6 files changed, 63 insertions, 38 deletions

diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index eeb57bd30..cbd9cbe90 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -179,6 +179,20 @@ def verify_rule(firewall, rule_conf, ipv6):
     if 'action' not in rule_conf:
         raise ConfigError('Rule action must be defined')
 
+    if 'jump' in rule_conf['action'] and 'jump_target' not in rule_conf:
+        raise ConfigError('Action set to jump, but no jump-target specified')
+
+    if 'jump_target' in rule_conf:
+        if 'jump' not in rule_conf['action']:
+            raise ConfigError('jump-target defined, but action jump needed and it is not defined')
+        target = rule_conf['jump_target']
+        if not ipv6:
+            if target not in dict_search_args(firewall, 'name'):
+                raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
+        else:
+            if target not in dict_search_args(firewall, 'ipv6_name'):
+                raise ConfigError(f'Invalid jump-target. Firewall ipv6-name {target} does not exist on the system')
+
     if 'fragment' in rule_conf:
         if {'match_frag', 'match_non_frag'} <= set(rule_conf['fragment']):
             raise ConfigError('Cannot specify both "match-frag" and "match-non-frag"')
@@ -287,6 +301,18 @@ def verify(firewall):
     for name in ['name', 'ipv6_name']:
         if name in firewall:
             for name_id, name_conf in firewall[name].items():
+                if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
+                    raise ConfigError('default-action set to jump, but no default-jump-target specified')
+                if 'default_jump_target' in name_conf:
+                    target = name_conf['default_jump_target']
+                    if 'jump' not in name_conf['default_action']:
+                        raise ConfigError('default-jump-target defined,but default-action jump needed and it is not defined')
+                    if name_conf['default_jump_target'] == name_id:
+                        raise ConfigError(f'Loop detected on default-jump-target.')
+                    ## Now need to check that default-jump-target exists (other firewall chain/name)
+                    if target not in dict_search_args(firewall, name):
+                        raise ConfigError(f'Invalid jump-target. Firewall {name} {target} does not exist on the system')
+
                 if 'rule' in name_conf:
                     for rule_id, rule_conf in name_conf['rule'].items():
                         verify_rule(firewall, rule_conf, name == 'ipv6_name')
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py
index 61bab2feb..8d738f55e 100755
--- a/src/conf_mode/interfaces-wireguard.py
+++ b/src/conf_mode/interfaces-wireguard.py
@@ -14,16 +14,12 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
-
 from sys import exit
-from copy import deepcopy
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.configdict import get_interface_dict
-from vyos.configdict import node_changed
-from vyos.configdict import leaf_node_changed
+from vyos.configdict import is_node_changed
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
@@ -50,17 +46,20 @@ def get_config(config=None):
     ifname, wireguard = get_interface_dict(conf, base)
 
     # Check if a port was changed
-    wireguard['port_changed'] = leaf_node_changed(conf, base + [ifname, 'port'])
+    tmp = is_node_changed(conf, base + [ifname, 'port'])
+    if tmp: wireguard['port_changed'] = {}
 
     # Determine which Wireguard peer has been removed.
     # Peers can only be removed with their public key!
-    dict = {}
-    tmp = node_changed(conf, base + [ifname, 'peer'], key_mangling=('-', '_'))
-    for peer in (tmp or []):
-        public_key = leaf_node_changed(conf, base + [ifname, 'peer', peer, 'public_key'])
-        if public_key:
-            dict = dict_merge({'peer_remove' : {peer : {'public_key' : public_key[0]}}}, dict)
-            wireguard.update(dict)
+    if 'peer' in wireguard:
+        peer_remove = {}
+        for peer, peer_config in wireguard['peer'].items():
+            # T4702: If anything on a peer changes we remove the peer first and re-add it
+            if is_node_changed(conf, base + [ifname, 'peer', peer]):
+                if 'public_key' in peer_config:
+                    peer_remove = dict_merge({'peer_remove' : {peer : peer_config['public_key']}}, peer_remove)
+        if peer_remove:
+           wireguard.update(peer_remove)
 
     return wireguard
 
@@ -81,12 +80,11 @@ def verify(wireguard):
     if 'peer' not in wireguard:
         raise ConfigError('At least one Wireguard peer is required!')
 
-    if 'port' in wireguard and wireguard['port_changed']:
+    if 'port' in wireguard and 'port_changed' in wireguard:
         listen_port = int(wireguard['port'])
         if check_port_availability('0.0.0.0', listen_port, 'udp') is not True:
-            raise ConfigError(
-                f'The UDP port {listen_port} is busy or unavailable and cannot be used for the interface'
-            )
+            raise ConfigError(f'UDP port {listen_port} is busy or unavailable and '
+                               'cannot be used for the interface!')
 
