Diffstat (limited to 'smoketest')
-rw-r--r--smoketest/configs/dialup-router-complex4
-rw-r--r--smoketest/scripts/cli/base_interfaces_test.py139
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py492
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_bonding.py5
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_bridge.py7
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_ethernet.py2
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_loopback.py2
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_openvpn.py4
-rwxr-xr-xsmoketest/scripts/cli/test_nat.py36
-rwxr-xr-xsmoketest/scripts/cli/test_protocols_bgp.py2
-rwxr-xr-xsmoketest/scripts/cli/test_protocols_isis.py10
-rwxr-xr-xsmoketest/scripts/cli/test_protocols_ospf.py84
-rwxr-xr-xsmoketest/scripts/cli/test_protocols_ospfv3.py48
-rwxr-xr-xsmoketest/scripts/cli/test_service_dns_dynamic.py99
-rwxr-xr-xsmoketest/scripts/cli/test_service_monitoring_zabbix-agent.py86
-rwxr-xr-xsmoketest/scripts/cli/test_system_ipv6.py2
-rwxr-xr-xsmoketest/scripts/cli/test_vrf.py7
17 files changed, 642 insertions, 387 deletions
diff --git a/smoketest/configs/dialup-router-complex b/smoketest/configs/dialup-router-complex
index 909e6d17b..aa9837fe9 100644
--- a/smoketest/configs/dialup-router-complex
+++ b/smoketest/configs/dialup-router-complex
@@ -1094,6 +1094,10 @@ firewall {
adjust-mss 1452
adjust-mss6 1432
}
+ interface eth0.10 {
+ adjust-mss 1320
+ adjust-mss6 1300
+ }
}
receive-redirects disable
send-redirects enable
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index a3868fa70..b5b65e253 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -26,17 +26,24 @@ from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSession
from vyos.configsession import ConfigSessionError
+from vyos.defaults import directories
from vyos.ifconfig import Interface
from vyos.ifconfig import Section
from vyos.utils.file import read_file
from vyos.utils.dict import dict_search
from vyos.utils.process import process_named_running
from vyos.utils.network import get_interface_config
+from vyos.utils.network import get_interface_vrf
from vyos.utils.process import cmd
-from vyos.validate import is_intf_addr_assigned
-from vyos.validate import is_ipv6_link_local
+from vyos.utils.network import is_intf_addr_assigned
+from vyos.utils.network import is_ipv6_link_local
from vyos.xml_ref import cli_defined
+dhclient_base_dir = directories['isc_dhclient_dir']
+dhclient_process_name = 'dhclient'
+dhcp6c_base_dir = directories['dhcp6_client_dir']
+dhcp6c_process_name = 'dhcp6c'
+
def is_mirrored_to(interface, mirror_if, qdisc):
"""
Ask TC if we are mirroring traffic to a discrete interface.
@@ -66,6 +73,7 @@ class BasicInterfaceTest:
_test_ipv6_pd = False
_test_ipv6_dhcpc6 = False
_test_mirror = False
+ _test_vrf = False
_base_path = []
_options = {}
@@ -93,6 +101,7 @@ class BasicInterfaceTest:
cls._test_ipv6_dhcpc6 = cli_defined(cls._base_path, 'dhcpv6-options')
cls._test_ipv6_pd = cli_defined(cls._base_path + ['dhcpv6-options'], 'pd')
cls._test_mtu = cli_defined(cls._base_path, 'mtu')
+ cls._test_vrf = cli_defined(cls._base_path, 'vrf')
# Setup mirror interfaces for SPAN (Switch Port Analyzer)
for span in cls._mirror_interfaces:
@@ -137,8 +146,6 @@ class BasicInterfaceTest:
for option in self._options.get(interface, []):
self.cli_set(self._base_path + [interface] + option.split())
- self.cli_set(self._base_path + [interface, 'disable'])
-
# Also enable DHCP (ISC DHCP always places interface in admin up
# state so we check that we do not start DHCP client.
# https://vyos.dev/T2767
@@ -151,6 +158,99 @@ class BasicInterfaceTest:
flags = read_file(f'/sys/class/net/{interface}/flags')
self.assertEqual(int(flags, 16) & 1, 0)
+ def test_dhcp_client_options(self):
+ if not self._test_dhcp or not self._test_vrf:
+ self.skipTest('not supported')
+
+ distance = '100'
+
+ for interface in self._interfaces:
+ for option in self._options.get(interface, []):
+ self.cli_set(self._base_path + [interface] + option.split())
+
+ self.cli_set(self._base_path + [interface, 'address', 'dhcp'])
+ self.cli_set(self._base_path + [interface, 'dhcp-options', 'default-route-distance', distance])
+
+ self.cli_commit()
+
+ for interface in self._interfaces:
+ # Check if dhclient process runs
+ dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface)
+ self.assertTrue(dhclient_pid)
+
+ dhclient_config = read_file(f'{dhclient_base_dir}/dhclient_{interface}.conf')
+ self.assertIn('request subnet-mask, broadcast-address, routers, domain-name-servers', dhclient_config)
+ self.assertIn('require subnet-mask;', dhclient_config)
+
+ # and the commandline has the appropriate options
+ cmdline = read_file(f'/proc/{dhclient_pid}/cmdline')
+ self.assertIn(f'-e\x00IF_METRIC={distance}', cmdline)
+
+ def test_dhcp_vrf(self):
+ if not self._test_dhcp or not self._test_vrf:
+ self.skipTest('not supported')
+
+ vrf_name = 'purple4'
+ self.cli_set(['vrf', 'name', vrf_name, 'table', '65000'])
+
+ for interface in self._interfaces:
+ for option in self._options.get(interface, []):
+ self.cli_set(self._base_path + [interface] + option.split())
+
+ self.cli_set(self._base_path + [interface, 'address', 'dhcp'])
+ self.cli_set(self._base_path + [interface, 'vrf', vrf_name])
+
+ self.cli_commit()
+
+ # Validate interface state
+ for interface in self._interfaces:
+ tmp = get_interface_vrf(interface)
+ self.assertEqual(tmp, vrf_name)
+
+ # Check if dhclient process runs
+ dhclient_pid = process_named_running(dhclient_process_name, cmdline=interface)
+ self.assertTrue(dhclient_pid)
+ # .. inside the appropriate VRF instance
+ vrf_pids = cmd(f'ip vrf pids {vrf_name}')
+ self.assertIn(str(dhclient_pid), vrf_pids)
+ # and the commandline has the appropriate options
+ cmdline = read_file(f'/proc/{dhclient_pid}/cmdline')
+ self.assertIn('-e\x00IF_METRIC=210', cmdline) # 210 is the default value
+
+ self.cli_delete(['vrf', 'name', vrf_name])
+
+ def test_dhcpv6_vrf(self):
+ if not self._test_ipv6_dhcpc6 or not self._test_vrf:
+ self.skipTest('not supported')
+
+ vrf_name = 'purple6'
+ self.cli_set(['vrf', 'name', vrf_name, 'table', '65001'])
+
+ # When interface is configured as admin down, it must be admin down
+ # even when dhcpc starts on the given interface
+ for interface in self._interfaces:
+ for option in self._options.get(interface, []):
+ self.cli_set(self._base_path + [interface] + option.split())
+
+ self.cli_set(self._base_path + [interface, 'address', 'dhcpv6'])
+ self.cli_set(self._base_path + [interface, 'vrf', vrf_name])
+
+ self.cli_commit()
+
+ # Validate interface state
+ for interface in self._interfaces:
+ tmp = get_interface_vrf(interface)
+ self.assertEqual(tmp, vrf_name)
+
+ # Check if dhclient process runs
+ tmp = process_named_running(dhcp6c_process_name, cmdline=interface)
+ self.assertTrue(tmp)
+ # .. inside the appropriate VRF instance
+ vrf_pids = cmd(f'ip vrf pids {vrf_name}')
+ self.assertIn(str(tmp), vrf_pids)
+
+ self.cli_delete(['vrf', 'name', vrf_name])
+
def test_span_mirror(self):
if not self._mirror_interfaces:
self.skipTest('not supported')
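Review bot: The VRF membership check in `test_dhcp_vrf`, `self.assertIn(str(dhclient_pid), vrf_pids)`, is a substring match on the raw `ip vrf pids` output, so PID 123 is also "found" inside 1234 and the assertion can pass while the client runs outside the VRF; `test_dhcpv6_vrf` repeats it with `tmp`. Matching whole tokens makes the isolation check exact, e.g. `self.assertIn(str(dhclient_pid), vrf_pids.split())`. Separately, `test_dhcp_client_options` skips when `_test_vrf` is false although it never configures a VRF, which looks like a copied guard that drops coverage. The trailing `self.cli_delete(['vrf', 'name', vrf_name])` is not reached when an assertion fails, so registering it right after the VRF is created with `self.addCleanup(self.cli_delete, ['vrf', 'name', vrf_name])` would be safer, assuming the test shim derives from `unittest.TestCase`.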
@@ -743,6 +843,7 @@ class BasicInterfaceTest:
mss = '1400'
dad_transmits = '10'
+ accept_dad = '0'
for interface in self._interfaces:
path = self._base_path + [interface]
@@ -753,6 +854,9 @@ class BasicInterfaceTest:
if cli_defined(self._base_path + ['ipv6'], 'adjust-mss'):
self.cli_set(path + ['ipv6', 'adjust-mss', mss])
+ if cli_defined(self._base_path + ['ipv6'], 'accept-dad'):
+ self.cli_set(path + ['ipv6', 'accept-dad', accept_dad])
+
if cli_defined(self._base_path + ['ipv6'], 'dup-addr-detect-transmits'):
self.cli_set(path + ['ipv6', 'dup-addr-detect-transmits', dad_transmits])
@@ -770,6 +874,10 @@ class BasicInterfaceTest:
if line.startswith(base_options):
self.assertIn(f'tcp option maxseg size set {mss}', line)
+ if cli_defined(self._base_path + ['ipv6'], 'accept-dad'):
+ tmp = read_file(f'{proc_base}/accept_dad')
+ self.assertEqual(accept_dad, tmp)
+
if cli_defined(self._base_path + ['ipv6'], 'dup-addr-detect-transmits'):
tmp = read_file(f'{proc_base}/dad_transmits')
self.assertEqual(dad_transmits, tmp)
@@ -799,13 +907,10 @@ class BasicInterfaceTest:
self.cli_commit()
- dhcp6c_options = read_file(f'/run/dhcp6c/dhcp6c.{interface}.options')
- self.assertIn(f'-n', dhcp6c_options)
-
duid_base = 10
for interface in self._interfaces:
duid = '00:01:00:01:27:71:db:f0:00:50:00:00:00:{}'.format(duid_base)
- dhcpc6_config = read_file(f'/run/dhcp6c/dhcp6c.{interface}.conf')
+ dhcpc6_config = read_file(f'{dhcp6c_base_dir}/dhcp6c.{interface}.conf')
self.assertIn(f'interface {interface} ' + '{', dhcpc6_config)
self.assertIn(f' request domain-name-servers;', dhcpc6_config)
self.assertIn(f' request domain-name;', dhcpc6_config)
@@ -816,8 +921,12 @@ class BasicInterfaceTest:
self.assertIn('};', dhcpc6_config)
duid_base += 1
- # Check for running process
- self.assertTrue(process_named_running('dhcp6c'))
+ # Better ask the process about it's commandline in the future
+ pid = process_named_running(dhcp6c_process_name, cmdline=interface)
+ self.assertTrue(pid)
+
+ dhcp6c_options = read_file(f'/proc/{pid}/cmdline')
+ self.assertIn('-n', dhcp6c_options)
def test_dhcpv6pd_auto_sla_id(self):
if not self._test_ipv6_pd:
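Review bot: `self.assertIn('-n', dhcp6c_options)` searches the whole `/proc/{pid}/cmdline` string, so any argument that merely contains `-n` (a path or an interface name, for instance) satisfies it and the option itself is not verified. The cmdline is NUL-separated, which the DHCPv4 test's `-e\x00IF_METRIC=` match already relies on, so splitting first gives an exact check: `self.assertIn('-n', dhcp6c_options.split('\x00'))`. The enclosing test method starts outside this hunk and indentation is lost here, so it is not visible whether the new PID lookup sits inside the per-interface loop. If it runs after the loop, only the last interface is checked.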
@@ -853,7 +962,7 @@ class BasicInterfaceTest:
self.cli_commit()
for interface in self._interfaces:
- dhcpc6_config = read_file(f'/run/dhcp6c/dhcp6c.{interface}.conf')
+ dhcpc6_config = read_file(f'{dhcp6c_base_dir}/dhcp6c.{interface}.conf')
# verify DHCPv6 prefix delegation
self.assertIn(f'prefix ::/{prefix_len} infinity;', dhcpc6_config)
@@ -871,8 +980,8 @@ class BasicInterfaceTest:
# increment interface address
address = str(int(address) + 1)
- # Check for running process
- self.assertTrue(process_named_running('dhcp6c'))
+ # Check for running process
+ self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface))
for delegatee in delegatees:
# we can already cleanup the test delegatee interface here
@@ -921,7 +1030,7 @@ class BasicInterfaceTest:
for interface in self._interfaces:
address = '1'
sla_id = '1'
- dhcpc6_config = read_file(f'/run/dhcp6c/dhcp6c.{interface}.conf')
+ dhcpc6_config = read_file(f'{dhcp6c_base_dir}/dhcp6c.{interface}.conf')
# verify DHCPv6 prefix delegation
self.assertIn(f'prefix ::/{prefix_len} infinity;', dhcpc6_config)
@@ -938,7 +1047,7 @@ class BasicInterfaceTest:
address = str(int(address) + 1)
# Check for running process
- self.assertTrue(process_named_running('dhcp6c', interface))
+ self.assertTrue(process_named_running(dhcp6c_process_name, cmdline=interface))
for delegatee in delegatees:
# we can already cleanup the test delegatee interface here
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 0c56c2c93..7a13f396f 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -90,19 +90,19 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
return False
def test_geoip(self):
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match'])
self.cli_commit()
nftables_search = [
- ['ip saddr @GEOIP_CC_smoketest_1', 'drop'],
- ['ip saddr != @GEOIP_CC_smoketest_2', 'return']
+ ['ip saddr @GEOIP_CC_name_smoketest_1', 'drop'],
+ ['ip saddr != @GEOIP_CC_name_smoketest_2', 'accept']
]
# -t prevents 1000+ GeoIP elements being returned
@@ -127,36 +127,33 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'eth0'])
self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'vtun0'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface'])
-
- self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface'])
self.cli_commit()
self.wait_for_domain_resolver('ip vyos_filter', 'D_smoketest_domain', '192.0.2.5')
nftables_search = [
- ['iifname "eth0"', 'jump NAME_smoketest'],
- ['ip saddr @N_smoketest_network', 'ip daddr 172.16.10.10', 'th dport @P_smoketest_port', 'return'],
+ ['ip saddr @N_smoketest_network', 'ip daddr 172.16.10.10', 'th dport @P_smoketest_port', 'accept'],
['elements = { 172.16.99.0/24 }'],
['elements = { 53, 123 }'],
- ['ether saddr @M_smoketest_mac', 'return'],
+ ['ether saddr @M_smoketest_mac', 'accept'],
['elements = { 00:01:02:03:04:05 }'],
['set D_smoketest_domain'],
['elements = { 192.0.2.5, 192.0.2.8,'],
['192.0.2.10, 192.0.2.11 }'],
- ['ip saddr @D_smoketest_domain', 'return'],
- ['oifname @I_smoketest_interface', 'return']
+ ['ip saddr @D_smoketest_domain', 'accept'],
+ ['oifname @I_smoketest_interface', 'accept']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -170,12 +167,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'port', '123'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'include', 'smoketest_port'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
-
- self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1'])
+ self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
self.cli_commit()
@@ -187,8 +182,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_delete(['firewall', 'group', 'network-group', 'smoketest_network', 'include', 'smoketest_network1'])
nftables_search = [
- ['iifname "eth0"', 'jump NAME_smoketest'],
- ['ip saddr @N_smoketest_network1', 'th dport @P_smoketest_port1', 'return'],
+ ['ip saddr @N_smoketest_network1', 'th dport @P_smoketest_port1', 'accept'],
['elements = { 172.16.99.0/24, 172.16.101.0/24 }'],
['elements = { 53, 123 }']
]
@@ -202,61 +196,75 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
mss_range = '501-1460'
conn_mark = '555'
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'log', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'log-options', 'level', 'debug'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'ttl', 'eq', '15'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'destination', 'port', '8888'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'log', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'log-options', 'level', 'err'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'ttl', 'gt', '102'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'destination', 'port', '22'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'limit', 'rate', '5/minute'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'log', 'disable'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'destination', 'port', '22'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'recent', 'count', '10'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'recent', 'time', 'minute'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'packet-type', 'host'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'flags', 'syn'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'mss', mss_range])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'packet-type', 'broadcast'])
- self.cli_set(['firewall', 'name', name, 'rule', '5', 'inbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
- self.cli_set(['firewall', 'interface', interface_wc, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log-options', 'level', 'debug'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'ttl', 'eq', '15'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'destination', 'port', '8888'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log-options', 'level', 'err'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'ttl', 'gt', '102'])
+
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'log', 'disable'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'packet-type', 'host'])
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark])
+
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'protocol', 'icmp'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark])
self.cli_commit()
mark_hex = "{0:#010x}".format(int(conn_mark))
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME_{name}'],
- [f'iifname "{interface_wc}"', f'jump NAME_{name}'],
- ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'return'],
+ ['chain VYOS_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy drop;'],
+ ['tcp dport 22', 'limit rate 5/minute', 'accept'],
+ ['tcp dport 22', 'add @RECENT_FWD_filter_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'],
+ ['chain VYOS_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
+ ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast', 'accept'],
+ ['meta l4proto gre', f'ct mark {mark_hex}', 'return'],
+ ['chain VYOS_OUTPUT_filter'],
+ ['type filter hook output priority filter; policy accept;'],
+ ['meta l4proto gre', f'oifname "{interface_wc}"', 'drop'],
+ ['meta l4proto icmp', f'ct mark {mark_hex}', 'return'],
+ ['chain NAME_smoketest'],
+ ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'],
['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'],
- ['tcp dport 22', 'limit rate 5/minute', 'return'],
- ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'],
- ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'],
- ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast'],
- ['meta l4proto gre', f'oifname "{interface}"', f'ct mark {mark_hex}', 'return']
+ ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
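Review bot: The new `['chain VYOS_FORWARD_filter']`, `['chain VYOS_INPUT_filter']` and `['chain VYOS_OUTPUT_filter']` entries only tie the rules listed after them to a hook if `verify_nftables` matches entries in order. Its body is outside this hunk; if it searches each entry independently across the whole `ip vyos_filter` table, a rule rendered into the wrong base chain would still pass. For a firewall that matters: the `tcp dport 22 ... drop` rule landing in output instead of forward is a policy gap this test would not notice. Consider checking rules per chain, for example by listing a single chain (`nft list chain ip vyos_filter VYOS_FORWARD_filter`) and running that chain's expectations against only that output. The same applies to the chain entries added in the `smoketest-adv` hunk below, and the test method containing these lines starts above the hunk.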
@@ -266,55 +274,54 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
name2 = 'smoketest-adv2'
interface = 'eth0'
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'enable-default-log'])
-
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '64'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '512'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'packet-length', '1024'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '17'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'dscp', '52'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
- self.cli_set(['firewall', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
-
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'dscp', '3-11'])
- self.cli_set(['firewall', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
-
- self.cli_set(['firewall', 'name', name2, 'default-action', 'jump'])
- self.cli_set(['firewall', 'name', name2, 'default-jump-target', name])
- self.cli_set(['firewall', 'name', name2, 'enable-default-log'])
- self.cli_set(['firewall', 'name', name2, 'rule', '1', 'source', 'address', '198.51.100.1'])
- self.cli_set(['firewall', 'name', name2, 'rule', '1', 'action', 'jump'])
- self.cli_set(['firewall', 'name', name2, 'rule', '1', 'jump-target', name])
-
- self.cli_set(['firewall', 'name', name2, 'rule', '2', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'name', name2, 'rule', '2', 'action', 'queue'])
- self.cli_set(['firewall', 'name', name2, 'rule', '2', 'queue', '3'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'protocol', 'udp'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'action', 'queue'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue-options', 'fanout'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue-options', 'bypass'])
- self.cli_set(['firewall', 'name', name2, 'rule', '3', 'queue', '0-15'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '64'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '512'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '1024'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '17'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '52'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
+
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue', '0-15'])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME_{name}'],
- ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'return'],
- ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'return'],
- [f'log prefix "[{name}-default-D]"', 'drop'],
+ ['chain VYOS_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy drop;'],
['ip saddr 198.51.100.1', f'jump NAME_{name}'],
- [f'log prefix "[{name2}-default-J]"', f'jump NAME_{name}'],
+ ['chain VYOS_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
[f'meta l4proto tcp','queue to 3'],
- [f'meta l4proto udp','queue flags bypass,fanout to 0-15']
+ [f'meta l4proto udp','queue flags bypass,fanout to 0-15'],
+ [f'chain NAME_{name}'],
+ ['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'],
+ ['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'accept'],
+ [f'log prefix "[{name}-default-D]"', 'drop']
]
self.verify_nftables(nftables_search, 'ip vyos_filter')
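Review bot: The rewrite removes the only visible coverage of `default-action jump` with `default-jump-target` (the old `[{name2}-default-J]` expectation) and adds nothing in its place. Unless a test outside this hunk covers it, a regression in how a chain's default jump is rendered would go unnoticed. Assuming the new `ipv4 name` tree still accepts it, a second named chain would restore the case: `self.cli_set(['firewall', 'ipv4', 'name', name2, 'default-action', 'jump'])`, the matching `default-jump-target`, and a `jump NAME_{name}` expectation. Within the hunk, `name2` and `interface` are still assigned in the context lines but no added line uses them, so they should either be used again or dropped.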
@@ -325,22 +332,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'address-group', 'mask_group', 'address', '1.1.1.1'])
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255'])
self.cli_commit()
@@ -357,34 +362,46 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
name = 'v6-smoketest'
interface = 'eth0'
- self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'source', 'address', '2002::1'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log', 'enable'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'log-options', 'level', 'crit'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'protocol', 'tcp_udp'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'destination', 'port', '8888'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'inbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'protocol', 'tcp_udp'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'destination', 'port', '8888'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'inbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'return'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'protocol', 'gre'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'outbound-interface', 'interface-name', interface])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'action', 'return'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'protocol', 'gre'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'outbound-interface', 'interface-name', interface])
- self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'source', 'address', '2002::1:2'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'inbound-interface', 'interface-name', interface])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME6_{name}'],
- ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'return'],
+ ['chain VYOS_IPV6_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy accept;'],
['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'],
+ ['chain VYOS_IPV6_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
+ ['meta l4proto udp', 'ip6 saddr 2002::1:2', f'iifname "{interface}"', 'accept'],
+ ['chain VYOS_IPV6_OUTPUT_filter'],
+ ['type filter hook output priority filter; policy drop;'],
['meta l4proto gre', f'oifname "{interface}"', 'return'],
- ['smoketest default-action', f'log prefix "[{name}-default-D]"', 'drop']
+ [f'chain NAME6_{name}'],
+ ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" log level crit', 'accept'],
+ [f'"{name} default-action drop"', f'log prefix "[{name}-default-D]"', 'drop']
]
self.verify_nftables(nftables_search, 'ip6 vyos_filter')
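Review bot: The expected `policy accept;` on `VYOS_IPV6_INPUT_filter` is not backed by any `default-action` set in this test, since only the forward and output filters get one, so the assertion pins the implicit default of the input hook. If that is intended, say so above the entry with `# no default-action set for input filter: the implicit default is accept`, or set it explicitly as the forward filter does. The `NAME6_{name}` chain is also never the target of a jump on the new side, so its rules are checked only as rendered text; whether `verify_nftables` ties a match to a particular chain is not visible here. The test method starts outside this hunk.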
@@ -394,40 +411,39 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
name2 = 'v6-smoketest-adv2'
interface = 'eth0'
- self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log'])
-
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '65'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '513'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'packet-length', '1025'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'dscp', '18'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'dscp', '53'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length', '1-1999'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'packet-length-exclude', '60000-65535'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'dscp', '4-14'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '4', 'dscp-exclude', '31-35'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '65'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '513'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '1025'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '18'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '53'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'default-action', 'jump'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'default-jump-target', name])
- self.cli_set(['firewall', 'ipv6-name', name2, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'source', 'address', '2001:db8::/64'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'action', 'jump'])
- self.cli_set(['firewall', 'ipv6-name', name2, 'rule', '1', 'jump-target', name])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'packet-length', '1-1999'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'packet-length-exclude', '60000-65535'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'dscp', '4-14'])
+ self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'dscp-exclude', '31-35'])
- self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'source', 'address', '2001:db8::/64'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'action', 'jump'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '1', 'jump-target', name])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME6_{name}'],
- ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'return'],
- ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'return'],
- [f'log prefix "[{name}-default-D]"', 'drop'],
+ ['chain VYOS_IPV6_FORWARD_filter'],
+ ['type filter hook forward priority filter; policy accept;'],
+ ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'accept'],
+ ['chain VYOS_IPV6_INPUT_filter'],
+ ['type filter hook input priority filter; policy accept;'],
['ip6 saddr 2001:db8::/64', f'jump NAME6_{name}'],
- [f'log prefix "[{name2}-default-J]"', f'jump NAME6_{name}']
+ [f'chain NAME6_{name}'],
+ ['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'accept'],
+ [f'log prefix "[{name}-default-D]"', 'drop']
]
self.verify_nftables(nftables_search, 'ip6 vyos_filter')
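Review bot: `name2` and `interface`, still assigned at the top of this test, are unused on the new side, because every `name2` rule and the `firewall interface` binding are removed. With them goes this test's only check of `default-action jump` with `default-jump-target` (the removed `-default-J` entry). Either drop the two assignments, or keep a second named chain whose default action jumps to `name` so that path stays covered. The test method starts outside the hunk.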
@@ -438,22 +454,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'group', 'ipv6-address-group', 'mask_group', 'address', '::beef'])
- self.cli_set(['firewall', 'ipv6-name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'enable-default-log'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'drop'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
- self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff'])
self.cli_commit()
@@ -465,52 +479,32 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip6 vyos_filter')
- def test_state_policy(self):
- self.cli_set(['firewall', 'state-policy', 'established', 'action', 'accept'])
- self.cli_set(['firewall', 'state-policy', 'related', 'action', 'accept'])
- self.cli_set(['firewall', 'state-policy', 'invalid', 'action', 'drop'])
-
- self.cli_commit()
-
- chains = {
- 'ip vyos_filter': ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'],
- 'ip6 vyos_filter': ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']
- }
-
- for table in ['ip vyos_filter', 'ip6 vyos_filter']:
- for chain in chains[table]:
- nftables_output = cmd(f'sudo nft list chain {table} {chain}')
- self.assertTrue('jump VYOS_STATE_POLICY' in nftables_output)
-
def test_ipv4_state_and_status_rules(self):
name = 'smoketest-state'
interface = 'eth0'
- self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'state', 'established', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '1', 'state', 'related', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'action', 'reject'])
- self.cli_set(['firewall', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
-
- self.cli_set(['firewall', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'action', 'accept'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
- self.cli_set(['firewall', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
-
- self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source'])
self.cli_commit()
nftables_search = [
- [f'iifname "{interface}"', f'jump NAME_{name}'],
- ['ct state { established, related }', 'return'],
+ ['ct state { established, related }', 'accept'],
['ct state invalid', 'reject'],
- ['ct state new', 'ct status dnat', 'return'],
- ['ct state { established, new }', 'ct status snat', 'return'],
+ ['ct state new', 'ct status dnat', 'accept'],
+ ['ct state { established, new }', 'ct status snat', 'accept'],
['drop', f'comment "{name} default-action drop"']
]
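Review bot: With `test_state_policy` removed, nothing in this hunk asserts the global handling of established, related and invalid traffic any more; the remaining test only checks per-rule `ct state` matches inside a named chain that no base chain jumps to. If the state policy has a counterpart in the new syntax (not visible here), a replacement test belongs next to this one; otherwise a short comment saying why the case was dropped would help. `interface = 'eth0'` in `test_ipv4_state_and_status_rules` is now unused and can go. The test body continues past the end of the hunk.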
@@ -523,7 +517,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
with open(path, 'r') as f:
self.assertEqual(f.read().strip(), conf['default'], msg=path)
- self.cli_set(['firewall', name.replace("_", "-"), conf['test_value']])
+ self.cli_set(['firewall', 'global-options', name.replace("_", "-"), conf['test_value']])
self.cli_commit()
@@ -533,35 +527,5 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
with open(path, 'r') as f:
self.assertNotEqual(f.read().strip(), conf['default'], msg=path)
- def test_zone_basic(self):
- self.cli_set(['firewall', 'name', 'smoketest', 'default-action', 'drop'])
- self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'eth0'])
- self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest'])
- self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone'])
- self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest'])
-
- self.cli_commit()
-
- nftables_search = [
- ['chain VZONE_smoketest-eth0'],
- ['chain VZONE_smoketest-local_IN'],
- ['chain VZONE_smoketest-local_OUT'],
- ['oifname "eth0"', 'jump VZONE_smoketest-eth0'],
- ['jump VZONE_smoketest-local_IN'],
- ['jump VZONE_smoketest-local_OUT'],
- ['iifname "eth0"', 'jump NAME_smoketest'],
- ['oifname "eth0"', 'jump NAME_smoketest']
- ]
-
- nftables_output = cmd('sudo nft list table ip vyos_filter')
-
- for search in nftables_search:
- matched = False
- for line in nftables_output.split("\n"):
- if all(item in line for item in search):
- matched = True
- break
- self.assertTrue(matched)
-
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_interfaces_bonding.py b/smoketest/scripts/cli/test_interfaces_bonding.py
index d8e6bde5c..8867cb427 100755
--- a/smoketest/scripts/cli/test_interfaces_bonding.py
+++ b/smoketest/scripts/cli/test_interfaces_bonding.py
@@ -37,9 +37,8 @@ class BondingInterfaceTest(BasicInterfaceTest.TestCase):
if 'TEST_ETH' in os.environ:
cls._members = os.environ['TEST_ETH'].split()
else:
- for tmp in Section.interfaces('ethernet'):
- if not '.' in tmp:
- cls._members.append(tmp)
+ for tmp in Section.interfaces('ethernet', vlan=False):
+ cls._members.append(tmp)
cls._options = {'bond0' : []}
for member in cls._members:
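Review bot: The loop left on the new side only copies each element, so it can be written `cls._members.extend(Section.interfaces('ethernet', vlan=False))`; the same applies to the identical hunk in `test_interfaces_bridge.py`. When `TEST_ETH` is set, the member list comes straight from the environment and gets no VLAN filtering, as was already the case before this change; a one-line comment such as `# TEST_ETH is expected to name physical interfaces only` would document that. `setUpClass` starts and ends outside the hunk.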
diff --git a/smoketest/scripts/cli/test_interfaces_bridge.py b/smoketest/scripts/cli/test_interfaces_bridge.py
index 674b0535a..cdff49f4b 100755
--- a/smoketest/scripts/cli/test_interfaces_bridge.py
+++ b/smoketest/scripts/cli/test_interfaces_bridge.py
@@ -27,7 +27,7 @@ from vyos.ifconfig import Section
from vyos.utils.process import cmd
from vyos.utils.file import read_file
from vyos.utils.network import get_interface_config
-from vyos.validate import is_intf_addr_assigned
+from vyos.utils.network import is_intf_addr_assigned
class BridgeInterfaceTest(BasicInterfaceTest.TestCase):
@classmethod
@@ -41,9 +41,8 @@ class BridgeInterfaceTest(BasicInterfaceTest.TestCase):
if 'TEST_ETH' in os.environ:
cls._members = os.environ['TEST_ETH'].split()
else:
- for tmp in Section.interfaces('ethernet'):
- if not '.' in tmp:
- cls._members.append(tmp)
+ for tmp in Section.interfaces('ethernet', vlan=False):
+ cls._members.append(tmp)
cls._options['br0'] = []
for member in cls._members:
diff --git a/smoketest/scripts/cli/test_interfaces_ethernet.py b/smoketest/scripts/cli/test_interfaces_ethernet.py
index eec3ddbe8..5ea21fea8 100755
--- a/smoketest/scripts/cli/test_interfaces_ethernet.py
+++ b/smoketest/scripts/cli/test_interfaces_ethernet.py
@@ -31,7 +31,7 @@ from vyos.template import is_ipv6
from vyos.utils.process import cmd
from vyos.utils.process import process_named_running
from vyos.utils.file import read_file
-from vyos.validate import is_ipv6_link_local
+from vyos.utils.network import is_ipv6_link_local
server_ca_root_cert_data = """
MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIw
diff --git a/smoketest/scripts/cli/test_interfaces_loopback.py b/smoketest/scripts/cli/test_interfaces_loopback.py
index cde90189b..0454dc658 100755
--- a/smoketest/scripts/cli/test_interfaces_loopback.py
+++ b/smoketest/scripts/cli/test_interfaces_loopback.py
@@ -19,7 +19,7 @@ import unittest
from base_interfaces_test import BasicInterfaceTest
from netifaces import interfaces
-from vyos.validate import is_intf_addr_assigned
+from vyos.utils.network import is_intf_addr_assigned
loopbacks = ['127.0.0.1', '::1']
diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py
index 5c54f58a3..d1ece84d6 100755
--- a/smoketest/scripts/cli/test_interfaces_openvpn.py
+++ b/smoketest/scripts/cli/test_interfaces_openvpn.py
@@ -337,10 +337,6 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
self.cli_delete(path + ['protocol'])
-
- # check validate() - must specify "tls dh-params" when "tls role" is "passive"
- with self.assertRaises(ConfigSessionError):
- self.cli_commit()
self.cli_set(path + ['tls', 'dh-params', 'ovpn_test'])
self.cli_commit()
diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py
index 28d566eba..e6eaedeff 100755
--- a/smoketest/scripts/cli/test_nat.py
+++ b/smoketest/scripts/cli/test_nat.py
@@ -252,5 +252,41 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip vyos_nat')
+ def test_nat_balance(self):
+ ifname = 'eth0'
+ member_1 = '198.51.100.1'
+ weight_1 = '10'
+ member_2 = '198.51.100.2'
+ weight_2 = '90'
+ member_3 = '192.0.2.1'
+ weight_3 = '35'
+ member_4 = '192.0.2.2'
+ weight_4 = '65'
+ dst_port = '443'
+
+ self.cli_set(dst_path + ['rule', '1', 'inbound-interface', ifname])
+ self.cli_set(dst_path + ['rule', '1', 'protocol', 'tcp'])
+ self.cli_set(dst_path + ['rule', '1', 'destination', 'port', dst_port])
+ self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'source-address'])
+ self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'source-port'])
+ self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'destination-address'])
+ self.cli_set(dst_path + ['rule', '1', 'load-balance', 'hash', 'destination-port'])
+ self.cli_set(dst_path + ['rule', '1', 'load-balance', 'backend', member_1, 'weight', weight_1])
+ self.cli_set(dst_path + ['rule', '1', 'load-balance', 'backend', member_2, 'weight', weight_2])
+
+ self.cli_set(src_path + ['rule', '1', 'outbound-interface', ifname])
+ self.cli_set(src_path + ['rule', '1', 'load-balance', 'hash', 'random'])
+ self.cli_set(src_path + ['rule', '1', 'load-balance', 'backend', member_3, 'weight', weight_3])
+ self.cli_set(src_path + ['rule', '1', 'load-balance', 'backend', member_4, 'weight', weight_4])
+
+ self.cli_commit()
+
+ nftables_search = [
+ [f'iifname "{ifname}"', f'tcp dport {dst_port}', f'dnat to jhash ip saddr . tcp sport . ip daddr . tcp dport mod 100 map', f'0-9 : {member_1}, 10-99 : {member_2}'],
+ [f'oifname "{ifname}"', f'snat to numgen random mod 100 map', f'0-34 : {member_3}, 35-99 : {member_4}']
+ ]
+
+ self.verify_nftables(nftables_search, 'ip vyos_nat')
+
if __name__ == '__main__':
unittest.main(verbosity=2)
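Review bot: The expected bucket ranges in `nftables_search` (`0-9`/`10-99` and `0-34`/`35-99`) are hand-computed from `weight_1` to `weight_4`, so editing a weight silently breaks the link between input and assertion. A comment above the list would make the derivation explicit, for example `# weights become cumulative buckets of "mod 100": 10/90 -> 0-9, 10-99; 35/65 -> 0-34, 35-99`. The `dnat to jhash` and `snat to numgen` literals carry an `f` prefix without any placeholder and can be plain strings. The test covers only weights that sum to 100; whether other sums are rejected at commit is not visible here, and a negative case would pin that behaviour.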
diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py
index 5b247a413..85e734b8a 100755
--- a/smoketest/scripts/cli/test_protocols_bgp.py
+++ b/smoketest/scripts/cli/test_protocols_bgp.py
@@ -868,6 +868,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['address-family', afi, 'export', 'vpn'])
self.cli_set(base_path + ['address-family', afi, 'import', 'vpn'])
self.cli_set(base_path + ['address-family', afi, 'label', 'vpn', 'export', label])
+ self.cli_set(base_path + ['address-family', afi, 'label', 'vpn', 'allocation-mode', 'per-nexhop'])
self.cli_set(base_path + ['address-family', afi, 'rd', 'vpn', 'export', rd])
self.cli_set(base_path + ['address-family', afi, 'route-map', 'vpn', 'export', route_map_out])
self.cli_set(base_path + ['address-family', afi, 'route-map', 'vpn', 'import', route_map_in])
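Review bot: The value set here is spelled `per-nexhop`, while the assertion added in the next hunk expects `per-nexthop` in the FRR output. If the CLI really accepts `per-nexhop`, the typo sits in the CLI definition and should be corrected there and here together; if it does not, this `cli_set` fails. The assertion string `' label vpn export allocation-mode per-nexthop '` also ends in a space, which ties the test to trailing whitespace in the rendered config; dropping that space keeps the check meaningful without that dependency. Both test bodies start and end outside their hunks.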
@@ -887,6 +888,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
self.assertIn(f' export vpn', afi_config)
self.assertIn(f' import vpn', afi_config)
self.assertIn(f' label vpn export {label}', afi_config)
+ self.assertIn(f' label vpn export allocation-mode per-nexthop ', afi_config)
self.assertIn(f' rd vpn export {rd}', afi_config)
self.assertIn(f' route-map vpn export {route_map_out}', afi_config)
self.assertIn(f' route-map vpn import {route_map_in}', afi_config)
diff --git a/smoketest/scripts/cli/test_protocols_isis.py b/smoketest/scripts/cli/test_protocols_isis.py
index 511a5eb8b..5ab7fae14 100755
--- a/smoketest/scripts/cli/test_protocols_isis.py
+++ b/smoketest/scripts/cli/test_protocols_isis.py
@@ -295,9 +295,10 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase):
for interface in self._interfaces:
self.cli_set(base_path + ['interface', interface, 'ldp-sync', 'holddown', holddown])
- # Commit interface changes for holddown
- self.cli_commit()
+ # Commit interface changes for holddown
+ self.cli_commit()
+ for interface in self._interfaces:
# Verify interface changes for holddown
tmp = self.getFRRconfig(f'interface {interface}', daemon='isisd')
self.assertIn(f'interface {interface}', tmp)
@@ -308,9 +309,10 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase):
for interface in self._interfaces:
self.cli_set(base_path + ['interface', interface, 'ldp-sync', 'disable'])
- # Commit interface changes for disable
- self.cli_commit()
+ # Commit interface changes for disable
+ self.cli_commit()
+ for interface in self._interfaces:
# Verify interface changes for disable
tmp = self.getFRRconfig(f'interface {interface}', daemon='isisd')
self.assertIn(f'interface {interface}', tmp)
diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py
index 80befbfd6..a6850db71 100755
--- a/smoketest/scripts/cli/test_protocols_ospf.py
+++ b/smoketest/scripts/cli/test_protocols_ospf.py
@@ -56,7 +56,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' auto-cost reference-bandwidth 100', frrconfig)
self.assertIn(f' timers throttle spf 200 1000 10000', frrconfig) # defaults
@@ -84,7 +84,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' compatible rfc1583', frrconfig)
self.assertIn(f' auto-cost reference-bandwidth {bandwidth}', frrconfig)
@@ -116,7 +116,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' timers throttle spf 200 1000 10000', frrconfig) # defaults
for ptotocol in protocols:
@@ -137,7 +137,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' timers throttle spf 200 1000 10000', frrconfig) # defaults
self.assertIn(f' default-information originate metric {metric} metric-type {metric_type} route-map {route_map}', frrconfig)
@@ -147,7 +147,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f' default-information originate always metric {metric} metric-type {metric_type} route-map {route_map}', frrconfig)
@@ -189,7 +189,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' mpls-te on', frrconfig)
self.assertIn(f' mpls-te router-address 0.0.0.0', frrconfig) # default
@@ -212,7 +212,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['distance', 'ospf', 'inter-area', inter_area])
self.cli_commit()
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f' distance ospf intra-area {intra_area} inter-area {inter_area} external {external}', frrconfig)
@@ -228,7 +228,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
for neighbor in neighbors:
self.assertIn(f' neighbor {neighbor} priority {priority} poll-interval {poll_interval}', frrconfig) # default
@@ -247,7 +247,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
for protocol in redistribute:
self.assertIn(f' redistribute {protocol} metric {metric} metric-type {metric_type} route-map {route_map}', frrconfig)
@@ -274,7 +274,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' area {area} shortcut {shortcut}', frrconfig)
self.assertIn(f' area {area} virtual-link {virtual_link} hello-interval {hello} retransmit-interval {retransmit} transmit-delay {transmit} dead-interval {dead}', frrconfig)
@@ -306,11 +306,12 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
# commit changes
self.cli_commit()
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' passive-interface default', frrconfig)
for interface in interfaces:
+ # Can not use daemon for getFRRconfig() as bandwidth parameter belongs to zebra process
config = self.getFRRconfig(f'interface {interface}')
self.assertIn(f'interface {interface}', config)
self.assertIn(f' ip ospf authentication-key {password}', config)
@@ -323,6 +324,17 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.assertIn(f' no ip ospf passive', config)
self.assertIn(f' bandwidth {bandwidth}', config)
+ # T5467: Remove interface from OSPF process and VRF
+ self.cli_delete(base_path + ['interface'])
+ self.cli_commit()
+
+ for interface in interfaces:
+ # T5467: It must also be removed from FRR config
+ frrconfig = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+ self.assertNotIn(f'interface {interface}', frrconfig)
+ # There should be no OSPF related command at all under the interface
+ self.assertNotIn(f' ip ospf', frrconfig)
+
def test_ospf_11_interface_area(self):
area = '0'
interfaces = Section.interfaces('ethernet')
@@ -339,11 +351,11 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
for interface in interfaces:
- config = self.getFRRconfig(f'interface {interface}')
+ config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
self.assertIn(f'interface {interface}', config)
self.assertIn(f' ip ospf area {area}', config)
@@ -355,8 +367,10 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
vrf = 'blue'
vrf_base = ['vrf', 'name', vrf]
vrf_iface = 'eth1'
+ area = '1'
+
self.cli_set(vrf_base + ['table', table])
- self.cli_set(vrf_base + ['protocols', 'ospf', 'interface', vrf_iface])
+ self.cli_set(vrf_base + ['protocols', 'ospf', 'interface', vrf_iface, 'area', area])
self.cli_set(['interfaces', 'ethernet', vrf_iface, 'vrf', vrf])
# Also set a default VRF OSPF config
@@ -364,16 +378,31 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' auto-cost reference-bandwidth 100', frrconfig)
self.assertIn(f' timers throttle spf 200 1000 10000', frrconfig) # defaults
- frrconfig = self.getFRRconfig(f'router ospf vrf {vrf}')
+ frrconfig = self.getFRRconfig(f'router ospf vrf {vrf}', daemon=PROCESS_NAME)
self.assertIn(f'router ospf vrf {vrf}', frrconfig)
self.assertIn(f' auto-cost reference-bandwidth 100', frrconfig)
self.assertIn(f' timers throttle spf 200 1000 10000', frrconfig) # defaults
+ frrconfig = self.getFRRconfig(f'interface {vrf_iface}', daemon=PROCESS_NAME)
+ self.assertIn(f'interface {vrf_iface}', frrconfig)
+ self.assertIn(f' ip ospf area {area}', frrconfig)
+
+ # T5467: Remove interface from OSPF process and VRF
+ self.cli_delete(vrf_base + ['protocols', 'ospf', 'interface'])
+ self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf'])
+ self.cli_commit()
+
+ # T5467: It must also be removed from FRR config
+ frrconfig = self.getFRRconfig(f'interface {vrf_iface}', daemon=PROCESS_NAME)
+ self.assertNotIn(f'interface {vrf_iface}', frrconfig)
+ # There should be no OSPF related command at all under the interface
+ self.assertNotIn(f' ip ospf', frrconfig)
+
# cleanup
self.cli_delete(['vrf', 'name', vrf])
self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf'])
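Review bot: The `# cleanup` block at the end of this hunk deletes `['interfaces', 'ethernet', vrf_iface, 'vrf']` a second time, although the added T5467 block has already deleted and committed that path. The second delete can be dropped, leaving `self.cli_delete(['vrf', 'name', vrf])` as the only cleanup step. The new `assertNotIn` checks also sit between the configuration and the cleanup, so a T5467 regression would leave VRF `blue` configured for the tests that follow. Putting the verification in a `try:` with the cleanup under `finally:` would avoid that. The test method starts outside the hunk, and the `@@ -265,18 +274,29 @@` hunk in test_protocols_ospfv3.py has the same shape.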
@@ -385,7 +414,6 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
area = '0.0.0.10'
network = '10.0.0.0/8'
-
self.cli_set(['policy', 'access-list', acl, 'rule', seq, 'action', 'permit'])
self.cli_set(['policy', 'access-list', acl, 'rule', seq, 'source', 'any'])
self.cli_set(['policy', 'access-list', acl, 'rule', seq, 'destination', 'any'])
@@ -396,7 +424,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' timers throttle spf 200 1000 10000', frrconfig) # default
self.assertIn(f' network {network} area {area}', frrconfig)
@@ -430,7 +458,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify all changes
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f' segment-routing on', frrconfig)
self.assertIn(f' segment-routing global-block {global_block_low} {global_block_high} local-block {local_block_low} {local_block_high}', frrconfig)
self.assertIn(f' segment-routing node-msd {maximum_stack_size}', frrconfig)
@@ -449,7 +477,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify main OSPF changes
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' timers throttle spf 200 1000 10000', frrconfig)
self.assertIn(f' mpls ldp-sync holddown {holddown}', frrconfig)
@@ -457,11 +485,12 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
for interface in interfaces:
self.cli_set(base_path + ['interface', interface, 'ldp-sync', 'holddown', holddown])
- # Commit interface changes for holddown
- self.cli_commit()
+ # Commit interface changes for holddown
+ self.cli_commit()
+ for interface in interfaces:
# Verify interface changes for holddown
- config = self.getFRRconfig(f'interface {interface}')
+ config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
self.assertIn(f'interface {interface}', config)
self.assertIn(f' ip ospf dead-interval 40', config)
self.assertIn(f' ip ospf mpls ldp-sync', config)
@@ -470,11 +499,12 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
for interface in interfaces:
self.cli_set(base_path + ['interface', interface, 'ldp-sync', 'disable'])
- # Commit interface changes for disable
- self.cli_commit()
+ # Commit interface changes for disable
+ self.cli_commit()
+ for interface in interfaces:
# Verify interface changes for disable
- config = self.getFRRconfig(f'interface {interface}')
+ config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
self.assertIn(f'interface {interface}', config)
self.assertIn(f' ip ospf dead-interval 40', config)
self.assertIn(f' no ip ospf mpls ldp-sync', config)
@@ -496,7 +526,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf')
+ frrconfig = self.getFRRconfig('router ospf', daemon=PROCESS_NAME)
self.assertIn(f'router ospf', frrconfig)
self.assertIn(f' capability opaque', frrconfig)
self.assertIn(f' graceful-restart grace-period {period}', frrconfig)
diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py
index 64dfa18db..0d6c6c691 100755
--- a/smoketest/scripts/cli/test_protocols_ospfv3.py
+++ b/smoketest/scripts/cli/test_protocols_ospfv3.py
@@ -74,7 +74,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
self.assertIn(f' area {default_area} range {prefix}', frrconfig)
self.assertIn(f' ospf6 router-id {router_id}', frrconfig)
@@ -82,7 +82,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.assertIn(f' area {default_area} export-list {acl_name}', frrconfig)
for interface in interfaces:
- if_config = self.getFRRconfig(f'interface {interface}', daemon='ospf6d')
+ if_config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
self.assertIn(f'ipv6 ospf6 area {default_area}', if_config)
self.cli_delete(['policy', 'access-list6', acl_name])
@@ -103,7 +103,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
self.assertIn(f' distance {dist_global}', frrconfig)
self.assertIn(f' distance ospf6 intra-area {dist_intra_area} inter-area {dist_inter_area} external {dist_external}', frrconfig)
@@ -123,7 +123,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
for protocol in redistribute:
self.assertIn(f' redistribute {protocol} route-map {route_map}', frrconfig)
@@ -154,13 +154,13 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
cost = '100'
priority = '10'
for interface in interfaces:
- if_config = self.getFRRconfig(f'interface {interface}', daemon='ospf6d')
+ if_config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
self.assertIn(f'interface {interface}', if_config)
self.assertIn(f' ipv6 ospf6 bfd', if_config)
self.assertIn(f' ipv6 ospf6 bfd profile {bfd_profile}', if_config)
@@ -172,6 +172,15 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
cost = str(int(cost) + 10)
priority = str(int(priority) + 5)
+ # Cleanup interfaces
+ self.cli_delete(base_path + ['interface'])
+ self.cli_commit()
+
+ for interface in interfaces:
+ if_config = self.getFRRconfig(f'interface {interface}', daemon=PROCESS_NAME)
+ # There should be no OSPF6 configuration at all after interface removal
+ self.assertNotIn(f' ipv6 ospf6', if_config)
+
def test_ospfv3_05_area_stub(self):
area_stub = '23'
@@ -184,7 +193,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
self.assertIn(f' area {area_stub} stub', frrconfig)
self.assertIn(f' area {area_stub_nosum} stub no-summary', frrconfig)
@@ -210,7 +219,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
self.assertIn(f' area {area_nssa} nssa', frrconfig)
self.assertIn(f' area {area_nssa_nosum} nssa default-information-originate no-summary', frrconfig)
@@ -230,7 +239,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
self.assertIn(f' default-information originate metric {metric} metric-type {metric_type} route-map {route_map}', frrconfig)
@@ -239,7 +248,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f' default-information originate always metric {metric} metric-type {metric_type} route-map {route_map}', frrconfig)
@@ -265,18 +274,29 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6', daemon='ospf6d')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
self.assertIn(f' ospf6 router-id {router_id}', frrconfig)
- frrconfig = self.getFRRconfig(f'interface {vrf_iface}', daemon='ospf6d')
+ frrconfig = self.getFRRconfig(f'interface {vrf_iface}', daemon=PROCESS_NAME)
self.assertIn(f'interface {vrf_iface}', frrconfig)
self.assertIn(f' ipv6 ospf6 bfd', frrconfig)
- frrconfig = self.getFRRconfig(f'router ospf6 vrf {vrf}', daemon='ospf6d')
+ frrconfig = self.getFRRconfig(f'router ospf6 vrf {vrf}', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6 vrf {vrf}', frrconfig)
self.assertIn(f' ospf6 router-id {router_id_vrf}', frrconfig)
+ # T5467: Remove interface from OSPF process and VRF
+ self.cli_delete(vrf_base + ['protocols', 'ospfv3', 'interface'])
+ self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf'])
+ self.cli_commit()
+
+ # T5467: It must also be removed from FRR config
+ frrconfig = self.getFRRconfig(f'interface {vrf_iface}', daemon=PROCESS_NAME)
+ self.assertNotIn(f'interface {vrf_iface}', frrconfig)
+ # There should be no OSPF related command at all under the interface
+ self.assertNotIn(f' ipv6 ospf6', frrconfig)
+
# cleanup
self.cli_delete(['vrf', 'name', vrf])
self.cli_delete(['interfaces', 'ethernet', vrf_iface, 'vrf'])
@@ -298,7 +318,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Verify FRR ospfd configuration
- frrconfig = self.getFRRconfig('router ospf6')
+ frrconfig = self.getFRRconfig('router ospf6', daemon=PROCESS_NAME)
self.assertIn(f'router ospf6', frrconfig)
self.assertIn(f' graceful-restart grace-period {period}', frrconfig)
self.assertIn(f' graceful-restart helper planned-only', frrconfig)
diff --git a/smoketest/scripts/cli/test_service_dns_dynamic.py b/smoketest/scripts/cli/test_service_dns_dynamic.py
index f6c42e8c9..ee8a07b37 100755
--- a/smoketest/scripts/cli/test_service_dns_dynamic.py
+++ b/smoketest/scripts/cli/test_service_dns_dynamic.py
@@ -14,7 +14,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import re
import os
import unittest
import tempfile
@@ -34,13 +33,6 @@ zone = 'vyos.io'
password = 'paSS_@4ord'
interface = 'eth0'
-
-def get_config_value(key):
- tmp = cmd(f'sudo cat {DDCLIENT_CONF}')
- vals = re.findall(r'\n?{}=([.-@_A-Za-z0-9]+),? \\'.format(key), tmp)
- return vals[0] if vals else ''
-
-
class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
def tearDown(self):
# Check for running process
@@ -54,45 +46,54 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
self.assertFalse(os.path.exists(DDCLIENT_PID))
# IPv4 standard DDNS service configuration
- def test_dyndns_service_standard(self):
+ def test_01_dyndns_service_standard(self):
ddns = ['address', interface, 'service']
services = {'cloudflare': {'protocol': 'cloudflare'},
'freedns': {'protocol': 'freedns', 'username': 'vyos_user'},
'zoneedit': {'protocol': 'zoneedit1', 'username': 'vyos_user'}}
for svc, details in services.items():
+ # Always start with a clean CLI instance
self.cli_delete(base_path)
+
self.cli_set(base_path + ddns + [svc, 'host-name', hostname])
- for opt, value in details.items():
- self.cli_set(base_path + ddns + [svc, opt, value])
self.cli_set(base_path + ddns + [svc, 'password', password])
self.cli_set(base_path + ddns + [svc, 'zone', zone])
+ for opt, value in details.items():
+ self.cli_set(base_path + ddns + [svc, opt, value])
# commit changes
if details['protocol'] == 'cloudflare':
- self.cli_commit()
+ pass
else:
# zone option does not work on all protocols, an exception is
# raised for all others
with self.assertRaises(ConfigSessionError):
self.cli_commit()
self.cli_delete(base_path + ddns + [svc, 'zone', zone])
- # commit changes again - now it should work
- self.cli_commit()
+
+ # commit changes
+ self.cli_commit()
# Check the generating config parameters
- self.assertEqual(get_config_value('use'), 'if')
- self.assertEqual(get_config_value('if'), interface)
- self.assertEqual(get_config_value('password'), password)
+ ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
+ # default value 300 seconds
+ self.assertIn(f'daemon=300', ddclient_conf)
+ self.assertIn(f'use=if', ddclient_conf)
+ self.assertIn(f'if={interface}', ddclient_conf)
+ self.assertIn(f'password={password}', ddclient_conf)
for opt in details.keys():
if opt == 'username':
- self.assertEqual(get_config_value('login'), details[opt])
+ login = details[opt]
+ self.assertIn(f'login={login}', ddclient_conf)
else:
- self.assertEqual(get_config_value(opt), details[opt])
+ tmp = details[opt]
+ self.assertIn(f'{opt}={tmp}', ddclient_conf)
# IPv6 only DDNS service configuration
- def test_dyndns_service_ipv6(self):
+ def test_02_dyndns_service_ipv6(self):
+ timeout = '60'
ddns = ['address', interface, 'service', 'dynv6']
proto = 'dyndns2'
user = 'none'
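Review bot: The new `assertIn` checks are unanchored substring matches, so they are weaker than the removed `get_config_value()` comparison. `self.assertIn(f'daemon=300', ddclient_conf)` also passes for `daemon=3000`, and `f'if={interface}'` passes for `if=eth0.10`. Each service is now checked against the whole file rather than one extracted value, so matching on the delimiter the template emits would restore exactness, e.g. `self.assertIn(f'if={interface},', ddclient_conf)`. The removed regex suggests a trailing `,` or ` \`, but the template is not visible here. In the same hunk, `if details['protocol'] == 'cloudflare': pass` with an `else:` reads better inverted as `if details['protocol'] != 'cloudflare':`. The hunks `@@ -111,15 +113,17 @@`, `@@ -127,30 +131,35 @@` and `@@ -170,14 +179,14 @@` use the same substring pattern, and `test_02_dyndns_service_ipv6` continues outside this hunk.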
@@ -100,6 +101,7 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
srv = 'ddns.vyos.io'
ip_version = 'ipv6'
+ self.cli_set(base_path + ['timeout', timeout])
self.cli_set(base_path + ddns + ['ip-version', ip_version])
self.cli_set(base_path + ddns + ['protocol', proto])
self.cli_set(base_path + ddns + ['server', srv])
@@ -111,15 +113,17 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Check the generating config parameters
- self.assertEqual(get_config_value('usev6'), 'ifv6')
- self.assertEqual(get_config_value('ifv6'), interface)
- self.assertEqual(get_config_value('protocol'), proto)
- self.assertEqual(get_config_value('server'), srv)
- self.assertEqual(get_config_value('login'), user)
- self.assertEqual(get_config_value('password'), password)
+ ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
+ self.assertIn(f'daemon={timeout}', ddclient_conf)
+ self.assertIn(f'usev6=ifv6', ddclient_conf)
+ self.assertIn(f'ifv6={interface}', ddclient_conf)
+ self.assertIn(f'protocol={proto}', ddclient_conf)
+ self.assertIn(f'server={srv}', ddclient_conf)
+ self.assertIn(f'login={user}', ddclient_conf)
+ self.assertIn(f'password={password}', ddclient_conf)
# IPv4+IPv6 dual DDNS service configuration
- def test_dyndns_service_dual_stack(self):
+ def test_03_dyndns_service_dual_stack(self):
ddns = ['address', interface, 'service']
services = {'cloudflare': {'protocol': 'cloudflare', 'zone': 'vyos.io'},
'freedns': {'protocol': 'freedns', 'username': 'vyos_user'}}
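Review bot: The test now asserts that `password={password}` is stored in clear text in `DDCLIENT_CONF`, but nothing pins who can read that file. Because the file is read through `sudo cat`, it is presumably meant to be root-only, and a regression in the generated file mode would go unnoticed. A check such as `self.assertEqual(cmd(f'sudo stat -c %a {DDCLIENT_CONF}')[-2:], '00')` would assert that group and other have no access. The expected mode is not visible on this page, so confirm it against the template or the service unit first.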
@@ -127,30 +131,35 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
ip_version = 'both'
for svc, details in services.items():
+ # Always start with a clean CLI instance
self.cli_delete(base_path)
+
self.cli_set(base_path + ddns + [svc, 'host-name', hostname])
- for opt, value in details.items():
- self.cli_set(base_path + ddns + [svc, opt, value])
self.cli_set(base_path + ddns + [svc, 'password', password])
self.cli_set(base_path + ddns + [svc, 'ip-version', ip_version])
+ for opt, value in details.items():
+ self.cli_set(base_path + ddns + [svc, opt, value])
# commit changes
self.cli_commit()
# Check the generating config parameters
- self.assertEqual(get_config_value('usev4'), 'ifv4')
- self.assertEqual(get_config_value('usev6'), 'ifv6')
- self.assertEqual(get_config_value('ifv4'), interface)
- self.assertEqual(get_config_value('ifv6'), interface)
- self.assertEqual(get_config_value('password'), password)
+ ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
+ self.assertIn(f'usev4=ifv4', ddclient_conf)
+ self.assertIn(f'usev6=ifv6', ddclient_conf)
+ self.assertIn(f'ifv4={interface}', ddclient_conf)
+ self.assertIn(f'ifv6={interface}', ddclient_conf)
+ self.assertIn(f'password={password}', ddclient_conf)
for opt in details.keys():
if opt == 'username':
- self.assertEqual(get_config_value('login'), details[opt])
+ login = details[opt]
+ self.assertIn(f'login={login}', ddclient_conf)
else:
- self.assertEqual(get_config_value(opt), details[opt])
+ tmp = details[opt]
+ self.assertIn(f'{opt}={tmp}', ddclient_conf)
- def test_dyndns_rfc2136(self):
+ def test_04_dyndns_rfc2136(self):
# Check if DDNS service can be configured and runs
ddns = ['address', interface, 'rfc2136', 'vyos']
srv = 'ns1.vyos.io'
@@ -170,14 +179,14 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
# Check some generating config parameters
- self.assertEqual(get_config_value('use'), 'if')
- self.assertEqual(get_config_value('if'), interface)
- self.assertEqual(get_config_value('protocol'), 'nsupdate')
- self.assertEqual(get_config_value('server'), srv)
- self.assertEqual(get_config_value('zone'), zone)
- self.assertEqual(get_config_value('password'), key_file.name)
- self.assertEqual(get_config_value('ttl'), ttl)
-
+ ddclient_conf = cmd(f'sudo cat {DDCLIENT_CONF}')
+ self.assertIn(f'use=if', ddclient_conf)
+ self.assertIn(f'if={interface}', ddclient_conf)
+ self.assertIn(f'protocol=nsupdate', ddclient_conf)
+ self.assertIn(f'server={srv}', ddclient_conf)
+ self.assertIn(f'zone={zone}', ddclient_conf)
+ self.assertIn(f'password={key_file.name}', ddclient_conf)
+ self.assertIn(f'ttl={ttl}', ddclient_conf)
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py
new file mode 100755
index 000000000..7cc661688
--- /dev/null
+++ b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+from vyos.configsession import ConfigSessionError
+from vyos.utils.process import process_named_running
+from vyos.utils.file import read_file
+
+
+PROCESS_NAME = 'zabbix_agent2'
+ZABBIX_AGENT_CONF = '/run/zabbix/zabbix-agent2.conf'
+base_path = ['service', 'monitoring', 'zabbix-agent']
+
+
+class TestZabbixAgent(VyOSUnitTestSHIM.TestCase):
+ def tearDown(self):
+ # Check for running process
+ self.assertTrue(process_named_running(PROCESS_NAME))
+
+ self.cli_delete(base_path)
+ self.cli_commit()
+
+ # Process must be terminated after deleting the config
+ self.assertFalse(process_named_running(PROCESS_NAME))
+
+ def test_01_zabbix_agent(self):
+ directory = '/tmp'
+ buffer_send = '8'
+ buffer_size = '120'
+ log_level = {'warning': '3'}
+ log_size = '1'
+ servers = ['192.0.2.1', '2001:db8::1']
+ servers_active = {'192.0.2.5': {'port': '10051'}, '2001:db8::123': {'port': '10052'}}
+ port = '10050'
+ timeout = '5'
+ listen_ip = '0.0.0.0'
+
+ self.cli_set(base_path + ['directory', directory])
+ self.cli_set(base_path + ['limits', 'buffer-flush-interval', buffer_send])
+ self.cli_set(base_path + ['limits', 'buffer-size', buffer_size])
+ self.cli_set(base_path + ['log', 'debug-level', next(iter(log_level))])
+ self.cli_set(base_path + ['log', 'size', log_size])
+ for server in servers:
+ self.cli_set(base_path + ['server', server])
+ for server_active, server_config in servers_active.items():
+ self.cli_set(base_path + ['server-active', server_active, 'port', server_config['port']])
+ self.cli_set(base_path + ['timeout', timeout])
+
+ # commit changes
+ self.cli_commit()
+
+ config = read_file(ZABBIX_AGENT_CONF)
+
+ self.assertIn(f'LogFileSize={log_size}', config)
+ self.assertIn(f'DebugLevel={log_level.get("warning")}', config)
+
+ self.assertIn(f'Server={",".join(sorted(servers))}', config)
+ tmp = 'ServerActive=192.0.2.5:10051,[2001:db8::123]:10052'
+ self.assertIn(tmp, config)
+
+ self.assertIn(f'ListenPort={port}', config)
+ self.assertIn(f'ListenIP={listen_ip}', config)
+ self.assertIn(f'BufferSend={buffer_send}', config)
+ self.assertIn(f'BufferSize={buffer_size}', config)
+ self.assertIn(f'Include={directory}/*.conf', config)
+ self.assertIn(f'Timeout={timeout}', config)
+
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
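Review bot: `directory = '/tmp'` makes the generated agent configuration carry `Include=/tmp/*.conf`, which points the agent at a world-writable directory where any local account on the test host can place files it will load. A directory created for the test would avoid this, for example one from `tempfile.mkdtemp()` that is removed in `tearDown`, provided the agent's user can still read it. `port` and `listen_ip` are never set through `cli_set`, so `ListenPort=10050` and `ListenIP=0.0.0.0` are pinned template defaults. A comment such as `# defaults: not set via CLI, agent listens on all IPv4 addresses` would make that explicit. `import os` and `from vyos.configsession import ConfigSessionError` are unused in this file.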
diff --git a/smoketest/scripts/cli/test_system_ipv6.py b/smoketest/scripts/cli/test_system_ipv6.py
index b540be9ff..978af3766 100755
--- a/smoketest/scripts/cli/test_system_ipv6.py
+++ b/smoketest/scripts/cli/test_system_ipv6.py
@@ -22,7 +22,7 @@ from vyos.configsession import ConfigSessionError
from vyos.template import is_ipv4
from vyos.utils.file import read_file
from vyos.utils.network import get_interface_config
-from vyos.validate import is_intf_addr_assigned
+from vyos.utils.network import is_intf_addr_assigned
base_path = ['system', 'ipv6']
diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py
index 932f7b4f1..5fb599a87 100755
--- a/smoketest/scripts/cli/test_vrf.py
+++ b/smoketest/scripts/cli/test_vrf.py
@@ -29,7 +29,7 @@ from vyos.template import is_ipv4
from vyos.utils.process import cmd
from vyos.utils.file import read_file
from vyos.utils.network import get_interface_config
-from vyos.validate import is_intf_addr_assigned
+from vyos.utils.network import is_intf_addr_assigned
base_path = ['vrf']
vrfs = ['red', 'green', 'blue', 'foo-bar', 'baz_foo']
@@ -47,9 +47,8 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
tmp = os.environ['TEST_ETH'].split()
cls._interfaces = tmp
else:
- for tmp in Section.interfaces('ethernet'):
- if not '.' in tmp:
- cls._interfaces.append(tmp)
+ for tmp in Section.interfaces('ethernet', vlan=False):
+ cls._interfaces.append(tmp)
# call base-classes classmethod
super(VRFTest, cls).setUpClass()