Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/dhcp_server.py3
-rwxr-xr-xsrc/conf_mode/dns_dynamic.py12
-rwxr-xr-xsrc/conf_mode/firewall.py4
-rwxr-xr-xsrc/conf_mode/interfaces-bridge.py2
-rwxr-xr-xsrc/conf_mode/lldp.py5
-rwxr-xr-xsrc/conf_mode/nat64.py7
-rwxr-xr-xsrc/conf_mode/netns.py5
-rwxr-xr-xsrc/conf_mode/protocols_nhrp.py2
-rwxr-xr-xsrc/conf_mode/snmp.py16
9 files changed, 35 insertions, 21 deletions
diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py
index abccdb6a9..c1308cda7 100755
--- a/src/conf_mode/dhcp_server.py
+++ b/src/conf_mode/dhcp_server.py
@@ -40,6 +40,7 @@ ctrl_config_file = '/run/kea/kea-ctrl-agent.conf'
ctrl_socket = '/run/kea/dhcp4-ctrl-socket'
config_file = '/run/kea/kea-dhcp4.conf'
lease_file = '/config/dhcp4.leases'
+systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf'
ca_cert_file = '/run/kea/kea-failover-ca.pem'
cert_file = '/run/kea/kea-failover.pem'
@@ -332,6 +333,8 @@ def generate(dhcp):
dhcp['failover']['ca_cert_file'] = ca_cert_file
+ render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp)
+
render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp)
render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp)
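Review bot: The drop-in rendered to `systemd_override` in generate() only takes effect once systemd re-reads its unit files, and this diff does not touch apply(), so it is worth confirming that apply() already runs `systemctl daemon-reload` before restarting kea-ctrl-agent. It is also not visible here whether the override is removed when the DHCP server is deleted; if generate() returns early in that case, a stale `10-override.conf` may stay under /run until reboot. generate()'s body starts and ends outside the hunk, so both points are inferred rather than certain.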
diff --git a/src/conf_mode/dns_dynamic.py b/src/conf_mode/dns_dynamic.py
index 809c650d9..99fa8feee 100755
--- a/src/conf_mode/dns_dynamic.py
+++ b/src/conf_mode/dns_dynamic.py
@@ -15,7 +15,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-
+import re
from sys import exit
from vyos.base import Warning
@@ -103,6 +103,16 @@ def verify(dyndns):
raise ConfigError(f'"web-options" is applicable only when using HTTP(S) '
f'web request to obtain the IP address')
+ # Warn if using checkip.dyndns.org, as it does not support HTTPS
+ # See: https://github.com/ddclient/ddclient/issues/597
+ if 'web_options' in config:
+ if 'url' not in config['web_options']:
+ raise ConfigError(f'"url" in "web-options" {error_msg_req} '
+ f'with protocol "{config["protocol"]}"')
+ elif re.search("^(https?://)?checkip\.dyndns\.org", config['web_options']['url']):
+ Warning(f'"checkip.dyndns.org" does not support HTTPS requests for IP address '
+ f'lookup. Please use a different IP address lookup service.')
+
# RFC2136 uses 'key' instead of 'password'
if config['protocol'] != 'nsupdate' and 'password' not in config:
raise ConfigError(f'"password" {error_msg_req}')
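Review bot: The pattern passed to `re.search` is a normal string containing `\.`, an invalid escape sequence that newer Python versions warn about; write it as a raw string, `re.search(r'^(https?://)?checkip\.dyndns\.org', config['web_options']['url'])`. The comment above the block only mentions a warning, but the first branch now raises `ConfigError` when `url` is missing, so the comment should say that too. The check is also specific to one host: any `http://` lookup URL lets an on-path party alter the reported address that is then pushed into DNS, so a general warning for non-HTTPS `url` values would cover the same risk. verify() continues outside the hunk.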
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index ceed0cf31..da6724fde 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -23,7 +23,7 @@ from sys import exit
from vyos.base import Warning
from vyos.config import Config
-from vyos.configdict import node_changed
+from vyos.configdict import is_node_changed
from vyos.configdiff import get_config_diff, Diff
from vyos.configdep import set_dependents, call_dependents
from vyos.configverify import verify_interface_exists
@@ -133,7 +133,7 @@ def get_config(config=None):
with_recursive_defaults=True)
- firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
+ firewall['group_resync'] = bool('group' in firewall or is_node_changed(conf, base + ['group']))
if firewall['group_resync']:
# Update nat and policy-route as firewall groups were updated
set_dependents('group_resync', conf)
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py
index 31508a3c5..29991e2da 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces-bridge.py
@@ -49,7 +49,7 @@ def get_config(config=None):
ifname, bridge = get_interface_dict(conf, base)
# determine which members have been removed
- tmp = node_changed(conf, base + [ifname, 'member', 'interface'], key_mangling=('-', '_'))
+ tmp = node_changed(conf, base + [ifname, 'member', 'interface'])
if tmp:
if 'member' in bridge:
bridge['member'].update({'interface_remove' : tmp })
diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py
index c2e87d171..3c647a0e8 100755
--- a/src/conf_mode/lldp.py
+++ b/src/conf_mode/lldp.py
@@ -86,9 +86,9 @@ def verify(lldp):
raise ConfigError(f'Must define both longitude and latitude for "{interface}" location!')
# check options
- if 'snmp' in lldp and 'enable' in lldp['snmp']:
+ if 'snmp' in lldp:
if 'system_snmp_enabled' not in lldp:
- raise ConfigError('SNMP must be configured to enable LLDP SNMP')
+ raise ConfigError('SNMP must be configured to enable LLDP SNMP!')
def generate(lldp):
@@ -121,4 +121,3 @@ if __name__ == '__main__':
except ConfigError as e:
print(e)
exit(1)
-
diff --git a/src/conf_mode/nat64.py b/src/conf_mode/nat64.py
index a8b90fb11..6026c61d0 100755
--- a/src/conf_mode/nat64.py
+++ b/src/conf_mode/nat64.py
@@ -148,6 +148,11 @@ def generate(nat64) -> None:
if dict_search("translation.pool", instance):
pool4 = []
+ # mark
+ mark = ''
+ if dict_search("match.mark", instance):
+ mark = instance["match"]["mark"]
+
for pool in instance["translation"]["pool"].values():
if "disable" in pool:
continue
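Review bot: The `# mark` comment and the four-line lookup can be a single call, `mark = dict_search("match.mark", instance)`, since the later `if mark:` test treats a missing value and an empty string the same way. In the second hunk, `obj["mark"] = int(mark)` raises an unhandled `ValueError` if the value is not a plain decimal string. That is fine if the CLI definition already constrains it, but the constraint is not visible here, so a comment stating it would help. generate()'s body extends beyond both hunks.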
@@ -159,6 +164,8 @@ def generate(nat64) -> None:
"prefix": pool["address"],
"port range": pool["port"],
}
+ if mark:
+ obj["mark"] = int(mark)
if "description" in pool:
obj["comment"] = pool["description"]
diff --git a/src/conf_mode/netns.py b/src/conf_mode/netns.py
index 95ab83dbc..7cee33bc6 100755
--- a/src/conf_mode/netns.py
+++ b/src/conf_mode/netns.py
@@ -77,8 +77,8 @@ def verify(netns):
if 'netns_remove' in netns:
for name, config in netns['netns_remove'].items():
if 'interface' in config:
- raise ConfigError(f'Can not remove NETNS "{name}", it still has '\
- f'member interfaces!')
+ raise ConfigError(f'Can not remove network namespace "{name}", it '\
+ f'still has member interfaces!')
if 'name' in netns:
for name, config in netns['name'].items():
@@ -87,7 +87,6 @@ def verify(netns):
return None
-
def generate(netns):
if not netns:
return None
diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py
index 5ec0bc9e5..c339c6391 100755
--- a/src/conf_mode/protocols_nhrp.py
+++ b/src/conf_mode/protocols_nhrp.py
@@ -37,7 +37,7 @@ def get_config(config=None):
nhrp = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
- nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel'], key_mangling=('-', '_'))
+ nhrp['del_tunnels'] = node_changed(conf, base + ['tunnel'])
if not conf.exists(base):
return nhrp
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index d2ed5414f..6565ffd60 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2021 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -54,7 +54,7 @@ def get_config(config=None):
if not conf.exists(base):
snmp.update({'deleted' : ''})
- if conf.exists(['service', 'lldp', 'snmp', 'enable']):
+ if conf.exists(['service', 'lldp', 'snmp']):
snmp.update({'lldp_snmp' : ''})
if 'deleted' in snmp:
@@ -86,7 +86,7 @@ def get_config(config=None):
return snmp
def verify(snmp):
- if not snmp:
+ if 'deleted' in snmp:
return None
if {'deleted', 'lldp_snmp'} <= set(snmp):
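Review bot: With the new early return `if 'deleted' in snmp: return None` at the top of verify(), the next check, `if {'deleted', 'lldp_snmp'} <= set(snmp):`, can never be true, because it needs the same `deleted` key that has just caused the return. Before this change a dict holding `deleted` and `lldp_snmp` was non-empty and reached that check. Its body is outside the hunk, but it presumably rejects removing SNMP while LLDP SNMP is still configured. Move the `{'deleted', 'lldp_snmp'}` check above the early return so that guard keeps working.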
@@ -178,8 +178,6 @@ def verify(snmp):
return None
def generate(snmp):
-
- #
# As we are manipulating the snmpd user database we have to stop it first!
# This is even save if service is going to be removed
call(f'systemctl stop {systemd_service}')
@@ -190,7 +188,7 @@ def generate(snmp):
if os.path.isfile(file):
os.unlink(file)
- if not snmp:
+ if 'deleted' in snmp:
return None
if 'v3' in snmp:
@@ -244,7 +242,7 @@ def apply(snmp):
# Always reload systemd manager configuration
call('systemctl daemon-reload')
- if not snmp:
+ if 'deleted' in snmp:
return None
# start SNMP daemon
@@ -256,9 +254,7 @@ def apply(snmp):
# Following daemons from FRR 9.0/stable have SNMP module compiled in VyOS
frr_daemons_list = ['zebra', 'bgpd', 'ospf6d', 'ospfd', 'ripd', 'isisd', 'ldpd']
for frr_daemon in frr_daemons_list:
- call(
- f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null'
- )
+ call(f'vtysh -c "configure terminal" -d {frr_daemon} -c "agentx" >/dev/null')
return None