18 files changed, 139 insertions, 36 deletions

diff --git a/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks b/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks
index b4b4d516d..570758be6 100644
--- a/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks
+++ b/src/etc/dhcp/dhclient-enter-hooks.d/99-run-user-hooks
@@ -1,5 +1,5 @@
 #!/bin/bash
 DHCP_PRE_HOOKS="/config/scripts/dhcp-client/pre-hooks.d/"
 if [ -d "${DHCP_PRE_HOOKS}" ] ; then
-    run-parts "${DHCP_PRE_HOOKS}"
+    run_hookdir "${DHCP_PRE_HOOKS}"
 fi
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook
index 35721d009..d5e6462ba 100644
--- a/src/etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/03-vyos-dhclient-hook
@@ -29,6 +29,7 @@ fi
 
 if [ "$RUN" = "yes" ]; then
         BASE_PATH=$(python3 -c "from vyos.defaults import directories; print(directories['isc_dhclient_dir'])")
+        mkdir -p ${BASE_PATH}
         LOG=${BASE_PATH}/dhclient_"$interface"."$proto"lease
         echo `date` > $LOG
 
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks
index 442419d79..910b586f0 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/98-run-user-hooks
@@ -1,5 +1,5 @@
 #!/bin/bash
 DHCP_POST_HOOKS="/config/scripts/dhcp-client/post-hooks.d/"
 if [ -d "${DHCP_POST_HOOKS}" ] ; then
-    run-parts "${DHCP_POST_HOOKS}"
+    run_hookdir "${DHCP_POST_HOOKS}"
 fi
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook
index c7a92fe26..e6edc1ac3 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook
@@ -71,10 +71,6 @@ if __name__ == '__main__':
                 conf_lines[i] = line.replace(old_ip, new_ip)
                 found = True
 
-        for i, line in enumerate(secrets_lines):
-            if line.find(to_match) > 0:
-                secrets_lines[i] = line.replace(old_ip, new_ip)
-
         if found:
             write_file(SWANCTL_CONF, conf_lines)
             ipsec_down(old_ip)
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 9eb6fac48..441b316c2 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -13,8 +13,9 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
-## Called as vti_up_down vti_intf_name
+
+# Script called up strongswan to bring the VTI interface up/down based on
+# the state of the IPSec tunnel. Called as vti_up_down vti_intf_name
 
 import os
 import sys
@@ -25,9 +26,10 @@ from syslog import LOG_PID
 from syslog import LOG_INFO
 
 from vyos.configquery import ConfigTreeQuery
+from vyos.configdict import get_interface_dict
+from vyos.ifconfig import VTIIf
 from vyos.utils.process import call
 from vyos.utils.network import get_interface_config
-from vyos.utils.network import get_interface_address
 
 if __name__ == '__main__':
     verb = os.getenv('PLUTO_VERB')
@@ -48,14 +50,13 @@ if __name__ == '__main__':
 
     vti_link_up = (vti_link['operstate'] != 'DOWN' if 'operstate' in vti_link else False)
 
-    config = ConfigTreeQuery()
-    vti_dict = config.get_config_dict(['interfaces', 'vti', interface],
-                                      get_first_key=True)
-
     if verb in ['up-client', 'up-host']:
         if not vti_link_up:
-            if 'disable' not in vti_dict:
-                call(f'sudo ip link set {interface} up')
+            conf = ConfigTreeQuery()
+            _, vti = get_interface_dict(conf.config, ['interfaces', 'vti'], interface)
+            if 'disable' not in vti:
+                tmp = VTIIf(interface)
+                tmp.update(vti)
             else:
                 syslog(f'Interface {interface} is admin down ...')
     elif verb in ['down-client', 'down-host']:
diff --git a/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers b/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
index 222c75f21..5157469f4 100755
--- a/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
+++ b/src/etc/ppp/ip-down.d/98-vyos-pppoe-cleanup-nameservers
@@ -1,5 +1,4 @@
 #!/bin/bash
-### Autogenerated by interfaces-pppoe.py ###
 
