M ' #} -{% if ip is vyos_defined %} -#ip { -#{% if ip.heap_size is vyos_defined %} -# heap-size {{ ip.heap_size }}M -#{% endif %} -#} -{% endif %} - -{% if ip6 is vyos_defined %} -ip6 { -{% if ip6.hash_buckets is vyos_defined %} - hash-buckets {{ ip6.hash_buckets }} -{% endif %} -{% if ip6.heap_size is vyos_defined %} - heap-size {{ ip6.heap_size }}M -{% endif %} -} -{% endif %} - -{% if l2learn is vyos_defined %} -l2learn { -{% if l2learn.limit is vyos_defined %} - limit {{ l2learn.limit }} -{% endif %} -} -{% endif %} - -{% if logging is vyos_defined %} -logging { -{% if logging.default_log_level is vyos_defined %} - default-log-level {{ logging.default_log_level }} -{% endif %} -} -{% endif %} - -{% if physmem is vyos_defined %} -physmem { -{% if physmem.max_size is vyos_defined %} - max-size {{ physmem.max_size.upper() }} -{% endif %} -} -{% endif %} - -plugins { - path /usr/lib/x86_64-linux-gnu/vpp_plugins/ - plugin default { disable } - plugin dpdk_plugin.so { enable } - plugin linux_cp_plugin.so { enable } - plugin linux_nl_plugin.so { enable } -} - -linux-cp { - lcp-sync - lcp-auto-subint -} - -dpdk { - # Whitelist the fake PCI address 0000:00:00.0 - # This prevents all devices from being added to VPP-DPDK by default - dev 0000:00:00.0 -{% for iface, iface_config in interface.items() %} -{% if iface_config.pci is vyos_defined %} - dev {{ iface_config.pci }} { - name {{ iface }} -{% if iface_config.num_rx_desc is vyos_defined %} - num-rx-desc {{ iface_config.num_rx_desc }} -{% endif %} -{% if iface_config.num_tx_desc is vyos_defined %} - num-tx-desc {{ iface_config.num_tx_desc }} -{% endif %} -{% if iface_config.num_rx_queues is vyos_defined %} - num-rx-queues {{ iface_config.num_rx_queues }} -{% endif %} -{% if iface_config.num_tx_queues is vyos_defined %} - num-tx-queues {{ iface_config.num_tx_queues }} -{% endif %} - } -{% endif %} -{% endfor %} - uio-bind-force -} diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index 860319edf..22b50ce2a 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -201,14 +201,3 @@ systemctl enable vyos-config-cloud-init.service # Update XML cache python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py -# T1797: disable VPP support for rolling release, should be used by developers -# only (in the initial phase). If you wan't to enable VPP use the below command -# on your VyOS installation: -# -# sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp -if [ -d /opt/vyatta/share/vyatta-cfg/templates/vpp ]; then - if [ -d /opt/vyatta/share/vyatta-cfg/vpp ]; then - rm -rf /opt/vyatta/share/vyatta-cfg/vpp - fi - mv /opt/vyatta/share/vyatta-cfg/templates/vpp /opt/vyatta/share/vyatta-cfg/vpp -fi diff --git a/interface-definitions/include/accel-ppp/max-concurrent-sessions.xml.i b/interface-definitions/include/accel-ppp/max-concurrent-sessions.xml.i new file mode 100644 index 000000000..f6ef41019 --- /dev/null +++ b/interface-definitions/include/accel-ppp/max-concurrent-sessions.xml.i @@ -0,0 +1,15 @@ +<!-- include start from accel-ppp/max-concurrent-sessions.xml.i --> +<leafNode name="max-concurrent-sessions"> + <properties> + <help>Maximum number of concurrent session start attempts</help> + <valueHelp> + <format>u32:0-65535</format> + <description>Maximum number of concurrent session start attempts</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 0-65535"/> + </constraint> + <constraintErrorMessage>Maximum concurent sessions must be in range 0-65535</constraintErrorMessage> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i b/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i index b8dbe73b2..c0367b891 100644 --- a/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i +++ b/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i @@ -13,12 +13,6 @@ <leafNode name="vendor"> <properties> <help>Vendor dictionary</help> - <completionHelp> - <list>alcatel cisco microsoft mikrotik</list> - </completionHelp> - <constraint> - <validator name="accel-radius-dictionary" /> - </constraint> </properties> </leafNode> <leafNode name="enable"> diff --git a/interface-definitions/include/version/nat-version.xml.i b/interface-definitions/include/version/nat-version.xml.i index 027216a07..656da6e14 100644 --- a/interface-definitions/include/version/nat-version.xml.i +++ b/interface-definitions/include/version/nat-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/nat-version.xml.i --> -<syntaxVersion component='nat' version='5'></syntaxVersion> +<syntaxVersion component='nat' version='7'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/nat66-version.xml.i b/interface-definitions/include/version/nat66-version.xml.i index 7b7123dcc..478ca080f 100644 --- a/interface-definitions/include/version/nat66-version.xml.i +++ b/interface-definitions/include/version/nat66-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/nat66-version.xml.i --> -<syntaxVersion component='nat66' version='1'></syntaxVersion> +<syntaxVersion component='nat66' version='2'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 3fae17178..f20743a65 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -19,12 +19,6 @@ #include <include/interface/address-ipv4-ipv6.xml.i> #include <include/generic-description.xml.i> #include <include/interface/disable.xml.i> - <leafNode name="external"> - <properties> - <help>Use external control plane</help> - <valueless/> - </properties> - </leafNode> <leafNode name="gpe"> <properties> <help>Enable Generic Protocol extension (VXLAN-GPE)</help> @@ -83,12 +77,24 @@ #include <include/interface/parameters-flowlabel.xml.i> </children> </node> + <leafNode name="external"> + <properties> + <help>Use external control plane</help> + <valueless/> + </properties> + </leafNode> <leafNode name="nolearning"> <properties> <help>Do not add unknown addresses into forwarding database</help> <valueless/> </properties> </leafNode> + <leafNode name="neighbor-suppress"> + <properties> + <help>Enable neighbor discovery (ARP and ND) suppression</help> + <valueless/> + </properties> + </leafNode> </children> </node> #include <include/port-number.xml.i> diff --git a/interface-definitions/service-ipoe-server.xml.in b/interface-definitions/service-ipoe-server.xml.in index b6e6503d3..9ac0c8fdf 100644 --- a/interface-definitions/service-ipoe-server.xml.in +++ b/interface-definitions/service-ipoe-server.xml.in @@ -102,6 +102,7 @@ #include <include/accel-ppp/vlan.xml.i> </children> </tagNode> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> #include <include/name-server-ipv4-ipv6.xml.i> <node name="client-ip-pool"> <properties> diff --git a/interface-definitions/service-pppoe-server.xml.in b/interface-definitions/service-pppoe-server.xml.in index 022ac2885..44b689fe1 100644 --- a/interface-definitions/service-pppoe-server.xml.in +++ b/interface-definitions/service-pppoe-server.xml.in @@ -73,6 +73,7 @@ </children> </tagNode> #include <include/accel-ppp/gateway-address.xml.i> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> #include <include/accel-ppp/mtu-128-16384.xml.i> <node name="limits"> <properties> diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in index ee0edc3e3..60a1d323b 100644 --- a/interface-definitions/vpn-l2tp.xml.in +++ b/interface-definitions/vpn-l2tp.xml.in @@ -13,6 +13,7 @@ <help>Remote access L2TP VPN</help> </properties> <children> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> #include <include/accel-ppp/mtu-128-16384.xml.i> <leafNode name="outside-address"> <properties> diff --git a/interface-definitions/vpn-pptp.xml.in b/interface-definitions/vpn-pptp.xml.in index 5a8b4a78a..964c4d21e 100644 --- a/interface-definitions/vpn-pptp.xml.in +++ b/interface-definitions/vpn-pptp.xml.in @@ -13,6 +13,7 @@ <help>Remote access PPTP VPN</help> </properties> <children> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> #include <include/accel-ppp/mtu-128-16384.xml.i> <leafNode name="outside-address"> <properties> diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in index 9e912063f..9c818ba60 100644 --- a/interface-definitions/vpn-sstp.xml.in +++ b/interface-definitions/vpn-sstp.xml.in @@ -25,6 +25,7 @@ </node> </children> </node> + #include <include/accel-ppp/max-concurrent-sessions.xml.i> #include <include/interface/mtu-68-1500.xml.i> #include <include/accel-ppp/gateway-address.xml.i> #include <include/name-server-ipv4-ipv6.xml.i> diff --git a/interface-definitions/vpp.xml.in b/interface-definitions/vpp.xml.in deleted file mode 100644 index 3f0758c0a..000000000 --- a/interface-definitions/vpp.xml.in +++ /dev/null @@ -1,342 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="vpp" owner="${vyos_conf_scripts_dir}/vpp.py"> - <properties> - <help>Accelerated data-plane</help> - <priority>295</priority> - </properties> - <children> - <node name="cpu"> - <properties> - <help>CPU settings</help> - </properties> - <children> - <leafNode name="corelist-workers"> - <properties> - <help>List of cores worker threads</help> - <valueHelp> - <format><id></format> - <description>CPU core id</description> - </valueHelp> - <valueHelp> - <format><idN>-<idM></format> - <description>CPU core id range (use '-' as delimiter)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--allow-range --range 0-512"/> - </constraint> - <constraintErrorMessage>not a valid CPU core value or range</constraintErrorMessage> - <multi/> - </properties> - </leafNode> - <leafNode name="main-core"> - <properties> - <help>Main core</help> - <valueHelp> - <format>u32:0-512</format> - <description>Assign main thread to specific core</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-512"/> - </constraint> - </properties> - </leafNode> - <leafNode name="skip-cores"> - <properties> - <help>Skip cores</help> - <valueHelp> - <format>u32:0-512</format> - <description>Skip cores</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-512"/> - </constraint> - </properties> - </leafNode> - <leafNode name="workers"> - <properties> - <help>Create worker threads</help> - <valueHelp> - <format>u32:0-4294967295</format> - <description>Worker threads</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-512"/> - </constraint> - </properties> - </leafNode> - </children> - </node> - <tagNode name="interface"> - <properties> - <help>Interface</help> - <valueHelp> - <format>ethN</format> - <description>Interface name</description> - </valueHelp> - <constraint> - <regex>((eth|lan)[0-9]+|(eno|ens|enp|enx).+)</regex> - </constraint> - <constraintErrorMessage>Invalid interface name</constraintErrorMessage> - </properties> - <children> - <leafNode name="num-rx-desc"> - <properties> - <help>Number of receive ring descriptors</help> - <valueHelp> - <format>u32:256-8192</format> - <description>Number of receive ring descriptors</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 256-8192"/> - </constraint> - </properties> - </leafNode> - <leafNode name="num-tx-desc"> - <properties> - <help>Number of tranceive ring descriptors</help> - <valueHelp> - <format>u32:256-8192</format> - <description>Number of tranceive ring descriptors</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 256-8192"/> - </constraint> - </properties> - </leafNode> - <leafNode name="num-rx-queues"> - <properties> - <help>Number of receive ring descriptors</help> - <valueHelp> - <format>u32:256-8192</format> - <description>Number of receive queues</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 256-8192"/> - </constraint> - </properties> - </leafNode> - <leafNode name="num-tx-queues"> - <properties> - <help>Number of tranceive ring descriptors</help> - <valueHelp> - <format>u32:256-8192</format> - <description>Number of tranceive queues</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 256-8192"/> - </constraint> - </properties> - </leafNode> - <leafNode name='pci'> - <properties> - <help>PCI address allocation</help> - <valueHelp> - <format>auto</format> - <description>Auto detect PCI address</description> - </valueHelp> - <valueHelp> - <format><xxxx:xx:xx.x></format> - <description>Set Peripheral Component Interconnect (PCI) address</description> - </valueHelp> - <constraint> - <regex>(auto|[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F])</regex> - </constraint> - </properties> - <defaultValue>auto</defaultValue> - </leafNode> - <leafNode name="rx-mode"> - <properties> - <help>Receive packet processing mode</help> - <completionHelp> - <list>polling interrupt adaptive</list> - </completionHelp> - <valueHelp> - <format>polling</format> - <description>Constantly check for new data</description> - </valueHelp> - <valueHelp> - <format>interrupt</format> - <description>Interrupt mode</description> - </valueHelp> - <valueHelp> - <format>adaptive</format> - <description>Adaptive mode</description> - </valueHelp> - <constraint> - <regex>(polling|interrupt|adaptive)</regex> - </constraint> - </properties> - </leafNode> - </children> - </tagNode> - <node name="ip"> - <properties> - <help>IP settings</help> - </properties> - <children> - <leafNode name="heap-size"> - <properties> - <help>IPv4 heap size</help> - <valueHelp> - <format>u32:0-4294967295</format> - <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-4294967295"/> - </constraint> - </properties> - <defaultValue>32</defaultValue> - </leafNode> - </children> - </node> - <node name="ip6"> - <properties> - <help>IPv6 settings</help> - </properties> - <children> - <leafNode name="heap-size"> - <properties> - <help>IPv6 heap size</help> - <valueHelp> - <format>u32:0-4294967295</format> - <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-4294967295"/> - </constraint> - </properties> - <defaultValue>32</defaultValue> - </leafNode> - <leafNode name="hash-buckets"> - <properties> - <help>IPv6 forwarding table hash buckets</help> - <valueHelp> - <format>u32:1-4294967295</format> - <description>IPv6 forwarding table hash buckets</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-4294967295"/> - </constraint> - </properties> - <defaultValue>65536</defaultValue> - </leafNode> - </children> - </node> - <node name="l2learn"> - <properties> - <help>Level 2 MAC address learning settings</help> - </properties> - <children> - <leafNode name="limit"> - <properties> - <help>Number of MAC addresses in the L2 FIB</help> - <valueHelp> - <format>u32:1-4294967295</format> - <description>Number of concurent entries</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-4294967295"/> - </constraint> - </properties> - <defaultValue>4194304</defaultValue> - </leafNode> - </children> - </node> - <node