summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.github/reviewers.yml4
-rw-r--r--.github/workflows/auto-author-assign.yml2
-rw-r--r--Makefile5
-rw-r--r--data/op-mode-standardized.json1
-rw-r--r--data/templates/accel-ppp/l2tp.config.j28
-rw-r--r--data/templates/container/storage.conf.j22
-rw-r--r--data/templates/dhcp-server/dhcpd.conf.j24
-rw-r--r--data/templates/firewall/nftables-defines.j213
-rw-r--r--data/templates/high-availability/keepalived.conf.j212
-rw-r--r--data/templates/protocols/systemd_vyos_failover_service.j211
-rw-r--r--data/templates/router-advert/radvd.conf.j27
-rw-r--r--data/templates/snmp/etc.snmpd.conf.j21
-rw-r--r--data/templates/squid/sg_acl.conf.j21
-rw-r--r--data/templates/squid/squidGuard.conf.j2122
-rw-r--r--data/templates/sstp-client/peer.j29
-rw-r--r--data/templates/system/ssh_config.j23
-rw-r--r--debian/control3
-rw-r--r--interface-definitions/container.xml.in11
-rw-r--r--interface-definitions/dhcp-server.xml.in13
-rw-r--r--interface-definitions/firewall.xml.in31
-rw-r--r--interface-definitions/high-availability.xml.in20
-rw-r--r--interface-definitions/include/accel-ppp/ppp-options-ipv6-interface-id.xml.i54
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i34
-rw-r--r--interface-definitions/include/firewall/connection-mark.xml.i15
-rw-r--r--interface-definitions/include/firewall/fwmark.xml.i14
-rw-r--r--interface-definitions/include/firewall/icmpv6-type-name.xml.i16
-rw-r--r--interface-definitions/include/firewall/match-interface.xml.i18
-rw-r--r--interface-definitions/include/firewall/rule-log-level.xml.i2
-rw-r--r--interface-definitions/include/interface/mirror.xml.i18
-rw-r--r--interface-definitions/include/interface/redirect.xml.i4
-rw-r--r--interface-definitions/include/policy/route-common.xml.i12
-rw-r--r--interface-definitions/include/port-number-start-zero.xml.i15
-rw-r--r--interface-definitions/include/qos/bandwidth-auto.xml.i47
-rw-r--r--interface-definitions/include/qos/bandwidth.xml.i32
-rw-r--r--interface-definitions/include/qos/class-match-ipv4-address.xml.i19
-rw-r--r--interface-definitions/include/qos/class-match-ipv6-address.xml.i14
-rw-r--r--interface-definitions/include/qos/class-match.xml.i (renamed from interface-definitions/include/qos/match.xml.i)58
-rw-r--r--interface-definitions/include/qos/class-police-exceed.xml.i (renamed from interface-definitions/include/qos/limiter-actions.xml.i)14
-rw-r--r--interface-definitions/include/qos/class-priority.xml.i15
-rw-r--r--interface-definitions/include/qos/match-dscp.xml.i (renamed from interface-definitions/include/qos/dscp.xml.i)3
-rw-r--r--interface-definitions/include/qos/max-length.xml.i8
-rw-r--r--interface-definitions/include/qos/queue-type.xml.i17
-rw-r--r--interface-definitions/include/qos/set-dscp.xml.i84
-rw-r--r--interface-definitions/include/version/container-version.xml.i3
-rw-r--r--interface-definitions/include/version/firewall-version.xml.i2
-rw-r--r--interface-definitions/include/version/qos-version.xml.i2
-rw-r--r--interface-definitions/interfaces-dummy.xml.in19
-rw-r--r--interface-definitions/policy-route.xml.in2
-rw-r--r--interface-definitions/protocols-failover.xml.in114
-rw-r--r--interface-definitions/qos.xml.in457
-rw-r--r--interface-definitions/service-pppoe-server.xml.in47
-rw-r--r--interface-definitions/service-router-advert.xml.in13
-rw-r--r--interface-definitions/system-option.xml.in1
-rw-r--r--interface-definitions/vpn-l2tp.xml.in1
-rw-r--r--interface-definitions/xml-component-version.xml.in1
-rw-r--r--op-mode-definitions/dhcp.xml.in28
-rwxr-xr-xop-mode-definitions/generate-system-login-user.xml.in90
-rw-r--r--op-mode-definitions/generate-wireguard.xml.in18
-rw-r--r--op-mode-definitions/monitor-log.xml.in8
-rw-r--r--op-mode-definitions/nat.xml.in30
-rw-r--r--op-mode-definitions/nat66.xml.in22
-rw-r--r--op-mode-definitions/openvpn.xml.in7
-rw-r--r--op-mode-definitions/show-acceleration.xml.in10
-rw-r--r--op-mode-definitions/show-interfaces-bonding.xml.in12
-rw-r--r--op-mode-definitions/show-interfaces-bridge.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-dummy.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-ethernet.xml.in12
-rw-r--r--op-mode-definitions/show-interfaces-geneve.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-input.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-l2tpv3.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-loopback.xml.in12
-rw-r--r--op-mode-definitions/show-interfaces-pppoe.xml.in6
-rw-r--r--op-mode-definitions/show-interfaces-pseudo-ethernet.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-sstpc.xml.in6
-rw-r--r--op-mode-definitions/show-interfaces-tunnel.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-virtual-ethernet.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-vti.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-vxlan.xml.in8
-rw-r--r--op-mode-definitions/show-interfaces-wireguard.xml.in6
-rw-r--r--op-mode-definitions/show-interfaces-wireless.xml.in12
-rw-r--r--op-mode-definitions/show-interfaces-wwan.xml.in6
-rw-r--r--op-mode-definitions/show-interfaces.xml.in6
-rw-r--r--op-mode-definitions/show-log.xml.in10
-rw-r--r--op-mode-definitions/show-raid.xml.in2
-rw-r--r--python/vyos/configdiff.py31
-rw-r--r--python/vyos/firewall.py23
-rw-r--r--python/vyos/qos/__init__.py28
-rw-r--r--python/vyos/qos/base.py282
-rw-r--r--python/vyos/qos/cake.py55
-rw-r--r--python/vyos/qos/droptail.py28
-rw-r--r--python/vyos/qos/fairqueue.py31
-rw-r--r--python/vyos/qos/fqcodel.py40
-rw-r--r--python/vyos/qos/limiter.py27
-rw-r--r--python/vyos/qos/netem.py53
-rw-r--r--python/vyos/qos/priority.py41
-rw-r--r--python/vyos/qos/randomdetect.py54
-rw-r--r--python/vyos/qos/ratelimiter.py37
-rw-r--r--python/vyos/qos/roundrobin.py44
-rw-r--r--python/vyos/qos/trafficshaper.py106
-rwxr-xr-xscripts/check-pr-title-and-commit-messages.py9
-rw-r--r--smoketest/configs/dialup-router-medium-vpn24
-rw-r--r--smoketest/configs/qos-basic9
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py21
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_dummy.py1
-rwxr-xr-xsmoketest/scripts/cli/test_policy_route.py21
-rwxr-xr-xsmoketest/scripts/cli/test_qos.py546
-rwxr-xr-xsmoketest/scripts/cli/test_service_dhcp-server.py23
-rwxr-xr-xsmoketest/scripts/cli/test_service_router-advert.py39
-rwxr-xr-xsmoketest/scripts/cli/test_vpn_ipsec.py7
-rwxr-xr-xsrc/conf_mode/container.py23
-rwxr-xr-xsrc/conf_mode/firewall.py3
-rwxr-xr-xsrc/conf_mode/high-availability.py8
-rwxr-xr-xsrc/conf_mode/interfaces-bonding.py5
-rwxr-xr-xsrc/conf_mode/interfaces-geneve.py10
-rwxr-xr-xsrc/conf_mode/interfaces-pseudo-ethernet.py4
-rwxr-xr-xsrc/conf_mode/interfaces-sstpc.py5
-rwxr-xr-xsrc/conf_mode/interfaces-tunnel.py4
-rwxr-xr-xsrc/conf_mode/interfaces-vxlan.py8
-rwxr-xr-xsrc/conf_mode/pki.py5
-rwxr-xr-xsrc/conf_mode/policy-route.py3
-rwxr-xr-xsrc/conf_mode/protocols_failover.py121
-rwxr-xr-xsrc/conf_mode/qos.py194
-rwxr-xr-xsrc/conf_mode/service_webproxy.py100
-rwxr-xr-xsrc/conf_mode/system-option.py17
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py2
-rwxr-xr-xsrc/conf_mode/vpn_l2tp.py12
-rwxr-xr-xsrc/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook2
-rwxr-xr-xsrc/helpers/vyos-failover.py184
-rwxr-xr-xsrc/migration-scripts/container/0-to-177
-rwxr-xr-xsrc/migration-scripts/firewall/8-to-991
-rwxr-xr-xsrc/migration-scripts/ipsec/9-to-108
-rwxr-xr-xsrc/migration-scripts/qos/1-to-2126
-rwxr-xr-xsrc/op_mode/conntrack.py2
-rwxr-xr-xsrc/op_mode/container.py11
-rwxr-xr-xsrc/op_mode/dhcp.py71
-rwxr-xr-xsrc/op_mode/generate_system_login_user.py77
-rwxr-xr-xsrc/op_mode/interfaces.py412
-rwxr-xr-xsrc/op_mode/nat.py46
-rwxr-xr-xsrc/op_mode/show_acceleration.py22
-rwxr-xr-xsrc/op_mode/show_dhcp.py260
-rwxr-xr-xsrc/op_mode/show_dhcpv6.py220
-rwxr-xr-xsrc/op_mode/show_ipsec_sa.py130
-rwxr-xr-xsrc/op_mode/show_nat66_statistics.py63
-rwxr-xr-xsrc/op_mode/show_nat66_translations.py204
-rwxr-xr-xsrc/op_mode/show_nat_statistics.py63
-rwxr-xr-xsrc/op_mode/show_nat_translations.py216
-rwxr-xr-xsrc/op_mode/show_raid.sh10
-rwxr-xr-xsrc/op_mode/vpn_ipsec.py32
-rwxr-xr-xsrc/op_mode/webproxy_update_blacklist.sh27
-rw-r--r--src/services/api/graphql/libs/op_mode.py2
150 files changed, 4380 insertions, 1921 deletions
diff --git a/.github/reviewers.yml b/.github/reviewers.yml
index 1748ddbbc..a1647d20d 100644
--- a/.github/reviewers.yml
+++ b/.github/reviewers.yml
@@ -1,5 +1,3 @@
---
"**/*":
- - vyos/reviewers
- - vyos/reviewers
- - vyos/reviewers
+ - team: reviewers
diff --git a/.github/workflows/auto-author-assign.yml b/.github/workflows/auto-author-assign.yml
index a769145f8..13bfd9bb1 100644
--- a/.github/workflows/auto-author-assign.yml
+++ b/.github/workflows/auto-author-assign.yml
@@ -23,5 +23,5 @@ jobs:
- name: Request review based on files changes and/or groups the author belongs to
uses: shufo/auto-assign-reviewer-by-files@v1.1.4
with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.PR_ACTION_ASSIGN_REVIEWERS }}
config: .github/reviewers.yml
diff --git a/Makefile b/Makefile
index 0a968563c..a4bfac17d 100644
--- a/Makefile
+++ b/Makefile
@@ -33,11 +33,6 @@ interface_definitions: $(config_xml_obj)
# IPSec VPN EAP-RADIUS does not support source-address
rm -rf $(TMPL_DIR)/vpn/ipsec/remote-access/radius/source-address
- # T4284 neq QoS implementation is not yet live
- find $(TMPL_DIR)/interfaces -name redirect -type d -exec rm -rf {} \;
- rm -rf $(TMPL_DIR)/qos
- rm -rf $(TMPL_DIR)/interfaces/input
-
# T2472 - EIGRP support
rm -rf $(TMPL_DIR)/protocols/eigrp
# T2773 - EIGRP support for VRF
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index a69cf55e9..2ea4d945a 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -7,6 +7,7 @@
"cpu.py",
"dhcp.py",
"dns.py",
+"interfaces.py",
"log.py",
"memory.py",
"nat.py",
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index 3d1e835a9..5914fd375 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -126,7 +126,13 @@ ipv6={{ ppp_ipv6 }}
{% else %}
{{ 'ipv6=allow' if client_ipv6_pool_configured else '' }}
{% endif %}
-
+{% if ppp_ipv6_intf_id is vyos_defined %}
+ipv6-intf-id={{ ppp_ipv6_intf_id }}
+{% endif %}
+{% if ppp_ipv6_peer_intf_id is vyos_defined %}
+ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }}
+{% endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }}
{% if client_ipv6_pool %}
[ipv6-pool]
diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2
index 665f9bf95..39a072c70 100644
--- a/data/templates/container/storage.conf.j2
+++ b/data/templates/container/storage.conf.j2
@@ -1,4 +1,4 @@
### Autogenerated by container.py ###
[storage]
- driver = "vfs"
+ driver = "overlay2"
graphroot = "/usr/lib/live/mount/persistence/container/storage"
diff --git a/data/templates/dhcp-server/dhcpd.conf.j2 b/data/templates/dhcp-server/dhcpd.conf.j2
index 4c2da0aa5..639526532 100644
--- a/data/templates/dhcp-server/dhcpd.conf.j2
+++ b/data/templates/dhcp-server/dhcpd.conf.j2
@@ -22,6 +22,7 @@ ddns-update-style {{ 'interim' if dynamic_dns_update is vyos_defined else 'none'
option rfc3442-static-route code 121 = array of integer 8;
option windows-static-route code 249 = array of integer 8;
option wpad-url code 252 = text;
+option rfc8925-ipv6-only-preferred code 108 = unsigned integer 32;
# Vendor specific options - Ubiquiti Networks
option space ubnt;
@@ -127,6 +128,9 @@ shared-network {{ network }} {
{% if subnet_config.wins_server is vyos_defined %}
option netbios-name-servers {{ subnet_config.wins_server | join(', ') }};
{% endif %}
+{% if subnet_config.ipv6_only_preferred is vyos_defined %}
+ option rfc8925-ipv6-only-preferred {{ subnet_config.ipv6_only_preferred }};
+{% endif %}
{% if subnet_config.static_route is vyos_defined %}
{% set static_default_route = '' %}
{% if subnet_config.default_router is vyos_defined %}
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index dd06dee28..0a7e79edd 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -85,5 +85,18 @@
}
{% endfor %}
{% endif %}
+{% if group.interface_group is vyos_defined %}
+{% for group_name, group_conf in group.interface_group.items() %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set I_{{ group_name }} {
+ type ifname
+ flags interval
+ auto-merge
+{% if group_conf.interface is vyos_defined or includes %}
+ elements = { {{ group_conf.interface | nft_nested_group(includes, group.interface_group, 'interface') | join(",") }} }
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
{% endif %}
{% endmacro %}
diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2
index 706e1c5ae..ebff52e1f 100644
--- a/data/templates/high-availability/keepalived.conf.j2
+++ b/data/templates/high-availability/keepalived.conf.j2
@@ -126,7 +126,12 @@ vrrp_sync_group {{ name }} {
{% if virtual_server is vyos_defined %}
# Virtual-server configuration
{% for vserver, vserver_config in virtual_server.items() %}
+# Vserver {{ vserver }}
+{% if vserver_config.port is vyos_defined %}
virtual_server {{ vserver }} {{ vserver_config.port }} {
+{% else %}
+virtual_server fwmark {{ vserver_config.fwmark }} {
+{% endif %}
delay_loop {{ vserver_config.delay_loop }}
{% if vserver_config.algorithm is vyos_defined('round-robin') %}
lb_algo rr
@@ -156,9 +161,14 @@ virtual_server {{ vserver }} {{ vserver_config.port }} {
{% for rserver, rserver_config in vserver_config.real_server.items() %}
real_server {{ rserver }} {{ rserver_config.port }} {
weight 1
+{% if rserver_config.health_check.script is vyos_defined %}
+ MISC_CHECK {
+ misc_path {{ rserver_config.health_check.script }}
+{% else %}
{{ vserver_config.protocol | upper }}_CHECK {
-{% if rserver_config.connection_timeout is vyos_defined %}
+{% if rserver_config.connection_timeout is vyos_defined %}
connect_timeout {{ rserver_config.connection_timeout }}
+{% endif %}
{% endif %}
}
}
diff --git a/data/templates/protocols/systemd_vyos_failover_service.j2 b/data/templates/protocols/systemd_vyos_failover_service.j2
new file mode 100644
index 000000000..e6501e0f5
--- /dev/null
+++ b/data/templates/protocols/systemd_vyos_failover_service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=Failover route service
+After=vyos-router.service
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/python3 /usr/libexec/vyos/vyos-failover.py --config /run/vyos-failover.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2
index a464795ad..4ef4751dd 100644
--- a/data/templates/router-advert/radvd.conf.j2
+++ b/data/templates/router-advert/radvd.conf.j2
@@ -43,6 +43,13 @@ interface {{ iface }} {
};
{% endfor %}
{% endif %}
+{% if iface_config.source_address is vyos_defined %}
+ AdvRASrcAddress {
+{% for source_address in iface_config.source_address %}
+ {{ source_address }};
+{% endfor %}
+ };
+{% endif %}
{% if iface_config.prefix is vyos_defined %}
{% for prefix, prefix_options in iface_config.prefix.items() %}
prefix {{ prefix }} {
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 57ad704c0..47bf6878f 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -76,6 +76,7 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy
{% endif %}
{% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %}
{{ comm_config.authorization }}community {{ comm }}
+{{ comm_config.authorization }}community6 {{ comm }}
{% endif %}
{% endfor %}
{% endif %}
diff --git a/data/templates/squid/sg_acl.conf.j2 b/data/templates/squid/sg_acl.conf.j2
index ce72b173a..78297a2b8 100644
--- a/data/templates/squid/sg_acl.conf.j2
+++ b/data/templates/squid/sg_acl.conf.j2
@@ -1,6 +1,5 @@
### generated by service_webproxy.py ###
dbhome {{ squidguard_db_dir }}
-
dest {{ category }}-{{ rule }} {
{% if list_type == 'domains' %}
domainlist {{ category }}/domains
diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2
index 1bc4c984f..a93f878df 100644
--- a/data/templates/squid/squidGuard.conf.j2
+++ b/data/templates/squid/squidGuard.conf.j2
@@ -1,10 +1,16 @@
### generated by service_webproxy.py ###
-{% macro sg_rule(category, log, db_dir) %}
+{% macro sg_rule(category, rule, log, db_dir) %}
+{% set domains = db_dir + '/' + category + '/domains' %}
+{% set urls = db_dir + '/' + category + '/urls' %}
{% set expressions = db_dir + '/' + category + '/expressions' %}
-dest {{ category }}-default {
+dest {{ category }}-{{ rule }}{
+{% if domains | is_file %}
domainlist {{ category }}/domains
+{% endif %}
+{% if urls | is_file %}
urllist {{ category }}/urls
+{% endif %}
{% if expressions | is_file %}
expressionlist {{ category }}/expressions
{% endif %}
@@ -17,8 +23,9 @@ dest {{ category }}-default {
{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
{% if url_filtering.squidguard is vyos_defined %}
{% set sg_config = url_filtering.squidguard %}
-{% set acl = namespace(value='local-ok-default') %}
+{% set acl = namespace(value='') %}
{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+{% set ruleacls = {} %}
dbhome {{ squidguard_db_dir }}
logdir /var/log/squid
@@ -38,24 +45,28 @@ dest local-ok-default {
domainlist local-ok-default/domains
}
{% endif %}
+
{% if sg_config.local_ok_url is vyos_defined %}
{% set acl.value = acl.value + ' local-ok-url-default' %}
dest local-ok-url-default {
urllist local-ok-url-default/urls
}
{% endif %}
+
{% if sg_config.local_block is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-default' %}
dest local-block-default {
domainlist local-block-default/domains
}
{% endif %}
+
{% if sg_config.local_block_url is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-url-default' %}
dest local-block-url-default {
urllist local-block-url-default/urls
}
{% endif %}
+
{% if sg_config.local_block_keyword is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-keyword-default' %}
dest local-block-keyword-default {
@@ -65,16 +76,100 @@ dest local-block-keyword-default {
{% if sg_config.block_category is vyos_defined %}
{% for category in sg_config.block_category %}
-{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }}
{% set acl.value = acl.value + ' !' + category + '-default' %}
{% endfor %}
{% endif %}
{% if sg_config.allow_category is vyos_defined %}
{% for category in sg_config.allow_category %}
-{{ sg_rule(category, False, squidguard_db_dir) }}
+{{ sg_rule(category, 'default', False, squidguard_db_dir) }}
{% set acl.value = acl.value + ' ' + category + '-default' %}
{% endfor %}
{% endif %}
+
+
+{% if sg_config.rule is vyos_defined %}
+{% for rule, rule_config in sg_config.rule.items() %}
+{% if rule_config.local_ok is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %}
+{% endif %}
+dest local-ok-{{ rule }} {
+ domainlist local-ok-{{ rule }}/domains
+}
+{% endif %}
+
+{% if rule_config.local_ok_url is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %}
+{% endif %}
+dest local-ok-url-{{ rule }} {
+ urllist local-ok-url-{{ rule }}/urls
+}
+{% endif %}
+
+{% if rule_config.local_block is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %}
+{% endif %}
+dest local-block-{{ rule }} {
+ domainlist local-block-{{ rule }}/domains
+}
+{% endif %}
+
+{% if rule_config.local_block_url is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!ocal-block-url-' + rule}) %}
+{% endif %}
+dest local-block-url-{{ rule }} {
+ urllist local-block-url-{{ rule }}/urls
+}
+{% endif %}
+
+{% if rule_config.local_block_keyword is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %}
+{% endif %}
+dest local-block-keyword-{{ rule }} {
+ expressionlist local-block-keyword-{{ rule }}/expressions
+}
+{% endif %}
+
+{% if rule_config.block_category is vyos_defined %}
+{% for b_category in rule_config.block_category %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %}
+{% endif %}
+{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }}
+{% endfor %}
+{% endif %}
+
+{% if rule_config.allow_category is vyos_defined %}
+{% for a_category in rule_config.allow_category %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %}
+{% endif %}
+{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+
{% if sg_config.source_group is vyos_defined %}
{% for sgroup, sg_config in sg_config.source_group.items() %}
{% if sg_config.address is vyos_defined %}
@@ -83,28 +178,15 @@ src {{ sgroup }} {
ip {{ address }}
{% endfor %}
}
-
{% endif %}
{% endfor %}
{% endif %}
-{% if sg_config.rule is vyos_defined %}
-{% for rule, rule_config in sg_config.rule.items() %}
-{% for b_category in rule_config.block_category %}
-dest {{ b_category }} {
- domainlist {{ b_category }}/domains
- urllist {{ b_category }}/urls
-}
-{% endfor %}
-{% endfor %}
-{% endif %}
acl {
{% if sg_config.rule is vyos_defined %}
{% for rule, rule_config in sg_config.rule.items() %}
{{ rule_config.source_group }} {
-{% for b_category in rule_config.block_category %}
- pass local-ok-1 !in-addr !{{ b_category }} all
-{% endfor %}
+ pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }}
}
{% endfor %}
{% endif %}
@@ -113,7 +195,7 @@ acl {
{% if sg_config.enable_safe_search is vyos_defined %}
rewrite safesearch
{% endif %}
- pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }}
+ pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }}
redirect 302:http://{{ sg_config.redirect_url }}
{% if sg_config.log is vyos_defined %}
log blacklist.log
diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2
index 1127d0564..7a0b0e1f7 100644
--- a/data/templates/sstp-client/peer.j2
+++ b/data/templates/sstp-client/peer.j2
@@ -17,7 +17,7 @@ pty "sstpc --ipparam {{ ifname }} --nolaunchpppd {{ server }}:{{ port }} --ca-ce
# Override any connect script that may have been set in /etc/ppp/options.
connect /bin/true
-# Don't try to authenticate the remote node
+# We don't need the server to auth itself
noauth
# We won't want EAP
@@ -37,6 +37,13 @@ sstp-sock /var/run/sstpc/sstpc-{{ ifname }}
persist
debug
+# pppd should create a UUCP-style lock file for the serial device to ensure
+# exclusive access to the device. By default, pppd will not create a lock file.
+lock
+
+# Disables Deflate compression
+nodeflate
+
{% if authentication is vyos_defined %}
{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }}
{{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }}
diff --git a/data/templates/system/ssh_config.j2 b/data/templates/system/ssh_config.j2
index 1449f95b1..d3ede0971 100644
--- a/data/templates/system/ssh_config.j2
+++ b/data/templates/system/ssh_config.j2
@@ -1,3 +1,6 @@
{% if ssh_client.source_address is vyos_defined %}
BindAddress {{ ssh_client.source_address }}
{% endif %}
+{% if ssh_client.source_interface is vyos_defined %}
+BindInterface {{ ssh_client.source_interface }}
+{% endif %}
diff --git a/debian/control b/debian/control
index 7e69003ff..696f8902d 100644
--- a/debian/control
+++ b/debian/control
@@ -39,6 +39,7 @@ Depends:
beep,
bmon,
bsdmainutils,
+ charon-systemd,
conntrack,
conntrackd,
conserver-client,
@@ -68,7 +69,7 @@ Depends:
ipaddrcheck,
iperf,
iperf3,
- iproute2,
+ iproute2 (>= 6.0.0),
iputils-arping,
isc-dhcp-client,
isc-dhcp-relay,
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in
index d50039665..4bac305d1 100644
--- a/interface-definitions/container.xml.in
+++ b/interface-definitions/container.xml.in
@@ -207,14 +207,23 @@
</leafNode>
<leafNode name="protocol">
<properties>
- <help>Protocol tcp/udp</help>
+ <help>Transport protocol used for port mapping</help>
<completionHelp>
<list>tcp udp</list>
</completionHelp>
+ <valueHelp>
+ <format>tcp</format>
+ <description>Use Transmission Control Protocol for given port</description>
+ </valueHelp>
+ <valueHelp>
+ <format>udp</format>
+ <description>Use User Datagram Protocol for given port</description>
+ </valueHelp>
<constraint>
<regex>(tcp|udp)</regex>
</constraint>
</properties>
+ <defaultValue>tcp</defaultValue>
</leafNode>
</children>
</tagNode>
diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in
index 6e1592200..1830cc1ad 100644
--- a/interface-definitions/dhcp-server.xml.in
+++ b/interface-definitions/dhcp-server.xml.in
@@ -373,6 +373,19 @@
</leafNode>
</children>
</tagNode >
+ <leafNode name="ipv6-only-preferred">
+ <properties>
+ <help>Disable IPv4 on IPv6 only hosts (RFC 8925)</help>
+ <valueHelp>
+ <format>u32</format>
+ <description>Seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ <constraintErrorMessage>Seconds must be between 0 and 4294967295 (49 days)</constraintErrorMessage>
+ </properties>
+ </leafNode>
<leafNode name="subnet-parameters">
<properties>
<help>Additional subnet parameters for DHCP server. You must use the syntax of dhcpd.conf in this text-field. Using this without proper knowledge may result in a crashed DHCP server. Check system log to look for errors.</help>
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 3bce69fc4..7d7e0a38f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -134,6 +134,35 @@
#include <include/generic-description.xml.i>
</children>
</tagNode>
+ <tagNode name="interface-group">
+ <properties>
+ <help>Firewall interface-group</help>
+ <constraint>
+ <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="interface">
+ <properties>
+ <help>Interface-group member</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="include">
+ <properties>
+ <help>Include another interface-group</help>
+ <completionHelp>
+ <path>firewall group interface-group</path>
+ </completionHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/generic-description.xml.i>
+ </children>
+ </tagNode>
<tagNode name="ipv6-address-group">
<properties>
<help>Firewall ipv6-address-group</help>
@@ -432,6 +461,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
#include <include/firewall/hop-limit.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
<node name="icmpv6">
<properties>
<help>ICMPv6 type and code information</help>
@@ -599,6 +629,7 @@
#include <include/firewall/common-rule.xml.i>
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
<node name="icmp">
<properties>
<help>ICMP type and code information</help>
diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in
index 784e51151..d67a142d1 100644
--- a/interface-definitions/high-availability.xml.in
+++ b/interface-definitions/high-availability.xml.in
@@ -365,7 +365,8 @@
</properties>
<defaultValue>nat</defaultValue>
</leafNode>
- #include <include/port-number.xml.i>
+ #include <include/firewall/fwmark.xml.i>
+ #include <include/port-number-start-zero.xml.i>
<leafNode name="persistence-timeout">
<properties>
<help>Timeout for persistent connections</help>
@@ -404,7 +405,7 @@
<help>Real server address</help>
</properties>
<children>
- #include <include/port-number.xml.i>
+ #include <include/port-number-start-zero.xml.i>
<leafNode name="connection-timeout">
<properties>
<help>Server connection timeout</help>
@@ -417,6 +418,21 @@
</constraint>
</properties>
</leafNode>
+ <node name="health-check">
+ <properties>
+ <help>Health check script</help>
+ </properties>
+ <children>
+ <leafNode name="script">
+ <properties>
+ <help>Health check script file</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</tagNode>
</children>
diff --git a/interface-definitions/include/accel-ppp/ppp-options-ipv6-interface-id.xml.i b/interface-definitions/include/accel-ppp/ppp-options-ipv6-interface-id.xml.i
new file mode 100644
index 000000000..265f7f97c
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/ppp-options-ipv6-interface-id.xml.i
@@ -0,0 +1,54 @@
+<!-- include start from accel-ppp/ppp-options-ipv6-interface-id.xml.i -->
+<leafNode name="ipv6-intf-id">
+ <properties>
+ <help>Fixed or random interface identifier for IPv6</help>
+ <completionHelp>
+ <list>random</list>
+ </completionHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Random interface identifier for IPv6</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x:x:x:x</format>
+ <description>specify interface identifier for IPv6</description>
+ </valueHelp>
+ <constraint>
+ <regex>(random|((\d+){1,4}:){3}(\d+){1,4})</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<leafNode name="ipv6-peer-intf-id">
+ <properties>
+ <help>Peer interface identifier for IPv6</help>
+ <completionHelp>
+ <list>random calling-sid ipv4</list>
+ </completionHelp>
+ <valueHelp>
+ <format>x:x:x:x</format>
+ <description>Interface identifier for IPv6</description>
+ </valueHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Use a random interface identifier for IPv6</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Calculate interface identifier from IPv4 address, for example 192:168:0:1</description>
+ </valueHelp>
+ <valueHelp>
+ <format>calling-sid</format>
+ <description>Calculate interface identifier from calling-station-id</description>
+ </valueHelp>
+ <constraint>
+ <regex>(random|calling-sid|ipv4|((\d+){1,4}:){3}(\d+){1,4})</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<leafNode name="ipv6-accept-peer-intf-id">
+ <properties>
+ <help>Accept peer interface identifier</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 75ad427f9..3fe3ca872 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -1,6 +1,14 @@
<!-- include start from firewall/common-rule.xml.i -->
#include <include/firewall/action.xml.i>
#include <include/generic-description.xml.i>
+<node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/mac-address.xml.i>
+ </children>
+</node>
<leafNode name="disable">
<properties>
<help>Option to disable firewall rule</help>
@@ -26,14 +34,22 @@
</leafNode>
</children>
</node>
-<leafNode name="inbound-interface">
+<node name="inbound-interface">
<properties>
<help>Match inbound-interface</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
</properties>
-</leafNode>
+ <children>
+ #include <include/firewall/match-interface.xml.i>
+ </children>
+</node>
+<node name="outbound-interface">
+ <properties>
+ <help>Match outbound-interface</help>
+ </properties>
+ <children>
+ #include <include/firewall/match-interface.xml.i>
+ </children>
+</node>
<node name="ipsec">
<properties>
<help>Inbound IPsec packets</help>
@@ -130,14 +146,6 @@
</leafNode>
</children>
</node>
-<leafNode name="outbound-interface">
- <properties>
- <help>Match outbound-interface</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- </properties>
-</leafNode>
<leafNode name="protocol">
<properties>
<help>Protocol to match (protocol name, number, or "all")</help>
diff --git a/interface-definitions/include/firewall/connection-mark.xml.i b/interface-definitions/include/firewall/connection-mark.xml.i
new file mode 100644
index 000000000..2cb826635
--- /dev/null
+++ b/interface-definitions/include/firewall/connection-mark.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from firewall/connection-mark.xml.i -->
+<leafNode name="connection-mark">
+ <properties>
+ <help>Connection mark</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Connection-mark to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/fwmark.xml.i b/interface-definitions/include/firewall/fwmark.xml.i
new file mode 100644
index 000000000..4607ef58f
--- /dev/null
+++ b/interface-definitions/include/firewall/fwmark.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/fwmark.xml.i -->
+<leafNode name="fwmark">
+ <properties>
+ <help>Match fwmark value</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Match firewall mark value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/icmpv6-type-name.xml.i b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
index a2e68abfb..e17a20e17 100644
--- a/interface-definitions/include/firewall/icmpv6-type-name.xml.i
+++ b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>ICMPv6 type-name</help>
<completionHelp>
- <list>destination-unreachable packet-too-big time-exceeded echo-request echo-reply mld-listener-query mld-listener-report mld-listener-reduction nd-router-solicit nd-router-advert nd-neighbor-solicit nd-neighbor-advert nd-redirect parameter-problem router-renumbering</list>
+ <list>destination-unreachable packet-too-big time-exceeded echo-request echo-reply mld-listener-query mld-listener-report mld-listener-reduction nd-router-solicit nd-router-advert nd-neighbor-solicit nd-neighbor-advert nd-redirect parameter-problem router-renumbering ind-neighbor-solicit ind-neighbor-advert mld2-listener-report</list>
</completionHelp>
<valueHelp>
<format>destination-unreachable</format>
@@ -65,8 +65,20 @@
<format>router-renumbering</format>
<description>ICMPv6 type 138: router-renumbering</description>
</valueHelp>
+ <valueHelp>
+ <format>ind-neighbor-solicit</format>
+ <description>ICMPv6 type 141: ind-neighbor-solicit</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ind-neighbor-advert</format>
+ <description>ICMPv6 type 142: ind-neighbor-advert</description>
+ </valueHelp>
+ <valueHelp>
+ <format>mld2-listener-report</format>
+ <description>ICMPv6 type 143: mld2-listener-report</description>
+ </valueHelp>
<constraint>
- <regex>(destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering)</regex>
+ <regex>(destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering|ind-neighbor-solicit|ind-neighbor-advert|mld2-listener-report)</regex>
</constraint>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
new file mode 100644
index 000000000..675a87574
--- /dev/null
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -0,0 +1,18 @@
+<!-- include start from firewall/match-interface.xml.i -->
+<leafNode name="interface-name">
+ <properties>
+ <help>Match interface</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+</leafNode>
+<leafNode name="interface-group">
+ <properties>
+ <help>Match interface-group</help>
+ <completionHelp>
+ <path>firewall group interface-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/rule-log-level.xml.i b/interface-definitions/include/firewall/rule-log-level.xml.i
index 10c8de5e3..3ac473844 100644
--- a/interface-definitions/include/firewall/rule-log-level.xml.i
+++ b/interface-definitions/include/firewall/rule-log-level.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from firewall/common-rule.xml.i -->
+<!-- include start from firewall/rule-log-level.xml.i -->
<leafNode name="log-level">
<properties>
<help>Set log-level. Log must be enable.</help>
diff --git a/interface-definitions/include/interface/mirror.xml.i b/interface-definitions/include/interface/mirror.xml.i
index 2959551f0..74a172b50 100644
--- a/interface-definitions/include/interface/mirror.xml.i
+++ b/interface-definitions/include/interface/mirror.xml.i
@@ -1,23 +1,31 @@
<!-- include start from interface/mirror.xml.i -->
<node name="mirror">
<properties>
- <help>Incoming/outgoing packet mirroring destination</help>
+ <help>Mirror ingress/egress packets</help>
</properties>
<children>
<leafNode name="ingress">
<properties>
- <help>Mirror the ingress traffic of the interface to the destination interface</help>
+ <help>Mirror ingress traffic to destination interface</help>
<completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Destination interface name</description>
+ </valueHelp>
</properties>
</leafNode>
<leafNode name="egress">
<properties>
- <help>Mirror the egress traffic of the interface to the destination interface</help>
+ <help>Mirror egress traffic to destination interface</help>
<completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Destination interface name</description>
+ </valueHelp>
</properties>
</leafNode>
</children>
diff --git a/interface-definitions/include/interface/redirect.xml.i b/interface-definitions/include/interface/redirect.xml.i
index 8df8957ac..b01e486ce 100644
--- a/interface-definitions/include/interface/redirect.xml.i
+++ b/interface-definitions/include/interface/redirect.xml.i
@@ -1,13 +1,13 @@
<!-- include start from interface/redirect.xml.i -->
<leafNode name="redirect">
<properties>
- <help>Incoming packet redirection destination</help>
+ <help>Redirect incoming packet to destination</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
<valueHelp>
<format>txt</format>
- <description>Interface name</description>
+ <description>Destination interface name</description>
</valueHelp>
<constraint>
#include <include/constraint/interface-name.xml.in>
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index 8b959c2a4..6973d7a8f 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -159,6 +159,18 @@
<help>Packet modifications</help>
</properties>
<children>
+ <leafNode name="connection-mark">
+ <properties>
+ <help>Connection marking</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Connection marking</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+ </leafNode>
<leafNode name="dscp">
<properties>
<help>Packet Differentiated Services Codepoint (DSCP)</help>
diff --git a/interface-definitions/include/port-number-start-zero.xml.i b/interface-definitions/include/port-number-start-zero.xml.i
new file mode 100644
index 000000000..04a144216
--- /dev/null
+++ b/interface-definitions/include/port-number-start-zero.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from port-number-start-zero.xml.i -->
+<leafNode name="port">
+ <properties>
+ <help>Port number used by connection</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>Numeric IP port</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ <constraintErrorMessage>Port number must be in range 0 to 65535</constraintErrorMessage>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/qos/bandwidth-auto.xml.i b/interface-definitions/include/qos/bandwidth-auto.xml.i
new file mode 100644
index 000000000..a86f28296
--- /dev/null
+++ b/interface-definitions/include/qos/bandwidth-auto.xml.i
@@ -0,0 +1,47 @@
+<!-- include start from qos/bandwidth-auto.xml.i -->
+<leafNode name="bandwidth">
+ <properties>
+ <help>Available bandwidth for this policy</help>
+ <completionHelp>
+ <list>auto</list>
+ </completionHelp>
+ <valueHelp>
+ <format>auto</format>
+ <description>Bandwidth matches interface speed</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;</format>
+ <description>Bits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;bit</format>
+ <description>Bits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;kbit</format>
+ <description>Kilobits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;mbit</format>
+ <description>Megabits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;gbit</format>
+ <description>Gigabits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;tbit</format>
+ <description>Terabits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;%%</format>
+ <description>Percentage of interface link speed</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--positive"/>
+ <regex>(auto|\d+(bit|kbit|mbit|gbit|tbit)|(100|\d(\d)?)%)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>auto</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/qos/bandwidth.xml.i b/interface-definitions/include/qos/bandwidth.xml.i
index 82af22f42..f2848f066 100644
--- a/interface-definitions/include/qos/bandwidth.xml.i
+++ b/interface-definitions/include/qos/bandwidth.xml.i
@@ -1,15 +1,39 @@
<!-- include start from qos/bandwidth.xml.i -->
<leafNode name="bandwidth">
<properties>
- <help>Traffic-limit used for this class</help>
+ <help>Available bandwidth for this policy</help>
<valueHelp>
<format>&lt;number&gt;</format>
- <description>Rate in kbit (kilobit per second)</description>
+ <description>Bits per second</description>
</valueHelp>
<valueHelp>
- <format>&lt;number&gt;&lt;suffix&gt;</format>
- <description>Rate with scaling suffix (mbit, mbps, ...)</description>