 interface=$6
 if [ -z "$interface" ]; then
diff --git a/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers b/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
index 0fcedbedc..4affaeb5c 100755
--- a/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
+++ b/src/etc/ppp/ip-up.d/98-vyos-pppoe-setup-nameservers
@@ -1,5 +1,4 @@
 #!/bin/bash
-### Autogenerated by interfaces-pppoe.py ###
 
 interface=$6
 if [ -z "$interface" ]; then
diff --git a/src/etc/sudoers.d/vyos b/src/etc/sudoers.d/vyos
index e0fd8cb0b..63a944f41 100644
--- a/src/etc/sudoers.d/vyos
+++ b/src/etc/sudoers.d/vyos
@@ -42,7 +42,10 @@ Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \
                            /usr/share/heartbeat/hb_standby
 Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
                          /bin/ip vrf exec * /bin/traceroute *, \
+                         /bin/ip vrf exec * /usr/bin/mtr *, \
                          /usr/libexec/vyos/op_mode/*
+Cmnd_Alias KEA_IP6_ROUTES = /sbin/ip -6 route replace *,\
+                           /sbin/ip -6 route del *
 %operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
 			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                         DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
@@ -54,3 +57,4 @@ Cmnd_Alias DIAGNOSTICS = /bin/ip vrf exec * /bin/ping *,       \
 # Allow members of group sudo to execute any command
 %sudo ALL=NOPASSWD: ALL
 
+_kea ALL=NOPASSWD: KEA_IP6_ROUTES
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index fcdc1b21d..c9b8ef8fe 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -21,7 +21,6 @@ net.ipv4.conf.all.arp_filter=0
 
 # https://vyos.dev/T300
 net.ipv4.conf.all.arp_ignore=0
-
 net.ipv4.conf.all.arp_announce=2
 
 # Enable packet forwarding for IPv4
@@ -103,6 +102,11 @@ net.ipv4.igmp_max_memberships = 512
 net.core.rps_sock_flow_entries = 32768
 
