summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/bcast_relay.py135
-rwxr-xr-xsrc/conf_mode/host_name.py17
-rwxr-xr-xsrc/conf_mode/interfaces-bonding.py439
-rwxr-xr-xsrc/conf_mode/interfaces-bridge.py411
-rwxr-xr-xsrc/conf_mode/interfaces-dummy.py32
-rwxr-xr-xsrc/conf_mode/interfaces-ethernet.py296
-rwxr-xr-xsrc/conf_mode/interfaces-geneve.py133
-rwxr-xr-xsrc/conf_mode/interfaces-l2tpv3.py260
-rwxr-xr-xsrc/conf_mode/interfaces-loopback.py30
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py61
-rwxr-xr-xsrc/conf_mode/interfaces-pppoe.py49
-rwxr-xr-xsrc/conf_mode/interfaces-pseudo-ethernet.py217
-rwxr-xr-xsrc/conf_mode/interfaces-vxlan.py253
-rwxr-xr-xsrc/conf_mode/interfaces-wireguard.py334
-rwxr-xr-xsrc/conf_mode/interfaces-wireless.py688
-rwxr-xr-xsrc/conf_mode/interfaces-wirelessmodem.py54
-rwxr-xr-xsrc/conf_mode/nat.py33
-rwxr-xr-xsrc/conf_mode/service_ipoe-server.py8
-rwxr-xr-xsrc/conf_mode/service_mdns-repeater.py (renamed from src/conf_mode/mdns_repeater.py)52
-rwxr-xr-xsrc/conf_mode/service_pppoe-server.py6
-rwxr-xr-xsrc/conf_mode/service_router-advert.py167
-rwxr-xr-xsrc/conf_mode/snmp.py146
-rwxr-xr-xsrc/conf_mode/ssh.py4
-rwxr-xr-xsrc/conf_mode/system-login.py2
-rwxr-xr-xsrc/conf_mode/system-options.py104
-rwxr-xr-xsrc/conf_mode/vpn_l2tp.py6
-rwxr-xr-xsrc/conf_mode/vpn_pptp.py6
-rwxr-xr-xsrc/conf_mode/vpn_sstp.py6
28 files changed, 893 insertions, 3056 deletions
diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py
index 5c7294296..a3e141a00 100755
--- a/src/conf_mode/bcast_relay.py
+++ b/src/conf_mode/bcast_relay.py
@@ -15,151 +15,84 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-import fnmatch
+from glob import glob
+from netifaces import interfaces
from sys import exit
-from copy import deepcopy
from vyos.config import Config
-from vyos import ConfigError
from vyos.util import call
from vyos.template import render
-
+from vyos import ConfigError
from vyos import airbag
airbag.enable()
-config_file = r'/etc/default/udp-broadcast-relay'
-
-default_config_data = {
- 'disabled': False,
- 'instances': []
-}
+config_file_base = r'/etc/default/udp-broadcast-relay'
def get_config():
- relay = deepcopy(default_config_data)
conf = Config()
base = ['service', 'broadcast-relay']
- if not conf.exists(base):
- return None
- else:
- conf.set_level(base)
-
- # Service can be disabled by user
- if conf.exists('disable'):
- relay['disabled'] = True
- return relay
-
- # Parse configuration of each individual instance
- if conf.exists('id'):
- for id in conf.list_nodes('id'):
- conf.set_level(base + ['id', id])
- config = {
- 'id': id,
- 'disabled': False,
- 'address': '',
- 'description': '',
- 'interfaces': [],
- 'port': ''
- }
-
- # Check if individual broadcast relay service is disabled
- if conf.exists(['disable']):
- config['disabled'] = True
-
- # Source IP of forwarded packets, if empty original senders address is used
- if conf.exists(['address']):
- config['address'] = conf.return_value(['address'])
-
- # A description for each individual broadcast relay service
- if conf.exists(['description']):
- config['description'] = conf.return_value(['description'])
-
- # UDP port to listen on for broadcast frames
- if conf.exists(['port']):
- config['port'] = conf.return_value(['port'])
-
- # Network interfaces to listen on for broadcast frames to be relayed
- if conf.exists(['interface']):
- config['interfaces'] = conf.return_values(['interface'])
-
- relay['instances'].append(config)
-
+ relay = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
return relay
def verify(relay):
- if relay is None:
- return None
-
- if relay['disabled']:
+ if not relay or 'disabled' in relay:
return None
- for r in relay['instances']:
+ for instance, config in relay.get('id', {}).items():
# we don't have to check this instance when it's disabled
- if r['disabled']:
+ if 'disabled' in config:
continue
# we certainly require a UDP port to listen to
- if not r['port']:
- raise ConfigError('UDP broadcast relay "{0}" requires a port number'.format(r['id']))
+ if 'port' not in config:
+ raise ConfigError(f'Port number mandatory for udp broadcast relay "{instance}"')
+ # if only oone interface is given it's a string -> move to list
+ if isinstance(config.get('interface', []), str):
+ config['interface'] = [ config['interface'] ]
# Relaying data without two interface is kinda senseless ...
- if len(r['interfaces']) < 2:
- raise ConfigError('UDP broadcast relay "id {0}" requires at least 2 interfaces'.format(r['id']))
+ if len(config.get('interface', [])) < 2:
+ raise ConfigError('At least two interfaces are required for udp broadcast relay "{instance}"')
- return None
+ for interface in config.get('interface', []):
+ if interface not in interfaces():
+ raise ConfigError('Interface "{interface}" does not exist!')
+ return None
def generate(relay):
- if relay is None:
+ if not relay or 'disabled' in relay:
return None
- config_dir = os.path.dirname(config_file)
- config_filename = os.path.basename(config_file)
- active_configs = []
-
- for config in fnmatch.filter(os.listdir(config_dir), config_filename + '*'):
- # determine prefix length to identify service instance
- prefix_len = len(config_filename)
- active_configs.append(config[prefix_len:])
-
- # sort our list
- active_configs.sort()
+ for config in glob(config_file_base + '*'):
+ os.remove(config)
- # delete old configuration files
- for id in active_configs[:]:
- if os.path.exists(config_file + id):
- os.unlink(config_file + id)
-
- # If the service is disabled, we can bail out here
- if relay['disabled']:
- print('Warning: UDP broadcast relay service will be deactivated because it is disabled')
- return None
-
- for r in relay['instances']:
- # Skip writing instance config when it's disabled
- if r['disabled']:
+ for instance, config in relay.get('id').items():
+ # we don't have to check this instance when it's disabled
+ if 'disabled' in config:
continue
- # configuration filename contains instance id
- file = config_file + str(r['id'])
- render(file, 'bcast-relay/udp-broadcast-relay.tmpl', r)
+ config['instance'] = instance
+ render(config_file_base + instance, 'bcast-relay/udp-broadcast-relay.tmpl', config)
return None
def apply(relay):
# first stop all running services
- call('systemctl stop udp-broadcast-relay@{1..99}.service')
+ call('systemctl stop udp-broadcast-relay@*.service')
- if (relay is None) or relay['disabled']:
+ if not relay or 'disable' in relay:
return None
# start only required service instances
- for r in relay['instances']:
- # Don't start individual instance when it's disabled
- if r['disabled']:
+ for instance, config in relay.get('id').items():
+ # we don't have to check this instance when it's disabled
+ if 'disabled' in config:
continue
- call('systemctl start udp-broadcast-relay@{0}.service'.format(r['id']))
+
+ call(f'systemctl start udp-broadcast-relay@{instance}.service')
return None
diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py
index f2fa64233..9d66bd434 100755
--- a/src/conf_mode/host_name.py
+++ b/src/conf_mode/host_name.py
@@ -18,20 +18,16 @@
conf-mode script for 'system host-name' and 'system domain-name'.
"""
-import os
import re
import sys
import copy
-import glob
-import argparse
-import jinja2
import vyos.util
import vyos.hostsd_client
from vyos.config import Config
from vyos import ConfigError
-from vyos.util import cmd, call, run, process_named_running
+from vyos.util import cmd, call, process_named_running
from vyos import airbag
airbag.enable()
@@ -47,7 +43,9 @@ default_config_data = {
hostsd_tag = 'system'
-def get_config(conf):
+def get_config():
+ conf = Config()
+
hosts = copy.deepcopy(default_config_data)
hosts['hostname'] = conf.return_value("system host-name")
@@ -77,7 +75,7 @@ def get_config(conf):
return hosts
-def verify(conf, hosts):
+def verify(hosts):
if hosts is None:
return None
@@ -168,9 +166,8 @@ def apply(config):
if __name__ == '__main__':
try:
- conf = Config()
- c = get_config(conf)
- verify(conf, c)
+ c = get_config()
+ verify(c)
generate(c)
apply(c)
except ConfigError as e:
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py
index a16c4e105..3b238f1ea 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces-bonding.py
@@ -16,41 +16,25 @@
import os
-from copy import deepcopy
from sys import exit
from netifaces import interfaces
-from vyos.ifconfig import BondIf
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
from vyos.config import Config
-from vyos.util import call, cmd
-from vyos.validate import is_member, has_address_configured
+from vyos.configdict import get_interface_dict
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_vlan_config
+from vyos.configverify import verify_vrf
+from vyos.ifconfig import BondIf
+from vyos.validate import is_member
+from vyos.validate import has_address_configured
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'arp_mon_intvl': 0,
- 'arp_mon_tgt': [],
- 'deleted': False,
- 'hash_policy': 'layer2',
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp_pvlan': 0,
- 'mode': '802.3ad',
- 'member': [],
- 'shutdown_required': False,
- 'primary': '',
- 'vif_s': {},
- 'vif_s_remove': [],
- 'vif': {},
- 'vif_remove': [],
-}
-
-
def get_bond_mode(mode):
if mode == 'round-robin':
return 'balance-rr'
@@ -67,339 +51,138 @@ def get_bond_mode(mode):
elif mode == 'adaptive-load-balance':
return 'balance-alb'
else:
- raise ConfigError('invalid bond mode "{}"'.format(mode))
+ raise ConfigError(f'invalid bond mode "{mode}"')
def get_config():
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
+ base = ['interfaces', 'bonding']
+ bond = get_interface_dict(conf, base)
+
+ # To make our own life easier transfor the list of member interfaces
+ # into a dictionary - we will use this to add additional information
+ # later on for wach member
+ if 'member' in bond and 'interface' in bond['member']:
+ # first convert it to a list if only one member is given
+ if isinstance(bond['member']['interface'], str):
+ bond['member']['interface'] = [bond['member']['interface']]
+
+ tmp={}
+ for interface in bond['member']['interface']:
+ tmp.update({interface: {}})
+
+ bond['member']['interface'] = tmp
+
+ if 'mode' in bond:
+ bond['mode'] = get_bond_mode(bond['mode'])
+
+ tmp = leaf_node_changed(conf, ['mode'])
+ if tmp:
+ bond.update({'shutdown_required': ''})
+
+ # determine which members have been removed
+ tmp = leaf_node_changed(conf, ['member', 'interface'])
+ if tmp:
+ bond.update({'shutdown_required': ''})
+ if 'member' in bond:
+ bond['member'].update({'interface_remove': tmp })
+ else:
+ bond.update({'member': {'interface_remove': tmp }})
+
+ if 'member' in bond and 'interface' in bond['member']:
+ for interface, interface_config in bond['member']['interface'].items():
+ # Check if we are a member of another bond device
+ tmp = is_member(conf, interface, 'bridge')
+ if tmp:
+ interface_config.update({'is_bridge_member' : tmp})
+
+ # Check if we are a member of a bond device
+ tmp = is_member(conf, interface, 'bonding')
+ if tmp and tmp != bond['ifname']:
+ interface_config.update({'is_bond_member' : tmp})
- # initialize kernel module if not loaded
- if not os.path.isfile('/sys/class/net/bonding_masters'):
- import syslog
- syslog.syslog(syslog.LOG_NOTICE, "loading bonding kernel module")
- if call('modprobe bonding max_bonds=0 miimon=250') != 0:
- syslog.syslog(syslog.LOG_NOTICE, "failed loading bonding kernel module")
- raise ConfigError("failed loading bonding kernel module")
-
- # check if bond has been removed
- cfg_base = 'interfaces bonding ' + ifname
- if not conf.exists(cfg_base):
- bond = deepcopy(default_config_data)
- bond['intf'] = ifname
- bond['deleted'] = True
- return bond
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- bond, disabled = intf_to_dict(conf, default_config_data)
-
- # ARP link monitoring frequency in milliseconds
- if conf.exists('arp-monitor interval'):
- bond['arp_mon_intvl'] = int(conf.return_value('arp-monitor interval'))
-
- # IP address to use for ARP monitoring
- if conf.exists('arp-monitor target'):
- bond['arp_mon_tgt'] = conf.return_values('arp-monitor target')
-
- # Bonding transmit hash policy
- if conf.exists('hash-policy'):
- bond['hash_policy'] = conf.return_value('hash-policy')
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- bond['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # Enable private VLAN proxy ARP on this interface
- if conf.exists('ip proxy-arp-pvlan'):
- bond['ip_proxy_arp_pvlan'] = 1
-
- # Bonding mode
- if conf.exists('mode'):
- act_mode = conf.return_value('mode')
- eff_mode = conf.return_effective_value('mode')
- if not (act_mode == eff_mode):
- bond['shutdown_required'] = True
-
- bond['mode'] = get_bond_mode(act_mode)
-
- # determine bond member interfaces (currently configured)
- bond['member'] = conf.return_values('member interface')
-
- # We can not call conf.return_effective_values() as it would not work
- # on reboots. Reboots/First boot will return that running config and
- # saved config is the same, thus on a reboot the bond members will
- # not be added all (https://phabricator.vyos.net/T2030)
- live_members = BondIf(bond['intf']).get_slaves()
- if not (bond['member'] == live_members):
- bond['shutdown_required'] = True
-
- # Primary device interface
- if conf.exists('primary'):
- bond['primary'] = conf.return_value('primary')
-
- add_to_dict(conf, disabled, bond, 'vif', 'vif')
- add_to_dict(conf, disabled, bond, 'vif-s', 'vif_s')
+ # bond members must not have an assigned address
+ tmp = has_address_configured(conf, interface)
+ if tmp:
+ interface_config.update({'has_address' : ''})
return bond
def verify(bond):
- if bond['deleted']:
- if bond['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{bond["intf"]}" as it is a '
- f'member of bridge "{bond["is_bridge_member"]}"!'))
-
+ if 'deleted' in bond:
+ verify_bridge_delete(bond)
return None
- if len(bond['arp_mon_tgt']) > 16:
- raise ConfigError('The maximum number of arp-monitor targets is 16')
+ if 'arp_monitor' in bond:
+ if 'target' in bond['arp_monitor'] and len(int(bond['arp_monitor']['target'])) > 16:
+ raise ConfigError('The maximum number of arp-monitor targets is 16')
+
+ if 'interval' in bond['arp_monitor'] and len(int(bond['arp_monitor']['interval'])) > 0:
+ if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']:
+ raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \
+ 'transmit-load-balance or adaptive-load-balance')
- if bond['primary']:
+ if 'primary' in bond:
if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']:
- raise ConfigError((
- 'Mode dependency failed, primary not supported in mode '
- f'"{bond["mode"]}"!'))
-
- if ( bond['is_bridge_member']
- and ( bond['address']
- or bond['ipv6_eui64_prefix']
- or bond['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{bond["intf"]}" '
- f'as it is a member of bridge "{bond["is_bridge_member"]}"!'))
-
- if bond['vrf']:
- if bond['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{bond["vrf"]}" does not exist')
-
- if bond['is_bridge_member']:
- raise ConfigError((
- f'Interface "{bond["intf"]}" cannot be member of VRF '
- f'"{bond["vrf"]}" and bridge {bond["is_bridge_member"]} '
- f'at the same time!'))
+ raise ConfigError('Option primary - mode dependency failed, not'
+ 'supported in mode {mode}!'.format(**bond))
+
+ verify_address(bond)
+ verify_dhcpv6(bond)
+ verify_vrf(bond)
# use common function to verify VLAN configuration
verify_vlan_config(bond)
- conf = Config()
- for intf in bond['member']:
- # check if member interface is "real"
- if intf not in interfaces():
- raise ConfigError(f'Interface {intf} does not exist!')
-
- # a bonding member interface is only allowed to be assigned to one bond!
- all_bonds = conf.list_nodes('interfaces bonding')
- # We do not need to check our own bond
- all_bonds.remove(bond['intf'])
- for tmp in all_bonds:
- if conf.exists('interfaces bonding {tmp} member interface {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already a member of bond "{tmp}"!'))
-
- # can not add interfaces with an assigned address to a bond
- if has_address_configured(conf, intf):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it has an address assigned!'))
-
- # bond members are not allowed to be bridge members
- tmp = is_member(conf, intf, 'bridge')
- if tmp:
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already a member of bridge "{tmp}"!'))
-
- # bond members are not allowed to be vrrp members
- for tmp in conf.list_nodes('high-availability vrrp group'):
- if conf.exists('high-availability vrrp group {tmp} interface {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already a member of VRRP group "{tmp}"!'))
-
- # bond members are not allowed to be underlaying psuedo-ethernet devices
- for tmp in conf.list_nodes('interfaces pseudo-ethernet'):
- if conf.exists('interfaces pseudo-ethernet {tmp} link {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already the link of pseudo-ethernet "{tmp}"!'))
-
- # bond members are not allowed to be underlaying vxlan devices
- for tmp in conf.list_nodes('interfaces vxlan'):
- if conf.exists('interfaces vxlan {tmp} link {intf}'):
- raise ConfigError((
- f'Cannot add interface "{intf}" to bond "{bond["intf"]}", '
- f'it is already the link of VXLAN "{tmp}"!'))
-
- if bond['primary']:
- if bond['primary'] not in bond['member']:
- raise ConfigError(f'Bond "{bond["intf"]}" primary interface must be a member')
+ bond_name = bond['ifname']
+ if 'member' in bond:
+ member = bond.get('member')
+ for interface, interface_config in member.get('interface', {}).items():
+ error_msg = f'Can not add interface "{interface}" to bond "{bond_name}", '
+
+ if interface == 'lo':
+ raise ConfigError('Loopback interface "lo" can not be added to a bond')
+
+ if interface not in interfaces():
+ raise ConfigError(error_msg + 'it does not exist!')
+
+ if 'is_bridge_member' in interface_config:
+ tmp = interface_config['is_bridge_member']
+ raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!')
+
+ if 'is_bond_member' in interface_config:
+ tmp = interface_config['is_bond_member']
+ raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!')
+
+ if 'has_address' in interface_config:
+ raise ConfigError(error_msg + 'it has an address assigned!')
+
+
+ if 'primary' in bond:
+ if bond['primary'] not in bond['member']['interface']:
+ raise ConfigError(f'Primary interface of bond "{bond_name}" must be a member interface')
if bond['mode'] not in ['active-backup', 'balance-tlb', 'balance-alb']:
raise ConfigError('primary interface only works for mode active-backup, ' \
'transmit-load-balance or adaptive-load-balance')
- if bond['arp_mon_intvl'] > 0:
- if bond['mode'] in ['802.3ad', 'balance-tlb', 'balance-alb']:
- raise ConfigError('ARP link monitoring does not work for mode 802.3ad, ' \
- 'transmit-load-balance or adaptive-load-balance')
-
return None
def generate(bond):
return None
def apply(bond):
- b = BondIf(bond['intf'])
+ b = BondIf(bond['ifname'])
- if bond['deleted']:
+ if 'deleted' in bond:
# delete interface
b.remove()
else:
- # ARP link monitoring frequency, reset miimon when arp-montior is inactive
- # this is done inside BondIf automatically
- b.set_arp_interval(bond['arp_mon_intvl'])
-
- # ARP monitor targets need to be synchronized between sysfs and CLI.
- # Unfortunately an address can't be send twice to sysfs as this will
- # result in the following exception: OSError: [Errno 22] Invalid argument.
- #
- # We remove ALL adresses prior adding new ones, this will remove addresses
- # added manually by the user too - but as we are limited to 16 adresses
- # from the kernel side this looks valid to me. We won't run into an error
- # when a user added manual adresses which would result in having more
- # then 16 adresses in total.