name="logging"> - <properties> - <help>Loggint settings</help> - </properties> - <children> - <leafNode name="default-log-level"> - <properties> - <help>default-log-level</help> - <completionHelp> - <list>alert crit debug disabled emerg err info notice warn</list> - </completionHelp> - <valueHelp> - <format>alert</format> - <description>Alert</description> - </valueHelp> - <valueHelp> - <format>crit</format> - <description>Critical</description> - </valueHelp> - <valueHelp> - <format>debug</format> - <description>Debug</description> - </valueHelp> - <valueHelp> - <format>disabled</format> - <description>Disabled</description> - </valueHelp> - <valueHelp> - <format>emerg</format> - <description>Emergency</description> - </valueHelp> - <valueHelp> - <format>err</format> - <description>Error</description> - </valueHelp> - <valueHelp> - <format>info</format> - <description>Informational</description> - </valueHelp> - <valueHelp> - <format>notice</format> - <description>Notice</description> - </valueHelp> - <valueHelp> - <format>warn</format> - <description>Warning</description> - </valueHelp> - <constraint> - <regex>(alert|crit|debug|disabled|emerg|err|info|notice|warn)</regex> - </constraint> - </properties> - </leafNode> - </children> - </node> - <node name="physmem"> - <properties> - <help>Memory settings</help> - </properties> - <children> - <leafNode name="max-size"> - <properties> - <help>Set memory size for protectable memory allocator (pmalloc) memory space</help> - <valueHelp> - <format><number>m</format> - <description>Megabyte</description> - </valueHelp> - <valueHelp> - <format><number>g</format> - <description>Gigabyte</description> - </valueHelp> - </properties> - </leafNode> - </children> - </node> - <node name="unix"> - <properties> - <help>Unix settings</help> - </properties> - <children> - <leafNode name="poll-sleep-usec"> - <properties> - <help>Add a fixed-sleep between main loop poll</help> - <valueHelp> - <format>u32:0-4294967295</format> - <description>Number of receive queues</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-4294967295"/> - </constraint> - </properties> - <defaultValue>0</defaultValue> - </leafNode> - </children> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/op-mode-definitions/nat66.xml.in b/op-mode-definitions/nat66.xml.in index 6a8a39000..4df20d847 100644 --- a/op-mode-definitions/nat66.xml.in +++ b/op-mode-definitions/nat66.xml.in @@ -16,7 +16,7 @@ <properties> <help>Show configured source NAT66 rules</help> </properties> - <command>${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet6</command> + <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet6</command> </node> <node name="statistics"> <properties> @@ -39,7 +39,7 @@ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6 --address "$6"</command> </tagNode> </children> - <command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6</command> + <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6</command> </node> </children> </node> @@ -52,7 +52,7 @@ <properties> <help>Show configured destination NAT66 rules</help> </properties> - <command>${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet6</command> + <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet6</command> </node> <node name="statistics"> <properties> @@ -75,7 +75,7 @@ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6 --address "$6"</command> </tagNode> </children> - <command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6</command> + <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6</command> </node> </children> </node> diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py index 1fe5db7cd..8c5a0220e 100644 --- a/python/vyos/ifconfig/vxlan.py +++ b/python/vyos/ifconfig/vxlan.py @@ -56,6 +56,10 @@ class VXLANIf(Interface): } _command_set = {**Interface._command_set, **{ + 'neigh_suppress': { + 'validate': lambda v: assert_list(v, ['on', 'off']), + 'shellcmd': 'bridge link set dev {ifname} neigh_suppress {value} learning off', + }, 'vlan_tunnel': { 'validate': lambda v: assert_list(v, ['on', 'off']), 'shellcmd': 'bridge link set dev {ifname} vlan_tunnel {value}', @@ -68,8 +72,8 @@ class VXLANIf(Interface): # - https://man7.org/linux/man-pages/man8/ip-link.8.html mapping = { 'group' : 'group', - 'external' : 'external', 'gpe' : 'gpe', + 'parameters.external' : 'external', 'parameters.ip.df' : 'df', 'parameters.ip.tos' : 'tos', 'parameters.ip.ttl' : 'ttl', @@ -113,6 +117,19 @@ class VXLANIf(Interface): 'port {port} dev {ifname}' self._cmd(cmd.format(**self.config)) + def set_neigh_suppress(self, state): + """ + Controls whether neigh discovery (arp and nd) proxy and suppression + is enabled on the port. By default this flag is off. + """ + + # Determine current OS Kernel neigh_suppress setting - only adjust when needed + tmp = get_interface_config(self.ifname) + cur_state = 'on' if dict_search(f'linkinfo.info_slave_data.neigh_suppress', tmp) == True else 'off' + new_state = 'on' if state else 'off' + if cur_state != new_state: + self.set_interface('neigh_suppress', state) + def set_vlan_vni_mapping(self, state): """ Controls whether vlan to tunnel mapping is enabled on the port. @@ -163,3 +180,9 @@ class VXLANIf(Interface): # Enable/Disable VLAN tunnel mapping # This is only possible after the interface was assigned to the bridge self.set_vlan_vni_mapping(dict_search('vlan_to_vni', config) != None) + + # Enable/Disable neighbor suppression and learning, there is no need to + # explicitly "disable" it, as VXLAN interface will be recreated if anything + # under "parameters" changes. + if dict_search('parameters.neighbor_suppress', config) != None: + self.set_neigh_suppress('on') diff --git a/python/vyos/vpp.py b/python/vyos/vpp.py deleted file mode 100644 index 76e5d29c3..000000000 --- a/python/vyos/vpp.py +++ /dev/null @@ -1,315 +0,0 @@ -# Copyright 2023 VyOS maintainers and contributors <maintainers@vyos.io> -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library. If not, see <http://www.gnu.org/licenses/>. - -from functools import wraps -from pathlib import Path -from re import search as re_search, fullmatch as re_fullmatch, MULTILINE as re_M -from subprocess import run -from time import sleep - -from vpp_papi import VPPApiClient -from vpp_papi import VPPIOError, VPPValueError - - -class VPPControl: - """Control VPP network stack - """ - - class _Decorators: - """Decorators for VPPControl - """ - - @classmethod - def api_call(cls, decorated_func): - """Check if API is connected before API call - - Args: - decorated_func: function to decorate - - Raises: - VPPIOError: Connection to API is not established - """ - - @wraps(decorated_func) - def api_safe_wrapper(cls, *args, **kwargs): - if not cls.vpp_api_client.transport.connected: - raise VPPIOError(2, 'VPP API is not connected') - return decorated_func(cls, *args, **kwargs) - - return api_safe_wrapper - - @classmethod - def check_retval(cls, decorated_func): - """Check retval from API response - - Args: - decorated_func: function to decorate - - Raises: - VPPValueError: raised when retval is not 0 - """ - - @wraps(decorated_func) - def