 # Congestion control
-net.core.default_qdisc=fq
+net.core.default_qdisc=fq_codel
 net.ipv4.tcp_congestion_control=bbr
 
+# Disable IPv6 Segment Routing packets by default
+net.ipv6.conf.all.seg6_enabled = 0
+net.ipv6.conf.default.seg6_enabled = 0
+
+net.vrf.strict_mode = 1
diff --git a/src/etc/systemd/system/avahi-daemon.service.d/override.conf b/src/etc/systemd/system/avahi-daemon.service.d/override.conf
deleted file mode 100644
index a9d2085f7..000000000
--- a/src/etc/systemd/system/avahi-daemon.service.d/override.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-ConditionPathExists=/run/avahi-daemon/avahi-daemon.conf
-
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/avahi-daemon --syslog --file /run/avahi-daemon/avahi-daemon.conf
\ No newline at end of file
diff --git a/src/etc/systemd/system/certbot.service.d/10-override.conf b/src/etc/systemd/system/certbot.service.d/10-override.conf
new file mode 100644
index 000000000..542f77eb2
--- /dev/null
+++ b/src/etc/systemd/system/certbot.service.d/10-override.conf
@@ -0,0 +1,7 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/bin/certbot renew --config-dir /config/auth/letsencrypt --no-random-sleep-on-renew --post-hook "/usr/libexec/vyos/vyos-certbot-renew-pki.sh"
diff --git a/src/etc/systemd/system/frr.service.d/override.conf b/src/etc/systemd/system/frr.service.d/override.conf
index 094f83551..614b4f7ed 100644
--- a/src/etc/systemd/system/frr.service.d/override.conf
+++ b/src/etc/systemd/system/frr.service.d/override.conf
@@ -1,3 +1,6 @@
+[Unit]
+After=vyos-router.service
+
 [Service]
 LimitNOFILE=4096
 ExecStartPre=/bin/bash -c 'mkdir -p /run/frr/config; \
diff --git a/src/etc/systemd/system/kea-ctrl-agent.service.d/override.conf b/src/etc/systemd/system/kea-ctrl-agent.service.d/override.conf
new file mode 100644
index 000000000..0f5bf801e
--- /dev/null
+++ b/src/etc/systemd/system/kea-ctrl-agent.service.d/override.conf
@@ -0,0 +1,9 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/kea-ctrl-agent -c /run/kea/kea-ctrl-agent.conf
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
diff --git a/src/etc/systemd/system/kea-dhcp4-server.service.d/override.conf b/src/etc/systemd/system/kea-dhcp4-server.service.d/override.conf
new file mode 100644
index 000000000..682e5bbce
--- /dev/null
+++ b/src/etc/systemd/system/kea-dhcp4-server.service.d/override.conf
@@ -0,0 +1,7 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/kea-dhcp4 -c /run/kea/kea-dhcp4.conf
diff --git a/src/etc/systemd/system/kea-dhcp6-server.service.d/override.conf b/src/etc/systemd/system/kea-dhcp6-server.service.d/override.conf
new file mode 100644
index 000000000..cb33fc057
--- /dev/null
+++ b/src/etc/systemd/system/kea-dhcp6-server.service.d/override.conf
@@ -0,0 +1,7 @@
+[Unit]
+After=
+After=vyos-router.service
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/kea-dhcp6 -c /run/kea/kea-dhcp6.conf
diff --git a/src/etc/systemd/system/nginx.service.d/10-override.conf b/src/etc/systemd/system/nginx.service.d/10-override.conf
new file mode 100644
index 000000000..1be5cec81
--- /dev/null
+++ b/src/etc/systemd/system/nginx.service.d/10-override.conf
@@ -0,0 +1,3 @@
+[Unit]
+After=
+After=vyos-router.service
diff --git a/src/etc/systemd/system/pdns-recursor.service.d/override.conf b/src/etc/systemd/system/pdns-recursor.service.d/override.conf
deleted file mode 100644
index 158bac02b..000000000
--- a/src/etc/systemd/system/pdns-recursor.service.d/override.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Service]
-WorkingDirectory=
-WorkingDirectory=/run/powerdns
-RuntimeDirectory=
-RuntimeDirectory=powerdns
-RuntimeDirectoryPreserve=yes
-ExecStart=
-ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir=/run/powerdns --socket-dir=/run/powerdns
diff --git a/src/etc/udev/rules.d/99-vyos-systemd.rules b/src/etc/udev/rules.d/99-vyos-systemd.rules
new file mode 100644
index 000000000..54aea668c
--- /dev/null
+++ b/src/etc/udev/rules.d/99-vyos-systemd.rules
@@ -0,0 +1,79 @@
+# The main reason that we store this file is systemd-udevd interfaces excludes
+# /lib/systemd/systemd-sysctl for dynamic interfaces (ppp|ipoe|l2tp etc)
+
+ACTION=="remove", GOTO="systemd_end"
+
+SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
+KERNEL=="vport*", TAG+="systemd"
+
+SUBSYSTEM=="ptp", TAG+="systemd"
+
+SUBSYSTEM=="ubi", TAG+="systemd"
+
+SUBSYSTEM=="block", TAG+="systemd"
+
+# We can't make any conclusions about suspended DM devices so let's just import previous SYSTEMD_READY state and skip other rules