- arp_tgt_addr = list(map(str, b.get_arp_ip_target().split()))
- for addr in arp_tgt_addr:
- b.set_arp_ip_target('-' + addr)
-
- # Add configured ARP target addresses
- for addr in bond['arp_mon_tgt']:
- b.set_arp_ip_target('+' + addr)
-
- # update interface description used e.g. within SNMP
- b.set_alias(bond['description'])
-
- if bond['dhcp_client_id']:
- b.dhcp.v4.options['client_id'] = bond['dhcp_client_id']
-
- if bond['dhcp_hostname']:
- b.dhcp.v4.options['hostname'] = bond['dhcp_hostname']
-
- if bond['dhcp_vendor_class_id']:
- b.dhcp.v4.options['vendor_class_id'] = bond['dhcp_vendor_class_id']
-
- if bond['dhcpv6_prm_only']:
- b.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if bond['dhcpv6_temporary']:
- b.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if bond['dhcpv6_pd_length']:
- b.dhcp.v6.options['dhcpv6_pd_length'] = bond['dhcpv6_pd_length']
-
- if bond['dhcpv6_pd_interfaces']:
- b.dhcp.v6.options['dhcpv6_pd_interfaces'] = bond['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- b.set_link_detect(bond['disable_link_detect'])
- # Bonding transmit hash policy
- b.set_hash_policy(bond['hash_policy'])
- # configure ARP cache timeout in milliseconds
- b.set_arp_cache_tmo(bond['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- b.set_arp_filter(bond['ip_disable_arp_filter'])
- # configure ARP accept
- b.set_arp_accept(bond['ip_enable_arp_accept'])
- # configure ARP announce
- b.set_arp_announce(bond['ip_enable_arp_announce'])
- # configure ARP ignore
- b.set_arp_ignore(bond['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- b.set_proxy_arp(bond['ip_proxy_arp'])
- # Enable private VLAN proxy ARP on this interface
- b.set_proxy_arp_pvlan(bond['ip_proxy_arp_pvlan'])
- # IPv6 accept RA
- b.set_ipv6_accept_ra(bond['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- b.set_ipv6_autoconf(bond['ipv6_autoconf'])
- # IPv6 forwarding
- b.set_ipv6_forwarding(bond['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- b.set_ipv6_dad_messages(bond['ipv6_dup_addr_detect'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in bond['ipv6_eui64_prefix_remove']:
- b.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address
- if bond['mac']:
- b.set_mac(bond['mac'])
-
- # Add IPv6 EUI-based addresses
- for addr in bond['ipv6_eui64_prefix']:
- b.add_ipv6_eui64_address(addr)
-
- # Maximum Transmission Unit (MTU)
- b.set_mtu(bond['mtu'])
-
- # Primary device interface
- if bond['primary']:
- b.set_primary(bond['primary'])
-
- # Some parameters can not be changed when the bond is up.
- if bond['shutdown_required']:
- # Disable bond prior changing of certain properties
- b.set_admin_state('down')
-
- # The bonding mode can not be changed when there are interfaces enslaved
- # to this bond, thus we will free all interfaces from the bond first!
- for intf in b.get_slaves():
- b.del_port(intf)
-
- # Bonding policy/mode
- b.set_mode(bond['mode'])
-
- # Add (enslave) interfaces to bond
- for intf in bond['member']:
- # if we've come here we already verified the interface doesn't
- # have addresses configured so just flush any remaining ones
- cmd(f'ip addr flush dev "{intf}"')
- b.add_port(intf)
-
- # As the bond interface is always disabled first when changing
- # parameters we will only re-enable the interface if it is not
- # administratively disabled
- if not bond['disable']:
- b.set_admin_state('up')
- else:
- b.set_admin_state('down')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in bond['address_remove']:
- b.del_addr(addr)
- for addr in bond['address']:
- b.add_addr(addr)
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not bond['is_bridge_member']:
- b.set_vrf(bond['vrf'])
-
- # re-add ourselves to any bridge we might have fallen out of
- if bond['is_bridge_member']:
- b.add_to_bridge(bond['is_bridge_member'])
-
- # apply all vlans to interface
- apply_all_vlans(b, bond)
+ b.update(bond)
return None
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py
index 1e4fa5816..ee8e85e73 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces-bridge.py
@@ -16,251 +16,102 @@
import os
-from copy import deepcopy
from sys import exit
from netifaces import interfaces
-from vyos.ifconfig import BridgeIf, Section
-from vyos.ifconfig.stp import STP
-from vyos.configdict import list_diff, interface_default_data
-from vyos.validate import is_member, has_address_configured
from vyos.config import Config
-from vyos.util import cmd, get_bridge_member_config
+from vyos.configdict import get_interface_dict
+from vyos.configdict import node_changed
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_vrf
+from vyos.ifconfig import BridgeIf
+from vyos.validate import is_member, has_address_configured
+from vyos.xml import defaults
+
+from vyos.util import cmd
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'aging': 300,
- 'arp_cache_tmo': 30,
- 'deleted': False,
- 'forwarding_delay': 14,
- 'hello_time': 2,
- 'igmp_querier': 0,
- 'intf': '',
- 'max_age': 20,
- 'member': [],
- 'member_remove': [],
- 'priority': 32768,
- 'stp': 0
-}
-
def get_config():
- bridge = deepcopy(default_config_data)
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- bridge['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # Check if bridge has been removed
- if not conf.exists('interfaces bridge ' + bridge['intf']):
- bridge['deleted'] = True
- return bridge
-
- # set new configuration level
- conf.set_level('interfaces bridge ' + bridge['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- bridge['address'] = conf.return_values('address')
-
- # Determine interface addresses (currently effective) - to determine which
- # address is no longer valid and needs to be removed
- eff_addr = conf.return_effective_values('address')
- bridge['address_remove'] = list_diff(eff_addr, bridge['address'])
-
- # retrieve aging - how long addresses are retained
- if conf.exists('aging'):
- bridge['aging'] = int(conf.return_value('aging'))
-
- # retrieve interface description
- if conf.exists('description'):
- bridge['description'] = conf.return_value('description')
-
- # get DHCP client identifier
- if conf.exists('dhcp-options client-id'):
- bridge['dhcp_client_id'] = conf.return_value('dhcp-options client-id')
-
- # DHCP client host name (overrides the system host name)
- if conf.exists('dhcp-options host-name'):
- bridge['dhcp_hostname'] = conf.return_value('dhcp-options host-name')
-
- # DHCP client vendor identifier
- if conf.exists('dhcp-options vendor-class-id'):
- bridge['dhcp_vendor_class_id'] = conf.return_value('dhcp-options vendor-class-id')
-
- # DHCPv6 only acquire config parameters, no address
- if conf.exists('dhcpv6-options parameters-only'):
- bridge['dhcpv6_prm_only'] = True
-
- # DHCPv6 temporary IPv6 address
- if conf.exists('dhcpv6-options temporary'):
- bridge['dhcpv6_temporary'] = True
-
- # Disable this bridge interface
- if conf.exists('disable'):
- bridge['disable'] = True
-
- # Ignore link state changes
- if conf.exists('disable-link-detect'):
- bridge['disable_link_detect'] = 2
-
- # Forwarding delay
- if conf.exists('forwarding-delay'):
- bridge['forwarding_delay'] = int(conf.return_value('forwarding-delay'))
-
- # Hello packet advertisment interval
- if conf.exists('hello-time'):
- bridge['hello_time'] = int(conf.return_value('hello-time'))
-
- # Enable Internet Group Management Protocol (IGMP) querier
- if conf.exists('igmp querier'):
- bridge['igmp_querier'] = 1
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- bridge['arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # ARP filter configuration
- if conf.exists('ip disable-arp-filter'):
- bridge['ip_disable_arp_filter'] = 0
-
- # ARP enable accept
- if conf.exists('ip enable-arp-accept'):
- bridge['ip_enable_arp_accept'] = 1
-
- # ARP enable announce
- if conf.exists('ip enable-arp-announce'):
- bridge['ip_enable_arp_announce'] = 1
-
- # ARP enable ignore
- if conf.exists('ip enable-arp-ignore'):
- bridge['ip_enable_arp_ignore'] = 1
-
- # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC)
- if conf.exists('ipv6 address autoconf'):
- bridge['ipv6_autoconf'] = 1
-
- # Get prefixes for IPv6 addressing based on MAC address (EUI-64)
- if conf.exists('ipv6 address eui64'):
- bridge['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64')
-
- # Determine currently effective EUI64 addresses - to determine which
- # address is no longer valid and needs to be removed
- eff_addr = conf.return_effective_values('ipv6 address eui64')
- bridge['ipv6_eui64_prefix_remove'] = list_diff(eff_addr, bridge['ipv6_eui64_prefix'])
-
- # Remove the default link-local address if set.
- if conf.exists('ipv6 address no-default-link-local'):
- bridge['ipv6_eui64_prefix_remove'].append('fe80::/64')
- else:
- # add the link-local by default to make IPv6 work
- bridge['ipv6_eui64_prefix'].append('fe80::/64')
-
- # Disable IPv6 forwarding on this interface
- if conf.exists('ipv6 disable-forwarding'):
- bridge['ipv6_forwarding'] = 0
-
- # IPv6 Duplicate Address Detection (DAD) tries
- if conf.exists('ipv6 dup-addr-detect-transmits'):
- bridge['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits'))
-
- # Media Access Control (MAC) address
- if conf.exists('mac'):
- bridge['mac'] = conf.return_value('mac')
-
- # Find out if MAC has changed - if so, we need to delete all IPv6 EUI64 addresses
- # before re-adding them
- if ( bridge['mac'] and bridge['intf'] in Section.interfaces(section='bridge')
- and bridge['mac'] != BridgeIf(bridge['intf'], create=False).get_mac() ):
- bridge['ipv6_eui64_prefix_remove'] += bridge['ipv6_eui64_prefix']
-
- # to make IPv6 SLAAC and DHCPv6 work with forwarding=1,
- # accept_ra must be 2
- if bridge['ipv6_autoconf'] or 'dhcpv6' in bridge['address']:
- bridge['ipv6_accept_ra'] = 2
-
- # Interval at which neighbor bridges are removed
- if conf.exists('max-age'):
- bridge['max_age'] = int(conf.return_value('max-age'))
-
- # Determine bridge member interface (currently configured)
- for intf in conf.list_nodes('member interface'):
- # defaults are stored in util.py (they can't be here as all interface
- # scripts use the function)
- memberconf = get_bridge_member_config(conf, bridge['intf'], intf)
- if memberconf:
- memberconf['name'] = intf
- bridge['member'].append(memberconf)
-
- # Determine bridge member interface (currently effective) - to determine which
- # interfaces is no longer assigend to the bridge and thus can be removed
- eff_intf = conf.list_effective_nodes('member interface')
- act_intf = conf.list_nodes('member interface')
- bridge['member_remove'] = list_diff(eff_intf, act_intf)
-
- # Priority for this bridge
- if conf.exists('priority'):
- bridge['priority'] = int(conf.return_value('priority'))
-
- # Enable spanning tree protocol
- if conf.exists('stp'):
- bridge['stp'] = 1
-
- # retrieve VRF instance
- if conf.exists('vrf'):
- bridge['vrf'] = conf.return_value('vrf')
+ base = ['interfaces', 'bridge']
+ bridge = get_interface_dict(conf, base)
+
+ # determine which members have been removed
+ tmp = node_changed(conf, ['member', 'interface'])
+ if tmp:
+ if 'member' in bridge:
+ bridge['member'].update({'interface_remove': tmp })
+ else:
+ bridge.update({'member': {'interface_remove': tmp }})
+
+ if 'member' in bridge and 'interface' in bridge['member']:
+ # XXX TT2665 we need a copy of the dict keys for iteration, else we will get:
+ # RuntimeError: dictionary changed size during iteration
+ for interface in list(bridge['member']['interface']):
+ for key in ['cost', 'priority']:
+ if interface == key:
+ del bridge['member']['interface'][key]
+ continue
+
+ # the default dictionary is not properly paged into the dict (see T2665)
+ # thus we will ammend it ourself
+ default_member_values = defaults(base + ['member', 'interface'])
+ for interface, interface_config in bridge['member']['interface'].items():
+ interface_config.update(default_member_values)
+
+ # Check if we are a member of another bridge device
+ tmp = is_member(conf, interface, 'bridge')
+ if tmp and tmp != bridge['ifname']:
+ interface_config.update({'is_bridge_member' : tmp})
+
+ # Check if we are a member of a bond device
+ tmp = is_member(conf, interface, 'bonding')
+ if tmp:
+ interface_config.update({'is_bond_member' : tmp})
+
+ # Bridge members must not have an assigned address
+ tmp = has_address_configured(conf, interface)
+ if tmp:
+ interface_config.update({'has_address' : ''})
return bridge
def verify(bridge):
- if bridge['dhcpv6_prm_only'] and bridge['dhcpv6_temporary']:
- raise ConfigError('DHCPv6 temporary and parameters-only options are mutually exclusive!')
+ if 'deleted' in bridge:
+ return None
- vrf_name = bridge['vrf']
- if vrf_name and vrf_name not in interfaces():
- raise ConfigError(f'VRF "{vrf_name}" does not exist')
+ verify_dhcpv6(bridge)
+ verify_vrf(bridge)
- conf = Config()
- for intf in bridge['member']:
- # the interface must exist prior adding it to a bridge
- if intf['name'] not in interfaces():
- raise ConfigError((
- f'Cannot add nonexistent interface "{intf["name"]}" '
- f'to bridge "{bridge["intf"]}"'))
+ if 'member' in bridge:
+ member = bridge.get('member')
+ bridge_name = bridge['ifname']
+ for interface, interface_config in member.get('interface', {}).items():
+ error_msg = f'Can not add interface "{interface}" to bridge "{bridge_name}", '
- if intf['name'] == 'lo':
- raise ConfigError('Loopback interface "lo" can not be added to a bridge')
+ if interface == 'lo':
+ raise ConfigError('Loopback interface "lo" can not be added to a bridge')
- # bridge members aren't allowed to be members of another bridge
- for br in conf.list_nodes('interfaces bridge'):
- # it makes no sense to verify ourself in this case
- if br == bridge['intf']:
- continue
+ if interface not in interfaces():
+ raise ConfigError(error_msg + 'it does not exist!')
- tmp = conf.list_nodes(f'interfaces bridge {br} member interface')
- if intf['name'] in tmp:
- raise ConfigError((
- f'Cannot add interface "{intf["name"]}" to bridge '
- f'"{bridge["intf"]}", it is already a member of bridge "{br}"!'))
+ if 'is_bridge_member' in interface_config:
+ tmp = interface_config['is_bridge_member']
+ raise ConfigError(error_msg + f'it is already a member of bridge "{tmp}"!')
- # bridge members are not allowed to be bond members
- tmp = is_member(conf, intf['name'], 'bonding')
- if tmp:
- raise ConfigError((
- f'Cannot add interface "{intf["name"]}" to bridge '
- f'"{bridge["intf"]}", it is already a member of bond "{tmp}"!'))
+ if 'is_bond_member' in interface_config:
+ tmp = interface_config['is_bond_member']
+ raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!')
- # bridge members must not have an assigned address
- if has_address_configured(conf, intf['name']):
- raise ConfigError((
- f'Cannot add interface "{intf["name"]}" to bridge '
- f'"{bridge["intf"]}", it has an address assigned!'))
+ if 'has_address' in interface_config:
+ raise ConfigError(error_msg + 'it has an address assigned!')
return None
@@ -268,120 +119,12 @@ def generate(bridge):
return None
def apply(bridge):
- br = BridgeIf(bridge['intf'])
-
- if bridge['deleted']:
+ br = BridgeIf(bridge['ifname'])
+ if 'deleted' in bridge:
# delete interface
br.remove()
else:
- # enable interface
- br.set_admin_state('up')
- # set ageing time
- br.set_ageing_time(bridge['aging'])
- # set bridge forward delay
- br.set_forward_delay(bridge['forwarding_delay'])
- # set hello time
- br.set_hello_time(bridge['hello_time'])
- # configure ARP filter configuration
- br.set_arp_filter(bridge['ip_disable_arp_filter'])
- # configure ARP accept
- br.set_arp_accept(bridge['ip_enable_arp_accept'])
- # configure ARP announce
- br.set_arp_announce(bridge['ip_enable_arp_announce'])
- # configure ARP ignore
- br.set_arp_ignore(bridge['ip_enable_arp_ignore'])
- # IPv6 accept RA
- br.set_ipv6_accept_ra(bridge['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- br.set_ipv6_autoconf(bridge['ipv6_autoconf'])
- # IPv6 forwarding
- br.set_ipv6_forwarding(bridge['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- br.set_ipv6_dad_messages(bridge['ipv6_dup_addr_detect'])
- # set max message age
- br.set_max_age(bridge['max_age'])
- # set bridge priority
- br.set_priority(bridge['priority'])
- # turn stp on/off
- br.set_stp(bridge['stp'])
- # enable or disable IGMP querier
- br.set_multicast_querier(bridge['igmp_querier'])
- # update interface description used e.g. within SNMP
- br.set_alias(bridge['description'])
-
- if bridge['dhcp_client_id']:
- br.dhcp.v4.options['client_id'] = bridge['dhcp_client_id']
-
- if bridge['dhcp_hostname']:
- br.dhcp.v4.options['hostname'] = bridge['dhcp_hostname']
-
- if bridge['dhcp_vendor_class_id']:
- br.dhcp.v4.options['vendor_class_id'] = bridge['dhcp_vendor_class_id']
-
- if bridge['dhcpv6_prm_only']:
- br.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if bridge['dhcpv6_temporary']:
- br.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if bridge['dhcpv6_pd_length']:
- br.dhcp.v6.options['dhcpv6_pd_length'] = br['dhcpv6_pd_length']
-
- if bridge['dhcpv6_pd_interfaces']:
- br.dhcp.v6.options['dhcpv6_pd_interfaces'] = br['dhcpv6_pd_interfaces']
-
- # assign/remove VRF
- br.set_vrf(bridge['vrf'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- # (adding members to a fresh bridge changes its MAC too)
- for addr in bridge['ipv6_eui64_prefix_remove']:
- br.del_ipv6_eui64_address(addr)
-
- # remove interface from bridge
- for intf in bridge['member_remove']:
- br.del_port(intf)
-
- # add interfaces to bridge
- for member in bridge['member']:
- # if we've come here we already verified the interface doesn't
- # have addresses configured so just flush any remaining ones
- cmd(f'ip addr flush dev "{member["name"]}"')
- br.add_port(member['name'])
-
- # Change interface MAC address
- if bridge['mac']:
- br.set_mac(bridge['mac'])
-
- # Add IPv6 EUI-based addresses (must be done after adding the
- # 1st bridge member or setting its MAC)
- for addr in bridge['ipv6_eui64_prefix']:
- br.add_ipv6_eui64_address(addr)
-
- # up/down interface
- if bridge['disable']:
- br.set_admin_state('down')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in bridge['address_remove']:
- br.del_addr(addr)
- for addr in bridge['address']:
- br.add_addr(addr)
-
- STPBridgeIf = STP.enable(BridgeIf)
- # configure additional bridge member options
- for member in bridge['member']:
- i = STPBridgeIf(member['name'])
- # configure ARP cache timeout
- i.set_arp_cache_tmo(member['arp_cache_tmo'])
- # ignore link state changes
- i.set_link_detect(member['disable_link_detect'])
- # set bridge port path cost
- i.set_path_cost(member['cost'])
- # set bridge port path priority
- i.set_path_priority(member['priority'])
+ br.update(bridge)
return None
diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py
index 2d62420a6..8df86c8ea 100755
--- a/src/conf_mode/interfaces-dummy.py
+++ b/src/conf_mode/interfaces-dummy.py
@@ -19,41 +19,23 @@ import os
from sys import exit
from vyos.config import Config
+from vyos.configdict import get_interface_dict
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.ifconfig import DummyIf
-from vyos.validate import is_member
from vyos import ConfigError
from vyos import airbag
airbag.enable()
def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = ['interfaces', 'dummy', ifname]
-
- dummy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if dummy == {}:
- dummy.update({'deleted' : ''})
-
- # store interface instance name in dictionary
- dummy.update({'ifname': ifname})
-
- # check if we are a member of any bridge
- bridge = is_member(conf, ifname, 'bridge')
- if bridge:
- tmp = {'is_bridge_member' : bridge}
- dummy.update(tmp)
-
+ base = ['interfaces', 'dummy']
+ dummy = get_interface_dict(conf, base)
return dummy
def verify(dummy):
diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py
index 8b895c4d2..10758e35a 100755
--- a/src/conf_mode/interfaces-ethernet.py
+++ b/src/conf_mode/interfaces-ethernet.py
@@ -17,295 +17,65 @@
import os
from sys import exit
-from copy import deepcopy
-from netifaces import interfaces
-from vyos.ifconfig import EthernetIf
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
-from vyos.validate import is_member
from vyos.config import Config
+from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_interface_exists
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_address
+from vyos.configverify import verify_vrf
+from vyos.configverify import verify_vlan_config
+from vyos.ifconfig import EthernetIf
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'deleted': False,
- 'duplex': 'auto',
- 'flow_control': 'on',
- 'hw_id': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp_pvlan': 0,
- 'is_bond_member': False,
- 'intf': '',
- 'offload_gro': 'off',
- 'offload_gso': 'off',
- 'offload_sg': 'off',
- 'offload_tso': 'off',
- 'offload_ufo': 'off',
- 'speed': 'auto',
- 'vif_s': {},
- 'vif_s_remove': [],
- 'vif': {},
- 'vif_remove': [],
- 'vrf': ''
-}
-
-
def get_config():
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
+ base = ['interfaces', 'ethernet']
+ ethernet = get_interface_dict(conf, base)
+ return ethernet
- # check if ethernet interface has been removed
- cfg_base = ['interfaces', 'ethernet', ifname]
- if not conf.exists(cfg_base):
- eth = deepcopy(default_config_data)
- eth['intf'] = ifname
- eth['deleted'] = True
- # we can not bail out early as ethernet interface can not be removed
- # Kernel will complain with: RTNETLINK answers: Operation not supported.