+ <format>&lt;number&gt;bit</format>
+ <description>Bits per second</description>
</valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;kbit</format>
+ <description>Kilobits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;mbit</format>
+ <description>Megabits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;gbit</format>
+ <description>Gigabits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;tbit</format>
+ <description>Terabits per second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;%</format>
+ <description>Percentage of interface link speed</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--positive"/>
+ <regex>(\d+(bit|kbit|mbit|gbit|tbit)|(100|\d(\d)?)%)</regex>
+ </constraint>
</properties>
</leafNode>
<!-- include end -->
diff --git a/interface-definitions/include/qos/class-match-ipv4-address.xml.i b/interface-definitions/include/qos/class-match-ipv4-address.xml.i
new file mode 100644
index 000000000..8e84c988a
--- /dev/null
+++ b/interface-definitions/include/qos/class-match-ipv4-address.xml.i
@@ -0,0 +1,19 @@
+<!-- include start from qos/class-match-ipv4-address.xml.i -->
+<leafNode name="address">
+ <properties>
+ <help>IPv4 destination address for this match</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv4-prefix"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/qos/class-match-ipv6-address.xml.i b/interface-definitions/include/qos/class-match-ipv6-address.xml.i
new file mode 100644
index 000000000..fd7388127
--- /dev/null
+++ b/interface-definitions/include/qos/class-match-ipv6-address.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from qos/class-match-ipv6-address.xml.i -->
+<leafNode name="address">
+ <properties>
+ <help>IPv6 destination address for this match</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/qos/match.xml.i b/interface-definitions/include/qos/class-match.xml.i
index 7d89e4460..d9c35731d 100644
--- a/interface-definitions/include/qos/match.xml.i
+++ b/interface-definitions/include/qos/class-match.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from qos/match.xml.i -->
+<!-- include start from qos/class-match.xml.i -->
<tagNode name="match">
<properties>
<help>Class matching rule name</help>
@@ -99,22 +99,11 @@
<help>Match on destination port or address</help>
</properties>
<children>
- <leafNode name="address">
- <properties>
- <help>IPv4 destination address for this match</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>IPv4 address and prefix length</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/qos/class-match-ipv4-address.xml.i>
#include <include/port-number.xml.i>
</children>
</node>
- #include <include/qos/dscp.xml.i>
+ #include <include/qos/match-dscp.xml.i>
#include <include/qos/max-length.xml.i>
#include <include/ip-protocol.xml.i>
<node name="source">
@@ -122,18 +111,7 @@
<help>Match on source port or address</help>
</properties>
<children>
- <leafNode name="address">
- <properties>
- <help>IPv4 source address for this match</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>IPv4 address and prefix length</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/qos/class-match-ipv4-address.xml.i>
#include <include/port-number.xml.i>
</children>
</node>
@@ -150,22 +128,11 @@
<help>Match on destination port or address</help>
</properties>
<children>
- <leafNode name="address">
- <properties>
- <help>IPv6 destination address for this match</help>
- <valueHelp>
- <format>ipv6net</format>
- <description>IPv6 address and prefix length</description>
- </valueHelp>
- <constraint>
- <validator name="ipv6"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/qos/class-match-ipv6-address.xml.i>
#include <include/port-number.xml.i>
</children>
</node>
- #include <include/qos/dscp.xml.i>
+ #include <include/qos/match-dscp.xml.i>
#include <include/qos/max-length.xml.i>
#include <include/ip-protocol.xml.i>
<node name="source">
@@ -173,18 +140,7 @@
<help>Match on source port or address</help>
</properties>
<children>
- <leafNode name="address">
- <properties>
- <help>IPv6 source address for this match</help>
- <valueHelp>
- <format>ipv6net</format>
- <description>IPv6 address and prefix length</description>
- </valueHelp>
- <constraint>
- <validator name="ipv6"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/qos/class-match-ipv6-address.xml.i>
#include <include/port-number.xml.i>
</children>
</node>
diff --git a/interface-definitions/include/qos/limiter-actions.xml.i b/interface-definitions/include/qos/class-police-exceed.xml.i
index a993423aa..ee2ce16a8 100644
--- a/interface-definitions/include/qos/limiter-actions.xml.i
+++ b/interface-definitions/include/qos/class-police-exceed.xml.i
@@ -1,13 +1,13 @@
-<!-- include start from qos/limiter-actions.xml.i -->
-<leafNode name="exceed-action">
+<!-- include start from qos/police.xml.i -->
+<leafNode name="exceed">
<properties>
- <help>Default action for packets exceeding the limiter (default: drop)</help>
+ <help>Default action for packets exceeding the limiter</help>
<completionHelp>
<list>continue drop ok reclassify pipe</list>
</completionHelp>
<valueHelp>
<format>continue</format>
- <description>Don't do anything, just continue with the next action in line</description>
+ <description>Do not do anything, just continue with the next action in line</description>
</valueHelp>
<valueHelp>
<format>drop</format>
@@ -31,15 +31,15 @@
</properties>
<defaultValue>drop</defaultValue>
</leafNode>
-<leafNode name="notexceed-action">
+<leafNode name="not-exceed">
<properties>
- <help>Default action for packets not exceeding the limiter (default: ok)</help>
+ <help>Default action for packets not exceeding the limiter</help>
<completionHelp>
<list>continue drop ok reclassify pipe</list>
</completionHelp>
<valueHelp>
<format>continue</format>
- <description>Don't do anything, just continue with the next action in line</description>
+ <description>Do not do anything, just continue with the next action in line</description>
</valueHelp>
<valueHelp>
<format>drop</format>
diff --git a/interface-definitions/include/qos/class-priority.xml.i b/interface-definitions/include/qos/class-priority.xml.i
new file mode 100644
index 000000000..3fd848c93
--- /dev/null
+++ b/interface-definitions/include/qos/class-priority.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from qos/class-priority.xml.i -->
+<leafNode name="priority">
+ <properties>
+ <help>Priority for rule evaluation</help>
+ <valueHelp>
+ <format>u32:0-20</format>
+ <description>Priority for match rule evaluation</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-20"/>
+ </constraint>
+ <constraintErrorMessage>Priority must be between 0 and 20</constraintErrorMessage>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/qos/dscp.xml.i b/interface-definitions/include/qos/match-dscp.xml.i
index bb90850ac..2d2fd0a57 100644
--- a/interface-definitions/include/qos/dscp.xml.i
+++ b/interface-definitions/include/qos/match-dscp.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from qos/dscp.xml.i -->
+<!-- include start from qos/match-dscp.xml.i -->
<leafNode name="dscp">
<properties>
<help>Match on Differentiated Services Codepoint (DSCP)</help>
@@ -137,7 +137,6 @@
<validator name="numeric" argument="--range 0-63"/>
<regex>(default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network|AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF)</regex>
</constraint>
- <constraintErrorMessage>Priority must be between 0 and 63</constraintErrorMessage>
</properties>
</leafNode>
<!-- include end -->
diff --git a/interface-definitions/include/qos/max-length.xml.i b/interface-definitions/include/qos/max-length.xml.i
index 4cc20f8c4..64cdd02ec 100644
--- a/interface-definitions/include/qos/max-length.xml.i
+++ b/interface-definitions/include/qos/max-length.xml.i
@@ -1,15 +1,15 @@
<!-- include start from qos/max-length.xml.i -->
<leafNode name="max-length">
<properties>
- <help>Maximum packet length (ipv4)</help>
+ <help>Maximum packet length</help>
<valueHelp>
- <format>u32:0-65535</format>
+ <format>u32:1-65535</format>
<description>Maximum packet/payload length</description>
</valueHelp>
<constraint>
- <validator name="numeric" argument="--range 0-65535"/>
+ <validator name="numeric" argument="--range 1-65535"/>
</constraint>
- <constraintErrorMessage>Maximum IPv4 total packet length is 65535</constraintErrorMessage>
+ <constraintErrorMessage>Maximum packet length is 65535</constraintErrorMessage>
</properties>
</leafNode>
<!-- include end -->
diff --git a/interface-definitions/include/qos/queue-type.xml.i b/interface-definitions/include/qos/queue-type.xml.i
index 634f61024..c7d4cde82 100644
--- a/interface-definitions/include/qos/queue-type.xml.i
+++ b/interface-definitions/include/qos/queue-type.xml.i
@@ -3,28 +3,31 @@
<properties>
<help>Queue type for default traffic</help>
<completionHelp>
- <list>fq-codel fair-queue drop-tail random-detect</list>
+ <list>drop-tail fair-queue fq-codel priority random-detect</list>
</completionHelp>
<valueHelp>
- <format>fq-codel</format>
- <description>Fair Queue Codel</description>
+ <format>drop-tail</format>
+ <description>First-In-First-Out (FIFO)</description>
</valueHelp>
<valueHelp>
<format>fair-queue</format>
<description>Stochastic Fair Queue (SFQ)</description>
</valueHelp>
<valueHelp>
- <format>drop-tail</format>
- <description>First-In-First-Out (FIFO)</description>
+ <format>fq-codel</format>
+ <description>Fair Queue Codel</description>
+ </valueHelp>
+ <valueHelp>
+ <format>priority</format>
+ <description>Priority queuing</description>
</valueHelp>
<valueHelp>
<format>random-detect</format>
<description>Random Early Detection (RED)</description>
</valueHelp>
<constraint>
- <regex>(fq-codel|fair-queue|drop-tail|random-detect)</regex>
+ <regex>(drop-tail|fair-queue|fq-codel|priority|random-detect)</regex>
</constraint>
</properties>
- <defaultValue>drop-tail</defaultValue>
</leafNode>
<!-- include end -->
diff --git a/interface-definitions/include/qos/set-dscp.xml.i b/interface-definitions/include/qos/set-dscp.xml.i
index 55c0ea44d..07f33783f 100644
--- a/interface-definitions/include/qos/set-dscp.xml.i
+++ b/interface-definitions/include/qos/set-dscp.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>Change the Differentiated Services (DiffServ) field in the IP header</help>
<completionHelp>
- <list>default reliability throughput lowdelay priority immediate flash flash-override critical internet network</list>
+ <list>default reliability throughput lowdelay priority immediate flash flash-override critical internet network AF11 AF12 AF13 AF21 AF22 AF23 AF31 AF32 AF33 AF41 AF42 AF43 CS1 CS2 CS3 CS4 CS5 CS6 CS7 EF</list>
</completionHelp>
<valueHelp>
<format>u32:0-63</format>
@@ -53,9 +53,89 @@
<format>network</format>
<description>match DSCP (111000)</description>
</valueHelp>
+ <valueHelp>
+ <format>AF11</format>
+ <description>High-throughput data</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF12</format>
+ <description>High-throughput data</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF13</format>
+ <description>High-throughput data</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF21</format>
+ <description>Low-latency data</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF22</format>
+ <description>Low-latency data</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF23</format>
+ <description>Low-latency data</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF31</format>
+ <description>Multimedia streaming</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF32</format>
+ <description>Multimedia streaming</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF33</format>
+ <description>Multimedia streaming</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF41</format>
+ <description>Multimedia conferencing</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF42</format>
+ <description>Multimedia conferencing</description>
+ </valueHelp>
+ <valueHelp>
+ <format>AF43</format>
+ <description>Multimedia conferencing</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CS1</format>
+ <description>Low-priority data</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CS2</format>
+ <description>OAM</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CS3</format>
+ <description>Broadcast video</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CS4</format>
+ <description>Real-time interactive</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CS5</format>
+ <description>Signaling</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CS6</format>
+ <description>Network control</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CS7</format>
+ <description></description>
+ </valueHelp>
+ <valueHelp>
+ <format>EF</format>
+ <description>Expedited Forwarding</description>
+ </valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-63"/>
- <regex>(default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network)</regex>
+ <regex>(default|reliability|throughput|lowdelay|priority|immediate|flash|flash-override|critical|internet|network|AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF)</regex>
</constraint>
<constraintErrorMessage>Priority must be between 0 and 63</constraintErrorMessage>
</properties>
diff --git a/interface-definitions/include/version/container-version.xml.i b/interface-definitions/include/version/container-version.xml.i
new file mode 100644
index 000000000..129469cec
--- /dev/null
+++ b/interface-definitions/include/version/container-version.xml.i
@@ -0,0 +1,3 @@
+<!-- include start from include/version/container-version.xml.i -->
+<syntaxVersion component='container' version='1'></syntaxVersion>
+<!-- include end -->
diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i
index 065925319..bc04f8d51 100644
--- a/interface-definitions/include/version/firewall-version.xml.i
+++ b/interface-definitions/include/version/firewall-version.xml.i
@@ -1,3 +1,3 @@
<!-- include start from include/version/firewall-version.xml.i -->
-<syntaxVersion component='firewall' version='8'></syntaxVersion>
+<syntaxVersion component='firewall' version='9'></syntaxVersion>
<!-- include end -->
diff --git a/interface-definitions/include/version/qos-version.xml.i b/interface-definitions/include/version/qos-version.xml.i
index e4d139349..c67e61e91 100644
--- a/interface-definitions/include/version/qos-version.xml.i
+++ b/interface-definitions/include/version/qos-version.xml.i
@@ -1,3 +1,3 @@
<!-- include start from include/version/qos-version.xml.i -->
-<syntaxVersion component='qos' version='1'></syntaxVersion>
+<syntaxVersion component='qos' version='2'></syntaxVersion>
<!-- include end -->
diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in
index eb525b547..201e9b179 100644
--- a/interface-definitions/interfaces-dummy.xml.in
+++ b/interface-definitions/interfaces-dummy.xml.in
@@ -25,8 +25,27 @@
</properties>
<children>
#include <include/interface/source-validation.xml.i>
+ #include <include/interface/disable-forwarding.xml.i>
</children>
</node>
+ <node name="ipv6">
+ <properties>
+ <help>IPv6 routing parameters</help>
+ </properties>
+ <children>
+ #include <include/interface/disable-forwarding.xml.i>
+ <node name="address">
+ <properties>
+ <help>IPv6 address configuration modes</help>
+ </properties>
+ <children>
+ #include <include/interface/ipv6-address-eui64.xml.i>
+ #include <include/interface/ipv6-address-no-default-link-local.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
+ #include <include/interface/mtu-68-16000.xml.i>
#include <include/interface/mirror.xml.i>
#include <include/interface/netns.xml.i>
#include <include/interface/redirect.xml.i>
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index 48a5bf7d1..d7b159839 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -52,6 +52,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
#include <include/firewall/hop-limit.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
</children>
</tagNode>
</children>
@@ -106,6 +107,7 @@
#include <include/firewall/dscp.xml.i>
#include <include/firewall/packet-length.xml.i>
#include <include/firewall/ttl.xml.i>
+ #include <include/firewall/connection-mark.xml.i>
</children>
</tagNode>
</children>
diff --git a/interface-definitions/protocols-failover.xml.in b/interface-definitions/protocols-failover.xml.in
new file mode 100644
index 000000000..900c76eab
--- /dev/null
+++ b/interface-definitions/protocols-failover.xml.in
@@ -0,0 +1,114 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="protocols">
+ <children>
+ <node name="failover" owner="${vyos_conf_scripts_dir}/protocols_failover.py">
+ <properties>
+ <help>Failover Routing</help>
+ <priority>490</priority>
+ </properties>
+ <children>
+ <tagNode name="route">
+ <properties>
+ <help>Failover IPv4 route</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 failover route</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ </constraint>
+ </properties>
+ <children>
+ <tagNode name="next-hop">
+ <properties>
+ <help>Next-hop IPv4 router address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Next-hop router address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ <children>
+ <node name="check">
+ <properties>
+ <help>Check target options</help>
+ </properties>
+ <children>
+ #include <include/port-number.xml.i>
+ <leafNode name="target">
+ <properties>
+ <help>Check target address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Address to check</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="timeout">
+ <properties>
+ <help>Timeout between checks</help>
+ <valueHelp>
+ <format>u32:1-300</format>
+ <description>Timeout in seconds between checks</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ <defaultValue>10</defaultValue>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>Check type</help>
+ <completionHelp>
+ <list>arp icmp tcp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>arp</format>
+ <description>Check target by ARP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>icmp</format>
+ <description>Check target by ICMP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp</format>
+ <description>Check target by TCP</description>
+ </valueHelp>
+ <constraint>
+ <regex>(arp|icmp|tcp)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>icmp</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ #include <include/static/static-route-interface.xml.i>
+ <leafNode name="metric">
+ <properties>
+ <help>Route metric for this gateway</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Route metric</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ <defaultValue>1</defaultValue>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in
index dc807781e..8809369ff 100644
--- a/interface-definitions/qos.xml.in
+++ b/interface-definitions/qos.xml.in
@@ -3,6 +3,7 @@
<node name="qos" owner="${vyos_conf_scripts_dir}/qos.py">
<properties>
<help>Quality of Service (QoS)</help>
+ <priority>900</priority>
</properties>
<children>
<tagNode name="interface">
@@ -24,17 +25,7 @@
<properties>
<help>Interface ingress traffic policy</help>
<completionHelp>
- <path>traffic-policy drop-tail</path>
- <path>traffic-policy fair-queue</path>
- <path>traffic-policy fq-codel</path>
- <path>traffic-policy limiter</path>
- <path>traffic-policy network-emulator</path>
- <path>traffic-policy priority-queue</path>
- <path>traffic-policy random-detect</path>
- <path>traffic-policy rate-control</path>
- <path>traffic-policy round-robin</path>
- <path>traffic-policy shaper</path>
- <path>traffic-policy shaper-hfsc</path>
+ <path>qos policy limiter</path>
</completionHelp>
<valueHelp>
<format>txt</format>
@@ -46,17 +37,17 @@
<properties>
<help>Interface egress traffic policy</help>
<completionHelp>
- <path>traffic-policy drop-tail</path>
- <path>traffic-policy fair-queue</path>
- <path>traffic-policy fq-codel</path>
- <path>traffic-policy limiter</path>
- <path>traffic-policy network-emulator</path>
- <path>traffic-policy priority-queue</path>
- <path>traffic-policy random-detect</path>
- <path>traffic-policy rate-control</path>
- <path>traffic-policy round-robin</path>
- <path>traffic-policy shaper</path>
- <path>traffic-policy shaper-hfsc</path>
+ <path>qos policy cake</path>
+ <path>qos policy drop-tail</path>
+ <path>qos policy fair-queue</path>
+ <path>qos policy fq-codel</path>
+ <path>qos policy network-emulator</path>
+ <path>qos policy priority-queue</path>
+ <path>qos policy random-detect</path>
+ <path>qos policy rate-control</path>
+ <path>qos policy round-robin</path>
+ <path>qos policy shaper</path>
+ <path>qos policy shaper-hfsc</path>
</completionHelp>
<valueHelp>
<format>txt</format>
@@ -66,12 +57,97 @@
</leafNode>
</children>
</tagNode>
- <node name="policy" owner="${vyos_conf_scripts_dir}/qos.py">
+ <node name="policy">
<properties>
<help>Service Policy definitions</help>
- <priority>900</priority>
</properties>
<children>
+ <tagNode name="cake">
+ <properties>
+ <help>Common Applications Kept Enhanced (CAKE)</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Policy name</description>
+ </valueHelp>
+ <constraint>
+ <regex>[[:alnum:]][-_[:alnum:]]*</regex>
+ </constraint>
+ <constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/generic-description.xml.i>
+ #include <include/qos/bandwidth.xml.i>
+ <node name="flow-isolation">
+ <properties>
+ <help>Flow isolation settings</help>
+ </properties>
+ <children>
+ <leafNode name="blind">
+ <properties>
+ <help>Disables flow isolation, all traffic passes through a single queue</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="src-host">
+ <properties>
+ <help>Flows are defined only by source address</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="dst-host">
+ <properties>
+ <help>Flows are defined only by destination address</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="host">
+ <properties>
+ <help>Flows are defined by source-destination host pairs</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="flow">
+ <properties>
+ <help>Flows are defined by the entire 5-tuple</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="dual-src-host">
+ <properties>
+ <help>Flows are defined by the 5-tuple, and fairness is applied first over source addresses, then over individual flows</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="dual-dst-host">
+ <properties>
+ <help>Flows are defined by the 5-tuple, and fairness is applied first over destination addresses, then over individual flows</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="nat">
+ <properties>
+ <help>Perform NAT lookup before applying flow-isolation rules</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="rtt">
+ <properties>
+ <help>Round-Trip-Time for Active Queue Management (AQM)</help>
+ <valueHelp>
+ <format>u32:1-3600000</format>
+ <description>RTT in ms</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-3600000"/>
+ </constraint>
+ <constraintErrorMessage>RTT must be in range 1 to 3600000 milli-seconds</constraintErrorMessage>
+ </properties>
+ <defaultValue>100</defaultValue>
+ </leafNode>
+ </children>
+ </tagNode>
<tagNode name="drop-tail">
<properties>
<help>Packet limited First In, First Out queue</help>
@@ -125,13 +201,13 @@
<properties>
<help>Upper limit of the SFQ</help>
<valueHelp>
- <format>u32:2-127</format>
+ <format>u32:1-127</format>
<description>Queue size in packets</description>
</valueHelp>
<constraint>
- <validator name="numeric" argument="--range 2-127"/>
+ <validator name="numeric" argument="--range 1-127"/>
</constraint>
- <constraintErrorMessage>Queue limit must greater than 1 and less than 128</constraintErrorMessage>
+ <constraintErrorMessage>Queue limit must be in range 1 to 127</constraintErrorMessage>
</properties>
<defaultValue>127</defaultValue>
</leafNode>
@@ -139,7 +215,7 @@
</tagNode>
<tagNode name="fq-codel">
<properties>
- <help>Fair Queuing Controlled Delay</help>
+ <help>Fair Queuing (FQ) with Controlled Delay (CoDel)</help>
<valueHelp>
<format>txt</format>
<description>Policy name</description>
@@ -171,6 +247,7 @@
<constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
</properties>
<children>
+ #include <include/generic-description.xml.i>
<tagNode name="class">
<properties>
<help>Class ID</help>
@@ -184,23 +261,13 @@
<constraintErrorMessage>Class identifier must be between 1 and 4090</constraintErrorMessage>
</properties>
<children>
+ #include <include/generic-description.xml.i>
#include <include/qos/bandwidth.xml.i>
#include <include/qos/burst.xml.i>
- #include <include/generic-description.xml.i>
- #include <include/qos/match.xml.i>
- #include <include/qos/limiter-actions.xml.i>
+ #include <include/qos/class-police-exceed.xml.i>
+ #include <include/qos/class-match.xml.i>
+ #include <include/qos/class-priority.xml.i>
<leafNode name="priority">
- <properties>
- <help>Priority for rule evaluation</help>
- <valueHelp>
- <format>u32:0-20</format>
- <description>Priority for match rule evaluation</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-20"/>
- </constraint>
- <constraintErrorMessage>Priority must be between 0 and 20</constraintErrorMessage>
- </properties>
<defaultValue>20</defaultValue>
</leafNode>
</children>
@@ -212,10 +279,9 @@
<children>
#include <include/qos/bandwidth.xml.i>
#include <include/qos/burst.xml.i>
- #include <include/qos/limiter-actions.xml.i>
+ #include <include/qos/class-police-exceed.xml.i>
</children>
</node>
- #include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="network-emulator">
@@ -231,10 +297,9 @@
<constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
</properties>
<children>
- #include <include/qos/bandwidth.xml.i>
- #include <include/qos/burst.xml.i>
#include <include/generic-description.xml.i>
- <leafNode name="network-delay">
+ #include <include/qos/bandwidth.xml.i>
+ <leafNode name="delay">
<properties>
<help>Adds delay to packets outgoing to chosen network interface</help>
<valueHelp>
@@ -247,7 +312,7 @@
<constraintErrorMessage>Priority must be between 0 and 65535</constraintErrorMessage>
</properties>
</leafNode>
- <leafNode name="packet-corruption">
+ <leafNode name="corruption">
<properties>
<help>Introducing error in a random position for chosen percent of packets</help>
<valueHelp>
@@ -260,9 +325,9 @@
<constraintErrorMessage>Priority must be between 0 and 100</constraintErrorMessage>
</properties>
</leafNode>
- <leafNode name="packet-loss">
+ <leafNode name="duplicate">
<properties>
- <help>Add independent loss probability to the packets outgoing to chosen network interface</help>
+ <help>Cosen percent of packets is duplicated before queuing them</help>
<valueHelp>
<format>&lt;number&gt;</format>
<description>Percentage of packets affected</description>
@@ -270,10 +335,10 @@
<constraint>
<validator name="numeric" argument="--range 0-100"/>
</constraint>
- <constraintErrorMessage>Must be between 0 and 100</constraintErrorMessage>
+ <constraintErrorMessage>Priority must be between 0 and 100</constraintErrorMessage>
</properties>
</leafNode>
- <leafNode name="packet-loss">
+ <leafNode name="loss">
<properties>
<help>Add independent loss probability to the packets outgoing to chosen network interface</help>
<valueHelp>
@@ -286,9 +351,9 @@
<constraintErrorMessage>Must be between 0 and 100</constraintErrorMessage>
</properties>
</leafNode>
- <leafNode name="packet-loss">
+ <leafNode name="reordering">
<properties>
- <help>Packet reordering percentage</help>
+ <help>Emulated packet reordering percentage</help>
<valueHelp>
<format>&lt;number&gt;</format>
<description>Percentage of packets affected</description>
@@ -315,6 +380,7 @@
<constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
</properties>
<children>
+ #include <include/generic-description.xml.i>
<tagNode name="class">
<properties>
<help>Class Handle</help>
@@ -332,10 +398,13 @@
#include <include/qos/codel-quantum.xml.i>
#include <include/qos/flows.xml.i>
#include <include/qos/interval.xml.i>
- #include <include/qos/match.xml.i>
- #include <include/qos/queue-limit-2-10999.xml.i>
- #include <include/qos/target.xml.i>
+ #include <include/qos/class-match.xml.i>
+ #include <include/qos/queue-limit-1-4294967295.xml.i>
#include <include/qos/queue-type.xml.i>
+ <leafNode name="queue-type">
+ <defaultValue>drop-tail</defaultValue>
+ </leafNode>
+ #include <include/qos/target.xml.i>
</children>
</tagNode>
<node name="default">
@@ -343,21 +412,22 @@
<help>Default policy</help>
</properties>
<children>
- #include <include/generic-description.xml.i>
#include <include/qos/codel-quantum.xml.i>
#include <include/qos/flows.xml.i>
#include <include/qos/interval.xml.i>
- #include <include/qos/queue-limit-2-10999.xml.i>
- #include <include/qos/target.xml.i>
+ #include <include/qos/queue-limit-1-4294967295.xml.i>
#include <include/qos/queue-type.xml.i>
+ <leafNode name="queue-type">
+ <defaultValue>drop-tail</defaultValue>
+ </leafNode>
+ #include <include/qos/target.xml.i>
</children>
</node>
- #include <include/generic-description.xml.i>
</children>
</tagNode>
<tagNode name="random-detect">
<properties>
- <help>Priority queuing based policy</help>
+ <help>Weighted Random Early Detect policy</help>
<valueHelp>
<format>txt</format>
<description>Policy name</description>
@@ -368,11 +438,8 @@
<constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
</properties>
<children>
- #include <include/qos/bandwidth.xml.i>
- <leafNode name="bandwidth">
- <defaultValue>auto</defaultValue>
- </leafNode>
#include <include/generic-description.xml.i>
+ #include <include/qos/bandwidth-auto.xml.i>
<tagNode name="precedence">
<properties>
<help>IP precedence</help>
@@ -413,6 +480,7 @@
</constraint>
<constraintErrorMessage>Mark probability must be greater than 0</constraintErrorMessage>
</properties>
+ <defaultValue>10</defaultValue>
</leafNode>
<leafNode name="maximum-threshold">
<properties>
@@ -426,6 +494,7 @@
</constraint>
<constraintErrorMessage>Threshold must be between 0 and 4096</constraintErrorMessage>
</properties>
+ <defaultValue>18</defaultValue>
</leafNode>
<leafNode name="minimum-threshold">
<properties>
@@ -457,8 +526,8 @@
<constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
</properties>
<children>
- #include <include/qos/bandwidth.xml.i>
#include <include/generic-description.xml.i>
+ #include <include/qos/bandwidth.xml.i>
#include <include/qos/burst.xml.i>
<leafNode name="latency">
<properties>
@@ -478,7 +547,7 @@
</tagNode>
<tagNode name="round-robin">
<properties>
- <help>Round-Robin based policy</help>
+ <help>Deficit Round Robin Scheduler</help>
<valueHelp>
<format>txt</format>
<description>Policy name</description>
@@ -503,11 +572,11 @@
<constraintErrorMessage>Class identifier must be between 1 and 4095</constraintErrorMessage>
</properties>
<children>
- #include <include/qos/codel-quantum.xml.i>
#include <include/generic-description.xml.i>
+ #include <include/qos/codel-quantum.xml.i>
#include <include/qos/flows.xml.i>
#include <include/qos/interval.xml.i>
- #include <include/qos/match.xml.i>
+ #include <include/qos/class-match.xml.i>
<leafNode name="quantum">
<properties>
<help>Packet scheduling quantum</help>
@@ -523,111 +592,26 @@
</leafNode>
#include <include/qos/queue-limit-1-4294967295.xml.i>
#include <include/qos/queue-type.xml.i>
+ <leafNode name="queue-type">
+ <defaultValue>drop-tail</defaultValue>
+ </leafNode>
#include <include/qos/target.xml.i>
</children>
</tagNode>
- </children>
- </tagNode>
- <tagNode name="shaper-hfsc">
- <properties>
- <help>Hierarchical Fair Service Curve's policy</help>
- <valueHelp>
- <format>txt</format>
- <description>Policy name</description>
- </valueHelp>
- <constraint>
- <regex>[[:alnum:]][-_[:alnum:]]*</regex>
- </constraint>
- <constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
- </properties>
- <children>
- #include <include/qos/bandwidth.xml.i>
- <leafNode name="bandwidth">
- <defaultValue>auto</defaultValue>
- </leafNode>
- #include <include/generic-description.xml.i>
- <tagNode name="class">
- <properties>
- <help>Class ID</help>
- <valueHelp>
- <format>u32:1-4095</format>
- <description>Class Identifier</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-4095"/>
- </constraint>
- <constraintErrorMessage>Class identifier must be between 1 and 4095</constraintErrorMessage>
- </properties>
- <children>
- #include <include/generic-description.xml.i>
- <node name="linkshare">
- <properties>
- <help>Linkshare class settings</help>
- </properties>
- <children>
- #include <include/qos/hfsc-d.xml.i>
- #include <include/qos/hfsc-m1.xml.i>
- #include <include/qos/hfsc-m2.xml.i>
- </children>
- </node>
- #include <include/qos/match.xml.i>
- <node name="realtime">
- <properties>
- <help>Realtime class settings</help>
- </properties>
- <children>
- #include <include/qos/hfsc-d.xml.i>
- #include <include/qos/hfsc-m1.xml.i>
- #include <include/qos/hfsc-m2.xml.i>
- </children>
- </node>
- <node name="upperlimit">
- <properties>
- <help>Upperlimit class settings</help>
- </properties>
- <children>
- #include <include/qos/hfsc-d.xml.i>
- #include <include/qos/hfsc-m1.xml.i>
- #include <include/qos/hfsc-m2.xml.i>
- </children>
- </node>
- </children>
- </tagNode>
<node name="default">
<properties>
<help>Default policy</help>
</properties>
<children>
- <node name="linkshare">
- <properties>
- <help>Linkshare class settings</help>
- </properties>
- <children>
- #include <include/qos/hfsc-d.xml.i>
- #include <include/qos/hfsc-m1.xml.i>
- #include <include/qos/hfsc-m2.xml.i>
- </children>
- </node>
- <node name="realtime">
- <properties>
- <help>Realtime class settings</help>
- </properties>
- <children>
- #include <include/qos/hfsc-d.xml.i>
- #include <include/qos/hfsc-m1.xml.i>
- #include <include/qos/hfsc-m2.xml.i>
- </children>
- </node>
- <node name="upperlimit">
- <properties>
- <help>Upperlimit class settings</help>
- </properties>
- <children>
- #include <include/qos/hfsc-d.xml.i>
- #include <include/qos/hfsc-m1.xml.i>
- #include <include/qos/hfsc-m2.xml.i>
- </children>
- </node>
+ #include <include/qos/codel-quantum.xml.i>
+ #include <include/qos/flows.xml.i>
+ #include <include/qos/interval.xml.i>
+ #include <include/qos/queue-limit-1-4294967295.xml.i>
+ #include <include/qos/queue-type.xml.i>
+ <leafNode name="queue-type">
+ <defaultValue>fair-queue</defaultValue>
+ </leafNode>
+ #include <include/qos/target.xml.i>
</children>
</node>
</children>
@@ -645,10 +629,8 @@
<constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
</properties>
<children>
- #include <include/qos/bandwidth.xml.i>
- <leafNode name="bandwidth">
- <defaultValue>auto</defaultValue>
- </leafNode>
+ #include <include/generic-description.xml.i>
+ #include <include/qos/bandwidth-auto.xml.i>
<tagNode name="class">
<properties>
<help>Class ID</help>
@@ -662,10 +644,8 @@
<constraintErrorMessage>Class identifier must be between 2 and 4095</constraintErrorMessage>
</properties>
<children>
- #include <include/qos/bandwidth.xml.i>
- <leafNode name="bandwidth">
- <defaultValue>100%</defaultValue>
- </leafNode>
+ #include <include/generic-description.xml.i>
+ #include <include/qos/bandwidth-auto.xml.i>
#include <include/qos/burst.xml.i>
<leafNode name="ceiling">
<properties>
@@ -697,31 +677,19 @@
</properties>
</leafNode>
#include <include/qos/codel-quantum.xml.i>
- #include <include/generic-description.xml.i>
#include <include/qos/flows.xml.i>
#include <include/qos/interval.xml.i>
- #include <include/qos/match.xml.i>
- <leafNode name="priority">
- <properties>
- <help>Priority for usage of excess bandwidth</help>
- <valueHelp>
- <format>u32:0-7</format>
- <description>Priority order for bandwidth pool</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-7"/>
- </constraint>
- <constraintErrorMessage>Priority must be between 0 and 7</constraintErrorMessage>
- </properties>
- <defaultValue>20</defaultValue>
- </leafNode>
+ #include <include/qos/class-match.xml.i>
+ #include <include/qos/class-priority.xml.i>
#include <include/qos/queue-limit-1-4294967295.xml.i>
#include <include/qos/queue-type.xml.i>
+ <leafNode name="queue-type">
+ <defaultValue>fq-codel</defaultValue>
+ </leafNode>
#include <include/qos/set-dscp.xml.i>
#include <include/qos/target.xml.i>
</children>
</tagNode>
- #include <include/generic-description.xml.i>
<node name="default">
<properties>
<help>Default policy</help>
@@ -759,7 +727,6 @@
</properties>
</leafNode>
#include <include/qos/codel-quantum.xml.i>
- #include <include/generic-description.xml.i>
#include <include/qos/flows.xml.i>
#include <include/qos/interval.xml.i>
<leafNode name="priority">
@@ -778,12 +745,116 @@
</leafNode>
#include <include/qos/queue-limit-1-4294967295.xml.i>
#include <include/qos/queue-type.xml.i>
+ <leafNode name="queue-type">
+ <defaultValue>fq-codel</defaultValue>
+ </leafNode>
#include <include/qos/set-dscp.xml.i>
#include <include/qos/target.xml.i>
</children>
</node>
</children>
</tagNode>
+ <tagNode name="shaper-hfsc">
+ <properties>
+ <help>Hierarchical Fair Service Curve's policy</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Policy name</description>
+ </valueHelp>
+ <constraint>
+ <regex>[[:alnum:]][-_[:alnum:]]*</regex>
+ </constraint>
+ <constraintErrorMessage>Only alpha-numeric policy name allowed</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/generic-description.xml.i>
+ #include <include/qos/bandwidth-auto.xml.i>
+ <tagNode name="class">
+ <properties>
+ <help>Class ID</help>
+ <valueHelp>
+ <format>u32:1-4095</format>
+ <description>Class Identifier</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4095"/>
+ </constraint>
+ <constraintErrorMessage>Class identifier must be between 1 and 4095</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/generic-description.xml.i>
+ <node name="linkshare">
+ <properties>
+ <help>Linkshare class settings</help>
+ </properties>
+ <children>
+ #include <include/qos/hfsc-d.xml.i>
+ #include <include/qos/hfsc-m1.xml.i>
+ #include <include/qos/hfsc-m2.xml.i>
+ </children>
+ </node>
+ #include <include/qos/class-match.xml.i>
+ <node name="realtime">
+ <properties>
+ <help>Realtime class settings</help>
+ </properties>
+ <children>
+ #include <include/qos/hfsc-d.xml.i>
+ #include <include/qos/hfsc-m1.xml.i>
+ #include <include/qos/hfsc-m2.xml.i>
+ </children>
+ </node>
+ <node name="upperlimit">
+ <properties>
+ <help>Upperlimit class settings</help>
+ </properties>
+ <children>
+ #include <include/qos/hfsc-d.xml.i>
+ #include <include/qos/hfsc-m1.xml.i>
+ #include <include/qos/hfsc-m2.xml.i>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ <node name="default">
+ <properties>
+ <help>Default policy</help>
+ </properties>
+ <children>
+ <node name="linkshare">
+ <properties>
+ <help>Linkshare class settings</help>
+ </properties>
+ <children>
+ #include <include/qos/hfsc-d.xml.i>
+ #include <include/qos/hfsc-m1.xml.i>
+ #include <include/qos/hfsc-m2.xml.i>
+ </children>
+ </node>
+ <node name="realtime">
+ <properties>
+ <help>Realtime class settings</help>
+ </properties>
+ <children>
+ #include <include/qos/hfsc-d.xml.i>
+ #include <include/qos/hfsc-m1.xml.i>
+ #include <include/qos/hfsc-m2.xml.i>
+ </children>
+ </node>
+ <node name="upperlimit">
+ <properties>
+ <help>Upperlimit class settings</help>
+ </properties>
+ <children>
+ #include <include/qos/hfsc-d.xml.i>
+ #include <include/qos/hfsc-m1.xml.i>
+ #include <include/qos/hfsc-m2.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </tagNode>
</children>
</node>
</children>
diff --git a/interface-definitions/service-pppoe-server.xml.in b/interface-definitions/service-pppoe-server.xml.in
index b31109296..47ad96582 100644
--- a/interface-definitions/service-pppoe-server.xml.in
+++ b/interface-definitions/service-pppoe-server.xml.in
@@ -170,52 +170,7 @@
</properties>
</leafNode>
#include <include/accel-ppp/ppp-options-ipv6.xml.i>
- <leafNode name="ipv6-intf-id">
- <properties>
- <help>Fixed or random interface identifier for IPv6</help>
- <completionHelp>
- <list>random</list>
- </completionHelp>
- <valueHelp>
- <format>random</format>
- <description>Random interface identifier for IPv6</description>
- </valueHelp>
- <valueHelp>
- <format>x:x:x:x</format>
- <description>specify interface identifier for IPv6</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="ipv6-peer-intf-id">
- <properties>
- <help>Peer interface identifier for IPv6</help>
- <completionHelp>
- <list>random calling-sid ipv4</list>
- </completionHelp>
- <valueHelp>
- <format>x:x:x:x</format>
- <description>Interface identifier for IPv6</description>
- </valueHelp>
- <valueHelp>
- <format>random</format>
- <description>Use a random interface identifier for IPv6</description>
- </valueHelp>
- <valueHelp>
- <format>ipv4</format>
- <description>Calculate interface identifier from IPv4 address, for example 192:168:0:1</description>
- </valueHelp>
- <valueHelp>
- <format>calling-sid</format>
- <description>Calculate interface identifier from calling-station-id</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="ipv6-accept-peer-intf-id">
- <properties>
- <help>Accept peer interface identifier</help>
- <valueless />
- </properties>
- </leafNode>
+ #include <include/accel-ppp/ppp-options-ipv6-interface-id.xml.i>
</children>
</node>
<tagNode name="pado-delay">
diff --git a/interface-definitions/service-router-advert.xml.in b/interface-definitions/service-router-advert.xml.in
index 87ec512d6..8b7364a8c 100644
--- a/interface-definitions/service-router-advert.xml.in
+++ b/interface-definitions/service-router-advert.xml.in
@@ -305,6 +305,19 @@
</leafNode>
</children>
</tagNode>
+ <leafNode name="source-address">
+ <properties>
+ <help>Use IPv6 address as source address. Useful with VRRP.</help>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address to be advertized (must be configured on interface)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
<leafNode name="reachable-time">
<properties>
<help>Time, in milliseconds, that a node assumes a neighbor is reachable after having received a reachability confirmation</help>
diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in
index a9fed81fe..bb15e467e 100644
--- a/interface-definitions/system-option.xml.in
+++ b/interface-definitions/system-option.xml.in
@@ -121,6 +121,7 @@
</properties>
<children>
#include <include/source-address-ipv4-ipv6.xml.i>
+ #include <include/source-interface.xml.i>
</children>
</node>
<leafNode name="startup-beep">
diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in
index 06ca4ece5..86aeb324e 100644
--- a/interface-definitions/vpn-l2tp.xml.in
+++ b/interface-definitions/vpn-l2tp.xml.in
@@ -251,6 +251,7 @@
<children>
#include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
#include <include/accel-ppp/ppp-options-ipv6.xml.i>
+ #include <include/accel-ppp/ppp-options-ipv6-interface-id.xml.i>
</children>
</node>
</children>
diff --git a/interface-definitions/xml-component-version.xml.in b/interface-definitions/xml-component-version.xml.in
index 914e3bc69..2e6506efc 100644
--- a/interface-definitions/xml-component-version.xml.in
+++ b/interface-definitions/xml-component-version.xml.in
@@ -6,6 +6,7 @@
#include <include/version/config-management-version.xml.i>
#include <include/version/conntrack-sync-version.xml.i>
#include <include/version/conntrack-version.xml.i>
+ #include <include/version/container-version.xml.i>
#include <include/version/dhcp-relay-version.xml.i>
#include <include/version/dhcp-server-version.xml.i>
#include <include/version/dhcpv6-server-version.xml.i>
diff --git a/op-mode-definitions/dhcp.xml.in b/op-mode-definitions/dhcp.xml.in
index ce4026ff4..419abe7ad 100644
--- a/op-mode-definitions/dhcp.xml.in
+++ b/op-mode-definitions/dhcp.xml.in
@@ -16,7 +16,7 @@
<properties>
<help>Show DHCP server leases</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet</command>
<children>
<tagNode name="pool">
<properties>
@@ -25,25 +25,25 @@
<path>service dhcp-server shared-network-name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --leases --pool $6</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet --pool $6</command>
</tagNode>
<tagNode name="sort">
<properties>
<help>Show DHCP server leases sorted by the specified key</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/show_dhcp.py --allowed sort</script>
+ <list>end hostname ip mac pool remaining start state</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --leases --sort $6</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet --sort $6</command>
</tagNode>
<tagNode name="state">
<properties>
<help>Show DHCP server leases with a specific state (can be multiple, comma-separated)</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/show_dhcp.py --allowed state</script>
+ <list>abandoned active all backup expired free released reset</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --leases --state $(echo $6 | tr , " ")</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet --state $6</command>
</tagNode>
</children>
</node>
@@ -51,7 +51,7 @@
<properties>
<help>Show DHCP server statistics</help>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --statistics</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_pool_statistics --family inet</command>
<children>
<tagNode name="pool">
<properties>
@@ -60,7 +60,7 @@
<path>service dhcp-server shared-network-name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcp.py --statistics --pool $6</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_pool_statistics --family inet --pool $6</command>
</tagNode>
</children>
</node>
@@ -88,28 +88,28 @@
<properties>
<help>Show DHCPv6 server leases for a specific pool</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --allowed pool</script>
+ <path>service dhcpv6-server shared-network-name</path>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --leases --pool $6</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet6 --pool $6</command>
</tagNode>
<tagNode name="sort">
<properties>
<help>Show DHCPv6 server leases sorted by the specified key</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --allowed sort</script>
+ <list>end iaid_duid ip last_communication pool remaining state type</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --leases --sort $6</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet6 --sort $6</command>
</tagNode>
<tagNode name="state">
<properties>
<help>Show DHCPv6 server leases with a specific state (can be multiple, comma-separated)</help>
<completionHelp>
- <script>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --allowed state</script>
+ <list>abandoned active all backup expired free released reset</list>
</completionHelp>
</properties>
- <command>sudo ${vyos_op_scripts_dir}/show_dhcpv6.py --leases --state $(echo $6 | tr , " ")</command>
+ <command>${vyos_op_scripts_dir}/dhcp.py show_server_leases --family inet6 --state $6</command>
</tagNode>
</children>
</node>
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
new file mode 100755
index 000000000..d0519b6bd
--- /dev/null
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -0,0 +1,90 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="generate">
+ <children>
+ <node name="system">
+ <properties>
+ <help>Generate system related parameters</help>
+ </properties>
+ <children>
+ <node name="login">
+ <properties>
+ <help>Generate system login related parameters</help>
+ </properties>
+ <children>
+ <tagNode name="username">
+ <properties>
+ <help>Username used for authentication</help>
+ <completionHelp>
+ <list>&lt;username&gt;</list>
+ </completionHelp>
+ </properties>
+ <children>
+ <node name="otp-key">
+ <properties>
+ <help>Generate OpenConnect OTP token</help>
+ </properties>
+ <children>
+ <node name="hotp-time">
+ <properties>
+ <help>HOTP time-based token</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5"</command>
+ <children>
+ <tagNode name="rate-limit">
+ <properties>
+ <help>Duration of single time interval</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9"</command>
+ <children>
+ <tagNode name="rate-time">
+ <properties>
+ <help>The number of digits in the one-time password</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" </command>
+ <children>
+ <tagNode name="window-size">
+ <properties>
+ <help>The number of digits in the one-time password</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "$9" --rate_time "${11}" --window_size "${13}"</command>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <tagNode name="window-size">
+ <properties>
+ <help>The number of digits in the one-time password</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window_size "${9}"</command>
+ <children>
+ <tagNode name="rate-limit">
+ <properties>
+ <help>Duration of single time interval</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --window_size "${9}"</command>
+ <children>
+ <tagNode name="rate-time">
+ <properties>
+ <help>Duration of single time interval</help>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate_limit "${11}" --rate_time "${13}" --window_size "${9}"</command>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/generate-wireguard.xml.in b/op-mode-definitions/generate-wireguard.xml.in
index 259c9a898..0ef983cd2 100644
--- a/op-mode-definitions/generate-wireguard.xml.in
+++ b/op-mode-definitions/generate-wireguard.xml.in
@@ -7,24 +7,6 @@
<help>Generate WireGuard keys</help>
</properties>
<children>
- <leafNode name="default-keypair">
- <properties>
- <help>generates the wireguard default-keypair</help>
- </properties>
- <command>echo "This command is deprecated. Please use: \"generate pki wireguard key-pair\""</command>
- </leafNode>
- <leafNode name="preshared-key">
- <properties>
- <help>generate a wireguard preshared key</help>
- </properties>
- <command>echo "This command is deprecated. Please use: \"generate pki wireguard pre-shared-key\""</command>
- </leafNode>
- <tagNode name="named-keypairs">
- <properties>
- <help>Generates named wireguard keypairs</help>
- </properties>
- <command>echo "This command is deprecated. Please use: \"generate pki wireguard key-pair install wgN\""</command>
- </tagNode>
<tagNode name="client-config">
<properties>
<help>Generate Client config QR code</help>
diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in
index 1b1f53dc2..c14f45d75 100644
--- a/op-mode-definitions/monitor-log.xml.in
+++ b/op-mode-definitions/monitor-log.xml.in
@@ -212,6 +212,12 @@
</tagNode>
</children>
</node>
+ <leafNode name="router-advert">
+ <properties>
+ <help>Monitor last lines of Router Advertisement Daemon (radvd)</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --follow --unit radvd.service</command>
+ </leafNode>
<leafNode name="snmp">
<properties>
<help>Monitor last lines of Simple Network Monitoring Protocol (SNMP)</help>
@@ -256,7 +262,7 @@
<properties>
<help>Monitor last lines of IPsec</help>
</properties>
- <command>journalctl --no-hostname --boot --follow --unit strongswan-starter.service</command>
+ <command>journalctl --no-hostname --boot --follow --unit strongswan.service</command>
</leafNode>
<leafNode name="l2tp">
<properties>
diff --git a/op-mode-definitions/nat.xml.in b/op-mode-definitions/nat.xml.in
index 50abb1555..307a91337 100644
--- a/op-mode-definitions/nat.xml.in
+++ b/op-mode-definitions/nat.xml.in
@@ -4,7 +4,7 @@
<children>
<node name="nat">
<properties>
- <help>Show IPv4 to IPv4 Network Address Translation (NAT) information</help>
+ <help>Show IPv4 Network Address Translation (NAT) information</help>
</properties>
<children>
<node name="source">
@@ -16,13 +16,13 @@
<properties>
<help>Show configured source NAT rules</help>
</properties>
- <command>${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction source --family inet</command>
</node>
<node name="statistics">
<properties>
<help>Show statistics for configured source NAT rules</help>
</properties>
- <command>${vyos_op_scripts_dir}/nat.py show_statistics --direction source --family inet</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction source --family inet</command>
</node>
<node name="translations">
<properties>
@@ -36,16 +36,10 @@
<list>&lt;x.x.x.x&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_nat_translations.py --type=source --verbose --ipaddr="$6"</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet --address "$6"</command>
</tagNode>
- <node name="detail">
- <properties>
- <help>Show active source NAT translations detail</help>
- </properties>
- <command>${vyos_op_scripts_dir}/show_nat_translations.py --type=source --verbose</command>
- </node>
</children>
- <command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet</command>
</node>
</children>
</node>
@@ -58,13 +52,13 @@
<properties>
<help>Show configured destination NAT rules</help>
</properties>
- <command>${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_rules --direction destination --family inet</command>
</node>
<node name="statistics">
<properties>
<help>Show statistics for configured destination NAT rules</help>
</properties>
- <command>${vyos_op_scripts_dir}/nat.py show_statistics --direction destination --family inet</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction destination --family inet</command>
</node>
<node name="translations">
<properties>
@@ -78,16 +72,10 @@
<list>&lt;x.x.x.x&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_nat_translations.py --type=destination --verbose --ipaddr="$6"</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet --address "$6"</command>
</tagNode>
- <node name="detail">
- <properties>
- <help>Show active destination NAT translations detail</help>
- </properties>
- <command>${vyos_op_scripts_dir}/show_nat_translations.py --type=destination --verbose</command>
- </node>
</children>
- <command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/nat66.xml.in b/op-mode-definitions/nat66.xml.in
index 25aa04d59..6a8a39000 100644
--- a/op-mode-definitions/nat66.xml.in
+++ b/op-mode-definitions/nat66.xml.in
@@ -4,7 +4,7 @@
<children>
<node name="nat66">
<properties>
- <help>Show IPv6 to IPv6 Network Address Translation (NAT66) information</help>
+ <help>Show IPv6 Network Address Translation (NAT66) information</help>
</properties>
<children>
<node name="source">
@@ -22,7 +22,7 @@
<properties>
<help>Show statistics for configured source NAT66 rules</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_nat66_statistics.py --source</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction source --family inet6</command>
</node>
<node name="translations">
<properties>
@@ -36,14 +36,8 @@
<list>&lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_nat66_translations.py --type=source --verbose --ipaddr="$6"</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6 --address "$6"</command>
</tagNode>
- <node name="detail">
- <properties>
- <help>Show active source NAT66 translations detail</help>
- </properties>
- <command>${vyos_op_scripts_dir}/show_nat66_translations.py --type=source --verbose</command>
- </node>
</children>
<command>${vyos_op_scripts_dir}/nat.py show_translations --direction source --family inet6</command>
</node>
@@ -64,7 +58,7 @@
<properties>
<help>Show statistics for configured destination NAT66 rules</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_nat66_statistics.py --destination</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_statistics --direction destination --family inet6</command>
</node>
<node name="translations">
<properties>
@@ -78,14 +72,8 @@
<list>&lt;h:h:h:h:h:h:h:h&gt;</list>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_nat66_translations.py --type=destination --verbose --ipaddr="$6"</command>
+ <command>sudo ${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6 --address "$6"</command>
</tagNode>
- <node name="detail">
- <properties>
- <help>Show active destination NAT66 translations detail</help>
- </properties>
- <command>${vyos_op_scripts_dir}/show_nat66_translations.py --type=destination --verbose</command>
- </node>
</children>
<command>${vyos_op_scripts_dir}/nat.py show_translations --direction destination --family inet6</command>
</node>
diff --git a/op-mode-definitions/openvpn.xml.in b/op-mode-definitions/openvpn.xml.in
index aec09fa48..b2763da81 100644
--- a/op-mode-definitions/openvpn.xml.in
+++ b/op-mode-definitions/openvpn.xml.in
@@ -37,12 +37,13 @@
<properties>
<help>Show OpenVPN interface information</help>
</properties>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=openvpn</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed OpenVPN interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=openvpn --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=openvpn</command>
</leafNode>
</children>
</node>
@@ -53,7 +54,7 @@
<script>sudo ${vyos_completion_dir}/list_interfaces.py --type openvpn</script>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf=$4</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name=$4</command>
<children>
<tagNode name="user">
<properties>
@@ -94,7 +95,7 @@
<properties>
<help>Show summary of specified OpenVPN interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/show-acceleration.xml.in b/op-mode-definitions/show-acceleration.xml.in
index d0dcea2d6..6fd3babf5 100644
--- a/op-mode-definitions/show-acceleration.xml.in
+++ b/op-mode-definitions/show-acceleration.xml.in
@@ -29,13 +29,13 @@
<properties>
<help>Intel QAT flows</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_acceleration.py --flow --dev $6</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --flow --dev $6</command>
</node>
<node name="config">
<properties>
<help>Intel QAT configuration</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_acceleration.py --conf --dev $6</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --conf --dev $6</command>
</node>
</children>
</tagNode>
@@ -43,16 +43,16 @@
<properties>
<help>Intel QAT status</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_acceleration.py --status</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --status</command>
</node>
<node name="interrupts">
<properties>
<help>Intel QAT interrupts</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_acceleration.py --interrupts</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --interrupts</command>
</node>
</children>
- <command>${vyos_op_scripts_dir}/show_acceleration.py --hw</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_acceleration.py --hw</command>
</node>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-bonding.xml.in b/op-mode-definitions/show-interfaces-bonding.xml.in
index c5f82b70e..6908153dd 100644
--- a/op-mode-definitions/show-interfaces-bonding.xml.in
+++ b/op-mode-definitions/show-interfaces-bonding.xml.in
@@ -11,13 +11,13 @@
<path>interfaces bonding</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified bonding interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
<leafNode name="detail">
<properties>
@@ -38,13 +38,13 @@
<path>interfaces bonding ${COMP_WORDS[3]} vif</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4.$6"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4.$6"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of specified virtual network interface (vif) information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4.$6" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4.$6"</command>
</leafNode>
</children>
</tagNode>
@@ -60,13 +60,13 @@
<properties>
<help>Show Bonding interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=bonding --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=bonding</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed bonding interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=bonding --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=bonding</command>
</leafNode>
<leafNode name="slaves">
<properties>
diff --git a/op-mode-definitions/show-interfaces-bridge.xml.in b/op-mode-definitions/show-interfaces-bridge.xml.in
index e1444bd84..b950c3a17 100644
--- a/op-mode-definitions/show-interfaces-bridge.xml.in
+++ b/op-mode-definitions/show-interfaces-bridge.xml.in
@@ -11,13 +11,13 @@
<path>interfaces bridge</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified bridge interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show Bridge interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=bridge --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=bridge</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed bridge interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=bridge --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=bridge</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-dummy.xml.in b/op-mode-definitions/show-interfaces-dummy.xml.in
index 52d2cc7ee..398e00636 100644
--- a/op-mode-definitions/show-interfaces-dummy.xml.in
+++ b/op-mode-definitions/show-interfaces-dummy.xml.in
@@ -11,13 +11,13 @@
<path>interfaces dummy</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified dummy interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show Dummy interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=dummy --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=dummy</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed dummy interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=dummy --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=dummy</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-ethernet.xml.in b/op-mode-definitions/show-interfaces-ethernet.xml.in
index f8d1c9395..40d4adbb2 100644
--- a/op-mode-definitions/show-interfaces-ethernet.xml.in
+++ b/op-mode-definitions/show-interfaces-ethernet.xml.in
@@ -11,13 +11,13 @@
<path>interfaces ethernet</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified ethernet interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
<leafNode name="identify">
<properties>
@@ -58,13 +58,13 @@
<path>interfaces ethernet ${COMP_WORDS[3]} vif</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4.$6"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4.$6"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of specified virtual network interface (vif) information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4.$6" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4.$6"</command>
</leafNode>
</children>
</tagNode>
@@ -80,13 +80,13 @@
<properties>
<help>Show Ethernet interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=ethernet --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=ethernet</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed ethernet interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=ethernet --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=ethernet</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-geneve.xml.in b/op-mode-definitions/show-interfaces-geneve.xml.in
index a47933315..be3084af3 100644
--- a/op-mode-definitions/show-interfaces-geneve.xml.in
+++ b/op-mode-definitions/show-interfaces-geneve.xml.in
@@ -11,13 +11,13 @@
<path>interfaces geneve</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified GENEVE interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show GENEVE interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=geneve --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=geneve</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed GENEVE interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=geneve --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=geneve</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-input.xml.in b/op-mode-definitions/show-interfaces-input.xml.in
index 9ae3828c8..1f8505160 100644
--- a/op-mode-definitions/show-interfaces-input.xml.in
+++ b/op-mode-definitions/show-interfaces-input.xml.in
@@ -11,13 +11,13 @@
<path>interfaces input</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified input interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show Input (ifb) interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=input --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=input</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed input interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=input --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=input</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-l2tpv3.xml.in b/op-mode-definitions/show-interfaces-l2tpv3.xml.in
index 2a1d6a1c6..ff08b8266 100644
--- a/op-mode-definitions/show-interfaces-l2tpv3.xml.in
+++ b/op-mode-definitions/show-interfaces-l2tpv3.xml.in
@@ -11,13 +11,13 @@
<path>interfaces l2tpv3</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified L2TPv3 interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show L2TPv3 interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=l2tpv3 --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=l2tpv3</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed L2TPv3 interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=l2tpv3 --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=l2tpv3</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-loopback.xml.in b/op-mode-definitions/show-interfaces-loopback.xml.in
index 25a75ffff..9919bf32b 100644
--- a/op-mode-definitions/show-interfaces-loopback.xml.in
+++ b/op-mode-definitions/show-interfaces-loopback.xml.in
@@ -11,13 +11,13 @@
<path>interfaces loopback</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
- <help>Show summary of the specified dummy interface information</help>
+ <help>Show summary of the specified Loopback interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show Loopback interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=loopback --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=loopback</command>
<children>
<leafNode name="detail">
<properties>
- <help>Show detailed dummy interface information</help>
+ <help>Show detailed Loopback interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=dummy --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=loopback</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-pppoe.xml.in b/op-mode-definitions/show-interfaces-pppoe.xml.in
index 09608bc04..80bfd00ff 100644
--- a/op-mode-definitions/show-interfaces-pppoe.xml.in
+++ b/op-mode-definitions/show-interfaces-pppoe.xml.in
@@ -11,7 +11,7 @@
<path>interfaces pppoe</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="log">
<properties>
@@ -34,13 +34,13 @@
<properties>
<help>Show PPPoE interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=pppoe --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=pppoe</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed PPPoE interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=pppoe --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=pppoe</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-pseudo-ethernet.xml.in b/op-mode-definitions/show-interfaces-pseudo-ethernet.xml.in
index 2ae4b5a9e..0c00dbdd0 100644
--- a/op-mode-definitions/show-interfaces-pseudo-ethernet.xml.in
+++ b/op-mode-definitions/show-interfaces-pseudo-ethernet.xml.in
@@ -11,13 +11,13 @@
<path>interfaces pseudo-ethernet</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified pseudo-ethernet/MACvlan interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show Pseudo-Ethernet/MACvlan interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=pseudo-ethernet --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=pseudo-ethernet</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed pseudo-ethernet/MACvlan interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=pseudo-ethernet --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=pseudo-ethernet</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-sstpc.xml.in b/op-mode-definitions/show-interfaces-sstpc.xml.in
index e66d3a0ac..c473f9822 100644
--- a/op-mode-definitions/show-interfaces-sstpc.xml.in
+++ b/op-mode-definitions/show-interfaces-sstpc.xml.in
@@ -11,7 +11,7 @@
<path>interfaces sstpc</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="log">
<properties>
@@ -34,13 +34,13 @@
<properties>
<help>Show SSTP client interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=sstpc --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=sstpc</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed SSTP client interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=sstpc --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=sstpc</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-tunnel.xml.in b/op-mode-definitions/show-interfaces-tunnel.xml.in
index 51b25efd9..4af90b813 100644
--- a/op-mode-definitions/show-interfaces-tunnel.xml.in
+++ b/op-mode-definitions/show-interfaces-tunnel.xml.in
@@ -11,13 +11,13 @@
<path>interfaces tunnel</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified tunnel interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show Tunnel interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=tunnel --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=tunnel</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed tunnel interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=tunnel --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=tunnel</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-virtual-ethernet.xml.in b/op-mode-definitions/show-interfaces-virtual-ethernet.xml.in
index c70f1e3d1..2aa71c687 100644
--- a/op-mode-definitions/show-interfaces-virtual-ethernet.xml.in
+++ b/op-mode-definitions/show-interfaces-virtual-ethernet.xml.in
@@ -11,13 +11,13 @@
<path>interfaces virtual-ethernet</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified virtual-ethernet interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show virtual-ethernet interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=virtual-ethernet --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=virtual-ethernet</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed virtual-ethernet interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=virtual-ethernet --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=virtual-ethernet</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-vti.xml.in b/op-mode-definitions/show-interfaces-vti.xml.in
index b436b8414..195e1d5da 100644
--- a/op-mode-definitions/show-interfaces-vti.xml.in
+++ b/op-mode-definitions/show-interfaces-vti.xml.in
@@ -11,13 +11,13 @@
<path>interfaces vti</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified vti interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show VTI interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=vti --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=vti</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed vti interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=vti --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=vti</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-vxlan.xml.in b/op-mode-definitions/show-interfaces-vxlan.xml.in
index 1befd428c..a1d01a6af 100644
--- a/op-mode-definitions/show-interfaces-vxlan.xml.in
+++ b/op-mode-definitions/show-interfaces-vxlan.xml.in
@@ -11,13 +11,13 @@
<path>interfaces vxlan</path>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified VXLAN interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
</children>
</tagNode>
@@ -25,13 +25,13 @@
<properties>
<help>Show VXLAN interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=vxlan --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=vxlan</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed VXLAN interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=vxlan --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=vxlan</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-wireguard.xml.in b/op-mode-definitions/show-interfaces-wireguard.xml.in
index c9b754dcd..55879cfff 100644
--- a/op-mode-definitions/show-interfaces-wireguard.xml.in
+++ b/op-mode-definitions/show-interfaces-wireguard.xml.in
@@ -11,7 +11,7 @@
<script>${vyos_completion_dir}/list_interfaces.py --type wireguard</script>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="allowed-ips">
<properties>
@@ -49,13 +49,13 @@
<properties>
<help>Show WireGuard interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=wireguard</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed Wireguard interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=wireguard</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces-wireless.xml.in b/op-mode-definitions/show-interfaces-wireless.xml.in
index 4a37417aa..7ae2c8ce4 100644
--- a/op-mode-definitions/show-interfaces-wireless.xml.in
+++ b/op-mode-definitions/show-interfaces-wireless.xml.in
@@ -8,13 +8,13 @@
<properties>
<help>Show Wireless (WLAN) interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireless --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=wireless</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed wireless interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireless --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=wireless</command>
</leafNode>
<leafNode name="info">
<properties>
@@ -31,13 +31,13 @@
<script>${vyos_completion_dir}/list_interfaces.py --type wireless</script>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of the specified wireless interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4"</command>
</leafNode>
<node name="scan">
<properties>
@@ -63,13 +63,13 @@
<properties>
<help>Show specified virtual network interface (vif) information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4.$6"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4.$6"</command>
<children>
<leafNode name="brief">
<properties>
<help>Show summary of specified virtual network interface (vif) information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4.$6" --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_name="$4.$6"</command>
</leafNode>
</children>
</tagNode>
diff --git a/op-mode-definitions/show-interfaces-wwan.xml.in b/op-mode-definitions/show-interfaces-wwan.xml.in
index 3cd29b38a..8ac5933a2 100644
--- a/op-mode-definitions/show-interfaces-wwan.xml.in
+++ b/op-mode-definitions/show-interfaces-wwan.xml.in
@@ -12,7 +12,7 @@
<script>cd /sys/class/net; ls -d wwan*</script>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf="$4"</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_name="$4"</command>
<children>
<leafNode name="capabilities">
<properties>
@@ -86,13 +86,13 @@
<properties>
<help>Show Wireless Modem (WWAN) interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary --intf_type=wirelessmodem</command>
<children>
<leafNode name="detail">
<properties>
<help>Show detailed Wireless Modem (WWAN( interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wirelessmodem --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show --intf_type=wirelessmodem</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-interfaces.xml.in b/op-mode-definitions/show-interfaces.xml.in
index 39b0f0a2c..dc61a6f5c 100644
--- a/op-mode-definitions/show-interfaces.xml.in
+++ b/op-mode-definitions/show-interfaces.xml.in
@@ -6,19 +6,19 @@
<properties>
<help>Show network interface information</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --action=show-brief</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_summary</command>
<children>
<leafNode name="counters">
<properties>
<help>Show network interface counters</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --action=show-count</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show_counters</command>
</leafNode>
<leafNode name="detail">
<properties>
<help>Show detailed information of all interfaces</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_interfaces.py --action=show</command>
+ <command>${vyos_op_scripts_dir}/interfaces.py show</command>
</leafNode>
</children>
</node>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index 64a54015b..70afaaf6e 100644
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -344,6 +344,12 @@
</leafNode>
</children>
</node>
+ <leafNode name="router-advert">
+ <properties>
+ <help>Show log for Router Advertisement Daemon (radvd)</help>
+ </properties>
+ <command>journalctl --no-hostname --boot --unit radvd.service</command>
+ </leafNode>
<leafNode name="snmp">
<properties>
<help>Show log for Simple Network Monitoring Protocol (SNMP)</help>
@@ -397,13 +403,13 @@
<properties>
<help>Show log for ALL</help>
</properties>
- <command>journalctl --no-hostname --boot --unit strongswan-starter.service --unit accel-ppp@*.service</command>
+ <command>journalctl --no-hostname --boot --unit strongswan.service --unit accel-ppp@*.service</command>
</leafNode>
<leafNode name="ipsec">
<properties>
<help>Show log for IPsec</help>
</properties>
- <command>journalctl --no-hostname --boot --unit strongswan-starter.service</command>
+ <command>journalctl --no-hostname --boot --unit strongswan.service</command>
</leafNode>
<leafNode name="l2tp">
<properties>
diff --git a/op-mode-definitions/show-raid.xml.in b/op-mode-definitions/show-raid.xml.in
index 8bf394552..2ae3fad6a 100644
--- a/op-mode-definitions/show-raid.xml.in
+++ b/op-mode-definitions/show-raid.xml.in
@@ -9,7 +9,7 @@
<script>${vyos_completion_dir}/list_raidset.sh</script>
</completionHelp>
</properties>
- <command>${vyos_op_scripts_dir}/show_raid.sh $3</command>
+ <command>sudo ${vyos_op_scripts_dir}/show_raid.sh $3</command>
</tagNode>
</children>
</node>
diff --git a/python/vyos/configdiff.py b/python/vyos/configdiff.py
index 9185575df..ac86af09c 100644
--- a/python/vyos/configdiff.py
+++ b/python/vyos/configdiff.py
@@ -78,23 +78,34 @@ def get_config_diff(config, key_mangling=None):
isinstance(key_mangling[1], str)):
raise ValueError("key_mangling must be a tuple of two strings")
- diff_t = DiffTree(config._running_config, config._session_config)
+ if hasattr(config, 'cached_diff_tree'):
+ diff_t = getattr(config, 'cached_diff_tree')
+ else:
+ diff_t = DiffTree(config._running_config, config._session_config)
+ setattr(config, 'cached_diff_tree', diff_t)
- return ConfigDiff(config, key_mangling, diff_tree=diff_t)
+ if hasattr(config, 'cached_diff_dict'):
+ diff_d = getattr(config, 'cached_diff_dict')
+ else:
+ diff_d = diff_t.dict
+ setattr(config, 'cached_diff_dict', diff_d)
+
+ return ConfigDiff(config, key_mangling, diff_tree=diff_t,
+ diff_dict=diff_d)
class ConfigDiff(object):
"""
The class of config changes as represented by comparison between the
session config dict and the effective config dict.
