diff options
40 files changed, 381 insertions, 54 deletions
diff --git a/data/templates/aws/override_aws_gwlbtun.conf.j2 b/data/templates/aws/override_aws_gwlbtun.conf.j2 index 4c566d852..e7e60dc95 100644 --- a/data/templates/aws/override_aws_gwlbtun.conf.j2 +++ b/data/templates/aws/override_aws_gwlbtun.conf.j2 @@ -30,7 +30,7 @@ After=vyos-router.service [Service] EnvironmentFile= -ExecStart=/usr/bin/gwlbtun {{ args | join(' ') }} -CapabilityBoundingSet=CAP_NET_ADMIN +ExecStart=/usr/sbin/gwlbtun {{ args | join(' ') }} +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW Restart=always RestartSec=10 diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2 index cd6c34ede..8d934db9c 100644 --- a/data/templates/conntrack/sysctl.conf.j2 +++ b/data/templates/conntrack/sysctl.conf.j2 @@ -1,10 +1,11 @@ # Autogenerated by system_conntrack.py {# all values have defaults - thus no checking required #} +net.netfilter.nf_conntrack_buckets = {{ hash_size }} net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }} net.netfilter.nf_conntrack_max = {{ table_size }} net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }} net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }} net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }} net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }} -net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }}
\ No newline at end of file +net.netfilter.nf_conntrack_timestamp = {{ '1' if log.timestamp is vyos_defined else '0' }} diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 deleted file mode 100644 index 1b12fec5f..000000000 --- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 +++ /dev/null @@ -1,2 +0,0 @@ -# Autogenerated by system_conntrack.py -options nf_conntrack hashsize={{ hash_size }} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index f5cd801e4..bf051bb57 100755 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -416,7 +416,9 @@ table bridge vyos_filter { ct state invalid ether type arp counter accept ct state invalid ether type 8021q counter accept ct state invalid ether type 8021ad counter accept + ct state invalid ether type 0x8863 counter accept ct state invalid ether type 0x8864 counter accept + ct state invalid ether type 0x0842 counter accept {% endif %} {% endif %} {% if global_options.state_policy is vyos_defined %} diff --git a/data/templates/frr/ospfd.frr.j2 b/data/templates/frr/ospfd.frr.j2 index bc2c74b10..79824fb64 100644 --- a/data/templates/frr/ospfd.frr.j2 +++ b/data/templates/frr/ospfd.frr.j2 @@ -82,7 +82,7 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% for area_id, area_config in area.items() %} {% if area_config.area_type is vyos_defined %} {% for type, type_config in area_config.area_type.items() if type != 'normal' %} - area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} + area {{ area_id }} {{ type }} {{ 'translate-' + type_config.translate if type_config.translate is vyos_defined }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} {% if type_config.default_cost is vyos_defined %} area {{ area_id }} default-cost {{ type_config.default_cost }} {% endif %} diff --git a/debian/vyos-1x.links b/debian/vyos-1x.links index 402c91306..aef22555c 100644 --- a/debian/vyos-1x.links +++ b/debian/vyos-1x.links @@ -1,2 +1,4 @@ /etc/netplug/linkup.d/vyos-python-helper /etc/netplug/linkdown.d/vyos-python-helper /usr/libexec/vyos/system/standalone_root_pw_reset /opt/vyatta/sbin/standalone_root_pw_reset +/usr/libexec/vyos/vyconf_cli.py /usr/libexec/vyos/vyconf/bin/vy_commit +/usr/libexec/vyos/vyconf_cli.py /usr/libexec/vyos/vyconf/bin/vy_in_session diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index 01ea16bc6..794da4f9d 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -51,7 +51,7 @@ <children> <leafNode name="invalid-connections"> <properties> - <help>Accept ARP, 802.1q, 802.1ad, DHCP and PPPoE despite being marked