- # Thus we need to remove individual settings
- return eth
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- eth, disabled = intf_to_dict(conf, default_config_data)
-
- # disable ethernet flow control (pause frames)
- if conf.exists('disable-flow-control'):
- eth['flow_control'] = 'off'
-
- # retrieve real hardware address
- if conf.exists('hw-id'):
- eth['hw_id'] = conf.return_value('hw-id')
-
- # interface duplex
- if conf.exists('duplex'):
- eth['duplex'] = conf.return_value('duplex')
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- eth['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # Enable private VLAN proxy ARP on this interface
- if conf.exists('ip proxy-arp-pvlan'):
- eth['ip_proxy_arp_pvlan'] = 1
-
- # check if we are a member of any bond
- eth['is_bond_member'] = is_member(conf, eth['intf'], 'bonding')
-
- # GRO (generic receive offload)
- if conf.exists('offload-options generic-receive'):
- eth['offload_gro'] = conf.return_value('offload-options generic-receive')
-
- # GSO (generic segmentation offload)
- if conf.exists('offload-options generic-segmentation'):
- eth['offload_gso'] = conf.return_value('offload-options generic-segmentation')
-
- # scatter-gather option
- if conf.exists('offload-options scatter-gather'):
- eth['offload_sg'] = conf.return_value('offload-options scatter-gather')
-
- # TSO (TCP segmentation offloading)
- if conf.exists('offload-options tcp-segmentation'):
- eth['offload_tso'] = conf.return_value('offload-options tcp-segmentation')
-
- # UDP fragmentation offloading
- if conf.exists('offload-options udp-fragmentation'):
- eth['offload_ufo'] = conf.return_value('offload-options udp-fragmentation')
-
- # interface speed
- if conf.exists('speed'):
- eth['speed'] = conf.return_value('speed')
-
- # remove default IPv6 link-local address if member of a bond
- if eth['is_bond_member'] and 'fe80::/64' in eth['ipv6_eui64_prefix']:
- eth['ipv6_eui64_prefix'].remove('fe80::/64')
- eth['ipv6_eui64_prefix_remove'].append('fe80::/64')
-
- add_to_dict(conf, disabled, eth, 'vif', 'vif')
- add_to_dict(conf, disabled, eth, 'vif-s', 'vif_s')
-
- return eth
-
-
-def verify(eth):
- if eth['deleted']:
+def verify(ethernet):
+ if 'deleted' in ethernet:
return None
- if eth['intf'] not in interfaces():
- raise ConfigError(f"Interface ethernet {eth['intf']} does not exist")
+ verify_interface_exists(ethernet)
- if eth['speed'] == 'auto':
- if eth['duplex'] != 'auto':
+ if ethernet.get('speed', None) == 'auto':
+ if ethernet.get('duplex', None) != 'auto':
raise ConfigError('If speed is hardcoded, duplex must be hardcoded, too')
- if eth['duplex'] == 'auto':
- if eth['speed'] != 'auto':
+ if ethernet.get('duplex', None) == 'auto':
+ if ethernet.get('speed', None) != 'auto':
raise ConfigError('If duplex is hardcoded, speed must be hardcoded, too')
- if eth['dhcpv6_prm_only'] and eth['dhcpv6_temporary']:
- raise ConfigError('DHCPv6 temporary and parameters-only options are mutually exclusive!')
-
- memberof = eth['is_bridge_member'] if eth['is_bridge_member'] else eth['is_bond_member']
-
- if ( memberof
- and ( eth['address']
- or eth['ipv6_eui64_prefix']
- or eth['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{eth["intf"]}" '
- f'as it is a member of "{memberof}"!'))
+ verify_dhcpv6(ethernet)
+ verify_address(ethernet)
+ verify_vrf(ethernet)
- if eth['vrf']:
- if eth['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{eth["vrf"]}" does not exist')
-
- if memberof:
- raise ConfigError((
- f'Interface "{eth["intf"]}" cannot be member of VRF "{eth["vrf"]}" '
- f'and "{memberof}" at the same time!'))
-
- if eth['mac'] and eth['is_bond_member']:
- print('WARNING: "mac {0}" command will be ignored because {1} is a part of {2}'\
- .format(eth['mac'], eth['intf'], eth['is_bond_member']))
+ if {'is_bond_member', 'mac'} <= set(ethernet):
+ print(f'WARNING: changing mac address "{mac}" will be ignored as "{ifname}" '
+ f'is a member of bond "{is_bond_member}"'.format(**ethernet))
# use common function to verify VLAN configuration
- verify_vlan_config(eth)
+ verify_vlan_config(ethernet)
return None
-def generate(eth):
+def generate(ethernet):
return None
-def apply(eth):
- e = EthernetIf(eth['intf'])
- if eth['deleted']:
- # apply all vlans to interface (they need removing too)
- apply_all_vlans(e, eth)
-
+def apply(ethernet):
+ e = EthernetIf(ethernet['ifname'])
+ if 'deleted' in ethernet:
# delete interface
e.remove()
else:
- # update interface description used e.g. within SNMP
- e.set_alias(eth['description'])
-
- if eth['dhcp_client_id']:
- e.dhcp.v4.options['client_id'] = eth['dhcp_client_id']
-
- if eth['dhcp_hostname']:
- e.dhcp.v4.options['hostname'] = eth['dhcp_hostname']
-
- if eth['dhcp_vendor_class_id']:
- e.dhcp.v4.options['vendor_class_id'] = eth['dhcp_vendor_class_id']
-
- if eth['dhcpv6_prm_only']:
- e.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if eth['dhcpv6_temporary']:
- e.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if eth['dhcpv6_pd_length']:
- e.dhcp.v6.options['dhcpv6_pd_length'] = eth['dhcpv6_pd_length']
-
- if eth['dhcpv6_pd_interfaces']:
- e.dhcp.v6.options['dhcpv6_pd_interfaces'] = eth['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- e.set_link_detect(eth['disable_link_detect'])
- # disable ethernet flow control (pause frames)
- e.set_flow_control(eth['flow_control'])
- # configure ARP cache timeout in milliseconds
- e.set_arp_cache_tmo(eth['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- e.set_arp_filter(eth['ip_disable_arp_filter'])
- # configure ARP accept
- e.set_arp_accept(eth['ip_enable_arp_accept'])
- # configure ARP announce
- e.set_arp_announce(eth['ip_enable_arp_announce'])
- # configure ARP ignore
- e.set_arp_ignore(eth['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- e.set_proxy_arp(eth['ip_proxy_arp'])
- # Enable private VLAN proxy ARP on this interface
- e.set_proxy_arp_pvlan(eth['ip_proxy_arp_pvlan'])
- # IPv6 accept RA
- e.set_ipv6_accept_ra(eth['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- e.set_ipv6_autoconf(eth['ipv6_autoconf'])
- # IPv6 forwarding
- e.set_ipv6_forwarding(eth['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- e.set_ipv6_dad_messages(eth['ipv6_dup_addr_detect'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in eth['ipv6_eui64_prefix_remove']:
- e.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address - re-set to real hardware address (hw-id)
- # if custom mac is removed. Skip if bond member.
- if not eth['is_bond_member']:
- if eth['mac']:
- e.set_mac(eth['mac'])
- elif eth['hw_id']:
- e.set_mac(eth['hw_id'])
-
- # Add IPv6 EUI-based addresses
- for addr in eth['ipv6_eui64_prefix']:
- e.add_ipv6_eui64_address(addr)
-
- # Maximum Transmission Unit (MTU)
- e.set_mtu(eth['mtu'])
-
- # GRO (generic receive offload)
- e.set_gro(eth['offload_gro'])
-
- # GSO (generic segmentation offload)
- e.set_gso(eth['offload_gso'])
-
- # scatter-gather option
- e.set_sg(eth['offload_sg'])
-
- # TSO (TCP segmentation offloading)
- e.set_tso(eth['offload_tso'])
-
- # UDP fragmentation offloading
- e.set_ufo(eth['offload_ufo'])
-
- # Set physical interface speed and duplex
- e.set_speed_duplex(eth['speed'], eth['duplex'])
-
- # Enable/Disable interface
- if eth['disable']:
- e.set_admin_state('down')
- else:
- e.set_admin_state('up')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in eth['address_remove']:
- e.del_addr(addr)
- for addr in eth['address']:
- e.add_addr(addr)
-
- # assign/remove VRF (ONLY when not a member of a bridge or bond,
- # otherwise 'nomaster' removes it from it)
- if not ( eth['is_bridge_member'] or eth['is_bond_member'] ):
- e.set_vrf(eth['vrf'])
-
- # re-add ourselves to any bridge we might have fallen out of
- if eth['is_bridge_member']:
- e.add_to_bridge(eth['is_bridge_member'])
-
- # apply all vlans to interface
- apply_all_vlans(e, eth)
+ e.update(ethernet)
if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py
index 31f6eb6b5..1104bd3c0 100755
--- a/src/conf_mode/interfaces-geneve.py
+++ b/src/conf_mode/interfaces-geneve.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -21,102 +21,37 @@ from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
+from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
from vyos.ifconfig import GeneveIf
-from vyos.validate import is_member
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-default_config_data = {
- 'address': [],
- 'deleted': False,
- 'description': '',
- 'disable': False,
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp': 0,
- 'is_bridge_member': False,
- 'mtu': 1500,
- 'remote': '',
- 'vni': ''
-}
-
def get_config():
- geneve = deepcopy(default_config_data)
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- geneve['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member if a bridge
- geneve['is_bridge_member'] = is_member(conf, geneve['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists('interfaces geneve ' + geneve['intf']):
- geneve['deleted'] = True
- return geneve
-
- # set new configuration level
- conf.set_level('interfaces geneve ' + geneve['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- geneve['address'] = conf.return_values('address')
-
- # retrieve interface description
- if conf.exists('description'):
- geneve['description'] = conf.return_value('description')
-
- # Disable this interface
- if conf.exists('disable'):
- geneve['disable'] = True
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- geneve['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # Enable proxy-arp on this interface
- if conf.exists('ip enable-proxy-arp'):
- geneve['ip_proxy_arp'] = 1
-
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- geneve['mtu'] = int(conf.return_value('mtu'))
-
- # Remote address of GENEVE tunnel
- if conf.exists('remote'):
- geneve['remote'] = conf.return_value('remote')
-
- # Virtual Network Identifier
- if conf.exists('vni'):
- geneve['vni'] = conf.return_value('vni')
-
+ base = ['interfaces', 'geneve']
+ geneve = get_interface_dict(conf, base)
return geneve
-
def verify(geneve):
- if geneve['deleted']:
- if geneve['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{geneve["intf"]}" as it is a '
- f'member of bridge "{geneve["is_bridge_member"]}"!'))
-
+ if 'deleted' in geneve:
+ verify_bridge_delete(geneve)
return None
- if geneve['is_bridge_member'] and geneve['address']:
- raise ConfigError((
- f'Cannot assign address to interface "{geneve["intf"]}" '
- f'as it is a member of bridge "{geneve["is_bridge_member"]}"!'))
+ verify_address(geneve)
- if not geneve['remote']:
- raise ConfigError('GENEVE remote must be configured')
+ if 'remote' not in geneve:
+ raise ConfigError('Remote side must be configured')
- if not geneve['vni']:
- raise ConfigError('GENEVE VNI must be configured')
+ if 'vni' not in geneve:
+ raise ConfigError('VNI must be configured')
return None
@@ -127,13 +62,13 @@ def generate(geneve):
def apply(geneve):
# Check if GENEVE interface already exists
- if geneve['intf'] in interfaces():
- g = GeneveIf(geneve['intf'])
+ if geneve['ifname'] in interfaces():
+ g = GeneveIf(geneve['ifname'])
# GENEVE is super picky and the tunnel always needs to be recreated,
# thus we can simply always delete it first.
g.remove()
- if not geneve['deleted']:
+ if 'deleted' not in geneve:
# GENEVE interface needs to be created on-block
# instead of passing a ton of arguments, I just use a dict
# that is managed by vyos.ifconfig
@@ -144,32 +79,8 @@ def apply(geneve):
conf['remote'] = geneve['remote']
# Finally create the new interface
- g = GeneveIf(geneve['intf'], **conf)
- # update interface description used e.g. by SNMP
- g.set_alias(geneve['description'])
- # Maximum Transfer Unit (MTU)
- g.set_mtu(geneve['mtu'])
-
- # configure ARP cache timeout in milliseconds
- g.set_arp_cache_tmo(geneve['ip_arp_cache_tmo'])
- # Enable proxy-arp on this interface
- g.set_proxy_arp(geneve['ip_proxy_arp'])
-
- # Configure interface address(es) - no need to implicitly delete the
- # old addresses as they have already been removed by deleting the
- # interface above
- for addr in geneve['address']:
- g.add_addr(addr)
-
- # As the GENEVE interface is always disabled first when changing
- # parameters we will only re-enable the interface if it is not
- # administratively disabled
- if not geneve['disable']:
- g.set_admin_state('up')
-
- # re-add ourselves to any bridge we might have fallen out of
- if geneve['is_bridge_member']:
- g.add_to_bridge(geneve['is_bridge_member'])
+ g = GeneveIf(geneve['ifname'], **conf)
+ g.update(geneve)
return None
diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py
index 4ff0bcb57..0978df5b6 100755
--- a/src/conf_mode/interfaces-l2tpv3.py
+++ b/src/conf_mode/interfaces-l2tpv3.py
@@ -21,200 +21,65 @@ from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
-from vyos.ifconfig import L2TPv3If, Interface
+from vyos.configdict import get_interface_dict
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.ifconfig import L2TPv3If
+from vyos.util import check_kmod
+from vyos.validate import is_addr_assigned
from vyos import ConfigError
-from vyos.util import call
-from vyos.validate import is_member, is_addr_assigned
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- 'address': [],
- 'deleted': False,
- 'description': '',
- 'disable': False,
- 'encapsulation': 'udp',
- 'local_address': '',
- 'local_port': 5000,
- 'intf': '',
- 'ipv6_accept_ra': 1,
- 'ipv6_autoconf': 0,
- 'ipv6_eui64_prefix': [],
- 'ipv6_forwarding': 1,
- 'ipv6_dup_addr_detect': 1,
- 'is_bridge_member': False,
- 'mtu': 1488,
- 'peer_session_id': '',
- 'peer_tunnel_id': '',
- 'remote_address': '',
- 'remote_port': 5000,
- 'session_id': '',
- 'tunnel_id': ''
-}
+k_mod = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6']
-def check_kmod():
- modules = ['l2tp_eth', 'l2tp_netlink', 'l2tp_ip', 'l2tp_ip6']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
def get_config():
- l2tpv3 = deepcopy(default_config_data)
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
+ base = ['interfaces', 'l2tpv3']
+ l2tpv3 = get_interface_dict(conf, base)
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- l2tpv3['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member of a bridge
- l2tpv3['is_bridge_member'] = is_member(conf, l2tpv3['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists('interfaces l2tpv3 ' + l2tpv3['intf']):
- l2tpv3['deleted'] = True
- interface = l2tpv3['intf']
-
- # to delete the l2tpv3 interface we need the current tunnel_id and session_id
- if conf.exists_effective(f'interfaces l2tpv3 {interface} tunnel-id'):
- l2tpv3['tunnel_id'] = conf.return_effective_value(f'interfaces l2tpv3 {interface} tunnel-id')
-
- if conf.exists_effective(f'interfaces l2tpv3 {interface} session-id'):
- l2tpv3['session_id'] = conf.return_effective_value(f'interfaces l2tpv3 {interface} session-id')
-
- return l2tpv3
-
- # set new configuration level
- conf.set_level('interfaces l2tpv3 ' + l2tpv3['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- l2tpv3['address'] = conf.return_values('address')
-
- # retrieve interface description
- if conf.exists('description'):
- l2tpv3['description'] = conf.return_value('description')
-
- # get tunnel destination port
- if conf.exists('destination-port'):
- l2tpv3['remote_port'] = int(conf.return_value('destination-port'))
-
- # Disable this interface
- if conf.exists('disable'):
- l2tpv3['disable'] = True
-
- # get tunnel encapsulation type
- if conf.exists('encapsulation'):
- l2tpv3['encapsulation'] = conf.return_value('encapsulation')
-
- # get tunnel local ip address
- if conf.exists('local-ip'):
- l2tpv3['local_address'] = conf.return_value('local-ip')
-
- # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC)
- if conf.exists('ipv6 address autoconf'):
- l2tpv3['ipv6_autoconf'] = 1
-
- # Get prefixes for IPv6 addressing based on MAC address (EUI-64)
- if conf.exists('ipv6 address eui64'):
- l2tpv3['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64')
-
- # Remove the default link-local address if set.
- if not ( conf.exists('ipv6 address no-default-link-local') or
- l2tpv3['is_bridge_member'] ):
- # add the link-local by default to make IPv6 work
- l2tpv3['ipv6_eui64_prefix'].append('fe80::/64')
-
- # Disable IPv6 forwarding on this interface
- if conf.exists('ipv6 disable-forwarding'):
- l2tpv3['ipv6_forwarding'] = 0
-
- # IPv6 Duplicate Address Detection (DAD) tries
- if conf.exists('ipv6 dup-addr-detect-transmits'):
- l2tpv3['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits'))
+ # L2TPv3 is "special" the default MTU is 1488 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ l2tpv3['mtu'] = '1488'
- # to make IPv6 SLAAC and DHCPv6 work with forwarding=1,
- # accept_ra must be 2
- if l2tpv3['ipv6_autoconf'] or 'dhcpv6' in l2tpv3['address']:
- l2tpv3['ipv6_accept_ra'] = 2
+ # To delete an l2tpv3 interface we need the current tunnel and session-id
+ if 'deleted' in l2tpv3:
+ tmp = leaf_node_changed(conf, ['tunnel-id'])
+ l2tpv3.update({'tunnel_id': tmp})
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- l2tpv3['mtu'] = int(conf.return_value('mtu'))
-
- # Remote session id
- if conf.exists('peer-session-id'):
- l2tpv3['peer_session_id'] = conf.return_value('peer-session-id')
-
- # Remote tunnel id
- if conf.exists('peer-tunnel-id'):
- l2tpv3['peer_tunnel_id'] = conf.return_value('peer-tunnel-id')
-
- # Remote address of L2TPv3 tunnel
- if conf.exists('remote-ip'):
- l2tpv3['remote_address'] = conf.return_value('remote-ip')
-
- # Local session id
- if conf.exists('session-id'):
- l2tpv3['session_id'] = conf.return_value('session-id')
-
- # get local tunnel port
- if conf.exists('source-port'):
- l2tpv3['local_port'] = conf.return_value('source-port')
-
- # get local tunnel id
- if conf.exists('tunnel-id'):
- l2tpv3['tunnel_id'] = conf.return_value('tunnel-id')
+ tmp = leaf_node_changed(conf, ['session-id'])
+ l2tpv3.update({'session_id': tmp})
return l2tpv3
-
def verify(l2tpv3):
- interface = l2tpv3['intf']
-
- if l2tpv3['deleted']:
- if l2tpv3['is_bridge_member']:
- raise ConfigError((
- f'Interface "{l2tpv3["intf"]}" cannot be deleted as it is a '
- f'member of bridge "{l2tpv3["is_bridge_member"]}"!'))
-
+ if 'deleted' in l2tpv3:
+ verify_bridge_delete(l2tpv3)
return None
- if not l2tpv3['local_address']:
- raise ConfigError(f'Must configure the l2tpv3 local-ip for {interface}')
-
- if not is_addr_assigned(l2tpv3['local_address']):
- raise ConfigError(f'Must use a configured IP on l2tpv3 local-ip for {interface}')
+ interface = l2tpv3['ifname']
- if not l2tpv3['remote_address']:
- raise ConfigError(f'Must configure the l2tpv3 remote-ip for {interface}')
+ for key in ['local_ip', 'remote_ip', 'tunnel_id', 'peer_tunnel_id',
+ 'session_id', 'peer_session_id']:
+ if key not in l2tpv3:
+ tmp = key.replace('_', '-')
+ raise ConfigError(f'L2TPv3 {tmp} must be configured!')