+SUBSYSTEM=="block", ENV{DM_SUSPENDED}=="1", IMPORT{db}="SYSTEMD_READY", GOTO="systemd_end"
+SUBSYSTEM=="block", ACTION=="add", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}="0"
+
+# Ignore encrypted devices with no identified superblock on it, since
+# we are probably still calling mke2fs or mkswap on it.
+SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
+
+# Explicitly set SYSTEMD_READY=1 for DM devices that don't have it set yet, so that we always have something to import above
+SUBSYSTEM=="block", ENV{DM_UUID}=="?*", ENV{SYSTEMD_READY}=="", ENV{SYSTEMD_READY}="1"
+
+# add symlink to GPT root disk
+SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root"
+SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks"
+SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{DM_NAME}=="root", SYMLINK+="gpt-auto-root"
+
+# Ignore raid devices that are not yet assembled and started
+SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", TEST!="md/array_state", ENV{SYSTEMD_READY}="0"
+SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", ATTR{md/array_state}=="|clear|inactive", ENV{SYSTEMD_READY}="0"
+
+# Ignore loop devices that don't have any file attached
+SUBSYSTEM=="block", KERNEL=="loop[0-9]*", ENV{DEVTYPE}=="disk", TEST!="loop/backing_file", ENV{SYSTEMD_READY}="0"
+
+# Ignore nbd devices until the PID file exists (which signals a connected device)
+SUBSYSTEM=="block", KERNEL=="nbd*", ENV{DEVTYPE}=="disk", TEST!="pid", ENV{SYSTEMD_READY}="0"
+
+# We need a hardware independent way to identify network devices. We
+# use the /sys/subsystem/ path for this. Kernel "bus" and "class" names
+# should be treated as one namespace, like udev handles it. This is mostly
+# just an identification string for systemd, so whether the path actually is
+# accessible or not does not matter as long as it is unique and in the
+# filesystem namespace.
+
+SUBSYSTEM=="net", KERNEL!="lo", TAG+="systemd", ENV{SYSTEMD_ALIAS}+="/sys/subsystem/net/devices/$name"
+SUBSYSTEM=="bluetooth", TAG+="systemd", ENV{SYSTEMD_ALIAS}+="/sys/subsystem/bluetooth/devices/%k", \
+  ENV{SYSTEMD_WANTS}+="bluetooth.target", ENV{SYSTEMD_USER_WANTS}+="bluetooth.target"
+
+ENV{ID_SMARTCARD_READER}=="?*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="smartcard.target", ENV{SYSTEMD_USER_WANTS}+="smartcard.target"
+SUBSYSTEM=="sound", KERNEL=="controlC*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="sound.target", ENV{SYSTEMD_USER_WANTS}+="sound.target"
+
+SUBSYSTEM=="printer", TAG+="systemd", ENV{SYSTEMD_WANTS}+="printer.target", ENV{SYSTEMD_USER_WANTS}+="printer.target"
+SUBSYSTEM=="usb", KERNEL=="lp*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="printer.target", ENV{SYSTEMD_USER_WANTS}+="printer.target"
+SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="*:0701??:*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="printer.target", ENV{SYSTEMD_USER_WANTS}+="printer.target"
+
+SUBSYSTEM=="udc", ACTION=="add", TAG+="systemd", ENV{SYSTEMD_WANTS}+="usb-gadget.target"
+
+# Apply sysctl variables to network devices (and only to those) as they appear. 
+# T5706. Exclude: lo, dummy*, ppp*, ipoe*, l2tp*, pptp*, sslvpn* and sstp*.
+ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo|dummy*|ppp*|ipoe*|l2tp*|pptp*|sslvpn*|sstp*", RUN+="/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/$name --prefix=/net/ipv4/neigh/$name --prefix=/net/ipv6/conf/$name --prefix=/net/ipv6/neigh/$name"
+
+# Pull in backlight save/restore for all backlight devices and
+# keyboard backlights
+SUBSYSTEM=="backlight", TAG+="systemd", IMPORT{builtin}="path_id", ENV{SYSTEMD_WANTS}+="systemd-backlight@backlight:$name.service"
+SUBSYSTEM=="leds", KERNEL=="*kbd_backlight", TAG+="systemd", IMPORT{builtin}="path_id", ENV{SYSTEMD_WANTS}+="systemd-backlight@leds:$name.service"
+
+# Pull in rfkill save/restore for all rfkill devices
+SUBSYSTEM=="rfkill", ENV{SYSTEMD_RFKILL}="1"
+SUBSYSTEM=="rfkill", IMPORT{builtin}="path_id"
+SUBSYSTEM=="misc", KERNEL=="rfkill", TAG+="systemd", ENV{SYSTEMD_WANTS}+="systemd-rfkill.socket"
+
+# Asynchronously mount file systems implemented by these modules as soon as they are loaded.
+SUBSYSTEM=="module", KERNEL=="fuse", TAG+="systemd", ENV{SYSTEMD_WANTS}+="sys-fs-fuse-connections.mount"
+SUBSYSTEM=="module", KERNEL=="configfs", TAG+="systemd", ENV{SYSTEMD_WANTS}+="sys-kernel-config.mount"
+
+LABEL="systemd_end"