as invalid connections</help> + <help>Accept ARP, 802.1q, 802.1ad, DHCP, PPPoE and WoL despite being marked as invalid connections</help> <valueless/> </properties> </leafNode> diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i index 6995ce119..517424034 100644 --- a/interface-definitions/include/version/conntrack-version.xml.i +++ b/interface-definitions/include/version/conntrack-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/conntrack-version.xml.i --> -<syntaxVersion component='conntrack' version='5'></syntaxVersion> +<syntaxVersion component='conntrack' version='6'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in index 54610b625..92c4d24cf 100644 --- a/interface-definitions/system_conntrack.xml.in +++ b/interface-definitions/system_conntrack.xml.in @@ -32,14 +32,14 @@ <properties> <help>Hash size for connection tracking table</help> <valueHelp> - <format>u32:1-50000000</format> + <format>u32:1024-50000000</format> <description>Size of hash to use for connection tracking table</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-50000000"/> + <validator name="numeric" argument="--range 1024-50000000"/> </constraint> </properties> - <defaultValue>32768</defaultValue> + <defaultValue>65536</defaultValue> </leafNode> <node name="ignore"> <properties> diff --git a/libvyosconfig b/libvyosconfig -Subproject 3e295c0c0256746f0811a9cb90d2489fd76a465 +Subproject f632edbc947fbcda1916ababacc5f2659cf6cfb diff --git a/op-mode-definitions/clear-interfaces.xml.in b/op-mode-definitions/clear-interfaces.xml.in index 3090aa771..31348808a 100644 --- a/op-mode-definitions/clear-interfaces.xml.in +++ b/op-mode-definitions/clear-interfaces.xml.in @@ -16,17 +16,6 @@ </properties> <command>${vyos_op_scripts_dir}/interfaces.py clear_counters</command> </node> - <tagNode name="connection"> - <properties> - <help>Bring connection-oriented network interface down and up</help> - <completionHelp> - <path>interfaces pppoe</path> - <path>interfaces sstpc</path> - <path>interfaces wwan</path> - </completionHelp> - </properties> - <command>${vyos_op_scripts_dir}/connect_disconnect.py --connect --disconnect --interface "$3"</command> - </tagNode> <node name="bonding"> <properties> <help>Clear Bonding interface information</help> diff --git a/op-mode-definitions/install-mok.xml.in b/op-mode-definitions/install-mok.xml.in index 906c34d8d..ab8e5d3db 100644 --- a/op-mode-definitions/install-mok.xml.in +++ b/op-mode-definitions/install-mok.xml.in @@ -6,7 +6,7 @@ <properties> <help>Install Secure Boot MOK (Machine Owner Key)</help> </properties> - <command>if test -f /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; then mokutil --ignore-keyring --import /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; else echo "Secure Boot Machine Owner Key not found"; fi</command> + <command>${vyos_op_scripts_dir}/install_mok.sh</command> </leafNode> </children> </node> diff --git a/op-mode-definitions/reset-connection.xml.in b/op-mode-definitions/reset-connection.xml.in new file mode 100644 index 000000000..e41d8ed20 --- /dev/null +++ b/op-mode-definitions/reset-connection.xml.in @@ -0,0 +1,18 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="reset"> + <children> + <tagNode name="connection"> + <properties> + <help>Bring connection-oriented network interface down and up</help> + <completionHelp> + <path>interfaces pppoe</path> + <path>interfaces sstpc</path> + <path>interfaces wwan</path> + </completionHelp> + </properties> + <command>${vyos_op_scripts_dir}/connect_disconnect.py --connect --disconnect --interface "$3"</command> + </tagNode> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/show-interfaces-bonding.xml.in b/op-mode-definitions/show-interfaces-bonding.xml.in index a9af13145..839a4cd91 100644 --- a/op-mode-definitions/show-interfaces-bonding.xml.in +++ b/op-mode-definitions/show-interfaces-bonding.xml.in @@ -23,7 +23,7 @@ <properties> <help>Show detailed interface information</help> </properties> - <command>if [ -f "/proc/net/bonding/$4" ]; then cat "/proc/net/bonding/$4"; else echo "Interface $4 does not exist!"; fi</command> + <command>${vyos_op_scripts_dir}/show_bonding_detail.sh "$4"</command> </leafNode> <node name="lacp"> <properties> diff --git a/op-mode-definitions/show-interfaces-pppoe.xml.in b/op-mode-definitions/show-interfaces-pppoe.xml.in index c1f502cb3..0904418bf 100644 --- a/op-mode-definitions/show-interfaces-pppoe.xml.in +++ b/op-mode-definitions/show-interfaces-pppoe.xml.in @@ -26,7 +26,7 @@ <path>interfaces pppoe</path> </completionHelp> </properties> - <command>if [ -d "/sys/class/net/$4" ]; then /usr/sbin/pppstats "$4"; fi</command> + <command>${vyos_op_scripts_dir}/show_ppp_stats.sh "$4"</command> </leafNode> #include <include/show-interface-type-event-log.xml.i> </children> diff --git a/op-mode-definitions/show-interfaces-sstpc.xml.in b/op-mode-definitions/show-interfaces-sstpc.xml.in index 3bd7a8247..61451db93 100644 --- a/op-mode-definitions/show-interfaces-sstpc.xml.in +++ b/op-mode-definitions/show-interfaces-sstpc.xml.in @@ -26,7 +26,7 @@ <path>interfaces sstpc</path> </completionHelp> </properties> - <command>if [ -d "/sys/class/net/$4" ]; then /usr/sbin/pppstats "$4"; fi</command> + <command>${vyos_op_scripts_dir}/show_ppp_stats.sh "$4"</command> </leafNode> #include <include/show-interface-type-event-log.xml.i> </children> diff --git a/op-mode-definitions/show-login.xml.in b/op-mode-definitions/show-login.xml.in index 6d8c782c4..664677bc6 100644 --- a/op-mode-definitions/show-login.xml.in +++ b/op-mode-definitions/show-login.xml.in @@ -14,12 +14,6 @@ </properties> <command>/usr/bin/id -Gn</command> </leafNode> - <leafNode name="level"> - <properties> - <help>Show current login level</help> - </properties> - <command>if [ -n "$VYATTA_USER_LEVEL_DIR" ]; then basename $VYATTA_USER_LEVEL_DIR; fi</command> - </leafNode> <leafNode name="user"> <properties> <help>Show current login user id</help> diff --git a/op-mode-definitions/suricata.xml.in b/op-mode-definitions/suricata.xml.in index 493aef08b..74e54fb9c 100644 --- a/op-mode-definitions/suricata.xml.in +++ b/op-mode-definitions/suricata.xml.in @@ -6,7 +6,7 @@ <properties> <help>Update Suricata</help> </properties> - <command>if test -f /run/suricata/suricata.yaml; then suricata-update --suricata-conf /run/suricata/suricata.yaml; systemctl restart suricata; else echo "Service Suricata not configured"; fi </command> + <command>${vyos_op_scripts_dir}/update_suricata.sh</command> </node> </children> </node> diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in index 2c0827b20..af7f12ba8 100644 --- a/op-mode-definitions/vpn-ipsec.xml.in +++ b/op-mode-definitions/vpn-ipsec.xml.in @@ -183,7 +183,7 @@ <properties> <help>Show summary of IKE process information</help> </properties> - <command>if systemctl is-active --quiet strongswan ; then systemctl status strongswan ; else echo "Process is not running" ; fi</command> + <command>systemctl status strongswan</command> </node> </children> </node> @@ -213,25 +213,25 @@ <properties> <help>Show detail active IKEv2 RA sessions</help> </properties> - <command>if systemctl is-active --quiet strongswan ; then ${vyos_op_scripts_dir}/ipsec.py show_ra_detail; else echo "IPsec process not running" ; fi</command> + <command>${vyos_op_scripts_dir}/ipsec.py show_ra_detail</command> </node> <tagNode name="connection-id"> <properties> <help>Show detail active IKEv2 RA sessions by connection-id</help> </properties> - <command>if systemctl is-active --quiet strongswan ; then ${vyos_op_scripts_dir}/ipsec.py show_ra_detail --conn-id="$6"; else echo "IPsec process not running" ; fi</command> + <command>${vyos_op_scripts_dir}/ipsec.py show_ra_detail --conn-id="$6"</command> </tagNode> <node name="summary"> <properties> <help>Show