"""
- def __init__(self, config, key_mangling=None, diff_tree=None):
+ def __init__(self, config, key_mangling=None, diff_tree=None, diff_dict=None):
self._level = config.get_level()
self._session_config_dict = config.get_cached_root_dict(effective=False)
self._effective_config_dict = config.get_cached_root_dict(effective=True)
self._key_mangling = key_mangling
self._diff_tree = diff_tree
- self._diff_dict = diff_tree.dict if diff_tree else {}
+ self._diff_dict = diff_dict
# mirrored from Config; allow path arguments relative to level
def _make_path(self, path):
@@ -209,9 +220,9 @@ class ConfigDiff(object):
if self._diff_tree is None:
raise NotImplementedError("diff_tree class not available")
else:
- add = get_sub_dict(self._diff_tree.dict, ['add'], get_first_key=True)
- sub = get_sub_dict(self._diff_tree.dict, ['sub'], get_first_key=True)
- inter = get_sub_dict(self._diff_tree.dict, ['inter'], get_first_key=True)
+ add = get_sub_dict(self._diff_dict, ['add'], get_first_key=True)
+ sub = get_sub_dict(self._diff_dict, ['sub'], get_first_key=True)
+ inter = get_sub_dict(self._diff_dict, ['inter'], get_first_key=True)
ret = {}
ret[enum_to_key(Diff.MERGE)] = session_dict
ret[enum_to_key(Diff.DELETE)] = get_sub_dict(sub, self._make_path(path),
@@ -284,9 +295,9 @@ class ConfigDiff(object):
if self._diff_tree is None:
raise NotImplementedError("diff_tree class not available")
else:
- add = get_sub_dict(self._diff_tree.dict, ['add'], get_first_key=True)
- sub = get_sub_dict(self._diff_tree.dict, ['sub'], get_first_key=True)
- inter = get_sub_dict(self._diff_tree.dict, ['inter'], get_first_key=True)
+ add = get_sub_dict(self._diff_dict, ['add'], get_first_key=True)
+ sub = get_sub_dict(self._diff_dict, ['sub'], get_first_key=True)
+ inter = get_sub_dict(self._diff_dict, ['inter'], get_first_key=True)
ret = {}
ret[enum_to_key(Diff.MERGE)] = session_dict
ret[enum_to_key(Diff.DELETE)] = get_sub_dict(sub, self._make_path(path))
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 48263eef5..b4b9e67bb 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -236,12 +236,20 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
output.append(f'ip6 hoplimit {operator} {value}')
if 'inbound_interface' in rule_conf:
- iiface = rule_conf['inbound_interface']
- output.append(f'iifname {iiface}')
+ if 'interface_name' in rule_conf['inbound_interface']:
+ iiface = rule_conf['inbound_interface']['interface_name']
+ output.append(f'iifname {{{iiface}}}')
+ else:
+ iiface = rule_conf['inbound_interface']['interface_group']
+ output.append(f'iifname @I_{iiface}')
if 'outbound_interface' in rule_conf:
- oiface = rule_conf['outbound_interface']
- output.append(f'oifname {oiface}')
+ if 'interface_name' in rule_conf['outbound_interface']:
+ oiface = rule_conf['outbound_interface']['interface_name']
+ output.append(f'oifname {{{oiface}}}')
+ else:
+ oiface = rule_conf['outbound_interface']['interface_group']
+ output.append(f'oifname @I_{oiface}')
if 'ttl' in rule_conf:
operators = {'eq': '==', 'gt': '>', 'lt': '<'}
@@ -314,6 +322,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if tcp_mss:
output.append(f'tcp option maxseg size {tcp_mss}')
+ if 'connection_mark' in rule_conf:
+ conn_mark_str = ','.join(rule_conf['connection_mark'])
+ output.append(f'ct mark {{{conn_mark_str}}}')
+
output.append('counter')
if 'set' in rule_conf:
@@ -360,6 +372,9 @@ def parse_time(time):
def parse_policy_set(set_conf, def_suffix):
out = []
+ if 'connection_mark' in set_conf:
+ conn_mark = set_conf['connection_mark']
+ out.append(f'ct mark set {conn_mark}')
if 'dscp' in set_conf:
dscp = set_conf['dscp']
out.append(f'ip{def_suffix} dscp set {dscp}')
diff --git a/python/vyos/qos/__init__.py b/python/vyos/qos/__init__.py
new file mode 100644
index 000000000..a2980ccde
--- /dev/null
+++ b/python/vyos/qos/__init__.py
@@ -0,0 +1,28 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+from vyos.qos.cake import CAKE
+from vyos.qos.droptail import DropTail
+from vyos.qos.fairqueue import FairQueue
+from vyos.qos.fqcodel import FQCodel
+from vyos.qos.limiter import Limiter
+from vyos.qos.netem import NetEm
+from vyos.qos.priority import Priority
+from vyos.qos.randomdetect import RandomDetect
+from vyos.qos.ratelimiter import RateLimiter
+from vyos.qos.roundrobin import RoundRobin
+from vyos.qos.trafficshaper import TrafficShaper
+from vyos.qos.trafficshaper import TrafficShaperHFSC
diff --git a/python/vyos/qos/base.py b/python/vyos/qos/base.py
new file mode 100644
index 000000000..28635b5e7
--- /dev/null
+++ b/python/vyos/qos/base.py
@@ -0,0 +1,282 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from vyos.base import Warning
+from vyos.util import cmd
+from vyos.util import dict_search
+from vyos.util import read_file
+
+class QoSBase:
+ _debug = False
+ _direction = ['egress']
+ _parent = 0xffff
+
+ def __init__(self, interface):
+ if os.path.exists('/tmp/vyos.qos.debug'):
+ self._debug = True
+ self._interface = interface
+
+ def _cmd(self, command):
+ if self._debug:
+ print(f'DEBUG/QoS: {command}')
+ return cmd(command)
+
+ def get_direction(self) -> list:
+ return self._direction
+
+ def _get_class_max_id(self, config) -> int:
+ if 'class' in config:
+ tmp = list(config['class'].keys())
+ tmp.sort(key=lambda ii: int(ii))
+ return tmp[-1]
+ return None
+
+ def _build_base_qdisc(self, config : dict, cls_id : int):
+ """
+ Add/replace qdisc for every class (also default is a class). This is
+ a genetic method which need an implementation "per" queue-type.
+
+ This matches the old mapping as defined in Perl here:
+ https://github.com/vyos/vyatta-cfg-qos/blob/equuleus/lib/Vyatta/Qos/ShaperClass.pm#L223-L229
+ """
+ queue_type = dict_search('queue_type', config)
+ default_tc = f'tc qdisc replace dev {self._interface} parent {self._parent}:{cls_id:x}'
+
+ if queue_type == 'priority':
+ handle = 0x4000 + cls_id
+ default_tc += f' handle {handle:x}: prio'
+ self._cmd(default_tc)
+
+ queue_limit = dict_search('queue_limit', config)
+ for ii in range(1, 4):
+ tmp = f'tc qdisc replace dev {self._interface} parent {handle:x}:{ii:x} pfifo limit {queue_limit}'
+ self._cmd(tmp)
+
+ elif queue_type == 'fair-queue':
+ default_tc += f' sfq'
+
+ tmp = dict_search('queue_limit', config)
+ if tmp: default_tc += f' limit {tmp}'
+
+ self._cmd(default_tc)
+
+ elif queue_type == 'fq-codel':
+ default_tc += f' fq_codel'
+ tmp = dict_search('codel_quantum', config)
+ if tmp: default_tc += f' quantum {tmp}'
+
+ tmp = dict_search('flows', config)
+ if tmp: default_tc += f' flows {tmp}'
+
+ tmp = dict_search('interval', config)
+ if tmp: default_tc += f' interval {tmp}'
+
+ tmp = dict_search('interval', config)
+ if tmp: default_tc += f' interval {tmp}'
+
+ tmp = dict_search('queue_limit', config)
+ if tmp: default_tc += f' limit {tmp}'
+
+ tmp = dict_search('target', config)
+ if tmp: default_tc += f' target {tmp}'
+
+ default_tc += f' noecn'
+
+ self._cmd(default_tc)
+
+ elif queue_type == 'random-detect':
+ default_tc += f' red'
+
+ self._cmd(default_tc)
+
+ elif queue_type == 'drop-tail':
+ default_tc += f' pfifo'
+
+ tmp = dict_search('queue_limit', config)
+ if tmp: default_tc += f' limit {tmp}'
+
+ self._cmd(default_tc)
+
+ def _rate_convert(self, rate) -> int:
+ rates = {
+ 'bit' : 1,
+ 'kbit' : 1000,
+ 'mbit' : 1000000,
+ 'gbit' : 1000000000,
+ 'tbit' : 1000000000000,
+ }
+
+ if rate == 'auto' or rate.endswith('%'):
+ speed = read_file(f'/sys/class/net/{self._interface}/speed')
+ if not speed.isnumeric():
+ Warning('Interface speed cannot be determined (assuming 10 Mbit/s)')
+ speed = 10
+ if rate.endswith('%'):
+ percent = rate.rstrip('%')
+ speed = int(speed) * int(percent) // 100
+ return int(speed) *1000000 # convert to MBit/s
+
+ rate_numeric = int(''.join([n for n in rate if n.isdigit()]))
+ rate_scale = ''.join([n for n in rate if not n.isdigit()])
+
+ if int(rate_numeric) <= 0:
+ raise ValueError(f'{rate_numeric} is not a valid bandwidth <= 0')
+
+ if rate_scale:
+ return int(rate_numeric * rates[rate_scale])
+ else:
+ # No suffix implies Kbps just as Cisco IOS
+ return int(rate_numeric * 1000)
+
+ def update(self, config, direction, priority=None):
+ """ method must be called from derived class after it has completed qdisc setup """
+
+ if 'class' in config:
+ for cls, cls_config in config['class'].items():
+ self._build_base_qdisc(cls_config, int(cls))
+
+ if 'match' in cls_config:
+ for match, match_config in cls_config['match'].items():
+ for af in ['ip', 'ipv6']:
+ # every match criteria has it's tc instance
+ filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}:'
+
+ if priority:
+ filter_cmd += f' prio {cls}'
+ elif 'priority' in cls_config:
+ prio = cls_config['priority']
+ filter_cmd += f' prio {prio}'
+
+ filter_cmd += ' protocol all u32'
+
+ tc_af = af
+ if af == 'ipv6':
+ tc_af = 'ip6'
+
+ if af in match_config:
+ tmp = dict_search(f'{af}.source.address', match_config)
+ if tmp: filter_cmd += f' match {tc_af} src {tmp}'
+
+ tmp = dict_search(f'{af}.source.port', match_config)
+ if tmp: filter_cmd += f' match {tc_af} sport {tmp} 0xffff'
+
+ tmp = dict_search(f'{af}.destination.address', match_config)
+ if tmp: filter_cmd += f' match {tc_af} dst {tmp}'
+
+ tmp = dict_search(f'{af}.destination.port', match_config)
+ if tmp: filter_cmd += f' match {tc_af} dport {tmp} 0xffff'
+
+ tmp = dict_search(f'{af}.protocol', match_config)
+ if tmp: filter_cmd += f' match {tc_af} protocol {tmp} 0xff'
+
+ # Will match against total length of an IPv4 packet and
+ # payload length of an IPv6 packet.
+ #
+ # IPv4 : match u16 0x0000 ~MAXLEN at 2
+ # IPv6 : match u16 0x0000 ~MAXLEN at 4
+ tmp = dict_search(f'{af}.max_length', match_config)
+ if tmp:
+ # We need the 16 bit two's complement of the maximum
+ # packet length
+ tmp = hex(0xffff & ~int(tmp))
+
+ if af == 'ip':
+ filter_cmd += f' match u16 0x0000 {tmp} at 2'
+ elif af == 'ipv6':
+ filter_cmd += f' match u16 0x0000 {tmp} at 4'
+
+ # We match against specific TCP flags - we assume the IPv4
+ # header length is 20 bytes and assume the IPv6 packet is
+ # not using extension headers (hence a ip header length of 40 bytes)
+ # TCP Flags are set on byte 13 of the TCP header.
+ # IPv4 : match u8 X X at 33
+ # IPv6 : match u8 X X at 53
+ # with X = 0x02 for SYN and X = 0x10 for ACK
+ tmp = dict_search(f'{af}.tcp', match_config)
+ if tmp:
+ mask = 0
+ if 'ack' in tmp:
+ mask |= 0x10
+ if 'syn' in tmp:
+ mask |= 0x02
+ mask = hex(mask)
+
+ if af == 'ip':
+ filter_cmd += f' match u8 {mask} {mask} at 33'
+ elif af == 'ipv6':
+ filter_cmd += f' match u8 {mask} {mask} at 53'
+
+ # The police block allows limiting of the byte or packet rate of
+ # traffic matched by the filter it is attached to.
+ # https://man7.org/linux/man-pages/man8/tc-police.8.html
+ if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in cls_config):
+ filter_cmd += f' action police'
+
+ if 'exceed' in cls_config:
+ action = cls_config['exceed']
+ filter_cmd += f' conform-exceed {action}'
+ if 'not_exceed' in cls_config:
+ action = cls_config['not_exceed']
+ filter_cmd += f'/{action}'
+
+ if 'bandwidth' in cls_config:
+ rate = self._rate_convert(cls_config['bandwidth'])
+ filter_cmd += f' rate {rate}'
+
+ if 'burst' in cls_config:
+ burst = cls_config['burst']
+ filter_cmd += f' burst {burst}'
+
+ cls = int(cls)
+ filter_cmd += f' flowid {self._parent:x}:{cls:x}'
+ self._cmd(filter_cmd)
+
+ if 'default' in config:
+ if 'class' in config:
+ class_id_max = self._get_class_max_id(config)
+ default_cls_id = int(class_id_max) +1
+ self._build_base_qdisc(config['default'], default_cls_id)
+
+ filter_cmd = f'tc filter replace dev {self._interface} parent {self._parent:x}: '
+ filter_cmd += 'prio 255 protocol all basic'
+
+ # The police block allows limiting of the byte or packet rate of
+ # traffic matched by the filter it is attached to.
+ # https://man7.org/linux/man-pages/man8/tc-police.8.html
+ if any(tmp in ['exceed', 'bandwidth', 'burst'] for tmp in config['default']):
+ filter_cmd += f' action police'
+
+ if 'exceed' in config['default']:
+ action = config['default']['exceed']
+ filter_cmd += f' conform-exceed {action}'
+ if 'not_exceed' in config['default']:
+ action = config['default']['not_exceed']
+ filter_cmd += f'/{action}'
+
+ if 'bandwidth' in config['default']:
+ rate = self._rate_convert(config['default']['bandwidth'])
+ filter_cmd += f' rate {rate}'
+
+ if 'burst' in config['default']:
+ burst = config['default']['burst']
+ filter_cmd += f' burst {burst}'
+
+ if 'class' in config:
+ filter_cmd += f' flowid {self._parent:x}:{default_cls_id:x}'
+
+ self._cmd(filter_cmd)
+
diff --git a/python/vyos/qos/cake.py b/python/vyos/qos/cake.py
new file mode 100644
index 000000000..a89b1de1e
--- /dev/null
+++ b/python/vyos/qos/cake.py
@@ -0,0 +1,55 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class CAKE(QoSBase):
+ _direction = ['egress']
+
+ # https://man7.org/linux/man-pages/man8/tc-cake.8.html
+ def update(self, config, direction):
+ tmp = f'tc qdisc add dev {self._interface} root handle 1: cake {direction}'
+ if 'bandwidth' in config:
+ bandwidth = self._rate_convert(config['bandwidth'])
+ tmp += f' bandwidth {bandwidth}'
+
+ if 'rtt' in config:
+ rtt = config['rtt']
+ tmp += f' rtt {rtt}ms'
+
+ if 'flow_isolation' in config:
+ if 'blind' in config['flow_isolation']:
+ tmp += f' flowblind'
+ if 'dst_host' in config['flow_isolation']:
+ tmp += f' dsthost'
+ if 'dual_dst_host' in config['flow_isolation']:
+ tmp += f' dual-dsthost'
+ if 'dual_src_host' in config['flow_isolation']:
+ tmp += f' dual-srchost'
+ if 'flow' in config['flow_isolation']:
+ tmp += f' flows'
+ if 'host' in config['flow_isolation']:
+ tmp += f' hosts'
+ if 'nat' in config['flow_isolation']:
+ tmp += f' nat'
+ if 'src_host' in config['flow_isolation']:
+ tmp += f' srchost '
+ else:
+ tmp += f' nonat'
+
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction)
diff --git a/python/vyos/qos/droptail.py b/python/vyos/qos/droptail.py
new file mode 100644
index 000000000..427d43d19
--- /dev/null
+++ b/python/vyos/qos/droptail.py
@@ -0,0 +1,28 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class DropTail(QoSBase):
+ # https://man7.org/linux/man-pages/man8/tc-pfifo.8.html
+ def update(self, config, direction):
+ tmp = f'tc qdisc add dev {self._interface} root pfifo'
+ if 'queue_limit' in config:
+ limit = config["queue_limit"]
+ tmp += f' limit {limit}'
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction)
diff --git a/python/vyos/qos/fairqueue.py b/python/vyos/qos/fairqueue.py
new file mode 100644
index 000000000..f41d098fb
--- /dev/null
+++ b/python/vyos/qos/fairqueue.py
@@ -0,0 +1,31 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class FairQueue(QoSBase):
+ # https://man7.org/linux/man-pages/man8/tc-sfq.8.html
+ def update(self, config, direction):
+ tmp = f'tc qdisc add dev {self._interface} root sfq'
+
+ if 'hash_interval' in config:
+ tmp += f' perturb {config["hash_interval"]}'
+ if 'queue_limit' in config:
+ tmp += f' limit {config["queue_limit"]}'
+
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction)
diff --git a/python/vyos/qos/fqcodel.py b/python/vyos/qos/fqcodel.py
new file mode 100644
index 000000000..cd2340aa2
--- /dev/null
+++ b/python/vyos/qos/fqcodel.py
@@ -0,0 +1,40 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class FQCodel(QoSBase):
+ # https://man7.org/linux/man-pages/man8/tc-fq_codel.8.html
+ def update(self, config, direction):
+ tmp = f'tc qdisc add dev {self._interface} root fq_codel'
+
+ if 'codel_quantum' in config:
+ tmp += f' quantum {config["codel_quantum"]}'
+ if 'flows' in config:
+ tmp += f' flows {config["flows"]}'
+ if 'interval' in config:
+ interval = int(config['interval']) * 1000
+ tmp += f' interval {interval}'
+ if 'queue_limit' in config:
+ tmp += f' limit {config["queue_limit"]}'
+ if 'target' in config:
+ target = int(config['target']) * 1000
+ tmp += f' target {target}'
+
+ tmp += f' noecn'
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction)
diff --git a/python/vyos/qos/limiter.py b/python/vyos/qos/limiter.py
new file mode 100644
index 000000000..ace0c0b6c
--- /dev/null
+++ b/python/vyos/qos/limiter.py
@@ -0,0 +1,27 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class Limiter(QoSBase):
+ _direction = ['ingress']
+
+ def update(self, config, direction):
+ tmp = f'tc qdisc add dev {self._interface} handle {self._parent:x}: {direction}'
+ self._cmd(tmp)
+
+ # base class must be called last
+ super().update(config, direction)
+
diff --git a/python/vyos/qos/netem.py b/python/vyos/qos/netem.py
new file mode 100644
index 000000000..8bdef300b
--- /dev/null
+++ b/python/vyos/qos/netem.py
@@ -0,0 +1,53 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class NetEm(QoSBase):
+ # https://man7.org/linux/man-pages/man8/tc-netem.8.html
+ def update(self, config, direction):
+ tmp = f'tc qdisc add dev {self._interface} root netem'
+ if 'bandwidth' in config:
+ rate = self._rate_convert(config["bandwidth"])
+ tmp += f' rate {rate}'
+
+ if 'queue_limit' in config:
+ limit = config["queue_limit"]
+ tmp += f' limit {limit}'
+
+ if 'delay' in config:
+ delay = config["delay"]
+ tmp += f' delay {delay}ms'
+
+ if 'loss' in config:
+ drop = config["loss"]
+ tmp += f' drop {drop}%'
+
+ if 'corruption' in config:
+ corrupt = config["corruption"]
+ tmp += f' corrupt {corrupt}%'
+
+ if 'reordering' in config:
+ reorder = config["reordering"]
+ tmp += f' reorder {reorder}%'
+
+ if 'duplicate' in config:
+ duplicate = config["duplicate"]
+ tmp += f' duplicate {duplicate}%'
+
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction)
diff --git a/python/vyos/qos/priority.py b/python/vyos/qos/priority.py
new file mode 100644
index 000000000..6d4a60a43
--- /dev/null
+++ b/python/vyos/qos/priority.py
@@ -0,0 +1,41 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+from vyos.util import dict_search
+
+class Priority(QoSBase):
+ _parent = 1
+
+ # https://man7.org/linux/man-pages/man8/tc-prio.8.html
+ def update(self, config, direction):
+ if 'class' in config:
+ class_id_max = self._get_class_max_id(config)
+ bands = int(class_id_max) +1
+
+ tmp = f'tc qdisc add dev {self._interface} root handle {self._parent:x}: prio bands {bands} priomap ' \
+ f'{class_id_max} {class_id_max} {class_id_max} {class_id_max} ' \
+ f'{class_id_max} {class_id_max} {class_id_max} {class_id_max} ' \
+ f'{class_id_max} {class_id_max} {class_id_max} {class_id_max} ' \
+ f'{class_id_max} {class_id_max} {class_id_max} {class_id_max} '
+ self._cmd(tmp)
+
+ for cls in config['class']:
+ cls = int(cls)
+ tmp = f'tc qdisc add dev {self._interface} parent {self._parent:x}:{cls:x} pfifo'
+ self._cmd(tmp)
+
+ # base class must be called last
+ super().update(config, direction, priority=True)
diff --git a/python/vyos/qos/randomdetect.py b/python/vyos/qos/randomdetect.py
new file mode 100644
index 000000000..d7d84260f
--- /dev/null
+++ b/python/vyos/qos/randomdetect.py
@@ -0,0 +1,54 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class RandomDetect(QoSBase):
+ _parent = 1
+
+ # https://man7.org/linux/man-pages/man8/tc.8.html
+ def update(self, config, direction):
+
+ tmp = f'tc qdisc add dev {self._interface} root handle {self._parent}:0 dsmark indices 8 set_tc_index'
+ self._cmd(tmp)
+
+ tmp = f'tc filter add dev {self._interface} parent {self._parent}:0 protocol ip prio 1 tcindex mask 0xe0 shift 5'
+ self._cmd(tmp)
+
+ # Generalized Random Early Detection
+ handle = self._parent +1
+ tmp = f'tc qdisc add dev {self._interface} parent {self._parent}:0 handle {handle}:0 gred setup DPs 8 default 0 grio'
+ self._cmd(tmp)
+
+ bandwidth = self._rate_convert(config['bandwidth'])
+
+ # set VQ (virtual queue) parameters
+ for precedence, precedence_config in config['precedence'].items():
+ precedence = int(precedence)
+ avg_pkt = int(precedence_config['average_packet'])
+ limit = int(precedence_config['queue_limit']) * avg_pkt
+ min_val = int(precedence_config['minimum_threshold']) * avg_pkt
+ max_val = int(precedence_config['maximum_threshold']) * avg_pkt
+
+ tmp = f'tc qdisc change dev {self._interface} handle {handle}:0 gred limit {limit} min {min_val} max {max_val} avpkt {avg_pkt} '
+
+ burst = (2 * int(precedence_config['minimum_threshold']) + int(precedence_config['maximum_threshold'])) // 3
+ probability = 1 / int(precedence_config['mark_probability'])
+ tmp += f'burst {burst} bandwidth {bandwidth} probability {probability} DP {precedence} prio {8 - precedence:x}'
+
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction)
diff --git a/python/vyos/qos/ratelimiter.py b/python/vyos/qos/ratelimiter.py
new file mode 100644
index 000000000..a4f80a1be
--- /dev/null
+++ b/python/vyos/qos/ratelimiter.py
@@ -0,0 +1,37 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class RateLimiter(QoSBase):
+ # https://man7.org/linux/man-pages/man8/tc-tbf.8.html
+ def update(self, config, direction):
+ # call base class
+ super().update(config, direction)
+
+ tmp = f'tc qdisc add dev {self._interface} root tbf'
+ if 'bandwidth' in config:
+ rate = self._rate_convert(config['bandwidth'])
+ tmp += f' rate {rate}'
+
+ if 'burst' in config:
+ burst = config['burst']
+ tmp += f' burst {burst}'
+
+ if 'latency' in config:
+ latency = config['latency']
+ tmp += f' latency {latency}ms'
+
+ self._cmd(tmp)
diff --git a/python/vyos/qos/roundrobin.py b/python/vyos/qos/roundrobin.py
new file mode 100644
index 000000000..80814ddfb
--- /dev/null
+++ b/python/vyos/qos/roundrobin.py
@@ -0,0 +1,44 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.qos.base import QoSBase
+
+class RoundRobin(QoSBase):
+ _parent = 1
+
+ # https://man7.org/linux/man-pages/man8/tc-drr.8.html
+ def update(self, config, direction):
+ tmp = f'tc qdisc add dev {self._interface} root handle 1: drr'
+ self._cmd(tmp)
+
+ if 'class' in config:
+ for cls in config['class']:
+ cls = int(cls)
+ tmp = f'tc class replace dev {self._interface} parent 1:1 classid 1:{cls:x} drr'
+ self._cmd(tmp)
+
+ tmp = f'tc qdisc replace dev {self._interface} parent 1:{cls:x} pfifo'
+ self._cmd(tmp)
+
+ if 'default' in config:
+ class_id_max = self._get_class_max_id(config)
+ default_cls_id = int(class_id_max) +1
+
+ # class ID via CLI is in range 1-4095, thus 1000 hex = 4096
+ tmp = f'tc class replace dev {self._interface} parent 1:1 classid 1:{default_cls_id:x} drr'
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction, priority=True)
diff --git a/python/vyos/qos/trafficshaper.py b/python/vyos/qos/trafficshaper.py
new file mode 100644
index 000000000..f42f4d022
--- /dev/null
+++ b/python/vyos/qos/trafficshaper.py
@@ -0,0 +1,106 @@
+# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from math import ceil
+from vyos.qos.base import QoSBase
+
+# Kernel limits on quantum (bytes)
+MAXQUANTUM = 200000
+MINQUANTUM = 1000
+
+class TrafficShaper(QoSBase):
+ _parent = 1
+
+ # https://man7.org/linux/man-pages/man8/tc-htb.8.html
+ def update(self, config, direction):
+ class_id_max = 0
+ if 'class' in config:
+ tmp = list(config['class'])
+ tmp.sort()
+ class_id_max = tmp[-1]
+
+ r2q = 10
+ # bandwidth is a mandatory CLI node
+ speed = self._rate_convert(config['bandwidth'])
+ speed_bps = int(speed) // 8
+
+ # need a bigger r2q if going fast than 16 mbits/sec
+ if (speed_bps // r2q) >= MAXQUANTUM: # integer division
+ r2q = ceil(speed_bps // MAXQUANTUM)
+ else:
+ # if there is a slow class then may need smaller value
+ if 'class' in config:
+ min_speed = speed_bps
+ for cls, cls_options in config['class'].items():
+ # find class with the lowest bandwidth used
+ if 'bandwidth' in cls_options:
+ bw_bps = int(self._rate_convert(cls_options['bandwidth'])) // 8 # bandwidth in bytes per second
+ if bw_bps < min_speed:
+ min_speed = bw_bps
+
+ while (r2q > 1) and (min_speed // r2q) < MINQUANTUM:
+ tmp = r2q -1
+ if (speed_bps // tmp) >= MAXQUANTUM:
+ break
+ r2q = tmp
+
+
+ default_minor_id = int(class_id_max) +1
+ tmp = f'tc qdisc replace dev {self._interface} root handle {self._parent:x}: htb r2q {r2q} default {default_minor_id:x}' # default is in hex
+ self._cmd(tmp)
+
+ tmp = f'tc class replace dev {self._interface} parent {self._parent:x}: classid {self._parent:x}:1 htb rate {speed}'
+ self._cmd(tmp)
+
+ if 'class' in config:
+ for cls, cls_config in config['class'].items():
+ # class id is used later on and passed as hex, thus this needs to be an int
+ cls = int(cls)
+
+ # bandwidth is a mandatory CLI node
+ rate = self._rate_convert(cls_config['bandwidth'])
+ burst = cls_config['burst']
+ quantum = cls_config['codel_quantum']
+
+ tmp = f'tc class replace dev {self._interface} parent {self._parent:x}:1 classid {self._parent:x}:{cls:x} htb rate {rate} burst {burst} quantum {quantum}'
+ if 'priority' in cls_config:
+ priority = cls_config['priority']
+ tmp += f' prio {priority}'
+ self._cmd(tmp)
+
+ tmp = f'tc qdisc replace dev {self._interface} parent {self._parent:x}:{cls:x} sfq'
+ self._cmd(tmp)
+
+ if 'default' in config:
+ rate = self._rate_convert(config['default']['bandwidth'])
+ burst = config['default']['burst']
+ quantum = config['default']['codel_quantum']
+ tmp = f'tc class replace dev {self._interface} parent {self._parent:x}:1 classid {self._parent:x}:{default_minor_id:x} htb rate {rate} burst {burst} quantum {quantum}'
+ if 'priority' in config['default']:
+ priority = config['default']['priority']
+ tmp += f' prio {priority}'
+ self._cmd(tmp)
+
+ tmp = f'tc qdisc replace dev {self._interface} parent {self._parent:x}:{default_minor_id:x} sfq'
+ self._cmd(tmp)
+
+ # call base class
+ super().update(config, direction)
+
+class TrafficShaperHFSC(TrafficShaper):
+ def update(self, config, direction):
+ # call base class
+ super().update(config, direction)
+
diff --git a/scripts/check-pr-title-and-commit-messages.py b/scripts/check-pr-title-and-commit-messages.py
index 9801b7456..1d4a3cfe3 100755
--- a/scripts/check-pr-title-and-commit-messages.py
+++ b/scripts/check-pr-title-and-commit-messages.py
@@ -2,6 +2,7 @@
import re
import sys
+import time
import requests
from pprint import pprint
@@ -27,9 +28,17 @@ if __name__ == '__main__':
print("Please specify pull request URL!")
sys.exit(1)
+ # There seems to be a race condition that causes this scripts to receive
+ # an incomplete PR object that is missing certain fields,
+ # which causes temporary CI failures that require re-running the script
+ #
+ # It's probably better to add a small delay to prevent that
+ time.sleep(5)
+
# Get the pull request object
pr = requests.get(sys.argv[1]).json()
if "title" not in pr:
+ print("The PR object does not have a title field!")
print("Did not receive a valid pull request object, please check the URL!")
