7 files changed, 86 insertions, 8 deletions

diff --git a/src/conf_mode/interfaces_wireless.py b/src/conf_mode/interfaces_wireless.py
index 02b4a2500..c0a17c0bc 100755
--- a/src/conf_mode/interfaces_wireless.py
+++ b/src/conf_mode/interfaces_wireless.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2019-2020 VyOS maintainers and contributors
+# Copyright (C) 2019-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -31,8 +31,9 @@ from vyos.configverify import verify_vrf
 from vyos.configverify import verify_bond_bridge_member
 from vyos.ifconfig import WiFiIf
 from vyos.template import render
-from vyos.utils.process import call
 from vyos.utils.dict import dict_search
+from vyos.utils.kernel import check_kmod
+from vyos.utils.process import call
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -118,6 +119,10 @@ def verify(wifi):
     if 'physical_device' not in wifi:
         raise ConfigError('You must specify a physical-device "phy"')
 
+    physical_device = wifi['physical_device']
+    if not os.path.exists(f'/sys/class/ieee80211/{physical_device}'):
+        raise ConfigError(f'Wirelss interface PHY "{physical_device}" does not exist!')
+
     if 'type' not in wifi:
         raise ConfigError('You must specify a WiFi mode')
 
@@ -266,6 +271,7 @@ def apply(wifi):
 
 if __name__ == '__main__':
     try:
+        check_kmod('mac80211')
         c = get_config()
         verify(c)
         generate(c)
diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 2b16de775..4df97d133 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -473,6 +473,22 @@ def verify(bgp):
                             if peer_group_as is None or (peer_group_as != 'internal' and peer_group_as != bgp['system_as']):
                                 raise ConfigError('route-reflector-client only supported for iBGP peers')
 
+            # T5833 not all AFIs are supported for VRF
+            if 'vrf' in bgp and 'address_family' in peer_config:
+                unsupported_vrf_afi = {
+                    'ipv4_flowspec',
+                    'ipv6_flowspec',
+                    'ipv4_labeled_unicast',
+                    'ipv6_labeled_unicast',
+                    'ipv4_vpn',
+                    'ipv6_vpn',
+                }
+                for afi in peer_config['address_family']:
+                    if afi in unsupported_vrf_afi:
+                        raise ConfigError(
+                            f"VRF is not allowed for address-family '{afi.replace('_', '-')}'"
+                        )
+
     # Throw an error if a peer group is not configured for allow range
     for prefix in dict_search('listen.range', bgp) or []:
         # we can not use dict_search() here as prefix contains dots ...
diff --git a/src/conf_mode/protocols_pim.py b/src/conf_mode/protocols_pim.py
index 09c3be8df..d450d11ca 100755
--- a/src/conf_mode/protocols_pim.py
+++ b/src/conf_mode/protocols_pim.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2023 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -16,6 +16,7 @@
 
 import os
 
+from ipaddress import IPv4Address
 from ipaddress import IPv4Network
 from signal import SIGTERM
 from sys import exit
@@ -32,6 +33,9 @@ from vyos import frr
 from vyos import airbag
 airbag.enable()
 
+RESERVED_MC_NET = '224.0.0.0/24'
+
+
 def get_config(config=None):
     if config:
         conf = config
@@ -92,9 +96,15 @@ def verify(pim):
     if 'interface' not in pim:
         raise ConfigError('PIM require defined interfaces!')
 
-    for interface in pim['interface']:
+    for interface, interface_config in pim['interface'].items():
         verify_interface_exists(interface)
 
+        # Check join group in reserved net
+        if 'igmp' in interface_config and 'join' in interface_config['igmp']:
+            for join_addr in interface_config['igmp']['join']:
+                if IPv4Address(join_addr) in IPv4Network(RESERVED_MC_NET):
+                    raise ConfigError(f'Groups within {RESERVED_MC_NET} are reserved and cannot be joined!')
+
     if 'rp' in pim:
         if 'address' not in pim['rp']:
             raise ConfigError('PIM rendezvous point needs to be defined!')
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
index 3dfb4bab8..ccfc8f6b8 100755
--- a/src/conf_mode/qos.py
+++ b/src/conf_mode/qos.py
@@ -70,6 +70,22 @@ def get_shaper(qos, interface_config, direction):
 
     return (map_vyops_tc[shaper_type], shaper_config)
 