check_retval_wrapper(cls, *args, **kwargs): - return_value = decorated_func(cls, *args, **kwargs) - if not return_value.retval == 0: - raise VPPValueError( - f'VPP API call failed: {return_value.retval}') - return return_value - - return check_retval_wrapper - - def __init__(self, attempts: int = 5, interval: int = 1000) -> None: - """Create VPP API connection - - Args: - attempts (int, optional): attempts to connect. Defaults to 5. - interval (int, optional): interval between attempts in ms. Defaults to 1000. - - Raises: - VPPIOError: Connection to API cannot be established - """ - self.vpp_api_client = VPPApiClient() - # connect with interval - while attempts: - try: - attempts -= 1 - self.vpp_api_client.connect('vpp-vyos') - break - except (ConnectionRefusedError, FileNotFoundError) as err: - print(f'VPP API connection timeout: {err}') - sleep(interval / 1000) - # raise exception if connection was not successful in the end - if not self.vpp_api_client.transport.connected: - raise VPPIOError(2, 'Cannot connect to VPP API') - - def __del__(self) -> None: - """Disconnect from VPP API (destructor) - """ - self.disconnect() - - def disconnect(self) -> None: - """Disconnect from VPP API - """ - if self.vpp_api_client.transport.connected: - self.vpp_api_client.disconnect() - - @_Decorators.check_retval - @_Decorators.api_call - def cli_cmd(self, command: str): - """Send raw CLI command - - Args: - command (str): command to send - - Returns: - vpp_papi.vpp_serializer.cli_inband_reply: CLI reply class - """ - return self.vpp_api_client.api.cli_inband(cmd=command) - - @_Decorators.api_call - def get_mac(self, ifname: str) -> str: - """Find MAC address by interface name in VPP - - Args: - ifname (str): interface name inside VPP - - Returns: - str: MAC address - """ - for iface in self.vpp_api_client.api.sw_interface_dump(): - if iface.interface_name == ifname: - return iface.l2_address.mac_string - return '' - - @_Decorators.api_call - def get_sw_if_index(self, ifname: str) -> int | None: - """Find interface index by interface name in VPP - - Args: - ifname (str): interface name inside VPP - - Returns: - int | None: Interface index or None (if was not fount) - """ - for iface in self.vpp_api_client.api.sw_interface_dump(): - if iface.interface_name == ifname: - return iface.sw_if_index - return None - - @_Decorators.check_retval - @_Decorators.api_call - def lcp_pair_add(self, iface_name_vpp: str, iface_name_kernel: str) -> None: - """Create LCP interface pair between VPP and kernel - - Args: - iface_name_vpp (str): interface name in VPP - iface_name_kernel (str): interface name in kernel - """ - iface_index = self.get_sw_if_index(iface_name_vpp) - if iface_index: - return self.vpp_api_client.api.lcp_itf_pair_add_del( - is_add=True, - sw_if_index=iface_index, - host_if_name=iface_name_kernel) - - @_Decorators.check_retval - @_Decorators.api_call - def lcp_pair_del(self, iface_name_vpp: str, iface_name_kernel: str) -> None: - """Delete LCP interface pair between VPP and kernel - - Args: - iface_name_vpp (str): interface name in VPP - iface_name_kernel (str): interface name in kernel - """ - iface_index = self.get_sw_if_index(iface_name_vpp) - if iface_index: - return self.vpp_api_client.api.lcp_itf_pair_add_del( - is_add=False, - sw_if_index=iface_index, - host_if_name=iface_name_kernel) - - @_Decorators.check_retval - @_Decorators.api_call - def iface_rxmode(self, iface_name: str, rx_mode: str) -> None: - """Set interface rx-mode in VPP - - Args: - iface_name (str): interface name in VPP - rx_mode (str): mode (polling, interrupt, adaptive) - """ - modes_dict: dict[str, int] = { - 'polling': 1, - 'interrupt': 2, - 'adaptive': 3 - } - if rx_mode not in modes_dict: - raise VPPValueError(f'Mode {rx_mode} is not known') - iface_index = self.get_sw_if_index(iface_name) - return self.vpp_api_client.api.sw_interface_set_rx_mode( - sw_if_index=iface_index, mode=modes_dict[rx_mode]) - - @_Decorators.api_call - def get_pci_addr(self, ifname: str) -> str: - """Find PCI address of interface by interface name in VPP - - Args: - ifname (str): interface name inside VPP - - Returns: - str: PCI address - """ - hw_info = self.cli_cmd(f'show hardware-interfaces {ifname}').reply - - regex_filter = r'^\s+pci: device (?P<device>\w+:\w+) subsystem (?P<subsystem>\w+:\w+) address (?P<address>\w+:\w+:\w+\.\w+) numa (?P<numa>\w+)$' - re_obj = re_search(regex_filter, hw_info, re_M) - - # return empty string if no interface or no PCI info was found - if not hw_info or not re_obj: - return '' - - address = re_obj.groupdict().get('address', '') - - # we need to modify address to math kernel style - # for example: 0000:06:14.00 -> 0000:06:14.0 - address_chunks: list[str] = address.split('.') - address_normalized: str = f'{address_chunks[0]}.{int(address_chunks[1])}' - - return address_normalized - - -class HostControl: - """Control Linux host - """ - - @staticmethod - def pci_rescan(pci_addr: str = '') -> None: - """Rescan PCI device by removing it and rescan PCI bus - - If PCI address is not defined - just rescan PCI bus - - Args: - address (str, optional): PCI address of device. Defaults to ''. - """ - if pci_addr: - device_file = Path(f'/sys/bus/pci/devices/{pci_addr}/remove') - if device_file.exists(): - device_file.write_text('1') - # wait 10 seconds max until device will be removed - attempts = 100 - while device_file.exists() and attempts: - attempts -= 1 - sleep(0.1) - if device_file.exists(): - raise TimeoutError( - f'Timeout was reached for removing PCI device {pci_addr}' - ) - else: - raise FileNotFoundError(f'PCI device {pci_addr} does not exist') - rescan_file = Path('/sys/bus/pci/rescan') - rescan_file.write_text('1') - if pci_addr: - # wait 10 seconds max until device will be installed - attempts = 100 - while not device_file.exists() and attempts: - attempts -= 1 - sleep(0.1) - if not device_file.exists(): - raise TimeoutError( - f'Timeout was reached for installing PCI device {pci_addr}') - - @staticmethod - def get_eth_name(pci_addr: str) -> str: - """Find Ethernet interface name by PCI address - - Args: - pci_addr (str): PCI address - - Raises: - FileNotFoundError: no Ethernet interface was found - - Returns: - str: Ethernet interface name - """ - # find all PCI devices with eth* names - net_devs: dict[str, str] = {} - net_devs_dir = Path('/sys/class/net') - regex_filter = r'^/sys/devices/pci[\w/:\.]+/(?P<pci_addr>\w+:\w+:\w+\.\w+)/[\w/:\.]