sys.exit(1)
diff --git a/smoketest/configs/dialup-router-medium-vpn b/smoketest/configs/dialup-router-medium-vpn
index 56722d222..503280017 100644
--- a/smoketest/configs/dialup-router-medium-vpn
+++ b/smoketest/configs/dialup-router-medium-vpn
@@ -68,9 +68,6 @@ interfaces {
mtu 1500
name-server auto
password password
- traffic-policy {
- out shape-17mbit
- }
user-id vyos
password vyos
}
@@ -96,9 +93,6 @@ interfaces {
}
smp-affinity auto
speed auto
- traffic-policy {
- out shape-94mbit
- }
}
loopback lo {
}
@@ -719,24 +713,6 @@ system {
}
time-zone Pacific/Auckland
}
-traffic-policy {
- shaper shape-17mbit {
- bandwidth 17mbit
- default {
- bandwidth 100%
- burst 15k
- queue-type fq-codel
- }
- }
- shaper shape-94mbit {
- bandwidth 94mbit
- default {
- bandwidth 100%
- burst 15k
- queue-type fq-codel
- }
- }
-}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.6 */
diff --git a/smoketest/configs/qos-basic b/smoketest/configs/qos-basic
index f94a5650d..96fa7bef4 100644
--- a/smoketest/configs/qos-basic
+++ b/smoketest/configs/qos-basic
@@ -16,6 +16,11 @@ interfaces {
traffic-policy {
out MY-HTB
}
+ vif 200 {
+ traffic-policy {
+ out foo-emulate
+ }
+ }
}
loopback lo {
}
@@ -198,6 +203,10 @@ traffic-policy {
queue-type fair-queue
}
}
+ network-emulator foo-emulate {
+ bandwidth 300mbit
+ burst 20000
+ }
}
// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 09b520b72..f1c18d761 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -124,6 +124,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '123'])
self.cli_set(['firewall', 'group', 'domain-group', 'smoketest_domain', 'address', 'example.com'])
self.cli_set(['firewall', 'group', 'domain-group', 'smoketest_domain', 'address', 'example.org'])
+ self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'eth0'])
+ self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'vtun0'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
@@ -134,6 +136,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface'])
self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest'])
@@ -151,7 +155,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['set D_smoketest_domain'],
['elements = { 192.0.2.5, 192.0.2.8,'],
['192.0.2.10, 192.0.2.11 }'],
- ['ip saddr @D_smoketest_domain', 'return']
+ ['ip saddr @D_smoketest_domain', 'return'],
+ ['oifname @I_smoketest_interface', 'return']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -194,6 +199,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
name = 'smoketest'
interface = 'eth0'
mss_range = '501-1460'
+ conn_mark = '555'
self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
self.cli_set(['firewall', 'name', name, 'enable-default-log'])
@@ -225,15 +231,18 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', name, 'rule', '5', 'protocol', 'tcp'])
self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'flags', 'syn'])
self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'mss', mss_range])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'inbound-interface', interface])
+ self.cli_set(['firewall', 'name', name, 'rule', '5', 'inbound-interface', 'interface-name', interface])
self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return'])
self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', interface])
+ self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark])
self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
self.cli_commit()
+ mark_hex = "{0:#010x}".format(int(conn_mark))
+
nftables_search = [
[f'iifname "{interface}"', f'jump NAME_{name}'],
['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug', 'ip ttl 15', 'return'],
@@ -242,7 +251,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'],
['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'drop'],
['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"'],
- ['meta l4proto gre', f'oifname "{interface}"', 'return']
+ ['meta l4proto gre', f'oifname "{interface}"', f'ct mark {mark_hex}', 'return']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -340,11 +349,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'reject'])
self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'protocol', 'tcp_udp'])
self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'destination', 'port', '8888'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'inbound-interface', interface])
+ self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'inbound-interface', 'interface-name', interface])
self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'return'])
self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'protocol', 'gre'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'outbound-interface', interface])
+ self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'outbound-interface', 'interface-name', interface])
self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name])
diff --git a/smoketest/scripts/cli/test_interfaces_dummy.py b/smoketest/scripts/cli/test_interfaces_dummy.py
index d96ec2c5d..a79e4cb1b 100755
--- a/smoketest/scripts/cli/test_interfaces_dummy.py
+++ b/smoketest/scripts/cli/test_interfaces_dummy.py
@@ -21,6 +21,7 @@ from base_interfaces_test import BasicInterfaceTest
class DummyInterfaceTest(BasicInterfaceTest.TestCase):
@classmethod
def setUpClass(cls):
+ cls._test_mtu = True
cls._base_path = ['interfaces', 'dummy']
cls._interfaces = ['dum435', 'dum8677', 'dum0931', 'dum089']
# call base-classes classmethod
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 11b3c678e..cb48a84ff 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -21,6 +21,8 @@ from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.util import cmd
mark = '100'
+conn_mark = '555'
+conn_mark_set = '111'
table_mark_offset = 0x7fffffff
table_id = '101'
interface = 'eth0'
@@ -122,6 +124,25 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip vyos_mangle')
+ def test_pbr_mark_connection(self):
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'source', 'address', '172.16.20.10'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'connection-mark', conn_mark])
+ self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'connection-mark', conn_mark_set])
+ self.cli_set(['policy', 'route', 'smoketest', 'interface', interface])
+
+ self.cli_commit()
+
+ mark_hex = "{0:#010x}".format(int(conn_mark))
+ mark_hex_set = "{0:#010x}".format(int(conn_mark_set))
+
+ nftables_search = [
+ [f'iifname "{interface}"','jump VYOS_PBR_smoketest'],
+ ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'ct mark ' + mark_hex, 'ct mark set ' + mark_hex_set],
+ ]
+
+ self.verify_nftables(nftables_search, 'ip vyos_mangle')
+
def test_pbr_table(self):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'port', '8888'])
diff --git a/smoketest/scripts/cli/test_qos.py b/smoketest/scripts/cli/test_qos.py
new file mode 100755
index 000000000..014870ec4
--- /dev/null
+++ b/smoketest/scripts/cli/test_qos.py
@@ -0,0 +1,546 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import unittest
+
+from json import loads
+from base_vyostest_shim import VyOSUnitTestSHIM
+
+from vyos.configsession import ConfigSessionError
+from vyos.ifconfig import Section
+from vyos.util import cmd
+
+base_path = ['qos']
+
+def get_tc_qdisc_json(interface) -> dict:
+ tmp = cmd(f'tc -detail -json qdisc show dev {interface}')
+ tmp = loads(tmp)
+ return next(iter(tmp))
+
+def get_tc_filter_json(interface, direction) -> list:
+ if direction not in ['ingress', 'egress']:
+ raise ValueError()
+ tmp = cmd(f'tc -detail -json filter show dev {interface} {direction}')
+ tmp = loads(tmp)
+ return tmp
+
+class TestQoS(VyOSUnitTestSHIM.TestCase):
+ @classmethod
+ def setUpClass(cls):
+ super(TestQoS, cls).setUpClass()
+
+ # ensure we can also run this test on a live system - so lets clean
+ # out the current configuration :)
+ cls.cli_delete(cls, base_path)
+
+ # We only test on physical interfaces and not VLAN (sub-)interfaces
+ cls._interfaces = []
+ if 'TEST_ETH' in os.environ:
+ tmp = os.environ['TEST_ETH'].split()
+ cls._interfaces = tmp
+ else:
+ for tmp in Section.interfaces('ethernet', vlan=False):
+ cls._interfaces.append(tmp)
+
+ def tearDown(self):
+ # delete testing SSH config
+ self.cli_delete(base_path)
+ self.cli_commit()
+
+ def test_01_cake(self):
+ bandwidth = 1000000
+ rtt = 200
+
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ self.cli_set(base_path + ['policy', 'cake', policy_name, 'bandwidth', str(bandwidth)])
+ self.cli_set(base_path + ['policy', 'cake', policy_name, 'rtt', str(rtt)])
+ self.cli_set(base_path + ['policy', 'cake', policy_name, 'flow-isolation', 'dual-src-host'])
+
+ bandwidth += 1000000
+ rtt += 20
+
+ # commit changes
+ self.cli_commit()
+
+ bandwidth = 1000000
+ rtt = 200
+ for interface in self._interfaces:
+ tmp = get_tc_qdisc_json(interface)
+
+ self.assertEqual('cake', tmp['kind'])
+ # TC store rates as a 32-bit unsigned integer in bps (Bytes per second)
+ self.assertEqual(int(bandwidth *125), tmp['options']['bandwidth'])
+ # RTT internally is in us
+ self.assertEqual(int(rtt *1000), tmp['options']['rtt'])
+ self.assertEqual('dual-srchost', tmp['options']['flowmode'])
+ self.assertFalse(tmp['options']['ingress'])
+ self.assertFalse(tmp['options']['nat'])
+ self.assertTrue(tmp['options']['raw'])
+
+ bandwidth += 1000000
+ rtt += 20
+
+ def test_02_drop_tail(self):
+ queue_limit = 50
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ self.cli_set(base_path + ['policy', 'drop-tail', policy_name, 'queue-limit', str(queue_limit)])
+
+ queue_limit += 10
+
+ # commit changes
+ self.cli_commit()
+
+ queue_limit = 50
+ for interface in self._interfaces:
+ tmp = get_tc_qdisc_json(interface)
+
+ self.assertEqual('pfifo', tmp['kind'])
+ self.assertEqual(queue_limit, tmp['options']['limit'])
+
+ queue_limit += 10
+
+ def test_03_fair_queue(self):
+ hash_interval = 10
+ queue_limit = 5
+ policy_type = 'fair-queue'
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'hash-interval', str(hash_interval)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'queue-limit', str(queue_limit)])
+
+ hash_interval += 1
+ queue_limit += 1
+
+ # commit changes
+ self.cli_commit()
+
+ hash_interval = 10
+ queue_limit = 5
+ for interface in self._interfaces:
+ tmp = get_tc_qdisc_json(interface)
+
+ self.assertEqual('sfq', tmp['kind'])
+ self.assertEqual(hash_interval, tmp['options']['perturb'])
+ self.assertEqual(queue_limit, tmp['options']['limit'])
+
+ hash_interval += 1
+ queue_limit += 1
+
+ def test_04_fq_codel(self):
+ policy_type = 'fq-codel'
+ codel_quantum = 1500
+ flows = 512
+ interval = 100
+ queue_limit = 2048
+ target = 5
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'codel-quantum', str(codel_quantum)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'flows', str(flows)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'interval', str(interval)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'queue-limit', str(queue_limit)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'target', str(target)])
+
+ codel_quantum += 10
+ flows += 2
+ interval += 10
+ queue_limit += 512
+ target += 1
+
+ # commit changes
+ self.cli_commit()
+
+ codel_quantum = 1500
+ flows = 512
+ interval = 100
+ queue_limit = 2048
+ target = 5
+ for interface in self._interfaces:
+ tmp = get_tc_qdisc_json(interface)
+
+ self.assertEqual('fq_codel', tmp['kind'])
+ self.assertEqual(codel_quantum, tmp['options']['quantum'])
+ self.assertEqual(flows, tmp['options']['flows'])
+ self.assertEqual(queue_limit, tmp['options']['limit'])
+
+ # due to internal rounding we need to substract 1 from interval and target after converting to milliseconds
+ # configuration of:
+ # tc qdisc add dev eth0 root fq_codel quantum 1500 flows 512 interval 100ms limit 2048 target 5ms noecn
+ # results in: tc -j qdisc show dev eth0
+ # [{"kind":"fq_codel","handle":"8046:","root":true,"refcnt":3,"options":{"limit":2048,"flows":512,
+ # "quantum":1500,"target":4999,"interval":99999,"memory_limit":33554432,"drop_batch":64}}]
+ self.assertEqual(interval *1000 -1, tmp['options']['interval'])
+ self.assertEqual(target *1000 -1, tmp['options']['target'])
+
+ codel_quantum += 10
+ flows += 2
+ interval += 10
+ queue_limit += 512
+ target += 1
+
+ def test_05_limiter(self):
+ qos_config = {
+ '1' : {
+ 'bandwidth' : '100',
+ 'match4' : {
+ 'ssh' : { 'dport' : '22', },
+ },
+ },
+ '2' : {
+ 'bandwidth' : '100',
+ 'match6' : {
+ 'ssh' : { 'dport' : '22', },
+ },
+ },
+ }
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'egress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+
+
+ for qos_class, qos_class_config in qos_config.items():
+ qos_class_base = base_path + ['policy', 'limiter', policy_name, 'class', qos_class]
+
+ if 'match4' in qos_class_config:
+ for match, match_config in qos_class_config['match4'].items():
+ if 'dport' in match_config:
+ self.cli_set(qos_class_base + ['match', match, 'ip', 'destination', 'port', match_config['dport']])
+
+ if 'match6' in qos_class_config:
+ for match, match_config in qos_class_config['match6'].items():
+ if 'dport' in match_config:
+ self.cli_set(qos_class_base + ['match', match, 'ipv6', 'destination', 'port', match_config['dport']])
+
+ if 'bandwidth' in qos_class_config:
+ self.cli_set(qos_class_base + ['bandwidth', qos_class_config['bandwidth']])
+
+
+ # commit changes
+ self.cli_commit()
+
+ for interface in self._interfaces:
+ for filter in get_tc_filter_json(interface, 'ingress'):
+ # bail out early if filter has no attached action
+ if 'options' not in filter or 'actions' not in filter['options']:
+ continue
+
+ for qos_class, qos_class_config in qos_config.items():
+ # Every flowid starts with ffff and we encopde the class number after the colon
+ if 'flowid' not in filter['options'] or filter['options']['flowid'] != f'ffff:{qos_class}':
+ continue
+
+ ip_hdr_offset = 20
+ if 'match6' in qos_class_config:
+ ip_hdr_offset = 40
+
+ self.assertEqual(ip_hdr_offset, filter['options']['match']['off'])
+ if 'dport' in match_config:
+ dport = int(match_config['dport'])
+ self.assertEqual(f'{dport:x}', filter['options']['match']['value'])
+
+ def test_06_network_emulator(self):
+ policy_type = 'network-emulator'
+
+ bandwidth = 1000000
+ corruption = 1
+ delay = 2
+ duplicate = 3
+ loss = 4
+ queue_limit = 5
+ reordering = 6
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'bandwidth', str(bandwidth)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'corruption', str(corruption)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'delay', str(delay)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'duplicate', str(duplicate)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'loss', str(loss)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'queue-limit', str(queue_limit)])
+ self.cli_set(base_path + ['policy', policy_type, policy_name, 'reordering', str(reordering)])
+
+ bandwidth += 1000000
+ corruption += 1
+ delay += 1
+ duplicate +=1
+ loss += 1
+ queue_limit += 1
+ reordering += 1
+
+ # commit changes
+ self.cli_commit()
+
+ bandwidth = 1000000
+ corruption = 1
+ delay = 2
+ duplicate = 3
+ loss = 4
+ queue_limit = 5
+ reordering = 6
+ for interface in self._interfaces:
+ tmp = get_tc_qdisc_json(interface)
+ self.assertEqual('netem', tmp['kind'])
+
+ self.assertEqual(int(bandwidth *125), tmp['options']['rate']['rate'])
+ # values are in %
+ self.assertEqual(corruption/100, tmp['options']['corrupt']['corrupt'])
+ self.assertEqual(duplicate/100, tmp['options']['duplicate']['duplicate'])
+ self.assertEqual(loss/100, tmp['options']['loss-random']['loss'])
+ self.assertEqual(reordering/100, tmp['options']['reorder']['reorder'])
+ self.assertEqual(delay/1000, tmp['options']['delay']['delay'])
+
+ self.assertEqual(queue_limit, tmp['options']['limit'])
+
+ bandwidth += 1000000
+ corruption += 1
+ delay += 1
+ duplicate += 1
+ loss += 1
+ queue_limit += 1
+ reordering += 1
+
+ def test_07_priority_queue(self):
+ priorities = ['1', '2', '3', '4', '5']
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ self.cli_set(base_path + ['policy', 'priority-queue', policy_name, 'default', 'queue-limit', '10'])
+
+ for priority in priorities:
+ prio_base = base_path + ['policy', 'priority-queue', policy_name, 'class', priority]
+ self.cli_set(prio_base + ['match', f'prio-{priority}', 'ip', 'destination', 'port', str(1000 + int(priority))])
+
+ # commit changes
+ self.cli_commit()
+
+ def test_08_random_detect(self):
+ self.skipTest('tc returns invalid JSON here - needs iproute2 fix')
+ bandwidth = 5000
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ self.cli_set(base_path + ['policy', 'random-detect', policy_name, 'bandwidth', str(bandwidth)])
+
+ bandwidth += 1000
+
+ # commit changes
+ self.cli_commit()
+
+ bandwidth = 5000
+ for interface in self._interfaces:
+ tmp = get_tc_qdisc_json(interface)
+ import pprint
+ pprint.pprint(tmp)
+
+ def test_09_rate_control(self):
+ bandwidth = 5000
+ burst = 20
+ latency = 5
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+ self.cli_set(base_path + ['policy', 'rate-control', policy_name, 'bandwidth', str(bandwidth)])
+ self.cli_set(base_path + ['policy', 'rate-control', policy_name, 'burst', str(burst)])
+ self.cli_set(base_path + ['policy', 'rate-control', policy_name, 'latency', str(latency)])
+
+ bandwidth += 1000
+ burst += 5
+ latency += 1
+ # commit changes
+ self.cli_commit()
+
+ bandwidth = 5000
+ burst = 20
+ latency = 5
+ for interface in self._interfaces:
+ tmp = get_tc_qdisc_json(interface)
+
+ self.assertEqual('tbf', tmp['kind'])
+ self.assertEqual(0, tmp['options']['mpu'])
+ # TC store rates as a 32-bit unsigned integer in bps (Bytes per second)
+ self.assertEqual(int(bandwidth * 125), tmp['options']['rate'])
+
+ bandwidth += 1000
+ burst += 5
+ latency += 1
+
+ def test_10_round_robin(self):
+ qos_config = {
+ '1' : {
+ 'match4' : {
+ 'ssh' : { 'dport' : '22', },
+ },
+ },
+ '2' : {
+ 'match6' : {
+ 'ssh' : { 'dport' : '22', },
+ },
+ },
+ }
+
+ first = True
+ for interface in self._interfaces:
+ policy_name = f'qos-policy-{interface}'
+
+ if first:
+ self.cli_set(base_path + ['interface', interface, 'ingress', policy_name])
+ # verify() - selected QoS policy on interface only supports egress
+ with self.assertRaises(ConfigSessionError):
+ self.cli_commit()
+ self.cli_delete(base_path + ['interface', interface, 'ingress', policy_name])
+ first = False
+
+ self.cli_set(base_path + ['interface', interface, 'egress', policy_name])
+
+ for qos_class, qos_class_config in qos_config.items():
+ qos_class_base = base_path + ['policy', 'round-robin', policy_name, 'class', qos_class]
+
+ if 'match4' in qos_class_config:
+ for match, match_config in qos_class_config['match4'].items():
+ if 'dport' in match_config:
+ self.cli_set(qos_class_base + ['match', match, 'ip', 'destination', 'port', match_config['dport']])
+
+ if 'match6' in qos_class_config:
+ for match, match_config in qos_class_config['match6'].items():
+ if 'dport' in match_config:
+ self.cli_set(qos_class_base + ['match', match, 'ipv6', 'destination', 'port', match_config['dport']])
+
+
+ # commit changes
+ self.cli_commit()
+
+ for interface in self._interfaces:
+ import pprint
+ tmp = get_tc_qdisc_json(interface)
+ self.assertEqual('drr', tmp['kind'])
+
+ for filter in get_tc_filter_json(interface, 'ingress'):
+ # bail out early if filter has no attached action
+ if 'options' not in filter or 'actions' not in filter['options']:
+ continue
+
+ for qos_class, qos_class_config in qos_config.items():
+ # Every flowid starts with ffff and we encopde the class number after the colon
+ if 'flowid' not in filter['options'] or filter['options']['flowid'] != f'ffff:{qos_class}':
+ continue
+
+ ip_hdr_offset = 20
+ if 'match6' in qos_class_config:
+ ip_hdr_offset = 40
+
+ self.assertEqual(ip_hdr_offset, filter['options']['match']['off'])
+ if 'dport' in match_config:
+ dport = int(match_config['dport'])
+ self.assertEqual(f'{dport:x}', filter['options']['match']['value'])
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2, failfast=True)
diff --git a/smoketest/scripts/cli/test_service_dhcp-server.py b/smoketest/scripts/cli/test_service_dhcp-server.py
index 9c9d6d9f1..64ba100a2 100755
--- a/smoketest/scripts/cli/test_service_dhcp-server.py
+++ b/smoketest/scripts/cli/test_service_dhcp-server.py
@@ -102,16 +102,17 @@ class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase):
def test_dhcp_single_pool_options(self):
shared_net_name = 'SMOKE-0815'
- range_0_start = inc_ip(subnet, 10)
- range_0_stop = inc_ip(subnet, 20)
- smtp_server = '1.2.3.4'
- time_server = '4.3.2.1'
- tftp_server = 'tftp.vyos.io'
- search_domains = ['foo.vyos.net', 'bar.vyos.net']
- bootfile_name = 'vyos'
- bootfile_server = '192.0.2.1'
- wpad = 'http://wpad.vyos.io/foo/bar'
- server_identifier = bootfile_server
+ range_0_start = inc_ip(subnet, 10)
+ range_0_stop = inc_ip(subnet, 20)
+ smtp_server = '1.2.3.4'
+ time_server = '4.3.2.1'
+ tftp_server = 'tftp.vyos.io'
+ search_domains = ['foo.vyos.net', 'bar.vyos.net']
+ bootfile_name = 'vyos'
+ bootfile_server = '192.0.2.1'
+ wpad = 'http://wpad.vyos.io/foo/bar'
+ server_identifier = bootfile_server
+ ipv6_only_preferred = '300'
pool = base_path + ['shared-network-name', shared_net_name, 'subnet', subnet]
# we use the first subnet IP address as default gateway
@@ -132,6 +133,7 @@ class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase):
self.cli_set(pool + ['server-identifier', server_identifier])
self.cli_set(pool + ['static-route', '10.0.0.0/24', 'next-hop', '192.0.2.1'])
+ self.cli_set(pool + ['ipv6-only-preferred', ipv6_only_preferred])
# check validate() - No DHCP address range or active static-mapping set
with self.assertRaises(ConfigSessionError):
@@ -169,6 +171,7 @@ class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase):
self.assertIn(f'max-lease-time 86400;', config)
self.assertIn(f'range {range_0_start} {range_0_stop};', config)
self.assertIn(f'set shared-networkname = "{shared_net_name}";', config)
+ self.assertIn(f'option rfc8925-ipv6-only-preferred {ipv6_only_preferred};', config)
# weird syntax for those static routes
self.assertIn(f'option rfc3442-static-route 24,10,0,0,192,0,2,1, 0,192,0,2,1;', config)
diff --git a/smoketest/scripts/cli/test_service_router-advert.py b/smoketest/scripts/cli/test_service_router-advert.py
index 873be7df0..0169b7934 100755
--- a/smoketest/scripts/cli/test_service_router-advert.py
+++ b/smoketest/scripts/cli/test_service_router-advert.py
@@ -37,7 +37,6 @@ def get_config_value(key):
return tmp[0].split()[0].replace(';','')
class TestServiceRADVD(VyOSUnitTestSHIM.TestCase):
-
@classmethod
def setUpClass(cls):
super(TestServiceRADVD, cls).setUpClass()
@@ -114,7 +113,6 @@ class TestServiceRADVD(VyOSUnitTestSHIM.TestCase):
tmp = get_config_value('DecrementLifetimes')
self.assertEqual(tmp, 'off')
-
def test_dns(self):
nameserver = ['2001:db8::1', '2001:db8::2']
dnssl = ['vyos.net', 'vyos.io']
@@ -150,7 +148,6 @@ class TestServiceRADVD(VyOSUnitTestSHIM.TestCase):
tmp = 'DNSSL ' + ' '.join(dnssl) + ' {'
self.assertIn(tmp, config)
-
def test_deprecate_prefix(self):
self.cli_set(base_path + ['prefix', prefix, 'valid-lifetime', 'infinity'])
self.cli_set(base_path + ['prefix', prefix, 'deprecate-prefix'])
@@ -159,13 +156,45 @@ class TestServiceRADVD(VyOSUnitTestSHIM.TestCase):
# commit changes
self.cli_commit()
- config = read_file(RADVD_CONF)
-
tmp = get_config_value('DeprecatePrefix')
self.assertEqual(tmp, 'on')
tmp = get_config_value('DecrementLifetimes')
self.assertEqual(tmp, 'on')
+ def test_route(self):
+ route = '2001:db8:1000::/64'
+
+ self.cli_set(base_path + ['prefix', prefix])
+ self.cli_set(base_path + ['route', route])
+
+ # commit changes
+ self.cli_commit()
+
+ config = read_file(RADVD_CONF)
+
+ tmp = f'route {route}' + ' {'
+ self.assertIn(tmp, config)
+
+ self.assertIn('AdvRouteLifetime 1800;', config)
+ self.assertIn('AdvRoutePreference medium;', config)
+ self.assertIn('RemoveRoute on;', config)
+
+ def test_rasrcaddress(self):
+ ra_src = ['fe80::1', 'fe80::2']
+
+ self.cli_set(base_path + ['prefix', prefix])
+ for src in ra_src:
+ self.cli_set(base_path + ['source-address', src])
+
+ # commit changes
+ self.cli_commit()
+
+ config = read_file(RADVD_CONF)
+ self.assertIn('AdvRASrcAddress {', config)
+ for src in ra_src:
+ self.assertIn(f' {src};', config)
+
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index bd242104f..46db0bbf5 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -39,6 +39,7 @@ vif = '100'
esp_group = 'MyESPGroup'
ike_group = 'MyIKEGroup'
secret = 'MYSECRETKEY'
+PROCESS_NAME = 'charon'
ca_pem = """
MIIDSzCCAjOgAwIBAgIUQHK+ZgTUYZksvXY2/MyW+Jiels4wDQYJKoZIhvcNAQEL
@@ -137,14 +138,14 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
def tearDown(self):
# Check for running process
- self.assertTrue(process_named_running('charon'))
+ self.assertTrue(process_named_running(PROCESS_NAME))
self.cli_delete(base_path)
self.cli_delete(tunnel_path)
self.cli_commit()
# Check for no longer running process
- self.assertFalse(process_named_running('charon'))
+ self.assertFalse(process_named_running(PROCESS_NAME))
def test_01_dhcp_fail_handling(self):
# Interface for dhcp-interface
@@ -166,6 +167,8 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
dhcp_waiting = read_file(dhcp_waiting_file)
self.assertIn(f'{interface}.{vif}', dhcp_waiting) # Ensure dhcp-failed interface was added for dhclient hook
+ self.cli_delete(ethernet_path + [interface, 'vif', vif, 'address'])
+
def test_02_site_to_site(self):
self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 8efeaed54..7567444db 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -73,9 +73,19 @@ def get_config(config=None):
# Merge per-container default values
if 'name' in container:
default_values = defaults(base + ['name'])
+ if 'port' in default_values:
+ del default_values['port']
for name in container['name']:
container['name'][name] = dict_merge(default_values, container['name'][name])
+ # XXX: T2665: we can not safely rely on the defaults() when there are
+ # tagNodes in place, it is better to blend in the defaults manually.
+ if 'port' in container['name'][name]:
+ for port in container['name'][name]['port']:
+ default_values = defaults(base + ['name', 'port'])
+ container['name'][name]['port'][port] = dict_merge(
+ default_values, container['name'][name]['port'][port])
+
# Delete container network, delete containers
tmp = node_changed(conf, base + ['network'])
if tmp: container.update({'network_remove' : tmp})
@@ -168,6 +178,11 @@ def verify(container):
if not os.path.exists(source):
raise ConfigError(f'Volume "{volume}" source path "{source}" does not exist!')
+ if 'port' in container_config:
+ for tmp in container_config['port']:
+ if not {'source', 'destination'} <= set(container_config['port'][tmp]):
+ raise ConfigError(f'Both "source" and "destination" must be specified for a port mapping!')
+
# If 'allow-host-networks' or 'network' not set.
if 'allow_host_networks' not in container_config and 'network' not in container_config:
raise ConfigError(f'Must either set "network" or "allow-host-networks" for container "{name}"!')
@@ -237,14 +252,10 @@ def generate_run_arguments(name, container_config):
if 'port' in container_config:
protocol = ''
for portmap in container_config['port']:
- if 'protocol' in container_config['port'][portmap]:
- protocol = container_config['port'][portmap]['protocol']
- protocol = f'/{protocol}'
- else:
- protocol = '/tcp'
+ protocol = container_config['port'][portmap]['protocol']
sport = container_config['port'][portmap]['source']
dport = container_config['port'][portmap]['destination']
- port += f' -p {sport}:{dport}{protocol}'
+ port += f' -p {sport}:{dport}/{protocol}'
# Bind volume
volume = ''
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index f68acfe02..20cf1ead1 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -65,7 +65,8 @@ valid_groups = [
'address_group',
'domain_group',
'network_group',
- 'port_group'
+ 'port_group',
+ 'interface_group'
]
nested_group_types = [
diff --git a/src/conf_mode/high-availability.py b/src/conf_mode/high-availability.py
index 8a959dc79..4ed16d0d7 100755
--- a/src/conf_mode/high-availability.py
+++ b/src/conf_mode/high-availability.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -144,8 +144,10 @@ def verify(ha):
# Virtual-server
if 'virtual_server' in ha:
for vs, vs_config in ha['virtual_server'].items():
- if 'port' not in vs_config:
- raise ConfigError(f'Port is required but not set for virtual-server "{vs}"')
+ if 'port' not in vs_config and 'fwmark' not in vs_config:
+ raise ConfigError(f'Port or fwmark is required but not set for virtual-server "{vs}"')
+ if 'port' in vs_config and 'fwmark' in vs_config:
+ raise ConfigError(f'Cannot set both port and fwmark for virtual-server "{vs}"')
if 'real_server' not in vs_config:
raise ConfigError(f'Real-server ip is required but not set for virtual-server "{vs}"')
# Real-server
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py
index b883ebef2..9936620c8 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces-bonding.py
@@ -21,6 +21,7 @@ from netifaces import interfaces
from vyos.config import Config
from vyos.configdict import get_interface_dict
+from vyos.configdict import is_node_changed
from vyos.configdict import leaf_node_changed
from vyos.configdict import is_member
from vyos.configdict import is_source_interface
@@ -81,10 +82,10 @@ def get_config(config=None):
if 'mode' in bond:
bond['mode'] = get_bond_mode(bond['mode'])
- tmp = leaf_node_changed(conf, base + [ifname, 'mode'])
+ tmp = is_node_changed(conf, base + [ifname, 'mode'])
if tmp: bond['shutdown_required'] = {}
- tmp = leaf_node_changed(conf, base + [ifname, 'lacp-rate'])
+ tmp = is_node_changed(conf, base + [ifname, 'lacp-rate'])
if tmp: bond['shutdown_required'] = {}
# determine which members have been removed
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py
index 08cc3a48d..f6694ddde 100755
--- a/src/conf_mode/interfaces-geneve.py
+++ b/src/conf_mode/interfaces-geneve.py
@@ -14,14 +14,11 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import os
-
from sys import exit
from netifaces import interfaces
from vyos.config import Config
from vyos.configdict import get_interface_dict
-from vyos.configdict import leaf_node_changed
from vyos.configdict import is_node_changed
from vyos.configverify import verify_address
from vyos.configverify import verify_mtu_ipv6
@@ -49,13 +46,10 @@ def get_config(config=None):
# GENEVE interfaces are picky and require recreation if certain parameters
# change. But a GENEVE interface should - of course - not be re-created if
# it's description or IP address is adjusted. Feels somehow logic doesn't it?
- for cli_option in ['remote', 'vni']:
- if leaf_node_changed(conf, base + [ifname, cli_option]):
+ for cli_option in ['remote', 'vni', 'parameters']:
+ if is_node_changed(conf, base + [ifname, cli_option]):
geneve.update({'rebuild_required': {}})
- if is_node_changed(conf, base + [ifname, 'parameters']):
- geneve.update({'rebuild_required': {}})
-
return geneve
def verify(geneve):
diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py
index 4c65bc0b6..dce5c2358 100755
--- a/src/conf_mode/interfaces-pseudo-ethernet.py
+++ b/src/conf_mode/interfaces-pseudo-ethernet.py
@@ -21,7 +21,7 @@ from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configdict import is_node_changed
from vyos.configdict import is_source_interface
-from vyos.configdict import leaf_node_changed
+from vyos.configdict import is_node_changed
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
@@ -51,7 +51,7 @@ def get_config(config=None):
mode = is_node_changed(conf, ['mode'])
if mode: peth.update({'shutdown_required' : {}})
- if leaf_node_changed(conf, base + [ifname, 'mode']):
+ if is_node_changed(conf, base + [ifname, 'mode']):
peth.update({'rebuild_required': {}})
if 'source_interface' in peth:
diff --git a/src/conf_mode/interfaces-sstpc.py b/src/conf_mode/interfaces-sstpc.py
index 6b8094c51..b5cc4cf4e 100755
--- a/src/conf_mode/interfaces-sstpc.py
+++ b/src/conf_mode/interfaces-sstpc.py
@@ -70,7 +70,10 @@ def verify(sstpc):
verify_authentication(sstpc)
verify_vrf(sstpc)
- if dict_search('ssl.ca_certificate', sstpc) == None:
+ if not dict_search('server', sstpc):
+ raise ConfigError('Remote SSTP server must be specified!')
+
+ if not dict_search('ssl.ca_certificate', sstpc):
raise ConfigError('Missing mandatory CA certificate!')
return None
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index acef1fda7..e2701d9d3 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -21,7 +21,7 @@ from netifaces import interfaces
from vyos.config import Config
from vyos.configdict import get_interface_dict
-from vyos.configdict import leaf_node_changed
+from vyos.configdict import is_node_changed
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_interface_exists
@@ -52,7 +52,7 @@ def get_config(config=None):
ifname, tunnel = get_interface_dict(conf, base)
if 'deleted' not in tunnel:
- tmp = leaf_node_changed(conf, base + [ifname, 'encapsulation'])
+ tmp = is_node_changed(conf, base + [ifname, 'encapsulation'])
if tmp: tunnel.update({'encapsulation_changed': {}})
# We also need to inspect other configured tunnels as there are Kernel
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py
index af2d0588d..b1536148c 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces-vxlan.py
@@ -52,13 +52,11 @@ def get_config(config=None):
# VXLAN interfaces are picky and require recreation if certain parameters
# change. But a VXLAN interface should - of course - not be re-created if
# it's description or IP address is adjusted. Feels somehow logic doesn't it?
- for cli_option in ['external', 'gpe', 'group', 'port', 'remote',
+ for cli_option in ['parameters', 'external', 'gpe', 'group', 'port', 'remote',
'source-address', 'source-interface', 'vni']:
- if leaf_node_changed(conf, base + [ifname, cli_option]):
+ if is_node_changed(conf, base + [ifname, cli_option]):
vxlan.update({'rebuild_required': {}})
-
- if is_node_changed(conf, base + [ifname, 'parameters']):
- vxlan.update({'rebuild_required': {}})
+ break
# We need to verify that no other VXLAN tunnel is configured when external
# mode is in use - Linux Kernel limitation
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index e8f3cc87a..54de467ca 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -51,6 +51,11 @@ sync_search = [
'script': '/usr/libexec/vyos/conf_mode/interfaces-openvpn.py'
},
{
+ 'keys': ['ca_certificate'],
+ 'path': ['interfaces', 'sstpc'],
+ 'script': '/usr/libexec/vyos/conf_mode/interfaces-sstpc.py'
+ },
+ {
'keys': ['certificate', 'ca_certificate', 'local_key', 'remote_key'],
'path': ['vpn', 'ipsec'],
'script': '/usr/libexec/vyos/conf_mode/vpn_ipsec.py'
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index 1d016695e..40a32efb3 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -36,7 +36,8 @@ valid_groups = [
'address_group',
'domain_group',
'network_group',
- 'port_group'
+ 'port_group',
+ 'interface_group'
]
def get_config(config=None):
diff --git a/src/conf_mode/protocols_failover.py b/src/conf_mode/protocols_failover.py
new file mode 100755
index 000000000..048ba7a89
--- /dev/null
+++ b/src/conf_mode/protocols_failover.py
@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import json
+
+from pathlib import Path
+
+from vyos.config import Config
+from vyos.configdict import dict_merge
+from vyos.template import render
+from vyos.util import call
+from vyos.xml import defaults
+from vyos import ConfigError
+from vyos import airbag
+
+airbag.enable()
+
+
+service_name = 'vyos-failover'
+service_conf = Path(f'/run/{service_name}.conf')
+systemd_service = '/etc/systemd/system/vyos-failover.service'
+rt_proto_failover = '/etc/iproute2/rt_protos.d/failover.conf'
+
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+
+ base = ['protocols', 'failover']
+ failover = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+
+ # Set default values only if we set config
+ if failover.get('route'):
+ for route, route_config in failover.get('route').items():
+ for next_hop, next_hop_config in route_config.get('next_hop').items():
+ default_values = defaults(base + ['route'])
+ failover['route'][route]['next_hop'][next_hop] = dict_merge(
+ default_values['next_hop'], failover['route'][route]['next_hop'][next_hop])
+
+ return failover
+
+def verify(failover):
+ # bail out early - looks like removal from running config
+ if not failover:
+ return None
+
+ if 'route' not in failover:
+ raise ConfigError(f'Failover "route" is mandatory!')
+
+ for route, route_config in failover['route'].items():
+ if not route_config.get('next_hop'):
+ raise ConfigError(f'Next-hop for "{route}" is mandatory!')
+
+ for next_hop, next_hop_config in route_config.get('next_hop').items():
+ if 'interface' not in next_hop_config:
+ raise ConfigError(f'Interface for route "{route}" next-hop "{next_hop}" is mandatory!')
+
+ if not next_hop_config.get('check'):
+ raise ConfigError(f'Check target for next-hop "{next_hop}" is mandatory!')
+
+ if 'target' not in next_hop_config['check']:
+ raise ConfigError(f'Check target for next-hop "{next_hop}" is mandatory!')
+
+ check_type = next_hop_config['check']['type']
+ if check_type == 'tcp' and 'port' not in next_hop_config['check']:
+ raise ConfigError(f'Check port for next-hop "{next_hop}" and type TCP is mandatory!')
+
+ return None
+
+def generate(failover):
+ if not failover:
+ service_conf.unlink(missing_ok=True)
+ return None
+
+ # Add own rt_proto 'failover'
+ # Helps to detect all own routes 'proto failover'
+ with open(rt_proto_failover, 'w') as f:
+ f.write('111 failover\n')
+
+ # Write configuration file
+ conf_json = json.dumps(failover, indent=4)
+ service_conf.write_text(conf_json)
+ render(systemd_service, 'protocols/systemd_vyos_failover_service.j2', failover)
+
+ return None
+
+def apply(failover):
+ if not failover:
+ call(f'systemctl stop {service_name}.service')
+ call('ip route flush protocol failover')
+ else:
+ call('systemctl daemon-reload')
+ call(f'systemctl restart {service_name}.service')
+ call(f'ip route flush protocol failover')
+
+ return None
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
index dbe3be225..1fe3b6aa9 100755
--- a/src/conf_mode/qos.py
+++ b/src/conf_mode/qos.py
@@ -15,14 +15,59 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from sys import exit
+from netifaces import interfaces
from vyos.config import Config
from vyos.configdict import dict_merge
+from vyos.configverify import verify_interface_exists
+from vyos.qos import CAKE
+from vyos.qos import DropTail
+from vyos.qos import FairQueue
+from vyos.qos import FQCodel
+from vyos.qos import Limiter
+from vyos.qos import NetEm
+from vyos.qos import Priority
+from vyos.qos import RandomDetect
+from vyos.qos import RateLimiter
+from vyos.qos import RoundRobin
+from vyos.qos import TrafficShaper
+from vyos.qos import TrafficShaperHFSC
+from vyos.util import call
+from vyos.util import dict_search_recursive
from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
+map_vyops_tc = {
+ 'cake' : CAKE,
+ 'drop_tail' : DropTail,
+ 'fair_queue' : FairQueue,
+ 'fq_codel' : FQCodel,
+ 'limiter' : Limiter,
+ 'network_emulator' : NetEm,
+ 'priority_queue' : Priority,
+ 'random_detect' : RandomDetect,
+ 'rate_control' : RateLimiter,
+ 'round_robin' : RoundRobin,
+ 'shaper' : TrafficShaper,
+ 'shaper_hfsc' : TrafficShaperHFSC,
+}
+
+def get_shaper(qos, interface_config, direction):
+ policy_name = interface_config[direction]
+ # An interface might have a QoS configuration, search the used
+ # configuration referenced by this. Path will hold the dict element
+ # referenced by the config, as this will be of sort:
+ #
+ # ['policy', 'drop_tail', 'foo-dtail'] <- we are only interested in
+ # drop_tail as the policy/shaper type
+ _, path = next(dict_search_recursive(qos, policy_name))
+ shaper_type = path[1]
+ shaper_config = qos['policy'][shaper_type][policy_name]
+
+ return (map_vyops_tc[shaper_type], shaper_config)
+
def get_config(config=None):
if config:
conf = config
@@ -32,48 +77,167 @@ def get_config(config=None):
if not conf.exists(base):
return None
- qos = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+ qos = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
if 'policy' in qos:
for policy in qos['policy']:
- # CLI mangles - to _ for better Jinja2 compatibility - do we need
- # Jinja2 here?
