3 files changed, 47 insertions, 14 deletions

diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 4750ca3e8..280a62b9a 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -39,6 +39,8 @@ from vyos.configverify import verify_mirror_redirect
 from vyos.ifconfig import VTunIf
 from vyos.pki import load_dh_parameters
 from vyos.pki import load_private_key
+from vyos.pki import sort_ca_chain
+from vyos.pki import verify_ca_chain
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_crl
 from vyos.pki import wrap_dh_parameters
@@ -148,8 +150,14 @@ def verify_pki(openvpn):
         if 'ca_certificate' not in tls:
             raise ConfigError(f'Must specify "tls ca-certificate" on openvpn interface {interface}')
 
-        if tls['ca_certificate'] not in pki['ca']:
-            raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+        for ca_name in tls['ca_certificate']:
+            if ca_name not in pki['ca']:
+                raise ConfigError(f'Invalid CA certificate on openvpn interface {interface}')
+
+        if len(tls['ca_certificate']) > 1:
+            sorted_chain = sort_ca_chain(tls['ca_certificate'], pki['ca'])
+            if not verify_ca_chain(sorted_chain, pki['ca']):
+                raise ConfigError(f'CA certificates are not a valid chain')
 
         if mode != 'client' and 'auth_key' not in tls:
             if 'certificate' not in tls:
@@ -516,21 +524,28 @@ def generate_pki_files(openvpn):
 
     if tls:
         if 'ca_certificate' in tls:
-            cert_name = tls['ca_certificate']
-            pki_ca = pki['ca'][cert_name]
+            cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem')
+            crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem')
 
-            if 'certificate' in pki_ca:
-                cert_path = os.path.join(cfg_dir, f'{interface}_ca.pem')
-                write_file(cert_path, wrap_certificate(pki_ca['certificate']),
-                           user=user, group=group, mode=0o600)
+            if os.path.exists(cert_path):
+                os.unlink(cert_path)
+
+            if os.path.exists(crl_path):
+                os.unlink(crl_path)
+
+            for cert_name in sort_ca_chain(tls['ca_certificate'], pki['ca']):
+                pki_ca = pki['ca'][cert_name]
+
+                if 'certificate' in pki_ca:
+                    write_file(cert_path, wrap_certificate(pki_ca['certificate']) + "\n",
+                               user=user, group=group, mode=0o600, append=True)
 
-            if 'crl' in pki_ca:
-                for crl in pki_ca['crl']:
-                    crl_path = os.path.join(cfg_dir, f'{interface}_crl.pem')
-                    write_file(crl_path, wrap_crl(crl), user=user, group=group,
-                               mode=0o600)
+                if 'crl' in pki_ca:
+                    for crl in pki_ca['crl']:
+                        write_file(crl_path, wrap_crl(crl) + "\n", user=user, group=group,
+                                   mode=0o600, append=True)
 
-                openvpn['tls']['crl'] = True
+                    openvpn['tls']['crl'] = True
 
         if 'certificate' in tls:
             cert_name = tls['certificate']
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index cd46cbcb4..01f14df61 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -19,6 +19,7 @@ import os
 from sys import exit
 from sys import argv
 
+from vyos.base import Warning
 from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.configverify import verify_prefix_list
@@ -198,6 +199,9 @@ def verify(bgp):
                     if 'source_interface' in peer_config['interface']:
                         raise ConfigError(f'"source-interface" option not allowed for neighbor "{peer}"')
 
+            if 'address_family' not in peer_config:
+                Warning(f'BGP neighbor "{peer}" requires address-family!')
+
             for afi in ['ipv4_unicast', 'ipv4_multicast', 'ipv4_labeled_unicast', 'ipv4_flowspec',
                         'ipv6_unicast', 'ipv6_multicast', 'ipv6_labeled_unicast', 'ipv6_flowspec',
                         'l2vpn_evpn']:
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index 559d1bcd5..61f484129 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -53,6 +53,8 @@ default_config_data = {
     'radius_nas_ip': '',
     'radius_source_address': '',
     'radius_shaper_attr': '',
+    'radius_shaper_enable': False,
+    'radius_shaper_multiplier': '',
     'radius_shaper_vendor': '',
     'radius_dynamic_author': '',
     'thread_cnt': get_half_cpus()
@@ -196,6 +198,18 @@ def get_config(config=None):
     if conf.exists(['nas-ip-address']):
         ipoe['radius_nas_ip'] = conf.return_value(['nas-ip-address'])
 
+    if conf.exists(['rate-limit', 'attribute']):
+        ipoe['radius_shaper_attr'] = conf.return_value(['rate-limit', 'attribute'])
+
+    if conf.exists(['rate-limit', 'enable']):
+        ipoe['radius_shaper_enable'] = True
+
+    if conf.exists(['rate-limit', 'multiplier']):
+        ipoe['radius_shaper_multiplier'] = conf.return_value(['rate-limit', 'multiplier'])
+
+    if conf.exists(['rate-limit', 'vendor']):
+        ipoe['radius_shaper_vendor'] = conf.return_value(['rate-limit', 'vendor'])
+
     if conf.exists(['source-address']):
         ipoe['radius_source_address'] = conf.return_value(['source-address'])