- if not l2tpv3['tunnel_id']:
- raise ConfigError(f'Must configure the l2tpv3 tunnel-id for {interface}')
-
- if not l2tpv3['peer_tunnel_id']:
- raise ConfigError(f'Must configure the l2tpv3 peer-tunnel-id for {interface}')
-
- if not l2tpv3['session_id']:
- raise ConfigError(f'Must configure the l2tpv3 session-id for {interface}')
-
- if not l2tpv3['peer_session_id']:
- raise ConfigError(f'Must configure the l2tpv3 peer-session-id for {interface}')
-
- if ( l2tpv3['is_bridge_member']
- and ( l2tpv3['address']
- or l2tpv3['ipv6_eui64_prefix']
- or l2tpv3['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{l2tpv3["intf"]}" '
- f'as it is a member of bridge "{l2tpv3["is_bridge_member"]}"!'))
+ if not is_addr_assigned(l2tpv3['local_ip']):
+ raise ConfigError('L2TPv3 local-ip address '
+ '"{local_ip}" is not configured!'.format(**l2tpv3))
+ verify_address(l2tpv3)
return None
-
def generate(l2tpv3):
return None
@@ -225,65 +90,34 @@ def apply(l2tpv3):
conf = deepcopy(L2TPv3If.get_config())
# Check if L2TPv3 interface already exists
- if l2tpv3['intf'] in interfaces():
+ if l2tpv3['ifname'] in interfaces():
# L2TPv3 is picky when changing tunnels/sessions, thus we can simply
# always delete it first.
conf['session_id'] = l2tpv3['session_id']
conf['tunnel_id'] = l2tpv3['tunnel_id']
- l = L2TPv3If(l2tpv3['intf'], **conf)
+ l = L2TPv3If(l2tpv3['ifname'], **conf)
l.remove()
- if not l2tpv3['deleted']:
+ if 'deleted' not in l2tpv3:
conf['peer_tunnel_id'] = l2tpv3['peer_tunnel_id']
- conf['local_port'] = l2tpv3['local_port']
- conf['remote_port'] = l2tpv3['remote_port']
+ conf['local_port'] = l2tpv3['source_port']
+ conf['remote_port'] = l2tpv3['destination_port']
conf['encapsulation'] = l2tpv3['encapsulation']
- conf['local_address'] = l2tpv3['local_address']
- conf['remote_address'] = l2tpv3['remote_address']
+ conf['local_address'] = l2tpv3['local_ip']
+ conf['remote_address'] = l2tpv3['remote_ip']
conf['session_id'] = l2tpv3['session_id']
conf['tunnel_id'] = l2tpv3['tunnel_id']
conf['peer_session_id'] = l2tpv3['peer_session_id']
# Finally create the new interface
- l = L2TPv3If(l2tpv3['intf'], **conf)
- # update interface description used e.g. by SNMP
- l.set_alias(l2tpv3['description'])
- # Maximum Transfer Unit (MTU)
- l.set_mtu(l2tpv3['mtu'])
- # IPv6 accept RA
- l.set_ipv6_accept_ra(l2tpv3['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- l.set_ipv6_autoconf(l2tpv3['ipv6_autoconf'])
- # IPv6 forwarding
- l.set_ipv6_forwarding(l2tpv3['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- l.set_ipv6_dad_messages(l2tpv3['ipv6_dup_addr_detect'])
-
- # Configure interface address(es) - no need to implicitly delete the
- # old addresses as they have already been removed by deleting the
- # interface above
- for addr in l2tpv3['address']:
- l.add_addr(addr)
-
- # IPv6 EUI-based addresses
- for addr in l2tpv3['ipv6_eui64_prefix']:
- l.add_ipv6_eui64_address(addr)
-
- # As the interface is always disabled first when changing parameters
- # we will only re-enable the interface if it is not administratively
- # disabled
- if not l2tpv3['disable']:
- l.set_admin_state('up')
-
- # re-add ourselves to any bridge we might have fallen out of
- if l2tpv3['is_bridge_member']:
- l.add_to_bridge(l2tpv3['is_bridge_member'])
+ l = L2TPv3If(l2tpv3['ifname'], **conf)
+ l.update(l2tpv3)
return None
if __name__ == '__main__':
try:
- check_kmod()
+ check_kmod(k_mod)
c = get_config()
verify(c)
generate(c)
diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py
index 2368f88a9..0398cd591 100755
--- a/src/conf_mode/interfaces-loopback.py
+++ b/src/conf_mode/interfaces-loopback.py
@@ -18,31 +18,21 @@ import os
from sys import exit
-from vyos.ifconfig import LoopbackIf
from vyos.config import Config
-from vyos import ConfigError, airbag
+from vyos.configdict import get_interface_dict
+from vyos.ifconfig import LoopbackIf
+from vyos import ConfigError
+from vyos import airbag
airbag.enable()
def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = ['interfaces', 'loopback', ifname]
-
- loopback = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if loopback == {}:
- loopback.update({'deleted' : ''})
-
- # store interface instance name in dictionary
- loopback.update({'ifname': ifname})
-
+ base = ['interfaces', 'loopback']
+ loopback = get_interface_dict(conf, base)
return loopback
def verify(loopback):
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 56273f71a..ca15212d4 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -20,16 +20,14 @@ from copy import deepcopy
from sys import exit
from vyos.config import Config
-from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
from vyos.ifconfig import MACsecIf
from vyos.template import render
from vyos.util import call
-from vyos.validate import is_member
from vyos.configverify import verify_vrf
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_source_interface
-from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -38,50 +36,25 @@ airbag.enable()
wpa_suppl_conf = '/run/wpa_supplicant/{source_interface}.conf'
def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- # retrieve interface default values
base = ['interfaces', 'macsec']
- default_values = defaults(base)
+ macsec = get_interface_dict(conf, base)
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = base + [ifname]
-
- macsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
# Check if interface has been removed
- if macsec == {}:
- tmp = {
- 'deleted' : '',
- 'source_interface' : conf.return_effective_value(
+ if 'deleted' in macsec:
+ source_interface = conf.return_effective_value(
base + ['source-interface'])
- }
- macsec.update(tmp)
-
- # We have gathered the dict representation of the CLI, but there are
- # default options which we need to update into the dictionary
- # retrived.
- macsec = dict_merge(default_values, macsec)
-
- # Add interface instance name into dictionary
- macsec.update({'ifname': ifname})
-
- # Check if we are a member of any bridge
- bridge = is_member(conf, ifname, 'bridge')
- if bridge:
- tmp = {'is_bridge_member' : bridge}
- macsec.update(tmp)
+ macsec.update({'source_interface': source_interface})
return macsec
def verify(macsec):
- if 'deleted' in macsec.keys():
+ if 'deleted' in macsec:
verify_bridge_delete(macsec)
return None
@@ -89,18 +62,18 @@ def verify(macsec):
verify_vrf(macsec)
verify_address(macsec)
- if not (('security' in macsec.keys()) and
- ('cipher' in macsec['security'].keys())):
+ if not (('security' in macsec) and
+ ('cipher' in macsec['security'])):
raise ConfigError(
'Cipher suite must be set for MACsec "{ifname}"'.format(**macsec))
- if (('security' in macsec.keys()) and
- ('encrypt' in macsec['security'].keys())):
+ if (('security' in macsec) and
+ ('encrypt' in macsec['security'])):
tmp = macsec.get('security')
- if not (('mka' in tmp.keys()) and
- ('cak' in tmp['mka'].keys()) and
- ('ckn' in tmp['mka'].keys())):
+ if not (('mka' in tmp) and
+ ('cak' in tmp['mka']) and
+ ('ckn' in tmp['mka'])):
raise ConfigError('Missing mandatory MACsec security '
'keys as encryption is enabled!')
diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py
index 3ee57e83c..928113b49 100755
--- a/src/conf_mode/interfaces-pppoe.py
+++ b/src/conf_mode/interfaces-pppoe.py
@@ -22,51 +22,34 @@ from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
-from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
from vyos.configverify import verify_source_interface
from vyos.configverify import verify_vrf
from vyos.template import render
from vyos.util import call
-from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- # retrieve interface default values
base = ['interfaces', 'pppoe']
- default_values = defaults(base)
- # PPPoE is "special" the default MTU is 1492 - update accordingly
- default_values['mtu'] = '1492'
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = base + [ifname]
+ pppoe = get_interface_dict(conf, base)
- pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if pppoe == {}:
- pppoe.update({'deleted' : ''})
-
- # We have gathered the dict representation of the CLI, but there are
- # default options which we need to update into the dictionary
- # retrived.
- pppoe = dict_merge(default_values, pppoe)
-
- # Add interface instance name into dictionary
- pppoe.update({'ifname': ifname})
+ # PPPoE is "special" the default MTU is 1492 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ pppoe['mtu'] = '1492'
return pppoe
def verify(pppoe):
- if 'deleted' in pppoe.keys():
+ if 'deleted' in pppoe:
# bail out early
return None
@@ -92,7 +75,7 @@ def generate(pppoe):
config_files = [config_pppoe, script_pppoe_pre_up, script_pppoe_ip_up,
script_pppoe_ip_down, script_pppoe_ipv6_up, config_wide_dhcp6c]
- if 'deleted' in pppoe.keys():
+ if 'deleted' in pppoe:
# stop DHCPv6-PD client
call(f'systemctl stop dhcp6c@{ifname}.service')
# Hang-up PPPoE connection
@@ -125,16 +108,16 @@ def generate(pppoe):
if tmp and len(tmp) > 0:
# ipv6.tmpl relies on ifname - this should be made consitent in the
# future better then double key-ing the same value
- render(config_wide_dhcp6c, 'dhcp-client/ipv6_new.tmpl', pppoe, trim_blocks=True)
+ render(config_wide_dhcp6c, 'dhcp-client/ipv6.tmpl', pppoe, trim_blocks=True)
return None
def apply(pppoe):
- if 'deleted' in pppoe.keys():
+ if 'deleted' in pppoe:
# bail out early
return None
- if 'disable' not in pppoe.keys():
+ if 'disable' not in pppoe:
# Dial PPPoE connection
call('systemctl restart ppp@{ifname}.service'.format(**pppoe))
diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py
index 70710e97c..4afea2b3a 100755
--- a/src/conf_mode/interfaces-pseudo-ethernet.py
+++ b/src/conf_mode/interfaces-pseudo-ethernet.py
@@ -18,112 +18,44 @@ import os
from copy import deepcopy
from sys import exit
-from netifaces import interfaces
from vyos.config import Config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
-from vyos.ifconfig import MACVLANIf, Section
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
+from vyos.configdict import get_interface_dict
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_vrf
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_vlan_config
+from vyos.ifconfig import MACVLANIf
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'deleted': False,
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_proxy_arp_pvlan': 0,
- 'source_interface': '',
- 'source_interface_changed': False,
- 'mode': 'private',
- 'vif_s': {},
- 'vif_s_remove': [],
- 'vif': {},
- 'vif_remove': [],
- 'vrf': ''
-}
-
def get_config():
- peth = deepcopy(default_config_data)
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
+ base = ['interfaces', 'pseudo-ethernet']
+ peth = get_interface_dict(conf, base)
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- peth['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # Check if interface has been removed
- cfg_base = ['interfaces', 'pseudo-ethernet', peth['intf']]
- if not conf.exists(cfg_base):
- peth['deleted'] = True
- return peth
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- peth, disabled = intf_to_dict(conf, default_config_data)
-
- # ARP cache entry timeout in seconds
- if conf.exists(['ip', 'arp-cache-timeout']):
- peth['ip_arp_cache_tmo'] = int(conf.return_value(['ip', 'arp-cache-timeout']))
-
- # Enable private VLAN proxy ARP on this interface
- if conf.exists(['ip', 'proxy-arp-pvlan']):
- peth['ip_proxy_arp_pvlan'] = 1
-
- # Physical interface
- if conf.exists(['source-interface']):
- peth['source_interface'] = conf.return_value(['source-interface'])
- tmp = conf.return_effective_value(['source-interface'])
- if tmp != peth['source_interface']:
- peth['source_interface_changed'] = True
-
- # MACvlan mode
- if conf.exists(['mode']):
- peth['mode'] = conf.return_value(['mode'])
-
- add_to_dict(conf, disabled, peth, 'vif', 'vif')
- add_to_dict(conf, disabled, peth, 'vif-s', 'vif_s')
+ mode = leaf_node_changed(conf, ['mode'])
+ if mode:
+ peth.update({'mode_old' : mode})
return peth
def verify(peth):
- if peth['deleted']:
- if peth['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{peth["intf"]}" as it is a '
- f'member of bridge "{peth["is_bridge_member"]}"!'))
-
+ if 'deleted' in peth:
+ verify_bridge_delete(peth)
return None
- if not peth['source_interface']:
- raise ConfigError((
- f'Link device must be set for pseudo-ethernet "{peth["intf"]}"'))
-
- if not peth['source_interface'] in interfaces():
- raise ConfigError((
- f'Pseudo-ethernet "{peth["intf"]}" link device does not exist'))
-
- if ( peth['is_bridge_member']
- and ( peth['address']
- or peth['ipv6_eui64_prefix']
- or peth['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{peth["intf"]}" '
- f'as it is a member of bridge "{peth["is_bridge_member"]}"!'))
-
- if peth['vrf']:
- if peth['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{peth["vrf"]}" does not exist')
-
- if peth['is_bridge_member']:
- raise ConfigError((
- f'Interface "{peth["intf"]}" cannot be member of VRF '
- f'"{peth["vrf"]}" and bridge {peth["is_bridge_member"]} '
- f'at the same time!'))
+ verify_source_interface(peth)
+ verify_vrf(peth)
+ verify_address(peth)
# use common function to verify VLAN configuration
verify_vlan_config(peth)
@@ -133,17 +65,16 @@ def generate(peth):
return None
def apply(peth):
- if peth['deleted']:
+ if 'deleted' in peth:
# delete interface
- MACVLANIf(peth['intf']).remove()
+ MACVLANIf(peth['ifname']).remove()
return None
# Check if MACVLAN interface already exists. Parameters like the underlaying
- # source-interface device can not be changed on the fly and the interface
+ # source-interface device or mode can not be changed on the fly and the interface
# needs to be recreated from the bottom.
- if peth['intf'] in interfaces():
- if peth['source_interface_changed']:
- MACVLANIf(peth['intf']).remove()
+ if 'mode_old' in peth:
+ MACVLANIf(peth['ifname']).remove()
# MACVLAN interface needs to be created on-block instead of passing a ton
# of arguments, I just use a dict that is managed by vyos.ifconfig
@@ -155,98 +86,8 @@ def apply(peth):
# It is safe to "re-create" the interface always, there is a sanity check
# that the interface will only be create if its non existent
- p = MACVLANIf(peth['intf'], **conf)
-
- # update interface description used e.g. within SNMP
- p.set_alias(peth['description'])
-
- if peth['dhcp_client_id']:
- p.dhcp.v4.options['client_id'] = peth['dhcp_client_id']
-
- if peth['dhcp_hostname']:
- p.dhcp.v4.options['hostname'] = peth['dhcp_hostname']
-
- if peth['dhcp_vendor_class_id']:
- p.dhcp.v4.options['vendor_class_id'] = peth['dhcp_vendor_class_id']
-
- if peth['dhcpv6_prm_only']:
- p.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if peth['dhcpv6_temporary']:
- p.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if peth['dhcpv6_pd_length']:
- p.dhcp.v6.options['dhcpv6_pd_length'] = peth['dhcpv6_pd_length']
-
- if peth['dhcpv6_pd_interfaces']:
- p.dhcp.v6.options['dhcpv6_pd_interfaces'] = peth['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- p.set_link_detect(peth['disable_link_detect'])
- # configure ARP cache timeout in milliseconds
- p.set_arp_cache_tmo(peth['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- p.set_arp_filter(peth['ip_disable_arp_filter'])
- # configure ARP accept
- p.set_arp_accept(peth['ip_enable_arp_accept'])
- # configure ARP announce
- p.set_arp_announce(peth['ip_enable_arp_announce'])
- # configure ARP ignore
- p.set_arp_ignore(peth['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- p.set_proxy_arp(peth['ip_proxy_arp'])
- # Enable private VLAN proxy ARP on this interface
- p.set_proxy_arp_pvlan(peth['ip_proxy_arp_pvlan'])
- # IPv6 accept RA
- p.set_ipv6_accept_ra(peth['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- p.set_ipv6_autoconf(peth['ipv6_autoconf'])
- # IPv6 forwarding
- p.set_ipv6_forwarding(peth['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- p.set_ipv6_dad_messages(peth['ipv6_dup_addr_detect'])
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not peth['is_bridge_member']:
- p.set_vrf(peth['vrf'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in peth['ipv6_eui64_prefix_remove']:
- p.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address
- if peth['mac']:
- p.set_mac(peth['mac'])
-
- # Add IPv6 EUI-based addresses
- for addr in peth['ipv6_eui64_prefix']:
- p.add_ipv6_eui64_address(addr)
-
- # Change interface mode
- p.set_mode(peth['mode'])
-
- # Enable/Disable interface
- if peth['disable']:
- p.set_admin_state('down')
- else:
- p.set_admin_state('up')
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in peth['address_remove']:
- p.del_addr(addr)
- for addr in peth['address']:
- p.add_addr(addr)
-
- # re-add ourselves to any bridge we might have fallen out of
- if peth['is_bridge_member']:
- p.add_to_bridge(peth['is_bridge_member'])
-
- # apply all vlans to interface
- apply_all_vlans(p, peth)
-
+ p = MACVLANIf(peth['ifname'], **conf)
+ p.update(peth)
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py
index 39db814b4..47c0bdcb8 100755
--- a/src/conf_mode/interfaces-vxlan.py
+++ b/src/conf_mode/interfaces-vxlan.py
@@ -21,197 +21,61 @@ from copy import deepcopy
from netifaces import interfaces
from vyos.config import Config
+from vyos.configdict import get_interface_dict
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_source_interface
from vyos.ifconfig import VXLANIf, Interface
-from vyos.validate import is_member
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- 'address': [],
- 'deleted': False,
- 'description': '',
- 'disable': False,
- 'group': '',
- 'intf': '',
- 'ip_arp_cache_tmo': 30,
- 'ip_disable_arp_filter': 1,
- 'ip_enable_arp_accept': 0,
- 'ip_enable_arp_announce': 0,
- 'ip_enable_arp_ignore': 0,
- 'ip_proxy_arp': 0,
- 'ipv6_accept_ra': 1,
- 'ipv6_autoconf': 0,
- 'ipv6_eui64_prefix': [],
- 'ipv6_forwarding': 1,
- 'ipv6_dup_addr_detect': 1,
- 'is_bridge_member': False,
- 'source_address': '',
- 'source_interface': '',
- 'mtu': 1450,
- 'remote': '',
- 'remote_port': 8472, # The Linux implementation of VXLAN pre-dates
- # the IANA's selection of a standard destination port
- 'vni': ''
-}
-
def get_config():
- vxlan = deepcopy(default_config_data)
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
+ base = ['interfaces', 'vxlan']
+ vxlan = get_interface_dict(conf, base)
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- vxlan['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member if a bridge
- vxlan['is_bridge_member'] = is_member(conf, vxlan['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists('interfaces vxlan ' + vxlan['intf']):
- vxlan['deleted'] = True
- return vxlan
-
- # set new configuration level
- conf.set_level('interfaces vxlan ' + vxlan['intf'])
-
- # retrieve configured interface addresses
- if conf.exists('address'):
- vxlan['address'] = conf.return_values('address')
-
- # retrieve interface description
- if conf.exists('description'):
- vxlan['description'] = conf.return_value('description')
-
- # Disable this interface
- if conf.exists('disable'):
- vxlan['disable'] = True
-
- # VXLAN multicast grou
- if conf.exists('group'):
- vxlan['group'] = conf.return_value('group')
-
- # ARP cache entry timeout in seconds
- if conf.exists('ip arp-cache-timeout'):
- vxlan['ip_arp_cache_tmo'] = int(conf.return_value('ip arp-cache-timeout'))
-
- # ARP filter configuration
- if conf.exists('ip disable-arp-filter'):
- vxlan['ip_disable_arp_filter'] = 0
-
- # ARP enable accept
- if conf.exists('ip enable-arp-accept'):
- vxlan['ip_enable_arp_accept'] = 1
-
- # ARP enable announce
- if conf.exists('ip enable-arp-announce'):
- vxlan['ip_enable_arp_announce'] = 1
-
- # ARP enable ignore
- if conf.exists('ip enable-arp-ignore'):
- vxlan['ip_enable_arp_ignore'] = 1
-
- # Enable proxy-arp on this interface
- if conf.exists('ip enable-proxy-arp'):
- vxlan['ip_proxy_arp'] = 1
-
- # Enable acquisition of IPv6 address using stateless autoconfig (SLAAC)
- if conf.exists('ipv6 address autoconf'):
- vxlan['ipv6_autoconf'] = 1
-
- # Get prefixes for IPv6 addressing based on MAC address (EUI-64)
- if conf.exists('ipv6 address eui64'):
- vxlan['ipv6_eui64_prefix'] = conf.return_values('ipv6 address eui64')
-
- # Remove the default link-local address if set.
