3 files changed, 27 insertions, 57 deletions
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 21a04f954..e7250fb49 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -126,7 +126,7 @@ def verify(ethernet):
         if not os.path.exists(f'/sys/class/net/{ifname}/queues/rx-0/rps_cpus'):
             raise ConfigError('Interface does not suport RPS!')
 
-    driver = EthernetIf(ifname).get_driver_name()
+    driver = ethtool.get_driver_name()
     # T3342 - Xen driver requires special treatment
     if driver == 'vif':
         if int(ethernet['mtu']) > 1500 and dict_search('offload.sg', ethernet) == None:
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6be4e918b..02b7f83bf 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -45,9 +45,10 @@ from vyos.template import is_ipv4
 from vyos.template import is_ipv6
 from vyos.util import call
 from vyos.util import chown
-from vyos.util import chmod_600
 from vyos.util import dict_search
 from vyos.util import dict_search_args
+from vyos.util import makedir
+from vyos.util import write_file
 from vyos.validate import is_addr_assigned
 
 from vyos import ConfigError
@@ -80,9 +81,6 @@ def get_config(config=None):
         openvpn['pki'] = tmp_pki
 
     openvpn['auth_user_pass_file'] = '/run/openvpn/{ifname}.pw'.format(**openvpn)
-    openvpn['daemon_user'] = user
-    openvpn['daemon_group'] = group
-
     return openvpn
 
 def is_ec_private_key(pki, cert_name):
@@ -128,7 +126,7 @@ def verify_pki(openvpn):
         if tls['ca_certificate'] not in pki['ca']:
             raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
 
-        if not (mode == 'client' and 'auth_key' in tls):
+        if mode != 'client' and 'auth_key' not in tls:
             if 'certificate' not in tls:
                 raise ConfigError(f'Missing "tls certificate" on openvpn interface {interface}')
 
@@ -449,7 +447,6 @@ def verify(openvpn):
 
 def generate_pki_files(openvpn):
     pki = openvpn['pki']
-
     if not pki:
         return None
 
@@ -457,16 +454,11 @@ def generate_pki_files(openvpn):
     shared_secret_key = dict_search_args(openvpn, 'shared_secret_key')
     tls = dict_search_args(openvpn, 'tls')
 
-    files = []
-
     if shared_secret_key:
         pki_key = pki['openvpn']['shared_secret'][shared_secret_key]
         key_path = os.path.join(cfg_dir, f'{interface}_shared.key')
-
-        with open(key_path, 'w') as f:
-            f.write(wrap_openvpn_key(pki_key['key']))
-
-        files.append(key_path)
+        write_file(key_path, wrap_openvpn_key(pki_key['key']),
+                   user=user, group=group)
 
     if tls:
         if 'ca_certificate' in tls:
@@ -475,20 +467,15 @@ def generate_pki_files(openvpn):
 
             if 'certificate' in pki_ca:
                 cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem')
-
-                with open(cert_path, 'w') as f:
-                    f.write(wrap_certificate(pki_ca['certificate']))
-
-                files.append(cert_path)
+                write_file(cert_path, wrap_certificate(pki_ca['certificate']),
+                           user=user, group=group, mode=0o600)
 
             if 'crl' in pki_ca:
                 for crl in pki_ca['crl']:
                     crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem')
+                    write_file(crl_path, wrap_crl(crl), user=user, group=group,
+                               mode=0o600)
 
-                    with open(crl_path, 'w') as f:
-                        f.write(wrap_crl(crl))
-
-                    files.append(crl_path)
                 openvpn['tls']['crl'] = True
 
         if 'certificate' in tls:
@@ -497,19 +484,14 @@ def generate_pki_files(openvpn):
 
             if 'certificate' in pki_cert:
                 cert_path = os.path.join(cfg_dir, f'{interface}_cert.pem')
-
-                with open(cert_path, 'w') as f:
-                    f.write(wrap_certificate(pki_cert['certificate']))
-
-                files.append(cert_path)
+                write_file(cert_path, wrap_certificate(pki_cert['certificate']),
+                           user=user, group=group, mode=0o600)
 
             if 'private' in pki_cert and 'key' in pki_cert['private']:
                 key_path = os.path.join(cfg_dir, f'{interface}_cert.key')
+                write_file(key_path, wrap_private_key(pki_cert['private']['key']),
+                           user=user, group=group, mode=0o600)
 