+/(?P<iface_name>eth\d+)$' - for dir in net_devs_dir.iterdir(): - real_dir: str = dir.resolve().as_posix() - re_obj = re_fullmatch(regex_filter, real_dir) - if re_obj: - iface_name: str = re_obj.group('iface_name') - iface_addr: str = re_obj.group('pci_addr') - net_devs.update({iface_addr: iface_name}) - # match to provided PCI address and return a name if found - if pci_addr in net_devs: - return net_devs[pci_addr] - # raise error if device was not found - raise FileNotFoundError( - f'PCI device {pci_addr} not found in ethernet interfaces') - - @staticmethod - def rename_iface(name_old: str, name_new: str) -> None: - """Rename interface - - Args: - name_old (str): old name - name_new (str): new name - """ - rename_cmd: list[str] = [ - 'ip', 'link', 'set', name_old, 'name', name_new - ] - run(rename_cmd) diff --git a/smoketest/config-tests/dialup-router-medium-vpn b/smoketest/config-tests/dialup-router-medium-vpn index 37baee0fd..e10adbbc6 100644 --- a/smoketest/config-tests/dialup-router-medium-vpn +++ b/smoketest/config-tests/dialup-router-medium-vpn @@ -141,65 +141,65 @@ set interfaces wireguard wg1 peer sam preshared-key 'XpFtzx2Z+nR8pBv9/sSf7I94OkZ set interfaces wireguard wg1 peer sam public-key 'v5zfKGvH6W/lfDXJ0en96lvKo1gfFxMUWxe02+Fj5BU=' set interfaces wireguard wg1 port '7778' set nat destination rule 50 destination port '49371' -set nat destination rule 50 inbound-interface 'pppoe0' +set nat destination rule 50 inbound-interface name 'pppoe0' set nat destination rule 50 protocol 'tcp_udp' set nat destination rule 50 translation address '192.168.0.5' set nat destination rule 51 destination port '58050-58051' -set nat destination rule 51 inbound-interface 'pppoe0' +set nat destination rule 51 inbound-interface name 'pppoe0' set nat destination rule 51 protocol 'tcp' set nat destination rule 51 translation address '192.168.0.5' set nat destination rule 52 destination port '22067-22070' -set nat destination rule 52 inbound-interface 'pppoe0' +set nat destination rule 52 inbound-interface name 'pppoe0' set nat destination rule 52 protocol 'tcp' set nat destination rule 52 translation address '192.168.0.5' set nat destination rule 53 destination port '34342' -set nat destination rule 53 inbound-interface 'pppoe0' +set nat destination rule 53 inbound-interface name 'pppoe0' set nat destination rule 53 protocol 'tcp_udp' set nat destination rule 53 translation address '192.168.0.121' set nat destination rule 54 destination port '45459' -set nat destination rule 54 inbound-interface 'pppoe0' +set nat destination rule 54 inbound-interface name 'pppoe0' set nat destination rule 54 protocol 'tcp_udp' set nat destination rule 54 translation address '192.168.0.120' set nat destination rule 55 destination port '22' -set nat destination rule 55 inbound-interface 'pppoe0' +set nat destination rule 55 inbound-interface name 'pppoe0' set nat destination rule 55 protocol 'tcp' set nat destination rule 55 translation address '192.168.0.5' set nat destination rule 56 destination port '8920' -set nat destination rule 56 inbound-interface 'pppoe0' +set nat destination rule 56 inbound-interface name 'pppoe0' set nat destination rule 56 protocol 'tcp' set nat destination rule 56 translation address '192.168.0.5' set nat destination rule 60 destination port '80,443' -set nat destination rule 60 inbound-interface 'pppoe0' +set nat destination rule 60 inbound-interface name 'pppoe0' set nat destination rule 60 protocol 'tcp' set nat destination rule 60 translation address '192.168.0.5' set nat destination rule 70 destination port '5001' -set nat destination rule 70 inbound-interface 'pppoe0' +set nat destination rule 70 inbound-interface name 'pppoe0' set nat destination rule 70 protocol 'tcp' set nat destination rule 70 translation address '192.168.0.5' set nat destination rule 80 destination port '25' -set nat destination rule 80 inbound-interface 'pppoe0' +set nat destination rule 80 inbound-interface name 'pppoe0' set nat destination rule 80 protocol 'tcp' set nat destination rule 80 translation address '192.168.0.5' set nat destination rule 90 destination port '8123' -set nat destination rule 90 inbound-interface 'pppoe0' +set nat destination rule 90 inbound-interface name 'pppoe0' set nat destination rule 90 protocol 'tcp' set nat destination rule 90 translation address '192.168.0.7' set nat destination rule 91 destination port '1880' -set nat destination rule 91 inbound-interface 'pppoe0' +set nat destination rule 91 inbound-interface name 'pppoe0' set nat destination rule 91 protocol 'tcp' set nat destination rule 91 translation address '192.168.0.7' set nat destination rule 500 destination address '!192.168.0.0/24' set nat destination rule 500 destination port '53' -set nat destination rule 500 inbound-interface 'eth1' +set nat destination rule 500 inbound-interface name 'eth1' set nat destination rule 500 protocol 'tcp_udp' set nat destination rule 500 source address '!192.168.0.1-192.168.0.5' set nat destination rule 500 translation address '192.168.0.1' -set nat source rule 1000 outbound-interface 'pppoe0' +set nat source rule 1000 outbound-interface name 'pppoe0' set nat source rule 1000 translation address 'masquerade' -set nat source rule 2000 outbound-interface 'vtun0' +set nat source rule 2000 outbound-interface name 'vtun0' set nat source rule 2000 source address '192.168.0.0/16' set nat source rule 2000 translation address 'masquerade' -set nat source rule 3000 outbound-interface 'vtun1' +set nat source rule 3000 outbound-interface name 'vtun1' set nat source rule 3000 translation address 'masquerade' set policy prefix-list user1-routes rule 1 action 'permit' set policy prefix-list user1-routes rule 1 prefix '192.168.0.0/24' diff --git a/smoketest/scripts/cli/test_interfaces_vxlan.py b/smoketest/scripts/cli/test_interfaces_vxlan.py index e9c9e68fd..17e4fc36f 100755 --- a/smoketest/scripts/cli/test_interfaces_vxlan.py +++ b/smoketest/scripts/cli/test_interfaces_vxlan.py @@ -107,7 +107,7 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase): def test_vxlan_external(self): interface = 'vxlan0' source_address = '192.0.2.1' - self.cli_set(self._base_path + [interface, 'external']) + self.cli_set(self._base_path + [interface, 'parameters', 'external']) self.cli_set(self._base_path + [interface, 'source-address', source_address]) # Both 'VNI' and 'external' can not be specified at the same time. @@ -150,7 +150,7 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase): '31': '10031', } - self.cli_set(self._base_path + [interface, 'external']) + self.cli_set(self._base_path + [interface, 'parameters', 'external']) self.cli_set(self._base_path + [interface, 'source-interface', source_interface]) for vlan, vni in vlan_to_vni.items(): @@ -177,11 +177,50 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase): tmp = get_interface_config(interface) self.assertEqual(tmp['master'], bridge) + self.assertFalse(tmp['linkinfo']['info_slave_data']['neigh_suppress']) tmp = get_vxlan_vlan_tunnels('vxlan0') self.assertEqual(tmp, list(vlan_to_vni)) self.cli_delete(['interfaces', 'bridge', bridge]) + def test_vxlan_neighbor_suppress(self): + bridge = 'br555' + interface = 'vxlan555' + source_interface = 'eth0' + + self.cli_set(self._base_path + [interface, 'parameters', 'external']) + self.cli_set(self._base_path + [interface, 'source-interface', source_interface]) + + self.cli_set(self._base_path + [interface, 'parameters', 'neighbor-suppress']) + + # This must fail as this VXLAN interface is not associated with any bridge + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_set(['interfaces', 'bridge', bridge, 'member', 'interface', interface]) + + # commit configuration + self.cli_commit() + + self.assertTrue(interface_exists(bridge)) + self.assertTrue(interface_exists(interface)) + + tmp = get_interface_config(interface) + self.assertEqual(tmp['master'], bridge) + self.assertTrue(tmp['linkinfo']['info_slave_data']['neigh_suppress']) + self.assertFalse(tmp['linkinfo']['info_slave_data']['learning']) + + # Remove