- policy = policy.replace('-','_')
+ # when calling defaults() we need to use the real CLI node, thus we
+ # need a hyphen
+ policy_hyphen = policy.replace('_', '-')
+
+ if policy in ['random_detect']:
+ for rd_name, rd_config in qos['policy'][policy].items():
+ # There are eight precedence levels - ensure all are present
+ # to be filled later down with the appropriate default values
+ default_precedence = {'precedence' : { '0' : {}, '1' : {}, '2' : {}, '3' : {},
+ '4' : {}, '5' : {}, '6' : {}, '7' : {} }}
+ qos['policy']['random_detect'][rd_name] = dict_merge(
+ default_precedence, qos['policy']['random_detect'][rd_name])
- default_values = defaults(base + ['policy', policy])
+ for p_name, p_config in qos['policy'][policy].items():
+ default_values = defaults(base + ['policy', policy_hyphen])
- # class is another tag node which requires individual handling
- class_default_values = defaults(base + ['policy', policy, 'class'])
- if 'class' in default_values:
- del default_values['class']
+ if policy in ['priority_queue']:
+ if 'default' not in p_config:
+ raise ConfigError(f'QoS policy {p_name} misses "default" class!')
+
+ # XXX: T2665: we can not safely rely on the defaults() when there are
+ # tagNodes in place, it is better to blend in the defaults manually.
+ if 'class' in default_values:
+ del default_values['class']
+ if 'precedence' in default_values:
+ del default_values['precedence']
- for p_name, p_config in qos['policy'][policy].items():
qos['policy'][policy][p_name] = dict_merge(
default_values, qos['policy'][policy][p_name])
+ # class is another tag node which requires individual handling
if 'class' in p_config:
+ default_values = defaults(base + ['policy', policy_hyphen, 'class'])
for p_class in p_config['class']:
qos['policy'][policy][p_name]['class'][p_class] = dict_merge(
- class_default_values, qos['policy'][policy][p_name]['class'][p_class])
+ default_values, qos['policy'][policy][p_name]['class'][p_class])
+
+ if 'precedence' in p_config:
+ default_values = defaults(base + ['policy', policy_hyphen, 'precedence'])
+ # precedence values are a bit more complex as they are calculated
+ # under specific circumstances - thus we need to iterate two times.
+ # first blend in the defaults from XML / CLI
+ for precedence in p_config['precedence']:
+ qos['policy'][policy][p_name]['precedence'][precedence] = dict_merge(
+ default_values, qos['policy'][policy][p_name]['precedence'][precedence])
+ # second calculate defaults based on actual dictionary
+ for precedence in p_config['precedence']:
+ max_thr = int(qos['policy'][policy][p_name]['precedence'][precedence]['maximum_threshold'])
+ if 'minimum_threshold' not in qos['policy'][policy][p_name]['precedence'][precedence]:
+ qos['policy'][policy][p_name]['precedence'][precedence]['minimum_threshold'] = str(
+ int((9 + int(precedence)) * max_thr) // 18);
+
+ if 'queue_limit' not in qos['policy'][policy][p_name]['precedence'][precedence]:
+ qos['policy'][policy][p_name]['precedence'][precedence]['queue_limit'] = \
+ str(int(4 * max_thr))
- import pprint
- pprint.pprint(qos)
return qos
def verify(qos):
- if not qos:
+ if not qos or 'interface' not in qos:
return None
# network policy emulator
# reorder rerquires delay to be set
+ if 'policy' in qos:
+ for policy_type in qos['policy']:
+ for policy, policy_config in qos['policy'][policy_type].items():
+ # a policy with it's given name is only allowed to exist once
+ # on the system. This is because an interface selects a policy
+ # for ingress/egress traffic, and thus there can only be one
+ # policy with a given name.
+ #
+ # We check if the policy name occurs more then once - error out
+ # if this is true
+ counter = 0
+ for _, path in dict_search_recursive(qos['policy'], policy):
+ counter += 1
+ if counter > 1:
+ raise ConfigError(f'Conflicting policy name "{policy}", already in use!')
+
+ if 'class' in policy_config:
+ for cls, cls_config in policy_config['class'].items():
+ # bandwidth is not mandatory for priority-queue - that is why this is on the exception list
+ if 'bandwidth' not in cls_config and policy_type not in ['priority_queue', 'round_robin']:
+ raise ConfigError(f'Bandwidth must be defined for policy "{policy}" class "{cls}"!')
+ if 'match' in cls_config:
+ for match, match_config in cls_config['match'].items():
+ if {'ip', 'ipv6'} <= set(match_config):
+ raise ConfigError(f'Can not use both IPv6 and IPv4 in one match ({match})!')
+
+ if policy_type in ['random_detect']:
+ if 'precedence' in policy_config:
+ for precedence, precedence_config in policy_config['precedence'].items():
+ max_tr = int(precedence_config['maximum_threshold'])
+ if {'maximum_threshold', 'minimum_threshold'} <= set(precedence_config):
+ min_tr = int(precedence_config['minimum_threshold'])
+ if min_tr >= max_tr:
+ raise ConfigError(f'Policy "{policy}" uses min-threshold "{min_tr}" >= max-threshold "{max_tr}"!')
+
+ if {'maximum_threshold', 'queue_limit'} <= set(precedence_config):
+ queue_lim = int(precedence_config['queue_limit'])
+ if queue_lim < max_tr:
+ raise ConfigError(f'Policy "{policy}" uses queue-limit "{queue_lim}" < max-threshold "{max_tr}"!')
+
+ if 'default' in policy_config:
+ if 'bandwidth' not in policy_config['default']:
+ raise ConfigError('Bandwidth not defined for default traffic!')
+
+ # we should check interface ingress/egress configuration after verifying that
+ # the policy name is used only once - this makes the logic easier!
+ for interface, interface_config in qos['interface'].items():
+ verify_interface_exists(interface)
+
+ for direction in ['egress', 'ingress']:
+ # bail out early if shaper for given direction is not used at all
+ if direction not in interface_config:
+ continue
+
+ policy_name = interface_config[direction]
+ if 'policy' not in qos or list(dict_search_recursive(qos['policy'], policy_name)) == []:
+ raise ConfigError(f'Selected QoS policy "{policy_name}" does not exist!')
+
+ shaper_type, shaper_config = get_shaper(qos, interface_config, direction)
+ tmp = shaper_type(interface).get_direction()
+ if direction not in tmp:
+ raise ConfigError(f'Selected QoS policy on interface "{interface}" only supports "{tmp}"!')
- raise ConfigError('123')
return None
def generate(qos):
+ if not qos or 'interface' not in qos:
+ return None
+
return None
def apply(qos):
+ # Always delete "old" shapers first
+ for interface in interfaces():
+ # Ignore errors (may have no qdisc)
+ call(f'tc qdisc del dev {interface} parent ffff:')
+ call(f'tc qdisc del dev {interface} root')
+
+ if not qos or 'interface' not in qos:
+ return None
+
+ for interface, interface_config in qos['interface'].items():
+ for direction in ['egress', 'ingress']:
+ # bail out early if shaper for given direction is not used at all
+ if direction not in interface_config:
+ continue
+
+ shaper_type, shaper_config = get_shaper(qos, interface_config, direction)
+ tmp = shaper_type(interface)
+ tmp.update(shaper_config, direction)
+
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py
index 32af31bde..41a1deaa3 100755
--- a/src/conf_mode/service_webproxy.py
+++ b/src/conf_mode/service_webproxy.py
@@ -28,8 +28,10 @@ from vyos.util import dict_search
from vyos.util import write_file
from vyos.validate import is_addr_assigned
from vyos.xml import defaults
+from vyos.base import Warning
from vyos import ConfigError
from vyos import airbag
+
airbag.enable()
squid_config_file = '/etc/squid/squid.conf'
@@ -37,24 +39,57 @@ squidguard_config_file = '/etc/squidguard/squidGuard.conf'
squidguard_db_dir = '/opt/vyatta/etc/config/url-filtering/squidguard/db'
user_group = 'proxy'
-def generate_sg_localdb(category, list_type, role, proxy):
+
+def check_blacklist_categorydb(config_section):
+ if 'block_category' in config_section:
+ for category in config_section['block_category']:
+ check_categorydb(category)
+ if 'allow_category' in config_section:
+ for category in config_section['allow_category']:
+ check_categorydb(category)
+
+
+def check_categorydb(category: str):
+ """
+ Check if category's db exist
+ :param category:
+ :type str:
+ """
+ path_to_cat: str = f'{squidguard_db_dir}/{category}'
+ if not os.path.exists(f'{path_to_cat}/domains.db') \
+ and not os.path.exists(f'{path_to_cat}/urls.db') \
+ and not os.path.exists(f'{path_to_cat}/expressions.db'):
+ Warning(f'DB of category {category} does not exist.\n '
+ f'Use [update webproxy blacklists] '
+ f'or delete undefined category!')
+
+
+def generate_sg_rule_localdb(category, list_type, role, proxy):
+ if not category or not list_type or not role:
+ return None
+
cat_ = category.replace('-', '_')
- if isinstance(dict_search(f'url_filtering.squidguard.{cat_}', proxy),
- list):
+ if role == 'default':
+ path_to_cat = f'{cat_}'
+ else:
+ path_to_cat = f'rule.{role}.{cat_}'
+ if isinstance(
+ dict_search(f'url_filtering.squidguard.{path_to_cat}', proxy),
+ list):
# local block databases must be generated "on-the-fly"
tmp = {
- 'squidguard_db_dir' : squidguard_db_dir,
- 'category' : f'{category}-default',
- 'list_type' : list_type,
- 'rule' : role
+ 'squidguard_db_dir': squidguard_db_dir,
+ 'category': f'{category}-{role}',
+ 'list_type': list_type,
+ 'rule': role
}
sg_tmp_file = '/tmp/sg.conf'
- db_file = f'{category}-default/{list_type}'
- domains = '\n'.join(dict_search(f'url_filtering.squidguard.{cat_}', proxy))
-
+ db_file = f'{category}-{role}/{list_type}'
+ domains = '\n'.join(
+ dict_search(f'url_filtering.squidguard.{path_to_cat}', proxy))
# local file
- write_file(f'{squidguard_db_dir}/{category}-default/local', '',
+ write_file(f'{squidguard_db_dir}/{category}-{role}/local', '',
user=user_group, group=user_group)
# database input file
write_file(f'{squidguard_db_dir}/{db_file}', domains,
@@ -64,17 +99,18 @@ def generate_sg_localdb(category, list_type, role, proxy):
render(sg_tmp_file, 'squid/sg_acl.conf.j2', tmp,
user=user_group, group=user_group)
- call(f'su - {user_group} -c "squidGuard -d -c {sg_tmp_file} -C {db_file}"')
+ call(
+ f'su - {user_group} -c "squidGuard -d -c {sg_tmp_file} -C {db_file}"')
if os.path.exists(sg_tmp_file):
os.unlink(sg_tmp_file)
-
else:
# if category is not part of our configuration, clean out the
# squidguard lists
- tmp = f'{squidguard_db_dir}/{category}-default'
+ tmp = f'{squidguard_db_dir}/{category}-{role}'
if os.path.exists(tmp):
- rmtree(f'{squidguard_db_dir}/{category}-default')
+ rmtree(f'{squidguard_db_dir}/{category}-{role}')
+
def get_config(config=None):
if config:
@@ -85,7 +121,8 @@ def get_config(config=None):
if not conf.exists(base):
return None
- proxy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+ proxy = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True)
# We have gathered the dict representation of the CLI, but there are default
# options which we need to update into the dictionary retrived.
default_values = defaults(base)
@@ -110,10 +147,11 @@ def get_config(config=None):
default_values = defaults(base + ['cache-peer'])
for peer in proxy['cache_peer']:
proxy['cache_peer'][peer] = dict_merge(default_values,
- proxy['cache_peer'][peer])
+ proxy['cache_peer'][peer])
return proxy
+
def verify(proxy):
if not proxy:
return None
@@ -170,17 +208,30 @@ def generate(proxy):
render(squidguard_config_file, 'squid/squidGuard.conf.j2', proxy)
cat_dict = {
- 'local-block' : 'domains',
- 'local-block-keyword' : 'expressions',
- 'local-block-url' : 'urls',
- 'local-ok' : 'domains',
- 'local-ok-url' : 'urls'
+ 'local-block': 'domains',
+ 'local-block-keyword': 'expressions',
+ 'local-block-url': 'urls',
+ 'local-ok': 'domains',
+ 'local-ok-url': 'urls'
}
- for category, list_type in cat_dict.items():
- generate_sg_localdb(category, list_type, 'default', proxy)
+ if dict_search(f'url_filtering.squidguard', proxy) is not None:
+ squidgard_config_section = proxy['url_filtering']['squidguard']
+
+ for category, list_type in cat_dict.items():
+ generate_sg_rule_localdb(category, list_type, 'default', proxy)
+ check_blacklist_categorydb(squidgard_config_section)
+
+ if 'rule' in squidgard_config_section:
+ for rule in squidgard_config_section['rule']:
+ rule_config_section = squidgard_config_section['rule'][
+ rule]
+ for category, list_type in cat_dict.items():
+ generate_sg_rule_localdb(category, list_type, rule, proxy)
+ check_blacklist_categorydb(rule_config_section)
return None
+
def apply(proxy):
if not proxy:
# proxy is removed in the commit
@@ -198,6 +249,7 @@ def apply(proxy):
call('systemctl restart squid.service')
return None
+
if __name__ == '__main__':
try:
c = get_config()
diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py
index 36dbf155b..e6c7a0ed2 100755
--- a/src/conf_mode/system-option.py
+++ b/src/conf_mode/system-option.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -22,17 +22,19 @@ from time import sleep
from vyos.config import Config
from vyos.configdict import dict_merge
+from vyos.configverify import verify_source_interface
from vyos.template import render
from vyos.util import cmd
from vyos.util import is_systemd_service_running
from vyos.validate import is_addr_assigned
+from vyos.validate import is_intf_addr_assigned
from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
curlrc_config = r'/etc/curlrc'
-ssh_config = r'/etc/ssh/ssh_config'
+ssh_config = r'/etc/ssh/ssh_config.d/91-vyos-ssh-client-options.conf'
systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target'
def get_config(config=None):
@@ -68,8 +70,17 @@ def verify(options):
if 'ssh_client' in options:
config = options['ssh_client']
if 'source_address' in config:
+ address = config['source_address']
if not is_addr_assigned(config['source_address']):
- raise ConfigError('No interface with give address specified!')
+ raise ConfigError('No interface with address "{address}" configured!')
+
+ if 'source_interface' in config:
+ verify_source_interface(config)
+ if 'source_address' in config:
+ address = config['source_address']
+ interface = config['source_interface']
+ if not is_intf_addr_assigned(interface, address):
+ raise ConfigError(f'Address "{address}" not assigned on interface "{interface}"!')
return None
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index b79e9847a..04e2f2939 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -622,7 +622,7 @@ def wait_for_vici_socket(timeout=5, sleep_interval=0.1):
sleep(sleep_interval)
def apply(ipsec):
- systemd_service = 'strongswan-starter.service'
+ systemd_service = 'strongswan.service'
if not ipsec:
call(f'systemctl stop {systemd_service}')
else:
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 27e78db99..65623c2b1 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -58,6 +58,9 @@ default_config_data = {
'ppp_echo_failure' : '3',
'ppp_echo_interval' : '30',
'ppp_echo_timeout': '0',
+ 'ppp_ipv6_accept_peer_intf_id': False,
+ 'ppp_ipv6_intf_id': None,
+ 'ppp_ipv6_peer_intf_id': None,
'radius_server': [],
'radius_acct_inter_jitter': '',
'radius_acct_tmo': '3',
@@ -314,6 +317,15 @@ def get_config(config=None):
if conf.exists(['ppp-options', 'ipv6']):
l2tp['ppp_ipv6'] = conf.return_value(['ppp-options', 'ipv6'])
+ if conf.exists(['ppp-options', 'ipv6-accept-peer-intf-id']):
+ l2tp['ppp_ipv6_accept_peer_intf_id'] = True
+
+ if conf.exists(['ppp-options', 'ipv6-intf-id']):
+ l2tp['ppp_ipv6_intf_id'] = conf.return_value(['ppp-options', 'ipv6-intf-id'])
+
+ if conf.exists(['ppp-options', 'ipv6-peer-intf-id']):
+ l2tp['ppp_ipv6_peer_intf_id'] = conf.return_value(['ppp-options', 'ipv6-peer-intf-id'])
+
return l2tp
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
index 61a89e62a..1f1926e17 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
@@ -23,7 +23,7 @@ DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting"
if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then
if grep -qw $interface $DHCP_HOOK_IFLIST; then
sudo rm $DHCP_HOOK_IFLIST
- sudo python3 /usr/libexec/vyos/conf_mode/vpn_ipsec.py
+ sudo /usr/libexec/vyos/conf_mode/vpn_ipsec.py
exit 0
fi
fi
diff --git a/src/helpers/vyos-failover.py b/src/helpers/vyos-failover.py
new file mode 100755
index 000000000..1ac193423
--- /dev/null
+++ b/src/helpers/vyos-failover.py
@@ -0,0 +1,184 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import argparse
+import json
+import subprocess
+import socket
+import time
+
+from vyos.util import rc_cmd
+from pathlib import Path
+from systemd import journal
+
+
+my_name = Path(__file__).stem
+
+
+def get_best_route_options(route, debug=False):
+ """
+ Return current best route ('gateway, interface, metric)
+
+ % get_best_route_options('203.0.113.1')
+ ('192.168.0.1', 'eth1', 1)
+
+ % get_best_route_options('203.0.113.254')
+ (None, None, None)
+ """
+ rc, data = rc_cmd(f'ip --detail --json route show protocol failover {route}')
+ if rc == 0:
+ data = json.loads(data)
+ if len(data) == 0:
+ print(f'\nRoute {route} for protocol failover was not found')
+ return None, None, None
+ # Fake metric 999 by default
+ # Search route with the lowest metric
+ best_metric = 999
+ for entry in data:
+ if debug: print('\n', entry)
+ metric = entry.get('metric')
+ gateway = entry.get('gateway')
+ iface = entry.get('dev')
+ if metric < best_metric:
+ best_metric = metric
+ best_gateway = gateway
+ best_interface = iface
+ if debug:
+ print(f'### Best_route exists: {route}, best_gateway: {best_gateway}, '
+ f'best_metric: {best_metric}, best_iface: {best_interface}')
+ return best_gateway, best_interface, best_metric
+
+def is_port_open(ip, port):
+ """
+ Check connection to remote host and port
+ Return True if host alive
+
+ % is_port_open('example.com', 8080)
+ True
+ """
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
+ s.settimeout(2)
+ try:
+ s.connect((ip, int(port)))
+ s.shutdown(socket.SHUT_RDWR)
+ return True
+ except:
+ return False
+ finally:
+ s.close()
+
+def is_target_alive(target=None, iface='', proto='icmp', port=None, debug=False):
+ """
+ Host availability check by ICMP, ARP, TCP
+ Return True if target checks is successful
+
+ % is_target_alive('192.0.2.1', 'eth1', proto='arp')
+ True
+ """
+ if iface != '':
+ iface = f'-I {iface}'
+ if proto == 'icmp':
+ command = f'/usr/bin/ping -q {target} {iface} -n -c 2 -W 1'
+ rc, response = rc_cmd(command)
+ if debug: print(f' [ CHECK-TARGET ]: [{command}] -- return-code [RC: {rc}]')
+ if rc == 0:
+ return True
+ elif proto == 'arp':
+ command = f'/usr/bin/arping -b -c 2 -f -w 1 -i 1 {iface} {target}'
+ rc, response = rc_cmd(command)
+ if debug: print(f' [ CHECK-TARGET ]: [{command}] -- return-code [RC: {rc}]')
+ if rc == 0:
+ return True
+ elif proto == 'tcp' and port is not None:
+ return True if is_port_open(target, port) else False
+ else:
+ return False
+
+
+if __name__ == '__main__':
+ # Parse command arguments and get config
+ parser = argparse.ArgumentParser()
+ parser.add_argument('-c',
+ '--config',
+ action='store',
+ help='Path to protocols failover configuration',
+ required=True,
+ type=Path)
+
+ args = parser.parse_args()
+ try:
+ config_path = Path(args.config)
+ config = json.loads(config_path.read_text())
+ except Exception as err:
+ print(
+ f'Configuration file "{config_path}" does not exist or malformed: {err}'
+ )
+ exit(1)
+
+ # Useful debug info to console, use debug = True
+ # sudo systemctl stop vyos-failover.service
+ # sudo /usr/libexec/vyos/vyos-failover.py --config /run/vyos-failover.conf
+ debug = False
+
+ while(True):
+
+ for route, route_config in config.get('route').items():
+
+ exists_route = exists_gateway, exists_iface, exists_metric = get_best_route_options(route, debug=debug)
+
+ for next_hop, nexthop_config in route_config.get('next_hop').items():
+ conf_iface = nexthop_config.get('interface')
+ conf_metric = int(nexthop_config.get('metric'))
+ port = nexthop_config.get('check').get('port')
+ port_opt = f'port {port}' if port else ''
+ proto = nexthop_config.get('check').get('type')
+ target = nexthop_config.get('check').get('target')
+ timeout = nexthop_config.get('check').get('timeout')
+
+ # Best route not fonund in the current routing table
+ if exists_route == (None, None, None):
+ if debug: print(f" [NEW_ROUTE_DETECTED] route: [{route}]")
+ # Add route if check-target alive
+ if is_target_alive(target, conf_iface, proto, port, debug=debug):
+ if debug: print(f' [ ADD ] -- ip route add {route} via {next_hop} dev {conf_iface} '
+ f'metric {conf_metric} proto failover\n###')
+ rc, command = rc_cmd(f'ip route add {route} via {next_hop} dev {conf_iface} '
+ f'metric {conf_metric} proto failover')
+ # If something is wrong and gateway not added
+ # Example: Error: Next-hop has invalid gateway.
+ if rc !=0:
+ if debug: print(f'{command} -- return-code [RC: {rc}] {next_hop} dev {conf_iface}')
+ else:
+ journal.send(f'ip route add {route} via {next_hop} dev {conf_iface} '
+ f'metric {conf_metric} proto failover', SYSLOG_IDENTIFIER=my_name)
+ else:
+ if debug: print(f' [ TARGET_FAIL ] target checks fails for [{target}], do nothing')
+ journal.send(f'Check fail for route {route} target {target} proto {proto} '
+ f'{port_opt}', SYSLOG_IDENTIFIER=my_name)
+
+ # Route was added, check if the target is alive
+ # We should delete route if check fails only if route exists in the routing table
+ if not is_target_alive(target, conf_iface, proto, port, debug=debug) and \
+ exists_route != (None, None, None):
+ if debug:
+ print(f'Nexh_hop {next_hop} fail, target not response')
+ print(f' [ DEL ] -- ip route del {route} via {next_hop} dev {conf_iface} '
+ f'metric {conf_metric} proto failover [DELETE]')
+ rc_cmd(f'ip route del {route} via {next_hop} dev {conf_iface} metric {conf_metric} proto failover')
+ journal.send(f'ip route del {route} via {next_hop} dev {conf_iface} '
+ f'metric {conf_metric} proto failover', SYSLOG_IDENTIFIER=my_name)
+
+ time.sleep(int(timeout))
diff --git a/src/migration-scripts/container/0-to-1 b/src/migration-scripts/container/0-to-1
new file mode 100755
index 000000000..d0461389b
--- /dev/null
+++ b/src/migration-scripts/container/0-to-1
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T4870: change underlaying container filesystem from vfs to overlay
+
+import os
+import shutil
+import sys
+
+from vyos.configtree import ConfigTree
+from vyos.util import call
+
+if (len(sys.argv) < 1):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['container', 'name']
+config = ConfigTree(config_file)
+
+# Check if containers exist and we need to perform image manipulation
+if config.exists(base):
+ for container in config.list_nodes(base):
+ # Stop any given container first
+ call(f'systemctl stop vyos-container-{container}.service')
+ # Export container image for later re-import to new filesystem. We store
+ # the backup on a real disk as a tmpfs (like /tmp) could probably lack
+ # memory if a host has too many containers stored.
+ image_name = config.return_value(base + [container, 'image'])
+ call(f'podman image save --quiet --output /root/{container}.tar --format oci-archive {image_name}')
+
+# No need to adjust the strage driver online (this is only used for testing and
+# debugging on a live system) - it is already overlay2 when the migration script
+# is run during system update. But the specified driver in the image is actually
+# overwritten by the still present VFS filesystem on disk. Thus podman still
+# thinks it uses VFS until we delete the libpod directory under:
+# /usr/lib/live/mount/persistence/container/storage
+#call('sed -i "s/vfs/overlay2/g" /etc/containers/storage.conf /usr/share/vyos/templates/container/storage.conf.j2')
+
+base_path = '/usr/lib/live/mount/persistence/container/storage'
+for dir in ['libpod', 'vfs', 'vfs-containers', 'vfs-images', 'vfs-layers']:
+ if os.path.exists(f'{base_path}/{dir}'):
+ shutil.rmtree(f'{base_path}/{dir}')
+
+# Now all remaining information about VFS is gone and we operate in overlayfs2
+# filesystem mode. Time to re-import the images.
+if config.exists(base):
+ for container in config.list_nodes(base):
+ # Export container image for later re-import to new filesystem
+ image_name = config.return_value(base + [container, 'image'])
+ image_path = f'/root/{container}.tar'
+ call(f'podman image load --quiet --input {image_path}')
+
+ # Start any given container first
+ call(f'systemctl start vyos-container-{container}.service')
+
+ # Delete temporary container image
+ if os.path.exists(image_path):
+ os.unlink(image_path)
+
diff --git a/src/migration-scripts/firewall/8-to-9 b/src/migration-scripts/firewall/8-to-9
new file mode 100755
index 000000000..f7c1bb90d
--- /dev/null
+++ b/src/migration-scripts/firewall/8-to-9
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# T4780: Add firewall interface group
+# cli changes from:
+# set firewall [name | ipv6-name] <name> rule <number> [inbound-interface | outbound-interface] <interface_name>
+# To
+# set firewall [name | ipv6-name] <name> rule <number> [inbound-interface | outbound-interface] [interface-name | interface-group] <interface_name | interface_group>
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+if config.exists(base + ['name']):
+ for name in config.list_nodes(base + ['name']):
+ if not config.exists(base + ['name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['name', name, 'rule']):
+ rule_iiface = base + ['name', name, 'rule', rule, 'inbound-interface']
+ rule_oiface = base + ['name', name, 'rule', rule, 'outbound-interface']
+
+ if config.exists(rule_iiface):
+ tmp = config.return_value(rule_iiface)
+ config.delete(rule_iiface)
+ config.set(rule_iiface + ['interface-name'], value=tmp)
+
+ if config.exists(rule_oiface):
+ tmp = config.return_value(rule_oiface)
+ config.delete(rule_oiface)
+ config.set(rule_oiface + ['interface-name'], value=tmp)
+
+
+if config.exists(base + ['ipv6-name']):
+ for name in config.list_nodes(base + ['ipv6-name']):
+ if not config.exists(base + ['ipv6-name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
+ rule_iiface = base + ['ipv6-name', name, 'rule', rule, 'inbound-interface']
+ rule_oiface = base + ['ipv6-name', name, 'rule', rule, 'outbound-interface']
+
+ if config.exists(rule_iiface):
+ tmp = config.return_value(rule_iiface)
+ config.delete(rule_iiface)
+ config.set(rule_iiface + ['interface-name'], value=tmp)
+
+ if config.exists(rule_oiface):
+ tmp = config.return_value(rule_oiface)
+ config.delete(rule_oiface)
+ config.set(rule_oiface + ['interface-name'], value=tmp)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1) \ No newline at end of file
diff --git a/src/migration-scripts/ipsec/9-to-10 b/src/migration-scripts/ipsec/9-to-10
index 1254104cb..de366ef3b 100755
--- a/src/migration-scripts/ipsec/9-to-10
+++ b/src/migration-scripts/ipsec/9-to-10
@@ -85,10 +85,10 @@ if config.exists(base + ['site-to-site', 'peer']):
config.rename(peer_base + ['authentication', 'id'], 'local-id')
# For the peer '@foo' set remote-id 'foo' if remote-id is not defined
- if peer.startswith('@'):
- if not config.exists(peer_base + ['authentication', 'remote-id']):
- tmp = peer.replace('@', '')
- config.set(peer_base + ['authentication', 'remote-id'], value=tmp)
+ # For the peer '192.0.2.1' set remote-id '192.0.2.1' if remote-id is not defined
+ if not config.exists(peer_base + ['authentication', 'remote-id']):
+ tmp = peer.replace('@', '') if peer.startswith('@') else peer
+ config.set(peer_base + ['authentication', 'remote-id'], value=tmp)
# replace: 'peer <tag> force-encapsulation enable'
# => 'peer <tag> force-udp-encapsulation'
diff --git a/src/migration-scripts/qos/1-to-2 b/src/migration-scripts/qos/1-to-2
new file mode 100755
index 000000000..41026cbd6
--- /dev/null
+++ b/src/migration-scripts/qos/1-to-2
@@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from sys import argv,exit
+
+from vyos.base import Warning
+from vyos.configtree import ConfigTree
+from vyos.util import read_file
+
+def bandwidth_percent_to_val(interface, percent) -> int:
+ speed = read_file(f'/sys/class/net/{interface}/speed')
+ if not speed.isnumeric():
+ Warning('Interface speed cannot be determined (assuming 10 Mbit/s)')
+ speed = 10
+ speed = int(speed) *1000000 # convert to MBit/s
+ return speed * int(percent) // 100 # integer division
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['traffic-policy']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+iface_config = {}
+
+if config.exists(['interfaces']):
+ def get_qos(config, interface, interface_base):
+ if config.exists(interface_base):
+ tmp = { interface : {} }
+ if config.exists(interface_base + ['in']):
+ tmp[interface]['ingress'] = config.return_value(interface_base + ['in'])
+ if config.exists(interface_base + ['out']):
+ tmp[interface]['egress'] = config.return_value(interface_base + ['out'])
+ config.delete(interface_base)
+ return tmp
+ return None
+
+ # Migrate "interface ethernet eth0 traffic-policy in|out" to "qos interface eth0 ingress|egress"
+ for type in config.list_nodes(['interfaces']):
+ for interface in config.list_nodes(['interfaces', type]):
+ interface_base = ['interfaces', type, interface, 'traffic-policy']
+ tmp = get_qos(config, interface, interface_base)
+ if tmp: iface_config.update(tmp)
+
+ vif_path = ['interfaces', type, interface, 'vif']
+ if config.exists(vif_path):
+ for vif in config.list_nodes(vif_path):
+ vif_interface_base = vif_path + [vif, 'traffic-policy']
+ ifname = f'{interface}.{vif}'
+ tmp = get_qos(config, ifname, vif_interface_base)
+ if tmp: iface_config.update(tmp)
+
+ vif_s_path = ['interfaces', type, interface, 'vif-s']
+ if config.exists(vif_s_path):
+ for vif_s in config.list_nodes(vif_s_path):
+ vif_s_interface_base = vif_s_path + [vif_s, 'traffic-policy']
+ ifname = f'{interface}.{vif_s}'
+ tmp = get_qos(config, ifname, vif_s_interface_base)
+ if tmp: iface_config.update(tmp)
+
+ # vif-c interfaces MUST be migrated before their parent vif-s
+ # interface as the migrate_*() functions delete the path!
+ vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c']
+ if config.exists(vif_c_path):
+ for vif_c in config.list_nodes(vif_c_path):
+ vif_c_interface_base = vif_c_path + [vif_c, 'traffic-policy']
+ ifname = f'{interface}.{vif_s}.{vif_c}'
+ tmp = get_qos(config, ifname, vif_s_interface_base)
+ if tmp: iface_config.update(tmp)
+
+
+# Now we have the information which interface uses which QoS policy.