- if not ( conf.exists('ipv6 address no-default-link-local')
- or vxlan['is_bridge_member'] ):
- # add the link-local by default to make IPv6 work
- vxlan['ipv6_eui64_prefix'].append('fe80::/64')
-
- # Disable IPv6 forwarding on this interface
- if conf.exists('ipv6 disable-forwarding'):
- vxlan['ipv6_forwarding'] = 0
-
- # IPv6 Duplicate Address Detection (DAD) tries
- if conf.exists('ipv6 dup-addr-detect-transmits'):
- vxlan['ipv6_dup_addr_detect'] = int(conf.return_value('ipv6 dup-addr-detect-transmits'))
-
- # to make IPv6 SLAAC and DHCPv6 work with forwarding=1,
- # accept_ra must be 2
- if vxlan['ipv6_autoconf'] or 'dhcpv6' in vxlan['address']:
- vxlan['ipv6_accept_ra'] = 2
-
- # VXLAN source address
- if conf.exists('source-address'):
- vxlan['source_address'] = conf.return_value('source-address')
-
- # VXLAN underlay interface
- if conf.exists('source-interface'):
- vxlan['source_interface'] = conf.return_value('source-interface')
-
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- vxlan['mtu'] = int(conf.return_value('mtu'))
-
- # Remote address of VXLAN tunnel
- if conf.exists('remote'):
- vxlan['remote'] = conf.return_value('remote')
-
- # Remote port of VXLAN tunnel
- if conf.exists('port'):
- vxlan['remote_port'] = int(conf.return_value('port'))
-
- # Virtual Network Identifier
- if conf.exists('vni'):
- vxlan['vni'] = conf.return_value('vni')
+ # VXLAN is "special" the default MTU is 1492 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ vxlan['mtu'] = '1450'
return vxlan
-
def verify(vxlan):
- if vxlan['deleted']:
- if vxlan['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{vxlan["intf"]}" as it is a '
- f'member of bridge "{vxlan["is_bridge_member"]}"!'))
-
+ if 'deleted' in vxlan:
+ verify_bridge_delete(vxlan)
return None
- if vxlan['mtu'] < 1500:
+ if int(vxlan['mtu']) < 1500:
print('WARNING: RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU')
- if vxlan['group']:
- if not vxlan['source_interface']:
+ if 'group' in vxlan:
+ if 'source_interface' not in vxlan:
raise ConfigError('Multicast VXLAN requires an underlaying interface ')
- if not vxlan['source_interface'] in interfaces():
- raise ConfigError('VXLAN source interface does not exist')
+ verify_source_interface(vxlan)
- if not (vxlan['group'] or vxlan['remote'] or vxlan['source_address']):
+ if not any(tmp in ['group', 'remote', 'source_address'] for tmp in vxlan):
raise ConfigError('Group, remote or source-address must be configured')
- if not vxlan['vni']:
+ if 'vni' not in vxlan:
raise ConfigError('Must configure VNI for VXLAN')
- if vxlan['source_interface']:
+ if 'source_interface' in vxlan:
# VXLAN adds a 50 byte overhead - we need to check the underlaying MTU
# if our configured MTU is at least 50 bytes less
underlay_mtu = int(Interface(vxlan['source_interface']).get_mtu())
- if underlay_mtu < (vxlan['mtu'] + 50):
+ if underlay_mtu < (int(vxlan['mtu']) + 50):
raise ConfigError('VXLAN has a 50 byte overhead, underlaying device ' \
- 'MTU is to small ({})'.format(underlay_mtu))
-
- if ( vxlan['is_bridge_member']
- and ( vxlan['address']
- or vxlan['ipv6_eui64_prefix']
- or vxlan['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{vxlan["intf"]}" '
- f'as it is a member of bridge "{vxlan["is_bridge_member"]}"!'))
+ f'MTU is to small ({underlay_mtu} bytes)')
+ verify_address(vxlan)
return None
@@ -221,73 +85,26 @@ def generate(vxlan):
def apply(vxlan):
# Check if the VXLAN interface already exists
- if vxlan['intf'] in interfaces():
- v = VXLANIf(vxlan['intf'])
+ if vxlan['ifname'] in interfaces():
+ v = VXLANIf(vxlan['ifname'])
# VXLAN is super picky and the tunnel always needs to be recreated,
# thus we can simply always delete it first.
v.remove()
- if not vxlan['deleted']:
+ if 'deleted' not in vxlan:
# VXLAN interface needs to be created on-block
# instead of passing a ton of arguments, I just use a dict
# that is managed by vyos.ifconfig
conf = deepcopy(VXLANIf.get_config())
# Assign VXLAN instance configuration parameters to config dict
- conf['vni'] = vxlan['vni']
- conf['group'] = vxlan['group']
- conf['src_address'] = vxlan['source_address']
- conf['src_interface'] = vxlan['source_interface']
- conf['remote'] = vxlan['remote']
- conf['port'] = vxlan['remote_port']
+ for tmp in ['vni', 'group', 'source_address', 'source_interface', 'remote', 'port']:
+ if tmp in vxlan:
+ conf[tmp] = vxlan[tmp]
# Finally create the new interface
- v = VXLANIf(vxlan['intf'], **conf)
- # update interface description used e.g. by SNMP
- v.set_alias(vxlan['description'])
- # Maximum Transfer Unit (MTU)
- v.set_mtu(vxlan['mtu'])
-
- # configure ARP cache timeout in milliseconds
- v.set_arp_cache_tmo(vxlan['ip_arp_cache_tmo'])
- # configure ARP filter configuration
- v.set_arp_filter(vxlan['ip_disable_arp_filter'])
- # configure ARP accept
- v.set_arp_accept(vxlan['ip_enable_arp_accept'])
- # configure ARP announce
- v.set_arp_announce(vxlan['ip_enable_arp_announce'])
- # configure ARP ignore
- v.set_arp_ignore(vxlan['ip_enable_arp_ignore'])
- # Enable proxy-arp on this interface
- v.set_proxy_arp(vxlan['ip_proxy_arp'])
- # IPv6 accept RA
- v.set_ipv6_accept_ra(vxlan['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- v.set_ipv6_autoconf(vxlan['ipv6_autoconf'])
- # IPv6 forwarding
- v.set_ipv6_forwarding(vxlan['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- v.set_ipv6_dad_messages(vxlan['ipv6_dup_addr_detect'])
-
- # Configure interface address(es) - no need to implicitly delete the
- # old addresses as they have already been removed by deleting the
- # interface above
- for addr in vxlan['address']:
- v.add_addr(addr)
-
- # IPv6 EUI-based addresses
- for addr in vxlan['ipv6_eui64_prefix']:
- v.add_ipv6_eui64_address(addr)
-
- # As the VXLAN interface is always disabled first when changing
- # parameters we will only re-enable the interface if it is not
- # administratively disabled
- if not vxlan['disable']:
- v.set_admin_state('up')
-
- # re-add ourselves to any bridge we might have fallen out of
- if vxlan['is_bridge_member']:
- v.add_to_bridge(vxlan['is_bridge_member'])
+ v = VXLANIf(vxlan['ifname'], **conf)
+ v.update(vxlan)
return None
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index c24c9a7ce..8b64cde4d 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -15,308 +15,98 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-import re
from sys import exit
from copy import deepcopy
-from netifaces import interfaces
from vyos.config import Config
-from vyos.configdict import list_diff
+from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
+from vyos.configdict import node_changed
+from vyos.configdict import leaf_node_changed
+from vyos.configverify import verify_vrf
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
from vyos.ifconfig import WireGuardIf
-from vyos.util import chown, chmod_750, call
-from vyos.validate import is_member, is_ipv6
+from vyos.util import check_kmod
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-kdir = r'/config/auth/wireguard'
-
-default_config_data = {
- 'intfc': '',
- 'address': [],
- 'address_remove': [],
- 'description': '',
- 'listen_port': '',
- 'deleted': False,
- 'disable': False,
- 'fwmark': 0,
- 'is_bridge_member': False,
- 'mtu': 1420,
- 'peer': [],
- 'peer_remove': [], # stores public keys of peers to remove
- 'pk': f'{kdir}/default/private.key',
- 'vrf': ''
-}
-
-def _check_kmod():
- modules = ['wireguard']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
-
-
-def _migrate_default_keys():
- if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'):
- location = f'{kdir}/default'
- if not os.path.exists(location):
- os.makedirs(location)
-
- chown(location, 'root', 'vyattacfg')
- chmod_750(location)
- os.rename(f'{kdir}/private.key', f'{location}/private.key')
- os.rename(f'{kdir}/public.key', f'{location}/public.key')
-
-
def get_config():
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
base = ['interfaces', 'wireguard']
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- wg = deepcopy(default_config_data)
- wg['intf'] = os.environ['VYOS_TAGNODE_VALUE']
-
- # check if interface is member if a bridge
- wg['is_bridge_member'] = is_member(conf, wg['intf'], 'bridge')
-
- # Check if interface has been removed
- if not conf.exists(base + [wg['intf']]):
- wg['deleted'] = True
- return wg
-
- conf.set_level(base + [wg['intf']])
-
- # retrieve configured interface addresses
- if conf.exists(['address']):
- wg['address'] = conf.return_values(['address'])
-
- # get interface addresses (currently effective) - to determine which
- # address is no longer valid and needs to be removed
- eff_addr = conf.return_effective_values(['address'])
- wg['address_remove'] = list_diff(eff_addr, wg['address'])
-
- # retrieve interface description
- if conf.exists(['description']):
- wg['description'] = conf.return_value(['description'])
-
- # disable interface
- if conf.exists(['disable']):
- wg['disable'] = True
-
- # local port to listen on
- if conf.exists(['port']):
- wg['listen_port'] = conf.return_value(['port'])
-
- # fwmark value
- if conf.exists(['fwmark']):
- wg['fwmark'] = int(conf.return_value(['fwmark']))
-
- # Maximum Transmission Unit (MTU)
- if conf.exists('mtu'):
- wg['mtu'] = int(conf.return_value(['mtu']))
-
- # retrieve VRF instance
- if conf.exists('vrf'):
- wg['vrf'] = conf.return_value('vrf')
-
- # private key
- if conf.exists(['private-key']):
- wg['pk'] = "{0}/{1}/private.key".format(
- kdir, conf.return_value(['private-key']))
-
- # peer removal, wg identifies peers by its pubkey
- peer_eff = conf.list_effective_nodes(['peer'])
- peer_rem = list_diff(peer_eff, conf.list_nodes(['peer']))
- for peer in peer_rem:
- wg['peer_remove'].append(
- conf.return_effective_value(['peer', peer, 'pubkey']))
-
- # peer settings
- if conf.exists(['peer']):
- for p in conf.list_nodes(['peer']):
- # set new config level for this peer
- conf.set_level(base + [wg['intf'], 'peer', p])
- peer = {
- 'allowed-ips': [],
- 'address': '',
- 'name': p,
- 'persistent_keepalive': '',
- 'port': '',
- 'psk': '',
- 'pubkey': ''
- }
-
- # peer allowed-ips
- if conf.exists(['allowed-ips']):
- peer['allowed-ips'] = conf.return_values(['allowed-ips'])
-
- # peer address
- if conf.exists(['address']):
- peer['address'] = conf.return_value(['address'])
-
- # peer port
- if conf.exists(['port']):
- peer['port'] = conf.return_value(['port'])
-
- # persistent-keepalive
- if conf.exists(['persistent-keepalive']):
- peer['persistent_keepalive'] = conf.return_value(['persistent-keepalive'])
-
- # preshared-key
- if conf.exists(['preshared-key']):
- peer['psk'] = conf.return_value(['preshared-key'])
-
- # peer pubkeys
- if conf.exists(['pubkey']):
- key_eff = conf.return_effective_value(['pubkey'])
- key_cfg = conf.return_value(['pubkey'])
- peer['pubkey'] = key_cfg
-
- # on a pubkey change we need to remove the pubkey first
- # peers are identified by pubkey, so key update means
- # peer removal and re-add
- if key_eff != key_cfg and key_eff != None:
- wg['peer_remove'].append(key_cfg)
-
- # if a peer is disabled, we have to exec a remove for it's pubkey
- if conf.exists(['disable']):
- wg['peer_remove'].append(peer['pubkey'])
- else:
- wg['peer'].append(peer)
-
- return wg
-
-
-def verify(wg):
- if wg['deleted']:
- if wg['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{wg["intf"]}" as it is a member '
- f'of bridge "{wg["is_bridge_member"]}"!'))
-
+ wireguard = get_interface_dict(conf, base)
+
+ # Wireguard is "special" the default MTU is 1420 - update accordingly
+ # as the config_level is already st in get_interface_dict() - we can use []
+ tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True)
+ if 'mtu' not in tmp:
+ wireguard['mtu'] = '1420'
+
+ # Mangle private key - it has a default so its always valid
+ wireguard['private_key'] = '/config/auth/wireguard/{private_key}/private.key'.format(**wireguard)
+
+ # Determine which Wireguard peer has been removed.
+ # Peers can only be removed with their public key!
+ tmp = node_changed(conf, ['peer'])
+ if tmp:
+ dict = {}
+ for peer in tmp:
+ peer_config = leaf_node_changed(conf, ['peer', peer, 'pubkey'])
+ dict = dict_merge({'peer_remove' : {peer : {'pubkey' : peer_config}}}, dict)
+ wireguard.update(dict)
+
+ return wireguard
+
+def verify(wireguard):
+ if 'deleted' in wireguard:
+ verify_bridge_delete(wireguard)
return None
- if wg['is_bridge_member'] and wg['address']:
- raise ConfigError((
- f'Cannot assign address to interface "{wg["intf"]}" '
- f'as it is a member of bridge "{wg["is_bridge_member"]}"!'))
+ verify_address(wireguard)
+ verify_vrf(wireguard)
- if wg['vrf']:
- if wg['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{wg["vrf"]}" does not exist')
+ if not os.path.exists(wireguard['private_key']):
+ raise ConfigError('Wireguard private-key not found! Execute: ' \
+ '"run generate wireguard [default-keypair|named-keypairs]"')
- if wg['is_bridge_member']:
- raise ConfigError((
- f'Interface "{wg["intf"]}" cannot be member of VRF '
- f'"{wg["vrf"]}" and bridge {wg["is_bridge_member"]} '
- f'at the same time!'))
+ if 'address' not in wireguard:
+ raise ConfigError('IP address required!')
- if not os.path.exists(wg['pk']):
- raise ConfigError('No keys found, generate them by executing:\n' \
- '"run generate wireguard [keypair|named-keypairs]"')
-
- if not wg['address']:
- raise ConfigError(f'IP address required for interface "{wg["intf"]}"!')
-
- if not wg['peer']:
- raise ConfigError(f'Peer required for interface "{wg["intf"]}"!')
+ if 'peer' not in wireguard:
+ raise ConfigError('At least one Wireguard peer is required!')
# run checks on individual configured WireGuard peer
- for peer in wg['peer']:
- if not peer['allowed-ips']:
- raise ConfigError(f'Peer allowed-ips required for peer "{peer["name"]}"!')
-
- if not peer['pubkey']:
- raise ConfigError(f'Peer public-key required for peer "{peer["name"]}"!')
+ for tmp in wireguard['peer']:
+ peer = wireguard['peer'][tmp]
- if peer['address'] and not peer['port']:
- raise ConfigError(f'Peer "{peer["name"]}" port must be defined if address is defined!')
+ if 'allowed_ips' not in peer:
+ raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!')
- if not peer['address'] and peer['port']:
- raise ConfigError(f'Peer "{peer["name"]}" address must be defined if port is defined!')
+ if 'pubkey' not in peer:
+ raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!')
+ if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer):
+ raise ConfigError('Both Wireguard port and address must be defined '
+ f'for peer "{tmp}" if either one of them is set!')
-def apply(wg):
- # init wg class
- w = WireGuardIf(wg['intf'])
-
- # single interface removal
- if wg['deleted']:
- w.remove()
+def apply(wireguard):
+ if 'deleted' in wireguard:
+ WireGuardIf(wireguard['ifname']).remove()
return None
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in wg['address_remove']:
- w.del_addr(addr)
- for addr in wg['address']:
- w.add_addr(addr)
-
- # Maximum Transmission Unit (MTU)
- w.set_mtu(wg['mtu'])
-
- # update interface description used e.g. within SNMP
- w.set_alias(wg['description'])
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not wg['is_bridge_member']:
- w.set_vrf(wg['vrf'])
-
- # remove peers
- for pub_key in wg['peer_remove']:
- w.remove_peer(pub_key)
-
- # peer pubkey
- # setting up the wg interface
- w.config['private_key'] = c['pk']
-
- for peer in wg['peer']:
- # peer pubkey
- w.config['pubkey'] = peer['pubkey']
- # peer allowed-ips
- w.config['allowed-ips'] = peer['allowed-ips']
- # local listen port
- if wg['listen_port']:
- w.config['port'] = wg['listen_port']
- # fwmark
- if c['fwmark']:
- w.config['fwmark'] = wg['fwmark']
-
- # endpoint
- if peer['address'] and peer['port']:
- if is_ipv6(peer['address']):
- w.config['endpoint'] = '[{}]:{}'.format(peer['address'], peer['port'])
- else:
- w.config['endpoint'] = '{}:{}'.format(peer['address'], peer['port'])
-
- # persistent-keepalive
- if peer['persistent_keepalive']:
- w.config['keepalive'] = peer['persistent_keepalive']
-
- if peer['psk']:
- w.config['psk'] = peer['psk']
-
- w.update()
-
- # Enable/Disable interface
- if wg['disable']:
- w.set_admin_state('down')
- else:
- w.set_admin_state('up')
-
+ w = WireGuardIf(wireguard['ifname'])
+ w.update(wireguard)
return None
if __name__ == '__main__':
try:
- _check_kmod()
- _migrate_default_keys()
+ check_kmod('wireguard')
c = get_config()
verify(c)
apply(c)
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index 0162b642c..b6f247952 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -15,497 +15,163 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
+
from sys import exit
from re import findall
-
from copy import deepcopy
-
-from netifaces import interfaces
from netaddr import EUI, mac_unix_expanded
from vyos.config import Config
-from vyos.configdict import list_diff, intf_to_dict, add_to_dict, interface_default_data
-from vyos.ifconfig import WiFiIf, Section
-from vyos.ifconfig_vlan import apply_all_vlans, verify_vlan_config
+from vyos.configdict import get_interface_dict
+from vyos.configdict import dict_merge
+from vyos.configverify import verify_address
+from vyos.configverify import verify_bridge_delete
+from vyos.configverify import verify_dhcpv6
+from vyos.configverify import verify_source_interface
+from vyos.configverify import verify_vlan_config
+from vyos.configverify import verify_vrf
+from vyos.ifconfig import WiFiIf
from vyos.template import render
-from vyos.util import chown, call
-from vyos.validate import is_member
+from vyos.util import call
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
-default_config_data = {
- **interface_default_data,
- 'cap_ht' : False,
- 'cap_ht_40mhz_incapable' : False,
- 'cap_ht_powersave' : False,
- 'cap_ht_chan_set_width' : '',
- 'cap_ht_delayed_block_ack' : False,
- 'cap_ht_dsss_cck_40' : False,
- 'cap_ht_greenfield' : False,
- 'cap_ht_ldpc' : False,
- 'cap_ht_lsig_protection' : False,
- 'cap_ht_max_amsdu' : '',
- 'cap_ht_short_gi' : [],
- 'cap_ht_smps' : '',
- 'cap_ht_stbc_rx' : '',
- 'cap_ht_stbc_tx' : False,
- 'cap_req_ht' : False,
- 'cap_req_vht' : False,
- 'cap_vht' : False,
- 'cap_vht_antenna_cnt' : '',
- 'cap_vht_antenna_fixed' : False,
- 'cap_vht_beamform' : '',
- 'cap_vht_center_freq_1' : '',
- 'cap_vht_center_freq_2' : '',
- 'cap_vht_chan_set_width' : '',
- 'cap_vht_ldpc' : False,
- 'cap_vht_link_adaptation' : '',
- 'cap_vht_max_mpdu_exp' : '',
- 'cap_vht_max_mpdu' : '',
- 'cap_vht_short_gi' : [],
- 'cap_vht_stbc_rx' : '',
- 'cap_vht_stbc_tx' : False,
- 'cap_vht_tx_powersave' : False,
- 'cap_vht_vht_cf' : False,
- 'channel': '',
- 'country_code': '',
- 'deleted': False,
- 'disable_broadcast_ssid' : False,
- 'disable_link_detect' : 1,
- 'expunge_failing_stations' : False,
- 'hw_id' : '',
- 'intf': '',
- 'isolate_stations' : False,
- 'max_stations' : '',
- 'mgmt_frame_protection' : 'disabled',
- 'mode' : 'g',
- 'phy' : '',
- 'reduce_transmit_power' : '',
- 'sec_wep' : False,
- 'sec_wep_key' : [],
- 'sec_wpa' : False,
- 'sec_wpa_cipher' : [],
- 'sec_wpa_mode' : 'both',
- 'sec_wpa_passphrase' : '',
- 'sec_wpa_radius' : [],
- 'ssid' : '',
- 'op_mode' : 'monitor',
- 'vif': {},
- 'vif_remove': [],
- 'vif_s': {},
- 'vif_s_remove': []
-}
-
# XXX: wpa_supplicant works on the source interface
-wpa_suppl_conf = '/run/wpa_supplicant/{intf}.conf'
-hostapd_conf = '/run/hostapd/{intf}.conf'
+wpa_suppl_conf = '/run/wpa_supplicant/{ifname}.conf'
+hostapd_conf = '/run/hostapd/{ifname}.conf'
+
+def find_other_stations(conf, base, ifname):
+ """
+ Only one wireless interface per phy can be in station mode -
+ find all interfaces attached to a phy which run in station mode
+ """
+ old_level = conf.get_level()
+ conf.set_level(base)
+ dict = {}
+ for phy in os.listdir('/sys/class/ieee80211'):
+ list = []
+ for interface in conf.list_nodes([]):
+ if interface == ifname:
+ continue
+ # the following node is mandatory
+ if conf.exists([interface, 'physical-device', phy]):
+ tmp = conf.return_value([interface, 'type'])
+ if tmp == 'station':
+ list.append(interface)
+ if list:
+ dict.update({phy: list})
+ conf.set_level(old_level)
+ return dict
def get_config():
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # check if wireless interface has been removed
- cfg_base = ['interfaces', 'wireless ', ifname]
- if not conf.exists(cfg_base):
- wifi = deepcopy(default_config_data)
- wifi['intf'] = ifname
- wifi['deleted'] = True
- # we need to know if we're a bridge member so we can refuse deletion
- wifi['is_bridge_member'] = is_member(conf, wifi['intf'], 'bridge')
- # we can not bail out early as wireless interface can not be removed
- # Kernel will complain with: RTNETLINK answers: Operation not supported.