active IKEv2 RA sessions summary</help> </properties> - <command>if systemctl is-active --quiet strongswan ; then ${vyos_op_scripts_dir}/ipsec.py show_ra_summary; else echo "IPsec process not running" ; fi</command> + <command>${vyos_op_scripts_dir}/ipsec.py show_ra_summary; else echo "IPsec process not running"</command> </node> <tagNode name="username"> <properties> <help>Show detail active IKEv2 RA sessions by username</help> </properties> - <command>if systemctl is-active --quiet strongswan ; then ${vyos_op_scripts_dir}/ipsec.py show_ra_detail --username="$6"; else echo "IPsec process not running" ; fi</command> + <command>${vyos_op_scripts_dir}/ipsec.py show_ra_detail --username="$6"</command> </tagNode> </children> </node> @@ -268,12 +268,12 @@ --> <node name="detail"> <properties> - <help>Show Verbose Detail on all active IPsec Security Associations (SA)</help> + <help>Show verbose details on all active IPsec security associations (SA)</help> </properties> - <command>if systemctl is-active --quiet strongswan ; then ${vyos_op_scripts_dir}/ipsec.py show_sa_detail ; else echo "IPsec process not running" ; fi</command> + <command>${vyos_op_scripts_dir}/ipsec.py show_sa_detail</command> </node> </children> - <command>if systemctl is-active --quiet strongswan ; then ${vyos_op_scripts_dir}/ipsec.py show_sa ; else echo "IPsec process not running" ; fi</command> + <command>${vyos_op_scripts_dir}/ipsec.py show_sa</command> </node> <node name="state"> <properties> @@ -285,7 +285,7 @@ <properties> <help>Show status of IPsec process</help> </properties> - <command>if systemctl is-active --quiet strongswan >/dev/null ; then echo -e "IPsec Process Running: $(pgrep charon)\n$(/usr/sbin/ipsec status)" ; else echo "IPsec process not running" ; fi</command> + <command>/usr/sbin/ipsec status</command> </node> </children> </node> diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py index b57dcac89..f84b14040 100644 --- a/python/vyos/defaults.py +++ b/python/vyos/defaults.py @@ -84,3 +84,7 @@ rt_global_table = rt_symbolic_names['main'] vyconfd_conf = '/etc/vyos/vyconfd.conf' DEFAULT_COMMIT_CONFIRM_MINUTES = 10 + +commit_hooks = {'pre': '/etc/commit/pre-hooks.d', + 'post': '/etc/commit/post-hooks.d' + } diff --git a/python/vyos/utils/commit.py b/python/vyos/utils/commit.py index 9167c78d2..fc259dadb 100644 --- a/python/vyos/utils/commit.py +++ b/python/vyos/utils/commit.py @@ -101,3 +101,30 @@ def release_commit_lock_file(file_descr): return fcntl.lockf(file_descr, fcntl.LOCK_UN) file_descr.close() + + +def call_commit_hooks(which: str): + import re + import os + from pathlib import Path + from vyos.defaults import commit_hooks + from vyos.utils.process import rc_cmd + + if which not in list(commit_hooks): + raise ValueError(f'no entry {which} in commit_hooks') + + hook_dir = commit_hooks[which] + file_list = list(Path(hook_dir).glob('*')) + regex = re.compile('^[a-zA-Z0-9._-]+$') + hook_list = sorted([str(f) for f in file_list if regex.match(f.name)]) + err = False + out = '' + for runf in hook_list: + try: + e, o = rc_cmd(runf) + except FileNotFoundError: + continue + err = err | bool(e) + out = out + o + + return out, int(err) diff --git a/python/vyos/vyconf_session.py b/python/vyos/vyconf_session.py index 4250f0cfb..3cf847b6c 100644 --- a/python/vyos/vyconf_session.py +++ b/python/vyos/vyconf_session.py @@ -29,6 +29,7 @@ from vyos.utils.session import in_config_session from vyos.proto.vyconf_proto import Errnum from vyos.utils.commit import acquire_commit_lock_file from vyos.utils.commit import release_commit_lock_file +from vyos.utils.commit import call_commit_hooks class VyconfSessionError(Exception): @@ -145,10 +146,14 @@ class VyconfSession: if lock_fd is None: return out, Errnum.COMMIT_IN_PROGRESS + pre_out, _ = call_commit_hooks('pre') out = vyconf_client.send_request('commit', token=self.