+# Interface binding will be moved to the qos CLi tree
+config.set(['qos'])
+config.copy(base, ['qos', 'policy'])
+config.delete(base)
+
+# Now map the interface policy binding to the new CLI syntax
+if len(iface_config):
+ config.set(['qos', 'interface'])
+ config.set_tag(['qos', 'interface'])
+
+for interface, interface_config in iface_config.items():
+ config.set(['qos', 'interface', interface])
+ config.set_tag(['qos', 'interface', interface])
+ if 'ingress' in interface_config:
+ config.set(['qos', 'interface', interface, 'ingress'], value=interface_config['ingress'])
+ if 'egress' in interface_config:
+ config.set(['qos', 'interface', interface, 'egress'], value=interface_config['egress'])
+
+# Remove "burst" CLI node from network emulator
+netem_base = ['qos', 'policy', 'network-emulator']
+if config.exists(netem_base):
+ for policy_name in config.list_nodes(netem_base):
+ if config.exists(netem_base + [policy_name, 'burst']):
+ config.delete(netem_base + [policy_name, 'burst'])
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
diff --git a/src/op_mode/conntrack.py b/src/op_mode/conntrack.py
index fff537936..df213cc5a 100755
--- a/src/op_mode/conntrack.py
+++ b/src/op_mode/conntrack.py
@@ -116,7 +116,7 @@ def get_formatted_output(dict_data):
reply_src = f'{reply_src}:{reply_sport}' if reply_sport else reply_src
reply_dst = f'{reply_dst}:{reply_dport}' if reply_dport else reply_dst
state = meta['state'] if 'state' in meta else ''
- mark = meta['mark']
+ mark = meta['mark'] if 'mark' in meta else ''
zone = meta['zone'] if 'zone' in meta else ''
data_entries.append(
[conn_id, orig_src, orig_dst, reply_src, reply_dst, proto, state, timeout, mark, zone])
diff --git a/src/op_mode/container.py b/src/op_mode/container.py
index ce466ffc1..ecefc556e 100755
--- a/src/op_mode/container.py
+++ b/src/op_mode/container.py
@@ -23,7 +23,6 @@ from vyos.util import cmd
import vyos.opmode
-
def _get_json_data(command: str) -> list:
"""
Get container command format JSON
@@ -38,7 +37,7 @@ def _get_raw_data(command: str) -> list:
def show_container(raw: bool):
- command = 'sudo podman ps --all'
+ command = 'podman ps --all'
container_data = _get_raw_data(command)
if raw:
return container_data
@@ -47,8 +46,8 @@ def show_container(raw: bool):
def show_image(raw: bool):
- command = 'sudo podman image ls'
- container_data = _get_raw_data('sudo podman image ls')
+ command = 'podman image ls'
+ container_data = _get_raw_data('podman image ls')
if raw:
return container_data
else:
@@ -56,7 +55,7 @@ def show_image(raw: bool):
def show_network(raw: bool):
- command = 'sudo podman network ls'
+ command = 'podman network ls'
container_data = _get_raw_data(command)
if raw:
return container_data
@@ -67,7 +66,7 @@ def show_network(raw: bool):
def restart(name: str):
from vyos.util import rc_cmd
- rc, output = rc_cmd(f'sudo podman restart {name}')
+ rc, output = rc_cmd(f'systemctl restart vyos-container-{name}.service')
if rc != 0:
print(output)
return None
diff --git a/src/op_mode/dhcp.py b/src/op_mode/dhcp.py
index 07e9b7d6c..b9e6e7bc9 100755
--- a/src/op_mode/dhcp.py
+++ b/src/op_mode/dhcp.py
@@ -15,13 +15,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys
-from ipaddress import ip_address
import typing
from datetime import datetime
-from sys import exit
-from tabulate import tabulate
+from ipaddress import ip_address
from isc_dhcp_leases import IscDhcpLeases
+from tabulate import tabulate
+
+import vyos.opmode
from vyos.base import Warning
from vyos.configquery import ConfigTreeQuery
@@ -30,19 +31,10 @@ from vyos.util import cmd
from vyos.util import dict_search
from vyos.util import is_systemd_service_running
-import vyos.opmode
-
-
config = ConfigTreeQuery()
-pool_key = "shared-networkname"
-
-
-def _in_pool(lease, pool):
- if pool_key in lease.sets:
- if lease.sets[pool_key] == pool:
- return True
- return False
-
+lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup']
+sort_valid_inet = ['end', 'mac', 'hostname', 'ip', 'pool', 'remaining', 'start', 'state']
+sort_valid_inet6 = ['end', 'iaid_duid', 'ip', 'last_communication', 'pool', 'remaining', 'state', 'type']
def _utc_to_local(utc_dt):
return datetime.fromtimestamp((datetime.fromtimestamp(utc_dt) - datetime(1970, 1, 1)).total_seconds())
@@ -71,7 +63,7 @@ def _find_list_of_dict_index(lst, key='ip', value='') -> int:
return idx
-def _get_raw_server_leases(family, pool=None) -> list:
+def _get_raw_server_leases(family='inet', pool=None, sorted=None, state=[]) -> list:
"""
Get DHCP server leases
:return list
@@ -79,9 +71,12 @@ def _get_raw_server_leases(family, pool=None) -> list:
lease_file = '/config/dhcpdv6.leases' if family == 'inet6' else '/config/dhcpd.leases'
data = []
leases = IscDhcpLeases(lease_file).get()
- if pool is not None:
- if config.exists(f'service dhcp-server shared-network-name {pool}'):
- leases = list(filter(lambda x: _in_pool(x, pool), leases))
+
+ if pool is None:
+ pool = _get_dhcp_pools(family=family)
+ else:
+ pool = [pool]
+
for lease in leases:
data_lease = {}
data_lease['ip'] = lease.ip
@@ -90,7 +85,7 @@ def _get_raw_server_leases(family, pool=None) -> list:
data_lease['end'] = lease.end.timestamp()
if family == 'inet':
- data_lease['hardware'] = lease.ethernet
+ data_lease['mac'] = lease.ethernet
data_lease['start'] = lease.start.timestamp()
data_lease['hostname'] = lease.hostname
@@ -110,8 +105,9 @@ def _get_raw_server_leases(family, pool=None) -> list:
data_lease['remaining'] = ''
# Do not add old leases
- if data_lease['remaining'] != '':
- data.append(data_lease)
+ if data_lease['remaining'] != '' and data_lease['pool'] in pool:
+ if not state or data_lease['state'] in state:
+ data.append(data_lease)
# deduplicate
checked = []
@@ -123,15 +119,20 @@ def _get_raw_server_leases(family, pool=None) -> list:
idx = _find_list_of_dict_index(data, key='ip', value=addr)
data.pop(idx)
+ if sorted:
+ if sorted == 'ip':
+ data.sort(key = lambda x:ip_address(x['ip']))
+ else:
+ data.sort(key = lambda x:x[sorted])
return data
-def _get_formatted_server_leases(raw_data, family):
+def _get_formatted_server_leases(raw_data, family='inet'):
data_entries = []
if family == 'inet':
for lease in raw_data:
ipaddr = lease.get('ip')
- hw_addr = lease.get('hardware')
+ hw_addr = lease.get('mac')
state = lease.get('state')
start = lease.get('start')
start = _utc_to_local(start).strftime('%Y/%m/%d %H:%M:%S')
@@ -142,7 +143,7 @@ def _get_formatted_server_leases(raw_data, family):
hostname = lease.get('hostname')
data_entries.append([ipaddr, hw_addr, state, start, end, remain, pool, hostname])
- headers = ['IP Address', 'Hardware address', 'State', 'Lease start', 'Lease expiration', 'Remaining', 'Pool',
+ headers = ['IP Address', 'MAC address', 'State', 'Lease start', 'Lease expiration', 'Remaining', 'Pool',
'Hostname']
if family == 'inet6':
@@ -256,16 +257,28 @@ def show_pool_statistics(raw: bool, family: str, pool: typing.Optional[str]):
@_verify
-def show_server_leases(raw: bool, family: str):
+def show_server_leases(raw: bool, family: str, pool: typing.Optional[str],
+ sorted: typing.Optional[str], state: typing.Optional[str]):
# if dhcp server is down, inactive leases may still be shown as active, so warn the user.
if not is_systemd_service_running('isc-dhcp-server.service'):
Warning('DHCP server is configured but not started. Data may be stale.')
- leases = _get_raw_server_leases(family)
+ v = 'v6' if family == 'inet6' else ''
+ if pool and pool not in _get_dhcp_pools(family=family):
+ raise vyos.opmode.IncorrectValue(f'DHCP{v} pool "{pool}" does not exist!')
+
+ if state and state not in lease_valid_states:
+ raise vyos.opmode.IncorrectValue(f'DHCP{v} state "{state}" is invalid!')
+
+ sort_valid = sort_valid_inet6 if family == 'inet6' else sort_valid_inet
+ if sorted and sorted not in sort_valid:
+ raise vyos.opmode.IncorrectValue(f'DHCP{v} sort "{sorted}" is invalid!')
+
+ lease_data = _get_raw_server_leases(family=family, pool=pool, sorted=sorted, state=state)
if raw:
- return leases
+ return lease_data
else:
- return _get_formatted_server_leases(leases, family)
+ return _get_formatted_server_leases(lease_data, family=family)
if __name__ == '__main__':
diff --git a/src/op_mode/generate_system_login_user.py b/src/op_mode/generate_system_login_user.py
new file mode 100755
index 000000000..8f8827b1b
--- /dev/null
+++ b/src/op_mode/generate_system_login_user.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import argparse
+import os
+
+from vyos.util import popen
+from secrets import token_hex
+from base64 import b32encode
+
+if os.geteuid() != 0:
+ exit("You need to have root privileges to run this script.\nPlease try again, this time using 'sudo'. Exiting.")
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u", "--username", type=str, help='Username used for authentication', required=True)
+ parser.add_argument("-l", "--rate_limit", type=str, help='Limit number of logins (rate-limit) per rate-time (default: 3)', default="3", required=False)
+ parser.add_argument("-t", "--rate_time", type=str, help='Limit number of logins (rate-limit) per rate-time (default: 30)', default="30", required=False)
+ parser.add_argument("-w", "--window_size", type=str, help='Set window of concurrently valid codes (default: 3)', default="3", required=False)
+ parser.add_argument("-i", "--interval", type=str, help='Duration of single time interval', default="30", required=False)
+ parser.add_argument("-d", "--digits", type=str, help='The number of digits in the one-time password', default="6", required=False)
+ args = parser.parse_args()
+
+ hostname = os.uname()[1]
+ username = args.username
+ rate_limit = args.rate_limit
+ rate_time = args.rate_time
+ window_size = args.window_size
+ digits = args.digits
+ period = args.interval
+
+ # check variables:
+ if int(rate_limit) < 1 or int(rate_limit) > 10:
+ print("")
+ quit("Number of logins (rate-limit) must be between '1' and '10'")
+
+ if int(rate_time) < 15 or int(rate_time) > 600:
+ print("")
+ quit("The rate-time must be between '15' and '600' seconds")
+
+ if int(window_size) < 1 or int(window_size) > 21:
+ print("")
+ quit("Window of concurrently valid codes must be between '1' and '21' seconds")
+
+ # generate OTP key, URL & QR:
+ key_hex = token_hex(20)
+ key_base32 = b32encode(bytes.fromhex(key_hex)).decode()
+
+ otp_url=''.join(["otpauth://totp/",username,"@",hostname,"?secret=",key_base32,"&digits=",digits,"&period=",period])
+ qrcode,err = popen('qrencode -t ansiutf8', input=otp_url)
+
+ print("# You can share it with the user, he just needs to scan the QR in his OTP app")
+ print("# username: ", username)
+ print("# OTP KEY: ", key_base32)
+ print("# OTP URL: ", otp_url)
+ print(qrcode)
+ print('# To add this OTP key to configuration, run the following commands:')
+ print(f"set system login user {username} authentication otp key '{key_base32}'")
+ if rate_limit != "3":
+ print(f"set system login user {username} authentication otp rate-limit '{rate_limit}'")
+ if rate_time != "30":
+ print(f"set system login user {username} authentication otp rate-time '{rate_time}'")
+ if window_size != "3":
+ print(f"set system login user {username} authentication otp window-size '{window_size}'")
diff --git a/src/op_mode/interfaces.py b/src/op_mode/interfaces.py
new file mode 100755
index 000000000..678c74980
--- /dev/null
+++ b/src/op_mode/interfaces.py
@@ -0,0 +1,412 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import re
+import sys
+import glob
+import json
+import typing
+from datetime import datetime
+from tabulate import tabulate
+
+import vyos.opmode
+from vyos.ifconfig import Section
+from vyos.ifconfig import Interface
+from vyos.ifconfig import VRRP
+from vyos.util import cmd, rc_cmd, call
+
+def catch_broken_pipe(func):
+ def wrapped(*args, **kwargs):
+ try:
+ func(*args, **kwargs)
+ except (BrokenPipeError, KeyboardInterrupt):
+ # Flush output to /dev/null and bail out.
+ os.dup2(os.open(os.devnull, os.O_WRONLY), sys.stdout.fileno())
+ return wrapped
+
+# The original implementation of filtered_interfaces has signature:
+# (ifnames: list, iftypes: typing.Union[str, list], vif: bool, vrrp: bool) -> intf: Interface:
+# Arg types allowed in CLI (ifnames: str, iftypes: str) were manually
+# re-typed from argparse args.
+# We include the function in a general form, however op-mode standard
+# functions will restrict to the CLI-allowed arg types, wrapped in Optional.
+def filtered_interfaces(ifnames: typing.Union[str, list],
+ iftypes: typing.Union[str, list],
+ vif: bool, vrrp: bool) -> Interface:
+ """
+ get all interfaces from the OS and return them; ifnames can be used to
+ filter which interfaces should be considered
+
+ ifnames: a list of interface names to consider, empty do not filter
+
+ return an instance of the Interface class
+ """
+ if isinstance(ifnames, str):
+ ifnames = [ifnames] if ifnames else []
+ if isinstance(iftypes, list):
+ for iftype in iftypes:
+ yield from filtered_interfaces(ifnames, iftype, vif, vrrp)
+
+ for ifname in Section.interfaces(iftypes):
+ # Bail out early if interface name not part of our search list
+ if ifnames and ifname not in ifnames:
+ continue
+
+ # As we are only "reading" from the interface - we must use the
+ # generic base class which exposes all the data via a common API
+ interface = Interface(ifname, create=False, debug=False)
+
+ # VLAN interfaces have a '.' in their name by convention
+ if vif and not '.' in ifname:
+ continue
+
+ if vrrp:
+ vrrp_interfaces = VRRP.active_interfaces()
+ if ifname not in vrrp_interfaces:
+ continue
+
+ yield interface
+
+def _split_text(text, used=0):
+ """
+ take a string and attempt to split it to fit with the width of the screen
+
+ text: the string to split
+ used: number of characted already used in the screen
+ """
+ no_tty = call('tty -s')
+
+ returned = cmd('stty size') if not no_tty else ''
+ returned = returned.split()
+ if len(returned) == 2:
+ _, columns = tuple(int(_) for _ in returned)
+ else:
+ _, columns = (40, 80)
+
+ desc_len = columns - used
+
+ line = ''
+ for word in text.split():
+ if len(line) + len(word) < desc_len:
+ line = f'{line} {word}'
+ continue
+ if line:
+ yield line[1:]
+ else:
+ line = f'{line} {word}'
+
+ yield line[1:]
+
+def _get_counter_val(prev, now):
+ """
+ attempt to correct a counter if it wrapped, copied from perl
+
+ prev: previous counter
+ now: the current counter
+ """
+ # This function has to deal with both 32 and 64 bit counters
+ if prev == 0:
+ return now
+
+ # device is using 64 bit values assume they never wrap
+ value = now - prev
+ if (now >> 32) != 0:
+ return value
+
+ # The counter has rolled. If the counter has rolled
+ # multiple times since the prev value, then this math
+ # is meaningless.
+ if value < 0:
+ value = (4294967296 - prev) + now
+
+ return value
+
+def _pppoe(ifname):
+ out = cmd('ps -C pppd -f')
+ if ifname in out:
+ return 'C'
+ if ifname in [_.split('/')[-1] for _ in glob.glob('/etc/ppp/peers/pppoe*')]:
+ return 'D'
+ return ''
+
+def _find_intf_by_ifname(intf_l: list, name: str):
+ for d in intf_l:
+ if d['ifname'] == name:
+ return d
+ return {}
+
+# lifted out of operational.py to separate formatting from data
+def _format_stats(stats, indent=4):
+ stat_names = {
+ 'rx': ['bytes', 'packets', 'errors', 'dropped', 'overrun', 'mcast'],
+ 'tx': ['bytes', 'packets', 'errors', 'dropped', 'carrier', 'collisions'],
+ }
+
+ stats_dir = {
+ 'rx': ['rx_bytes', 'rx_packets', 'rx_errors', 'rx_dropped', 'rx_over_errors', 'multicast'],
+ 'tx': ['tx_bytes', 'tx_packets', 'tx_errors', 'tx_dropped', 'tx_carrier_errors', 'collisions'],
+ }
+ tabs = []
+ for rtx in list(stats_dir):
+ tabs.append([f'{rtx.upper()}:', ] + stat_names[rtx])
+ tabs.append(['', ] + [stats[_] for _ in stats_dir[rtx]])
+
+ s = tabulate(
+ tabs,
+ stralign="right",
+ numalign="right",
+ tablefmt="plain"
+ )
+
+ p = ' '*indent
+ return f'{p}' + s.replace('\n', f'\n{p}')
+
+def _get_raw_data(ifname: typing.Optional[str],
+ iftype: typing.Optional[str],
+ vif: bool, vrrp: bool) -> list:
+ if ifname is None:
+ ifname = ''
+ if iftype is None:
+ iftype = ''
+ ret =[]
+ for interface in filtered_interfaces(ifname, iftype, vif, vrrp):
+ res_intf = {}
+ cache = interface.operational.load_counters()
+
+ out = cmd(f'ip -json addr show {interface.ifname}')
+ res_intf_l = json.loads(out)
+ res_intf = res_intf_l[0]
+
+ if res_intf['link_type'] == 'tunnel6':
+ # Note that 'ip -6 tun show {interface.ifname}' is not json
+ # aware, so find in list
+ out = cmd('ip -json -6 tun show')
+ tunnel = json.loads(out)
+ res_intf['tunnel6'] = _find_intf_by_ifname(tunnel,
+ interface.ifname)
+ if 'ip6_tnl_f_use_orig_tclass' in res_intf['tunnel6']:
+ res_intf['tunnel6']['tclass'] = 'inherit'
+ del res_intf['tunnel6']['ip6_tnl_f_use_orig_tclass']
+
+ res_intf['counters_last_clear'] = int(cache.get('timestamp', 0))
+
+ res_intf['description'] = interface.get_alias()
+
+ res_intf['stats'] = interface.operational.get_stats()
+
+ ret.append(res_intf)
+
+ # find pppoe interfaces that are in a transitional/dead state
+ if ifname.startswith('pppoe') and not _find_intf_by_ifname(ret, ifname):
+ pppoe_intf = {}
+ pppoe_intf['unhandled'] = None
+ pppoe_intf['ifname'] = ifname
+ pppoe_intf['state'] = _pppoe(ifname)
+ ret.append(pppoe_intf)
+
+ return ret
+
+def _get_summary_data(ifname: typing.Optional[str],
+ iftype: typing.Optional[str],
+ vif: bool, vrrp: bool) -> list:
+ if ifname is None:
+ ifname = ''
+ if iftype is None:
+ iftype = ''
+ ret = []
+ for interface in filtered_interfaces(ifname, iftype, vif, vrrp):
+ res_intf = {}
+
+ res_intf['ifname'] = interface.ifname
+ res_intf['oper_state'] = interface.operational.get_state()
+ res_intf['admin_state'] = interface.get_admin_state()
+ res_intf['addr'] = [_ for _ in interface.get_addr() if not _.startswith('fe80::')]
+ res_intf['description'] = interface.get_alias()
+
+ ret.append(res_intf)
+
+ # find pppoe interfaces that are in a transitional/dead state
+ if ifname.startswith('pppoe') and not _find_intf_by_ifname(ret, ifname):
+ pppoe_intf = {}
+ pppoe_intf['unhandled'] = None
+ pppoe_intf['ifname'] = ifname
+ pppoe_intf['state'] = _pppoe(ifname)
+ ret.append(pppoe_intf)
+
+ return ret
+
+def _get_counter_data(ifname: typing.Optional[str],
+ iftype: typing.Optional[str],
+ vif: bool, vrrp: bool) -> list:
+ if ifname is None:
+ ifname = ''
+ if iftype is None:
+ iftype = ''
+ ret = []
+ for interface in filtered_interfaces(ifname, iftype, vif, vrrp):
+ res_intf = {}
+
+ oper = interface.operational.get_state()
+
+ if oper not in ('up','unknown'):
+ continue
+
+ stats = interface.operational.get_stats()
+ cache = interface.operational.load_counters()
+ res_intf['ifname'] = interface.ifname
+ res_intf['rx_packets'] = _get_counter_val(cache['rx_packets'], stats['rx_packets'])
+ res_intf['rx_bytes'] = _get_counter_val(cache['rx_bytes'], stats['rx_bytes'])
+ res_intf['tx_packets'] = _get_counter_val(cache['tx_packets'], stats['tx_packets'])
+ res_intf['tx_bytes'] = _get_counter_val(cache['tx_bytes'], stats['tx_bytes'])
+
+ ret.append(res_intf)
+
+ return ret
+
+@catch_broken_pipe
+def _format_show_data(data: list):
+ unhandled = []
+ for intf in data:
+ if 'unhandled' in intf:
+ unhandled.append(intf)
+ continue
+ # instead of reformatting data, call non-json output:
+ rc, out = rc_cmd(f"ip addr show {intf['ifname']}")
+ if rc != 0:
+ continue
+ out = re.sub('^\d+:\s+','',out)
+ # add additional data already collected
+ if 'tunnel6' in intf:
+ t6_d = intf['tunnel6']
+ t6_str = 'encaplimit %s hoplimit %s tclass %s flowlabel %s (flowinfo %s)' % (
+ t6_d.get('encap_limit', ''), t6_d.get('hoplimit', ''),
+ t6_d.get('tclass', ''), t6_d.get('flowlabel', ''),
+ t6_d.get('flowinfo', ''))
+ out = re.sub('(\n\s+)(link/tunnel6)', f'\g<1>{t6_str}\g<1>\g<2>', out)
+ print(out)
+ ts = intf.get('counters_last_clear', 0)
+ if ts:
+ when = datetime.fromtimestamp(ts).strftime("%a %b %d %R:%S %Z %Y")
+ print(f' Last clear: {when}')
+ description = intf.get('description', '')
+ if description:
+ print(f' Description: {description}')
+
+ stats = intf.get('stats', {})
+ if stats:
+ print()
+ print(_format_stats(stats))
+
+ for intf in unhandled:
+ string = {
+ 'C': 'Coming up',
+ 'D': 'Link down'
+ }[intf['state']]
+ print(f"{intf['ifname']}: {string}")
+
+ return 0
+
+@catch_broken_pipe
+def _format_show_summary(data):
+ format1 = '%-16s %-33s %-4s %s'
+ format2 = '%-16s %s'
+
+ print('Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down')
+ print(format1 % ("Interface", "IP Address", "S/L", "Description"))
+ print(format1 % ("---------", "----------", "---", "-----------"))
+
+ unhandled = []
+ for intf in data:
+ if 'unhandled' in intf:
+ unhandled.append(intf)
+ continue
+ ifname = [intf['ifname'],]
+ oper = ['u',] if intf['oper_state'] in ('up', 'unknown') else ['D',]
+ admin = ['u',] if intf['admin_state'] in ('up', 'unknown') else ['A',]
+ addrs = intf['addr'] or ['-',]
+ descs = list(_split_text(intf['description'], 0))
+
+ while ifname or oper or admin or addrs or descs:
+ i = ifname.pop(0) if ifname else ''
+ a = addrs.pop(0) if addrs else ''
+ d = descs.pop(0) if descs else ''
+ s = [admin.pop(0)] if admin else []
+ l = [oper.pop(0)] if oper else []
+ if len(a) < 33:
+ print(format1 % (i, a, '/'.join(s+l), d))
+ else:
+ print(format2 % (i, a))
+ print(format1 % ('', '', '/'.join(s+l), d))
+
+ for intf in unhandled:
+ string = {
+ 'C': 'u/D',
+ 'D': 'A/D'
+ }[intf['state']]
+ print(format1 % (ifname, '', string, ''))
+
+ return 0
+
+@catch_broken_pipe
+def _format_show_counters(data: list):
+ formatting = '%-12s %10s %10s %10s %10s'
+ print(formatting % ('Interface', 'Rx Packets', 'Rx Bytes', 'Tx Packets', 'Tx Bytes'))
+
+ for intf in data:
+ print(formatting % (
+ intf['ifname'],
+ intf['rx_packets'],
+ intf['rx_bytes'],
+ intf['tx_packets'],
+ intf['tx_bytes']
+ ))
+
+ return 0
+
+def show(raw: bool, intf_name: typing.Optional[str],
+ intf_type: typing.Optional[str],
+ vif: bool, vrrp: bool):
+ data = _get_raw_data(intf_name, intf_type, vif, vrrp)
+ if raw:
+ return data
+ return _format_show_data(data)
+
+def show_summary(raw: bool, intf_name: typing.Optional[str],
+ intf_type: typing.Optional[str],
+ vif: bool, vrrp: bool):
+ data = _get_summary_data(intf_name, intf_type, vif, vrrp)
+ if raw:
+ return data
+ return _format_show_summary(data)
+
+def show_counters(raw: bool, intf_name: typing.Optional[str],
+ intf_type: typing.Optional[str],
+ vif: bool, vrrp: bool):
+ data = _get_counter_data(intf_name, intf_type, vif, vrrp)
+ if raw:
+ return data
+ return _format_show_counters(data)
+
+if __name__ == '__main__':
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)
diff --git a/src/op_mode/nat.py b/src/op_mode/nat.py
index f899eb3dc..cf06de0e9 100755
--- a/src/op_mode/nat.py
+++ b/src/op_mode/nat.py
@@ -18,23 +18,21 @@ import jmespath
import json
import sys
import xmltodict
+import typing
-from sys import exit
from tabulate import tabulate
-from vyos.configquery import ConfigTreeQuery
+import vyos.opmode
+from vyos.configquery import ConfigTreeQuery
from vyos.util import cmd
from vyos.util import dict_search
-import vyos.opmode
-
-
base = 'nat'
unconf_message = 'NAT is not configured'
-def _get_xml_translation(direction, family):
+def _get_xml_translation(direction, family, address=None):
"""
Get conntrack XML output --src-nat|--dst-nat
"""
@@ -42,7 +40,10 @@ def _get_xml_translation(direction, family):
opt = '--src-nat'
if direction == 'destination':
opt = '--dst-nat'
- return cmd(f'sudo conntrack --dump --family {family} {opt} --output xml')
+ tmp = f'conntrack --dump --family {family} {opt} --output xml'
+ if address:
+ tmp += f' --src {address}'
+ return cmd(tmp)
def _xml_to_dict(xml):
@@ -66,7 +67,7 @@ def _get_json_data(direction, family):
if direction == 'destination':
chain = 'PREROUTING'
family = 'ip6' if family == 'inet6' else 'ip'
- return cmd(f'sudo nft --json list chain {family} vyos_nat {chain}')
+ return cmd(f'nft --json list chain {family} vyos_nat {chain}')
def _get_raw_data_rules(direction, family):
@@ -82,11 +83,11 @@ def _get_raw_data_rules(direction, family):
return rules
-def _get_raw_translation(direction, family):
+def _get_raw_translation(direction, family, address=None):
"""
Return: dictionary
"""
- xml = _get_xml_translation(direction, family)
+ xml = _get_xml_translation(direction, family, address)
if len(xml) == 0:
output = {'conntrack':
{
@@ -231,7 +232,7 @@ def _get_formatted_output_statistics(data, direction):
return output
-def _get_formatted_translation(dict_data, nat_direction, family):
+def _get_formatted_translation(dict_data, nat_direction, family, verbose):
data_entries = []
if 'error' in dict_data['conntrack']:
return 'Entries not found'
@@ -269,14 +270,14 @@ def _get_formatted_translation(dict_data, nat_direction, family):
reply_src = f'{reply_src}:{reply_sport}' if reply_sport else reply_src
reply_dst = f'{reply_dst}:{reply_dport}' if reply_dport else reply_dst
state = meta['state'] if 'state' in meta else ''
- mark = meta['mark']
+ mark = meta.get('mark', '')
zone = meta['zone'] if 'zone' in meta else ''
if nat_direction == 'source':
- data_entries.append(
- [orig_src, reply_dst, proto, timeout, mark, zone])
+ tmp = [orig_src, reply_dst, proto, timeout, mark, zone]
+ data_entries.append(tmp)
elif nat_direction == 'destination':
- data_entries.append(
- [orig_dst, reply_src, proto, timeout, mark, zone])
+ tmp = [orig_dst, reply_src, proto, timeout, mark, zone]
+ data_entries.append(tmp)
headers = ["Pre-NAT", "Post-NAT", "Proto", "Timeout", "Mark", "Zone"]
output = tabulate(data_entries, headers, numalign="left")
@@ -315,13 +316,20 @@ def show_statistics(raw: bool, direction: str, family: str):
@_verify
-def show_translations(raw: bool, direction: str, family: str):
+def show_translations(raw: bool, direction:
+ str, family: str,
+ address: typing.Optional[str],
+ verbose: typing.Optional[bool]):
family = 'ipv6' if family == 'inet6' else 'ipv4'
- nat_translation = _get_raw_translation(direction, family)
+ nat_translation = _get_raw_translation(direction,
+ family=family,
+ address=address)
+
if raw:
return nat_translation
else:
- return _get_formatted_translation(nat_translation, direction, family)
+ return _get_formatted_translation(nat_translation, direction, family,
+ verbose)
if __name__ == '__main__':
diff --git a/src/op_mode/show_acceleration.py b/src/op_mode/show_acceleration.py
index 752db3deb..48c31d4d9 100755
--- a/src/op_mode/show_acceleration.py
+++ b/src/op_mode/show_acceleration.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -13,7 +13,6 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
import sys
import os
@@ -24,12 +23,11 @@ from vyos.config import Config
from vyos.util import popen
from vyos.util import call
-
def detect_qat_dev():
- output, err = popen('sudo lspci -nn', decode='utf-8')
+ output, err = popen('lspci -nn', decode='utf-8')
if not err:
data = re.findall('(8086:19e2)|(8086:37c8)|(8086:0435)|(8086:6f54)', output)
- #If QAT devices found
+ # QAT devices found
if data:
return
print("\t No QAT device found")
@@ -44,11 +42,11 @@ def show_qat_status():
sys.exit(1)
# Show QAT service
- call('sudo /etc/init.d/qat_service status')
+ call('/etc/init.d/qat_service status')
# Return QAT devices
def get_qat_devices():
- data_st, err = popen('sudo /etc/init.d/qat_service status', decode='utf-8')
+ data_st, err = popen('/etc/init.d/qat_service status', decode='utf-8')
if not err:
elm_lst = re.findall('qat_dev\d', data_st)
print('\n'.join(elm_lst))
@@ -57,7 +55,7 @@ def get_qat_devices():
def get_qat_proc_path(qat_dev):
q_type = ""
q_bsf = ""
- output, err = popen('sudo /etc/init.d/qat_service status', decode='utf-8')
+ output, err = popen('/etc/init.d/qat_service status', decode='utf-8')
if not err:
# Parse QAT service output
data_st = output.split("\n")
@@ -95,20 +93,20 @@ args = parser.parse_args()
if args.hw:
detect_qat_dev()
# Show availible Intel QAT devices
- call('sudo lspci -nn | egrep -e \'8086:37c8|8086:19e2|8086:0435|8086:6f54\'')
+ call('lspci -nn | egrep -e \'8086:37c8|8086:19e2|8086:0435|8086:6f54\'')
elif args.flow and args.dev:
check_qat_if_conf()
- call('sudo cat '+get_qat_proc_path(args.dev)+"fw_counters")
+ call('cat '+get_qat_proc_path(args.dev)+"fw_counters")
elif args.interrupts:
check_qat_if_conf()
# Delete _dev from args.dev
- call('sudo cat /proc/interrupts | grep qat')
+ call('cat /proc/interrupts | grep qat')
elif args.status:
check_qat_if_conf()
show_qat_status()
elif args.conf and args.dev:
check_qat_if_conf()
- call('sudo cat '+get_qat_proc_path(args.dev)+"dev_cfg")
+ call('cat '+get_qat_proc_path(args.dev)+"dev_cfg")
elif args.dev_list:
get_qat_devices()
else:
diff --git a/src/op_mode/show_dhcp.py b/src/op_mode/show_dhcp.py
deleted file mode 100755
index 4b1758eea..000000000
--- a/src/op_mode/show_dhcp.py
+++ /dev/null
@@ -1,260 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018-2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-# TODO: merge with show_dhcpv6.py
-
-from json import dumps
-from argparse import ArgumentParser
-from ipaddress import ip_address
-from tabulate import tabulate
-from sys import exit
-from collections import OrderedDict
-from datetime import datetime
-
-from isc_dhcp_leases import Lease, IscDhcpLeases
-
-from vyos.base import Warning
-from vyos.config import Config
-from vyos.util import is_systemd_service_running
-
-lease_file = "/config/dhcpd.leases"
-pool_key = "shared-networkname"
-
-lease_display_fields = OrderedDict()
-lease_display_fields['ip'] = 'IP address'
-lease_display_fields['hardware_address'] = 'Hardware address'
-lease_display_fields['state'] = 'State'
-lease_display_fields['start'] = 'Lease start'
-lease_display_fields['end'] = 'Lease expiration'
-lease_display_fields['remaining'] = 'Remaining'
-lease_display_fields['pool'] = 'Pool'
-lease_display_fields['hostname'] = 'Hostname'
-
-lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup']
-
-def in_pool(lease, pool):
- if pool_key in lease.sets:
- if lease.sets[pool_key] == pool:
- return True
-
- return False
-
-def utc_to_local(utc_dt):
- return datetime.fromtimestamp((utc_dt - datetime(1970,1,1)).total_seconds())
-
-def get_lease_data(lease):
- data = {}
-
- # isc-dhcp lease times are in UTC so we need to convert them to local time to display
- try:
- data["start"] = utc_to_local(lease.start).strftime("%Y/%m/%d %H:%M:%S")
- except:
- data["start"] = ""
-
- try:
- data["end"] = utc_to_local(lease.end).strftime("%Y/%m/%d %H:%M:%S")
- except:
- data["end"] = ""
-
- try:
- data["remaining"] = lease.end - datetime.utcnow()
- # negative timedelta prints wrong so bypass it
- if (data["remaining"].days >= 0):
- # substraction gives us a timedelta object which can't be formatted with strftime
- # so we use str(), split gets rid of the microseconds
- data["remaining"] = str(data["remaining"]).split('.')[0]
- else:
- data["remaining"] = ""
- except:
- data["remaining"] = ""
-
- # currently not used but might come in handy
- # todo: parse into datetime string
- for prop in ['tstp', 'tsfp', 'atsfp', 'cltt']:
- if prop in lease.data:
- data[prop] = lease.data[prop]
- else:
- data[prop] = ''
-
- data["hardware_address"] = lease.ethernet
- data["hostname"] = lease.hostname
-
- data["state"] = lease.binding_state
- data["ip"] = lease.ip
-
- try:
- data["pool"] = lease.sets[pool_key]
- except:
- data["pool"] = ""
-
- return data
-
-def get_leases(config, leases, state, pool=None, sort='ip'):
- # get leases from file
- leases = IscDhcpLeases(lease_file).get()
-
- # filter leases by state
- if 'all' not in state:
- leases = list(filter(lambda x: x.binding_state in state, leases))
-
- # filter leases by pool name
- if pool is not None:
- if config.exists_effective("service dhcp-server shared-network-name {0}".format(pool)):
- leases = list(filter(lambda x: in_pool(x, pool), leases))
- else:
- print("Pool {0} does not exist.".format(pool))
- exit(0)
-
- # should maybe filter all state=active by lease.valid here?
-
- # sort by start time to dedupe (newest lease overrides older)
- leases = sorted(leases, key = lambda lease: lease.start)
-
- # dedupe by converting to dict
- leases_dict = {}
- for lease in leases:
- # dedupe by IP
- leases_dict[lease.ip] = lease
-
- # convert the lease data
- leases = list(map(get_lease_data, leases_dict.values()))
-
- # apply output/display sort
- if sort == 'ip':
- leases = sorted(leases, key = lambda lease: int(ip_address(lease['ip'])))
- else:
- leases = sorted(leases, key = lambda lease: lease[sort])
-
- return leases
-
-def show_leases(leases):
- lease_list = []
- for l in leases:
- lease_list_params = []
- for k in lease_display_fields.keys():
- lease_list_params.append(l[k])
- lease_list.append(lease_list_params)
-
- output = tabulate(lease_list, lease_display_fields.values())
-
- print(output)
-
-def get_pool_size(config, pool):
- size = 0
- subnets = config.list_effective_nodes("service dhcp-server shared-network-name {0} subnet".format(pool))
- for s in subnets:
- ranges = config.list_effective_nodes("service dhcp-server shared-network-name {0} subnet {1} range".format(pool, s))
- for r in ranges:
- start = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} start".format(pool, s, r))
- stop = config.return_effective_value("service dhcp-server shared-network-name {0} subnet {1} range {2} stop".format(pool, s, r))
-
- # Add +1 because both range boundaries are inclusive
- size += int(ip_address(stop)) - int(ip_address(start)) + 1
-
- return size
-
-def show_pool_stats(stats):
- headers = ["Pool", "Size", "Leases", "Available", "Usage"]
- output = tabulate(stats, headers)
-
- print(output)
-
-if __name__ == '__main__':
- parser = ArgumentParser()
-
- group = parser.add_mutually_exclusive_group()
- group.add_argument("-l", "--leases", action="store_true", help="Show DHCP leases")
- group.add_argument("-s", "--statistics", action="store_true", help="Show DHCP statistics")
- group.add_argument("--allowed", type=str, choices=["sort", "state"], help="Show allowed values for argument")
-
- parser.add_argument("-p", "--pool", type=str, help="Show lease for specific pool")
- parser.add_argument("-S", "--sort", type=str, default='ip', help="Sort by")
- parser.add_argument("-t", "--state", type=str, nargs="+", default=["active"], help="Lease state to show (can specify multiple with spaces)")
- parser.add_argument("-j", "--json", action="store_true", default=False, help="Produce JSON output")
-
- args = parser.parse_args()
-
- conf = Config()
-
- if args.allowed == 'sort':
- print(' '.join(lease_display_fields.keys()))
- exit(0)
- elif args.allowed == 'state':
- print(' '.join(lease_valid_states))
- exit(0)
- elif args.allowed:
- parser.print_help()
- exit(1)
-
- if args.sort not in lease_display_fields.keys():
- print(f'Invalid sort key, choose from: {list(lease_display_fields.keys())}')
- exit(0)
-
- if not set(args.state) < set(lease_valid_states):
- print(f'Invalid lease state, choose from: {lease_valid_states}')
- exit(0)
-
- # Do nothing if service is not configured
- if not conf.exists_effective('service dhcp-server'):
- print("DHCP service is not configured.")