neighbor suppress configuration and re-test + self.cli_delete(self._base_path + [interface, 'parameters', 'neighbor-suppress']) + # commit configuration + self.cli_commit() + + tmp = get_interface_config(interface) + self.assertEqual(tmp['master'], bridge) + self.assertFalse(tmp['linkinfo']['info_slave_data']['neigh_suppress']) + self.assertTrue(tmp['linkinfo']['info_slave_data']['learning']) + + self.cli_delete(['interfaces', 'bridge', bridge]) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_syslog.py b/smoketest/scripts/cli/test_system_syslog.py new file mode 100755 index 000000000..933a5704c --- /dev/null +++ b/smoketest/scripts/cli/test_system_syslog.py @@ -0,0 +1,85 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2019-2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import re +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM + +from vyos.configsession import ConfigSessionError +from vyos.template import is_ipv4 +from vyos.template import address_from_cidr +from vyos.utils.process import call +from vyos.utils.process import DEVNULL +from vyos.utils.file import read_file +from vyos.utils.process import process_named_running +from vyos.version import get_version_data + +PROCESS_NAME = 'rsyslogd' +RSYSLOG_CONF = '/etc/rsyslog.d/00-vyos.conf' + +base_path = ['system', 'syslog'] + +def get_config_value(key): + tmp = read_file(RSYSLOG_CONF) + tmp = re.findall(r'\n?{}\s+(.*)'.format(key), tmp) + return tmp[0] + +class TestRSYSLOGService(VyOSUnitTestSHIM.TestCase): + @classmethod + def setUpClass(cls): + super(TestRSYSLOGService, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, base_path) + + def tearDown(self): + # Check for running process + self.assertTrue(process_named_running(PROCESS_NAME)) + + # delete testing SYSLOG config + self.cli_delete(base_path) + self.cli_commit() + + # Check for running process + self.assertFalse(process_named_running(PROCESS_NAME)) + + def test_syslog_basic(self): + host1 = '198.51.100.1' + host2 = '192.0.2.1' + + self.cli_set(base_path + ['host', host1, 'port', '999']) + self.cli_set(base_path + ['host', host1, 'facility', 'all', 'level', 'all']) + self.cli_set(base_path + ['host', host2, 'facility', 'kern', 'level', 'err']) + self.cli_set(base_path + ['console', 'facility', 'all', 'level', 'warning']) + + + self.cli_commit() + # verify log level and facilities in config file + # *.warning /dev/console + # *.* @198.51.100.1:999 + # kern.err @192.0.2.1:514 + config = [get_config_value('\*.\*'), get_config_value('kern.err'), get_config_value('\*.warning')] + expected = ['@198.51.100.1:999', '@192.0.2.1:514', '/dev/console'] + + for i in range(0,3): + self.assertIn(expected[i], config[i]) + # Check for running process + self.assertTrue(process_named_running(PROCESS_NAME)) + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index ff8144e74..6bf3227d5 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -34,6 +34,7 @@ from vyos.configverify import verify_bond_bridge_member from vyos.ifconfig import Interface from vyos.ifconfig import VXLANIf from vyos.template import is_ipv6 +from vyos.utils.dict import dict_search from vyos import ConfigError from vyos import airbag airbag.enable() @@ -53,7 +54,7 @@ def get_config(config=None): # VXLAN interfaces are picky and require recreation if certain parameters # change. But a VXLAN interface should - of course - not be re-created if # it's description or IP address is adjusted. Feels somehow logic doesn't it? - for cli_option in ['parameters', 'external', 'gpe', 'group', 'port', 'remote', + for cli_option in ['parameters', 'gpe', 'group', 'port', 'remote', 'source-address', 'source-interface', 'vni']: if is_node_changed(conf, base + [ifname, cli_option]): vxlan.update({'rebuild_required': {}}) @@ -94,17 +95,17 @@ def verify(vxlan): if not any(tmp in ['group', 'remote', 'source_address', 'source_interface'] for tmp in vxlan): raise ConfigError('Group, remote, source-address or source-interface must be configured') - if 'vni' not in vxlan and 'external' not in vxlan: - raise ConfigError( - 'Must either configure VXLAN "vni" or use "external" CLI option!') + if 'vni' not in vxlan and dict_search('parameters.external', vxlan) == None: + raise ConfigError('Must either configure VXLAN "vni" or use "external" CLI option!') - if {'external', 'vni'} <= set(vxlan): - raise ConfigError('Can not specify both "external" and "VNI"!') + if dict_search('parameters.external', vxlan): + if 'vni' in vxlan: + raise ConfigError('Can not specify both "external" and "VNI"!') - if {'external', 'other_tunnels'} <= set(vxlan): - other_tunnels = ', '.join(vxlan['other_tunnels']) - raise ConfigError(f'Only one VXLAN tunnel is supported when "external" '\ - f'CLI option is used. Additional tunnels: {other_tunnels}') + if 'other_tunnels' in vxlan: + other_tunnels = ', '.join(vxlan['other_tunnels']) + raise ConfigError(f'Only one VXLAN tunnel is supported when "external" '\ + f'CLI option is used. Additional tunnels: {other_tunnels}') if 'gpe' in vxlan and 'external' not in vxlan: raise ConfigError(f'VXLAN-GPE is only supported when "external" '\ @@ -164,6 +165,11 @@ def verify(vxlan): raise ConfigError(f'VNI "{vni}" is already assigned to a different VLAN!') vnis_used.append(vni) + if dict_search('parameters.neighbor_suppress', vxlan): + if 'is_bridge_member' not in vxlan: + raise ConfigError('Neighbor suppression requires that VXLAN interface '\ + 'is member of a bridge interface!') + verify_mtu_ipv6(vxlan) verify_address(vxlan) verify_bond_bridge_member(vxlan) diff --git a/src/conf_mode/vpp.py b/src/conf_mode/vpp.py deleted file mode 100755 index 82c2f236e..000000000 --- a/src/conf_mode/vpp.py +++ /dev/null @@ -1,207 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2023 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import os -from psutil import virtual_memory - -from pathlib import Path -from re import search as re_search, MULTILINE as re_M - -from vyos.config import Config -from vyos.configdep import set_dependents, call_dependents -from vyos.configdict import node_changed -from vyos.ifconfig import Section -from vyos.utils.boot import boot_configuration_complete -from vyos.utils.process import call -from vyos.utils.process import rc_cmd -from vyos.utils.system import sysctl_read -from vyos.utils.system import sysctl_apply -from vyos.template import render - -from vyos import ConfigError -from vyos import airbag -from vyos.vpp import VPPControl -from vyos.vpp import HostControl - -airbag.enable() - -service_name = 'vpp' -service_conf = Path(f'/run/vpp/{service_name}.conf') -systemd_override = '/run/systemd/system/vpp.service.d/10-override.conf' - -# Free memory required for VPP -# 2 GB for hugepages + 1 GB for other services -MIN_AVAILABLE_MEMORY: int = 3 * 1024**3 - - -def _get_pci_address_by_interface(iface) -> str: - rc, out = rc_cmd(f'ethtool -i {iface}') - # if ethtool command was successful - if rc == 0 and out: - regex_filter = r'^bus-info: (?P<address>\w+:\w+:\w+\.