__token) + os.environ['COMMIT_STATUS'] = 'FAILURE' if out.status else 'SUCCESS' + post_out, _ = call_commit_hooks('post') + release_commit_lock_file(lock_fd) - return self.output(out), out.status + return pre_out + self.output(out) + post_out, out.status @raise_exception @config_mode diff --git a/smoketest/config-tests/conntrack-basic b/smoketest/config-tests/conntrack-basic new file mode 100644 index 000000000..8c375d244 --- /dev/null +++ b/smoketest/config-tests/conntrack-basic @@ -0,0 +1,35 @@ +set firewall global-options timeout icmp '30' +set firewall global-options timeout other '600' +set firewall global-options timeout udp other '300' +set firewall global-options timeout udp stream '300' +set interfaces ethernet eth0 vif 5 address '192.0.2.1/24' +set interfaces ethernet eth1 vif 7 description 'FTTH-PPPoE' +set nat source rule 100 log +set nat source rule 100 outbound-interface name 'pppoe0' +set nat source rule 100 source address '192.0.2.0/24' +set nat source rule 100 translation address 'masquerade' +set service ntp allow-client address '172.16.0.0/12' +set service ntp server 0.pool.ntp.org +set service ntp server 1.pool.ntp.org +set service ntp server 2.pool.ntp.org +set system config-management commit-revisions '200' +set system conntrack expect-table-size '2048' +set system conntrack hash-size '1024' +set system conntrack modules ftp +set system conntrack modules h323 +set system conntrack modules nfs +set system conntrack modules pptp +set system conntrack modules sip +set system conntrack modules sqlnet +set system conntrack modules tftp +set system conntrack table-size '262144' +set system conntrack timeout +set system console device ttyS0 speed '115200' +set system domain-name 'vyos.net' +set system host-name 'vyos' +set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/' +set system login user vyos authentication plaintext-password '' +set system name-server '172.16.254.30' +set system syslog local facility all level 'debug' +set system syslog local facility local7 level 'debug' +set system syslog remote 172.16.100.1 facility all level 'warning' diff --git a/smoketest/configs/conntrack-basic b/smoketest/configs/conntrack-basic new file mode 100644 index 000000000..8ecb78aeb --- /dev/null +++ b/smoketest/configs/conntrack-basic @@ -0,0 +1,92 @@ +interfaces { + ethernet eth0 { + duplex auto + speed auto + vif 5 { + address 192.0.2.1/24 + } + } + ethernet eth1 { + vif 7 { + description FTTH-PPPoE + } + } +} +nat { + source { + rule 100 { + log + outbound-interface pppoe0 + source { + address 192.0.2.0/24 + } + translation { + address masquerade + } + } + } +} +system { + config-management { + commit-revisions 200 + } + conntrack { + expect-table-size 2048 + hash-size 1023 + table-size 262144 + timeout { + icmp 30 + other 600 + udp { + other 300 + stream 300 + } + } + } + console { + device ttyS0 { + speed 115200 + } + } + domain-name vyos.net + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + } + } + name-server 172.16.254.30 + ntp { + allow-clients { + address 172.16.0.0/12 + } + server 0.pool.ntp.org { + } + server 1.pool.ntp.org { + } + server 2.pool.ntp.org { + } + } + syslog { + global { + facility all { + level debug + } + facility protocols { + level debug + } + } + host 172.16.100.1 { + facility all { + level warning + } + } + } +} + +// Warning: Do not remove the following line. +// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1" +// Release version: 1.3-beta-202101091250 diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 0b2287f74..2d850dfdf 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -785,7 +785,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['ct state invalid', 'ether type arp', 'accept'], ['ct state invalid', 'ether type 8021q', 'accept'], ['ct state invalid', 'ether type 8021ad', 'accept'], + ['ct state invalid', 'ether type 0x8863', 'accept'], ['ct state