+
+def _clean_conf_dict(conf):
+    """
+    Delete empty nodes from config e.g.
+        match ADDRESS30 {
+            ip {
+                source {}
+            }
+        }
+    """
+    if isinstance(conf, dict):
+        return {node: _clean_conf_dict(val) for node, val in conf.items() if val != {} and _clean_conf_dict(val) != {}}
+    else:
+        return conf
+
+
 def get_config(config=None):
     if config:
         conf = config
@@ -120,6 +136,13 @@ def get_config(config=None):
                     if 'queue_limit' not in qos['policy'][policy][p_name]['precedence'][precedence]:
                         qos['policy'][policy][p_name]['precedence'][precedence]['queue_limit'] = \
                             str(int(4 * max_thr))
+            # cleanup empty match config
+            if 'class' in p_config:
+                for cls, cls_config in p_config['class'].items():
+                    if 'match' in cls_config:
+                        cls_config['match'] = _clean_conf_dict(cls_config['match'])
+                        if cls_config['match'] == {}:
+                            del cls_config['match']
 
     return qos
 
diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py
index 11e950782..28b7fb03c 100755
--- a/src/conf_mode/service_ipoe-server.py
+++ b/src/conf_mode/service_ipoe-server.py
@@ -66,7 +66,7 @@ def verify(ipoe):
         raise ConfigError('No IPoE interface configured')
 
     for interface, iface_config in ipoe['interface'].items():
-        verify_interface_exists(interface)
+        verify_interface_exists(interface, warning_only=True)
         if 'client_subnet' in iface_config and 'vlan' in iface_config:
             raise ConfigError('Option "client-subnet" and "vlan" are mutually exclusive, '
                               'use "client-ip-pool" instead!')
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index b9d174933..c95f976d3 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -84,12 +84,29 @@ def verify_pado_delay(pppoe):
         pado_delay = pppoe['pado_delay']
 
         delays_without_sessions = pado_delay['delays_without_sessions']
+        if 'disable' in delays_without_sessions:
+            raise ConfigError(
+                'Number of sessions must be specified for "pado-delay disable"'
+            )
+
         if len(delays_without_sessions) > 1:
             raise ConfigError(
                 f'Cannot add more then ONE pado-delay without sessions, '
                 f'but {len(delays_without_sessions)} were set'
             )
 
+        if 'disable' in [delay[0] for delay in pado_delay['delays_with_sessions']]:
+            # need to sort delays by sessions to verify if there is no delay
+            # for sessions after disabling
+            sorted_pado_delay = sorted(pado_delay['delays_with_sessions'], key=lambda k_v: k_v[1])
+            last_delay = sorted_pado_delay[-1]
+
+            if last_delay[0] != 'disable':
+                raise ConfigError(
+                    f'Cannot add pado-delay after disabled sessions, but '
+                    f'"pado-delay {last_delay[0]} sessions {last_delay[1]}" was set'
+                )
+
 def verify(pppoe):
     if not pppoe:
         return None
@@ -105,7 +122,7 @@ def verify(pppoe):
 
     # Check is interface exists in the system
     for interface in pppoe['interface']:
-        verify_interface_exists(interface)
+        verify_interface_exists(interface, warning_only=True)
 
     return None
 
diff --git a/src/conf_mode/system_host-name.py b/src/conf_mode/system_host-name.py
index 8975cadb6..3f245f166 100755
--- a/src/conf_mode/system_host-name.py
+++ b/src/conf_mode/system_host-name.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2023 VyOS maintainers and contributors
+# Copyright (C) 2018-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -22,6 +22,7 @@ import vyos.hostsd_client
 
 from vyos.base import Warning
 from vyos.config import Config
+from vyos.configdict import leaf_node_changed
 from vyos.ifconfig import Section
 from vyos.template import is_ip
 from vyos.utils.process import cmd
@@ -37,6 +38,7 @@ default_config_data = {
     'domain_search': [],
     'nameserver': [],
     'nameservers_dhcp_interfaces': {},
+    'snmpd_restart_reqired': False,
     'static_host_mapping': {}
 }
 
@@ -52,6 +54,10 @@ def get_config(config=None):
 
     hosts['hostname'] = conf.return_value(['system', 'host-name'])
 
+    base = ['system']
+    if leaf_node_changed(conf, base + ['host-name']) or leaf_node_changed(conf, base + ['domain-name']):
+        hosts['snmpd_restart_reqired'] = True
+
     # This may happen if the config is not loaded yet,
     # e.g. if run by cloud-init
     if not hosts['hostname']:
@@ -171,7 +177,7 @@ def apply(config):
         call("systemctl restart rsyslog.service")
 
     # If SNMP is running, restart it too
-    if process_named_running('snmpd'):
+    if process_named_running('snmpd') and config['snmpd_restart_reqired']:
         call('systemctl restart snmpd.service')
 
     return None