\w+)$' - re_obj = re_search(regex_filter, out, re_M) - # if bus-info with PCI address found - if re_obj: - address = re_obj.groupdict().get('address', '') - return address - # use VPP - maybe interface already attached to it - vpp_control = VPPControl(attempts=20, interval=500) - pci_addr = vpp_control.get_pci_addr(iface) - if pci_addr: - return pci_addr - # raise error if PCI address was not found - raise ConfigError(f'Cannot find PCI address for interface {iface}') - - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - - base = ['vpp'] - base_ethernet = ['interfaces', 'ethernet'] - - # find interfaces removed from VPP - removed_ifaces = [] - tmp = node_changed(conf, base + ['interface']) - if tmp: - for removed_iface in tmp: - pci_address: str = _get_pci_address_by_interface(removed_iface) - removed_ifaces.append({ - 'iface_name': removed_iface, - 'iface_pci_addr': pci_address - }) - # add an interface to a list of interfaces that need - # to be reinitialized after the commit - set_dependents('ethernet', conf, removed_iface) - - if not conf.exists(base): - return {'removed_ifaces': removed_ifaces} - - config = conf.get_config_dict(base, key_mangling=('-', '_'), - no_tag_node_value_mangle=True, - get_first_key=True, - with_recursive_defaults=True) - - if 'interface' in config: - for iface, iface_config in config['interface'].items(): - # add an interface to a list of interfaces that need - # to be reinitialized after the commit - set_dependents('ethernet', conf, iface) - - # Get PCI address auto - if iface_config['pci'] == 'auto': - config['interface'][iface]['pci'] = _get_pci_address_by_interface(iface) - - config['other_interfaces'] = conf.get_config_dict(base_ethernet, key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - if removed_ifaces: - config['removed_ifaces'] = removed_ifaces - - return config - - -def verify(config): - # bail out early - looks like removal from running config - if not config or (len(config) == 1 and 'removed_ifaces' in config): - return None - - if 'interface' not in config: - raise ConfigError('"interface" is required but not set!') - - if 'cpu' in config: - if 'corelist_workers' in config['cpu'] and 'main_core' not in config[ - 'cpu']: - raise ConfigError('"cpu main-core" is required but not set!') - - memory_available: int = virtual_memory().available - if memory_available < MIN_AVAILABLE_MEMORY: - raise ConfigError( - 'Not enough free memory to start VPP:\n' - f'available: {round(memory_available / 1024**3, 1)}GB\n' - f'required: {round(MIN_AVAILABLE_MEMORY / 1024**3, 1)}GB') - - -def generate(config): - if not config or (len(config) == 1 and 'removed_ifaces' in config): - # Remove old config and return - service_conf.unlink(missing_ok=True) - return None - - render(service_conf, 'vpp/startup.conf.j2', config) - render(systemd_override, 'vpp/override.conf.j2', config) - - # apply default sysctl values from - # https://github.com/FDio/vpp/blob/v23.06/src/vpp/conf/80-vpp.conf - sysctl_config: dict[str, str] = { - 'vm.nr_hugepages': '1024', - 'vm.max_map_count': '3096', - 'vm.hugetlb_shm_group': '0', - 'kernel.shmmax': '2147483648' - } - # we do not want to reduce `kernel.shmmax` - kernel_shmnax_current: str = sysctl_read('kernel.shmmax') - if int(kernel_shmnax_current) > int(sysctl_config['kernel.shmmax']): - sysctl_config['kernel.shmmax'] = kernel_shmnax_current - - if not sysctl_apply(sysctl_config): - raise ConfigError('Cannot configure sysctl parameters for VPP') - - return None - - -def apply(config): - if not config or (len(config) == 1 and 'removed_ifaces' in config): - call(f'systemctl stop {service_name}.service') - else: - call('systemctl daemon-reload') - call(f'systemctl restart {service_name}.service') - - # Initialize interfaces removed from VPP - for iface in config.get('removed_ifaces', []): - host_control = HostControl() - # rescan PCI to use a proper driver - host_control.pci_rescan(iface['iface_pci_addr']) - # rename to the proper name - iface_new_name: str = host_control.get_eth_name(iface['iface_pci_addr']) - host_control.rename_iface(iface_new_name, iface['iface_name']) - - if 'interface' in config: - # connect to VPP - # must be performed multiple attempts because API is not available - # immediately after the service restart - vpp_control = VPPControl(attempts=20, interval=500) - for iface, _ in config['interface'].items(): - # Create lcp - if iface not in Section.interfaces(): - vpp_control.lcp_pair_add(iface, iface) - - # reinitialize interfaces, but not during the first boot - if boot_configuration_complete(): - call_dependents() - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/migration-scripts/interfaces/31-to-32 b/src/migration-scripts/interfaces/31-to-32 index 35b397c39..ca3d19320 100755 --- a/src/migration-scripts/interfaces/31-to-32 +++ b/src/migration-scripts/interfaces/31-to-32 @@ -27,7 +27,8 @@ if len(argv) < 2: file_name = argv[1] with open(file_name, 'r') as f: config_file = f.read() - base = ['interfaces', 'vxlan'] + +base = ['interfaces', 'vxlan'] config = ConfigTree(config_file) if not config.exists(base): @@ -35,7 +36,11 @@ if not config.exists(base): exit(0) for vxlan in config.list_nodes(base): - if not config.exists(base + ['port']): + if config.exists(base + [vxlan, 'external']): + config.delete(base + [vxlan, 'external']) + config.set(base + [vxlan, 'parameters', 'external']) + + if not config.exists(base + [vxlan, 'port']): config.set(base + [vxlan, 'port'], value='8472') try: diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index 3434707ec..20f54b9ba 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -24,19 +24,28 @@ from vyos.config import Config from vyos.utils.process import cmd from vyos.utils.dict import dict_search_args -def get_config_firewall(conf, family=None, hook=None, priority=None): - config_path = ['firewall'] - if family: - config_path += [family] - if hook: - config_path += [hook] - if priority: - config_path += [priority] +def get_config_node(conf, node=None, family=None, hook=None, priority=None): + if node == 'nat': + if family == 'ipv6': + config_path = ['nat66'] + else: + config_path = ['nat'] - firewall = conf.get_config_dict(config_path, key_mangling=('-', '_'), + elif node == 'policy': + config_path = ['policy'] + else: + config_path = ['firewall'] + if family: + config_path += [family] + if hook: + config_path += [hook] + if priority: + config_path += [priority] + + node_config = conf.get_config_dict(config_path, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - return firewall + return node_config def get_nftables_details(family, hook, priority): if family == 'ipv6': @@ -102,7 +111,15 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N row.append(rule_details['conditions']) rows.append(row) - if 'default_action' in firewall_conf and not single_rule_id: + if hook in ['input', 'forward', 'output']: + def_action = firewall_conf['default_action'] if 'default_action' in firewall_conf else 'accept' + row = ['default', def_action, 'all'] + rule_details = details['default-action'] + row.append(rule_details.get('packets', 0)) + row.append(rule_details.get('bytes', 0)) + rows.append(row) + + elif 'default_action' in firewall_conf and not single_rule_id: row = ['default', firewall_conf['default_action'], 'all'] if 'default-action' in details: rule_details = details['default-action'] @@ -167,16 +184,16 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule dest_addr = 'any' # Get inbound interface - iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name') + iiface = dict_search_args(rule_conf, 'inbound_interface', 'name') if not iiface: - iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_group') + iiface = dict_search_args(rule_conf, 'inbound_interface', 'group') if not iiface: iiface = 'any' # Get outbound interface - oiface = dict_search_args(rule_conf, 'outbound_interface', 'interface_name') + oiface = dict_search_args(rule_conf, 'outbound_interface', 'name') if not oiface: - oiface = dict_search_args(rule_conf, 'outbound_interface', 'interface_group') + oiface = dict_search_args(rule_conf, 'outbound_interface', 'group') if not oiface: oiface = 'any' @@ -198,8 +215,9 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if hook in ['input', 'forward', 'output']: row = ['default'] - row.append('N/A') - row.append('N/A') + rule_details = details['default-action'] + row.append(rule_details.get('packets', 0)) + row.append(rule_details.get('bytes', 0)) if 'default_action' in prior_conf: row.append(prior_conf['default_action']) else: @@ -234,7 +252,7 @@ def show_firewall(): print('Rulesets Information') conf = Config() - firewall = get_config_firewall(conf) + firewall = get_config_node(conf) if not firewall: return @@ -249,7 +267,7 @@ def show_firewall_family(family): print(f'Rulesets {family} Information') conf = Config() - firewall = get_config_firewall(conf) + firewall = get_config_node(conf) if not firewall or family not in firewall: return @@ -262,7 +280,7 @@ def show_firewall_name(family, hook, priority): print('Ruleset Information') conf = Config() - firewall = get_config_firewall(conf, family, hook, priority) + firewall = get_config_node(conf, 'firewall', family, hook, priority) if firewall: output_firewall_name(family, hook, priority, firewall) @@ -270,17 +288,20 @@ def show_firewall_rule(family, hook, priority, rule_id): print('Rule Information') conf = Config() - firewall = get_config_firewall(conf, family, hook, priority) + firewall = get_config_node(conf, 'firewall', family, hook, priority) if firewall: output_firewall_name(family, hook, priority, firewall, rule_id) def show_firewall_group(name=None): conf = Config() - firewall = get_config_firewall(conf) + firewall = get_config_node(conf, node='firewall') if 'group' not in firewall: return + nat = get_config_node(conf, node='nat') + policy = get_config_node(conf, node='policy') + def find_references(group_type, group_name): out = [] family = [] @@ -296,6 +317,7 @@ def show_firewall_group(name=None): family = ['ipv4', 'ipv6'] for item in family: + # Look references in firewall for name_type in ['name', 'ipv6_name', 'forward', 'input', 'output']: if item in firewall: if name_type not in firewall[item]: @@ -308,8 +330,8 @@ def show_firewall_group(name=None): for rule_id, rule_conf in priority_conf['rule'].items(): source_group = dict_search_args(rule_conf, 'source', 'group', group_type) dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type) - in_interface = dict_search_args(rule_conf, 'inbound_interface', 'interface_group') - out_interface = dict_search_args(rule_conf, 'outbound_interface', 'interface_group') + in_interface = dict_search_args(rule_conf, 'inbound_interface', 'group') + out_interface = dict_search_args(rule_conf, 'outbound_interface', 'group') if source_group: if source_group[0] == "!": source_group = source_group[1:] @@ -330,6 +352,76 @@ def show_firewall_group(name=None): out_interface = out_interface[1:] if group_name == out_interface: out.append(f'{item}-{name_type}-{priority}-{rule_id}') + + # Look references in route | route6 + for name_type in ['route', 'route6']: + if name_type not in policy: + continue + if name_type == 'route' and item == 'ipv6': + continue + elif name_type == 'route6' and item == 'ipv4': + continue + else: + for policy_name, policy_conf in policy[name_type].items(): + if 'rule' not in policy_conf: + continue + for rule_id, rule_conf in policy_conf['rule'].items(): + source_group = dict_search_args(rule_conf, 'source', 'group', group_type) + dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type) + in_interface = dict_search_args(rule_conf, 'inbound_interface', 'group') + out_interface = dict_search_args(rule_conf, 'outbound_interface', 'group') + if source_group: + if source_group[0] == "!": + source_group = source_group[1:] + if group_name == source_group: + out.append(f'{name_type}-{policy_name}-{rule_id}') + if dest_group: + if dest_group[0] == "!": + dest_group = dest_group[1:] + if group_name == dest_group: + out.append(f'{name_type}-{policy_name}-{rule_id}') + if in_interface: + if in_interface[0] == "!": + in_interface = in_interface[1:] + if group_name == in_interface: + out.append(f'{name_type}-{policy_name}-{rule_id}') + if out_interface: + if out_interface[0] == "!": + out_interface = out_interface[1:] + if group_name == out_interface: + out.append(f'{name_type}-{policy_name}-{rule_id}') + + ## Look references in nat table + for direction in ['source', 'destination']: + if direction in nat: + if 'rule' not in nat[direction]: + continue + for rule_id, rule_conf in nat[direction]['rule'].items(): + source_group = dict_search_args(rule_conf, 'source', 'group', group_type) + dest_group = dict_search_args(rule_conf, 'destination', 'group', group_type) + in_interface = dict_search_args(rule_conf, 'inbound_interface', 'group') + out_interface = dict_search_args(rule_conf, 'outbound_interface', 'group') + if source_group: + if source_group[0] == "!": + source_group = source_group[1:] + if group_name == source_group: + out.append(f'nat-{direction}-{rule_id}') + if dest_group: + if dest_group[0] == "!": + dest_group = dest_group[1:] + if group_name == dest_group: + out.append(f'nat-{direction}-{rule_id}') + if in_interface: + if in_interface[0] == "!": + in_interface = in_interface[1:] + if group_name == in_interface: + out.append(f'nat-{direction}-{rule_id}') + if out_interface: + if out_interface[0] == "!": + out_interface = out_interface[1:] + if group_name == out_interface: + out.append(f'nat-{direction}-{rule_id}') + return out header = ['Name', 'Type', 'References', 'Members'] @@ -356,6 +448,7 @@ def show_firewall_group(name=None): row.append('N/D') rows.append(row) + if rows: print('Firewall Groups\n') print(tabulate.tabulate(rows, header)) @@ -364,7 +457,7 @@ def show_summary(): print('Ruleset Summary') conf = Config() - firewall = get_config_firewall(conf) + firewall = get_config_node(conf) if not firewall: return @@ -410,7 +503,7 @@ def show_statistics(): print('Rulesets Statistics') conf = Config() - firewall = get_config_firewall(conf) + firewall = get_config_node(conf) if not firewall: return diff --git a/src/validators/accel-radius-dictionary b/src/validators/accel-radius-dictionary deleted file mode 100755 index 05287e770..000000000 --- a/src/validators/accel-radius-dictionary +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -DICT_PATH=/usr/share/accel-ppp/radius -NAME=$1 - -if [ -n "$NAME" -a -e $DICT_PATH/dictionary.$NAME ]; then - exit 0 -else - echo "$NAME is not a valid RADIUS dictionary name" - echo "Please make sure that $DICT_PATH/dictionary.$NAME file exists" - exit 1 -fi - |