- exit(0)
-
- # if dhcp server is down, inactive leases may still be shown as active, so warn the user.
- if not is_systemd_service_running('isc-dhcp-server.service'):
- Warning('DHCP server is configured but not started. Data may be stale.')
-
- if args.leases:
- leases = get_leases(conf, lease_file, args.state, args.pool, args.sort)
-
- if args.json:
- print(dumps(leases, indent=4))
- else:
- show_leases(leases)
-
- elif args.statistics:
- pools = []
-
- # Get relevant pools
- if args.pool:
- pools = [args.pool]
- else:
- pools = conf.list_effective_nodes("service dhcp-server shared-network-name")
-
- # Get pool usage stats
- stats = []
- for p in pools:
- size = get_pool_size(conf, p)
- leases = len(get_leases(conf, lease_file, state='active', pool=p))
-
- use_percentage = round(leases / size * 100) if size != 0 else 0
-
- if args.json:
- pool_stats = {"pool": p, "size": size, "leases": leases,
- "available": (size - leases), "percentage": use_percentage}
- else:
- # For tabulate
- pool_stats = [p, size, leases, size - leases, "{0}%".format(use_percentage)]
- stats.append(pool_stats)
-
- # Print stats
- if args.json:
- print(dumps(stats, indent=4))
- else:
- show_pool_stats(stats)
-
- else:
- parser.print_help()
- exit(1)
diff --git a/src/op_mode/show_dhcpv6.py b/src/op_mode/show_dhcpv6.py
deleted file mode 100755
index b34b730e6..000000000
--- a/src/op_mode/show_dhcpv6.py
+++ /dev/null
@@ -1,220 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018-2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-# TODO: merge with show_dhcp.py
-
-from json import dumps
-from argparse import ArgumentParser
-from ipaddress import ip_address
-from tabulate import tabulate
-from sys import exit
-from collections import OrderedDict
-from datetime import datetime
-
-from isc_dhcp_leases import Lease, IscDhcpLeases
-
-from vyos.base import Warning
-from vyos.config import Config
-from vyos.util import is_systemd_service_running
-
-lease_file = "/config/dhcpdv6.leases"
-pool_key = "shared-networkname"
-
-lease_display_fields = OrderedDict()
-lease_display_fields['ip'] = 'IPv6 address'
-lease_display_fields['state'] = 'State'
-lease_display_fields['last_comm'] = 'Last communication'
-lease_display_fields['expires'] = 'Lease expiration'
-lease_display_fields['remaining'] = 'Remaining'
-lease_display_fields['type'] = 'Type'
-lease_display_fields['pool'] = 'Pool'
-lease_display_fields['iaid_duid'] = 'IAID_DUID'
-
-lease_valid_states = ['all', 'active', 'free', 'expired', 'released', 'abandoned', 'reset', 'backup']
-
-def in_pool(lease, pool):
- if pool_key in lease.sets:
- if lease.sets[pool_key] == pool:
- return True
-
- return False
-
-def format_hex_string(in_str):
- out_str = ""
-
- # if input is divisible by 2, add : every 2 chars
- if len(in_str) > 0 and len(in_str) % 2 == 0:
- out_str = ':'.join(a+b for a,b in zip(in_str[::2], in_str[1::2]))
- else:
- out_str = in_str
-
- return out_str
-
-def utc_to_local(utc_dt):
- return datetime.fromtimestamp((utc_dt - datetime(1970,1,1)).total_seconds())
-
-def get_lease_data(lease):
- data = {}
-
- # isc-dhcp lease times are in UTC so we need to convert them to local time to display
- try:
- data["expires"] = utc_to_local(lease.end).strftime("%Y/%m/%d %H:%M:%S")
- except:
- data["expires"] = ""
-
- try:
- data["last_comm"] = utc_to_local(lease.last_communication).strftime("%Y/%m/%d %H:%M:%S")
- except:
- data["last_comm"] = ""
-
- try:
- data["remaining"] = lease.end - datetime.utcnow()
- # negative timedelta prints wrong so bypass it
- if (data["remaining"].days >= 0):
- # substraction gives us a timedelta object which can't be formatted with strftime
- # so we use str(), split gets rid of the microseconds
- data["remaining"] = str(data["remaining"]).split('.')[0]
- else:
- data["remaining"] = ""
- except:
- data["remaining"] = ""
-
- # isc-dhcp records lease declarations as ia_{na|ta|pd} IAID_DUID {...}
- # where IAID_DUID is the combined IAID and DUID
- data["iaid_duid"] = format_hex_string(lease.host_identifier_string)
-
- lease_types_long = {"na": "non-temporary", "ta": "temporary", "pd": "prefix delegation"}
- data["type"] = lease_types_long[lease.type]
-
- data["state"] = lease.binding_state
- data["ip"] = lease.ip
-
- try:
- data["pool"] = lease.sets[pool_key]
- except:
- data["pool"] = ""
-
- return data
-
-def get_leases(config, leases, state, pool=None, sort='ip'):
- leases = IscDhcpLeases(lease_file).get()
-
- # filter leases by state
- if 'all' not in state:
- leases = list(filter(lambda x: x.binding_state in state, leases))
-
- # filter leases by pool name
- if pool is not None:
- if config.exists_effective("service dhcp-server shared-network-name {0}".format(pool)):
- leases = list(filter(lambda x: in_pool(x, pool), leases))
- else:
- print("Pool {0} does not exist.".format(pool))
- exit(0)
-
- # should maybe filter all state=active by lease.valid here?
-
- # sort by last_comm time to dedupe (newest lease overrides older)
- leases = sorted(leases, key = lambda lease: lease.last_communication)
-
- # dedupe by converting to dict
- leases_dict = {}
- for lease in leases:
- # dedupe by IP
- leases_dict[lease.ip] = lease
-
- # convert the lease data
- leases = list(map(get_lease_data, leases_dict.values()))
-
- # apply output/display sort
- if sort == 'ip':
- leases = sorted(leases, key = lambda k: int(ip_address(k['ip'].split('/')[0])))
- else:
- leases = sorted(leases, key = lambda k: k[sort])
-
- return leases
-
-def show_leases(leases):
- lease_list = []
- for l in leases:
- lease_list_params = []
- for k in lease_display_fields.keys():
- lease_list_params.append(l[k])
- lease_list.append(lease_list_params)
-
- output = tabulate(lease_list, lease_display_fields.values())
-
- print(output)
-
-if __name__ == '__main__':
- parser = ArgumentParser()
-
- group = parser.add_mutually_exclusive_group()
- group.add_argument("-l", "--leases", action="store_true", help="Show DHCPv6 leases")
- group.add_argument("-s", "--statistics", action="store_true", help="Show DHCPv6 statistics")
- group.add_argument("--allowed", type=str, choices=["pool", "sort", "state"], help="Show allowed values for argument")
-
- parser.add_argument("-p", "--pool", type=str, help="Show lease for specific pool")
- parser.add_argument("-S", "--sort", type=str, default='ip', help="Sort by")
- parser.add_argument("-t", "--state", type=str, nargs="+", default=["active"], help="Lease state to show (can specify multiple with spaces)")
- parser.add_argument("-j", "--json", action="store_true", default=False, help="Produce JSON output")
-
- args = parser.parse_args()
-
- conf = Config()
-
- if args.allowed == 'pool':
- if conf.exists_effective('service dhcpv6-server'):
- print(' '.join(conf.list_effective_nodes("service dhcpv6-server shared-network-name")))
- exit(0)
- elif args.allowed == 'sort':
- print(' '.join(lease_display_fields.keys()))
- exit(0)
- elif args.allowed == 'state':
- print(' '.join(lease_valid_states))
- exit(0)
- elif args.allowed:
- parser.print_help()
- exit(1)
-
- if args.sort not in lease_display_fields.keys():
- print(f'Invalid sort key, choose from: {list(lease_display_fields.keys())}')
- exit(0)
-
- if not set(args.state) < set(lease_valid_states):
- print(f'Invalid lease state, choose from: {lease_valid_states}')
- exit(0)
-
- # Do nothing if service is not configured
- if not conf.exists_effective('service dhcpv6-server'):
- print("DHCPv6 service is not configured")
- exit(0)
-
- # if dhcp server is down, inactive leases may still be shown as active, so warn the user.
- if not is_systemd_service_running('isc-dhcp-server6.service'):
- Warning('DHCPv6 server is configured but not started. Data may be stale.')
-
- if args.leases:
- leases = get_leases(conf, lease_file, args.state, args.pool, args.sort)
-
- if args.json:
- print(dumps(leases, indent=4))
- else:
- show_leases(leases)
- elif args.statistics:
- print("DHCPv6 statistics option is not available")
- else:
- parser.print_help()
- exit(1)
diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py
deleted file mode 100755
index 5b8f00dba..000000000
--- a/src/op_mode/show_ipsec_sa.py
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-from re import split as re_split
-from sys import exit
-
-from hurry import filesize
-from tabulate import tabulate
-from vici import Session as vici_session
-
-from vyos.util import seconds_to_human
-
-
-def convert(text):
- return int(text) if text.isdigit() else text.lower()
-
-
-def alphanum_key(key):
- return [convert(c) for c in re_split('([0-9]+)', str(key))]
-
-
-def format_output(sas):
- sa_data = []
-
- for sa in sas:
- for parent_sa in sa.values():
- # create an item for each child-sa
- for child_sa in parent_sa.get('child-sas', {}).values():
- # prepare a list for output data
- sa_out_name = sa_out_state = sa_out_uptime = sa_out_bytes = sa_out_packets = sa_out_remote_addr = sa_out_remote_id = sa_out_proposal = 'N/A'
-
- # collect raw data
- sa_name = child_sa.get('name')
- sa_state = child_sa.get('state')
- sa_uptime = child_sa.get('install-time')
- sa_bytes_in = child_sa.get('bytes-in')
- sa_bytes_out = child_sa.get('bytes-out')
- sa_packets_in = child_sa.get('packets-in')
- sa_packets_out = child_sa.get('packets-out')
- sa_remote_addr = parent_sa.get('remote-host')
- sa_remote_id = parent_sa.get('remote-id')
- sa_proposal_encr_alg = child_sa.get('encr-alg')
- sa_proposal_integ_alg = child_sa.get('integ-alg')
- sa_proposal_encr_keysize = child_sa.get('encr-keysize')
- sa_proposal_dh_group = child_sa.get('dh-group')
-
- # format data to display
- if sa_name:
- sa_out_name = sa_name.decode()
- if sa_state:
- if sa_state == b'INSTALLED':
- sa_out_state = 'up'
- else:
- sa_out_state = 'down'
- if sa_uptime:
- sa_out_uptime = seconds_to_human(sa_uptime.decode())
- if sa_bytes_in and sa_bytes_out:
- bytes_in = filesize.size(int(sa_bytes_in.decode()))
- bytes_out = filesize.size(int(sa_bytes_out.decode()))
- sa_out_bytes = f'{bytes_in}/{bytes_out}'
- if sa_packets_in and sa_packets_out:
- packets_in = filesize.size(int(sa_packets_in.decode()),
- system=filesize.si)
- packets_out = filesize.size(int(sa_packets_out.decode()),
- system=filesize.si)
- sa_out_packets = f'{packets_in}/{packets_out}'
- if sa_remote_addr:
- sa_out_remote_addr = sa_remote_addr.decode()
- if sa_remote_id:
- sa_out_remote_id = sa_remote_id.decode()
- # format proposal
- if sa_proposal_encr_alg:
- sa_out_proposal = sa_proposal_encr_alg.decode()
- if sa_proposal_encr_keysize:
- sa_proposal_encr_keysize_str = sa_proposal_encr_keysize.decode()
- sa_out_proposal = f'{sa_out_proposal}_{sa_proposal_encr_keysize_str}'
- if sa_proposal_integ_alg:
- sa_proposal_integ_alg_str = sa_proposal_integ_alg.decode()
- sa_out_proposal = f'{sa_out_proposal}/{sa_proposal_integ_alg_str}'
- if sa_proposal_dh_group:
- sa_proposal_dh_group_str = sa_proposal_dh_group.decode()
- sa_out_proposal = f'{sa_out_proposal}/{sa_proposal_dh_group_str}'
-
- # add a new item to output data
- sa_data.append([
- sa_out_name, sa_out_state, sa_out_uptime, sa_out_bytes,
- sa_out_packets, sa_out_remote_addr, sa_out_remote_id,
- sa_out_proposal
- ])
-
- # return output data
- return sa_data
-
-
-if __name__ == '__main__':
- try:
- session = vici_session()
- sas = list(session.list_sas())
-
- sa_data = format_output(sas)
- sa_data = sorted(sa_data, key=alphanum_key)
-
- headers = [
- "Connection", "State", "Uptime", "Bytes In/Out", "Packets In/Out",
- "Remote address", "Remote ID", "Proposal"
- ]
- output = tabulate(sa_data, headers)
- print(output)
- except PermissionError:
- print("You do not have a permission to connect to the IPsec daemon")
- exit(1)
- except ConnectionRefusedError:
- print("IPsec is not runing")
- exit(1)
- except Exception as e:
- print("An error occured: {0}".format(e))
- exit(1)
diff --git a/src/op_mode/show_nat66_statistics.py b/src/op_mode/show_nat66_statistics.py
deleted file mode 100755
index cb10aed9f..000000000
--- a/src/op_mode/show_nat66_statistics.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import jmespath
-import json
-
-from argparse import ArgumentParser
-from jinja2 import Template
-from sys import exit
-from vyos.util import cmd
-
-OUT_TMPL_SRC="""
-rule pkts bytes interface
----- ---- ----- ---------
-{% for r in output %}
-{% if r.comment %}
-{% set packets = r.counter.packets %}
-{% set bytes = r.counter.bytes %}
-{% set interface = r.interface %}
-{# remove rule comment prefix #}
-{% set comment = r.comment | replace('SRC-NAT66-', '') | replace('DST-NAT66-', '') %}
-{{ "%-4s" | format(comment) }} {{ "%9s" | format(packets) }} {{ "%12s" | format(bytes) }} {{ interface }}
-{% endif %}
-{% endfor %}
-"""
-
-parser = ArgumentParser()
-group = parser.add_mutually_exclusive_group()
-group.add_argument("--source", help="Show statistics for configured source NAT rules", action="store_true")
-group.add_argument("--destination", help="Show statistics for configured destination NAT rules", action="store_true")
-args = parser.parse_args()
-
-if args.source or args.destination:
- tmp = cmd('sudo nft -j list table ip6 vyos_nat')
- tmp = json.loads(tmp)
-
- source = r"nftables[?rule.chain=='POSTROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }"
- destination = r"nftables[?rule.chain=='PREROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }"
- data = {
- 'output' : jmespath.search(source if args.source else destination, tmp),
- 'direction' : 'source' if args.source else 'destination'
- }
-
- tmpl = Template(OUT_TMPL_SRC, lstrip_blocks=True)
- print(tmpl.render(data))
- exit(0)
-else:
- parser.print_help()
- exit(1)
-
diff --git a/src/op_mode/show_nat66_translations.py b/src/op_mode/show_nat66_translations.py
deleted file mode 100755
index 045d64065..000000000
--- a/src/op_mode/show_nat66_translations.py
+++ /dev/null
@@ -1,204 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-'''
-show nat translations
-'''
-
-import os
-import sys
-import ipaddress
-import argparse
-import xmltodict
-
-from vyos.util import popen
-from vyos.util import DEVNULL
-
-conntrack = '/usr/sbin/conntrack'
-
-verbose_format = "%-20s %-18s %-20s %-18s"
-normal_format = "%-20s %-20s %-4s %-8s %s"
-
-
-def headers(verbose, pipe):
- if verbose:
- return verbose_format % ('Pre-NAT src', 'Pre-NAT dst', 'Post-NAT src', 'Post-NAT dst')
- return normal_format % ('Pre-NAT', 'Post-NAT', 'Prot', 'Timeout', 'Type' if pipe else '')
-
-
-def command(srcdest, proto, ipaddr):
- command = f'{conntrack} -o xml -L -f ipv6'
-
- if proto:
- command += f' -p {proto}'
-
- if srcdest == 'source':
- command += ' -n'
- if ipaddr:
- command += f' --orig-src {ipaddr}'
- if srcdest == 'destination':
- command += ' -g'
- if ipaddr:
- command += f' --orig-dst {ipaddr}'
-
- return command
-
-
-def run(command):
- xml, code = popen(command,stderr=DEVNULL)
- if code:
- sys.exit('conntrack failed')
- return xml
-
-
-def content(xmlfile):
- xml = ''
- with open(xmlfile,'r') as r:
- xml += r.read()
- return xml
-
-
-def pipe():
- xml = ''
- while True:
- line = sys.stdin.readline()
- xml += line
- if '</conntrack>' in line:
- break
-
- sys.stdin = open('/dev/tty')
- return xml
-
-
-def process(data, stats, protocol, pipe, verbose, flowtype=''):
- if not data:
- return
-
- parsed = xmltodict.parse(data)
-
- print(headers(verbose, pipe))
-
- # to help the linter to detect typos
- ORIGINAL = 'original'
- REPLY = 'reply'
- INDEPENDANT = 'independent'
- SPORT = 'sport'
- DPORT = 'dport'
- SRC = 'src'
- DST = 'dst'
-
- for rule in parsed['conntrack']['flow']:
- src, dst, sport, dport, proto = {}, {}, {}, {}, {}
- packet_count, byte_count = {}, {}
- timeout, use = 0, 0
-
- rule_type = rule.get('type', '')
-
- for meta in rule['meta']:
- # print(meta)
- direction = meta['@direction']
-
- if direction in (ORIGINAL, REPLY):
- if 'layer3' in meta:
- l3 = meta['layer3']
- src[direction] = l3[SRC]
- dst[direction] = l3[DST]
-
- if 'layer4' in meta:
- l4 = meta['layer4']
- sp = l4.get(SPORT, '')
- dp = l4.get(DPORT, '')
- if sp:
- sport[direction] = sp
- if dp:
- dport[direction] = dp
- proto[direction] = l4.get('@protoname','')
-
- if stats and 'counters' in meta:
- packet_count[direction] = meta['packets']
- byte_count[direction] = meta['bytes']
- continue
-
- if direction == INDEPENDANT:
- timeout = meta['timeout']
- use = meta['use']
- continue
-
- in_src = '%s:%s' % (src[ORIGINAL], sport[ORIGINAL]) if ORIGINAL in sport else src[ORIGINAL]
- in_dst = '%s:%s' % (dst[ORIGINAL], dport[ORIGINAL]) if ORIGINAL in dport else dst[ORIGINAL]
-
- # inverted the the perl code !!?
- out_dst = '%s:%s' % (dst[REPLY], dport[REPLY]) if REPLY in dport else dst[REPLY]
- out_src = '%s:%s' % (src[REPLY], sport[REPLY]) if REPLY in sport else src[REPLY]
-
- if flowtype == 'source':
- v = ORIGINAL in sport and REPLY in dport
- f = '%s:%s' % (src[ORIGINAL], sport[ORIGINAL]) if v else src[ORIGINAL]
- t = '%s:%s' % (dst[REPLY], dport[REPLY]) if v else dst[REPLY]
- else:
- v = ORIGINAL in dport and REPLY in sport
- f = '%s:%s' % (dst[ORIGINAL], dport[ORIGINAL]) if v else dst[ORIGINAL]
- t = '%s:%s' % (src[REPLY], sport[REPLY]) if v else src[REPLY]
-
- # Thomas: I do not believe proto should be an option
- p = proto.get('original', '')
- if protocol and p != protocol:
- continue
-
- if verbose:
- msg = verbose_format % (in_src, in_dst, out_dst, out_src)
- p = f'{p}: ' if p else ''
- msg += f'\n {p}{f} ==> {t}'
- msg += f' timeout: {timeout}' if timeout else ''
- msg += f' use: {use} ' if use else ''
- msg += f' type: {rule_type}' if rule_type else ''
- print(msg)
- else:
- print(normal_format % (f, t, p, timeout, rule_type if rule_type else ''))
-
- if stats:
- for direction in ('original', 'reply'):
- if direction in packet_count:
- print(' %-8s: packets %s, bytes %s' % direction, packet_count[direction], byte_count[direction])
-
-
-def main():
- parser = argparse.ArgumentParser(description=sys.modules[__name__].__doc__)
- parser.add_argument('--verbose', help='provide more details about the flows', action='store_true')
- parser.add_argument('--proto', help='filter by protocol', default='', type=str)
- parser.add_argument('--file', help='read the conntrack xml from a file', type=str)
- parser.add_argument('--stats', help='add usage statistics', action='store_true')
- parser.add_argument('--type', help='NAT type (source, destination)', required=True, type=str)
- parser.add_argument('--ipaddr', help='source ip address to filter on', type=ipaddress.ip_address)
- parser.add_argument('--pipe', help='read conntrack xml data from stdin', action='store_true')
-
- arg = parser.parse_args()
-
- if arg.type not in ('source', 'destination'):
- sys.exit('Unknown NAT type!')
-
- if arg.pipe:
- process(pipe(), arg.stats, arg.proto, arg.pipe, arg.verbose, arg.type)
- elif arg.file:
- process(content(arg.file), arg.stats, arg.proto, arg.pipe, arg.verbose, arg.type)
- else:
- try:
- process(run(command(arg.type, arg.proto, arg.ipaddr)), arg.stats, arg.proto, arg.pipe, arg.verbose, arg.type)
- except:
- pass
-
-if __name__ == '__main__':
- main()
diff --git a/src/op_mode/show_nat_statistics.py b/src/op_mode/show_nat_statistics.py
deleted file mode 100755
index be41e083b..000000000
--- a/src/op_mode/show_nat_statistics.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import jmespath
-import json
-
-from argparse import ArgumentParser
-from jinja2 import Template
-from sys import exit
-from vyos.util import cmd
-
-OUT_TMPL_SRC="""
-rule pkts bytes interface
----- ---- ----- ---------
-{% for r in output %}
-{% if r.comment %}
-{% set packets = r.counter.packets %}
-{% set bytes = r.counter.bytes %}
-{% set interface = r.interface %}
-{# remove rule comment prefix #}
-{% set comment = r.comment | replace('SRC-NAT-', '') | replace('DST-NAT-', '') | replace(' tcp_udp', '') %}
-{{ "%-4s" | format(comment) }} {{ "%9s" | format(packets) }} {{ "%12s" | format(bytes) }} {{ interface }}
-{% endif %}
-{% endfor %}
-"""
-
-parser = ArgumentParser()
-group = parser.add_mutually_exclusive_group()
-group.add_argument("--source", help="Show statistics for configured source NAT rules", action="store_true")
-group.add_argument("--destination", help="Show statistics for configured destination NAT rules", action="store_true")
-args = parser.parse_args()
-
-if args.source or args.destination:
- tmp = cmd('sudo nft -j list table ip vyos_nat')
- tmp = json.loads(tmp)
-
- source = r"nftables[?rule.chain=='POSTROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }"
- destination = r"nftables[?rule.chain=='PREROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }"
- data = {
- 'output' : jmespath.search(source if args.source else destination, tmp),
- 'direction' : 'source' if args.source else 'destination'
- }
-
- tmpl = Template(OUT_TMPL_SRC, lstrip_blocks=True)
- print(tmpl.render(data))
- exit(0)
-else:
- parser.print_help()
- exit(1)
-
diff --git a/src/op_mode/show_nat_translations.py b/src/op_mode/show_nat_translations.py
deleted file mode 100755
index 508845e23..000000000
--- a/src/op_mode/show_nat_translations.py
+++ /dev/null
@@ -1,216 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020-2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-'''
-show nat translations
-'''
-
-import os
-import sys
-import ipaddress
-import argparse
-import xmltodict
-
-from vyos.util import popen
-from vyos.util import DEVNULL
-
-conntrack = '/usr/sbin/conntrack'
-
-verbose_format = "%-20s %-18s %-20s %-18s"
-normal_format = "%-20s %-20s %-4s %-8s %s"
-
-
-def headers(verbose, pipe):
- if verbose:
- return verbose_format % ('Pre-NAT src', 'Pre-NAT dst', 'Post-NAT src', 'Post-NAT dst')
- return normal_format % ('Pre-NAT', 'Post-NAT', 'Prot', 'Timeout', 'Type' if pipe else '')
-
-
-def command(srcdest, proto, ipaddr):
- command = f'{conntrack} -o xml -L'
-
- if proto:
- command += f' -p {proto}'
-
- if srcdest == 'source':
- command += ' -n'
- if ipaddr:
- command += f' --orig-src {ipaddr}'
- if srcdest == 'destination':
- command += ' -g'
- if ipaddr:
- command += f' --orig-dst {ipaddr}'
-
- return command
-
-
-def run(command):
- xml, code = popen(command,stderr=DEVNULL)
- if code:
- sys.exit('conntrack failed')
- return xml
-
-
-def content(xmlfile):
- xml = ''
- with open(xmlfile,'r') as r:
- xml += r.read()
- return xml
-
-
-def pipe():
- xml = ''
- while True:
- line = sys.stdin.readline()
- xml += line
- if '</conntrack>' in line:
- break
-
- sys.stdin = open('/dev/tty')
- return xml
-
-
-def xml_to_dict(xml):
- """
- Convert XML to dictionary
- Return: dictionary
- """
- parse = xmltodict.parse(xml)
- # If only one NAT entry we must change dict T4499
- if 'meta' in parse['conntrack']['flow']:
- return dict(conntrack={'flow': [parse['conntrack']['flow']]})
- return parse
-
-
-def process(data, stats, protocol, pipe, verbose, flowtype=''):
- if not data:
- return
-
- parsed = xml_to_dict(data)
-
- print(headers(verbose, pipe))
-
- # to help the linter to detect typos
- ORIGINAL = 'original'
- REPLY = 'reply'
- INDEPENDANT = 'independent'
- SPORT = 'sport'
- DPORT = 'dport'
- SRC = 'src'
- DST = 'dst'
-
- for rule in parsed['conntrack']['flow']:
- src, dst, sport, dport, proto = {}, {}, {}, {}, {}
- packet_count, byte_count = {}, {}
- timeout, use = 0, 0
-
- rule_type = rule.get('type', '')
-
- for meta in rule['meta']:
- # print(meta)
- direction = meta['@direction']
-
- if direction in (ORIGINAL, REPLY):
- if 'layer3' in meta:
- l3 = meta['layer3']
- src[direction] = l3[SRC]
- dst[direction] = l3[DST]
-
- if 'layer4' in meta:
- l4 = meta['layer4']
- sp = l4.get(SPORT, '')
- dp = l4.get(DPORT, '')
- if sp:
- sport[direction] = sp
- if dp:
- dport[direction] = dp
- proto[direction] = l4.get('@protoname','')
-
- if stats and 'counters' in meta:
- packet_count[direction] = meta['packets']
- byte_count[direction] = meta['bytes']
- continue
-
- if direction == INDEPENDANT:
- timeout = meta['timeout']
- use = meta['use']
- continue
-
- in_src = '%s:%s' % (src[ORIGINAL], sport[ORIGINAL]) if ORIGINAL in sport else src[ORIGINAL]
- in_dst = '%s:%s' % (dst[ORIGINAL], dport[ORIGINAL]) if ORIGINAL in dport else dst[ORIGINAL]
-
- # inverted the the perl code !!?
- out_dst = '%s:%s' % (dst[REPLY], dport[REPLY]) if REPLY in dport else dst[REPLY]
- out_src = '%s:%s' % (src[REPLY], sport[REPLY]) if REPLY in sport else src[REPLY]
-
- if flowtype == 'source':
- v = ORIGINAL in sport and REPLY in dport
- f = '%s:%s' % (src[ORIGINAL], sport[ORIGINAL]) if v else src[ORIGINAL]
- t = '%s:%s' % (dst[REPLY], dport[REPLY]) if v else dst[REPLY]
- else:
- v = ORIGINAL in dport and REPLY in sport
- f = '%s:%s' % (dst[ORIGINAL], dport[ORIGINAL]) if v else dst[ORIGINAL]
- t = '%s:%s' % (src[REPLY], sport[REPLY]) if v else src[REPLY]
-
- # Thomas: I do not believe proto should be an option
- p = proto.get('original', '')
- if protocol and p != protocol:
- continue
-
- if verbose:
- msg = verbose_format % (in_src, in_dst, out_dst, out_src)
- p = f'{p}: ' if p else ''
- msg += f'\n {p}{f} ==> {t}'
- msg += f' timeout: {timeout}' if timeout else ''
- msg += f' use: {use} ' if use else ''
- msg += f' type: {rule_type}' if rule_type else ''
- print(msg)
- else:
- print(normal_format % (f, t, p, timeout, rule_type if rule_type else ''))
-
- if stats:
- for direction in ('original', 'reply'):
- if direction in packet_count:
- print(' %-8s: packets %s, bytes %s' % direction, packet_count[direction], byte_count[direction])
-
-
-def main():
- parser = argparse.ArgumentParser(description=sys.modules[__name__].__doc__)
- parser.add_argument('--verbose', help='provide more details about the flows', action='store_true')
- parser.add_argument('--proto', help='filter by protocol', default='', type=str)
- parser.add_argument('--file', help='read the conntrack xml from a file', type=str)
- parser.add_argument('--stats', help='add usage statistics', action='store_true')
- parser.add_argument('--type', help='NAT type (source, destination)', required=True, type=str)
- parser.add_argument('--ipaddr', help='source ip address to filter on', type=ipaddress.ip_address)
- parser.add_argument('--pipe', help='read conntrack xml data from stdin', action='store_true')
-
- arg = parser.parse_args()
-
- if arg.type not in ('source', 'destination'):
- sys.exit('Unknown NAT type!')
-
- if arg.pipe:
- process(pipe(), arg.stats, arg.proto, arg.pipe, arg.verbose, arg.type)
- elif arg.file:
- process(content(arg.file), arg.stats, arg.proto, arg.pipe, arg.verbose, arg.type)
- else:
- try:
- process(run(command(arg.type, arg.proto, arg.ipaddr)), arg.stats, arg.proto, arg.pipe, arg.verbose, arg.type)
- except:
- pass
-
-if __name__ == '__main__':
- main()
diff --git a/src/op_mode/show_raid.sh b/src/op_mode/show_raid.sh
index ba4174692..ab5d4d50f 100755
--- a/src/op_mode/show_raid.sh
+++ b/src/op_mode/show_raid.sh
@@ -1,5 +1,13 @@
#!/bin/bash
+if [ "$EUID" -ne 0 ]; then
+ # This should work without sudo because we have read
+ # access to the dev, but for some reason mdadm must be
+ # run as root in order to succeed.
+ echo "Please run as root"
+ exit 1
+fi
+
raid_set_name=$1
raid_sets=`cat /proc/partitions | grep md | awk '{ print $4 }'`
valid_set=`echo $raid_sets | grep $raid_set_name`
@@ -10,7 +18,7 @@ else
# This should work without sudo because we have read
# access to the dev, but for some reason mdadm must be
# run as root in order to succeed.
- sudo /sbin/mdadm --detail /dev/${raid_set_name}
+ mdadm --detail /dev/${raid_set_name}
else
echo "Must be administrator or root to display RAID status"
fi
diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py
index 68dc5bc45..2392cfe92 100755
--- a/src/op_mode/vpn_ipsec.py
+++ b/src/op_mode/vpn_ipsec.py
@@ -48,8 +48,8 @@ def reset_peer(peer, tunnel):
result = True
for conn in conns:
try:
- call(f'sudo /usr/sbin/ipsec down {conn}{{*}}', timeout = 10)
- call(f'sudo /usr/sbin/ipsec up {conn}', timeout = 10)
+ call(f'/usr/sbin/ipsec down {conn}{{*}}', timeout = 10)
+ call(f'/usr/sbin/ipsec up {conn}', timeout = 10)
except TimeoutExpired as e:
print(f'Timed out while resetting {conn}')
result = False
@@ -81,8 +81,8 @@ def reset_profile(profile, tunnel):
print('Profile not found, aborting')
return
- call(f'sudo /usr/sbin/ipsec down {conn}')
- result = call(f'sudo /usr/sbin/ipsec up {conn}')
+ call(f'/usr/sbin/ipsec down {conn}')
+ result = call(f'/usr/sbin/ipsec up {conn}')
print('Profile reset result: ' + ('success' if result == 0 else 'failed'))
@@ -90,17 +90,17 @@ def debug_peer(peer, tunnel):
peer = peer.replace(':', '-')
if not peer or peer == "all":
debug_commands = [
- "sudo ipsec statusall",
- "sudo swanctl -L",
- "sudo swanctl -l",
- "sudo swanctl -P",
- "sudo ip x sa show",
- "sudo ip x policy show",
- "sudo ip tunnel show",
- "sudo ip address",
- "sudo ip rule show",
- "sudo ip route | head -100",
- "sudo ip route show table 220"
+ "ipsec statusall",
+ "swanctl -L",
+ "swanctl -l",
+ "swanctl -P",
+ "ip x sa show",
+ "ip x policy show",
+ "ip tunnel show",
+ "ip address",
+ "ip rule show",
+ "ip route | head -100",
+ "ip route show table 220"
]
for debug_cmd in debug_commands:
print(f'\n### {debug_cmd} ###')
@@ -117,7 +117,7 @@ def debug_peer(peer, tunnel):
return
for conn in conns:
- call(f'sudo /usr/sbin/ipsec statusall | grep {conn}')
+ call(f'/usr/sbin/ipsec statusall | grep {conn}')
if __name__ == '__main__':
parser = argparse.ArgumentParser()
diff --git a/src/op_mode/webproxy_update_blacklist.sh b/src/op_mode/webproxy_update_blacklist.sh
index d5f301b75..4fb9a54c6 100755
--- a/src/op_mode/webproxy_update_blacklist.sh
+++ b/src/op_mode/webproxy_update_blacklist.sh
@@ -18,6 +18,23 @@ blacklist_url='ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/black
data_dir="/opt/vyatta/etc/config/url-filtering"
archive="${data_dir}/squidguard/archive"
db_dir="${data_dir}/squidguard/db"
+conf_file="/etc/squidguard/squidGuard.conf"
+tmp_conf_file="/tmp/sg_update_db.conf"
+
+#$1-category
+#$2-type
+#$3-list
+create_sg_db ()
+{
+ FILE=$db_dir/$1/$2
+ if test -f "$FILE"; then
+ rm -f ${tmp_conf_file}
+ printf "dbhome $db_dir\ndest $1 {\n $3 $1/$2\n}\nacl {\n default {\n pass any\n }\n}" >> ${tmp_conf_file}
+ /usr/bin/squidGuard -b -c ${tmp_conf_file} -C $FILE
+ rm -f ${tmp_conf_file}
+ fi
+
+}
while [ $# -gt 0 ]
do
@@ -88,6 +105,16 @@ if [[ -n $update ]] && [[ $update -eq "yes" ]]; then
# fix permissions
chown -R proxy:proxy ${db_dir}
+
+ #create db
+ category_list=(`find $db_dir -type d -exec basename {} \; `)
+ for category in ${category_list[@]}
+ do
+ create_sg_db $category "domains" "domainlist"
+ create_sg_db $category "urls" "urllist"
+ create_sg_db $category "expressions" "expressionlist"
+ done
+ chown -R proxy:proxy ${db_dir}
chmod 755 ${db_dir}
logger --priority WARNING "webproxy blacklist entries updated (${count_before}/${count_after})"
diff --git a/src/services/api/graphql/libs/op_mode.py b/src/services/api/graphql/libs/op_mode.py
index 6939ed5d6..211f8ce19 100644
--- a/src/services/api/graphql/libs/op_mode.py
+++ b/src/services/api/graphql/libs/op_mode.py
@@ -84,7 +84,7 @@ def map_type_name(type_name: type, optional: bool = False) -> str:
if type_name == int:
return 'Int!' if not optional else 'Int = null'
if type_name == bool:
- return 'Boolean!' if not optional else 'Boolean = false'
+ return 'Boolean = false'
if typing.get_origin(type_name) == list:
if not optional:
return f'[{map_type_name(typing.get_args(type_name)[0])}]!'
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-08 14:43:08 +0000