- # Thus we need to remove individual settings
- return wifi
-
- # set new configuration level
- conf.set_level(cfg_base)
-
- # get common interface settings
- wifi, disabled = intf_to_dict(conf, default_config_data)
-
- # 40MHz intolerance, use 20MHz only
- if conf.exists('capabilities ht 40mhz-incapable'):
- wifi['cap_ht'] = True
- wifi['cap_ht_40mhz_incapable'] = True
-
- # WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
- if conf.exists('capabilities ht auto-powersave'):
- wifi['cap_ht'] = True
- wifi['cap_ht_powersave'] = True
-
- # Supported channel set width
- if conf.exists('capabilities ht channel-set-width'):
- wifi['cap_ht'] = True
- wifi['cap_ht_chan_set_width'] = conf.return_values('capabilities ht channel-set-width')
-
- # HT-delayed Block Ack
- if conf.exists('capabilities ht delayed-block-ack'):
- wifi['cap_ht'] = True
- wifi['cap_ht_delayed_block_ack'] = True
-
- # DSSS/CCK Mode in 40 MHz
- if conf.exists('capabilities ht dsss-cck-40'):
- wifi['cap_ht'] = True
- wifi['cap_ht_dsss_cck_40'] = True
-
- # HT-greenfield capability
- if conf.exists('capabilities ht greenfield'):
- wifi['cap_ht'] = True
- wifi['cap_ht_greenfield'] = True
-
- # LDPC coding capability
- if conf.exists('capabilities ht ldpc'):
- wifi['cap_ht'] = True
- wifi['cap_ht_ldpc'] = True
-
- # L-SIG TXOP protection capability
- if conf.exists('capabilities ht lsig-protection'):
- wifi['cap_ht'] = True
- wifi['cap_ht_lsig_protection'] = True
-
- # Set Maximum A-MSDU length
- if conf.exists('capabilities ht max-amsdu'):
- wifi['cap_ht'] = True
- wifi['cap_ht_max_amsdu'] = conf.return_value('capabilities ht max-amsdu')
-
- # Short GI capabilities
- if conf.exists('capabilities ht short-gi'):
- wifi['cap_ht'] = True
- wifi['cap_ht_short_gi'] = conf.return_values('capabilities ht short-gi')
-
- # Spatial Multiplexing Power Save (SMPS) settings
- if conf.exists('capabilities ht smps'):
- wifi['cap_ht'] = True
- wifi['cap_ht_smps'] = conf.return_value('capabilities ht smps')
-
- # Support for receiving PPDU using STBC (Space Time Block Coding)
- if conf.exists('capabilities ht stbc rx'):
- wifi['cap_ht'] = True
- wifi['cap_ht_stbc_rx'] = conf.return_value('capabilities ht stbc rx')
-
- # Support for sending PPDU using STBC (Space Time Block Coding)
- if conf.exists('capabilities ht stbc tx'):
- wifi['cap_ht'] = True
- wifi['cap_ht_stbc_tx'] = True
-
- # Require stations to support HT PHY (reject association if they do not)
- if conf.exists('capabilities require-ht'):
- wifi['cap_req_ht'] = True
-
- # Require stations to support VHT PHY (reject association if they do not)
- if conf.exists('capabilities require-vht'):
- wifi['cap_req_vht'] = True
-
- # Number of antennas on this card
- if conf.exists('capabilities vht antenna-count'):
- wifi['cap_vht'] = True
- wifi['cap_vht_antenna_cnt'] = conf.return_value('capabilities vht antenna-count')
-
- # set if antenna pattern does not change during the lifetime of an association
- if conf.exists('capabilities vht antenna-pattern-fixed'):
- wifi['cap_vht'] = True
- wifi['cap_vht_antenna_fixed'] = True
-
- # Beamforming capabilities
- if conf.exists('capabilities vht beamform'):
- wifi['cap_vht'] = True
- wifi['cap_vht_beamform'] = conf.return_values('capabilities vht beamform')
-
- # VHT operating channel center frequency - center freq 1 (for use with 80, 80+80 and 160 modes)
- if conf.exists('capabilities vht center-channel-freq freq-1'):
- wifi['cap_vht'] = True
- wifi['cap_vht_center_freq_1'] = conf.return_value('capabilities vht center-channel-freq freq-1')
-
- # VHT operating channel center frequency - center freq 2 (for use with the 80+80 mode)
- if conf.exists('capabilities vht center-channel-freq freq-2'):
- wifi['cap_vht'] = True
- wifi['cap_vht_center_freq_2'] = conf.return_value('capabilities vht center-channel-freq freq-2')
-
- # VHT operating Channel width
- if conf.exists('capabilities vht channel-set-width'):
- wifi['cap_vht'] = True
- wifi['cap_vht_chan_set_width'] = conf.return_value('capabilities vht channel-set-width')
-
- # LDPC coding capability
- if conf.exists('capabilities vht ldpc'):
- wifi['cap_vht'] = True
- wifi['cap_vht_ldpc'] = True
-
- # VHT link adaptation capabilities
- if conf.exists('capabilities vht link-adaptation'):
- wifi['cap_vht'] = True
- wifi['cap_vht_link_adaptation'] = conf.return_value('capabilities vht link-adaptation')
-
- # Set the maximum length of A-MPDU pre-EOF padding that the station can receive
- if conf.exists('capabilities vht max-mpdu-exp'):
- wifi['cap_vht'] = True
- wifi['cap_vht_max_mpdu_exp'] = conf.return_value('capabilities vht max-mpdu-exp')
-
- # Increase Maximum MPDU length
- if conf.exists('capabilities vht max-mpdu'):
- wifi['cap_vht'] = True
- wifi['cap_vht_max_mpdu'] = conf.return_value('capabilities vht max-mpdu')
-
- # Increase Maximum MPDU length
- if conf.exists('capabilities vht short-gi'):
- wifi['cap_vht'] = True
- wifi['cap_vht_short_gi'] = conf.return_values('capabilities vht short-gi')
-
- # Support for receiving PPDU using STBC (Space Time Block Coding)
- if conf.exists('capabilities vht stbc rx'):
- wifi['cap_vht'] = True
- wifi['cap_vht_stbc_rx'] = conf.return_value('capabilities vht stbc rx')
-
- # Support for the transmission of at least 2x1 STBC (Space Time Block Coding)
- if conf.exists('capabilities vht stbc tx'):
- wifi['cap_vht'] = True
- wifi['cap_vht_stbc_tx'] = True
-
- # Support for VHT TXOP Power Save Mode
- if conf.exists('capabilities vht tx-powersave'):
- wifi['cap_vht'] = True
- wifi['cap_vht_tx_powersave'] = True
-
- # STA supports receiving a VHT variant HT Control field
- if conf.exists('capabilities vht vht-cf'):
- wifi['cap_vht'] = True
- wifi['cap_vht_vht_cf'] = True
-
- # Wireless radio channel
- if conf.exists('channel'):
- wifi['channel'] = conf.return_value('channel')
-
- # Disable broadcast of SSID from access-point
- if conf.exists('disable-broadcast-ssid'):
- wifi['disable_broadcast_ssid'] = True
-
- # Disassociate stations based on excessive transmission failures
- if conf.exists('expunge-failing-stations'):
- wifi['expunge_failing_stations'] = True
-
- # retrieve real hardware address
- if conf.exists('hw-id'):
- wifi['hw_id'] = conf.return_value('hw-id')
-
- # Isolate stations on the AP so they cannot see each other
- if conf.exists('isolate-stations'):
- wifi['isolate_stations'] = True
-
- # Wireless physical device
- if conf.exists('physical-device'):
- wifi['phy'] = conf.return_value('physical-device')
-
- # Maximum number of wireless radio stations
- if conf.exists('max-stations'):
- wifi['max_stations'] = conf.return_value('max-stations')
-
- # Management Frame Protection (MFP) according to IEEE 802.11w
- if conf.exists('mgmt-frame-protection'):
- wifi['mgmt_frame_protection'] = conf.return_value('mgmt-frame-protection')
-
- # Wireless radio mode
- if conf.exists('mode'):
- wifi['mode'] = conf.return_value('mode')
-
- # Transmission power reduction in dBm
- if conf.exists('reduce-transmit-power'):
- wifi['reduce_transmit_power'] = conf.return_value('reduce-transmit-power')
-
- # WEP enabled?
- if conf.exists('security wep'):
- wifi['sec_wep'] = True
-
- # WEP encryption key(s)
- if conf.exists('security wep key'):
- wifi['sec_wep_key'] = conf.return_values('security wep key')
-
- # WPA enabled?
- if conf.exists('security wpa'):
- wifi['sec_wpa'] = True
-
- # WPA Cipher suite
- if conf.exists('security wpa cipher'):
- wifi['sec_wpa_cipher'] = conf.return_values('security wpa cipher')
-
- # WPA mode
- if conf.exists('security wpa mode'):
- wifi['sec_wpa_mode'] = conf.return_value('security wpa mode')
-
- # WPA default ciphers depend on WPA mode
- if not wifi['sec_wpa_cipher']:
- if wifi['sec_wpa_mode'] == 'wpa':
- wifi['sec_wpa_cipher'].append('TKIP')
- wifi['sec_wpa_cipher'].append('CCMP')
-
- elif wifi['sec_wpa_mode'] == 'wpa2':
- wifi['sec_wpa_cipher'].append('CCMP')
-
- elif wifi['sec_wpa_mode'] == 'both':
- wifi['sec_wpa_cipher'].append('CCMP')
- wifi['sec_wpa_cipher'].append('TKIP')
-
- # WPA Group Cipher suite
- if conf.exists('security wpa group-cipher'):
- wifi['sec_wpa_group_cipher'] = conf.return_values('security wpa group-cipher')
-
- # WPA personal shared pass phrase
- if conf.exists('security wpa passphrase'):
- wifi['sec_wpa_passphrase'] = conf.return_value('security wpa passphrase')
-
- # WPA RADIUS source address
- if conf.exists('security wpa radius source-address'):
- wifi['sec_wpa_radius_source'] = conf.return_value('security wpa radius source-address')
-
- # WPA RADIUS server
- for server in conf.list_nodes('security wpa radius server'):
- # set new configuration level
- conf.set_level(cfg_base + ' security wpa radius server ' + server)
- radius = {
- 'server' : server,
- 'acc_port' : '',
- 'disabled': False,
- 'port' : 1812,
- 'key' : ''
- }
-
- # RADIUS server port
- if conf.exists('port'):
- radius['port'] = int(conf.return_value('port'))
-
- # receive RADIUS accounting info
- if conf.exists('accounting'):
- radius['acc_port'] = radius['port'] + 1
-
- # Check if RADIUS server was temporary disabled
- if conf.exists(['disable']):
- radius['disabled'] = True
-
- # RADIUS server shared-secret
- if conf.exists('key'):
- radius['key'] = conf.return_value('key')
-
- # append RADIUS server to list of servers
- wifi['sec_wpa_radius'].append(radius)
-
- # re-set configuration level to parse new nodes
- conf.set_level(cfg_base)
-
- # Wireless access-point service set identifier (SSID)
- if conf.exists('ssid'):
- wifi['ssid'] = conf.return_value('ssid')
-
- # Wireless device type for this interface
- if conf.exists('type'):
- tmp = conf.return_value('type')
- if tmp == 'access-point':
- tmp = 'ap'
-
- wifi['op_mode'] = tmp
+ base = ['interfaces', 'wireless']
+ wifi = get_interface_dict(conf, base)
+
+ if 'security' in wifi and 'wpa' in wifi['security']:
+ wpa_cipher = wifi['security']['wpa'].get('cipher')
+ wpa_mode = wifi['security']['wpa'].get('mode')
+ if not wpa_cipher:
+ tmp = None
+ if wpa_mode == 'wpa':
+ tmp = {'security': {'wpa': {'cipher' : ['TKIP', 'CCMP']}}}
+ elif wpa_mode == 'wpa2':
+ tmp = {'security': {'wpa': {'cipher' : ['CCMP']}}}
+ elif wpa_mode == 'both':
+ tmp = {'security': {'wpa': {'cipher' : ['CCMP', 'TKIP']}}}
+
+ if tmp: wifi = dict_merge(tmp, wifi)
# retrieve configured regulatory domain
- conf.set_level('system')
- if conf.exists('wifi-regulatory-domain'):
- wifi['country_code'] = conf.return_value('wifi-regulatory-domain')
+ conf.set_level(['system'])
+ if conf.exists(['wifi-regulatory-domain']):
+ wifi['country_code'] = conf.return_value(['wifi-regulatory-domain'])
- return wifi
+ # Only one wireless interface per phy can be in station mode
+ tmp = find_other_stations(conf, base, wifi['ifname'])
+ if tmp: wifi['station_interfaces'] = tmp
+ return wifi
def verify(wifi):
- if wifi['deleted']:
- if wifi['is_bridge_member']:
- raise ConfigError((
- f'Cannot delete interface "{wifi["intf"]}" as it is a '
- f'member of bridge "{wifi["is_bridge_member"]}"!'))
-
+ if 'deleted' in wifi:
+ verify_bridge_delete(wifi)
return None
- if wifi['op_mode'] != 'monitor' and not wifi['ssid']:
- raise ConfigError('SSID must be set for {}'.format(wifi['intf']))
+ if 'physical_device' not in wifi:
+ raise ConfigError('You must specify a physical-device "phy"')
- if not wifi['phy']:
- raise ConfigError('You must specify physical-device')
-
- if not wifi['mode']:
+ if 'type' not in wifi:
raise ConfigError('You must specify a WiFi mode')
- if wifi['op_mode'] == 'ap':
- c = Config()
- if not c.exists('system wifi-regulatory-domain'):
- raise ConfigError('Wireless regulatory domain is mandatory,\n' \
- 'use "set system wifi-regulatory-domain".')
-
- if not wifi['channel']:
- raise ConfigError('Channel must be set for {}'.format(wifi['intf']))
-
- if len(wifi['sec_wep_key']) > 4:
- raise ConfigError('No more then 4 WEP keys configurable')
+ if 'ssid' not in wifi and wifi['type'] != 'monitor':
+ raise ConfigError('SSID must be configured')
- if wifi['cap_vht'] and not wifi['cap_ht']:
- raise ConfigError('Specify HT flags if you want to use VHT!')
-
- if wifi['cap_vht_beamform'] and wifi['cap_vht_antenna_cnt'] == 1:
- raise ConfigError('Cannot use beam forming with just one antenna!')
-
- if wifi['cap_vht_beamform'] == 'single-user-beamformer' and wifi['cap_vht_antenna_cnt'] < 3:
- # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705
- raise ConfigError('Single-user beam former requires at least 3 antennas!')
-
- if wifi['sec_wep'] and (len(wifi['sec_wep_key']) == 0):
- raise ConfigError('Missing WEP keys')
-
- if wifi['sec_wpa'] and not (wifi['sec_wpa_passphrase'] or wifi['sec_wpa_radius']):
- raise ConfigError('Misssing WPA key or RADIUS server')
-
- for radius in wifi['sec_wpa_radius']:
- if not radius['key']:
- raise ConfigError('Misssing RADIUS shared secret key for server: {}'.format(radius['server']))
-
- if ( wifi['is_bridge_member']
- and ( wifi['address']
- or wifi['ipv6_eui64_prefix']
- or wifi['ipv6_autoconf'] ) ):
- raise ConfigError((
- f'Cannot assign address to interface "{wifi["intf"]}" '
- f'as it is a member of bridge "{wifi["is_bridge_member"]}"!'))
-
- if wifi['vrf']:
- if wifi['vrf'] not in interfaces():
- raise ConfigError(f'VRF "{wifi["vrf"]}" does not exist')
-
- if wifi['is_bridge_member']:
- raise ConfigError((
- f'Interface "{wifi["intf"]}" cannot be member of VRF '
- f'"{wifi["vrf"]}" and bridge {wifi["is_bridge_member"]} '
- f'at the same time!'))
+ if wifi['type'] == 'access-point':
+ if 'country_code' not in wifi:
+ raise ConfigError('Wireless regulatory domain is mandatory,\n' \
+ 'use "set system wifi-regulatory-domain" for configuration.')
+
+ if 'channel' not in wifi:
+ raise ConfigError('Wireless channel must be configured!')
+
+ if 'security' in wifi:
+ if {'wep', 'wpa'} <= set(wifi.get('security', {})):
+ raise ConfigError('Must either use WEP or WPA security!')
+
+ if 'wep' in wifi['security']:
+ if 'key' in wifi['security']['wep'] and len(wifi['security']['wep']) > 4:
+ raise ConfigError('No more then 4 WEP keys configurable')
+ elif 'key' not in wifi['security']['wep']:
+ raise ConfigError('Security WEP configured - missing WEP keys!')
+
+ elif 'wpa' in wifi['security']:
+ wpa = wifi['security']['wpa']
+ if not any(i in ['passphrase', 'radius'] for i in wpa):
+ raise ConfigError('Misssing WPA key or RADIUS server')
+
+ if 'radius' in wpa:
+ if 'server' in wpa['radius']:
+ for server in wpa['radius']['server']:
+ if 'key' not in wpa['radius']['server'][server]:
+ raise ConfigError(f'Misssing RADIUS shared secret key for server: {server}')
+
+ if 'capabilities' in wifi:
+ capabilities = wifi['capabilities']
+ if 'vht' in capabilities:
+ if 'ht' not in capabilities:
+ raise ConfigError('Specify HT flags if you want to use VHT!')
+
+ if {'beamform', 'antenna_count'} <= set(capabilities.get('vht', {})):
+ if capabilities['vht']['antenna_count'] == '1':
+ raise ConfigError('Cannot use beam forming with just one antenna!')
+
+ if capabilities['vht']['beamform'] == 'single-user-beamformer':
+ if int(capabilities['vht']['antenna_count']) < 3:
+ # Nasty Gotcha: see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf lines 692-705
+ raise ConfigError('Single-user beam former requires at least 3 antennas!')
+
+ if 'station_interfaces' in wifi and wifi['type'] == 'station':
+ phy = wifi['physical_device']
+ if phy in wifi['station_interfaces']:
+ if len(wifi['station_interfaces'][phy]) > 0:
+ raise ConfigError('Only one station per wireless physical interface possible!')
+
+ verify_address(wifi)
+ verify_vrf(wifi)
# use common function to verify VLAN configuration
verify_vlan_config(wifi)
- conf = Config()
- # Only one wireless interface per phy can be in station mode
- base = ['interfaces', 'wireless']
- for phy in os.listdir('/sys/class/ieee80211'):
- stations = []
- for wlan in conf.list_nodes(base):
- # the following node is mandatory
- if conf.exists(base + [wlan, 'physical-device', phy]):
- tmp = conf.return_value(base + [wlan, 'type'])
- if tmp == 'station':
- stations.append(wlan)
-
- if len(stations) > 1:
- raise ConfigError('Only one station per wireless physical interface possible!')
-
return None
def generate(wifi):
- interface = wifi['intf']
+ interface = wifi['ifname']
# always stop hostapd service first before reconfiguring it
call(f'systemctl stop hostapd@{interface}.service')
@@ -513,7 +179,7 @@ def generate(wifi):
call(f'systemctl stop wpa_supplicant@{interface}.service')
# Delete config files if interface is removed
- if wifi['deleted']:
+ if 'deleted' in wifi:
if os.path.isfile(hostapd_conf.format(**wifi)):
os.unlink(hostapd_conf.format(**wifi))
@@ -522,10 +188,10 @@ def generate(wifi):
return None
- if not wifi['mac']:
+ if 'mac' not in wifi:
# http://wiki.stocksy.co.uk/wiki/Multiple_SSIDs_with_hostapd
# generate locally administered MAC address from used phy interface
- with open('/sys/class/ieee80211/{}/addresses'.format(wifi['phy']), 'r') as f:
+ with open('/sys/class/ieee80211/{physical_device}/addresses'.format(**wifi), 'r') as f:
# some PHYs tend to have multiple interfaces and thus supply multiple MAC
# addresses - we only need the first one for our calculation
tmp = f.readline().rstrip()
@@ -545,20 +211,18 @@ def generate(wifi):
wifi['mac'] = str(mac)
# render appropriate new config files depending on access-point or station mode
- if wifi['op_mode'] == 'ap':
- render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.tmpl', wifi)
+ if wifi['type'] == 'access-point':
+ render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.tmpl', wifi, trim_blocks=True)
- elif wifi['op_mode'] == 'station':
- render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.tmpl', wifi)
+ elif wifi['type'] == 'station':
+ render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.tmpl', wifi, trim_blocks=True)
return None
def apply(wifi):
- interface = wifi['intf']
- if wifi['deleted']:
- w = WiFiIf(interface)
- # delete interface
- w.remove()
+ interface = wifi['ifname']
+ if 'deleted' in wifi:
+ WiFiIf(interface).remove()
else:
# WiFi interface needs to be created on-block (e.g. mode or physical
# interface) instead of passing a ton of arguments, I just use a dict
@@ -566,97 +230,21 @@ def apply(wifi):
conf = deepcopy(WiFiIf.get_config())
# Assign WiFi instance configuration parameters to config dict
- conf['phy'] = wifi['phy']
+ conf['phy'] = wifi['physical_device']
# Finally create the new interface
w = WiFiIf(interface, **conf)
-
- # assign/remove VRF (ONLY when not a member of a bridge,
- # otherwise 'nomaster' removes it from it)
- if not wifi['is_bridge_member']:
- w.set_vrf(wifi['vrf'])
-
- # update interface description used e.g. within SNMP
- w.set_alias(wifi['description'])
-
- if wifi['dhcp_client_id']:
- w.dhcp.v4.options['client_id'] = wifi['dhcp_client_id']
-
- if wifi['dhcp_hostname']:
- w.dhcp.v4.options['hostname'] = wifi['dhcp_hostname']
-
- if wifi['dhcp_vendor_class_id']:
- w.dhcp.v4.options['vendor_class_id'] = wifi['dhcp_vendor_class_id']
-
- if wifi['dhcpv6_prm_only']:
- w.dhcp.v6.options['dhcpv6_prm_only'] = True
-
- if wifi['dhcpv6_temporary']:
- w.dhcp.v6.options['dhcpv6_temporary'] = True
-
- if wifi['dhcpv6_pd_length']:
- w.dhcp.v6.options['dhcpv6_pd_length'] = wifi['dhcpv6_pd_length']
-
- if wifi['dhcpv6_pd_interfaces']:
- w.dhcp.v6.options['dhcpv6_pd_interfaces'] = wifi['dhcpv6_pd_interfaces']
-
- # ignore link state changes
- w.set_link_detect(wifi['disable_link_detect'])
-
- # Delete old IPv6 EUI64 addresses before changing MAC
- for addr in wifi['ipv6_eui64_prefix_remove']:
- w.del_ipv6_eui64_address(addr)
-
- # Change interface MAC address - re-set to real hardware address (hw-id)
- # if custom mac is removed
- if wifi['mac']:
- w.set_mac(wifi['mac'])
- elif wifi['hw_id']:
- w.set_mac(wifi['hw_id'])
-
- # Add IPv6 EUI-based addresses
- for addr in wifi['ipv6_eui64_prefix']:
- w.add_ipv6_eui64_address(addr)
-
- # configure ARP filter configuration
- w.set_arp_filter(wifi['ip_disable_arp_filter'])
- # configure ARP accept
- w.set_arp_accept(wifi['ip_enable_arp_accept'])
- # configure ARP announce
- w.set_arp_announce(wifi['ip_enable_arp_announce'])
- # configure ARP ignore
- w.set_arp_ignore(wifi['ip_enable_arp_ignore'])
- # IPv6 accept RA
- w.set_ipv6_accept_ra(wifi['ipv6_accept_ra'])
- # IPv6 address autoconfiguration
- w.set_ipv6_autoconf(wifi['ipv6_autoconf'])
- # IPv6 forwarding
- w.set_ipv6_forwarding(wifi['ipv6_forwarding'])
- # IPv6 Duplicate Address Detection (DAD) tries
- w.set_ipv6_dad_messages(wifi['ipv6_dup_addr_detect'])
-
- # Configure interface address(es)
- # - not longer required addresses get removed first
- # - newly addresses will be added second
- for addr in wifi['address_remove']:
- w.del_addr(addr)
- for addr in wifi['address']:
- w.add_addr(addr)
-
- # apply all vlans to interface
- apply_all_vlans(w, wifi)
+ w.update(wifi)
# Enable/Disable interface - interface is always placed in
# administrative down state in WiFiIf class
- if not wifi['disable']:
- w.set_admin_state('up')
-
+ if 'disable' not in wifi:
# Physical interface is now configured. Proceed by starting hostapd or
# wpa_supplicant daemon. When type is monitor we can just skip this.
- if wifi['op_mode'] == 'ap':
+ if wifi['type'] == 'access-point':
call(f'systemctl start hostapd@{interface}.service')
- elif wifi['op_mode'] == 'station':
+ elif wifi['type'] == 'station':
call(f'systemctl start wpa_supplicant@{interface}.service')
return None
diff --git a/src/conf_mode/interfaces-wirelessmodem.py b/src/conf_mode/interfaces-wirelessmodem.py
index ec5a85e54..4081be3c9 100755
--- a/src/conf_mode/interfaces-wirelessmodem.py
+++ b/src/conf_mode/interfaces-wirelessmodem.py
@@ -20,21 +20,16 @@ from fnmatch import fnmatch
from sys import exit
from vyos.config import Config
-from vyos.configdict import dict_merge
+from vyos.configdict import get_interface_dict
from vyos.configverify import verify_vrf
from vyos.template import render
from vyos.util import call
-from vyos.xml import defaults
+from vyos.util import check_kmod
from vyos import ConfigError
from vyos import airbag
airbag.enable()
-def check_kmod():
- modules = ['option', 'usb_wwan', 'usbserial']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
+k_mod = ['option', 'usb_wwan', 'usbserial']
def find_device_file(device):
""" Recurively search /dev for the given device file and return its full path.
@@ -47,44 +42,23 @@ def find_device_file(device):
return None
def get_config():
- """ Retrive CLI config as dictionary. Dictionary can never be empty,
- as at least the interface name will be added or a deleted flag """
+ """
+ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
+ interface name will be added or a deleted flag
+ """
conf = Config()
-
- # determine tagNode instance
- if 'VYOS_TAGNODE_VALUE' not in os.environ:
- raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')
-
- # retrieve interface default values
base = ['interfaces', 'wirelessmodem']
- default_values = defaults(base)
-
- ifname = os.environ['VYOS_TAGNODE_VALUE']
- base = base + [ifname]
-
- wwan = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- # Check if interface has been removed
- if wwan == {}:
- wwan.update({'deleted' : ''})
-
- # We have gathered the dict representation of the CLI, but there are
- # default options which we need to update into the dictionary
- # retrived.
- wwan = dict_merge(default_values, wwan)
-
- # Add interface instance name into dictionary
- wwan.update({'ifname': ifname})
-
+ wwan = get_interface_dict(conf, base)
return wwan
def verify(wwan):
- if 'deleted' in wwan.keys():
+ if 'deleted' in wwan:
return None
- if not 'apn' in wwan.keys():
+ if not 'apn' in wwan:
raise ConfigError('No APN configured for "{ifname}"'.format(**wwan))
- if not 'device' in wwan.keys():
+ if not 'device' in wwan:
raise ConfigError('Physical "device" must be configured')
# we can not use isfile() here as Linux device files are no regular files
@@ -141,11 +115,11 @@ def generate(wwan):
return None
def apply(wwan):
- if 'deleted' in wwan.keys():
+ if 'deleted' in wwan:
# bail out early
return None
- if not 'disable' in wwan.keys():
+ if not 'disable' in wwan:
# "dial" WWAN connection
call('systemctl start ppp@{ifname}.service'.format(**wwan))
@@ -153,7 +127,7 @@ def apply(wwan):
if __name__ == '__main__':
try:
- check_kmod()
+ check_kmod(k_mod)
c = get_config()
verify(c)
generate(c)
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index b0a029f2b..dd34dfd66 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -24,13 +24,17 @@ from netifaces import interfaces
from vyos.config import Config
from vyos.template import render
-from vyos.util import call, cmd
+from vyos.util import call
+from vyos.util import cmd
+from vyos.util import check_kmod
from vyos.validate import is_addr_assigned
from vyos import ConfigError
from vyos import airbag
airbag.enable()
+k_mod = ['nft_nat', 'nft_chain_nat_ipv4']
+
default_config_data = {
'deleted': False,
'destination': [],
@@ -44,15 +48,6 @@ default_config_data = {
iptables_nat_config = '/tmp/vyos-nat-rules.nft'
-def _check_kmod():
- """ load required Kernel modules """
- modules = ['nft_nat', 'nft_chain_nat_ipv4']
- for module in modules:
- if not os.path.exists(f'/sys/module/{module}'):
- if call(f'modprobe {module}') != 0:
- raise ConfigError(f'Loading Kernel module {module} failed')
-
-
def get_handler(json, chain, target):
""" Get nftable rule handler number of given chain/target combination.
Handler is required when adding NAT/Conntrack helper targets """
@@ -79,9 +74,6 @@ def verify_rule(rule, err_msg):
'statically maps a whole network of addresses onto another\n' \
'network of addresses')
- if not rule['translation_address']:
- raise ConfigError(f'{err_msg} translation address not specified')
-
def parse_configuration(conf, source_dest):
""" Common wrapper to read in both NAT source and destination CLI """
@@ -228,10 +220,10 @@ def verify(nat):
for rule in nat['source']:
interface = rule['interface_out']
- err_msg = f"Source NAT configuration error in rule {rule['number']}:"
+ err_msg = f'Source NAT configuration error in rule "{rule["number"]}":'
- if interface and interface not in interfaces():
- print(f'NAT configuration warning: interface {interface} does not exist on this system')
+ if interface and interface not in 'any' and interface not in interfaces():
+ print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system')
if not rule['interface_out']:
raise ConfigError(f'{err_msg} outbound-interface not specified')
@@ -246,10 +238,10 @@ def verify(nat):
for rule in nat['destination']:
interface = rule['interface_in']
- err_msg = f"Destination NAT configuration error in rule {rule['number']}:"
+ err_msg = f'Destination NAT configuration error in rule "{rule["number"]}":'
- if interface and interface not in interfaces():
- print(f'NAT configuration warning: interface {interface} does not exist on this system')
+ if interface and interface not in 'any' and interface not in interfaces():
+ print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system')
if not rule['interface_in']:
raise ConfigError(f'{err_msg} inbound-interface not specified')
@@ -261,7 +253,6 @@ def verify(nat):
def generate(nat):
render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755)
-
return None
def apply(nat):
@@ -273,7 +264,7 @@ def apply(nat):
if __name__ == '__main__':
try:
- _check_kmod()
+ check_kmod(k_mod)
c = get_config()
verify(c)
generate(c)
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index b539da98e..553cc2e97 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -147,17 +147,21 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
if conf.exists(['fail-time']):
- radius['fail-time'] = conf.return_value(['fail-time'])
+ radius['fail_time'] = conf.return_value(['fail-time'])
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/mdns_repeater.py b/src/conf_mode/service_mdns-repeater.py
index b43f9bdd8..1a6b2c328 100755
--- a/src/conf_mode/mdns_repeater.py
+++ b/src/conf_mode/service_mdns-repeater.py
@@ -17,69 +17,51 @@
import os
from sys import exit
-from copy import deepcopy
-from netifaces import ifaddresses, AF_INET
+from netifaces import ifaddresses, interfaces, AF_INET
from vyos.config import Config
-from vyos import ConfigError
-from vyos.util import call
from vyos.template import render
-
+from vyos.util import call
+from vyos import ConfigError
from vyos import airbag
airbag.enable()
config_file = r'/etc/default/mdns-repeater'
-default_config_data = {
- 'disabled': False,
- 'interfaces': []
-}
-
def get_config():
- mdns = deepcopy(default_config_data)
conf = Config()
base = ['service', 'mdns', 'repeater']
- if not conf.exists(base):
- return None
- else:
- conf.set_level(base)
-
- # Service can be disabled by user
- if conf.exists(['disable']):
- mdns['disabled'] = True
- return mdns
-
- # Interface to repeat mDNS advertisements
- if conf.exists(['interface']):
- mdns['interfaces'] = conf.return_values(['interface'])
-
+ mdns = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
return mdns
def verify(mdns):
- if mdns is None:
+ if not mdns:
return None
- if mdns['disabled']:
+ if 'disable' in mdns:
return None
# We need at least two interfaces to repeat mDNS advertisments
- if len(mdns['interfaces']) < 2:
+ if 'interface' not in mdns or len(mdns['interface']) < 2:
raise ConfigError('mDNS repeater requires at least 2 configured interfaces!')
# For mdns-repeater to work it is essential that the interfaces has
# an IPv4 address assigned
- for interface in mdns['interfaces']:
- if AF_INET in ifaddresses(interface).keys():
- if len(ifaddresses(interface)[AF_INET]) < 1:
- raise ConfigError('mDNS repeater requires an IPv6 address configured on interface %s!'.format(interface))
+ for interface in mdns['interface']:
+ if interface not in interfaces():
+ raise ConfigError(f'Interface "{interface}" does not exist!')
+
+ if AF_INET not in ifaddresses(interface):
+ raise ConfigError('mDNS repeater requires an IPv4 address to be '
+ f'configured on interface "{interface}"')
return None
def generate(mdns):
- if mdns is None:
+ if not mdns:
return None
- if mdns['disabled']:
+ if 'disable' in mdns:
print('Warning: mDNS repeater will be deactivated because it is disabled')
return None
@@ -87,7 +69,7 @@ def generate(mdns):
return None
def apply(mdns):
- if (mdns is None) or mdns['disabled']:
+ if not mdns or 'disable' in mdns:
call('systemctl stop mdns-repeater.service')
if os.path.exists(config_file):
os.unlink(config_file)
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index 3149bbb2f..a8357f653 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -242,7 +242,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -253,6 +254,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/service_router-advert.py b/src/conf_mode/service_router-advert.py
index ef6148ebd..4e1c432ab 100755
--- a/src/conf_mode/service_router-advert.py
+++ b/src/conf_mode/service_router-advert.py
@@ -16,145 +16,85 @@
import os
-from stat import S_IRUSR, S_IWUSR, S_IRGRP
from sys import exit
from vyos.config import Config
-from vyos import ConfigError
-from vyos.util import call
+from vyos.configdict import dict_merge
from vyos.template import render
-
+from vyos.util import call
+from vyos.xml import defaults
+from vyos import ConfigError
from vyos import airbag
airbag.enable()
config_file = r'/run/radvd/radvd.conf'
-default_config_data = {
- 'interfaces': []
-}
-
def get_config():
- rtradv = default_config_data
conf = Config()
- base_level = ['service', 'router-advert']
-
- if not conf.exists(base_level):
- return rtradv
-
- for interface in conf.list_nodes(base_level + ['interface']):
- intf = {
- 'name': interface,
- 'hop_limit' : '64',
- 'default_lifetime': '',
- 'default_preference': 'medium',
- 'dnssl': [],
- 'link_mtu': '',
- 'managed_flag': 'off',
- 'interval_max': '600',
- 'interval_min': '',
- 'name_server': [],
- 'other_config_flag': 'off',
- 'prefixes' : [],
- 'reachable_time': '0',
- 'retrans_timer': '0',
- 'send_advert': 'on'
- }
-
- # set config level first to reduce boilerplate code
- conf.set_level(base_level + ['interface', interface])
-
- if conf.exists(['hop-limit']):
- intf['hop_limit'] = conf.return_value(['hop-limit'])
-
- if conf.exists(['default-lifetime']):
- intf['default_lifetime'] = conf.return_value(['default-lifetime'])
-
- if conf.exists(['default-preference']):
- intf['default_preference'] = conf.return_value(['default-preference'])
-
- if conf.exists(['dnssl']):
- intf['dnssl'] = conf.return_values(['dnssl'])
-
- if conf.exists(['link-mtu']):
- intf['link_mtu'] = conf.return_value(['link-mtu'])
-
- if conf.exists(['managed-flag']):
- intf['managed_flag'] = 'on'
-
- if conf.exists(['interval', 'max']):
- intf['interval_max'] = conf.return_value(['interval', 'max'])
-
- if conf.exists(['interval', 'min']):
- intf['interval_min'] = conf.return_value(['interval', 'min'])
-
- if conf.exists(['name-server']):
- intf['name_server'] = conf.return_values(['name-server'])
+ base = ['service', 'router-advert']
+ rtradv = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ default_interface_values = defaults(base + ['interface'])
+ # we deal with prefix defaults later on
+ if 'prefix' in default_interface_values:
+ del default_interface_values['prefix']
+
+ default_prefix_values = defaults(base + ['interface', 'prefix'])
+
+ if 'interface' in rtradv:
+ for interface in rtradv['interface']:
+ rtradv['interface'][interface] = dict_merge(
+ default_interface_values, rtradv['interface'][interface])
+
+ if 'prefix' in rtradv['interface'][interface]:
+ for prefix in rtradv['interface'][interface]['prefix']:
+ rtradv['interface'][interface]['prefix'][prefix] = dict_merge(
+ default_prefix_values, rtradv['interface'][interface]['prefix'][prefix])
+
+ if 'name_server' in rtradv['interface'][interface]:
+ # always use a list when dealing with nameservers - eases the template generation
+ if isinstance(rtradv['interface'][interface]['name_server'], str):
+ rtradv['interface'][interface]['name_server'] = [
+ rtradv['interface'][interface]['name_server']]
- if conf.exists(['other-config-flag']):
- intf['other_config_flag'] = 'on'
-
- if conf.exists(['reachable-time']):
- intf['reachable_time'] = conf.return_value(['reachable-time'])
-
- if conf.exists(['retrans-timer']):
- intf['retrans_timer'] = conf.return_value(['retrans-timer'])
-
- if conf.exists(['no-send-advert']):
- intf['send_advert'] = 'off'
-
- for prefix in conf.list_nodes(['prefix']):
- tmp = {
- 'prefix' : prefix,
- 'autonomous_flag' : 'on',
- 'on_link' : 'on',
- 'preferred_lifetime': 14400,
- 'valid_lifetime' : 2592000
-
- }
-
- # set config level first to reduce boilerplate code
- conf.set_level(base_level + ['interface', interface, 'prefix', prefix])
-
- if conf.exists(['no-autonomous-flag']):
- tmp['autonomous_flag'] = 'off'
-
- if conf.exists(['no-on-link-flag']):
- tmp['on_link'] = 'off'
-
- if conf.exists(['preferred-lifetime']):
- tmp['preferred_lifetime'] = int(conf.return_value(['preferred-lifetime']))
+ return rtradv
- if conf.exists(['valid-lifetime']):
- tmp['valid_lifetime'] = int(conf.return_value(['valid-lifetime']))
+def verify(rtradv):
+ if not rtradv:
+ return None
- intf['prefixes'].append(tmp)
+ if 'interface' not in rtradv:
+ return None
- rtradv['interfaces'].append(intf)
+ for interface in rtradv['interface']:
+ interface = rtradv['interface'][interface]
+ if 'prefix' in interface:
+ for prefix in interface['prefix']:
+ prefix = interface['prefix'][prefix]
+ valid_lifetime = prefix['valid_lifetime']
+ if valid_lifetime == 'infinity':
+ valid_lifetime = 4294967295
- return rtradv
+ preferred_lifetime = prefix['preferred_lifetime']
+ if preferred_lifetime == 'infinity':
+ preferred_lifetime = 4294967295
-def verify(rtradv):
- for interface in rtradv['interfaces']:
- for prefix in interface['prefixes']:
- if not (prefix['valid_lifetime'] > prefix['preferred_lifetime']):
- raise ConfigError('Prefix valid-lifetime must be greater then preferred-lifetime')
+ if not (int(valid_lifetime) > int(preferred_lifetime)):
+ raise ConfigError('Prefix valid-lifetime must be greater then preferred-lifetime')
return None
def generate(rtradv):
- if not rtradv['interfaces']:
+ if not rtradv:
return None
- render(config_file, 'router-advert/radvd.conf.tmpl', rtradv, trim_blocks=True)
-
- # adjust file permissions of new configuration file
- if os.path.exists(config_file):
- os.chmod(config_file, S_IRUSR | S_IWUSR | S_IRGRP)
-
+ render(config_file, 'router-advert/radvd.conf.tmpl', rtradv, trim_blocks=True, permission=0o644)
return None
def apply(rtradv):
- if not rtradv['interfaces']:
+ if not rtradv:
# bail out early - looks like removal from running config
call('systemctl stop radvd.service')
if os.path.exists(config_file):
@@ -163,6 +103,7 @@ def apply(rtradv):
return None
call('systemctl restart radvd.service')
+
return None
if __name__ == '__main__':
diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py
index bafd26edc..e9806ef47 100755
--- a/src/conf_mode/snmp.py
+++ b/src/conf_mode/snmp.py
@@ -16,20 +16,16 @@
import os
-from binascii import hexlify
-from netifaces import interfaces
-from time import sleep
from sys import exit
from vyos.config import Config
from vyos.configverify import verify_vrf
+from vyos.snmpv3_hashgen import plaintext_to_md5, plaintext_to_sha1, random
+from vyos.template import render
+from vyos.util import call
from vyos.validate import is_ipv4, is_addr_assigned
from vyos.version import get_version_data
-from vyos import ConfigError
-from vyos.util import call
-from vyos.template import render
-
-from vyos import airbag
+from vyos import ConfigError, airbag
airbag.enable()
config_file_client = r'/etc/snmp/snmp.conf'
@@ -61,7 +57,7 @@ default_config_data = {
'trap_targets': [],
'vyos_user': '',
'vyos_user_pass': '',
- 'version': '999',
+ 'version': '',
'v3_enabled': 'False',
'v3_engineid': '',
'v3_groups': [],
@@ -90,9 +86,8 @@ def get_config():
snmp['version'] = version_data['version']
# create an internal snmpv3 user of the form 'vyosxxxxxxxxxxxxxxxx'
- # os.urandom(8) returns 8 bytes of random data
- snmp['vyos_user'] = 'vyos' + hexlify(os.urandom(8)).decode('utf-8')
- snmp['vyos_user_pass'] = hexlify(os.urandom(16)).decode('utf-8')
+ snmp['vyos_user'] = 'vyos' + random(8)
+ snmp['vyos_user_pass'] = random(16)
if conf.exists('community'):
for name in conf.list_nodes('community'):
@@ -263,30 +258,30 @@ def get_config():
# cmdline option '-a'
trap_cfg['authProtocol'] = conf.return_value('v3 trap-target {0} auth type'.format(trap))
- if conf.exists('v3 trap-target {0} auth plaintext-key'.format(trap)):
+ if conf.exists('v3 trap-target {0} auth plaintext-password'.format(trap)):