-                with open(key_path, 'w') as f:
-                    f.write(wrap_private_key(pki_cert['private']['key']))
-
-                files.append(key_path)
                 openvpn['tls']['private_key'] = True
 
         if 'dh_params' in tls:
@@ -518,11 +500,8 @@ def generate_pki_files(openvpn):
 
             if 'parameters' in pki_dh:
                 dh_path = os.path.join(cfg_dir, f'{interface}_dh.pem')
-
-                with open(dh_path, 'w') as f:
-                    f.write(wrap_dh_parameters(pki_dh['parameters']))
-
-                files.append(dh_path)
+                write_file(dh_path, wrap_dh_parameters(pki_dh['parameters']),
+                           user=user, group=group, mode=0o600)
 
         if 'auth_key' in tls:
             key_name = tls['auth_key']
@@ -530,11 +509,8 @@ def generate_pki_files(openvpn):
 
             if 'key' in pki_key:
                 key_path = os.path.join(cfg_dir, f'{interface}_auth.key')
-
-                with open(key_path, 'w') as f:
-                    f.write(wrap_openvpn_key(pki_key['key']))
-
-                files.append(key_path)
+                write_file(key_path, wrap_openvpn_key(pki_key['key']),
+                           user=user, group=group, mode=0o600)
 
         if 'crypt_key' in tls:
             key_name = tls['crypt_key']
@@ -542,18 +518,17 @@ def generate_pki_files(openvpn):
 
             if 'key' in pki_key:
                 key_path = os.path.join(cfg_dir, f'{interface}_crypt.key')
-
-                with open(key_path, 'w') as f:
-                    f.write(wrap_openvpn_key(pki_key['key']))
-
-                files.append(key_path)
-
-    return files
+                write_file(key_path, wrap_openvpn_key(pki_key['key']),
+                           user=user, group=group, mode=0o600)
 
 
 def generate(openvpn):
     interface = openvpn['ifname']
     directory = os.path.dirname(cfg_file.format(**openvpn))
+    # create base config directory on demand
+    makedir(directory, user, group)
+    # enforce proper permissions on /run/openvpn
+    chown(directory, user, group)
 
     # we can't know in advance which clients have been removed,
     # thus all client configs will be removed and re-added on demand
@@ -565,12 +540,10 @@ def generate(openvpn):
         return None
 
     # create client config directory on demand
-    if not os.path.exists(ccd_dir):
-        os.makedirs(ccd_dir, 0o755)
-        chown(ccd_dir, user, group)
+    makedir(ccd_dir, user, group)
 
     # Fix file permissons for keys
-    fix_permissions = generate_pki_files(openvpn)
+    generate_pki_files(openvpn)
 
     # Generate User/Password authentication file
     if 'authentication' in openvpn:
@@ -598,10 +571,6 @@ def generate(openvpn):
     render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn,
            formater=lambda _: _.replace("&quot;", '"'), user=user, group=group)
 
-    # Fixup file permissions
-    for file in fix_permissions:
-        chmod_600(file)
-
     return None
 
 def apply(openvpn):
diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py
index d56bae9e9..1a03d520b 100755
--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -190,6 +190,7 @@ def apply(policy):
     frr_cfg.modify_section(r'^bgp community-list .*')
     frr_cfg.modify_section(r'^bgp extcommunity-list .*')
     frr_cfg.modify_section(r'^bgp large-community-list .*')
+    frr_cfg.modify_section(r'^route-map .*')
     frr_cfg.add_before('^line vty', policy['new_frr_config'])
     frr_cfg.commit_configuration(bgp_daemon)