invalid', 'ether type 0x8864', 'accept'], + ['ct state invalid', 'ether type 0x0842', 'accept'], ['chain VYOS_PREROUTING_filter'], ['type filter hook prerouting priority filter; policy accept;'], ['ip6 daddr @A6_AGV6', 'notrack'], diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index ea55fa031..fc59171e4 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -574,5 +574,23 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): self.assertIn(f'router ospf', frrconfig) self.assertIn(f' network {network} area {area1}', frrconfig) + def test_ospf_18_area_translate_no_summary(self): + area = '11' + area_type = 'nssa' + network = '100.64.0.0/10' + + self.cli_set(base_path + ['area', area, 'area-type', area_type, 'no-summary']) + self.cli_set(base_path + ['area', area, 'area-type', area_type, 'translate', 'never']) + self.cli_set(base_path + ['area', area, 'network', network]) + + # commit changes + self.cli_commit() + + # Verify FRR ospfd configuration + frrconfig = self.getFRRconfig('router ospf', endsection='^exit') + self.assertIn(f'router ospf', frrconfig) + self.assertIn(f' area {area} {area_type} translate-never no-summary', frrconfig) + self.assertIn(f' network {network} area {area}', frrconfig) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py index f6bb3cf7c..27ca28298 100755 --- a/smoketest/scripts/cli/test_system_conntrack.py +++ b/smoketest/scripts/cli/test_system_conntrack.py @@ -20,7 +20,10 @@ import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.firewall import find_nftables_rule -from vyos.utils.file import read_file, read_json +from vyos.utils.file import read_file +from vyos.utils.file import read_json +from vyos.utils.system import sysctl_read +from vyos.xml_ref import default_value base_path = ['system', 'conntrack'] @@ -168,8 +171,8 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase): self.assertTrue(find_nftables_rule('ip vyos_conntrack', 'VYOS_CT_HELPER', [rule]) == None) def test_conntrack_hash_size(self): - hash_size = '65536' - hash_size_default = '32768' + hash_size = '8192' + hash_size_default = default_value(base_path + ['hash-size']) self.cli_set(base_path + ['hash-size', hash_size]) @@ -178,7 +181,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase): # verify new configuration - only effective after reboot, but # a valid config file is sufficient - tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf') + tmp = sysctl_read('net.netfilter.nf_conntrack_buckets') self.assertIn(hash_size, tmp) # Test default value by deleting the configuration @@ -189,7 +192,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase): # verify new configuration - only effective after reboot, but # a valid config file is sufficient - tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf') + tmp = sysctl_read('net.netfilter.nf_conntrack_buckets') self.assertIn(hash_size_default, tmp) def test_conntrack_ignore(self): diff --git a/smoketest/scripts/system/test_kernel_options.py b/smoketest/scripts/system/test_kernel_options.py index 84e9c145d..8188e7678 100755 --- a/smoketest/scripts/system/test_kernel_options.py +++ b/smoketest/scripts/system/test_kernel_options.py @@ -143,5 +143,23 @@ class TestKernelModules(unittest.TestCase): tmp = re.findall(f'{option}=3', self._config_data) self.assertTrue(tmp) + def test_inotify_stackfs(self): + for option in ['CONFIG_INOTIFY_USER', 'CONFIG_INOTIFY_STACKFS']: + tmp = re.findall(f'{option}=y', self._config_data) + self.assertTrue(tmp) + + def test_wwan(self): + for option in ['CONFIG_USB_NET_DRIVERS', 'CONFIG_USB_USBNET', + 'CONFIG_USB_NET_CDCETHER', 'CONFIG_USB_NET_HUAWEI_CDC_NCM', + 'CONFIG_USB_NET_CDC_MBIM', 'CONFIG_USB_NET_QMI_WWAN', + 'CONFIG_USB_SIERRA_NET', 'CONFIG_WWAN', + 'CONFIG_USB_SERIAL', 'CONFIG_USB_SERIAL_WWAN']: + tmp = re.findall(f'{option}=y', self._config_data) + self.assertTrue(tmp) + + for option in ['CONFIG_WWAN_HWSIM', 