Diffstat (limited to 'python')
-rw-r--r--python/vyos/configsession.py6
-rw-r--r--python/vyos/frrender.py17
-rw-r--r--python/vyos/ifconfig/wireguard.py2
-rwxr-xr-xpython/vyos/template.py23
4 files changed, 45 insertions, 3 deletions
diff --git a/python/vyos/configsession.py b/python/vyos/configsession.py
index f0d636b89..7af2cb333 100644
--- a/python/vyos/configsession.py
+++ b/python/vyos/configsession.py
@@ -146,7 +146,7 @@ class ConfigSession(object):
The write API of VyOS.
"""
- def __init__(self, session_id, app=APP):
+ def __init__(self, session_id, app=APP, shared=False):
"""
Creates a new config session.
@@ -187,7 +187,11 @@ class ConfigSession(object):
else:
self._vyconf_session = None
+ self.shared = shared
+
def __del__(self):
+ if self.shared:
+ return
if self._vyconf_session is None:
try:
output = (
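Review bot: `__del__` now reads `self.shared` before anything else, but the attribute is assigned only at the end of `__init__`, so a constructor that raises before that line leaves an object whose finalizer fails with AttributeError. Assign `self.shared = shared` at the top of `__init__`, or read it defensively with `if getattr(self, 'shared', False): return`. The early return also means this object never tears down a shared session, so the `__init__` docstring (outside this hunk) should say who owns teardown, e.g. `shared: if True, the session is owned elsewhere and is not torn down when this object is destroyed`. Both method bodies continue outside the hunk.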
diff --git a/python/vyos/frrender.py b/python/vyos/frrender.py
index 73d6dd5f0..d9e409cb4 100644
--- a/python/vyos/frrender.py
+++ b/python/vyos/frrender.py
@@ -543,6 +543,21 @@ def get_frrender_dict(conf, argv=None) -> dict:
elif conf.exists_effective(ospfv3_vrf_path):
vrf['name'][vrf_name]['protocols'].update({'ospfv3' : {'deleted' : ''}})
+ # We need to check the CLI if the RPKI node is present and thus load in all the default
+ # values present on the CLI - that's why we have if conf.exists()
+ rpki_vrf_path = ['vrf', 'name', vrf_name, 'protocols', 'rpki']
+ if 'rpki' in vrf_config.get('protocols', []):
+ rpki = conf.get_config_dict(rpki_vrf_path, key_mangling=('-', '_'), get_first_key=True,
+ with_pki=True, with_recursive_defaults=True)
+ rpki_ssh_key_base = '/run/frr/id_rpki'
+ for cache, cache_config in rpki.get('cache',{}).items():
+ if 'ssh' in cache_config:
+ cache_config['ssh']['public_key_file'] = f'{rpki_ssh_key_base}_{cache}.pub'
+ cache_config['ssh']['private_key_file'] = f'{rpki_ssh_key_base}_{cache}'
+ vrf['name'][vrf_name]['protocols'].update({'rpki' : rpki})
+ elif conf.exists_effective(rpki_vrf_path):
+ vrf['name'][vrf_name]['protocols'].update({'rpki' : {'deleted' : ''}})
+
# We need to check the CLI if the static node is present and thus load in all the default
# values present on the CLI - that's why we have if conf.exists()
static_vrf_path = ['vrf', 'name', vrf_name, 'protocols', 'static']
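Review bot: The SSH key paths built from `rpki_ssh_key_base = '/run/frr/id_rpki'` contain the cache name but not `vrf_name`, so two VRFs that configure the same cache with different SSH keys resolve to the same `public_key_file` and `private_key_file`. If the code that writes the key material uses these paths (not visible in this hunk), one VRF's private key would overwrite the other's or be presented for it. Including the VRF in the base, `rpki_ssh_key_base = f'/run/frr/id_rpki_{vrf_name}'`, keeps them apart. The copied comment still says `if conf.exists()` while the code tests `'rpki' in vrf_config.get('protocols', [])`, so it should describe the check actually made. The enclosing function starts and ends outside the hunk.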
@@ -675,7 +690,7 @@ class FRRender:
output += render_to_string('frr/ripngd.frr.j2', config_dict['ripng'])
output += '\n'
if 'rpki' in config_dict and 'deleted' not in config_dict['rpki']:
- output += render_to_string('frr/rpki.frr.j2', config_dict['rpki'])
+ output += render_to_string('frr/rpki.frr.j2', {'rpki': config_dict['rpki']})
output += '\n'
if 'segment_routing' in config_dict and 'deleted' not in config_dict['segment_routing']:
output += render_to_string('frr/zebra.segment_routing.frr.j2', config_dict['segment_routing'])
diff --git a/python/vyos/ifconfig/wireguard.py b/python/vyos/ifconfig/wireguard.py
index 3a28723b3..6b5e52412 100644
--- a/python/vyos/ifconfig/wireguard.py
+++ b/python/vyos/ifconfig/wireguard.py
@@ -52,7 +52,7 @@ class WireGuardOperational(Operational):
'private_key': None if private_key == '(none)' else private_key,
'public_key': None if public_key == '(none)' else public_key,
'listen_port': int(listen_port),
- 'fw_mark': None if fw_mark == 'off' else int(fw_mark),
+ 'fw_mark': None if fw_mark == 'off' else int(fw_mark, 16),
'peers': {},
}
else:
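Review bot: `int(fw_mark, 16)` reads any digit string as hexadecimal, so a decimal value such as `255` would come back as 597 without an error. If the producer of `fw_mark` (outside this hunk) always emits a `0x`-prefixed value, record that on the line, e.g. `# fwmark is reported as 0x-prefixed hex or 'off'`. Otherwise `int(fw_mark, 0)` follows the prefix and accepts both forms.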
diff --git a/python/vyos/template.py b/python/vyos/template.py
index bf7928914..bf2f13183 100755
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -674,6 +674,29 @@ def nft_nested_group(out_list, includes, groups, key):
add_includes(name)
return out_list
+@register_filter('nft_accept_invalid')
+def nft_accept_invalid(ether_type):
+ ether_type_mapping = {
+ 'dhcp': 'udp sport 67 udp dport 68',
+ 'arp': 'arp',
+ 'pppoe-discovery': '0x8863',
+ 'pppoe': '0x8864',
+ '802.1q': '8021q',
+ '802.1ad': '8021ad',
+ 'wol': '0x0842',
+ }
+ if ether_type not in ether_type_mapping:
+ raise RuntimeError(f'Ethernet type "{ether_type}" not found in ' \
+ 'available ethernet types!')
+ out = 'ct state invalid '
+
+ if ether_type != 'dhcp':
+ out += 'ether type '
+
+ out += f'{ether_type_mapping[ether_type]} counter accept'
+
+ return out
+
@register_filter('nat_rule')
def nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
from vyos.nat import parse_nat_rule
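Review bot: `nft_accept_invalid` has no docstring, although it emits a rule that accepts packets conntrack has classed as invalid, an exception to normal filtering that a later reader needs spelled out. The docstring should state that it returns an nftables match of the form `ct state invalid ether type <type> counter accept`, and that only the keys of `ether_type_mapping` are accepted while anything else raises RuntimeError, so no caller-supplied text reaches the ruleset. The `dhcp` entry deserves its own comment, e.g. `# DHCP is matched on UDP ports (sport 67, dport 68), not on an ether type`, since it is the only one that skips the `ether type` prefix and matches a single direction. The backslash in the `raise` is redundant inside the parentheses.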