6 files changed, 153 insertions, 39 deletions

diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py
index 0a4559ade..daad00067 100755
--- a/src/conf_mode/flow_accounting_conf.py
+++ b/src/conf_mode/flow_accounting_conf.py
@@ -169,7 +169,8 @@ def get_config():
             'configured': vc.exists('system flow-accounting sflow'),
             'agent-address': vc.return_value('system flow-accounting sflow agent-address'),
             'sampling-rate': vc.return_value('system flow-accounting sflow sampling-rate'),
-            'servers': None
+            'servers': None,
+            'source-address': vc.return_value('system flow-accounting sflow source-address')
         },
         'netflow': {
             'configured': vc.exists('system flow-accounting netflow'),
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 92dc4a410..cd5073aa2 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -23,6 +23,7 @@ import vyos.defaults
 import vyos.certbot_util
 
 from vyos.config import Config
+from vyos.configverify import verify_vrf
 from vyos import ConfigError
 from vyos.pki import wrap_certificate
 from vyos.pki import wrap_private_key
@@ -34,6 +35,7 @@ from vyos import airbag
 airbag.enable()
 
 config_file = '/etc/nginx/sites-available/default'
+systemd_override = r'/etc/systemd/system/nginx.service.d/override.conf'
 cert_dir = '/etc/ssl/certs'
 key_dir = '/etc/ssl/private'
 certbot_dir = vyos.defaults.directories['certbot']
@@ -103,6 +105,8 @@ def verify(https):
             if not domains_found:
                 raise ConfigError("At least one 'virtual-host <id> server-name' "
                               "matching the 'certbot domain-name' is required.")
+
+    verify_vrf(https)
     return None
 
 def generate(https):
@@ -143,7 +147,6 @@ def generate(https):
         server_cert = str(wrap_certificate(pki_cert['certificate']))
         if 'ca-certificate' in cert_dict:
             ca_cert = cert_dict['ca-certificate']
-            print(ca_cert)
             server_cert += '\n' + str(wrap_certificate(https['pki']['ca'][ca_cert]['certificate']))
 
         write_file(cert_path, server_cert)
@@ -209,10 +212,12 @@ def generate(https):
     }
 
     render(config_file, 'https/nginx.default.tmpl', data)
-
+    render(systemd_override, 'https/override.conf.tmpl', https)
     return None
 
 def apply(https):
+    # Reload systemd manager configuration
+    call('systemctl daemon-reload')
     if https is not None:
         call('systemctl restart nginx.service')
     else:
diff --git a/src/conf_mode/netns.py b/src/conf_mode/netns.py
new file mode 100755
index 000000000..0924eb616
--- /dev/null
+++ b/src/conf_mode/netns.py
@@ -0,0 +1,118 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+from tempfile import NamedTemporaryFile
+
+from vyos.config import Config
+from vyos.configdict import node_changed
+from vyos.ifconfig import Interface
+from vyos.util import call
+from vyos.util import dict_search
+from vyos.util import get_interface_config
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+
+def netns_interfaces(c, match):
+    """
+    get NETNS bound interfaces
+    """
+    matched = []
+    old_level = c.get_level()
+    c.set_level(['interfaces'])
+    section = c.get_config_dict([], get_first_key=True)
+    for type in section:
+        interfaces = section[type]
+        for name in interfaces:
+            interface = interfaces[name]
+            if 'netns' in interface:
+                v = interface.get('netns', '')
+                if v == match:
+                    matched.append(name)
+
+    c.set_level(old_level)
+    return matched
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+
+    base = ['netns']
+    netns = conf.get_config_dict(base, get_first_key=True,
+                                       no_tag_node_value_mangle=True)
+
+    # determine which NETNS has been removed
+    for name in node_changed(conf, base + ['name']):
+        if 'netns_remove' not in netns:
+            netns.update({'netns_remove' : {}})
+
+        netns['netns_remove'][name] = {}
+        # get NETNS bound interfaces
+        interfaces = netns_interfaces(conf, name)
+        if interfaces: netns['netns_remove'][name]['interface'] = interfaces
+
+    return netns
+
+def verify(netns):
+    # ensure NETNS is not assigned to any interface
+    if 'netns_remove' in netns:
+        for name, config in netns['netns_remove'].items():
+            if 'interface' in config:
+                raise ConfigError(f'Can not remove NETNS "{name}", it still has '\
+                                  f'member interfaces!')
+
+    if 'name' in netns:
+        for name, config in netns['name'].items():
+            print(name)
+
+    return None
+
+
+def generate(netns):
+    if not netns:
+        return None
+
+    return None
+
+
+def apply(netns):
+
+    for tmp in (dict_search('netns_remove', netns) or []):
+        if os.path.isfile(f'/run/netns/{tmp}'):
+            call(f'ip netns del {tmp}')
+
+    if 'name' in netns:
+        for name, config in netns['name'].items():
+            if not os.path.isfile(f'/run/netns/{name}'):
+                call(f'ip netns add {name}')
+
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/conf_mode/protocols_bfd.py b/src/conf_mode/protocols_bfd.py
index 94825ba10..8593da170 100755
--- a/src/conf_mode/protocols_bfd.py
+++ b/src/conf_mode/protocols_bfd.py
@@ -18,6 +18,7 @@ import os
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
+from vyos.configverify import verify_vrf
 from vyos.template import is_ipv6
 from vyos.template import render_to_string
 from vyos.validate import is_ipv6_link_local
@@ -33,7 +34,8 @@ def get_config(config=None):
     else:
         conf = Config()
     base = ['protocols', 'bfd']
-    bfd = conf.get_config_dict(base, get_first_key=True)
+    bfd = conf.get_config_dict(base, key_mangling=('-', '_'),
+                               get_first_key=True)
     # Bail out early if configuration tree does not exist
     if not conf.exists(base):
         return bfd
@@ -76,11 +78,19 @@ def verify(bfd):
 
                 # multihop and echo-mode cannot be used together
                 if 'echo_mode' in peer_config:
-                    raise ConfigError('Multihop and echo-mode cannot be used together')
+                    raise ConfigError('BFD multihop and echo-mode cannot be used together')
 
                 # multihop doesn't accept interface names
                 if 'source' in peer_config and 'interface' in peer_config['source']:
-                    raise ConfigError('Multihop and source interface cannot be used together')
+                    raise ConfigError('BFD multihop and source interface cannot be used together')
+
+            if 'profile' in peer_config:
+                profile_name = peer_config['profile']
+                if 'profile' not in bfd or profile_name not in bfd['profile']:
+                    raise ConfigError(f'BFD profile "{profile_name}" does not exist!')
+
+            if 'vrf' in peer_config:
+                verify_vrf(peer_config)
 
     return None
 
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index b88f0c4ef..03fb17ba7 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -255,14 +255,6 @@ def verify(bgp):
                     tmp = dict_search(f'route_map.vpn.{export_import}', afi_config)
                     if tmp: verify_route_map(tmp, bgp)
 
-            if afi in ['l2vpn_evpn'] and 'vrf' not in bgp:
-                # Some L2VPN EVPN AFI options are only supported under VRF
-                if 'vni' in afi_config:
-                    for vni, vni_config in afi_config['vni'].items():
-                        if 'rd' in vni_config:
-                            raise ConfigError('VNI route-distinguisher is only supported under EVPN VRF')
-                        if 'route_target' in vni_config:
-                            raise ConfigError('VNI route-target is only supported under EVPN VRF')
 
     return None
 
diff --git a/src/conf_mode/protocols_mpls.py b/src/conf_mode/protocols_mpls.py
index 3b27608da..0b0c7d07b 100755
--- a/src/conf_mode/protocols_mpls.py
+++ b/src/conf_mode/protocols_mpls.py
@@ -66,36 +66,24 @@ def verify(mpls):
 
 def generate(mpls):
     # If there's no MPLS config generated, create dictionary key with no value.
-    if not mpls:
-        mpls['new_frr_config'] = ''
+    if not mpls or 'deleted' in mpls:
         return None
 
-    mpls['new_frr_config'] = render_to_string('frr/ldpd.frr.tmpl', mpls)
+    mpls['frr_ldpd_config'] = render_to_string('frr/ldpd.frr.tmpl', mpls)
     return None
 
 def apply(mpls):
-    # Define dictionary that will load FRR config
-    frr_cfg = {}
+    ldpd_damon = 'ldpd'
+
     # Save original configuration prior to starting any commit actions
-    frr_cfg['original_config'] = frr.get_configuration(daemon='ldpd')
-    frr_cfg['modified_config'] = frr.replace_section(frr_cfg['original_config'], mpls['new_frr_config'], from_re='mpls.*')
-
-    # If FRR config is blank, rerun the blank commit three times due to frr-reload
-    # behavior/bug not properly clearing out on one commit.
-    if mpls['new_frr_config'] == '':
-        for x in range(3):
-            frr.reload_configuration(frr_cfg['modified_config'], daemon='ldpd')
-    elif not 'ldp' in mpls:
-        for x in range(3):
-            frr.reload_configuration(frr_cfg['modified_config'], daemon='ldpd')
-    else:
-        # FRR mark configuration will test for syntax errors and throws an
-        # exception if any syntax errors is detected
-        frr.mark_configuration(frr_cfg['modified_config'])
+    frr_cfg = frr.FRRConfig()
+
+    frr_cfg.load_configuration(ldpd_damon)
+    frr_cfg.modify_section(f'^mpls ldp', stop_pattern='^exit', remove_stop_mark=True)
 
-        # Commit resulting configuration to FRR, this will throw CommitError
-        # on failure
-        frr.reload_configuration(frr_cfg['modified_config'], daemon='ldpd')
+    if 'frr_ldpd_config' in mpls:
+        frr_cfg.add_before(frr.default_add_before, mpls['frr_ldpd_config'])
+    frr_cfg.commit_configuration(ldpd_damon)
 
     # Set number of entries in the platform label tables
     labels = '0'
@@ -122,7 +110,7 @@ def apply(mpls):
         system_interfaces = []
         # Populate system interfaces list with local MPLS capable interfaces
         for interface in glob('/proc/sys/net/mpls/conf/*'):
-            system_interfaces.append(os.path.basename(interface))   
+            system_interfaces.append(os.path.basename(interface))
         # This is where the comparison is done on if an interface needs to be enabled/disabled.
         for system_interface in system_interfaces:
             interface_state = read_file(f'/proc/sys/net/mpls/conf/{system_interface}/input')
@@ -138,7 +126,7 @@ def apply(mpls):
         system_interfaces = []
         # If MPLS interfaces are not configured, set MPLS processing disabled
         for interface in glob('/proc/sys/net/mpls/conf/*'):
-            system_interfaces.append(os.path.basename(interface)) 
+            system_interfaces.append(os.path.basename(interface))
         for system_interface in system_interfaces:
             system_interface = system_interface.replace('.', '/')
             call(f'sysctl -wq net.mpls.conf.{system_interface}.input=0')