'CONFIG_IOSM', 'CONFIG_MTK_T7XX']: + tmp = re.findall(f'{option}=m', self._config_data) + self.assertTrue(tmp) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 94882fc14..83e6dee11 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -315,7 +315,7 @@ def generate_run_arguments(name, container_config): sysctl_opt = '' if 'sysctl' in container_config and 'parameter' in container_config['sysctl']: for k, v in container_config['sysctl']['parameter'].items(): - sysctl_opt += f" --sysctl {k}={v['value']}" + sysctl_opt += f" --sysctl \"{k}={v['value']}\"" # Add capability options. Should be in uppercase capabilities = '' diff --git a/src/conf_mode/interfaces_wwan.py b/src/conf_mode/interfaces_wwan.py index ddbebfb4a..fb71731d8 100755 --- a/src/conf_mode/interfaces_wwan.py +++ b/src/conf_mode/interfaces_wwan.py @@ -29,6 +29,7 @@ from vyos.configverify import verify_vrf from vyos.configverify import verify_mtu_ipv6 from vyos.ifconfig import WWANIf from vyos.utils.dict import dict_search +from vyos.utils.network import is_wwan_connected from vyos.utils.process import cmd from vyos.utils.process import call from vyos.utils.process import DEVNULL @@ -137,7 +138,7 @@ def apply(wwan): break sleep(0.250) - if 'shutdown_required' in wwan: + if 'shutdown_required' in wwan or (not is_wwan_connected(wwan['ifname'])): # we only need the modem number. wwan0 -> 0, wwan1 -> 1 modem = wwan['ifname'].lstrip('wwan') base_cmd = f'mmcli --modem {modem}' @@ -159,7 +160,7 @@ def apply(wwan): return None - if 'shutdown_required' in wwan: + if 'shutdown_required' in wwan or (not is_wwan_connected(wwan['ifname'])): ip_type = 'ipv4' slaac = dict_search('ipv6.address.autoconf', wwan) != None if 'address' in wwan: diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index c06c0aafc..467c9611b 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021-2024 VyOS maintainers and contributors +# Copyright (C) 2021-2025 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -17,6 +17,7 @@ from sys import exit from sys import argv +from vyos.base import Warning from vyos.config import Config from vyos.configverify import verify_common_route_maps from vyos.configverify import verify_route_map @@ -62,6 +63,16 @@ def verify(config_dict): if 'area' in ospf: networks = [] for area, area_config in ospf['area'].items(): + # Implemented as warning to not break existing configurations + if area == '0' and dict_search('area_type.nssa', area_config) != None: + Warning('You cannot configure NSSA to backbone!') + # Implemented as warning to not break existing configurations + if area == '0' and dict_search('area_type.stub', area_config) != None: + Warning('You cannot configure STUB to backbone!') + # Implemented as warning to not break existing configurations + if len(area_config['area_type']) > 1: + Warning(f'Only one area-type is supported for area "{area}"!') + if 'import_list' in area_config: acl_import = area_config['import_list'] if acl_import: verify_access_list(acl_import, ospf) diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py index f25ed8d10..8909d9cba 100755 --- a/src/conf_mode/system_conntrack.py +++ b/src/conf_mode/system_conntrack.py @@ -32,7 +32,6 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -conntrack_config = r'/etc/modprobe.d/vyatta_nf_conntrack.conf' sysctl_file = r'/run/sysctl/10-vyos-conntrack.conf' nftables_ct_file = r'/run/nftables-ct.conf' vyos_conntrack_logger_config = r'/run/vyos-conntrack-logger.conf' @@ -204,7 +203,6 @@ def generate(conntrack): elif path[0] == 'ipv6': conntrack['ipv6_firewall_action'] = 'accept' - render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack) render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack) diff --git a/src/etc/default/vyatta b/src/etc/default/vyatta index e5fa3bb30..0a5129e8b 100644 --- a/src/etc/default/vyatta +++ b/src/etc/default/vyatta @@ -173,6 +173,7 @@ unset _vyatta_extglob declare -x -r vyos_bin_dir=/usr/bin declare -x -r vyos_sbin_dir=/usr/sbin declare -x -r vyos_share_dir=/usr/share + declare -x -r vyconf_bin_dir=/usr/libexec/vyos/vyconf/bin if test -z "$vyos_conf_scripts_dir" ; then declare -x -r vyos_conf_scripts_dir=$vyos_libexec_dir/conf_mode diff --git a/src/helpers/set_vyconf_backend.py b/src/helpers/set_vyconf_backend.py index 6747e51c3..816452f3b 100755 --- a/src/helpers/set_vyconf_backend.py +++ b/src/helpers/set_vyconf_backend.py @@ -19,10 +19,14 @@ # N.B. only for use within testing framework; explicit invocation will leave # system in inconsistent state. +import os +import sys from argparse import ArgumentParser from vyos.utils.backend import set_vyconf_backend +if os.getuid() != 0: + sys.exit('Requires root privileges') parser = ArgumentParser() parser.add_argument('--disable', action='store_true', diff --git a/src/helpers/vyconf_cli.py b/src/helpers/vyconf_cli.py new file mode 100755 index 000000000..a159a2678 --- /dev/null +++ b/src/helpers/vyconf_cli.py @@ -0,0 +1,47 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2025 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +import os +import sys + +from vyos.vyconf_session import VyconfSession + + +pid = os.getppid() + +vs = VyconfSession(pid=pid) + +script_path = sys.argv[0] +script_name = os.path.basename(script_path) +# drop prefix 'vy_' if present +if script_name.startswith('vy_'): + func_name = script_name[3:] +else: + func_name = script_name + +if hasattr(vs, func_name): + func = getattr(vs, func_name) +else: + sys.exit(f'Call unimplemented: {func_name}') + +out = func() +if isinstance(out, bool): + # for use in shell scripts + sys.exit(int(not out)) + +print(out) diff --git a/src/migration-scripts/conntrack/5-to-6 b/src/migration-scripts/conntrack/5-to-6 new file mode 100644 index 000000000..1db2e78b4 --- /dev/null +++ b/src/migration-scripts/conntrack/5-to-6 @@ -0,0 +1,30 @@ +# Copyright 2025 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. + +# T7202: fix lower limit of supported conntrack hash-size to match Kernel +# lower limit. + +from vyos.configtree import ConfigTree + +base = ['system', 'conntrack'] +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + if config.exists(base + ['hash-size']): + tmp = config.return_value(base + ['hash-size']) + if int(tmp) < 1024: + config.set(base + ['hash-size'], value=1024) diff --git a/src/op_mode/install_mok.sh b/src/op_mode/install_mok.sh new file mode 100755 index 000000000..29f78cd1f --- /dev/null +++ b/src/op_mode/install_mok.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +if test -f /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; then + mokutil --ignore-keyring --import /var/lib/shim-signed/mok/vyos-dev-2025-shim.der; +else + echo "Secure Boot Machine Owner Key not found"; +fi diff --git a/src/op_mode/show_bonding_detail.sh b/src/op_mode/show_bonding_detail.sh new file mode 100755 index 000000000..62265daa2 --- /dev/null +++ b/src/op_mode/show_bonding_detail.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +if [ -f "/proc/net/bonding/$1" ]; then + cat "/proc/net/bonding/$1"; +else + echo "Interface $1 does not exist!"; +fi diff --git a/src/op_mode/show_ppp_stats.sh b/src/op_mode/show_ppp_stats.sh new file mode 100755 index 000000000..d9c17f966 --- /dev/null +++ b/src/op_mode/show_ppp_stats.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +if [ -d "/sys/class/net/$1" ]; then + /usr/sbin/pppstats "$1"; +fi diff --git a/src/op_mode/update_suricata.sh b/src/op_mode/update_suricata.sh new file mode 100755 index 000000000..6e4e605f4 --- /dev/null +++ b/src/op_mode/update_suricata.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +if test -f /run/suricata/suricata.yaml; then + suricata-update --suricata-conf /run/suricata/suricata.yaml; + systemctl restart suricata; +else + echo "Service Suricata not configured"; +fi |