# Set the authentication pass phrase used for authenticated SNMPv3 messages.
# cmdline option '-A'
- trap_cfg['authPassword'] = conf.return_value('v3 trap-target {0} auth plaintext-key'.format(trap))
+ trap_cfg['authPassword'] = conf.return_value('v3 trap-target {0} auth plaintext-password'.format(trap))
- if conf.exists('v3 trap-target {0} auth encrypted-key'.format(trap)):
+ if conf.exists('v3 trap-target {0} auth encrypted-password'.format(trap)):
# Sets the keys to be used for SNMPv3 transactions. These options allow you to set the master authentication keys.
# cmdline option '-3m'
- trap_cfg['authMasterKey'] = conf.return_value('v3 trap-target {0} auth encrypted-key'.format(trap))
+ trap_cfg['authMasterKey'] = conf.return_value('v3 trap-target {0} auth encrypted-password'.format(trap))
if conf.exists('v3 trap-target {0} privacy type'.format(trap)):
# Set the privacy protocol (DES or AES) used for encrypted SNMPv3 messages.
# cmdline option '-x'
trap_cfg['privProtocol'] = conf.return_value('v3 trap-target {0} privacy type'.format(trap))
- if conf.exists('v3 trap-target {0} privacy plaintext-key'.format(trap)):
+ if conf.exists('v3 trap-target {0} privacy plaintext-password'.format(trap)):
# Set the privacy pass phrase used for encrypted SNMPv3 messages.
# cmdline option '-X'
- trap_cfg['privPassword'] = conf.return_value('v3 trap-target {0} privacy plaintext-key'.format(trap))
+ trap_cfg['privPassword'] = conf.return_value('v3 trap-target {0} privacy plaintext-password'.format(trap))
- if conf.exists('v3 trap-target {0} privacy encrypted-key'.format(trap)):
+ if conf.exists('v3 trap-target {0} privacy encrypted-password'.format(trap)):
# Sets the keys to be used for SNMPv3 transactions. These options allow you to set the master encryption keys.
# cmdline option '-3M'
- trap_cfg['privMasterKey'] = conf.return_value('v3 trap-target {0} privacy encrypted-key'.format(trap))
+ trap_cfg['privMasterKey'] = conf.return_value('v3 trap-target {0} privacy encrypted-password'.format(trap))
if conf.exists('v3 trap-target {0} protocol'.format(trap)):
trap_cfg['ipProto'] = conf.return_value('v3 trap-target {0} protocol'.format(trap))
@@ -325,11 +320,11 @@ def get_config():
}
# v3 user {0} auth
- if conf.exists('v3 user {0} auth encrypted-key'.format(user)):
- user_cfg['authMasterKey'] = conf.return_value('v3 user {0} auth encrypted-key'.format(user))
+ if conf.exists('v3 user {0} auth encrypted-password'.format(user)):
+ user_cfg['authMasterKey'] = conf.return_value('v3 user {0} auth encrypted-password'.format(user))
- if conf.exists('v3 user {0} auth plaintext-key'.format(user)):
- user_cfg['authPassword'] = conf.return_value('v3 user {0} auth plaintext-key'.format(user))
+ if conf.exists('v3 user {0} auth plaintext-password'.format(user)):
+ user_cfg['authPassword'] = conf.return_value('v3 user {0} auth plaintext-password'.format(user))
# load default value
type = user_cfg['authProtocol']
@@ -349,11 +344,11 @@ def get_config():
user_cfg['mode'] = conf.return_value('v3 user {0} mode'.format(user))
# v3 user {0} privacy
- if conf.exists('v3 user {0} privacy encrypted-key'.format(user)):
- user_cfg['privMasterKey'] = conf.return_value('v3 user {0} privacy encrypted-key'.format(user))
+ if conf.exists('v3 user {0} privacy encrypted-password'.format(user)):
+ user_cfg['privMasterKey'] = conf.return_value('v3 user {0} privacy encrypted-password'.format(user))
- if conf.exists('v3 user {0} privacy plaintext-key'.format(user)):
- user_cfg['privPassword'] = conf.return_value('v3 user {0} privacy plaintext-key'.format(user))
+ if conf.exists('v3 user {0} privacy plaintext-password'.format(user)):
+ user_cfg['privPassword'] = conf.return_value('v3 user {0} privacy plaintext-password'.format(user))
# load default value
type = user_cfg['privProtocol']
@@ -450,16 +445,16 @@ def verify(snmp):
if 'v3_traps' in snmp.keys():
for trap in snmp['v3_traps']:
if trap['authPassword'] and trap['authMasterKey']:
- raise ConfigError('Must specify only one of encrypted-key/plaintext-key for trap auth')
+ raise ConfigError('Must specify only one of encrypted-password/plaintext-key for trap auth')
if trap['authPassword'] == '' and trap['authMasterKey'] == '':
- raise ConfigError('Must specify encrypted-key or plaintext-key for trap auth')
+ raise ConfigError('Must specify encrypted-password or plaintext-key for trap auth')
if trap['privPassword'] and trap['privMasterKey']:
- raise ConfigError('Must specify only one of encrypted-key/plaintext-key for trap privacy')
+ raise ConfigError('Must specify only one of encrypted-password/plaintext-key for trap privacy')
if trap['privPassword'] == '' and trap['privMasterKey'] == '':
- raise ConfigError('Must specify encrypted-key or plaintext-key for trap privacy')
+ raise ConfigError('Must specify encrypted-password or plaintext-key for trap privacy')
if not 'type' in trap.keys():
raise ConfigError('v3 trap: "type" must be specified')
@@ -490,19 +485,12 @@ def verify(snmp):
if error:
raise ConfigError('You must create group "{0}" first'.format(user['group']))
- # Depending on the configured security level
- # the user has to provide additional info
- if user['authPassword'] and user['authMasterKey']:
- raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user auth')
-
+ # Depending on the configured security level the user has to provide additional info
if (not user['authPassword'] and not user['authMasterKey']):
- raise ConfigError('Must specify encrypted-key or plaintext-key for user auth')
-
- if user['privPassword'] and user['privMasterKey']:
- raise ConfigError('Can not mix "encrypted-key" and "plaintext-key" for user privacy')
+ raise ConfigError('Must specify encrypted-password or plaintext-key for user auth')
if user['privPassword'] == '' and user['privMasterKey'] == '':
- raise ConfigError('Must specify encrypted-key or plaintext-key for user privacy')
+ raise ConfigError('Must specify encrypted-password or plaintext-key for user privacy')
if user['mode'] == '':
raise ConfigError('Must specify user mode ro/rw')
@@ -524,12 +512,36 @@ def generate(snmp):
for file in config_files:
rmfile(file)
- # Reload systemd manager configuration
- call('systemctl daemon-reload')
-
if not snmp:
return None
+ if 'v3_users' in snmp.keys():
+ # net-snmp is now regenerating the configuration file in the background
+ # thus we need to re-open and re-read the file as the content changed.
+ # After that we can no read the encrypted password from the config and
+ # replace the CLI plaintext password with its encrypted version.
+ os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos"
+
+ for user in snmp['v3_users']:
+ if user['authProtocol'] == 'sha':
+ hash = plaintext_to_sha1
+ else:
+ hash = plaintext_to_md5
+
+ if user['authPassword']:
+ user['authMasterKey'] = hash(user['authPassword'], snmp['v3_engineid'])
+ user['authPassword'] = ''
+
+ call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" auth encrypted-password "{authMasterKey}" > /dev/null'.format(**user))
+ call('/opt/vyatta/sbin/my_delete service snmp v3 user "{name}" auth plaintext-password > /dev/null'.format(**user))
+
+ if user['privPassword']:
+ user['privMasterKey'] = hash(user['privPassword'], snmp['v3_engineid'])
+ user['privPassword'] = ''
+
+ call('/opt/vyatta/sbin/my_set service snmp v3 user "{name}" privacy encrypted-password "{privMasterKey}" > /dev/null'.format(**user))
+ call('/opt/vyatta/sbin/my_delete service snmp v3 user "{name}" privacy plaintext-password > /dev/null'.format(**user))
+
# Write client config file
render(config_file_client, 'snmp/etc.snmp.conf.tmpl', snmp)
# Write server config file
@@ -544,50 +556,14 @@ def generate(snmp):
return None
def apply(snmp):
+ # Always reload systemd manager configuration
+ call('systemctl daemon-reload')
+
if not snmp:
return None
- # Reload systemd manager configuration
- call('systemctl daemon-reload')
# start SNMP daemon
- call("systemctl restart snmpd.service")
-
- if 'vrf' not in snmp.keys():
- # service will be restarted multiple times later on
- while (call('systemctl -q is-active snmpd.service') != 0):
- sleep(0.5)
-
- # net-snmp is now regenerating the configuration file in the background
- # thus we need to re-open and re-read the file as the content changed.
- # After that we can no read the encrypted password from the config and
- # replace the CLI plaintext password with its encrypted version.
- os.environ["vyos_libexec_dir"] = "/usr/libexec/vyos"
-
- # XXX: actually this whole logic makes less sense - why not calculate the
- # password hashed on our own and write them back into the config? I see
- # no valid reason in waiting for a third party process to do so.
- with open(config_file_user, 'r') as f:
- engineID = ''
- for line in f:
- if line.startswith('usmUser'):
- string = line.split(' ')
- cfg = {
- 'user': string[4].replace(r'"', ''),
- 'auth_pw': string[8],
- 'priv_pw': string[10]
- }
- # No need to take care about the VyOS internal user
- if cfg['user'] == snmp['vyos_user']:
- continue
-
- # Now update the running configuration
- #
- # Currently when executing call() the environment does not
- # have the vyos_libexec_dir variable set, see Phabricator T685.
- call('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" auth encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['auth_pw']))
- call('/opt/vyatta/sbin/my_set service snmp v3 user "{0}" privacy encrypted-key "{1}" > /dev/null'.format(cfg['user'], cfg['priv_pw']))
- call('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" auth plaintext-key > /dev/null'.format(cfg['user']))
- call('/opt/vyatta/sbin/my_delete service snmp v3 user "{0}" privacy plaintext-key > /dev/null'.format(cfg['user']))
+ call('systemctl restart snmpd.service')
# Enable AgentX in FRR
call('vtysh -c "configure terminal" -c "agentx" >/dev/null')
diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py
index ffb0b700d..7b262565a 100755
--- a/src/conf_mode/ssh.py
+++ b/src/conf_mode/ssh.py
@@ -28,7 +28,7 @@ from vyos.xml import defaults
from vyos import airbag
airbag.enable()
-config_file = r'/etc/ssh/sshd_config'
+config_file = r'/run/ssh/sshd_config'
systemd_override = r'/etc/systemd/system/ssh.service.d/override.conf'
def get_config():
@@ -42,6 +42,8 @@ def get_config():
# options which we need to update into the dictionary retrived.
default_values = defaults(base)
ssh = dict_merge(default_values, ssh)
+ # pass config file path - used in override template
+ ssh['config_file'] = config_file
return ssh
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 93d4cc679..b1dd583b5 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -72,7 +72,7 @@ def get_config():
user = {
'name': username,
'password_plaintext': '',
- 'password_encred': '!',
+ 'password_encrypted': '!',
'public_keys': [],
'full_name': '',
'home_dir': '/home/' + username,
diff --git a/src/conf_mode/system-options.py b/src/conf_mode/system-options.py
index 8de3b6fa2..0aacd19d8 100755
--- a/src/conf_mode/system-options.py
+++ b/src/conf_mode/system-options.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -16,67 +16,83 @@
import os
+from netifaces import interfaces
from sys import exit
-from copy import deepcopy
+
from vyos.config import Config
+from vyos.template import render
+from vyos.util import call
+from vyos.validate import is_addr_assigned
from vyos import ConfigError
-from vyos.util import run
-
from vyos import airbag
airbag.enable()
-systemd_ctrl_alt_del = '/lib/systemd/system/ctrl-alt-del.target'
-
-default_config_data = {
- 'beep_if_fully_booted': False,
- 'ctrl_alt_del': 'ignore',
- 'reboot_on_panic': True
-}
+curlrc_config = r'/etc/curlrc'
+ssh_config = r'/etc/ssh/ssh_config'
+systemd_action_file = '/lib/systemd/system/ctrl-alt-del.target'
def get_config():
- opt = deepcopy(default_config_data)
conf = Config()
- conf.set_level('system options')
- if conf.exists(''):
- if conf.exists('ctrl-alt-del-action'):
- opt['ctrl_alt_del'] = conf.return_value('ctrl-alt-del-action')
-
- opt['beep_if_fully_booted'] = conf.exists('beep-if-fully-booted')
- opt['reboot_on_panic'] = conf.exists('reboot-on-panic')
-
- return opt
-
-def verify(opt):
- pass
-
-def generate(opt):
- pass
-
-def apply(opt):
+ base = ['system', 'options']
+ options = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+ return options
+
+def verify(options):
+ if 'http_client' in options:
+ config = options['http_client']
+ if 'source_interface' in config:
+ if not config['source_interface'] in interfaces():
+ raise ConfigError(f'Source interface {source_interface} does not '
+ f'exist'.format(**config))
+
+ if {'source_address', 'source_interface'} <= set(config):
+ raise ConfigError('Can not define both HTTP source-interface and source-address')
+
+ if 'source_address' in config:
+ if not is_addr_assigned(config['source_address']):
+ raise ConfigError('No interface with give address specified!')
+
+ if 'ssh_client' in options:
+ config = options['ssh_client']
+ if 'source_address' in config:
+ if not is_addr_assigned(config['source_address']):
+ raise ConfigError('No interface with give address specified!')
+
+ return None
+
+def generate(options):
+ render(curlrc_config, 'system/curlrc.tmpl', options, trim_blocks=True)
+ render(ssh_config, 'system/ssh_config.tmpl', options, trim_blocks=True)
+ return None
+
+def apply(options):
# Beep action
- if opt['beep_if_fully_booted']:
- run('systemctl enable vyos-beep.service')
+ if 'beep_if_fully_booted' in options.keys():
+ call('systemctl enable vyos-beep.service')
else:
- run('systemctl disable vyos-beep.service')
+ call('systemctl disable vyos-beep.service')
# Ctrl-Alt-Delete action
- if opt['ctrl_alt_del'] == 'ignore':
- if os.path.exists(systemd_ctrl_alt_del):
- os.unlink('/lib/systemd/system/ctrl-alt-del.target')
+ if os.path.exists(systemd_action_file):
+ os.unlink(systemd_action_file)
+
+ if 'ctrl_alt_del_action' in options:
+ if options['ctrl_alt_del_action'] == 'reboot':
+ os.symlink('/lib/systemd/system/reboot.target', systemd_action_file)
+ elif options['ctrl_alt_del_action'] == 'poweroff':
+ os.symlink('/lib/systemd/system/poweroff.target', systemd_action_file)
- elif opt['ctrl_alt_del'] == 'reboot':
- if os.path.exists(systemd_ctrl_alt_del):
- os.unlink(systemd_ctrl_alt_del)
- os.symlink('/lib/systemd/system/reboot.target', systemd_ctrl_alt_del)
+ if 'http_client' not in options:
+ if os.path.exists(curlrc_config):
+ os.unlink(curlrc_config)
- elif opt['ctrl_alt_del'] == 'poweroff':
- if os.path.exists(systemd_ctrl_alt_del):
- os.unlink(systemd_ctrl_alt_del)
- os.symlink('/lib/systemd/system/poweroff.target', systemd_ctrl_alt_del)
+ if 'ssh_client' not in options:
+ if os.path.exists(ssh_config):
+ os.unlink(ssh_config)
# Reboot system on kernel panic
with open('/proc/sys/kernel/panic', 'w') as f:
- if opt['reboot_on_panic']:
+ if 'reboot_on_panic' in options.keys():
f.write('60')
else:
f.write('0')
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index 88df2902e..26ad1af84 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -151,7 +151,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -162,6 +163,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py
index 4536692d2..32cbadd74 100755
--- a/src/conf_mode/vpn_pptp.py
+++ b/src/conf_mode/vpn_pptp.py
@@ -111,7 +111,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -122,6 +123,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index 4c4d8e403..ddb499bf4 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -118,7 +118,8 @@ def get_config():
'server' : server,
'key' : '',
'fail_time' : 0,
- 'port' : '1812'
+ 'port' : '1812',
+ 'acct_port' : '1813'
}
conf.set_level(base_path + ['authentication', 'radius', 'server', server])
@@ -129,6 +130,9 @@ def get_config():
if conf.exists(['port']):
radius['port'] = conf.return_value(['port'])
+ if conf.exists(['acct-port']):
+ radius['acct_port'] = conf.return_value(['acct-port'])
+
if conf.exists(['key']):
radius['key'] = conf.return_value(['key'])