     # run checks on individual configured WireGuard peer
     for tmp in wireguard['peer']:
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index 9fddbd2c6..00539b9c7 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -92,7 +92,7 @@ def get_config(config=None):
 
     return policy
 
-def verify_rule(policy, name, rule_conf, ipv6):
+def verify_rule(policy, name, rule_conf, ipv6, rule_id):
     icmp = 'icmp' if not ipv6 else 'icmpv6'
     if icmp in rule_conf:
         icmp_defined = False
@@ -166,7 +166,7 @@ def verify(policy):
             for name, pol_conf in policy[route].items():
                 if 'rule' in pol_conf:
                     for rule_id, rule_conf in pol_conf['rule'].items():
-                        verify_rule(policy, name, rule_conf, ipv6)
+                        verify_rule(policy, name, rule_conf, ipv6, rule_id)
 
     for ifname, if_policy in policy['interfaces'].items():
         name = dict_search_args(if_policy, 'route')
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index 6086ef859..dfe73094f 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -21,13 +21,12 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_accel_dict
 from vyos.configverify import verify_accel_ppp_base_service
+from vyos.configverify import verify_interface_exists
 from vyos.template import render
 from vyos.util import call
 from vyos.util import dict_search
-from vyos.util import get_interface_config
 from vyos import ConfigError
 from vyos import airbag
-from vyos.range_regex import range_to_regex
 
 airbag.enable()
 
@@ -54,15 +53,14 @@ def verify(pppoe):
     verify_accel_ppp_base_service(pppoe)
 
     if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2:
-        raise ConfigError('Not more then two IPv4 WINS name-servers can be configured')
+        raise ConfigError('Not more then two WINS name-servers can be configured')
 
     if 'interface' not in pppoe:
         raise ConfigError('At least one listen interface must be defined!')
 
     # Check is interface exists in the system
-    for iface in pppoe['interface']:
-        if not get_interface_config(iface):
-            raise ConfigError(f'Interface {iface} does not exist!')
+    for interface in pppoe['interface']:
+        verify_interface_exists(interface)
 
     # local ippool and gateway settings config checks
     if not (dict_search('client_ip_pool.subnet', pppoe) or
@@ -81,13 +79,6 @@ def generate(pppoe):
     if not pppoe:
         return None
 
-    # Generate special regex for dynamic interfaces
-    for iface in pppoe['interface']:
-        if 'vlan_range' in pppoe['interface'][iface]:
-            pppoe['interface'][iface]['regex'] = []
-            for vlan_range in pppoe['interface'][iface]['vlan_range']:
-                pppoe['interface'][iface]['regex'].append(range_to_regex(vlan_range))
-
     render(pppoe_conf, 'accel-ppp/pppoe.config.j2', pppoe)
 
     if dict_search('authentication.mode', pppoe) == 'local':
@@ -101,15 +92,15 @@ def generate(pppoe):
 
 
 def apply(pppoe):
+    systemd_service = 'accel-ppp@pppoe.service'
     if not pppoe:
-        call('systemctl stop accel-ppp@pppoe.service')
+        call(f'systemctl stop {systemd_service}')
         for file in [pppoe_conf, pppoe_chap_secrets]:
             if os.path.exists(file):
                 os.unlink(file)
-
         return None
 
-    call('systemctl restart accel-ppp@pppoe.service')
+    call(f'systemctl reload-or-restart {systemd_service}')
 
 if __name__ == '__main__':
     try:
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 5ca32d23e..c9061366d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -16,6 +16,7 @@
 
 import ipaddress
 import os
+import re
 
 from sys import exit
 from time import sleep
@@ -348,6 +349,14 @@ def verify(ipsec):
     if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']:
         for peer, peer_conf in ipsec['site_to_site']['peer'].items():
             has_default_esp = False
+            # Peer name it is swanctl connection name and shouldn't contain dots or colons, T4118
+            if bool(re.search(':|\.', peer)):
+                raise ConfigError(f'Incorrect peer name "{peer}" '
+                                  f'Peer name can contain alpha-numeric letters, hyphen and underscore')
+
+            if 'remote_address' not in peer_conf:
+                print(f'You should set correct remote-address "peer {peer} remote-address x.x.x.x"\n')
+
             if 'default_esp_group' in peer_conf:
                 has_default_esp = True
                 if 'esp_group' not in ipsec or peer_conf['default_esp_group'] not in ipsec['esp_group']:
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 23b1baf4d..c050b796b 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -81,9 +81,10 @@ def verify(ocserv):
     # Check if listen-ports not binded other services
     # It can be only listen by 'ocserv-main'
     for proto, port in ocserv.get('listen_ports').items():
-        if check_port_availability('0.0.0.0', int(port), proto) is not True and \
+        if check_port_availability(ocserv['listen_address'], int(port), proto) is not True and \
                 not is_listen_port_bind_service(int(port), 'ocserv-main'):
             raise ConfigError(f'"{proto}" port "{port}" is used by another service')
+
     # Check authentication
     if "authentication" in ocserv:
         if "mode" in ocserv["authentication"]: